Top Isaca CISM secret Choices

By way of making a great Isaca an individual often be that much deeper access to almost any future position option or perhaps improvement in someones professional life. CISM recognition is definitely accorded should the prospect travels a new computerised evaluation taking place from a secured environment. The Isaca CISMcourses often includes a all-inclusive course material covering up the vast majority of basic and advanced content material from the uneasy Isaca system.

2021 Jan CISM free question

Q71. Senior management commitment and support for information security can BEST be obtained through presentations that: 

A. use illustrative examples of successful attacks. 

B. explain the technical risks to the organization. 

C. evaluate the organization against best security practices. 

D. tie security risks to key business objectives. 



Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives. 

Q72. Who can BEST advocate the development of and ensure the success of an information security program? 

A. Internal auditor 

B. Chief operating officer (COO) 

C. Steering committee 

D. IT management 



Senior management represented in the security steering committee is in the best position to advocate the establishment of and continued support for an information security program. The chief operating officer (COO) will be a member of that committee. An internal auditor is a good advocate but is secondary to the influence of senior management. IT management has a lesser degree of influence and would also be part of the steering committee. 

Q73. In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the: 

A. original cost to acquire. 

B. cost of the software stored. 

C. annualized loss expectancy (ALE). 

D. cost to obtain a replacement. 



The value of the server should be based on its cost of replacement. The original cost may be significantly different from the current cost and, therefore, not as relevant. The value of the software is not at issue because it can be restored from backup media. The ALE for all risks related to the server does not represent the server's value. 

Q74. A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected? 

A. Access control policy 

B. Data classification policy 

C. Encryption standards 

D. Acceptable use policy 



Data classification policies define the level of protection to be provided for each category of data. Without this mandated ranking of degree of protection, it is difficult to determine what access controls or levels of encryption should be in place. An acceptable use policy is oriented more toward the end user and, therefore, would not specifically address what controls should be in place to adequately protect information. 

Q75. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BES T approach of the information security manager? 

A. Acceptance of the business manager's decision on the risk to the corporation 

B. Acceptance of the information security manager's decision on the risk to the corporation 

C. Review of the assessment with executive management for final input 

D. A new risk assessment and BIA are needed to resolve the disagreement 



Executive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process. 

Refresh CISM practice exam:

Q76. Which of the following roles is PRIMARILY responsible for determining the information 

classification levels for a given information asset? 

A. Manager 

B. Custodian 

C. User 

D. Owner 



Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels. Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc. The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc. Users are the lowest level. They use the data, but do not classify the data. The owner classifies the data. 

Q77. In implementing information security governance, the information security manager is PRIMARILY responsible for: 

A. developing the security strategy. 

B. reviewing the security strategy. 

C. communicating the security strategy. 

D. approving the security strategy 



The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy. 

Q78. Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? 

A. Implement countermeasures. 

B. Eliminate the risk. 

C. Transfer the risk. 

D. Accept the risk. 



Risks are typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include: hurricanes, tornados and earthquakes. Implementing countermeasures may not be the most cost-effective approach to security management. Eliminating the risk may not be possible. Accepting the risk would leave the organization vulnerable to a catastrophic disaster which may cripple or ruin the organization. It would be more cost effective to pay recurring insurance costs than to be affected by a disaster from which the organization cannot financially recover. 

Q79. The MOST basic requirement for an information security governance program is to: 

A. be aligned with the corporate business strategy. 

B. be based on a sound risk management approach. 

C. provide adequate regulatory compliance. 

D. provide best practices for security- initiatives. 



To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program. 

Q80. An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles? 

A. Ethics 

B. Proportionality 

C. Integration 

D. Accountability 



Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation. 

see more CISM dumps