CISM test preparation guide

The study materials are updated promptly whenever the CISM exam changes. We provide the newest simulated test questions, kept in step with the current exam. What is more, the products you purchase are updated free of charge for 120 days. We spare no effort to offer every customer the best after-sale service, and we provide 24-hour customer support to resolve your questions promptly after receiving them. You can therefore contact us at any time if you have any difficulties with Isaca CISM certification. To a large extent, customer satisfaction is our expectation and makes a great contribution to our development.

January 2021 CISM brain dumps

Q151. Which of the following are seldom changed in response to technological changes? 

A. Standards 

B. Procedures 

C. Policies 

D. Guidelines

Answer: C

Policies are high-level statements of objectives. Because of their high-level nature and statement of broad operating principles, they are less subject to periodic change. Security standards and procedures, as well as guidelines, must be revised and updated based on the impact of technology changes.

Q152. Which of the following would generally have the GREATEST negative impact on an organization? 

A. Theft of computer software 

B. Interruption of utility services 

C. Loss of customer confidence 

D. Internal fraud resulting in monetary loss

Answer: C

Although the theft of software, interruption of utility services and internal fraud are all significant, the loss of customer confidence is the most damaging and could cause the business to fail.

Q153. The FIRST step in developing an information security management program is to: 

A. identify business risks that affect the organization. 

B. clarify organizational purpose for creating the program. 

C. assign responsibility for the program. 

D. assess adequacy of controls to mitigate business risks.

Answer: B

In developing an information security management program, the first step is to clarify the organization's purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.

Q154. A risk assessment should be conducted: 

A. once a year for each business process and subprocess. 

B. every three to six months for critical business processes. 

C. by external parties to maintain objectivity. 

D. annually or whenever there is a significant change.

Answer: D

Risks are constantly changing. Choice D offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change. Conducting a risk assessment once a year is insufficient if important changes take place. Conducting a risk assessment every three to six months for critical processes may not be necessary, or it may not address important changes in a timely manner. It is not necessary for assessments to be performed by external parties.

Q155. The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that: 

A. the plan aligns with the organization's business plan. 

B. departmental budgets are allocated appropriately to pay for the plan. 

C. regulatory oversight requirements are met. 

D. the impact of the plan on the business units is reduced.

Answer: A

The steering committee controls the execution of the information security strategy according to the needs of the organization and decides on project prioritization and the execution plan. The steering committee does not allocate department budgets for business units. While ensuring that regulatory oversight requirements are met could be a consideration, it is not the main reason for the review. Reducing the impact on the business units is a secondary concern but not the main reason for the review.

Up-to-date CISM exam questions:

Q156. Which of the following would be the MOST important goal of an information security governance program? 

A. Review of internal control mechanisms 

B. Effective involvement in business decision making 

C. Total elimination of risk factors 

D. Ensuring trust in data

Answer: D

The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.

Q157. When a significant security breach occurs, what should be reported FIRST to senior management? 

A. A summary of the security logs that illustrates the sequence of events 

B. An explanation of the incident and corrective action taken 

C. An analysis of the impact of similar attacks at other organizations 

D. A business case for implementing stronger logical access controls

Answer: B

When reporting an incident to senior management, the initial information to be communicated should include an explanation of what happened and how the breach was resolved. A summary of security logs would be too technical to report to senior management. An analysis of the impact of similar attacks and a business case for improving controls would be desirable; however, these would be communicated later in the process.

Q158. Effective IT governance is BEST ensured by: 

A. utilizing a bottom-up approach. 

B. management by the IT department. 

C. referring the matter to the organization's legal department. 

D. utilizing a top-down approach.

Answer: D

Effective IT governance needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of them. Regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. IT governance affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process, but cannot take full responsibility.

Q159. In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST: 

A. prepare a security budget. 

B. conduct a risk assessment. 

C. develop an information security policy. 

D. obtain benchmarking information.

Answer: B

Risk assessment, evaluation and impact analysis are the starting point for drawing management's attention to information security. All other choices follow the risk assessment.

Q160. When performing a qualitative risk analysis, which of the following will BEST produce reliable results? 

A. Estimated productivity losses 

B. Possible scenarios with threats and impacts 

C. Value of information assets 

D. Vulnerability assessment

Answer: B

Listing all possible scenarios that could occur, along with their threats and impacts, better frames the range of risks and facilitates a more informed discussion and decision. Estimated productivity losses, the value of information assets and vulnerability assessments would not be sufficient on their own.
