10 Tips For CISM IT professionals

Candidates grow wiser by practicing with our Isaca exam braindumps every day. You'll confidently and successfully pass your real exam. We spare no effort to reduce your likelihood of failure. You'll be proud of yourself once you get certified. Additionally, we also provide a 100% money-back policy: if you unfortunately fail, we will refund you after confirming your details.

2021 Feb CISM practice exam

Q1. The BEST way to justify the implementation of a single sign-on (SSO) product is to use: 

A. return on investment (ROI). 

B. a vulnerability assessment. 

C. annual loss expectancy (ALE). 

D. a business case. 



A business case shows both direct and indirect benefits, along with the investment required and the expected returns, thus making it useful to present to senior management. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process improvement and learning. A vulnerability assessment is more technical in nature and would only identify and assess the vulnerabilities. This would also not provide insights on indirect benefits. Annual loss expectancy (ALE) would not weigh the advantages of implementing single sign-on (SSO) in comparison to the cost of implementation. 

Q2. The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by: 

A. periodically testing the incident response plans. 

B. regularly testing the intrusion detection system (IDS). 

C. establishing mandatory training of all personnel. 

D. periodically reviewing incident response procedures. 



Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis. 

Q3. Which of the following risks is represented in the risk appetite of an organization? 

A. Control 

B. Inherent 

C. Residual 

D. Audit 



Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization's risk appetite and is the amount of residual risk that a business is living with that affects its viability. Hence, inherent risk is incorrect. Control risk, the potential for controls to fail, and audit risk, which relates only to audit's approach to their work, are not relevant in this context. 

Q4. A risk management approach to information protection is: 

A. managing risks to an acceptable level, commensurate with goals and objectives. 

B. accepting the security posture provided by commercial security products. 

C. implementing a training program to educate individuals on information protection and risks. 

D. managing risk tools to ensure that they assess all information protection vulnerabilities. 



Risk management is identifying all risks within an organization, establishing an acceptable level of risk and effectively managing risks, which may include mitigation or transfer. Accepting the security posture provided by commercial security products is an approach that would be limited to technology components and may not address all business operations of the organization. Education is a part of the overall risk management process. Tools may be limited to technology and would not address non-technology risks. 

Q5. Information security governance is PRIMARILY driven by: 

A. technology constraints. 

B. regulatory requirements. 

C. litigation potential. 

D. business strategy. 



Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy. 

Replace CISM practice test:

Q6. When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint? 

A. Compliance with international security standards. 

B. Use of a two-factor authentication system. 

C. Existence of an alternate hot site in case of business disruption. 

D. Compliance with the organization's information security requirements. 



From a security standpoint, compliance with the organization's information security requirements is one of the most important topics that should be included in the contract with a third-party service provider. The scope of implemented controls in any ISO 27001-compliant organization depends on the security requirements established by each organization. Requiring compliance only with this security standard does not guarantee that a service provider complies with the organization's security requirements. The requirement to use a specific kind of control methodology is not usually stated in the contract with third-party service providers. 

Q7. Which of the following is MOST important to the success of an information security program? 

A. Security awareness training 

B. Achievable goals and objectives 

C. Senior management sponsorship 

D. Adequate start-up budget and staffing 



Sufficient senior management support is the most important factor for the success of an information security program. Security awareness training, although important, is secondary. Achievable goals and objectives as well as having adequate budgeting and staffing are important factors, but they will not ensure success if senior management support is not present. 

Q8. Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following? 

A. Tree diagrams 

B. Venn diagrams 

C. Heat charts 

D. Bar charts 



Heat charts, sometimes referred to as stoplight charts, quickly and clearly show the current status of remediation efforts. Venn diagrams show the connection between sets; tree diagrams are useful for decision analysis; and bar charts show relative size. 

Q9. The PRIMARY reason for initiating a policy exception process is when: 

A. operations are too busy to comply. 

B. the risk is justified by the benefit. 

C. policy compliance would be difficult to enforce. 

D. users may initially be inconvenienced. 



Exceptions to policy are warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits. Being busy is not a justification for policy exceptions, nor is the fact that compliance cannot be enforced. User inconvenience is not a reason to automatically grant exception to a policy. 

Q10. The MOST appropriate role for senior management in supporting information security is the: 

A. evaluation of vendors offering security products. 

B. assessment of risks to the organization. 

C. approval of policy statements and funding. 

D. monitoring adherence to regulatory requirements. 



Since the members of senior management are ultimately responsible for information security, they are the ultimate decision makers in terms of governance and direction. They are responsible for approval of major policy statements and requests to fund the information security practice. Evaluation of vendors, assessment of risks and monitoring compliance with regulatory requirements are day-to-day responsibilities of the information security manager; in some organizations, business management is involved in these other activities, though their primary role is direction and governance. 
