Top Isaca CISM forum Choices


2021 Feb CISM free download

Q91. An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution? 

A. Rewrite the application to conform to the upgraded operating system 

B. Compensate for not installing the patch with mitigating controls 

C. Alter the patch to allow the application to run in a privileged state 

D. Run the application on a test platform; tune production to allow patch and application 


Since the operating system (OS) patch will adversely impact a critical application, a mitigating control should be identified that will provide an equivalent level of security. Since the application is critical, the patch should not be applied without regard for the application; business requirements must be considered. Altering the OS patch to allow the application to run in a privileged state may create new security weaknesses. Finally, running a production application on a test platform is not an acceptable alternative since it will mean running a critical production application on a platform not subject to the same level of security controls.

Q92. Which of the following would be the BEST metric for the IT risk management process? 

A. Number of risk management action plans 

B. Percentage of critical assets with budgeted remedial 

C. Percentage of unresolved risk exposures 

D. Number of security incidents identified 


Percentage of unresolved risk exposures and the number of security incidents identified contribute to the IT risk management process, but the percentage of critical assets with budgeted remedial is the most indicative metric. Number of risk management action plans is not useful for assessing the quality of the process.

Q93. Which of the following is MOST likely to be discretionary? 

A. Policies 

B. Procedures 

C. Guidelines 

D. Standards 


Policies define security goals and expectations for an organization. These are defined in more specific terms within standards and procedures. Standards establish what is to be done while procedures describe how it is to be done. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.

Q94. Who is responsible for ensuring that information is categorized and that specific protective measures are taken? 

A. The security officer 

B. Senior management 

C. The end user 

D. The custodian 


Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

Q95. Which of the following should be determined while defining risk management strategies? 

A. Risk assessment criteria 

B. Organizational objectives and risk appetite 

C. IT architecture complexity 

D. Enterprise disaster recovery plans 


While defining risk management strategies, one needs to analyze the organization's objectives and risk appetite and define a risk management framework based on this analysis. Some organizations may accept known risks, while others may invest in and apply mitigation controls to reduce risks. Risk assessment criteria would become part of this framework, but only after proper analysis. IT architecture complexity and enterprise disaster recovery plans are more directly related to assessing risks than defining strategies.


Q96. After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program? 

A. Define security metrics 

B. Conduct a risk assessment 

C. Perform a gap analysis 

D. Procure security tools 


When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. Defining security metrics, performing a gap analysis and procuring security tools are all subsequent considerations.

Q97. The recovery time objective (RTO) is reached at which of the following milestones? 

A. Disaster declaration 

B. Recovery of the backups 

C. Restoration of the system 

D. Return to business as usual processing 


The recovery time objective (RTO) is based on the amount of time required to restore a system; disaster declaration occurs at the beginning of this period. Recovery of the backups occurs shortly after the beginning of this period. Return to business as usual processing occurs significantly later than the RTO. RTO is an "objective," and full restoration may or may not coincide with the RTO. RTO can be the minimum acceptable operational level, far short of normal operations.

Q98. After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be: 

A. transferred. 

B. treated. 

C. accepted. 

D. terminated. 


When the cost of control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.

Q99. Which of the following is the MOST important to keep in mind when assessing the value of information? 

A. The potential financial loss 

B. The cost of recreating the information 

C. The cost of insurance coverage 

D. Regulatory requirement 


The potential for financial loss is always a key factor when assessing the value of information. Choices B, C and D may be contributors, but not the key factor.

Q100. Relationships among security technologies are BEST defined through which of the following? 

A. Security metrics 

B. Network topology 

C. Security architecture 

D. Process improvement models 


Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.
