Top Isaca CISM preparation labs Choices

Master the CISM Certified Information Security Manager content and be ready for exam day success quickly with this Testking CISM rapidshare. We guarantee it! We make it a reality and give you real CISM questions in our Isaca CISM braindumps. The latest 100% valid Isaca CISM exam questions are on the page below. You can use our Isaca CISM braindumps and pass your exam.


Q171. Which of the following is the BEST reason to perform a business impact analysis (BIA)? 

A. To help determine the current state of risk 

B. To budget appropriately for needed controls 

C. To satisfy regulatory requirements 

D. To analyze the effect on the business 

The BIA is included as part of the process to determine the current state of risk and helps determine the acceptable levels of response to impacts and the current level of response, leading to a gap analysis. Budgeting appropriately may come as a result, but is not the reason to perform the analysis. Performing an analysis may satisfy regulatory requirements, but is not the reason to perform one. Analyzing the effect on the business is part of the process, but one must also determine the needs or acceptable effect or response. 

Q172. When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify: 

A. the information security steering committee. 

B. customers who may be impacted. 

C. data owners who may be impacted. 

D. regulatory agencies overseeing privacy. 



The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Other parties will be notified later as required by corporate policy and regulatory requirements. 

Q173. Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers? 

A. Daily 

B. Weekly 

C. Concurrently with O/S patch updates 

D. During scheduled change control updates 



New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored in antivirus signature files, so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system. 

Q174. To justify its ongoing security budget, which of the following would be of MOST use to the information security department? 

A. Security breach frequency 

B. Annualized loss expectancy (ALE) 

C. Cost-benefit analysis 

D. Peer group comparison 



Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact. Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization. 

Q175. In order to highlight to management the importance of network security, the security manager should FIRST: 

A. develop a security architecture. 

B. install a network intrusion detection system (NIDS) and prepare a list of attacks. 

C. develop a network security policy. 

D. conduct a risk assessment. 



A risk assessment would be most helpful to management in understanding at a very high level the threats, probabilities and existing controls. Developing a security architecture, installing a network intrusion detection system (NIDS) and preparing a list of attacks on the network and developing a network security policy would not be as effective in highlighting the importance to management and would follow only after performing a risk assessment. 

Q176. Information security managers should use risk assessment techniques to: 

A. justify selection of risk mitigation strategies. 

B. maximize the return on investment (ROI). 

C. provide documentation for auditors and regulators. 

D. quantify risks that would otherwise be subjective. 



Information security managers should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible. None of the other choices accomplishes that task, although they are important components. 

Q177. Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization? 

A. The information security department has difficulty filling vacancies. 

B. The chief information officer (CIO) approves security policy changes. 

C. The information security oversight committee only meets quarterly. 

D. The data center manager has final signoff on all security projects. 



A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals. 

Q178. Which of the following is the BEST method or technique to ensure the effective implementation of an information security program? 

A. Obtain the support of the board of directors. 

B. Improve the content of the information security awareness program. 

C. Improve the employees' knowledge of security policies. 

D. Implement logical access controls to the information systems. 



It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and C are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program. 

Q179. Which of the following is characteristic of centralized information security management? 

A. More expensive to administer 

B. Better adherence to policies 

C. More aligned with business unit needs 

D. Faster turnaround of requests 



Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to economies of scale. However, turnaround can be slower due to the lack of alignment with business units. 

Q180. Quantitative risk analysis is MOST appropriate when assessment data: 

A. include customer perceptions. 

B. contain percentage estimates. 

C. do not contain specific details. 

D. contain subjective information. 



Percentage estimates are characteristic of quantitative risk analysis. Customer perceptions, lack of specific details or subjective information lend themselves more to qualitative risk analysis.