October 11, 2017

Top-Quality CISM Practice Tips

It is very hard to pass the ISACA CISM exam in a short time without help. Testking offers up-to-date, accurate ISACA CISM practice questions, and the Certified Information Security Manager practice questions below, each with an explanation of the reasoning behind the correct choice, are a sample of that material.

Q21. Which of the following risks is represented in the risk appetite of an organization? 

A. Control 

B. Inherent 

C. Residual 

D. Audit 



Residual risk is the risk that remains after controls have been applied to the inherent risk. The amount of residual risk the business is willing to live with is what its risk appetite expresses, and it is this remaining risk that affects the organization's viability. Inherent risk is therefore incorrect, since it describes the exposure before any controls are considered. Control risk, the potential for controls to fail, and audit risk, which relates only to the audit function's approach to its own work, are not relevant in this context.

Q22. An information security manager must understand the relationship between information security and business operations in order to: 

A. support organizational objectives. 

B. determine likely areas of noncompliance. 

C. assess the possible impacts of compromise. 

D. understand the threats to the business. 



Security exists to provide a level of predictability for operations, to support the activities of the organization and to ensure the preservation of the organization. Business operations must drive security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis for measuring the effectiveness of, and giving direction to, the security program. Regulatory compliance may or may not be an organizational requirement; where it is, some level of compliance must be supported, but compliance is only one aspect. Understanding the business goals is necessary in order to assess potential impacts and evaluate threats, but these are only some of the ways in which security supports organizational objectives, not the whole of it.

Q23. Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk? 

A. Historical cost of the asset 

B. Acceptable level of potential business impacts 

C. Cost versus benefit of additional mitigating controls 

D. Annualized loss expectancy (ALE) 



The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important. 

Q24. Which of the following is the MOST important factor when designing information security architecture? 

A. Technical platform interfaces 

B. Scalability of the network 

C. Development methodologies 

D. Stakeholder requirements 



The most important factor for information security architecture is that it advances the interests of the business, as defined by stakeholder requirements. Platform interoperability, network scalability and development methodologies are all important, but they are without merit if the result is a technologically elegant solution that does not meet the needs of the business.

Q25. Which of the following would be MOST helpful to achieve alignment between information security and organization objectives? 

A. Key control monitoring 

B. A robust security awareness program 

C. A security program that enables business activities 

D. An effective security architecture 



A security program enabling business activities would be most helpful to achieve alignment between information security and organization objectives. All of the other choices are part of the security program and would not individually and directly help as much as the security program. 

Q26. Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program? 

A. Number of controls implemented 

B. Percent of control objectives accomplished 

C. Percent of compliance with the security policy 

D. Reduction in the number of reported security incidents 



Control objectives are directly related to business objectives; therefore, they would be the best metrics. Number of controls implemented does not have a direct relationship with the results of a security program. Percentage of compliance with the security policy and reduction in the number of security incidents are not as broad as choice B. 

Q27. A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that: 

A. there are sufficient safeguards in place to prevent this risk from happening. 

B. the needed countermeasure is too complicated to deploy. 

C. the cost of countermeasure outweighs the value of the asset and potential loss. 

D. the likelihood of the risk occurring is unknown. 



An organization may decide to live with a specific risk because protecting against it would cost more than the value of the potential loss. Safeguards need to match the risk level, so choosing not to act is not evidence that sufficient safeguards already exist. While a countermeasure could be too complicated to deploy, that is not the most compelling reason. It is unlikely that a global financial institution would be unaware of its exposure to DoS attacks or unable to estimate their frequency, so an unknown likelihood is not the most likely explanation. 

Q28. The cost of implementing a security control should not exceed the: 

A. annualized loss expectancy. 

B. cost of an incident. 

C. asset value. 

D. implementation opportunity costs. 



The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses that are expected to occur during a single year. A security mechanism may cost more than this amount (or more than the cost of a single incident) and still be considered cost effective, because its cost is spread over its useful life. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision. 
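The cost-versus-benefit reasoning behind Q23, Q27 and Q28 is easier to see with numbers. The script below is an added worked example, not part of the original question set or of any ISACA material: it computes single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annualized rate of occurrence), then compares the annual loss a control avoids against the control's annualized cost. The asset, the three candidate controls and all dollar figures are constructed for illustration. The decision rules are the ones the three explanations describe: reject any control whose implementation cost exceeds the asset's value (Q28), implement a control only when it removes more expected loss per year than it costs per year, and otherwise accept the residual risk (Q23, Q27).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Quantitative inputs for one asset/threat pair (values are constructed)."""
    asset_value: float      # AV: what the asset is worth
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy = AV x EF: the cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate mitigating control and the residual risk it leaves behind."""
    implementation_cost: float  # one-time cost to deploy
    annual_cost: float          # recurring operating/maintenance cost
    lifetime_years: int         # years over which the one-time cost is amortized
    residual_ef: float          # EF once the control is in place
    residual_aro: float         # ARO once the control is in place

    def annualized_cost(self) -> float:
        """Amortized one-time cost plus the yearly running cost."""
        return self.implementation_cost / self.lifetime_years + self.annual_cost


def evaluate(risk: Risk, control: Control) -> dict:
    """Compare annual risk reduction against annualized control cost.

    Q28: a control whose implementation cost exceeds the asset's value is never
    justified. Q23/Q27: otherwise implement it only if it avoids more expected
    loss per year than it costs per year; if not, accept the residual risk.
    """
    residual = Risk(risk.asset_value, control.residual_ef, control.residual_aro)
    reduction = risk.ale() - residual.ale()          # annual loss avoided
    net = reduction - control.annualized_cost()
    if control.implementation_cost > risk.asset_value:
        decision = "reject: implementation cost exceeds asset value"
    elif net > 0:
        decision = "implement control"
    else:
        decision = "accept residual risk"
    return {
        "sle": risk.sle(),
        "ale_before": risk.ale(),
        "ale_after": residual.ale(),
        "annual_risk_reduction": reduction,
        "annualized_control_cost": control.annualized_cost(),
        "net_annual_benefit": net,
        "decision": decision,
    }


# Constructed asset: worth 200,000, loses a quarter of its value per incident,
# one incident expected every four years (SLE = 50,000, ALE = 12,500).
CUSTOMER_DB = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.25)

# Constructed control costing more than one incident (SLE) and far more than
# the ALE, yet worthwhile once amortized over ten years: the point of Q28.
DOS_FILTERING = Control(implementation_cost=60_000, annual_cost=1_500,
                        lifetime_years=10, residual_ef=0.25, residual_aro=0.0625)

# Constructed control that eliminates the risk but costs more per year than
# the loss it avoids, so the residual risk is accepted (Q23, Q27).
SCRUBBING_SERVICE = Control(implementation_cost=120_000, annual_cost=5_000,
                            lifetime_years=10, residual_ef=0.25, residual_aro=0.0)

# Constructed control that costs more than the asset itself: rejected (Q28).
GOLD_PLATED = Control(implementation_cost=250_000, annual_cost=0,
                      lifetime_years=10, residual_ef=0.0, residual_aro=0.0)


if __name__ == "__main__":
    for name, control in [("DoS filtering", DOS_FILTERING),
                          ("scrubbing service", SCRUBBING_SERVICE),
                          ("gold-plated control", GOLD_PLATED)]:
        r = evaluate(CUSTOMER_DB, control)
        print(f"{name}: {r['decision']} "
              f"(avoids {r['annual_risk_reduction']:,.0f}/yr, "
              f"costs {r['annualized_control_cost']:,.0f}/yr)")
```

Running the script prints one line per control. The first control is accepted even though its 60,000 implementation cost exceeds both the SLE (50,000) and the ALE (12,500), because amortized over ten years plus maintenance it costs 7,500 a year against 9,375 a year of avoided loss, which is exactly the Q28 caveat that a control may cost more than the ALE or a single incident and still be cost effective.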

Q29. An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the: 

A. threat. 

B. loss. 

C. vulnerability. 

D. probability. 



Implementing more restrictive preventive controls mitigates vulnerabilities but not the threats. Losses and probability of occurrence may not be primarily or directly affected. 

Q30. Which of the following would BEST address the risk of data leakage? 

A. File backup procedures 

B. Database integrity checks 

C. Acceptable use policies 

D. Incident response procedures 



Acceptable use policies are the best measure for preventing the unauthorized disclosure of confidential information. The other choices do not address confidentiality of information. 
