ISACA Certified Information Security Manager CISM Dumps in PDF

Free ISACA CISM Real Questions (page: 59)

Risk assessment is MOST effective when performed:

  1. at the beginning of security program development.
  2. on a continuous basis.
  3. while developing the business case for the security program.
  4. during the business change process.

Answer(s): B

Explanation:

Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.



Which of the following is the MAIN reason for performing risk assessment on a continuous basis'?

  1. Justification of the security budget must be continually made.
  2. New vulnerabilities are discovered every day.
  3. The risk environment is constantly changing.
  4. Management needs to be continually informed about emerging risks.

Answer(s): C

Explanation:

The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.



There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?

  1. Identify the vulnerable systems and apply compensating controls
  2. Minimize the use of vulnerable systems
  3. Communicate the vulnerability to system users
  4. Update the signatures database of the intrusion detection system (IDS)

Answer(s): A

Explanation:

The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.



Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?

  1. Business impact analysis (BIA)
  2. Penetration testing
  3. Audit and review
  4. Threat analysis

Answer(s): B

Explanation:

Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.



Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

  1. Countermeasure cost-benefit analysis
  2. Penetration testing
  3. Frequent risk assessment programs
  4. Annual loss expectancy (ALE) calculation

Answer(s): A

Explanation:

In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but. alone, will not justify a control.



Share your comments for ISACA CISM exam with other users:

J
jaya
12/17/2023 8:36:00 AM

good for students

B
Bsmaind
8/20/2023 9:23:00 AM

nice practice dumps

K
kumar
11/15/2023 11:24:00 AM

nokia 4a0-114 dumps

V
Vetri
10/3/2023 12:59:00 AM

great content and wonderful to have the answers with explanation

R
Ranjith
8/21/2023 3:39:00 PM

for question #118, the answer is option c. the screen shot is showing the drop down, but the answer is marked incorrectly please update . thanks for sharing such nice questions.

E
Eduardo Ramírez
12/11/2023 9:55:00 PM

the correct answer for the question 29 is d.

D
Dass
11/2/2023 7:43:00 AM

question no 22: correct answers: bc, 1 per session 1 per page 1 per component always

R
Reddy
12/14/2023 2:42:00 AM

these are pretty useful

D
Daisy Delgado
1/9/2023 1:05:00 PM

awesome

A
Atif
6/13/2023 4:09:00 AM

yes please upload

X
Xunil
6/12/2023 3:04:00 PM

great job whoever put this together, for the greater good! thanks!

L
Lakshmi
10/2/2023 5:26:00 AM

just started to view all questions for the exam

R
rani
1/19/2024 11:52:00 AM

helpful material

G
Greg
11/16/2023 6:59:00 AM

hope for the best

H
hi
10/5/2023 4:00:00 AM

will post exam has finished

V
Vmotu
8/24/2023 11:14:00 AM

really correct and good analyze!

H
hicham
5/30/2023 8:57:00 AM

excellent thanks a lot

S
Suman C
7/7/2023 8:13:00 AM

will post once pass the cka exam

R
Ram
11/3/2023 5:10:00 AM

good content

N
Nagendra Pedipina
7/13/2023 2:12:00 AM

q:32 answer has to be option c

T
Tamer Barakat
12/7/2023 5:17:00 PM

nice questions

D
Daryl
8/1/2022 11:33:00 PM

i really like the support team in this website. they are fast in communication and very helpful.

C
Curtis Nakawaki
6/29/2023 9:13:00 PM

a good contemporary exam review

X
x-men
5/23/2023 1:02:00 AM

q23, its an array, isnt it? starts with [ and end with ]. its an array of objects, not object.

A
abuti
7/21/2023 6:24:00 PM

cool very helpfull

K
Krishneel
3/17/2023 10:34:00 AM

i just passed. this exam dumps is the same one from prepaway and examcollection. it has all the real test questions.

R
Regor
12/4/2023 2:01:00 PM

is this a valid prince2 practitioner dumps?

A
asl
9/14/2023 3:59:00 PM

all are relatable questions

S
Siyya
1/19/2024 8:30:00 PM

might help me to prepare for the exam

T
Ted
6/21/2023 11:11:00 PM

just paid and downlaod the 2 exams using the 50% sale discount. so far i was able to download the pdf and the test engine. all looks good.

P
Paul K
11/27/2023 2:28:00 AM

i think it should be a,c. option d goes against the principle of building anything custom unless there are no work arounds available

P
ph
6/16/2023 12:41:00 AM

very legible

S
sephs2001
7/31/2023 10:42:00 PM

is this exam accurate or helpful?

A
ash
7/11/2023 3:00:00 AM

please upload dump, i have exam in 2 days

AI Tutor 👋 I’m here to help!