Your success in Isaca CISM is our sole target and we develop all our CISM braindumps in a way that facilitates the attainment of this target. Not only is our CISM study material the best you can find, it is also the most detailed and the most updated. CISM Practice Exams for Isaca CISM are written to the highest standards of technical accuracy.

Q161. Which of the following groups would be in the BEST position to perform a risk analysis for a business? 

A. External auditors 

B. A peer group within a similar business 

C. Process owners 

D. A specialized management consultant 



Process owners have the most in-depth knowledge of risks and compensating controls within their environment. External parties do not have that level of detailed knowledge on the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business. 

Q162. The MOST complete business case for security solutions is one that. 

A. includes appropriate justification. 

B. explains the current risk profile. 

C. details regulatory requirements. 

D. identifies incidents and losses. 



Management is primarily interested in security solutions that can address risks in the most cost-effective way. To address the needs of an organization, a business case should address appropriate security solutions in line with the organizational strategy. 

Q163. What is the MAIN risk when there is no user management representation on the Information Security Steering Committee? 

A. Functional requirements are not adequately considered. 

B. User training programs may be inadequate. 

C. Budgets allocated to business units are not appropriate. 

D. Information security plans are not aligned with business requirements 



The steering committee controls the execution of the information security strategy, according to the needs of the organization, and decides on the project prioritization and the execution plan. User management is an important group that should be represented to ensure that the information security plans are aligned with the business needs. Functional requirements and user training programs are considered to be part of the projects but are not the main risks. The steering committee does not approve budgets for business units. 

Q164. Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers? 

A. Daily 

B. Weekly 

C. Concurrently with O/S patch updates 

D. During scheduled change control updates 



New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored on antivirus signature files so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system. 

Q165. Which of the following would be the BEST metric for the IT risk management process? 

A. Number of risk management action plans 

B. Percentage of critical assets with budgeted remedial 

C. Percentage of unresolved risk exposures 

D. Number of security incidents identified 



Percentage of unresolved risk exposures and the number of security incidents identified contribute to the IT risk management process, but the percentage of critical assets with budgeted remedial is the most indicative metric. Number of risk management action plans is not useful for assessing the quality of the process. 

Q166. To achieve effective strategic alignment of security initiatives, it is important that: 

A. Steering committee leadership be selected by rotation. 

B. Inputs be obtained and consensus achieved between the major organizational units. 

C. The business strategy be updated periodically. 

D. Procedures and standards be approved by all departmental heads. 



It is important to achieve consensus on risks and controls, and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization. Rotation of steering committee leadership does not help in achieving strategic alignment. Updating business strategy does not lead to strategic alignment of security initiatives. Procedures and standards need not be approved by all departmental heads 

Q167. A security risk assessment exercise should be repeated at regular intervals because: 

A. business threats are constantly changing. 

B. omissions in earlier assessments can be addressed. 

C. repetitive assessments allow various methodologies. 

D. they help raise awareness on security in the business. 



As business objectives and methods change, the nature and relevance of threats change as well. Choice B does not, by itself, justify regular reassessment. Choice C is not necessarily true in all cases. Choice D is incorrect because there are better ways of raising security awareness than by performing a risk assessment. 

Q168. It is MOST important that information security architecture be aligned with which of the following? 

A. Industry best practices 

B. Information technology plans 

C. Information security best practices 

D. Business objectives and goals 



Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison. 

Q169. Senior management commitment and support for information security can BEST be obtained through presentations that: 

A. use illustrative examples of successful attacks. 

B. explain the technical risks to the organization. 

C. evaluate the organization against best security practices. 

D. tie security risks to key business objectives. 



Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives. 

Q170. A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account? 

A. Prevent the system from being accessed remotely 

B. Create a strong random password 

C. Ask for a vendor patch 

D. Track usage of the account by audit trails 



Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risks. Vendor patches are not always available, tracking usage is a detective control and will not prevent an attack.