Master the CISM Certified Information Security Manager content and be ready for exam day success quickly with this Ucertify CISM real exam. We guarantee it!We make it a reality and give you real CISM questions in our Isaca CISM braindumps.Latest 100% VALID Isaca CISM Exam Questions Dumps at below page. You can use our Isaca CISM braindumps and pass your exam.

Q171. A risk management program would be expected to: 

A. remove all inherent risk. 

B. maintain residual risk at an acceptable level. 

C. implement preventive controls for every threat. 

D. reduce control risk to zero. 



The object of risk management is to ensure that all residual risk is maintained at a level acceptable to the business; it is not intended to remove every identified risk or implement controls for every threat since this may not be cost-effective. Control risk, i.e., that a control may not be effective, is a component of the program but is unlikely to be reduced to zero. 

Q172. To ensure that payroll systems continue on in an event of a hurricane hitting a data center, what would be the FIRS T crucial step an information security manager would take in ensuring business continuity planning? 

A. Conducting a qualitative and quantitative risk analysis. 

B. Assigning value to the assets. 

C. Weighing the cost of implementing the plan vs. financial loss. 

D. Conducting a business impact analysis (BIA). 



BIA is an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. It is the first crucial step in business continuity planning. Qualitative and quantitative risk analysis will have been completed to define the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events. Assigning value to assets is part of the BIA process. Weighing the cost of implementing the plan vs. financial loss is another part of the BIA. 

Q173. Which of the following guarantees that data in a file have not changed? 

A. Inspecting the modified date of the file 

B. Encrypting the file with symmetric encryption 

C. Using stringent access control to prevent unauthorized access 

D. Creating a hash of the file, then comparing the file hashes 



A hashing algorithm can be used to mathematically ensure that data haven't been changed by hashing a file and comparing the hashes after a suspected change. 

Q174. What is the MOST important factor in the successful implementation of an enterprise wide information security program? 

A. Realistic budget estimates 

B. Security awareness 

C. Support of senior management 

D. Recalculation of the work factor 



Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other group, will more successfully drive the program. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. Recalculation of the work factor is a part of risk management. 

Q175. Which of the following is MOST appropriate for inclusion in an information security 


A. Business controls designated as key controls 

B. Security processes, methods, tools and techniques 

C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings 

D. Budget estimates to acquire specific security tools 



A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document. 

Q176. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST: 

A. develop an operational plan for achieving compliance with the legislation. 

B. identify systems and processes that contain privacy components. 

C. restrict the collection of personal information until compliant. 

D. identify privacy legislation in other countries that may contain similar requirements. 



Identifying the relevant systems and processes is the best first step. Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step. Restricting the collection of personal information comes later. Identifying privacy legislation in other countries would not add much value. 

Q177. The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to: 

A. provide in-depth defense. 

B. separate test and production. 

C. permit traffic load balancing. 

D. prevent a denial-of-service attack. 



Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing. As they both connect to the Internet and to the same demilitarized zone (DMZ), such an arrangement is not practical for separating test from production or preventing a denial-of-service attack. 

Q178. The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the: 

A. sales department. 

B. database administrator. 

C. chief information officer (CIO). 

D. head of the sales department. 



The owner of the information asset should be the person with the decision-making power in the department deriving the most benefit from the asset. In this case, it would be the head of the sales department. The organizational unit cannot be the owner of the asset because that removes personal responsibility. The database administrator is a custodian. The chief information officer (CIO) would not be an owner of this database because the CTO is less likely to be knowledgeable about the specific needs of sales operations and security concerns. 

Q179. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the: 

A. corporate data privacy policy. 

B. data privacy policy where data are collected. 

C. data privacy policy of the headquarters' country. 

D. data privacy directive applicable globally. 



As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific. 

Q180. Information security should be: 

A. focused on eliminating all risks. 

B. a balance between technical and business requirements. 

C. driven by regulatory requirements. 

D. defined by the board of directors. 



Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.