Download Certified Information Security Manager.CISM.PracticeTest.2018-08-01.393q.vcex

Vendor: ISACA
Exam Code: CISM
Exam Name: Certified Information Security Manager
Date: Aug 01, 2018
File Size: 362 KB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Purchase
Coupon: EXAM_HUB

Discount: 20%

Demo Questions

Question 1
Which of the following results from the risk assessment process would BEST assist risk management decision making?
  1. Control risk
  2. Inherent risk
  3. Risk exposure
  4. Residual risk
Correct answer: D
Explanation:
Residual risk provides management with sufficient information to decide to the level of risk that an organization is willing to accept. Control risk is the risk that a control may not succeed in preventing an undesirable event. Risk exposure is the likelihood of an undesirable event occurring. Inherent risk is an important factor to be considered during the risk assessment.
Residual risk provides management with sufficient information to decide to the level of risk that an organization is willing to accept. Control risk is the risk that a control may not succeed in preventing an undesirable event. Risk exposure is the likelihood of an undesirable event occurring. Inherent risk is an important factor to be considered during the risk assessment.
Question 2
The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?
  1. Mitigating controls
  2. Visibility of impact
  3. Likelihood of occurrence
  4. Incident frequency
Correct answer: B
Explanation:
Visibility of impact is the best measure since it manages risks to an organization in the timeliest manner. Likelihood of occurrence and incident frequency are not as relevant. Mitigating controls is not a determining factor on incident reporting.
Visibility of impact is the best measure since it manages risks to an organization in the timeliest manner. Likelihood of occurrence and incident frequency are not as relevant. Mitigating controls is not a determining factor on incident reporting.
Question 3
Risk acceptance is a component of which of the following?
  1. Assessment
  2. Mitigation
  3. Evaluation
  4. Monitoring
Correct answer: B
Explanation:
Risk acceptance is one of the alternatives to be considered in the risk mitigation process. Assessment and evaluation are components of the risk analysis process. Risk acceptance is not a component of monitoring.
Risk acceptance is one of the alternatives to be considered in the risk mitigation process. Assessment and evaluation are components of the risk analysis process. Risk acceptance is not a component of monitoring.
Question 4
Risk management programs are designed to reduce risk to:
  1. a level that is too small to be measurable.
  2. the point at which the benefit exceeds the expense.
  3. a level that the organization is willing to accept.
  4. a rate of return that equals the current cost of capital.
Correct answer: C
Explanation:
Risk should be reduced to a level that an organization is willing to accept. Reducing risk to a level too small to measure is impractical and is often cost-prohibitive. To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered. Depending on the risk preference of an organization, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Therefore, choice C is a more precise answer.
Risk should be reduced to a level that an organization is willing to accept. Reducing risk to a level too small to measure is impractical and is often cost-prohibitive. To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered. Depending on the risk preference of an organization, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Therefore, choice C is a more precise answer.
Question 5
A risk assessment should be conducted:
  1. once a year for each business process and subprocess.
  2. every three to six months for critical business processes.
  3. by external parties to maintain objectivity.
  4. annually or whenever there is a significant change.
Correct answer: D
Explanation:
Risks are constantly changing. Choice D offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change. Conducting a risk assessment once a year is insufficient if important changes take place. Conducting a risk assessment every three-to-six months for critical processes may not be necessary, or it may not address important changes in a timely manner. It is not necessary for assessments to be performed by external parties.
Risks are constantly changing. Choice D offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change. Conducting a risk assessment once a year is insufficient if important changes take place. Conducting a risk assessment every three-to-six months for critical processes may not be necessary, or it may not address important changes in a timely manner. It is not necessary for assessments to be performed by external parties.
Question 6
The MOST important function of a risk management program is to:
  1. quantify overall risk.
  2. minimize residual risk.
  3. eliminate inherent risk.
  4. maximize the sum of all annualized loss expectancies (ALEs).
Correct answer: B
Explanation:
A risk management program should minimize the amount of risk that cannot be otherwise eliminated or transferred; this is the residual risk to the organization. Quantifying overall risk is important but not as critical as the end result. Eliminating inherent risk is virtually impossible. Maximizing the sum of all ALEs is actually the opposite of what is desirable.
A risk management program should minimize the amount of risk that cannot be otherwise eliminated or transferred; this is the residual risk to the organization. Quantifying overall risk is important but not as critical as the end result. Eliminating inherent risk is virtually impossible. Maximizing the sum of all ALEs is actually the opposite of what is desirable.
Question 7
Which of the following risks would BEST be assessed using qualitative risk assessment techniques?
  1. Theft of purchased software
  2. Power outage lasting 24 hours
  3. Permanent decline in customer confidence
  4. Temporary loss of e-mail due to a virus attack
Correct answer: C
Explanation:
A permanent decline in customer confidence does not lend itself well to measurement by quantitative techniques. Qualitative techniques are more effective in evaluating things such as customer loyalty and goodwill. Theft of software, power outages and temporary loss of e-mail can be quantified into monetary amounts easier than can be assessed with quantitative techniques.
A permanent decline in customer confidence does not lend itself well to measurement by quantitative techniques. Qualitative techniques are more effective in evaluating things such as customer loyalty and goodwill. Theft of software, power outages and temporary loss of e-mail can be quantified into monetary amounts easier than can be assessed with quantitative techniques.
Question 8
Which of the following will BEST prevent external security attacks?
  1. Static IP addressing
  2. Network address translation
  3. Background checks for temporary employees
  4. Securing and analyzing system access logs
Correct answer: B
Explanation:
Network address translation is helpful by having internal addresses that are nonroutable. Background checks of temporary employees are more likely to prevent an attack launched from within the enterprise. Static IP addressing does little to prevent an attack. Writing all computer logs to removable media does not help in preventing an attack.
Network address translation is helpful by having internal addresses that are nonroutable. Background checks of temporary employees are more likely to prevent an attack launched from within the enterprise. Static IP addressing does little to prevent an attack. Writing all computer logs to removable media does not help in preventing an attack.
Question 9
In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:
  1. original cost to acquire.
  2. cost of the software stored.
  3. annualized loss expectancy (ALE).
  4. cost to obtain a replacement.
Correct answer: D
Explanation:
The value of the server should be based on its cost of replacement. The original cost may be significantly different from the current cost and, therefore, not as relevant. The value of the software is not at issue because it can be restored from backup media. The ALE for all risks related to the server does not represent the server's value.
The value of the server should be based on its cost of replacement. The original cost may be significantly different from the current cost and, therefore, not as relevant. The value of the software is not at issue because it can be restored from backup media. The ALE for all risks related to the server does not represent the server's value.
Question 10
A business impact analysis (BIA) is the BEST tool for calculating:
  1. total cost of ownership.
  2. priority of restoration.
  3. annualized loss expectancy (ALE).
  4. residual risk.
Correct answer: B
Explanation:
A business impact analysis (BIA) is the best tool for calculating the priority of restoration for applications. It is not used to determine total cost of ownership, annualized loss expectancy (ALE) or residual risk to the organization.
A business impact analysis (BIA) is the best tool for calculating the priority of restoration for applications. It is not used to determine total cost of ownership, annualized loss expectancy (ALE) or residual risk to the organization.
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX AND EXAM FILES

Use ProfExam Simulator to open VCEX and EXAM files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!