The PRIMARY goal of a corporate risk management program is to ensure that an organization's:
Options are:
Answer: stated objectives are achievable.

CISM Information Risk Management Certification Test

The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?
Options are:
Answer: Visibility of impact

Risk management programs are designed to reduce risk to:
Options are:
Answer: a level that the organization is willing to accept

Which of the following will BEST protect an organization from internal security attacks?
Options are:
Answer: Prospective employee background checks

CISM Information Security Governance Certified

Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?
Options are:
Answer: Entitlement changes

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
Options are:
Answer: Heat charts

In a business impact analysis, the value of an information system should be based on the overall cost:
Options are:
Answer: if unavailable.

CISM Information Security Governance Practice Test Set 2

Which of the following risks would BEST be assessed using quantitative risk assessment techniques?
Options are:
Answer: An electrical power outage

Risk acceptance is a component of which of the following?
Options are:
Answer: Mitigation

The value of information assets is BEST determined by:
Options are:
Answer: individual business managers.

CISM Information Risk Management Certification Practice

The recovery point objective (RPO) requires which of the following?
Options are:
Answer: Before-image restoration

Which two components PRIMARILY must be assessed in an effective risk analysis?
Options are:
Answer: Likelihood and impact

The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:
Options are:
Answer: financial losses incurred by affected business units.

CISM Incident Management Response Certified Practice Exam Set 2

Acceptable risk is achieved when:
Options are:
Answer: residual risk is minimized

An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:
Options are:
Answer: vulnerability.

A risk assessment should be conducted:
Options are:
Answer: annually or whenever there is a significant change.

CISM Information Security Program Management Practice

Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
Options are:
Answer: Chief operations officer (COO)

Which of the following will BEST prevent external security attacks?
Options are:
Answer: Network address translation

A risk analysis should:
Options are:
Answer: address the potential size and likelihood of loss.

CISM Information Security Program Management Practice Exam

The MOST effective way to incorporate risk management practices into existing production systems is through:
Options are:
Answer: change management.

Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
Options are:
Answer: Business impact analysis

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
Options are:
Answer: data owners who may be impacted.

Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?
Options are:
Answer: Change management procedures are poor

Which of the following groups would be in the BEST position to perform a risk analysis for a business?
Options are:
Answer: Process owners

Which of the following would be the MOST relevant factor when defining the information classification policy?
Options are:
Answer: Requirements of data owners

CISM Information Security Program Management Test

When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
Options are:
Answer: Possible scenarios with threats and impacts

The PRIMARY reason for initiating a policy exception process is when:
Options are:
Answer: the risk is justified by the benefit.

An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
Options are:
Answer: Gap analysis

CISM Information Security Program Development Practice

The MOST effective use of a risk register is to:
Options are:
Answer: facilitate a thorough review of all IT-related risks on a periodic basis.

An information security organization should PRIMARILY:
Options are:
Answer: support the business objectives of the company by providing security-related support services.

An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
Options are:
Answer: mitigating the risk.

CISM Information Risk Management Certification

Which of the following are the essential ingredients of a business impact analysis (BIA)?
Options are:
Answer: Downtime tolerance, resources and criticality

After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?
Options are:
Answer: Business manager