CISM - Risk management & Response questions with correct answers 2024/2025

Exam (elaborations), Questions & answers. Preview 4 out of 38 pages. Published August 19, 2024 by seller Qualityexam.

CISM - Risk management & Response

Which of the following would BEST address the risk of data leakage?

File backup procedures
Database integrity checks
Acceptable use policies
Incident response procedures

C is the correct answer.

Justification

File backup procedures ensure the availability of information in alignment with data retention
requirements but do nothing to prevent leakage.

Database integrity checks verify the allocation and structural integrity of all the objects in the
specified database but do nothing to prevent leakage.

An acceptable use policy establishes an agreement between users and the enterprise and
defines for all parties the ranges of use that are approved before gaining access to a
network or the Internet.

Incident response procedures provide detailed steps that help an organization minimize the
impact of an adverse event and do not directly address data leakage.

Risk acceptance is a component of which of the following?

Risk assessment
Risk treatment
Risk identification
Risk monitoring

B is the correct answer.

Justification

Risk assessment includes identification and analysis to determine the likelihood and
potential consequences of a compromise, which is not when risk is to be considered for
acceptance or requires mitigation.

If after risk evaluation a risk is unacceptable, acceptability is determined after risk mitigation
efforts.

Risk identification is the process during assessment during which viable risk is identified
through developing a series of potential risk scenarios.

Monitoring is unrelated to risk acceptance.

In controlling information leakage, management should FIRST establish:

a data leak prevention program.
user awareness training.
an information classification process.
a network intrusion detection system.

C is the correct answer.

Justification

Only after data are determined critical to the organization can a data leak prevention
program be properly implemented.

User awareness training can be helpful but only after data have been classified.

Information classification must be conducted first.

Network intrusion detection is a technology that can support the data leak prevention
program, but it is not a primary consideration.

Which of the following is the MOST appropriate use of gap analysis?

Evaluating a business impact analysis
Developing a balanced business scorecard
Demonstrating the relationship between controls
Measuring current state versus desired future state

D is the correct answer.

Justification

A gap analysis is not as appropriate for evaluating a business impact analysis.

A gap analysis is not as appropriate for developing a business balanced scorecard.

A gap analysis is not as appropriate for demonstrating the relationship between controls.

A gap analysis is most useful in addressing the differences between the current state and
future state.

The decision as to whether an IT risk has been reduced to an acceptable level should be determined by:

organizational requirements.
information systems requirements.
information security requirements.
international standards.

A is the correct answer.

Justification

Organizational requirements should determine when a risk has been reduced to an
acceptable level.

The acceptability of a risk is ultimately a management decision, which may or may not be
consistent with information systems requirements.

The acceptability of a risk is ultimately a management decision, which may or may not be
consistent with information security requirements.

Because each organization is unique, international standards may not represent the best
solution for specific organizations and are primarily a guideline.

Which of the following measures would be MOST effective against insider threats to confidential information?

Role-based access control
Audit trail monitoring
Privacy policy
Defense in depth

A is the correct answer.

Justification

Role-based access control is a preventive control that provides access according to
business needs; therefore, it reduces unnecessary access rights and enforces
accountability.

Audit trail monitoring is a detective control, which is "after the fact."

Privacy policy is not relevant to this risk.

Defense in depth primarily focuses on external threats and control layering.

Which of the following BEST indicates a successful risk management practice?

Overall risk is quantified.
Inherent risk is eliminated.
Residual risk is minimized.
Control risk is tied to business units.

C is the correct answer.

Justification

The fact that overall risk has been quantified does not necessarily indicate the existence of a
successful risk management practice.

Eliminating inherent risk is virtually impossible.

A successful risk management practice reduces residual risk to acceptable levels.

Although the tying of control risk to business may improve accountability, this is not as
desirable as achieving acceptable residual risk levels.

What is the PRIMARY objective of a risk management program?

Minimize inherent risk.
Eliminate business risk.

D is the correct answer.

Justification

Inherent risk may already be acceptable and require no remediation. Minimizing below the
acceptable level is not the objective and usually raises costs.

Elimination of business risk is not possible.

Effective controls are naturally a clear objective of a risk management program to the extent
of achieving the primary goal of achieving acceptable risk across the organization.

The goal of a risk management program is to ensure that acceptable risk levels are achieved
and maintained.
