Microsoft
Amazon
CompTIA
Salesforce
Cisco®
SAP
PMI
ISC
ISACA
VMware
HP
Palo Alto Networks
EC-Council
LPI
Google
Fortinet
All Vendors
  2. Home
  3. Exam List
  4. ISACA
  5. CISM

Certified Information Security Manager
CISM Exam

The cost of implementing a security control should not exceed the:

  1. annualized loss expectancy.
  2. cost of an incident.
  3. asset value.
  4. implementation opportunity costs.

Answer(s): C

Explanation:

The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses drat are expected to happen during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.



When a security standard conflicts with a business objective, the situation should be resolved by:

  1. changing the security standard.
  2. changing the business objective.
  3. performing a risk analysis.
  4. authorizing a risk acceptance.

Answer(s): C

Explanation:

Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance* is a process that derives from the risk analysis.



Minimum standards for securing the technical infrastructure should be defined in a security:

  1. strategy.
  2. guidelines.
  3. model.
  4. architecture.

Answer(s): D

Explanation:

Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.



Which of the following is MOST appropriate for inclusion in an information security strategy?

  1. Business controls designated as key controls
  2. Security processes, methods, tools and techniques
  3. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
  4. Budget estimates to acquire specific security tools

Answer(s): B

Explanation:

A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.




seagal
I just passed (310-025) SCJP test yesterday. Your guide is right on the money and almost covers every question word for word. Great work !
- Edmonton
Upvote


Illya
I passed my exam today with a score of 964. This was a difficult test but the preparation guide was very good. I would not have passed without the materials. Thank you very much for giving me the opportunity to better my life.
- Alberta
Upvote


Jackson
Exam syo-101 Exam I passed my exam today with no problem whatsoever. I just wanted to say a sincere thank you for the outstanding study guide. You guys are a phenomenal help when it comes to study assistance. Thanks and definitely expect to see me again.
- MJ
Upvote


CJ
Exam 1Z0-040: 1Z0-040 passed!!! I have passed my exam 59/60. You people are the boom. Thanks for the exam questions. They were so real!!
- UNITED STATES
Upvote


Oshrit
Dear Support, I passed (as you expected) the Sun Solaris Admin I (310-011) at first trial. Thank you so much.
- Israel
Upvote


Lee W.
Just thought I would let you know I took the CCDA test on Tuesday, like I planned and scored a 902!"
- China
Upvote


Micheal C.
I have used your Exams for preparation for 70-290, 70-291, 70-292, 70-296, 70-298, 70- 299, 70-300, 70-305, 70-310, 70-315, 70-316,70-320. I also passed all those on the first round. I'm currently preparing for the CCNA.
- ON
Upvote


kris J.
Now my dream has come true. I thank you a million times for the best study guides that you provided to a poor kid like me....I got it. Finally MCSE. Best regards,
- GERMANY
Upvote


Jason
I passed my CCNA exam yesterday. I would like to make some comments. "Excellent Study Guide, Excellent Support Service, Excellent Examination Web Site" Best Regards
- UNITED STATES
Upvote


Micheal
Thanks for your study guides, i have passed it. All questions in your material, we study this only 2 days. Thanks very very much!!!!!
- UNITED STATES
Upvote

Read more ...