Isaca Certification CISM Exam Questions and Answers PDF

The best first step is to evaluate and prioritize the risk to determine the appropriate treatment strategy before implementing mitigation.

“Once risks are identified, they should be evaluated and prioritized to determine the best response (mitigation, transfer, acceptance, or avoidance).”

— CISM Review Manual 15th Edition, Chapter 2: Risk Management, Section: Risk Treatment*

ISACA practice questions confirm the need for evaluation and prioritization before taking further action.

 Information security controls should be designed primarily based on business risk scenarios, because they help to identify and prioritize the most relevant and significant threats and vulnerabilities that may affect the organization’s information assets and business objectives. Business risk scenarios are hypothetical situations that describe the possible sources, events, and consequences of a security breach, as well as the likelihood and impact of the occurrence. Business risk scenarios can help to:

Align the information security controls with the business needs and requirements, and ensure that they support the achievement of the strategic goals and the mission and vision of the organization

Assess the effectiveness and efficiency of the existing information security controls, and identify the gaps and weaknesses that need to be addressed or improved

Select and implement the appropriate information security controls that can prevent, detect, or mitigate the risks, and that can provide the optimal level of protection and performance for the information assets

Evaluate and measure the return on investment and the value proposition of the information security controls, and communicate and justify the rationale and benefits of the controls to the stakeholders and management

Information security controls should not be designed primarily based on a business impact analysis (BIA), regulatory requirements, or a vulnerability assessment, because these are secondary or complementary factors that influence the design of the controls, but they do not provide the main basis or criteria for the design. A BIA is a method of estimating and comparing the potential effects of a disruption or a disaster on the critical business functions and processes, in terms of financial, operational, and reputational aspects. A BIA can help to determine the recovery objectives and priorities for the information assets, but it does not identify or address the specific risks and threats that may cause the disruption or the disaster. Regulatory requirements are the legal, contractual, or industry standards and obligations that the organization must comply with regarding information security. Regulatory requirements can help to establish the minimum or baseline level of information security controls that the organization must implement, but they do not reflect the specific or unique needs and challenges of the organization. A vulnerability assessment is a method of identifying and analyzing the weaknesses and flaws in the information systems and assets that may expose them to exploitation or compromise. A vulnerability assessment can help to discover and remediate the existing or potential security issues, but it does not consider the business context or impact of the issues.

References = CISM Review Manual, 16th Edition, ISACA, 2021, pages 119-120, 122-123, 125-126, 129-130.

Comprehensive and Detailed Step-by-Step Explanation:

An effective information security program aims to manage risks to acceptable levels while supporting business objectives.

A. Risk is treated to an acceptable level: This is the BEST answer as it directly reflects the program’s success in mitigating risks within the organization’s tolerance levels.

B. The number of security incidents reported by staff has increased: An increase in reported incidents might indicate improved awareness but does not necessarily reflect overall effectiveness.

C. Key risk indicators (KRIs) are established: KRIs are important for monitoring risks but do not indicate whether risks are being effectively managed.

D. Policies are reviewed and approved by senior management: While essential, this action alone does not demonstrate the program's effectiveness.

= After a breach where the risk has been isolated and forensic processes have been performed, the next step should be to rebuild the server from the last verified backup. This will ensure that the server is restored to a known and secure state, and that any malicious code or data that may have been injected or compromised by the attacker is removed. Rebuilding the server from the original media may not be sufficient, as it may not include the latest patches or configurations that were applied before the breach. Placing the web server in quarantine or shutting it down may not be feasible or desirable, as it may disrupt the business operations or services that depend on the server. Rebuilding the server from the last verified backup is the best option to resume normal operations while maintaining security. References =

CISM Review Manual 15th Edition, page 118: “Recovery is the process of restoring normal operations after an incident. Recovery activities may include rebuilding systems, restoring data, applying patches, changing passwords, and testing functionality.”

Data Breach Experts Share The Most Important Next Step You Should Take After A Data Breach in 2014 & 2015, snippet: “Restore from backup. If you have a backup of your system from before the breach, wipe your system clean and restore from backup. This will ensure that any backdoors or malware installed by the hackers are removed.”