CISM Online Practice Questions


Latest CISM Exam Practice Questions

The practice questions for the CISM exam were last updated on 2026-02-24.


Question#1

Which of the following is the MOST appropriate metric to demonstrate the effectiveness of information security controls to senior management?

A. Downtime due to malware infections
B. Number of security vulnerabilities uncovered with network scans
C. Percentage of servers patched
D. Annualized loss resulting from security incidents

Explanation:
Annualized loss resulting from security incidents is the most appropriate metric to demonstrate the effectiveness of information security controls to senior management because it expresses the impact of incidents in the financial terms management uses to make decisions: the cost of breaches to the organization's assets, operations, and reputation. A figure in those terms communicates the value of security investments, justifies the security budget, and lets initiatives be prioritized by the loss they are expected to avoid. It is calculated as the annualized loss expectancy (ALE): the single loss expectancy (SLE), the estimated cost of one incident, multiplied by the annualized rate of occurrence (ARO), the estimated number of incidents per year. For example, if a ransomware attack is expected once every two years (ARO = 0.5) and each attack costs $100,000 to recover from (SLE = $100,000), the annualized loss from ransomware attacks is 0.5 × $100,000 = $50,000. Tracked over time and compared with the cost of the controls in place, this figure shows whether the control portfolio is actually reducing loss. Both ARO and SLE are estimates, so the metric is only as credible as the incident history and loss figures behind it.

The other options are operational measures. Downtime due to malware, vulnerabilities found by network scans, and the percentage of servers patched describe the activity or state of the security function, not its effect on the business, and none is expressed in terms senior management can weigh against cost.
Reference: CISM Review Manual 2022, page 317 [1]; CISM Exam Content Outline, Domain 4, Knowledge Statement 4.11 [2]; Key Performance Indicators for Security Governance, Part 1; Performance Measurement Guide for Information Security.
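A worked example, added here and not taken from the CISM Review Manual or any ISACA material, that carries the ALE calculation above through to the decision it supports: comparing candidate controls by the loss they avoid against what they cost (return on security investment, ROSI), which goes beyond the text. The ransomware figures are the ones in the explanation; the Scenario and Control classes, the control names, their costs and their effect multipliers are constructed assumptions for illustration.

```python
"""Annualized loss expectancy (ALE) as a control-effectiveness metric.

Added worked example; not code from the CISM Review Manual or ISACA.
The ransomware figures match the explanation (one attack every two years,
$100,000 per attack). The candidate controls, their costs and their effects
are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: estimated cost of one incident (USD)
    aro: float  # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Control:
    """A candidate control and its assumed effect on a scenario.

    aro_factor and sle_factor are multipliers applied to the scenario's ARO
    and SLE once the control is in place (1.0 means no change).
    """
    name: str
    annual_cost: float
    aro_factor: float = 1.0
    sle_factor: float = 1.0


def aro_from_interval_years(years: float) -> float:
    """An incident expected once every N years has ARO = 1 / N."""
    if years <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years


def ale(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the annualized loss the explanation describes."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def residual_ale(scenario: Scenario, control: Control) -> float:
    """ALE that remains once the control is applied."""
    return ale(scenario.sle * control.sle_factor,
               scenario.aro * control.aro_factor)


def loss_reduction(scenario: Scenario, control: Control) -> float:
    """Annualized loss avoided by the control."""
    return ale(scenario.sle, scenario.aro) - residual_ale(scenario, control)


def rosi(scenario: Scenario, control: Control) -> float:
    """Return on security investment: (ALE reduction - cost) / cost."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return (loss_reduction(scenario, control) - control.annual_cost) / control.annual_cost


def rank_controls(scenario: Scenario, controls):
    """Controls ordered by ROSI, best first; ties broken by lower cost."""
    return sorted(controls, key=lambda c: (-rosi(scenario, c), c.annual_cost))


def total_ale(scenarios) -> float:
    """Portfolio figure: the single number to report to senior management."""
    return sum(ale(s.sle, s.aro) for s in scenarios)


# Figures from the explanation above.
RANSOMWARE = Scenario("ransomware", sle=100_000.0, aro=aro_from_interval_years(2))

# Constructed candidate controls: costs and effects are assumptions, not from the text.
CONTROLS = (
    Control("tested offline backups", annual_cost=20_000.0, sle_factor=0.4),
    Control("phishing-resistant MFA", annual_cost=8_000.0, aro_factor=0.5),
    Control("awareness training", annual_cost=5_000.0, aro_factor=0.7),
)

if __name__ == "__main__":
    print(f"ALE for {RANSOMWARE.name}: ${ale(RANSOMWARE.sle, RANSOMWARE.aro):,.0f}")
    for c in rank_controls(RANSOMWARE, CONTROLS):
        print(f"{c.name:24s} residual ALE ${residual_ale(RANSOMWARE, c):>9,.0f}"
              f"  ROSI {rosi(RANSOMWARE, c):+.2f}")
```

With these assumed inputs the control that avoids the most loss (backups, $30,000 a year) ranks last because its cost consumes most of that reduction, and the cheapest control does not rank first either; the ROSI ordering, not the raw reduction or the raw cost, is what belongs in front of management. Because every input is an estimate, report the assumptions alongside the figures.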

Question#2

An organization's security policy is to disable access to USB storage devices on laptops and desktops.
Which of the following is the STRONGEST justification for granting an exception to the policy?

A. The benefit is greater than the potential risk.
B. USB storage devices are enabled based on user roles.
C. Users accept the risk of noncompliance.
D. Access is restricted to read-only.

Explanation:
The strongest justification for granting an exception to a policy that disables USB storage devices on laptops and desktops is that the benefit is greater than the potential risk. A security policy defines the goals, objectives, principles, roles, responsibilities, and requirements for protecting an organization's information and systems. It should be based on a risk assessment that identifies and evaluates the threats and vulnerabilities affecting the organization's assets, together with the likelihood and impact of incidents, and it should be aligned with the organization's business objectives and risk appetite [1]. There are situations in which a policy cannot be fully enforced or complied with for technical, operational, or business reasons. In such cases an exception may be requested and granted by an authorized person or body, such as the security manager or a policy committee. An exception must be justified by a clear and compelling reason that outweighs the risk of non-compliance, and it should be documented, approved, monitored, reviewed, and revoked when it is no longer needed [2].

USB storage devices are portable, hold large amounts of data, and connect easily to laptops and desktops. They offer benefits such as:
• Enhancing data mobility and accessibility
• Improving data backup and recovery
• Supporting data sharing and collaboration
• Enabling data encryption and authentication
They also pose significant security risks, such as:
• Introducing malware to laptops and desktops
• Exposing sensitive data to unauthorized access or disclosure
• Loss of data through loss or theft of the device
• Violating security policies or regulations
An exception should therefore be granted only when the benefit of using the device outweighs the risk of it being compromised. For example, if a user must move a large data set between two laptops at a remote site with no network connectivity, and the data on the device is encrypted and protected by a strong passphrase, the benefit may be greater than the risk of the device being lost or its contents exposed.

The other options are not justifications for an exception. Enabling USB storage based on user roles is a way of implementing a more granular policy that grants different levels of access to different types of users [3]. A user accepting the risk of noncompliance is a condition of requesting an exception, acknowledging responsibility and accountability for the consequences, not a reason to grant one [4]; in any case, risk is accepted on behalf of the organization by the asset or business owner, not by the individual user. Restricting access to read-only is a control that reduces the risk of data being copied out of the organization onto the device (it does not prevent malware being read from the device) [5]; a control that lowers the residual risk is not itself a business justification for taking that risk.
References: [1] Information Security Policy, NIST; [2] Policy Exception Management, ISACA; [3] Deploy and manage Removable Storage Access Control using Intune, Microsoft Learn; [4] Policy Exception Request Form, University of California; [5] Removable Media Policy Writing Tips, CurrentWare.

Question#3

Unintentional behavior by an employee caused a major data loss incident.
Which of the following is the BEST way for the information security manager to prevent recurrence within the organization?

A. Implement compensating controls.
B. Communicate consequences for future instances.
C. Enhance the data loss prevention (DLP) solution.
D. Improve the security awareness training program.

Question#4

Which of the following should an information security manager do FIRST upon learning that a competitor has experienced a ransomware attack?

A. Perform a full data backup.
B. Conduct ransomware awareness training for all staff.
C. Update indicators of compromise in the security systems.
D. Review the current risk assessment.

Question#5

The PRIMARY goal when conducting post-incident reviews is to identify:

A. Additional cybersecurity budget needs
B. Weaknesses in incident response plans
C. Information to be shared with senior management
D. Individuals that need additional training

Explanation:
The core objective of a post-incident review (PIR) is to identify gaps and weaknesses in the response process: missteps, delays, communication failures, or policy limitations, each of which points to an improvement in future incident handling.
"Post-incident reviews focus on identifying root causes and areas for improvement to enhance the organization's preparedness for future incidents."
(CISM Review Manual, 15th Edition, Chapter 4: Post-Incident Activities)
Training needs, reports to senior management, and budget requests may follow from the review, but they are secondary outcomes, not its primary goal.

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with ISACA, CISM Certification, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: CISM | Q&As: 1044 | Updated: 2026-02-24
