Isaca Updated CISM Exam Questions and Answers by leena

The best justification for making a revision to a password policy is a risk assessment. A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and vulnerabilities that may affect the confidentiality, integrity, and availability of information assets and systems. By conducting a risk assessment, the organization can determine the appropriate level of security controls and measures to protect its information assets and systems, including password policies. A risk assessment can also help identify any gaps or weaknesses in the existing password policy, and provide recommendations for improvement based on the organization’s risk appetite and tolerance. The other options are not the best justification for making a revision to a password policy, although they may be some inputs or outputs of the risk assessment process. A vendor recommendation is an external source of advice or guidance that may or may not be relevant or applicable to the organization’s specific context and needs. A vendor recommendation should not be followed blindly without conducting a risk assessment to evaluate its suitability and effectiveness. An audit recommendation is an internal source of feedback or suggestion that may or may not be accurate or complete. An audit recommendation should not be implemented without conducting a risk assessment to verify its validity and feasibility. An industry best practice is a general standard or guideline that may or may not reflect the organization’s unique characteristics and requirements. An industry best practice should not be adopted without conducting a risk assessment to customize it according to the organization’s goals and priorities

When creating a security policy for a global organization subject to varying laws and regulations, it is important to consider the unique legal and cultural requirements of each location. The best approach is to establish baseline standards for all locations and then add supplemental standards as required to meet local laws and regulations. This approach ensures that the organization is in compliance with all relevant laws and regulations, while also maintaining a consistent and unified approach to security across all locations. Additionally, by establishing baseline standards, the organization can ensure that its security policies are aligned with its overall security strategy and objectives.

Deliver an information security awareness campaign is the BEST approach to obtain support for a new organization-wide information security program. An information security awareness campaign is a great way to raise awareness of the importance of information security and the impact it can have on an organization. It helps to ensure that all stakeholders understand the importance of information security and are aware of the risks associated with it. Additionally, an effective awareness campaign can help to ensure that everyone in the organization is aware of the cybersecurity policies, procedures, and best practices that must be followed.