Isaca Updated CISM Exam Questions and Answers by georgi

The PRIMARY purpose of an acceptable use policy is to protect the organization from misuse of information assets, such as data, hardware, software, and network resources, by defining the rules and expectations for the authorized and appropriate use of these assets by the users. An acceptable use policy helps to prevent or reduce the risks of security breaches, legal liabilities, reputational damage, or loss of productivity that may result from unauthorized, inappropriate, or unethical use of information assets.

References =

CISM Review Manual, 16th Edition, ISACA, 2020, p. 74: “An acceptable use policy is a policy that establishes an agreement between users and the enterprise that defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet.”

The essentials of an acceptable use policy - Infosec Resources: “An Acceptable Use Policy (henceforward mentioned as "AUP") is agreement between two or more parties to a computer network community, expressing in writing their intent to adhere to certain standards of behaviour with respect to the proper usage of specific hardware & software services.”

Acceptable use policy template - Workable: “This Acceptable Use Policy sets the minimum requirements for the use of our company’s IT resources, including computers, networks, devices, software, and internet. It aims to protect our company and our employees from harm and liability, and to ensure that our IT resources are used appropriately, productively, and securely.”

The most appropriate information to communicate to senior management regarding information risk is the risk profile changes, which reflect the current level and nature of the risks that the organization faces. The risk profile changes can help senior management to understand the impact of the risks on the business objectives, the effectiveness of the risk management strategy, and the need for any adjustments or improvements. The risk profile changes can also help senior management to prioritize the allocation of resources and to make informed decisions.

References = CISM Review Manual, 16th Edition eBook1, Chapter 2: Information Risk Management, Section: Risk Communication, Subsection: Risk Reporting, Page 97.