Dumps Money Back Guarantee - CISM Dumps Up To 50% Off [Q578-Q601]



Updated Jan-2022 Pass CISM Exam - Real Practice Test Questions




This section also tests your skills in the following:

  • Establishing and maintaining an information security awareness and training program that promotes a secure environment and an effective security culture;
  • Aligning the information security program with the operational objectives of other business functions, so that the program adds value and protects the business;
  • Establishing and maintaining the information security program in line with the information security strategy;
  • Monitoring and analyzing program management and operational metrics, in order to evaluate the effectiveness and efficiency of information security management.

 

NEW QUESTION 578
Which of the following would BEST enable an information security manager to provide monthly status on the health of the information security environment to senior management?

  • A. Key risk indicators (KRIs)
  • B. Internal audits
  • C. Key control assessments
  • D. Key performance indicators (KPIs)

Answer: D

 

NEW QUESTION 579
Which of the following actions should take place immediately after a security breach is reported to an information security manager?

  • A. Notify affected stakeholders
  • B. Determine impact
  • C. Isolate the incident
  • D. Confirm the incident

Answer: D

Explanation:
Before any analysis of impact, resolution, notification or isolation is performed, the reported event must be validated as a real security incident; acting on an unconfirmed report wastes response capacity and may disrupt the business unnecessarily.

 

NEW QUESTION 580
An information security manager has been asked to create a strategy to protect the organization's information from a variety of threat vectors. Which of the following should be done FIRST?

  • A. Select a governance framework
  • B. Develop a risk profile
  • C. Perform a threat modeling exercise
  • D. Design risk management processes

Answer: B

 

NEW QUESTION 581
Which of the following should be done FIRST when selecting performance metrics to report on the vendor risk management process?

  • A. Review the confidentiality requirements.
  • B. Select the data source
  • C. Identify the data owner.
  • D. Identify the intended audience.

Answer: D

 

NEW QUESTION 582
Which of the following measures would be MOST effective against insider threats to confidential information?

  • A. Role-based access control
  • B. Defense-in-depth
  • C. Privacy policy
  • D. Audit trail monitoring

Answer: A

Explanation:
Role-based access control provides access according to business needs; therefore, it reduces unnecessary access rights and enforces accountability. Audit trail monitoring is a detective control, which acts "after the fact." A privacy policy is not relevant to this risk. Defense-in-depth primarily focuses on external threats.

 

NEW QUESTION 583
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?

  • A. Meet with data owners to understand business needs
  • B. Redefine and implement proper access rights
  • C. Establish procedures for granting emergency access
  • D. Review the procedures for granting access

Answer: A

Explanation:
An information security manager must understand the business needs that motivated the grant of privileged access before taking any unilateral action. Once those needs are understood, any of the other choices could be the correct next step, depending on the priorities set by the business unit.

 

NEW QUESTION 584
When making an outsourcing decision, which of the following functions is MOST important to retain within the organization?

  • A. Security governance
  • B. Security management
  • C. Incident response
  • D. Risk assessment

Answer: A

Explanation:
Section: INFORMATION SECURITY GOVERNANCE

 

NEW QUESTION 585
An organization's IT department is undertaking a large virtualization project to reduce its physical server footprint. Which of the following should be the HIGHEST priority of the information security manager?

  • A. Selecting the virtualization software
  • B. Being involved at the design stage of the project
  • C. Ensuring the project has appropriate security funding
  • D. Determining how incidents will be managed

Answer: C

 

NEW QUESTION 586
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?

  • A. Change management
  • B. Access control management
  • C. Configuration management
  • D. Risk management

Answer: D

Explanation:
Section: INFORMATION RISK MANAGEMENT

 

NEW QUESTION 587
When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?

  • A. Number of controls
  • B. Effectiveness of controls
  • C. Test results of controls
  • D. Cost of achieving control objectives

Answer: D

Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
Explanation:
Comparison of cost of achievement of control objectives and corresponding value of assets sought to be protected would provide a sound basis for the information security manager to measure value delivery. Number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated. Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated. Test results of controls have no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated.

 

NEW QUESTION 588
Which of the following is the MOST important security consideration when developing an incident response strategy with a cloud provider?

  • A. Recovery time objective (RTO)
  • B. Technological capabilities
  • C. Security audit reports
  • D. Escalation processes

Answer: B

Explanation:
Section: INCIDENT MANAGEMENT AND RESPONSE

 

NEW QUESTION 589
An organization's information security manager has learned that similar organizations have become increasingly susceptible to spear phishing attacks. What is the BEST way to address this concern?

  • A. Update data loss prevention (DLP) rules for email.
  • B. Create a new security policy that staff must read and sign.
  • C. Include tips to identify threats in awareness training.
  • D. Conduct a business impact analysis (BIA) of the threat.

Answer: C

 

NEW QUESTION 590
Deciding the level of protection a particular asset should be given is BEST determined by:

  • A. a vulnerability assessment.
  • B. a risk analysis.
  • C. corporate risk appetite.
  • D. a threat assessment.

Answer: B

Explanation:
Section: INFORMATION RISK MANAGEMENT

 

NEW QUESTION 591
Which of the following would BEST assist an information security manager in gaining strategic support from executive management?

  • A. Annual report of security incidents within the organization
  • B. Rating of the organization's security, based on international standards
  • C. Risk analysis specific to the organization
  • D. Research on trends in global information security breaches

Answer: C

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT

 

NEW QUESTION 592
An outcome of effective security governance is:

  • A. risk assessment.
  • B. strategic alignment.
  • C. business dependency assessment.
  • D. planning.

Answer: B

Explanation:
Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.

 

NEW QUESTION 593
Which of the following is an information security manager's BEST course of action to gain approval for investment in a technical control?

  • A. Conduct a risk assessment.
  • B. Conduct a business impact analysis (BIA).
  • C. Calculate the exposure factor.
  • D. Perform a cost-benefit analysis.

Answer: D

 

NEW QUESTION 594
Which of the following would BEST help to ensure an organization's security program is aligned with business objectives?

  • A. The organization's board of directors includes a dedicated information security specialist.
  • B. Project managers receive annual information security awareness training.
  • C. The security strategy is reviewed and approved by the organization's executive committee.
  • D. Security policies are reviewed and approved by the chief information officer.

Answer: C

 

NEW QUESTION 595
Which is the MOST important driver for effectively communicating the progress of a new information security program's implementation to key stakeholders?

  • A. Understanding stakeholder needs that influence program objectives
  • B. Documenting risk that could impact achievement of program objectives
  • C. Designing universal key performance indicators (KPIs) for the program
  • D. Facilitating stakeholder understanding of program-related technology concepts

Answer: A


 

NEW QUESTION 596
When a departmental system continues to be out of compliance with an information security policy's password strength requirements, the BEST action to undertake is to:

  • A. submit the issue to the steering committee.
  • B. conduct an impact analysis to quantify the risks.
  • C. isolate the system from the rest of the network.
  • D. request a risk acceptance from senior management.

Answer: B

Explanation:
An impact analysis is warranted to determine whether a risk acceptance should be granted and to demonstrate to the department the danger of deviating from the established policy. Isolating the system would not support the needs of the business. Any waiver should be granted only after performing an impact analysis.

 

NEW QUESTION 597
When speaking to an organization's human resources department about information security, an information security manager should focus on the need for:

  • A. recruitment of technical IT employees.
  • B. periodic risk assessments.
  • C. an adequate budget for the security program.
  • D. security awareness training for employees.

Answer: D

Explanation:
An information security manager has to impress upon the human resources department the need for security awareness training for all employees. Budget considerations are more of an accounting function.
The human resources department would become involved once it is convinced of the need for security awareness training. Recruiting IT-savvy staff may bring in new employees with better awareness of information security, but that is not a replacement for the training requirements of the other employees.
Periodic risk assessments may or may not involve the human resources department.

 


NEW QUESTION 599
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?

  • A. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
  • B. Laws and regulations of the country of origin may not be enforceable in the foreign country.
  • C. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
  • D. A security breach notification might get delayed due to the time difference.

Answer: B

Explanation:
Section: INFORMATION SECURITY GOVERNANCE
A company remains subject to the laws and regulations of the country in which it resides, even when it places servers with a vendor that hosts them in a foreign country. A violation of those laws occurring at the foreign site might not be recognized or remedied (i.e., prosecuted), both because of unfamiliarity with the applicable law and because the laws cannot be enforced abroad.
The time difference (option D) is not a problem in a 24/7 environment; pagers, cellular phones, telephones, etc. are usually available to deliver notifications. Additional intrusion detection sensors (option A) are a manageable problem that requires additional funding, but can be addressed. Loss of physical control over the servers (option C) is also a problem that can be addressed: most hosting providers have standardized the level of physical security they provide, and regular physical audits or a SAS 70 report (since superseded by SOC 1/SOC 2 reports) can address such concerns.

 

 

NEW QUESTION 601
......
