
[Dec-2023] ISACA CISM Dumps – Reduce Your Chance of Failure in CISM Exam
To help you achieve your goal, this page collects ISACA CISM practice questions, with answers and explanations, to use as a guideline for Certified Information Security Manager exam preparation.
NEW QUESTION # 204
Which of the following would BEST justify continued investment in an information security program?
- A. Security framework alignment
- B. Speed of implementation
- C. Industry peer benchmarking
- D. Reduction in residual risk
Answer: D
Explanation:
Residual risk is the remaining risk after all security controls have been implemented. It is important to measure the residual risk of an organization in order to determine the effectiveness of the security program and to justify continued investment in the program. A reduction in residual risk is an indication that the security program is effective and that continued investment is warranted.
NEW QUESTION # 205
For an organization with a large and complex IT infrastructure, which of the following elements of a disaster recovery hot site service will require the closest monitoring?
- A. Number of subscribers
- B. Audit rights
- C. Employee access
- D. Systems configurations
Answer: D
NEW QUESTION # 206
Which of the following threats is prevented by using token-based authentication?
- A. Session eavesdropping attack on the network
- B. Password sniffing attack on the network
- C. Denial of service attack over the network
- D. Man-in-the-middle attack on the client
Answer: B
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
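Why a one-time token defeats password sniffing, shown as an added example that is not part of the original page or of any ISACA material: an RFC 4226 HOTP generator in Python together with a server-side verifier. The secret is the RFC's published test key (not a real credential); the look-ahead window of 3, the class and function names, and the sniff-and-replay scenario are assumptions made for illustration. An attacker who captures the code off the wire gains nothing, because the verifier advances its counter and rejects the replay. Note what the token does not do: it does not protect the session established after login, which is why eavesdropping on the session and a man-in-the-middle on the client are not the threats the token prevents.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically
    truncated to a 31-bit integer, reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of token-based authentication (hypothetical helper for this
    example). A code is accepted once, within a small look-ahead window, and the
    expected counter then moves past it, so a replayed code is rejected."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window      # tolerate a few unused presses on the client

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume this and any skipped counters
                return True
        return False


def sniff_and_replay_demo() -> dict:
    """Constructed scenario: the attacker records the user's code from the network
    and presents it again. The first login succeeds; the replay fails."""
    secret = b"12345678901234567890"   # RFC 4226 test secret, constructed input
    server = TokenVerifier(secret)
    legit_code = hotp(secret, 0)                  # value shown on the user's token
    sniffed = legit_code                          # attacker's copy from the wire
    first_login = server.verify(legit_code)       # legitimate authentication
    replay_accepted = server.verify(sniffed)      # attacker's replay attempt
    return {
        "legit_code": legit_code,
        "first_login": first_login,
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    print(sniff_and_replay_demo())
```

The generator is checked against the RFC 4226 reference vectors, so the demo's behaviour is the standard's, not an approximation; the window logic is the usual server-side resynchronization and is the only part of this block that is a design choice rather than specification.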
NEW QUESTION # 207
An emergency change was made to an IT system as a result of a failure. Which of the following should be of GREATEST concern to the organization's information security manager?
- A. Documentation of the change was made after implementation.
- B. The operations team implemented the change without regression testing.
- C. The information security manager did not review the change prior to implementation.
- D. The change did not include a proper assessment of risk.
Answer: B
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION # 208
What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
- A. are decrypted by the firewall.
- B. all use weak encryption.
- C. may be quarantined by mail filters.
- D. may be corrupted by the receiving mail server.
Answer: C
Explanation:
Often, mail filters will quarantine zip files that are password-protected, since the filter (or the firewall) is unable to open the archive and determine whether it contains malicious code. A firewall cannot decrypt such a file, and many zip utilities support strong encryption, so it is not true that all such files use weak encryption. Such files are not normally corrupted by the receiving mail server.
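What a mail filter actually checks, as an added example not taken from the page: a Python scanner that reads the general-purpose flag of each archive member (bit 0 marks the entry as encrypted) and returns a quarantine verdict when any member cannot be inspected. The function names, the verdict strings and the sample attachment are constructed for this example; because the standard library cannot write encrypted entries, the sample builder sets the encryption flag bit in the headers to simulate a password-protected file.

```python
import io
import zipfile

ZIP_ENCRYPTED_FLAG = 0x0001   # bit 0 of the general-purpose flag in every entry header


def scan_zip_attachment(data: bytes) -> dict:
    """Mimic a mail filter's decision for one attachment (hypothetical helper).
    If any member is flagged encrypted, its content cannot be scanned, so the
    filter quarantines rather than guessing."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "not-a-zip", "encrypted_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # infolist() comes from the central directory, so no member is opened.
        encrypted = [zi.filename for zi in zf.infolist()
                     if zi.flag_bits & ZIP_ENCRYPTED_FLAG]
    if encrypted:
        return {"verdict": "quarantine", "encrypted_members": encrypted}
    return {"verdict": "scan-contents", "encrypted_members": []}


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample attachment with one stored member. When `encrypted`
    is set, the encryption bit is flipped in both the local file header (flag at
    offset 6) and the central directory header (flag at offset 8) to look like a
    password-protected archive; the payload itself is plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "sample payload, constructed for this example")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            data[pos + flag_offset] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_zip(False)),
                          ("password-protected", build_sample_zip(True)),
                          ("junk", b"not an archive")):
        print(label, scan_zip_attachment(sample))
```

The filter is indifferent to how strong the encryption is; it quarantines because it cannot see inside, which is exactly the drawback the question describes.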
NEW QUESTION # 209
An organization with a large number of users finds it necessary to improve access control applications.
Which of the following would BEST help to prevent unauthorized user access to networks and applications?
- A. Complex user passwords
- B. Biometric systems
- C. Single sign-on
- D. Access control lists
Answer: D
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION # 210
What should be an organization's concern when evaluating an Infrastructure as a Service (IaaS) cloud computing model for an e-Commerce application?
- A. Internal audit requirements
- B. Availability of provider's services
- C. Where the application resides
- D. Application ownership
Answer: B
NEW QUESTION # 211
After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
- A. Chief information officer (CIO)
- B. Chief executive officer (CEO)
- C. Business owner
- D. Information security officer
Answer: C
Explanation:
The business owner of the application needs to understand and accept the residual application risks.
NEW QUESTION # 212
Of the following, who is MOST appropriate to own the risk associated with the failure of a privileged access control?
- A. Compliance manager
- B. Business owner
- C. Information security manager
- D. Data owner
Answer: B
Explanation:
The business owner is the most appropriate person to own the risk associated with the failure of a privileged access control because they are ultimately responsible for the protection and use of the information in their business unit [1]. The data owner is responsible for determining the access rights for specific data sets, but not for the access control mechanisms [2]. The information security manager is responsible for implementing and enforcing the security policies and standards, but not for owning the risk [3]. The compliance manager is responsible for ensuring that the organization meets the regulatory requirements, but not for owning the risk [3].
References:
[1] https://www.cyberark.com/resources/blog/how-do-you-prioritize-risk-for-privileged-access-management
[2] https://security.stackexchange.com/questions/218049/what-is-the-difference-between-data-owner-data-custodian-and-system-owner
[3] https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/capability-framework-for-privileged-access-management
NEW QUESTION # 213
Which of the following should be done FIRST when selecting performance metrics to report on the vendor risk management process?
- A. Identify the intended audience.
- B. Review the confidentiality requirements.
- C. Select the data source.
- D. Identify the data owner.
Answer: D
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION # 214
Which of the following should be the FIRST step in developing an information security strategy?
- A. Identify key stakeholders to champion information security
- B. Create a roadmap to identify security baselines and controls
- C. Perform a gap analysis based on the current state
- D. Determine acceptable levels of information security risk
Answer: A
Explanation:
The first step in developing an information security strategy is to identify key stakeholders who can provide support, guidance and resources for information security initiatives. These stakeholders may include senior management, business unit leaders, legal counsel, audit and compliance officers and other relevant parties. By engaging these stakeholders early on, an information security manager can ensure that the strategy aligns with business objectives and expectations, as well as gain buy-in and commitment from them. Determining acceptable levels of risk, creating a roadmap and performing a gap analysis are all important steps in developing an information security strategy, but they should follow after identifying key stakeholders.
NEW QUESTION # 215
Which of the following should be included in an annual information security budget that is submitted for management approval?
- A. All of the resources that are recommended by the business
- B. A cost-benefit analysis of budgeted resources
- C. Baseline comparisons
- D. Total cost of ownership (TCO)
Answer: B
Explanation:
A brief explanation of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Explanations of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget. Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval.
NEW QUESTION # 216
Which of the following would BEST help to ensure an organization's security program is aligned with business objectives?
- A. Business leaders receive annual information security awareness training.
- B. The organization's board of directors includes a dedicated information security advisor.
- C. Security policies are reviewed and approved by the chief information officer (CIO).
- D. The security strategy is reviewed and approved by the organization's steering committee.
Answer: D
NEW QUESTION # 217
Which of the following is an example of a vulnerability?
- A. Ransomware
- B. Unauthorized users
- C. Defective software
- D. Natural disasters
Answer: C
NEW QUESTION # 218
An information security manager is developing a new information security strategy. Which of the following functions would serve as the BEST resource to review the strategy and provide guidance for business alignment?
- A. The board of directors
- B. Internal audit
- C. The legal department
- D. The steering committee
Answer: A
NEW QUESTION # 219
Which of the following would be the MOST relevant factor when defining the information classification policy?
- A. Requirements of data owners
- B. Quantity of information
- C. Available IT infrastructure
- D. Benchmarking
Answer: A
Explanation:
When defining the information classification policy, the requirements of the data owners need to be identified. The quantity of information, availability of IT infrastructure and benchmarking may be part of the scheme after the fact and would be less relevant.
NEW QUESTION # 220
Which of the following is the information security manager's PRIMARY role in the information assets classification process?
- A. Securing assets in accordance with their classification
- B. Assigning asset ownership
- C. Developing an asset classification model
- D. Assigning the asset classification level
Answer: C
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION # 221
The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
- A. information security manager.
- B. system developer.
- C. system data owner.
- D. steering committee.
Answer: C
Explanation:
Data owners are the most knowledgeable of the security needs of the business application for which they are responsible. The system developer and the information security manager have specific knowledge of limited areas but will not have full knowledge of the business issues that affect the level of security required. The steering committee does not operate at that level of detail.
NEW QUESTION # 222
Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
- A. A joint risk assessment of the system
- B. Encryption between the organization and the provider
- C. A legally binding data protection agreement
- D. The right to conduct independent security reviews
Answer: D
Explanation:
A key requirement of an outsourcing contract involving critical business systems is the establishment of the organization's right to conduct independent security reviews of the provider's security controls. A legally binding data protection agreement is also critical, but secondary to the right to conduct independent reviews, which permits examination of the actual security controls prevailing over the system and, as such, is the more effective risk management tool. Network encryption of the link between the organization and the provider may well be a requirement, but is not as critical, since it would also be examined in an independent security review. A joint risk assessment of the system in conjunction with the outsource provider may be a compromise solution, should the right to conduct independent security reviews of the controls related to the system prove contractually difficult.
NEW QUESTION # 223
An organization has decided to implement a security information and event management (SIEM) system. It is MOST important for the organization to consider:
- A. threat assessments.
- B. log sources.
- C. data ownership.
- D. industry best practices.
Answer: D
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION # 224
An information security manager has determined that the mean time to prioritize information security incidents has increased to an unacceptable level. Which of the following processes would BEST enable the information security manager to address this concern?
- A. Incident classification
- B. Forensic analysis
- C. Vulnerability assessment
- D. Incident response
Answer: A
Section: INCIDENT MANAGEMENT AND RESPONSE
NEW QUESTION # 225
Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?
- A. Periodic audits of the disaster recovery/business continuity plans
- B. Reconciliation of the annual systems inventory to the disaster recovery/business continuity plans
- C. Inclusion as a required step in the system life cycle process
- D. Comprehensive walk-through testing
Answer: C
Explanation:
Information security should be an integral component of the development cycle; thus, updating the plans should be a required step in the system life cycle process. Periodic audits, reconciliation of the systems inventory and walk-through testing are good mechanisms to ensure compliance, but would not be nearly as timely in ensuring that the plans are always up to date. Inclusion in the life cycle process is a preventive control, while the other three are detective controls.
NEW QUESTION # 226
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
- A. Information security manager
- B. Legal counsel
- C. Internal auditor
- D. Chief operating officer (COO)
Answer: D
Explanation:
The chief operating officer (COO) is highly-placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.
NEW QUESTION # 227
In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:
- A. develop an operational plan for achieving compliance with the legislation.
- B. identify privacy legislation in other countries that may contain similar requirements.
- C. identify systems and processes that contain privacy components.
- D. restrict the collection of personal information until compliant.
Answer: C
Explanation:
Identifying the relevant systems and processes is the best first step. Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step. Restricting the collection of personal information comes later. Identifying privacy legislation in other countries would not add much value.
NEW QUESTION # 228
Senior management has just accepted the risk of noncompliance with a new regulation. What should the information security manager do NEXT?
- A. Update details within the risk register.
- B. Report the decision to the compliance officer.
- C. Assess the impact of the regulation.
- D. Reassess the organization's risk tolerance.
Answer: A