
ISACA Certified CISM Dumps Questions Valid CISM Materials
Current CISM Exam Dumps [2023] Complete ISACA Exam Smoothly
NEW QUESTION # 79
Regular vulnerability scanning on an organization's internal network has identified that many user workstations have unpatched versions of software. What is the BEST way for the information security manager to help senior management understand the related risk?
- A. Recommend the security steering committee conduct a review
- B. Include the impact of the risk as part of regular metrics
- C. Send regular notifications directly to senior managers
- D. Update the risk assessment at regular intervals
Answer: B
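Turning scan output into a metric that management can act on, as an added example (not from the original page or from ISACA): the findings, the host list, the reporting date and the remediation SLA thresholds are constructed for illustration. The point is that a raw count of missing patches is not the metric; the share of workstations carrying critical or overdue exposure is.

```python
"""Patch-exposure metrics for a management report, computed from scan findings.

Added example, not from the original page. FINDINGS, ALL_HOSTS and the
SLA thresholds are constructed sample data and assumptions.
"""
from collections import defaultdict
from datetime import date

# Remediation SLA in days after the vendor released the patch (assumed values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scan output: one record per (host, missing patch).
FINDINGS = [
    {"host": "ws-001", "patch": "KB-1", "severity": "critical", "released": date(2023, 1, 10)},
    {"host": "ws-001", "patch": "KB-2", "severity": "low",      "released": date(2023, 3, 1)},
    {"host": "ws-002", "patch": "KB-3", "severity": "high",     "released": date(2023, 3, 20)},
    {"host": "ws-003", "patch": "KB-1", "severity": "critical", "released": date(2023, 1, 10)},
    {"host": "ws-004", "patch": "KB-4", "severity": "medium",   "released": date(2023, 4, 1)},
]
# Every scanned workstation, including the one with nothing missing (ws-005).
ALL_HOSTS = ["ws-001", "ws-002", "ws-003", "ws-004", "ws-005"]


def patch_metrics(findings, hosts, as_of):
    """Summarise exposure as percentages of the estate, which is what a
    management report needs, rather than as a list of missing patches."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f["host"]].append(f)

    crit_high_hosts, overdue_hosts, max_days_past_sla = set(), set(), 0
    for host, items in per_host.items():
        for f in items:
            age = (as_of - f["released"]).days
            if f["severity"] in ("critical", "high"):
                crit_high_hosts.add(host)
            days_past_sla = age - SLA_DAYS[f["severity"]]
            if days_past_sla > 0:
                overdue_hosts.add(host)
                max_days_past_sla = max(max_days_past_sla, days_past_sla)

    n = len(hosts)
    pct = lambda s: round(100.0 * len(s) / n, 1)
    return {
        "hosts_total": n,
        "pct_hosts_unpatched": pct(per_host),
        "pct_hosts_crit_high": pct(crit_high_hosts),
        "pct_hosts_past_sla": pct(overdue_hosts),
        "max_days_past_sla": max_days_past_sla,
    }


def sample_report(as_of=date(2023, 4, 15)):
    """The metrics for the constructed data as of the assumed reporting date."""
    return patch_metrics(FINDINGS, ALL_HOSTS, as_of)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Reported over time, the same four numbers show whether the exposure is shrinking or growing, which is the trend senior management can act on; the per-patch detail stays with IT operations.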
NEW QUESTION # 80
Which of the following is the BEST course of action for the information security manager when residual risk is above the acceptable level of risk?
- A. Defer to business management.
- B. Recommend additional controls.
- C. Perform a cost-benefit analysis.
- D. Carry out a risk assessment
Answer: B
NEW QUESTION # 81
Web application firewalls are needed in addition to other intrusion prevention and detection technology PRIMARILY because:
- A. web services require unique forensic evidence
- B. they recognize web application protocols.
- C. web services are prone to attacks.
- D. they prevent modification of application source code
Answer: B
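An added example (not from the original page) of why protocol awareness matters: the same SQL injection payload is checked once by a byte-pattern matcher with no knowledge of HTTP and once by a parser that decodes the request the way the application will. The requests, the two signatures and the function names are constructed for illustration; a real WAF rule set is far larger.

```python
"""Signature matching on raw bytes versus on a decoded HTTP request.

Added example, not from the original page. The requests and the two
signatures are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Two constructed signatures; a real WAF rule set is far larger.
SIGNATURES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),  # SQL tautology: ' OR 1=1
    re.compile(r"<script\b", re.IGNORECASE),           # reflected XSS marker
]


def naive_match(raw: bytes) -> bool:
    """What a protocol-unaware sensor does: run the signatures over the
    bytes on the wire. URL encoding hides the payload from it."""
    text = raw.decode("latin-1")
    return any(sig.search(text) for sig in SIGNATURES)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 parser: request line, headers, query string and a
    urlencoded form body, with parameter values decoded as the app would."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = parse_qs(query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return {"method": method, "path": unquote_plus(path), "headers": headers, "params": params}


def waf_match(raw: bytes) -> list:
    """What a WAF does: parse the request, then inspect each decoded parameter.
    Returns the names of parameters that matched a signature."""
    hits = []
    for name, values in parse_http_request(raw)["params"].items():
        for value in values:
            # parse_qs already decoded once; decode again to catch double encoding
            # (%2527 -> %27 -> '), a common filter-evasion trick.
            if any(sig.search(c) for c in (value, unquote_plus(value)) for sig in SIGNATURES):
                hits.append(name)
                break
    return hits


# Constructed requests. The first carries the payload in a form body,
# the second double-encodes it in the query string, the third is harmless.
FORM_INJECTION = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=admin%27+OR+1%3D1--&pass=x"
)
DOUBLE_ENCODED = (
    b"GET /search?q=%2527%2520OR%25201%253D1 HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)
BENIGN = b"GET /search?q=hello+world HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("form", FORM_INJECTION), ("double", DOUBLE_ENCODED), ("benign", BENIGN)):
        print(label, "raw-bytes:", naive_match(req), "waf:", waf_match(req))
```

The byte matcher reports nothing for either malicious request because the quote character never appears literally on the wire; the parser sees the payload the application will see. The same reasoning extends to JSON and multipart bodies, cookies and headers, which is why a WAF is at bottom a protocol parser rather than a pattern list.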
NEW QUESTION # 82
The PRIMARY purpose of implementing information security governance metrics is to:
- A. refine control operations,
- B. measure alignment with best practices.
- C. guide security towards the desired state.
- D. assess operational and program metrics.
Answer: C
Section: MIXED QUESTIONS
NEW QUESTION # 83
Which of the following is MOST important for an information security manager to regularly report to senior management?
- A. Results of penetration tests
- B. Threat analysis reports
- C. Audit reports
- D. Impact of unremediated risks
Answer: D
Explanation:
Senior management must understand the risk the organization is carrying so that it can decide whether to accept it or fund remediation. Penetration test results, threat analyses and audit reports are technical inputs that the information security manager interprets; the business impact of the risks that remain unremediated is the message management needs in order to act.
NEW QUESTION # 84
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?
- A. Create a strong random password
- B. Track usage of the account by audit trails
- C. Ask for a vendor patch
- D. Prevent the system from being accessed remotely
Answer: A
Section: INFORMATION RISK MANAGEMENT
Explanation:
Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risks. Vendor patches are not always available, tracking usage is a detective control and will not prevent an attack.
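An added example (not from the original page) of the arithmetic behind this rationale: generate the password with a cryptographic RNG, compute its entropy, work out how long exhaustive guessing takes at an assumed guess rate, and invert that to get the minimum length for a chosen survival time. The guess rates and the ten-year target are assumptions for the calculation, not measurements of any system.

```python
"""Password entropy and brute-force time for an account that cannot be locked out.

Added example, not from the original page. The guess rates and the
survival target used below are assumptions for the arithmetic, not
measurements of any system.
"""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly with the secrets module (a CSPRNG), so the
    password carries log2(len(alphabet)) bits per character. Never use random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: on average the
    attacker searches half the keyspace. Integer power keeps the keyspace exact."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second


def min_length_for(target_seconds: float, alphabet_size: int, guesses_per_second: float) -> int:
    """Smallest length whose expected crack time is at least target_seconds."""
    needed_keyspace = 2 * guesses_per_second * target_seconds
    return max(1, math.ceil(math.log(needed_keyspace) / math.log(alphabet_size)))


def human_time(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    ten_years = 10 * 365.25 * 24 * 3600
    # Assumed rates: 1e3/s for online guessing against the service, 1e9/s for an
    # attacker who has obtained the password hash and cracks it offline.
    for rate in (1e3, 1e9):
        print(f"--- {rate:.0e} guesses/s ---")
        for length in (8, 12, 16, 32):
            t = expected_crack_seconds(length, len(ALPHABET), rate)
            print(f"len {length:2d}: {entropy_bits(length, len(ALPHABET)):.0f} bits, ~{human_time(t)}")
        print("minimum length for a 10-year expected crack time:",
              min_length_for(ten_years, len(ALPHABET), rate))
    print("example:", generate_password())
```

Because the account cannot be locked, the online rate is limited only by what the service can answer, so size the password for the offline case: an eight-character password from this alphabet has about 52 bits of entropy and falls in roughly a month at a billion guesses per second, while 32 characters is far beyond any feasible search. Audit-trail monitoring of the account remains worthwhile as the detective control the rationale describes.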
NEW QUESTION # 85
Which of the following is the BEST approach for improving information security management processes?
- A. Survey business units for feedback.
- B. Perform periodic penetration testing.
- C. Define and monitor security metrics.
- D. Conduct periodic security audits.
Answer: C
Explanation:
Defining and monitoring security metrics is the best approach for analyzing the performance of the security management process: it establishes a baseline and evaluates performance against that baseline to identify opportunities for improvement, which is a systematic and structured approach to process improvement. Audits identify deficiencies in established controls but are not effective in evaluating overall performance for improvement. Penetration testing uncovers only technical vulnerabilities and cannot provide a holistic picture of information security management. Feedback from business units is subjective and not necessarily reflective of true performance.
NEW QUESTION # 86
Which of the following is MOST important to consider when developing a security awareness program in an organization?
- A. Targeted monthly deliverables
- B. Industry benchmarks
- C. Target audience demographics
- D. Established key risk indicators (KRIs)
Answer: C
NEW QUESTION # 87
What is the FIRST action an information security manager should take when a company laptop is reported stolen?
- A. Evaluate the impact of the information loss
- B. Disable the user account immediately
- C. Ensure compliance with reporting procedures
- D. Update the corporate laptop inventory
Answer: C
Explanation:
The key step in such an incident is to report it to mitigate any loss. After this, the other actions should follow.
NEW QUESTION # 88
A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
- A. assess whether existing controls meet the regulation.
- B. update the existing security/privacy policy.
- C. analyze key risks in the compliance process.
- D. meet with stakeholders to decide how to comply.
Answer: A
Explanation:
If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.
NEW QUESTION # 89
Which of the following is the PRIMARY driver of information security compliance?
- A. Risk appetite
- B. Industry standards
- C. Regulatory requirements
- D. Threat environment
Answer: C
Explanation:
Compliance is driven by what the organization is obliged to do, which is set by laws and regulations (and, by extension, contractual obligations). Industry standards are voluntary unless a regulator or contract mandates them, risk appetite governs how much risk the organization is willing to accept rather than what it must comply with, and the threat environment drives risk assessment, not compliance.
NEW QUESTION # 90
Which of the following reduces the potential impact of social engineering attacks?
- A. Effective performance incentives
- B. Compliance with regulatory requirements
- C. Promoting ethical understanding
- D. Security awareness programs
Answer: D
Explanation:
Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.
NEW QUESTION # 91
A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?
- A. Determine the cost to remediate the noncompliance.
- B. Assess the business impact to the organization.
- C. Present the noncompliance risk to senior management.
- D. Investigate alternative options to remediate the noncompliance.
Answer: D
NEW QUESTION # 92
Which of the following has the highest priority when defining an emergency response plan?
- A. Critical infrastructure
- B. Critical data
- C. Safety of personnel
- D. Vital records
Answer: C
Explanation:
The safety of an organization's employees should be the most important consideration given human safety laws. Human safety is considered first in any process or management practice. All of the other choices are secondary.
NEW QUESTION # 93
Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
- A. Hot site equipment needs are recertified on a regular basis
- B. Detailed technical recovery plans are maintained offsite
- C. Appropriate declaration criteria have been established
- D. Network redundancy is maintained through separate providers
Answer: B
Explanation:
In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business knowledge can be lost. It is therefore critical to maintain an updated copy of the detailed recovery plan at an offsite location. Continuity of the business requires adequate network redundancy, hot site infrastructure that is certified as compatible and clear criteria for declaring a disaster. Ideally, the business continuity program addresses all of these satisfactorily. However, in a disaster situation, where all these elements are present, but without the detailed technical plan, business recovery will be seriously impaired.
NEW QUESTION # 94
The MOST basic requirement for an information security governance program is to:
- A. be based on a sound risk management approach.
- B. be aligned with the corporate business strategy.
- C. provide best practices for security initiatives.
- D. provide adequate regulatory compliance.
Answer: B
Explanation:
To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.
NEW QUESTION # 95
An intrusion detection system should be placed:
- A. on the firewall server.
- B. on a screened subnet.
- C. outside the firewall.
- D. on the external router.
Answer: B
Explanation:
An intrusion detection system (IDS) should be placed on a screened subnet, which is a demilitarized zone (DMZ). Placing it on the Internet side of the firewall would leave it defenseless. The same would be true of placing it on the external router, if such a thing were feasible. Since firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to host the IDS on the same physical device.
NEW QUESTION # 96
Which of the following is MOST relevant for an information security manager to communicate to IT operations?
- A. Vulnerability assessments
- B. The level of exposure
- C. The level of inherent risk
- D. Threat assessments
Answer: A
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION # 97
Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
- A. The risk environment is constantly changing.
- B. Justification of the security budget must be continually made.
- C. New vulnerabilities are discovered every day.
- D. Management needs to be continually informed about emerging risks.
Answer: A
Section: INFORMATION RISK MANAGEMENT
Explanation:
The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.
NEW QUESTION # 98
Security policies should be aligned MOST closely with:
- A. local laws and regulations.
- B. generally accepted standards.
- C. organizational needs.
- D. industry best practices.
Answer: C
Explanation:
The needs of the organization should always take precedence. Best practices and local regulations are important, but they do not take into account the total needs of an organization.
NEW QUESTION # 99
When establishing classifications of security incidents for the development of an incident response plan, which of the following provides the MOST valuable input?
- A. Business impact analysis (BIA) results
- B. Vulnerability assessment results
- C. Recommendations from senior management
- D. The business continuity plan (BCP)
Answer: A
Section: INCIDENT MANAGEMENT AND RESPONSE
NEW QUESTION # 100
ISACA Certified Information Security Manager CISM Exam
The ISACA Certified Information Security Manager (CISM) exam leads to the Certified Information Security Manager certification. It validates the ability to establish and maintain an information security governance framework and supporting processes that keep the information security strategy aligned with organizational goals and objectives; to manage information risk appropriately and manage program resources responsibly; and to ensure that the information security program supports organizational goals, communicates management's directives, guides the development of standards, procedures and guidelines, and develops business cases to support investments in information security. Security managers, industry leaders and practitioners typically hold or pursue this certification, and the same job roles can be expected after completing it.
CISM Premium PDF & Test Engine Files with 282 Questions & Answers: https://www.prepawaytest.com/ISACA/CISM-practice-exam-dumps.html
Get 100% Real CISM Accurate & Verified Answers As Seen in the Real Exam!: https://drive.google.com/open?id=1PzVjzVQRKlBxQ57iJkdD_vOH6lUPbNv0