[Dec-2021] CISM Exam Dumps - Free Demo & 365 Day Updates
ISACA CISM: What requirements should you meet?
The ISACA CISM certificate is intended for individuals who have technical and IS/IT experience and are ready to move into a management role. It validates expertise in risk management, incident management, security governance, and security program management and development. The certification covers the following domains:
- Information Security Governance;
- Information Risk Management;
- Information Security Program Development & Management;
- Information Security Incident Management.
ISACA recommends that all candidates have at least 5 years of experience in IS management. To become eligible for this certification, you also need to pass one exam.
What is the duration of the CISM exam?
- Length of Examination: 4 hours
- Format: Multiple choice, multiple answers
- Number of Questions: 200
NEW QUESTION 158
The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:
- A. ensure the provider is made liable for losses.
- B. recommend not renewing the contract upon expiration.
- C. determine the current level of security.
- D. recommend the immediate termination of the contract.
Answer: C
Explanation:
It is important to ensure that adequate levels of protection are written into service level agreements (SLAs) and other outsourcing contracts. Information must be obtained from providers to determine how that outsource provider is securing information assets prior to making any recommendation or taking any action in order to support management decision making. Choice A is not acceptable in most situations and therefore not a good answer.
NEW QUESTION 159
A risk mitigation report would include recommendations for:
- A. acceptance.
- B. evaluation.
- C. quantification.
- D. assessment.
Answer: A
Explanation:
Acceptance of a risk is an alternative to be considered in the risk mitigation process. Assessment, evaluation and risk quantification are components of the risk analysis process that are completed prior to determining risk mitigation solutions.
NEW QUESTION 160
The BEST way to establish a recovery time objective (RTO) that balances cost with a realistic recovery time frame is to:
- A. perform a business impact analysis.
- B. determine daily downtime cost.
- C. analyze cost metrics.
- D. conduct a risk assessment.
Answer: A
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION 161
The MOST effective way to determine the resources required by internal incident response teams is to:
- A. determine the scope and charter of incident response.
- B. request guidance from incident management consultants.
- C. test response capabilities with event scenarios.
- D. benchmark against other incident management programs.
Answer: C
Explanation:
Section: INCIDENT MANAGEMENT AND RESPONSE
NEW QUESTION 162
Management has expressed concerns to the information security manager that shadow IT may be a risk to the organization. What is the FIRST step the information security manager should take?
- A. Update the security policy to address shadow IT.
- B. Determine the extent of shadow IT usage.
- C. Determine the value of shadow IT projects.
- D. Block the end user's ability to use shadow IT
Answer: A
NEW QUESTION 163
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
- A. Chief operating officer (COO)
- B. Chief privacy officer (CPO)
- C. Chief security officer (CSO)
- D. Chief legal counsel (CLC)
Answer: A
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
The chief operating officer (COO) is most knowledgeable of business operations and objectives. The chief privacy officer (CPO) and the chief legal counsel (CLC) may not have the knowledge of the day-to-day business operations to ensure proper guidance, although they have the same influence within the organization as the COO. Although the chief security officer (CSO) is knowledgeable of what is needed, the sponsor for this task should be someone with far-reaching influence across the organization.
NEW QUESTION 164
Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST:
- A. review available sources of risk information.
- B. determine the financial impact if threats materialize.
- C. map the major threats to business objectives.
- D. identify the value of the critical assets.
Answer: C
Explanation:
Risk mapping or a macro assessment of the major threats to the organization is a simple first step before performing a risk assessment. Compiling all available sources of risk information is part of the risk assessment. Choices C and D are also components of the risk assessment process, which are performed subsequent to the threats-business mapping.
NEW QUESTION 165
During an information security audit, it was determined that IT staff did not follow the established standard when configuring and managing IT systems. Which of the following is the BEST way to prevent future occurrences?
- A. Updating configuration baselines to allow exceptions
- B. Providing annual information security awareness training
- C. Implementing a strict change control process
- D. Conducting periodic vulnerability scanning
Answer: C
Explanation:
Section: INCIDENT MANAGEMENT AND RESPONSE
NEW QUESTION 166
An organization is entering into an agreement with a new business partner to conduct customer mailings.
What is the MOST important action that the information security manager needs to perform?
- A. A due diligence security review of the business partner's security controls
- B. Ensuring that the business partner has an effective business continuity program
- C. Talking to other clients of the business partner to check references for performance
- D. Ensuring that the third party is contractually obligated to all relevant security requirements
Answer: D
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
The key requirement is that the information security manager ensures that the third party is contractually bound to follow the appropriate security requirements for the process being outsourced. This protects both organizations. All other steps are contributory to the contractual agreement, but are not key.
NEW QUESTION 167
Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
- A. describe handling procedures of cryptographic keys.
- B. define cryptographic algorithms and key lengths.
- C. establish the use of cryptographic solutions.
- D. define the circumstances where cryptography should be used.
Answer: D
Explanation:
There should be documented standards/procedures for the use of cryptography across the enterprise; they should define the circumstances where cryptography should be used. They should cover the selection of cryptographic algorithms and key lengths, but not define them precisely, and they should address the handling of cryptographic keys. However, this is secondary to how and when cryptography should be used.
The use of cryptographic solutions should be addressed but, again, this is a secondary consideration.
NEW QUESTION 168
Which of the following would be the BEST way for a company to reduce the risk of data loss resulting from employee-owned devices accessing the corporate email system?
- A. Use a mobile device management solution to isolate the local corporate email storage.
- B. Require employees to undergo training before permitting access to the corporate email service
- C. Link the bring-your-own-device (BYOD) policy to the existing staff disciplinary policy.
- D. Require employees to install a reputable mobile anti-virus solution on their personal devices.
Answer: A
NEW QUESTION 169
An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
- A. Key performance indicators (KPIs)
- B. Technical vulnerability assessment
- C. Gap analysis
- D. Business impact analysis (BIA)
Answer: C
Explanation:
Gap analysis would help identify the actual gaps between the desired state and the current implementation of information security management. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information in order to identify gaps.
NEW QUESTION 170
The PRIMARY purpose of a risk assessment is to enable business leaders to:
- A. define key risk indicators (KRIs).
- B. align information security to business objectives.
- C. make informed decisions.
- D. manage information security expenditures.
Answer: C
NEW QUESTION 171
Which of the following information security metrics is the MOST difficult to quantify?
- A. Proportion of control costs to asset value
- B. Extent of employee security awareness
- C. Cost of security incidents prevented
- D. Percentage of controls mapped to industry frameworks
Answer: B
NEW QUESTION 172
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?
- A. Repudiation
- B. Man-in-the-middle attack
- C. IP spoofing
- D. Trojan
Answer: D
Explanation:
A Trojan is a program that gives the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user. IP spoofing will not work because IP is not used as an authentication mechanism. Man-in-the-middle attacks are not possible if using SSL with client-side certificates. Repudiation is unlikely because client-side certificates authenticate the user.
NEW QUESTION 173
Which of the following is the MOST appropriate method of ensuring password strength in a large organization?
- A. Install code to capture passwords for periodic audit
- B. Attempt to reset several passwords to weaker values
- C. Review general security settings on each platform
- D. Sample a subset of users and request their passwords for review
Answer: C
Explanation:
Reviewing general security settings on each platform will be the most efficient method for determining password strength while not compromising the integrity of the passwords. Attempting to reset several passwords to weaker values may not highlight certain weaknesses. Installing code to capture passwords for periodic audit, and sampling a subset of users and requesting their passwords for review, would compromise the integrity of the passwords.
NEW QUESTION 174
When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?
- A. Business management
- B. System users
- C. Information security manager
- D. Operations manager
Answer: C
Explanation:
The escalation process in critical situations should involve the information security manager as the first contact so that appropriate escalation steps are invoked as necessary. Choices A, B and D would be notified accordingly.
NEW QUESTION 175
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
- A. Quality control manager
- B. Information security manager
- C. System analyst
- D. Process owner
Answer: D
Explanation:
Process owners implement information protection controls as determined by the business' needs. Process owners have the most knowledge about security requirements for the business application for which they are responsible. The system analyst, quality control manager, and information security manager do not possess the necessary knowledge or authority to implement and maintain the appropriate level of business security.
NEW QUESTION 176
In an organization, information systems security is the responsibility of:
- A. all personnel.
- B. information systems personnel.
- C. functional personnel.
- D. information systems security personnel.
Answer: A
Explanation:
All personnel of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel. Information systems security cannot be the responsibility of information systems personnel alone, since they cannot ensure security. Information systems security cannot be the responsibility of information systems security personnel alone, since they cannot ensure security. Information systems security cannot be the responsibility of functional personnel alone, since they cannot ensure security.
NEW QUESTION 177
Risk management programs are designed to reduce risk to:
- A. a level that is too small to be measurable.
- B. a level that the organization is willing to accept.
- C. the point at which the benefit exceeds the expense.
- D. a rate of return that equals the current cost of capital.
Answer: B
Explanation:
Section: INFORMATION RISK MANAGEMENT
Explanation:
Risk should be reduced to a level that an organization is willing to accept. Reducing risk to a level too small to measure is impractical and is often cost-prohibitive. To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered. Depending on the risk preference of an organization, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Therefore, choice C is a more precise answer.
NEW QUESTION 178
A common concern with poorly written web applications is that they can allow an attacker to:
- A. abuse a race condition.
- B. inject structured query language (SQL) statements.
- C. gain control through a buffer overflow.
- D. conduct a distributed denial of service (DoS) attack.
Answer: B
Explanation:
Section: INFORMATION RISK MANAGEMENT
Explanation:
Structured query language (SQL) injection is one of the most common and dangerous web application vulnerabilities. Buffer overflows and race conditions are very difficult to find and exploit on web applications.
Distributed denial of service (DoS) attacks have nothing to do with the quality of a web application.
NEW QUESTION 179
Who should drive the risk analysis for an organization?
- A. Security manager
- B. Senior management
- C. Legal department
- D. Quality manager
Answer: A
Explanation:
Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.
NEW QUESTION 180
Which of the following BEST supports the risk assessment process to determine the criticality of an asset?
- A. Vulnerability assessment
- B. Residual risk analysis
- C. Business impact analysis (BIA)
- D. Threat assessment
Answer: C
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION 181
Which of the following is the PRIMARY reason for implementing a risk management program?
- A. Satisfies audit and regulatory requirements
- B. Allows the organization to eliminate risk
- C. Assists in incrementing the return on investment (ROI)
- D. Is a necessary part of management's due diligence
Answer: D
Explanation:
The key reason for performing risk management is that it is part of management's due diligence. The elimination of all risk is not possible. Satisfying audit and regulatory requirements is of secondary importance.
A risk management program may or may not increase the return on investment (ROI).
NEW QUESTION 182
......