Online Questions - Valid Practice To your CISM Exam (Updated 188 Questions) [Q31-Q54]

Share

Online Questions - Valid Practice To your CISM Exam (Updated 188 Questions)

Practice To CISM - Remarkable Practice On your Certified Information Security Manager Exam

NEW QUESTION 31
The PRIMARY purpose of aligning information security with corporate governance objectives is to:

  • A. identify an organization's tolerance for risk.
  • B. consistently manage significant areas of risk.
  • C. re-align roles and responsibilities.
  • D. build capabilities to improve security processes.

Answer: D

Explanation:
Section: INFORMATION SECURITY GOVERNANCE

 

NEW QUESTION 32
What is the BEST method to verify that all security patches applied to servers were properly documented?

  • A. Review change control documentation for key servers
  • B. Trace change control requests to operating system (OS) patch logs
  • C. Trace OS patch logs to OS vendor's update documentation
  • D. Trace OS patch logs to change control requests

Answer: D

Explanation:
Explanation/Reference:
Explanation:
To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of these changes. Tracing from the documentation to the patch log will not indicate if some patches were applied without being documented. Similarly, reviewing change control documents for key servers or comparing patches applied to those recommended by the OS vendor's web site does not confirm that these security patches were properly approved and documented.

 

NEW QUESTION 33
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?

  • A. The number of false negatives increases
  • B. Attack profiles are ignored
  • C. The number of false positives increases
  • D. Active probing is missed

Answer: C

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation:
Failure to tune an intrusion detection system (IDS) will result in many false positives, especially when the threshold is set to a low value. The other options are less likely given the fact that the threshold for sounding an alarm is set to a low value.

 

NEW QUESTION 34
Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?

  • A. Security patches applied trend report
  • B. Security compliant servers trend report
  • C. Percentage of security compliant servers
  • D. Number of security patches applied

Answer: B

Explanation:
The percentage of compliant servers will be a relevant indicator of the risk exposure of the infrastructure. However, the percentage is less relevant than the overall trend, which would provide a measurement of the efficiency of the IT security program. The number of patches applied would be less relevant, as this would depend on the number of vulnerabilities identified and patches provided by vendors.

 

NEW QUESTION 35
During the due diligence phase of an acquisition, the MOST important course of action for an information security manager is to:

  • A. review information security policies
  • B. review the state of security awareness.
  • C. perform a risk assessment
  • D. perform a gap analysis.

Answer: D

 

NEW QUESTION 36
The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

  • A. head of internal audit.
  • B. chief technology officer (CTO).
  • C. legal counsel.
  • D. chief operations officer (COO).

Answer: D

Explanation:
Explanation
The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO's goals for the infrastructure might, at times, run counter to the goals of information security.

 

NEW QUESTION 37
An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining:

  • A. security metrics
  • B. risk-reporting methodologies
  • C. service level agreements (SLAs)
  • D. security requirements for the process being outsourced

Answer: A

 

NEW QUESTION 38
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?

  • A. Minimize the use of vulnerable systems
  • B. Identify the vulnerable systems and apply compensating controls
  • C. Update the signatures database of the intrusion detection system (IDS)
  • D. Communicate the vulnerability to system users

Answer: B

Explanation:
The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.

 

NEW QUESTION 39
The BEST way to ensure that information security policies are followed is to:

  • A. include escalating penalties for noncompliance.
  • B. perform periodic reviews for compliance.
  • C. distribute printed copies to all employees.
  • D. establish an anonymous hotline to report policy abuses.

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation:
The best way to ensure that information security policies are followed is to periodically review levels of compliance. Distributing printed copies, advertising an abuse hotline or linking policies to an international standard will not motivate individuals as much as the consequences of being found in noncompliance.
Escalating penalties will first require a compliance review.

 

NEW QUESTION 40
Which of the following is MOST likely to drive an update to the information security strategy?

  • A. A recent penetration test has uncovered a control weakness.
  • B. A major business application has been upgraded.
  • C. A new chief technology officer has been hired.
  • D. Management has decided to implement an emerging technology.

Answer: D

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT

 

NEW QUESTION 41
A security risk assessment exercise should be repeated at regular intervals because:

  • A. business threats are constantly changing.
  • B. they help raise awareness on security in the business.
  • C. repetitive assessments allow various methodologies.
  • D. omissions in earlier assessments can be addressed.

Answer: A

Explanation:
Explanation
As business objectives and methods change, the nature and relevance of threats change as well. Choice B does not, by itself, justify regular reassessment. Choice C is not necessarily true in all cases. Choice D is incorrect because there are better ways of raising security awareness than by performing a risk assessment.

 

NEW QUESTION 42
Which of the following provides the BEST indication of strategic alignment between an organization's information security program and business objectives?

  • A. A balanced scorecard
  • B. A business impact analysis (BIA)
  • C. Security audit reports
  • D. Key risk indicators (KRIs)

Answer: A

 

NEW QUESTION 43
Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?

  • A. An intrusion prevention system (IPS)
  • B. A host-based firewall
  • C. An intrusion detection system (IDS)
  • D. A host-based intrusion detection system (HIDS)

Answer: A

Explanation:
Explanation
SQL injection attacks occur at the application layer. Most IPS vendors will detect at least basic sets of SQL injection and will be able to stop them. IDS will detect, but not prevent I IIDS will be unaware of SQL injection problems. A host-based firewall, be it on the web server or the database server, will allow the connection because firewalls do not check packets at an application layer.

 

NEW QUESTION 44
What should be an organization's MAIN concern when evaluating an Infrastructure as a Service (IaaS) cloud computing model for an e-Commerce application?

  • A. Availability of provider's services
  • B. Internal about requirements
  • C. Application ownership
  • D. Where the application resides

Answer: A

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation

 

NEW QUESTION 45
An information security manager finds a legacy application has no defined data owner. Of the following, who would be MOST helpful in identifying the appropriate data owner?

  • A. The individual responsible for providing support for the application.
  • B. The individual who manages users of the application
  • C. The individual who has the most privileges within the application
  • D. The individual who manages the process supported by the application.

Answer: B

 

NEW QUESTION 46
When developing metrics related to an organization's information security program, what information will provide the MOST value to enable strategic decision-making?

  • A. How frequently the information security risk register is updated
  • B. How long it takes security incidents to be closed
  • C. How well information security risk is being predicted
  • D. How many security incidents are reported each month

Answer: C

 

NEW QUESTION 47
Which of the following BEST describes a buffer overflow?

  • A. A program contains a hidden and unintended function that presents a security risk.
  • B. A type of covert channel that captures data.
  • C. A function is carried out with more data than the function can handle.
  • D. Malicious code designed to interfere with normal operations.

Answer: D

 

NEW QUESTION 48
The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:

  • A. sustaining the organization's security posture.
  • B. complying with segregation of duties.
  • C. the existing systems that will be affected.
  • D. identifying vulnerabilities in the system.

Answer: A

Explanation:
Explanation/Reference:
Explanation:
It is important to maintain the organization's security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC).

 

NEW QUESTION 49
Which of the following would BEST ensure thai security risk assessment is integrated into the life cycle of major IT projects

  • A. Applying global security standards to the IT projects
  • B. Integrating the risk assessment into the internal audit program
  • C. Having the Information security manager participate on the project steering committees
  • D. Training project managers on risk assessment

Answer: A

 

NEW QUESTION 50
Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?

  • A. Restrict the available drive allocation on all PCs
  • B. Disable universal serial bus (USB) ports on all desktop devices
  • C. Establish strict access controls to sensitive information
  • D. Conduct frequent awareness training with noncompliance penalties

Answer: A

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation:
Restricting the ability of a PC to allocate new drive letters ensures that universal serial bus (USB) drives or even CD-writers cannot be attached as they would not be recognized by the operating system. Disabling USB ports on all machines is not practical since mice and other peripherals depend on these connections.
Awareness training and sanctions do not prevent copying of information nor do access controls.

 

NEW QUESTION 51
The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:

  • A. hourly billing rate charged by the carrier.
  • B. aggregate compensation of all affected business users.
  • C. value of the data transmitted over the network.
  • D. financial losses incurred by affected business units.

Answer: D

Explanation:
Explanation/Reference:
Explanation:
The bottom line on calculating the impact of a loss is what its cost will be to the organization. The other choices are all factors that contribute to the overall monetary impact.

 

NEW QUESTION 52
A critical component of a continuous improvement program for information security is:

  • A. tying corporate security standards to a recognized international standard.
  • B. developing a service level agreement (SLA) for security.
  • C. measuring processes and providing feedback.
  • D. ensuring regulatory compliance.

Answer: C

Explanation:
Explanation/Reference:
Explanation:
If an organization is unable to take measurements that will improve the level of its safety program. then continuous improvement is not possible. Although desirable, developing a service level agreement (SLA) for security, tying corporate security standards to a recognized international standard and ensuring regulatory compliance are not critical components for a continuous improvement program.

 

NEW QUESTION 53
Which of the following is BEST to include in a business case when the return on investment (RIO) for an information security initiative is difficult to calculate?

  • A. Projected costs over time
  • B. Estimated increase in efficiency
  • C. Estimated reduction in risk
  • D. Projected increase in maturity level

Answer: B

 

NEW QUESTION 54
......

True CISM Exam Extraordinary Practice For the Exam: https://www.vceengine.com/CISM-vce-test-engine.html

Get 100% Passing Success With True CISM Exam: https://drive.google.com/open?id=1iU2YQB_L0jiI5s5_wEVjYWnhv5FxrNsl