
Pass ISACA CISM Actual Free Exam Q&As Updated Dump Mar 20, 2023
Latest CISM Actual Free Exam Updated 188 Questions
Conclusion
Unlocking your potential becomes much easier when your tank is filled with the best CISM test prep materials. The knowledge you will find in each of the resources presented above is crucial to your success both in the exam process and in the actual field as a Certified Information Security Manager. Don’t get too caught up in reading and memorizing the concepts. Once you think you’ve gained mastery in each domain, try the practice quizzes. That is the surest way to know whether you have really understood the entirety of the exam and its tasks. Let these materials power you up so you can claim your deserved success very soon!
CISM Exam topics
Candidates must know the exam topics before they start of preparation. Because it will really help them in hitting the core. Our CISM exam dumps will include the following topics:
- Information Risk Management and Compliance
- Information Security Program Development and Management
- Information Security Management
- Information Security Incident Management
NEW QUESTION 47
Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:
- A. strategy.
- B. baseline.
- C. guideline
- D. policy.
Answer: D
Explanation:
A security policy is a general statement to define management objectives with respect to security. The security strategy addresses higher level issues. Guidelines are optional actions and operational tasks. A security baseline is a set of minimum requirements that is acceptable to an organization.
NEW QUESTION 48
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
- A. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
- B. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
- C. Laws and regulations of the country of origin may not be enforceable in the foreign country.
- D. A security breach notification might get delayed due to the time difference.
Answer: C
Explanation:
A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Option C is a manageable problem that requires additional funding, but can be addressed. Option D is a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or a SAS 70 report can address such concerns.
NEW QUESTION 49
An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
- A. Business impact analysis (BIA)
- B. Technical vulnerability assessment
- C. Key performance indicators (KPIs)
- D. Gap analysis
Answer: D
Explanation:
Explanation/Reference:
Explanation:
Gap analysis would help identify the actual gaps between the desired state and the current implementation of information security management. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information in order to identify gaps.
NEW QUESTION 50
The FIRST step to create an internal culture that focuses on information security is to:
- A. gain the endorsement of executive management.
- B. implement stronger controls.
- C. actively monitor operations.
- D. conduct periodic awareness training.
Answer: A
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
Explanation:
Endorsement of executive management in the form of policies provides direction and awareness. The implementation of stronger controls may lead to circumvention. Awareness training is important, but must be based on policies. Actively monitoring operations will not affect culture at all levels.
NEW QUESTION 51
A newly hired information security manager discovers that the cleanup of accounts for terminated employees happens only once a year. Which of the following should be the information security manager's FIRST course of action?
- A. Perform a risk assessment
- B. Update the security policy
- C. Report the issue to senior management
- D. Design and document a new process
Answer: C
NEW QUESTION 52
Which of the following should be included in an annual information security budget that is submitted for management approval?
- A. Baseline comparisons
- B. A cost-benefit analysis of budgeted resources
- C. All of the resources that are recommended by the business
- D. Total cost of ownership (TCO)
Answer: B
Explanation:
Explanation
A brief explanation of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Explanations of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget. Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval.
NEW QUESTION 53
Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?
- A. The ability to restrict unapproved applications
- B. The ability to centrally manage devices
- C. The ability to remotely locate devices
- D. The ability to classify types of devices
Answer: B
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION 54
The MAIN reason for an information security manager to monitor industry level changes in the business and FT is to:
- A. update information security policies in accordance with the changes
- B. identify changes in the risk environment
- C. change business objectives based on potential impact
- D. evaluate the effect of the changes on the levels of residual risk.
Answer: B
NEW QUESTION 55
When preparing a disaster recovery plan, which of the following would BEST help in prioritizing the restoration of business systems?
- A. Service level agreement (SLA)
- B. Annual loss expectancy (ALE)
- C. System utilization requirements
- D. Recovery time objective (RTO)
Answer: D
NEW QUESTION 56
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?
- A. Strong encryption
- B. Intrusion detection system (IDS)
- C. Boundary router
- D. Internet-facing firewall
Answer: A
Explanation:
Explanation/Reference:
Explanation:
Strong encryption is the most effective means of protecting wireless networks. Boundary routers, intrusion detection systems (IDSs) and firewalling the Internet would not be as effective.
NEW QUESTION 57
The value of information assets is BEST determined by:
- A. industry averages benchmarking.
- B. business systems analysts.
- C. individual business managers.
- D. information security management.
Answer: C
Explanation:
Explanation/Reference:
Explanation:
Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets' impact on the business. Business systems developers and information security managers are not as knowledgeable regarding the impact on the business. Peer companies' industry averages do not necessarily provide detailed enough information nor are they as relevant to the unique aspects of the business.
NEW QUESTION 58
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
- A. Data owner
- B. Systems programmer
- C. Security administrator
- D. Data custodian
Answer: B
Explanation:
Explanation/Reference:
Explanation:
A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.
NEW QUESTION 59
Which of the following is the MOST important criterion for complete closure of a security incident?
- A. Root cause analysis and lessons learned
- B. Level of potential impact
- C. Identification of affected resources
- D. Documenting and reporting to senior management
Answer: A
NEW QUESTION 60
A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
- A. Amount of IT budget available
- B. Penetration test results
- C. Risk analysis results
- D. Audit report findings
Answer: C
Explanation:
Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures. Audit report findings may not address all risks and do not address annual loss frequency. Penetration test results provide only a limited view of exposures, while the IT budget is not tied to the exposures faced by the organization.
NEW QUESTION 61
Which of the following is MOST important to evaluate after completing a risk action plan?
- A. Vulnerability landscape
- B. Inherent risk
- C. Residual risk
- D. Threat profile
Answer: D
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION 62
The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
- A. required key sizes are smaller.
- B. traffic cannot be sniffed.
- C. reliability of the data is higher in transit.
- D. the existence of messages is unknown.
Answer: D
Explanation:
The existence of messages is hidden when using steganography. This is the greatest risk. Keys are relevant for encryption and not for steganography. Sniffing of steganographic traffic is also possible. Option D is not relevant.
NEW QUESTION 63
When an organization is implementing an information security governance program, its board of directors should be responsible for:
- A. reviewing training and awareness programs.
- B. setting the strategic direction of the program.
- C. drafting information security policies.
- D. auditing for compliance.
Answer: B
Explanation:
Explanation/Reference:
Explanation:
A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.
NEW QUESTION 64
Senior management commitment and support for information security can BEST be obtained through presentations that:
- A. use illustrative examples of successful attacks.
- B. tie security risks to key business objectives.
- C. explain the technical risks to the organization.
- D. evaluate the organization against best security practices.
Answer: B
Explanation:
Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.
NEW QUESTION 65
Which of the following is MOST important to the successful promotion of good security management practices?
- A. Security metrics
- B. Periodic training
- C. Management support
- D. Security baselines
Answer: C
Explanation:
Explanation/Reference:
Explanation:
Without management support, all other efforts will be undermined. Metrics, baselines and training are all important, but they depend on management support for their success.
NEW QUESTION 66
Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?
- A. Finance department management
- B. Database administrator (DBA)
- C. IT department management
- D. Information security manager
Answer: A
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation:
Data owners are responsible for determining data classification; in this case, management of the finance department would be the owners of accounting ledger data. The database administrator (DBA) and IT management are the custodians of the data who would apply the appropriate security levels for the classification, while the security manager would act as an advisor and enforcer.
NEW QUESTION 67
......
Online Questions - Valid Practice CISM Exam Dumps Test Questions: https://www.vceengine.com/CISM-vce-test-engine.html
100% Real CISM dumps - Brilliant CISM Exam Questions PDF: https://drive.google.com/open?id=1tXsl-9VBU-uYYvTSN7uWRmMzRAGBcNPX
