Here are all the actual test exam dumps for IT exams. Most people prepare for the actual exams with our test dumps to pass their exams. So it's critical to choose and actual test pdf to succeed.

Jun-2024 Pass Your CISM Exam at the First Try with 100% Real Exam [Q280-Q300]

Share

Jun-2024 Pass Your CISM Exam at the First Try with 100% Real Exam

Get Real Exam Questions for CISM with New Questions


To be eligible to take the CISM certification exam, candidates must have at least five years of experience in information security management, with a minimum of three years of experience in the role of information security manager. Alternatively, candidates can substitute experience with relevant education and other certifications. Once the candidate passes the CISM exam, they must adhere to the ISACA Code of Professional Ethics, maintain their certification through continuing education, and adhere to the ISACA Certification Maintenance Policy.

 

NEW QUESTION # 280
The MAIN reason for internal certification of web-based business applications is to ensure:

  • A. compliance with industry standards.
  • B. changes to the organizational policy framework are identified.
  • C. compliance with organizational policies.
  • D. up-to-date web technology is being used.

Answer: C

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation


NEW QUESTION # 281
A risk management program would be expected to:

  • A. maintain residual risk at an acceptable level.
  • B. remove all inherent risk.
  • C. reduce control risk to zero.
  • D. implement preventive controls for every threat.

Answer: A

Explanation:
The object of risk management is to ensure that all residual risk is maintained at a level acceptable to the business; it is not intended to remove every identified risk or implement controls for every threat since this may not be cost-effective. Control risk, i.e., that a control may not be effective, is a component of the program but is unlikely to be reduced to zero.


NEW QUESTION # 282
Which of the following is the MOST important to ensure a successful recovery?

  • A. Recovery location is secure and accessible
  • B. Network alternate links are regularly tested
  • C. More than one hot site is available
  • D. Backup media is stored offsite

Answer: D

Explanation:
Explanation/Reference:
Explanation:
Unless backup media are available, all other preparations become meaningless. Recovery site location and security are important, but would not prevent recovery in a disaster situation. Having a secondary hot site is also important, but not as important as having backup media available. Similarly, alternate data communication lines should be tested regularly and successfully but, again, this is not as critical.


NEW QUESTION # 283
Why is "slack space" of value to an information security manager as pan of an incident investigation?

  • A. Slack space is encrypted
  • B. It provides flexible space for the investigation
  • C. The slack space contains login information
  • D. Hidden data may be stored there

Answer: D

Explanation:
"Slack space" is the unused space between where the fdc data end and the end of the cluster the data occupy. Login information is not typically stored in the slack space. Encryption for the slack space is no different from the rest of the file system. The slack space is not a viable means of storage during an investigation.


NEW QUESTION # 284
Which of the following is MOST likely to occur following a security awareness campaign''

  • A. A decrease in user-reported false positive incidents
  • B. A decrease in number of account lockouts
  • C. An increase in reported social engineering attempts
  • D. An increase in the number of viruses detected in incoming email

Answer: A


NEW QUESTION # 285
Senior management learns of several web application security incidents and wants to know the exposure risk to the organization. What is the information security manager's BEST course of action?

  • A. Review audit logs from IT systems.
  • B. Assess IT system configurations
  • C. Perform a vulnerability assessment.
  • D. Activate the incident response plan

Answer: C


NEW QUESTION # 286
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?

  • A. Risk analysis
  • B. Regression analysis
  • C. Gap analysis
  • D. Business impact analysis

Answer: D

Explanation:
Section: INFORMATION RISK MANAGEMENT
Explanation:
Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs relate to the financial impact of a system not being available. A gap analysis is useful in addressing the differences between the current state and an ideal future state. Regression analysis is used to test changes to program modules. Risk analysis is a component of the business impact analysis.


NEW QUESTION # 287
Which of the following is the BEST method to securely transfer a message?

  • A. Steganography
  • B. Password-protected removable media
  • C. Facsimile transmission in a secured room
  • D. Using public key infrastructure (PKI) encryption

Answer: D

Explanation:
Explanation/Reference:
Explanation:
Using public key infrastructure (PKI) is currently accepted as the most secure method to transmit e-mail messages. PKI assures confidentiality, integrity and nonrepudiation. The other choices are not methods that are as secure as PKI. Steganography involves hiding a message in an image.


NEW QUESTION # 288
Which of the following will BEST protect an organization from internal security attacks?

  • A. Static IP addressing
  • B. Employee awareness certification program
  • C. Internal address translation
  • D. Prospective employee background checks

Answer: D

Explanation:
Explanation/Reference:
Explanation:
Because past performance is a strong predictor of future performance, background checks of prospective employees best prevents attacks from originating within an organization. Static IP addressing does little to prevent an internal attack. Internal address translation using non-routable addresses is useful against external attacks but not against internal attacks. Employees who certify that they have read security policies are desirable, but this does not guarantee that the employees behave honestly.


NEW QUESTION # 289
An information security manager learns that IT personnel are not adhering to the information security policy because it creates process inefficiencies. What should the information security manager do FIRST?

  • A. Propose that IT update information security policies and procedures.
  • B. Request that internal audit conduct a review of the policy development process,
  • C. Conduct user awareness training within the IT function.
  • D. Determine the risk related to noncompliance with the policy.

Answer: D

Explanation:
Explanation
The information security manager should first determine the risk related to noncompliance with the policy, as this will help to understand the impact and likelihood of the policy violation and the potential consequences for the organization. The information security manager can then use the risk assessment results to communicate the importance of the policy to the IT personnel, propose any necessary changes to the policy or the processes, or request an audit of the policy development process, depending on the situation. Conducting user awareness training, updating policies and procedures, or requesting an audit are possible actions that the information security manager can take after determining the risk, but they are not the first step. References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Assessment, page 86; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 59, page 60.


NEW QUESTION # 290
Which of the following is the GREATEST risk associated with the installation of an intrusion prevention system (IPS)?

  • A. Critical business processes may be blocked.
  • B. Data links can no longer be encrypted end-to-end.
  • C. IPS logfiles may become too large to process.
  • D. Staff may not be able to access the Internet.

Answer: A


NEW QUESTION # 291
An information security manager has been alerted to a possible incident involving a breach at one of the organization's vendors. Which of the following should be done FIRST?

  • A. Discontinue the relationship with the vendor.
  • B. Perform incident recovery.
  • C. Perform incident eradication.
  • D. Engage the incident response team.

Answer: D


NEW QUESTION # 292
Which of the following is a desired outcome of information security governance?

  • A. Penetration test
  • B. Business agility
  • C. Improved risk management
  • D. A maturity model

Answer: C


NEW QUESTION # 293
An information security manager must understand the relationship between information security and business operations in order to:

  • A. support organizational objectives.
  • B. understand the threats to the business.
  • C. assess the possible impacts of compromise.
  • D. determine likely areas of noncompliance.

Answer: A

Explanation:
Section: INFORMATION SECURITY GOVERNANCE
Explanation:
Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.


NEW QUESTION # 294
The value of information assets is BEST determined by:

  • A. industry averages benchmarking.
  • B. individual business managers.
  • C. information security management.
  • D. business systems analysts.

Answer: B

Explanation:
Explanation/Reference:
Explanation:
Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets' impact on the business. Business systems developers and information security managers are not as knowledgeable regarding the impact on the business. Peer companies' industry averages do not necessarily provide detailed enough information nor are they as relevant to the unique aspects of the business.


NEW QUESTION # 295
Which of the following would be the BEST defense against sniffing?

  • A. Implement a dynamic IP address scheme
  • B. Password protect the files
  • C. Encrypt the data being transmitted
  • D. Set static mandatory access control (MAC) addresses

Answer: C

Explanation:
Explanation/Reference:
Explanation:
Encrypting the data will obfuscate the data so that they are not visible in plain text. Someone would have to collate the entire data stream and try decrypting it, which is not easy. Passwords can be recovered by brute-force attacks and by password crackers, so this is not the best defense against sniffing. IP addresses can always be discovered, even if dynamic IP addresses are implemented. The person sniffing traffic can initiate multiple sessions for possible IP addresses. Setting static mandatory access control (MAC) addresses can prevent address resolution protocol (ARP) poisoning, but it does not prevent sniffing.


NEW QUESTION # 296
Which of the following is MOST critical for prioritizing actions in a business continuity plan (BCP)?

  • A. Asset classification
  • B. Business process mapping
  • C. Risk assessment
  • D. Business impact analysis (6IA)

Answer: D


NEW QUESTION # 297
To ensure IT equipment meets organizational security standards, the MOST efficient approach is to:

  • A. develop an approved equipment list.
  • B. ensure compliance during user acceptance testing.
  • C. assess the risks of all new equipment.
  • D. assess security during equipment deployment.

Answer: A

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT


NEW QUESTION # 298
An organization has identified a large volume of old data that appears to be unused. Which of the following should the information security manager do NEXT?

  • A. Implement media sanitization procedures.
  • B. Update the awareness and training program.
  • C. Consult the backup and recovery policy.
  • D. Consult the record retention policy.

Answer: D

Explanation:
Explanation
The next thing that the information security manager should do after identifying a large volume of old data that appears to be unused is to consult the record retention policy. The record retention policy is a document that defines the types, formats, and retention periods of data that the organization needs to keep for legal, regulatory, operational, or historical purposes. By consulting the record retention policy, the information security manager can determine if the old data is still required to be stored, archived, or disposed of, and how to do so in a secure and compliant manner.
References: The CISM Review Manual 2023 states that "the information security manager is responsible for ensuring that the data lifecycle management process is in alignment with the organization's record retention policy" and that "the record retention policy defines the types, formats, and retention periods of data that the organization needs to keep for legal, regulatory, operational, or historical purposes" (p. 140). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this answer: "Consult the record retention policy is the correct answer because it is the next logical step to take after identifying a large volume of old data that appears to be unused, as it will help the information security manager to decide on the appropriate data lifecycle management actions for the old data, such as storage, archiving, or disposal" (p. 64). Additionally, the article Data Retention Policy: What It Is and How to Create One from the ISACA Journal 2019 states that "a data retention policy is a document that outlines the types, formats, and retention periods of data that an organization needs to keep for various purposes, such as legal compliance, business operations, or historical records" and that "a data retention policy can help an organization to manage its data lifecycle, optimize its storage capacity, reduce its costs, and enhance its security and privacy" (p. 1)1.


NEW QUESTION # 299
An organization is close to going live with the implementation of a cloud-based application. Independent penetration test results have been received that show a high-rated vulnerability. Which of the following would be the BEST way to proceed?

  • A. Implement the application and request the cloud service provider to fix the vulnerability.
  • B. Commission further penetration tests to validate initial test results,
  • C. Postpone the implementation until the vulnerability has been fixed.
  • D. Assess whether the vulnerability is within the organization's risk tolerance levels.

Answer: C


NEW QUESTION # 300
......

Updated CISM Certification Exam Sample Questions: https://www.actual4test.com/CISM_examcollection.html

Get Unlimited Access to CISM Certification Exam Cert Guide: https://drive.google.com/open?id=19KsHYdqsDQWjq_tq38xhoQBj-PKkm7Yi