
Excellent CISM PDF Dumps With 100% Actual4test Exam Passing Guaranted [Dec-2021]
100% Pass Your CISM Certified Information Security Manager at First Attempt with Actual4test
NEW QUESTION 223
Which of the following should be the PRIMARY consideration when selecting a recovery site?
- A. Geographical location
- B. Recovery time objective
- C. Recovery point objective
- D. Regulatory requirements
Answer: B
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION 224
After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:
- A. implement monitoring techniques to detect and react to potential fraud.
- B. increase its customer awareness efforts in those regions.
- C. make the customer liable for losses if they fail to follow the bank's advice.
- D. outsource credit card processing to a third party.
Answer: A
Explanation:
While customer awareness will help mitigate the risks, this is insufficient on its own to control fraud risk. Implementing monitoring techniques which will detect and deal with potential fraud cases is the most effective way to deal with this risk. If the bank outsources its processing, the bank still retains liability. While making the customer liable for losses is a possible approach, nevertheless, the bank needs to be seen to be proactive in managing its risks.
NEW QUESTION 225
Which of the following is MOST important when selecting an information security metric?
- A. Ensuring the metric is repeatable
- B. Defining the metric in qualitative terms
- C. Aligning the metric to the IT strategy
- D. Defining the metric in quantitative terms
Answer: D
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION 226
When developing an information security strategy, the MOST important requirement is that:
- A. a schedule is developed to achieve objectives.
- B. critical success factors (CSFs) are developed.
- C. the desired outcome is known.
- D. standards capture the intent of management.
Answer: D
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION 227
Which of the following is the BEST method to securely transfer a message?
- A. Facsimile transmission in a secured room
- B. Password-protected removable media
- C. Steganography
- D. Using public key infrastructure (PKI) encryption
Answer: D
Explanation:
Explanation/Reference:
Explanation:
Using public key infrastructure (PKI) is currently accepted as the most secure method to transmit e-mail messages. PKI assures confidentiality, integrity and nonrepudiation. The other choices are not methods that are as secure as PKI. Steganography involves hiding a message in an image.
NEW QUESTION 228
Security policies should be aligned MOST closely with:
- A. generally accepted standards.
- B. industry' best practices.
- C. local laws and regulations.
- D. organizational needs.
Answer: D
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation:
The needs of the organization should always take precedence. Best practices and local regulations are important, but they do not take into account the total needs of an organization.
NEW QUESTION 229
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
- A. To identify a complete list of vulnerabilities
- B. To mitigate technical risks
- C. To receive an independent view of security exposures
- D. To have an independent certification of network security
Answer: C
Explanation:
Explanation
Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure.
Mitigating technical risks is not a direct result of a penetration test. A penetration test would not provide certification of network security nor provide a complete list of vulnerabilities.
NEW QUESTION 230
Quantitative risk analysis is MOST appropriate when assessment data:
- A. contain subjective information.
- B. contain percentage estimates.
- C. do not contain specific details.
- D. include customer perceptions.
Answer: B
Explanation:
Explanation
Percentage estimates are characteristic of quantitative risk analysis. Customer perceptions, lack of specific details or subjective information lend themselves more to qualitative risk analysis.
NEW QUESTION 231
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
- A. The provider services all major companies in the area
- B. Exclusive use of the hot site is limited to six weeks
- C. The time of declaration determines site access priority
- D. The hot site may have to be shared with other customers
Answer: A
Explanation:
Explanation/Reference:
Explanation:
Sharing a hot site facility is sometimes necessary in the case of a major disaster. Also, first come, first served usually determines priority of access based on general industry practice. Access to a hot site is not indefinite; the recovery plan should address a long-term outage. In case of a disaster affecting a localized geographical area, the vendor's facility and capabilities could be insufficient for all of its clients, which will all be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.
NEW QUESTION 232
An information security program should be sponsored by:
- A. key business process owners.
- B. the corporate audit department.
- C. infrastructure management.
- D. information security management.
Answer: A
Explanation:
Explanation
The information security program should ideally be sponsored by business managers, as represented by key business process owners. Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business requirements. A corporate audit department is not in as good a position to fully understand how an information security program needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions. Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient operational knowledge and lack of proper authority.
NEW QUESTION 233
In business-critical applications, user access should be approved by the:
- A. data owner.
- B. business management.
- C. information security manager.
- D. data custodian.
Answer: A
Explanation:
Explanation/Reference:
Explanation:
A data owner is in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy. An information security manager will coordinate and execute the implementation of the role-based access control. A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights. Business management is not. in all cases, the owner of the data.
NEW QUESTION 234
In assessing risk, it is MOST essential to:
- A. focus primarily on threats and recent business losses.
- B. provide equal coverage for all asset types.
- C. use benchmarking data from similar organizations.
- D. consider both monetary value and likelihood of loss.
Answer: D
Explanation:
A risk analysis should take into account the potential financial impact and likelihood of a loss. It should not weigh all potential losses evenly, nor should it focus primarily on recent losses or losses experienced by similar firms. Although this is important supplementary information, it does not reflect the organization's real situation. Geography and other factors come into play as well.
NEW QUESTION 235
Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
- A. Security awareness campaigns
- B. Annual self-assessment by management
- C. Security- steering committees
- D. Security policies and procedures
Answer: C
Explanation:
Explanation/Reference:
Explanation:
Security steering committees provide a forum for management to express its opinion and take ownership in the decision making process. Security awareness campaigns, security policies and procedures, and self- assessment exercises are all good but do not exemplify the taking of ownership by management.
NEW QUESTION 236
Which of the following is the MOST important information to include in a strategic plan for information security?
- A. IT capital investment requirements
- B. Information security staffing requirements
- C. information security mission statement
- D. Current state and desired future state
Answer: D
Explanation:
Explanation/Reference:
Explanation:
It is most important to paint a vision for the future and then draw a road map from the stalling point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.
NEW QUESTION 237
A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BES T approach of the information security manager?
- A. Acceptance of the business manager's decision on the risk to the corporation
- B. Acceptance of the information security manager's decision on the risk to the corporation
- C. Review of the assessment with executive management for final input
- D. A new risk assessment and BIA are needed to resolve the disagreement
Answer: C
Explanation:
Executive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process.
NEW QUESTION 238
Which of the following is the MOST important factor to ensure information security is meeting the organization's objectives?
- A. Internal audit's involvement in the security process
- B. Implementation of a security awareness program
- C. Establishment of acceptable risk thresholds
- D. Implementation of a control self-assessment process
Answer: A
NEW QUESTION 239
Secure customer use of an e-commerce application can BEST be accomplished through:
- A. digital signatures.
- B. two-factor authentication.
- C. data encryption.
- D. strong passwords.
Answer: C
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
Explanation:
Encryption would be the preferred method of ensuring confidentiality in customer communications with an e- commerce application. Strong passwords, by themselves, would not be sufficient since the data could still be intercepted, while two-factor authentication would be impractical. Digital signatures would not provide a secure means of communication. In most business-to-customer (B-to-C) web applications, a digital signature is also not a practical solution.
NEW QUESTION 240
An organization wants to ensure its confidential data is isolated in a multi-tenanted environment at a well- known cloud service provider. Which of the following is the BEST way to ensure the data is adequately protected?
- A. Review the provider's information security policies and procedures.
- B. Obtain documentation of the encryption management practices.
- C. Verify the provider follows a cloud service framework standard.
- D. Ensure an audit of the provider is conducted to identify control gaps.
Answer: C
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION 241
Which of the following should be determined FIRST when establishing a business continuity program?
- A. Cost to rebuild information processing facilities
- B. Incremental daily cost of the unavailability of systems
- C. Location and cost of offsite recovery facilities
- D. Composition and mission of individual recovery teams
Answer: B
Explanation:
Explanation/Reference:
Explanation:
Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing different systems. This will allow recovery time objectives to be determined which, in turn, affects the location and cost of offsite recovery facilities, and the composition and mission of individual recovery teams. Determining the cost to rebuild information processing facilities would not be the first thing to determine.
NEW QUESTION 242
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
- A. transferred.
- B. treated.
- C. terminated.
- D. accepted.
Answer: D
Explanation:
Explanation/Reference:
Explanation:
When the cost of control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.
NEW QUESTION 243
Which of the following is the BEST approach when using sensitive customer data during the testing phase of a systems development project?
- A. Monitor the test environment for data loss.
- B. Sanitize customer data.
- C. Establish the test environment on a separate network.
- D. Implement equivalent controls to those on the source system.
Answer: B
NEW QUESTION 244
An organization experienced a data breach and followed its incident response plan. Later it was discovered that the plan was incomplete, omitting a requirement to report the incident to the relevant authorities. In addition to establishing an updated incident response plan, which of the following would be MOST helpful in preventing a similar occurrence?
- A. Attached reporting forms as an addendum to the incident response plan
- B. Assignment of responsibility for communications.
- C. Ongoing evaluation of the incident response plan.
- D. Management approval of the incident reporting process
Answer: B
NEW QUESTION 245
What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
- A. are decrypted by the firewall.
- B. all use weak encryption.
- C. may be corrupted by the receiving mail server.
- D. may be quarantined by mail filters.
Answer: D
Explanation:
Often, mail filters will quarantine zip files that are password-protected since the filter (or the firewall) is unable to determine if the file contains malicious code. Many zip file products are capable of using strong encryption. Such files are not normally corrupted by the sending mail server.
NEW QUESTION 246
......
Significant Tidbits about CISM Test
Firstly, this exam precisely measures your technical knowledge as you prepare to take on a managerial role. Since this is a step up from being a team player, you need to have the expertise in the four domains mentioned above. Before you face the responsibilities of becoming an ISACA certified specialist in the workplace, though, you must first deal with the pressure of finishing the 150 exam questions in 4 hours. In the global scene, there are more than 46,000 holders of this renowned certification so, with the right attitude and preparation, you can be the next in line for professional success.
Trend for CISM pdf dumps before actual exam: https://www.actual4test.com/CISM_examcollection.html
Real Exam Questions & Answers - ISACA CISM Dump is Ready: https://drive.google.com/open?id=1R9eLfzDworYFsG6BgPfY7QVNG6hWwPxF