
Get Ready to Pass the CISM exam Right Now Using Our Isaca Certification Exam Package
Enhance Your Career With Available Preparation Guide for CISM Exam
NEW QUESTION # 77
It is MOST important that information security architecture be aligned with which of the following?
- A. Industry best practices
- B. Information technology plans
- C. Information security best practices
- D. Business objectives and goals
Answer: D
Explanation:
Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison.
NEW QUESTION # 78
An organization is aligning its incident response capability with a public cloud service provider. What should be the information security manager's FIRST course of action?
- A. Identify the skill set of the provider's incident response team.
- B. Evaluate the provider's audit logging and monitoring controls.
- C. Update the incident escalation process.
- D. Review the provider's incident definitions and notification criteria.
Answer: D
Explanation:
Explanation
When an organization is aligning its incident response capability with a public cloud service provider, the information security manager's first course of action should be to review the provider's incident definitions and notification criteria. This is because the provider's incident definitions and notification criteria may differ from the organization's own, and may affect the scope, severity, and urgency of the incidents that need to be reported and handled. By reviewing the provider's incident definitions and notification criteria, the information security manager can ensure that there is a common understanding and agreement on what constitutes an incident, how it is classified, and when and how it is communicated. This will help to avoid confusion, delays, or conflicts in the incident response process, and to establish clear roles and responsibilities between the organization and the provider. References = CISM Review Manual, 16th Edition, page 1021 Reviewing the provider's incident definitions and notification criteria is the FIRST course of action when aligning the organization's incident response capability with a public cloud service provider. This is because the organization needs to understand how the provider defines and classifies incidents, what their roles and responsibilities are, and how they will communicate with the organization in case of an incident. This will help the organization align its own incident response processes and expectations with the provider's and ensure a coordinated and effective response.
NEW QUESTION # 79
When developing an information security program, what is the MOST useful source of information for determining available resources?
- A. Job descriptions
- B. Proficiency test
- C. Organization chart
- D. Skills inventory
Answer: D
Explanation:
Explanation/Reference:
Explanation:
A skills inventory would help identify- the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.
NEW QUESTION # 80
Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
- A. Baseline security standards
- B. Exit routines
- C. Role-based access controls
- D. System access violation logs
Answer: C
Explanation:
Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Violation logs are detective and do not prevent unauthorized access. Baseline security standards do not prevent unauthorized access. Exit routines are dependent upon appropriate role-based access.
NEW QUESTION # 81
The business value of an information asset is derived from:
- A. the threat profile.
- B. its criticality.
- C. its replacement cost.
- D. the risk assessment.
Answer: B
Explanation:
Explanation
The business value of an information asset is derived from its criticality, which is the degree of importance or dependency of the asset to the organization's objectives, operations, and stakeholders. The criticality of an information asset can be determined by assessing its impact on the confidentiality, integrity, and availability (CIA) of the information, as well as its sensitivity, classification, and regulatory requirements. The higher the criticality of an information asset, the higher its business value, and the more resources and controls are needed to protect it.
References = CISM Review Manual 2022, page 371; CISM Exam Content Outline, Domain 1, Task 1.32; IT Asset Valuation, Risk Assessment and Control Implementation Model1; Managing Data as an Asset3
NEW QUESTION # 82
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST?
- A. Perform a risk assessment on the new technology.
- B. Determine whether the organization can benefit from adopting the new standard.
- C. Review industry specialists' analyses of the new standard.
- D. Obtain legal counsel's opinion on the standard's applicability to regulations,
Answer: B
Explanation:
= The first step that the information security manager should recommend when learning of a new standard related to an emerging technology is to determine whether the organization can benefit from adopting the new standard. This involves evaluating the business objectives, needs, and requirements of the organization, as well as the potential advantages, disadvantages, and challenges of implementing the new technology and the new standard. The information security manager should also consider the alignment of the new standard with the organization's existing policies, procedures, and standards, as well as the impact of the new standard on the organization's information security governance, risk management, program, and incident management. By conducting a preliminary analysis of the feasibility, suitability, and desirability of the new standard, the information security manager can provide a sound basis for further decision making and planning.
Reference = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Standards, page 391; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 43, page 412.
NEW QUESTION # 83
An organization's security policy is to disable access to USB storage devices on laptops and desktops. Which of the following is the STRONGEST justification for granting an exception to the policy?
- A. The benefit is greater than the potential risk.
- B. USB storage devices are enabled based on user roles.
- C. Users accept the risk of noncompliance.
- D. Access is restricted to read-only.
Answer: A
Explanation:
The strongest justification for granting an exception to the security policy that disables access to USB storage devices on laptops and desktops is that the benefit is greater than the potential risk. A security policy is a document that defines the goals, objec-tives, principles, roles, responsibilities, and requirements for protecting information and systems in an organization. A security policy should be based on a risk assessment that identifies and evaluates the threats and vulnerabilities that affect the organiza-tion's assets, as well as the potential impact and likelihood of incidents. A security pol-icy should also be aligned with the organization's business objectives and risk appe-tite1. However, there may be situations where a security policy cannot be fully enforced or complied with due to technical, operational, or business reasons. In such cases, an exception to the policy may be requested and granted by an authorized person or body, such as a security manager or a policy committee. An exception to a security policy should be justified by a clear and compelling reason that outweighs the risk of non-compliance. An exception to a security policy should also be documented, approved, monitored, reviewed, and revoked as necessary2. The strongest justification for grant-ing an exception to the security policy that disables access to USB storage devices on laptops and desktops is that the benefit is greater than the potential risk. USB storage devices are portable devices that can store large amounts of data and can be easily connected to laptops and desktops via USB ports. They can provide several benefits for users and organizations, such as:
*Enhancing data mobility and accessibility
*Improving data backup and recovery
*Supporting data sharing and collaboration
*Enabling data encryption and authentication
However, USB storage devices also pose significant security risks for users and organi-zations, such as:
*Introducing malware or viruses to laptops and desktops
*Exposing sensitive data to unauthorized access or disclosure
*Losing or stealing data due to device loss or theft
*Violating security policies or regulations
Therefore, an exception to the security policy that disables access to USB storage de-vices on laptops and desktops should only be granted if the benefit of using them is greater than the potential risk of compromising them. For example, if a user needs to transfer a large amount of data from one laptop to another in a remote location where there is no network connection available, and the data is encrypted and protected by a strong password on the USB device, then the benefit of using the USB device may be greater than the risk of losing or exposing it. The other options are not the strongest justifications for granting an exception to the security policy that disables access to USB storage devices on laptops and desktops. Enabling USB storage devices based on user roles is not a justification, but rather a possible way of implementing a more gran-ular or flexible security policy that allows different levels of access for different types of users3. Users accepting the risk of noncompliance is not a justification, but rather a requirement for requesting an exception to a security policy that acknowledges their responsibility and accountability for any consequences of noncompliance4.
Accessing being restricted to read-only is not a justification, but rather a possible control that can reduce the risk of introducing malware or viruses from USB devices to laptops and desktops5. References: 1:
Information Security Policy - NIST 2: Policy Exception Man-agement - ISACA 3: Deploy and manage Removable Storage Access Control using In-tune - Microsoft Learn 4: Policy Exception Request Form - University of California 5: Re-movable Media Policy Writing Tips - CurrentWare
NEW QUESTION # 84
Which of the following is the information security manager's PRIMARY role in the information assets classification process?
- A. Developing an asset classification model
- B. Assigning the asset classification level
- C. Assigning asset ownership
- D. Securing assets in accordance with their classification
Answer: D
NEW QUESTION # 85
A serious vulnerability was detected in a business application that can be exploited by external attackers to compromise the system. What is the information security manager's BEST course of action?
- A. Report the risk to the business application owner.
- B. Implement temporary remediation.
- C. Ask the business application owner to apply the fix immediately.
- D. Request an immediate shutdown of the application.
Answer: A
NEW QUESTION # 86
An organization has decided to implement a security information and event management (SIEM) system. It is MOST important for the organization to consider:
- A. threat assessments.
- B. industry best practices.
- C. data ownership.
- D. log sources.
Answer: B
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION # 87
The PRIMARY purpose of a risk assessment is to enable business leaders to:
- A. align information security to business objectives.
- B. manage information security expenditures.
- C. define key risk indicators (KRIs).
- D. make informed decisions.
Answer: D
NEW QUESTION # 88
The recovery point objective (RPO) requires which of the following?
- A. After-image processing
- B. System restoration
- C. Disaster declaration
- D. Before-image restoration
Answer: D
Explanation:
The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later date, as does the return to normal, after-image processing.
NEW QUESTION # 89
Penetration testing is MOST appropriate when a:
- A. security incident has occurred.
- B. new system is being designed.
- C. new system is about to go live.
- D. security policy is being developed
Answer: C
NEW QUESTION # 90
Which of the following would BEST support the business case for an increase in the information security budget?
- A. Frequency of information security incidents
- B. Comparison of information security budgets with peer organizations
- C. Cost-benefit analysis results
- D. Business impact analysis (BIA) results
Answer: C
Explanation:
Cost-benefit analysis results are the best way to support the business case for an increase in the information security budget because they help to demonstrate the value and return on investment of the proposed security initiatives or projects. A cost-benefit analysis is a method of comparing the costs and benefits of different alternatives or options, taking into account both quantitative and qualitative factors. A cost-benefit analysis helps to justify the need and feasibility of the security budget, as well as to prioritize the security spending based on the expected outcomes and impacts. Therefore, cost-benefit analysis results are the correct answer.
Reference:
https://www.cisa.gov/resources-tools/resources/business-case-security
https://www.cisa.gov/resources-tools/resources/isc-best-practices-making-business-case-security
https://risk3sixty.com/2020/09/21/how-to-build-a-business-case-for-security-initiatives-part-4/
NEW QUESTION # 91
Which of the following considerations is MOST important when selecting a third-party intrusion detection system (IDS) vendor?
- A. The vendor's proposal requires the provider to have a business continuity plan (BCP).
- B. The vendor's proposal aligns with the objectives of the organization.
- C. The vendor's proposal allows for contract modification during technology refresh cycles.
- D. The vendor's proposal allows for escrow in the event the third party goes out of business.
Answer: B
NEW QUESTION # 92
Which of the following would BEST help to ensure appropriate security controls are built into software?
- A. Providing standards for implementation during development activities
- B. Integrating security throughout the development process
- C. Performing security testing prior to deployment
- D. Providing security training to the software development team
Answer: B
Explanation:
The best way to ensure appropriate security controls are built into software is to integrate security throughout the development process. This means that security should be considered from the initial stages of planning, design, coding, testing, deployment, and maintenance of the software. Integrating security throughout the development process helps to identify and mitigate security risks early, reduce the cost and complexity of fixing vulnerabilities later, improve the quality and reliability of the software, and enhance the trust and confidence of the users and customers. Integrating security throughout the development process also aligns with the best practices and standards of information security governance, such as the CISM framework123.
References =
* CISM Review Manual 15th Edition, page 1631
* CISM domain 3: Information security program development and management [2022 update]2
* CISSP domain 8 overview: Software development security4
NEW QUESTION # 93
Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
- A. Key risk indicator (KRD setup to security management processes
- B. Continuous analysis, monitoring and feedback
- C. Continuous risk reduction
- D. Continuous monitoring of the return on security investment (ROSD
Answer: B
Explanation:
Explanation/Reference:
Explanation:
To improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback compared to the current state of maturity. Return on security investment (ROSD may show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives. Thus, it may not be an adequate option. Continuous risk reduction would demonstrate the effectiveness of the security governance framework, but does not indicate a higher level of maturity. Key risk indicator (KRD setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
NEW QUESTION # 94
Threat and vulnerability assessments are important PRIMARILY because they are:
- A. used to establish security investments
- B. the basis for setting control objectives.
- C. needed to estimate risk.
- D. elements of the organization's security posture.
Answer: B
Explanation:
Explanation
Threat and vulnerability assessments are important PRIMARILY because they are the basis for setting control objectives. Control objectives are the desired outcomes or goals of implementing security controls in an information system. They are derived from the risk assessment process, which identifies and evaluates the threats and vulnerabilities that could affect the system's confidentiality, integrity and availability. By conducting threat and vulnerability assessments, an organization can determine the level of risk it faces and establish the appropriate control objectives to mitigate those risks.
NEW QUESTION # 95
Senior management has expressed concern that the organization's intrusion prevention system (IPS) may repeatedly disrupt business operations. Which of the following BEST indicates that the information security manager has tuned the system to address this concern?
- A. Decreasing false negatives
- B. Increasing false positives
- C. Increasing false negatives
- D. Decreasing false positives
Answer: D
NEW QUESTION # 96
Which of the following is the BEST method to protect the confidentiality of data transmitted over the Internet?
- A. Message hashing
- B. Transport Layer Security (TLS)
- C. Network address translation (NAT)
- D. Multi-factor authentication
Answer: B
NEW QUESTION # 97
What is the BEST technique to determine which security controls to implement with a limited budget?
- A. Cost-benefit analysis
- B. Impact analysis
- C. Risk analysis
- D. Annualized loss expectancy (ALE) calculations
Answer: A
Explanation:
Explanation
Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its benefit and that the best safeguard is provided for the cost of implementation. Risk analysis identifies the risks and suggests appropriate mitigation. The annualized loss expectancy (ALE) is a subset of a cost-benefit analysis. Impact analysis would indicate how much could be lost if a specific threat occurred.
NEW QUESTION # 98
The MOST appropriate role for senior management in supporting information security is the:
- A. assessment of risks to the organization.
- B. monitoring adherence to regulatory requirements.
- C. approval of policy statements and funding.
- D. evaluation of vendors offering security products.
Answer: C
Explanation:
Explanation/Reference:
Explanation:
Since the members of senior management are ultimately responsible for information security, they are the ultimate decision makers in terms of governance and direction. They are responsible for approval of major policy statements and requests to fund the information security practice. Evaluation of vendors, assessment of risks and monitoring compliance with regulatory requirements are day-to-day responsibilities of the information security manager; in some organizations, business management is involved in these other activities, though their primary role is direction and governance.
NEW QUESTION # 99
......
Get Special Discount Offer of CISM Certification Exam Sample Questions and Answers: https://www.dumps4pdf.com/CISM-valid-braindumps.html
New CISM Dumps For Preparing Isaca Certification Certified ISACA Exam Well: https://drive.google.com/open?id=15yLKhEnJqhtKNek2nnMZV5w4kpTAUKzY