Get Instant Access of 100% REAL CISM DUMP Pass Your Exam Easily [Q466-Q482]


CISM Free Exam Questions with Quality Guaranteed

NEW QUESTION # 466
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

  • A. More savings in total operating costs
  • B. Better adherence to policies
  • C. Better alignment to business unit needs
  • D. More uniformity in quality of service

Answer: C

Explanation:
Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.


NEW QUESTION # 467
Which of the following is the MOST effective way to mitigate the risk of confidential data leakage to unauthorized stakeholders?

  • A. Create a data classification policy.
  • B. Conduct information security awareness training.
  • C. Implement role-based access controls.
  • D. Require the use of login credentials and passwords.

Answer: B


NEW QUESTION # 468
Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?

  • A. Request a list of the software to be used
  • B. Provide clear directions to IT staff
  • C. Establish clear rules of engagement
  • D. Monitor intrusion detection system (IDS) and firewall logs closely

Answer: C

Explanation:
It is critical to establish a clear understanding on what is permissible during the engagement. Otherwise, the tester may inadvertently trigger a system outage or inadvertently corrupt files. Not as important, but still useful, is to request a list of what software will be used. As for monitoring the intrusion detection system (IDS) and firewall, and providing directions to IT staff, it is better not to alert those responsible for monitoring (other than at the management level), so that the effectiveness of that monitoring can be accurately assessed.


NEW QUESTION # 469
The PRIMARY goal of a corporate risk management program is to ensure that an organization's:

  • A. business risks are addressed by preventive controls.
  • B. IT assets in key business functions are protected.
  • C. IT facilities and systems are always available.
  • D. stated objectives are achievable.

Answer: D

Explanation:
Risk management's primary goal is to ensure an organization maintains the ability to achieve its objectives. Protecting IT assets is one possible goal as well as ensuring infrastructure and systems availability. However, these should be put in the perspective of achieving an organization's objectives. Preventive controls are not always possible or necessary; risk management will address issues with an appropriate mix of preventive and corrective controls.


NEW QUESTION # 470
Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?

  • A. The ability to restrict unapproved applications
  • B. The ability to remotely locate devices
  • C. The ability to centrally manage devices
  • D. The ability to classify types of devices

Answer: C

Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT


NEW QUESTION # 471
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?

  • A. Data owner
  • B. Security administrator
  • C. Systems programmer
  • D. Data custodian

Answer: C

Explanation:
A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.


NEW QUESTION # 472
Which of the following BEST facilitates the effective execution of an incident response plan?

  • A. The plan is based on industry best practice.
  • B. The response team is trained on the plan.
  • C. The plan is based on risk assessment results.
  • D. The incident response plan aligns with the IT disaster recovery plan (DRP).

Answer: B


NEW QUESTION # 473
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

  • A. data privacy policy of the headquarters' country.
  • B. data privacy directive applicable globally.
  • C. corporate data privacy policy.
  • D. data privacy policy where data are collected.

Answer: D

Explanation:
As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from those of the country in which the organization is headquartered, it is improbable that a group-wide policy will address all the local legal requirements. In the case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. Data privacy laws are country-specific.


NEW QUESTION # 474
Which of the following is MOST useful to an information security manager when conducting a post-incident review of an attack?

  • A. Cost of the attack to the organization
  • B. Details from intrusion detection system (IDS) logs
  • C. Method of operation used by the attacker
  • D. Location of the attacker

Answer: B


NEW QUESTION # 475
An information security manager has noticed a large number of security policy exceptions have been approved by business unit leaders. Which of the following would be the BEST course of action to address this situation?

  • A. Ensure that business unit leaders are aware of the relevant risk.
  • B. Revise the security policy to accommodate the exceptions.
  • C. Provide security awareness training to business unit leaders more frequently.
  • D. Report the exceptions as a security incident.

Answer: A


NEW QUESTION # 476
An employee is found to be using an external cloud storage service to share corporate information with a third-party consultant, which is against company policy.
Which of the following should be the information security manager's FIRST course of action?

  • A. Determine the classification level of the information
  • B. Inform higher management of a security breach
  • C. Seek business justification from the employee
  • D. Block access to the cloud storage service

Answer: D


NEW QUESTION # 477
Which of the following recovery strategies has the GREATEST chance of failure?

  • A. Cold site
  • B. Reciprocal arrangement
  • C. Redundant site
  • D. Hot site

Answer: B

Explanation:
A reciprocal arrangement is an agreement that allows two organizations to back up each other during a disaster. This approach sounds desirable, but has the greatest chance of failure due to problems in keeping agreements and plans up to date. A hot site is incorrect because it is a site kept fully equipped with processing capabilities and other services by the vendor. A redundant site is incorrect because it is a site equipped and configured exactly like the primary site. A cold site is incorrect because it is a building having a basic environment such as electrical wiring, air conditioning, flooring, etc. and is ready to receive equipment in order to operate.


NEW QUESTION # 478
The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy. Which of the following is the MOST likely reason?

  • A. The strategy does not include a cost-benefit analysis.
  • B. The strategy does not comply with security standards.
  • C. There was a lack of engagement with the business during development.
  • D. The CISO reports to the CIO.

Answer: A


NEW QUESTION # 479
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized modification?

  • A. Integrity
  • B. Authenticity
  • C. Availability
  • D. Confidentiality

Answer: D


NEW QUESTION # 480
Which of the following is the BEST option to lower the cost to implement application security controls?

  • A. Perform security tests in the development environment.
  • B. Integrate security activities within the development process
  • C. Include standard application security requirements
  • D. Perform a risk analysis after project completion.

Answer: B

Explanation:
Integrating security activities within the development process is the best option to lower the cost to implement application security controls because it ensures that security is considered and addressed throughout the software development life cycle (SDLC), from design to deployment, and reduces the likelihood and impact of security flaws or vulnerabilities that may require costly fixes or patches later on. Performing security tests in the development environment is not the best option because it may not detect or prevent all security issues that may arise in different environments or scenarios. Performing a risk analysis after project completion is not a good option because it may be too late to identify or mitigate security risks that may have been introduced during the project. Including standard application security requirements is not a good option because it may not account for the specific or unique security needs or challenges of different applications or projects.

Reference:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/secure-software-development-lifecycle
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information-systems


NEW QUESTION # 481
An organization with a large number of users finds it necessary to improve access control applications. Which of the following would BEST help to prevent unauthorized user access to networks and applications?

  • A. Complex user passwords
  • B. Biometric systems
  • C. Single sign-on
  • D. Access control lists

Answer: D


NEW QUESTION # 482
......


To pass the CISM exam with a high score, you have to learn all the required skills. The domains covered in this test are the following:

  • Information Risk Management (30%)

    This section will evaluate your knowledge of gap analysis techniques related to IS, risk reporting requirements, and information asset valuation methodologies. You should also know the methods that can be used to monitor internal and external risk factors. Your skills in identifying regulatory, organizational, legal, and other applicable requirements to manage the risk of noncompliance to acceptable levels, as well as in monitoring external and internal factors, will be measured.

  • Information Security Governance (24%)

    For this area, you need to know the techniques that are used to develop the IS strategies, methods to plan and implement the IS governance framework, as well as considerations for communicating with the stakeholders and senior leadership. Besides that, you need to have the skills in integrating IS governance into corporate governance to ensure that all the organizational objectives and goals are supported by the IS program. The potential candidates need to be ready to define and communicate IS responsibilities throughout the organization as well.

  • Information Security Incident Management (19%)

    For this topic, it is important to have the relevant knowledge of the external and internal incident reporting procedures and requirements, the components of an incident response plan, and the notification and escalation processes. While answering the questions from this domain, you will be tested on whether you are able to establish integration among an incident response plan, disaster recovery plan, and business continuity plan. Additionally, you need to have the skills to organize, train, and equip incident response teams to respond to IS incidents in an effective and timely manner.

  • Information Security Program Development & Management (27%)

    Here, you need to know the methods to align the IS program requirements with those of other business functions, establish effective IS awareness and training programs, and design and implement operational IS metrics. As for your practical skills, you are required to know how to establish and maintain the IS program in alignment with the IS strategy, integrate the IS requirements into the organizational processes, and compile reports for the key stakeholders.
