Recommend!!

Get the Full CISM dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/CISM-exam-dumps.html ( New Questions)

Isaca
Exam Questions CISM
Certified Information Security Manager

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

NEW QUESTION 1
Information security governance is PRIMARILY driven by:

A. technology constraints
B. regulatory requirements
C. litigation potential
D. business strategy

Answer: D

Explanation:

Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important
factors, but they must necessarily be in line with the business strategy.

NEW QUESTION 2
To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

A. Security breach frequency
B. Annualized loss expectancy (ALE)
C. Cost-benefit analysis
D. Peer group comparison

Answer: C

Explanation:

Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does
not address the impact. Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a
good estimate for the necessary security budget but it would not take into account the specific needs of the organization.

NEW QUESTION 3
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel

Answer: B

Explanation:

The chief operating officer (COO) is highly placed within an organization and has the most knowledge of business operations and objectives. The chief internal
auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated
by someone versed in the strategy and direction of the business. Since the security manager looks to this group for direction, they are not in the best position to
oversee formation of this group.

NEW QUESTION 4
It is important to classify and determine relative sensitivity of assets to ensure that:

A. cost of protection is in proportion to sensitivity
B. highly sensitive assets are protected
C. cost of controls is minimized
D. countermeasures are proportional to risk

Answer: D

Explanation:

Classification of assets needs to be undertaken to determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures
can be effectively implemented. While higher costs are allowable to protect sensitive assets, and it is always reasonable to minimize the costs of controls, it is most
important that the controls and countermeasures are commensurate to the risk since this will justify the costs. Choice B is important but it is an incomplete answer
because it does not factor in risk. Therefore, choice D is the most important.

NEW QUESTION 5
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be
carried out FIRST to mitigate the risk during this time period?

A. Identify the vulnerable systems and apply compensating controls
B. Minimize the use of vulnerable systems
C. Communicate the vulnerability to system users
D. Update the signatures database of the intrusion detection system (IDS)

Answer: A

Explanation:

The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and
communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the
timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore,
this approach should not always be considered as the first option.

NEW QUESTION 6
An information security organization should PRIMARILY:

A. support the business objectives of the company by providing security-related support services
B. be responsible for setting up and documenting the information security responsibilities of the information security team members
C. ensure that the information security policies of the company are in line with global best practices and standards
D. ensure that the information security expectations are conveyed to employees

Answer: A

Explanation:

The information security organization is responsible for options B and D within an organization, but they are not its primary mission. Reviewing and adopting
appropriate standards (option C) is a requirement. The primary objective of an information security organization is to ensure that security supports the overall
business objectives of the company.

NEW QUESTION 7
An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?

A. Security in storage and transmission of sensitive data
B. Provider's level of compliance with industry standards
C. Security technologies in place at the facility
D. Results of the latest independent security review

Answer: A

Explanation:

How the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will
be protected. Choice B is an important but secondary consideration. Choice C is incorrect because security technologies are not the only components that protect
the sensitive customer information. Choice D is incorrect because an independent security review may not include analysis of how sensitive customer information
would be protected.

NEW QUESTION 8
Which of the following is a key area of the ISO 27001 framework?

A. Operational risk assessment
B. Financial crime metrics
C. Capacity management
D. Business continuity management

Answer: D

Explanation:

Operational risk assessment, financial crime metrics and capacity management can complement the information security framework, but only business continuity
management is a key component.

NEW QUESTION 9
Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?

A. Periodic focus group meetings
B. Periodic compliance reviews
C. Computer-based certification training (CBT)
D. Employee's signed acknowledgement

Answer: C

Explanation:

Using computer-based training (CBT) presentations with end-of-section reviews provides feedback on how well users understand what has been presented.
Periodic compliance reviews are a good tool to identify problem areas but do not ensure that procedures are known or understood. Focus groups may or may not
provide meaningful detail. Although a signed employee acknowledgement is good, it does not indicate whether the material has been read and/or understood.

NEW QUESTION 10
Security awareness training is MOST likely to lead to which of the following?

A. Decrease in intrusion incidents
B. Increase in reported incidents
C. Decrease in security policy changes
D. Increase in access rule violations

Answer: B

Explanation:

Reported incidents will provide an indicator as to the awareness level of staff. An increase in reported incidents could indicate that staff is paying more attention to
security. Intrusion incidents and access rule violations may or may not have anything to do with awareness levels. A decrease in changes to security policies may
or may not correlate to security awareness training.

NEW QUESTION 11
An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security
management. The MOST important element of the request for proposal (RFP) is the:

A. references from other organizations
B. past experience of the engagement team
C. sample deliverables
D. methodology used in the assessment

Answer: D

Explanation:

Methodology illustrates the process and formulates the basis to align expectations and the execution of the assessment. This also provides a picture of what is
required of all parties involved in the assessment. References from other organizations are important, but not as important as the methodology used in the
assessment. Past experience of the engagement team is not as important as the methodology used. Sample deliverables only tell how the assessment is
presented, not the process.

NEW QUESTION 12
Which of the following areas is MOST susceptible to the introduction of security weaknesses?

A. Database management
B. Tape backup management
C. Configuration management
D. Incident response management

Answer: C

Explanation:

Configuration management provides the greatest likelihood of security weaknesses through misconfiguration and failure to update operating system (OS) code
correctly and on a timely basis.

NEW QUESTION 13
Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?

A. Provide security awareness training to the third-party provider's employees
B. Conduct regular security reviews of the third-party provider
C. Include security requirements in the service contract
D. Request that the third-party provider comply with the organization's information security policy

Answer: B

Explanation:

Regular security audits and reviews of the provider's practices help verify the security of outsourced services and prevent potential information security damage.
Depending on the type of services outsourced, security awareness training may not be necessary. Security requirements should be included in the contract, but
what is most important is verifying that the requirements are met by the provider. It is not necessary to require the provider to fully comply with the policy if only
some of the policy is related and applicable.

NEW QUESTION 14
Which of the following will BEST ensure that management takes ownership of the decision making process for information security?

A. Security policies and procedures
B. Annual self-assessment by management
C. Security steering committees
D. Security awareness campaigns

Answer: C

Explanation:

Security steering committees provide a forum for management to express its opinion and take ownership in the decision-making process. Security awareness
campaigns, security policies and procedures, and self-assessment exercises are all good but do not exemplify the taking of ownership by management.

NEW QUESTION 15
An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access
control approaches is MOST appropriate?

A. Rule-based
B. Mandatory
C. Discretionary
D. Role-based

Answer: D

Explanation:

Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users
are assigned to the various roles and the system controls the access based on those roles. Rule-based access control needs to define the access rules, which is
troublesome and error prone in large organizations. In mandatory access control, the individual's access to information resources needs to be defined, which is
troublesome in large organizations. In discretionary access control, users have access to resources based on predefined sets of principles, which is an inherently
insecure approach.

NEW QUESTION 16
What is the MOST cost-effective method of identifying new vendor vulnerabilities?

A. External vulnerability reporting sources
B. Periodic vulnerability assessments performed by consultants
C. Intrusion prevention software
D. Honeypots located in the DMZ

Answer: A

Explanation:

External vulnerability sources are the most cost-effective method of identifying these vulnerabilities. The cost involved in choices B and C would be
much higher, especially if performed at regular intervals. Honeypots would not identify all vendor vulnerabilities. In addition, honeypots located in the DMZ can
create a security risk if the production network is not well protected from traffic from compromised honeypots.

NEW QUESTION 17
An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:

A. source routing
B. broadcast propagation
C. unregistered ports
D. nonstandard protocols

Answer: A

Explanation:

If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) IP addresses of the organization. Broadcast
propagation, unregistered ports and nonstandard protocols do not create a significant security exposure.

NEW QUESTION 18
The PRIMARY objective of security awareness is to:

A. ensure that security policies are understood
B. influence employee behavior
C. ensure legal and regulatory compliance
D. notify of actions for noncompliance

Answer: B

Explanation:

It is most important that security-conscious behavior be encouraged among employees through training that influences expected responses to security incidents.
Ensuring that policies are read and understood, giving employees fair warning of potential disciplinary action, or meeting legal and regulatory requirements is
important but secondary.

NEW QUESTION 19
To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST
facilitates the correlation and review of these logs?

A. Database server
B. Domain name server (DNS)
C. Time server
D. Proxy server

Answer: C

Explanation:

To accurately reconstruct the course of events, a common time reference is needed, and that is provided by the time server. The other choices would not assist in the
correlation and review of these logs.

NEW QUESTION 20
An unauthorized user gained access to a merchant's database server and customer credit card information. Which of the following would be the FIRST step to
preserve and protect unauthorized intrusion activities?

A. Shut down and power off the server
B. Duplicate the hard disk of the server immediately
C. Isolate the server from the network
D. Copy the database log file to a protected server

Answer: C

Explanation:

Isolating the server will prevent further intrusions and protect evidence of intrusion activities left in memory and on the hard drive. Some intrusion activities left in
virtual memory may be lost if the system is shut down. Duplicating the hard disk will only preserve the evidence on the hard disk, not the evidence in virtual
memory, and will not prevent further unauthorized access attempts. Copying the database log file to a protected server will not provide sufficient evidence should
the organization choose to pursue legal recourse.

NEW QUESTION 21
......