
2022 ISACA CISM Exam Practice Questions
NEW QUESTION 33
Which of the following will BEST help to ensure security is addressed when developing a custom application?
- A. Requiring a security assessment before implementation
- B. Integrating a security audit throughout the development process
- C. Integrating security requirements into the development process
- D. Conducting security training for the development staff
Answer: C
NEW QUESTION 34
Which of the following defines the triggers within a business continuity plan (BCP)?
- A. Disaster recovery plan
- B. Gap analysis
- C. Information security policy
- D. Needs of the organization
Answer: C
NEW QUESTION 35
Which of the following is the MOST important reason for performing a cost-benefit analysis when implementing a security control?
- A. To justify information security program activities
- B. To ensure that benefits are aligned with business strategies
- C. To present a realistic information security budget
- D. To ensure that the mitigation effort does not exceed the asset value
Answer: D
NEW QUESTION 36
Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
- A. establish the use of cryptographic solutions.
- B. describe handling procedures of cryptographic keys.
- C. define cryptographic algorithms and key lengths.
- D. define the circumstances where cryptography should be used.
Answer: D
Explanation:
There should be documented standards/procedures for the use of cryptography across the enterprise; they should define the circumstances where cryptography should be used. They should cover the selection of cryptographic algorithms and key lengths, but not define them precisely, and they should address the handling of cryptographic keys. However, this is secondary to how and when cryptography should be used. The use of cryptographic solutions should be addressed but, again, this is a secondary consideration.
NEW QUESTION 37
When a business-critical web server is compromised, the IT security department should FIRST:
- A. archive the logs as evidence.
- B. notify the legal department and/or regulatory officials as required.
- C. attempt to repair any damage in order to keep the server running.
- D. advise management of the incident.
Answer: D
NEW QUESTION 38
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
- A. Security metrics
- B. Patch management
- C. Version control
- D. Change management
Answer: D
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
Explanation:
Change management controls the process of introducing changes to systems. Failure to have good change management may introduce new weaknesses into otherwise secure systems. Patch management corrects discovered weaknesses by applying a correction to the original program code. Security metrics provide a means for measuring effectiveness. Version control is a subset of change management.
NEW QUESTION 39
A cloud service provider is unable to provide an independent assessment of controls. Which of the following is the BEST way to obtain assurance that the provider can adequately protect the organization's information?
- A. Check references supplied by the provider's other customers.
- B. Review the provider's information security policy.
- C. Invoke the right to audit per the contract.
- D. Review the provider's self-assessment.
Answer: C
NEW QUESTION 40
Utilizing external resources for highly technical information security tasks allows an information security manager to:
- A. transfer business risk.
- B. leverage limited resources.
- C. outsource responsibility.
- D. distribute technology risk.
Answer: D
NEW QUESTION 41
The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy.
Which of the following is the MOST likely reason?
- A. The strategy does not comply with security standards.
- B. The CISO reports to the CIO.
- C. The strategy does not include a cost-benefit analysis.
- D. There was a lack of engagement with the business during development.
Answer: C
NEW QUESTION 42
Which of the following is MOST important for measuring the effectiveness of a security awareness program?
- A. Increased interest in focus groups on security issues
- B. Increased number of security violation reports
- C. A quantitative evaluation to ensure user comprehension
- D. Reduced number of security violation reports
Answer: C
Explanation:
To truly judge the effectiveness of security awareness training, some means of measurable testing is necessary to confirm user comprehension. Focus groups may or may not provide meaningful feedback but, in and of themselves, do not provide metrics. An increase or reduction in the number of violation reports may not be indicative of a high level of security awareness.
NEW QUESTION 43
To prevent computers on the corporate network from being used as part of a distributed denial of service attack, the information security manager should use:
- A. incoming traffic filtering
- B. outgoing traffic filtering
- C. rate limiting
- D. IT security policy dissemination
Answer: B
NEW QUESTION 44
Which of the following would BEST justify spending for a compensating control?
- A. Risk analysis
- B. Peer benchmarking
- C. Threat analysis
- D. Vulnerability analysis
Answer: A
Section: INFORMATION RISK MANAGEMENT
NEW QUESTION 45
An organization implemented a mandatory information security awareness training program a year ago. What is the BEST way to determine its effectiveness?
- A. Analyze results of a social engineering test
- B. Analyze responses from an employee survey of training satisfaction
- C. Analyze results from training completion reports
- D. Analyze findings from previous audit reports
Answer: A
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION 46
Which of the following would BEST demonstrate the status of an organization's information security program to the board of directors?
- A. Changes to information security risks
- B. The information security operations matrix
- C. Results of a recent external audit
- D. Information security program metrics
Answer: C
NEW QUESTION 47
An organization experienced a breach which was successfully contained and remediated. Based on industry regulations, the breach needs to be communicated externally. What should the information security manager do NEXT?
- A. Send out a breach notification to all parties involved.
- B. Contact the board of directors.
- C. Refer to the incident response plan.
- D. Invoke the corporate communications plan.
Answer: D
NEW QUESTION 48
Which of the following is the BEST method to determine whether an information security program meets an organization's business objectives?
- A. Review against international security standards.
- B. Implement performance measures.
- C. Perform a business impact analysis (BIA).
- D. Conduct an annual enterprise-wide security evaluation.
Answer: B
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION 49
An organization's senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager's FIRST step to support this strategy?
- A. Incorporate social media into the security awareness program.
- B. Develop a guideline on the acceptable use of social media.
- C. Employ the use of a web content filtering solution.
- D. Develop a business case for a data loss prevention (DLP) solution.
Answer: A
NEW QUESTION 50
What is the MOST important element to include when developing user security awareness material?
- A. Easy-to-read and compelling information
- B. Information regarding social engineering
- C. Senior management endorsement
- D. Detailed security policies
Answer: A
Explanation:
Making security awareness material easy and compelling to read is the most important success factor. Users must be able to understand, in easy terms, complex security concepts in a way that makes compliance more accessible. Information regarding social engineering (choice B) would also be important, but it needs to be presented in an adequate format. Detailed security policies might not necessarily be included in the training materials. Senior management endorsement is important for the security program as a whole and not necessarily for the awareness training material.
NEW QUESTION 51
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
- A. The chief information officer (CIO) approves security policy changes.
- B. The data center manager has final signoff on all security projects.
- C. The information security oversight committee only meets quarterly.
- D. The information security department has difficulty filling vacancies.
Answer: B
Section: INFORMATION SECURITY GOVERNANCE
Explanation:
A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals.
NEW QUESTION 52
Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
- A. Replacement cost of the equipment
- B. Intrinsic value of the data stored on the equipment
- C. Disclosure of personal information
- D. Sufficient coverage of the insurance policy for accidental losses
Answer: B
Explanation:
When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carries mobile equipment for business purposes, an organization must develop a clear policy as to what information should be kept on the equipment and for what purpose. Personal information is not defined in the question as the data that were lost. Insurance may be a relatively smaller issue as compared with information theft or opportunity loss, although insurance is also an important factor for a successful business. Cost of equipment would be a less important issue as compared with other choices.