CISM PDF Dumps Dec 16, 2024 Recently Updated Questions [Q660-Q676]


CISM Exam Questions – Valid CISM Dumps Pdf


The CISM exam consists of 150 multiple-choice questions that must be completed within a four-hour time limit. The questions are designed to test the candidate's knowledge and understanding of information security concepts, as well as their ability to apply this knowledge to real-world scenarios. CISM exam is computer-based and is administered at various testing centers around the world.


The Certified Information Security Manager (CISM) exam is a globally recognized certification in the field of information security. Certified Information Security Manager certification is offered by the Information Systems Audit and Control Association (ISACA), which is a leading global association in the field of IT governance, risk management, and security. The CISM certification demonstrates an individual's expertise in information security management, and the exam covers the essential skills and knowledge required to manage, design, and assess an organization's information security program.


NEW QUESTION # 660
An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:

  • A. have duplicate equipment available at the warm site.
  • B. inspect the facility and inventory the tapes on a quarterly basis.
  • C. retrieve the tapes from the warm site and test them.
  • D. use the test equipment in the warm site facility to read the tapes.

Answer: C

Explanation:
A warm site is not fully equipped with the company's main systems; therefore, the tapes should be tested using the company's production systems. Inspecting the facility and checking the tape inventory does not guarantee that the tapes are usable.


NEW QUESTION # 661
Which of the following is the BEST way to assess the risk associated with using a Software as a Service (SaaS) vendor?

  • A. Verify that information security requirements are included in the contract.
  • B. Review the results of the vendor's independent control reports.
  • C. Require vendors to complete information security questionnaires.
  • D. Request customer references from the vendor.

Answer: B

Explanation:
Reviewing the results of the vendor's independent control reports is the best way to assess the risk associated with using a SaaS vendor because it provides an objective and reliable evaluation of the vendor's security controls and practices. Independent control reports, such as SOC 2 or ISO 27001, are conducted by third-party auditors who verify the vendor's compliance with industry standards and best practices. These reports can help the customer identify any gaps or weaknesses in the vendor's security posture and determine the level of assurance and trust they can place on the vendor.
Verifying that information security requirements are included in the contract is a good practice, but it does not provide sufficient assurance that the vendor is actually meeting those requirements. The contract may also have limitations or exclusions that reduce the customer's rights or remedies in case of a breach or incident.
Requesting customer references from the vendor is not a reliable way to assess the risk associated with using a SaaS vendor because the vendor may only provide positive or biased references that do not reflect the true experience or satisfaction of the customers. Customer references may also not have the same security needs or expectations as the customer who is conducting the assessment.
Requiring vendors to complete information security questionnaires is a useful way to gather information about the vendor's security policies and procedures, but it does not provide enough evidence or verification that the vendor is actually implementing and maintaining those policies and procedures. Information security questionnaires are also subject to the vendor's self-reporting and interpretation, which may not be accurate or consistent.
References: CISM Review Manual 15th Edition, page 144; SaaS Security Risk and Challenges - ISACA; SaaS Security Checklist & Assessment Questionnaire | LeanIX; Risk Assessment Guide for Microsoft Cloud.


NEW QUESTION # 662
What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?

  • A. Security gap analyses
  • B. Business impact analyses
  • C. Incident response processes
  • D. System performance metrics

Answer: A

Explanation:
A security gap analysis is a process which measures all security controls in place against typically good business practice, and identifies related weaknesses. A business impact analysis is less suited to identify security deficiencies. System performance metrics may indicate security weaknesses, but that is not their primary purpose. Incident response processes exist for cases where security weaknesses are exploited.


NEW QUESTION # 663
Which of the following devices should be placed within a DMZ?

  • A. Proxy server
  • B. Data warehouse server
  • C. Application server
  • D. Departmental server

Answer: C

Explanation:
An application server should normally be placed within a demilitarized zone (DMZ) to shield the internal network. Data warehouse and departmental servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. A proxy server forms the inner boundary of the DMZ but is not placed within it.


NEW QUESTION # 664
An organization has a policy in which all criminal activity is prosecuted. What is MOST important for the information security manager to ensure when an employee is suspected of using a company computer to commit fraud?

  • A. The employee's log files are backed-up.
  • B. Senior management is informed of the situation.
  • C. The forensics process is immediately initiated.
  • D. The incident response plan is initiated.

Answer: A


NEW QUESTION # 665
The PRIMARY reason for initiating a policy exception process is when:

  • A. operations are too busy to comply.
  • B. users may initially be inconvenienced.
  • C. policy compliance would be difficult to enforce.
  • D. the risk is justified by the benefit.

Answer: D

Section: Information Risk Management
Explanation:
Exceptions to policy are warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits. Being busy is not a justification for policy exceptions, nor is the fact that compliance cannot be enforced. User inconvenience is not a reason to automatically grant exception to a policy.


NEW QUESTION # 666
Management decisions concerning information security investments will be MOST effective when they are based on:

  • A. the reporting of consistent and periodic assessments of risks.
  • B. a process for identifying and analyzing threats and vulnerabilities
  • C. an annual loss expectancy (ALE) determined from the history of security events.
  • D. the formalized acceptance of risk analysis by management.

Answer: D


NEW QUESTION # 667
What should an information security manager do FIRST after a number of security gaps have been identified that need to be resolved?

  • A. Consolidate overlapping controls.
  • B. Prioritize responses based on likelihood and impact.
  • C. Perform a cost-benefit analysis.
  • D. Develop and implement incident response strategies.

Answer: B


NEW QUESTION # 668
Which of the following should be the PRIMARY expectation of management when an organization introduces an information security governance framework?

  • A. Improved accountability to shareholders
  • B. Increased influence of security management
  • C. Optimized information security resources
  • D. Consistent execution of information security strategy

Answer: A


NEW QUESTION # 669
Threat and vulnerability assessments are important PRIMARILY because they are:

  • A. used to establish security investments
  • B. the basis for setting control objectives.
  • C. needed to estimate risk.
  • D. elements of the organization's security posture.

Answer: B

Explanation:
Threat and vulnerability assessments are important primarily because they are the basis for setting control objectives. Control objectives are the desired outcomes of implementing security controls, and they should be aligned with the organization's risk appetite and business objectives. Threat and vulnerability assessments help to identify the potential sources and impacts of security incidents, and to prioritize the mitigation actions based on the likelihood and severity of the risks. By conducting threat and vulnerability assessments, the organization can establish the appropriate level and type of security controls to protect its information assets and reduce the residual risk to an acceptable level.
References: CISM Review Manual (Digital Version), Chapter 3: Information Security Risk Management, Section 3.1: Risk Identification, p. 115-116; CISM Review Manual (Print Version), Chapter 3: Information Security Risk Management, Section 3.1: Risk Identification, p. 115-116; CISM Item Development Guide, Domain 3: Information Security Program Development and Management, Task Statement 3.1, p. 19.
Threat and vulnerability assessments are important PRIMARILY because they are the basis for setting control objectives. Control objectives are the desired outcomes or goals of implementing security controls in an information system. They are derived from the risk assessment process, which identifies and evaluates the threats and vulnerabilities that could affect the system's confidentiality, integrity and availability. By conducting threat and vulnerability assessments, an organization can determine the level of risk it faces and establish the appropriate control objectives to mitigate those risks.


NEW QUESTION # 670
Which of the following is MOST important to the successful development of an information security strategy?

  • A. Approved policies and standards
  • B. Current state and desired objectives
  • C. An implemented development life cycle process
  • D. A well-implemented governance framework

Answer: B


NEW QUESTION # 671
Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?

  • A. Operations
  • B. Database
  • C. User
  • D. Security

Answer: C

Explanation:
As owners of the system, user management approval would be the most important. Although the signoffs of security, operations and database management may be appropriate, they are secondary to ensuring the new system meets the requirements of the business.


NEW QUESTION # 672
Which of the following external entities would provide the BEST guidance to an organization facing advanced attacks?

  • A. Disaster recovery consultants widely endorsed in industry forums
  • B. Open-source reconnaissance
  • C. Incident response experts from highly regarded peer organizations
  • D. Recognized threat intelligence communities

Answer: D

Explanation:
Incident response experts are still considered local resources hired by the peer organizations. Also, why would you want to go to your peers and show them your weakness? You would want to consult with threat intelligence communities for guidance. Consultants would cost you, and open-source reconnaissance would not be the best option due to its inherent risks.


NEW QUESTION # 673
Which of the following should be the MOST important consideration when reporting sensitive risk-related information to stakeholders?

  • A. Ensuring nonrepudiation of communication
  • B. Transmitting the internal communication securely
  • C. Consulting with the public relations director
  • D. Customizing the communication to the audience

Answer: D


NEW QUESTION # 674
Phishing is BEST mitigated by which of the following?

  • A. Security monitoring software
  • B. Two-factor authentication
  • C. Encryption
  • D. User awareness

Answer: D

Explanation:
Phishing can best be detected by the user. It can be mitigated by appropriate user awareness. Security monitoring software would provide some protection, but would not be as effective as user awareness.
Encryption and two-factor authentication would not mitigate this threat.


NEW QUESTION # 675
An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?

  • A. Meet with stakeholders
  • B. Research best practices
  • C. Establish change control procedures
  • D. Identify critical systems

Answer: A

Explanation:
No new process will be successful unless it is adhered to by all stakeholders; to the extent stakeholders have input, they can be expected to follow the process. Without consensus agreement from the stakeholders, the scope of the research is too wide; input on the current environment is necessary to focus research effectively. It is premature to implement procedures without stakeholder consensus and research. Without knowing what the process will be, the parameters to baseline are unknown as well.


NEW QUESTION # 676
......


The CISM exam cannot be taken by every IT professional because a potential candidate should have at least five years of experience in information security and three years of experience in at least three or more of the following sectors:

  • Information security governance;
  • Information security incident management;
  • Information security program development and management.

Furthermore, the experience mentioned above should be gained not less than ten years before applying for the exam or within five years after passing it.


CISM dumps Sure Practice with 1180 Questions: https://exams4sure.briandumpsprep.com/CISM-prep-exam-braindumps.html