CISM | Renovate CISM Vce 2020
Master the CISM Certified Information Security Manager content and be ready for exam day success quickly with this Actualtests CISM exam question. We guarantee it! We make it a reality and give you real CISM questions in our Isaca CISM braindumps. Latest 100% VALID Isaca CISM Exam Questions Dumps at below page. You can use our Isaca CISM braindumps and pass your exam.
Check CISM free dumps before getting the full version:
NEW QUESTION 1
Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
- A. Batch patches into frequent server updates
- B. Initially load the patches on a test machine
- C. Set up servers to automatically download patches
- D. Automatically push all patches to the servers
Some patches conflict with application code, so every patch should first be loaded on a test machine to confirm that it does not break existing application systems before it reaches production. Choices C and D are incorrect because they advocate automatic updating with no prior testing. Batching patches into frequent server updates (choice A) is an incomplete (vague) answer from the choices given.
NEW QUESTION 2
Which of the following would BEST prepare an information security manager for regulatory reviews?
- A. Assign an information security administrator as regulatory liaison
- B. Perform self-assessments using regulatory guidelines and reports
- C. Assess previous regulatory reports with process owners input
- D. Ensure all regulatory inquiries are sanctioned by the legal department
Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department, or assessing previous reports, is not as effective. The legal department should review all formal inquiries but this does not help prepare for a regulatory review.
NEW QUESTION 3
Which of the following is MOST important for measuring the effectiveness of a security awareness program?
- A. Reduced number of security violation reports
- B. A quantitative evaluation to ensure user comprehension
- C. Increased interest in focus groups on security issues
- D. Increased number of security violation reports
To truly judge the effectiveness of security awareness training, some means of measurable testing is necessary to confirm user comprehension. Focus groups may or may not provide meaningful feedback but, in and of themselves, do not provide metrics. An increase or reduction in the number of violation reports may not be indicative of a high level of security awareness.
NEW QUESTION 4
At what stage of the applications development process would encryption key management initially be addressed?
- A. Requirements development
- B. Deployment
- C. Systems testing
- D. Code reviews
Encryption key management has to be integrated into the requirements of the application's design. During systems testing and deployment would be too late since the requirements have already been agreed upon. Code reviews are part of the final quality assurance (QA) process and would also be too late in the process.
NEW QUESTION 5
Which of the following are the MOST important individuals to include as members of an information security steering committee?
- A. Direct reports to the chief information officer
- B. IT management and key business process owners
- C. Cross-section of end users and IT professionals
- D. Internal audit and corporate legal departments
Security steering committees provide a forum for management to express its opinion and take some ownership in the decision making process. It is imperative that business process owners be included in this process. None of the other choices includes input by business process owners.
NEW QUESTION 6
Which of the following environments represents the GREATEST risk to organizational security?
- A. Locally managed file server
- B. Enterprise data warehouse
- C. Load-balanced, web server cluster
- D. Centrally managed data switch
A locally managed file server will be the least likely to conform to organizational security policies because it is generally subject to less oversight and monitoring. Centrally managed data switches, web server clusters and data warehouses are subject to close scrutiny, good change control practices and monitoring.
NEW QUESTION 7
Security monitoring mechanisms should PRIMARILY:
- A. focus on business-critical information
- B. assist owners to manage control risk
- C. focus on detecting network intrusion
- D. record all security violations
Security monitoring must focus on business-critical information to remain effectively usable by and credible to business users. Control risk is the possibility that controls would not detect an incident or error condition, and therefore is not a correct answer because monitoring would not directly assist in managing this risk. Network intrusions are not the only focus of monitoring mechanisms; although they should record all security violations, this is not the primary objective.
NEW QUESTION 8
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. The information security manager should recommend which of the following?
- A. Restrict account access to read only
- B. Log all usage of this account
- C. Suspend the account and activate only when needed
- D. Require that a change request be submitted for each download
Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Logging all usage of the account, suspending the account and activating only when needed, and requiring that a change request be submitted for each download will not reduce the exposure created by this excessive level of access. Restricting the account to read only access will ensure that the integrity can be maintained while permitting access.
NEW QUESTION 9
Which of the following is responsible for legal and regulatory liability?
- A. Chief security officer (CSO)
- B. Chief legal counsel (CLC)
- C. Board and senior management
- D. Information security steering group
The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
NEW QUESTION 10
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
- A. The recovery time objective (RTO) was not exceeded during testing
- B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently
- C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
- D. Information assets have been valued and assigned to owners per the business continuity plan, disaster recovery plan
Consistently meeting the recovery time objective (RTO) during testing is the most objective evidence that the business continuity/disaster recovery plan objectives have been achieved, because it demonstrates that the recovery the business needs can actually be delivered. Carrying out objective testing consistently (choice B) shows only that testing is performed, not that the plan met its objectives when tested. A recovery point objective (RPO) proved inadequate by testing (choice C) is evidence of the opposite. Valuing information assets and assigning them to owners (choice D) is a prerequisite for building the plan, not confirmation that its recovery objectives have been achieved.
NEW QUESTION 11
An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?
- A. Right to audit
- B. Nondisclosure agreement
- C. Proper firewall implementation
- D. Dedicated security manager for monitoring compliance
Right to audit would be the most useful requirement since this would provide the company the ability to perform a security audit/assessment whenever there is a business need to examine whether the controls are working effectively at the third party. Options B, C and D are important requirements and can be examined during the audit. A dedicated security manager would be a costly solution and not always feasible for most situations.
NEW QUESTION 12
The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
- A. determining the scope for inclusion in an information security program
- B. defining the level of access control
- C. justifying costs for information resources
- D. determining the overall budget of an information security program
The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.
NEW QUESTION 13
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
- A. Countermeasure cost-benefit analysis
- B. Penetration testing
- C. Frequent risk assessment programs
- D. Annual loss expectancy (ALE) calculation
In a countermeasure cost-benefit analysis, the annual cost of a safeguard is compared with the reduction in expected annual loss it delivers. This comparison is what justifies (or rejects) a specific control. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum justifiable cost of controls. Annual loss expectancy (ALE) is a measure that contributes to the value of the risk but, alone, will not justify a control.
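The comparison described above, worked through in code as an added example (not part of the original page): ALE is computed as single loss expectancy times annualized rate of occurrence, and each candidate control is scored by the ALE reduction it buys minus its own annual cost. The asset value, exposure factors, rates and control names are invented for illustration; the decision rule is the one the explanation gives, applied to several candidates at once.

```python
"""Countermeasure cost-benefit analysis built on annual loss expectancy.

Added example, not from the original page. Formulas:
  SLE = asset value x exposure factor (fraction of the asset lost per incident)
  ALE = SLE x ARO (annualized rate of occurrence)
  net benefit of a control = ALE_before - ALE_after - annual cost of control
A control is justified only when its net benefit is positive; ALE on its own
(choice D in question 13) is just the input to that comparison.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value, exposure_factor):
    """Loss from one occurrence; exposure factor must lie between 0 and 1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    """Expected loss per year: single loss times occurrences per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    new_aro: float              # occurrences per year once the control is in place
    new_exposure_factor: float  # fraction of the asset still lost per incident


def net_benefit(asset_value, exposure_factor, aro, cm):
    """ALE reduction delivered by the control minus its annual cost."""
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, cm.new_exposure_factor), cm.new_aro)
    return ale_before - ale_after - cm.annual_cost


def justified_controls(asset_value, exposure_factor, aro, candidates):
    """Controls with a positive net benefit, best first, as (name, benefit)."""
    scored = [(net_benefit(asset_value, exposure_factor, aro, c), c.name)
              for c in candidates]
    return [(name, round(benefit, 2))
            for benefit, name in sorted(scored, reverse=True) if benefit > 0]


# Constructed scenario (hypothetical figures): a 500,000 asset, 40% of it lost
# per incident, one incident every two years -> SLE 200,000, ALE 100,000.
ASSET_VALUE = 500_000
EXPOSURE_FACTOR = 0.4
ARO = 0.5
CANDIDATES = [
    Countermeasure("offline backups", annual_cost=15_000,
                   new_aro=0.5, new_exposure_factor=0.1),
    Countermeasure("EDR rollout", annual_cost=40_000,
                   new_aro=0.2, new_exposure_factor=0.4),
    Countermeasure("outsourced 24x7 SOC", annual_cost=120_000,
                   new_aro=0.1, new_exposure_factor=0.4),
]


def example_ranking():
    """Run the analysis on the constructed scenario."""
    return justified_controls(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES)


if __name__ == "__main__":
    for name, benefit in example_ranking():
        print(f"{name}: net benefit {benefit:,.0f} per year")
```

In the constructed scenario the outsourced SOC reduces ALE the most but costs more than the loss it prevents, so it drops out; the cheap backup control ranks first. That is the point of the question: the ranking comes from the cost comparison, not from the size of the ALE alone.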
NEW QUESTION 14
An organization's information security strategy should be based on:
- A. managing risk relative to business objectives
- B. managing risk to a zero level and minimizing insurance premiums
- C. avoiding occurrence of risks so that insurance is not required
- D. transferring most risks to insurers and saving on control costs
Organizations must manage risks to a level that is acceptable for their business model, goals and objectives. A zero-risk approach may be costly and does not provide the benefit of additional revenue to the organization; maintaining it over the long term is unlikely to be cost effective. Risks vary as business models, geography, and regulatory and operational processes change. Insurance covers only a small portion of risks and requires that the organization have certain operational controls in place.
NEW QUESTION 15
Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?
- A. Use security tokens for authentication
- B. Connect through an IPSec VPN
- C. Use https with a server-side certificate
- D. Enforce static media access control (MAC) addresses
IPsec is the strongest of the listed options against man-in-the-middle (MitM) attacks: the peers authenticate each other during key exchange, every packet is integrity protected, and in tunnel mode the original source and destination addresses travel inside the protected payload, so an attacker in the path cannot silently read, alter or redirect the traffic. Security tokens do not prevent a MitM attack, although they limit the reuse of stolen cleartext credentials. An HTTPS session with only a server-side certificate depends on the client validating the certificate chain and host name; traffic redirected through Domain Name System (DNS) or Address Resolution Protocol (ARP) poisoning then produces a certificate warning that a user may click through, and the server does not authenticate the client at all. ARP poisoning, one specific kind of MitM attack, can be prevented by static media access control (MAC) entries, but DNS and NetBIOS name resolution can still be attacked to divert traffic.
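As an added example (not part of the original page), the detection side of the ARP-poisoning case mentioned above: the script parses `arp -an`-style table snapshots and flags the two indicators a poisoned segment shows, one MAC address answering for several IP addresses and the gateway's MAC address changing between snapshots. The static MAC entry of choice D would prevent the second condition; this code only detects it. The host names, addresses and MACs are constructed for illustration.

```python
"""Detect ARP-poisoning indicators in ARP table snapshots.

Added example, not from the original page. Input is the text of `arp -an`
(Linux/BSD format: "? (ip) at mac [ether] on iface"); the sample snapshots
below are constructed and use addresses from the documentation range.
"""
import re
from collections import defaultdict

# One line of `arp -an` output; entries without a MAC (<incomplete>) do not match.
ARP_LINE = re.compile(
    r"\?\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry in the snapshot."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def macs_with_multiple_ips(table):
    """MACs that appear for more than one IP. An attacker poisoning both the
    gateway's and a victim's entries looks exactly like this."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(before, after, gateway_ip):
    """True when the gateway resolves to a different MAC than it did before."""
    return (gateway_ip in before and gateway_ip in after
            and before[gateway_ip] != after[gateway_ip])


def findings(before, after, gateway_ip):
    """Human-readable list of indicators found in the later snapshot."""
    out = []
    for mac, ips in macs_with_multiple_ips(after).items():
        out.append(f"MAC {mac} claims {len(ips)} addresses: {', '.join(ips)}")
    if gateway_mac_changed(before, after, gateway_ip):
        out.append(f"gateway {gateway_ip} MAC changed "
                   f"{before[gateway_ip]} -> {after[gateway_ip]}")
    return out


# Constructed snapshots: in the second one, host .20 has taken over the
# gateway's entry, so its MAC now appears twice and the gateway MAC changed.
SNAPSHOT_BEFORE = """\
? (192.0.2.1) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.0.2.10) at aa:bb:cc:00:00:10 [ether] on eth0
? (192.0.2.20) at aa:bb:cc:00:00:20 [ether] on eth0
"""
SNAPSHOT_AFTER = """\
? (192.0.2.1) at aa:bb:cc:00:00:20 [ether] on eth0
? (192.0.2.10) at aa:bb:cc:00:00:10 [ether] on eth0
? (192.0.2.20) at aa:bb:cc:00:00:20 [ether] on eth0
? (192.0.2.30) at <incomplete> on eth0
"""
GATEWAY_IP = "192.0.2.1"


def example_findings():
    """Run the checks on the constructed snapshots."""
    return findings(parse_arp_table(SNAPSHOT_BEFORE),
                    parse_arp_table(SNAPSHOT_AFTER), GATEWAY_IP)


if __name__ == "__main__":
    for line in example_findings():
        print("ALERT:", line)
```

A duplicate MAC can also be legitimate (a router with several addresses on one interface, or a virtual IP that fails over between hosts), so in production the check should be fed a known-good baseline and the gateway check should be the one that pages someone. Neither check says anything about DNS or NetBIOS poisoning, which is why the explanation rejects static MAC entries as a complete answer.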
NEW QUESTION 16
The MOST important reason for conducting periodic risk assessments is because:
- A. risk assessments are not always precise
- B. security risks are subject to frequent change
- C. reviewers can optimize and reduce the cost of controls
- D. it demonstrates to senior management that the security function can add value
Risks are constantly changing. A previously conducted risk assessment may not include measured risks that have been introduced since the last assessment. Although an assessment can never be perfect and invariably contains some errors, this is not the most important reason for periodic reassessment. The fact that controls can be made more efficient to reduce costs is not sufficient. Finally, risk assessments should not be performed merely to justify the existence of the security function.
NEW QUESTION 17
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
- A. eliminating the risk
- B. transferring the risk
- C. mitigating the risk
- D. accepting the risk
Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance so the insurance company can take the risk. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.
NEW QUESTION 18
When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?
- A. Business management
- B. Operations manager
- C. Information security manager
- D. System users
The escalation process in critical situations should have the information security manager as the first contact, so that the appropriate escalation steps can be invoked as necessary. Business management, the operations manager and system users (choices A, B and D) are then notified according to the escalation procedure.
NEW QUESTION 19
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?
- A. Include security responsibilities in the job description
- B. Require the administrator to obtain security certification
- C. Train the system administrator on penetration testing and vulnerability assessment
- D. Train the system administrator on risk assessment
The first step to improve accountability is to include security responsibilities in a job description. This documents what is expected and approved by the organization. The other choices are methods to ensure that the system administrator has the training to fulfill the responsibilities included in the job description.
NEW QUESTION 20
A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
- A. Enable access through a separate device that requires adequate authentication
- B. Implement manual procedures that require password change after each use
- C. Request the vendor to add multiple user IDs
- D. Analyze the logs to detect unauthorized access
Choice A is correct because it allows authentication tokens to be provisioned and terminated for individuals and also introduces the possibility of logging activity by individual.
Choice B is not effective because users can circumvent the manual procedures. Choice C is not the best option because vendor enhancements may take time and development, and this is a critical device. Choice D could, in some cases, be an effective complementary control but, because it is detective, it would not be the most effective in this instance.
NEW QUESTION 21
What is the BEST way to ensure data protection upon termination of employment?
- A. Retrieve identification badge and card keys
- B. Retrieve all personal computer equipment
- C. Erase all of the employee's folders
- D. Ensure all logical access is removed
Ensuring all logical access is removed will guarantee that the former employee will not be able to access company data and that the employee's credentials will not be misused. Retrieving identification badge and card keys would only reduce the capability to enter the building. Retrieving the personal computer equipment and the employee's folders are necessary tasks, but should be done as a second step.
NEW QUESTION 22
The FIRST step to create an internal culture that focuses on information security is to:
- A. implement stronger controls
- B. conduct periodic awareness training
- C. actively monitor operations
- D. gain the endorsement of executive management
Endorsement of executive management in the form of policies provides direction and awareness. The implementation of stronger controls may lead to circumvention. Awareness training is important, but must be based on policies. Actively monitoring operations will not affect culture at all levels.
NEW QUESTION 23
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
- A. Security metrics reports
- B. Risk assessment reports
- C. Business impact analysis (BIA)
- D. Return on security investment report
Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.
NEW QUESTION 24
Which of the following should be included in an annual information security budget that is submitted for management approval?
- A. A cost-benefit analysis of budgeted resources
- B. All of the resources that are recommended by the business
- C. Total cost of ownership (TCO)
- D. Baseline comparisons
A brief explanation of the benefit of expenditures in the budget helps to convey how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Explanations of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget. Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval.
NEW QUESTION 25
Which of the following would be the MOST important goal of an information security governance program?
- A. Review of internal control mechanisms
- B. Effective involvement in business decision making
- C. Total elimination of risk factors
- D. Ensuring trust in data
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.
NEW QUESTION 26
Which of the following should be the FIRST step in developing an information security plan?
- A. Perform a technical vulnerabilities assessment
- B. Analyze the current business strategy
- C. Perform a business impact analysis
- D. Assess the current levels of security awareness
Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.
NEW QUESTION 27
The PRIMARY objective of a risk management program is to:
- A. minimize inherent risk
- B. eliminate business risk
- C. implement effective controls
- D. minimize residual risk
The goal of a risk management program is to ensure that residual risk remains within acceptable levels. Management of risk does not always require the removal of inherent risk, nor is this always possible, and business risk cannot be eliminated. Effective controls are naturally a clear objective of a risk management program, but with the choices given, choice C is an incomplete answer: controls are the means of reducing residual risk, not the objective in themselves.
NEW QUESTION 28
To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?
- A. Assessment of business impact of past incidents
- B. Need of an independent review of incident causes
- C. Need for constant improvement on the security level
- D. Possible business benefits from incident impact reduction
Business benefits from incident impact reduction would be the most important goal for establishing an incident management team. The assessment of business impact of past incidents would need to be completed to articulate the benefits. Having an independent review benefits the incident management process. The need for constant improvement on the security level is a benefit to the organization.
NEW QUESTION 29
When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
- A. Compliance with international security standards
- B. Use of a two-factor authentication system
- C. Existence of an alternate hot site in case of business disruption
- D. Compliance with the organization's information security requirements
From a security standpoint, compliance with the organization's information security requirements is one of the most important topics that should be included in the contract with a third-party service provider. The scope of implemented controls in any ISO 27001-compliant organization depends on the security requirements established by that organization, so requiring compliance only with the standard does not guarantee that a service provider complies with the organization's own security requirements. Two-factor authentication and a hot site (choices B and C) are specific controls; the requirement to use a specific kind of control is not usually stated in the contract with third-party service providers.
100% Valid and Newest Version CISM Questions & Answers shared by Simply pass, Get Full Dumps HERE: https://www.simply-pass.com/Isaca-exam/CISM-dumps.html (New 631 Q&As)