NEW QUESTION 1
Investments in information security technologies should be based on:
- A. vulnerability assessment
- B. value analysis
- C. business climate
- D. audit recommendation
Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate because it is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.
NEW QUESTION 2
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
- A. Security metrics reports
- B. Risk assessment reports
- C. Business impact analysis (BIA)
- D. Return on security investment report
Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.
NEW QUESTION 3
If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:
- A. obtaining evidence as soon as possible
- B. preserving the integrity of the evidence
- C. disconnecting all IT equipment involved
- D. reconstructing the sequence of events
The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law). All other options are part of the investigative procedure, but they are not as important as preserving the integrity of the evidence.
NEW QUESTION 4
Effective IT governance is BEST ensured by:
- A. utilizing a bottom-up approach
- B. management by the IT department
- C. referring the matter to the organization's legal department
- D. utilizing a top-down approach
Effective IT governance needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of the same. Focus on the regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. IT governance affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process, but cannot take full responsibility.
NEW QUESTION 5
Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
- A. Number of controls implemented
- B. Percent of control objectives accomplished
- C. Percent of compliance with the security policy
- D. Reduction in the number of reported security incidents
Control objectives are directly related to business objectives; therefore, they would be the best metrics. Number of controls implemented does not have a direct relationship with the results of a security program. Percentage of compliance with the security policy and reduction in the number of security incidents are not as broad as choice B.
NEW QUESTION 6
The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:
- A. weaknesses in network and server security
- B. ways to improve the incident response process
- C. potential attack vectors on the network perimeter
- D. the optimum response to internal hacker attacks
An internal attack and penetration test are designed to identify weaknesses in network and server security. They do not focus as much on incident response or the network perimeter.
NEW QUESTION 7
Which of the following steps should be performed FIRST in the risk assessment process?
- A. Staff interviews
- B. Threat identification
- C. Asset identification and valuation
- D. Determination of the likelihood of identified risks
The first step in the risk assessment methodology is a system characterization, or identification and valuation, of all of the enterprise's assets to define the boundaries of the assessment. Interviewing is a valuable tool to determine qualitative information about an organization's objectives and tolerance for risk. Interviews are used in subsequent steps. Identification of threats comes later in the process and should not be performed prior to an inventory since many possible threats will not be applicable if there is no asset at risk. Determination of likelihood comes later in the risk assessment process.
NEW QUESTION 8
- A. notifications
- B. warranties
- C. liabilities
- D. geographic coverage
Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.
NEW QUESTION 9
Which of the following actions should be taken when an online trading company discovers a network attack in progress?
- A. Shut off all network access points
- B. Dump all event logs to removable media
- C. Isolate the affected network segment
- D. Enable trace logging on all events
Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing. Shutting off all network access points would create a denial of service that could result in loss of revenue. Dumping event logs and enabling trace logging, while perhaps useful, would not mitigate the immediate threat posed by the network attack.
NEW QUESTION 10
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
- A. transferred
- B. treated
- C. accepted
- D. terminated
When the cost of control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.
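The cost/benefit comparison behind this answer can be written down as a small decision routine. The following is an added example, not part of the question bank, and it uses the standard quantitative inputs (single loss expectancy, annualized rate of occurrence, annualized loss expectancy as their product) together with constructed figures for a hypothetical control and two hypothetical exposures; the decision it models is the accept-versus-treat choice the explanation describes, and it does not attempt to price transfer or termination.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk expressed with the usual quantitative inputs."""
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualized rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO (the 'cost of the risk')."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate mitigation and what it is expected to achieve."""
    name: str
    annual_cost: float    # cost of the control per year (licences, staff, ...)
    aro_reduction: float  # fraction of occurrences the control prevents, 0..1


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    if not 0.0 <= control.aro_reduction <= 1.0:
        raise ValueError("aro_reduction must be between 0 and 1")
    return risk.ale * (1.0 - control.aro_reduction)


def annual_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year: ALE before the control minus ALE after it."""
    return risk.ale - residual_ale(risk, control)


def recommend(risk: Risk, control: Control) -> dict:
    """Recommend 'accept' when the control costs more per year than the loss
    it avoids, otherwise 'treat' (apply the control)."""
    benefit = annual_benefit(risk, control)
    net = benefit - control.annual_cost
    return {
        "risk": risk.name,
        "control": control.name,
        "ale": risk.ale,
        "residual_ale": residual_ale(risk, control),
        "benefit": benefit,
        "net": net,
        "decision": "treat" if net > 0 else "accept",
    }


# Constructed scenarios (hypothetical figures, not from the question bank):
# the same control evaluated against a rare and a frequent exposure.
DLP_GATEWAY = Control("outbound DLP gateway", annual_cost=15_000.0, aro_reduction=0.9)
RARE_LEAK = Risk("accidental email leak (low volume)", sle=20_000.0, aro=0.1)
FREQUENT_LEAK = Risk("accidental email leak (high volume)", sle=20_000.0, aro=2.0)

if __name__ == "__main__":
    for risk in (RARE_LEAK, FREQUENT_LEAK):
        r = recommend(risk, DLP_GATEWAY)
        print(f"{r['risk']}: ALE {r['ale']:,.0f}, benefit {r['benefit']:,.0f}, "
              f"control cost {DLP_GATEWAY.annual_cost:,.0f} -> {r['decision']}")
```

With the constructed numbers the rare exposure has an ALE of 2,000 against a 15,000 control, so acceptance is recommended; the frequent exposure has an ALE of 40,000 and the same control pays for itself, so treatment is recommended. The point of separating `annual_benefit` from `recommend` is that the comparison is between the loss avoided and the control's cost, not between the control's cost and the gross ALE.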
NEW QUESTION 11
In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
- A. ensure access to individual functions can be granted to individual users only
- B. implement role-based access control in the application
- C. enforce manual procedures ensuring separation of conflicting duties
- D. create service accounts that can only be used by authorized team members
Role-based access control is the best way to implement appropriate segregation of duties. Roles will have to be defined once and then the user could be changed from one role to another without redefining the content of the role each time. Access to individual functions will not ensure appropriate segregation of duties. Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring segregation of duties is not an effective method, and would be difficult to enforce and monitor. Creating service accounts that can be used by authorized team members would not provide any help unless their roles are properly segregated.
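The explanation's two claims, that roles are defined once and reused, and that segregation of duties only works if the roles themselves are properly segregated, can be made concrete in code. This is an added example and not the question bank's own material: a minimal RBAC store with an explicit list of permission pairs that one person must never hold, a role audit that flags roles bundling both halves of such a pair, and an assignment check that refuses a role when the user's combined permissions would conflict. The role and permission names are constructed for the demonstration.

```python
from collections import defaultdict


class RbacWithSoD:
    """Minimal role-based access control with segregation-of-duties checks."""

    def __init__(self):
        self.role_perms = {}                  # role -> frozenset of permissions
        self.user_roles = defaultdict(set)    # user -> set of roles
        self.conflicting_perms = set()        # frozenset pairs that one person must not hold

    def define_role(self, role, perms):
        """Roles are defined once; users are later moved between them."""
        self.role_perms[role] = frozenset(perms)

    def declare_conflict(self, perm_a, perm_b):
        self.conflicting_perms.add(frozenset((perm_a, perm_b)))

    def _violations(self, perms):
        """Conflicting pairs fully contained in a permission set."""
        return sorted(tuple(sorted(pair)) for pair in self.conflicting_perms if pair <= perms)

    def audit_roles(self):
        """Roles that bundle both halves of a conflict defeat SoD on their own;
        returns {role: [conflicting pairs]} for such roles."""
        findings = {}
        for role, perms in self.role_perms.items():
            bad = self._violations(perms)
            if bad:
                findings[role] = bad
        return findings

    def effective_perms(self, user):
        perms = set()
        for role in self.user_roles[user]:
            perms |= self.role_perms[role]
        return frozenset(perms)

    def assign(self, user, role):
        """Grant a role, refusing if the user's combined permissions would conflict."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        combined = self.effective_perms(user) | self.role_perms[role]
        bad = self._violations(combined)
        if bad:
            raise PermissionError(f"assigning {role!r} to {user!r} violates SoD: {bad}")
        self.user_roles[user].add(role)

    def can(self, user, perm):
        return perm in self.effective_perms(user)


def build_demo():
    """Constructed payment-application roles (hypothetical names)."""
    rbac = RbacWithSoD()
    rbac.declare_conflict("create_payment", "approve_payment")
    rbac.define_role("payment_initiator", {"create_payment", "view_ledger"})
    rbac.define_role("payment_approver", {"approve_payment", "view_ledger"})
    # A role like this is what the audit is meant to catch.
    rbac.define_role("ops_superuser", {"create_payment", "approve_payment", "view_ledger"})
    rbac.assign("alice", "payment_initiator")
    rbac.assign("bob", "payment_approver")
    return rbac


if __name__ == "__main__":
    demo = build_demo()
    print("misdesigned roles:", demo.audit_roles())
    try:
        demo.assign("alice", "payment_approver")
    except PermissionError as exc:
        print("refused:", exc)
```

The audit is the part a reviewer of a shared-privilege setup would run first: if an over-broad role exists, every holder of it has the conflicting duties regardless of how carefully individual assignments are checked.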
NEW QUESTION 12
When residual risk is minimized:
- A. acceptable risk is probable
- B. transferred risk is acceptable
- C. control risk is reduced
- D. risk is transferable
Since residual risk is the risk that remains after putting into place an effective risk management program, it is probable that the organization will decide that it is an acceptable risk if sufficiently minimized. Transferred risk is risk that has been assumed by a third party, therefore its magnitude is not relevant. Accordingly, choices B and D are incorrect since transferred risk does not necessarily indicate whether risk is at an acceptable level. Minimizing residual risk will not reduce control risk.
NEW QUESTION 13
Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?
- A. Design
- B. Implementation
- C. Application security testing
- D. Feasibility
Information security should be considered at the earliest possible stage. Security requirements must be defined before you enter into design specification, although changes in design may alter these requirements later on. Security requirements defined during system implementation are typically costly add-ons that are frequently ineffective. Application security testing occurs after security has been implemented.
NEW QUESTION 14
Information security policies should:
- A. address corporate network vulnerabilities
- B. address the process for communicating a violation
- C. be straightforward and easy to understand
- D. be customized to specific groups and roles
As high-level statements, information security policies should be straightforward and easy to understand. They are high-level and, therefore, do not address network vulnerabilities directly or the process for communicating a violation. As policies, they should provide a uniform message to all groups and user roles.
NEW QUESTION 15
The PRIORITY action to be taken when a server is infected with a virus is to:
- A. isolate the infected server(s) from the network
- B. identify all potential damage caused by the infection
- C. ensure that the virus database files are current
- D. establish security weaknesses in the firewall
The priority in this event is to minimize the effect of the virus infection and to prevent it from spreading by removing the infected server(s) from the network. After the network is secured from further infection, the damage assessment can be performed, the virus database updated and any weaknesses sought.
NEW QUESTION 16
The MOST important reason for formally documenting security procedures is to ensure:
- A. processes are repeatable and sustainable
- B. alignment with business objectives
- C. auditability by regulatory agencies
- D. objective criteria for the application of metrics
Without formal documentation, it would be difficult to ensure that security processes are performed in the proper manner every time that they are performed. Alignment with business objectives is not a function of formally documenting security procedures. Processes should not be formally documented merely to satisfy an audit requirement. Although potentially useful in the development of metrics, creating formal documentation to assist in the creation of metrics is a secondary objective.
NEW QUESTION 17
Acceptable risk is achieved when:
- A. residual risk is minimized
- B. transferred risk is minimized
- C. control risk is minimized
- D. inherent risk is minimized
Residual risk is the risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk. Control risk is the risk that controls may not prevent/detect an incident with a measure of control effectiveness. Inherent risk cannot be minimized.
NEW QUESTION 18
Recovery point objectives (RPOs) can be used to determine which of the following?
- A. Maximum tolerable period of data loss
- B. Maximum tolerable downtime
- C. Baseline for operational resiliency
- D. Time to restore backups
The RPO is determined based on the acceptable data loss in the case of disruption of operations. It indicates the farthest point in time prior to the incident to which it is acceptable to recover the data. RPO effectively quantifies the permissible amount of data loss in the case of interruption. It also dictates the frequency of backups required for a given data set since the smaller the allowable gap in data, the more frequent that backups must occur.
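The link between RPO and backup frequency can be checked mechanically against an actual schedule. The following is an added example, not part of the question bank: it takes a list of daily backup start times, computes the largest gap between consecutive runs (including the wrap from the last run of one day to the first run of the next), and compares the worst-case loss window against the RPO. The optional `backup_duration` parameter is an assumption for backups that are not point-in-time consistent, where data written while a backup runs may not be captured until the next one; the schedules and RPO values are constructed.

```python
from datetime import timedelta


def parse_hhmm(text):
    """'HH:MM' -> offset from midnight."""
    hours, minutes = text.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"bad time of day: {text!r}")
    return timedelta(hours=h, minutes=m)


def max_gap(schedule_hhmm):
    """Largest interval between consecutive daily backup starts."""
    times = sorted(parse_hhmm(t) for t in schedule_hhmm)
    if not times:
        raise ValueError("schedule is empty")
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    # wrap-around: from the last run of one day to the first run of the next
    gaps.append(timedelta(days=1) - times[-1] + times[0])
    return max(gaps)


def worst_case_data_loss(schedule_hhmm, backup_duration=timedelta(0)):
    """Data written after one backup starts and before the next completes is
    the most that can be lost if the disruption lands just before that
    completion (assumption: backups are not point-in-time snapshots, so the
    run time is added to the gap)."""
    return max_gap(schedule_hhmm) + backup_duration


def meets_rpo(schedule_hhmm, rpo, backup_duration=timedelta(0)):
    """True when the worst-case loss window fits inside the RPO."""
    return worst_case_data_loss(schedule_hhmm, backup_duration) <= rpo


def required_interval(rpo, backup_duration=timedelta(0)):
    """Longest permissible gap between backup starts for a given RPO."""
    if backup_duration >= rpo:
        raise ValueError("backup takes at least as long as the RPO allows")
    return rpo - backup_duration


# Constructed schedules and RPO (not from the page).
SIX_HOURLY = ["00:00", "06:00", "12:00", "18:00"]
FOUR_HOURLY = ["00:00", "04:00", "08:00", "12:00", "16:00", "20:00"]
RPO = timedelta(hours=4)

if __name__ == "__main__":
    for name, sched in (("six-hourly", SIX_HOURLY), ("four-hourly", FOUR_HOURLY)):
        loss = worst_case_data_loss(sched, backup_duration=timedelta(minutes=20))
        print(f"{name}: worst-case loss {loss}, meets RPO {RPO}: "
              f"{meets_rpo(sched, RPO, timedelta(minutes=20))}")
    print("max start interval for", RPO, "with 20-minute backups:",
          required_interval(RPO, timedelta(minutes=20)))
```

The wrap-around gap is the usual mistake in hand calculations: a schedule of `02:00` and `14:00` looks like a 12-hour interval either way, but a schedule of `01:00` and `06:00` has a 19-hour gap overnight, which is what actually bounds the data loss.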
NEW QUESTION 19
Security monitoring mechanisms should PRIMARILY:
- A. focus on business-critical information
- B. assist owners to manage control risk
- C. focus on detecting network intrusions
- D. record all security violations
Security monitoring must focus on business-critical information to remain effectively usable by and credible to business users. Control risk is the possibility that controls would not detect an incident or error condition, and therefore is not a correct answer because monitoring would not directly assist in managing this risk. Network intrusions are not the only focus of monitoring mechanisms; although they should record all security violations, this is not the primary objective.
NEW QUESTION 20
A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?
- A. Invalid logon attempts
- B. Write access violations
- C. Concurrent logons
- D. Firewall logs
Since the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity. Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity since concurrent usage is common in this situation. Write access violations would not necessarily be observed since the information was merely copied and not altered. Firewall logs would not necessarily contain information regarding logon attempts.
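The detection described here, many failed logons against one account followed by a success from the same source, is straightforward to automate over authentication logs. The following is an added example and not material from the question bank: it parses a constructed log format (the field layout, the account name `dbadmin` and the addresses, which use the 203.0.113.0/24 documentation range, are all made up for the demonstration), keeps a sliding window of failures per account and source, and raises an alert when a success follows at least `threshold` failures inside the window. The sample also includes two concurrent logons to the shared account from different internal hosts, which, as the explanation notes, are expected for a shared account and are not flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not from the page). Format is hypothetical.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z auth result=FAIL user=dbadmin src=203.0.113.7
2024-03-01T02:14:09Z auth result=FAIL user=dbadmin src=203.0.113.7
2024-03-01T02:14:12Z auth result=FAIL user=dbadmin src=203.0.113.7
2024-03-01T02:14:15Z auth result=FAIL user=dbadmin src=203.0.113.7
2024-03-01T02:14:18Z auth result=FAIL user=dbadmin src=203.0.113.7
2024-03-01T02:14:21Z auth result=OK user=dbadmin src=203.0.113.7
2024-03-01T03:05:00Z auth result=OK user=dbadmin src=10.0.5.21
2024-03-01T03:05:30Z auth result=OK user=dbadmin src=10.0.5.22
2024-03-01T08:00:00Z auth result=FAIL user=jsmith src=10.0.7.3
2024-03-01T08:00:05Z auth result=OK user=jsmith src=10.0.7.3
this line is not an auth record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for lines that match the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def find_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when an account sees at least `threshold` failures within `window`
    from one source and that same source then logs on successfully."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in parse(lines):
        q = failures[(user, src)]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({
                "user": user,
                "src": src,
                "failures": len(q),
                "first_failure": q[0],
                "success": ts,
            })
            q.clear()
    return alerts


def count_concurrent(lines, window=timedelta(minutes=5)):
    """Successful logons to the same account from distinct sources within
    `window`; shown only to illustrate why this signal is noisy for a shared
    account. Returns {user: number of distinct sources in the busiest window}."""
    successes = defaultdict(deque)
    busiest = defaultdict(int)
    for ts, result, user, src in parse(lines):
        if result != "OK":
            continue
        q = successes[user]
        while q and ts - q[0][0] > window:
            q.popleft()
        q.append((ts, src))
        busiest[user] = max(busiest[user], len({s for _, s in q}))
    return dict(busiest)


if __name__ == "__main__":
    for alert in find_guessing(SAMPLE_LOG.splitlines()):
        print(f"possible password guessing: {alert['user']} from {alert['src']}, "
              f"{alert['failures']} failures between {alert['first_failure']} "
              f"and success at {alert['success']}")
    print("concurrent distinct sources per account:", count_concurrent(SAMPLE_LOG.splitlines()))
```

The single failure against `jsmith` stays below the threshold and produces no alert, while the shared `dbadmin` account shows two distinct sources within five minutes without any failures, which is exactly the pattern the explanation says concurrent-logon review cannot distinguish from normal use of a shared account.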
NEW QUESTION 21
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
- A. The recovery time objective (RTO) was not exceeded during testing
- B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently
- C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
- D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan
Consistent achievement of recovery time objective (RTO) objectives during testing provides the most objective evidence that business continuity/disaster recovery plan objectives have been achieved. The successful testing of the business continuity/disaster recovery plan within the stated RTO objectives is the most indicative evidence that the business needs are being met. Objective testing of the business continuity/disaster recovery plan will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning. Mere valuation and assignment of information assets to owners (per the business continuity/disaster recovery plan) will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.
NEW QUESTION 22
An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:
- A. source routing
- B. broadcast propagation
- C. unregistered ports
- D. nonstandard protocols
If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) IP addresses of the organization. Broadcast propagation, unregistered ports and nonstandard protocols do not create a significant security exposure.
NEW QUESTION 23
Which of the following is MOST likely to be discretionary?
- A. Policies
- B. Procedures
- C. Guidelines
- D. Standards
Policies define security goals and expectations for an organization. These are defined in more specific terms within standards and procedures. Standards establish what is to be done while procedures describe how it is to be done. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.
NEW QUESTION 24
A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
- A. Enforce the existing security standard
- B. Change the standard to permit the deployment
- C. Perform a risk analysis to quantify the risk
- D. Perform research to propose use of a better technology
Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.
NEW QUESTION 25
Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
- A. Update platform-level security settings
- B. Conduct disaster recovery test exercises
- C. Approve access to critical financial systems
- D. Develop an information security strategy paper
Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks.