May-2024 Pass ISACA CISM Exam in First Attempt Easily [Q93-Q113]


NEW QUESTION # 93
Which of the following is MOST effective in monitoring an organization's existing risk?

  • A. Vulnerability assessment results
  • B. Periodic updates to risk register
  • C. Risk management dashboards
  • D. Security information and event management (SIEM) systems

Answer: C

Explanation:
Risk management dashboards are the MOST effective in monitoring an organization's existing risk because they provide a visual and interactive representation of the key risk indicators (KRIs) and metrics that reflect the current risk posture and performance of the organization. Risk management dashboards help to communicate risk information to various stakeholders, identify trends and patterns, compare actual results with targets and thresholds, and support decision making and risk response [1][2]. Periodic updates to the risk register are important to maintain the accuracy and relevance of the risk information, but they are not the most effective in monitoring the existing risk because they do not provide a real-time or dynamic view of the risk situation. Security information and event management (SIEM) systems are effective in monitoring the security events and incidents that may indicate potential or actual threats to the organization, but they are not the most effective in monitoring the existing risk because they do not provide a comprehensive or holistic view of the risk context and impact. Vulnerability assessment results are effective in monitoring the weaknesses and exposures of the organization's assets and systems, but they are not the most effective in monitoring the existing risk because they do not provide a quantitative or qualitative measure of the risk likelihood and consequence.
References: [1] CISM Review Manual, 15th Edition, pages 316-317; [2] CISM Domain 2: Information Risk Management (IRM) [2022 update].


NEW QUESTION # 94
Which of the following is MOST important for an information security manager to regularly report to senior management?

  • A. Results of penetration tests
  • B. Threat analysis reports
  • C. Audit reports
  • D. Impact of unremediated risks

Answer: D



NEW QUESTION # 95
An organization is creating a risk mitigation plan that considers redundant power supplies to reduce the business risk associated with critical system outages. Which type of control is being considered?

  • A. Preventive
  • B. Corrective
  • C. Deterrent
  • D. Detective

Answer: A


NEW QUESTION # 96
Which of the following parties should be responsible for determining access levels to an application that processes client information?

  • A. The business client
  • B. The information security team
  • C. Business unit management
  • D. The identity and access management team

Answer: C

Explanation:
The business client should be responsible for determining access levels to an application that processes client information, because the business client is the owner of the data and the primary stakeholder of the application. The business client has the best knowledge and understanding of the business requirements, objectives, and expectations of the application, and the sensitivity, value, and criticality of the data. The business client can also define the roles and responsibilities of the users and the access rights and privileges of the users based on the principle of least privilege and the principle of separation of duties. The business client can also monitor and review the access levels and the usage of the application, and ensure that the access levels are aligned with the organization's information security policies and standards.
The information security team, the identity and access management team, and the business unit management are all involved in the process of determining access levels to an application that processes client information, but they are not the primary responsible party. The information security team provides guidance, support, and oversight to the business client on the information security best practices, controls, and standards for the application, and ensures that the access levels are consistent with the organization's information security strategy and governance. The identity and access management team implements, maintains, and audits the access levels and the access control mechanisms for the application, and ensures that the access levels are compliant with the organization's identity and access management policies and procedures. The business unit management approves, authorizes, and sponsors the access levels and the access requests for the application, and ensures that the access levels are aligned with the business unit's goals and strategies.
References: ISACA, CISM Review Manual, 16th Edition, 2020, pages 125-126, 129-130, 133-134, 137-138; ISACA, CISM Review Questions, Answers & Explanations Database, 12th Edition, 2020, question ID 1037.


NEW QUESTION # 97
When developing a security architecture, which of the following steps should be executed FIRST?

  • A. Developing security procedures
  • B. Defining roles and responsibilities
  • C. Specifying an access control methodology
  • D. Defining a security policy

Answer: D

Explanation:
Section: INCIDENT MANAGEMENT AND RESPONSE
Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.


NEW QUESTION # 98
What is the BEST way to ensure that contract programmers comply with organizational security policies?

  • A. Create penalties for noncompliance in the contracting agreement
  • B. Explicitly refer to contractors in the security standards
  • C. Perform periodic security reviews of the contractors
  • D. Have the contractors acknowledge in writing the security policies

Answer: C

Explanation:
Periodic reviews are the most effective way of obtaining compliance. None of the other options detects the failure of contract programmers to comply.


NEW QUESTION # 99
Which of the following would BEST ensure the success of information security governance within an organization?

  • A. Security policy training provided to all managers
  • B. Steering committees enforce compliance with laws and regulations
  • C. Security training available to all employees on the intranet
  • D. Steering committees approve security projects

Answer: D

Explanation:
The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.


NEW QUESTION # 100
If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:

  • A. implement controls to mitigate the risk to an acceptable level.
  • B. assess the gap between current and acceptable level of risk.
  • C. recommend that management avoid the business activity.
  • D. transfer risk to a third party to avoid cost of impact.

Answer: B


NEW QUESTION # 101
Reviewing security objectives and ensuring the integration of security across business units is PRIMARILY the focus of the:

  • A. executive management.
  • B. chief information security officer (CISO).
  • C. board of directors.
  • D. steering committee.

Answer: D


NEW QUESTION # 102
Which of the following mechanisms is the MOST secure way to implement a secure wireless network?

  • A. Filter media access control (MAC) addresses
  • B. Use a Wi-Fi Protected Access (WPA2) protocol
  • C. Web-based authentication
  • D. Use a Wired Equivalent Privacy (WEP) key

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
WPA2 is currently one of the most secure authentication and encryption protocols for mainstream wireless products. MAC address filtering by itself is not a good security mechanism since allowed MAC addresses can be easily sniffed and then spoofed to get into the network. WEP is no longer a secure encryption mechanism for wireless communications. The WEP key can be easily broken within minutes using widely available software. And once the WEP key is obtained, all communications of every other wireless client are exposed. Finally, a web-based authentication mechanism can be used to prevent unauthorized user access to a network, but it will not solve the wireless network's main security issues, such as preventing network sniffing.


NEW QUESTION # 103
Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?

  • A. Acceptable level of potential business impacts
  • B. Historical cost of the asset
  • C. Annualized loss expectancy (ALE)
  • D. Cost versus benefit of additional mitigating controls

Answer: D

Explanation:
The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.


NEW QUESTION # 104
Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?

  • A. Monitor intrusion detection system (IDS) and firewall logs closely
  • B. Establish clear rules of engagement
  • C. Request a list of the software to be used
  • D. Provide clear directions to IT staff

Answer: B

Explanation:
It is critical to establish a clear understanding on what is permissible during the engagement. Otherwise, the tester may inadvertently trigger a system outage or inadvertently corrupt files. Not as important, but still useful, is to request a list of what software will be used. As for monitoring the intrusion detection system (IDS) and firewall, and providing directions to IT staff, it is better not to alert those responsible for monitoring (other than at the management level), so that the effectiveness of that monitoring can be accurately assessed.


NEW QUESTION # 105
A data leakage prevention (DLP) solution has identified that several employees are sending confidential company data to their personal email addresses in violation of company policy. The information security manager should FIRST:

  • A. notify senior management that employees are breaching policy
  • B. initiate an investigation to determine the full extent of noncompliance
  • C. limit access to the Internet for employees involved
  • D. contact the employees involved to retake security awareness training

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT


NEW QUESTION # 106
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

  • A. Chief operating officer (COO)
  • B. Legal counsel
  • C. Internal auditor
  • D. Information security manager

Answer: A

Explanation:
The chief operating officer (COO) is highly placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.


NEW QUESTION # 107
Which of the following is the BEST method for determining whether a firewall has been configured to provide a comprehensive perimeter defense?

  • A. A simulated denial of service (DoS) attack against the firewall
  • B. A validation of the current firewall rule set
  • C. A port scan of the firewall from an internal source
  • D. A ping test from an external source

Answer: B


NEW QUESTION # 108
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?

  • A. To mitigate technical risks
  • B. To receive an independent view of security exposures
  • C. To identify a complete list of vulnerabilities
  • D. To have an independent certification of network security

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure.
Mitigating technical risks is not a direct result of a penetration test. A penetration test would not provide certification of network security nor provide a complete list of vulnerabilities.


NEW QUESTION # 109
Which of the following provides the GREATEST assurance that an organization allocates appropriate resources to respond to information security events?

  • A. Incident classification procedures
  • B. An approved IT staffing plan
  • C. Threat analysis and intelligence reports
  • D. Information security policies and standards

Answer: A


NEW QUESTION # 110
Which is the MOST important driver for effectively communicating the progress of a new information security program's implementation to key stakeholders?

  • A. Documenting risk that could impact achievement of program objectives
  • B. Facilitating stakeholder understanding of program-related technology concepts
  • C. Designing universal key performance indicators (KPIs) for the program
  • D. Understanding stakeholder needs that influence program objectives

Answer: D



NEW QUESTION # 111
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

  • A. Include security responsibilities in the job description
  • B. Train the system administrator on penetration testing and vulnerability assessment
  • C. Require the administrator to obtain security certification
  • D. Train the system administrator on risk assessment

Answer: A

Explanation:
Section: INFORMATION SECURITY GOVERNANCE
The first step to improve accountability is to include security responsibilities in a job description. This documents what is expected and approved by the organization. The other choices are methods to ensure that the system administrator has the training to fulfill the responsibilities included in the job description.


NEW QUESTION # 112
An online bank identifies a successful network attack in progress. The bank should FIRST:

  • A. shut down the entire network.
  • B. report the root cause to the board of directors.
  • C. assess whether personally identifiable information (PII) is compromised.
  • D. isolate the affected network segment.

Answer: D


NEW QUESTION # 113
......


The CISM certification exam is an essential tool for IT professionals who are responsible for managing and overseeing information security programs. It demonstrates that the individual has the necessary expertise to develop and implement effective information security strategies. Certified Information Security Manager certification provides numerous benefits, including a competitive advantage in the job market, access to a global network of professionals, and the ability to stay up-to-date with the latest trends and best practices.
