[Q127-Q150] Try CISM Free Now! Real Exam Question Answers Updated [Dec 07, 2023]


NEW QUESTION # 127
A newly hired information security manager reviewing an existing security investment plan is MOST likely to be concerned when the plan:

  • A. has summarized IT costs for implementation rather than providing detail
  • B. is based solely on a review of security threats and vulnerabilities in existing IT systems
  • C. identifies potential impacts that the implementation may have on business processes
  • D. focuses on compliance with common international security standards

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT


NEW QUESTION # 128
The MOST complete business case for security solutions is one that:

  • A. includes appropriate justification.
  • B. identifies incidents and losses.
  • C. details regulatory requirements.
  • D. explains the current risk profile.

Answer: A

Explanation:
Management is primarily interested in security solutions that can address risks in the most cost-effective way. To address the needs of an organization, a business case should address appropriate security solutions in line with the organizational strategy.


NEW QUESTION # 129
When developing an escalation process for an incident response plan, the information security manager should PRIMARILY consider the:

  • A. affected stakeholders.
  • B. incident response team.
  • C. availability of technical resources.
  • D. media coverage.

Answer: B


NEW QUESTION # 130
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

  • A. Frequent risk assessment programs
  • B. Penetration testing
  • C. Countermeasure cost-benefit analysis
  • D. Annual loss expectancy (ALE) calculation

Answer: C

Explanation:
In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but, alone, will not justify a control.


NEW QUESTION # 131
An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager's FIRST course of action?

  • A. Inform respective risk owners of the impact of exceptions.
  • B. Prioritize the risk and implement treatment options.
  • C. Report the noncompliance to the board of directors.
  • D. Design mitigating controls for the exceptions.

Answer: B


NEW QUESTION # 132
The MOST useful way to describe the objectives in the information security strategy is through:

  • A. overall control objectives of the security program.
  • B. calculation of annual loss expectations.
  • C. attributes and characteristics of the "desired state."
  • D. mapping the IT systems to key business processes.

Answer: C

Explanation:
Section: INFORMATION SECURITY GOVERNANCE
Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.


NEW QUESTION # 133
Which of the following is the BEST approach for an organization desiring to protect its intellectual property?

  • A. Conduct awareness sessions on intellectual property policy
  • B. Require all employees to sign a nondisclosure agreement
  • C. Promptly remove all access when an employee leaves the organization
  • D. Restrict access to a need-to-know basis

Answer: D

Explanation:
Security awareness regarding intellectual property policy will not prevent violations of this policy. Requiring all employees to sign a nondisclosure agreement and promptly removing all access when an employee leaves the organization are good controls, but not as effective as restricting access to a need-to-know basis.


NEW QUESTION # 134
Which of the following is MOST important for an information security manager to regularly report to senior management?

  • A. Threat analysis reports
  • B. Impact of unremediated risks
  • C. Results of penetration tests
  • D. Audit reports

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT


NEW QUESTION # 135
An organization has remediated a security flaw in a system. Which of the following should be done NEXT?

  • A. Allocate budget for penetration testing
  • B. Assess the residual risk.
  • C. Share lessons learned with the organization
  • D. Update the system's documentation

Answer: B


NEW QUESTION # 136
An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:

  • A. broadcast propagation.
  • B. nonstandard protocols.
  • C. source routing.
  • D. unregistered ports.

Answer: C

Explanation:
If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) IP addresses of the organization. Broadcast propagation, unregistered ports and nonstandard protocols do not create a significant security exposure.


NEW QUESTION # 137
Which of the following is the MOST likely outcome from the implementation of a security governance framework?

  • A. Compliance with international standards
  • B. Cost reduction of information security initiatives
  • C. Realized business value from information security initiatives
  • D. Increased availability of information systems

Answer: C


NEW QUESTION # 138
Which of the following would BEST prepare an information security manager for regulatory reviews?

  • A. Ensure all regulatory inquiries are sanctioned by the legal department
  • B. Assign an information security administrator as regulatory liaison
  • C. Assess previous regulatory reports with process owners input
  • D. Perform self-assessments using regulatory guidelines and reports

Answer: D

Explanation:
Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department, or assessing previous reports, is not as effective. The legal department should review all formal inquiries but this does not help prepare for a regulatory review.


NEW QUESTION # 139
Which of the following would BEST ensure that security risk assessment is integrated into the life cycle of major IT projects?

  • A. Applying global security standards to the IT projects
  • B. Training project managers on risk assessment
  • C. Integrating the risk assessment into the internal audit program
  • D. Having the information security manager participate on the project setting committees

Answer: A


NEW QUESTION # 140
Senior management commitment and support will MOST likely be offered when the value of information security governance is presented from a:

  • A. compliance perspective.
  • B. risk perspective.
  • C. threat perspective.
  • D. policy perspective.

Answer: D

Explanation:
Section: INFORMATION SECURITY GOVERNANCE


NEW QUESTION # 141
Which of the following devices, when placed in a demilitarized zone (DMZ), would be considered the MOST significant exposure?

  • A. Mail relay server
  • B. Application server
  • C. Proxy server
  • D. Database server

Answer: D

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT


NEW QUESTION # 142
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?

  • A. IP spoofing
  • B. Man-in-the-middle attack
  • C. Trojan
  • D. Repudiation

Answer: C

Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
A Trojan is a program that gives the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user. IP spoofing will not work because IP is not used as an authentication mechanism. Man-in-the-middle attacks are not possible if using SSL with client-side certificates. Repudiation is unlikely because client-side certificates authenticate the user.


NEW QUESTION # 143
An advantage of antivirus software schemes based on change detection is that they have:

  • A. the highest probability of avoiding false alarms.
  • B. to be updated less frequently than activity monitors.
  • C. a chance of detecting current and future viral strains.
  • D. a more flexible directory of viral signatures.

Answer: C


NEW QUESTION # 144
An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective.
Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

  • A. Business case
  • B. Gap analysis
  • C. Cost-benefit analysis
  • D. Risk assessment

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT


NEW QUESTION # 145
If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:

  • A. implement controls to mitigate the risk to an acceptable level
  • B. transfer risk to a third party to avoid cost of impact
  • C. assess the gap between current and acceptable level of risk
  • D. recommend that management avoids the business activity

Answer: C


NEW QUESTION # 146
Which of the following will ensure confidentiality of content when accessing an email system over the Internet?

  • A. Digital signatures
  • B. Data masking
  • C. Multifactor authentication (MFA)
  • D. Digital encryption

Answer: D


NEW QUESTION # 147
An organization is planning to open a new office in another country. Sensitive data will be routinely sent between the two offices. What should be the information security manager's FIRST course of action?

  • A. Identify applicable regulatory requirements to establish security policies
  • B. Apply the current corporate security policies to the new office.
  • C. Update privacy policies to include the other country's laws and regulations.
  • D. Encrypt the data for transfer to the head office based on security manager approval

Answer: B


NEW QUESTION # 148
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?

  • A. System analyst
  • B. Information security manager
  • C. Process owner
  • D. Quality control manager

Answer: C

Explanation:
Process owners implement information protection controls as determined by the business's needs. Process owners have the most knowledge about security requirements for the business application for which they are responsible. The system analyst, quality control manager, and information security manager do not possess the necessary knowledge or authority to implement and maintain the appropriate level of business security.


NEW QUESTION # 149
The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:

  • A. Secure Sockets Layer (SSL).
  • B. IP Security (IPSec).
  • C. Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • D. Secure Shell (SSH).

Answer: A

Explanation:
Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications, offering endpoint authentication and communications privacy over the Internet. In typical use, all data transmitted between the customer and the business are therefore encrypted by the business's web server and remain confidential.
SSH File Transfer Protocol (SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer. IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of e-mail encapsulated in MIME; it is not a web transaction protocol.


NEW QUESTION # 150
......
