
New TroytecDumps CISM Exam Questions | Real CISM Dumps Updated on Mar 25, 2024
CISM Braindumps – CISM Questions to Get Better Grades
NEW QUESTION # 63
Which of the following will ensure confidentiality of content when accessing an email system over the Internet?
- A. Digital signatures
- B. Data masking
- C. Multi-factor authentication
- D. Digital encryption
Answer: D
Explanation:
Digital encryption is the process of transforming data into an unreadable form using a secret key or algorithm.
Digital encryption will ensure the confidentiality of content when accessing an email system over the Internet, as it prevents unauthorized parties from intercepting, viewing, or modifying the email messages. Digital encryption can be applied to both the email content and the email transmission, using different methods such as symmetric encryption, asymmetric encryption, or hybrid encryption. Digital encryption can also provide other benefits such as authentication, integrity, and non-repudiation, depending on the encryption scheme and the use of digital signatures or certificates. References = CISM Review Manual 15th Edition, page 101, page 102.
NEW QUESTION # 64
Which of the following would BEST enable an effective response to a network-based attack?
- A. Maintaining an incident playbook
- B. Notifying the network service provider of incidents
- C. Deploying counterattacks on the source network
- D. Enabling network time protocol synchronization
Answer: A
NEW QUESTION # 65
The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
- A. patterns of suspicious access.
- B. weaknesses in network security.
- C. how an attack was launched on the network.
- D. potential attacks on the internal network.
Answer: D
Explanation:
The most important function of an intrusion detection system (IDS) is to identify potential attacks on the network. Identifying how the attack was launched is secondary. It is not designed specifically to identify weaknesses in network security or to identify patterns of suspicious logon attempts.
NEW QUESTION # 66
Which of the following BEST enables the assignment of risk and control ownership?
- A. Developing an information security strategy
- B. Aligning to an industry-recognized control framework
- C. Obtaining senior management buy-in
- D. Adopting a risk management framework
Answer: C
Explanation:
Obtaining senior management buy-in is the best way to enable the assignment of risk and control ownership because it helps to establish the authority and accountability of the risk and control owners, as well as to provide them with the necessary resources and support to perform their roles. Risk and control ownership refers to the assignment of specific responsibilities and accountabilities for managing risks and controls to individuals or groups within the organization. Obtaining senior management buy-in helps to ensure that risk and control ownership is aligned with the organizational objectives, structure, and culture, as well as to communicate the expectations and benefits of risk and control ownership to all stakeholders. Therefore, obtaining senior management buy-in is the correct answer.
Reference:
https://www.protechtgroup.com/en-au/blog/risk-control-management
https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/working%20papers/23_getting_risk_ownership_right.ashx
https://www.linkedin.com/pulse/risk-controls-who-owns-them-david-tattam
NEW QUESTION # 67
Which of the following would help to change an organization's security culture?
- A. Develop procedures to enforce the information security policy
- B. Periodically audit compliance with the information security policy
- C. Implement strict technical security controls
- D. Obtain strong management support
Answer: D
Explanation:
Management support and pressure will help to change an organization's culture. Procedures will support an information security policy, but cannot change the culture of the organization. Technical controls will provide more security to an information system and staff; however, this does not mean the culture will be changed. Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company.
NEW QUESTION # 68
Which of the following is the BEST way to improve the timely reporting of information security incidents?
- A. Regularly reassess and update the incident response plan.
- B. Integrate an intrusion detection system (IDS) in the DMZ.
- C. Perform periodic simulations with the incident response team.
- D. Incorporate security procedures in help desk processes.
Answer: A
NEW QUESTION # 69
A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:
- A. rebuild the server with original media and relevant patches.
- B. rebuild the server from the last verified backup.
- C. place the web server in quarantine.
- D. shut down the server in an organized manner.
Answer: A
Explanation:
The original media should be used since one can never be sure of all the changes a super-user may have made nor the timelines in which these changes were made. Rebuilding from the last known verified backup is incorrect since the verified backup may have been compromised by the super-user at a different time. Placing the web server in quarantine should have already occurred in the forensic process. Shut down in an organized manner is out of sequence and no longer a problem. The forensic process is already finished and evidence has already been acquired.
NEW QUESTION # 70
The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:
- A. the optimum response to internal hacker attacks.
- B. ways to improve the incident response process.
- C. potential attack vectors on the network perimeter.
- D. weaknesses in network and server security.
Answer: D
Explanation:
An internal attack and penetration test is designed to identify weaknesses in network and server security. It does not focus as much on incident response or the network perimeter.
NEW QUESTION # 71
Security administration efforts will be greatly reduced following the deployment of which of the following techniques?
- A. Distributed access control
- B. Discretionary access control
- C. Access control lists
- D. Role-based access control
Answer: D
Explanation:
Role-based access control (RBAC) is a policy-neutral access control mechanism that assigns access privileges to defined roles in the organization and then makes each user a member of the appropriate roles. RBAC reduces security administration efforts by simplifying the management of access rights across different users and resources. RBAC also enables consistent and efficient enforcement of the principle of least privilege, which grants users only the minimum rights required to perform their assigned tasks. RBAC can also facilitate the implementation of separation of duties, which prevents users from having conflicting or incompatible responsibilities. RBAC is among the most widely used methods in the information security tool kit.
References = CIS Control 6: Access Control Management - Netwrix, CISSP certification: RBAC (Role based access control), What is RBAC? (Role Based Access Control) - IONOS
NEW QUESTION # 72
Management decisions concerning information security investments will be MOST effective when they are based on:
- A. an annual loss expectancy (ALE) determined from the history of security events.
- B. a process for identifying and analyzing threats and vulnerabilities.
- C. the formalized acceptance of risk analysis by management.
- D. the reporting of consistent and periodic assessments of risks.
Answer: D
Explanation:
Management decisions concerning information security investments will be most effective when they are based on the reporting of consistent and periodic assessments of risks. This will help management to understand the current and emerging threats, vulnerabilities, and impacts that affect the organization's information assets and business processes. It will also help management to prioritize the allocation of resources and funding for the most critical and cost-effective security controls and solutions. The reporting of consistent and periodic assessments of risks will also enable management to monitor the performance and effectiveness of the information security program, and to adjust the security strategy and objectives as needed. References = CISM Review Manual 15th Edition, page 28.
NEW QUESTION # 73
Recommendations for enterprise investment in security technology should be PRIMARILY based on:
- A. the organization's risk tolerance.
- B. adherence to international standards.
- C. availability of financial resources.
- D. alignment with business needs.
Answer: A
Explanation:
According to the CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.1, "Recommendations for enterprise investment in security technology should be primarily based on the organization's risk tolerance." The organization's risk tolerance is the degree of uncertainty that the organization is willing to accept in order to pursue its objectives. It reflects the organization's appetite for risk and its ability to cope with potential losses or disruptions. The higher the risk tolerance, the more aggressive and innovative the security investments can be, as they can help achieve faster growth or competitive advantage. The lower the risk tolerance, the more conservative and defensive the security investments should be, as they can help protect the organization's assets and reputation from potential threats.
References: CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.1
NEW QUESTION # 74
When residual risk is minimized:
- A. transferred risk is acceptable.
- B. risk is transferable.
- C. control risk is reduced.
- D. acceptable risk is probable.
Answer: D
Explanation:
Since residual risk is the risk that remains after putting into place an effective risk management program, it is probable that the organization will decide that it is an acceptable risk if sufficiently minimized. Transferred risk is risk that has been assumed by a third party, therefore its magnitude is not relevant. Accordingly, the choices concerning transferred risk are incorrect, since transferred risk does not necessarily indicate whether risk is at an acceptable level. Minimizing residual risk will not reduce control risk.
NEW QUESTION # 75
An organization has outsourced many application development activities to a third party that uses contract programmers extensively. Which of the following would provide the BEST assurance that the third party's contract programmers comply with the organization's security policies?
- A. Perform periodic security assessments of the contractors' activities.
- B. Require annual signed agreements of adherence to security policies.
- C. Conduct periodic vulnerability scans of the application.
- D. Include penalties for noncompliance in the contracting agreement.
Answer: C
NEW QUESTION # 76
The PRIMARY reason for creating a business case when proposing an information security project is to:
- A. ensure relevant business parties are involved in the project.
- B. establish the value of the project in relation to business objectives.
- C. ensure comprehensive security controls are identified.
- D. establish the value of the project with regard to regulatory compliance.
Answer: B
NEW QUESTION # 77
Which of the following is the BEST control to protect customer personal information that is stored in the cloud?
- A. Strong encryption methods
- B. Strong physical access controls
- C. Appropriate data anonymization
- D. Timely deletion of digital records
Answer: A
Explanation:
Strong encryption methods are the BEST control to protect customer personal information that is stored in the cloud, because they help to prevent unauthorized access, disclosure, modification, or deletion of the data by encrypting it at rest and in transit. Encryption is the process of transforming data into an unreadable format using a secret key or algorithm, so that only authorized parties can decrypt and access the data. Encryption can help to protect the confidentiality, integrity, and availability of the data, as well as to comply with legal and regulatory requirements.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 72: "Encryption is the process of transforming data into an unreadable format using a secret key or algorithm." CISM Review Manual, 16th Edition, ISACA, 2020, p. 73: "Encryption can help to protect the confidentiality, integrity, and availability of data, as well as to comply with legal and regulatory requirements for data protection." SaaS Data Security: Protecting Your Customers' Information In The Cloud - Fresent's Blog: "Encryption and Data Protection: One of the most effective ways to protect sensitive data in the cloud is to encrypt it both at rest and in transit. Encryption is the process of transforming data into an unreadable format using a secret key or algorithm, so that only authorized parties can decrypt and access the data."
NEW QUESTION # 78
A critical component of a continuous improvement program for information security is:
- A. measuring processes and providing feedback.
- B. tying corporate security standards to a recognized international standard.
- C. developing a service level agreement (SLA) for security.
- D. ensuring regulatory compliance.
Answer: A
Explanation:
If an organization is unable to take measurements that will improve the level of its security program, then continuous improvement is not possible. Although desirable, developing a service level agreement (SLA) for security, tying corporate security standards to a recognized international standard and ensuring regulatory compliance are not critical components of a continuous improvement program.
NEW QUESTION # 79
Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?
- A. Establish clear rules of engagement
- B. Request a list of the software to be used
- C. Monitor intrusion detection system (IDS) and firewall logs closely
- D. Provide clear directions to IT staff
Answer: A
Explanation:
It is critical to establish a clear understanding on what is permissible during the engagement. Otherwise, the tester may inadvertently trigger a system outage or inadvertently corrupt files. Not as important, but still useful, is to request a list of what software will be used. As for monitoring the intrusion detection system (IDS) and firewall, and providing directions to IT staff, it is better not to alert those responsible for monitoring (other than at the management level), so that the effectiveness of that monitoring can be accurately assessed.
NEW QUESTION # 80
Which of the following are the MOST important criteria when selecting virus protection software?
- A. Product market share and annualized cost
- B. Ability to interface with intrusion detection system (IDS) software and firewalls
- C. Ease of maintenance and frequency of updates
- D. Alert notifications and impact assessments for new viruses
Answer: C
Explanation:
For the software to be effective, it must be easy to maintain and keep current. Market share and annualized cost, links to the intrusion detection system (IDS) and automatic notifications are all secondary in nature.
NEW QUESTION # 81
The MOST important success factor to design an effective IT security awareness program is to:
- A. ensure senior management is represented.
- B. customize the content to the target audience.
- C. avoid technical content but give concrete examples.
- D. ensure that all the staff is trained.
Answer: B
Explanation:
Awareness training can only be effective if it is customized to the expectations and needs of attendees. Needs will be quite different depending on the target audience and will vary between business managers, end users and IT staff; program content and the level of detail communicated will therefore be different. Other criteria are also important; however, the customization of content is the most important factor.
NEW QUESTION # 82
An organization wants to ensure its confidential data is isolated in a multi-tenanted environment at a well-known cloud service provider. Which of the following is the BEST way to ensure the data is adequately protected?
- A. Verify the provider follows a cloud service framework standard.
- B. Review the provider's information security policies and procedures.
- C. Ensure an audit of the provider is conducted to identify control gaps.
- D. Obtain documentation of the encryption management practices.
Answer: D
NEW QUESTION # 83
To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:
- A. perform regular audits of the application.
- B. create a separate account for the programmer as a power user.
- C. have the programmer sign a letter accepting full responsibility.
- D. log all of the programmer's activity for review by a supervisor.
Answer: D
Explanation:
It is not always possible to provide adequate segregation of duties between programming and operations in order to meet certain business requirements. A mitigating control is to record all of the programmer's actions for later review by their supervisor, which would reduce the likelihood of any inappropriate action on the part of the programmer. The other choices do not solve the problem.
NEW QUESTION # 84
The BEST time to perform a penetration test is after:
- A. various infrastructure changes are made.
- B. an attempted penetration has occurred.
- C. an audit has reported weaknesses in security controls.
- D. a high turnover in systems staff.
Answer: A
Explanation:
Changes in the systems infrastructure are most likely to inadvertently introduce new exposures. Conducting a test after an attempted penetration is not as productive, since an organization should not wait until it is attacked to test its defenses. Any exposure identified by an audit should be corrected before it would be appropriate to test. A turnover in administrative staff does not warrant a penetration test, although it may warrant a review of password change practices and configuration management.
NEW QUESTION # 85
......
The Benefits of Obtaining the CISM Exam Certification
- CISM validates a candidate's knowledge and experience in the relevant domain and shows their capacity to respond to any challenge.
- It is internationally accepted as the mark of excellence for the IS audit professional.
- Candidates with this certification, for the most part, earn 47.54% higher pay.
- It demonstrates candidate capability in the IS audit, control and security profession.
- CISM can likewise offer a career advancement by distinguishing candidates from others who are not CISM certified.
CISM Exam Dumps - Try Best CISM Exam Questions: https://www.troytecdumps.com/CISM-troytec-exam-dumps.html
Get New CISM Certification – Valid Exam Dumps Questions: https://drive.google.com/open?id=1KHjYpDcJS99IXD3ZfRDWJb8Uhe3NnAVq