
Updated Oct-2024 CISM Exam Practice Test Questions
The ISACA CISM (Certified Information Security Manager) exam is a globally recognized certification program designed for professionals who are responsible for managing, designing, and overseeing an organization's information security program. The Certified Information Security Manager certification program is offered by the Information Systems Audit and Control Association (ISACA), a nonprofit organization dedicated to promoting the development and use of best practices and standards in information systems governance, control, and security. The CISM certification is designed to validate the knowledge and skills of information security professionals and demonstrate their competence in managing and protecting critical information assets.
The ISACA CISM exam consists of 150 multiple-choice questions that test candidates on four domains: Information Security Governance, Risk Management, Information Security Program Development and Management, and Information Security Incident Management. The CISM exam is administered in a computer-based format and takes four hours to complete. To be eligible for the CISM certification, candidates must have at least five years of experience in information security management, with at least three years of experience in the four domains covered in the exam.
ISACA CISM Exam Practice Test Questions
Certified Information Security Manager (CISM) is a sought-after certification offered by ISACA. ISACA is a non-profit independent association that helps professionals who are involved in risk management, information security, assurance, and governance. The exam that you need to pass for this certificate evaluates whether you have the experience and the knowledge to manage an information security program.
NEW QUESTION # 184
Which of the following business units should own the data that populates an identity management system?
- A. Information security
- B. Human resources (HR)
- C. Information technology
- D. Legal
Answer: B
NEW QUESTION # 185
The effectiveness of an information security governance framework will be enhanced if:
- A. a culture of legal and regulatory compliance is promoted by management.
- B. risk management is built into operational and strategic activities.
- C. IS auditors are empowered to evaluate governance activities.
- D. consultants review the information security governance framework.
Answer: D
NEW QUESTION # 186
An organization has recently experienced unauthorized device access to its network. To proactively manage the problem and mitigate this risk, the BEST preventive control would be to:
- A. install a stateful inspection firewall to prevent unauthorized network traffic.
- B. keep an inventory of network and hardware addresses of all systems connected to the network.
- C. deploy an automated asset inventory discovery tool to identify devices that access the network.
- D. implement network-level authentication and login to regulate access of devices to the network.
Answer: D
NEW QUESTION # 187
After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?
- A. Perform a gap analysis
- B. Procure security tools
- C. Conduct a risk assessment
- D. Define security metrics
Answer: C
Explanation:
When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. Defining security metrics, performing a gap analysis and procuring security tools are all subsequent considerations.
NEW QUESTION # 188
A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet.
Which of the following should be performed FIRST in response to this threat?
- A. Block incoming Internet mail, but permit outgoing mail
- B. Quarantine all mail servers connected to the Internet
- C. Quarantine all picture files stored on file servers
- D. Block all e-mails containing picture file attachments
Answer: D
Explanation:
Section: INCIDENT MANAGEMENT AND RESPONSE
Until signature files can be updated, incoming e-mail containing picture file attachments should be blocked.
Quarantining picture files already stored on file servers is not effective since these files must be intercepted before they are opened. Quarantine of all mail servers or blocking all incoming mail is unnecessary overkill since only those e-mails containing attached picture files are in question.
NEW QUESTION # 189
When designing an incident response plan to be agreed upon with a cloud computing vendor, including which of the following will BEST help to ensure the effectiveness of the plan?
- A. Requirements for onsite recovery testing
- B. A training program for the vendor staff
- C. An audit and compliance program
- D. Responsibility and accountability assignments
Answer: D
NEW QUESTION # 190
Which of the following would BEST mitigate accidental data loss events?
- A. Obtain senior management support for the information security strategy
- B. Conduct periodic user awareness training
- C. Conduct a data loss prevention audit
- D. Enforce a data hard drive encryption policy
Answer: B
NEW QUESTION # 191
Which of the following is the BEST way to help ensure alignment of the information security program with organizational objectives?
- A. Establish an information security steering committee.
- B. Utilize an industry-recognized risk management framework.
- C. Employ a process-based approach for information asset classification.
- D. Provide security awareness training to board executives.
Answer: A
Explanation:
The best way to help ensure alignment of the information security program with organizational objectives is A, establish an information security steering committee. An information security steering committee is a cross-functional group of senior executives and managers who provide strategic direction, oversight, and support for the information security program. An information security steering committee can help to ensure that the information security program is aligned with the organizational objectives by:
- Communicating and promoting the vision, mission, and value of information security to the organization and its stakeholders
- Defining and approving the information security policies, standards, and procedures
- Establishing and monitoring the information security goals, metrics, and performance indicators
- Allocating and prioritizing the resources and budget for information security initiatives and projects
- Resolving any conflicts or issues that may arise between the information security function and the business units
- Reviewing and endorsing the information security risk assessment and treatment plans
- Ensuring compliance with the legal, regulatory, and contractual obligations regarding information security
References = CISM Review Manual 15th Edition, Chapter 1, Section 1.2.2, page 20; CISM Review Questions, Answers & Explanations Manual 9th Edition, Question 9, page 3; Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition
NEW QUESTION # 192
Which of the following would be MOST effective in reducing the impact of a distributed denial of service (DDoS) attack?
- A. Impose state limits on servers.
- B. Spread a site across multiple ISPs.
- C. Harden network security.
- D. Block the attack at the source.
Answer: B
NEW QUESTION # 193
Which of the following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data?
- A. Ensuring the amount of residual risk is acceptable
- B. Complying with regulatory requirement
- C. Avoiding identified system threats
- D. Reducing the number of vulnerabilities detected
Answer: B
NEW QUESTION # 194
Security awareness training is MOST likely to lead to which of the following?
- A. Increase in reported incidents
- B. Decrease in intrusion incidents
- C. Decrease in security policy changes
- D. Increase in access rule violations
Answer: A
Explanation:
Reported incidents will provide an indicator as to the awareness level of staff. An increase in reported incidents could indicate that staff is paying more attention to security. Intrusion incidents and access rule violations may or may not have anything to do with awareness levels. A decrease in changes to security policies may or may not correlate to security awareness training.
NEW QUESTION # 195
Information security controls should be designed PRIMARILY based on:
- A. a vulnerability assessment.
- B. regulatory requirements.
- C. business risk scenarios.
- D. a business impact analysis (BIA).
Answer: C
NEW QUESTION # 196
A risk assessment exercise has identified the threat of a denial of service (DoS) attack. Executive management has decided to take no further action related to this risk. The MOST likely reason for this decision is:
- A. the risk assessment has not defined the likelihood of occurrence.
- B. executive management is not aware of the impact potential.
- C. the cost of implementing controls exceeds the potential financial losses.
- D. the reported vulnerability has not been validated.
Answer: C
Explanation:
The most likely reason for executive management to take no further action related to the risk of a denial of service (DoS) attack is that the cost of implementing controls exceeds the potential financial losses. This means that the risk is acceptable or tolerable for the organization, and that the benefits of reducing the risk do not outweigh the costs of applying the controls. This decision is based on a cost-benefit analysis, which is a common technique for evaluating and comparing different risk response options. A cost-benefit analysis considers the following factors:
- The estimated impact of the risk, which is the potential loss or damage that the organization may suffer if the risk materializes. The impact can be expressed in quantitative or qualitative terms, such as monetary value, reputation, customer satisfaction, legal liability, etc.
- The estimated likelihood of occurrence, which is the probability or frequency that the risk will occur within a given time period. The likelihood can be expressed in numerical or descriptive terms, such as percentage, rating, high, medium, low, etc.
- The estimated cost of controls, which is the total amount of resources that the organization needs to invest in order to implement and maintain the controls. The cost can include direct and indirect expenses, such as hardware, software, personnel, training, maintenance, etc.
- The estimated benefit of controls, which is the reduction in the impact or likelihood of the risk as a result of implementing the controls. The benefit can be expressed in the same terms as the impact or likelihood, such as monetary value, percentage, rating, etc.
A cost-benefit analysis can be performed using various methods, such as net present value (NPV), return on investment (ROI), internal rate of return (IRR), etc. The general principle is to compare the cost and benefit of each control option, and select the one that provides the highest net benefit or the lowest net cost. A control option is considered feasible and desirable if its benefit exceeds its cost, or if its cost is lower than the impact of the risk.
In this case, executive management has decided to take no further action related to the risk of a DoS attack, which implies that the cost of implementing controls exceeds the potential financial losses. This could be because the impact or likelihood of the risk is low, or because the cost or complexity of the controls is high, or both. For example, the organization may have a robust backup and recovery system, a diversified network infrastructure, a strong customer loyalty, or a low dependency on online services, which reduce the impact or likelihood of a DoS attack. Alternatively, the organization may face technical, financial, or operational challenges in implementing effective controls, such as firewalls, load balancers, traffic filters, or cloud services, which increase the cost or complexity of the controls. Therefore, executive management may have concluded that the risk is acceptable or tolerable, and that taking no further action is the most rational and economical choice.
The other options are not the most likely reasons for executive management to take no further action related to the risk of a DoS attack, as they indicate a lack of proper risk assessment or validation. The risk assessment should define the likelihood of occurrence and the reported vulnerability should be validated, as these are essential steps for identifying and analyzing the risk. Executive management should be aware of the impact potential, as this is a key factor for evaluating and prioritizing the risk. If any of these options were true, executive management would not have enough information or evidence to make an informed and justified decision about the risk response.
References = CISM Review Manual, Chapter 2, pages 67-69; CISM Exam Content Outline | CISM Certification | ISACA, Domain 2, Task 2.2; Information Security Risk Management for CISM - Pluralsight, Module 2, Section 2.3; CISM: Information Risk Management Part 2 from Skillsoft - NICCS, Section 2.4
Executive management may not take action related to a risk if they have determined that the cost of implementing the necessary controls to mitigate the risk exceeds the potential financial losses that the organization may incur if the risk were to materialize. In cases such as this, it is important for the information security team to provide the executive team with a thorough cost-benefit analysis that outlines the cost of implementing the controls versus the expected losses from the risk.
NEW QUESTION # 197
Which of the following is the BEST way to obtain support for a new organization-wide information security program?
- A. Deliver an information security awareness campaign.
- B. Benchmark against similar industry organizations
- C. Establish an information security strategy committee.
- D. Publish an information security RACI chart.
Answer: C
Explanation:
Establishing an information security strategy committee is the best way to obtain support for a new organization-wide information security program because it involves the participation and collaboration of key stakeholders from different business functions and levels who can provide input, guidance, and endorsement for the security program. An information security strategy committee is a governance body that oversees the development, implementation, and maintenance of the security program and aligns it with the organization's strategic objectives, risk appetite, and culture. An information security strategy committee can help to obtain support for the security program by:
- Communicating the vision, mission, and goals of the security program to the organization and demonstrating its value and benefits.
- Establishing roles and responsibilities for the security program and ensuring accountability and ownership.
- Securing adequate resources and budget for the security program and allocating them appropriately.
- Resolving conflicts and issues that may arise during the security program execution and ensuring alignment with other business processes and initiatives.
- Monitoring and evaluating the performance and effectiveness of the security program and ensuring continuous improvement and adaptation.
Benchmarking against similar industry organizations is a useful technique to compare and improve the security program, but it is not the best way to obtain support for a new organization-wide information security program. Benchmarking involves measuring and analyzing the security program's processes, practices, and outcomes against those of other organizations that have similar characteristics, objectives, or challenges.
Benchmarking can help to identify gaps, strengths, weaknesses, opportunities, and threats in the security program and to adopt best practices and standards that can enhance the security program's performance and maturity. However, benchmarking alone does not guarantee the support or acceptance of the security program by the organization, as it may not reflect the organization's specific needs, risks, or culture.
Delivering an information security awareness campaign is a vital component of the security program, but it is not the best way to obtain support for a new organization-wide information security program. An information security awareness campaign is a set of activities and initiatives that aim to educate and inform the organization's workforce and other relevant parties about the security program's policies, standards, procedures, and guidelines, as well as the security risks, threats, and incidents that may affect the organization.
An information security awareness campaign can help to increase the security knowledge, skills, and behaviors of the organization's members and to foster a security risk-aware culture. However, an information security awareness campaign is not sufficient to obtain support for the security program, as it may not address the strategic, operational, or financial aspects of the security program or the expectations and interests of the different stakeholders.
Publishing an information security RACI chart is a helpful tool to define and communicate the security program's roles and responsibilities, but it is not the best way to obtain support for a new organization-wide information security program. A RACI chart is a matrix that assigns the level of involvement and accountability for each task or activity in the security program to each role or stakeholder. RACI stands for Responsible, Accountable, Consulted, and Informed, which are the four possible levels of participation. A RACI chart can help to clarify the expectations, obligations, and authority of each role or stakeholder in the security program and to avoid duplication, confusion, or conflict. However, a RACI chart does not ensure the support or commitment of the roles or stakeholders for the security program, as it may not address the benefits, challenges, or resources of the security program or the feedback and input of the roles or stakeholders.
References = CISM Review Manual 15th Edition, pages 97-98, 103-104, 107-108, 111-112; Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition - ISACA; Information Security Strategy: The Key to Success - ISACA
Delivering an information security awareness campaign is the BEST approach to obtain support for a new organization-wide information security program. An information security awareness campaign is a great way to raise awareness of the importance of information security and the impact it can have on an organization. It helps to ensure that all stakeholders understand the importance of information security and are aware of the risks associated with it. Additionally, an effective awareness campaign can help to ensure that everyone in the organization is aware of the cybersecurity policies, procedures, and best practices that must be followed.
NEW QUESTION # 198
When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
- A. Test results of controls
- B. Cost of achieving control objectives
- C. Number of controls
- D. Effectiveness of controls
Answer: B
Explanation:
Comparison of cost of achievement of control objectives and corresponding value of assets sought to be protected would provide a sound basis for the information security manager to measure value delivery.
Number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated. Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated. Test results of controls have no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated.
NEW QUESTION # 199
Which of the following BEST enables an information security manager to communicate the capability of security program functions?
- A. Security architecture diagrams
- B. Vulnerability scan results
- C. Security maturity assessments
- D. Key risk indicators (KRIs)
Answer: C
NEW QUESTION # 200
An organization wants to integrate information security into its HR management processes. Which of the following should be the FIRST step?
- A. Provide security awareness training to HR.
- B. Benchmark the processes with best practice to identify gaps.
- C. Assess the business objectives of the processes.
- D. Calculate the return on investment (ROI).
Answer: C
Explanation:
The first step when integrating information security into HR management processes is to assess the business objectives of the processes, which means understanding the purpose, scope, and expected outcomes of the HR functions and activities, and how they relate to the organization's strategy and goals. The assessment will help to identify the information security requirements, risks, and controls that are relevant and applicable to the HR processes, and to align the information security objectives with the business objectives.
References = CISM Review Manual 15th Edition, CISM: Overview of domains [updated 2022]
NEW QUESTION # 201
Which of the following would BEST ensure that security is integrated during application development?
- A. Introducing security requirements during the initiation phase
- B. Providing training on secure development practices to programmers
- C. Performing application security testing during acceptance testing
- D. Employing global security standards during development processes
Answer: A
NEW QUESTION # 202
Security awareness training should be provided to new employees:
- A. on an as-needed basis.
- B. before they have access to data.
- C. during system user training.
- D. along with department staff.
Answer: B
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Security awareness training should occur before access is granted to ensure the new employee understands that security is part of the system and business process. All other choices imply that security awareness training is delivered subsequent to the granting of system access, which may place security as a secondary step.

