
2024 Valid CISM test answers & ISACA Exam PDF
Free ISACA CISM Exam Questions and Answer from Training Expert Fast2test
NEW QUESTION # 171
Which of the following is the MOST effective way for senior management to support the integration of information security governance into corporate governance?
- A. Establish a steering committee with representation from across the organization.
- B. Promote organization-wide information security awareness campaigns.
- C. Appoint a business manager as heard of information security.
- D. Develop the information security strategy based on the enterprise strategy.
Answer: D
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
NEW QUESTION # 172
Which of the following is the BEST method to obtain senior management buy-in for an information security investment?
- A. Providing benchmark results from alternate vendors
- B. Demonstrating the reduction in risk
- C. Communicating the end-of-life support plan from vendor
- D. Including sign-off from key stakeholders
Answer: B
NEW QUESTION # 173
An information security manager has recently been notified of potential security risks associated with a third- party service provider. What should be done NEXT to address this concern?
- A. Conduct a risk analysis
- B. Escalate to the chief risk officer
- C. Conduct a vulnerability analysis
- D. Determine compensating controls
Answer: A
Explanation:
Section: INFORMATION RISK MANAGEMENT
NEW QUESTION # 174
For an organization with a large and complex IT infrastructure, which of the following elements of a disaster recovery hot site service will require the closest monitoring?
- A. Number of subscribers
- B. Employee access
- C. Audit tights
- D. Systems configurations
Answer: D
NEW QUESTION # 175
An organization that has outsourced its incident management capabilities just discovered a significant privacy breach by an unknown attacker. Which of the following is the important action of the information security manager?
- A. Notify the outsourcer of the privacy breach.
- B. Alert the appropriate law enforcement authorities.
- C. Refer to the organization's response plan.
- D. Follow the outsourcer's response plan.
Answer: A
NEW QUESTION # 176
Previously accepted risk should be:
- A. accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
- B. re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
- C. avoided next time since risk avoidance provides the best protection to the company.
- D. removed from the risk log once it is accepted.
Answer: B
Explanation:
Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to change(s) and. hence, risk cannot be accepted permanently. Risk is an inherent part of business and it is impractical and costly to eliminate all risk. Even risks that have been accepted should be monitored for changing conditions that could alter the original decision.
NEW QUESTION # 177
Which of the following roles is MOST appropriate to determine access rights for specific users of an application?
- A. System administrator
- B. Data owner
- C. Data custodian
- D. Senior management
Answer: B
Explanation:
Explanation
The data owner is the most appropriate role to determine access rights for specific users of an application because they have legal rights and complete control over data elements4. They are also responsible for approving data glossaries and definitions, ensuring the accuracy of information, and supervising operations related to data quality5. The data custodian is responsible for the safe custody, transport, and storage of the data and implementation of business rules, but not for determining access rights4. The system administrator is responsible for managing the security and storage infrastructure of data sets according to the organization's data governance policies, but not for determining access rights5. Senior management is responsible for setting the strategic direction and priorities for data governance, but not for determining access rights5. References: 5
https://www.cpomagazine.com/cyber-security/data-owners-vs-data-stewards-vs-data-custodians-the-3-types-of-
4
https://cloudgal42.com/data-privacy-difference-between-data-owner-controller-and-data-custodian-processor/
NEW QUESTION # 178
When performing a risk assessment, the MOST important consideration is that:
- A. assets have been identified and appropriately valued.
- B. management supports risk mitigation efforts.
- C. attack motives, means and opportunities be understood.
- D. annual loss expectations (ALEs) have been calculated for critical assets.
Answer: A
Explanation:
Section: INFORMATION RISK MANAGEMENT
Explanation:
Identification and valuation of assets provides the basis for risk management efforts as it relates to the criticality and sensitivity of assets. Management support is always important, but is not relevant when determining the proportionality of risk management efforts. ALE calculations are only valid if assets have first been identified and appropriately valued. Motives, means and opportunities should already be factored in as a part of a risk assessment.
NEW QUESTION # 179
Which of the following is the MOST important reason to document information security incidents that are reported across the organization?
- A. Evaluate the security posture of the organization.
- B. Identify unmitigated risk.
- C. Support business investments in security
- D. Prevent incident recurrence.
Answer: D
NEW QUESTION # 180
Which of the following roles is BEST able to influence the security culture within an organization?
- A. Chief information officer (CIO)
- B. Chief executive officer (CEO)
- C. Chief operating officer (COO)
- D. Chief information security officer (CISO)
Answer: D
Explanation:
Explanation
The Chief Information Security Officer (CISO) is responsible for leading and coordinating an organization's information security program, and as such, is in a prime position to influence the security culture within the organization. The CISO is responsible for setting policies and standards, educating employees about security risks and best practices, and ensuring that the organization is taking appropriate measures to mitigate security risks. By demonstrating a strong commitment to information security, the CISO can help to create a security-aware culture within the organization.
NEW QUESTION # 181
An organization is considering moving one of its critical business applications to a cloud hosting service.
The cloud provider may not provide the same level of security for this application as the organization. Which of the following will provide the BEST information to help maintain the security posture?
- A. Vulnerability assessment
- B. Risk assessment
- C. Cloud security strategy
- D. Risk governance framework
Answer: B
Explanation:
Section: INFORMATION RISK MANAGEMENT
NEW QUESTION # 182
Which of the following is an advantage of a centralized information security organizational structure?
- A. It provides a faster turnaround for security requests.
- B. It is easier to promote security awareness.
- C. It is more responsive to business unit needs.
- D. It is easier to manage and control.
Answer: D
Explanation:
Explanation
It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.
NEW QUESTION # 183
What should be an organization'e. MAIN concern when evaluating an Infrastructure as a Service (laaS) cloud computing model for an e-commerce application?
- A. Application ownership
- B. Internal audit requirements
- C. Where the application resides
- D. Availability of providers services
Answer: D
NEW QUESTION # 184
Which of the following would be important to include in a bring your own device (BYOD) policy with regard to lost or stolen devices? The need for employees to:
- A. seek advice from the mobile service provider.
- B. initiate the company's incident reporting process.
- C. notify local law enforcement.
- D. request a remote wipe of the device.
Answer: D
NEW QUESTION # 185
Which of the following is the PRIMARY purpose of establishing an information security governance framework?
- A. To proactively address security objectives
- B. To reduce security audit issues
- C. To minimize security risks
- D. To enhance business continuity planning
Answer: C
NEW QUESTION # 186
......
ISACA CISM certification is a highly respected certification for information security professionals. Certified Information Security Manager certification is designed for individuals who are responsible for managing, designing, and overseeing the information security programs of their organizations. Certified Information Security Manager certification is recognized worldwide and demonstrates the individual’s commitment to maintaining their knowledge and skills in the field of information security.
Top ISACA CISM Courses Online: https://www.fast2test.com/CISM-premium-file.html
CISM Practice Dumps - Verified By Fast2test Updated 672 Questions: https://drive.google.com/open?id=1vppzEE2qSMKAeo2ytw6VovNy2GAL2SJw