Updated Feb 15, 2023 CISM Exam Dumps - PDF Questions and Testing Engine [Q180-Q202]

4.5/5 - (4 votes)

Updated Feb 15, 2023 CISM Exam Dumps – PDF Questions and Testing Engine

New (2023) ISACA CISM Exam Dumps

NO.180 An internal audit has found that critical patches were not implemented within the timeline established by policy without a valid reason. Which of the following is the BEST course of action to address the audit findings?

Evaluate patch management training.

Monitor and notify IT staff of critical patches

Perform regular audits on the implementation of critical patches.

Assess the patch management process

NO.181 Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

The information security department has difficulty filling vacancies.

The chief information officer (CIO) approves security policy changes.

The information security oversight committee only meets quarterly.

The data center manager has final signoff on all security projects.

NO.182 An organization has acquired a company in a foreign country to gain an advantage in a new market Which of the following is the FIRST step the information security manager should take?

Apply the existing information security program to the acquired company

Evaluate the information security laws that apply to the acquired company

Merge the two existing information security programs

Determine which country’s information security regulations will be used

NO.183 After an information security business case has been approved by senior management, it should be:

used to design functional requirements for the solution.

used as the foundation for a risk assessment.

referenced to build architectural blueprints for the solution.

reviewed at key intervals to ensure intended outcomes.

NO.184 Which of the following is the MOST likely to change an organization’s culture to one that is more security conscious?

Adequate security policies and procedures

Periodic compliance reviews

Security steering committees

Security awareness campaigns

NO.185 When designing an information security quarterly report to management, the MOST important element to be considered should be the:

information security metrics.

knowledge required to analyze each issue.

linkage to business area objectives.

baseline against which metrics are evaluated.

NO.186 What is the MOST important item to be included in an information security policy?

The definition of roles and responsibilities

The scope of the security program

The key objectives of the security program

Reference to procedures and standards of the security program

NO.187 The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:

periodically testing the incident response plans.

regularly testing the intrusion detection system (IDS).

establishing mandatory training of all personnel.

periodically reviewing incident response procedures.

NO.188 What should be an information security manager’s FIRST course of action when an organization is subject to a new regulatory requirement?

Submit a business case to support compliance.

Perform a gap analysis,

Complete a control assessment.

Update the risk register.

NO.189 The FIRST step in developing an information security management program is to:

identify business risks that affect the organization.

clarify organizational purpose for creating the program.

assign responsibility for the program.

assess adequacy of controls to mitigate business risks.

NO.190 Which of the following would BEST address the risk of data leakage?

File backup procedures

Database integrity checks

Acceptable use policies

Incident response procedures

NO.191 A risk assessment should be conducted:

once a year for each business process and subprocess.

every three to six months for critical business processes.

by external parties to maintain objectivity.

annually or whenever there is a significant change.

NO.192 Authorization can BEST be accomplished by establishing:

whether users are who they say they are

who users can do when they are granted system access.

how users identify themselves to information systems.

the ownership of the data

NO.193 Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

Include security responsibilities in the job description

Require the administrator to obtain security certification

Train the system administrator on penetration testing and vulnerability assessment

Train the system administrator on risk assessment

NO.194 An organization utilizes a third party to classify its customers’ personally identifiable information (PII). What is the BEST way to hold the third party accountable for data leaks?

Include detailed documentation requirements within the formal statement of work.

Submit a formal request for proposal (RFP) containing detailed documentation of requirements.

Ensure a nondisclosure agreement is signed by both parties’ senior management.

Require the service provider to sign off on the organization’s acceptable use policy.

NO.195 Information classification is a fundamental step in determining:

whether risk analysis objectives are met.

who has ownership of information.

the type of metrics that should be captured.

the security strategy that should be used.

NO.196 When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?

Business continuity coordinator

Information security manager

Business process owners

Industry averages benchmarks

NO.197 Which of the following is the BEST way to improve the timely reporting of information security incidents?

Perform periodic simulations with the incident response team.

Regularly reassess and update the incident response plan.

Integrate an intrusion detection system (IDS) in the DMZ

Incorporate security procedures in help desk processes

NO.198 After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:

increase its customer awareness efforts in those regions.

implement monitoring techniques to detect and react to potential fraud.

outsource credit card processing to a third party.

make the customer liable for losses if they fail to follow the bank’s advice.

NO.199 Following a significant change to the underlying code of an application, it is MOST important for the information security manager to:

inform senior management

update the risk assessment

validate the user acceptance testing

modify key risk indicators

NO.200 An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.

establish baseline standards for all locations and add supplemental standards as required.

bring all locations into conformity with a generally accepted set of industry best practices.

establish a baseline standard incorporating those requirements that all jurisdictions have in common.

NO.201 Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

baseline.

strategy.

procedure.

policy.

NO.202 To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to.

create a separate account for the programmer as a power user.

log all of the programmers’ activity for review by supervisor.

have the programmer sign a letter accepting full responsibility.

perform regular audits of the application.

3. Information Security Program Development and Management – 27%

The next area that you should learn will evaluate your knowledge base whether it contains the following or not:

Knowledge and ability to implement the proper effectiveness and procedures of information security along with its policies;
Knowledge of the certifications, training, and skills required for information security;
Knowledge and skills in managing, identifying, and defining the necessary requirements for internal and external resources;
Knowledge and skills in implementing the rules into contracts, agreements, and third-party management processes;
Knowledge of the techniques to communicate this program to the stakeholders.

Updated Verified Pass CISM Exam – Real Questions and Answers: https://www.actualtests4sure.com/CISM-test-questions.html