Free ISACA CISM Exam Questions & Answer from Training Expert TrainingQuiz [Q322-Q339]

Share

Free ISACA CISM Exam Questions and Answer from Training Expert TrainingQuiz

Top ISACA CISM Courses Online

NEW QUESTION # 322
Measuring which of the following is the MOST accurate way to determine the alignment of an information security strategy with organizational goals?

  • A. Percentage of controls integrated into business processes
  • B. Number of business cases reviewed by senior management
  • C. Number of blocked intrusion attempts
  • D. Trends in the number of identified threats to the business

Answer: A

Explanation:
Measuring the percentage of controls integrated into business processes is the most accurate way to determine the alignment of an information security strategy with organizational goals, as this reflects the extent to which the information security program supports and enables the business objectives and activities, and reduces the friction and resistance from the business stakeholders. The percentage of controls integrated into business processes also indicates the maturity and effectiveness of the information security program, and the level of awareness and acceptance of the information security policies and standards among the business users. Number of blocked intrusion attempts, number of business cases reviewed by senior management, and trends in the number of identified threats to the business are not the most accurate ways to determine the alignment of an information security strategy with organizational goals, as they do not measure the impact and value of the information security program on the business performance and outcomes, and may not reflect the business priorities and expectations. Reference = CISM Review Manual 2023, page 291; CISM Review Questions, Answers & Explanations Manual 2023, page 372; ISACA CISM - iSecPrep, page 223; CISM Exam Overview - Vinsys4


NEW QUESTION # 323
Which of the following is MOST important for building 4 robust information security culture within an organization?

  • A. Mature information security awareness training across the organization
  • B. Strict enforcement of employee compliance with organizational security policies
  • C. Security controls embedded within the development and operation of the IT environment
  • D. Senior management approval of information security policies

Answer: A

Explanation:
= Mature information security awareness training across the organization is the most important factor for building a robust information security culture, because it helps to educate and motivate the employees to understand and adopt the security policies, procedures, and best practices that are aligned with the organizational goals and values. Information security awareness training should be tailored to the specific roles, responsibilities, and needs of the employees, and should cover the relevant topics, such as:
The importance and value of information assets and the potential risks and threats to them The legal, regulatory, and contractual obligations and compliance requirements related to information security The organizational security policies, standards, and guidelines that define the expected and acceptable behaviors and actions regarding information security The security controls and tools that are implemented to protect the information assets and how to use them effectively and efficiently The security incidents and breaches that may occur and how to prevent, detect, report, and respond to them The security best practices and tips that can help to enhance the security posture and culture of the organization Information security awareness training should be delivered through various methods and channels, such as:
Online courses, webinars, videos, podcasts, and quizzes that are accessible and interactive Classroom sessions, workshops, seminars, and simulations that are engaging and practical Posters, flyers, newsletters, emails, and social media that are informative and catchy Games, competitions, rewards, and recognition that are fun and incentivizing Information security awareness training should be conducted regularly and updated frequently, to ensure that the employees are aware of the latest security trends, challenges, and solutions, and that they can demonstrate their knowledge and skills in a consistent and effective manner.
Mature information security awareness training can help to create a positive and proactive security culture that fosters trust, collaboration, and innovation among the employees and the organization, and that supports the achievement of the strategic objectives and the mission and vision of the organization.
Reference = CISM Review Manual, 16th Edition, ISACA, 2021, pages 144-146, 149-150.


NEW QUESTION # 324
Which of the following would BEST mitigate accidental data loss events?

  • A. Enforce a data hard drive encryption policy.
  • B. Obtain senior management support for the information security strategy.
  • C. Conduct periodic user awareness training.
  • D. Conduct a data loss prevention (DLP) audit.

Answer: C

Explanation:
Explanation
Conducting periodic user awareness training is the best way to mitigate accidental data loss events because it can educate the users on the causes, consequences, and prevention of data loss, and increase their awareness of the security policies and procedures of the organization. User awareness training can also help users to identify and report potential data loss incidents, and to adopt good practices such as backing up data, encrypting data, and using secure channels for data transmission and storage.
References: The article Mistakes Happen-Mitigating Unintentional Data Loss from the ISACA Journal 2018 states that "user awareness training is the most effective way to prevent unintentional data loss" and that "user awareness training should include information on the types and sources of data loss, the impact and cost of data loss, the legal and regulatory requirements for data protection, the organization's data security policies and procedures, the roles and responsibilities of users in data security, the best practices and tools for data security, and the reporting and escalation process for data loss incidents" (p. 2)1. The Data Spill Management Guide from the Cyber.gov.au website also states that "user awareness training is an important preventative measure to reduce the likelihood of data spills" and that "user awareness training should cover topics such as data classification, data handling, data storage, data transmission, data disposal, and data spill reporting" (p. 2)


NEW QUESTION # 325
Which of the following is the PRIMARY reason to perform regular reviews of the cybersecurity threat landscape?

  • A. To communicate worst-case scenarios to senior management
  • B. To train information security professionals to mitigate new threats
  • C. To determine opportunities for expanding organizational information security
  • D. To compare emerging trends with the existing organizational security posture

Answer: D

Explanation:
The primary reason to perform regular reviews of the cybersecurity threat landscape is to compare emerging trends with the existing organizational security posture, as this helps the information security manager to identify and prioritize the gaps and risks that need to be addressed. The cybersecurity threat landscape is dynamic and constantly evolving, and the organization's security posture may not be adequate or aligned with the current and future threats. By reviewing the threat landscape regularly, the information security manager can assess the effectiveness and maturity of the security program, and recommend appropriate actions and controls to improve the security posture and reduce the likelihood and impact of cyberattacks. References = CISM Review Manual 2023, page 831; CISM Review Questions, Answers & Explanations Manual 2023, page 322; ISACA CISM - iSecPrep, page 173


NEW QUESTION # 326
Which of the following is the GREATEST benefit of information asset classification?

  • A. Providing a basis for implementing a need-to-know policy
  • B. Helping to determine the recovery point objective (RPO)
  • C. Supporting segregation of duties
  • D. Defining resource ownership

Answer: A

Explanation:
The greatest benefit of information asset classification is providing a basis for imple-menting a need-to-know policy. Information asset classification is a process of catego-rizing information based on its level of sensitivity and importance, and applying appro-priate security controls based on the level of risk associated with that information1. A need-to-know policy is a principle that states that access to information should be granted only to those individuals who require it to perform their official duties or tasks2. The purpose of a need-to-know policy is to limit the exposure of sensitive information to unauthorized or unnecessary parties, and to reduce the risk of data breaches, leaks, or misuse. Information asset classification provides a basis for implementing a need-to-know policy by:
* Defining the value and protection requirements of different types of information
* Labeling the information with the appropriate classification level, such as public, internal, confidential, secret, or top secret
* Establishing the roles and responsibilities of information owners, custodians, and users
* Enforcing access controls and encryption for the information
* Documenting the security policies and procedures for the information By providing a basis for implementing a need-to-know policy, information asset classi-fication can help organizations to protect their sensitive information, comply with rele-vant laws and regulations, and achieve their business objectives. The other options are not the greatest benefits of information asset classification. Helping to determine the recovery point objective (RPO) is not a benefit, but rather a consequence of applying security controls based on the classification level. RPO is the acceptable amount of data loss in case of a disruption3. Supporting segregation of duties is not a benefit, but rather a prerequisite for implementing a need-to-know policy. Segregation of duties is a principle that states that no single individual should have control over two or more phases of a business process or transaction that are susceptible to errors or fraud4. De-fining resource ownership is not a benefit, but rather a component of information asset classification. Resource ownership is the assignment of accountability and authority for an information asset to an individual or a group5. Reference: 1: Information Classifi-cation - Advisera 2: Need-to-Know Principle - NIST 3: Recovery Point Objective - NIST 4: Segregation of Duties - NIST 5: Resource Ownership - NIST : Information Classification in Information Security - GeeksforGeeks : Information Asset Classification Policy - UCI


NEW QUESTION # 327
What does a network vulnerability assessment intend to identify?

  • A. Security design flaws
  • B. Misconfiguration and missing updates
  • C. Malicious software and spyware
  • D. 0-day vulnerabilities

Answer: B

Explanation:
Explanation/Reference:
Explanation:
A network vulnerability assessment intends to identify known vulnerabilities based on common misconfigurations and missing updates. 0-day vulnerabilities by definition are not previously known and therefore are undetectable. Malicious software and spyware are normally addressed through antivirus and antispyware policies. Security design flaws require a deeper level of analysis.


NEW QUESTION # 328
In a business impact analysis, the value of an information system should be based on the overall cost:

  • A. of recovery.
  • B. to recreate.
  • C. of emergency operations.
  • D. if unavailable.

Answer: D

Explanation:
Explanation
The value of an information system should be based on the cost incurred if the system were to become unavailable. The cost to design or recreate the system is not as relevant since a business impact analysis measures the impact that would occur if an information system were to become unavailable. Similarly, the cost of emergency operations is not as relevant.


NEW QUESTION # 329
Which is the BEST method to evaluate the effectiveness of an alternate processing site when continuous uptime is required?

  • A. Full interruption test
  • B. Simulation test
  • C. Tabletop test
  • D. Parallel test

Answer: D

Explanation:
Explanation
A parallel test is the best method to evaluate the effectiveness of an alternate processing site when continuous uptime is required. A parallel test involves processing the same transactions or data at both the primary and the alternate site simultaneously, and comparing the results for accuracy and consistency. A parallel test can validate the functionality, performance, and reliability of the alternate site without disrupting the normal operations at the primary site. A parallel test can also identify and resolve any issues or discrepancies between the two sites before a real disaster occurs. A parallel test can provide a high level of assurance and confidence that the alternate site can support the organization's continuity requirements.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development and Management, Section: Business Continuity Plan (BCP) Testing, page 1861; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 56, page 522.
A parallel test is the best method to evaluate the effectiveness of an alternate processing site when continuous uptime is required because it involves processing data at both the primary and alternate sites simultaneously without disrupting the normal operations1. A full interruption test would cause downtime and potential loss of data or revenue2. A simulation test would not provide a realistic assessment of the alternate site's capabilities3. A tabletop test would only involve a discussion of the procedures and scenarios without actually testing the site4.
1: CISM Exam Content Outline | CISM Certification | ISACA 2: CISM - ISACA Certified Information Security Manager Exam Prep - NICCS 3: Prepare for the ISACA Certified Information Security Manager Exam: CISM ... 4: CISM: Certified Information Systems Manager | Official ISACA ... - NICCS


NEW QUESTION # 330
Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

  • A. To define security roles and responsibilities
  • B. To establish incident severity levels
  • C. To determine return on investment (ROI)
  • D. To determine the criticality of information assets

Answer: D

Explanation:
A business impact analysis (BIA) is a process that identifies and evaluates the potential effects of disruptions to critical business operations as a result of a disaster, accident or emergency. The primary purpose of a BIA is to determine the criticality of information assets and the impact of their unavailability on the organization's mission, objectives and reputation. (From CISM Review Manual 15th Edition)


NEW QUESTION # 331
Which of the following parties should be responsible for determining access levels to an application that processes client information?

  • A. Business unit management
  • B. The identity and access management team
  • C. The information security tear
  • D. The business client

Answer: A

Explanation:
Explanation
The business client should be responsible for determining access levels to an application that processes client information, because the business client is the owner of the data and the primary stakeholder of the application. The business client has the best knowledge and understanding of the business requirements, objectives, and expectations of the application, and the sensitivity, value, and criticality of the data. The business client can also define the roles and responsibilities of the users and the access rights and privileges of the users based on the principle of least privilege and the principle of separation of duties. The business client can also monitor and review the access levels and the usage of the application, and ensure that the access levels are aligned with the organization's information security policies and standards.
The information security team, the identity and access management team, and the business unit management are all involved in the process of determining access levels to an application that processes client information, but they are not the primary responsible party. The information security team provides guidance, support, and oversight to the business client on the information security best practices, controls, and standards for the application, and ensures that the access levels are consistent with the organization's information security strategy and governance. The identity and access management team implements, maintains, and audits the access levels and the access control mechanisms for the application, and ensures that the access levels are compliant with the organization's identity and access management policies and procedures. The business unit management approves, authorizes, and sponsors the access levels and the access requests for the application, and ensures that the access levels are aligned with the business unit's goals and strategies. References = ISACA, CISM Review Manual, 16th Edition, 2020, pages 125-126, 129-130, 133-134, 137-138.
ISACA, CISM Review Questions, Answers & Explanations Database, 12th Edition, 2020, question ID
1037.


NEW QUESTION # 332
Data owners are normally responsible for which of the following?

  • A. Administering security over database records
  • B. Applying emergency changes to application data
  • C. Migrating application code changes to production
  • D. Determining the level of application security required

Answer: D

Explanation:
Explanation
Data owners approve access to data and determine the degree of protection that should be applied (data classification). Administering database security, making emergency changes to data and migrating code to production are infrastructure tasks performed by custodians of the data.


NEW QUESTION # 333
Which of the following is MOST appropriate to communicate to senior management regarding information risk?

  • A. Emerging security technologies
  • B. Defined risk appetite
  • C. Vulnerability scanning progress
  • D. Risk profile changes

Answer: D

Explanation:
Risk profile changes are the most appropriate to communicate to senior management regarding information risk because they reflect the current level and nature of the risks that the organization faces and how they may affect its objectives and performance. Senior management needs to be aware of any changes in the risk profile so that they can make informed decisions and allocate resources accordingly. Risk profile changes also help senior management monitor the effectiveness of the risk management process and identify any gaps or weaknesses that need to be addressed.
Reference = Communicating Information Security Risk Simply and Effectively, Part 1, CISM Domain 2: Information Risk Management (IRM) [2022 update]


NEW QUESTION # 334
Which of the following provides the MOST useful information for identifying security control gaps on an application server?

  • A. Internal audit reports
  • B. Threat models
  • C. Risk assessments
  • D. Penetration testing

Answer: D

Explanation:
Penetration testing is the most useful method for identifying security control gaps on an application server because it simulates real-world attacks and exploits the vulnerabilities and weaknesses of the application server. Penetration testing can reveal the actual impact and risk of the security control gaps, and provide recommendations for remediation and improvement.
References: The CISM Review Manual 2023 defines penetration testing as "a method of evaluating the security of an information system or network by simulating an attack from a malicious source" and states that
"penetration testing can help identify security control gaps and provide evidence of the potential impact and risk of the gaps" (p. 185). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this answer: "Penetration testing is the correct answer because it is the most useful method for identifying security control gaps on an application server, as it simulates real-world attacks and exploits the vulnerabilities and weaknesses of the application server, and provides recommendations for remediation and improvement" (p. 95). Additionally, the web search result 4 states that "penetration testing is a valuable tool for discovering security gaps in your application server and network infrastructure" and that
"penetration testing can help you assess the effectiveness and efficiency of your security controls, and identify the areas that need improvement or enhancement" (p. 1).


NEW QUESTION # 335
When developing security standards, which of the following would be MOST appropriate to include?

  • A. Operating system requirements
  • B. Inventory management
  • C. Accountability for licenses
  • D. Acceptable use of IT assets

Answer: D

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT


NEW QUESTION # 336
A senior executive asks the information security manager to bypass the organization's Internet traffic filters due to a business need.
Which of the following should be the information security manager's NEXT course of action?

  • A. Notify the IT network manager and make an approval decision jointly.
  • B. Accept the request immediately based on the business criticality.
  • C. Deny the request as noncompliant with policy
  • D. Document the risk and mark for future review.

Answer: D


NEW QUESTION # 337
What is the PRIMARY objective of implementing standard security configurations?

  • A. Control vulnerabilities and reduce threats from changed configurations.
  • B. Maintain a flexible approach to mitigate potential risk to unsupported systems.
  • C. Compare configurations between supported and unsupported systems.
  • D. Minimize the operational burden of managing and monitoring unsupported systems.

Answer: A

Explanation:
The primary objective of implementing standard security configurations is to control vulnerabilities and reduce threats from changed configurations. Standard security configurations are the baseline settings and parameters that define the desired security level and functionality of information systems and devices. By implementing standard security configurations, the organization can ensure that the information systems and devices are configured in a consistent and secure manner, and that any deviations or changes from the standard are detected and corrected. This can help to prevent or mitigate potential security incidents caused by misconfigurations, unauthorized modifications, or malicious attacks.
References: The CISM Review Manual 2023 states that "the information security manager is responsible for ensuring that the security configuration of information systems is in compliance with the security policies and standards of the organization" and that "the information security manager should establish and implement standard security configurations for information systems and devices, and monitor and review the security configuration on a regular basis and take corrective actions when deviations or violations are detected" (p.
138). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this answer: "Control vulnerabilities and reduce threats from changed configurations is the correct answer because it is the primary objective of implementing standard security configurations, as it helps to maintain the security posture and functionality of information systems and devices, and to prevent or mitigate potential security incidents caused by misconfigurations, unauthorized modifications, or malicious attacks" (p. 63). Additionally, the article Standard Security Configurations from the ISACA Journal 2017 states that "standard security configurations are the baseline settings and parameters that define the desired security level and functionality of information systems and devices" and that "standard security configurations can help to control vulnerabilities and reduce threats from changed configurations by ensuring that the information systems and devices are configured in a consistent and secure manner, and that any deviations or changes from the standard are detected and corrected" (p. 1)


NEW QUESTION # 338
Which of the following is a viable containment strategy for a distributed denial of service (DDoS) attack?

  • A. Block IP addresses used by the attacker
  • B. Redirect the attacker's traffic
  • C. Disable firewall ports exploited by the attacker.
  • D. Power off affected servers

Answer: B

Explanation:
Explanation
Redirecting the attacker's traffic is a viable containment strategy for a distributed denial of service (DDoS) attack because it helps to divert the malicious traffic away from the target server and reduce the impact of the attack. A DDoS attack is an attempt by attackers to overwhelm a server or a network with a large volume of requests or packets, preventing legitimate users from accessing the service or resource. Redirecting the attacker's traffic is a technique that involves changing the DNS settings or routing tables to send the attacker's traffic to another destination, such as a sinkhole, a honeypot, or a scrubbing center. A sinkhole is a server that absorbs and discards the malicious traffic. A honeypot is a decoy server that mimics the target server and collects information about the attacker's behavior and techniques. A scrubbing center is a service that filters out the malicious traffic and forwards only the legitimate traffic to the target server. Redirecting the attacker's traffic helps to contain the DDoS attack by reducing the load on the target server and preserving its availability and performance. Therefore, redirecting the attacker's traffic is the correct answer.
References:
* https://www.fortinet.com/resources/cyberglossary/implement-ddos-mitigation-strategy
* https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-response-strategy
* https://www.cloudflare.com/learning/ddos/glossary/sinkholing/.


NEW QUESTION # 339
......


The CISM certification is highly respected in the information security industry and is recognized globally. It is an excellent way for professionals to demonstrate their knowledge and expertise in the field and to advance their careers. Certified Information Security Manager certification provides a competitive advantage for professionals seeking employment or promotion in the field of information security management, and it can lead to increased earning potential and job opportunities.

 

New (2025) ISACA CISM Exam Dumps: https://actualtests.trainingquiz.com/CISM-training-materials.html