
[Q358-Q373] CISM Free Update With 100% Exam Passing Guarantee [2021]


[Oct-2021] Verified ISACA Exam Dumps with CISM Exam Study Guide

NEW QUESTION 358
The PRIMARY reason for using metrics to evaluate information security is to:

  • A. justify budgetary expenditures.
  • B. enable steady improvement.
  • C. identify security weaknesses.
  • D. raise awareness on security issues.

Answer: B

Explanation:
The purpose of a metric is to facilitate and track continuous improvement. It will not permit the identification of all security weaknesses. It will raise awareness and help in justifying certain expenditures, but this is not its main purpose.

 

NEW QUESTION 359
Which of the following is the MOST effective way to protect the authenticity of data in transit?

  • A. Digital signature
  • B. Hash value
  • C. Public key
  • D. Private key

Answer: B

 

NEW QUESTION 360
A business impact analysis should be periodically executed to:

  • A. analyze the importance of assets.
  • B. validate vulnerabilities on environmental changes.
  • C. check compliance with regulations.
  • D. verify the effectiveness of controls.

Answer: B

 

NEW QUESTION 361
Who within an organization is accountable for ensuring incident notification and escalation processes are in place?

  • A. Senior management
  • B. Security operations center management
  • C. Data owner
  • D. Information security manager

Answer: A

 

NEW QUESTION 362
Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23.00 hrs.)?

  • A. The update's success or failure is not known until Monday
  • B. Technical personnel are not available to support the operation
  • C. Systems are vulnerable to new viruses during the intervening week
  • D. Most new viruses' signatures are identified over weekends

Answer: C

Explanation:
Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential. All other issues are secondary to this very serious exposure.

 

NEW QUESTION 363
A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?

  • A. Firewall logs
  • B. Invalid logon attempts
  • C. Write access violations
  • D. Concurrent logons

Answer: B

Section: INCIDENT MANAGEMENT AND RESPONSE
Explanation:
Since the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity. Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity since concurrent usage is common in this situation. Write access violations would not necessarily be observed since the information was merely copied and not altered. Firewall logs would not necessarily contain information regarding logon attempts.

 

NEW QUESTION 364
Secure customer use of an e-commerce application can BEST be accomplished through:

  • A. strong passwords.
  • B. two-factor authentication.
  • C. digital signatures.
  • D. data encryption.

Answer: D

Explanation:
Encryption would be the preferred method of ensuring confidentiality in customer communications with an e-commerce application. Strong passwords, by themselves, would not be sufficient since the data could still be intercepted, while two-factor authentication would be impractical. Digital signatures would not provide a secure means of communication. In most business-to-customer (B-to-C) web applications, a digital signature is also not a practical solution.

 

NEW QUESTION 365
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?

  • A. Create a strong random password
  • B. Track usage of the account by audit trails
  • C. Prevent the system from being accessed remotely
  • D. Ask for a vendor patch

Answer: A

Section: INFORMATION RISK MANAGEMENT
Explanation:
Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risks. Vendor patches are not always available; tracking usage is a detective control and will not prevent an attack.

 

NEW QUESTION 366
Which of the following vulnerabilities presents the GREATEST risk of external hackers gaining access to the corporate network?

  • A. Excessive administrative rights to an internal database
  • B. Missing patches on a workstation
  • C. Internal hosts running unnecessary services
  • D. Inadequate logging

Answer: A

 

NEW QUESTION 367
The MOST important component of a privacy policy is:

  • A. warranties.
  • B. geographic coverage.
  • C. notifications.
  • D. liabilities.

Answer: C

Explanation:
Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

 

NEW QUESTION 368
Ensuring that an organization can conduct security reviews within third-party facilities is PRIMARILY enabled by:

  • A. audit guidelines
  • B. service level agreements (SLAs)
  • C. contractual agreements
  • D. acceptance of the organization's security policies

Answer: B

Section: INFORMATION SECURITY PROGRAM MANAGEMENT

 

NEW QUESTION 369
Which of the following is MOST important to understand when developing a meaningful information security strategy?

  • A. International security standards
  • B. Organizational goals
  • C. Regulatory environment
  • D. Organizational risks

Answer: B

Explanation:
Alignment of security with business objectives requires an understanding of what an organization is trying to accomplish. The other choices are all elements that must be considered, but their importance is secondary and will vary depending on organizational goals.

 

NEW QUESTION 370
Which of the following is MOST important to include in a post-incident review following a data breach?

  • A. A review of the forensics chain of custody
  • B. Evaluations of the adequacy of existing controls
  • C. An evaluation of the effectiveness of the information security strategy
  • D. Documentation of regulatory reporting requirements

Answer: B

 

NEW QUESTION 371
The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:

  • A. disconnect the mail server from the network.
  • B. change the root password of the system.
  • C. implement multifactor authentication.
  • D. rebuild the system from the original installation medium.

Answer: D

Explanation:
Rebuilding the system from the original installation medium is the only way to ensure all security vulnerabilities and potential stealth malicious programs have been destroyed. Changing the root password of the system does not ensure the integrity of the mail server. Implementing multifactor authentication is an after-the-fact measure and does not clear existing security threats. Disconnecting the mail server from the network is an initial step, but does not guarantee security.

 

NEW QUESTION 372
The likelihood of a successful attack is a function of:

  • A. value and desirability to the intruder
  • B. threat and vulnerability levels
  • C. incentive and capability of the intruder
  • D. opportunity and asset value

Answer: C

Section: INFORMATION RISK MANAGEMENT

 

NEW QUESTION 373
......
