2023 Valid CISM FREE EXAM DUMPS QUESTIONS & ANSWERS [Q70-Q85]

2023 Valid CISM FREE EXAM DUMPS QUESTIONS & ANSWERS

Free CISM Exam Braindumps ISACA  Pratice Exam

Certification Path

The Certified Information Security Manager CISM certification includes only one CISM exams.

To be able to pass the CISM exam with a high result, you have to learn all the required skills. The domains that are covered in this test are the following:

• Information Security Program Development & Management (27%)

  Here, you need to know the methods to align the IS program requirements with those of other business functions, establish effective IS awareness and training programs, as well as design and implement operational IS metrics. As for your practical skills, it is required to know how to establish and maintain the IS program in the alignment with the IS strategy, integrate the IS requirements into the organizational processes, and compile your reports to the key stakeholders.

• Information Security Governance (24%)

  For this area, you need to know the techniques that are used to develop the IS strategies, methods to plan and implement the IS governance framework, as well as considerations for communicating with the stakeholders and senior leadership. Besides that, you need to have the skills in integrating IS governance into corporate governance to ensure that all the organizational objectives and goals are supported by the IS program. The potential candidates need to be ready to define and communicate IS responsibilities throughout the organization as well.

• Information Security Incident Management (19%)

  In this last topic, it is important to have the relevant knowledge of the external and internal incident reporting procedures and requirements, components of an incident response plan, as well as notification and escalation processes. While answering the questions from this domain, you will be tested on whether you are able to establish integration among an incident response plan, disaster recovery plan, and business continuity plan or not. Additionally, you need to have the skills in organizing, training, and equipping the incident response teams to respond to IS incidents in an effective and timely manner.

• Information Risk Management (30%)

  This section will evaluate your knowledge of gap analysis techniques related to IS, risk reporting requirements, and information asset valuation methodologies. You should also know about the methods that can be used to monitor internal and external risk factors. Your skills in identifying regulatory, organizational, legal, and other applicable requirements to manage the risk of noncompliance to acceptable levels as well as monitoring for external and internal factors will be measured.

Q70. The selection of security controls is PRIMARILY linked to:

 best practices of similar organizations

 risk appetite of the organization

 regulatory requirements

 business impact assessment

Section: INFORMATION SECURITY PROGRAM MANAGEMENT

Q71. Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

 baseline.

 strategy.

 procedure.

 policy.

Explanation/Reference:
Explanation:
A policy is a high-level statement of an organization’s beliefs, goals, roles and objectives. Baselines assume a minimum security level throughout an organization. The information security strategy aligns the information security program with business objectives rather than making control statements. A procedure is a step-by-step process of how policy and standards will be implemented.

Q72. The PRIMARY goal of a corporate risk management program is to ensure that an organization’s:

 IT assets in key business functions are protected.

 business risks are addressed by preventive controls.

 stated objectives are achievable.

 IT facilities and systems are always available.

Section: INFORMATION RISK MANAGEMENT
Explanation:
Risk management’s primary goal is to ensure an organization maintains the ability to achieve its objectives.
Protecting IT assets is one possible goal as well as ensuring infrastructure and systems availability.
However, these should be put in the perspective of achieving an organization’s objectives. Preventive controls are not always possible or necessary; risk management will address issues with an appropriate mix of preventive and corrective controls.

Q73. Which of the following is the BEST method to defend against social engineering attacks?

 Periodically perform antivirus scans to identify malware.

 Communicate guidelines to limit information posted to public sites.

 Employ the use of a web-content filtering solution.

 Monitor for unauthorized access attempts and failed logins.

Q74. Which of the following is the FIRST task when determining an organization’s information security profile?

 Build an asset inventory

 List administrative privileges

 Establish security standards

 Complete a threat assessment

Q75. When preparing a disaster recovery plan, which of the following would BEST help in prioritizing the restoration of business systems?

 Recovery time objective (RTO)

 Annual loss expectancy (ALE)

 Service level agreement (SLA)

 System utilization requirements

Q76. Attacks using multiple methods to spread should be classified:

 each time the exposure is experienced

 depending on the method used to spread

 at the highest potential level of business impact

 using multiple classifications for each impact

Q77. The PRIMARY reason for using metrics to evaluate information security is to:

 identify security weaknesses.

 justify budgetary expenditures.

 enable steady improvement.

 raise awareness on security issues.

Explanation/Reference:
Explanation:
The purpose of a metric is to facilitate and track continuous improvement. It will not permit the identification of all security weaknesses. It will raise awareness and help in justifying certain expenditures, but this is not its main purpose.

Q78. Which of the following should provide the PRIMARY justification to approve the implementation of a disaster recovery (DR) site on the recommendation of an external audit report?

 Recovery time objectives (RTOs)

 Regulatory requirements

 Cost-benefit analysis

 Security controls at the DR site

Q79. Which of the following is the MOST effective way to identify changes in an information security environment?

 Continuous monitoring

 Security baselining

 Annual risk assessments

 Business impact analysis

Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation/Reference:

Q80. How would an information security manager balance the potentially conflicting requirements of an international organization’s security standards and local regulation?

 Give organization standards preference over local regulations

 Follow local regulations only

 Make the organization aware of those standards where local regulations causes conflicts

 Negotiate a local version of the organization standards

Explanation
Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since there needs to be some recognition of organization requirements. Making an organization aware of standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation.

Q81. An organization plans to leverage popular social network platforms to promote its products and services. Which of the following is the BEST course of action for the information security manager to support this initiative?

 Conduct vulnerability assessments on social network platforms

 Develop security controls for the use of social networks

 Assess the security risk associated with the use of social networks

 Establish processes to publish content on social networks

Q82. Which of the following defines the minimum security requirements that a specific system must meet?

 Security baseline

 Security procedure

 Security policy

 Security guideline

Q83. Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

 More uniformity in quality of service

 Better adherence to policies

 Better alignment to business unit needs

 More savings in total operating costs

Section: INFORMATION SECURITY GOVERNANCE
Explanation:
Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.

Q84. Which program element should be implemented FIRST in asset classification and control?

 Risk assessment

 Classification

 Valuation

 Risk mitigation

Explanation/Reference:
Explanation:
Valuation is performed first to identify and understand the assets needing protection. Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation.
Classification and risk mitigation are steps following valuation.

Q85. An awareness program is implemented to mitigate the risk of infections introduced through the use of social media. Which of the following will BEST determine the effectiveness of the awareness program?

 A post-awareness program survey

 A quiz based on the awareness program materials

 A simulated social engineering attack

 Employee attendance rate at the awareness program

Section: INFORMATION RISK MANAGEMENT

 Loading …

The CISM certification is widely recognized as a benchmark for excellence in the information security management profession. The certification demonstrates that an individual has the knowledge and skills to develop and manage effective information security programs, and that they are committed to maintaining the highest standards of professionalism and ethics in their work.

Prepare For Realistic CISM Dumps PDF – 100% Passing Guarantee: https://www.topexamcollection.com/CISM-vce-collection.html