Real CISM Exam PDF Test Engine Practice Test Questions [Q243-Q265]


ISACA CISM Real 2022 Braindumps Mock Exam Dumps


CISM (Certified Information Security Manager) is a certification intended for professionals involved in information security management. It is issued by ISACA and demonstrates the holder's ability to identify critical security issues within an organization, improve security programs, and support information security with credibility at the management level.

 

NEW QUESTION 243
Which of the following should be the MOST important consideration when reporting sensitive risk-related information to stakeholders?

  • A. Ensuring nonrepudiation of communication
  • B. Customizing the communication to the audience
  • C. Consulting with the public relations director
  • D. Transmitting the internal communication securely

Answer: B

 

NEW QUESTION 244
In business-critical applications, user access should be approved by the:

  • A. business management.
  • B. information security manager.
  • C. data owner.
  • D. data custodian.

Answer: C

Explanation:
A data owner is in the best position to validate users' access rights because of their understanding of the business requirements and of how the function is implemented within the application. Policy should make this responsibility explicit. The information security manager coordinates and executes the implementation of role-based access control. The data custodian ensures that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights. Business management is not, in all cases, the owner of the data.

 

NEW QUESTION 245
An unauthorized user gained access to a merchant's database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect evidence of the unauthorized intrusion?

  • A. Copy the database log file to a protected server.
  • B. Isolate the server from the network.
  • C. Shut down and power off the server.
  • D. Duplicate the hard disk of the server immediately.

Answer: B

Explanation:
Isolating the server will prevent further intrusions and protect evidence of intrusion activities left in memory and on the hard drive. Some intrusion activities left in virtual memory may be lost if the system is shut down. Duplicating the hard disk will only preserve the evidence on the hard disk, not the evidence in virtual memory, and will not prevent further unauthorized access attempts. Copying the database log file to a protected server will not provide sufficient evidence should the organization choose to pursue legal recourse.

 

NEW QUESTION 246
Which of the following is the MOST important outcome of testing incident response plans?

  • A. Internal procedures are improved.
  • B. An action plan is available for senior management.
  • C. Areas requiring investment are identified.
  • D. Staff is educated about current threats.

Answer: A

 

NEW QUESTION 247
A company is considering a new automated system that requires implementation of wireless devices for data capture. Even though wireless is not an approved technology, senior management has accepted the risk and approved a proof of concept (POC) to evaluate the technology and the proposed solution. Which of the following is the information security manager's BEST course of action?

  • A. Implement a wireless intrusion detection system (IDS).
  • B. Develop corporate wireless standards.
  • C. Provide personnel with wireless security training.
  • D. Sandbox the proposed solution.

Answer: C

 

NEW QUESTION 248
Which of the following defines the triggers within a business continuity plan (BCP)?

  • A. Gap analysis
  • B. Needs of the organization
  • C. Information security policy
  • D. Disaster recovery plan (DRP)

Answer: C

 

NEW QUESTION 249
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:

  • A. implement secure sockets layer (SSL) encryption.
  • B. provide a high assurance of identity.
  • C. ensure the confidentiality of sensitive material.
  • D. allow deployment of the active directory.

Answer: B

Explanation:
The primary purpose of a public key infrastructure (PKI) is to provide strong authentication: a relying party that trusts a certification authority can verify, by checking the certificate chain, that a public key belongs to the named entity. Confidentiality comes from the session keys that are negotiated using those certified keys, not from the PKI itself. Active Directory can use PKI for authentication, but it also supports other means. Secure sockets layer (SSL) encryption (today TLS) depends on certificates to authenticate endpoints, but enabling it is not the main reason for deploying a PKI.
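The identity-assurance point above is easiest to see in a running verifier. The following Go program is an added example, not part of the original question bank or ISACA material: it builds a two-tier PKI in memory with the standard library (a trusted root CA, a leaf certificate the root issued, and a rogue leaf for the same host name issued by a CA the relying party does not trust) and shows that chain validation accepts only the certificate whose issuer chains to the configured trust anchor. The CA names and the host name `app.example.internal` are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed hierarchy for the example: one trusted root, one
// leaf it issued, and a rogue leaf for the same name issued by an untrusted CA.
// All names are made up; nothing here touches the system trust store.
type PKI struct {
	Roots *x509.CertPool    // trust anchors the relying party is configured with
	Leaf  *x509.Certificate // issued by the trusted root
	Rogue *x509.Certificate // same host name, issued by "Not Your CA"
}

// template returns a certificate template for either a CA or a server leaf.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and has parentKey sign the
// certificate. Passing parent == tmpl and a nil parentKey yields a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil { // self-signed: the subject's own key signs
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI creates the trusted root, a leaf for dns signed by it, and a rogue
// leaf for the same dns signed by a second, untrusted CA.
func BuildPKI(dns string) (*PKI, error) {
	rootTmpl := template("Example Corp Root CA", 1, true)
	root, rootKey, err := issue(rootTmpl, rootTmpl, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(template(dns, 2, false), root, rootKey)
	if err != nil {
		return nil, err
	}
	rogueTmpl := template("Not Your CA", 3, true)
	rogueCA, rogueKey, err := issue(rogueTmpl, rogueTmpl, nil)
	if err != nil {
		return nil, err
	}
	rogue, _, err := issue(template(dns, 4, false), rogueCA, rogueKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root) // only the genuine root is trusted
	return &PKI{Roots: roots, Leaf: leaf, Rogue: rogue}, nil
}

// VerifyIdentity is what a relying party does: chain the presented certificate
// to a configured trust anchor and confirm it is valid for the expected name
// and purpose. A nil error means the identity assertion is trustworthy.
func VerifyIdentity(cert *x509.Certificate, roots *x509.CertPool, dns string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dns,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	const host = "app.example.internal"
	p, err := BuildPKI(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf from trusted root:  ", VerifyIdentity(p.Leaf, p.Roots, host))
	fmt.Println("rogue CA, same name:     ", VerifyIdentity(p.Rogue, p.Roots, host))
	fmt.Println("trusted cert, wrong name:", VerifyIdentity(p.Leaf, p.Roots, "other.example.internal"))
}
```

The rogue certificate carries exactly the same subject and host name as the genuine one; what distinguishes them is only that the relying party can build a signed path from the genuine leaf to a root it already trusts. That path is the "high assurance of identity" the question refers to. Encryption of the session is a separate step that relies on the key this check has just authenticated.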

 

NEW QUESTION 250
An information security manager is implementing controls to protect the organization's data. The FIRST step in this process should be to:

  • A. classify the data.
  • B. implement access controls.
  • C. monitor access to the data.
  • D. encrypt the data.

Answer: A

 

NEW QUESTION 251
Who is ultimately responsible for the organization's information?

  • A. Data custodian
  • B. Chief information security officer (CISO)
  • C. Chief information officer (CIO)
  • D. Board of directors

Answer: D

Explanation:
The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.

 

NEW QUESTION 252
An information security organization should PRIMARILY:

  • A. be responsible for setting up and documenting the information security responsibilities of the information security team members.
  • B. ensure that the information security expectations are conveyed to employees.
  • C. support the business objectives of the company by providing security-related support services.
  • D. ensure that the information security policies of the company are in line with global best practices and standards.

Answer: C

Explanation:
The information security organization is responsible for options A, B and D, but none of them is its primary mission. Reviewing and adopting appropriate standards (option D) is a requirement, not the objective. The primary objective of an information security organization is to ensure that security supports the overall business objectives of the company.

 

NEW QUESTION 253
Which of the following is the BEST way to align security and business strategies?

  • A. Establish key performance indicators (KPIs) for business through security processes.
  • B. Integrate information security governance into corporate governance.
  • C. Develop a balanced scorecard for security.
  • D. Include security risk as part of corporate risk management.

Answer: A

 

NEW QUESTION 254
Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

  • A. Management support and approval for the implementation and maintenance of a security policy
  • B. Enforcement of security rules by providing punitive actions for any violation of security rules
  • C. Assimilation of the framework and intent of a written security policy by all appropriate parties
  • D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

Answer: C

Explanation:
Assimilation of the framework and intent of a written security policy by the users of the system is critical to its successful implementation and maintenance. A good password system may exist, but if users keep passwords written on their desks, the passwords are of little value. Management support and commitment are certainly important, but for a policy to be implemented and maintained successfully, educating users on the importance of security is paramount. Stringent implementation, monitoring and enforcement of rules by the security officer through access control software, and provision for punitive action on violations, are also required alongside user education.

 

NEW QUESTION 255
Information security should be:

  • A. a balance between technical and business requirements.
  • B. driven by regulatory requirements.
  • C. defined by the board of directors.
  • D. focused on eliminating all risks.

Answer: A

Explanation:
Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.

 

NEW QUESTION 256
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?

  • A. The time of declaration determines site access priority
  • B. The provider services all major companies in the area
  • C. The hot site may have to be shared with other customers
  • D. Exclusive use of the hot site is limited to six weeks

Answer: B

Explanation:
Sharing a hot site facility is sometimes necessary in the case of a major disaster. Also, first come, first served usually determines priority of access based on general industry practice. Access to a hot site is not indefinite; the recovery plan should address a long-term outage. In case of a disaster affecting a localized geographical area, the vendor's facility and capabilities could be insufficient for all of its clients, which will all be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.

 

NEW QUESTION 257
A risk management approach to information protection is:

  • A. managing risks to an acceptable level, commensurate with goals and objectives.
  • B. accepting the security posture provided by commercial security products.
  • C. managing risk tools to ensure that they assess all information protection vulnerabilities.
  • D. implementing a training program to educate individuals on information protection and risks.

Answer: A

Explanation:
Section: INFORMATION RISK MANAGEMENT
Risk management means identifying the risks within an organization, establishing an acceptable level of risk and managing risks effectively, which may include mitigation or transfer. Accepting the security posture provided by commercial security products is limited to technology components and may not address all business operations of the organization. Education is one part of the overall risk management process. Tools are limited to technology and would not address non-technology risks.

 

NEW QUESTION 258
Which of the following BEST demonstrates return on investment (ROI) for an information security initiative?

  • A. Risk heat map
  • B. Business impact analysis (BIA)
  • C. Information security program roadmap
  • D. Business case

Answer: D

 

NEW QUESTION 259
Management is questioning the need for several items in the information security budget proposal. Which of the following would have been MOST helpful prior to budget submission?

  • A. Educating management on information security best practices
  • B. Benchmarking information security efforts of industry competitors
  • C. Obtaining better pricing from information security service vendors
  • D. Presenting a report of current threats to the organization

Answer: D

 

NEW QUESTION 260
Who should drive the risk analysis for an organization?

  • A. Security manager
  • B. Quality manager
  • C. Senior management
  • D. Legal department

Answer: A

Explanation:
Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.

 

NEW QUESTION 261
Investment in security technology and processes should be based on:

  • A. clear alignment with the goals and objectives of the organization.
  • B. safeguards that are inherent in existing technology.
  • C. success cases that have been experienced in previous projects.
  • D. best business practices.

Answer: A

Explanation:
Investment in security technology and processes should follow directly from clear alignment with the goals and objectives of the organization. Experience from previous projects depends on other business models that may not apply to the current one. Best business practices may not fit the organization's particular business needs. Safeguards inherent in existing technology are low cost but may not address all of the organization's business needs or goals.

 

NEW QUESTION 262
Which of the following will BEST enable an effective information asset classification process?

  • A. Including security requirements in the classification process
  • B. Analyzing audit findings
  • C. Assigning ownership
  • D. Reviewing the recovery time objective (RTO) requirements of the asset

Answer: A

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT

 

NEW QUESTION 263
Which of the following is the MOST effective method for assessing the effectiveness of a security awareness program?

  • A. Tabletop test
  • B. Post-incident review
  • C. Vulnerability scan
  • D. Social engineering test

Answer: D

 

NEW QUESTION 264
While implementing information security governance an organization should FIRST:

  • A. adopt security standards.
  • B. determine security baselines.
  • C. establish security policies.
  • D. define the security strategy.

Answer: D

Explanation:
The first step in implementing information security governance is to define the security strategy, from which security baselines are then determined. Adopting suitable security standards, performing a risk assessment and implementing security policies are steps that follow the definition of the security strategy.

 



What Is CISM Certification All About?

Earning CISM, or Certified Information Security Manager, is a credible way to demonstrate the capacity to manage an information security program. It signals the ability to build a security team that works within the standards the organization has set and to run security in a way that supports business outcomes, and it is commonly held by people moving into enterprise security leadership roles.

 
