
[Mar-2023] CISM Free Sample Questions to Practice One Year Update
ISACA CISM Exam Certification Details:

| Item | Value |
|---|---|
| Duration | 240 mins |
| Number of Questions | 150 |
| Exam Code | CISM |
| Exam Price (ISACA Member) | $575 (USD) |
| Passing Score | 450/800 |
3. Information Security Program Development and Management – 27%
This domain evaluates whether your knowledge base includes the following:
- Knowledge and skills in identifying, defining, and managing the requirements for internal and external resources;
- Knowledge of the certifications, training, and skills required for information security;
- Knowledge of the techniques used to communicate the program to stakeholders;
- Knowledge and skills in incorporating security requirements into contracts, agreements, and third-party management processes;
- Knowledge and ability to implement information security policies and procedures and to measure their effectiveness.
NEW QUESTION 51
Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
- A. Annualized loss expectancy (ALE)
- B. Acceptable level of potential business impacts
- C. Historical cost of the asset
- D. Cost versus benefit of additional mitigating controls
Answer: D
Explanation:
The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.
NEW QUESTION 52
Which of the following would a security manager establish to determine the target for restoration of normal processing?
- A. Maximum tolerable outage (MTO)
- B. Recovery time objective (RTO)
- C. Recovery point objectives (RPOs)
- D. Services delivery objectives (SDOs)
Answer: B
Explanation:
Section: INFORMATION RISK MANAGEMENT
Recovery time objective (RTO) is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level. Maximum tolerable outage (MTO) is the maximum time for which an organization can operate in a reduced mode. Recovery point objectives (RPOs) relate to the age of the data required for recovery.
Services delivery objectives (SDOs) are the levels of service required in reduced mode.
NEW QUESTION 53
The FIRST step in developing an information security management program is to:
- A. assign responsibility for the program.
- B. identify business risks that affect the organization.
- C. clarify organizational purpose for creating the program.
- D. assess adequacy of controls to mitigate business risks.
Answer: C
Explanation:
In developing an information security management program, the first step is to clarify the organization's purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.
NEW QUESTION 54
An information security manager has researched several options for handling ongoing security concerns and will be presenting these solutions to business managers. Which of the following will BEST enable business managers to make an informed decision?
- A. Gap analysis
- B. Business impact analysis (BIA)
- C. Risk analysis
- D. Cost-benefit analysis
Answer: B
NEW QUESTION 55
Who should be responsible for determining the classification of data within a database used in conjunction with an enterprise application?
- A. Information security manager
- B. Database architect
- C. Database administrator
- D. Data owner
Answer: D
NEW QUESTION 56
Which of the following parties should be responsible for determining access levels to an application that processes client information?
- A. The information security team
- B. The identity and access management team
- C. Business unit management
- D. The business client
Answer: C
NEW QUESTION 57
During the initiation phase of the system development life cycle (SDLC) for a software project, information security activities should address:
- A. benchmarking security metrics.
- B. cost-benefit analyses.
- C. security objectives.
- D. baseline security controls.
Answer: C
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION 58
Which of the following is the MOST appropriate method to protect a password that opens a confidential file?
- A. Reverse lookup translation
- B. Digital signatures
- C. Out-of-band channels
- D. Delivery path tracing
Answer: C
Explanation:
Out-of-band channels are useful when it is necessary, for confidentiality, to break a message into two parts that are then sent by different means. Digital signatures only provide nonrepudiation. Reverse lookup translation involves converting an Internet Protocol (IP) address to a username. Delivery path tracing shows the route taken but does not confirm the identity of the sender.
NEW QUESTION 59
Which of the following is MOST appropriate for inclusion in an information security strategy?
- A. Business controls designated as key controls
- B. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
- C. Security processes, methods, tools and techniques
- D. Budget estimates to acquire specific security tools
Answer: C
Explanation:
A set of security objectives, processes, methods, tools and techniques together constitute a security strategy.
Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.
NEW QUESTION 60
Which of the following is the PRIMARY reason for conducting post-incident reviews?
- A. To ensure regulatory compliance
- B. To determine the level of required remediation
- C. To review lessons learned
- D. To establish the cost of remediation
Answer: C
NEW QUESTION 61
Which of the following is the MOST important element in the evaluation of inherent security risks?
- A. Cost of countermeasures
- B. Residual risk
- C. Control effectiveness
- D. Impact to the organization
Answer: D
NEW QUESTION 62
Which of the following is MOST helpful when justifying the funding required for a compensating control?
- A. Threat assessment
- B. Risk analysis
- C. Business case
- D. Business impact analysis (BIA)
Answer: C
NEW QUESTION 63
A newly hired information security manager reviewing an existing security investment plan is MOST likely to be concerned when the plan:
- A. identifies potential impacts that the implementation may have on business processes
- B. focuses on compliance with common international security standards
- C. has summarized IT costs for implementation rather than providing detail
- D. is based solely on a review of security threats and vulnerabilities in existing IT systems
Answer: D
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION 64
Which of the following metrics provides the BEST indication of the effectiveness of a security awareness campaign?
- A. User approval rating of security awareness classes
- B. Percentage of users who have taken the courses
- C. The number of reported security events
- D. Quiz scores for users who took security awareness classes
Answer: C
NEW QUESTION 65
Which of the following is MOST important to consider when determining the effectiveness of the Information security governance program?
- A. Maturity models
- B. Risk tolerance levels
- C. Key performance indicators (KPIs)
- D. Key risk indicators (KRIs)
Answer: D
NEW QUESTION 66
An organization has acquired a company in a foreign country to gain an advantage in a new market. Which of the following is the FIRST step the information security manager should take?
- A. Apply the existing information security program to the acquired company
- B. Evaluate the information security laws that apply to the acquired company
- C. Determine which country's information security regulations will be used
- D. Merge the two existing information security programs
Answer: B
NEW QUESTION 67
Which of the following is MOST likely to reduce the effectiveness of a signature-based intrusion detection system (IDS)?
- A. The activities being monitored deviate from what is considered normal.
- B. The environment is complex.
- C. The pattern of normal behavior changes quickly and dramatically.
- D. The information regarding monitored activities becomes stale.
Answer: C
NEW QUESTION 68
Which of the following are the essential ingredients of a business impact analysis (BIA)?
- A. Downtime tolerance, resources and criticality
- B. Structure of the crisis management team
- C. Business continuity testing methodology being deployed
- D. Cost of business outages in a year as a factor of the security budget
Answer: A
Explanation:
The main purpose of a BIA is to measure the downtime tolerance, associated resources and criticality of a business function. Options B, C and D are all associated with business continuity planning, but are not related to the BIA.
NEW QUESTION 69
The PRIMARY goal in developing an information security strategy is to:
- A. ensure that legal and regulatory requirements are met.
- B. educate business process owners regarding their duties.
- C. support the business objectives of the organization.
- D. establish security metrics and performance monitoring.
Answer: C
Explanation:
The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.
NEW QUESTION 70
The BEST way to establish a recovery time objective (RTO) that balances cost with a realistic recovery time frame is to:
- A. analyze cost metrics.
- B. perform a business impact analysis.
- C. conduct a risk assessment.
- D. determine daily downtime cost.
Answer: B
NEW QUESTION 71
Which of the following is the MOST important step in risk ranking?
- A. Vulnerability analysis
- B. Threat assessment
- C. Impact assessment
- D. Mitigation cost
Answer: C
Explanation:
Section: INFORMATION RISK MANAGEMENT
NEW QUESTION 72
An information security manager has been asked to identify potential threats to the organization's information. Which of the following should be done FIRST?
- A. Engage a third-party consultant.
- B. Select a governance framework.
- C. Develop a risk profile.
- D. Review cyber insurance coverage.
Answer: C
NEW QUESTION 73
Which is MOST important when aligning security priorities with business unit strategies?
- A. Risk mitigation plans
- B. Business impact analysis (BIA)
- C. Gap analysis
- D. Stakeholder feedback
Answer: D
The tasks that you should be able to perform include the following:
- Determine the risk factors to ensure proper risk management;
- Integrate the information risk management program into business and IT processes so that it is consistent and precise;
- Manage risks effectively and determine whether information security controls are appropriate.