Download Certified Information Security Manager.CISM.BrainDumps.2019-01-24.426q.vcex

Vendor: ISACA
Exam Code: CISM
Exam Name: Certified Information Security Manager
Date: Jan 24, 2019
File Size: 391 KB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
Risk assessment is MOST effective when performed:
  1. at the beginning of security program development.
  2. on a continuous basis.
  3. while developing the business case for the security program.
  4. during the business change process.
Correct answer: B
Explanation:
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
Question 2
Which of the following is the MAIN reason for performing risk assessment on a continuous basis'?
  1. Justification of the security budget must be continually made.
  2. New vulnerabilities are discovered every day.
  3. The risk environment is constantly changing.
  4. Management needs to be continually informed about emerging risks.
Correct answer: C
Explanation:
The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.
The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.
Question 3
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
  1. Identify the vulnerable systems and apply compensating controls
  2. Minimize the use of vulnerable systems
  3. Communicate the vulnerability to system users
  4. Update the signatures database of the intrusion detection system (IDS)
Correct answer: A
Explanation:
The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
Question 4
Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
  1. Business impact analysis (BIA)
  2. Penetration testing
  3. Audit and review
  4. Threat analysis
Correct answer: B
Explanation:
Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.
Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.
Question 5
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
  1. Countermeasure cost-benefit analysis
  2. Penetration testing
  3. Frequent risk assessment programs
  4. Annual loss expectancy (ALE) calculation
Correct answer: A
Explanation:
In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but. alone, will not justify a control.
In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but. alone, will not justify a control.
Question 6
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
  1. eliminating the risk.
  2. transferring the risk.
  3. mitigating the risk.
  4. accepting the risk.
Correct answer: C
Explanation:
Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance so the insurance company can take the risk. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.
Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance so the insurance company can take the risk. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.
Question 7
Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
  1. Manager
  2. Custodian
  3. User
  4. Owner
Correct answer: D
Explanation:
Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels. Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc. The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc. Users are the lowest level. They use the data, but do not classify the data. The owner classifies the data.
Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels. Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc. The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc. Users are the lowest level. They use the data, but do not classify the data. The owner classifies the data.
Question 8
The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
  1. determining the scope for inclusion in an information security program.
  2. defining the level of access controls.
  3. justifying costs for information resources.
  4. determining the overall budget of an information security program.
Correct answer: B
Explanation:
The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.
The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.
Question 9
An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
  1. Key performance indicators (KPIs)
  2. Business impact analysis (BIA)
  3. Gap analysis
  4. Technical vulnerability assessment
Correct answer: C
Explanation:
Gap analysis would help identify the actual gaps between the desired state and the current implementation of information security management. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information in order to identify gaps.
Gap analysis would help identify the actual gaps between the desired state and the current implementation of information security management. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information in order to identify gaps.
Question 10
When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
  1. Estimated productivity losses
  2. Possible scenarios with threats and impacts
  3. Value of information assets
  4. Vulnerability assessment
Correct answer: B
Explanation:
Listing all possible scenarios that could occur, along with threats and impacts, will better frame the range of risks and facilitate a more informed discussion and decision. Estimated productivity losses, value of information assets and vulnerability assessments would not be sufficient on their own.
Listing all possible scenarios that could occur, along with threats and impacts, will better frame the range of risks and facilitate a more informed discussion and decision. Estimated productivity losses, value of information assets and vulnerability assessments would not be sufficient on their own.
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX AND EXAM FILES

Use ProfExam Simulator to open VCEX and EXAM files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!