
2023 Updated Verified Pass CISM Exam - Real Questions and Answers
NEW QUESTION 72
Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?
- A. Data confidentiality between client and web server
- B. Certificate-based authentication of web client
- C. Certificate-based authentication of web server
- D. Multiple encryption algorithms
Answer: B
Explanation:
Web browsers have the capability of authenticating through client-based certificates; nevertheless, it is not commonly used. When using https, servers always authenticate with a certificate and, once the connection is established, confidentiality will be maintained between client and server. By default, web browsers and servers support multiple encryption algorithms and negotiate the best option upon connection.
NEW QUESTION 73
Risk assessment is MOST effective when performed:
- A. on a continuous basis.
- B. during the business change process.
- C. while developing the business case for the security program.
- D. at the beginning of security program development.
Answer: A
Explanation:
Section: INFORMATION RISK MANAGEMENT
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
NEW QUESTION 74
Quantitative risk analysis is MOST appropriate when assessment data:
- A. include customer perceptions.
- B. contain percentage estimates.
- C. contain subjective information.
- D. do not contain specific details.
Answer: B
Explanation:
Percentage estimates are characteristic of quantitative risk analysis. Customer perceptions, lack of specific details or subjective information lend themselves more to qualitative risk analysis.
NEW QUESTION 75
Acceptable risk is achieved when:
- A. transferred risk is minimized.
- B. inherent risk is minimized.
- C. control risk is minimized.
- D. residual risk is minimized.
Answer: D
Explanation:
Residual risk is the risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk. Control risk is the risk that controls may not prevent/detect an incident with a measure of control effectiveness. Inherent risk cannot be minimized.
NEW QUESTION 76
When outsourcing application development to a third party, which of the following is the BEST way to ensure the organization's security requirements are met?
- A. Require the third-party provider to document its security methodology.
- B. Perform independent security testing of the developed applications.
- C. Provide training in secure application coding to the third-party staff.
- D. Include a right to audit the system development lifecycle in the contract.
Answer: B
NEW QUESTION 77
An organization with a large number of users finds it necessary to improve access control applications.
Which of the following would BEST help to prevent unauthorized user access to networks and applications?
- A. Biometric systems
- B. Access control lists
- C. Single sign-on
- D. Complex user passwords
Answer: B
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION 78
The PRIMARY reason for using metrics to evaluate information security is to:
- A. identify security weaknesses.
- B. raise awareness on security issues.
- C. enable steady improvement.
- D. justify budgetary expenditures.
Answer: C
Explanation:
The purpose of a metric is to facilitate and track continuous improvement. It will not permit the identification of all security weaknesses. It will raise awareness and help in justifying certain expenditures, but this is not its main purpose.
NEW QUESTION 80
Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies. To BEST address this concern, the information security manager should:
- A. review access rights as the acquisition integration occurs.
- B. implement consistent access control standards.
- C. escalate concerns for conflicting access rights to management.
- D. perform a risk assessment of the access rights.
Answer: D
NEW QUESTION 81
The MOST useful way to describe the objectives in the information security strategy is through:
- A. mapping the IT systems to key business processes.
- B. calculation of annual loss expectations.
- C. overall control objectives of the security program.
- D. attributes and characteristics of the 'desired state.'
Answer: D
Explanation:
Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.
NEW QUESTION 82
A company has purchased a rival organization and is looking to integrate security strategies. Which of the following is the GREATEST issue to consider?
- A. Differing security skills within the organizations
- B. Confidential information could be leaked
- C. Differing security technologies
- D. The organizations have different risk appetites
Answer: D
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION 83
Which of the following is MOST important to the successful promotion of good security management practices?
- A. Security metrics
- B. Security baselines
- C. Management support
- D. Periodic training
Answer: C
Explanation:
Without management support, all other efforts will be undermined. Metrics, baselines and training are all important, but they depend on management support for their success.
NEW QUESTION 84
To ensure appropriate control of information processed in IT systems, security safeguards should be based PRIMARILY on:
- A. criteria consistent with classification levels
- B. efficient technical processing considerations
- C. overall IT capacity and operational constraints
- D. established guidelines
Answer: D
NEW QUESTION 85
Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?
- A. Use security tokens for authentication
- B. Connect through an IPSec VPN
- C. Enforce static media access control (MAC) addresses
- D. Use https with a server-side certificate
Answer: B
Explanation:
IPSec effectively prevents man-in-the-middle (MitM) attacks by including source and destination IPs within the encrypted portion of the packet. The protocol is resilient to MitM attacks. Using token-based authentication does not prevent a MitM attack; however, it may help eliminate reusability of stolen cleartext credentials. An https session can be intercepted through Domain Name Server (DNS) or Address Resolution Protocol (ARP) poisoning. ARP poisoning, a specific kind of MitM attack, may be prevented by setting static media access control (MAC) addresses. Nevertheless, DNS and NetBIOS resolution can still be attacked to deviate traffic.
NEW QUESTION 86
An organization is concerned with the risk of information leakage caused by incorrect use of personally owned smart devices by employees. What is the BEST way for the information security manager to mitigate the associated risk?
- A. Require employees to sign a nondisclosure agreement (NDA).
- B. Implement a mobile device management (MDM) solution.
- C. Implement a multi-factor authentication (MFA) solution.
- D. Document a bring-your-own-device (BYOD) policy.
Answer: B
Explanation:
Section: INFORMATION RISK MANAGEMENT
NEW QUESTION 87
Which of the following is the GREATEST benefit of a comprehensive set of security program metrics?
- A. Visibility to security compliance
- B. Data to support risk assessments
- C. Validation of risk assessment results
- D. Evaluation of the security strategy
Answer: D
NEW QUESTION 88
The FIRST step to create an internal culture that focuses on information security is to:
- A. gain the endorsement of executive management.
- B. implement stronger controls.
- C. conduct periodic awareness training.
- D. actively monitor operations.
Answer: A
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
Endorsement of executive management in the form of policies provides direction and awareness. The implementation of stronger controls may lead to circumvention. Awareness training is important, but must be based on policies. Actively monitoring operations will not affect culture at all levels.
NEW QUESTION 89
To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?
- A. Weighing the cost of implementing the plan vs. financial loss.
- B. Assigning value to the assets.
- C. Conducting a business impact analysis (BIA).
- D. Conducting a qualitative and quantitative risk analysis.
Answer: C
Explanation:
BIA is an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. It is the first crucial step in business continuity planning. Qualitative and quantitative risk analysis will have been completed to define the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events. Assigning value to assets is part of the BIA process. Weighing the cost of implementing the plan vs. financial loss is another part of the BIA.
NEW QUESTION 90
Ensuring that an organization can conduct security reviews within third-party facilities is PRIMARILY enabled by:
- A. contractual agreements
- B. audit guidelines
- C. acceptance of the organization's security policies
- D. service level agreements (SLAs)
Answer: D
NEW QUESTION 91
During the response to a serious security breach, who is the BEST organizational staff member to communicate with external entities?
- A. A dedicated public relations spokesperson
- B. The incident response team leader
- C. The resource specified in the incident response plan
- D. The resource designated by senior management
Answer: A
NEW QUESTION 92
What is the MOST important factor in the successful implementation of an enterprise-wide information security program?
- A. Security awareness
- B. Recalculation of the work factor
- C. Realistic budget estimates
- D. Support of senior management
Answer: D
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other group, will more successfully drive the program. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. Recalculation of the work factor is a part of risk management.
NEW QUESTION 93
Labeling information according to its security classification:
- A. enhances the likelihood of people handling information securely.
- B. reduces the need to identify baseline controls for each classification.
- C. reduces the number and type of countermeasures required.
- D. affects the consequences if information is handled insecurely.
Answer: C
NEW QUESTION 94
An organization is considering a self-service solution for the deployment of virtualized development servers. Which of the following should be the information security manager's PRIMARY concern?
- A. Ability to remain current with patches
- B. Segregation of servers from the production environment
- C. Generation of excessive security event logs
- D. Ability to maintain server security baseline
Answer: D
NEW QUESTION 95
Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?
- A. Security audit reports
- B. Capability maturity model (CMM)
- C. Systems and business security architecture
- D. Balanced scorecard
Answer: B
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
The capability maturity model (CMM) grades each defined area of security processes on a scale of 0 to 5 based on their maturity, and is commonly used by entities to measure their existing state and then determine the desired one. Security audit reports offer a limited view of the current state of security. Balanced scorecard is a document that enables management to measure the implementation of their strategy and assists in its translation into action. Systems and business security architecture explain the security architecture of an entity in terms of business strategy, objectives, relationships, risks, constraints and enablers, and provides a business-driven and business-focused view of security architecture.
NEW QUESTION 96
When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
- A. Create separate policies to address each regulation
- B. Incorporate policy statements provided by regulators
- C. Develop policies that meet all mandated requirements
- D. Develop a compliance risk assessment
Answer: C
Explanation:
It will be much more efficient to craft all relevant requirements into policies than to create separate versions. Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.
NEW QUESTION 97
......