Real CISM are Uploaded by Prep4King provide 2021 Latest CISM Practice Tests Dumps [Q143-Q168]



All CISM dumps and Certified Information Security Manager training courses help candidates study for and pass the Certified Information Security Manager exam hassle-free.

NEW QUESTION 143
The MAIN goal of an information security strategic plan is to:

  • A. establish security governance.
  • B. protect information assets and resources.
  • C. develop a data protection plan.
  • D. develop a risk assessment plan.

Answer: B

Explanation:
The main goal of an information security strategic plan is to protect information assets and resources. Developing a risk assessment plan and a data protection plan, and establishing security governance, refer to tools utilized in the security strategic plan that achieve the protection of information assets and resources.

 

NEW QUESTION 144
The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:

  • A. financial value.
  • B. regulatory requirements.
  • C. business requirements.
  • D. IT resource availability.

Answer: C

Explanation:
The criticality to business should always drive the decision. Regulatory requirements could be more flexible than business needs. The financial value of an asset could not correspond to its business value. While a consideration, IT resource availability is not a primary factor.

 

NEW QUESTION 145
The MOST basic requirement for an information security governance program is to:

  • A. be based on a sound risk management approach.
  • B. provide best practices for security initiatives.
  • C. provide adequate regulatory compliance.
  • D. be aligned with the corporate business strategy.

Answer: D

Explanation:
To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance.
Best practice is an operational concern and does not have a direct impact on a governance program.

 

NEW QUESTION 146
An organization has implemented a bring your own device (BYOD) program. Which of the following is the GREATEST risk to the organization?

  • A. Lack of nonrepudiation
  • B. Data leakage
  • C. Device theft
  • D. Device incompatibility

Answer: C

 

NEW QUESTION 147
Which of the following is the BEST option for addressing regulations that will adversely affect the allocation of information security program resources?

  • A. Prioritize compliance efforts based on probability.
  • B. Delay implementation of compliance activities.
  • C. Determine compliance levels of peer organizations.
  • D. Conduct assessments for management decisions.

Answer: D

 

NEW QUESTION 148
Which of the following is MOST important for an information security manager to verify when selecting a third-party forensics provider?

  • A. Technical capabilities of the provider
  • B. Existence of a right-to-audit clause
  • C. Existence of the provider's incident response plan
  • D. Results of the provider's business continuity tests

Answer: B

 

NEW QUESTION 149
An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?

  • A. Right to audit
  • B. Nondisclosure agreement
  • C. Proper firewall implementation
  • D. Dedicated security manager for monitoring compliance

Answer: A

Explanation:
Right to audit would be the most useful requirement since this would provide the company the ability to perform a security audit/assessment whenever there is a business need to examine whether the controls are working effectively at the third party. Options B, C and D are important requirements and can be examined during the audit. A dedicated security manager would be a costly solution and not always feasible for most situations.

 

NEW QUESTION 150
Which of the following is the GREATEST benefit of information asset classification?

  • A. Supporting segregation of duties
  • B. Defining resource ownership
  • C. Helping to determine the recovery point objective (RPO)
  • D. Providing a basis for implementing a need-to-know policy

Answer: D

 

NEW QUESTION 151
Which of the following is the BEST way to align security and business strategies?

  • A. Include security risk as part of corporate risk management.
  • B. Develop a balanced scorecard for security.
  • C. Integrate information security governance into corporate governance.
  • D. Establish key performance indicators (KPIs) for business through security processes.

Answer: D

 

NEW QUESTION 152
Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?

  • A. Liability limits
  • B. Service levels
  • C. Termination conditions
  • D. Privacy restrictions

Answer: B

Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
Explanation:
Service levels are key to holding third parties accountable for adequate delivery of services. This is more important than termination conditions, privacy restrictions or liability limitations.

 

NEW QUESTION 153
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?

  • A. Regression analysis
  • B. Gap analysis
  • C. Business impact analysis
  • D. Risk analysis

Answer: C

Explanation:
Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs relate to the financial impact of a system not being available. A gap analysis is useful in addressing the differences between the current state and an ideal future state. Regression analysis is used to test changes to program modules. Risk analysis is a component of the business impact analysis.

 

NEW QUESTION 154
Which of the following is the MOST important element of a response plan for IT security incidents?

  • A. Requirements for investigative evidence
  • B. Test plans for containment and recovery procedures
  • C. Guidelines for preserving digital evidence
  • D. Appropriate team members

Answer: A

 

NEW QUESTION 155
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

  • A. data privacy policy of the headquarters' country.
  • B. data privacy directive applicable globally.
  • C. corporate data privacy policy.
  • D. data privacy policy where data are collected.

Answer: D

Explanation:
As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.

 

NEW QUESTION 156
A new key business application has gone to production. What is the MOST important reason to classify and determine the sensitivity of the data used by this application?

  • A. To ensure countermeasures are proportional to risk
  • B. To update the business impact analysis (BIA)
  • C. To minimize the cost of controls.
  • D. To determine retention requirements

Answer: A

 

NEW QUESTION 157
To minimize the business impact from information security incidents, it is MOST important to:

  • A. attain timely identification of incidents.
  • B. keep all incident-related data confidential.
  • C. reduce staff costs for incident recovery.
  • D. streamline the post-incident review process.

Answer: A

 

NEW QUESTION 158
Which of the following provides the MOST relevant evidence of incident response maturity?

  • A. Red team testing results
  • B. Tabletop exercise results
  • C. Independent audit assessment
  • D. Average incident closure time

Answer: C

Explanation:
Section: INCIDENT MANAGEMENT AND RESPONSE

 

NEW QUESTION 159
A new regulation has been announced that requires mandatory reporting of security incidents that affect personal client information. Which of the following should be the information security manager's FIRST course of action?

  • A. Inform senior management of the new regulation.
  • B. Update the security incident management process.
  • C. Determine impact to the business.
  • D. Review the current security policy.

Answer: D

 

NEW QUESTION 160
Information security governance is PRIMARILY driven by:

  • A. technology constraints.
  • B. litigation potential.
  • C. business strategy.
  • D. regulatory requirements.

Answer: C

Explanation:
Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.

 

NEW QUESTION 161
Which of the following actions should take place immediately after a security breach is reported to an information security manager?

  • A. Determine impact
  • B. Isolate the incident
  • C. Notify affected stakeholders
  • D. Confirm the incident

Answer: D

Section: INCIDENT MANAGEMENT AND RESPONSE
Explanation:
Before performing analysis of impact, resolution, notification or isolation of an incident, it must be validated as a real security incident.

 

NEW QUESTION 162
A business unit has requested IT to implement simple authentication using IDs and passwords. The information security policy requires using multi-factor authentication. The information security manager should FIRST:

  • A. implement two-factor authentication.
  • B. assess alignment with business objectives.
  • C. perform a risk assessment.
  • D. escalate the request to senior management.

Answer: C

 

NEW QUESTION 163
The purpose of a corrective control is to:

  • A. mitigate impact.
  • B. indicate compromise.
  • C. reduce adverse events.
  • D. ensure compliance.

Answer: A

Explanation:
Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Preventive controls reduce adverse events, such as firewalls. Compromise can be detected by detective controls, such as intrusion detection systems (IDSs). Compliance could be ensured by preventive controls, such as access controls.

 

NEW QUESTION 164
Which of the following should be reviewed to obtain a structured overview of relevant information about an information security investment?

  • A. Quantitative risk analysis report
  • B. Security balanced scorecard
  • C. Business case
  • D. Information security strategy

Answer: C

 

NEW QUESTION 165
When speaking to an organization's human resources department about information security, an information security manager should focus on the need for:

  • A. security awareness training for employees.
  • B. recruitment of technical IT employees.
  • C. periodic risk assessments.
  • D. an adequate budget for the security program.

Answer: A

Explanation:
An information security manager has to impress upon the human resources department the need for security awareness training for all employees. Budget considerations are more of an accounting function. The human resources department would become involved once they are convinced of the need for security awareness training. Recruiting IT-savvy staff may bring in new employees with better awareness of information security, but that is not a replacement for the training requirements of the other employees. Periodic risk assessments may or may not involve the human resources department function.

 

NEW QUESTION 166
A risk assessment report shows that phishing attacks are an emerging threat for an organization that supports online financial services. Which of the following is the information security manager's BEST course of action?

  • A. Implement spam protection.
  • B. Conduct corporate awareness training.
  • C. Transfer risk with insurance coverage.
  • D. Update antivirus software.

Answer: B

 

NEW QUESTION 167
The PRIMARY reason for using metrics to evaluate information security is to:

  • A. justify budgetary expenditures.
  • B. enable steady improvement.
  • C. identify security weaknesses.
  • D. raise awareness on security issues.

Answer: B

Explanation:
The purpose of a metric is to facilitate and track continuous improvement. It will not permit the identification of all security weaknesses. It will raise awareness and help in justifying certain expenditures, but this is not its main purpose.

 

NEW QUESTION 168
......

Valid Way To Pass ISACA's CISM Exam with : https://www.prep4king.com/CISM-exam-prep-material.html

Free Test Engine For Certified Information Security Manager Certification Exams: https://drive.google.com/open?id=1jAMJgkXUfgrHPZfYGj8kajwP5Fl8W7tW