Tips to Pass CISM Exam (31 to 40)

Exam Code: CISM
Exam Name: Certified Information Security Manager
Certification Provider: Isaca

2021 Dec CISM testing engine

Q31. An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management? 

A. Security metrics reports 

B. Risk assessment reports 

C. Business impact analysis (BIA) 

D. Return on security investment report 



Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA. 

Q32. When an organization is implementing an information security governance program, its board of directors should be responsible for: 

A. drafting information security policies. 

B. reviewing training and awareness programs. 

C. setting the strategic direction of the program. 

D. auditing for compliance. 



A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance. 

Q33. Which of the following steps in conducting a risk assessment should be performed FIRST? 

A. Identify business assets 

B. Identify business risks 

C. Assess vulnerabilities 

D. Evaluate key controls 



Risk assessment first requires one to identify the business assets that need to be protected before identifying the threats. The next step is to establish whether those threats represent business risk by identifying the likelihood and effect of occurrence, followed by assessing the vulnerabilities that may affect the security of the asset. This process establishes the control objectives against which key controls can be evaluated. 

Q34. An outcome of effective security governance is: 

A. business dependency assessment 

B. strategic alignment. 

C. risk assessment. 

D. planning. 



Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process. 

Q35. When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer (SSL), confidentiality is MOST vulnerable to which of the following? 

A. IP spoofing 

B. Man-in-the-middle attack 

C. Repudiation 

D. Trojan 



A Trojan is a program that gives the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user. IP spoofing will not work because IP is not used as an authentication mechanism. Man-in-the-middle attacks are not possible if using SSL with client-side certificates. Repudiation is unlikely because client-side certificates authenticate the user. 


Q36. Logging is an example of which type of defense against systems compromise? 

A. Containment 

B. Detection 

C. Reaction 

D. Recovery 



Detection defenses include logging as well as monitoring, measuring, auditing, and virus and intrusion detection. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans. 

Q37. What is the MOST important factor in the successful implementation of an enterprise-wide information security program? 

A. Realistic budget estimates 

B. Security awareness 

C. Support of senior management 

D. Recalculation of the work factor 



Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other group, is best placed to drive the program successfully; their authoritative position in the company is a key factor. Budget approval, resource commitments, and company-wide participation also require buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. Recalculation of the work factor is a part of risk management. 

Q38. The value of information assets is BEST determined by: 

A. individual business managers. 

B. business systems analysts. 

C. information security management. 

D. industry averages benchmarking. 



Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets' impact on the business. Business systems analysts and information security managers are not as knowledgeable regarding the impact on the business. Peer companies' industry averages do not necessarily provide detailed enough information, nor are they as relevant to the unique aspects of the business. 

Q39. The MAIN reason why asset classification is important to a successful information security program is because classification determines: 

A. the priority and extent of risk mitigation efforts. 

B. the amount of insurance needed in case of loss. 

C. the appropriate level of protection to the asset. 

D. how protection levels compare to peer organizations. 



Protection should be proportional to the value of the asset. Classification is based upon the value of the asset to the organization. The amount of insurance needed in case of loss may not be applicable in each case. Peer organizations may have different classification schemes for their assets. 

Q40. The MOST important component of a privacy policy is: 

A. notifications. 

B. warranties. 

C. liabilities. 

D. geographic coverage. 



Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific. 
