Top Isaca CISM forum Choices

Exam Code: CISM (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Certified Information Security Manager
Certification Provider: Isaca

2021 Jan CISM download

Q171. The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is: 

A. Secure Sockets Layer (SSL). 

B. Secure Shell (SSH). 

C. IP Security (IPSec). 

D. Secure/Multipurpose Internet Mail Extensions (S/MIME). 



Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications providing end point authentication and communications privacy over the Internet. In typical use, all data transmitted between the customer and the business are, therefore, encrypted by the business's web server and remain confidential. SSH File Transfer Protocol (SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer. IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of e-mail encapsulated in MIME; it is not a web transaction protocol. 

Q172. Which two components PRIMARILY must be assessed in an effective risk analysis? 

A. Visibility and duration 

B. Likelihood and impact 

C. Probability and frequency 

D. Financial impact and duration 



The probability or likelihood of the event and the financial impact or magnitude of the event must be assessed first. Duration refers to the length of the event; it is important in order to assess impact but is secondary. Once the likelihood is determined, the frequency is also important to determine overall impact. 

Q173. The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for: 

A. determining the scope for inclusion in an information security program. 

B. defining the level of access controls. 

C. justifying costs for information resources. 

D. determining the overall budget of an information security program. 



The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program. 

Q174. Reviewing which of the following would BEST ensure that security controls are effective? 

A. Risk assessment policies 

B. Return on security investment 

C. Security metrics 

D. User access rights 



Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness. 

Q175. A risk mitigation report would include recommendations for: 

A. assessment. 

B. acceptance. 

C. evaluation. 

D. quantification. 



Acceptance of a risk is an alternative to be considered in the risk mitigation process. Assessment, evaluation and risk quantification are components of the risk analysis process that are completed prior to determining risk mitigation solutions. 


Q176. An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur? 

A. Nothing, since a risk assessment was completed during development. 

B. A vulnerability assessment should be conducted. 

C. A new risk assessment should be performed. 

D. The new vendor's SAS 70 type II report should be reviewed. 



The risk assessment process is continual, and any change to an established process should include a new risk assessment. While a review of the SAS 70 report and a vulnerability assessment may be components of a risk assessment, neither would constitute sufficient due diligence on its own. 

Q177. The purpose of a corrective control is to: 

A. reduce adverse events. 

B. indicate compromise. 

C. mitigate impact. 

D. ensure compliance. 



Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Preventive controls reduce adverse events, such as firewalls. Compromise can be detected by detective controls, such as intrusion detection systems (IDSs). Compliance could be ensured by preventive controls, such as access controls. 

Q178. Which of the following attacks is BEST mitigated by utilizing strong passwords? 

A. Man-in-the-middle attack 

B. Brute force attack 

C. Remote buffer overflow 

D. Root kit 



A brute force attack is normally successful against weak passwords, whereas strong passwords would not prevent any of the other attacks. Man-in-the-middle attacks intercept network traffic, which could contain passwords, but their success does not depend on password strength. Remote buffer overflows rarely require a password to exploit a remote host. Root kits hook into the operating system's kernel and, therefore, operate underneath any authentication mechanism. 

Q179. Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas? 

A. Platform security 

B. Entitlement changes 

C. Intrusion detection 

D. Antivirus controls 



Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible. Platform security, intrusion detection and antivirus controls are all within the responsibility of the information security manager. 

Q180. Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk? 

A. Ensure that all IT risks are identified 

B. Evaluate the impact of information security risks 

C. Demonstrate that IT mitigating controls are in place 

D. Suggest new IT controls to mitigate operational risk 



The job of the information security officer on such a team is to assess the risks to the business operation. Choice A is incorrect because information security is not limited to IT issues. Choice C is incorrect because at the time a team is formed to assess risk, it is premature to assume that any demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it is premature at the time of the formation of the team to assume that any suggestion of new IT controls will mitigate business operational risk. 
