
Verified CISM Dumps Q&As - CISM Test Engine with Correct Answers
Pass Your CISM Dumps as PDF Updated on 2023 With 188 Questions
What Are the Important Exam Requirements You Need to Know?
Just like all other ISACA certification exams, CISM consists of 150 questions. These are structured in multiple-choice format, with a time limit of 4 hours (240 minutes). The converted scale scores range from 200 to 800, and you need at least 450 points to pass. The exam fee differs for members and non-members: if you're a member, you pay $575, while non-members have to shell out $760.
Before taking the test, you will be given two delivery options. The first is in person at a testing site. The second is via a remote set-up in an online setting. Both options let you choose your preferred language. As of this writing, there are 4 selections: English, Japanese, Chinese Simplified, and Spanish.
Another thing to remember is the exam registration. You cannot take the CISM exam without first registering with ISACA and scheduling it. But don't worry, because this doesn't mean you have to sit for the exam as soon as possible after registration. You are given 12 months from the date of enrollment to take it, so keep this eligibility period in mind.
If you're wondering what kind of certificate is needed to become an effective information security (IS)/IT professional, it is none other than the CISM certification from ISACA. It is well recognized by companies around the world because of its strategic way of highlighting your abilities and developing your career. So, if you want to stay relevant despite the tough industry competition, getting this certification is a viable step.
NEW QUESTION 109
An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
- A. initiate awareness training to counter social engineering.
- B. immediately advise senior management of the elevated risk.
- C. increase monitoring activities to provide early detection of intrusion.
- D. perform a comprehensive assessment of the organization's exposure to the hacker's techniques.
Answer: B
Explanation:
Information about possible significant new risks from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat. The security manager should assess the risk, but senior management should be immediately advised. It may be prudent to initiate an awareness campaign subsequent to sounding the alarm if awareness training is not current. Monitoring activities should also be increased.
NEW QUESTION 110
Investments in information security technologies should be based on:
- A. vulnerability assessments.
- B. audit recommendations.
- C. business climate.
- D. value analysis.
Answer: D
Explanation:
Investments in security technologies should be based on a value analysis and a sound business case.
Demonstrated value takes precedence over the current business climate because it is ever changing.
Basing decisions on audit recommendations would be reactive in nature and might not address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.
NEW QUESTION 111
The FIRST step in developing an information security management program is to:
- A. assess adequacy of controls to mitigate business risks.
- B. assign responsibility for the program.
- C. identify business risks that affect the organization.
- D. clarify organizational purpose for creating the program.
Answer: D
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
In developing an information security management program, the first step is to clarify the organization's purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.
NEW QUESTION 112
Which of the following BEST describes an intrusion detection system (IDS) that learns the system behaviors prior to detecting potential intrusions?
- A. Network-based IDS
- B. Anomaly-based IDS
- C. Application-based IDS
- D. Host-based IDS
Answer: B
NEW QUESTION 113
Which of the following should an information security manager do NEXT after creating a roadmap to execute the strategy for an information security program?
- A. Develop a project plan to implement the strategy.
- B. Obtain consensus on the strategy from the executive board.
- C. Review alignment with business goals.
- D. Define organizational risk tolerance.
Answer: A
NEW QUESTION 114
A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?
- A. Conduct a penetration test.
- B. Prepare an impact assessment report.
- C. Obtain approval from senior management.
- D. Back up the firewall configuration and policy files.
Answer: B
Explanation:
An impact assessment report needs to be prepared first, providing the justification for the change, an analysis of the changes to be made, the impact if the change does not work as expected, the priority of the change and the urgency of the change request. Choices A, C and D could be important steps, but the impact assessment report should be completed before the other steps.
NEW QUESTION 115
Which of the following BEST validates that security controls are implemented in a new business process?
- A. Benchmark the process against industry practices
- B. Assess the process according to information security policy.
- C. Review the process for conformance with information security best practices.
- D. Verify the use of a recognized control framework.
Answer: B
NEW QUESTION 116
Which of the following contributes MOST to the effective implementation of an information security strategy?
- A. Endorsement by senior management
- B. Regular security awareness training
- C. Implementation of security standards
- D. Reporting of security metrics
Answer: A
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION 117
When outsourcing information security administration, it is MOST important for an organization to include:
- A. insurance requirements
- B. service level agreements (SLAs)
- C. nondisclosure agreements (NDAs)
- D. contingency plans
Answer: C
Explanation:
Section: INCIDENT MANAGEMENT AND RESPONSE
NEW QUESTION 118
Which of the following is MOST important for an information security manager to communicate to senior management regarding the security program?
- A. User roles and responsibilities
- B. Potential risks and exposures
- C. Impact analysis results
- D. Security architecture changes
Answer: C
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION 119
Which of the following characteristics is important to a bank in a high-value online financial transaction system?
- A. Authentication
- B. Identification
- C. Audit monitoring
- D. Confidentiality
Answer: D
NEW QUESTION 120
Which of the following should be the PRIMARY consideration when selecting a recovery site?
- A. Regulatory requirements
- B. Recovery point objective
- C. Recovery time objective
- D. Geographical location
Answer: C
NEW QUESTION 121
An information security manager learns that IT personnel are not adhering to the information security policy because it creates process inefficiencies. What should the information security manager do FIRST?
- A. Determine the risk related to noncompliance with the policy.
- B. Conduct user awareness training within the IT function.
- C. Request that internal audit conduct a review of the policy development process.
- D. Propose that IT update information security policies and procedures.
Answer: A
NEW QUESTION 122
Which of the following poses the GREATEST risk to the operational effectiveness of an incident response team?
- A. The lack of automated communication channels
- B. The lack of a security information and event management (SIEM) system
- C. The lack of forensic investigation skills
- D. The lack of delegated authority
Answer: D
NEW QUESTION 123
Which of the following is the BEST way to evaluate the impact of threat events on an organization's IT operations?
- A. Scenario analysis
- B. Controls review
- C. Risk assessment
- D. Penetration testing
Answer: D
NEW QUESTION 124
When an organization is implementing an information security governance program, its board of directors should be responsible for:
- A. drafting information security policies.
- B. auditing for compliance.
- C. setting the strategic direction of the program.
- D. reviewing training and awareness programs.
Answer: C
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.
NEW QUESTION 125
When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
- A. Develop a compliance risk assessment
- B. Develop policies that meet all mandated requirements
- C. Create separate policies to address each regulation
- D. Incorporate policy statements provided by regulators
Answer: B
Explanation:
It will be much more efficient to craft all relevant requirements into policies than to create separate versions.
Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.
NEW QUESTION 126
Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
- A. All equipment is provided "at time of disaster, not on floor"
- B. The facility is subject to a "first-come, first-served" policy
- C. A hot site facility will be shared in multiple disaster declarations
- D. Equipment may be substituted with equivalent model
Answer: A
Explanation:
Equipment provided "at time of disaster (ATOD), not on floor" means that the equipment is not available but will be acquired by the commercial hot site provider on a best-effort basis. This leaves the customer at the mercy of the marketplace. If equipment is not immediately available, the recovery will be delayed. Many commercial providers do require sharing facilities in cases where there are multiple simultaneous declarations, and priority may be established on a first-come, first-served basis. It is also common for the provider to substitute equivalent or better equipment, as they are frequently upgrading and changing equipment.
NEW QUESTION 127
The risk of mishandling alerts identified by an intrusion detection system (IDS) would be the GREATEST when:
- A. operations and monitoring are handled by different teams.
- B. IDS sensors are misconfigured.
- C. standard operating procedures are not formalized.
- D. the IT infrastructure is diverse.
Answer: C
Explanation:
Section: INFORMATION RISK MANAGEMENT
NEW QUESTION 128
An organization manages payroll and accounting systems for multiple client companies. Which of the following contract terms would indicate a potential weakness for a disaster recovery hot site?
- A. Timestamp of declaration will determine priority of access to facility
- B. Servers will be provided at time of disaster (not on floor).
- C. Exclusive use of hot site is limited to six weeks (following declaration)
- D. Work-area size is limited but can be augmented with nearby office space
Answer: B
NEW QUESTION 129
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
- A. audit management.
- B. operational units.
- C. legal counsel.
- D. end users.
Answer: B
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate. End users and legal counsel are normally not involved in procedure development. Audit management generally oversees information security operations but does not get involved at the procedural level.
NEW QUESTION 130
Which of the following is the BEST option for addressing regulations that will adversely affect the allocation of information security program resources?
- A. Conduct assessments for management decisions
- B. Prioritize compliance efforts based on probability.
- C. Determine compliance levels of peer organizations.
- D. Delay implementation of compliance activities.
Answer: A
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
NEW QUESTION 132
At what stage of the applications development process should the security department initially become involved?
- A. At programming
- B. When requested
- C. At testing
- D. At detail requirements
Answer: D
Explanation:
Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process.
NEW QUESTION 133
To meet operational business needs, IT staff bypassed the change process and applied an unauthorized update to a critical business system. Which of the following is the information security manager's BEST course of action?
- A. Instruct IT staff to revert the unauthorized update
- B. Consult with supervisors of IT staff regarding disciplinary action
- C. Update the system configuration item to reflect the change
- D. Assess the security risks introduced by the change.
Answer: D
NEW QUESTION 134

