
CISM Study Material & Certified Information Security Manager



NEW QUESTION NO: 6
It is important to develop an information security baseline because it helps to define:
A. critical information resources needing protection.
B. a security policy for the entire organization.
C. the minimum acceptable security to be implemented.
D. required physical and logical access controls.
Answer: C
Explanation/Reference:
Explanation:
Developing an information security baseline helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with their respective criticality levels. Before determining the security baseline, an information security manager must establish the security policy, identify the criticality levels of the organization's information resources and assess the risk environment in which those resources operate.

NEW QUESTION NO: 7
Which of the following authentication methods prevents authentication replay?
A. Password hash implementation
B. Challenge/response mechanism
C. Wired Equivalent Privacy (WEP) encryption usage
D. HTTP Basic Authentication
Answer: B
Explanation/Reference:
Explanation:
A challenge/response mechanism prevents replay attacks by sending a different random challenge in each authentication event. The response is linked to that challenge. Therefore, capturing the authentication handshake and replaying it through the network will not work. Using hashes by itself will not prevent a replay. A WEP key will not prevent sniffing (it just takes a few more minutes to break the WEP key if the attacker does not already have it) and therefore will not be able to prevent recording and replaying an authentication handshake. HTTP Basic Authentication is clear text and has no mechanism to prevent replay.

NEW QUESTION NO: 8
Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?
A. Incident response metrics
B. Periodic auditing of the incident response process
C. Action recording and review
D. Post incident review
Answer: D
Explanation/Reference:
Explanation:
Post event reviews are designed to identify gaps and shortcomings in the actual incident response process so that these gaps may be improved over time. The other choices will not provide the same level of feedback in improving the process.

NEW QUESTION NO: 9
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
A. Data owner
B. Data custodian
C. Systems programmer
D. Security administrator
Answer: C
Explanation/Reference:
Explanation:
A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.

NEW QUESTION NO: 10
When a security standard conflicts with a business objective, the situation should be resolved by:
A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.
Answer: C
Explanation/Reference:
Explanation:
Conflicts of this type should be resolved based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis.

NEW QUESTION NO: 11
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?
A. Implement countermeasures.
B. Eliminate the risk.
C. Transfer the risk.
D. Accept the risk.
Answer: C
Explanation/Reference:
Explanation:
Risks are typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include hurricanes, tornadoes and earthquakes. Implementing countermeasures may not be the most cost-effective approach to security management. Eliminating the risk may not be possible. Accepting the risk would leave the organization vulnerable to a catastrophic disaster which may cripple or ruin the organization. It would be more cost effective to pay recurring insurance costs than to be affected by a disaster from which the organization cannot financially recover.

NEW QUESTION NO: 12
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
A. Information security officer
B. Security steering committee
C. Data owner
D. Data custodian
Answer: B
Explanation/Reference:
Explanation:
Routine administration of all aspects of security is delegated, but senior management must retain overall responsibility. The information security officer supports and implements information security for senior management. The data owner is responsible for categorizing data security requirements. The data custodian supports and implements information security as directed.

NEW QUESTION NO: 13
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan.
B. based on the current rate of technological change.
C. three-to-five years for both hardware and software.
D. aligned with the business strategy.
Answer: D
Explanation/Reference:
Explanation:
Any planning for information security should be properly aligned with the needs of the business.
Technology should not come before the needs of the business, nor should planning be done on an artificial timetable that ignores business needs.

NEW QUESTION NO: 14
When developing an information security program, what is the MOST useful source of information for determining available resources?
A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory
Answer: D
Explanation/Reference:
Explanation:
A skills inventory would help identify the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.

NEW QUESTION NO: 15
Which of the following is an inherent weakness of signature-based intrusion detection systems?
A. A higher number of false positives
B. New attack methods will be missed
C. Long duration probing will be missed
D. Attack profiles can be easily spoofed
Answer: B
Explanation/Reference:
Explanation:
Signature-based intrusion detection systems do not detect new attack methods for which signatures have not yet been developed. False positives are not necessarily any higher, and spoofing is not relevant in this case. Long duration probing is more likely to fool anomaly-based systems (the boiling frog technique).

NEW QUESTION NO: 16
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
A. External auditors
B. A peer group within a similar business
C. Process owners
D. A specialized management consultant
Answer: C
Explanation/Reference:
Explanation:
Process owners have the most in-depth knowledge of risks and compensating controls within their environment. External parties do not have that level of detailed knowledge on the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.


Posted 2018/8/1 14:18:34 | Category: ISACA | Tags: CISM Study Material, CISM Reliable Study Guide Book, CISM, ISACA