100% Valid and Newest Version CISM Questions & Answers shared by Certleader

https://www.certleader.com/CISM-dumps.html (415 Q&As)

CISM Dumps

Certified Information Security Manager

https://www.certleader.com/CISM-dumps.html

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

NEW QUESTION 1
- (Topic 2)
Data entry functions for a web-based application have been outsourced to a third-party service provider who will work from a remote site Which of the following
issues would be of GREATEST concern to an information security manager?

A. The application does not use a secure communications protocol

B. The application is configured with restrictive access controls
C. The business process has only one level of error checking
D. Server-based malware protection is not enforced

Answer: D

Explanation:
Server-based malware protection is not enforced is the issue that would be of GREATEST concern to an information security manager, as it exposes the web-
based application and its data to potential threats from malicious software that can compromise the confidentiality, integrity, and availability of the information.
Server-based malware protection is a security control that monitors and blocks malicious activities on the server where the application runs, such as viruses,
worms, trojans, ransomware, etc. Without server-based malware protection, the web-based application may be vulnerable to attacks that can damage or destroy
the data stored on the server, or disrupt the normal functioning of the application. The other issues are also important, but not as critical as server-based malware
protection. The application does not use a secure communications protocol may expose sensitive data in transit to eavesdropping or interception by unauthorized
parties. The application is configured with restrictive access controls may limit the access rights of legitimate users to authorized resources, but it does not prevent
unauthorized users from accessing them through other means. The business process has only one level of error checking may result in incorrect or inconsistent
data entry or processing, but it does not guarantee data quality or accuracy. References = CISM Review Manual, 16th Edition, page 1751; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, page 812

NEW QUESTION 2
- (Topic 1)
Which of the following is the BEST indicator of an organization's information security status?

A. Intrusion detection log analysis

B. Controls audit
C. Threat analysis
D. Penetration test

Answer: B

Explanation:
A controls audit is the best indicator of an organization’s information security status, as it provides an independent and objective assessment of the design,
implementation, and effectiveness of the information security controls. A controls audit can also identify the strengths and weaknesses of the information security
program, as well as the compliance with the policies, standards, and regulations. A controls audit can cover various aspects of information security, such as
governance, risk management, incident management, business continuity, and technical security. A controls audit can be conducted by internal or external
auditors, depending on the scope, purpose, and frequency of the audit.
The other options are not as good as a controls audit, as they do not provide a comprehensive and holistic view of the information security status. Intrusion
detection log analysis is a technique to monitor and analyze the network or system activities for signs of unauthorized or malicious access or attacks. It can help to
detect and respond to security incidents, but it does not measure the overall performance or maturity of the information security program. Threat analysis is a
process to identify and evaluate the potential sources, methods, and impacts of threats to the information assets. It can help to prioritize and mitigate the risks, but
it does not verify the adequacy or functionality of the information security controls. Penetration test is a simulated attack on the network or system to evaluate the
vulnerability and exploitability of the information security defenses. It can help to validate and improve the technical security, but it does not assess the non-
technical aspects of information security, such as governance, policies, or awareness. References =
? CISM Review Manual, 16th Edition, ISACA, 2022, pp. 211-212, 215-216, 233-234, 237-238.
? CISM Questions, Answers & Explanations Database, ISACA, 2022, QID 1012.

NEW QUESTION 3
- (Topic 1)
Which of the following is MOST helpful in determining an organization's current capacity to mitigate risks?

A. Capability maturity model

B. Vulnerability assessment
C. IT security risk and exposure
D. Business impact analysis (BIA)

Answer: A

Explanation:
A capability maturity model (CMM) is a framework that helps organizations assess and improve their processes and capabilities in various domains, such as
software development, project management, information security, and others1. A CMM defines a set of levels or stages that represent the degree of maturity or
effectiveness of an organization’s processes and capabilities in a specific domain. Each level has a set of criteria or characteristics that an organization must meet
to achieve that level of maturity. A CMM also provides guidance and best practices on how to progress from one level to another, and how to measure and monitor
the performance and improvement of the processes and capabilities2.
A CMM is most helpful in determining an organization’s current capacity to mitigate risks, because it provides a systematic and objective way to evaluate the
strengths and weaknesses of the organization’s processes and capabilities related to risk management. A CMM can help an organization identify the gaps and
opportunities for improvement in its risk management practices, and prioritize the actions and resources needed to address them. A CMM can also help an
organization benchmark its risk management maturity against industry standards or best practices, and demonstrate its compliance with regulatory or contractual
requirements3.
The other options are not as helpful as a CMM in determining an organization’s current capacity to mitigate risks, because they are either more specific, limited, or
dependent on a CMM. A vulnerability assessment is a process of identifying and analyzing the vulnerabilities in an organization’s systems, networks, or
applications, and their potential impact on the organization’s assets, operations, or reputation. A vulnerability assessment can help an organization identify the
sources and levels of risk, but it does not provide a comprehensive or holistic view of the organization’s risk management maturity or effectiveness4. IT security
risk and exposure is a measure of the likelihood and impact of a security breach or incident on an organization’s IT assets, operations, or reputation. IT security
risk and exposure can help an organization quantify and communicate the level of risk, but it does not provide a framework or guidance on how to improve the

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

organization’s risk management processes or capabilities5. A business impact analysis (BIA) is a process of identifying and evaluating the potential effects of a
disruption or disaster on an organization’s critical business functions, processes, or resources. A BIA can help an organization determine the priorities and
requirements for business continuity and disaster recovery, but it does not provide a method or standard for assessing or enhancing the organization’s risk
management maturity or effectiveness. References = 1: CMMI Institute - What is CMMI? - Capability Maturity Model Integration 2: Capability Maturity Model and
Risk Register Integration: The Right … 3: Performing Risk Assessments of Emerging Technologies - ISACA 4: CISM Review Manual 15th Edition, Chapter 4,
Section 4.2 5: CISM Review Manual 15th Edition, Chapter 4, Section 4.3 : CISM Review Manual 15th Edition, Chapter 4, Section 4.4

NEW QUESTION 4
- (Topic 1)
An information security manager learns that IT personnel are not adhering to the information security policy because it creates process inefficiencies. What should
the information security manager do FIRST?

A. Conduct user awareness training within the IT function.

B. Propose that IT update information security policies and procedures.
C. Determine the risk related to noncompliance with the policy.
D. Request that internal audit conduct a review of the policy development process,

Answer: C

Explanation:
The information security manager should first determine the risk related to noncompliance with the policy, as this will help to understand the impact and likelihood
of the policy violation and the potential consequences for the organization. The information security manager can then use the risk assessment results to
communicate the importance of the policy to the IT personnel, propose any necessary changes to the policy or the processes, or request an audit of the policy
development process, depending on the situation. Conducting user awareness training, updating policies and procedures, or requesting an audit are possible
actions that the information security manager can take after determining the risk, but they are not the first step. References = CISM Review Manual, 16th Edition,
Chapter 2: Information Risk Management, Section: Risk Assessment, page 86; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question
59, page 60.

NEW QUESTION 5
- (Topic 1)
Which of the following MUST happen immediately following the identification of a malware incident?

A. Preparation
B. Recovery
C. Containment
D. Eradication

Answer: C

Explanation:
Containment is the action that MUST happen immediately following the identification of a malware incident because it aims to isolate the affected systems or
networks from the rest of the environment and prevent the spread or escalation of the malware. Containment can involve disconnecting the systems or networks
from the internet, blocking or filtering certain ports or protocols, or creating separate VLANs or subnets for the isolated systems or networks. Containment is part of
the incident response process and should be performed as soon as possible after detecting a malware incident12. Preparation (A) is the phase that happens
before the identification of a malware incident, where the organization establishes the incident response plan, team, roles, resources, and tools. Preparation is
essential for ensuring the readiness and capability of the organization to respond to malware incidents effectively and efficiently12. Recovery (B) is the phase that
happens after the containment and eradication of a malware incident, where the organization restores the normal operations of the systems or networks, verifies
the functionality and security of the systems or networks, and implements the preventive
and corrective measures to avoid or mitigate future malware incidents. Recovery is the final phase of the incident response process and should be performed after
ensuring that the malware incident is fully resolved and the systems or networks are clean and secure12. Eradication (D) is the phase that happens after the
containment of a malware incident, where the organization removes the malware and its traces from the systems or networks, identifies the root cause and impact
of the malware incident, and collects and preserves the evidence for analysis and investigation. Eradication is an important phase of the incident response
process, but it does not happen immediately after the identification of a malware incident12. References = 1: CISM Review Manual 15th Edition, page 308-3091; 2:
Cybersecurity Incident Response Exercise Guidance - ISACA2

NEW QUESTION 6
- (Topic 1)
Which of the following methods is the BEST way to demonstrate that an information security program provides appropriate coverage?

A. Security risk analysis

B. Gap assessment
C. Maturity assessment
D. Vulnerability scan report

Answer: B

Explanation:
A gap assessment is the best way to demonstrate that an information security program provides appropriate coverage, as it compares the current state of the
information security program with the desired state based on the organization’s objectives, policies, standards, and regulations. A gap assessment can identify the
strengths and weaknesses of the information security program, as well as the areas that need improvement or alignment. A gap assessment can also provide
recommendations and action plans to close the gaps and achieve the desired level of information security coverage.
The other options are not as good as a gap assessment, as they do not provide a comprehensive and holistic view of the information security coverage. Security
risk analysis is a process to identify and evaluate the risks to the information assets and the impact of potential threats and vulnerabilities. It can help to prioritize
and mitigate the risks, but it does not measure the compliance or performance of the information security program. Maturity assessment is a process to measure
the level of maturity of the information security program based on a predefined model or framework. It can help to benchmark and improve the information security
program, but it does not account for the specific needs and expectations of the organization. Vulnerability scan report is a document that shows the results of a
scan on the network or system to identify the existing or potential vulnerabilities. It can help to validate and improve the technical security, but it does not assess
the non-technical aspects of information security, such as governance, policies, or awareness. References =
? CISM Review Manual, 16th Edition, ISACA, 2022, pp. 211-212, 215-216, 233-234,
237-238.

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

? CISM Questions, Answers & Explanations Database, ISACA, 2022, QID 1015.
? CISM domain 3: Information security program development and management [2022 update], Infosec Certifications, 2.

NEW QUESTION 7
- (Topic 1)
Which of the following is MOST helpful for determining which information security policies should be implemented by an organization?

A. Risk assessment
B. Business impact analysis (BIA)
C. Vulnerability assessment
D. Industry best practices

Answer: A

Explanation:
Information security policies are high-level statements or rules that define the goals and objectives of information security in an organization, and provide the
framework and direction for implementing and enforcing security controls and processes1. Information security policies should be aligned with the organization’s
business goals and objectives, and reflect the organization’s risk appetite and tolerance2. Therefore, the most helpful activity for determining which information
security policies should be implemented by an organization is a risk assessment.
A risk assessment is a systematic process of identifying, analyzing, and evaluating the risks that an organization faces, and determining the appropriate risk
responses3. A risk assessment helps to determine the following aspects of information security policies:
? The scope and applicability of the policies, based on the assets, threats, and vulnerabilities that affect the organization’s security objectives and requirements.
? The level and type of security controls and processes that are needed to mitigate the risks, based on the likelihood and impact of the risk scenarios and the cost-
benefit analysis of the risk responses.
? The roles and responsibilities of the stakeholders involved in the implementation and enforcement of the policies, based on the risk ownership and accountability.
? The metrics and indicators that are used to measure and monitor the effectiveness and compliance of the policies, based on the risk appetite and tolerance.
The other options, such as a business impact analysis (BIA), a vulnerability assessment, or industry best practices, are not as helpful as a risk assessment for
determining which information security policies should be implemented by an organization, because they have the following limitations:
? A business impact analysis (BIA) is a process of identifying and evaluating the potential effects of disruptions or incidents on the organization’s critical business
functions and processes, and determining the recovery priorities and objectives. A BIA can help to support the risk assessment by providing information on the
impact and criticality of the assets and processes, but it cannot identify or analyze the threats and vulnerabilities that pose risks to the organization, or determine
the appropriate risk responses or controls.
? A vulnerability assessment is a process of identifying and measuring the weaknesses or flaws in the organization’s systems, networks, or applications that could
be exploited by threat actors. A vulnerability assessment can help to support the risk assessment by providing information on the vulnerabilities and exposures that
affect the organization’s security posture, but it cannot identify or analyze the threats or likelihood that could exploit the vulnerabilities, or determine the
appropriate risk responses or controls.
? Industry best practices are the standards or guidelines that are widely accepted and followed by the information security community or the organization’s
industry sector, based on the experience and knowledge of the experts and practitioners. Industry best practices can help to inform and guide the development
and implementation of information security policies, but they cannot replace or substitute the risk assessment, as they may not reflect the organization’s specific
context, needs, and objectives, or address the organization’s unique risks and challenges.
References = 1: CISM Review Manual 15th Edition, page 29 2: CISM Review Manual 15th Edition, page 30 3: CISM Review Manual 15th Edition, page 121 : CISM
Review Manual 15th Edition, page 122 : CISM Review Manual 15th Edition, page 123 : CISM Review Manual 15th Edition, page 124 : CISM Review Manual 15th
Edition, page 125 : CISM Review Manual 15th Edition, page 126

NEW QUESTION 8
- (Topic 1)
Penetration testing is MOST appropriate when a:

A. new system is about to go live.

B. new system is being designed.
C. security policy is being developed.
D. security incident has occurred,

Answer: A

Explanation:
= Penetration testing is most appropriate when a new system is about to go live, because it is a method of evaluating the security of a system by simulating an
attack from a malicious source. Penetration testing can help to identify and exploit vulnerabilities, assess the impact and risk of a breach, and provide
recommendations for remediation and improvement. Penetration testing can also help to validate the effectiveness of the security controls and policies
implemented for the new system, and ensure compliance with relevant standards and regulations. Penetration testing is usually performed after the system has
undergone other types of testing, such as functional, performance, and usability testing, and before the system is deployed to the production environment.
Penetration testing is not as appropriate when a new system is being designed, because the system is still in the early stages of development and may not have all
the features and functionalities implemented. Penetration testing at this stage may not provide a realistic or comprehensive assessment of the system’s security,
and may cause delays or disruptions in the development process. Penetration testing is also not as appropriate when a security policy is being developed,
because the policy is a high-level document that defines the goals, objectives, and principles of information security for the organization. Penetration testing is a
technical and operational activity that tests the implementation and enforcement of the policy, not the policy itself. Penetration testing is also not as appropriate
when a security incident has occurred, because the incident may have already compromised the system and caused damage or loss. Penetration testing at this
stage may not be able to prevent or mitigate the incident, and may interfere with the incident response and recovery efforts. Penetration testing after an incident
may be useful for forensic analysis and lessons learned, but it is not the primary or immediate response to an incident. References = CISM Review Manual, 16th
Edition, ISACA, 2021, pages 229-230, 233-234.

NEW QUESTION 9
- (Topic 1)
Which of the following BEST enables staff acceptance of information security policies?

A. Strong senior management support

B. Gomputer-based training
C. Arobust incident response program
D. Adequate security funding

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

Answer: A

Explanation:
= Strong senior management support is the best factor to enable staff acceptance of information security policies, as it demonstrates the commitment and
leadership of the organization’s top executives in promoting and enforcing a security culture. Senior management support can also help ensure that the
information security policies are aligned with the business goals and values, communicated effectively to all levels of the organization, and integrated into the
performance evaluation and reward systems. Senior management support can also help overcome any resistance or challenges from other stakeholders, such as
business units, customers, or regulators123. References =
? 1: CISM Review Manual 15th Edition, page 26-274
? 2: CISM Practice Quiz, question 1102
? 3: Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, page 5-6

NEW QUESTION 10
- (Topic 1)
Which of the following BEST facilitates effective incident response testing?

A. Including all business units in testing

B. Simulating realistic test scenarios
C. Reviewing test results quarterly
D. Testing after major business changes

Answer: B

Explanation:
Effective incident response testing is a process of verifying and validating the incident response plan, procedures, roles, and resources that are designed to
respond to and recover from information security incidents. The purpose of testing is to ensure that the incident response team and the organization are prepared,
capable, and confident to handle any potential or actual incidents that could affect the business continuity, reputation, and value. The best way to facilitate effective
testing is to simulate realistic test scenarios that reflect the most likely or critical threats and vulnerabilities that could cause an incident, and the most relevant or
significant impacts and consequences that could result from an incident. Simulating realistic test scenarios can help to evaluate the adequacy, accuracy, and
applicability of the incident response plan, procedures, roles, and resources, as well as to identify and address any gaps, weaknesses, or errors that could hinder
or compromise the incident response process. Simulating realistic test scenarios can also help to enhance the skills, knowledge, and experience of the incident
response team and the organization, as well as to improve the communication, coordination, and collaboration among the stakeholders involved in the incident
response process. Simulating realistic test scenarios
can also help to measure and report the effectiveness and efficiency of the incident response process, and to provide feedback and recommendations for
improvement and optimization. References = CISM Review Manual 15th Edition, page 2401; CISM Practice Quiz, question 1362

NEW QUESTION 10
- (Topic 1)
Which of the following is the BEST evidence of alignment between corporate and information security governance?

A. Security key performance indicators (KPIs)

B. Project resource optimization
C. Regular security policy reviews
D. Senior management sponsorship

Answer: D

Explanation:
Alignment between corporate and information security governance means that the information security program supports the organizational goals and objectives,
and is integrated into the enterprise governance structure. The best evidence of alignment is the senior management sponsorship, which demonstrates the
commitment and support of the top-level executives and board members for the information security program. Senior management sponsorship also ensures that
the information security program has adequate resources, authority, and accountability to achieve its objectives and address the risks and issues that affect the
organization. Senior management sponsorship also helps to establish a culture of security awareness and compliance throughout the organization, and to
communicate the value and benefits of the information security program to the stakeholders.
References =
? CISM Review Manual 15th Edition, page 1631
? CISM 2020: Information Security & Business Process Alignment, video 22
? Certified Information Security Manager (CISM), page 33

NEW QUESTION 11
- (Topic 1)
Which of the following is the BEST indication of an effective information security awareness training program?

A. An increase in the frequency of phishing tests

B. An increase in positive user feedback
C. An increase in the speed of incident resolution
D. An increase in the identification rate during phishing simulations

Answer: D

Explanation:
An effective information security awareness training program should aim to improve the knowledge, skills and behavior of the employees regarding information
security. One of the ways to measure the effectiveness of such a program is to conduct phishing simulations, which are mock phishing attacks that test the
employees’ ability to identify and report phishing emails. An increase in the identification rate during phishing simulations indicates that the employees have
learned how to recognize and avoid phishing attempts, which is one of the common threats to information security. Therefore, this is the best indication of an
effective information security awareness training program among the given options.
The other options are not as reliable or relevant as indicators of an effective information security awareness training program. An increase in the frequency of
phishing tests does not necessarily mean that the employees are learning from them or that the tests are aligned with the learning objectives of the program. An
increase in positive user feedback may reflect the satisfaction or engagement of the employees with the program, but it does not measure the actual learning
outcomes or behavior changes. An increase in the speed of incident resolution may be influenced by other factors, such as the availability and efficiency of the

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

incident response team, the severity and complexity of the incidents, or the tools and processes used for incident management. Moreover, the speed of incident
resolution does not reflect the prevention or reduction of incidents, which is a more desirable goal of an information security awareness training program.
References =
? CISM Review Manual, 16th Edition, ISACA, 2022, pp. 201-202, 207-208.
? CISM Questions, Answers & Explanations Database, ISACA, 2022, QID 1001.

NEW QUESTION 12
- (Topic 1)
When choosing the best controls to mitigate risk to acceptable levels, the information security manager's decision should be MAINLY driven by:

A. best practices.
B. control framework
C. regulatory requirements.
D. cost-benefit analysis,

Answer: D

Explanation:
Cost-benefit analysis (CBA) is a method of comparing the costs and benefits of different alternatives for achieving a desired outcome. CBA can help information
security managers to choose the best controls to mitigate risk to acceptable levels by providing a rational and objective basis for decision making. CBA can also
help information security managers to justify their choices to senior management, stakeholders, and auditors by demonstrating the value and return on investment
of the selected controls. CBA can also help information security managers to prioritize and allocate resources for implementing and maintaining the controls12.
CBA involves the following steps12:
? Identify the objectives and scope of the analysis
? Identify the alternatives and options for achieving the objectives
? Identify and quantify the costs and benefits of each alternative
? Compare the costs and benefits of each alternative using a common metric or criteria
? Select the alternative that maximizes the net benefit or minimizes the net cost
? Perform a sensitivity analysis to test the robustness and validity of the results
? Document and communicate the results and recommendations
CBA is mainly driven by the information security manager’s decision, but it can also take into account other factors such as best practices, control frameworks,
and regulatory requirements. However, these factors are not the primary drivers of CBA, as they may not always reflect the specific needs and context of the
organization. Best practices are general guidelines or recommendations that may not suit every situation or environment. Control frameworks are standardized
models or methodologies that may not cover all aspects or dimensions of information security. Regulatory requirements are mandatory rules or obligations that
may not address all risks or threats faced by the organization. Therefore, CBA is the best method to choose the most appropriate and effective controls to mitigate
risk to acceptable levels, as it considers the costs and benefits of each control in relation to the organization’s objectives, resources, and environment12.
References = CISM Domain 2: Information Risk Management (IRM) [2022 update], Five Key Considerations When Developing Information Security Risk
Treatment Plans

NEW QUESTION 15
- (Topic 1)
Which of the following BEST supports information security management in the event of organizational changes in security personnel?

A. Formalizing a security strategy and program

B. Developing an awareness program for staff
C. Ensuring current documentation of security processes
D. Establishing processes within the security operations team

Answer: C

Explanation:
Ensuring current documentation of security processes is the best way to support information security management in the event of organizational changes in
security personnel. Documentation of security processes provides a clear and consistent reference for the roles, responsibilities, procedures, and standards of the
information security program. It helps to maintain the continuity and effectiveness of the security operations, as well as the compliance with the security policies
and regulations. Documentation of security processes also facilitates the knowledge transfer and training of new or existing security personnel, as well as the
communication and collaboration with other stakeholders. By ensuring current documentation of security processes, the information security manager can
minimize the impact of organizational changes in security personnel, and ensure a smooth transition and alignment of the security program. References = CISM
Review Manual 15th Edition, page 43, page 45.

NEW QUESTION 16
- (Topic 1)
Which of the following would be the BEST way for an information security manager to improve the effectiveness of an organization’s information security
program?

A. Focus on addressing conflicts between security and performance.

B. Collaborate with business and IT functions in determining controls.
C. Include information security requirements in the change control process.
D. Obtain assistance from IT to implement automated security cantrals.

Answer: B

Explanation:
The best way for an information security manager to improve the effectiveness of an organization’s information security program is to collaborate with business
and IT functions in determining controls. Collaboration is a key factor for ensuring that the information security program is aligned with the organization’s business
objectives, risk appetite, and security strategy, and that it supports the business processes and activities. Collaboration also helps to gain the buy-in, involvement,
and ownership of the business and IT functions, who are the primary stakeholders and users of the information security program. Collaboration also facilitates the
communication, coordination, and integration of the information security program across the organization, and enables the information security manager to
understand the needs, expectations, and challenges of the business and IT functions, and to propose the most appropriate and effective security controls and
solutions.
Focusing on addressing conflicts between security and performance (A) is a possible way to improve the effectiveness of an information security program, but not

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

the best one. Security and performance are often competing or conflicting goals, as security controls may introduce overhead, complexity, or delays that affect the
efficiency, usability, or availability of the systems or processes. Addressing these conflicts may help to optimize the balance and trade-off between security and
performance, and to enhance the user satisfaction and acceptance of the security controls. However, focusing on addressing conflicts between security and
performance does not necessarily improve the alignment, integration, or communication of the information security program with the business and IT functions, nor
does it ensure the involvement or ownership of the stakeholders.
Including information security requirements in the change control process © is also a possible way to improve the effectiveness of an information security program,
but not the best one. The change control process is a process that manages the initiation, approval, implementation, and review of changes to the systems or
processes, such as enhancements, updates, or fixes. Including information security requirements in the change control process may help to ensure that the
changes do not introduce new or increased security risks or impacts, and that they comply with the security policies, standards, and procedures. However,
including information security requirements in the change control process does not necessarily improve the collaboration, communication, or coordination of the
information security program with the business and IT functions, nor does it ensure the buy-in or involvement of the stakeholders.
Obtaining assistance from IT to implement automated security controls (D) is also a possible way to improve the effectiveness of an information security program,
but not the best one. Automated security controls are security controls that are implemented by using software, hardware, or other technologies, such as
encryption, firewalls, or antivirus, to perform security functions or tasks without human intervention. Obtaining assistance from IT to implement automated security
controls may help to improve the efficiency, consistency, or reliability of the security controls, and to reduce the human errors, negligence, or malicious actions.
However, obtaining assistance from IT to implement automated security controls does not necessarily improve the collaboration, communication, or integration of
the information security program with the business and IT functions, nor does it ensure the ownership or involvement of the stakeholders. References = CISM
Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Strategy Development, Subsection: Collaboration, page
24-251

NEW QUESTION 17
- (Topic 1)
Which of the following BEST ensures information security governance is aligned with corporate governance?

A. A security steering committee including IT representation

B. A consistent risk management approach
C. An information security risk register
D. Integration of security reporting into corporate reporting

Answer: D

Explanation:
The best way to ensure information security governance is aligned with corporate governance is to integrate security reporting into corporate reporting. This will
enable the board and senior management to oversee and monitor the performance and effectiveness of the information security program, as well as the alignment
of information security objectives and strategies with business goals and risk appetite. Security reporting should provide relevant, timely, accurate, and actionable
information to support decision making and accountability. The other options are important components of information security governance, but they do not ensure
alignment with corporate governance by themselves. References = CISM Review Manual 15th Edition, page 411; CISM Review Questions, Answers &
Explanations Database - 12 Month Subscription, Question ID: 1027

NEW QUESTION 19
- (Topic 1)
Which of the following is the MOST important criterion when deciding whether to accept residual risk?

A. Cost of replacing the asset

B. Cost of additional mitigation
C. Annual loss expectancy (ALE)
D. Annual rate of occurrence

Answer: C

Explanation:
= Annual loss expectancy (ALE) is the most important criterion when deciding whether to accept residual risk, because it represents the expected monetary loss
for an asset due to a risk over a one-year period. ALE is calculated by multiplying the annual rate of occurrence (ARO) of a risk event by the single loss expectancy
(SLE) of the asset. ARO is the estimated frequency of a risk event occurring within a one-year period, and SLE is the estimated cost of a single occurrence of a
risk event. ALE helps to compare the cost and benefit of different risk responses, such as avoidance, mitigation, transfer, or acceptance. Risk acceptance is
appropriate when the ALE is lower than the cost of other risk responses, or when the risk is unavoidable or acceptable within the organization’s risk appetite and
tolerance. ALE also helps to prioritize the risks that need more attention and resources.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Assessment, page 831; CISM Review Questions,
Answers & Explanations Manual, 10th Edition, Question 22, page 242

NEW QUESTION 22
- (Topic 1)
Which of the following is the PRIMARY role of an information security manager in a software development project?

A. To enhance awareness for secure software design

B. To assess and approve the security application architecture
C. To identify noncompliance in the early design stage
D. To identify software security weaknesses

Answer: B

Explanation:
The primary role of an information security manager in a software development project is to assess and approve the security application architecture. The security
application architecture is the design and structure of the software application that defines how the application components interact with each other and with
external systems, and how the application implements the security requirements, principles, and best practices. The information security manager is responsible
for ensuring that the security application architecture is aligned with the organization’s information security policies, standards, and guidelines, and that it meets
the business objectives, functional specifications, and user expectations. The information security manager is also responsible for reviewing and evaluating the
security application architecture for its completeness, correctness, consistency, and compliance, and for identifying and resolving any security issues, risks, or
gaps. The information security manager is also responsible for approving the security application architecture before the software development project proceeds to
the next phase, such as coding, testing, or deployment.

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development and Management, Section: Information Security Program
Development, page 1581; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question
80, page 742.

NEW QUESTION 26
- (Topic 1)
An organization plans to offer clients a new service that is subject to regulations. What should the organization do FIRST when developing a security strategy in
support of this new service?

A. Determine security controls for the new service.

B. Establish a compliance program,
C. Perform a gap analysis against the current state
D. Hire new resources to support the service.

Answer: C

Explanation:
A gap analysis is a process of comparing the current state of an organization’s security posture with the desired or required state, and identifying the gaps or
discrepancies that need to be addressed. A gap analysis helps to determine the current level of compliance with relevant regulations, standards, and best
practices, and to prioritize the actions and resources needed to achieve the desired level of compliance1. A gap analysis should be performed first when
developing a security strategy in support of a new service that is subject to regulations, because it provides the following benefits2:
? It helps to understand the scope and impact of the new service on the organization’s security objectives, risks, and controls.
? It helps to identify the legal, regulatory, and contractual requirements that apply to the new service, and the potential penalties or consequences of non-
compliance.
? It helps to assess the effectiveness and efficiency of the existing security controls, and to identify the gaps or weaknesses that need to be remediated or
enhanced.
? It helps to align the security strategy with the business goals and objectives of the new service, and to ensure the security strategy is consistent and coherent
across the organization.
? It helps to communicate the security requirements and expectations to the stakeholders involved in the new service, and to obtain their support and commitment.
The other options, such as determining security controls for the new service, establishing a compliance program, or hiring new resources to support the service,
are not the first steps when developing a security strategy in support of a new service that is subject to regulations, because they depend on the results and
recommendations of the gap analysis. Determining security controls for the new service requires a clear understanding of the security requirements and risks
associated with the new service, which can be obtained from the gap analysis. Establishing a compliance program requires a systematic and structured approach
to implement, monitor, and improve the security controls and processes that ensure compliance, which can be based on the gap analysis. Hiring new resources to
support the service requires a realistic and justified estimation of the human and financial resources needed to achieve the security objectives and compliance,
which can be derived from the gap analysis. References = 1: What is a Gap Analysis? |
Smartsheet 2: CISM Review Manual 15th Edition, page 121 : CISM Review Manual 15th Edition, page 122 : CISM Review Manual 15th Edition, page 123 : CISM
Review Manual 15th Edition, page 124 : CISM Review Manual 15th Edition, page 125 Learn more:
* 1. infosectrain.com2. resources.infosecinstitute.com3. resources.infosecinstitute.com4. resources.infosecinstitute.com+2 more

NEW QUESTION 28
- (Topic 1)
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should
the information security manager recommend be done FIRST?

A. Determine whether the organization can benefit from adopting the new standard.
B. Obtain legal counsel's opinion on the standard's applicability to regulations,
C. Perform a risk assessment on the new technology.
D. Review industry specialists’ analyses of the new standard.

Answer: A

Explanation:
= The first step that the information security manager should recommend when learning of a new standard related to an emerging technology is to determine
whether the organization can benefit from adopting the new standard. This involves evaluating the business objectives, needs, and requirements of the
organization, as well as the potential advantages, disadvantages, and challenges of implementing the new technology and the new standard. The information
security manager should also consider the alignment of the new standard with the organization’s existing policies, procedures, and standards, as well as the
impact of the new standard on the organization’s information security governance, risk management, program, and incident management. By conducting a
preliminary analysis of the feasibility, suitability, and desirability of the new standard, the information security manager can provide a sound basis for further
decision making and planning.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Standards, page 391; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, Question 43, page 412.

NEW QUESTION 30
- (Topic 1)
Which of the following is MOST important for building 4 robust information security culture within an organization?

A. Mature information security awareness training across the organization

B. Strict enforcement of employee compliance with organizational security policies
C. Security controls embedded within the development and operation of the IT environment
D. Senior management approval of information security policies

Answer: A

Explanation:
= Mature information security awareness training across the organization is the most important factor for building a robust information security culture, because it
helps to educate and motivate the employees to understand and adopt the security policies, procedures, and best practices that are aligned with the organizational
goals and values. Information security awareness training should be tailored to the specific roles, responsibilities, and needs of the employees, and should cover
the relevant topics, such as:
? The importance and value of information assets and the potential risks and threats to them

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

? The legal, regulatory, and contractual obligations and compliance requirements related to information security
? The organizational security policies, standards, and guidelines that define the expected and acceptable behaviors and actions regarding information security
? The security controls and tools that are implemented to protect the information assets and how to use them effectively and efficiently
? The security incidents and breaches that may occur and how to prevent, detect, report, and respond to them
? The security best practices and tips that can help to enhance the security posture and culture of the organization
Information security awareness training should be delivered through various methods and channels, such as:
? Online courses, webinars, videos, podcasts, and quizzes that are accessible and interactive
? Classroom sessions, workshops, seminars, and simulations that are engaging and practical
? Posters, flyers, newsletters, emails, and social media that are informative and catchy
? Games, competitions, rewards, and recognition that are fun and incentivizing Information security awareness training should be conducted regularly and updated
frequently, to ensure that the employees are aware of the latest security trends, challenges, and solutions, and that they can demonstrate their knowledge and
skills in a consistent and effective manner.
Mature information security awareness training can help to create a positive and proactive security culture that fosters trust, collaboration, and innovation among
the employees and the organization, and that supports the achievement of the strategic objectives and the mission and vision of the organization.
References = CISM Review Manual, 16th Edition, ISACA, 2021, pages 144-146, 149-150.

NEW QUESTION 32
- (Topic 1)
An organization needs to comply with new security incident response requirements. Which of the following should the information security manager do FIRST?

A. Create a business case for a new incident response plan.

B. Revise the existing incident response plan.
C. Conduct a gap analysis.
D. Assess the impact to the budget,

Answer: C

Explanation:
Before implementing any changes to the security incident response plan, the information security manager should first conduct a gap analysis to identify the
current state of the plan and compare it with the new requirements. A gap analysis is a systematic process of evaluating the differences between the current and
desired state of a system, process, or program. A gap analysis can help to identify the strengths and weaknesses of the existing plan, the gaps that need to be
addressed, the priorities and dependencies of the actions, and the resources and costs involved. A gap analysis can also help to create a business case for the
changes and justify the investment. A gap analysis can be conducted using various methods and tools, such as frameworks, standards, benchmarks,
questionnaires, interviews, audits, or tests1234.
References =
? CISM Review Manual 15th Edition, page 1631
? CISM certified information security manager study guide, page 452
? How To Conduct An Information Security Gap Analysis3
? PROACTIVE DETECTION - GOOD PRACTICES GAP ANALYSIS RECOMMENDATIONS4

NEW QUESTION 33
- (Topic 1)
Of the following, who is in the BEST position to evaluate business impacts?

A. Senior management
B. Information security manager
C. IT manager
D. Process manager

Answer: D

Explanation:
The process manager is the person who is responsible for overseeing and managing the business processes and functions that are essential for the
organization’s operations and objectives. The process manager has the most direct and detailed knowledge of the inputs, outputs, dependencies, resources, and
performance indicators of the business processes and functions. Therefore, the process manager is in the best position to evaluate the business impacts of a
disruption or an incident that affects the availability, integrity, or confidentiality of the information assets and systems that support the business processes and
functions. The process manager can identify and quantify the potential losses, damages, or consequences that could result from the disruption or incident, such as
revenue loss, customer dissatisfaction, regulatory non-compliance, reputational harm, or legal liability. The process manager can also provide input and feedback
to the information security manager and the senior management on the business continuity and disaster recovery plans, the risk assessment and treatment, and
the security controls and measures that are needed to protect and recover the business processes and functions. References = CISM Review Manual 15th Edition,
page 2301; CISM Practice Quiz, question 1302

NEW QUESTION 37
- (Topic 1)
In violation of a policy prohibiting the use of cameras at the office, employees have been issued smartphones and tablet computers with enabled web cameras.
Which of the following should be the information security manager's FIRST course of action?

A. Revise the policy.

B. Perform a root cause analysis.
C. Conduct a risk assessment,
D. Communicate the acceptable use policy.

Answer: C

Explanation:
= The information security manager’s first course of action in this situation should be to conduct a risk assessment, which is a process of identifying, analyzing,
and evaluating the information security risks that arise from the violation of the policy prohibiting the use of cameras at the office. The risk assessment can help to
determine the likelihood and impact of the unauthorized or inappropriate use of the cameras on the smartphones and tablet computers, such as capturing,
transmitting, or disclosing sensitive or confidential information, compromising the privacy or security of the employees, customers, or partners, or violating the legal
or regulatory requirements. The risk assessment can also help to identify and prioritize the appropriate risk treatment options, such as implementing technical,

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

administrative, or physical controls to disable, restrict, or monitor the camera usage, enforcing the policy compliance and awareness, or revising the policy to
reflect the current business needs and environment. The risk assessment can also help to communicate and report the risk level and status to the senior
management and the relevant stakeholders, and to provide feedback and recommendations for improvement and optimization of the policy and the risk
management process.
Revising the policy, performing a root cause analysis, and communicating the acceptable use policy are all possible courses of action that the information security
manager can take after conducting the risk assessment, but they are not the first ones. Revising the policy is a process of updating and modifying the policy to
align with the business objectives and strategy, to address the changes and challenges in the business and threat environment, and to incorporate the feedback
and suggestions from the risk assessment and the stakeholders. Performing a root cause analysis is a process of investigating and identifying the underlying
causes and factors that led to the violation of the policy, such as the lack of awareness, training, or enforcement, the inconsistency or ambiguity of the policy, or the
conflict or gap between the policy and the business requirements or expectations. Communicating the acceptable use policy is a process of informing and
educating the employees and the other users of the smartphones and tablet computers about the purpose, scope, and content of the policy, the roles and
responsibilities of the users, the benefits and consequences of complying or violating the policy, and the methods and channels of reporting or resolving any policy
issues or incidents. References = CISM Review Manual 15th Edition, pages 51-531; CISM Practice Quiz, question 1482

NEW QUESTION 39
- (Topic 1)
The MOST important reason for having an information security manager serve on the change management committee is to:

A. identify changes to the information security policy.

B. ensure that changes are tested.
C. ensure changes are properly documented.
D. advise on change-related risk.

Answer: D

Explanation:
The most important reason for having an information security manager serve on the change management committee is to advise on change-related risk. Change
management is the process of planning, implementing, and controlling changes to the organization’s IT systems, processes, or services, in order to achieve the
desired outcomes and minimize the negative impacts1. Change-related risk is the possibility of adverse consequences or events resulting from the changes, such
as security breaches, system failures, data loss, compliance violations, or customer dissatisfaction2.
The information security manager is responsible for ensuring that the organization’s information assets are protected from internal and external threats, and that
the information security objectives and requirements are aligned with the business goals and strategies3. Therefore, the information security manager should serve
on the change management committee to advise on change-related risk, and to ensure that the changes are consistent with the information security policy,
standards, and best practices. The information security manager can also help to identify and assess the potential security risks and impacts of the changes, and
to recommend and implement appropriate security controls and measures to mitigate them. The information security manager can also help to monitor and
evaluate the effectiveness and performance of the changes, and to identify and resolve any security issues or incidents that may arise from the changes4.
The other options are not as important as advising on change-related risk, because they are either more specific, limited, or dependent on the information security
manager’s role. Identifying changes to the information security policy is a task that the information security manager may perform as part of the change
management process, but it is not the primary reason for serving on the change management committee. The information security policy is the document that
defines the organization’s information security principles, objectives, roles, and responsibilities, and it should be reviewed and updated regularly to reflect the
changes in the organization’s environment, needs, and risks5. However, identifying changes to the information security policy is not as important as advising on
change-related risk, because the policy is a high-level document that does not provide specific guidance or details on how to implement or manage the changes.
Ensuring that changes are tested is a quality assurance activity that the change management committee may perform or oversee as part of the change
management process, but it is not the primary reason for having an information security manager on the committee. Testing is the process of verifying and
validating that the changes meet the expected requirements, specifications, and outcomes, and that they do not introduce any errors, defects, or vulnerabilities.
However, ensuring that changes are tested is not as important as advising on change-related risk, because testing is a technical or operational activity that does
not address the strategic or holistic aspects of change-related risk. Ensuring changes are properly documented is a governance activity that the change
management committee may perform or oversee as part of the change management process, but it is not the primary reason for having an information security
manager on the committee. Documentation is the process of recording and maintaining the information and evidence related to the changes, such as the change
requests, approvals, plans, procedures, results, reports, and lessons learned. However, ensuring changes are properly documented is not as important as advising
on change-related risk, because documentation is a procedural or administrative activity that does not provide any analysis or evaluation of change-related risk.
References = 1: CISM Review Manual 15th Edition, Chapter 2, Section 2.5 2: CISM Review Manual 15th Edition, Chapter 2, Section 2.5 3: CISM Review Manual
15th Edition, Chapter 1, Section 1.1 4: CISM Review Manual 15th Edition, Chapter 2, Section 2.5 5: CISM Review Manual 15th Edition, Chapter 1, Section 1.3 :
CISM Review Manual 15th Edition, Chapter 2, Section 2.5 : CISM Review Manual 15th Edition, Chapter 2, Section 2.5

NEW QUESTION 44
- (Topic 1)
Which of the following provides an information security manager with the MOST accurate indication of the organization's ability to respond to a cyber attack?

A. Walk-through of the incident response plan

B. Black box penetration test
C. Simulated phishing exercise
D. Red team exercise

Answer: D

Explanation:
A red team exercise is a simulated cyber attack conducted by a group of ethical hackers or security experts (the red team) against an organization’s network,
systems, and staff (the blue team) to test the organization’s ability to detect, respond, and recover from a real cyber attack. A red team exercise provides an
information security manager with the most accurate indication of the organization’s ability to respond to a cyber attack, because it mimics the tactics, techniques,
and procedures of real threat actors, and challenges the organization’s security posture, incident response plan, and security awareness in a realistic and
adversarial scenario12. A red team exercise can measure the following aspects of the organization’s cyber attack response capability3:
? The effectiveness and efficiency of the security controls and processes in preventing, detecting, and mitigating cyber attacks
? The readiness and performance of the incident response team and other stakeholders in following the incident response plan and procedures
? The communication and coordination among the internal and external parties involved in the incident response process
? The resilience and recovery of the critical assets and functions affected by the cyber attack
? The lessons learned and improvement opportunities identified from the cyber attack simulation
The other options, such as a walk-through of the incident response plan, a black box penetration test, or a simulated phishing exercise, are not as accurate as a
red team exercise in indicating the organization’s ability to respond to a cyber attack, because they have the following limitations4 :
? A walk-through of the incident response plan is a theoretical and hypothetical exercise that involves reviewing and discussing the incident response plan and
procedures with the relevant stakeholders, without actually testing them in a live environment. A walk-through can help to familiarize the participants with the

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

incident response roles and responsibilities, and to identify any gaps or inconsistencies in the plan, but it cannot measure the actual performance and effectiveness
of the incident response process under a real cyber attack scenario.
? A black box penetration test is a technical and targeted exercise that involves testing the security of a specific system or application, without any prior knowledge
or access to its internal details or configuration. A black box penetration test can help to identify the vulnerabilities and weaknesses of the system or application,
and to simulate the perspective and behavior of an external attacker, but it cannot test the security of the entire network or organization, or the response of the
incident response team and other stakeholders to a cyber attack.
? A simulated phishing exercise is a social engineering and awareness exercise that involves sending fake emails or messages to the organization’s staff, to test
their ability to recognize and report phishing attempts. A simulated phishing exercise can help to measure the level of security awareness and training of the staff,
and to simulate one of the most common cyber attack vectors, but it cannot test the security of the network or systems, or the response of the incident response
team and other stakeholders to a cyber attack.
References = 1: What is a Red Team Exercise? | Redscan 2: Red Team vs Blue Team: How They Differ and Why You Need Both | CISA 3: Red Team Exercises:
What They Are and How to Run Them | Rapid7 4: What is a Walkthrough Test? | Definition and Examples | ISACA : Penetration Testing Types: Black Box, White
Box, and Gray Box | CISA

NEW QUESTION 45
- (Topic 1)
Which of the following would BEST ensure that security is integrated during application development?

A. Employing global security standards during development processes

B. Providing training on secure development practices to programmers
C. Performing application security testing during acceptance testing
D. Introducing security requirements during the initiation phase

Answer: D

Explanation:
Introducing security requirements during the initiation phase would BEST ensure that security is integrated during application development because it would allow
the security objectives and controls to be defined and aligned with the business needs and risk appetite before any design or coding is done. This would also
facilitate the security by design approach, which is the most effective method to enhance the security of applications and application development activities1.
Introducing security requirements early would also enable the collaboration between security professionals and developers, the identification and specification of
security architectures, and the integration and testing of security controls throughout the development life cycle2. Employing global security standards during
development processes (A) would help to ensure the consistency and quality of security practices, but it would not necessarily ensure that security is integrated
during application development. Providing training on secure development practices to programmers (B) would help to raise the awareness and skills of
developers, but it would not ensure that security is integrated during application development. Performing application security testing during acceptance testing ©
would help to verify the security of the application before deployment, but it would not ensure that security is integrated during application development. It would
also be too late to identify and remediate any security issues that could have been prevented or mitigated earlier in the development
process. References = 1: Five Key Components of an Application Security Program - ISACA1; 2: CISM Domain – Information Security Program Development |
Infosec2

NEW QUESTION 48
- (Topic 1)
Network isolation techniques are immediately implemented after a security breach to:

A. preserve evidence as required for forensics

B. reduce the extent of further damage.
C. allow time for key stakeholder decision making.
D. enforce zero trust architecture principles.

Answer: B

Explanation:
Network isolation techniques are immediately implemented after a security breach to reduce the extent of further damage by limiting the access and
communication of the compromised systems or networks with the rest of the environment. This can help prevent the spread of malware, the exfiltration of data, or
the escalation of privileges by the attackers. Network isolation techniques can include disconnecting the affected systems or networks from the internet, blocking or
filtering certain ports or protocols, or creating separate VLANs or subnets for the isolated systems or networks. Network isolation techniques are part of the incident
response process and should be performed as soon as possible after detecting a security breach. References = CISM Review Manual 15th Edition, page
308-3091; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, Question ID: 1162

NEW QUESTION 52
- (Topic 1)
In order to understand an organization's security posture, it is MOST important for an organization's senior leadership to:

A. evaluate results of the most recent incident response test.

B. review the number of reported security incidents.
C. ensure established security metrics are reported.
D. assess progress of risk mitigation efforts.

Answer: D

Explanation:
According to the CISM Review Manual, an organization’s security posture is the overall condition of its information security, which is determined by the
effectiveness of its security program and the alignment of its security objectives with its business goals. To understand the security posture, the senior leadership
needs to have a holistic view of the security risks and the actions taken to address them. Therefore, assessing the progress of risk mitigation efforts is the most
important activity for the senior leadership, as it provides them with the information on how well the security program is performing and whether it is meeting the
expected outcomes. Evaluating the results of the most recent incident
response test, reviewing the number of reported security incidents, and ensuring established security metrics are reported are all useful activities for the senior
leadership, but they are not sufficient to understand the security posture. They only provide partial or isolated information on the security performance, which may
not reflect the overall security condition or the alignment with the business objectives. References = CISM Review Manual, 16th Edition, Chapter 1, Information
Security Governance, pages 28-29.

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

NEW QUESTION 53
- (Topic 1)
The MOST appropriate time to conduct a disaster recovery test would be after:

A. major business processes have been redesigned.

B. the business continuity plan (BCP) has been updated.
C. the security risk profile has been reviewed
D. noncompliance incidents have been filed.

Answer: B

Explanation:
The most appropriate time to conduct a disaster recovery test would be after the business continuity plan (BCP) has been updated, as it ensures that the disaster
recovery plan (DRP) is aligned with the current business requirements, objectives, and priorities. The BCP should be updated regularly to reflect any changes in
the business environment, such as new threats, risks, processes, technologies, or regulations. The disaster recovery test should validate the effectiveness and
efficiency of the DRP, as well
as identify any gaps, issues, or improvement opportunities123. References =
? 1: CISM Review Manual 15th Edition, page 2114
? 2: CISM Practice Quiz, question 1042
? 3: Business Continuity Planning and Disaster Recovery Testing, section “Testing the Plan”

NEW QUESTION 57
- (Topic 1)
In which cloud model does the cloud service buyer assume the MOST security responsibility?

A. Disaster Recovery as a Service (DRaaS)

B. Infrastructure as a Service (laaS)
C. Platform as a Service (PaaS)
D. Software as a Service (SaaS)

Answer: B

Explanation:
Infrastructure as a Service (IaaS) is a cloud model in which the cloud service provider (CSP) offers the basic computing resources, such as servers, storage,
network, and virtualization, as a service over the internet. The cloud service buyer (CSB) is responsible for installing, configuring, managing, and securing the
operating systems, applications, data, and middleware on top of the infrastructure. Therefore, the CSB assumes the most security responsibility in the IaaS model,
as it has to protect the confidentiality, integrity, and availability of its own assets and information in the cloud environment.
In contrast, in the other cloud models, the CSP takes over more security responsibility from the CSB, as it provides more layers of the service stack. In Disaster
Recovery as a Service (DRaaS), the CSP offers the replication and recovery of the CSB’s data and applications in the event of a disaster. In Platform as a Service
(PaaS), the CSP offers the development and deployment tools, such as programming languages, frameworks, libraries, and databases, as a service. In Software
as a Service (SaaS), the CSP offers the complete software applications, such as email, CRM, or ERP, as a service. In these models, the CSB has less control and
visibility over the underlying infrastructure, platform, or software, and has to rely on the CSP’s security measures and contractual agreements.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development and Management, Section: Information Security Program
Management, Subsection: Cloud Computing, page 140-1411

NEW QUESTION 58
- (Topic 1)
Which of the following is the BEST method to protect against emerging advanced persistent threat (APT) actors?

A. Providing ongoing training to the incident response team

B. Implementing proactive systems monitoring
C. Implementing a honeypot environment
D. Updating information security awareness materials

Answer: B

Explanation:
= Proactive systems monitoring is the best method to protect against emerging APT actors because it can help detect and respond to anomalous or malicious
activities on the network, such as unauthorized access, data exfiltration, malware infection, or command and control communication. Proactive systems monitoring
can also help identify the source, scope, and impact of an APT attack, as well as provide evidence for forensic analysis and remediation. Proactive systems
monitoring can include tools such as intrusion detection and prevention systems (IDPS), security information and event management (SIEM) systems, network
traffic analysis, endpoint detection and response (EDR), and threat intelligence feeds.
References = CISM Review Manual 15th Edition, page 201-2021; CISM Practice Quiz, question 922

NEW QUESTION 63
- (Topic 1)
Which of the following messages would be MOST effective in obtaining senior management's commitment to information security management?

A. Effective security eliminates risk to the business.

B. Adopt a recognized framework with metrics.
C. Security is a business product and not a process.
D. Security supports and protects the business.

Answer: D

Explanation:
The message that security supports and protects the business is the most effective in obtaining senior management’s commitment to information security
management. This message emphasizes the value and benefits of security for the organization’s strategic goals, mission, and vision. It also aligns security with
the business needs and expectations, and demonstrates how security can enable and facilitate the business processes and functions. The other messages are not
as effective because they either overstate the role of security (A), focus on technical aspects rather than business outcomes (B), or confuse the nature and

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

purpose of security ©. References = CISM Review Manual 2022, page 23; CISM Item Development Guide 2022, page 9; CISM Information Security Governance
Certified Practice Exam - CherCherTech

NEW QUESTION 68
- (Topic 1)
Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?

A. Documentation of control procedures

B. Standardization of compliance requirements
C. Automation of controls
D. Integration of assurance efforts

Answer: B

Explanation:
= Standardization of compliance requirements is the best approach to reduce unnecessary duplication of compliance activities, as it allows for a common
understanding of the objectives and expectations of various stakeholders, such as regulators, auditors, customers, and business partners. Standardization also
facilitates the alignment of compliance activities with the organization’s risk appetite and tolerance, and enables the identification and elimination of redundant or
conflicting controls. References = CISM Review Manual, 27th Edition, page 721; CISM Review Questions, Answers & Explanations Database, 12th Edition,
question 952 Learn more:

NEW QUESTION 71
- (Topic 1)
Which of the following is the BEST way to achieve compliance with new global regulations related to the protection of personal information?

A. Execute a risk treatment plan.

B. Review contracts and statements of work (SOWs) with vendors.
C. Implement data regionalization controls.
D. Determine current and desired state of controls.

Answer: D

Explanation:
The best way to achieve compliance with new global regulations related to the protection of personal information is to determine the current and desired state of
controls, as this helps the information security manager to identify the gaps and requirements for compliance, and to prioritize and implement the necessary
actions and measures to meet the regulatory standards. The current state of controls refers to the existing level of protection and compliance of the personal
information, while the desired state of controls refers to the target level of protection and compliance that is required by the new regulations. By comparing the
current and desired state of controls, the information security manager can assess the maturity and effectiveness of the information security program, and plan and
execute a risk treatment plan to address the risks and issues related to the protection of personal information. Executing a risk treatment plan, reviewing contracts
and statements of work (SOWs) with vendors, and implementing data regionalization controls are also important, but not as important as determining the current
and desired state of controls, as they are dependent on the outcome of the gap analysis and the risk assessment, and may not be sufficient or appropriate to
achieve compliance with the new regulations. References = CISM Review Manual 2023, page 491; CISM Review Questions, Answers & Explanations Manual
2023, page 352; ISACA CISM - iSecPrep, page 203

NEW QUESTION 75
- (Topic 1)
An organization is planning to outsource the execution of its disaster recovery activities. Which of the following would be MOST important to include in the
outsourcing agreement?

A. Definition of when a disaster should be declared

B. Requirements for regularly testing backups
C. Recovery time objectives (RTOs)
D. The disaster recovery communication plan

Answer: C

Explanation:
The most important thing to include in the outsourcing agreement for disaster recovery activities is the recovery time objectives (RTOs). RTOs are the maximum
acceptable time frames within which the critical business processes and information systems must be restored after a disaster or disruption. RTOs are based on
the business impact analysis (BIA) and the risk assessment, and they reflect the business continuity requirements and expectations of the organization. By
including the RTOs in the outsourcing agreement, the organization can ensure that the service provider is aware of and committed to meeting the agreed service
levels and minimizing the downtime and losses in the event of a disaster. The other options are not as important as the RTOs, although they may be relevant and
useful to include in the outsourcing agreement depending on the scope and nature of the disaster recovery services. References = CISM Review Manual 15th
Edition, page 2471; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, Question ID: 1033

NEW QUESTION 80
- (Topic 1)
A security incident has been reported within an organization. When should an inforrnation security manager contact the information owner? After the:

A. incident has been confirmed.

B. incident has been contained.
C. potential incident has been logged.
D. incident has been mitigated.

Answer: A

Explanation:
= The information security manager should contact the information owner after the incident has been confirmed, as this is the first step of the incident response
process. The information owner is the person who has the authority and responsibility for the information asset that is affected by the incident. The information

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

owner needs to be informed of the incident as soon as possible, as they may have to make decisions or take actions regarding the protection, recovery, or
restoration of the information asset. The information owner may also have to communicate with other stakeholders, such as the business units, customers,
regulators, or media, depending on the nature and impact of the incident.
The other options are not the correct time to contact the information owner, as they occur later in the incident response process. Contacting the information owner
after the incident has been contained, mitigated, or logged may delay the notification and escalation of the incident, as well as the involvement and collaboration of
the information owner. Moreover, contacting the information owner after the incident has been contained or mitigated may imply that the incident response team
has already taken actions that may affect the information asset without the consent or approval of the information owner. Contacting the information owner after a
potential incident has been logged may cause unnecessary alarm or confusion, as the potential incident may not be a real or significant incident, or it may not
affect the information owner’s asset. References =
? CISM Review Manual, 16th Edition, ISACA, 2022, pp. 219-220, 226-227.
? CISM Questions, Answers & Explanations Database, ISACA, 2022, QID 1009.

NEW QUESTION 81
- (Topic 1)
An information security manager developing an incident response plan MUST ensure it includes:

A. an inventory of critical data.

B. criteria for escalation.
C. a business impact analysis (BIA).
D. critical infrastructure diagrams.

Answer: B

Explanation:
An incident response plan is a set of procedures and guidelines that define the roles and responsibilities of the incident response team, the steps to follow in the
event of an incident, and the communication and escalation protocols to ensure timely and effective resolution of incidents. One of the essential components of an
incident response plan is the criteria for escalation, which specify the conditions and thresholds that trigger the escalation of an incident to a higher level of
authority or a different function within the organization. The criteria for escalation may depend on factors such as the severity, impact, duration, scope, and
complexity of the incident, as well as the availability and capability of the incident response team. The criteria for escalation help to ensure that incidents are
handled by the appropriate personnel, that management is kept informed and involved, and that the necessary resources and support are provided to resolve the
incident. References = https://blog.exigence.io/a-practical-approach-to-incident- management-escalation
https://www.uc.edu/content/dam/uc/infosec/docs/Guidelines/Information_Security_Incident_Response_Escalation_Guideline.pdf

NEW QUESTION 84
- (Topic 1)
A PRIMARY purpose of creating security policies is to:

A. define allowable security boundaries.

B. communicate management's security expectations.
C. establish the way security tasks should be executed.
D. implement management's security governance strategy.

Answer: D

Explanation:
A security policy is a formal statement of the rules and principles that govern the protection of information assets in an organization. A security policy defines the
scope, objectives, roles and responsibilities, and standards of the information security program. A primary purpose of creating security policies is to implement
management’s security governance strategy, which is the framework that guides the direction and alignment of information security with the business goals and
objectives. A security policy translates the management’s vision and expectations into specific and measurable requirements and controls that can be
implemented and enforced by the information security staff and other stakeholders. A security policy also helps to establish the accountability and authority of the
information security function and to demonstrate the commitment and support of the senior management for the information security program.
References =
? CISM Review Manual 15th Edition, page 1631
? CISM 2020: IT Security Policies2
? CISM domain 1: Information security governance [Updated 2022]3
? What is CISM? - Digital Guardian4

NEW QUESTION 85
- (Topic 1)
An online bank identifies a successful network attack in progress. The bank should FIRST:

A. isolate the affected network segment.

B. report the root cause to the board of directors.
C. assess whether personally identifiable information (Pll) is compromised.
D. shut down the entire network.

Answer: A

Explanation:
The online bank should first isolate the affected network segment, as this is the most effective way to contain the attack and prevent it from spreading to other
parts of the network or compromising more data or systems. Isolating the affected network segment also helps to preserve the evidence and facilitate the
investigation and recovery process. Reporting the root cause to the board of directors, assessing whether personally identifiable information (Pll) is compromised,
and shutting down the entire network are not the first actions that the online bank should take, as they may not be feasible or appropriate at the time of the attack,
and may cause more disruption, confusion, or damage to the business operations and reputation. References = CISM Review Manual 2023, page 1641; CISM
Review Questions, Answers & Explanations Manual 2023, page 362; ISACA CISM - iSecPrep, page 213

NEW QUESTION 87
- (Topic 1)
Which of the following should be done FIRST when establishing a new data protection program that must comply with applicable data privacy regulations?

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

A. Evaluate privacy technologies required for data protection.

B. Encrypt all personal data stored on systems and networks.
C. Update disciplinary processes to address privacy violations.
D. Create an inventory of systems where personal data is stored.

Answer: D

Explanation:
= The first step when establishing a new data protection program that must comply with applicable data privacy regulations is to create an inventory of systems
where personal data is stored. Personal data is any information that relates to an identified or identifiable natural person, such as name, address, email, phone
number, identification number, location data, biometric data, or online identifiers. Data privacy regulations are laws and rules that govern the collection, processing,
storage, transfer, and disposal of personal data, and that grant rights and protections to the data subjects, such as the right to access, rectify, erase, or restrict the
use of their personal data. Examples of data privacy regulations are the General Data Protection Regulation (GDPR) in the European Union, the California
Consumer Privacy Act (CCPA) in the United States, and the Personal Data Protection Act (PDPA) in Singapore. Creating an inventory of systems where personal
data is stored is essential for the data protection program, because it helps to:
? Identify the sources, types, and locations of personal data that the organization collects and holds, and the purposes and legal bases for which they are used.
? Assess the risks and impacts associated with the personal data, and the compliance requirements and obligations under the applicable data privacy regulations.
? Implement appropriate technical and organizational measures to protect the personal data from unauthorized or unlawful access, use, disclosure, modification, or
loss, such as encryption, pseudonymization, access control, backup, or audit logging.
? Establish policies, procedures, and processes to manage the personal data throughout their life cycle, and to respond to the requests and complaints from the
data subjects or the data protection authorities.
? Monitor and review the performance and effectiveness of the data protection
program, and report and resolve any data breaches or incidents.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development and Management, Section: Data Protection, pages
202-2051; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 71, page 662.

NEW QUESTION 91
- (Topic 1)
An information security team has discovered that users are sharing a login account to an application with sensitive information, in violation of the access policy.
Business management indicates that the practice creates operational efficiencies. What is the information security manager's BEST course of action?

A. Enforce the policy.

B. Modify the policy.
C. Present the risk to senior management.
D. Create an exception for the deviation.

Answer: C

Explanation:
The information security manager’s best course of action is to present the risk to senior management, because this is a case of conflicting objectives and priorities
between the information security team and the business management. The information security manager should explain the potential impact and likelihood of a
security breach due to the violation of the access policy, as well as the possible legal, regulatory, and reputational consequences. The information security
manager should also provide alternative solutions that can achieve both operational efficiency and security compliance, such as implementing single sign-on, role-
based access control, or multi-factor authentication. The information security manager should not enforce the policy without senior management’s approval,
because this could cause operational disruption and business dissatisfaction. The information security manager should not modify the policy without a proper risk
assessment and approval process, because this could weaken the security posture and expose the organization to more threats. The information security manager
should not create an exception for the deviation without a formal risk acceptance and documentation process, because this could create inconsistency and
ambiguity in the policy enforcement and accountability. References = CISM Review Manual, 16th Edition, ISACA, 2021, pages 127- 128, 138-139, 143-144.

NEW QUESTION 94
- (Topic 1)
Which of the following MUST be defined in order for an information security manager to evaluate the appropriateness of controls currently in place?

A. Security policy
B. Risk management framework
C. Risk appetite
D. Security standards

Answer: C

Explanation:
= Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. It is a key factor that influences the information
security strategy and objectives, as well as the selection and implementation of security controls. Risk appetite must be defined in order for an information security
manager to evaluate the appropriateness of controls currently in place, as it provides the basis for determining whether the controls are sufficient, excessive, or
inadequate to address the risks faced by the organization. The information security manager should align the controls with the risk appetite of the organization,
ensuring that the controls are effective, efficient, and economical. References = CISM Review Manual 15th Edition, page 29, page 31.

NEW QUESTION 99
- (Topic 1)
Which of the following is MOST important to include in a post-incident review following a data breach?

A. An evaluation of the effectiveness of the information security strategy

B. Evaluations of the adequacy of existing controls
C. Documentation of regulatory reporting requirements
D. A review of the forensics chain of custom

Answer: B

Explanation:
= A post-incident review is a process of analyzing and learning from a security incident, such as a data breach, to improve the security posture and resilience of an

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

organization. A post-incident review should include the following elements12:

? A clear and accurate description of the incident, including its scope, impact, timeline, root cause, and contributing factors.
? A detailed assessment of the effectiveness and efficiency of the incident response process, including the roles and responsibilities, communication channels,
coordination mechanisms, escalation procedures, tools and resources, documentation, and reporting.
? An evaluation of the adequacy of existing controls, such as policies, standards, procedures, technical measures, awareness, and training, to prevent, detect, and
mitigate similar incidents in the future.
? A list of actionable recommendations and improvement plans, based on the lessons learned and best practices, to address the identified gaps and weaknesses
in the security strategy, governance, risk management, and incident management.
? A follow-up and monitoring mechanism to ensure the implementation and verification of the recommendations and improvement plans.
The most important element to include in a post-incident review following a data breach is the evaluation of the adequacy of existing controls, because it directly
relates to the security objectives and requirements of the organization, and provides the basis for enhancing the security posture and resilience of the organization.
Evaluating the existing controls helps to identify the vulnerabilities and risks that led to the data breach, and to determine the appropriate corrective and preventive
actions to reduce the likelihood and impact of similar incidents in the future. Evaluating the existing controls also helps to align the security strategy and
governance with the business goals and objectives, and to ensure the compliance with legal, regulatory, and contractual obligations.
The other elements, such as an evaluation of the effectiveness of the information security strategy, documentation of regulatory reporting requirements, and a
review of the forensics chain of custody, are also important, but not as important as the evaluation of the existing controls. An evaluation of the effectiveness of the
information security strategy is a broader and more strategic activity that may not be directly relevant to the specific incident, and may require more time and
resources to conduct. Documentation of regulatory reporting requirements is a necessary and mandatory task, but it does not provide much insight or value for
improving the security posture and resilience of the organization. A review of the forensics chain of custody is a technical and procedural activity that ensures the
integrity and admissibility of the digital evidence collected during the incident investigation, but it does not address the root cause or the mitigation of the incident.
References = 1: CISM Exam Content Outline | CISM Certification | ISACA 2: CISM Review Manual 15th Edition, page 147

NEW QUESTION 101

- (Topic 1)
Which of the following would be MOST helpful to identify worst-case disruption scenarios?

A. Business impact analysis (BIA)

B. Business process analysis
C. SWOT analysis
D. Cast-benefit analysis

Answer: A

Explanation:
A business impact analysis (BIA) is the process of identifying and evaluating the potential effects of disruptions to critical business functions or processes. A BIA
helps to determine the recovery priorities, objectives, and strategies for the organization in the event of a disaster or crisis. A BIA also helps to identify the worst-
case disruption scenarios, which are the scenarios that would cause the most severe impact to the organization in terms of financial, operational, reputational, or
legal consequences. By conducting a BIA, the organization can assess the likelihood and impact of various disruption scenarios, and plan accordingly to mitigate
the risks and ensure business continuity and resilience. References = CISM Review Manual 15th Edition, page 181, page 183.

NEW QUESTION 106

- (Topic 1)
Which of the following activities MUST be performed by an information security manager for change requests?

A. Perform penetration testing on affected systems.

B. Scan IT systems for operating system vulnerabilities.
C. Review change in business requirements for information security.
D. Assess impact on information security risk.

Answer: D

NEW QUESTION 110

- (Topic 1)
Which of the following is MOST helpful for protecting an enterprise from advanced persistent threats (APTs)?

A. Updated security policies

B. Defined security standards
C. Threat intelligence
D. Regular antivirus updates

Answer: C

Explanation:
Threat intelligence is the most helpful method for protecting an enterprise from advanced persistent threats (APTs), as it provides relevant and actionable
information about the sources, methods, and intentions of the adversaries who conduct APTs. Threat intelligence can help to identify and anticipate the APTs that
target the enterprise, as well as to enhance the detection, prevention, and response capabilities of the information security program. Threat intelligence can also
help to reduce the impact and duration of the APTs, as well as to improve the resilience and recovery of the enterprise. Threat intelligence can be obtained from
various sources, such as internal data, external feeds, industry peers, government agencies, or security vendors.
The other options are not as helpful as threat intelligence, as they do not provide a specific and timely way to protect the enterprise from APTs. Updated security
policies are important to establish the rules, roles, and responsibilities for information security within the enterprise, as well as to align the information security
program with the business objectives, standards, and regulations. However, updated security policies alone are not enough to protect the enterprise from APTs, as
they do not address the dynamic and sophisticated nature of the APTs, nor do they provide the technical or operational measures to counter the APTs. Defined
security standards are important to specify the minimum requirements and best practices for information security within the enterprise, as well as to ensure the
consistency, quality, and compliance of the information security program. However, defined security standards alone are not enough to protect the enterprise from
APTs, as they do not account for the customized and targeted nature of the APTs, nor do they provide the situational or contextual awareness to deal with the
APTs. Regular antivirus updates are important to keep the antivirus software up to date with the latest signatures and definitions of the known malware, viruses,
and other malicious code. However, regular antivirus updates alone are not enough to protect the enterprise from APTs, as they do not detect or prevent the
unknown or zero-day malware, viruses, or other malicious code that are often used by the APTs, nor do they provide the behavioral or heuristic analysis to identify
the APTs. References =
? CISM Review Manual, 16th Edition, ISACA, 2022, pp. 211-212, 215-216, 233-234,

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

237-238.
? CISM Questions, Answers & Explanations Database, ISACA, 2022, QID 1021.
? Advanced Persistent Threats and Nation-State Actors 1
? Book Review: Advanced Persistent Threats 2
? Advanced Persistent Threat (APT) Protection 3
? Establishing Advanced Persistent Security to Combat Long-Term Threats 4
? What is the difference between Anti - APT (Advanced Persistent Threat) and ATP (Advanced Threat Protection)5

NEW QUESTION 111

- (Topic 1)
Who is BEST suited to determine how the information in a database should be classified?

A. Database analyst
B. Database administrator (DBA)
C. Information security analyst
D. Data owner

Answer: D

Explanation:
= Data owner is the best suited to determine how the information in a database should be classified, because data owner is the person who has the authority and
responsibility for the data and its protection. Data owner is accountable for the business value, quality, integrity, and security of the data. Data owner also defines
the data classification criteria and levels based on the data sensitivity, criticality, and regulatory requirements. Data owner assigns the data custodian and grants
the data access rights to the data users. Data owner reviews and approves the data classification policies and procedures, and ensures the compliance with them.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Data Classification, page 331

NEW QUESTION 116

- (Topic 1)
Which of the following service offerings in a typical Infrastructure as a Service (laaS) model will BEST enable a cloud service provider to assist customers when
recovering from a security incident?

A. Availability of web application firewall logs.

B. Capability of online virtual machine analysis
C. Availability of current infrastructure documentation
D. Capability to take a snapshot of virtual machines

Answer: D

Explanation:
A snapshot is a point-in-time copy of the state of a virtual machine (VM) that can be used to restore the VM to a previous state in case of a security incident or a
disaster. A snapshot can capture the VM’s disk, memory, and device configuration, allowing for a quick and easy recovery of the VM’s data and functionality.
Snapshots can also be used to create backups, clones, or replicas of VMs for testing, analysis, or migration purposes. Snapshots are a common service offering in
Infrastructure as a Service (IaaS) models, where customers can provision and manage VMs on demand from a cloud service provider (CSP). A CSP that offers the
capability to take snapshots of VMs can assist customers when recovering from a security incident by providing them with the following benefits12:
? Faster recovery time: Snapshots can reduce the downtime and data loss caused by a security incident by allowing customers to quickly revert their VMs to a
known good state. Snapshots can also help customers avoid the need to reinstall or reconfigure their VMs after an incident, saving time and resources.
? Easier incident analysis: Snapshots can enable customers to perform online or offline analysis of their VMs after an incident, without affecting the production
environment. Customers can use snapshots to examine the VM’s disk, memory, and logs for evidence of compromise, root cause analysis, or forensic
investigation. Customers can also use snapshots to test and validate their incident response plans or remediation actions before applying them to the production
VMs.
? Enhanced security posture: Snapshots can improve the security posture of customers by enabling them to implement best practices such as backup and restore,
disaster recovery, and business continuity. Snapshots can help customers protect their VMs from accidental or malicious deletion, corruption, or modification, as
well as from environmental or technical disruptions. Snapshots can also help customers comply with regulatory or contractual requirements for data retention,
availability, or integrity. References = What is Disaster Recovery as a Service? | CSA - Cloud Security Alliance, What Is Cloud Incident Response (IR)?
CrowdStrike

NEW QUESTION 121

- (Topic 1)
Which of the following BEST indicates that information security governance and corporate governance are integrated?

A. The information security team is aware of business goals.

B. The board is regularly informed of information security key performance indicators (KPIs),
C. The information security steering committee is composed of business leaders.
D. A cost-benefit analysis is conducted on all information security initiatives.

Answer: C

Explanation:
The information security steering committee is composed of business leaders is the best indicator that information security governance and corporate governance
are integrated, as this shows that the information security program is aligned with the business objectives and strategies, and that the information security manager
has the support and involvement of the senior management. The information security steering committee is responsible for overseeing the information security
program, setting the direction and scope, approving policies and standards, allocating resources, and monitoring performance and compliance. The information
security steering committee also ensures that the information security risks are communicated and addressed at the board level, and that the information security
program is consistent with the corporate governance framework and culture. The information security team is aware of business goals, the board is regularly
informed of information security key performance indicators (KPIs), and a cost- benefit analysis is conducted on all information security initiatives are also
important, but
not as important as the information security steering committee is composed of business leaders, as they do not necessarily imply that the information security
governance and corporate governance are integrated, and that the information security program has the authority and accountability to achieve its goals.
References = CISM Review Manual 2023, page 271; CISM Review Questions, Answers & Explanations Manual 2023, page 342; ISACA CISM - iSecPrep, page
193

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

NEW QUESTION 124

- (Topic 1)
Security administration efforts will be greatly reduced following the deployment of which of the following techniques?

A. Discretionary access control

B. Role-based access control
C. Access control lists
D. Distributed access control

Answer: B

Explanation:
Role-based access control (RBAC) is a policy-neutral access control mechanism that assigns access privileges to defined roles in the organization and then
makes each user a member of the appropriate roles. RBAC reduces security administration efforts by simplifying the management of access rights across different
users and resources. RBAC also enables consistent and efficient enforcement of the principle of least privilege, which grants users only the minimum rights
required to perform their assigned tasks. RBAC can also facilitate the implementation of separation of duties, which prevents users from having conflicting or
incompatible responsibilities. RBAC is among the most widely used methods in the information security tool kit1. References = CIS Control 6: Access Control
Management - Netwrix, CISSP certification: RBAC (Role based access control), What is RBAC? (Role Based Access Control) - IONOS

NEW QUESTION 126

- (Topic 1)
An organization has acquired a company in a foreign country to gain an advantage in a new market. Which of the following is the FIRST step the information
security manager should take?

A. Determine which country's information security regulations will be used.

B. Merge the two existing information security programs.
C. Apply the existing information security program to the acquired company.
D. Evaluate the information security laws that apply to the acquired company.

Answer: D

Explanation:
The information security manager should first evaluate the information security laws that apply to the acquired company, as they may differ from the laws of the
parent organization. This will help the information security manager to understand the legal and regulatory requirements, risks, and challenges that the acquired
company faces in its operating environment. The information security manager can then determine the best approach to align the information security programs of
the two entities, taking into account the different laws and regulations, as well as the business objectives and strategies of the acquisition. References = : CISM
Review Manual 15th Edition, page 32.

NEW QUESTION 129

- (Topic 1)
Which of the following is the MOST important factor of a successful information security program?

A. The program follows industry best practices.

B. The program is based on a well-developed strategy.
C. The program is cost-efficient and within budget,
D. The program is focused on risk management.

Answer: D

Explanation:
A successful information security program is one that aligns with the business objectives and strategy, supports the business processes and functions, and
protects the information assets from threats and vulnerabilities. The most important factor of such a program is that it is focused on risk management, which means
that it identifies, assesses, treats, and monitors the information security risks that could affect the business continuity, reputation, and value. Risk management
helps to prioritize the security activities and resources, allocate the appropriate budget and resources, implement the necessary controls and measures, and
evaluate the effectiveness and efficiency of the program. Risk management also enables the program to adapt to the changing business and threat environment,
and to continuously improve the security posture and performance. A program that follows industry best practices, is based on a well-developed strategy, and is
cost-efficient and within budget are all desirable attributes, but they are not sufficient to ensure the success of the program without a risk management focus.
References = CISM Review Manual 15th Edition, page 411; CISM Practice Quiz, question 1242

NEW QUESTION 131

- (Topic 1)
An information security manager learns that a risk owner has approved exceptions to replace key controls with weaker compensating controls to improve process
efficiency. Which of the following should be the GREATEST concern?

A. Risk levels may be elevated beyond acceptable limits.

B. Security audits may report more high-risk findings.
C. The compensating controls may not be cost efficient.
D. Noncompliance with industry best practices may result.

Answer: A

Explanation:
Replacing key controls with weaker compensating controls may introduce new vulnerabilities or increase the likelihood or impact of existing threats, thus raising
the risk levels beyond the acceptable limits defined by the risk appetite and tolerance of the organization. This may expose the organization to unacceptable losses
or damages, such as financial, reputational, legal, or operational. Therefore, the information security manager should be most concerned about the potential
elevation of risk levels and ensure that the risk owner is aware of the consequences and accountable for the decision.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Treatment, page 941.

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

NEW QUESTION 134

- (Topic 1)
Which of the following is MOST important to ensure when developing escalation procedures for an incident response plan?

A. Each process is assigned to a responsible party.

B. The contact list is regularly updated.
C. Minimum regulatory requirements are maintained.
D. Senior management approval has been documented.

Answer: B

Explanation:
= The contact list is the most important element of the escalation procedures for an incident response plan, as it ensures that the appropriate stakeholders are
notified and involved in the incident management process. A contact list should include the names, roles, responsibilities, phone numbers, email addresses, and
backup contacts of the key personnel involved in the incident response, such as the incident response team, senior management, legal counsel, public relations,
law enforcement, and external service providers. The contact list should be regularly updated and tested to ensure its accuracy and availability123. References =
? 1: Information Security Incident Response Escalation Guideline2, page 4
? 2: A Practical Approach to Incident Management Escalation1, section “Step 2: Log the escalation and record the related incident problems that occurred”
? 3: Computer Security Incident Handling Guide4, page 18

NEW QUESTION 135

- (Topic 1)
Which of the following is the PRIMARY reason to perform regular reviews of the cybersecurity threat landscape?

A. To compare emerging trends with the existing organizational security posture

B. To communicate worst-case scenarios to senior management
C. To train information security professionals to mitigate new threats
D. To determine opportunities for expanding organizational information security

Answer: A

Explanation:
The primary reason to perform regular reviews of the cybersecurity threat landscape is to compare emerging trends with the existing organizational security
posture, as this helps the information security manager to identify and prioritize the gaps and risks that need to be addressed. The cybersecurity threat landscape
is dynamic and constantly evolving, and the organization’s security posture may not be adequate or aligned with the current and future threats. By reviewing the
threat landscape regularly, the information security manager can assess the effectiveness and maturity of the security program, and recommend appropriate
actions and controls to improve the security posture and reduce
the likelihood and impact of cyberattacks. References = CISM Review Manual 2023, page 831; CISM Review Questions, Answers & Explanations Manual 2023,
page 322; ISACA CISM - iSecPrep, page 173

NEW QUESTION 136

- (Topic 1)
Which of the following is the PRIMARY reason to monitor key risk indicators (KRIs) related to information security?

A. To alert on unacceptable risk

B. To identify residual risk
C. To reassess risk appetite
D. To benchmark control performance

Answer: A

Explanation:
Key risk indicators (KRIs) are metrics that measure the level of risk exposure and the likelihood of occurrence of potential adverse events that can affect the
organization’s objectives and performance. KRIs are used to monitor changes in the risk environment and to provide early warning signals for potential issues that
may require management attention or intervention. KRIs are also used to communicate the risk status and trends to the relevant stakeholders and to support risk-
based decision making12.
The primary reason to monitor KRIs related to information security is to alert on unacceptable risk. Unacceptable risk is the level of risk that exceeds the
organization’s risk appetite, tolerance, or threshold, and that poses a significant threat to the organization’s assets, operations, reputation, or compliance.
Unacceptable risk can result from internal or external factors, such as cyberattacks, data breaches, system failures, human errors, fraud, natural disasters, or
regulatory changes. Unacceptable risk can have severe consequences for the organization, such as financial losses, legal liabilities, operational disruptions,
customer dissatisfaction, or reputational damage12.
By monitoring KRIs related to information security, the organization can identify and assess the sources, causes, and impacts of unacceptable risk, and take timely
and appropriate actions to mitigate, transfer, avoid, or accept the risk. Monitoring KRIs can also help the organization to evaluate the effectiveness and efficiency
of the existing information security controls, policies, and procedures, and to identify and implement any necessary improvements or enhancements. Monitoring
KRIs can also help the organization to align its information security strategy and objectives with its business strategy and objectives, and
to ensure compliance with the relevant laws, regulations, standards, and best practices12. While monitoring KRIs related to information security can also serve
other purposes, such as identifying residual risk, reassessing risk appetite, or benchmarking control performance, these are not the primary reason for monitoring
KRIs. Residual risk is the level of risk that remains after applying the risk treatment options, and it should be within the organization’s risk appetite, tolerance, or
threshold. Reassessing risk appetite is the process of reviewing and adjusting the amount and type of risk that the organization is willing to take in pursuit of its
objectives, and it should be done periodically or when there are significant changes in the internal or external environment. Benchmarking control performance is
the process of comparing the organization’s information security controls with those of other organizations or industry standards, and it should be done to identify
and adopt the best practices or to demonstrate compliance12. References = Integrating KRIs and KPIs for Effective Technology Risk Management, The Power of
KRIs in Enterprise Risk Management (ERM) - Metricstream, What Is a Key Risk Indicator? With Characteristics and Tips, KRI Framework for Operational Risk
Management | Workiva, Key risk indicator - Wikipedia

NEW QUESTION 137

- (Topic 1)
Which of the following is the BEST indication ofa successful information security culture?

A. Penetration testing is done regularly and findings remediated.

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

B. End users know how to identify and report incidents.

C. Individuals are given roles based on job functions.
D. The budget allocated for information security is sufficient.

Answer: B

Explanation:
The best indication of a successful information security culture is that end users know how to identify and report incidents. This shows that the end users are
aware of the information security policies, procedures, and practices of the organization, and that they understand their roles and responsibilities in protecting the
information assets and resources. It also shows that the end users are engaged and committed to the information security goals and objectives of the organization,
and that they are willing to cooperate and collaborate with the information security team and other stakeholders in preventing, detecting, and responding to
information security incidents. A successful information security culture is one that fosters a positive attitude and behavior toward information security among all
members of the organization, and that aligns the information security strategy with the business strategy and the organizational culture1.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Culture, page 281.

NEW QUESTION 140

- (Topic 1)
An organization finds it necessary to quickly shift to a work-fromhome model with an increased need for remote access security.
Which of the following should be given immediate focus?

A. Moving to a zero trust access model

B. Enabling network-level authentication
C. Enhancing cyber response capability
D. Strengthening endpoint security

Answer: D

Explanation:
Strengthening endpoint security is the most immediate focus when shifting to a work-from- home model with an increased need for remote access security, as this
reduces the risk of unauthorized access, data leakage, malware infection, and other threats that may compromise the confidentiality, integrity, and availability of
the organization’s information assets. Moving to a zero trust access model, enabling network-level authentication, and enhancing cyber response capability are
also important, but not as urgent as strengthening endpoint security, as they require more time, resources, and planning to implement effectively. References =
CISM Review Manual 2023, page 1561; CISM Review Questions, Answers & Explanations Manual 2023, page 302; ISACA CISM - iSecPrep, page 153

NEW QUESTION 145

- (Topic 3)
The MOST useful technique for maintaining management support for the information security program is:

A. informing management about the security of business operations.

B. implementing a comprehensive security awareness and training program.
C. identifying the risks and consequences of failure to comply with standards.
D. benchmarking the security programs of comparable organizations.

Answer: A

Explanation:
= According to the CISM Review Manual, one of the key success factors for an information security program is to maintain management support and commitment.
This can be achieved by providing regular reports to management on the security status of the organization, the effectiveness of the security controls, and the
alignment of the security program with the business objectives and strategy. By informing management about the security of business operations, the information
security manager can demonstrate the value and benefits of the security program, and ensure that management is aware of the security risks and issues that need
to be addressed. This technique can also help to build trust and confidence between the information security manager and the senior management, and foster a
culture of security within the organization1
The other options are not as effective as informing management about the security of business operations. Implementing a comprehensive security awareness and
training program is important, but it is mainly targeted at the end users and staff, not the senior management. Identifying the risks and consequences of failure to
comply with standards can help to justify the need for security controls, but it can also create a negative impression of the security program as being too restrictive
or punitive. Benchmarking the security programs of comparable organizations can provide some insights and best practices, but it may not reflect the specific
needs and context of the organization, and it may not be relevant or applicable to the management’s expectations and priorities1 References = 1: CISM Review
Manual, 16th Edition, ISACA, 2020, pp. 28-29…

NEW QUESTION 148

- (Topic 3)
Which of the following BEST enables an organization to enhance its incident response plan processes and procedures?

A. Security risk assessments

B. Lessons learned analysis
C. Information security audits
D. Key performance indicators (KPIs)

Answer: B

Explanation:
Lessons learned analysis is the best way to enable an organization to enhance its incident response plan processes and procedures because it helps to identify
the strengths and weaknesses of the current plan, capture the feedback and recommendations from the incident responders and stakeholders, and implement the
necessary improvements and corrective actions for future incidents. Security risk assessments are not directly related to enhancing the incident response plan, but
rather to identifying and evaluating the security risks and controls of the organization. Information security audits are not directly related to enhancing the incident
response plan, but rather to verifying and validating the compliance and effectiveness of the security policies and standards of the organization. Key performance
indicators (KPIs) are not directly related to enhancing the incident response plan, but rather to measuring and reporting the performance and progress of the
security objectives and initiatives of the organization. References: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-
learned https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/security-risk-assessment-for-a-cloud-based-enterprise- resource-planning-system
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security- using-iso-27004

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-security-management-system

NEW QUESTION 152

- (Topic 3)
Which of the following BEST indicates the organizational benefit of an information security solution?

A. Cost savings the solution brings to the information security department

B. Reduced security training requirements
C. Alignment to security threats and risks
D. Costs and benefits of the solution calculated over time

Answer: D

Explanation:
The best option to indicate the organizational benefit of an information security solution is D. Costs and benefits of the solution calculated over time. This is
because costs and benefits of the solution calculated over time, also known as the return on security investment (ROSI), can help to measure and demonstrate the
value and effectiveness of the information security solution in terms of reducing risks, enhancing performance, and achieving strategic goals. ROSI can also help
to justify the allocation and optimization of the resources and budget for the information security solution, and to compare and prioritize different security
alternatives. ROSI can be calculated by using various methods and formulas, such as the annualized loss expectancy (ALE), the annualized rate of occurrence
(ARO), and the cost-benefit analysis (CBA).
Costs and benefits of the solution calculated over time, also known as the return on security investment (ROSI), can help to measure and demonstrate the value
and effectiveness of the information security solution in terms of reducing risks, enhancing performance, and achieving strategic goals. (From CISM Manual or
related resources) References = CISM Review Manual 15th Edition, Chapter 3, Section 3.1.3, page 1311; CISM Review Questions, Answers & Explanations
Manual 9th Edition, Question 99, page 26; How to Calculate Return on Security Investment (ROSI) - Infosec2

NEW QUESTION 156

- (Topic 3)
During which of the following development phases is it MOST challenging to implement security controls?

A. Post-implementation phase
B. Implementation phase
C. Development phase
D. Design phase

Answer: C

Explanation:
The development phase is the stage of the system development life cycle (SDLC) where the system requirements, design, architecture, and implementation are
performed. The development phase is most challenging to implement security controls because it involves complex and dynamic processes that may not be well
understood or documented. Security controls are essential for ensuring the confidentiality, integrity, and availability of the system and its data, as well as for
complying with regulatory and contractual obligations. However, security controls may also introduce additional costs, risks, and constraints to the development
process, such as:
? Increased complexity and overhead of testing, verification, validation, and maintenance
? Reduced flexibility and agility of changing requirements or design
? Increased dependency on external vendors or third parties for security services or products
? Increased vulnerability to errors, defects, or vulnerabilities in the code or configuration
? Increased difficulty in measuring and reporting on security performance or effectiveness
Therefore, implementing security controls in the development phase requires careful planning, coordination, communication, and collaboration among all
stakeholders involved in the SDLC. It also requires a clear understanding of the security objectives, scope, criteria, standards, policies, procedures, roles,
responsibilities, and resources for the system. Moreover, it requires a proactive approach to identifying and mitigating potential threats or risks that may affect the
security of the system.
References = CISM Manual1, Chapter 3: Information Security Program Development (ISPD), Section 3.1: System Development Life Cycle (SDLC)2
1: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles 2: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles

NEW QUESTION 159

......

The Leader of IT Certification visit - https://www.certleader.com

 100% Valid and Newest Version CISM Questions & Answers shared by Certleader
https://www.certleader.com/CISM-dumps.html (415 Q&As)

Thank You for Trying Our Product

* 100% Pass or Money Back

All our products come with a 90-day Money Back Guarantee.
* One year free update
You can enjoy free update one year. 24x7 online support.
* Trusted by Millions
We currently serve more than 30,000,000 customers.
* Shop Securely
All transactions are protected by VeriSign!

100% Pass Your CISM Exam with Our Prep Materials Via below:

https://www.certleader.com/CISM-dumps.html

The Leader of IT Certification visit - https://www.certleader.com

Powered by TCPDF (www.tcpdf.org)