100% Pass Top-selling CISM Exams - New 2022 ISACA Practice Exam [Q784-Q807]

Isaca Certification Dumps CISM Exam for Full Questions - Exam Study Guide

NEW QUESTION 784
A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?

  • A. Prepare an impact assessment report.
  • B. Obtain approval from senior management.
  • C. Conduct a penetration test.
  • D. Back up the firewall configuration and policy files.

Answer: A

Explanation:
An impact assessment report needs to be prepared first. It provides the justification for the change, an analysis of the changes to be made, the impact if the change does not work as expected, and the priority and urgency of the change request. Choices B, C and D could all be important steps (approval in particular should follow the assessment, since it is the assessment that gives management something to approve), but the impact assessment must be completed before any of them.

 

NEW QUESTION 785
Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?

  • A. Implement logical access controls to the information systems.
  • B. Improve the employees' knowledge of security policies.
  • C. Obtain the support of the board of directors.
  • D. Improve the content of the information security awareness program.

Answer: C

Explanation:
It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and D are measures proposed to improve the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option A is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.

 

NEW QUESTION 786
An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?

  • A. Results of the latest independent security review
  • B. Security in storage and transmission of sensitive data
  • C. Security technologies in place at the facility
  • D. Provider's level of compliance with industry standards

Answer: B

Explanation:
How the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected. Choice D is an important but secondary consideration. Choice C is incorrect because security technologies are not the only components that protect sensitive customer information. Choice A is incorrect because an independent security review may not include analysis of how sensitive customer information would be protected.

 

NEW QUESTION 787
Adding security requirements late in the software development life cycle (SDLC) would MOST likely result in:

  • A. compensating controls.
  • B. operational efficiency.
  • C. cost savings.
  • D. clearer understanding of requirements.

Answer: A

 

NEW QUESTION 788
Which of the following is the BEST method to protect consumer private information for an online public website?

  • A. Apply strong authentication to online accounts.
  • B. Encrypt consumer's data in transit and at rest.
  • C. Use secure encrypted transport layer.
  • D. Apply a masking policy to the consumer data.

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT

 

NEW QUESTION 789
Security audit reviews should PRIMARILY:

  • A. ensure that controls are cost-effective.
  • B. focus on preventive controls.
  • C. ensure controls are technologically current.
  • D. ensure that controls operate as required.

Answer: D

Explanation:
The primary objective of a security review or audit should be to provide assurance on the adequacy of security controls. Reviews should focus on all forms of control, not just on preventive control. Cost-effectiveness and technological currency are important but not as critical.

 

NEW QUESTION 790
For an organization with a large and complex IT infrastructure, which of the following elements of a disaster recovery hot site service will require the closest monitoring?

  • A. Employee access
  • B. Systems configurations
  • C. Audit rights
  • D. Number of subscribers

Answer: B

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT

 

NEW QUESTION 791
Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?

  • A. Penetration tests
  • B. Vulnerability scans
  • C. Security audits
  • D. Code reviews

Answer: A

Explanation:
A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially. This gives a good measurement and prioritization of risks. Other security assessments such as vulnerability scans, code reviews and security audits can help give an extensive and thorough risk and vulnerability overview, but will not be able to test or demonstrate the final consequence of having several vulnerabilities linked together. Penetration testing can give risk a new perspective and prioritize it based on the end result of a sequence of security problems.

 

NEW QUESTION 792
Which of the following is the MOST important factor when designing information security architecture?

  • A. Development methodologies
  • B. Technical platform interfaces
  • C. Scalability of the network
  • D. Stakeholder requirements

Answer: D

Explanation:
Section: INFORMATION SECURITY GOVERNANCE
Explanation:
The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically-elegant solution is achieved that does not meet the needs of the business.

 

NEW QUESTION 793
When making an outsourcing decision, which of the following functions is MOST important to retain within the organization?

  • A. Risk assessment
  • B. Security governance
  • C. Security management
  • D. Incident response

Answer: B

 

NEW QUESTION 794
Which of the following provides the MOST comprehensive understanding of an organization's information security posture?

  • A. The organization's security incident trends
  • B. External audit findings
  • C. Risk management metrics
  • D. Results of vulnerability assessments

Answer: C

 

NEW QUESTION 795
The BEST defense against phishing attempts within an organization is:

  • A. filtering of e-mail.
  • B. an intrusion detection system (IDS).
  • C. strengthening of firewall rules.
  • D. an intrusion prevention system (IPS).

Answer: A

Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT

 

NEW QUESTION 796
The recovery point objective (RPO) requires which of the following?

  • A. After-image processing
  • B. Before-image restoration
  • C. Disaster declaration
  • D. System restoration

Answer: B

Explanation:
The recovery point objective (RPO) is the point in the processing flow to which system recovery should return, i.e., the maximum acceptable data loss expressed as a point in time. This is the predetermined state of the application processing and data (the before-image) used to restore the system and continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later point, as does the return to normal, after-image processing.

 

NEW QUESTION 797
A security risk assessment exercise should be repeated at regular intervals because:

  • A. omissions in earlier assessments can be addressed.
  • B. repetitive assessments allow various methodologies.
  • C. they help raise awareness on security in the business.
  • D. business threats are constantly changing.

Answer: D

Explanation:
As business objectives and methods change, the nature and relevance of threats change as well. Choice A does not, by itself, justify regular reassessment. Choice B is not necessarily true in all cases. Choice C is incorrect because there are better ways of raising security awareness than by performing a risk assessment.

 

NEW QUESTION 798
Which of the following situations would MOST inhibit the effective implementation of security governance:

  • A. Budgetary constraints
  • B. Lack of high-level sponsorship
  • C. Conflicting business priorities
  • D. The complexity of technology

Answer: B

Explanation:
The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance, so its absence is the greatest inhibitor. Complexity of technology, budgetary constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors.

 

NEW QUESTION 799
Which of the following is MOST important to have in place to effectively manage security incidents that could potentially escalate to disasters?

  • A. Senior management commitment to funding the disaster recovery program
  • B. Alignment of incident management activities with business continuity and disaster recovery plans
  • C. Well-defined disaster recovery time and recovery point objectives (RTOs and RPOs)
  • D. An incident response team with a clear understanding of their roles and responsibilities

Answer: B

 

NEW QUESTION 800
What is the MAIN reason for an organization to develop an incident response plan?

  • A. Provide a process for notifying stakeholders of the incident.
  • B. Identify training requirements for the incident response team.
  • C. Trigger immediate recovery procedures.
  • D. Prioritize treatment based on incident criticality.

Answer: C

 

NEW QUESTION 801
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:

  • A. storage capacity and shelf life.
  • B. business strategy and direction.
  • C. application systems and media.
  • D. regulatory and legal requirements.

Answer: C

Explanation:
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.

 

NEW QUESTION 802
Which of the following is the GREATEST benefit of information asset classification to an organization?

  • A. It helps to minimize the cost of regulatory compliance efforts
  • B. It demonstrates the value of information assets for financial reporting.
  • C. It measures qualitative value of the information.
  • D. It helps to optimize the investment in protecting information assets.

Answer: D

 

NEW QUESTION 803
As part of an international expansion plan, an organization has acquired a company located in another jurisdiction. Which of the following would be the BEST way to maintain any effective information security program?

  • A. Ensure information security is included in any change control efforts
  • B. Merge the two information security programs to establish continuity
  • C. Determine new factors that could influence the information security strategy
  • D. Implement the current information security program in the acquired company

Answer: C

 

NEW QUESTION 804
To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?

  • A. Time server
  • B. Database server
  • C. Proxy server
  • D. Domain name server (DNS)

Answer: A

Explanation:
To accurately reconstruct the course of events, every log entry needs a common time reference, and that is provided by the time server: all devices synchronize their clocks to the same source (typically via NTP), so timestamps from different devices can be placed on one timeline. Without it, entries from devices whose clocks drift cannot be reliably ordered. The other choices would not assist in the correlation and review of these logs.
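The practical consequence of the explanation above is that an analyst must (a) bring every device's timestamps onto one reference clock and (b) know the residual skew of each device, because an unsynchronized clock silently reorders events. The following Python example is added here and is not part of the exam material: it parses constructed log lines from a firewall, a proxy and a host that each use their own timestamp format and time zone, converts each to the reference clock in UTC, corrects for per-device skew, and sorts the result into one timeline. The device names, log formats, sample lines, assumed year for the syslog lines and skew values are all assumptions made for the illustration.

```python
"""Correlate logs from several devices onto a single reference clock.

Added example, not from the exam material. All log lines, device names,
formats and skew values below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    utc: datetime   # event time on the reference (NTP) clock, in UTC
    device: str
    message: str


# Constructed sample lines. Each device has its own format and zone:
#   firewall: ISO 8601 in UTC; proxy: Apache-style with +0100 offset;
#   host: classic syslog (no year, no zone).
FIREWALL_LOG = [
    "2023-03-01T09:15:02Z fw01 DENY tcp 203.0.113.7:51234 -> 10.0.0.5:445",
    "2023-03-01T09:15:40Z fw01 ALLOW tcp 203.0.113.7:51240 -> 10.0.0.5:443",
]
PROXY_LOG = [
    "01/Mar/2023:10:15:45 +0100 proxy01 GET http://203.0.113.7/payload.bin 200",
]
HOST_LOG = [
    "Mar  1 09:14:30 web05 audit[311]: execve /tmp/payload.bin uid=33",
]

# Assumed skew of each device clock against the NTP reference, in seconds.
# Positive = device clock runs ahead; negative = behind. web05 is 90 s slow.
CLOCK_SKEW_SECONDS = {"fw01": 0, "proxy01": 0, "web05": -90}

_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_firewall(line: str):
    """'2023-03-01T09:15:02Z fw01 <msg>' -> (aware datetime, device, msg)."""
    ts, device, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), device, msg


def parse_proxy(line: str):
    """'01/Mar/2023:10:15:45 +0100 proxy01 <msg>' -> (aware datetime, device, msg)."""
    date, offset, device, msg = line.split(" ", 3)
    ts = datetime.strptime(f"{date} {offset}", "%d/%b/%Y:%H:%M:%S %z")
    return ts, device, msg


def parse_syslog(line: str, year: int = 2023, zone=timezone.utc):
    """Classic syslog carries neither year nor zone; both are supplied as
    assumptions (here: 2023 and UTC), which is itself a correlation hazard."""
    m = _SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=zone), m["host"], m["msg"]


def to_reference_clock(ts: datetime, device: str, skew=CLOCK_SKEW_SECONDS) -> datetime:
    """Convert a device-local, zone-aware timestamp to reference-clock UTC.
    A clock that runs `s` seconds ahead stamped the event `s` seconds late,
    so the true time is the stamped time minus the skew."""
    return ts.astimezone(timezone.utc) - timedelta(seconds=skew.get(device, 0))


def build_timeline(skew=CLOCK_SKEW_SECONDS):
    """Parse all sources, normalise to the reference clock and sort."""
    parsed = (
        [parse_firewall(l) for l in FIREWALL_LOG]
        + [parse_proxy(l) for l in PROXY_LOG]
        + [parse_syslog(l) for l in HOST_LOG]
    )
    events = [Event(to_reference_clock(ts, dev, skew), dev, msg) for ts, dev, msg in parsed]
    return sorted(events, key=lambda e: e.utc)


def devices_outside_tolerance(skew=CLOCK_SKEW_SECONDS, tolerance_s: int = 5):
    """Devices whose skew exceeds the tolerance; their ordering relative to
    other sources cannot be trusted until the skew is measured and applied."""
    return sorted(d for d, s in skew.items() if abs(s) > tolerance_s)


if __name__ == "__main__":
    print("Raw device clocks (no skew correction):")
    for e in build_timeline(skew={}):
        print(f"  {e.utc.isoformat()} {e.device:8} {e.message}")
    print("Reference clock (skew corrected):")
    for e in build_timeline():
        print(f"  {e.utc.isoformat()} {e.device:8} {e.message}")
    print("Clocks outside tolerance:", devices_outside_tolerance())
```

On the raw clocks the host's execve appears to happen before the firewall ever saw the attacker, which would send the investigation in the wrong direction; once the 90-second lag is applied it lands where it belongs, after the proxy fetched the payload. In practice the skew table is obtained by querying each device's clock against the NTP reference at the time of the investigation, and the syslog year and zone should come from the device configuration rather than being assumed.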

 

NEW QUESTION 805
Recovery time objectives (RTOs) are BEST determined by

  • A. business managers.
  • B. database administrators.
  • C. business continuity officers.
  • D. executive management.

Answer: A

 

NEW QUESTION 806
Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:

  • A. recommend a risk assessment and implementation only if the residual risks are accepted.
  • B. recommend revision of current policy.
  • C. conduct a risk assessment and allow or disallow based on the outcome.
  • D. recommend against implementation because it violates the company's policies.

Answer: A

Explanation:
Whenever the company's policies cannot be followed, a risk assessment should be conducted to clarify the risks. It is then up to management to accept the residual risks or to mitigate them; management determines the level of risk it is willing to take, not the information security manager. Recommending revision of current policy should not be triggered by a single request.

 

NEW QUESTION 807
......

Authentic Best resources for CISM Online Practice Exam: https://www.surepassexams.com/CISM-exam-bootcamp.html

CISM Test Engine Practice Exam: https://drive.google.com/open?id=1GpMF5QRlo1I8KsdTRKrMxH-_5pMp4sES