
良質なCISM-CNのPDF問題集でCISM-CN試験問題を試せます
一番最新のISACA CISM-CN試験問題集PDF2023年更新
質問 # 88
業務系統更新後執行漏洞評估的主要目標是什麼?
- A. 改進變更控制流程。
- B. 審查控制措施的有效性
- C. 更新威脅態勢。
- D. 確定運營損失。
正解:B
解説:
The primary objective of performing a vulnerability assessment following a business system update is to review the effectiveness of controls. A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed1. A business system update is a process of modifying or enhancing an information system to improve its functionality, performance, security, or compatibility. A business system update may introduce new features, fix bugs, patch vulnerabilities, or comply with new standards or regulations2. Performing a vulnerability assessment following a business system update is important because it helps to:
* Review the effectiveness of controls that are implemented to protect the information sys-tem from threats and risks
* Identify any new or residual vulnerabilities that may have been introduced or exposed by the update
* Evaluate the impact and likelihood of potential incidents that may exploit the vulnerabili-ties
* Prioritize and implement appropriate actions to address the vulnerabilities
* Verify and validate the security posture and compliance of the updated information sys-tem Therefore, the primary objective of performing a vulnerability assessment following a business system update is to review the effectiveness of controls that are designed to ensure the confidentiality, integrity, and availability of the information system and its dat a. The other options are not the primary objectives of performing a vulnerability as-sessment following a business system update. Determining operational losses is not an objective, but rather a possible consequence of not performing a vulnerability as-sessment or not addressing the identified vulnerabilities. Improving the change control process is not an objective, but rather a possible outcome of performing a vulnerability assessment and incorporating its results and recommendations into the change man-agement cycle. Updating the threat landscape is not an objective, but rather a prereq-uisite for performing a vulnerability assessment that requires using up-to-date sources of threat intelligence and vulnerability information. Reference: 1: Vulnerability As-sessment - NIST 2: System Update - Techopedia : Vulnerability Assessment vs Penetra-tion Testing - Imperva : Change Control Process - NIST : Threat Landscape - NIST
質問 # 89
组织正在将其事件响应能力与公共云服务提供商保持一致。信息安全经理的首要行动应该是什么?
- A. 确定提供商事件响应团队的技能组合。
- B. 评估供应商的审计记录和监控控制。
- C. 审查提供商的事件定义和通知标准。
- D. 更新事件升级流程。
正解:D
解説:
Reviewing the provider's incident definitions and notification criteria is the FIRST course of action when aligning the organization's incident response capability with a public cloud service provider. This is because the organization needs to understand how the provider defines and classifies incidents, what their roles and responsibilities are, and how they will communicate with the organization in case of an incident. This will help the organization align its own incident response processes and expectations with the provider's and ensure a coordinated and effective response.
質問 # 90
如果民事訴訟是組織響應安全事件的目標,則主要步驟應該是:
- A. 聯繫執法部門。
- B. 使用標準服務器備份實用程序捕獲證據。
- C. 記錄監管鏈。
- D. 在安全區域重新啟動受影響的計算機以搜索證據。
正解:C
質問 # 91
恢復時間目標 (RTO) 是以下哪項的輸出?
- A. 災難恢復計劃 (DRP)
- B. 服務級別協議 (SLA)
- C. 業務連續性計劃 (BCP)
- D. 業務影響分析 (BIA)
正解:D
解説:
Business impact analysis (BIA) is the process that provides the output of recovery time objectives (RTOs), which are the maximum acceptable time frames for restoring business functions or processes after a disruption. Business continuity plan (BCP) is the document that describes the strategies and procedures for ensuring the continuity of critical business functions or processes in the event of a disruption. Disaster recovery plan (DRP) is the document that describes the technical steps and resources for restoring IT systems and data in the event of a disruption. Service level agreement (SLA) is the document that defines the expectations and obligations between a service provider and a service consumer, such as availability, performance, and security. Reference: https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/business-impact-analysis-bia-and-disaster-recovery-planning-drp https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/service-level-agreements-in-the-cloud
質問 # 92
管理层已宣布收购一家新公司。母公司的信息安全经理担心,在两家公司的整合过程中,访问权限的冲突可能会导致关键信息外泄。为了最好地解决这个问题,信息安全经理应该:
- A. 在收购整合发生时审查访问权限。
- B. 执行访问权限的风险评估。
- C. 实施一致的访问控制标准。
- D. 将对管理访问权限冲突的担忧升级。
正解:B
解説:
Performing a risk assessment of the access rights is the best way to address the concern of conflicting access rights during the integration of two companies. A risk assessment will help to identify and prioritize the threats and vulnerabilities that affect the access rights of both companies, as well as the potential impact and likelihood of information exposure. A risk assessment will also provide a basis for selecting and evaluating the controls to mitigate the risks. According to NIST, a risk assessment is an essential component of risk management and should be performed before implementing any security controls1. The other options are not the best ways to address the concern of conflicting access rights during the integration of two companies, but rather possible subsequent actions based on the risk assessment. Reviewing access rights as the acquisition integration occurs may be too late or too slow to prevent information exposure. Escalating concerns for conflicting access rights to management may not be effective without evidence or recommendations from a risk assessment. Implementing consistent access control standards may not be feasible or desirable for different systems or business units. Reference: 1: NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments 2: M&A integration strategy is crucial for deal success but remains difficult: PwC 3: The 10 steps to successful M&A integration | Bain & Company : Cracking the code to successful post-merger integration
質問 # 93
進行法醫調查時,以下哪一項最重要?
- A. 記錄分析步驟
- B. 分析系統內存
- C. 維持監管鏈
- D. 捕獲完整系統映像
正解:C
質問 # 94
組織的安全策略是禁止訪問筆記本電腦和台式機上的 USB 存儲設備。以下哪一項是給予政策例外的最有力的理由?
- A. 收益大於潛在風險。
- B. 用戶接受不合規的風險。
- C. 根據用戶角色啟用USB存儲設備。
- D. 訪問權限僅限於只讀。
正解:A
解説:
The strongest justification for granting an exception to the security policy that disables access to USB storage devices on laptops and desktops is that the benefit is greater than the potential risk. A security policy is a document that defines the goals, objec-tives, principles, roles, responsibilities, and requirements for protecting information and systems in an organization. A security policy should be based on a risk assessment that identifies and evaluates the threats and vulnerabilities that affect the organiza-tion's assets, as well as the potential impact and likelihood of incidents. A security pol-icy should also be aligned with the organization's business objectives and risk appe-tite1. However, there may be situations where a security policy cannot be fully enforced or complied with due to technical, operational, or business reasons. In such cases, an exception to the policy may be requested and granted by an authorized person or body, such as a security manager or a policy committee. An exception to a security policy should be justified by a clear and compelling reason that outweighs the risk of non-compliance. An exception to a security policy should also be documented, approved, monitored, reviewed, and revoked as necessary2. The strongest justification for grant-ing an exception to the security policy that disables access to USB storage devices on laptops and desktops is that the benefit is greater than the potential risk. USB storage devices are portable devices that can store large amounts of data and can be easily connected to laptops and desktops via USB ports. They can provide several benefits for users and organizations, such as:
* Enhancing data mobility and accessibility
* Improving data backup and recovery
* Supporting data sharing and collaboration
* Enabling data encryption and authentication
However, USB storage devices also pose significant security risks for users and organi-zations, such as:
* Introducing malware or viruses to laptops and desktops
* Exposing sensitive data to unauthorized access or disclosure
* Losing or stealing data due to device loss or theft
* Violating security policies or regulations
Therefore, an exception to the security policy that disables access to USB storage de-vices on laptops and desktops should only be granted if the benefit of using them is greater than the potential risk of compromising them. For example, if a user needs to transfer a large amount of data from one laptop to another in a remote location where there is no network connection available, and the data is encrypted and protected by a strong password on the USB device, then the benefit of using the USB device may be greater than the risk of losing or exposing it. The other options are not the strongest justifications for granting an exception to the security policy that disables access to USB storage devices on laptops and desktops. Enabling USB storage devices based on user roles is not a justification, but rather a possible way of implementing a more gran-ular or flexible security policy that allows different levels of access for different types of users3. Users accepting the risk of noncompliance is not a justification, but rather a requirement for requesting an exception to a security policy that acknowledges their responsibility and accountability for any consequences of noncompliance4. Accessing being restricted to read-only is not a justification, but rather a possible control that can reduce the risk of introducing malware or viruses from USB devices to laptops and desktops5. Reference: 1: Information Security Policy - NIST 2: Policy Exception Man-agement - ISACA 3: Deploy and manage Removable Storage Access Control using In-tune - Microsoft Learn 4: Policy Exception Request Form - University of California 5: Re-movable Media Policy Writing Tips - CurrentWare
質問 # 95
以下哪一項是保護高價值資產或處理存在信任問題的環境的最佳縱深防禦實施?
- A. 重疊冗餘
- B. 劃分
- C. 多重身份驗證
- D. 持續監控
正解:B
解説:
Compartmentalization is the best defense-in-depth implementation for protecting high value assets or for handling environments that have trust concerns because it is a strategy that divides the network or system into smaller segments or compartments, each with its own security policies, controls, and access rules. Compartmentalization helps to isolate and protect the most sensitive or critical data and functions from unauthorized or malicious access, as well as to limit the damage or impact of a breach or compromise. Compartmentalization also helps to enforce the principle of least privilege, which grants users or processes only the minimum access rights they need to perform their tasks. Therefore, compartmentalization is the correct answer.
Reference:
https://www.csoonline.com/article/3667476/defense-in-depth-explained-layering-tools-and-processes-for-better-security.html
https://www.fortinet.com/resources/cyberglossary/defense-in-depth
https://sciencepublishinggroup.com/journal/paperinfo?journalid=542&doi=10.11648/j.ajai.20190302.11
質問 # 96
以下哪一项 BEST 表示组织已在规定的恢复时间目标 (RTO) 内有效地测试了其业务连续性和灾难恢复计划?
- A. 正在满足监管要求。
- B. 业务需求正在得到满足。
- C. 正在满足内部合规要求。
- D. 正在满足风险管理目标。
正解:B
質問 # 97
信息安全经理正在协助开发新外包服务的提案请求 (RFP)。这将要求第三方能够访问关键的业务信息。安全经理应该主要关注定义:
- A. 外包过程的安全要求。
- B. 风险报告方法。
- C. 安全指标
- D. 服务水平协议 (SLA)
正解:A
解説:
Security requirements for the process being outsourced are the specifications and standards that the third party must comply with to ensure the confidentiality, integrity and availability of the critical business information. They define the roles and responsi-bilities of both parties, the security controls and measures to be implemented, the se-curity objectives and expectations, the security risks and mitigation strategies, and the security monitoring and reporting mechanisms. Security requirements are essential to protect the information assets of the organization and to establish a clear and en-forceable contractual relationship with the third party.
Reference:
* 1 Outsourcing Strategies for Information Security: Correlated Losses and Security Exter-nalities - SpringerLink
* 2 What requirements must outsourcing services comply with for the European market? - CBI
* 3 Outsourcing cybersecurity: What services to outsource, what to keep in house - Infosec Institute
* 4 BCFSA outsourcing and information security guidelines - BLG
質問 # 98
一家組織正在利用平板電腦取代輪班員工共享的台式電腦。這些平板電腦包含關鍵業務數據,本質上被盜的風險會增加,以下哪一項最能幫助減輕這種風險”
- A. 進行移動設備風險評估
- B. 部署移動設備管理 (MDM)
- C. 創建可接受的使用政策。
- D. 實現遠程擦除功能。
正解:A
解説:
A key risk indicator (KRI) is a metric that provides an early warning of potential exposure to a risk. A KRI should be relevant, measurable, timely, and actionable. The most important factor in an organization's selection of a KRI is the criticality of information, which means that the KRI should reflect the value and sensitivity of the information assets that are exposed to the risk. For example, a KRI for data breach risk could be the number of unauthorized access attempts to a database that contains confidential customer data. The criticality of information helps to prioritize the risks and focus on the most significant ones. Reference: https://www.isaca.org/credentialing/cism https://www.wiley.com/en-us/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948
質問 # 99
針對組織外部 Web 應用程序的滲透測試顯示了多個漏洞。以下哪一項是最令人擔憂的?
- A. 漏洞是由於用戶驗收測試 (UAT) 不足引起的
- B. 內部測試未發現漏洞
- C. 滲透測試前未簽署參與規則表
- D. 其中一個漏洞的利用代碼已公開
正解:D
解説:
Exploit code for one of the vulnerabilities is publicly available presents the greatest concern because it means that anyone can easily exploit the vulnerability and compromise the web application. This increases the risk of data breach, denial of service, or other malicious attacks. Therefore, exploit code for one of the vulnerabilities is publicly available is the correct answer.
Reference:
https://www.imperva.com/learn/application-security/penetration-testing/
https://www.netspi.com/blog/technical/web-application-penetration-testing/are-you-testing-your-web-application-for-vulnerabilities/
質問 # 100
當有關信息安全投資的管理決策基於以下因素時,它們將是最有效的:
- A. 管理層正式接受風險分析,
- B. 報告一致且定期的風險評估。
- C. 根據安全事件歷史確定的年度預期損失 (ALE),
- D. 識別和分析威脅和漏洞的過程。
正解:B
質問 # 101
以下哪一项最有助于保护企业免受高级持续性威胁 (APT) 的侵害?
- A. 定期防病毒更新
- B. 威胁情报
- C. 更新的安全策略
- D. 定义的安全标准
正解:D
質問 # 102
以下哪项是将访谈作为业务影响分析 (BIA) 流程的一部分进行的最重要原因?
- A. 提高主要利益相关者的信息安全意识
- B. 从尽可能多的相关利益相关者那里获得输入
- C. 确保提供投入的利益相关者承担相关风险
- D. 促进 BIA 之后的定性风险评估
正解:C
質問 # 103
以下哪一項提供了最好的證據來證明最近建立的信息安全計劃是有效的?
- A. 定期傳達 IT 平衡計分卡。
- B. 高級管理層報告的垃圾郵件有所減少。
- C. 報告的事件數量有所增加
- D. 與 IT 事件相關的工單數量保持一致
正解:C
解説:
The number of reported incidents has increased is the best evidence that a recently established information security program is effective because it indicates that the organization has improved its detection and reporting capabilities and has raised awareness among employees about security issues. Regular IT balanced scorecards are communicated is not a good evidence because it does not measure the actual performance or outcomes of the security program. Senior management has reported fewer junk emails is not a good evidence because it does not reflect the overall security posture or maturity of the organization. The number of tickets associated with IT incidents have stayed consistent is not a good evidence because it does not show any improvement or reduction in security incidents or risks. Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso-27004 https://www.isaca.org/resources/isaca-journal/issues/2014/volume-6/how-to-measure-the-effectiveness-of-your-information-security-management-system
質問 # 104
以下哪项为信息安全经理提供了组织应对网络攻击能力的最准确指示?
- A. 红队练习
- B. 模拟网络钓鱼练习
- C. 黑盒渗透测试
- D. 事件响应计划的演练
正解:A
質問 # 105
以下哪一项 BEST 有助于有效的事件响应测试?
- A. 模拟真实的测试场景
- B. 主要业务变更后测试
- C. 每季度审查测试结果
- D. 包括测试中的所有业务单元
正解:A
質問 # 106
在建立必須遵守適用的數據隱私法規的新數據保護計劃時,應首先執行以下哪項操作?
- A. 評估數據保護所需的隱私技術。
- B. 創建存儲個人數據的系統清單。
- C. 加密系統和網絡上存儲的所有個人數據。
- D. 更新紀律流程以解決侵犯隱私的問題。
正解:B
質問 # 107
以下哪项是定期审查网络安全威胁态势的主要原因?
- A. 培训信息安全专业人员以减轻新威胁
- B. 确定扩展组织信息安全的机会
- C. 将新兴趋势与现有组织安全态势进行比较
- D. 将最坏的情况传达给高级管理层
正解:C
質問 # 108
......
100%無料Isaca Certification CISM-CN問題集PDFお試しサンプル認定ガイドカバー率:https://jp.fast2test.com/CISM-CN-premium-file.html