
[2024年12月03日] 合格率取得する秘訣はCISM認定試験エンジンPDF
CISM試験問題集合格できるには更新された2024年12月テスト問題集
質問 # 538
Which of the following risk scenarios is MOST likely to emerge from a supply chain attack?
- A. Unreliable delivery of hardware and software resources by a supplier
- B. Loss of customers due to unavailability of products
- C. Compromise of critical assets via third-party resources
- D. Unavailability of services provided by a supplier
正解:C
質問 # 539
Which of the following is the MOST effective way for an information security manager to ensure that security is incorporated into an organization's project development processes?
- A. Participate in project initiation, approval, and funding.
- B. Integrate organization's security requirements into project management.
- C. Develop good communications with the project management office (PMO).
- D. Conduct security reviews during design, testing, and implementation.
正解:B
質問 # 540
When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?
- A. Information security manager
- B. Business management
- C. System users
- D. Operations manager
正解:A
解説:
Explanation
The escalation process in critical situations should involve the information security manager as the first contact so that appropriate escalation steps are invoked as necessary. Choices A, B and D would be notified accordingly.
質問 # 541
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
- A. Security metrics
- B. Version control
- C. Change management
- D. Patch management
正解:C
解説:
Explanation/Reference:
Explanation:
Change management controls the process of introducing changes to systems. Failure to have good change management may introduce new weaknesses into otherwise secure systems. Patch management corrects discovered weaknesses by applying a correction to the original program code. Security metrics provide a means for measuring effectiveness. Version control is a subset of change management.
質問 # 542
Priore implementing a bring your own device (BYOD) program, it is MOST important to:
- A. develop an acceptable use policy.
- B. review currently utilized applications.
- C. select mobile device management (MDM) software.
- D. survey employees for requested applications.
正解:A
質問 # 543
The PRIMARY advantage of a network intrusion detection system (IDS) is that it can:
- A. identify an attack on the network.
- B. simulate denial-of-service attacks.
- C. detect network vulnerabilities
- D. block undesirable network traffic
正解:A
質問 # 544
Which of the following is MOST helpful in determining an organization's current capacity to mitigate risks?
- A. Vulnerability assessment
- B. IT security risk and exposure
- C. Business impact analysis (BIA)
- D. Capability maturity model
正解:D
解説:
Explanation
A capability maturity model (CMM) is a framework that helps organizations assess and improve their processes and capabilities in various domains, such as software development, project management, information security, and others1. A CMM defines a set of levels or stages that represent the degree of maturity or effectiveness of an organization's processes and capabilities in a specific domain. Each level has a set of criteria or characteristics that an organization must meet to achieve that level of maturity. A CMM also provides guidance and best practices on how to progress from one level to another, and how to measure and monitor the performance and improvement of the processes and capabilities2.
A CMM is most helpful in determining an organization's current capacity to mitigate risks, because it provides a systematic and objective way to evaluate the strengths and weaknesses of the organization's processes and capabilities related to risk management. A CMM can help an organization identify the gaps and opportunities for improvement in its risk management practices, and prioritize the actions and resources needed to address them. A CMM can also help an organization benchmark its risk management maturity against industry standards or best practices, and demonstrate its compliance with regulatory or contractual requirements3.
The other options are not as helpful as a CMM in determining an organization's current capacity to mitigate risks, because they are either more specific, limited, or dependent on a CMM. A vulnerability assessment is a process of identifying and analyzing the vulnerabilities in an organization's systems, networks, or applications, and their potential impact on the organization's assets, operations, or reputation. A vulnerability assessment can help an organization identify the sources and levels of risk, but it does not provide a comprehensive or holistic view of the organization's risk management maturity or effectiveness4. IT security risk and exposure is a measure of the likelihood and impact of a security breach or incident on an organization's IT assets, operations, or reputation. IT security risk and exposure can help an organization quantify and communicate the level of risk, but it does not provide a framework or guidance on how to improve the organization's risk management processes or capabilities5. A business impact analysis (BIA) is a process of identifying and evaluating the potential effects of a disruption or disaster on an organization's critical business functions, processes, or resources. A BIA can help an organization determine the priorities and requirements for business continuity and disaster recovery, but it does not provide a method or standard for assessing or enhancing the organization's risk management maturity or effectiveness. References = 1: CMMI Institute - What is CMMI? - Capability Maturity Model Integration 2: Capability Maturity Model and Risk Register Integration:
The Right ... 3: Performing Risk Assessments of Emerging Technologies - ISACA 4: CISM Review Manual
15th Edition, Chapter 4, Section 4.2 5: CISM Review Manual 15th Edition, Chapter 4, Section 4.3 : CISM Review Manual 15th Edition, Chapter 4, Section 4.4
質問 # 545
Which of the following approaches to communication with senior management BEST enables an information security manager to maximize the effectiveness of the information security program?
- A. Reporting on industry security threats with potential impact to business objectives
- B. Conducting periodic one-on-one meetings to align security with business objectives
- C. Providing regular status of updates to security policies and standards
- D. Participating in operational review meetings to discuss daily operations and dependencies
正解:B
質問 # 546
The PRIMARY goal of a post-incident review should be to:
- A. establish the cost of the incident to the business.
- B. determine how to improve the incident handling process.
- C. identify policy changes to prevent a recurrence.
- D. determine why the incident occurred.
正解:C
質問 # 547
When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:
- A. service level agreements may not otherwise be met.
- B. this is a requirement of the security policy.
- C. the asset inventory must be maintained.
- D. software licenses may expire in the future without warning.
正解:A
解説:
The key requirement is to preserve availability of business operations. Choice A is a correct compliance requirement, but is not the main objective in this case. Choices B and C are supplementary requirements for business continuity/disaster recovery planning.
質問 # 548
Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
- A. Feasibility
- B. User testing
- C. Specification
- D. Programming
正解:A
解説:
Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds. Risk should also be considered in the specification phase where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in choice A or C.
質問 # 549
Which of the following is the MOST important reason to monitor information risk on a continuous basis?
- A. The cost of controls can be minimized.
- B. Risk assessment errors can be identified.
- C. The risk profile can change over time.
- D. The effectiveness of controls can be verified.
正解:C
解説:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
質問 # 550
Senior management is concerned a security solution may not adequately protect its multiple global data centers following recent industry breaches. What should be done NEXT?
- A. Perform a gap analysis.
- B. Conduct a business impact analysis (BIA).
- C. Perform a risk assessment.
- D. Require an internal audit review.
正解:C
質問 # 551
When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?
- A. Access control should fall back to no synchronized mode
- B. System logs should record all user activity for later analysis
- C. The firewall should block all inbound traffic during the outage
- D. All systems should block new logins until the problem is corrected
正解:A
解説:
The best mechanism is for the system to fallback to the original process of logging on individually to each system. Blocking traffic and new logins would be overly restrictive to the conduct of business, while recording all user activity would add little value.
質問 # 552
Which of the following is the BEST method for determining whether a firewall has been configured to provide a comprehensive perimeter defense9
- A. A simulated denial of service (DoS) attack against the firewall
- B. A validation of the current firewall rule set
- C. A port scan of the firewall from an internal source
- D. A ping test from an external source
正解:B
解説:
Explanation
A validation of the current firewall rule set is the best method for determining whether a firewall has been configured to provide a comprehensive perimeter defense because it verifies that the firewall rules are consistent, accurate, and effective in allowing or blocking traffic according to the security policies and standards of the organization. A port scan of the firewall from an internal source is not a good method because it does not test the firewall's behavior from an external perspective, which is more relevant for perimeter defense. A ping test from an external source is not a good method because it only tests the firewall's availability and responsiveness, not its security or functionality. A simulated denial of service (DoS) attack against the firewall is not a good method because it only tests the firewall's resilience and performance under high traffic load, not its security or functionality. References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/the-value-of-penetration-testing
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanning-versus-penetration-testing
質問 # 553
Which of the following is MOST likely to be included in an enterprise information security policy?
- A. Password composition requirements
- B. Consequences of noncompliance
- C. Security monitoring strategy
- D. Audit trail review requirements
正解:B
解説:
Section: INFORMATION SECURITY GOVERNANCE
質問 # 554
Which of the following is the MOST important reason to document information security incidents that are reported across the organization?
- A. Prevent incident recurrence.
- B. Identify unmitigated risk.
- C. Support business investments in security
- D. Evaluate the security posture of the organization.
正解:A
質問 # 555
When residual risk is minimized:
- A. control risk is reduced.
- B. acceptable risk is probable.
- C. transferred risk is acceptable.
- D. risk is transferable.
正解:B
解説:
Section: INFORMATION RISK MANAGEMENT
Explanation:
Since residual risk is the risk that remains after putting into place an effective risk management program, it is probable that the organization will decide that it is an acceptable risk if sufficiently minimized. Transferred risk is risk that has been assumed by a third party, therefore its magnitude is not relevant. Accordingly, choices B and D are incorrect since transferred risk does not necessarily indicate whether risk is at an acceptable level. Minimizing residual risk will not reduce control risk.
質問 # 556
Which of the following is the BEST defense against a brute force attack?
- A. Time-of-day restrictions
- B. Mandatory access control
- C. Intruder detection lockout
- D. Discretionary access control
正解:A
質問 # 557
Which of the following is the BEST indication of a mature information security program?
- A. Security resources are optimized.
- B. Security spending is below budget.
- C. Security incidents are managed properly.
- D. Security audit findings are reduced.
正解:A
解説:
Explanation
A mature information security program is one that is aligned with the business strategy, objectives, and culture, and that delivers value to the organization by effectively managing the information security risks and enhancing the security posture. Optimizing the security resources means that the program uses the available human, financial, and technical resources in the most efficient and effective way, and that it continuously monitors and improves the performance and maturity of the security processes and controls.
References = CISM Review Manual 2022, page 331; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.22; What is a Mature Information Security Program?; How to Measure the Maturity of Your Cybersecurity Program
質問 # 558
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
- A. eliminating the risk.
- B. mitigating the risk.
- C. accepting the risk.
- D. transferring the risk.
正解:B
解説:
Section: INFORMATION RISK MANAGEMENT
Explanation:
Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance so the insurance company can take the risk. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.
質問 # 559
Several significant risks have been identified after a centralized risk register was compiled and prioritized. The information security manager's most important action is to:
- A. provide senior management with risk treatment options.
- B. ensure that employees are aware of the risk.
- C. consult external third parties on how to treat the risk.
- D. design and implement controls to reduce the risk.
正解:A
質問 # 560
The MOST important reason for an information security manager to be involved in the change management process is to ensure that:
- A. potential vulnerabilities are identified.
- B. security controls drive technology changes.
- C. risks have been evaluated.
- D. security controls are updated regularly.
正解:B
解説:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
質問 # 561
Which of the following would BEST help to ensure appropriate security controls are built into software?
- A. Integrating security throughout the development process
- B. Providing standards for implementation during development activities
- C. Performing security testing prior to deployment
- D. Providing security training to the software development team
正解:A
質問 # 562
......
CISMテスト問題練習は2024年最新のに更新された1180問あります:https://jp.fast2test.com/CISM-premium-file.html
更新されたプレミアムCISM試験エンジンPDF:https://drive.google.com/open?id=1h8Fuiz6bI9fTR5xyFTKF-Td-Hc6fWqnA