CISM練習試験と学習ガイドは厳密検証された最新な672問題 [Q149-Q168]

Share

CISM練習試験と学習ガイドは厳密検証されたFast2test最新な672問題

2024年最新のな厳密検証された合格させるCISM学習ガイドベズトお試しセット


CISM認定は、情報セキュリティ管理に関与している専門家にとって貴重な認定です。認証はグローバルに認識されており、情報セキュリティ管理の重要なドメインをカバーしています。認定の対象となるには、候補者は関連する実務経験を持ち、認定試験に合格する必要があります。


ISACA CISM(認定情報セキュリティマネージャー)認定試験は、情報セキュリティの専門家のための世界的に認められた認定です。情報セキュリティ管理の分野における個人の知識と専門知識を評価および検証するように設計されています。 CISM認定は、利用可能な最も有名な情報セキュリティ認証の1つと考えられており、雇用主は非常に求められています。

 

質問 # 149
A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract?

  • A. Authority of the subscriber to approve access to its data
  • B. Commingling of subscribers' data on the same physical server
  • C. Right of the subscriber to conduct onsite audits of the vendor
  • D. Escrow of software code with conditions for code release

正解:A

解説:
Explanation
The greatest concern to an information security manager if omitted from the contract with a multinational cloud computing vendor would be the authority of the subscriber to approve access to its data. This is because the subscriber's data may be subject to different legal and regulatory requirements in different jurisdictions, and the subscriber may lose control over who can access, process, or disclose its data. The subscriber should have the right to approve or deny access to its data by the vendor or any third parties, and to ensure that the vendor complies with the applicable data protection laws and standards. The authority of the subscriber to approve access to its data is also one of the key elements of the ISACA Cloud Computing Management Audit/Assurance Program1.
References = CISM Review Manual, 16th Edition eBook2, Chapter 3: Information Security Program Development and Management, Section: Information Security Program Management, Subsection: Cloud Computing, Page 142.


質問 # 150
An organization's information security manager is performing a post-incident review of a security incident in which the following events occurred:
* A bad actor broke into a business-critical FTP server by brute forcing an administrative password
* The third-party service provider hosting the server sent an automated alert message to the help desk, but was ignored
* The bad actor could not access the administrator console, but was exposed to encrypted data transferred to the server
* After three hours, the bad actor deleted the FTP directory, causing incoming FTP attempts by legitimate customers to fail Which of the following could have been prevented by conducting regular incident response testing?

  • A. Ignored alert messages
  • B. The server being compromised
  • C. Stolen data
  • D. The brute force attack

正解:A

解説:
Ignored alert messages could have been prevented by conducting regular incident response testing because it would have ensured that the help desk staff are familiar with and trained on how to handle different types of alert messages from different sources, and how to escalate them appropriately. The server being compromised could not have been prevented by conducting regular incident response testing because it is related to security vulnerabilities or weaknesses in the server configuration or authentication mechanisms. The brute force attack could not have been prevented by conducting regular incident response testing because it is related to security threats or attacks from external sources. Stolen data could not have been prevented by conducting regular incident response testing because it is related to security breaches or incidents that may occur despite the incident response plan or process. Reference: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned


質問 # 151
The effectiveness of the information security process is reduced when an outsourcing organization:

  • A. standardizes on a single access-control software product
  • B. receives additional revenue when security service levels are met
  • C. is responsible for information security governance activities
  • D. incurs penalties for failure to meet security service-level agreements

正解:C

解説:
Section: INFORMATION SECURITY GOVERNANCE


質問 # 152
An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees Hood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:

  • A. conflicting security controls with organizational needs.
  • B. implementing appropriate controls to reduce risk.
  • C. strong protection of information resources.
  • D. proving information security's protective abilities.

正解:A

解説:
Section: INFORMATION SECURITY GOVERNANCE
Explanation:
The needs of the organization were not taken into account, so there is a conflict. This example is not strong protection; it is poorly configured. Implementing appropriate controls to reduce risk is not an appropriate control as it is being used. This does not prove the ability to protect, but proves the ability to interfere with business.


質問 # 153
In a large organization, defining recovery time objectives (RTOs) is PRIMARILY the responsibility of;

  • A. the business unit manager.
  • B. senior management
  • C. the information security manager.
  • D. the IT manager

正解:A


質問 # 154
Which of the following should be the PRIMARY basis for an information security strategy?

  • A. The organization's vision and mission
  • B. Audit and regulatory requirements
  • C. Results of a comprehensive gap analysis
  • D. Information security policies

正解:A

解説:
Explanation
The organization's vision and mission should be the PRIMARY basis for an information security strategy, as they define the purpose and direction of the organization and its information security needs. A comprehensive gap analysis is a tool to identify the current state and desired state of information security, and the actions needed to close the gap. Information security policies are the high-level statements of management's intent and expectations for information security, and are derived from the information security strategy. Audit and regulatory requirements are external factors that influence the information security strategy, but are not the primary basis for it. References = CISM Review Manual, 16th Edition, pages 17-181; CISM Review Questions, Answers & Explanations Manual, 10th Edition, page 782 The primary basis for an information security strategy should be the organization's vision and mission. The organization's vision and mission should be the foundation for the security strategy, and should inform and guide the security policies, procedures, and practices that are implemented. The results of a comprehensive gap analysis, information security policies, and audit and regulatory requirements should all be taken into consideration when developing the security strategy, but should not be the primary basis.


質問 # 155
What is the MOST important element to include when developing user security awareness material?

  • A. Easy-to-read and compelling information
  • B. Information regarding social engineering
  • C. Senior management endorsement
  • D. Detailed security policies

正解:A

解説:
Making security awareness material easy and compelling to read is the most important success factor. Users must be able to understand, in easy terms, complex security concepts in a way that makes compliance more accessible. Choice A would also be important but it needs to be presented in an adequate format. Detailed security policies might not necessarily be included in the training materials. Senior management endorsement is important for the security program as a whole and not necessarily for the awareness training material.


質問 # 156
In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:

  • A. implement role-based access control in the application.
  • B. ensure access to individual functions can be granted to individual users only.
  • C. enforce manual procedures ensuring separation of conflicting duties.
  • D. create service accounts that can only be used by authorized team members.

正解:A

解説:
Role-based access control is the best way to implement appropriate segregation of duties. Roles will have to be defined once and then the user could be changed from one role to another without redefining the content of the role each time. Access to individual functions will not ensure appropriate segregation of duties. Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring segregation of duties is not an effective method, and would be difficult to enforce and monitor. Creating service accounts that can be used by authorized team members would not provide any help unless their roles are properly segregated.


質問 # 157
Which of the following is the MOST important element of an information security strategy?

  • A. Adoption of a control framework
  • B. Time frames for delivery
  • C. Complete policies
  • D. Defined objectives

正解:D

解説:
Without defined objectives, a strategy-the plan to achieve objectives-cannot be developed. Time frames for delivery are important but not critical for inclusion in the strategy document. Similarly, the adoption of a control framework is not critical to having a successful information security strategy. Policies are developed subsequent to, and as a part of, implementing a strategy.


質問 # 158
Which of the following devices, when placed in a demilitarized zone (DMZ), would be considered a significant exposure?

  • A. Intrusion detection server
  • B. Proxy server
  • C. Web server
  • D. Authentication server

正解:D

解説:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT


質問 # 159
An information security manager has been informed of a new vulnerability in an online banking application, and patch to resolve this issue is expected to be released in the next 72 hours. The information security manager's MOST important course of action should be to:

  • A. run the application system in offline mode.
  • B. identify and implement mitigating controls.
  • C. assess the risk and advise senior management.
  • D. perform a business impact analysis (BIA).

正解:C

解説:
Section: INFORMATION RISK MANAGEMENT


質問 # 160
An organization plans to utilize Software as a Service (SaaS) and is in the process of selecting a vendor. What should the information security manager do FIRST to support this initiative?

  • A. Review independent security assessment reports for each vendor.
  • B. Analyze the risks and propose mitigating controls.
  • C. Benchmark each vendor's services with industry best practices.
  • D. Define information security requirements and processes.

正解:A


質問 # 161
Which of the following is the BEST way to achieve compliance with new global regulations related to the protection of personal information?

  • A. Execute a risk treatment plan.
  • B. Review contracts and statements of work (SOWs) with vendors.
  • C. Determine current and desired state of controls.
  • D. Implement data regionalization controls.

正解:C


質問 # 162
What is the role of the information security manager in finalizing contract negotiations with service providers?

  • A. To ensure that clauses for periodic audits are included
  • B. To perform a risk analysis on the outsourcing process
  • C. To update security standards for the outsourced process
  • D. To obtain a security standard certification from the provider

正解:C


質問 # 163
When conducting a post-incident review, the GREATEST benefit of collecting mean time to resolution (MTTR) data is the ability to:

  • A. verify compliance with the service level agreement (SLA).
  • B. provide metrics for reporting to senior management.
  • C. learn of potential areas of improvement.
  • D. reduce the costs of future preventive controls.

正解:C

解説:
Section: INCIDENT MANAGEMENT AND RESPONSE


質問 # 164
Which of the following is the BEST way to facilitate the alignment between an organization's information security program and business objectives?

  • A. The information security governance committee includes representation from key business areas.
  • B. Information security is considered at the feasibility stage of all IT projects.
  • C. The information security program is audited by the internal audit department.
  • D. The chief executive officer reviews and approves the information security program.

正解:A

解説:
Section: INFORMATION SECURITY GOVERNANCE
Explanation/Reference:


質問 # 165
The department head of application development has decided to accept the risks identified in a recent assessment. No recommendations will be implemented, even though the recommendations are required by regulatory oversight. What should the information security manager do NEXT?

  • A. Implement the recommendations.
  • B. Perform a risk reassessment.
  • C. Review the risk monitoring plan.
  • D. Formally document the decision.

正解:D


質問 # 166
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?

  • A. Systems programmer
  • B. Data owner
  • C. Data custodian
  • D. Security administrator

正解:A

解説:
A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.


質問 # 167
When outsourcing application development to a third party, which of the following is the BEST way to ensure the organization's security requirements are met?

  • A. Perform independent security testing of the developed applications
  • B. Require the third-party provider to document its security methodology.
  • C. Provide training in secure application coding to the third-party staff.
  • D. Include a right to audit the system development lifecycle in the contract.

正解:A


質問 # 168
......


Certified Information Security Manager(CISM)試験は、情報システム監査および制御協会(ISACA)が提供するプロフェッショナル認定試験です。CISM資格は、情報セキュリティ管理の専門家向けの認定として、グローバルに認知されています。CISM試験は、組織内で情報セキュリティプログラムを管理、設計、監視する個人の知識とスキルをテストするように設計されています。

 

究極のガイドはCISM最新時間限定今すぐダウンロード!:https://jp.fast2test.com/CISM-premium-file.html

2024年最新のな厳密検証された合格できるCISM試験にはリアル問題と解答:https://drive.google.com/open?id=1NfCtUc_M9aNkt5KK9FBynYzQCdrmLrtq


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어