
最適なCISM試験準備問題集でISACA CISM問題集PDFを試そう![2025]
ISACA CISM試験受験生を確実にパスさせるCISM学習問題集
質問 # 47
Which of the following is the BEST approach to make strategic information security decisions?
- A. Establish periodic senior management meetings.
- B. Establish business unit security working groups.
- C. Establish an information security steering committee.
- D. Establish regular information security status reporting.
正解:C
解説:
= According to the CISM Review Manual (Digital Version), page 9, an information security steering committee is a group of senior managers from different business units and functions who provide guidance and oversight for the information security program. An information security steering committee is the best approach to make strategic information security decisions because it can:
Ensure alignment of information security strategy with business objectives and risk appetite1 Facilitate communication and collaboration among different stakeholders and promote information security awareness and culture2 Provide direction and support for information security initiatives and projects3 Monitor and review the performance and effectiveness of the information security program4 Resolve conflicts and issues related to information security policies and practices5 Establishing regular information security status reporting, business unit security working groups, and periodic senior management meetings are useful activities for information security management, but they are not sufficient to make strategic information security decisions without the involvement and guidance of an information security steering committee. Reference = 1: CISM Review Manual (Digital Version), page 9 2: 1 3: 2 4: 3 5: 4 An Information Security Steering Committee is a group of stakeholders responsible for providing governance and guidance to the organization on all matters related to information security. The committee provides oversight and guidance on security policies, strategies, and technology implementation. It also ensures that the organization is in compliance with relevant laws and regulations. Additionally, it serves as a forum for discussing security-related issues and ensures that security is taken into account when making strategic decisions.
質問 # 48
Which of the following BEST indicates the effectiveness of the vendor risk management process?
- A. Increase in the percentage of vendors conducting mandatory security training
- B. Increase in the percentage of vendors with a completed due diligence review
- C. Increase in the percentage of vendors that have reported security breaches
- D. Increase in the percentage of vendors certified to a globally recognized security standard
正解:D
解説:
This answer best indicates the effectiveness of the vendor risk management process because it shows that the organization has established and enforced clear and consistent security requirements and expectations for its vendors, and that the vendors have demonstrated their compliance and commitment to security best practices. A globally recognized security standard, such as ISO 27001, NIST CSF, or COBIT, provides a comprehensive and objective framework for assessing and improving the security posture and performance of vendors.
質問 # 49
The MAIN reason for continuous monitoring of a security strategy is to:
- A. allocate funds for information security
- B. evaluate the implementation of the strategy.
- C. confirm benefits are being realized.
- D. optimize resource allocation.
正解:B
解説:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
質問 # 50
An organization plans to implement a document collaboration solution to allow employees to share company information. Which of the following is the MOST important control to mitigate the risk associated with the new solution?
- A. Permit only non-sensitive information on the solution.
- B. Allow a minimum number of users access to the solution.
- C. Assign write access to data owners.
- D. Have data owners perform regular user access reviews.
正解:D
質問 # 51
Which of the following would be the MOST effective incident response team structure for an organization with a large headquarters and worldwide branch offices?
- A. Outsourced
- B. Decentralized
- C. Coordinated
- D. Centralized
正解:C
解説:
Section: INCIDENT MANAGEMENT AND RESPONSE
質問 # 52
What is the MOST appropriate change management procedure for the handling of emergency program changes?
- A. Documentation is completed with approval soon after the change
- B. Formal documentation does not need to be completed before the change
- C. Business management approval must be obtained prior to the change
- D. All changes must follow the same process
正解:A
解説:
Explanation
Even in the case of an emergency change, all change management procedure steps should be completed as in the case of normal changes. The difference lies in the timing of certain events. With an emergency change, it is permissible to obtain certain approvals and other documentation on "the morning after" once the emergency has been satisfactorily resolved. Obtaining business approval prior to the change is ideal but not always possible.
質問 # 53
Which of the following would be the BEST way for an information security manager to improve the effectiveness of an organization's information security program?
- A. Collaborate with business and IT functions in determining controls.
- B. Include information security requirements in the change control process.
- C. Focus on addressing conflicts between security and performance.
- D. Obtain assistance from IT to implement automated security cantrals.
正解:A
解説:
Explanation
The best way for an information security manager to improve the effectiveness of an organization's information security program is to collaborate with business and IT functions in determining controls.
Collaboration is a key factor for ensuring that the information security program is aligned with the organization's business objectives, risk appetite, and security strategy, and that it supports the business processes and activities. Collaboration also helps to gain the buy-in, involvement, and ownership of the business and IT functions, who are the primary stakeholders and users of the information security program.
Collaboration also facilitates the communication, coordination, and integration of the information security program across the organization, and enables the information security manager to understand the needs, expectations, and challenges of the business and IT functions, and to propose the most appropriate and effective security controls and solutions.
Focusing on addressing conflicts between security and performance (A) is a possible way to improve the effectiveness of an information security program, but not the best one. Security and performance are often competing or conflicting goals, as security controls may introduce overhead, complexity, or delays that affect the efficiency, usability, or availability of the systems or processes. Addressing these conflicts may help to optimize the balance and trade-off between security and performance, and to enhance the user satisfaction and acceptance of the security controls. However, focusing on addressing conflicts between security and performance does not necessarily improve the alignment, integration, or communication of the information security program with the business and IT functions, nor does it ensure the involvement or ownership of the stakeholders.
Including information security requirements in the change control process is also a possible way to improve the effectiveness of an information security program, but not the best one. The change control process is a process that manages the initiation, approval, implementation, and review of changes to the systems or processes, such as enhancements, updates, or fixes. Including information security requirements in the change control process may help to ensure that the changes do not introduce new or increased security risks or impacts, and that they comply with the security policies, standards, and procedures. However, including information security requirements in the change control process does not necessarily improve the collaboration, communication, or coordination of the information security program with the business and IT functions, nor does it ensure the buy-in or involvement of the stakeholders.
Obtaining assistance from IT to implement automated security controls (D) is also a possible way to improve the effectiveness of an information security program, but not the best one. Automated security controls are security controls that are implemented by using software, hardware, or other technologies, such as encryption, firewalls, or antivirus, to perform security functions or tasks without human intervention. Obtaining assistance from IT to implement automated security controls may help to improve the efficiency, consistency, or reliability of the security controls, and to reduce the human errors, negligence, or malicious actions. However, obtaining assistance from IT to implement automated security controls does not necessarily improve the collaboration, communication, or integration of the information security program with the business and IT functions, nor does it ensure the ownership or involvement of the stakeholders.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section:
Information Security Strategy Development, Subsection: Collaboration, page 24-251
質問 # 54
During the selection of a Software as a Service (SaaS) vendor for a business process, the vendor provides evidence of a globally accepted information security certification. Which of the following is the MOST important consideration?
- A. The certification includes industry-recognized security controls.
- B. The certification is issued for the specific scope.
- C. The certification is easily verified.
- D. The certification was issued within the last five years.
正解:B
解説:
The most important consideration when selecting a SaaS vendor for a business process is whether the vendor's information security certification is issued for the specific scope of the service that the organization needs. A certification that covers the entire vendor organization or a different service may not be relevant or sufficient for the organization's security requirements. The certification should also include industry-recognized security controls, be issued within a reasonable time frame, and be easily verified, but these are not as critical as the scope.
Reference = CISM Review Manual, 16th Edition, page 1841; 5 Top SaaS Security Certifications for SaaS Providers
質問 # 55
Which of the following needs to be established between an IT service provider and its clients to BEST enable adequate continuity of service in preparation for an outage?
- A. Data retention policies
- B. Server maintenance plans
- C. Recovery time objectives (RTOs)
- D. Reciprocal site agreement
正解:C
質問 # 56
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
- A. External auditors
- B. A specialized management consultant
- C. Process owners
- D. A peer group within a similar business
正解:C
解説:
Section: INFORMATION RISK MANAGEMENT
Explanation:
Process owners have the most in-depth knowledge of risks and compensating controls within their environment. External parties do not have that level of detailed knowledge on the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.
質問 # 57
Which of the following statements indicates that a previously failing security program is becoming successful?
- A. The number of vulnerability false positives is decreasing.
- B. More employees and stakeholders are attending security awareness programs.
- C. Management's attention and budget are now focused on risk reduction.
- D. The number of threats has been reduced.
正解:C
質問 # 58
Which of the following is MOST important to consider when choosing a shared alternate location for computing facilities?
- A. Resource availability
- B. Incident response team training
- C. The organization's risk tolerance
- D. The organization's mission
正解:C
解説:
The organization's risk tolerance is the most important factor to consider when choosing a shared alternate location for computing facilities, because it determines the acceptable level of risk exposure and the required recovery time objectives (RTOs) and recovery point objectives (RPOs) for the organization's critical business processes and information assets. Resource availability, the organization's mission, and incident response team training are also important considerations, but they are secondary to the risk tolerance.
References = CISM Review Manual, 16th Edition, page 290
質問 # 59
Who should an information security manager contact FIRST upon discovering that a cloud-based payment system used by the organization may be infected with malware?
- A. Senior management
- B. Affected customers
- C. The incident response team
- D. Cloud service provider
正解:C
質問 # 60
The BEST way to improve the effectiveness of responding to and communicating security incidents is to ensure:
- A. the incident response plan is regularly tested.
- B. senior management is notified at the onset of incident response.
- C. the IT budget includes funding for SIEM tools to log incidents.
- D. additional staff are trained and available to assist with incident response.
正解:A
質問 # 61
An organization's HR department requires that employee account privileges be removed from all corporate IT systems within three days of termination to comply with a government regulation However, the systems all have different user directories, and it currently takes up to four weeks to remove the privileges Which of the following would BEST enable regulatory compliance?
- A. Multi-factor authentication (MFA) system
- B. Governance, risk, and compliance (GRC) system
- C. Identity and access management (IAM) system
- D. Privileged access management (PAM) system
正解:C
解説:
= An identity and access management (IAM) system is a set of processes, policies, and technologies that enable an organization to manage the identities and access rights of its users across different systems and applications1. An IAM system can help an organization to comply with the government regulation by automating the provisioning and deprovisioning of user accounts, enforcing consistent access policies, and integrating different user directories2. An IAM system can also provide audit trails and reports to demonstrate compliance with the regulation3. A multi-factor authentication (MFA) system is a method of verifying the identity of a user by requiring two or more factors, such as something the user knows, has, or is4. An MFA system can enhance the security of user authentication, but it does not address the issue of removing user privileges from different systems within three days of termination. A privileged access management (PAM) system is a solution that manages and monitors the access of privileged users, such as administrators, to critical systems and resources. A PAM system can reduce the risk of unauthorized or malicious use of privileged accounts, but it does not solve the problem of managing the access of regular users across different systems. A governance, risk, and compliance (GRC) system is a software platform that integrates the functions of governance, risk management, and compliance management. A GRC system can help an organization to align its objectives, policies, and processes with the relevant regulations, standards, and best practices, but it does not directly enable the removal of user privileges from different systems within three days of termination. References = 1: CISM Review Manual (Digital Version), page 24 2: 1 3: 2 4: CISM Review Manual (Digital Version), page 25 : CISM Review Manual (Digital Version), page 26 : CISM Review Manual (Digital Version), page 27
質問 # 62
Which of the following is necessary to ensure consistent protection for an organization's information assets?
- A. Classification model
- B. Regulatory requirements
- C. Data ownership
- D. Control assessment
正解:A
解説:
The answer to the question is A. Classification model. This is because a classification model is a system of assigning labels or categories to information assets based on their value, sensitivity, and criticality to the organization. A classification model helps to ensure consistent protection for the organization's information assets by:
Providing a common language and criteria for defining and communicating the security requirements and expectations for the information assets Enabling the identification and prioritization of the information assets that need the most protection and resources Facilitating the implementation and enforcement of the appropriate level of security controls and measures for the information assets, based on their classification Supporting the compliance with the legal, regulatory, and contractual obligations regarding the information assets, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA) A classification model is a system of assigning labels or categories to information assets based on their value, sensitivity, and criticality to the organization. A classification model helps to ensure consistent protection for the organization's information assets by providing a common language and criteria for defining and communicating the security requirements and expectations for the information assets, enabling the identification and prioritization of the information assets that need the most protection and resources, facilitating the implementation and enforcement of the appropriate level of security controls and measures for the information assets, based on their classification, and supporting the compliance with the legal, regulatory, and contractual obligations regarding the information assets. (From CISM Manual or related resources) References = CISM Review Manual 15th Edition, Chapter 2, Section 2.2.1, page 751; CISA Domain 5 - Protection of Information Assets2; CISM domain 3: Information security program development and management [2022 update]3; CISM Domain 2: Information Risk Management (IRM) [2022 update]4
質問 # 63
Which of the following is the BEST indicator of an organization's information security status?
- A. Penetration test
- B. Threat analysis
- C. Intrusion detection log analysis
- D. Controls audit
正解:D
質問 # 64
Which of the following BEST enables effective information security governance9?
- A. Periodic vulnerability assessments
- B. Advanced security technologies
- C. Security-aware corporate culture
- D. Established information security metrics
正解:C
質問 # 65
......
完全版CISM練習テスト問題集で799の別格な問題と解釈、今すぐゲットせよ:https://drive.google.com/open?id=1NfCtUc_M9aNkt5KK9FBynYzQCdrmLrtq
的確で最適なアンサー模擬試験はここにある:https://jp.fast2test.com/CISM-premium-file.html