Cism 7
Uploaded by
isaac kabaseleCism 7
Uploaded by
isaac kabaseleWe recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
Isaca
Exam Questions CISM
Certified Information Security Manager
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
About Exambible
Your Partner of IT Exam
Found in 1998
Exambible is a company specialized on providing high quality IT exam practice study materials, especially Cisco CCNA, CCDA,
CCNP, CCIE, Checkpoint CCSE, CompTIA A+, Network+ certification practice exams and so on. We guarantee that the
candidates will not only pass any IT exam at the first attempt but also get profound understanding about the certificates they have
got. There are so many alike companies in this industry, however, Exambible has its unique advantages that other companies could
not achieve.
Our Advances
* 99.9% Uptime
All examinations will be up to date.
* 24/7 Quality Support
We will provide service round the clock.
* 100% Pass Rate
Our guarantee that you will pass the exam.
* Unique Gurantee
If you do not pass the exam at the first time, we will not only arrange FULL REFUND for you, but also provide you another
exam of your claim, ABSOLUTELY FREE!
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
NEW QUESTION 1
- (Topic 2)
Which of the following is the PRIMARY objective of a business impact analysis (BIA)?
A. Determine recovery priorities.
B. Define the recovery point objective (RPO).
C. Confirm control effectiveness.
D. Analyze vulnerabilities.
Answer: A
Explanation:
The primary objective of a business impact analysis (BIA) is to determine recovery priorities. The BIA is used to identify and analyze the potential effects of an
incident on the organization, including the financial impact, operational impact, and reputational impact. The BIA also helps to identify critical resources and
processes, determine recovery objectives and strategies, and develop recovery plans. Reference: Certified Information Security Manager (CISM) Study Manual,
Chapter 4, Business Impact Analysis.
NEW QUESTION 2
- (Topic 2)
Data entry functions for a web-based application have been outsourced to a third-party service provider who will work from a remote site Which of the following
issues would be of GREATEST concern to an information security manager?
A. The application does not use a secure communications protocol
B. The application is configured with restrictive access controls
C. The business process has only one level of error checking
D. Server-based malware protection is not enforced
Answer: D
Explanation:
Server-based malware protection is not enforced is the issue that would be of GREATEST concern to an information security manager, as it exposes the web-
based application and its data to potential threats from malicious software that can compromise the confidentiality, integrity, and availability of the information.
Server-based malware protection is a security control that monitors and blocks malicious activities on the server where the application runs, such as viruses,
worms, trojans, ransomware, etc. Without server-based malware protection, the web-based application may be vulnerable to attacks that can damage or destroy
the data stored on the server, or disrupt the normal functioning of the application. The other issues are also important, but not as critical as server-based malware
protection. The application does not use a secure communications protocol may expose sensitive data in transit to eavesdropping or interception by unauthorized
parties. The application is configured with restrictive access controls may limit the access rights of legitimate users to authorized resources, but it does not prevent
unauthorized users from accessing them through other means. The business process has only one level of error checking may result in incorrect or inconsistent
data entry or processing, but it does not guarantee data quality or accuracy. References = CISM Review Manual, 16th Edition, page 1751; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, page 812
NEW QUESTION 3
- (Topic 1)
An organization is implementing an information security governance framework. To communicate the program's effectiveness to stakeholders, it is MOST
important to establish:
A. a control self-assessment (CSA) process.
B. automated reporting to stakeholders.
C. a monitoring process for the security policy.
D. metrics for each milestone.
Answer: D
Explanation:
= Establishing metrics for each milestone is the best way to communicate the program’s effectiveness to stakeholders, as it provides a clear and measurable way
to track the progress, performance, and outcomes of the information security governance framework. Metrics are quantifiable indicators that can be used to
evaluate the achievement of specific objectives, goals, or standards. Metrics can also help to demonstrate the value, benefits, and return on investment of the
information security program, as well as to identify and address the gaps, issues, or risks. Metrics for each milestone should be aligned with the organization’s
strategy, vision, and mission, as well as with the expectations and needs of the stakeholders. Metrics for each milestone should also be SMART (specific,
measurable, achievable, relevant, and time-bound), as well as consistent, reliable, and transparent.
The other options are not as important as establishing metrics for each milestone, as they do not provide a comprehensive and holistic way to communicate the
program’s effectiveness to stakeholders. A control self-assessment (CSA) process is a technique to involve the staff in assessing the design, implementation, and
effectiveness of the information security controls. It can help to increase the awareness, ownership, and accountability of the staff, as well as to identify and
mitigate the risks. However, a CSA process alone is not enough to communicate the program’s effectiveness to stakeholders, as it does not measure the overall
performance or maturity of the information security program. Automated reporting to stakeholders is a method to provide timely, accurate, and consistent
information to the stakeholders about the status, results, and issues of the information security program. It can help to facilitate the communication, collaboration,
and decision making among the stakeholders, as well as to ensure the compliance and transparency of the information security program. However, automated
reporting alone is not enough to communicate the program’s effectiveness to stakeholders, as it does not evaluate the achievement or impact of the information
security program. A monitoring process for the security policy is a process to ensure that the security policy is implemented, enforced, and reviewed in accordance
with the organization’s objectives, standards, and regulations. It can help to maintain the relevance, adequacy, and effectiveness of the security policy, as well as
to incorporate the feedback, changes, and improvements. However, a monitoring process alone is not enough to communicate the program’s effectiveness to
stakeholders, as it does not cover the other aspects of the information security program, such as governance, risk management, incident management, or
business continuity. References =
? CISM Review Manual, 16th Edition, ISACA, 2022, pp. 211-212, 215-216, 233-234, 237-238.
? CISM Questions, Answers & Explanations Database, ISACA, 2022, QID 1018.
? CISM domain 1: Information security governance [Updated 2022], Infosec, 1.
? Key Performance Indicators for Security Governance, Part 1, ISACA Journal, Volume 6, 2020, 2.
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
NEW QUESTION 4
- (Topic 1)
Which of the following is MOST helpful in determining an organization's current capacity to mitigate risks?
A. Capability maturity model
B. Vulnerability assessment
C. IT security risk and exposure
D. Business impact analysis (BIA)
Answer: A
Explanation:
A capability maturity model (CMM) is a framework that helps organizations assess and improve their processes and capabilities in various domains, such as
software development, project management, information security, and others1. A CMM defines a set of levels or stages that represent the degree of maturity or
effectiveness of an organization’s processes and capabilities in a specific domain. Each level has a set of criteria or characteristics that an organization must meet
to achieve that level of maturity. A CMM also provides guidance and best practices on how to progress from one level to another, and how to measure and monitor
the performance and improvement of the processes and capabilities2.
A CMM is most helpful in determining an organization’s current capacity to mitigate risks, because it provides a systematic and objective way to evaluate the
strengths and weaknesses of the organization’s processes and capabilities related to risk management. A CMM can help an organization identify the gaps and
opportunities for improvement in its risk management practices, and prioritize the actions and resources needed to address them. A CMM can also help an
organization benchmark its risk management maturity against industry standards or best practices, and demonstrate its compliance with regulatory or contractual
requirements3.
The other options are not as helpful as a CMM in determining an organization’s current capacity to mitigate risks, because they are either more specific, limited, or
dependent on a CMM. A vulnerability assessment is a process of identifying and analyzing the vulnerabilities in an organization’s systems, networks, or
applications, and their potential impact on the organization’s assets, operations, or reputation. A vulnerability assessment can help an organization identify the
sources and levels of risk, but it does not provide a comprehensive or holistic view of the organization’s risk management maturity or effectiveness4. IT security
risk and exposure is a measure of the likelihood and impact of a security breach or incident on an organization’s IT assets, operations, or reputation. IT security
risk and exposure can help an organization quantify and communicate the level of risk, but it does not provide a framework or guidance on how to improve the
organization’s risk management processes or capabilities5. A business impact analysis (BIA) is a process of identifying and evaluating the potential effects of a
disruption or disaster on an organization’s critical business functions, processes, or resources. A BIA can help an organization determine the priorities and
requirements for business continuity and disaster recovery, but it does not provide a method or standard for assessing or enhancing the organization’s risk
management maturity or effectiveness. References = 1: CMMI Institute - What is CMMI? - Capability Maturity Model Integration 2: Capability Maturity Model and
Risk Register Integration: The Right … 3: Performing Risk Assessments of Emerging Technologies - ISACA 4: CISM Review Manual 15th Edition, Chapter 4,
Section 4.2 5: CISM Review Manual 15th Edition, Chapter 4, Section 4.3 : CISM Review Manual 15th Edition, Chapter 4, Section 4.4
NEW QUESTION 5
- (Topic 1)
Which of the following would be MOST useful to a newly hired information security manager who has been tasked with developing and implementing an
information security strategy?
A. The capabilities and expertise of the information security team
B. The organization's mission statement and roadmap
C. A prior successful information security strategy
D. The organization's information technology (IT) strategy
Answer: B
Explanation:
= The most useful source of information for a newly hired information security manager who has been tasked with developing and implementing an information
security strategy is the organization’s mission statement and roadmap. The mission statement defines the organization’s purpose, vision, values, and goals, and
the roadmap outlines the organization’s strategic direction, priorities, and initiatives. By reviewing the mission statement and roadmap, the information security
manager can understand the organization’s business objectives, risk appetite, and security needs, and align the information security strategy with them. The
information security strategy should support and enable the organization’s mission and roadmap, and provide the security governance, policies, standards, and
controls to protect the organization’s information assets and processes.
The capabilities and expertise of the information security team (A) are important factors for the information security manager to consider, but they are not the most
useful source of information for developing and implementing an information security strategy. The information security team is responsible for executing and
maintaining the information security program and activities, such as risk management, security awareness, incident response, and compliance. The information
security manager should assess the capabilities and expertise of the information security team to identify the strengths, weaknesses, opportunities, and threats,
and to plan the resource allocation, training, and development of the team. However, the capabilities and expertise of the information security team do not directly
inform the information security strategy, which should be driven by the organization’s business objectives, risk appetite, and security needs.
A prior successful information security strategy © is a possible source of information for the information security manager to refer to, but it is not the most useful
one. A prior successful information security strategy is a strategy that has been implemented and evaluated by another organization or a previous information
security manager, and has achieved the desired security outcomes and benefits. The information security manager can learn from the best practices, lessons
learned, and challenges of a prior successful information security strategy, and apply them to the current organization or situation. However, a prior successful
information security strategy may not be relevant, applicable, or suitable for the organization, as it may not reflect the current or future business objectives, risk
appetite, and security needs of the organization, or the changing threat landscape and business environment.
The organization’s information technology (IT) strategy (D) is also a possible source of information for the information security manager to consult, but it is not the
most useful one. The IT strategy is a strategy that defines the IT vision, goals, and initiatives of the organization, and how IT supports and enables the business
processes and activities. The information security manager should review the IT strategy to understand the IT infrastructure, systems, and services of the
organization, and how they relate to the information security program and activities. However, the IT strategy is not the primary driver of the information security
strategy, which should be aligned with the organization’s business objectives, risk appetite, and security needs, and not only with the IT objectives, capabilities,
and requirements.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Strategy Development, page 23-241
NEW QUESTION 6
- (Topic 1)
Which of the following is MOST helpful for determining which information security policies should be implemented by an organization?
A. Risk assessment
B. Business impact analysis (BIA)
C. Vulnerability assessment
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
D. Industry best practices
Answer: A
Explanation:
Information security policies are high-level statements or rules that define the goals and objectives of information security in an organization, and provide the
framework and direction for implementing and enforcing security controls and processes1. Information security policies should be aligned with the organization’s
business goals and objectives, and reflect the organization’s risk appetite and tolerance2. Therefore, the most helpful activity for determining which information
security policies should be implemented by an organization is a risk assessment.
A risk assessment is a systematic process of identifying, analyzing, and evaluating the risks that an organization faces, and determining the appropriate risk
responses3. A risk assessment helps to determine the following aspects of information security policies:
? The scope and applicability of the policies, based on the assets, threats, and vulnerabilities that affect the organization’s security objectives and requirements.
? The level and type of security controls and processes that are needed to mitigate the risks, based on the likelihood and impact of the risk scenarios and the cost-
benefit analysis of the risk responses.
? The roles and responsibilities of the stakeholders involved in the implementation and enforcement of the policies, based on the risk ownership and accountability.
? The metrics and indicators that are used to measure and monitor the effectiveness and compliance of the policies, based on the risk appetite and tolerance.
The other options, such as a business impact analysis (BIA), a vulnerability assessment, or industry best practices, are not as helpful as a risk assessment for
determining which information security policies should be implemented by an organization, because they have the following limitations:
? A business impact analysis (BIA) is a process of identifying and evaluating the potential effects of disruptions or incidents on the organization’s critical business
functions and processes, and determining the recovery priorities and objectives. A BIA can help to support the risk assessment by providing information on the
impact and criticality of the assets and processes, but it cannot identify or analyze the threats and vulnerabilities that pose risks to the organization, or determine
the appropriate risk responses or controls.
? A vulnerability assessment is a process of identifying and measuring the weaknesses or flaws in the organization’s systems, networks, or applications that could
be exploited by threat actors. A vulnerability assessment can help to support the risk assessment by providing information on the vulnerabilities and exposures that
affect the organization’s security posture, but it cannot identify or analyze the threats or likelihood that could exploit the vulnerabilities, or determine the
appropriate risk responses or controls.
? Industry best practices are the standards or guidelines that are widely accepted and followed by the information security community or the organization’s
industry sector, based on the experience and knowledge of the experts and practitioners. Industry best practices can help to inform and guide the development
and implementation of information security policies, but they cannot replace or substitute the risk assessment, as they may not reflect the organization’s specific
context, needs, and objectives, or address the organization’s unique risks and challenges.
References = 1: CISM Review Manual 15th Edition, page 29 2: CISM Review Manual 15th Edition, page 30 3: CISM Review Manual 15th Edition, page 121 : CISM
Review Manual 15th Edition, page 122 : CISM Review Manual 15th Edition, page 123 : CISM Review Manual 15th Edition, page 124 : CISM Review Manual 15th
Edition, page 125 : CISM Review Manual 15th Edition, page 126
NEW QUESTION 7
- (Topic 1)
Which of the following will have the GREATEST influence on the successful adoption of an information security governance program?
A. Security policies
B. Control effectiveness
C. Security management processes
D. Organizational culture
Answer: D
Explanation:
Organizational culture is the set of shared values, beliefs, and norms that influence the way employees think, feel, and behave in the workplace. It affects how
employees perceive the importance of information security, how they comply with security policies and procedures, and how they support security initiatives and
goals. A strong security culture can foster a sense of ownership, responsibility, and accountability among employees, as well as a positive attitude toward security
awareness and training. A weak security culture can lead to resistance, indifference, or hostility toward security efforts, as well as increased risks of human errors,
negligence, or malicious actions. Therefore, organizational culture has the greatest influence on the successful adoption of an information security governance
program, which requires the commitment and involvement of all levels of the organization. References = CISM Review Manual 15th Edition, page 30- 31. Learn
more:
NEW QUESTION 8
- (Topic 1)
Penetration testing is MOST appropriate when a:
A. new system is about to go live.
B. new system is being designed.
C. security policy is being developed.
D. security incident has occurred,
Answer: A
Explanation:
= Penetration testing is most appropriate when a new system is about to go live, because it is a method of evaluating the security of a system by simulating an
attack from a malicious source. Penetration testing can help to identify and exploit vulnerabilities, assess the impact and risk of a breach, and provide
recommendations for remediation and improvement. Penetration testing can also help to validate the effectiveness of the security controls and policies
implemented for the new system, and ensure compliance with relevant standards and regulations. Penetration testing is usually performed after the system has
undergone other types of testing, such as functional, performance, and usability testing, and before the system is deployed to the production environment.
Penetration testing is not as appropriate when a new system is being designed, because the system is still in the early stages of development and may not have all
the features and functionalities implemented. Penetration testing at this stage may not provide a realistic or comprehensive assessment of the system’s security,
and may cause delays or disruptions in the development process. Penetration testing is also not as appropriate when a security policy is being developed,
because the policy is a high-level document that defines the goals, objectives, and principles of information security for the organization. Penetration testing is a
technical and operational activity that tests the implementation and enforcement of the policy, not the policy itself. Penetration testing is also not as appropriate
when a security incident has occurred, because the incident may have already compromised the system and caused damage or loss. Penetration testing at this
stage may not be able to prevent or mitigate the incident, and may interfere with the incident response and recovery efforts. Penetration testing after an incident
may be useful for forensic analysis and lessons learned, but it is not the primary or immediate response to an incident. References = CISM Review Manual, 16th
Edition, ISACA, 2021, pages 229-230, 233-234.
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
NEW QUESTION 9
- (Topic 1)
Which of the following is the BEST approach for governing noncompliance with security requirements?
A. Base mandatory review and exception approvals on residual risk,
B. Require users to acknowledge the acceptable use policy.
C. Require the steering committee to review exception requests.
D. Base mandatory review and exception approvals on inherent risk.
Answer: A
Explanation:
= Residual risk is the risk that remains after applying security controls. It reflects the actual exposure of the organization to noncompliance issues. Therefore,
basing mandatory review and exception approvals on residual risk is the best approach for governing noncompliance with security requirements. It ensures that
the organization is aware of the potential impact and likelihood of noncompliance and can make informed decisions about accepting, mitigating, or transferring the
risk. References = CISM Review Manual 15th Edition, page 78.
NEW QUESTION 10
- (Topic 1)
Which of the following is the BEST evidence of alignment between corporate and information security governance?
A. Security key performance indicators (KPIs)
B. Project resource optimization
C. Regular security policy reviews
D. Senior management sponsorship
Answer: D
Explanation:
Alignment between corporate and information security governance means that the information security program supports the organizational goals and objectives,
and is integrated into the enterprise governance structure. The best evidence of alignment is the senior management sponsorship, which demonstrates the
commitment and support of the top-level executives and board members for the information security program. Senior management sponsorship also ensures that
the information security program has adequate resources, authority, and accountability to achieve its objectives and address the risks and issues that affect the
organization. Senior management sponsorship also helps to establish a culture of security awareness and compliance throughout the organization, and to
communicate the value and benefits of the information security program to the stakeholders.
References =
? CISM Review Manual 15th Edition, page 1631
? CISM 2020: Information Security & Business Process Alignment, video 22
? Certified Information Security Manager (CISM), page 33
NEW QUESTION 10
- (Topic 1)
Which of the following would be the BEST way for an information security manager to improve the effectiveness of an organization’s information security
program?
A. Focus on addressing conflicts between security and performance.
B. Collaborate with business and IT functions in determining controls.
C. Include information security requirements in the change control process.
D. Obtain assistance from IT to implement automated security cantrals.
Answer: B
Explanation:
The best way for an information security manager to improve the effectiveness of an organization’s information security program is to collaborate with business
and IT functions in determining controls. Collaboration is a key factor for ensuring that the information security program is aligned with the organization’s business
objectives, risk appetite, and security strategy, and that it supports the business processes and activities. Collaboration also helps to gain the buy-in, involvement,
and ownership of the business and IT functions, who are the primary stakeholders and users of the information security program. Collaboration also facilitates the
communication, coordination, and integration of the information security program across the organization, and enables the information security manager to
understand the needs, expectations, and challenges of the business and IT functions, and to propose the most appropriate and effective security controls and
solutions.
Focusing on addressing conflicts between security and performance (A) is a possible way to improve the effectiveness of an information security program, but not
the best one. Security and performance are often competing or conflicting goals, as security controls may introduce overhead, complexity, or delays that affect the
efficiency, usability, or availability of the systems or processes. Addressing these conflicts may help to optimize the balance and trade-off between security and
performance, and to enhance the user satisfaction and acceptance of the security controls. However, focusing on addressing conflicts between security and
performance does not necessarily improve the alignment, integration, or communication of the information security program with the business and IT functions, nor
does it ensure the involvement or ownership of the stakeholders.
Including information security requirements in the change control process © is also a possible way to improve the effectiveness of an information security program,
but not the best one. The change control process is a process that manages the initiation, approval, implementation, and review of changes to the systems or
processes, such as enhancements, updates, or fixes. Including information security requirements in the change control process may help to ensure that the
changes do not introduce new or increased security risks or impacts, and that they comply with the security policies, standards, and procedures. However,
including information security requirements in the change control process does not necessarily improve the collaboration, communication, or coordination of the
information security program with the business and IT functions, nor does it ensure the buy-in or involvement of the stakeholders.
Obtaining assistance from IT to implement automated security controls (D) is also a possible way to improve the effectiveness of an information security program,
but not the best one. Automated security controls are security controls that are implemented by using software, hardware, or other technologies, such as
encryption, firewalls, or antivirus, to perform security functions or tasks without human intervention. Obtaining assistance from IT to implement automated security
controls may help to improve the efficiency, consistency, or reliability of the security controls, and to reduce the human errors, negligence, or malicious actions.
However, obtaining assistance from IT to implement automated security controls does not necessarily improve the collaboration, communication, or integration of
the information security program with the business and IT functions, nor does it ensure the ownership or involvement of the stakeholders. References = CISM
Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Strategy Development, Subsection: Collaboration, page
24-251
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
NEW QUESTION 12
- (Topic 1)
Which of the following is the PRIMARY role of an information security manager in a software development project?
A. To enhance awareness for secure software design
B. To assess and approve the security application architecture
C. To identify noncompliance in the early design stage
D. To identify software security weaknesses
Answer: B
Explanation:
The primary role of an information security manager in a software development project is to assess and approve the security application architecture. The security
application architecture is the design and structure of the software application that defines how the application components interact with each other and with
external systems, and how the application implements the security requirements, principles, and best practices. The information security manager is responsible
for ensuring that the security application architecture is aligned with the organization’s information security policies, standards, and guidelines, and that it meets
the business objectives, functional specifications, and user expectations. The information security manager is also responsible for reviewing and evaluating the
security application architecture for its completeness, correctness, consistency, and compliance, and for identifying and resolving any security issues, risks, or
gaps. The information security manager is also responsible for approving the security application architecture before the software development project proceeds to
the next phase, such as coding, testing, or deployment.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development and Management, Section: Information Security Program
Development, page 1581; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question
80, page 742.
NEW QUESTION 13
- (Topic 1)
Of the following, who is in the BEST position to evaluate business impacts?
A. Senior management
B. Information security manager
C. IT manager
D. Process manager
Answer: D
Explanation:
The process manager is the person who is responsible for overseeing and managing the business processes and functions that are essential for the
organization’s operations and objectives. The process manager has the most direct and detailed knowledge of the inputs, outputs, dependencies, resources, and
performance indicators of the business processes and functions. Therefore, the process manager is in the best position to evaluate the business impacts of a
disruption or an incident that affects the availability, integrity, or confidentiality of the information assets and systems that support the business processes and
functions. The process manager can identify and quantify the potential losses, damages, or consequences that could result from the disruption or incident, such as
revenue loss, customer dissatisfaction, regulatory non-compliance, reputational harm, or legal liability. The process manager can also provide input and feedback
to the information security manager and the senior management on the business continuity and disaster recovery plans, the risk assessment and treatment, and
the security controls and measures that are needed to protect and recover the business processes and functions. References = CISM Review Manual 15th Edition,
page 2301; CISM Practice Quiz, question 1302
NEW QUESTION 14
- (Topic 1)
When remote access to confidential information is granted to a vendor for analytic purposes, which of the following is the MOST important security consideration?
A. Data is encrypted in transit and at rest at the vendor site.
B. Data is subject to regular access log review.
C. The vendor must be able to amend data.
D. The vendor must agree to the organization's information security policy,
Answer: D
Explanation:
When granting remote access to confidential information to a vendor, the most important security consideration is to ensure that the vendor complies with the
organization’s information security policy. The information security policy defines the roles, responsibilities, rules, and standards for accessing, handling, and
protecting the organization’s information assets. The vendor must agree to the policy and sign a contract that specifies the terms and conditions of the access, the
security controls to be implemented, the monitoring and auditing mechanisms, the incident reporting and response procedures, and the penalties for non-
compliance or breach. The policy also establishes the organization’s right to revoke the access at any time if the vendor violates the policy or poses a risk to the
organization.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Policies, page 34; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, Question 44, page 45.
NEW QUESTION 19
- (Topic 1)
Which of the following would BEST ensure that security is integrated during application development?
A. Employing global security standards during development processes
B. Providing training on secure development practices to programmers
C. Performing application security testing during acceptance testing
D. Introducing security requirements during the initiation phase
Answer: D
Explanation:
Introducing security requirements during the initiation phase would BEST ensure that security is integrated during application development because it would allow
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
the security objectives and controls to be defined and aligned with the business needs and risk appetite before any design or coding is done. This would also
facilitate the security by design approach, which is the most effective method to enhance the security of applications and application development activities1.
Introducing security requirements early would also enable the collaboration between security professionals and developers, the identification and specification of
security architectures, and the integration and testing of security controls throughout the development life cycle2. Employing global security standards during
development processes (A) would help to ensure the consistency and quality of security practices, but it would not necessarily ensure that security is integrated
during application development. Providing training on secure development practices to programmers (B) would help to raise the awareness and skills of
developers, but it would not ensure that security is integrated during application development. Performing application security testing during acceptance testing ©
would help to verify the security of the application before deployment, but it would not ensure that security is integrated during application development. It would
also be too late to identify and remediate any security issues that could have been prevented or mitigated earlier in the development
process. References = 1: Five Key Components of an Application Security Program - ISACA1; 2: CISM Domain – Information Security Program Development |
Infosec2
NEW QUESTION 22
- (Topic 1)
Which of the following is MOST important to have in place as a basis for developing an effective information security program that supports the organization's
business goals?
A. Metrics to drive the information security program
B. Information security policies
C. A defined security organizational structure
D. An information security strategy
Answer: D
Explanation:
An information security strategy is the most important element to have in place as a basis for developing an effective information security program that supports
the organization’s business goals. An information security strategy is a high-level plan that defines the vision, mission, objectives, scope, and principles of
information security for the organization1. It also aligns the information security program with the organization’s strategy, culture, risk appetite, and governance
framework2. An information security strategy provides the direction, guidance, and justification for the information security program, and ensures that the program
is consistent, coherent, and comprehensive3. An information security strategy also helps to prioritize the information security initiatives, allocate the resources, and
measure the performance and value of the information security program4.
The other options are not as important as an information security strategy, because they are either derived from or dependent on the strategy. Metrics are used to
drive the information security program, but they need to be based on the strategy and aligned with the goals and objectives of the program. Information security
policies are the rules and standards that implement the information security strategy and define the expected behavior and responsibilities of the stakeholders. A
defined security organizational structure is the way the information security roles and functions are organized and coordinated within the organization, and it should
reflect the strategy and the governance model. References = 1: CISM Review Manual 15th Edition, Chapter 1, Section 1.1 2: CISM Review Manual 15th Edition,
Chapter 1, Section 1.2 3: CISM Review Manual 15th Edition, Chapter 1, Section 1.3 4: CISM Review Manual 15th Edition, Chapter 1, Section 1.4 : CISM Review
Manual 15th Edition, Chapter 1, Section 1.5 : CISM Review Manual 15th Edition, Chapter 1, Section 1.6 : CISM Review Manual 15th Edition, Chapter 1, Section
1.7
NEW QUESTION 23
- (Topic 1)
A post-incident review identified that user error resulted in a major breach. Which of the following is MOST important to determine during the review?
A. The time and location that the breach occurred
B. Evidence of previous incidents caused by the user
C. The underlying reason for the user error
D. Appropriate disciplinary procedures for user error
Answer: C
Explanation:
The underlying reason for the user error is the most important factor to determine during the post-incident review, as this helps the information security manager to
understand the root cause of the breach, and to implement corrective and preventive actions to avoid similar incidents in the future. The underlying reason for the
user error may be related to the lack of training, awareness, guidance, or motivation of the user, or to the complexity, usability, or design of the system or process
that the user was using. By identifying the underlying reason for the user error, the information security manager can address the human factor of the information
security program, and improve the security culture and behavior of the organization. The time and location that the breach occurred, evidence of previous incidents
caused by the user, and appropriate disciplinary procedures for user error are not the most important factors to determine during the post-incident review, as they
do not provide a comprehensive and holistic understanding of the breach, and may not help to prevent or reduce the likelihood or impact of future incidents.
References = CISM Review Manual 2023, page 1671; CISM Review Questions, Answers & Explanations Manual 2023, page 382; ISACA CISM - iSecPrep, page
233
NEW QUESTION 28
- (Topic 1)
An organization is going through a digital transformation process, which places the IT organization in an unfamiliar risk landscape. The information security
manager has been tasked with leading the IT risk management process. Which of the following should be given the HIGHEST priority?
A. Identification of risk
B. Analysis of control gaps
C. Design of key risk indicators (KRIs)
D. Selection of risk treatment options
Answer: A
Explanation:
= Identification of risk is the first and most important step in the IT risk management process, especially when the organization is undergoing a digital
transformation that introduces new technologies, processes, and business models. Identification of risk involves determining the sources, causes, and potential
consequences of IT-related risks that may affect the organization’s objectives, assets, and stakeholders. Identification of risk also helps to establish the risk
context, scope, and criteria for the subsequent risk analysis, evaluation, and treatment. Without identifying the risks, the information security manager cannot
effectively assess the risk exposure, prioritize the risks, implement appropriate controls, monitor the risk performance, or communicate the risk information to the
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
relevant parties.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Identification, page 841; CISM Review Questions,
Answers & Explanations Manual, 10th Edition, Question 34, page 352.
NEW QUESTION 31
- (Topic 1)
Which of the following should be the FIRST step to gain approval for outsourcing to address a security gap?
A. Collect additional metrics.
B. Perform a cost-benefit analysis.
C. Submit funding request to senior management.
D. Begin due diligence on the outsourcing company.
Answer: B
Explanation:
The first step to gain approval for outsourcing to address a security gap is to perform a cost-benefit analysis, because it helps to evaluate the feasibility and
viability of the outsourcing option and compare it with other alternatives. A cost-benefit analysis is a method of estimating and comparing the costs and benefits of
a project or a decision, in terms of financial, operational, and strategic aspects. A cost-benefit analysis can help to:
? Identify and quantify the expected costs and benefits of outsourcing, such as the initial and ongoing expenses, the potential savings and revenues, the quality
and efficiency of the service, the risks and opportunities, and the alignment with the business objectives and requirements
? Assess and prioritize the criticality and urgency of the security gap, and the impact and likelihood of the related threats and vulnerabilities
? Determine the optimal level and scope of outsourcing, such as the type, duration, and frequency of the service, the roles and responsibilities of the parties
involved, and the performance and security standards and metrics
? Justify and communicate the rationale and value proposition of outsourcing, and provide evidence and support for the decision making process
? Establish and document the criteria and process for selecting and evaluating the outsourcing provider, and the contractual and legal terms and conditions
A cost-benefit analysis should be performed before submitting a funding request to senior management, because it can help to demonstrate the need and the
return on investment of the outsourcing project, and to secure the budget and the resources. A cost-benefit analysis should also be performed before beginning
due diligence on the outsourcing company, because it can help to narrow down the list of potential candidates and to focus on the most relevant and suitable ones.
Collecting additional metrics may be a part of the cost-benefit analysis, but it is not the first step, because it requires a clear definition and understanding of the
objectives and scope of the outsourcing project.
References = CISM Review Manual, 16th Edition, ISACA, 2021, pages 173-174, 177-178.
NEW QUESTION 35
- (Topic 1)
Which of the following is the BEST way to achieve compliance with new global regulations related to the protection of personal information?
A. Execute a risk treatment plan.
B. Review contracts and statements of work (SOWs) with vendors.
C. Implement data regionalization controls.
D. Determine current and desired state of controls.
Answer: D
Explanation:
The best way to achieve compliance with new global regulations related to the protection of personal information is to determine the current and desired state of
controls, as this helps the information security manager to identify the gaps and requirements for compliance, and to prioritize and implement the necessary
actions and measures to meet the regulatory standards. The current state of controls refers to the existing level of protection and compliance of the personal
information, while the desired state of controls refers to the target level of protection and compliance that is required by the new regulations. By comparing the
current and desired state of controls, the information security manager can assess the maturity and effectiveness of the information security program, and plan and
execute a risk treatment plan to address the risks and issues related to the protection of personal information. Executing a risk treatment plan, reviewing contracts
and statements of work (SOWs) with vendors, and implementing data regionalization controls are also important, but not as important as determining the current
and desired state of controls, as they are dependent on the outcome of the gap analysis and the risk assessment, and may not be sufficient or appropriate to
achieve compliance with the new regulations. References = CISM Review Manual 2023, page 491; CISM Review Questions, Answers & Explanations Manual
2023, page 352; ISACA CISM - iSecPrep, page 203
NEW QUESTION 37
- (Topic 1)
Which of the following should be the PRIMARY consideration when developing an incident response plan?
A. The definition of an incident
B. Compliance with regulations
C. Management support
D. Previously reported incidents
Answer: C
Explanation:
Management support is the primary consideration when developing an incident response plan, as it is essential for obtaining the necessary resources, authority,
and commitment for the plan. Management support also helps to ensure that the plan is aligned with the organization’s business objectives, risk appetite, and
security strategy, and that it is communicated and enforced across the organization. Management support also facilitates the coordination and collaboration among
different stakeholders, such as business units, IT functions, legal, public relations, and external parties, during an incident response.
The definition of an incident (A) is an important component of the incident response plan, as it provides the criteria and thresholds for identifying, classifying, and
reporting security incidents. However, the definition of an incident is not the primary consideration, as it is derived from the organization’s security policies,
standards, and procedures, and may vary depending on the context and impact of the incident.
Compliance with regulations (B) is also an important factor for the incident response plan, as it helps to ensure that the organization meets its legal and contractual
obligations, such as notifying the authorities, customers, or partners of a security breach, preserving the evidence, and reporting the incident outcomes. However,
compliance with regulations is not the primary consideration, as it is influenced by the nature and scope of the incident, and the applicable laws and regulations in
different jurisdictions.
Previously reported incidents (D) are a valuable source of information and lessons learned for the incident response plan, as they help to identify the common
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
types, causes, and impacts of security incidents, as well as the strengths and weaknesses of the current incident response processes and capabilities. However,
previously reported incidents are not the primary consideration, as they are not predictive or comprehensive of the future incidents, and may not reflect the
changing threat landscape and business environment. References = CISM Review Manual, 16th Edition, Chapter 4: Information Security Incident Management,
Section: Incident Response Plan, page 181-1821
Learn more:
NEW QUESTION 38
- (Topic 1)
An organization is planning to outsource the execution of its disaster recovery activities. Which of the following would be MOST important to include in the
outsourcing agreement?
A. Definition of when a disaster should be declared
B. Requirements for regularly testing backups
C. Recovery time objectives (RTOs)
D. The disaster recovery communication plan
Answer: C
Explanation:
The most important thing to include in the outsourcing agreement for disaster recovery activities is the recovery time objectives (RTOs). RTOs are the maximum
acceptable time frames within which the critical business processes and information systems must be restored after a disaster or disruption. RTOs are based on
the business impact analysis (BIA) and the risk assessment, and they reflect the business continuity requirements and expectations of the organization. By
including the RTOs in the outsourcing agreement, the organization can ensure that the service provider is aware of and committed to meeting the agreed service
levels and minimizing the downtime and losses in the event of a disaster. The other options are not as important as the RTOs, although they may be relevant and
useful to include in the outsourcing agreement depending on the scope and nature of the disaster recovery services. References = CISM Review Manual 15th
Edition, page 2471; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, Question ID: 1033
NEW QUESTION 41
- (Topic 1)
When investigating an information security incident, details of the incident should be shared:
A. widely to demonstrate positive intent.
B. only with management.
C. only as needed,
D. only with internal audit.
Answer: C
Explanation:
When investigating an information security incident, details of the incident should be shared only as needed, according to the principle of least privilege and the
need-to-know basis. This means that only the authorized and relevant parties who have a legitimate purpose and role in the incident response process should
have access to the incident information, and only to the extent that is necessary for them to perform their duties. Sharing incident details only as needed helps to
protect the confidentiality, integrity, and availability of the incident information, as well as the privacy and reputation of the affected individuals and the organization.
Sharing incident details only as needed also helps to prevent unauthorized disclosure, modification, deletion, or misuse of the incident information, which could
compromise the investigation, evidence, remediation, or legal actions.
References = CISM Review Manual, 16th Edition, Chapter 4: Information Security Incident Management, Section: Incident Response Process, page 2311; CISM
Review Questions, Answers & Explanations Manual, 10th Edition, Question 49, page 462.
NEW QUESTION 44
- (Topic 1)
Which of the following is MOST important to consider when determining asset valuation?
A. Asset recovery cost
B. Asset classification level
C. Cost of insurance premiums
D. Potential business loss
Answer: D
Explanation:
Potential business loss is the most important factor to consider when determining asset valuation, as it reflects the impact of losing or compromising the asset on
the organization’s objectives and operations. Asset recovery cost, asset classification level, and cost of insurance premiums are also relevant, but not as important
as potential business loss, as they do not capture the full value of the asset to the organization. References = CISM Review Manual 2023, page 461; CISM Review
Questions, Answers & Explanations Manual 2023, page 292
NEW QUESTION 49
- (Topic 1)
If civil litigation is a goal for an organizational response to a security incident, the PRIMARY step should be to:
A. contact law enforcement.
B. document the chain of custody.
C. capture evidence using standard server-backup utilities.
D. reboot affected machines in a secure area to search for evidence.
Answer: B
Explanation:
Documenting the chain of custody is the PRIMARY step for an organizational response to a security incident if civil litigation is a goal because it ensures the
integrity, authenticity, and admissibility of the evidence collected from the incident. The chain of custody is the process of documenting the history of the evidence,
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
including its identification, collection, preservation, transportation, analysis, storage, and presentation in court. The chain of custody should include information
such as the date, time, location, description, source, owner, handler, and purpose of each evidence item, as well as any changes, modifications, or transfers that
occurred to the evidence. Documenting the chain of custody can help to prevent the evidence from being tampered with, altered, lost, or destroyed, and to
demonstrate that the evidence is relevant, reliable, and original12. Contacting law enforcement (A) is not the PRIMARY step for an organizational response to a
security incident if civil litigation is a goal, but rather a possible or optional step depending on the nature, severity, and jurisdiction of the incident. Contacting law
enforcement may help to obtain legal assistance, guidance, or support, but it may also involve risks such as loss of control, confidentiality, or reputation. Therefore,
contacting law enforcement should be done after careful consideration of the legal obligations, contractual agreements, and organizational policies12. Capturing
evidence using standard server-backup utilities © is not the PRIMARY step for an organizational response to a security incident if civil litigation is a goal, but rather
a technical step that should be done after documenting the chain of custody. Capturing evidence using standard server-backup utilities may help to preserve the
state of the systems or networks involved in the incident, but it may also introduce changes or errors that could compromise the validity or quality of the evidence.
Therefore, capturing evidence using standard server-backup utilities should be done using forensically sound methods and tools, and following the documented
chain of custody12. Rebooting affected machines in a secure area to search for evidence (D) is not the PRIMARY step for an organizational response to a security
incident if civil litigation is a goal, but rather a technical step that should be done after documenting the chain of custody. Rebooting affected machines in a secure
area may help to isolate and analyze the systems or networks involved in the incident, but it may also cause the loss or alteration of the evidence, such as volatile
memory, temporary files, or logs. Therefore, rebooting affected machines in a secure area should be done with caution and following the documented chain of
custody12. References = 1: CISM Review Manual 15th Edition, page 310-3111; 2: CISM Domain 4: Information Security Incident Management (ISIM) [2022
update]2
NEW QUESTION 51
- (Topic 1)
An organization's marketing department wants to use an online collaboration service, which is not in compliance with the information security policy, A risk
assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by:
A. the chief risk officer (CRO).
B. business senior management.
C. the information security manager.
D. the compliance officer.
Answer: B
Explanation:
Risk acceptance is the decision to accept the level of residual risk after applying security controls, and to tolerate the potential impact and consequences of a
security incident. Approval of risk acceptance should be provided by business senior management, as they are the owners and accountable parties of the business
processes, activities, and assets that are exposed to the risk. Business senior management should also have the authority and responsibility to allocate the
resources, personnel, and budget to implement and monitor the risk acceptance decision, and to report and escalate the risk acceptance status to the board of
directors or the executive management.
The chief risk officer (CRO) (A) is a senior executive who oversees the organization’s risk management function, and provides guidance, direction, and support for
the identification, assessment, treatment, and monitoring of risks across the organization. The CRO may be involved in the risk acceptance process, such as by
reviewing, endorsing, or advising the risk acceptance decision, but the CRO is not the ultimate approver of risk acceptance, as the CRO is not the owner or
accountable party of the business processes, activities, and assets that are exposed to the risk.
The information security manager © is the manager who leads and coordinates the information security function, and provides guidance, direction, and support for
the development, implementation, and maintenance of the information security program and activities. The information security manager may be involved in the
risk acceptance process, such as by conducting the risk assessment, recommending the risk treatment options, or documenting the risk acceptance decision, but
the information security manager is not the ultimate approver of risk acceptance, as the information security manager is not the owner or accountable party of the
business processes, activities, and assets that are exposed to the risk.
The compliance officer (D) is the officer who oversees the organization’s compliance function, and provides guidance, direction, and support for the identification,
assessment, implementation, and monitoring of the compliance requirements and obligations across the organization. The compliance officer may be involved in
the risk acceptance process, such as by verifying, validating, or advising the risk acceptance decision, but the compliance officer is not the ultimate approver of risk
acceptance, as the compliance officer is not the owner or accountable party of the business processes, activities, and assets that are exposed to the risk.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Treatment, Subsection: Risk Acceptance, page 95-961
NEW QUESTION 55
- (Topic 1)
Which of the following is MOST important to ensuring information stored by an organization is protected appropriately?
A. Defining information stewardship roles
B. Defining security asset categorization
C. Assigning information asset ownership
D. Developing a records retention schedule
Answer: C
Explanation:
The most important factor to ensuring information stored by an organization is protected appropriately is assigning information asset ownership. Information asset
ownership is the process of identifying and assigning the roles and responsibilities of the individuals or groups who have the authority and accountability for the
information assets and their protection. Information asset owners are responsible for defining the business value, classification, and security requirements of the
information assets, as well as granting the access rights and privileges to the information users and custodians. Information asset owners are also responsible for
monitoring and reviewing the security performance and compliance of the information assets, and reporting and resolving any security issues or incidents. By
assigning information asset ownership, the organization can ensure that the information assets are properly identified, categorized, protected, and managed
according to their importance, sensitivity, and regulatory obligations. References = CISM Review Manual, 16th Edition, Chapter 1: Information Security
Governance, Section: Data Classification, page 331; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 62, page 572.
NEW QUESTION 58
- (Topic 1)
Which of the following BEST enables an information security manager to determine the comprehensiveness of an organization's information security strategy?
A. Internal security audit
B. External security audit
C. Organizational risk appetite
D. Business impact analysis (BIA)
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
Answer: C
Explanation:
The organizational risk appetite is the best indicator of the comprehensiveness of an information security strategy. The risk appetite defines the level of risk that
the organization is willing to accept in pursuit of its objectives. The information security strategy should align with the risk appetite and provide a framework for
managing the risks that the organization faces. An internal or external security audit can assess the effectiveness of the information security strategy, but not its
comprehensiveness. A business impact analysis (BIA) can identify the critical business processes and assets that need to be protected, but not the overall scope
and direction of the information security strategy. References = CISM Review Manual 2023, page 36 1; CISM Practice Quiz 2
NEW QUESTION 59
- (Topic 1)
Which of the following is the MOST effective way to help staff members understand their responsibilities for information security?
A. Communicate disciplinary processes for policy violations.
B. Require staff to participate in information security awareness training.
C. Require staff to sign confidentiality agreements.
D. Include information security responsibilities in job descriptions.
Answer: B
Explanation:
The most effective way to help staff members understand their responsibilities for information security is to require them to participate in information security
awareness training. Information security awareness training is a program that educates and motivates the staff members about the importance, benefits, and
principles of information security, and the roles and responsibilities that they have in protecting the information assets and resources of the organization.
Information security awareness training also provides the staff members with the necessary knowledge, skills, and tools to comply with the information security
policies, procedures, and standards of the organization, and to prevent, detect, and report any information security incidents or issues. Information security
awareness training also helps to create and maintain a positive and proactive information security culture among the staff members, and to increase their
confidence and competence in performing their information security duties.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Culture, page 281; CISM Review
Manual, 16th Edition, Chapter 3: Information Security Program Development and Management, Section: Information Security Awareness, Training and Education,
pages 197-1982.
NEW QUESTION 61
- (Topic 1)
When properly implemented, secure transmission protocols protect transactions:
A. from eavesdropping.
B. from denial of service (DoS) attacks.
C. on the client desktop.
D. in the server's database.
Answer: A
Explanation:
Secure transmission protocols are network protocols that ensure the integrity and security of data transmitted across network connections. The specific network
security protocol used depends on the type of protected data and network connection. Each protocol defines the techniques and procedures required to protect the
network data from unauthorized or malicious attempts to read or exfiltrate information1. One of the most common threats to network data is eavesdropping, which
is the interception and analysis of network traffic by an unauthorized third party. Eavesdropping can compromise the confidentiality, integrity, and availability of
network data, and can lead to data breaches, identity theft, fraud, espionage, and sabotage2. Therefore, secure transmission protocols protect transactions from
eavesdropping by using encryption, authentication, and integrity mechanisms to prevent unauthorized access and modification of network data. Encryption is the
process of transforming data into an unreadable format using a secret key, so that only authorized parties can decrypt and access the data. Authentication is the
process of verifying the identity and legitimacy of the parties involved in a network communication, using methods such as passwords, certificates, tokens, or
biometrics. Integrity is the process of ensuring that the data has not been altered or corrupted during transmission, using methods such as checksums, hashes, or
digital signatures3. Some examples of secure transmission protocols are:
? Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which are widely used protocols for securing web, email, and other application layer
communications over the Internet. SSL and TLS use symmetric encryption, asymmetric encryption, and digital certificates to establish secure sessions between
clients and servers, and to encrypt and authenticate the data exchanged.
? Internet Protocol Security (IPsec), which is a protocol and algorithm suite that secures data transferred over public networks like the Internet. IPsec operates at
the network layer and provides end-to-end security for IP packets. IPsec uses two main protocols: Authentication Header (AH), which provides data integrity and
authentication, and Encapsulating Security Payload (ESP), which provides data confidentiality, integrity, and authentication. IPsec also uses two modes: transport
mode, which protects the payload of IP packets, and tunnel mode, which protects the entire IP packet.
? Secure Shell (SSH), which is a protocol that allows secure remote login and command execution over insecure networks. SSH uses encryption, authentication,
and integrity to protect the data transmitted between a client and a server. SSH also supports port forwarding, which allows secure tunneling of other network
services through SSH connections.
References = 1: 6 Network Security Protocols You Should Know | Cato Networks 2: Eavesdropping Attacks - an overview | ScienceDirect Topics 3: Network
Security Protocols
- an overview | ScienceDirect Topics : SSL/TLS (Secure Sockets Layer/Transport Layer Security) - Definition : IPsec - Wikipedia : Secure Shell - Wikipedia
NEW QUESTION 66
- (Topic 1)
Which of the following is MOST important to include in a post-incident review following a data breach?
A. An evaluation of the effectiveness of the information security strategy
B. Evaluations of the adequacy of existing controls
C. Documentation of regulatory reporting requirements
D. A review of the forensics chain of custom
Answer: B
Explanation:
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
= A post-incident review is a process of analyzing and learning from a security incident, such as a data breach, to improve the security posture and resilience of an
organization. A post-incident review should include the following elements12:
? A clear and accurate description of the incident, including its scope, impact, timeline, root cause, and contributing factors.
? A detailed assessment of the effectiveness and efficiency of the incident response process, including the roles and responsibilities, communication channels,
coordination mechanisms, escalation procedures, tools and resources, documentation, and reporting.
? An evaluation of the adequacy of existing controls, such as policies, standards, procedures, technical measures, awareness, and training, to prevent, detect, and
mitigate similar incidents in the future.
? A list of actionable recommendations and improvement plans, based on the lessons learned and best practices, to address the identified gaps and weaknesses
in the security strategy, governance, risk management, and incident management.
? A follow-up and monitoring mechanism to ensure the implementation and verification of the recommendations and improvement plans.
The most important element to include in a post-incident review following a data breach is the evaluation of the adequacy of existing controls, because it directly
relates to the security objectives and requirements of the organization, and provides the basis for enhancing the security posture and resilience of the organization.
Evaluating the existing controls helps to identify the vulnerabilities and risks that led to the data breach, and to determine the appropriate corrective and preventive
actions to reduce the likelihood and impact of similar incidents in the future. Evaluating the existing controls also helps to align the security strategy and
governance with the business goals and objectives, and to ensure the compliance with legal, regulatory, and contractual obligations.
The other elements, such as an evaluation of the effectiveness of the information security strategy, documentation of regulatory reporting requirements, and a
review of the forensics chain of custody, are also important, but not as important as the evaluation of the existing controls. An evaluation of the effectiveness of the
information security strategy is a broader and more strategic activity that may not be directly relevant to the specific incident, and may require more time and
resources to conduct. Documentation of regulatory reporting requirements is a necessary and mandatory task, but it does not provide much insight or value for
improving the security posture and resilience of the organization. A review of the forensics chain of custody is a technical and procedural activity that ensures the
integrity and admissibility of the digital evidence collected during the incident investigation, but it does not address the root cause or the mitigation of the incident.
References = 1: CISM Exam Content Outline | CISM Certification | ISACA 2: CISM Review Manual 15th Edition, page 147
NEW QUESTION 71
- (Topic 1)
Which of the following would be MOST helpful to identify worst-case disruption scenarios?
A. Business impact analysis (BIA)
B. Business process analysis
C. SWOT analysis
D. Cast-benefit analysis
Answer: A
Explanation:
A business impact analysis (BIA) is the process of identifying and evaluating the potential effects of disruptions to critical business functions or processes. A BIA
helps to determine the recovery priorities, objectives, and strategies for the organization in the event of a disaster or crisis. A BIA also helps to identify the worst-
case disruption scenarios, which are the scenarios that would cause the most severe impact to the organization in terms of financial, operational, reputational, or
legal consequences. By conducting a BIA, the organization can assess the likelihood and impact of various disruption scenarios, and plan accordingly to mitigate
the risks and ensure business continuity and resilience. References = CISM Review Manual 15th Edition, page 181, page 183.
NEW QUESTION 73
- (Topic 1)
Which of the following activities MUST be performed by an information security manager for change requests?
A. Perform penetration testing on affected systems.
B. Scan IT systems for operating system vulnerabilities.
C. Review change in business requirements for information security.
D. Assess impact on information security risk.
Answer: D
NEW QUESTION 75
- (Topic 1)
Who is BEST suited to determine how the information in a database should be classified?
A. Database analyst
B. Database administrator (DBA)
C. Information security analyst
D. Data owner
Answer: D
Explanation:
= Data owner is the best suited to determine how the information in a database should be classified, because data owner is the person who has the authority and
responsibility for the data and its protection. Data owner is accountable for the business value, quality, integrity, and security of the data. Data owner also defines
the data classification criteria and levels based on the data sensitivity, criticality, and regulatory requirements. Data owner assigns the data custodian and grants
the data access rights to the data users. Data owner reviews and approves the data classification policies and procedures, and ensures the compliance with them.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Data Classification, page 331
NEW QUESTION 77
- (Topic 1)
An organization's main product is a customer-facing application delivered using Software as a Service (SaaS). The lead security engineer has just identified a
major security vulnerability at the primary cloud provider. Within the organization, who is PRIMARILY accountable for the associated task?
A. The information security manager
B. The data owner
C. The application owner
D. The security engineer
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
Answer: C
Explanation:
= The application owner is primarily accountable for the associated task because they are responsible for ensuring that the application meets the business
requirements and objectives, as well as the security and compliance standards. The application owner is also the one who defines the roles and responsibilities of
the application team, including the security engineer, and oversees the development, testing, deployment, and maintenance of the application. The application
owner should work with the cloud provider to address the security vulnerability and mitigate the risk. The information security manager, the data owner, and the
security engineer are not primarily accountable for the associated task, although they may have some roles and responsibilities in supporting the application
owner. The information security manager is responsible for establishing and maintaining the information security program and aligning it with the business
objectives and strategy. The data owner is responsible for defining the classification, usage, and protection requirements of the data. The security engineer is
responsible for implementing and testing the security controls and features of the application. References = CISM Review Manual 2023, Chapter 1, Section 1.2.2,
page 18; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, Question ID: 115.
NEW QUESTION 81
- (Topic 1)
What is the BEST way to reduce the impact of a successful ransomware attack?
A. Perform frequent backups and store them offline.
B. Purchase or renew cyber insurance policies.
C. Include provisions to pay ransoms ih the information security budget.
D. Monitor the network and provide alerts on intrusions.
Answer: A
Explanation:
Performing frequent backups and storing them offline is the best way to reduce the impact of a successful ransomware attack, as this allows the organization to
restore its data and systems without paying the ransom or losing valuable information. Purchasing or renewing cyber insurance policies may help cover some of
the costs and losses associated with a ransomware attack, but it does not prevent or mitigate the attack itself. Including provisions to pay ransoms in the
information security budget may encourage more attacks and does not guarantee the recovery of the data or the removal of the malware. Monitoring the network
and providing alerts on intrusions may help detect and respond to a ransomware attack, but it does not reduce the impact of a successful attack that has already
encrypted or exfiltrated the data. References = CISM Review Manual 2023, page 1661; CISM Review Questions, Answers & Explanations Manual 2023, page 312;
CISM Exam Overview - Vinsys3
NEW QUESTION 86
- (Topic 1)
When developing an asset classification program, which of the following steps should be completed FIRST?
A. Categorize each asset.
B. Create an inventor
C. &
D. Create a business case for a digital rights management tool.
E. Implement a data loss prevention (OLP) system.
Answer: B
Explanation:
Creating an inventory is the FIRST step in developing an asset classification program because it helps to identify and list all the information systems assets of the
organization that need to be protected and classified. An inventory should include the asset name, description, owner, custodian, location, type, value, and other
relevant attributes. Creating an inventory also enables the establishment of the ownership and custody of the assets, which are essential for defining the roles and
responsibilities for asset protection and classification12. Categorizing each asset (A) is a subsequent step in developing an asset classification program, after
creating an inventory. Categorizing each asset involves assigning a security level or category to each asset based on its value, sensitivity, and criticality to the
organization. The security level or category determines the protection level and controls required for each asset12. Creating a business case for a digital rights
management tool © is not a step in developing an asset classification program, but rather a possible outcome or recommendation based on the asset classification
results. A digital rights management tool is a type of control that can help to enforce the security policies and objectives for the classified assets, such as
preventing unauthorized access, copying, or distribution of the assets3. Implementing a data loss prevention (DLP) system (D) is also not a step in developing an
asset classification program, but rather a possible outcome or recommendation based on the asset
classification results. A DLP system is a type of control that can help to monitor, detect, and prevent the loss or leakage of the classified assets, such as through
email, web, or removable media4. References = 1: CISM Review Manual 15th Edition, page 77-781; 2: IT Asset Valuation, Risk Assessment and Control
Implementation Model - ISACA2; 3: What is Digital Rights Management? - Definition from Techopedia3; 4: What is Data Loss Prevention (DLP)? - Definition from
Techopedia4
NEW QUESTION 89
- (Topic 1)
Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?
A. Threat management is enhanced.
B. Compliance status is improved.
C. Security metrics are enhanced.
D. Proactive risk management is facilitated.
Answer: D
Explanation:
The primary benefit of implementing a vulnerability assessment process is to facilitate proactive risk management. A vulnerability assessment process is a
systematic and periodic evaluation of the security posture of an information system or network, which identifies and measures the weaknesses and exposures that
may be exploited by threats. By implementing a vulnerability assessment process, the organization can proactively identify and prioritize the risks, and implement
appropriate controls and mitigation strategies to reduce the likelihood and impact of potential incidents. The other options are possible benefits of implementing a
vulnerability assessment process, but they are not the primary one. References = CISM Review Manual 15th Edition, page 1731; CISM Review Questions,
Answers & Explanations Database - 12 Month Subscription, Question ID: 1029
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
NEW QUESTION 90
- (Topic 1)
Security administration efforts will be greatly reduced following the deployment of which of the following techniques?
A. Discretionary access control
B. Role-based access control
C. Access control lists
D. Distributed access control
Answer: B
Explanation:
Role-based access control (RBAC) is a policy-neutral access control mechanism that assigns access privileges to defined roles in the organization and then
makes each user a member of the appropriate roles. RBAC reduces security administration efforts by simplifying the management of access rights across different
users and resources. RBAC also enables consistent and efficient enforcement of the principle of least privilege, which grants users only the minimum rights
required to perform their assigned tasks. RBAC can also facilitate the implementation of separation of duties, which prevents users from having conflicting or
incompatible responsibilities. RBAC is among the most widely used methods in the information security tool kit1. References = CIS Control 6: Access Control
Management - Netwrix, CISSP certification: RBAC (Role based access control), What is RBAC? (Role Based Access Control) - IONOS
NEW QUESTION 94
- (Topic 1)
Reviewing which of the following would be MOST helpful when a new information security manager is developing an information security strategy for a non-
regulated organization?
A. Management's business goals and objectives
B. Strategies of other non-regulated companies
C. Risk assessment results
D. Industry best practices and control recommendations
Answer: A
Explanation:
When a new information security manager is developing an information security strategy for a non-regulated organization, reviewing the management’s business
goals and objectives would be the most helpful. This is because the information security strategy should be aligned with and support the organization’s vision,
mission, values, and strategic direction. The information security strategy should also enable the organization to achieve its desired outcomes, such as increasing
revenue, reducing costs, enhancing customer satisfaction, or improving operational efficiency. By reviewing the management’s business goals and objectives, the
information security manager can understand the business context, needs, and expectations of the organization, and design the information security strategy
accordingly. The information security manager can also communicate the value proposition and benefits of the information security strategy to the management
and other stakeholders, and gain their support and commitment.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Strategy, page 211; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, Question 48, page 452.
NEW QUESTION 98
- (Topic 1)
Which of the following is the BEST course of action for an information security manager to align security and business goals?
A. Conducting a business impact analysis (BIA)
B. Reviewing the business strategy
C. Defining key performance indicators (KPIs)
D. Actively engaging with stakeholders
Answer: D
Explanation:
= According to the CISM Review Manual, the information security manager should actively engage with stakeholders to align security and business goals. This
means understanding the business needs, expectations, and risk appetite of the stakeholders, and communicating the value and benefits of security initiatives to
them. By engaging with stakeholders, the information security manager can also gain their support and commitment for security programs and projects, and
ensure that security objectives are aligned with business strategy and priorities. References = CISM Review Manual, 16th Edition, ISACA, 2020, page 23.
NEW QUESTION 100
- (Topic 1)
The BEST way to identify the risk associated with a social engineering attack is to:
A. monitor the intrusion detection system (IDS),
B. review single sign-on (SSO) authentication lags.
C. test user knowledge of information security practices.
D. perform a business risk assessment of the email filtering system.
Answer: C
Explanation:
The best way to identify the risk associated with a social engineering attack is to test user knowledge of information security practices. Social engineering is a type
of attack that exploits human psychology and behavior to manipulate, deceive, or influence users into divulging sensitive information, granting unauthorized
access, or performing malicious actions. Therefore, user knowledge of information security practices is a key factor that affects the likelihood and impact of a social
engineering attack. By testing user knowledge of information security practices, such as through quizzes, surveys, or simulated attacks, the information security
manager can measure the level of awareness, understanding, and compliance of the users, and identify the gaps, weaknesses, or vulnerabilities that need to be
addressed.
Monitoring the intrusion detection system (IDS) (A) is a possible way to detect a social engineering attack, but not to identify the risk associated with it. An IDS is a
system that monitors network or system activities and alerts or responds to any suspicious or malicious events. However, an IDS may not be able to prevent or
recognize all types of social engineering attacks, especially those that rely on human interaction, such as phishing, vishing, or baiting. Moreover, monitoring the
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
IDS is a reactive rather than proactive approach, as it only reveals the occurrence or consequences of a social engineering attack, not the potential or likelihood of
it.
Reviewing single sign-on (SSO) authentication lags (B) is not a relevant way to identify the risk associated with a social engineering attack. SSO is a method of
authentication that allows users to access multiple applications or systems with one set of credentials. Authentication lags are delays or failures in the
authentication process that may affect the user experience or performance. However, authentication lags are not directly related to social engineering attacks, as
they do not indicate the user’s knowledge of information security practices, nor the attacker’s attempts or success in compromising the user’s credentials or
access.
Performing a business risk assessment of the email filtering system (D) is also not a relevant way to identify the risk associated with a social engineering attack. An
email filtering system is a system that scans, filters, and blocks incoming or outgoing emails based on predefined rules or criteria, such as spam, viruses, or
phishing. A business risk assessment is a process that evaluates the potential threats, vulnerabilities, and impacts to the organization’s business objectives,
processes, and assets. However, performing a business risk assessment of the email filtering system does not address the risk associated with a social
engineering attack, as it only focuses on the technical aspects and performance of the system, not the human factors and behavior of the users.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Identification, Subsection: Threat Identification, page
87-881
NEW QUESTION 103
- (Topic 1)
Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process?
A. To facilitate a qualitative risk assessment following the BIA
B. To increase awareness of information security among key stakeholders
C. To ensure the stakeholders providing input own the related risk
D. To obtain input from as many relevant stakeholders as possible
Answer: D
Explanation:
The most important reason to conduct interviews as part of the business impact analysis (BIA) process is to obtain input from as many relevant stakeholders as
possible. A BIA is a process of identifying and analyzing the potential effects of disruptive events on the organization’s critical business functions, processes, and
resources. A BIA helps to determine the recovery priorities, objectives, and strategies for the organization’s continuity planning. Interviews are one of the methods
to collect data and information for the BIA, and they involve direct and interactive communication with the stakeholders who are involved in or affected by the
business functions, processes, and resources. By conducting interviews, the information security manager can obtain input from as many relevant stakeholders as
possible, such as business owners, managers, users, customers, suppliers, regulators, and partners. This can help to ensure that the BIA covers the full scope
and complexity of the organization’s business activities, and that the BIA reflects the accurate, current, and comprehensive views and expectations of the
stakeholders. Interviews can also help to validate, clarify, and supplement the data and information obtained from other sources, such as surveys, questionnaires,
documents, or systems. Interviews can also help to build rapport, trust, and collaboration among the stakeholders, and to increase their awareness, involvement,
and commitment to the information security and continuity planning.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development and Management, Section: Business Impact Analysis
(BIA), pages 178-1801; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 65, page 602.
NEW QUESTION 106
- (Topic 1)
An organization has acquired a company in a foreign country to gain an advantage in a new market. Which of the following is the FIRST step the information
security manager should take?
A. Determine which country's information security regulations will be used.
B. Merge the two existing information security programs.
C. Apply the existing information security program to the acquired company.
D. Evaluate the information security laws that apply to the acquired company.
Answer: D
Explanation:
The information security manager should first evaluate the information security laws that apply to the acquired company, as they may differ from the laws of the
parent organization. This will help the information security manager to understand the legal and regulatory requirements, risks, and challenges that the acquired
company faces in its operating environment. The information security manager can then determine the best approach to align the information security programs of
the two entities, taking into account the different laws and regulations, as well as the business objectives and strategies of the acquisition. References = : CISM
Review Manual 15th Edition, page 32.
NEW QUESTION 108
- (Topic 1)
Which of the following is an information security manager's MOST important course of action when responding to a major security incident that could disrupt the
business?
A. Follow the escalation process.
B. Identify the indicators of compromise.
C. Notify law enforcement.
D. Contact forensic investigators.
Answer: A
Explanation:
When responding to a major security incident that could disrupt the business, the information security manager’s most important course of action is to follow the
escalation process. The escalation process is a predefined set of steps and procedures that define who should be notified, when, how, and with what information in
the event of a security incident. The escalation process helps to ensure that the appropriate stakeholders, such as senior management, business units, legal
counsel, public relations, and external parties, are informed and involved in the incident response process. The escalation process also helps to coordinate the
actions and decisions of the incident response team and the business continuity team, and to align the incident response objectives with the business priorities and
goals. The escalation process should be documented and communicated as part of the incident response plan, and should be reviewed and updated regularly to
reflect the changes in the organization’s structure, roles, and responsibilities. References =
? CISM Review Manual 15th Edition, page 1631
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
? CISM 2020: Incident Management and Response, video 32
? Incident Response Models3
NEW QUESTION 113
- (Topic 1)
Which of the following is MOST critical when creating an incident response plan?
A. Identifying vulnerable data assets
B. Identifying what constitutes an incident
C. Decumenting incident notification and escalation processes
D. Aligning with the risk assessment process
Answer: C
Explanation:
= Documenting incident notification and escalation processes is the most critical step when creating an incident response plan, as this ensures that the
appropriate stakeholders are informed and involved in the response process. Identifying vulnerable data assets, what constitutes an incident, and aligning with the
risk assessment process are important, but not as critical as documenting the communication and escalation procedures. References = CISM Review Manual
2023, page 1631; CISM Review Questions, Answers & Explanations Manual 2023, page 282
NEW QUESTION 118
- (Topic 1)
Which of the following is the PRIMARY reason to monitor key risk indicators (KRIs) related to information security?
A. To alert on unacceptable risk
B. To identify residual risk
C. To reassess risk appetite
D. To benchmark control performance
Answer: A
Explanation:
Key risk indicators (KRIs) are metrics that measure the level of risk exposure and the likelihood of occurrence of potential adverse events that can affect the
organization’s objectives and performance. KRIs are used to monitor changes in the risk environment and to provide early warning signals for potential issues that
may require management attention or intervention. KRIs are also used to communicate the risk status and trends to the relevant stakeholders and to support risk-
based decision making12.
The primary reason to monitor KRIs related to information security is to alert on unacceptable risk. Unacceptable risk is the level of risk that exceeds the
organization’s risk appetite, tolerance, or threshold, and that poses a significant threat to the organization’s assets, operations, reputation, or compliance.
Unacceptable risk can result from internal or external factors, such as cyberattacks, data breaches, system failures, human errors, fraud, natural disasters, or
regulatory changes. Unacceptable risk can have severe consequences for the organization, such as financial losses, legal liabilities, operational disruptions,
customer dissatisfaction, or reputational damage12.
By monitoring KRIs related to information security, the organization can identify and assess the sources, causes, and impacts of unacceptable risk, and take timely
and appropriate actions to mitigate, transfer, avoid, or accept the risk. Monitoring KRIs can also help the organization to evaluate the effectiveness and efficiency
of the existing information security controls, policies, and procedures, and to identify and implement any necessary improvements or enhancements. Monitoring
KRIs can also help the organization to align its information security strategy and objectives with its business strategy and objectives, and
to ensure compliance with the relevant laws, regulations, standards, and best practices12. While monitoring KRIs related to information security can also serve
other purposes, such as identifying residual risk, reassessing risk appetite, or benchmarking control performance, these are not the primary reason for monitoring
KRIs. Residual risk is the level of risk that remains after applying the risk treatment options, and it should be within the organization’s risk appetite, tolerance, or
threshold. Reassessing risk appetite is the process of reviewing and adjusting the amount and type of risk that the organization is willing to take in pursuit of its
objectives, and it should be done periodically or when there are significant changes in the internal or external environment. Benchmarking control performance is
the process of comparing the organization’s information security controls with those of other organizations or industry standards, and it should be done to identify
and adopt the best practices or to demonstrate compliance12. References = Integrating KRIs and KPIs for Effective Technology Risk Management, The Power of
KRIs in Enterprise Risk Management (ERM) - Metricstream, What Is a Key Risk Indicator? With Characteristics and Tips, KRI Framework for Operational Risk
Management | Workiva, Key risk indicator - Wikipedia
NEW QUESTION 119
- (Topic 3)
Which of the following BEST enables an organization to enhance its incident response plan processes and procedures?
A. Security risk assessments
B. Lessons learned analysis
C. Information security audits
D. Key performance indicators (KPIs)
Answer: B
Explanation:
Lessons learned analysis is the best way to enable an organization to enhance its incident response plan processes and procedures because it helps to identify
the strengths and weaknesses of the current plan, capture the feedback and recommendations from the incident responders and stakeholders, and implement the
necessary improvements and corrective actions for future incidents. Security risk assessments are not directly related to enhancing the incident response plan, but
rather to identifying and evaluating the security risks and controls of the organization. Information security audits are not directly related to enhancing the incident
response plan, but rather to verifying and validating the compliance and effectiveness of the security policies and standards of the organization. Key performance
indicators (KPIs) are not directly related to enhancing the incident response plan, but rather to measuring and reporting the performance and progress of the
security objectives and initiatives of the organization. References: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-
learned https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/security-risk-assessment-for-a-cloud-based-enterprise- resource-planning-system
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security- using-iso-27004
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-security-management-system
NEW QUESTION 122
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
- (Topic 3)
Which of the following BEST indicates the organizational benefit of an information security solution?
A. Cost savings the solution brings to the information security department
B. Reduced security training requirements
C. Alignment to security threats and risks
D. Costs and benefits of the solution calculated over time
Answer: D
Explanation:
The best option to indicate the organizational benefit of an information security solution is D. Costs and benefits of the solution calculated over time. This is
because costs and benefits of the solution calculated over time, also known as the return on security investment (ROSI), can help to measure and demonstrate the
value and effectiveness of the information security solution in terms of reducing risks, enhancing performance, and achieving strategic goals. ROSI can also help
to justify the allocation and optimization of the resources and budget for the information security solution, and to compare and prioritize different security
alternatives. ROSI can be calculated by using various methods and formulas, such as the annualized loss expectancy (ALE), the annualized rate of occurrence
(ARO), and the cost-benefit analysis (CBA).
Costs and benefits of the solution calculated over time, also known as the return on security investment (ROSI), can help to measure and demonstrate the value
and effectiveness of the information security solution in terms of reducing risks, enhancing performance, and achieving strategic goals. (From CISM Manual or
related resources) References = CISM Review Manual 15th Edition, Chapter 3, Section 3.1.3, page 1311; CISM Review Questions, Answers & Explanations
Manual 9th Edition, Question 99, page 26; How to Calculate Return on Security Investment (ROSI) - Infosec2
NEW QUESTION 127
- (Topic 3)
During the due diligence phase of an acquisition, the MOST important course of action for an information security manager is to:
A. perform a risk assessment.
B. review the state of security awareness.
C. review information security policies.
D. perform a gap analysis.
Answer: A
Explanation:
According to the CISM Review Manual, performing a risk assessment is the most important course of action for an information security manager during the due
diligence phase of an acquisition, as it helps to identify and evaluate the potential threats, vulnerabilities and impacts that may affect the information assets of the
target organization. A risk assessment also provides the basis for performing a gap analysis, reviewing the information security policies and awareness, and
developing a remediation plan.
References = CISM Review Manual, 27th Edition, Chapter 3, Section 3.4.1, page 1411.
NEW QUESTION 132
- (Topic 1)
The effectiveness of an information security governance framework will BEST be enhanced if:
A. consultants review the information security governance framework.
B. a culture of legal and regulatory compliance is promoted by management.
C. risk management is built into operational and strategic activities.
D. IS auditors are empowered to evaluate governance activities
Answer: C
Explanation:
The effectiveness of an information security governance framework will best be enhanced if risk management is built into operational and strategic activities. This
is because risk management is a key component of information security governance, which is the process of establishing and maintaining a framework to provide
assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations, and are
effectively managed and measured. Risk management involves identifying, analyzing, evaluating, treating, monitoring, and communicating information security
risks that may affect the organization’s objectives, assets, and stakeholders. By integrating risk management into operational and strategic activities, the
organization can ensure that information security risks are considered and addressed in every decision and action, and that the information security governance
framework is aligned with the organization’s risk appetite and tolerance. This also helps to optimize the allocation of resources, enhance the performance and
value of information security, and improve the accountability and transparency of information security governance.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Governance Framework, page 181;
CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Management, page 812; CISM Review Questions, Answers &
Explanations Manual, 10th Edition, Question 53, page 493.
NEW QUESTION 136
- (Topic 1)
Which of the following is the PRIMARY reason for granting a security exception?
A. The risk is justified by the cost to the business.
B. The risk is justified by the benefit to security.
C. The risk is justified by the cost to security.
D. The risk is justified by the benefit to the business.
Answer: D
Explanation:
= A security exception is a formal authorization to deviate from a security policy, standard, or control, due to a valid business reason or requirement. The primary
reason for granting a security exception is that the risk associated with the deviation is justified by the benefit to the business, such as increased efficiency,
productivity, customer satisfaction, or competitive advantage. The security exception should be approved by the appropriate authority, such as the senior
management or the risk committee, based on a risk assessment and a cost-benefit analysis. The security exception should also be documented, communicated,
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
monitored, and reviewed periodically123. References =
? 1: CISM Review Manual 15th Edition, page 364
? 2: CISM Practice Quiz, question 1132
? 3: Security Policy Exception Management, section “Security Policy Exception Management Process”
NEW QUESTION 137
- (Topic 1)
The PRIMARY benefit of introducing a single point of administration in network monitoring is that it:
A. reduces unauthorized access to systems.
B. promotes efficiency in control of the environment.
C. prevents inconsistencies in information in the distributed environment.
D. allows administrative staff to make management decisions.
Answer: B
Explanation:
A single point of administration in network monitoring is a centralized system that allows network administrators to manage and monitor the entire network from
one location. A single point of administration can provide several benefits, such as:
? Promoting efficiency in control of the environment: A single point of administration can simplify and streamline the network management tasks, such as
configuration, troubleshooting, performance optimization, security updates, backup and recovery, etc. It can also reduce the time and cost of network maintenance
and administration, as well as improve the consistency and quality of network services.
? Reducing unauthorized access to systems: A single point of administration can enhance the network security by implementing centralized authentication,
authorization and auditing mechanisms. It can also enforce consistent security policies and standards across the network, and detect and respond to any
unauthorized or malicious activities.
? Preventing inconsistencies in information in the distributed environment: A single point of administration can ensure the data integrity and availability by
synchronizing and replicating the data across the network nodes. It can also provide a unified view of the network status and performance, and facilitate the
analysis and reporting of network data.
? Allowing administrative staff to make management decisions: A single point of administration can support the decision-making process by providing relevant and
timely information and feedback to the network administrators. It can also enable the administrators to implement changes and improvements to the network based
on the business needs and objectives.
Therefore, the primary benefit of introducing a single point of administration in network monitoring is that it promotes efficiency in control of the environment, as it
simplifies and streamlines the network management tasks and improves the network performance and quality. References = CISM Review Manual, 16th Edition
eBook | Digital | English1, Chapter 4: Information Security Program Development and Management, Section 4.3: Information Security Program Resources,
Subsection 4.3.1: Information Security
Infrastructure and Architecture, Page 205.
NEW QUESTION 141
- (Topic 1)
An information security manager is reporting on open items from the risk register to senior management. Which of the following is MOST important to communicate
with regard to these risks?
A. Responsible entities
B. Key risk indicators (KRIS)
C. Compensating controls
D. Potential business impact
Answer: D
Explanation:
The most important information to communicate with regard to the open items from the risk register to senior management is the potential business impact of
these risks. The potential business impact is the estimated consequence or loss that the organization may suffer if the risk materializes or occurs. The potential
business impact can be expressed in quantitative or qualitative terms, such as financial, operational, reputational, legal, or strategic impact. Communicating the
potential business impact of the open items from the risk register helps senior management to understand the severity and urgency of these risks, and to prioritize
the risk response actions and resources accordingly. Communicating the potential business impact also helps senior management to align the risk management
objectives and activities with the business objectives and strategies, and to ensure that the risk appetite and tolerance of the organization are respected and
maintained.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk
Management, Section: Risk Assessment, page 831; CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Reporting, page
1012.
NEW QUESTION 142
- (Topic 3)
Which of the following is the BEST way to help ensure alignment of the information security program with organizational objectives?
A. Establish an information security steering committee.
B. Employ a process-based approach for information asset classification.
C. Utilize an industry-recognized risk management framework.
D. Provide security awareness training to board executives.
Answer: A
Explanation:
The best way to help ensure alignment of the information security program with organizational objectives is A. Establish an information security steering
committee. This is because an information security steering committee is a cross-functional group of senior executives and managers who provide strategic
direction, oversight, and support for the information security program. An information security steering committee can help to ensure that the information security
program is aligned with the organizational objectives by:
Communicating and promoting the vision, mission, and value of information security to the organization and its stakeholders Defining and approving the
information security policies, standards, and procedures Establishing and monitoring the information security goals, metrics, and performance indicators
Allocating and prioritizing the resources and budget for information security initiatives and projects
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
Resolving any conflicts or issues that may arise between the information security function and the business units Reviewing and endorsing the information security
risk assessment and treatment plans Ensuring compliance with the legal, regulatory, and contractual obligations regarding information security
An information security steering committee is a cross-functional group of senior executives and managers who provide strategic direction, oversight, and support
for the information security program. (From CISM Manual or related resources)
References = CISM Review Manual 15th Edition, Chapter 1, Section 1.2.2, page 20; CISM Review Questions, Answers & Explanations Manual 9th Edition,
Question 9, page 3; Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition
NEW QUESTION 147
- (Topic 3)
Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST supports the concept of confidentiality?
A. Ensuring hashing of administrator credentials
B. Enforcing service level agreements (SLAs)
C. Ensuring encryption for data in transit
D. Utilizing a formal change management process
Answer: C
Explanation:
Ensuring encryption for data in transit is the best activity that supports the concept of confidentiality within the CIA triad, as it protects the data from unauthorized
access or interception while it is being transmitted over a network. Encryption is a technique that transforms data into an unreadable form using a secret key, so
that only authorized parties who have the key can decrypt and access the data. Encryption standards include AES (Advanced Encryption Standard) and DES
(Data Encryption Standard).
References = CISM Review Manual 2022, page 321; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.12; The CIA triad: Definition, components
and examples3; CIA Triad - GeeksforGeeks4
NEW QUESTION 148
- (Topic 3)
Which of the following BEST enables an organization to maintain legally admissible evidence7
A. Documented processes around forensic records retention
B. Robust legal framework with notes of legal actions
C. Chain of custody forms with points of contact
D. Forensic personnel training that includes technical actions
Answer: C
Explanation:
Chain of custody forms with points of contact are the best way to enable an organization to maintain legally admissible evidence because they document the
sequence of control, transfer, and analysis of the evidence, and every person who handled it, the dates and times, and the purpose for each action1. They also
ensure the authenticity and integrity of the evidence, and prevent tampering or loss1. Documented processes around forensic records retention are not sufficient to
maintain legally admissible evidence because they do not track or verify the handling of the evidence. Robust legal framework with notes of legal actions are not
sufficient to maintain legally admissible evidence because they do not record or validate the preservation of the evidence. Forensic personnel training that includes
technical actions are not sufficient to maintain legally admissible evidence because they do not account or certify the custody of the evidence.
References: 1
https://www.researchgate.net/publication/326079761_Digital_Chain_of_Custody
NEW QUESTION 151
- (Topic 3)
Senior management has just accepted the risk of noncompliance with a new regulation What should the information security manager do NEX*P
A. Report the decision to the compliance officer
B. Update details within the risk register.
C. Reassess the organization's risk tolerance.
D. Assess the impact of the regulation.
Answer: B
Explanation:
Updating details within the risk register is the next step for the information security manager to do after senior management has accepted the risk of
noncompliance with a new regulation because it records and communicates the risk status, impact, and response strategy to the relevant stakeholders. Reporting
the decision to the compliance officer is not the next step, but rather a possible subsequent step that involves informing and consulting with the compliance officer
about the risk acceptance and its implications. Reassessing the organization’s risk tolerance is not the next step, but rather a possible subsequent step that
involves reviewing and adjusting the organization’s risk appetite and thresholds based on the risk acceptance and its implications. Assessing the impact of the
regulation is not the next step, but rather a previous step that involves analyzing and evaluating the potential consequences and likelihood of noncompliance with
the regulation. References: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-
iso-27004 https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-security-management-
system
NEW QUESTION 152
- (Topic 3)
Which of the following should be an information security manager's FIRST course of action when one of the organization's critical third-party providers experiences
a data breach?
A. Inform the public relations officer.
B. Inform customers of the breach.
C. Invoke the incident response plan.
D. Monitor the third party's response.
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
Answer: C
Explanation:
The information security manager’s first course of action when one of the organization’s critical third-party providers experiences a data breach should be to
invoke the incident response plan that has been established for such scenarios. The incident response plan should define the roles and responsibilities,
communication channels, escalation procedures, and recovery actions for dealing with a third-party data breach. Invoking the incident response plan will help to
contain the impact, assess the damage, coordinate the response, and restore the normal operations as soon as possible.
References = CISM Review Manual, 16th Edition, page 290
NEW QUESTION 153
- (Topic 3)
The MOST important information for influencing management’s support of information security is:
A. an demonstration of alignment with the business strategy.
B. An identification of the overall threat landscape.
C. A report of a successful attack on a competitor.
D. An identification of organizational risks.
Answer: A
Explanation:
The most important information for influencing management’s support of information security is an demonstration of alignment with the business strategy because
it shows how information security contributes to the achievement of the organization’s goals and objectives, and adds value to the organization’s performance
and competitiveness. An identification of the overall threat landscape is not very important because it does not indicate how information security addresses or
mitigates the threats or risks. A report of a successful attack on a competitor is not very important because it does not indicate how information security prevents or
responds to such attacks. An identification of organizational risks is not very important because it does not indicate how information security manages or reduces
the risks. References: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives
NEW QUESTION 157
- (Topic 3)
An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to
have access to critical business information. The security manager should focus PRIMARILY on defining:
A. service level agreements (SLAs)
B. security requirements for the process being outsourced.
C. risk-reporting methodologies.
D. security metrics
Answer: B
Explanation:
An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to
have access to critical business information. The security manager should focus primarily on defining security requirements for the process being outsourced.
Security requirements are the specifications of what needs to be done to protect the information assets from unauthorized access, use, disclosure, modification, or
destruction. Security requirements should be aligned with the organization’s risk appetite and business objectives, and should cover both technical and
organizational aspects of the service delivery. Security requirements should also be clear, concise, measurable, achievable, realistic, and testable. References =
CISM Review Manual (Digital Version), Chapter 3: Information Security Risk Management, Section 3.1: Risk Identification, p. 115-1161. CISM Review Manual
(Print Version), Chapter 3: Information Security Risk Management, Section 3.1: Risk Identification, p. 115-1162. CISM ITEM DEVELOPMENT GUIDE, Domain 3:
Information Security Program Development and Management, Task Statement 3.1, p. 193. Security requirements for the process being outsourced are the
specifications and standards that the third party must comply with to ensure the confidentiality, integrity and availability of the critical business information. They
define the roles and responsi-bilities of both parties, the security controls and measures to be implemented, the se-curity objectives and expectations, the security
risks and mitigation strategies, and the security monitoring and reporting mechanisms. Security requirements are essential to protect the information assets of the
organization and to establish a clear and en-forceable contractual relationship with the third party.
References:
•1 Outsourcing Strategies for Information Security: Correlated Losses and Security Exter- nalities - SpringerLink
•2 What requirements must outsourcing services comply with for the European market? - CBI
•3 Outsourcing cybersecurity: What services to outsource, what to keep in house - Infosec Institute
•4 BCFSA outsourcing and information security guidelines - BLG
NEW QUESTION 162
- (Topic 3)
A newly appointed information security manager has been asked to update all security- related policies and procedures that have been static for five years or
more. What should be done NEXT?
A. Update in accordance with the best business practices.
B. Perform a risk assessment of the current IT environment.
C. Gain an understanding of the current business direction.
D. Inventory and review current security policies.
Answer: D
Explanation:
The next step for the information security manager should be to inventory and review the current security policies to understand the existing security requirements,
controls, and gaps. This will help to identify the areas that need to be updated, revised, or replaced to align with the current business needs and objectives, as well
as the legal and regulatory requirements. Updating the policies in accordance with the best business practices, performing a risk assessment of the current IT
environment, or gaining an understanding of the current business direction are important activities, but they should be done after reviewing the current security
policies.
References = CISM Review Manual, 16th Edition eBook1, Chapter 1: Information Security Governance, Section: Information Security Policies, Standards,
Procedures and Guidelines, Subsection: Information Security Policies, Page 28.
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
NEW QUESTION 166
- (Topic 3)
Which of the following is the MOST important function of an information security steering committee?
A. Assigning data classifications to organizational assets
B. Developing organizational risk assessment processes
C. Obtaining multiple perspectives from the business
D. Defining security standards for logical access controls
Answer: C
Explanation:
An information security steering committee is a group of senior executives and managers from different business units and functions who provide strategic
direction, oversight, and support for the information security program. The most important function of the committee is to obtain multiple perspectives from the
business, as this helps to ensure that the information security program aligns with the business goals, needs, and culture, and that the security decisions reflect the
interests and expectations of the stakeholders.
References = CISM Review Manual 2022, page 331; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.22; Improve Security Governance With a
Security Steering Committee2; The Role of the Corporate Information Security Steering Committee3
NEW QUESTION 171
- (Topic 3)
The categorization of incidents is MOST important for evaluating which of the following?
A. Appropriate communication channels
B. Allocation of needed resources
C. Risk severity and incident priority
D. Response and containment requirements
Answer: C
Explanation:
The categorization of incidents is most important for evaluating the risk severity and incident priority, as these factors determine the impact and urgency of the
incident, and the appropriate level of response and escalation. The categorization of incidents helps to classify the incidents based on their type, source, cause,
scope, and affected assets or services. By categorizing incidents, the information security manager can assess the potential or actual harm to the organization, its
stakeholders, and its objectives, and assign a priority level that reflects the need for immediate action and resolution. The risk severity and incident priority also
influence the allocation of resources, the response and containment requirements, and the communication channels, but they are not the primary purpose of
categorization.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.4.1, page 2371; CISM Online Review Course, Module 4, Lesson 4, Topic 12; CIRT Case
Classification (Draft) - FIRST3
NEW QUESTION 173
- (Topic 3)
Which of the following is MOST important to include in an information security status report management?
A. List of recent security events
B. Key risk indication (KRIs)
C. Review of information security policies
D. information security budget requests
Answer: B
Explanation:
Key risk indicators (KRIs) are the most useful to include in an information security status report for management because they measure and report the level of risk
exposure or performance against predefined risk thresholds or targets, and alert management of any deviations or issues that may require attention or action. List
of recent security events is not very useful to include in an information security status report for management because it does not provide any analysis or
evaluation of the events or their impact on the organization’s objectives or performance. Review of information security policies is not very useful to include in an
information security status report for management because it does not reflect any progress or results of implementing or enforcing the policies. Information security
budget requests are not very useful to include in an information security status report for management because they do not indicate any value or benefit of
investing in information security initiatives or controls. References: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-
effectiveness-of-information-security-using-iso-27004
NEW QUESTION 176
......
Your Partner of IT Exam visit - https://www.exambible.com
We recommend you to try the PREMIUM CISM Dumps From Exambible
https://www.exambible.com/CISM-exam/ (415 Q&As)
Relate Links
100% Pass Your CISM Exam with Exambible Prep Materials
https://www.exambible.com/CISM-exam/
Contact us
We are proud of our high-quality customer service, which serves you around the clock 24/7.
Viste - https://www.exambible.com/
Your Partner of IT Exam visit - https://www.exambible.com
Powered by TCPDF (www.tcpdf.org)
You might also like
- Isaca - Examcollection.cism - Dumps.2024 Feb 20.by - Carl.437q.vceNo ratings yetIsaca - Examcollection.cism - Dumps.2024 Feb 20.by - Carl.437q.vce20 pages
- ISACA CISM Exam Supplement Questions AnswersNo ratings yetISACA CISM Exam Supplement Questions Answers53 pages
- Information Systems Security: Shanghai Wireless Cafe100% (2)Information Systems Security: Shanghai Wireless Cafe12 pages
- INFORMATION SECURITY Program Essentials-2No ratings yetINFORMATION SECURITY Program Essentials-237 pages
- Certified Information Security Manager: Isaca CISM Dumps Available Here atNo ratings yetCertified Information Security Manager: Isaca CISM Dumps Available Here at5 pages
- Protecting Information Assets: Reviewer and Guide QuestionsNo ratings yetProtecting Information Assets: Reviewer and Guide Questions6 pages
- CISM Practice Questions To Prep For The ExamNo ratings yetCISM Practice Questions To Prep For The Exam25 pages
- 2020 Full CISM Practice Exam 150 Questions80% (10)2020 Full CISM Practice Exam 150 Questions156 pages
- Certified Information Security Manager (CISM) - Mock ExamNo ratings yetCertified Information Security Manager (CISM) - Mock Exam10 pages
- Model Design of Information Security Governance Assessment With Collaborative Integration of Cobit 5 and ItilNo ratings yetModel Design of Information Security Governance Assessment With Collaborative Integration of Cobit 5 and Itil6 pages
- Essential CISM - Updated For The 15th Edition CISM Review Manual - Phil Martin50% (2)Essential CISM - Updated For The 15th Edition CISM Review Manual - Phil Martin578 pages
- Research On IS Risk Model and ValidationNo ratings yetResearch On IS Risk Model and Validation10 pages
- CNIT 125: Information Security Professional (Cissp Preparation)No ratings yetCNIT 125: Information Security Professional (Cissp Preparation)62 pages
- Project Management Metrics Kpis and Dashboards A Guide To 4jt68xeml1No ratings yetProject Management Metrics Kpis and Dashboards A Guide To 4jt68xeml15 pages
- Optimization of The Maintenance and Productivity of Industrial OrganizationNo ratings yetOptimization of The Maintenance and Productivity of Industrial Organization10 pages
- Key Performance Indicators For The Teach PDFNo ratings yetKey Performance Indicators For The Teach PDF12 pages
- SIP Report Bindu 2022527012 30.11.2023-v1No ratings yetSIP Report Bindu 2022527012 30.11.2023-v120 pages
- Presentation of Business Communication 1No ratings yetPresentation of Business Communication 114 pages
- 18 Best KPIs and Metrics For The Agile CEO - InsiNo ratings yet18 Best KPIs and Metrics For The Agile CEO - Insi16 pages
- Effects of Taxation On Financial Performance of Small and Medium Enterprises in The Democratic Republic of Congo, Bunia CityNo ratings yetEffects of Taxation On Financial Performance of Small and Medium Enterprises in The Democratic Republic of Congo, Bunia City114 pages
- The Difference Engine An Articulate Marketing Guide100% (1)The Difference Engine An Articulate Marketing Guide255 pages
- (EST Booklet) Semester 2 - 22.23 - AIESEC PakistanNo ratings yet(EST Booklet) Semester 2 - 22.23 - AIESEC Pakistan86 pages
- Top 11 HR Metrics That High Performance Cultures TrackNo ratings yetTop 11 HR Metrics That High Performance Cultures Track30 pages
- Agile and Devops Quizz @accenture - UpdatesNo ratings yetAgile and Devops Quizz @accenture - Updates39 pages
- 100 Business Analyst Interview Questions and Answers 1753416701No ratings yet100 Business Analyst Interview Questions and Answers 175341670162 pages
- Key Performance Indicators - Signposts To Loss PreventionNo ratings yetKey Performance Indicators - Signposts To Loss Prevention2 pages
- KPI and Supplier Performance Scorecard Tool100% (1)KPI and Supplier Performance Scorecard Tool7 pages