Isaca CISM Actual Questions

Certified Information Security Manager Questions and Answers

Question 53

Which of the following is the BEST indicator of an emerging incident?

Options:

A weakness identified within an organization's information systems

Customer complaints about lack of website availability

A recent security incident at an industry competitor

Attempted patching of systems resulting in errors

Question 54

In order to gain organization-wide support for an information security program, which of the following is MOST important to consider?

Options:

Maturity of the security policy

Clarity of security roles and responsibilities

Corporate culture

Corporate risk framework

Answer:

Explanation:

Corporate culture is the most important factor to consider when trying to gain organization-wide support for an information security program because it reflects the values, beliefs, and behaviors of the organization and its members. Corporate culture influences how the organization perceives, prioritizes, and responds to information security risks and issues, and how it adopts and implements information security policies and practices. By understanding and aligning with the corporate culture, the information security manager can communicate the benefits and value of the information security program, and foster a positive and collaborative security culture across the organization.

[References: The CISM Review Manual 2023 states that “corporate culture is the set of shared values, beliefs, and behaviors that characterize the organization and its members” and that “corporate culture affects how the organization views and manages information security risks and issues, and how it supports and implements information security policies and practices” (p. 81). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this answer: “Corporate culture is the correct answer because it is the most important factor to consider when trying to gain organization-wide support for an information security program, as it reflects the values, beliefs, and behaviors of the organization and its members, and influences how they perceive, prioritize, and respond to information security risks and issues, and how they adopt and implement information security policies and practices” (p. 23). Additionally, the article Building a Culture of Security from the ISACA Journal 2019 states that “corporate culture is the key factor that determines the success or failure of an information security program” and that “corporate culture can be either an enabler or a barrier for information security, depending on how well it aligns with the information security objectives, values, and practices of the organization” (p. 1), , , , , , , ]

Question 55

An organization's research department plans to apply machine learning algorithms on a large data set containing customer names and purchase history. The risk of personal data leakage is considered high impact. Which of the following is the BEST risk treatment option in this situation?

Options:

Accept the risk, as the benefits exceed the potential consequences.

Mitigate the risk by applying anonymization on the data set.

Transfer the risk by purchasing insurance.

Mitigate the risk by encrypting the customer names in the data set.

Question 56

Which of the following is the BEST way to contain an SQL injection attack that has been detected by a web application firewall?

Options:

Force password changes on the SQL database.

Reconfigure the web application firewall to block the attack.

Update the detection patterns on the web application firewall.

Block the IPs from where the attack originates.

Summer Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Certified Information Security Manager Questions and Answers

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce