File Info
| Exam | Certified Information Security Manager |
| Number | CISM |
| File Name | Financial.CISM.SelfTestEngine.2018-09-05.426q.tqb |
| Size | 2 MB |
| Posted | Sep 05, 2018 |
| Download | Financial.CISM.SelfTestEngine.2018-09-05.426q.tqb |
How to open VCEX & EXAM Files?
Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.
Coupon: MASTEREXAM
With discount: 20%
Demo Questions
Question 1
Risk assessment is MOST effective when performed:
- at the beginning of security program development.
- on a continuous basis.
- while developing the business case for the security program.
- during the business change process.
Correct answer: B
Explanation:
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective. Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
Question 2
Which of the following is the MAIN reason for performing risk assessment on a continuous basis'?
- Justification of the security budget must be continually made.
- New vulnerabilities are discovered every day.
- The risk environment is constantly changing.
- Management needs to be continually informed about emerging risks.
Correct answer: C
Explanation:
The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed. The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.
Question 3
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered.
Which of the following should be carried out FIRST to mitigate the risk during this time period?
- Identify the vulnerable systems and apply compensating controls
- Minimize the use of vulnerable systems
- Communicate the vulnerability to system users
- Update the signatures database of the intrusion detection system (IDS)
Correct answer: A
Explanation:
The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option. The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
