Get Ready with CISM-CN Exam Dumps (2024) [Q104-Q123]


NEW QUESTION # 104
Reassessing risk is MOST critical when there is:

  • A. A change in the threat landscape.
  • B. A change in security policy.
  • C. A management request for updated security reports.
  • D. Resistance to implementing mitigating controls.

Answer: A


NEW QUESTION # 105
Which of the following is the BEST approach to defend against emerging advanced persistent threat (APT) actors?

  • A. Providing ongoing training to the incident response team
  • B. Updating information security awareness materials
  • C. Implementing a honeypot environment
  • D. Implementing proactive system monitoring

Answer: D


NEW QUESTION # 106
What is the PRIMARY objective of performing a vulnerability assessment following a business system update?

  • A. Update the threat landscape.
  • B. Review the effectiveness of controls.
  • C. Determine operational losses.
  • D. Improve the change control process.

Answer: B

Explanation:
The primary objective of performing a vulnerability assessment following a business system update is to review the effectiveness of controls. A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation where needed [1]. A business system update is a process of modifying or enhancing an information system to improve its functionality, performance, security, or compatibility. A business system update may introduce new features, fix bugs, patch vulnerabilities, or comply with new standards or regulations [2]. Performing a vulnerability assessment following a business system update is important because it helps to:
* Review the effectiveness of controls that are implemented to protect the information system from threats and risks
* Identify any new or residual vulnerabilities that may have been introduced or exposed by the update
* Evaluate the impact and likelihood of potential incidents that may exploit the vulnerabilities
* Prioritize and implement appropriate actions to address the vulnerabilities
* Verify and validate the security posture and compliance of the updated information system
Therefore, the primary objective of performing a vulnerability assessment following a business system update is to review the effectiveness of controls that are designed to ensure the confidentiality, integrity, and availability of the information system and its data. The other options are not the primary objectives of performing a vulnerability assessment following a business system update. Determining operational losses is not an objective, but rather a possible consequence of not performing a vulnerability assessment or of not addressing the identified vulnerabilities. Improving the change control process is not an objective, but rather a possible outcome of performing a vulnerability assessment and incorporating its results and recommendations into the change management cycle. Updating the threat landscape is not an objective, but rather a prerequisite for performing a vulnerability assessment, which requires up-to-date sources of threat intelligence and vulnerability information.
Reference:
1: Vulnerability Assessment - NIST
2: System Update - Techopedia
Vulnerability Assessment vs Penetration Testing - Imperva
Change Control Process - NIST
Threat Landscape - NIST


NEW QUESTION # 107
Which of the following provides the BEST evidence that a recently established information security program is effective?

  • A. The number of reported incidents has increased.
  • B. Senior management has reported fewer junk emails.
  • C. The number of tickets associated with IT incidents has stayed consistent.
  • D. Regular IT balanced scorecards are communicated.

Answer: A

Explanation:
An increase in the number of reported incidents is the best evidence that a recently established information security program is effective because it indicates that the organization has improved its detection and reporting capabilities and has raised awareness among employees about security issues. Regular communication of IT balanced scorecards is not good evidence because it does not measure the actual performance or outcomes of the security program. Senior management reporting fewer junk emails is not good evidence because it does not reflect the overall security posture or maturity of the organization. The number of tickets associated with IT incidents staying consistent is not good evidence because it does not show any improvement or reduction in security incidents or risks. Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso-27004 https://www.isaca.org/resources/isaca-journal/issues/2014/volume-6/how-to-measure-the-effectiveness-of-your-information-security-management-system


NEW QUESTION # 108
Which of the following BEST enables the integration of information security governance into corporate governance?

  • A. Senior management approval of the information security strategy
  • B. Well-developed information security policies and standards
  • C. Clear lines of authority across the organization
  • D. An information security steering committee with business representation

Answer: D


NEW QUESTION # 109
Integrating an organization's various assurance functions is important to an information security manager PRIMARILY to achieve:

  • A. A security-aware culture
  • B. Consistent security
  • C. Compliance with policy
  • D. Comprehensive audits

Answer: B

Explanation:
Consistent security is the primary reason for integrating the various assurance functions of an organization for the information security manager because it ensures that the security policies and standards are applied uniformly and effectively across different domains, processes, and systems of the organization. Comprehensive audits are not the primary reason for integrating the various assurance functions, but rather a possible outcome or benefit of doing so. A security-aware culture is not the primary reason for integrating the various assurance functions, but rather a desirable state or goal of the organization. Compliance with policy is not the primary reason for integrating the various assurance functions, but rather a basic requirement or expectation of the organization. Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/integrating-assurance-functions https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-security-management-system


NEW QUESTION # 110
Which of the following is the MOST effective way to help employees understand their information security responsibilities?

  • A. Communicating the disciplinary process for policy violations.
  • B. Requiring employees to attend information security awareness training.
  • C. Including information security responsibilities in job descriptions.
  • D. Requiring employees to sign non-disclosure agreements.

Answer: B


NEW QUESTION # 111
Which of the following is MOST useful to include in an information security status report for management?

  • A. Key risk indicators (KRIs)
  • B. Review of information security policies
  • C. List of recent security events
  • D. Information security budget requests

Answer: A

Explanation:
Key risk indicators (KRIs) are the most useful to include in an information security status report for management because they measure and report the level of risk exposure or performance against predefined risk thresholds or targets, and alert management of any deviations or issues that may require attention or action. List of recent security events is not very useful to include in an information security status report for management because it does not provide any analysis or evaluation of the events or their impact on the organization's objectives or performance. Review of information security policies is not very useful to include in an information security status report for management because it does not reflect any progress or results of implementing or enforcing the policies. Information security budget requests are not very useful to include in an information security status report for management because they do not indicate any value or benefit of investing in information security initiatives or controls. Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso-27004


NEW QUESTION # 112
To remain operational during a disaster, an organization should invoke which of the following plans?

  • A. Disaster recovery plan (DRP)
  • B. Incident response plan
  • C. Business continuity plan (BCP)
  • D. Business contingency plan

Answer: C


NEW QUESTION # 113
An information security manager is working to incorporate media communication procedures into the security incident communication plan. It is MOST important to include:

  • A. A directory of approved local media contacts
  • B. A single point of contact within the organization
  • C. Pre-prepared media statements
  • D. Procedures for contacting law enforcement

Answer: B

Explanation:
A single point of contact within the organization is the most important element to include when incorporating media communication procedures into the security incident communication plan because it helps to ensure a consistent and accurate message to the public and avoid confusion or misinformation. A single point of contact is a designated person who is authorized and trained to communicate with the media on behalf of the organization during a security incident. The single point of contact should coordinate with the incident response team, senior management, legal counsel, and public relations to prepare and deliver timely and appropriate statements to the media, as well as to respond to any inquiries or requests. A single point of contact also helps to prevent unauthorized or conflicting disclosures from other employees or stakeholders that may harm the organization's reputation or legal position. Therefore, a single point of contact within the organization is the correct answer.
Reference:
https://www.lifars.com/2020/09/communication-during-incident-response/
https://ifpo.org/resource-links/articles-and-reports/public-and-media-relations/planning-for-effective-media-relations-during-a-critical-incident/
https://www.techtarget.com/searchsecurity/tip/Incident-response-How-to-implement-a-communication-plan.


NEW QUESTION # 114
Recovery time objectives (RTOs) are an output of which of the following?

  • A. Disaster recovery plan (DRP)
  • B. Service level agreement (SLA)
  • C. Business impact analysis (BIA)
  • D. Business continuity plan (BCP)

Answer: C

Explanation:
Business impact analysis (BIA) is the process that provides the output of recovery time objectives (RTOs), which are the maximum acceptable time frames for restoring business functions or processes after a disruption. Business continuity plan (BCP) is the document that describes the strategies and procedures for ensuring the continuity of critical business functions or processes in the event of a disruption. Disaster recovery plan (DRP) is the document that describes the technical steps and resources for restoring IT systems and data in the event of a disruption. Service level agreement (SLA) is the document that defines the expectations and obligations between a service provider and a service consumer, such as availability, performance, and security. Reference: https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/business-impact-analysis-bia-and-disaster-recovery-planning-drp https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/service-level-agreements-in-the-cloud


NEW QUESTION # 115
When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager?

  • A. Evaluate potential threats
  • B. Assess vulnerabilities
  • C. Identify unacceptable risk levels
  • D. Manage the impact

Answer: D

Explanation:
When preventive controls to appropriately mitigate risk are not feasible, the most important action for the information security manager is to manage the impact, which means taking measures to reduce the likelihood or severity of the consequences of the risk. Managing the impact can involve using alternative controls, such as engineering, administrative, or personal protective controls, that can lower the exposure or harm to the organization. The other options, such as identifying unacceptable risk levels, assessing vulnerabilities, or evaluating potential threats, are part of the risk assessment process, but they are not actions to mitigate risk when preventive controls are not feasible. Reference:
https://bcmmetrics.com/risk-mitigation-evaluating-your-controls/
https://www.osha.gov/safety-management/hazard-prevention
https://www.cdc.gov/niosh/topics/hierarchy/default.html


NEW QUESTION # 116
Which of the following is the MOST important security consideration when granting a vendor remote access to confidential information for analysis purposes?

  • A. The vendor must agree to the organization's information security policy.
  • B. Data is encrypted in transit and at rest at the vendor site.
  • C. The vendor must be able to modify the data.
  • D. The data is subject to regular access log reviews.

Answer: A


NEW QUESTION # 117
Which of the following BEST supports effective communication during information security incidents?

  • A. Responsibilities defined within role descriptions
  • B. Predetermined service level agreements (SLAs)
  • C. Frequent incident response training sessions
  • D. Centralized control monitoring capabilities

Answer: B

Explanation:
The best way to support effective communication during information security incidents is to have predetermined service level agreements (SLAs) because they define the expectations and responsibilities of the parties involved in the incident response process, and specify the communication channels, methods, and frequency for reporting and updating on the incident status and resolution. Frequent incident response training sessions are not very effective because they do not address the communication needs or challenges during an actual incident. Centralized control monitoring capabilities are not very effective because they do not address the communication needs or challenges during an actual incident. Responsibilities defined within role descriptions are not very effective because they do not address the communication needs or challenges during an actual incident. Reference: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned


NEW QUESTION # 118
Which of the following parties should be responsible for determining access levels to an application that processes client information?

  • A. Information security team
  • B. Business clients
  • C. Business unit management
  • D. Identity and access management team

Answer: C


NEW QUESTION # 119
A hosting organization's data center houses servers, applications
What is the BEST way to develop the organization's physical access control policy?

  • A. Review the clients' security policies.
  • B. Design single sign-on (SSO) or federated access.
  • C. Develop access control requirements for each system and application.
  • D. Conduct a risk assessment to identify security risks and mitigating controls.

Answer: D


NEW QUESTION # 120
When developing a categorization method for security incidents, the categories MUST:

  • A. Be created by the incident handlers.
  • B. Align with industry standards.
  • C. Have agreed-upon definitions.
  • D. Align with reporting requirements.

Answer: C

Explanation:
When developing a categorization method for security incidents, the categories MUST have agreed-upon definitions. Clear and consistent definitions for each category of incident help to ensure a common understanding and communication among the incident response team and other stakeholders. They also facilitate the accurate and timely identification, classification, reporting, and analysis of incidents, and help to avoid confusion, ambiguity, and inconsistency in the incident management process.


NEW QUESTION # 121
An anomaly-based intrusion detection system (IDS) operates by gathering data on:

  • A. Abnormal network behavior and using it as a baseline for measuring normal activity
  • B. Abnormal network behavior and issuing instructions to the firewall to drop malicious connections
  • C. Normal network behavior and using it as a baseline for measuring abnormal activity
  • D. Attack pattern signatures from historical data

Answer: C

Explanation:
An anomaly-based intrusion detection system (IDS) operates by gathering data on normal network behavior and using it as a baseline for measuring abnormal activity. This is important because it allows the IDS to detect any activity that is outside of the normal range of usage for the network, which can help to identify potential malicious activity or security threats. Additionally, the IDS will monitor for any changes in the baseline behavior and alert the administrator if any irregularities are detected. By contrast, signature-based IDSs operate by gathering attack pattern signatures from historical data and comparing them against incoming traffic in order to identify malicious activity.


NEW QUESTION # 122
An online bank identifies a successful network attack in progress. The bank should FIRST:

  • A. Shut down the entire network.
  • B. Isolate the affected network segment.
  • C. Report the root cause to the board of directors.
  • D. Assess whether personally identifiable information (PII) has been compromised.

Answer: B


NEW QUESTION # 123
......
