
Best Way To Study For ISACA CISM-CN Exam Brilliant CISM-CN Exam Questions PDF
Updated Verified Pass CISM-CN Exam - Real Questions and Answers
NEW QUESTION # 314
Which of the following BEST helps ensure that appropriate security controls are built into software?
- A. Performing security testing before deployment
- B. Integrating security throughout the development process
- C. Providing implementation standards during development activities
- D. Providing security training to the software development team
Answer: C
NEW QUESTION # 315
Which of the following BEST enables the integration of information security governance into corporate governance?
- A. An information security steering committee with business representation
- B. Senior management approval of the information security strategy
- C. Clear lines of authority across the organization
- D. Well-documented information security policies and standards
Answer: A
Explanation:
The best way to enable the integration of information security governance into corporate governance is to establish an information security steering committee with business representation. An information security steering committee is a group of senior executives and managers from different business units and functions who are responsible for overseeing, directing, and supporting the information security program and strategy of the organization. An information security steering committee with business representation can enable the integration of information security governance into corporate governance by providing the following benefits:
* Align the information security objectives and priorities with the business objectives and priorities, and ensure that the information security program and strategy support and enable the achievement of the organizational goals and performance.
* Communicate and promote the value and importance of information security to the board of directors, senior management, and other stakeholders, and ensure that information security is considered and incorporated in the decision making and planning processes of the organization.
* Provide guidance and direction to the information security manager and the information security team, and ensure that they have the necessary authority, resources, and support to implement and maintain the information security program and strategy effectively and efficiently.
* Monitor and evaluate the performance and outcomes of the information security program and strategy, and ensure that they are aligned with the expectations and requirements of the organization and its stakeholders, as well as the relevant laws, regulations, standards, and best practices.
* Identify and address the issues, challenges, and opportunities related to information security, and ensure that the information security program and strategy are continuously improved and updated to reflect the changes and developments in the internal and external environment.
The other options are not the best way to enable the integration of information security governance into corporate governance, as they are less comprehensive, effective, or influential than establishing an information security steering committee with business representation. Well-documented information security policies and standards are important components of the information security program and strategy, but they are not sufficient to enable the integration of information security governance into corporate governance, as they may not reflect or align with the business needs, priorities, or expectations, and they may not be communicated, implemented, or enforced properly or consistently across the organization. Clear lines of authority across the organization are important factors for the information security governance structure, but they are not sufficient to enable the integration of information security governance into corporate governance, as they may not ensure the involvement, participation, or support of the senior executives, managers, and other stakeholders who are responsible for or affected by information security. Senior management approval of the information security strategy is an important outcome of the information security governance process, but it is not sufficient to enable the integration of information security governance into corporate governance, as it may not ensure the alignment, communication, or monitoring of the information security strategy with the business strategy, and it may not ensure the accountability, responsibility, or authority of the information security manager and the information security team.
References: CISM Domain 1: Information Security Governance (ISG) [2022 update]; Information Security Governance for CISM - Pluralsight; Aligning Information Security with Business Strategy - ISACA; Aligning Information Security with Business Objectives - ISACA
NEW QUESTION # 316
Which of the following is the GREATEST benefit of information asset classification?
- A. Supporting segregation of duties
- B. Helping to determine the recovery point objective (RPO)
- C. Defining resource ownership
- D. Providing a basis for implementing a need-to-know policy
Answer: D
Explanation:
The greatest benefit of information asset classification is providing a basis for implementing a need-to-know policy. Information asset classification is a process of categorizing information based on its level of sensitivity and importance, and applying appropriate security controls based on the level of risk associated with that information [1]. A need-to-know policy is a principle that states that access to information should be granted only to those individuals who require it to perform their official duties or tasks [2]. The purpose of a need-to-know policy is to limit the exposure of sensitive information to unauthorized or unnecessary parties, and to reduce the risk of data breaches, leaks, or misuse. Information asset classification provides a basis for implementing a need-to-know policy by:
* Defining the value and protection requirements of different types of information
* Labeling the information with the appropriate classification level, such as public, internal, confidential, secret, or top secret
* Establishing the roles and responsibilities of information owners, custodians, and users
* Enforcing access controls and encryption for the information
* Documenting the security policies and procedures for the information
By providing a basis for implementing a need-to-know policy, information asset classification can help organizations to protect their sensitive information, comply with relevant laws and regulations, and achieve their business objectives. The other options are not the greatest benefits of information asset classification. Helping to determine the recovery point objective (RPO) is not a benefit, but rather a consequence of applying security controls based on the classification level. RPO is the acceptable amount of data loss in case of a disruption [3]. Supporting segregation of duties is not a benefit, but rather a prerequisite for implementing a need-to-know policy. Segregation of duties is a principle that states that no single individual should have control over two or more phases of a business process or transaction that are susceptible to errors or fraud [4]. Defining resource ownership is not a benefit, but rather a component of information asset classification. Resource ownership is the assignment of accountability and authority for an information asset to an individual or a group [5].
References: [1] Information Classification - Advisera; [2] Need-to-Know Principle - NIST; [3] Recovery Point Objective - NIST; [4] Segregation of Duties - NIST; [5] Resource Ownership - NIST; Information Classification in Information Security - GeeksforGeeks; Information Asset Classification Policy - UCI
NEW QUESTION # 317
An organization is implementing an information security governance framework. To communicate the program's effectiveness to stakeholders, it is MOST important to establish:
- A. a process for monitoring security policies.
- B. metrics for each milestone.
- C. a control self-assessment (CSA) process.
- D. automated reporting to stakeholders.
Answer: B
NEW QUESTION # 318
If implemented properly, a secure transmission protocol protects transactions:
- A. on the client desktop.
- B. from eavesdropping.
- C. in the server's database.
- D. from denial of service (DoS) attacks.
Answer: B
NEW QUESTION # 319
Which of the following is MOST important to support effective risk decision making?
- A. Established risk domains
- B. An audit committee consisting of mid-level management
- C. Well-defined and approved controls
- D. Risk reporting procedures
Answer: D
Explanation:
To support effective risk decision making, it is most important to have risk reporting procedures in place. Risk reporting procedures define how, when, and to whom risk information is communicated within the organization. Risk reporting procedures ensure that risk information is timely, accurate, consistent, and relevant for the decision makers. Risk reporting procedures also facilitate the monitoring and review of risk management activities and outcomes. Risk reporting procedures enable the organization to align its risk appetite and tolerance with its business objectives and strategies. Established risk domains are not the most important factor for effective risk decision making. Risk domains are categories or areas of risk that reflect the organization's structure, objectives, and operations. Risk domains help to organize and prioritize risk information, but they do not necessarily support the communication and analysis of risk information for decision making. An audit committee consisting of mid-level management is not the most important factor for effective risk decision making. An audit committee is a subcommittee of the board of directors that oversees the internal and external audit functions of the organization. An audit committee should consist of independent and qualified members, preferably from the board of directors or senior management, not mid-level management. An audit committee provides assurance and oversight on the effectiveness of risk management, but it does not directly support risk decision making. Well-defined and approved controls are not the most important factor for effective risk decision making. Controls are measures or actions that reduce the likelihood or impact of risk events. Well-defined and approved controls are essential for implementing risk responses and mitigating risks, but they do not directly support the identification, analysis, and evaluation of risks for decision making. 
References: CISM Review Manual 15th Edition, pages 207-208.
Established risk domains are important for effective risk decision making because they provide a basis for categorizing risks and assessing their impact on the organization. Risk domains are also used to assign risk ownership and prioritize risk management activities. Having established risk domains in place helps ensure that risks are properly identified and addressed, and enables organizations to make informed and effective decisions about risk. Risk reporting procedures, an audit committee consisting of mid-level management, and well-defined and approved controls are all important components of an effective risk management program, but established risk domains are the most important for effective risk decision making.
NEW QUESTION # 320
The PRIMARY goal of a post-incident review should be to:
- A. identify how to improve the incident handling process.
- B. determine why the incident occurred.
- C. identify policy changes to prevent recurrence.
- D. determine the cost of the incident to the business.
Answer: A
Explanation:
The primary goal of a post-incident review is to identify areas for improvement in the incident handling process. The focus is on evaluating the effectiveness of incident response procedures, technical controls, communication channels, coordination among teams, documentation, and any other relevant aspects. The post-incident review should also provide recommendations for corrective actions, preventive measures, and lessons learned that can help reduce the likelihood and impact of future incidents.
References: CISM Review Manual 15th Edition, page 125; CISM Item Development Guide, page 7
NEW QUESTION # 321
Which of the following BEST ensures timely and reliable access to services?
- A. Recovery time objective (RTO)
- B. Availability
- C. Authenticity
- D. Nonrepudiation
Answer: B
NEW QUESTION # 322
A post-incident review found that user error resulted in a major breach. Which of the following is MOST important to determine during the review?
- A. When and where the breach occurred
- B. Appropriate disciplinary procedures for the user error
- C. The root cause of the user error
- D. Evidence of previous incidents caused by the user
Answer: C
NEW QUESTION # 323
An information security program is MOST likely to be successful when it is closely aligned with:
- A. a recognized industry framework.
- B. information security best practices.
- C. the information security strategy.
- D. information security policies.
Answer: C
Explanation:
An information security program is best positioned for success when it is closely aligned with the information security strategy, which defines the organization's vision, mission, goals, objectives, and risk appetite for information security. The information security strategy provides the direction and guidance for developing and implementing the information security program, ensuring that it supports the organization's business processes and objectives. The information security strategy also helps to establish the scope, boundaries, roles, responsibilities, and resources for the information security program.
References: CISM Manual, Chapter 3: Information Security Program Development (ISPD), Section 3.1: Information Security Strategy [1]
[1]: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles
NEW QUESTION # 324
In the event of an information security incident at a third-party provider, who should be accountable for the resulting data loss?
- A. The service provider hosting the data
- B. The information security manager
- C. The business data owner
- D. The incident response team
Answer: C
Explanation:
The business data owner is accountable for data loss in the event of an information security incident at a third-party provider because they are ultimately responsible for the protection and use of their data, regardless of where it is stored or processed. The information security manager is not accountable for data loss at a third-party provider, but rather responsible for implementing and enforcing the security policies and standards that govern the relationship with the provider. The service provider that hosts the data is not accountable for data loss at their site, but rather liable for any breach of contract or service level agreement that may result from such an incident. The incident response team is not accountable for data loss at a third-party provider, but rather responsible for responding to and managing the incident according to the incident response plan.
References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/data-ownership-and-custodianship-in-the-cloud
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned
NEW QUESTION # 325
An organization's quality process can BEST support security management by providing:
- A. a repository of security system documentation.
- B. security policy guidance.
- C. assurance that security requirements are met.
- D. security configuration controls.
Answer: C
Explanation:
An organization's quality process can BEST support security management by providing assurance that security requirements are met. This means that the quality process can be used to ensure that security controls are being implemented as intended and that they are achieving the desired results. This helps to ensure that the organization is properly protected and that it is in compliance with security regulations and standards.
NEW QUESTION # 326
Which of the following is the MOST important consideration in an organization's selection of key risk indicators (KRIs)?
- A. Target audience
- B. Return on investment (ROI)
- C. Criticality of information
- D. Compliance requirements
Answer: C
Explanation:
A key risk indicator (KRI) is a metric that provides an early warning of potential exposure to a risk. A KRI should be relevant, measurable, timely, and actionable. The most important factor in an organization's selection of a KRI is the criticality of information, which means that the KRI should reflect the value and sensitivity of the information assets that are exposed to the risk. For example, a KRI for data breach risk could be the number of unauthorized access attempts to a database that contains confidential customer data. The criticality of information helps to prioritize the risks and focus on the most significant ones. References:
https://www.isaca.org/credentialing/cism
https://www.wiley.com/en-us/CISM+Certified+Information+Security+Manager+Study+Guide-p-978111980194
NEW QUESTION # 327
Which of the following is the BEST way to demonstrate that an information security program provides appropriate coverage?
- A. Vulnerability scan reports
- B. Maturity assessment
- C. Security risk analysis
- D. Gap assessment
Answer: B
NEW QUESTION # 328
The PRIMARY goal of the eradication phase in an incident response process is to:
- A. obtain forensic evidence from the affected system.
- B. provide effective triage and containment of the incident.
- C. remove the threat and restore affected systems.
- D. maintain a strict chain of custody.
Answer: C
Explanation:
The primary goal of the eradication phase in an incident response process is to remove the threat and restore affected systems because it eliminates any traces or remnants of malicious activity or compromise from the systems or network, and returns them to their normal or secure state. Maintaining a strict chain of custody is not a goal of the eradication phase, but rather a requirement for preserving and documenting digital evidence throughout the incident response process. Providing effective triage and containment of the incident is not a goal of the eradication phase, but rather a goal of the containment phase, which isolates and stops the spread of malicious activity or compromise. Obtaining forensic evidence from the affected system is not a goal of the eradication phase, but rather a goal of the identification phase, which collects and analyzes data or artifacts related to malicious activity or compromise. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned
NEW QUESTION # 329
Which of the following is an example of risk mitigation?
- A. Purchasing insurance
- B. Discontinuing the activity associated with the risk
- C. Performing a cost-benefit analysis
- D. Improving security controls
Answer: D
Explanation:
Risk mitigation refers to the processes and strategies that organizations use to reduce the likelihood or impact of potential risks. Improving security controls is a classic example of risk mitigation. By implementing or enhancing security controls, organizations can reduce the risk of security incidents or breaches, such as data theft or unauthorized access. For example, implementing strong passwords, regularly updating software and systems, and training employees on security best practices are all ways to improve security controls and mitigate risk. Other examples of risk mitigation include implementing disaster recovery and business continuity plans, conducting regular security assessments and audits, and purchasing insurance.
NEW QUESTION # 330
A balanced scorecard MOST effectively enables information security:
- A. risk management
- B. project management
- C. governance
- D. performance
Answer: C
Explanation:
A balanced scorecard enables information security governance by providing a framework for aligning security objectives with business goals and measuring performance against them. The other choices are not directly related to governance but may be supported by it.
A balanced scorecard is a strategic management tool that describes the cause-and-effect linkages between four high-level perspectives of strategy and execution: financial, customer, internal process, and learning and growth. It helps organizations communicate and monitor their vision and strategy across different levels and functions.
NEW QUESTION # 331
An information security manager notes that the help desk is not appropriately escalating security incidents after logging tickets. Which of the following is the BEST automated control to address this issue?
- A. Implement automated vulnerability scanning in the help desk workflow
- B. Integrate the incident response workflow into the help desk ticketing system
- C. Integrate automated service level agreement (SLA) reporting into the help desk ticketing system
- D. Change the default setting for all security incidents to the highest priority
Answer: B
Explanation:
The best automated control to resolve the issue of security incidents not being appropriately escalated by the help desk is to integrate incident response workflow into the help desk ticketing system. This will ensure that the help desk staff follow the predefined steps and procedures for handling and escalating security incidents, based on the severity, impact, and urgency of each incident. The incident response workflow will also provide clear guidance on who to notify, when to notify, and how to notify the relevant stakeholders and authorities.
This will improve the efficiency, effectiveness, and consistency of the incident response process.
References: CISM Review Manual, 16th Edition, page 290; A Practical Approach to Incident Management Escalation
NEW QUESTION # 332
Which of the following is the BEST way to contain an SQL injection attack that has been detected by a web application firewall?
- A. Reconfigure the web application firewall to block the attack.
- B. Force password changes on the SQL database.
- C. Block the IP addresses from which the attack originates.
- D. Update the detection patterns on the web application firewall.
Answer: A
Explanation:
According to the CISM Review Manual, one of the best ways to contain an SQL injection attack that has been detected by a web application firewall is to reconfigure the web application firewall to block the attack. This means that the web application firewall should be updated with the latest detection patterns and rules that can identify and prevent SQL injection attacks. By doing so, the web application firewall can reduce the impact and damage of the attack, and prevent further exploitation of the vulnerable database [1]. The other options are not as effective as reconfiguring the web application firewall to block the attack. Forcing password changes on the SQL database is a reactive measure that does not address the root cause of the problem, and may cause data loss or corruption if not done properly. Updating the detection patterns on the web application firewall is a preventive measure that can help to detect SQL injection attacks, but it does not stop them from happening in the first place. Blocking the IP addresses from which the attack originates is a defensive measure that can limit or stop some SQL injection attacks, but it does not protect against all possible sources of malicious traffic, and may also affect legitimate users or applications [1].
References: [1] CISM Review Manual, 16th Edition, ISACA, 2020, pp. 32-33...
NEW QUESTION # 333
The data entry function for a web-based application has been outsourced to a third-party service provider who will work from a remote site. Which of the following issues would be of GREATEST concern to the information security manager?
- A. Server-based malware protection is not enforced
- B. The application is not using a secure communications protocol
- C. The business process has only one level of error checking
- D. The application is configured with restrictive access controls
Answer: D
Explanation:
The greatest concern for an information security manager in this situation would be the security of the data that is being processed by the third-party service provider working from a remote site. This is a concern because the data may not be adequately protected from unauthorized access, manipulation, or theft. A secure communications protocol should be used to ensure the confidentiality and integrity of the data in transit. Additionally, the information security manager should ensure that the third-party service provider has appropriate security controls in place to protect the data, such as access controls, error checking, and malware protection. This information can be found in ISACA's Certified Information Security Manager (CISM) Study Manual, Section 5.2.
NEW QUESTION # 334
