[Jan-2024] CISM-CN PDF Dumps Extremely Quick Way Of Preparation [Q173-Q194]

NEW QUESTION # 173
Which of the following BEST helps ensure that risk response plans are developed and executed in a timely manner?

  • A. Training on the risk management program
  • B. Assigning risk owners
  • C. Establishing risk indicators
  • D. Reporting documented deficiencies

Answer: A


NEW QUESTION # 174
When a mandatory security standard hinders the achievement of an identified business objective, which of the following should the information security manager do FIRST?

  • A. Escalate to senior management.
  • B. Perform a cost-benefit analysis.
  • C. Revisit the business objective.
  • D. Recommend risk acceptance.

Answer: A

Explanation:
Escalate to senior management, because this could help the information security manager inform the decision-makers of the situation, explain the implications and trade-offs, and seek their guidance and approval for the next steps. However, this answer is not certain, and you might need to consider other factors as well.


NEW QUESTION # 175
Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may lead to exposure of critical information during the integration of the two companies. To BEST address this concern, the information security manager should:

  • A. Implement consistent access control standards.
  • B. Escalate concerns about conflicting access rights to management.
  • C. Perform a risk assessment of the access rights.
  • D. Review access rights as the acquisition integration occurs.

Answer: C

Explanation:
Performing a risk assessment of the access rights is the best way to address the concern of conflicting access rights during the integration of two companies. A risk assessment will help to identify and prioritize the threats and vulnerabilities that affect the access rights of both companies, as well as the potential impact and likelihood of information exposure. A risk assessment will also provide a basis for selecting and evaluating the controls to mitigate the risks. According to NIST, a risk assessment is an essential component of risk management and should be performed before implementing any security controls1. The other options are not the best ways to address the concern of conflicting access rights during the integration of two companies, but rather possible subsequent actions based on the risk assessment. Reviewing access rights as the acquisition integration occurs may be too late or too slow to prevent information exposure. Escalating concerns about conflicting access rights to management may not be effective without evidence or recommendations from a risk assessment. Implementing consistent access control standards may not be feasible or desirable for different systems or business units.
Reference:
1: NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
2: M&A integration strategy is crucial for deal success but remains difficult - PwC
3: The 10 steps to successful M&A integration - Bain & Company
Cracking the code to successful post-merger integration


NEW QUESTION # 176
Security administration effort would be GREATLY reduced after the deployment of which of the following technologies?

  • A. Role-based access control
  • B. Discretionary access control
  • C. Access control lists
  • D. Distributed access control

Answer: A


NEW QUESTION # 177
Which of the following risk scenarios is MOST likely to emerge from a supply chain attack?

  • A. The vendor is unable to provide services
  • B. Loss of customers due to product unavailability
  • C. Compromise of critical assets through third-party resources
  • D. Unreliable hardware and software resources provided by the vendor

Answer: B


NEW QUESTION # 178
Which of the following is MOST important for the effective implementation of an information security governance program?

  • A. The program budget is approved and monitored by senior management.
  • B. The program goals are communicated and understood by the organization.
  • C. Employees receive customized information security training.
  • D. Information security roles and responsibilities are documented.

Answer: B

Explanation:
That the program goals are communicated and understood by the organization is the most important factor for the effective implementation of an information security governance program, because it ensures that the program is aligned with the business objectives and supported by the stakeholders. Employees receiving customized information security training is not the most important factor, but rather a means to achieve the program goals and raise awareness among the staff. The program budget being approved and monitored by senior management is not the most important factor, but rather a resource to enable the program activities and measure its performance. Information security roles and responsibilities being documented is not the most important factor, but rather a way to define and assign the program tasks and accountabilities.
Reference:
https://www.isaca.org/resources/isaca-journal/issues/2015/volume-1/how-to-measure-the-effectiveness-of-information-security-governance
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives


NEW QUESTION # 179
When performing a disaster recovery plan (DRP) test, which of the following is the GREATEST inherent risk?

  • A. Lack of communication with affected users
  • B. Poorly documented results and lessons learned
  • C. Disruption to the production environment
  • D. Lack of coordination between departments

Answer: C

Explanation:
The greatest inherent risk when performing a disaster recovery plan (DRP) test is disruption to the production environment. A DRP test involves simulating a disaster scenario to ensure that the organization's plans are effective and that it is able to recover from an incident. However, this often involves running tests against the production environment, which has the potential to disrupt the normal operations of the organization. This inherent risk can be mitigated by running tests in a non-production environment or by scheduling tests at times when disruption will be minimized.


NEW QUESTION # 180
When implementing a security policy for an organization that handles personally identifiable information (PII), the MOST important objective should be:

  • A. Security awareness training.
  • B. Strong encryption.
  • C. Data availability.
  • D. Regulatory compliance.

Answer: D

Explanation:
Regulatory compliance is the most important objective when implementing a security policy for an organization handling personally identifiable information (PII) because it helps to ensure that the organization meets the legal and ethical obligations to protect the privacy and security of PII. PII is any information that can be used to identify, contact, or locate an individual, such as name, address, email, phone number, social security number, etc. PII is subject to various laws and regulations in different jurisdictions, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Failing to comply with these regulations can result in fines, lawsuits, reputational damage, or loss of trust. Therefore, regulatory compliance is the correct answer.
Reference:
https://www.iso.org/obp/ui/en/#iso:std:iso-iec:27018:ed-2:v1:en
https://www.digitalguardian.com/blog/how-secure-personally-identifiable-information-against-loss-or-compromise
https://blog.rsisecurity.com/how-to-make-a-personally-identifiable-information-policy/


NEW QUESTION # 181
Which of the following is the BEST way to help ensure that an organization's risk appetite will be considered as part of the risk treatment process?

  • A. Periodically reporting risk treatment status to senior management.
  • B. Using quantitative risk assessment methods.
  • C. Establishing key risk indicators (KRIs).
  • D. Requiring steering committee approval of risk treatment plans.

Answer: D


NEW QUESTION # 182
Which of the following should be the MOST important consideration for business continuity management?

  • A. Identifying critical business processes
  • B. Ensuring the safety of people
  • C. Protecting critical information assets
  • D. Ensuring the reliability of backup data

Answer: B


NEW QUESTION # 183
During a post-incident review of an information security incident, which of the following should be given the HIGHEST priority?

  • A. Evaluating incident response effectiveness
  • B. Documenting the actions taken in sufficient detail
  • C. Evaluating the performance of incident response team members
  • D. Updating key risk indicators (KRIs)

Answer: A

Explanation:
During post-incident reviews, the highest priority should be given to evaluating the effectiveness of the incident response effort. This includes assessing the accuracy of the response to the incident, the timeliness of the response, and the efficiency of the response. It is important to assess the effectiveness of the response in order to identify areas for improvement and ensure that future responses can be more effective. Documenting the actions taken in sufficient detail, updating key risk indicators (KRIs), and evaluating the performance of incident response team members are all important components of a post-incident review, but evaluating incident response effectiveness should be given the highest priority.


NEW QUESTION # 184
Which of the following is the MOST important consideration when determining which type of failover site to employ?

  • A. Data retention requirements
  • B. Reciprocal agreements
  • C. Recovery time objectives (RTOs)
  • D. Disaster recovery test results

Answer: C

Explanation:
The most important consideration when determining which type of failover site to employ is the recovery time objectives (RTOs). A failover site is a backup site that can be used to restore the functionality and operations of an organization's primary site in the event of a disaster or disruption. There are different types of failover sites, such as hot sites, warm sites, and cold sites, that vary in terms of availability, cost, and complexity. A recovery time objective (RTO) is a metric that defines the maximum acceptable amount of time that an organization can tolerate to restore a system or an application after a disaster or disruption. By determining the RTOs for each system or application, the organization can choose the most suitable type of failover site that can meet its recovery needs and expectations. For example, if the RTO for a critical system is very low, the organization may opt for a hot site that can provide immediate failover and minimal downtime. However, if the RTO for a non-critical system is high, the organization may choose a cold site that requires manual setup and activation, but has lower cost and maintenance. The other options are not the most important consideration when determining which type of failover site to employ, although they may be factors or constraints that affect the decision. Reciprocal agreements are arrangements between two or more organizations that agree to provide backup facilities or resources to each other in case of a disaster or disruption. Reciprocal agreements can help reduce the cost and complexity of setting up and maintaining a failover site, but they may not guarantee the availability or compatibility of the backup facilities or resources. Disaster recovery test results are the outcomes of testing and validating the functionality and performance of a failover site. Disaster recovery test results can help evaluate and improve the effectiveness and efficiency of a failover site, but they do not determine which type of failover site to employ. Data retention requirements are policies and regulations that define how long and in what format an organization must store its data. Data retention requirements can affect the design and configuration of a failover site, but they do not dictate which type of failover site to employ.


NEW QUESTION # 185
An information security manager is assisting in the development of a request for proposal (RFP) for a new outsourced service. This will require a third party to have access to critical business information. The security manager should focus PRIMARILY on defining:

  • A. Security metrics.
  • B. Risk reporting methodologies.
  • C. Security requirements for the process being outsourced.
  • D. Service level agreements (SLAs).

Answer: C

Explanation:
Security requirements for the process being outsourced are the specifications and standards that the third party must comply with to ensure the confidentiality, integrity and availability of the critical business information. They define the roles and responsibilities of both parties, the security controls and measures to be implemented, the security objectives and expectations, the security risks and mitigation strategies, and the security monitoring and reporting mechanisms. Security requirements are essential to protect the information assets of the organization and to establish a clear and enforceable contractual relationship with the third party.
Reference:
1: Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities - SpringerLink
2: What requirements must outsourcing services comply with for the European market? - CBI
3: Outsourcing cybersecurity: What services to outsource, what to keep in house - Infosec Institute
4: BCFSA outsourcing and information security guidelines - BLG


NEW QUESTION # 186
Implementing the principle of least privilege PRIMARILY requires the identification of:

  • A. Job duties.
  • B. Authentication controls.
  • C. Data owners.
  • D. Primary risk factors.

Answer: A

Explanation:
Implementing the principle of least privilege primarily requires the identification of job duties. This principle states that users should only be given the minimum level of access necessary to perform their job duties. By identifying the specific job duties of each user, an organization can determine the minimum level of access needed, and restrict access to any unnecessary resources. This helps to minimize the potential damage that can be caused by a malicious or compromised user.


NEW QUESTION # 187
Which of the following is MOST important for obtaining senior leadership support when presenting an information security strategy?

  • A. The strategy addresses ineffective information security controls.
  • B. The strategy aligns with industry benchmarks and standards.
  • C. The strategy aligns with management's acceptable level of risk.
  • D. The strategy addresses organizational maturity and the threat environment.

Answer: C

Explanation:
The most important factor for obtaining senior leadership support when presenting an information security strategy is that the strategy aligns with management's acceptable level of risk, because this ensures that the strategy is consistent and compatible with the organization's risk appetite and thresholds, and reflects management's expectations and priorities for security risk management. That the strategy addresses ineffective information security controls is not a very important factor, because it does not indicate how the strategy will improve or enhance the security controls or performance. That the strategy aligns with industry benchmarks and standards is not a very important factor, because it does not indicate how the strategy will differentiate or innovate the organization's security capabilities or practices. That the strategy addresses organizational maturity and the threat environment is not a very important factor, because it does not indicate how the strategy will advance or adapt the organization's security posture or resilience.
Reference:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives


NEW QUESTION # 188
An information security team is planning a security assessment of an existing vendor. Which of the following approaches is MOST helpful for properly scoping the assessment?

  • A. Focusing the review on the highest-risk infrastructure
  • B. Reviewing the vendor's security policies
  • C. Determining whether the vendor follows the rules of the selected security framework
  • D. Reviewing the controls listed in the vendor contract

Answer: D

Explanation:
Reviewing controls listed in the vendor contract is the most helpful approach for properly scoping the security assessment of an existing vendor because it helps to determine the security requirements and expectations that the vendor has agreed to meet. A vendor contract is a legal document that defines the terms and conditions of the business relationship between the organization and the vendor, including the scope, deliverables, responsibilities, and obligations of both parties. A vendor contract should also specify the security controls that the vendor must implement and maintain to protect the organization's data and systems, such as encryption, authentication, access control, backup, monitoring, auditing, etc. Reviewing controls listed in the vendor contract helps to ensure that the security assessment covers all the relevant aspects of the vendor's security posture, as well as to identify any gaps or discrepancies between the contract and the actual practices. Therefore, reviewing controls listed in the vendor contract is the correct answer.
Reference:
https://medstack.co/blog/vendor-security-assessments-understanding-the-basics/
https://www.ncsc.gov.uk/files/NCSC-Vendor-Security-Assessment.pdf
https://securityscorecard.com/blog/how-to-conduct-vendor-security-assessment


NEW QUESTION # 189
Which of the following processes BEST supports the evaluation of incident response effectiveness?

  • A. Post-incident review
  • B. Chain of custody
  • C. Incident logging
  • D. Root cause analysis

Answer: A


NEW QUESTION # 190
Which of the following expected outcomes BEST supports a decision to invest in a new security initiative?

  • A. Enhanced threat detection capability
  • B. Reduced control complexity
  • C. Enhanced security monitoring and reporting
  • D. Reduced organizational risk

Answer: D


NEW QUESTION # 191
If civil litigation is the objective of an organization's response to a security incident, the PRIMARY step should be to:

  • A. Capture evidence using standard server backup utilities.
  • B. Document the chain of custody.
  • C. Reboot the affected computer in a secure area to search for evidence.
  • D. Contact law enforcement.

Answer: B


NEW QUESTION # 192
Which of the following BEST ensures that security policies are applied across the entire business operation?

  • A. Organizational standards are included in awareness training.
  • B. Organizational standards are enforced by technical controls.
  • C. Organizational standards are documented in operating procedures.
  • D. Organizational standards require formal acceptance.

Answer: C


NEW QUESTION # 193
The PRIMARY objective of performing a post-incident review is to:

  • A. Identify control improvements.
  • B. Identify vulnerabilities.
  • C. Determine the root cause.
  • D. Re-evaluate the impact of the incident.

Answer: C

Explanation:
The primary objective of performing a post-incident review is to identify the root cause of the incident. This information is used to develop and implement corrective actions to prevent similar incidents from occurring in the future. The post-incident review process may also include a re-evaluation of the impact of the incident, the identification of vulnerabilities, and the identification of control improvements, but the primary objective is to determine the root cause of the incident. By understanding the root cause, the organization can take proactive steps to prevent similar incidents from recurring and improve its overall security posture.


NEW QUESTION # 194
......
