v2 CISM Topic 4, INFORMATION SECURITY PROGRAM MANAGEMENT EXAM STUDY GUIDE
A data leakage prevention (DLP) solution has identified that several employees are sending confidential company data to their personal email addresses in violation of company policy. The information security manager should FIRST: - Answer✔️✔️-initiate an investigation to determine the full extent of noncompliance

To address the issue that performance pressures on IT may conflict with information security controls, it is MOST important that: - Answer✔️✔️-senior management provides guidance and dispute resolution

When developing security standards, which of the following would be MOST appropriate to include? - Answer✔️✔️-Acceptable use of IT assets

Which of the following would be MOST effective in the strategic alignment of security initiatives? - Answer✔️✔️-Policies are created with input from business unit managers.

Which of the following would be the MOST effective countermeasure against malicious programming that rounds down transaction amounts and transfers them to the perpetrator's account? - Answer✔️✔️-Implement controls for continuous monitoring of middleware transactions.

©PREP4EXAMS 2024/2025 REAL EXAM DUMPS Tuesday, August 6, 2024 10:57 AM
The BEST way to mitigate the risk associated with a social engineering attack is to: - Answer✔️✔️-perform a user-knowledge gap assessment of information security practices

When considering whether to adopt a new information security framework, an organization's information security manager should FIRST: - Answer✔️✔️-compare the framework with the current business strategy

A data-hosting organization's data center houses servers, applications, and data for a large number of geographically dispersed customers. Which of the following strategies would be the BEST approach for developing a physical access control policy for the organization? - Answer✔️✔️-Conduct a risk assessment to determine security risks and mitigating controls.

After detecting an advanced persistent threat (APT), which of the following should be the information security manager's FIRST step? - Answer✔️✔️-Notify management.
A new system has been developed that does not comply with password-aging rules. This noncompliance can BEST be identified through: - Answer✔️✔️-an internal audit assessment

Which of the following is the GREATEST security threat when an organization allows remote access to a virtual private network (VPN)? - Answer✔️✔️-VPN traffic could be sniffed and captured.

In which of the following ways can an information security manager BEST ensure that security controls are adequate for supporting business goals and objectives? - Answer✔️✔️-Using the risk management process

The authorization to transfer the handling of an internal security incident to a third-party support provider is PRIMARILY defined by the: - Answer✔️✔️-chain of custody.

Which of the following outsourced services has the GREATEST need for security monitoring? - Answer✔️✔️-Web site hosting

Which of the following is done PRIMARILY to address the integrity of information? - Answer✔️✔️-Assignment of appropriate control permissions
An organization has a policy in which all criminal activity is prosecuted. What is MOST important for the information security manager to ensure when an employee is suspected of using a company computer to commit fraud? - Answer✔️✔️-The employee's log files are backed up.
A multinational organization's information security manager has been advised that the city in which a contracted regional data center is located is experiencing civil unrest. The information security manager should FIRST: - Answer✔️✔️-verify the provider's ability to protect the organization's data.

When defining responsibilities with a cloud computing vendor, which of the following should be regarded as a shared responsibility between user and provider? - Answer✔️✔️-Data ownership

An organization is considering whether to allow employees to use personal computing devices for business purposes. To BEST facilitate senior management's decision, the information security manager should: - Answer✔️✔️-conduct a risk assessment.

A business unit uses an e-commerce application with a strong password policy. Many customers complain that they cannot remember their passwords because they are too long and complex. The business unit states it is imperative to improve the customer experience. The information security manager should FIRST: - Answer✔️✔️-research alternative secure methods of identity verification.