100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
2023 CISM Exam Questions and Answers (Latest) Verified Answers with Explanations $12.99   Add to cart

Exam (elaborations)

2023 CISM Exam Questions and Answers (Latest) Verified Answers with Explanations

 0 view  0 purchase
  • Course
  • 2023 CISM
  • Institution
  • 2023 CISM

2023 CISM Exam Questions and Answers (Latest) Verified Answers with Explanations

Preview 4 out of 107  pages

  • October 2, 2024
  • 107
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers
  • 2023 CISM
  • 2023 CISM
avatar-seller
Allivia
2023 CISM Exam Questions and Answers
(Latest) Verified Answers with
Explanations
What would be the BEST security measure we could use to
prevent data disclosure and data exfiltration?


A) User authentication in all applications.


B) Use very strong encryption.


C) Use very strong key storage.


D) Use very complex firewall rules. - Correct Answer ✅ C)
Use very strong key storage.


Explanation
We would want a very strong key storage, if the attackers can
get to our encryption keys, most of the other security
measures are irrelevant. Most encryption today is strong
enough to not be breakable with current technologies,
making it stronger does often not make it significantly more
secure. Complex firewall rules do not mean more secure, and
in this example is a distractor. We would want user
authentication in all applications, but not relevant for this
question.


What is the MOST important reason we have Information
Security review our contracts throughout the enterprise?


A) To ensure that both parties can perform their contractual
promises.

,2023 CISM Exam Questions and Answers
(Latest) Verified Answers with
Explanations

B) To ensure the right to audit is a requirement.


C) To ensure appropriate controls are included.


D) To ensure no confidential information is included in the
contract. - Correct Answer ✅ C) To ensure appropriate
controls are included.


As an IT auditor, Trisha is conducting a compliance review.
Which of these is she MOST likely to be performing?


A) Performing job activity analysis


B) Performing program activity analysis


C) Performing system aging analysis


D) Determine whether program changes are approved -
Correct Answer ✅ D) Determine whether program changes
are approved


Explanation
Compliance reviews determine whether the controls are
enforcing the regulations and include ensuring there are no
unauthorized changes to the production environment. The

,2023 CISM Exam Questions and Answers
(Latest) Verified Answers with
Explanations
other answers are part of a substantive review, that verify the
accuracy and reasonableness of reported information.


Of these options, when is the BEST time to have penetration
tests conducted?


A) After a high staff turnover.


B) After significant system changes.


C) After an attempted intrusion.


D) After an audit has found weaknesses in our security
controls. - Correct Answer ✅ B) After significant system
changes.


At which phase of our systems or software development
lifecycle should risk assessments be built in to ensure risks
are addressed in the project development?


A) The specifications phase.


B) The programming phase.


C) The user testing phase.

, 2023 CISM Exam Questions and Answers
(Latest) Verified Answers with
Explanations
D) The feasibility phase. - Correct Answer ✅ D) The
feasibility phase.


Explanation
We should address risk as early on in the project as possible,
of the phases listed here that would be feasibility. In the
programming or the user testing phase is way too late, if the
feasibility phase was not an option, then we would do it in
specifications, but feasibility is much better.


Our organization has just finished a companywide Information
Security user awareness training effort and we are going to
try to social engineer our employees to gauge how effective
the training was. Which of these is NOT a type of social
engineering attack?


A) Authority


B) Vishing


C) Reconnaissance


D) Scarcity - Correct Answer ✅ C) Reconnaissance


Reconnaissance is one of the phases of an attack or
penetration testing, it is not a form of social engineering.
Vishing (voice phishing), authority, and scarcity are all types
of social engineering.

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller Allivia. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $12.99. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

77254 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$12.99
  • (0)
  Add to cart