
Ultimate Guide to Preparing for the CISM-CN Certification Exam (ISACA) in 2024
Use Real CISM-CN Dumps - ISACA Correct Answers updated in 2024
NEW QUESTION # 83
Which of the following is the PRIMARY objective of information asset classification?
- A. Reducing vulnerabilities
- B. Compliance management
- C. Risk management
- D. Threat minimization
Answer: C
Explanation:
The primary objective of information asset classification is C, risk management. Classification assigns labels or categories to information assets according to their value, sensitivity and criticality to the organization. Those labels let the organization identify, assess and treat the risks associated with each asset and apply a level of protection and controls proportionate to that risk. Classification also supports compliance with legal, regulatory and contractual obligations and helps direct security resources and spend where they matter most, but these are secondary outcomes. Reducing vulnerabilities (A) and minimizing threats (D) are results of the controls applied after classification, not the objective of classifying.
References: CISM Review Manual 15th Edition, Chapter 2, Section 2.2.1, page 751; CISM Review Questions, Answers & Explanations Manual 9th Edition, Question 7, page 3; Certified Information Security Manager Exam Prep Guide (Packt)
NEW QUESTION # 84
Which of the following is the BEST way to help ensure that an information security program is aligned with organizational objectives?
- A. Establish an information security steering committee.
- B. Adopt a process-based approach to information asset classification.
- C. Provide security awareness training to board executives.
- D. Use an industry-recognized risk management framework.
Answer: A
Explanation:
Explanation
The best way to help ensure that the information security program is aligned with organizational objectives is A, establish an information security steering committee. A steering committee is a cross-functional group of senior executives and managers who provide strategic direction, oversight and support for the information security program. It keeps the program aligned with organizational objectives by:
- Communicating and promoting the vision, mission and value of information security to the organization and its stakeholders
- Defining and approving the information security policies, standards and procedures
- Establishing and monitoring the information security goals, metrics and performance indicators
- Allocating and prioritizing the resources and budget for information security initiatives and projects
- Resolving conflicts or issues that arise between the information security function and the business units
- Reviewing and endorsing the information security risk assessment and treatment plans
- Ensuring compliance with the legal, regulatory and contractual obligations regarding information security
A risk management framework (D), a process-based classification approach (B) and board-level awareness training (C) each support the program, but none of them provides the ongoing business representation and decision authority that keeps the program tied to business goals.
References: CISM Review Manual 15th Edition, Chapter 1, Section 1.2.2, page 20; CISM Review Questions, Answers & Explanations Manual 9th Edition, Question 9, page 3; Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition
NEW QUESTION # 85
Which of the following is the PRIMARY benefit of implementing an information security governance framework?
- A. The framework provides direction to meet business goals while balancing risks and controls.
- B. The framework defines management accountability for the impact of risk on business objectives.
- C. The framework can confirm the validity of business goals and strategies.
- D. The framework provides a roadmap for maximizing revenue through the secure use of technology.
Answer: A
Explanation:
An information security governance framework is a set of principles, policies, standards and processes that guide the development, implementation and management of an information security program supporting the organization's objectives and strategy. Its primary benefit is that it provides direction to meet business goals while balancing risks and controls: it aligns security activities with business needs, priorities and risk appetite and ensures that security resources and investments are optimized and justified. It does not validate the business strategy itself (C), and it is a means of managing risk rather than a revenue roadmap (D); defining accountability (B) is one element within the framework, not its overall benefit.
References: CISM Review Manual 2022, page 321; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.22; CISM Domain 1: Information Security Governance (updated 2022)
NEW QUESTION # 86
When conducting a post-incident review of an attack, which of the following is MOST useful to the information security manager?
- A. Details from intrusion detection system (IDS) logs
- B. The location of the attacker
- C. The cost of the attack to the organization
- D. The method of operation used by the attacker
Answer: D
Explanation:
The method of operation used by the attacker is the most useful information for an information security manager conducting a post-incident review. It identifies the root cause of the incident, the vulnerabilities that were exploited, the impact and severity of the attack and whether the existing controls worked, and it reveals the attacker's motives, skills and resources, which feeds the organization's threat intelligence and risk assessment. The cost of the attack (C), the attacker's location (B) and the IDS log details (A) are all relevant inputs to the review, but IDS logs are raw evidence from which the method of operation is derived, and cost and location do not by themselves tell the manager what to fix; they are less useful than the method of operation for improving incident handling and preventing recurrence.
References: CISM Review Manual 2022, page 316; CISM Item Development Guide 2022, page 9; ISACA CISM: the PRIMARY goal of a post-incident review should be to?
NEW QUESTION # 87
Which of the following is the PRIMARY benefit of an information security awareness training program?
- A. Evaluating the organization's security culture
- B. Influencing human behavior
- C. Defining risk accountability
- D. Enforcing security policy
Answer: B
Explanation:
Influencing human behavior is the primary benefit of an information security awareness training program, because it reduces the human errors and weaknesses that compromise the security of data and systems. Such a program informs and equips users to protect data and computing assets from security risks and cyberattacks; it covers regulatory requirements, compliance policies and safe computing practices.
The program influences behavior by raising awareness of security threats and challenges, building knowledge and skill in security best practices and controls, and fostering a positive security culture and attitude among users. Changed behavior in turn improves the organization's security posture and performance and prevents or limits the impact of incidents. Evaluating security culture (A), defining risk accountability (C) and enforcing policy (D) may use or follow from training, but they are not its primary benefit.
References:
* https://www.isms.online/iso-27002/control-6-3-information-security-awareness-education-and-training/
* https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/the-benefits-of-information-security-a
* https://threatcop.com/blog/benefits-and-purpose-of-security-awareness-training/
NEW QUESTION # 88
Which of the following ensures the confidentiality of content when accessing an email system over the Internet?
- A. Multi-factor authentication
- B. Digital encryption
- C. Digital signatures
- D. Data masking
Answer: B
Explanation:
Digital encryption transforms data into an unreadable form using a key and an algorithm, so that only a party holding the right key can recover the plaintext. It ensures the confidentiality of email content accessed over the Internet because anyone who intercepts the traffic or the stored messages sees only ciphertext. Note what encryption does not do: it does not stop interception itself, and on its own it neither prevents nor detects modification; integrity, authentication and non-repudiation come from message authentication codes, digital signatures and certificates layered on top of the encryption scheme. Encryption can be applied to the transport (TLS between the mail client and the server) and to the message itself (end-to-end schemes such as S/MIME or OpenPGP, which also protect the content while it sits on the server), using symmetric, asymmetric or hybrid methods. Multi-factor authentication (A) verifies who is logging in, a digital signature (C) proves origin and integrity, and data masking (D) obscures data for non-production use; none of them keeps the content unreadable in transit.
References: CISM Review Manual 15th Edition, pages 101 and 102.
NEW QUESTION # 89
Which of the following is the BEST indicator of an organization's information security status?
- A. Threat analysis
- B. Intrusion detection log analysis
- C. Penetration testing
- D. Control audit
Answer: D
NEW QUESTION # 90
The PRIMARY reason for creating and externally storing a hash value of the disk when performing forensic data acquisition from a hard disk is to:
- A. Recover the original data in case of accidental changes.
- B. Validate integrity during analysis.
- C. Validate confidentiality during analysis.
- D. Provide a backup in case of media failure.
Answer: B
Explanation:
The primary reason for computing a hash of the disk during forensic acquisition and storing it outside the image is B, to validate integrity during analysis. The examiner hashes the source disk (or the bit-for-bit image as it is written) and records the digest in the chain-of-custody documentation, separate from the evidence. Whenever the image is later opened, copied, handed over or presented in court, it is re-hashed and the result compared with the recorded value: a match shows that the data examined is exactly what was acquired and has not been altered or corrupted, while a mismatch invalidates the analysis. The value is stored externally because a hash kept inside the image could be changed along with the image. A hash cannot restore data that has been changed (A), says nothing about who can read the data (C) and is not a copy of the media (D).
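As an added illustration (not part of the original question or of the CISM manual), the following Python shows the acquire, record and verify cycle the explanation describes: the source is streamed block by block into an image while a SHA-256 digest is computed, the digest is written to a separate evidence log, and verification later recomputes the digest and compares it against the log. The source "disk" is a constructed in-memory byte string, and the block size, function names and evidence-log fields are assumptions made for the example.

```python
import hashlib
import hmac
import io

BLOCK = 64 * 1024  # bytes read per iteration (assumed; real imagers use larger blocks)


def hash_device(dev, algo="sha256"):
    """Stream a seekable device/image from offset 0 and return its hex digest."""
    dev.seek(0)
    h = hashlib.new(algo)
    for block in iter(lambda: dev.read(BLOCK), b""):
        h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Bit-for-bit copy of source into image, hashing the bytes as they are read.

    Returns the digest of what was read; the caller records it outside the image.
    """
    source.seek(0)
    image.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: source.read(BLOCK), b""):
        h.update(block)
        image.write(block)
    image.flush()
    return h.hexdigest()


def verify(image, recorded_digest):
    """Re-hash the image and compare it with the externally stored digest."""
    return hmac.compare_digest(hash_device(image), recorded_digest)


def demo():
    """Run one acquisition, verify it, then show that a one-byte change is detected."""
    # Constructed stand-in for a physical disk: 256 KiB of deterministic bytes.
    source = io.BytesIO(bytes(range(256)) * 1024)
    image = io.BytesIO()

    # Acquisition: image the source and record the digest in a separate log entry.
    digest = acquire(source, image)
    evidence_log = {"item": "HDD-01 (constructed sample)", "sha256": digest}

    # Fidelity check: source and image must hash to the same value.
    source_matches_image = hash_device(source) == hash_device(image)

    # Integrity check before analysis starts.
    verified_clean = verify(image, evidence_log["sha256"])

    # Simulate tampering or corruption: flip one bit in the middle of the image.
    image.seek(len(image.getvalue()) // 2)
    original = image.read(1)
    image.seek(-1, io.SEEK_CUR)
    image.write(bytes([original[0] ^ 0x01]))

    # The recorded digest no longer matches, so the analysis would be invalid.
    verified_after_tamper = verify(image, evidence_log["sha256"])

    return {
        "digest": digest,
        "source_matches_image": source_matches_image,
        "verified_clean": verified_clean,
        "verified_after_tamper": verified_after_tamper,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points the code reflects: the source is hashed as it is read and the image is hashed again afterwards, because a match between the two proves the copy is faithful, not just that the image has not changed since; and the digest lives in the evidence log rather than in the image, since anything stored with the evidence can be altered with it. On a failing drive, repeated reads of the source may hash differently, which is itself a finding to document.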
NEW QUESTION # 91
In violation of a policy that prohibits the use of cameras in the office, employees have been issued smartphones and tablets equipped with webcams. Which of the following should be the information security manager's FIRST course of action?
- A. Perform a root cause analysis.
- B. Modify the policy.
- C. Conduct a risk assessment.
- D. Communicate the acceptable use policy.
Answer: C
NEW QUESTION # 92
To understand the organization's security posture, it is MOST important for senior leadership to:
- A. Ensure that established security metrics are reported.
- B. Evaluate the results of the most recent incident response test.
- C. Assess the progress of risk mitigation efforts.
- D. Review the number of reported security incidents.
Answer: A
NEW QUESTION # 93
Communicating which of the following would be MOST helpful in gaining senior management support for risk treatment options?
- A. Industry benchmarks
- B. Root cause analysis
- C. Quantitative loss
- D. Threat analysis
Answer: C
Explanation:
Communicating the quantitative loss associated with the risk scenarios and with each risk treatment option is the most helpful way to gain senior management support, because it expresses the value of the treatment in the terms management uses: how much expected loss is reduced, and at what cost. Quantitative loss also allows the cost and benefit of the options to be compared and the most critical risks to be prioritized. Industry benchmarks, threat analysis and root cause analysis are useful for understanding and assessing the risk, but they do not directly show what a treatment option buys.
References: Five Key Considerations When Developing Information Security Risk Treatment Plans; CISM Domain 2: Information Risk Management (IRM) [2022 update]
NEW QUESTION # 94
An online bank identifies a successful network attack in progress. The bank should FIRST:
- A. Report the root cause to the board of directors.
- B. Shut down the entire network.
- C. Assess whether personally identifiable information (PII) has been compromised.
- D. Isolate the affected network segment.
Answer: D
NEW QUESTION # 95
Which of the following would BEST enable an organization to effectively manage emerging cyber risk?
- A. Sufficient cyber budget allocation
- B. Periodic internal and external audits
- C. Cybersecurity policies
- D. Clearly defined lines of responsibility
Answer: C
Explanation:
Cybersecurity policies are the high-level statements that define the organization's objectives, principles and expectations for protecting its information assets from cyber threats, and they are the foundation on which cybersecurity strategies, plans, procedures, standards and guidelines are built. Emerging risks can be managed consistently only when that policy framework exists to direct how new threats are identified, assessed and treated, which is why C is the answer. The other options support the policies rather than replace them: a sufficient budget (A) funds the controls, personnel, training, testing, auditing and incident response that the policies require, periodic audits (B) check that the policies are being followed, and clearly defined responsibilities (D) assign who carries them out.
References: https://www.isaca.org/credentialing/cism
https://www.wiley.com/en-us/CISM+Certified+Information+Security+Manager+Study+Guide-p-978111980194
NEW QUESTION # 96
Which of the following roles is PRIMARILY responsible for developing an information classification framework based on business needs?
- A. Senior management
- B. Information security manager
- C. Information owner
- D. Information security steering committee
Answer: C
Explanation:
According to the CISM Review Manual (Digital Version), Chapter 3, Section 3.2.1, information owners are responsible for developing an information classification framework based on business needs. They are also responsible for defining and maintaining the classification scheme, policies and procedures for their information assets.
The manual also states that information owners should collaborate with other stakeholders, such as information security managers, the information security steering committee, senior management and legal counsel, to ensure that the classification framework is aligned with the organization's objectives and complies with applicable laws and regulations.
The CISM Exam Content Outline covers information classification frameworks in Domain 3, Information Security Program Development and Management (27% exam weight). The subtopics include:
3.2.1 Information Classification Frameworks
3.2.2 Information Classification Policies
3.2.3 Information Classification Procedures
3.2.4 Information Classification Training
NEW QUESTION # 97
Which of the following BEST describes a buffer overflow?
- A. A program contains a hidden and unintended function that presents a security risk
- B. A function is carried out with more data than the function can handle
- C. A type of covert channel that captures data
- D. Malicious code designed to interfere with normal operations
Answer: B
Explanation:
A buffer overflow is a software coding error or vulnerability that occurs when a function is carried out with more data than the function can handle, so that the excess data overwrites or corrupts adjacent memory locations [1]. A program that contains a hidden and unintended function presenting a security risk is not a buffer overflow but a backdoor [2]. Malicious code designed to interfere with normal operations is not a buffer overflow but malware [3]. A covert channel that captures data is not a buffer overflow but a keylogger [4].
References:
[1] https://www.fortinet.com/resources/cyberglossary/buffer-overflow
[2] https://www.fortinet.com/resources/cyberglossary/backdoor
[3] https://www.fortinet.com/resources/cyberglossary/malware
[4] https://www.fortinet.com/resources/cyberglossary/keylogger
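To make option B concrete, here is an added Python example (not from the original page or the cited glossary) that reproduces the mechanism with ctypes, which exposes raw memory the way C does: a fixed 8-byte name field sits directly in front of a privilege flag, an unchecked copy of 12 bytes runs past the end of the field and rewrites the flag, and a bounds-checked version refuses the same input. The structure layout, field names and payload are constructed for the demonstration; in C the overwritten neighbour is often a saved return address rather than a flag, but the fault is the same.

```python
import ctypes
import sys


class Session(ctypes.Structure):
    """Constructed layout: an 8-byte name buffer immediately followed by a 4-byte flag."""
    _fields_ = [("name", ctypes.c_char * 8), ("is_admin", ctypes.c_int)]


NAME_OFF = Session.name.offset      # 0: start of the name buffer
NAME_CAP = Session.name.size        # 8: bytes the buffer can actually hold
FLAG_OFF = Session.is_admin.offset  # 8: the flag lives right after the buffer


def set_name_unchecked(session, data):
    """Vulnerable: copies len(data) bytes into the name field with no length check,
    the equivalent of memcpy(s->name, data, len) in C."""
    ctypes.memmove(ctypes.addressof(session) + NAME_OFF, data, len(data))


def set_name_checked(session, data):
    """Hardened: reject input that does not fit, then copy only into the buffer.

    Returns True when the name was stored, False when the input was rejected.
    """
    if len(data) > NAME_CAP:
        return False
    base = ctypes.addressof(session) + NAME_OFF
    ctypes.memset(base, 0, NAME_CAP)          # clear so short names stay NUL-terminated
    ctypes.memmove(base, data, len(data))
    return True


def demo():
    """Show the overflow flipping is_admin, and the checked version refusing it."""
    # 8 filler bytes fill the name; the next 4 bytes land on is_admin (native byte order).
    flag_bytes = (1).to_bytes(ctypes.sizeof(ctypes.c_int), sys.byteorder)
    payload = b"A" * NAME_CAP + flag_bytes   # 12 bytes aimed at an 8-byte field

    s = Session()
    before = s.is_admin                      # 0: the program never set the flag
    set_name_unchecked(s, payload)
    after_overflow = s.is_admin              # 1: the copy ran past the field

    t = Session()
    accepted = set_name_checked(t, payload)  # False: 12 bytes do not fit in 8
    after_checked = t.is_admin               # still 0, the flag was never touched
    ok = set_name_checked(t, b"alice")       # normal input is accepted

    return {
        "flag_offset": FLAG_OFF,
        "is_admin_before": before,
        "is_admin_after_overflow": after_overflow,
        "checked_accepted_oversize": accepted,
        "is_admin_after_checked": after_checked,
        "checked_accepted_normal": ok,
        "name_after_checked": t.name,
    }


if __name__ == "__main__":
    print(demo())
```

The unchecked copy never touches `is_admin` by name; it simply writes more bytes than the destination has, and whatever the compiler placed next in memory receives the remainder. The fix is the one every secure-coding standard gives for this class of bug: know the capacity of the destination and compare the input length against it before copying.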
NEW QUESTION # 98
Which of the following is the MOST accurate method of measuring the alignment of an information security strategy with organizational objectives?
- A. Percentage of controls integrated into business processes
- B. Number of business cases reviewed by senior management
- C. Number of blocked intrusion attempts
- D. Trend in the number of identified business threats
Answer: A
NEW QUESTION # 99
An organization is developing a risk mitigation plan that considers redundant power supplies to reduce the business risk associated with critical system outages. Which type of control is being considered?
- A. Corrective
- B. Deterrent
- C. Detective
- D. Preventive
Answer: D
NEW QUESTION # 100
A balanced scorecard MOST effectively enables information security:
- A. Project management
- B. Risk management
- C. Governance
- D. Performance
Answer: C
Explanation:
A balanced scorecard enables information security governance by providing a framework for aligning security objectives with business goals and measuring performance against them. The other choices are not governance in themselves, although governance supports each of them.
A balanced scorecard is a strategic management tool that describes the cause-and-effect linkages between four high-level perspectives of strategy and execution: financial, customer, internal process, and learning and growth. It helps organizations communicate and monitor their vision and strategy across different levels and functions.
NEW QUESTION # 101
......
ISACA Certification - CISM-CN Exam Practice Dumps: https://www.lead2passexam.com/ISACA/valid-CISM-CN-exam-dumps.html
CISM-CN Premium Files Test pdf - Free Dumps Collection: https://drive.google.com/open?id=1_0xfL4y918uk5GoAgB8lWFIqxGwOI_o0