QUESTION NO: 1393
During the security review of organizational servers, it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:
A. copy sample files as evidence.
B. remove access privileges to the folder containing the data.
C. report this situation to the data owner.
D. train the HR team on properly controlling file permissions.
Answer: C
Explanation: The data owner should be notified prior to any action being taken. Copying sample files as evidence is not advisable since it breaches confidentiality requirements on the file. Removing access privileges to the folder containing the data should be done by the data owner or by the security manager in consultation with the data owner; however, this would be done only after formally reporting the incident. Training the human resources (HR) team on properly controlling file permissions is the method to prevent such incidents in the future, but should take place once the incident reporting and investigation activities are completed.

QUESTION NO: 1394
If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:
A. obtaining evidence as soon as possible.
B. preserving the integrity of the evidence.

Isaca CISM Exam "Pass Any Exam. Any Time." - www.actualtests.com 782

A risk profile supports effective security decisions PRIMARILY because it:
A. defines how best to mitigate future risks.
B. identifies priorities for risk reduction.
C. enables comparison with industry best practices.
D. describes security threats.
Answer: B
Explanation:

QUESTION NO: 1431
The PRIMARY goal of a post-incident review should be to:
A. determine why the incident occurred.
B. determine how to improve the incident handling process.
C. identify policy changes to prevent a recurrence.
D. establish the cost of the incident to the business.
Answer: C
Explanation:

QUESTION NO: 1432
Which of the following activities is used to determine the effect of a disruptive event?

A. Require sign-off on acceptable use policies.
B. Require regular security awareness training.
C. Provide detailed security procedures.
D. Perform a gap analysis.
Answer: C
Explanation:

QUESTION NO: 1477
Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party?
A. Ensure security is involved in the procurement process.
B. Communicate security policy with the third-party vendor.
C. Review the third-party contract with the organization's legal department.
D. Conduct an information security audit on the third-party vendor.
Answer: A
Explanation:

QUESTION NO: 1478
Which of the following is the BEST method to ensure that data owners take responsibility for implementing information security processes?

Explanation:

QUESTION NO: 1518
What should be an information security manager's FIRST course of action upon learning of a security threat that has occurred in the industry for the first time?
A. Update the relevant information security policy.
B. Perform a control gap analysis of the organization's environment.
C. Revise the organization's incident response plan.
D. Examine responses of victims that have been exposed to similar threats.
Answer: B
Explanation:

QUESTION NO: 1519
An organization was forced to pay a ransom to regain access to a critical database that had been encrypted in a ransomware attack. What would have BEST prevented the need to make this ransom payment?
A. Storing backups on a segregated network
B. Training employees on ransomware
C. Ensuring all changes are approved
D. Verifying the firewall is configured properly
Answer: A
Explanation:

QUESTION NO: 1546
During an incident, which of the following entities would MOST likely be contacted directly by an organization's incident response team without management approval?
A. Industry regulators
B. Technology vendor
C. Law enforcement
D. Internal audit
Answer: D
Explanation:

QUESTION NO: 1547
The BEST way to minimize errors in the response to an incident is to:
A. follow standard operating procedures.
B. analyze the situation during the incident.
C. implement vendor recommendations.
D. reference system administration manuals.
Answer: A

Answer: A
Explanation:

QUESTION NO: 1564
When implementing a new risk assessment methodology, which of the following is the MOST important requirement?
A. Risk assessments must be conducted by certified staff.
B. The methodology must be approved by the chief executive officer.
C. Risk assessments must be reviewed annually.
D. The methodology used must be consistent across the organization.
Answer: D
Explanation:

QUESTION NO: 1565
Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?
A. Corresponding breaches associated with each vendor
B. Compensating controls in place to protect information security
C. Compliance requirements associated with the regulation
D. Criticality of the service to the organization

Explanation:

QUESTION NO: 1586
Which of the following is the BEST method to protect against data exposure when a mobile device is stolen?
A. Remote wipe capability
B. Password protection
C. Insurance
D. Encryption
Answer: A
Explanation:

QUESTION NO: 1587
Which of the following is MOST helpful in protecting against hacking attempts on the production network?
A. Intrusion prevention systems (IPSs)
B. Network penetration testing
C. Security information and event management (SIEM) tools
D. Decentralized honeypot networks
Answer: A
Explanation:

QUESTION NO: 1588
An information security manager has discovered an external break-in to the corporate network. Which of the following actions should be taken FIRST?
A. Switch on trace logging.
B. Copy event logs to a different server.
C. Isolate the affected portion of the network.
D. Shut down the network.
Answer: C
Explanation:

QUESTION NO: 1589
Which of the following is MOST important for an information security manager to verify when selecting a third-party forensics provider?
A. Technical capabilities of the provider
B. Existence of the provider's incident response plan
C. Results of the provider's business continuity tests
D. Existence of a right-to-audit clause
Answer: A
Explanation:

QUESTION NO: 1590
An online trading company discovers that a network attack has penetrated the firewall. What should be the information security manager's FIRST response?
A. Notify the regulatory agency of the incident.
B. Evaluate the impact to the business.
C. Implement mitigating controls.
D. Examine firewall logs to identify the attacker.
Answer: C
Explanation:

QUESTION NO: 1591
Which of the following is an organization's BEST approach for media communications when experiencing a disaster?
A. Defer public comment until partial recovery has been achieved.
B. Report high-level details of the losses and recovery strategy to the media.
C. Authorize a qualified representative to convey specially drafted messages.
D. Hold a press conference and advise the media to refer to legal authorities.
Answer: C
Explanation: