Guide (New 2024) Actual ISACA CISM-CN Exam Questions [Q137-Q155]

NEW QUESTION # 137
An incident response team will be MOST effective when:

  • A. The incident response team meets regularly to review log files.
  • B. The incident response process is updated based on lessons learned.
  • C. Incident response team members are trained security personnel.
  • D. A security information and event monitoring (SIEM) system is used to identify incidents.

Answer: B


NEW QUESTION # 138
An organization plans to offer clients a new service that is subject to regulations. What should the organization do FIRST when developing the security strategy in support of this new service?

  • A. Perform a gap analysis against the current state.
  • B. Determine security controls for the new service.
  • C. Hire new resources to support the service.
  • D. Establish a compliance program.

Answer: A

Explanation:
A gap analysis compares the current state of the organization's security posture with the desired or required state and identifies the gaps that must be addressed. It establishes the current level of compliance with the relevant regulations, standards and best practices, and it prioritizes the actions and resources needed to reach the required level. It is the first step when developing a security strategy for a new regulated service because it:
helps to understand the scope and impact of the new service on the organization's security objectives, risks and controls;
identifies the legal, regulatory and contractual requirements that apply to the new service, and the penalties or consequences of noncompliance;
assesses the effectiveness and efficiency of the existing controls and identifies the gaps or weaknesses that must be remediated or enhanced;
aligns the security strategy with the business goals and objectives of the new service and keeps it consistent across the organization;
communicates the security requirements and expectations to the stakeholders involved in the new service and obtains their support and commitment.
The other options (determining security controls for the new service, establishing a compliance program, hiring new resources to support the service) are not first steps because each depends on the results of the gap analysis: selecting controls requires a clear understanding of the requirements and risks of the new service, a compliance program is structured around the gaps identified, and hiring requires a realistic, justified estimate of the human and financial resources needed, which the analysis provides.
References: CISM Review Manual 15th Edition, pages 121-125; "What is a Gap Analysis?", Smartsheet.


NEW QUESTION # 139
The information security team is planning a security assessment of an existing vendor. Which of the following approaches is MOST helpful for properly scoping the assessment?

  • A. Determine whether the vendor follows the selected security framework.
  • B. Review the vendor's security policy.
  • C. Focus the review on the highest-risk infrastructure.
  • D. Review the controls listed in the vendor contract.

Answer: D

Explanation:
Reviewing the controls listed in the vendor contract is the most helpful approach for scoping a security assessment of an existing vendor because the contract defines the security requirements and expectations the vendor has agreed to meet. A vendor contract is a legal document that sets the terms and conditions of the business relationship, including the scope, deliverables, responsibilities and obligations of both parties. It should also specify the security controls the vendor must implement and maintain to protect the organization's data and systems, such as encryption, authentication, access control, backup, monitoring and auditing. Scoping the assessment against those contractual controls ensures it covers the relevant aspects of the vendor's security posture and exposes any gaps between what was agreed and what is actually practiced. The other options either depend on the vendor's own framework or policy rather than the organization's agreed requirements, or narrow the scope before the requirements are known.
Reference:
https://medstack.co/blog/vendor-security-assessments-understanding-the-basics/
https://www.ncsc.gov.uk/files/NCSC-Vendor-Security-Assessment.pdf
https://securityscorecard.com/blog/how-to-conduct-vendor-security-assessment


NEW QUESTION # 140
Which of the following is the MOST important course of action for an information security manager when responding to a major security incident that could disrupt the business?

  • A. Notify law enforcement.
  • B. Contact a forensic investigator.
  • C. Follow the escalation process.
  • D. Identify indicators of compromise.

Answer: D


NEW QUESTION # 141
When aligning an incident response plan with corporate strategy, which of the following should be updated FIRST?

  • A. Disaster recovery plan (DRP)
  • B. Incident notification plan
  • C. Security procedures
  • D. Risk response scenarios

Answer: D

Explanation:
The correct answer is D, risk response scenarios. Risk response scenarios are the predefined plans and actions the organization will take in response to specific types of incidents, such as cyberattacks, natural disasters or data breaches. They must be aligned with the corporate strategy, which defines the organization's vision, mission, goals and objectives and guides decision making and resource allocation. Aligning the scenarios first ensures that the incident response plan supports the desired business outcomes and minimizes disruption to operations and performance; the disaster recovery plan, notification plan and security procedures are downstream documents that are updated to reflect the revised scenarios.
References: CISM Review Manual 15th Edition, Chapter 4, Section 4.2.2, page 211; "CISM domain 4: Information security incident management (2022 update)", Infosec; "A Guide to Effective Incident Management Communications".


NEW QUESTION # 142
An external security audit has reported multiple instances of control noncompliance. Which of the following is MOST important for the information security manager to communicate to senior management?

  • A. Control owner responses based on root cause analysis
  • B. A business case for transferring the risk
  • C. A noncompliance report to initiate remediation activities
  • D. The impact of the noncompliance on the organization's risk profile

Answer: D

Explanation:
The impact of noncompliance on the organization's risk profile is the MOST important information for the information security manager to communicate to senior management, because it helps them understand the potential consequences of not adhering to the established controls and the need for corrective actions.
Noncompliance may expose the organization to increased threats, vulnerabilities, and losses, as well as legal, regulatory, and contractual liabilities.
References: CISM Review Manual, 16th Edition, ISACA, p. 84: "The information security manager should report on information security risk, including noncompliance and changes in information risk, to key stakeholders to facilitate the risk management decision-making process." CISM Review Manual, 16th Edition, ISACA, p. 85: "Noncompliance with information security policies, standards, and procedures may result in increased threats, vulnerabilities, and losses, as well as legal, regulatory, and contractual liabilities for the enterprise."


NEW QUESTION # 143
An information security manager is MOST likely to obtain approval for a new security project when the business case provides evidence of:

  • A. Organizational alignment
  • B. Threats to the organization
  • C. IT strategy alignment
  • D. Existing control costs

Answer: A

Explanation:
A new security project is more likely to be approved when it aligns with the organization's goals, objectives and strategies, because this shows that the project supports business needs and adds value to the organization. Organizational alignment is one of the key elements of a business case for information security (CISM Review Manual, 16th Edition, page 41). IT strategy alignment, threats to the organization and existing control costs are relevant inputs to the business case, but they are less persuasive to the approvers than organizational alignment.
References: CISM Review Manual, 16th Edition, ISACA.


NEW QUESTION # 144
A risk owner has accepted a large amount of risk because of the high cost of controls. Which of the following should be the information security manager's PRIMARY focus in this situation?

  • A. Submitting the risk profile to the risk owner for approval
  • B. Establishing a robust continuous risk monitoring process
  • C. Performing an independent review of the risk responses
  • D. Updating the information security standards to include the accepted risk

Answer: B


NEW QUESTION # 145
Which of the following BEST minimizes information security risk when deploying an application to the production environment?

  • A. Having a well-defined change process
  • B. Verifying security during the testing process
  • C. Performing penetration testing after implementation
  • D. Integrating security controls in each phase of the life cycle

Answer: B


NEW QUESTION # 146
Which of the following is the GREATEST concern for an information security manager of a large multinational organization when outsourcing data processing to a cloud service provider?

  • A. Local laws and regulations
  • B. The vendor's service level agreement (SLA)
  • C. An independent review of the vendor
  • D. Backup and recovery of the data

Answer: A

Explanation:
The greatest concern for an information security manager of a large multinational organization when outsourcing data processing to a cloud service provider is the local laws and regulations that apply to the data and to the provider. These vary significantly across jurisdictions and may impose different requirements or restrictions on data protection, privacy, security, sovereignty, retention, disclosure, transfer or access, and they may conflict with the organization's own policies, standards or contractual obligations. Outsourcing therefore exposes the organization to legal and regulatory requirements that depend on where the data and the vendor are located, which affects its compliance position and its liability in the event of a breach or dispute.
The information security manager should conduct a thorough legal and regulatory analysis before outsourcing and ensure that the provider complies with all applicable laws and regulations in the relevant jurisdictions. The SLA, an independent review of the vendor and backup and recovery arrangements are all important, but they can be negotiated and verified; the applicable law cannot be contracted away.
References: CISM Review Manual, Chapter 3: Information Security Program Development, Section 3.1: Outsourcing.


NEW QUESTION # 147
Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?

  • A. The ability to audit the third-party supplier's IT systems and processes
  • B. A live demonstration of the third-party supplier's security capabilities
  • C. Third-party security control self-assessment (CSA) results
  • D. An independent review report indicating compliance with industry standards

Answer: A

Explanation:
A service provider is a third party that delivers IT services or products to the organization and must comply with the organization's information security requirements (policies, standards, procedures and controls) to protect the confidentiality, integrity and availability of the organization's data and systems. The best assurance of that compliance is the ability to audit the third-party supplier's IT systems and processes (option A). An audit is a systematic and independent examination of evidence against predetermined criteria: it verifies the effectiveness and efficiency of the provider's controls, identifies gaps or weaknesses, produces recommendations for improvement, and confirms that the provider is meeting its contractual obligations and service level agreements (SLAs).
Option B is not the best answer because a live demonstration may not be comprehensive, objective or reliable. It may show only the positive aspects of the provider's security without revealing hidden or potential issues, and it can be staged or manipulated by the provider.
Option C is not the best answer because self-assessment results may be inaccurate, incomplete or inconsistent. In a self-assessment the provider evaluates its own controls against a set of criteria; it may be biased or subjective, may omit relevant issues, and varies in quality and scope with the provider's expertise, resources and methodology.
Option D is not the best answer because an independent review report against industry standards or best practices (for example ISO/IEC 27001, NIST CSF or PCI DSS) gives a general view of the provider's security posture but does not address the organization's specific requirements, risks or expectations, and it may be outdated, limited or generic. It is useful evidence, but it does not replace the organization's own right to audit.
References: CISM Review Manual 15th Edition, pages 257-258; CISM Review Questions, Answers & Explanations Database, QID 301.


NEW QUESTION # 148
The PRIMARY objective of a post-incident review of an information security incident is to:

  • A. minimize the impact.
  • B. update the risk profile.
  • C. prevent recurrence.
  • D. determine the impact.

Answer: C

Explanation:
The primary objective of a post-incident review is to identify the root cause of the incident and determine what can be done to prevent a similar incident from recurring. The review allows the organization to learn from the incident, identify weaknesses in its security controls, policies and procedures, and implement changes that reduce the likelihood of the same failure. Updating the risk profile, minimizing the impact and determining the impact are useful outcomes of the review, but the main focus is on preventing recurrence.


NEW QUESTION # 149
An online bank discovers a successful network attack in progress. The bank should FIRST:

  • A. report the root cause to the board of directors.
  • B. assess whether personally identifiable information (PII) has been compromised.
  • C. shut down the entire network.
  • D. isolate the affected network segment.

Answer: D


NEW QUESTION # 150
Which of the following is the BEST tool for monitoring the effectiveness of information security governance?

  • A. Risk profile
  • B. Key performance indicators (KPIs)
  • C. Business impact analysis (BIA)
  • D. Balanced scorecard

Answer: D

Explanation:
The best tool for monitoring the effectiveness of information security governance is a balanced scorecard. A balanced scorecard is a strategic planning and performance management tool that tracks progress against objectives using a set of metrics across four perspectives: financial, customer, internal processes, and learning and growth. Because it ties security measures to business outcomes rather than reporting individual indicators in isolation, it allows the organization to assess whether governance is meeting its objectives and to adjust its security strategy accordingly. KPIs are inputs to the scorecard rather than a governance view on their own, while the risk profile and BIA measure risk and business impact, not governance effectiveness.


NEW QUESTION # 151
The data entry function of a web-based application has been outsourced to a third-party service provider that will work from a remote site. Which of the following issues would be of GREATEST concern to the information security manager?

  • A. The business process has only one level of error checking.
  • B. The application does not use a secure communications protocol.
  • C. Server-based malware protection is not enforced.
  • D. The application is configured with restrictive access controls.

Answer: B

Explanation:
The greatest concern in this situation is the security of the data exchanged between the organization and the third-party provider working from a remote site. Without a secure communications protocol, the data is exposed in transit to unauthorized access, interception or manipulation; a secure protocol is required to protect its confidentiality and integrity. Restrictive access controls on the application (option D) are a safeguard rather than a concern, and the error-checking depth and server-side malware protection (options A and C) are important but secondary to protecting the data as it crosses the network boundary to the remote site. The information security manager should also confirm that the provider has appropriate controls in place, including access controls, error checking and malware protection. See ISACA's Certified Information Security Manager (CISM) Study Manual, Section 5.2.


NEW QUESTION # 152
When an annual audit reveals that the organization's business continuity plan (BCP) has not been reviewed or updated in more than a year, which of the following should be the information security manager's GREATEST concern?

  • A. The lack of BCP updates may result in noncompliance with internal policy.
  • B. An outdated BCP may result in a less efficient recovery if an actual incident occurs.
  • C. The organization may suffer reputational damage for not following industry best practices.
  • D. The audit finding may affect the organization's overall risk rating.

Answer: B

Explanation:
A BCP documents the processes and procedures for maintaining or resuming critical business functions and for minimizing the impact of a disruption on the organization's objectives, customers and stakeholders. It must be reviewed and updated regularly to reflect changes in the organization's environment, risks, resources and requirements. An outdated BCP may result in a less efficient recovery if an actual incident occurs, because it may not reflect current systems, dependencies, priorities or recovery strategies, leading to increased downtime, losses or damage. Policy noncompliance, reputational damage and the effect on the risk rating are consequences of the finding, but the operational risk to recovery is the primary concern.
References: CISM Review Manual 2022, page 310; CISM Exam Content Outline, Domain 4, Knowledge Statement 4.8; "CISM 2020: Business Continuity"; "Part Two: Business Continuity and Disaster Recovery Plans".


NEW QUESTION # 153
An IT project has gone over budget because too many security controls were added late in the project. Which of the following would BEST help ensure that the relevant controls are applied to the project?

  • A. Providing stakeholders with minimum information security requirements
  • B. Identifying responsibilities during the project business case analysis
  • C. Creating a data classification framework and providing it to stakeholders
  • D. Involving information security in each phase of project management

Answer: B


NEW QUESTION # 154
Which of the following is the MOST important consideration for gaining organization-wide support for an information security program?

  • A. Corporate culture
  • B. Enterprise risk framework
  • C. Clarity of security roles and responsibilities
  • D. Maturity of security policies

Answer: A

Explanation:
Corporate culture is the most important consideration when seeking organization-wide support for an information security program because it reflects the values, beliefs and behaviors of the organization and its members. Culture determines how the organization perceives, prioritizes and responds to information security risks and how it adopts and implements security policies and practices. By understanding and aligning with the corporate culture, the information security manager can communicate the benefits and value of the program and foster a positive, collaborative security culture across the organization. The risk framework, role clarity and policy maturity all help, but none of them will secure support if the program runs against the culture.
References: CISM Review Manual 2023, p. 81: "corporate culture is the set of shared values, beliefs, and behaviors that characterize the organization and its members" and "corporate culture affects how the organization views and manages information security risks and issues, and how it supports and implements information security policies and practices." CISM Review Questions, Answers & Explanations Manual 2023, p. 23: "Corporate culture is the correct answer because it is the most important factor to consider when trying to gain organization-wide support for an information security program, as it reflects the values, beliefs, and behaviors of the organization and its members, and influences how they perceive, prioritize, and respond to information security risks and issues, and how they adopt and implement information security policies and practices." "Building a Culture of Security", ISACA Journal, 2019, p. 1: "corporate culture is the key factor that determines the success or failure of an information security program" and "corporate culture can be either an enabler or a barrier for information security, depending on how well it aligns with the information security objectives, values, and practices of the organization."

