Online Access Free ISACA.CISM.v2024-04-24.q336 Practice Test (Page 39)

CISM Exam Question 186

Which of the following is the FIRST step to establishing an effective information security program?

A.Assign accountability.

B.Perform a business impact analysis (BIA).

C.Create a business case.

D.Conduct a compliance review.

CISM Exam Question 187

Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?

A.Require remote wipe capabilities for devices.

B.Conduct security awareness training.

C.Review and update existing security policies.

D.Enforce passwords and data encryption on the devices.

Correct Answer: C

Explanation
The primary responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations is to review and update existing security policies. Security policies are the foundation of an organi-zation's security program, as they define the goals, objectives, principles, roles, respon-sibilities, and requirements for protecting information and systems. Security policies should be reviewed and updated regularly to reflect changes in the organization's envi-ronment, needs, risks, and technologies1. Implementing the use of company-owned mobile devices in its operations is a significant change that may introduce new threats and vulnerabilities, as well as new opportunities and benefits, for the organiza-tion. Therefore, the information security manager should review and update existing security policies to address the following aspects2:
*The scope, purpose, and ownership of company-owned mobile devices
*The acceptable and unacceptable use of company-owned mobile devices
*The security standards and best practices for company-owned mobile devices
*The roles and responsibilities of users, managers, IT staff, and vendors regarding compa-ny-owned mobile devices
*The procedures for provisioning, managing, monitoring, and decommissioning company-owned mobile devices
*The incident response and reporting process for company-owned mobile devices By reviewing and updating existing security policies, the information security manager can ensure that the organization's security program is aligned with its business objec-tives and risk appetite, as well as compliant with applicable laws and regulations. The other options are not the primary responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations. They are possible actions or controls that may be derived from or support-ed by the updated security policies. Requiring remote wipe capabilities for devices is a technical control that can help prevent data loss or theft in case of device loss or com-promise3. Conducting security awareness training is an administrative control that can help educate users about the security risks and responsibilities associated with using company-owned mobile devices. Enforcing passwords and data encryption on the de-vices is a technical control that can help protect data confidentiality and integrity on company-owned mobile devices. References:
1: Information Security Policy - NIST 2: Mobile Device Security Policy - SANS 3: Remote Wipe: What It Is
& How It Works - Lifewire : Security Awareness Training - NIST : Mobile Device Encryption - NIST

CISM Exam Question 188

Which of the following is the BEST reason for reevaluating an information security program?

A.Misalignment between information security priorities and business objectives

B.Noncompliance with information security policies and procedures

C.Change in senior management

D.Ineffectiveness of the information security strategy execution

CISM Exam Question 189

When developing a tabletop test plan for incident response testing, the PRIMARY purpose of the scenario should be to:

A.give the business a measure of the organization's overall readiness

B.provide participants with situations to ensure understanding of their roles

C.measure management engagement as part of an incident response team

D.challenge the incident response team to solve the problem under pressure

CISM Exam Question 190

Which of the following should an information security manager perform FIRST when an organization's residual risk has increased?

A.Assess the business impact.

B.Communicate the information to senior management.

C.Implement security measures to reduce the risk.

D.Transfer the risk to third parties.

Other Version: 1910ISACA.CISM.v2024-10-14.q528; 606ISACA.CISM.v2024-07-14.q167; 1266ISACA.CISM.v2023-09-14.q160; 1233ISACA.CISM.v2023-09-09.q151; 1232ISACA.CISM.v2023-08-22.q180; 1009ISACA.CISM.v2023-07-28.q152; 1045ISACA.CISM.v2023-05-16.q111; 1081ISACA.CISM.v2023-05-10.q114; 1025ISACA.CISM.v2023-03-07.q88; 4414ISACA.CISM.v2022-09-16.q374; 8295ISACA.CISM.v2022-08-01.q522; 56ISACA.Ipassleader.CISM.v2022-06-09.by.josephine.1215q.pdf; 11807ISACA.CISM.v2022-04-15.q999; 14860ISACA.CISM.v2021-10-30.q999

Latest Upload: 324ISACA.CGEIT.v2025-09-19.q537; 155Fortinet.FCP_FWF_AD-7.4.v2025-09-18.q62; 156Scrum.SAFe-Practitioner.v2025-09-18.q63; 146Workday.Workday-Prism-Analytics.v2025-09-17.q17; 131Oracle.1Z0-1055-24.v2025-09-17.q28; 129Oracle.1Z1-182.v2025-09-17.q32; 247Nutanix.NCP-US-6.5.v2025-09-16.q73; 266Oracle.1z0-071.v2025-09-16.q232; 204Oracle.1Z1-922.v2025-09-16.q125; 327CyberArk.PAM-CDE-RECERT.v2025-09-15.q100

CISM Exam Question 186

CISM Exam Question 187

CISM Exam Question 188

CISM Exam Question 189

CISM Exam Question 190

Download PDF File