Free ISACA CISM Exam Braindumps (page: 81)

Which of the following authentication methods prevents authentication replay?

  A. Password hash implementation
  B. Challenge/response mechanism
  C. Wired Equivalent Privacy (WEP) encryption usage
  D. HTTP Basic Authentication

Answer(s): B

Explanation:

A challenge/response mechanism prevents replay attacks by sending a different random challenge in each authentication event. The response is bound to that specific challenge, so capturing the authentication handshake and replaying it on the network will not work. Using hashes by themselves will not prevent a replay. A WEP key will not prevent sniffing (it just takes a few more minutes to break the WEP key if the attacker does not already have it) and therefore cannot prevent an authentication handshake from being recorded and replayed. HTTP Basic Authentication is clear text and has no mechanism to prevent replay.



An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur?

  A. Nothing, since a risk assessment was completed during development.
  B. A vulnerability assessment should be conducted.
  C. A new risk assessment should be performed.
  D. The new vendor's SAS 70 type II report should be reviewed.

Answer(s): C

Explanation:

The risk assessment process is continual, and any change to an established process should include a new risk assessment. While a review of the SAS 70 report and a vulnerability assessment may be components of a risk assessment, neither would constitute sufficient due diligence on its own.



Which of the following is MOST important to consider when developing a business case to support the investment in an information security program?

  A. Senior management support
  B. Results of a cost-benefit analysis
  C. Results of a risk assessment
  D. Impact on the risk profile

Answer(s): D

Explanation:

The information security manager must understand the business risk profile of the organization. No model provides a complete picture, but logically categorizing the risk areas of an organization facilitates focusing on key risk management strategies and decisions. It also enables the organization to develop and implement risk treatment approaches that are relevant to the business and cost effective.



It is MOST important for an information security manager to ensure that security risk assessments are performed:

  A. consistently throughout the enterprise
  B. during a root cause analysis
  C. as part of the security business case
  D. in response to the threat landscape

Answer(s): A


Reference:

https://m.isaca.org/Certification/Additional-Resources/Documents/CISM-Item-Development-Guide_bro_Eng_0117.pdf (14)
