Free Access to ISACA.CISM.v2025-07-07.q684 with Valid Practice Test (Page 110)

Question 541

A risk management program will be MOST effective when:

A.business units are involved in risk assessments
B.risk assessments are repeated periodically
C.risk appetite is sustained for a long period
D.risk assessments are conducted by a third party

Question 542

While conducting a test of a business continuity plan (BCP). which of the following is the MOST important consideration?

A.The test is scheduled to reduce operational impact
B.The test addresses the critical components
C.The test simulates actual prime-time processing conditions.
D.The test involves IT members in the test process

Question 543

An incident response team has established that an application has been breached. Which of the following should be done NEXT?

A.Maintain the affected systems in a forensically acceptable state
B.Conduct a risk assessment on the affected application
C.Inform senior management of the breach.
D.Isolate the impacted systems from the rest of the network

Question 544

Reviewing which of the following would be MOST helpful when a new information security manager is developing an information security strategy for a non-regulated organization?

A.Management's business goals and objectives
B.Strategies of other non-regulated companies
C.Risk assessment results
D.Industry best practices and control recommendations

Question 545

A newly appointed information security manager of a retailer with multiple stores discovers an HVAC (heating, ventilation, and air conditioning) vendor has remote access to the stores to enable real-time monitoring and equipment diagnostics. Which of the following should be the information security manager's FIRST course of action?

A.Conduct a penetration test of the vendor.
B.Review the vendor's technical security controls
C.Review the vendor contract
D.Disconnect the real-time access

Correct Answer: C

Explanation
Reviewing the vendor contract should be the information security manager's first course of action when discovering an HVAC vendor has remote access to the stores to enable real-time monitoring and equipment diagnostics. The vendor contract should specify the terms and conditions of the vendor's access to the retailer's network, such as the scope, purpose, duration, frequency, and method of access. The vendor contract should also define the roles and responsibilities of both parties regarding security, privacy, compliance, liability, and incident response. Reviewing the vendor contract will help the information security manager to understand the contractual obligations and expectations of both parties, and to identify any gaps or issues that need to be addressed or resolved1. The other options are not the first course of action for the information security manager when discovering an HVAC vendor has remote access to the stores. Conducting a penetration test of the vendor may be a useful way to assess the vendor's security posture and potential vulnerabilities, but it should be done with the vendor's consent and cooperation, and after reviewing the vendor contract2. Reviewing the vendor's technical security controls may be a necessary step to verify the vendor's compliance with security standards and best practices, but it should be done after reviewing the vendor contract and in accordance with the agreed-upon audit procedures3. Disconnecting the real-time access may be a drastic measure that could disrupt the vendor's service delivery and violate the vendor contract, unless there is a clear and imminent threat or breach that warrants such action. References: 1: Vendor Access:
Addressing the Security Challenge with Urgency - BeyondTrust 2: Penetration Testing - NIST 3: Reduce Risk from Third Party Access | BeyondTrust : Third-Party Vendor Security Risk Management & Prevention

Question 541

Question 542

Question 543

Question 544

Question 545

Download PDF File