Isaca Updated CISM Exam Questions and Answers by mabli

A post-incident review is a process of analyzing an incident and its impact, identifying the root causes, and recommending corrective actions to prevent recurrence. The first step of a post-incident review is to perform root cause analysis, which is the process of identifying the underlying factors that contributed to the occurrence and severity of the incident. Root cause analysis helps to determine the most effective and efficient solutions to address the problem and avoid future incidents. References = CISM Review Manual, 16th Edition, Chapter 5, Section 5.5.2.11

Performing an analysis of the change is the first step in addressing the issue of an IT employee making a change to a firewall rule outside of the change control process because it helps to understand the reason, impact, and risk of the change and to decide whether to approve, reject, or reverse it. Requiring that the change be reversed is not the first step because it may cause more disruption or damage without proper analysis and testing. Reviewing the change management process is not the first step because it does not address the specific issue or incident at hand, but rather focuses on improving the process for future changes. Reporting the event to senior management is not the first step because it does not resolve the issue or incident, but rather escalates it without sufficient information or recommendation. References: https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/change-management-in-the-age-of-digital-transformation https://www.isaca.org/resources/isaca-jour nal/issues/

The greatest concern with the situation of privileged employee access requests to production servers being approved but not logged is the lack of accountability, which means the inability to trace or verify the actions and decisions of the privileged users. Lack of accountability can lead to security risks such as unauthorized changes, data breaches, fraud, or misuse of privileges. Logging user actions is a key component of privileged access management (PAM), which helps to monitor, detect, and prevent unauthorized privileged access to critical resources. The other options, such as lack of availability, improper authorization, or inadequate authentication, are not directly related to the situation of not logging user actions. References:

https://www.microsoft.com/en-us/security/business/security-101/what-is-privileged-access-management-pam

https://www.ekransystem.com/en/blog/privileged-user-monitoring-best-practices

https://www.beyondtrust.com/resources/glossary/privileged-access-management-pam

Baseline controls are the minimum set of security requirements that apply to all information systems in an organization, regardless of their specific functions or characteristics. They are derived from the organization’s security policies, standards, and best practices, and they reflect the organization’s risk appetite and tolerance. Baseline controls provide a consistent and comprehensive foundation for the security of the information systems, and they can be tailored or supplemented by additional controls as needed for specific systems or situations. The other options are not as comprehensive as baseline controls, as they may only address certain aspects or aspects of the security requirements, or they may vary depending on the system or the context. For example, risk assessment results are an important input for defining the security requirements, but they are not the requirements themselves. Audit findings are an output of evaluating the compliance and effectiveness of the security requirements, but they are not the requirements themselves. Key risk indicators (KRIs) are metrics that measure the level of risk exposure and performance of the security requirements, but they are not the requirements themselves. References =

CISM Review Manual 15th Edition, page 113: “Baseline controls are the minimum security requirements that apply to all systems within the organization.”

CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, question 478: “Baseline controls are the minimum security requirements that apply to all systems within the organization. They are derived from the organization’s security policies, standards, and best practices, and they reflect the organization’s risk appetite and tolerance.”