CISM Information Security Governance • Complete Question Bank
Complete CISM Information Security Governance question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit. Access Control List (ACL) on border router:
```
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
```
Firewall blocking unauthorized traffic
Intrusion detection system alerting on anomalies
Restoring system from backup after breach
Security warning banners on login
Additional authentication for legacy systems
Average time to detect an incident
Average time to remediate an incident
Average time between system failures
Contractual commitment for service levels
Indicator of risk level change
Refer to the exhibit.
```
Policy: Access Control
Effective Date: 2024-01-01
Review Date: 2024-12-31
Owner: CISO
Scope: All employees and contractors
Statement: Access to internal systems must be granted based on the principle of least privilege. Exceptions must be approved by the data owner and documented.
```
Refer to the exhibit.
```
Risk Register Excerpt:
Risk ID: R001
Risk Description: Unauthorized disclosure of sensitive customer data due to weak encryption.
Inherent Risk: High
Control Effectiveness: Partially effective
Residual Risk: High
Risk Owner: CISO
Risk Treatment: Accept
```
Refer to the exhibit.
```
Audit Finding Report:
Audit ID: A-2025-003
Date: 2025-03-15
Scope: Information Security Governance
Finding: The organization's information security strategy does not include measurable objectives aligned with business goals. The strategy document states: 'To protect information assets from threats.' There are no defined key performance indicators (KPIs) or targets.
Recommendation: Develop a security strategy with specific, measurable objectives linked to business outcomes.
```
Refer to the exhibit.
```
SECURITY GOVERNANCE REPORT - Q4 20XX
=======================================
Risk Appetite: Moderate (defined by board)
Key Risk Indicator: % Systems with critical vulnerabilities > 30 days old
Current Value: 8%
Threshold: <5% (Red), 5-10% (Yellow), >10% (Green)
Status: YELLOW
Action Plan: Accelerate patching for high-risk assets
```
Refer to the exhibit.
```
$ cat governance_policy.json
{
  "policyName": "Information Security Governance Policy",
  "version": "2.0",
  "scope": "All business units and subsidiaries",
  "roles": {
    "board": "Approve risk appetite and review security performance quarterly",
    "ceo": "Provide strategic direction and resources",
    "ciso": "Develop and implement security program",
    "businessManagers": "Ensure compliance within their units",
    "internalAudit": "Independent assurance on governance effectiveness"
  },
  "processes": {
    "riskAssessment": "Annual risk assessment and quarterly updates",
    "strategyAlignment": "Annual review of security strategy with business strategy",
    "reporting": "Quarterly dashboard to board, monthly to management"
  }
}
```
Refer to the exhibit.
```
NETWORK ARCHITECTURE DESCRIPTION
- Internet edge: Firewall cluster (active-active) with IPS
- DMZ: Web servers, external-facing applications
- Internal network segregated into VLANs by business unit
- Management network for system administrators
- Security Operations Center (SOC) monitors all traffic
- Remote access via VPN with multi-factor authentication
- Data centers: Tier 3 physical security and environmental controls
```
Exhibit:
```
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TS
 match address 101
!
interface FastEthernet0/0
 crypto map VPN
!
```
Exhibit:
```
{
  "classification_scheme": {
    "labels": [
      {"id": "P", "name": "Public"},
      {"id": "C", "name": "Confidential"},
      {"id": "R", "name": "Restricted"},
      {"id": "U", "name": "Unclassified"}
    ]
  }
}
```
Exhibit:
```
[ERROR] [2025-04-01 14:23:45] GRC Policy Update Failed: Insufficient privileges for user 'jdoe' to modify policy 'SOX-101'. Required role: 'PolicyAdmin', user roles: ['Auditor','ComplianceReader'].
```
Refer to the exhibit.
```
Security Policy – Data Classification
Category A: Public – No restrictions on disclosure.
Category B: Internal – Limited to employees; no external sharing without approval.
Category C: Confidential – Access on a need-to-know basis; encryption required for transmission.
Category D: Restricted – Highest sensitivity; requires encryption at rest and in transit, dual control for access, and quarterly audits.
```