Certified Information Security Manager CISM (CISM) — Questions 175

500 questions total · 7 pages · All types, answers revealed

Page 1 of 7

1
MCQ · medium

After implementing controls, an organization reassesses a risk and finds that the residual risk level exceeds the established risk tolerance. What is the most appropriate next step?

A. Re-assess the risk using a different methodology
B. Lower the risk tolerance to match the residual risk
C. Seek management approval for acceptance or implement additional controls
D. Ignore the residual risk since controls are already in place
Answer: C

This aligns with the risk management process.

Why this answer

Option C is correct because the organization must decide either to accept the risk (with management authorization) or to treat it further. Option D is wrong because ignoring the residual risk is not acceptable. Option B is wrong because lowering the tolerance without justification is not appropriate.

Option A is wrong because re-assessment alone does not resolve the issue.

2
MCQ · medium

During a merger, the acquiring company's CISO must integrate the security governance of the target company. The target company has no formal security governance. What is the FIRST step the CISO should take?

A. Conduct security awareness training for the target company's employees.
B. Perform a comprehensive risk assessment of the target company's security posture.
C. Align the target company's security policies with the acquirer's policies.
D. Implement the acquirer's security governance framework immediately.
Answer: B

Initial assessment informs the integration strategy.

Why this answer

Without a formal security governance structure, the CISO must first understand the target company's current security posture through a comprehensive risk assessment. This step identifies vulnerabilities, threats, and gaps in controls, providing the baseline data needed to prioritize integration efforts and align with the acquirer's governance framework. Skipping this assessment risks implementing policies that are irrelevant or ineffective against the target's actual risks.

Exam trap

ISACA often tests the principle that governance integration must begin with understanding the current state (risk assessment) rather than jumping to policy alignment or implementation, which is a common mistake candidates make by assuming immediate enforcement is the first step.

How to eliminate wrong answers

Option A is wrong because conducting security awareness training before understanding the target's risk profile and existing security gaps is premature; training should be tailored to identified risks and policies, not implemented in a vacuum. Option C is wrong because aligning security policies without first assessing the target's current state can result in policies that conflict with existing technical controls or fail to address critical vulnerabilities. Option D is wrong because immediately implementing the acquirer's governance framework without a risk assessment may disrupt operations, miss unknown threats, and create resistance due to a lack of contextual understanding.

3
MCQ · easy

You are the information security program manager for a government agency. The agency operates in a highly regulated environment and is in the process of updating its incident response plan. During a tabletop exercise, it becomes clear that the detection capabilities are strong, but the response coordination between IT, legal, and public affairs is poor. This caused delays in containing a simulated ransomware attack. The existing program includes an incident response policy but no formal procedures for cross-department coordination. The agency's leadership wants quick improvement with minimal budget impact. What should you recommend?

A. Outsource incident response to a managed security service provider (MSSP).
B. Create a dedicated incident response team that reports directly to the CISO.
C. Purchase a new SIEM solution to improve detection accuracy.
D. Develop a detailed incident response coordination plan with defined roles and communication channels, and conduct quarterly joint exercises.
Answer: D

Cost-effective and directly improves coordination.

Why this answer

The correct answer is D because creating structured coordination procedures and conducting regular joint exercises directly addresses the coordination gap at low cost. Option C (new SIEM) does not fix coordination. Option A (outsourcing) is expensive and may not align with government requirements.

Option B (separate team) could be costly and does not leverage existing staff.

4
MCQ · medium

A multinational corporation is implementing a new information security program. The program manager needs to ensure that security requirements are integrated into the procurement process for third-party services. Which of the following is the most effective approach?

A. Include security requirements after contract signing
B. Require third parties to self-attest compliance
C. Embed security clauses in requests for proposals (RFPs)
D. Conduct periodic security audits of third parties
Answer: C

This ensures security is a contractual requirement from the start.

Why this answer

Option C is correct because integrating security requirements into the procurement lifecycle ensures that contractual obligations are legally binding. Option A is wrong because post-contract negotiations are less effective and may face resistance. Option D is wrong because periodic reviews are reactive.

Option B is wrong because it shifts responsibility to the third party without proper integration.

5
MCQ · medium

You are the CISO of a retail company that is planning to implement a new e-commerce platform. The information security program currently consists of a set of high-level policies, but there are no detailed standards or guidelines for secure development. The development team uses agile methodologies and is accustomed to rapid releases. They have resisted security reviews in the past, citing delays. You need to integrate security into the development lifecycle without causing friction. The company's risk appetite is moderate; they accept some risk for speed but not if it leads to major breaches. The board expects you to manage this risk effectively. Which approach should you take?

A. Provide annual security training to all developers.
B. Assign a security champion to each development team and create a lightweight secure coding checklist.
C. Establish a separate security team that reviews all code after development is complete.
D. Implement a mandatory security gate before each release, requiring a full security review.
Answer: B

Embeds security in the development process without heavy process overhead.

Why this answer

The correct answer is B because embedding a security champion in each team provides ongoing guidance without drastically slowing down development. Option D (gate process) will cause friction and is likely to be bypassed. Option C (separate team review) may cause delays and resentment.

Option A (training only) may not change behavior effectively.

6
MCQ · hard

A global e-commerce company is designing its information security program. The CISO wants to implement a defense-in-depth strategy for the web application layer. Which combination of controls best achieves this objective?

A. SSL/TLS encryption and VPN access
B. Web application firewall (WAF) and intrusion detection system (IDS)
C. WAF, input validation, and security logging
D. Regular patching and vulnerability scanning
Answer: C

Combines prevention, detection, and monitoring.

Why this answer

Option C is correct because defense-in-depth requires multiple layers of controls: detection (WAF), prevention (input validation), and response (monitoring). Option B is wrong because a WAF plus an IDS still leans on detection only. Option D is wrong because patching is a single layer.

Option A is wrong because encryption provides confidentiality but not attack prevention.

7
MCQ · hard

During an internal audit, it is discovered that business units frequently purchase cloud services without involving the IT security department. Which governance deficiency does this scenario most clearly demonstrate?

A. Inadequate security awareness training
B. Lack of an incident response plan
C. Absence of a procurement security policy
D. Weak access control over cloud resources
Answer: C

A procurement policy should require security review before purchasing cloud services.

Why this answer

The lack of a procurement security policy that mandates involvement of IT security indicates a gap in governance controls. Option D (weak access controls) might be a consequence but is not the root deficiency. Option A (inadequate training) is not the primary issue.

Option B (lack of an incident response plan) is unrelated to procurement.

8
MCQ · easy

During an incident, the incident response team is communicating with affected stakeholders. According to best practices, which of the following should be communicated FIRST?

A. A summary of actions taken so far
B. Detailed technical analysis
C. A timeline of all events
D. The root cause of the incident
Answer: A

A high-level summary keeps stakeholders informed while the team works on deeper analysis.

Why this answer

Option A is correct. Initial communication should provide a high-level summary of the situation and the immediate actions taken, informing stakeholders without overwhelming them with technical details.

9
MCQ · hard

An organization is under a DDoS attack that is saturating its internet link. The incident response team needs to mitigate the attack. Which action should be taken first?

A. Activate cloud-based DDoS mitigation services.
B. Shut down all public-facing services.
C. Implement rate limiting on the perimeter firewall.
D. Contact the ISP to null-route the attack IPs.
Answer: A

Correct: scalable and effective.

Why this answer

Option A is correct because cloud-based DDoS mitigation services are designed to absorb large-scale attacks. Rate limiting may be insufficient; null-routing can block legitimate traffic; shutting down services is a last resort.

10
MCQ · medium

An employee emails a spreadsheet containing employee salaries to all staff by mistake. According to the exhibit, what is the minimum handling requirement that was violated?

A. HighlyConfidential handling requirements
B. Confidential handling requirements
C. Internal handling requirements
D. Public handling requirements
Answer: B

Salaries are confidential; the email lacks encryption and need-to-know restriction.

Why this answer

Option B is correct because salary information is typically classified as 'confidential' or 'highlyConfidential' depending on context, but the exhibit shows that 'confidential' requires encryption in transit and need-to-know access. Sending the spreadsheet to all staff violates need-to-know. Option D is wrong because 'public' allows disclosure.

Option C is wrong because 'internal' allows internal use, but not distribution to all staff. Option A is wrong because 'highlyConfidential' includes additional controls, but the minimum requirement violated is 'confidential'.

11
MCQ · medium

An organization has implemented a new security policy requiring multi-factor authentication for all remote access. Several users complain about the inconvenience. What is the BEST course of action for the security manager?

A. Allow exceptions for senior executives
B. Delay implementation until user acceptance improves
C. Revoke remote access for non-compliant users
D. Provide training on the importance of MFA
Answer: D

Training addresses the root cause of the complaints, a lack of understanding, and promotes compliance.

Why this answer

Option D is correct because training helps users understand the importance of MFA and reduces resistance. Option C is too drastic as an initial step. Option A undermines security.

Option B delays necessary protection.

12
MCQ · easy

Refer to the exhibit. The exhibit shows network traffic from a server to a database. What does this pattern MOST likely indicate?

A. Query optimization issue
B. SQL injection attempt
C. Normal application load
D. Database server crash
Answer: B

SQL injection tools often open many connections to execute queries, matching the pattern.

Why this answer

Option B is correct. A rapid increase in connections to a database in a short time is typical of an automated SQL injection tool testing and exploiting vulnerabilities. Normal application load would be steadier, and a crash would show no connections.

13
MCQ · medium

Refer to the exhibit. A system administrator reviews the log and notices repeated failed SSH attempts from the same IP address. What is the most appropriate risk response?

A. Change the password policy to require 12-character passwords.
B. Increase logging verbosity to capture more details.
C. Disable SSH access and use console only.
D. Implement account lockout after 3 failed attempts.
Answer: D

This control directly mitigates brute-force attacks by locking accounts.

Why this answer

Option D is correct because implementing an account lockout policy after 3 failed attempts directly mitigates brute-force SSH attacks by preventing further authentication attempts from the same IP address. This is a standard risk response (risk reduction) that limits the attacker's ability to guess credentials without requiring changes to the SSH protocol or disabling remote access entirely.

Exam trap

The trap here is that candidates confuse preventive controls (password policy) with detective controls (logging) or overcorrect with risk avoidance (disabling SSH), instead of recognizing that a targeted brute-force attack is best addressed with a specific technical control like account lockout that directly blocks the attack pattern.

How to eliminate wrong answers

Option A is wrong because changing the password policy to require 12-character passwords is a preventive control that reduces the likelihood of successful password guessing, but it does not stop repeated failed SSH attempts from the same IP address in real time; the attacker can still attempt unlimited guesses. Option B is wrong because increasing logging verbosity only improves detection and forensic analysis, not prevention or response; it does not stop the ongoing attack or reduce risk. Option C is wrong because disabling SSH access and using console only is an extreme form of risk avoidance that eliminates remote administration entirely, which is often operationally impractical and not the most appropriate response to a targeted brute-force attempt.

14
Multi-Select · hard

Which of the following are key components of a mature information security program? (Select 2)

Select 2 answers
A. Comprehensive risk management process
B. Adoption of cloud security tools
C. Continuous monitoring and improvement
D. Single point of failure for security decisions
Answers: A, C

Why this answer

A comprehensive risk management process is a foundational component of a mature information security program because it ensures that security controls are aligned with business objectives through systematic identification, assessment, and treatment of risks. This process, often guided by frameworks like ISO 31000 or NIST SP 800-39, enables prioritization of resources based on risk appetite and tolerance, rather than relying on ad-hoc or reactive measures. Without this, the program lacks the structured governance needed to adapt to evolving threats and regulatory requirements.

Exam trap

The trap here is that candidates mistake tactical tools or organizational shortcuts (like a single security decision-maker) for program maturity, when CISM emphasizes that maturity is defined by process integration, governance, and continuous improvement, not by technology adoption or centralized authority.

Why the other options are wrong

B. Tool adoption is not a program component; it is an implementation detail.

D. Mature programs distribute accountability.

15
Multi-Select · medium

Which TWO of the following are key indicators of a potential insider threat incident? (Select exactly 2)

Select 2 answers
A. Multiple failed login attempts from an external IP address
B. An increase in network traffic to a known malicious domain
C. A user accessing large volumes of data not related to their job function
D. An employee logging in during non-business hours and downloading files
E. A user updating their password as required by policy
Answers: C, D

This suggests data theft or espionage.

Why this answer

Option C is correct because a user accessing large volumes of data unrelated to their job function is a classic behavioral anomaly indicating potential data exfiltration. This pattern often precedes an insider threat incident, as the user may be collecting sensitive information for unauthorized purposes, such as selling it or using it for personal gain. Security information and event management (SIEM) systems typically flag such access based on deviations from baseline user behavior, triggering further investigation.

Exam trap

The trap here is that candidates often confuse external attack indicators (like failed logins or malicious domain traffic) with insider threat indicators, failing to recognize that insider threats are characterized by anomalous internal behavior, not external network events.

16
MCQ · easy

An organization wants to ensure that its security program aligns with business objectives. Which activity is most important?

A. Regularly meeting with business unit leaders to understand needs and risks.
B. Conducting vulnerability scans twice a year.
C. Developing a security awareness campaign.
D. Purchasing an advanced threat detection system.
Answer: A

Direct engagement ensures security supports business objectives.

Why this answer

Engaging business units ensures that security priorities support strategic goals and are integrated into operations.

17
MCQ · hard

You are the incident response manager for a financial services company. The company has a hybrid infrastructure with on-premises servers and cloud services. At 2:00 AM, the SIEM generates a critical alert: a database server in the DMZ is communicating with a known malicious IP address on port 443. The server contains customer PII. The on-call security analyst reports that the server is running and the connection is active. The incident response plan states that any confirmed compromise of PII must be reported to the regulator within 72 hours. You have the following options: A) Immediately isolate the server by disconnecting it from the network, then begin forensic analysis. B) Shut down the server to preserve evidence and prevent data exfiltration. C) Copy the server's disk over the network for forensic analysis before taking any action. D) Leave the server connected to gather more intelligence about the attacker's actions, but block only the malicious IP at the firewall. Which option is the BEST course of action?

A. Isolate the server immediately
B. Shut down the server
C. Copy the disk over the network
D. Block the malicious IP and monitor the server
Answer: D

This stops the exfiltration while allowing observation of other activities.

Why this answer

Option D is the best course of action because it balances the need to stop the immediate data exfiltration threat with the preservation of forensic evidence and the regulatory requirement to report a PII breach within 72 hours. By blocking only the malicious IP at the firewall, you sever the active command-and-control (C2) channel on port 443 while keeping the server running, which allows you to collect volatile data (e.g., memory, active processes, network connections) and perform live forensics without destroying evidence. This approach also avoids the loss of critical evidence that would occur with a hard shutdown or isolation, and it provides time to confirm the scope of the compromise before the 72-hour clock starts for regulatory reporting.

Exam trap

ISACA often tests the misconception that shutting down or isolating a server immediately is always the safest action, but in reality this destroys volatile evidence and can violate forensic chain-of-custody requirements, making Option D the correct balance between containment and evidence preservation.

How to eliminate wrong answers

Option A is wrong because immediately isolating the server by disconnecting it from the network will sever the active C2 channel but also destroy volatile evidence (e.g., memory contents, active network connections) and may trigger anti-forensic mechanisms in the malware, such as self-deletion or encryption of logs. Option B is wrong because shutting down the server (power-off) will cause loss of volatile memory (RAM), which often contains encryption keys, active malware processes, and network session data critical for understanding the attacker's actions; it also risks damaging the integrity of the disk if the malware has write-caching or pending writes. Option C is wrong because copying the disk over the network while the server is actively compromised could alert the attacker to your actions, may fail if the malware interferes with network file transfers, and does not address the immediate data exfiltration risk: the malicious IP is still active and the connection is ongoing.

18
MCQ · easy

An organization's security program includes a risk assessment process. Which step should be performed FIRST?

A. Identify assets and their value
B. Calculate the level of risk
C. Establish the risk assessment context
D. Determine the likelihood of threats
Answer: C

Setting the scope, objectives, and criteria is the initial step in risk assessment.

Why this answer

Option C is correct because establishing context (scope, criteria, and risk appetite) must precede the other steps. Option A is wrong because asset identification comes after context. Option D is wrong because likelihood is assessed after identification.

Option B is wrong because calculation comes later.

19
MCQ · medium

Which of the following best describes the primary purpose of an Information Security Program?

A. To reduce the number of security incidents to zero.
B. To ensure compliance with all relevant laws and regulations.
C. To align security efforts with business objectives and manage risk.
D. To implement technical security controls across all systems.
Answer: C

Why this answer

The primary purpose of an Information Security Program is to align security efforts with business objectives and manage risk to an acceptable level. This ensures that security investments and activities directly support the organization's mission, rather than operating in isolation. A program focused solely on compliance or technical controls may fail to address the dynamic risk landscape and business needs.

Exam trap

The trap here is that candidates often mistake compliance (Option B) for the primary goal, but CISM emphasizes that compliance is a subset of risk management, and the program's core purpose is to enable business objectives by managing risk, not just to satisfy auditors.

Why the other options are wrong

A. Zero incidents is unrealistic; the program aims to manage risk, not eliminate all incidents.

B. Compliance is part of the program but not the primary purpose; the program should support business goals.

D. Technical controls are a component, but the program includes governance, policies, and processes.

20
Multi-Select · hard

Which THREE characteristics indicate a higher maturity level in a security program maturity model?

Select 3 answers
A. Reactive approach to incidents
B. Continuous improvement
C. Automated security controls
D. Ad hoc processes
E. Quantitative performance metrics
Answers: B, C, E

Mature programs regularly refine processes based on lessons learned.

Why this answer

Options B, C, and E are correct. Continuous improvement, quantitative metrics, and automated controls are hallmarks of mature processes. Option D is wrong because ad hoc processes indicate low maturity.

Option A is wrong because a reactive approach indicates low maturity.

21
Multi-Select · hard

Which THREE of the following are common challenges in implementing an information security program across a large enterprise?

Select 3 answers
A. Cultural resistance to security controls from business units.
B. Overreliance on automated security tools.
C. Inconsistent enforcement of security policies across subsidiaries.
D. Lack of security awareness training for end users.
E. Legacy systems that cannot be patched or upgraded.
Answers: A, C, E

Often seen when security is perceived as hindering productivity.

Why this answer

The correct answers are A, C, and E. Option A (cultural resistance to security controls) is common. Option E (legacy systems that cannot be patched) is a technical challenge.

Option C (inconsistent enforcement across subsidiaries) reflects governance issues. Option D (lack of security awareness training) is a symptom rather than an implementation challenge per se; training can be provided. Option B (overreliance on automated tools) is less common.

22
MCQ · easy

A small marketing firm with 50 employees experiences a ransomware attack. The IT administrator quickly isolates the infected workstations by disconnecting them from the network. The company has a backup strategy that performs nightly backups to an on-premises NAS device. The administrator restores the affected systems from the most recent backup, but some files remain encrypted. The users report that the backups from the last two days show corruption as well. The firm does not have a formal incident response plan. The owner is anxious to get back to work and asks the administrator what to do next. What should the administrator do?

A. Restore from an older backup taken before the infection
B. Contact law enforcement immediately
C. Pay the ransom to get the decryption key
D. Run a full antivirus scan on the restored systems
Answer: A

Older backups are likely unencrypted and can be restored after verifying integrity.

Why this answer

Restoring from an older backup (taken before the ransomware infection occurred) is the most likely way to get clean data. Paying the ransom is not recommended, as it encourages attackers and there is no guarantee of recovery. Contacting law enforcement is a good step but not the immediate technical solution.

Running an antivirus scan is insufficient for decryption.

23
MCQ · medium

Given the exhibit, what is the MOST appropriate action for the information security manager?

A. Request board approval to accept the risk level
B. Declare a security crisis and mobilize incident response
C. Escalate to the board for immediate decision
D. Implement the action plan to reduce KRI value
Answer: D

Yellow status needs management action as planned.

Why this answer

Option D is correct because the KRI is in the yellow zone (5-10%) and requires management attention and accelerated patching. Option C is wrong because escalation is for red status. Option B is wrong because immediate crisis response is for critical issues.

Option A is wrong because board approval for acceptance is for risks that exceed appetite, but here the risk is within tolerance.

24
MCQ · easy

An information security manager is developing a security strategy for a financial institution. Which of the following should be the PRIMARY driver for selecting security controls?

A. The latest cybersecurity threats reported in the industry.
B. Past security incidents that caused significant financial loss.
C. Business requirements derived from risk assessment and compliance obligations.
D. The security budget allocated for the fiscal year.
Answer: C

Controls must align with business needs and risk appetite.

Why this answer

Business requirements derived from risk assessment and compliance obligations are the primary driver because they directly align security controls with the institution's specific risk appetite, regulatory mandates (e.g., PCI DSS, SOX, GDPR), and operational needs. This ensures controls are cost-effective and prioritized based on actual exposure rather than reactive or budget-driven decisions.

Exam trap

The trap here is that candidates often pick 'past security incidents' (Option B) because it feels intuitive, but CISM emphasizes a proactive, risk-based governance approach where business requirements and compliance drive control selection, not historical events or budget constraints.

How to eliminate wrong answers

Option A is wrong because focusing solely on the latest cybersecurity threats can lead to chasing trends and implementing controls that do not address the institution's unique risk profile, resulting in wasted resources and potential gaps. Option B is wrong because past incidents, while informative, represent a reactive approach that may not cover emerging or not-yet-experienced risks, and can over-prioritize controls for rare events while ignoring systemic vulnerabilities. Option D is wrong because letting the security budget dictate control selection can result in underfunding critical areas or over-investing in low-priority controls, bypassing the risk-based prioritization that governance frameworks require.

25
MCQ · hard

Refer to the exhibit. This error log indicates a failure in which component of information security governance?

A. Policy enforcement
B. Access control
C. Segregation of duties
D. Audit trail
Answer: B

The user lacks the necessary permissions, indicating an access control issue.

Why this answer

The error shows that a user lacks the privileges to update a policy, indicating a breakdown in access control. Option C (segregation of duties) is about dividing tasks to prevent fraud, not about insufficient privileges. Option A (policy enforcement) is broader and refers to compliance with policies, not updating them.

Option D (audit trail) is about logging, which is functioning, since the error was logged.

26
MCQ · hard

You are the information security manager for a mid-sized e-commerce company with 500 employees. The company recently experienced a data breach in which an attacker exploited a vulnerability in a third-party payment processing API, resulting in the exposure of 10,000 customer credit card numbers. The breach was detected by an external forensics team 90 days after the initial compromise. The board is concerned about the company's ability to detect and respond to incidents. Currently, the company has a part-time security team of three people who focus on firewall management and antivirus updates. There is no formal incident response plan, and security monitoring is limited to basic log review once a week. The CISO has asked you to recommend a course of action to improve the security posture, with a focus on governance and oversight. Which of the following is the BEST course of action?

A. Immediately implement a PCI DSS compliance program to ensure all payment data handling meets industry standards.
B. Develop and implement an incident response plan, establish a security operations center (SOC) with 24/7 monitoring, and define clear roles and responsibilities.
C. Purchase and deploy a next-generation firewall and endpoint detection and response (EDR) tools across the network.
D. Outsource all security operations to a managed security service provider (MSSP) with a focus on threat intelligence.
Answer: B

This addresses governance, detection, and response holistically.

Why this answer

Option B is correct because the core governance issue is the lack of a formal incident response plan and adequate monitoring. Establishing a SOC with 24/7 monitoring directly addresses the 90-day detection gap, while defining roles and responsibilities ensures accountability and oversight, which are key governance principles. This approach aligns with the CISM focus on establishing processes and oversight rather than just deploying technology.

Exam trap

The trap here is that candidates often choose a technology-focused answer (like C or D) because it seems more concrete, but the CISM exam emphasizes that governance and oversight (such as having a formal plan and defined roles) must come before technology investments to ensure effective security management.

How to eliminate wrong answers

Option A is wrong because PCI DSS compliance is a standard for handling payment card data, but it does not directly address the lack of incident detection and response capabilities; it focuses on preventive controls and data security, not on governance of incident response. Option C is wrong because purchasing next-generation firewalls and EDR tools is a tactical, technology-centric solution that does not establish the governance framework, incident response plan, or monitoring processes needed to detect and respond to breaches in a timely manner. Option D is wrong because outsourcing to an MSSP without first having an internal incident response plan and defined roles can lead to a lack of ownership and oversight; it shifts responsibility but does not fix the governance gap, and the board's concern is about the company's own ability to detect and respond.

27
MCQmedium

During an incident investigation, the forensic analyst discovers that a malware sample communicates with an external IP address. The organization's incident response plan requires a decision on whether to block the IP at the firewall. What should the incident response team do FIRST?

A.Monitor the connection further without taking action.
B.Block the IP address immediately to prevent data exfiltration.
C.Notify law enforcement about the IP address.
D.Check threat intelligence feeds to confirm maliciousness.
AnswerD

Verification through threat intelligence ensures the action is justified.

Why this answer

Option D is correct because the incident response team must first validate the maliciousness of the IP address using threat intelligence feeds before taking any irreversible action. Blocking an IP without confirmation could disrupt legitimate business operations or tip off an attacker, and the CISM framework emphasizes evidence-based decision-making during incident response.

Exam trap

The trap here is that candidates often choose 'Block the IP immediately' (Option B) because they equate speed with effective containment, but CISM stresses that containment actions must be risk-informed and validated to avoid collateral damage and legal liability.

How to eliminate wrong answers

Option A is wrong because passively monitoring a confirmed malware communication without action risks ongoing data exfiltration and violates the principle of timely containment. Option B is wrong because immediately blocking the IP without verification could cause a denial of service to legitimate services hosted on that IP (e.g., a shared CDN or cloud provider) and may destroy forensic evidence of the C2 channel. Option C is wrong because notifying law enforcement is premature before internal validation and containment; law enforcement notification typically occurs after the organization has confirmed maliciousness and secured its own evidence chain.

28
MCQmedium

An organization is developing an information security program for a new subsidiary. Which approach BEST ensures that the subsidiary's program complements the parent's?

A.Replicate the parent's policies exactly
B.Adopt a recognized international standard such as ISO 27001
C.Perform a separate risk assessment for the subsidiary
D.Outsource security management to a third party
AnswerB

A common standard facilitates interoperability and consistency across entities.

Why this answer

Option B is correct because adopting a recognized international standard like ISO 27001 provides a common framework that can be tailored, ensuring consistency while allowing for local adaptation. Option A is wrong because exact replication may not fit. Option C is wrong because separate assessments may create divergence.

Option D is wrong because outsourcing does not ensure that the two programs complement each other.

29
MCQeasy

During an incident, the CIRT leader decides to contain a compromised server by disconnecting it from the network. However, this action may result in loss of volatile forensic data. What should the CIRT leader do?

A.Proceed with disconnection immediately to prevent further damage
B.Keep the server connected but block all inbound/outbound traffic
C.Perform a full disk imaging before disconnection
D.Collect volatile data (memory, processes) before disconnecting
AnswerD

This preserves forensic evidence while allowing containment.

Why this answer

Option D is correct because volatile data (e.g., memory contents, running processes, network connections) is lost when power is removed or the network interface is disabled. The CIRT leader must follow the order of volatility (RFC 3227) and capture this data first to preserve forensic evidence before containment actions that alter the system state.

Exam trap

The trap here is that candidates may prioritize containment speed (Option A) over forensic preservation, forgetting that volatile data is irrecoverable once the system is powered off or disconnected.

How to eliminate wrong answers

Option A is wrong because immediate disconnection destroys volatile evidence (e.g., memory, active network sessions) that may be critical for attribution and root cause analysis. Option B is wrong because blocking all traffic does not prevent the server from being remotely wiped or overwritten by an attacker, and it still risks loss of volatile data if the system crashes or is shut down. Option C is wrong because full disk imaging captures only non-volatile data; volatile data (e.g., RAM, process list) must be collected separately before any power-off or disconnection.

30
MCQeasy

A security manager is developing a new information security program for a mid-sized company. Which of the following should be the FIRST step?

A.Implement technical controls
B.Conduct a risk assessment
C.Purchase security tools
D.Develop security policies
AnswerB

A risk assessment identifies threats, vulnerabilities, and impacts, guiding the security program's priorities.

Why this answer

Option B is correct because a risk assessment is the foundational step to identify threats and vulnerabilities before designing controls. Option A is premature without understanding risks. Option C is incorrect because purchasing tools should follow risk assessment.

Option D is incorrect because policies should be based on risk assessment results.

31
MCQhard

Refer to the exhibit. Based on the exhibit, what is the security implication of this S3 bucket policy?

A.Denies all access except from 10.0.0.0/8
B.Allows only users from 10.0.0.0/8 to read and write
C.Allows any authenticated user to read and write objects
D.Allows any user from internal network to read objects, but any user can write objects from anywhere
AnswerD

The first statement restricts reads to the internal IP range, but the second statement has no IP restriction, allowing writes globally.

Why this answer

The policy allows GetObject only from the internal IP range (10.0.0.0/8), but PutObject is allowed from any IP without restriction. This means anyone on the internet can write objects to the bucket. Option D is correct.

32
Multi-Selectmedium

Which TWO are essential elements of an information security program?

Select 2 answers
A.Vulnerability scanning tools
B.Risk management process
C.Network firewall
D.Security awareness training
E.Incident response plan
AnswersD, E

Education is a key element of a security program.

Why this answer

Security awareness training and incident response plan are core program components. Risk management is also critical but not listed as correct here per question design. Options D and E are correct.

Option A is a tool, not an element. Option B is fundamental but we need exactly two; awareness and incident response are both essential. Option C is a technology control.

33
MCQeasy

An organization's security governance committee has approved a new security policy. What is the NEXT critical step to ensure the policy's effectiveness?

A.Implement technical controls to enforce the policy.
B.Conduct an audit to measure compliance.
C.Communicate the policy to all relevant stakeholders and provide training.
D.Enforce disciplinary actions for non-compliance.
AnswerC

Awareness and understanding are prerequisites for compliance.

Why this answer

Option C is correct because communication and training are essential for adoption. Option A is wrong because implementation without communication leads to non-compliance. Option B is wrong because auditing before implementation is premature.

Option D is wrong because enforcement without understanding is ineffective.

34
MCQhard

An organization's risk management policy requires a quantitative risk assessment for all new projects. The project team estimates that a data breach could occur once every 5 years with an average loss of $2 million. What is the annualized loss expectancy (ALE)?

A.$400,000
B.$10,000,000
C.$500,000
D.$2,000,000
AnswerA

ALE = $2,000,000 * 0.2 = $400,000.

Why this answer

Option A is correct: ALE = SLE x ARO, where SLE = $2M and ARO = 1/5 = 0.2, so ALE = $400,000. Option B is wrong because it multiplies the SLE by the 5-year interval instead of by the ARO of 0.2. Options C and D are incorrect calculations.

35
Multi-Selecthard

An organization suspects a data breach. Which two actions should the incident response team take before notifying affected customers? (Choose two.)

Select 2 answers
A.Determine the root cause of the breach.
B.Confirm that the breach actually occurred.
C.Implement full remediation.
D.Consult with legal counsel regarding notification obligations.
E.Assess the impact on affected individuals.
AnswersB, E

Correct: Essential before any notification.

Why this answer

Options B and E are correct because confirming the breach occurred and assessing the impact on affected individuals are prerequisites for notification. Root cause and remediation can follow, and legal consultation is important but often done in parallel.

36
MCQmedium

A company is restructuring its security governance due to rapid growth. The CISO reports to the CIO. What is the PRIMARY risk of this reporting structure?

A.Compliance with regulations may become difficult
B.The security budget may be insufficient
C.Cooperation between IT and security may decrease
D.Security objectives may be overridden by IT operational goals
AnswerD

Conflict of interest reduces independence.

Why this answer

Option D is correct because security performance may be subordinated to IT operational priorities. Option B is wrong because budget control may exist but is secondary. Option A is wrong because compliance is not directly affected.

Option C is wrong because cooperation can still exist.

37
Multi-Selecthard

Which THREE of the following are essential components of an information security risk management framework?

Select 3 answers
A.Incident response planning
B.Risk identification
C.Compliance auditing
D.Risk assessment
E.Risk treatment
AnswersB, D, E

First step in risk management.

Why this answer

Options B, D, and E are correct as risk identification, assessment, and treatment are core processes. Option A is wrong because incident response is part of security operations, not the risk management framework itself (though related). Option C is wrong because compliance auditing is a separate assurance activity.

38
MCQmedium

During a ransomware incident, the incident response team identifies that the encryption process is still ongoing. The CISO decides to isolate affected systems to prevent further spread. Which of the following is the MOST appropriate next step?

A.Disconnect all network cables to stop the encryption.
B.Contact law enforcement before any internal actions.
C.Restore systems from the most recent backup immediately.
D.Preserve forensic evidence before taking any recovery actions.
AnswerD

Preserving evidence ensures that the incident can be investigated properly.

Why this answer

Option D is correct because preserving forensic evidence is critical before any recovery actions, especially during an ongoing ransomware incident. The encryption process may still be active, and taking immediate recovery steps (like disconnecting cables or restoring backups) could destroy volatile data (e.g., encryption keys in memory, process artifacts, network connections) that are essential for understanding the attack vector, identifying the ransomware variant, and supporting legal or law enforcement actions. The CISO's decision to isolate systems helps contain the spread, but the next priority must be evidence preservation to ensure a thorough investigation and potential prosecution.

Exam trap

The trap here is that candidates often confuse immediate containment (disconnecting cables) with the forensic imperative to preserve volatile evidence, leading them to choose Option A, but CISM emphasizes that evidence preservation takes precedence over hasty recovery actions during an active incident.

How to eliminate wrong answers

Option A is wrong because disconnecting all network cables (a hard power-off or network isolation) can destroy volatile forensic evidence in memory (e.g., encryption keys, running processes, network connections) and may leave systems in an inconsistent state, potentially complicating decryption or recovery. Option B is wrong because contacting law enforcement before any internal actions is not the most appropriate immediate step; while law enforcement should be notified eventually, the priority during an active incident is to contain and preserve evidence, not to delay internal response for external notification. Option C is wrong because restoring systems from the most recent backup immediately, while the encryption is still ongoing, could reintroduce the ransomware if the backup is compromised or if the encryption process is not fully halted, and it also risks overwriting valuable forensic data that could identify the attack's origin.

39
MCQmedium

A large e-commerce company detects a sophisticated attack that has compromised a web application server. The server contains customer payment card information. The incident response team is activated. During triage, the team discovers that the attacker has gained administrative access and installed a backdoor. The company's public relations department wants to issue a press release as soon as possible to maintain customer trust. Legal counsel advises that the breach must be reported to regulators within 72 hours. The technical team is working on containment. What is the MOST important priority for the incident manager at this point?

A.Conduct a thorough forensic investigation to determine the full extent of the breach before taking action.
B.Immediately report the breach to regulators to comply with the 72-hour requirement.
C.Focus on containing the breach and eradicating the threat before any disclosure.
D.Authorize the press release to manage public perception.
AnswerC

Containment stops further damage; communication follows.

Why this answer

Option C is correct because containment and eradication take precedence over communication and reporting. A premature press release (D) could cause panic and legal issues. Regulatory reporting (B) can be done after containment.

A full forensic investigation (A) can delay containment.

40
MCQmedium

After containing an incident, the incident response team is ready to proceed. According to NIST SP 800-61, what is the next phase?

A.Communication
B.Recovery
C.Eradication
D.Lessons Learned
AnswerC

Correct: Eradication removes the threat from the environment.

Why this answer

Option C is correct because NIST's incident response lifecycle includes Eradication after Containment. Recovery and Lessons Learned come later, and Communication occurs throughout.

41
MCQmedium

An information security manager is developing a program metric to report to senior management. Which metric best demonstrates the effectiveness of the information security program?

A.Number of security incidents reported
B.Percentage of systems with up-to-date patches
C.Mean time to detect (MTTD) security incidents
D.Number of security awareness training sessions held
AnswerC

Why this answer

Mean time to detect (MTTD) is a key indicator of detection capability, directly reflecting program effectiveness. Senior management cares about how quickly threats are identified.

Exam trap

Number of security incidents is often chosen, but it doesn't indicate effectiveness; a high number could mean better detection.

Why the other options are wrong

A

Does not show effectiveness; could indicate increased reporting.

B

Operational metric, not strategic for senior management.

D

Activity metric, not outcome-based.

42
MCQhard

An incident has been declared involving a ransomware attack that encrypted critical servers. The organization has backups, but the backups were also encrypted. Which of the following is the BEST course of action?

A.Analyze the ransomware to find a decryptor
B.Rebuild the servers from clean images
C.Restore from offline backups
D.Pay the ransom to obtain decryption key
AnswerB

Rebuilding from clean system images ensures a secure, malware-free environment; data may need to be restored from alternate sources.

Why this answer

Since backups are compromised, rebuilding servers from clean images ensures a known good state. Paying the ransom is not recommended, and analyzing the ransomware may not yield a timely decryptor. Option B is correct.

43
Matchingmedium

Match each security role to its primary responsibility.


Senior executive responsible for security strategy

Oversees daily security operations and team

Designs security infrastructure and controls

Evaluates compliance and effectiveness of controls

Executes incident response procedures

Why these pairings

Roles in an information security program.

44
MCQhard

A security program manager is reviewing the results of a recent internal audit that identified several security gaps. The manager must prioritize remediation efforts. Which factor should be given the MOST weight?

A.Likelihood of exploitation
B.Business impact of the vulnerability
C.Availability of compensating controls
D.Cost of remediation
AnswerB

Impact determines potential harm to the organization and guides prioritization.

Why this answer

Option B is correct because business impact (potential financial, reputational, or operational damage) is the primary driver for prioritization. Option D is a constraint, not a priority factor. Option A is important, but impact often outweighs likelihood.

Option C may reduce urgency but does not replace impact.

45
MCQeasy

Given the exhibit, what is the MOST significant governance gap in the described architecture?

A.Weak authentication for remote access
B.No defined security governance board or oversight mechanism
C.Insufficient physical security in data centers
D.Lack of intrusion detection for internal traffic
AnswerB

Architecture lacks governance structure; roles and accountabilities not defined.

Why this answer

Option B is correct because the architecture description does not indicate a defined ownership or governance layer for the security controls. Option A is wrong as MFA is there. Option C is wrong as physical controls exist.

Option D is wrong as monitoring exists. The gap is governance oversight, not technical.

46
MCQmedium

An organization calculates that the single loss expectancy (SLE) for a server failure is $10,000, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A.$5,000
B.$10,000
C.$20,000
D.$2,500
AnswerA

Calculation: $10,000 × 0.5 = $5,000.

Why this answer

Option A is correct because ALE = SLE × ARO = $10,000 × 0.5 = $5,000. Option B is wrong because it is the SLE alone, with no ARO applied. Option C is wrong because it divides by the ARO instead of multiplying.

Option D is wrong because it uses an arbitrary factor.

47
Multi-Selecthard

Which TWO criteria should an organization use to prioritize incidents during triage?

Select 2 answers
A.Number of users affected
B.Time of detection
C.Potential business impact
D.Skill level of the responding analyst
E.Sensitivity of the data involved
AnswersC, E

Business impact directly influences priority.

Why this answer

Options C and E are correct: business impact and data sensitivity are key factors. Option B is wrong because the time of detection does not inherently define priority. Option D is wrong because the skill of the analyst is not a triage criterion.

Option A is wrong because the number of affected users is a proxy, but business impact is more holistic.

48
MCQeasy

Which of the following is the PRIMARY responsibility of a steering committee in an information security program?

A.Approving individual security policies
B.Providing strategic direction and oversight
C.Conducting vulnerability assessments
D.Implementing security controls
AnswerB

Why this answer

The steering committee's primary role is to provide strategic direction and oversight for the information security program, ensuring alignment with business objectives and risk appetite. This includes approving the overall security strategy, budget, and major initiatives, rather than engaging in operational tasks like policy drafting or technical assessments.

Exam trap

The trap here is that candidates confuse the steering committee's strategic oversight role with the tactical or operational duties of other roles, such as the CISO or security analysts, leading them to select options like approving policies or conducting assessments.

Why the other options are wrong

A

Policy approval is an operational task, not the primary strategic role of the steering committee.

C

Technical assessments are performed by operational teams, not the steering committee.

D

Implementation is an operational responsibility, not a steering committee function.

49
MCQhard

An organization has multiple business units with different risk tolerances. How should the security program address this?

A.Develop risk-based security policies for each business unit
B.Apply a single enterprise-wide security policy
C.Define a minimum baseline and allow units to exceed it
D.Decentralize security management to each unit
AnswerA

Tailored policies align with varying risk tolerances.

Why this answer

Risk-based policies per unit allow customization to each unit's risk appetite while maintaining overall governance. Option A is correct. Option B imposes a one-size-fits-all policy.

Option C may not be sufficient for high-risk units. Option D lacks central coordination.

50
MCQmedium

A multinational corporation is establishing an information security governance framework. The board has approved a top-down approach where security policies are created at the corporate level and adapted locally. Which of the following is a key benefit of this approach?

A.It allows each subsidiary to develop security policies that best fit their local legal environment.
B.It reduces the time required to implement security policies across the entire organization.
C.It minimizes the need for local security teams to understand the corporate strategy.
D.It ensures a consistent baseline of security controls while allowing for local regulatory adjustments.
AnswerD

This balances uniformity with flexibility.

Why this answer

Option D is correct because consistent baseline policies ensure minimum security across all units, while local adaptation allows for regulatory compliance. Option A is wrong because fully local policy development may reduce consistency. Option B is wrong because reduced time to enforce the baseline is not the key benefit of this approach.

Option C is wrong because local teams still have some autonomy.

51
Multi-Selecteasy

Which TWO of the following are key components of an information security risk assessment? (Choose two.)

Select 2 answers
A.Threat identification
B.Security policy development
C.Incident response planning
D.Control implementation
E.Asset identification
AnswersA, E

Threats must be identified to assess risk.

Why this answer

Options A and E are correct because risk assessment involves asset identification and threat identification. Option D is incorrect because control implementation is risk treatment, not assessment. Option C is incorrect because incident response planning is post-event.

Option B is incorrect because policy development is governance.

52
MCQeasy

A user reports that their computer is behaving oddly, and an IT technician finds a suspicious file in the startup folder. The technician is not sure if this is an incident. What should the technician do FIRST?

A.Document the findings and continue monitoring
B.Escalate to the security team
C.Run an antivirus scan
D.Delete the suspicious file
AnswerB

Escalating ensures proper handling and investigation by security professionals.

Why this answer

When unsure, the best practice is to escalate to the security team to investigate further. Deleting the file could destroy evidence, and scanning may not be sufficient. Option B is correct.

53
MCQhard

Based on the exhibit, what is the MOST likely issue?

A.A system is infected with malware that is beaconing to a command and control server.
B.A user is streaming video from a legitimate site.
C.A software update is being downloaded from an external site.
D.A network scan is being performed from the internal IP.
AnswerA

The combination of IDS alert and periodic connections is indicative of C2 activity.

Why this answer

The IDS alert indicates a malware beacon, and the firewall log shows periodic outbound connections to an external IP, which is typical of command and control traffic.

54
Multi-Selecteasy

When establishing an information security program, which TWO of the following are key components of governance?

Select 2 answers
A.Security awareness training
B.Vulnerability management
C.Steering committee
D.Security policies
E.Incident response plan
AnswersC, D

A steering committee provides strategic direction and oversight.

Why this answer

Options C and D are correct. Security policies (D) define the framework, and a steering committee (C) provides oversight and alignment. Options A, B, and E are operational components, not governance.

55
MCQhard

An information security manager reviews the suspicious activity log shown in the exhibit. The payroll file is supposed to be encrypted and only accessible internally. What is the MOST likely cause for the failed download?

A.The user's encryption certificate has expired
B.The file was not encrypted before being uploaded
C.The user lacked permission to decrypt the file
D.The external IP is blocked by the firewall
AnswerC

The 'Encryption key not found' error implies the user does not have the decryption key, likely due to insufficient permissions.

Why this answer

Option C is correct because the status 'Encryption key not found' indicates that the user does not have the necessary decryption key, likely due to lack of permission. Option A is wrong because certificate expiry would show a different error. Option B is wrong because if the file were not encrypted, it would download successfully.

Option D is wrong because if the external IP were blocked, the download would not initiate.

56
Multi-Selecthard

An organization is conducting a risk assessment for a new cloud-based HR system. Which THREE of the following are key considerations when evaluating the inherent risk?

Select 3 answers
A.Organization's risk appetite
B.Likelihood of threat actors targeting the system
C.Effectiveness of existing security controls
D.Sensitivity of the data stored and processed
E.Ease of exploiting vulnerabilities in the system
AnswersB, D, E

Threat likelihood is a core component of inherent risk.

Why this answer

Inherent risk is the risk level before any security controls are applied. When evaluating inherent risk for a new cloud-based HR system, the likelihood of threat actors targeting the system (B) is a key factor because it directly influences the probability of a risk event occurring, independent of any existing or planned controls. This assessment considers the system's exposure, attractiveness to attackers, and the threat landscape specific to cloud HR platforms.

Exam trap

ISACA often tests the distinction between inherent risk and residual risk, trapping candidates who confuse control effectiveness (C) or risk appetite (A) as factors in inherent risk evaluation.

57
MCQmedium

During a security assessment, an organization discovers that its patch management process is not consistently applied across all systems. Which of the following controls would best address this deficiency as part of the information security program?

A.Require all system administrators to manually approve patches before deployment.
B.Increase the frequency of vulnerability scans to weekly.
C.Conduct additional security awareness training for system administrators.
D.Implement a configuration management database (CMDB) linked to an automated patch deployment tool.
AnswerD

CMDB provides system inventory; automation ensures consistent patching.

Why this answer

Option D is correct because a configuration management database (CMDB) linked to automated patching ensures consistent application. Option A (manual patch approval) is slow and error-prone. Option B (weekly vulnerability scans) detects but does not fix.

Option C (security awareness training) is unrelated to patching.

58
MCQhard

A global financial services firm uses a Monte Carlo simulation model to quantify the potential financial impact of cyber events. The model inputs include historical loss data, threat intelligence, and control effectiveness. Over the past year, the model has consistently underestimated actual losses by an average of 40%. The risk manager suspects model risk but the quantitative team argues the model is peer-reviewed. The board is concerned about the accuracy of risk reporting. What is the best course of action for the risk manager?

A.Perform a comprehensive model validation and sensitivity analysis
B.Increase the risk appetite to accommodate the underestimation
C.Replace the quantitative model with a qualitative risk assessment
D.Adjust the model parameters to align with observed losses
AnswerA

Correct; this identifies flaws in the model and ensures reliability.

Why this answer

Option A is correct because performing model validation and sensitivity analysis will help identify assumptions, data quality, or structural issues causing the underestimation. Option D is incorrect because simply adjusting parameters to match past incidents overfits and may not predict future losses accurately. Option C is incorrect because abandoning a quantitative model for a qualitative one may lose objectivity, though it could be considered if model risk cannot be reduced.

Option B is incorrect because increasing risk appetite does not address the model error; it could mask the problem.

59
MCQhard

An organization's security team detects an unusual spike in outbound traffic from a database server to an external IP address during a routine security scan. The database server contains sensitive customer data. Which of the following is the MOST appropriate initial response?

A.Notify the data protection officer and legal team.
B.Review firewall logs to confirm data exfiltration.
C.Run a full antivirus scan on the database server.
D.Isolate the database server from the network to stop the traffic.
AnswerD

Containment is a top priority to limit impact.

Why this answer

Isolating the database server is the most appropriate initial response because it immediately halts the suspected data exfiltration, containing the incident and preventing further loss of sensitive customer data. In incident management, the priority is to stop the active threat before performing any investigative or notification steps, as per the NIST SP 800-61 incident response lifecycle (Preparation, Detection & Analysis, Containment, Eradication & Recovery). Delaying containment to review logs or run scans allows the exfiltration to continue, increasing the potential damage.

Exam trap

The trap here is that candidates often confuse 'investigation' with 'response' and choose to review logs first (Option B), failing to recognize that in an active incident, containment must precede any forensic analysis to prevent further damage.

How to eliminate wrong answers

Option A is wrong because notifying the data protection officer and legal team is a post-containment step; performing notification before containment wastes critical time and does not stop the ongoing data loss. Option B is wrong because reviewing firewall logs to confirm data exfiltration is a forensic step that should occur after containment; waiting to confirm the exfiltration allows the malicious traffic to continue, potentially exfiltrating more data. Option C is wrong because running a full antivirus scan on the database server is a reactive, slow process that does not address the immediate network-level threat; the spike in outbound traffic indicates an active data transfer, not necessarily a virus, and scanning does not stop the traffic.

60
MCQeasy

An incident response plan (IRP) is being tested. Which metric is MOST indicative of the team's effectiveness during an exercise?

A.Total cost of the exercise
B.Number of tools used
C.Mean time to detect (MTTD)
D.Volume of logs generated
AnswerC

MTTD measures how quickly incidents are identified.

Why this answer

Option C is correct because mean time to detect is a key performance indicator of the team's detection capability; in an exercise it is measured from the moment the injected event occurs to the moment the team recognises it. Option A is wrong because the cost of the exercise is not a performance metric. Option B is wrong because the number of tools used does not indicate effectiveness.

Option D is wrong because the volume of logs is not directly tied to response quality.

61
Multi-Selecthard

Which THREE are key components of an effective post-incident review?

Select 3 answers
A.Document lessons learned
B.Increase security budget
C.Assign blame
D.Update incident response plan
E.Determine root cause
AnswersA, D, E

Correct: Capturing what worked and what didn't drives future improvements.

Why this answer

Determining root cause, documenting lessons learned, and updating the incident response plan are the essential components: the review establishes what actually happened and why, records what worked and what did not, and feeds the corrections back into the plan, playbooks and controls. Option B is wrong because a budget increase may be one outcome of a review but is not a component of it. Option C is wrong because assigning blame discourages honest reporting and defeats the purpose of the review.

62
MCQeasy

An information security manager is developing a security scorecard for the board. Which of the following should be included to BEST demonstrate governance performance?

A.Total number of security incidents this quarter
B.Percentage of systems patched within 30 days
C.Employee security training completion rate
D.Number of risk acceptances approved vs. rejected
AnswerD

Directly reflects governance and risk appetite.

Why this answer

Option D is correct because tracking risk acceptances approved versus rejected shows how the board's risk appetite is being applied in practice, which is a governance outcome. Option A is wrong because the incident count is a reactive operational measure. Option B is wrong because the patch rate is an operational metric.

Option C is wrong because training completion measures awareness activity, not governance.

63
MCQhard

Given the exhibit output from a web server, which connection is MOST suspicious and likely indicates a command-and-control (C2) channel?

A.Connection to 10.0.0.1:54321
B.The listening socket on port 443
C.Connection to 203.0.113.5:44333
D.Connection to 10.0.0.2:54322
AnswerC

External IP with non-standard high port, common for C2.

Why this answer

Connection to 203.0.113.5:44333 is the most suspicious because it is an outbound session from the web server to an address outside the organization's private address space (203.0.113.0/24 is an RFC 5737 documentation range, standing in here for any public address), on a port that is neither a well-known web port nor associated with any expected service. A web server normally accepts inbound connections on 80 and 443 and initiates few outbound connections of its own (to internal databases, update mirrors or log collectors, for example); an established session to an arbitrary external host on an arbitrary high port fits the profile of a beacon or reverse shell. The exhibit is presumably a netstat or ss listing in which this entry stands out as the anomaly. In practice the next checks are which process owns the socket (netstat -p or ss -tp), whether the destination appears in threat intelligence, and what the egress firewall logs show for the session's duration and volume.

Exam trap

The trap here is that candidates may focus on the high port numbers (54321, 54322) as suspicious, but the key differentiator is the external IP address versus internal RFC 1918 addresses, which is a classic C2 indicator.

How to eliminate wrong answers

Option A is wrong because 10.0.0.1 is a private RFC 1918 address; a high port on an internal peer commonly belongs to an internal client or service session (for example the peer's ephemeral port on a connection it initiated) and is not by itself a C2 indicator. Option B is wrong because a listening socket on port 443 is standard for an HTTPS web server and is expected behaviour, not a C2 channel. Option D is wrong for the same reason as Option A: 10.0.0.2:54322 is an internal address on a high port, which could be a legitimate internal service or database connection and lacks the external destination that characterises a C2 channel.
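The triage described above can be automated over a socket listing. The following is an added example (not part of the question bank) that parses netstat-style output, skips inbound sessions on the server's own listeners and connections to RFC 1918 peers, and flags established outbound sessions to non-private addresses on ports other than 80 and 443. The sample listing, the expected-port allowlist and the listener set are constructed assumptions. It deliberately avoids Python's ipaddress is_private property because that property also treats the RFC 5737 documentation ranges such as 203.0.113.0/24 as private, which would hide exactly the address the question is about.

```python
"""Flag likely C2 sessions in netstat/ss-style output.

Added example: an ESTABLISHED outbound connection to a non-RFC 1918 address on a
port that is not an expected web port is surfaced first for investigation.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumptions: ports this web server is expected to listen on and to reach out to.
EXPECTED_LISTENERS = {80, 443}
EXPECTED_REMOTE_PORTS = {80, 443}

# Explicit internal ranges. ipaddress.ip_address(x).is_private is NOT used because it
# also returns True for the RFC 5737 documentation ranges (e.g. 203.0.113.0/24).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in `netstat -ant` layout (not the exam exhibit).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:443        198.51.100.7:52100      ESTABLISHED
tcp        0      0 192.168.1.10:38122      10.0.0.1:54321          ESTABLISHED
tcp        0      0 192.168.1.10:38123      10.0.0.2:54322          ESTABLISHED
tcp        0      0 192.168.1.10:38124      203.0.113.5:44333       ESTABLISHED
"""


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int | None  # None for the '*' of a listening socket
    state: str


def parse_netstat(text: str) -> list[Socket]:
    """Parse the tcp/udp rows of netstat -ant output; header and blank lines are skipped."""
    sockets: list[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, foreign, state = parts[0], parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)
        rip, rport = foreign.rsplit(":", 1)
        sockets.append(Socket(proto, lip, int(lport), rip,
                              None if rport == "*" else int(rport), state))
    return sockets


def is_internal(ip: str) -> bool:
    """True for RFC 1918 and loopback addresses only."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_outbound(sockets: list[Socket],
                        expected_remote_ports=EXPECTED_REMOTE_PORTS,
                        listeners=EXPECTED_LISTENERS) -> list[str]:
    """Return 'ip:port' for established outbound sessions to external hosts on unexpected ports."""
    hits = []
    for s in sockets:
        if s.state != "ESTABLISHED":
            continue
        if s.local_port in listeners:
            continue  # a client talking to our listener: inbound, not outbound
        if is_internal(s.remote_ip):
            continue  # internal peer: review separately, not a C2 indicator on its own
        if s.remote_port in expected_remote_ports:
            continue  # ordinary outbound web call; still worth checking the destination
        hits.append(f"{s.remote_ip}:{s.remote_port}")
    return hits


if __name__ == "__main__":
    for hit in suspicious_outbound(parse_netstat(SAMPLE_NETSTAT)):
        print("investigate:", hit)  # next: owning process (ss -tp), egress logs, threat intel
```

The inbound session from 198.51.100.7 is skipped because its local port is the server's own listener; that distinction is what prevents every web client from showing up as an "external connection".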

64
Multi-Selecteasy

Which TWO of the following are key elements of an information security governance framework, as defined by COBIT?

Select 2 answers
A.Value delivery
B.Incident response
C.Resource management
D.Strategic alignment
E.Risk management
AnswersA, D

Governance should ensure that security investments deliver value to the organization.

Why this answer

Strategic alignment and value delivery are two of the five governance focus areas that ISACA draws from COBIT (strategic alignment, value delivery, risk management, resource management, performance measurement). Risk management and resource management are also focus areas, so this question is weakly framed; the answer key takes A and D as the two to select. Incident response is operational, not a governance element.

65
Multi-Selecteasy

Which THREE of the following are key phases of the incident management lifecycle according to NIST or ISO? (Choose three.)

Select 3 answers
A.Detection & Analysis
B.Encryption
C.Board reporting
D.Containment, Eradication & Recovery
E.Preparation
AnswersA, D, E

Preparation; Detection & Analysis; and Containment, Eradication & Recovery are three of the four NIST SP 800-61 phases.

Why this answer

Options A, D and E are correct because they are named phases of the NIST SP 800-61 lifecycle (the fourth is Post-Incident Activity); ISO/IEC 27035 describes a comparable sequence of plan and prepare, detection and reporting, assessment and decision, responses, and lessons learned. Option B is wrong because encryption is a control, not a phase. Option C is wrong because board reporting is a governance activity that may happen during post-incident activity but is not itself a lifecycle phase.

66
MCQhard

During a data breach investigation, the team discovers that an attacker exfiltrated data via encrypted HTTPS to a server abroad. Which forensic step is most critical?

A.Capture memory from the endpoint to find encryption keys
B.Analyze firewall logs for the connection
C.Decrypt the traffic using the server's private key
D.Trace the IP address to identify the attacker
AnswerA

Correct: Memory may contain the symmetric keys used for the HTTPS session.

Why this answer

Capturing memory from the endpoint may recover the session keys negotiated for the HTTPS connection (and key material of any attacker tooling still running), which is the only practical way to decrypt a recorded copy of the traffic and establish exactly what left the organization. This works only while the keys are still resident, so memory must be acquired before the host is powered off or the process terminated, and it presupposes that a packet capture of the session exists to decrypt. Option B is wrong because firewall logs confirm that the connection occurred and its volume, not what was transferred. Option C is wrong because with forward-secret key exchange (ECDHE, mandatory in TLS 1.3) the server's private key cannot decrypt recorded sessions, and the attacker's server key is not available in any case. Option D is wrong because attribution from an IP address is unreliable and does not help scope the breach.

67
MCQmedium

An organization's security steering committee meets quarterly but lacks decision-making authority. Projects are delayed due to lack of prioritization. What is the most effective improvement?

A.Increase meeting frequency to weekly
B.Outsource project prioritization to external consultants
C.Empower the committee with budget and resource allocation authority
D.Replace committee members with senior executives
AnswerC

This gives the committee the ability to prioritize and execute decisions.

Why this answer

Option C is correct because empowering the committee with authority over budget and resources directly addresses the root cause, which is the lack of decision-making power rather than the meeting cadence. Option A increases frequency but does not solve the authority issue. Option D changes personnel but not authority.

Option B outsources prioritization, which may not align with business needs.

68
Multi-Selecteasy

Which TWO of the following are primary objectives of a security awareness program?

Select 2 answers
A.Improve password sharing practices
B.Increase the security budget
C.Reduce the number of security incidents
D.Change employee security behavior
E.Ensure compliance with regulations
AnswersC, D

Reducing incidents is a direct outcome of effective awareness.

Why this answer

Options C and D are correct. Changing employee behavior and reducing security incidents are the core objectives of an awareness program. Option E is wrong because compliance is a benefit but not the primary objective.

Option B is wrong because increasing the budget is not an awareness objective. Option A is wrong because improving password sharing is counterproductive; the program should eliminate sharing.

69
MCQmedium

An organization has multiple security tools that generate alerts. The incident response team is overwhelmed by the volume of alerts. Which of the following is the BEST approach to manage this issue?

A.Increase the number of incident response staff.
B.Implement a security information and event management (SIEM) system.
C.Disable all low-priority alerts.
D.Implement alert triage and prioritization processes.
AnswerD

Triage and prioritization focus the team on the alerts that matter most and reduce alert fatigue.

Why this answer

Option D is correct because implementing triage and prioritization reduces alert fatigue by focusing on critical alerts: deduplicating repeats, suppressing documented false positives, and ranking what remains by severity and asset criticality. Option A is wrong because adding staff does not address the root cause and scales cost with noise. Option C is wrong because disabling alerts wholesale may hide real threats.

Option B is wrong because a SIEM is a tool that may still generate many alerts without a triage process behind it.
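One form of the triage process in Option D, as an added example that is not part of the question bank: alerts from several tools are keyed on (rule, host), dropped where a documented suppression entry exists, scored by severity times asset criticality, and bumped when more than one tool corroborates the same finding. The alert sample, the criticality table and the suppression list are constructed assumptions; in practice they come from the CMDB and the SOC's tuning records.

```python
"""Risk-based alert triage: dedupe, suppress, score, rank.

Added example. Scores are severity weight x asset criticality, with a bonus when
independent tools report the same (rule, host) pair.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumption: asset criticality 1..5 from the CMDB; unknown hosts default to 1.
ASSET_CRITICALITY = {"db-prod-01": 5, "web-prod-02": 4, "wks-0457": 2}
# Assumption: (rule, host) pairs the SOC has documented as benign.
SUPPRESSIONS = {("av_signature_update_failed", "wks-0457")}
CORROBORATION_BONUS = 2


@dataclass
class Alert:
    tool: str
    rule: str
    host: str
    severity: str


@dataclass
class Case:
    rule: str
    host: str
    count: int
    score: int
    tools: set = field(default_factory=set)


# Constructed sample: one burst of alerts from four tools.
SAMPLE_ALERTS = [
    Alert("edr", "credential_dumping", "db-prod-01", "high"),
    Alert("siem", "credential_dumping", "db-prod-01", "high"),
    Alert("ids", "port_scan", "wks-0457", "medium"),
    Alert("ids", "port_scan", "wks-0457", "medium"),
    Alert("ids", "port_scan", "wks-0457", "medium"),
    Alert("av", "av_signature_update_failed", "wks-0457", "low"),
    Alert("siem", "failed_login_burst", "web-prod-02", "medium"),
    Alert("edr", "new_scheduled_task", "wks-0457", "critical"),
]


def triage(alerts, asset_criticality=ASSET_CRITICALITY,
           suppressions=SUPPRESSIONS) -> tuple[list[Case], int]:
    """Return (ordered work queue, number of suppressed alerts)."""
    cases: dict[tuple[str, str], Case] = {}
    suppressed = 0
    for a in alerts:
        key = (a.rule, a.host)
        if key in suppressions:
            suppressed += 1
            continue
        score = SEVERITY_WEIGHT.get(a.severity.lower(), 1) * asset_criticality.get(a.host, 1)
        case = cases.get(key)
        if case is None:
            cases[key] = Case(a.rule, a.host, 1, score, {a.tool})
        else:  # duplicate of an open case: count it, keep the highest score
            case.count += 1
            case.score = max(case.score, score)
            case.tools.add(a.tool)
    for case in cases.values():
        if len(case.tools) > 1:  # two independent sources agree
            case.score += CORROBORATION_BONUS
    queue = sorted(cases.values(), key=lambda c: (-c.score, -c.count, c.host))
    return queue, suppressed


if __name__ == "__main__":
    queue, dropped = triage(SAMPLE_ALERTS)
    print(f"{dropped} alert(s) suppressed")
    for c in queue:
        print(f"score={c.score:2d} x{c.count} {c.rule}@{c.host} via {sorted(c.tools)}")
```

Eight raw alerts collapse to four cases, and the credential-dumping alert on the production database lands at the top because both the asset weight and the cross-tool corroboration push it there; the three repeated port-scan alerts on a workstation sit last despite their count.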

70
MCQeasy

An incident response team discovers that an employee's workstation is infected with malware. The workstation contains sensitive customer data. Which of the following is the MOST appropriate containment strategy?

A.Shut down the workstation immediately.
B.Perform a full system wipe and reinstall the OS.
C.Disconnect the workstation from the network.
D.Copy all files to a secure server and then disconnect.
AnswerC

Network isolation is a quick and effective containment measure.

Why this answer

Disconnecting the workstation from the network (Option C) is the most appropriate containment strategy because it immediately stops the malware from communicating with command-and-control servers, prevents lateral movement to other systems, and preserves the volatile evidence (running processes, memory contents, open connections) needed for forensic analysis. This aligns with the containment phase of NIST SP 800-61, which favours isolating the host so it can be analysed over destroying it or moving its data. Where tooling allows, isolation at the switch port, through the EDR agent's network-containment function, or with a host firewall rule keeps a management channel open so the responder can still acquire memory and disk images.

Exam trap

The trap here is that candidates often confuse 'containment' with 'eradication' and choose a destructive option like shutdown or wipe, failing to recognize that containment must preserve evidence and prevent spread without destroying forensic artifacts.

How to eliminate wrong answers

Option A is wrong because shutting down the workstation immediately destroys volatile evidence (e.g., active network connections, memory-resident malware, encryption keys) and may trigger anti-forensic mechanisms in the malware. Option B is wrong because performing a full system wipe and OS reinstall destroys all evidence before forensic analysis can determine the root cause, scope of compromise, and whether sensitive customer data was exfiltrated. Option D is wrong because copying all files to a secure server before disconnecting risks spreading the malware to the server and may alter file timestamps or trigger malware behavior during the copy process, violating forensic integrity.

71
Multi-Selecthard

Which TWO of the following are key responsibilities of an information security governance committee?

Select 2 answers
A.Perform vulnerability assessments on critical systems.
B.Set the organization's risk appetite.
C.Approve major changes to information security policies.
D.Review and approve the information security strategy.
E.Conduct daily monitoring of security events.
AnswersC, D

Policy approval is a key governance function.

Why this answer

The information security governance committee is a high-level body responsible for strategic oversight. Approving major changes to information security policies (Option C) and reviewing and approving the information security strategy (Option D) are core governance functions, ensuring that policy and strategy align with business objectives and regulatory requirements before implementation. These are distinct from operational tasks such as vulnerability assessments (Option A) and daily monitoring (Option E), and from setting the risk appetite (Option B), which belongs to the board of directors; the committee applies the appetite the board has set.

Exam trap

The trap here is that candidates confuse governance-level responsibilities (policy approval, strategy review) with operational or tactical tasks (vulnerability assessments, daily monitoring), or they mistakenly assign risk appetite setting to the governance committee instead of the board of directors.

72
MCQmedium

Based on the SIEM alert exhibit, which immediate action should the incident responder take?

A.Block the source IP 10.0.0.55 at the firewall
B.Lock the user account 'jsmith'
C.Increase logging level for the destination server
D.Contact the user 'jsmith' to verify activity
AnswerB

Locking the account prevents further brute-force.

Why this answer

The SIEM alert indicates a successful brute-force login from source IP 10.0.0.55 to the destination server using the account 'jsmith'. Locking the user account immediately stops the attacker from further exploiting the compromised credentials, which is the most direct containment action. Blocking the IP alone would not prevent re-authentication if the attacker switches IPs, and contacting the user wastes critical time during an active incident. Locking should be followed at once by terminating any sessions already established with the credentials, blocking the source at the firewall, and, because 10.0.0.55 is an internal address, examining that host, which may itself be compromised.

Exam trap

The trap here is that candidates often choose to block the source IP, thinking it stops the attack, but fail to realize the attacker already has valid credentials and can pivot from any IP, making account lockout the only effective containment step.

How to eliminate wrong answers

Option A is wrong because blocking the source IP at the firewall does not address the fact that the attacker already has valid credentials for 'jsmith' and could simply use a different IP to continue the attack. Option C is wrong because increasing logging level is a forensic step that does not contain the active threat; it only gathers more data after the fact. Option D is wrong because contacting the user 'jsmith' to verify activity introduces unnecessary delay and assumes the user is not the attacker, whereas the SIEM alert shows a successful brute-force, indicating the account is already compromised and must be locked immediately.
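The correlation behind a brute-force-success alert, as an added example that is not part of the question bank: it replays sshd-style authentication lines, counts failures per (account, source) inside a sliding window, and raises a finding when a success follows at least the threshold number of failures, attaching the containment actions the answer calls for. The log lines, the threshold and the window are constructed assumptions.

```python
"""Detect 'many failures then a success' for one account from one source.

Added example of the correlation a SIEM performs before raising a
brute-force-success alert; locking the account is the primary containment.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)
FAIL_THRESHOLD = 5             # assumption: tune to the environment
WINDOW = timedelta(minutes=5)  # assumption: sliding window for counting failures
CONTAINMENT_ACTIONS = ["lock account", "terminate active sessions",
                       "block source IP", "notify account owner"]

# Constructed sample log lines (not the exam exhibit).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z srv01 sshd: Failed password for jsmith from 10.0.0.55 port 51001
2024-05-01T10:00:02Z srv01 sshd: Failed password for jsmith from 10.0.0.55 port 51002
2024-05-01T10:00:03Z srv01 sshd: Failed password for jsmith from 10.0.0.55 port 51003
2024-05-01T10:00:03Z srv01 sshd: Failed password for bob from 10.0.0.9 port 50210
2024-05-01T10:00:04Z srv01 sshd: Failed password for jsmith from 10.0.0.55 port 51004
2024-05-01T10:00:05Z srv01 sshd: Failed password for jsmith from 10.0.0.55 port 51005
2024-05-01T10:00:06Z srv01 sshd: Accepted password for bob from 10.0.0.9 port 50211
2024-05-01T10:00:06Z srv01 sshd: Failed password for jsmith from 10.0.0.55 port 51006
2024-05-01T10:00:09Z srv01 sshd: Accepted password for jsmith from 10.0.0.55 port 51009
2024-05-01T10:05:00Z srv01 sshd: Accepted password for alice from 10.0.0.20 port 50300
2024-05-01T10:05:01Z srv01 sshd: Connection closed by 10.0.0.20 port 50300
"""


def parse(line: str) -> dict | None:
    """Return the fields of an auth line, or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce_success(lines, threshold=FAIL_THRESHOLD, window=WINDOW) -> list[dict]:
    """Findings for each success preceded by >= threshold failures (same user, same source)."""
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    findings = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]  # drop stale failures
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            failures[key] = recent
            continue
        if len(recent) >= threshold:
            findings.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                             "failures": len(recent), "at": ev["ts"],
                             "actions": list(CONTAINMENT_ACTIONS)})
        failures[key] = []  # a success closes the window either way
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce_success(SAMPLE_LOG.splitlines()):
        print(f"{f['at']:%H:%M:%S} {f['user']}@{f['host']} from {f['src']}: "
              f"{f['failures']} failures then success -> {', '.join(f['actions'])}")
```

bob's single failure followed by a success is a typo, not an attack, and stays below the threshold; lowering the threshold to 1 would flag it as well, which is the tuning trade-off that Option D in the previous question is about.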

73
MCQmedium

A multinational corporation is designing an information security strategy to support its global operations. Which approach best ensures that the strategy is actionable and measurable?

A.Conduct a cost-benefit analysis of security controls
B.Base the strategy on industry best practices
C.Define KPIs and KRIs aligned with business goals
D.Adopt a leading-edge technology roadmap
AnswerC

KPIs and KRIs provide quantifiable metrics to monitor performance and risk, making the strategy actionable.

Why this answer

Defining key performance indicators (KPIs) and key risk indicators (KRIs) tied to business goals allows the organization to track progress and effectiveness. Option B relies solely on external best practices, which may not fit the specific context. Option A focuses on cost-benefit analysis, which is important but not sufficient for actionability.

Option D addresses technology adoption without a measurement framework.

74
MCQmedium

An organization's security program includes a set of metrics reported quarterly to the board. Which metric best demonstrates the effectiveness of the security awareness program?

A.Percentage of employees who completed training
B.Number of security incidents
C.Number of policy violations
D.Reduction in phishing click-through rate
AnswerD

Directly measures whether employees apply training to real threats.

Why this answer

Option D is correct because a reduction in the phishing click-through rate directly measures behavior change resulting from awareness training. Option B reflects overall incidents, not just awareness. Option A measures completion, not effectiveness.

Option C may be influenced by many factors unrelated to awareness.

75
MCQhard

A multinational corporation is experiencing significant security incidents due to inconsistent security policies across subsidiaries. The CISO proposes implementing a centralized governance model. However, business unit leaders argue that local regulations require autonomy. Which approach best balances governance with local compliance?

A.Implement a single global security policy with mandatory compliance
B.Delegate all security decisions to local business units
C.Develop a framework of minimum security requirements, allowing local augmentation
D.Outsource security governance to a third-party managed service
AnswerC

This approach balances global consistency with local regulatory needs.

Why this answer

Option C is correct because it establishes a minimum set of requirements while enabling local augmentation to meet specific regulatory needs. Option A is too rigid and may conflict with local laws. Option B gives up central control entirely.

Option D outsources governance, which may not address local nuances.
