Certified Information Security Manager CISM (CISM) — Questions 676-750

896 questions total · 12 pages · All types, answers revealed

Page 10 of 12
676
Multi-Select · easy

Which TWO of the following are valid risk response options?

Select 2 answers
A.Risk amplification
B.Risk neutralization
C.Risk mitigation
D.Risk acceptance
E.Risk retention
AnswersC, D

Implementing controls to reduce risk.

Why this answer

Options C and D are correct because risk mitigation (reducing the risk by implementing controls) and risk acceptance are standard risk response options. Options A and B are wrong because risk amplification and risk neutralization are not recognized response options in any mainstream framework. Option E is not the expected choice: ISO 31000 does list retaining the risk by informed decision as a treatment option, but in that sense retention is a synonym for acceptance, so selecting E would duplicate D; the question wants the two distinct, clearly standard responses, mitigation and acceptance.

677
MCQ · medium

An organization is implementing a security controls framework and needs to prioritize which controls to implement first. According to CIS Controls v8, which approach aligns with the principle of 'implementation groups'?

A.Focus only on controls that address the greatest risks regardless of group
B.Implement IG3 controls first as they are the most advanced
C.Start with all controls from IG1, then move to IG2 and IG3 as resources allow
D.Implement controls from all groups simultaneously to achieve comprehensive coverage
AnswerC

IG1 represents basic cyber hygiene controls that are essential for all organizations.

Why this answer

CIS Controls v8 defines Implementation Groups (IG1, IG2, IG3) that prioritize controls based on organizational maturity, starting with the most foundational and critical controls.

678
MCQ · easy

Which of the following is the PRIMARY purpose of a security champions program?

A.Enforce compliance with security policies
B.Embed security advocates in dev teams to promote secure practices
C.Reduce the number of phishing simulations
D.Replace the need for a dedicated security team
AnswerB

Champions serve as bridges between security and development.

Why this answer

Security champions act as liaisons in development teams, promoting security practices and facilitating communication with the security team.

679
MCQ · medium

During a DDoS attack, the incident response team is struggling to mitigate the attack. The team decides to engage the organization's ISP and a DDoS mitigation service. Which of the following should be done FIRST?

A.Activate the crisis management team
B.Refer to the incident response playbook for DDoS attacks
C.Notify law enforcement
D.Initiate legal hold on all relevant logs
AnswerB

The playbook provides predefined steps and contacts.

Why this answer

The IR plan should include pre-established contacts and procedures; contacting the ISP and mitigation service should follow the plan's escalation process.

680
MCQ · easy

An analyst receives an alert indicating a potential data exfiltration. The alert shows a host IP address 10.10.50.200 sending large amounts of data to an external IP address 203.0.113.5 over port 443. What should the analyst do FIRST?

A.Block the external IP address immediately
B.Escalate to the incident response team
C.Verify the alert by checking logs and network traffic
D.Isolate the host from the network
AnswerC

Verification ensures the incident is real before further action.

Why this answer

Option C is correct because the first step in incident response is to validate the alert. The analyst must verify that the traffic is indeed anomalous and not legitimate (e.g., a large backup or software update) by examining logs and packet captures. Premature action without verification could disrupt business operations or destroy forensic evidence.

Exam trap

The trap here is that candidates often jump to containment (isolate or block) without first verifying the alert, confusing the urgency of a potential exfiltration with the disciplined step of validation required by the NIST SP 800-61 incident response lifecycle.

How to eliminate wrong answers

Option A is wrong because blocking the external IP immediately could be an overreaction if the traffic is legitimate (e.g., a cloud backup service), and it may destroy evidence or alert the attacker. Option B is wrong because escalation to the incident response team should occur only after the analyst has verified the alert and gathered initial evidence; premature escalation wastes resources. Option D is wrong because isolating the host without verification could disrupt critical services if the traffic is benign, and it may also tip off an insider threat or destroy volatile data.

681
Multi-Select · hard

Which TWO of the following are appropriate actions for preserving evidence during a cybersecurity incident?

Select 2 answers
A.Reboot systems to capture volatile memory
B.Create forensic bit-for-bit images of affected systems
C.Issue a legal hold to prevent deletion of relevant data
D.Disconnect affected systems from the network immediately
E.Delete temporary files to free up space
AnswersB, C

Forensic images preserve the exact state for analysis and litigation.

Why this answer

Preserving evidence includes creating forensic images and issuing legal holds to prevent spoliation. Disconnecting systems without imaging and rebooting can destroy evidence.
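The acquisition step in the correct answer is easy to state and easy to get wrong in practice: the image must be a bit-for-bit copy, and its integrity must be provable later. The following added example (written for this page, not exam material) shows the technique in Python: a chunked copy that hashes the source as it is read, an independent re-hash of the written image, a JSON chain-of-custody record, and a re-verification that catches a single flipped byte. A constructed file stands in for the evidence device (e.g. /dev/sdb); the case ID, examiner name and file names are assumptions.

```python
"""Forensic acquisition with integrity verification.

Added example for this page, not exam material. A constructed file stands
in for the evidence device (e.g. /dev/sdb); the technique is the chunked
bit-for-bit copy, independent hashing of source and image, and a custody
record that a reviewer can re-verify later.
"""
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size


def make_constructed_source(path, size, seed=42):
    """Write `size` deterministic pseudo-random bytes; a stand-in for a real device."""
    rng = random.Random(seed)
    with open(path, "wb") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(rng.getrandbits(8 * n).to_bytes(n, "little"))
            remaining -= n
    return path


def sha256_file(path, chunk=CHUNK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source_path, image_path, chunk=CHUNK):
    """Bit-for-bit copy source -> image, hashing the source as it is read.
    Returns (source_hash, image_hash); they must match or the image is unusable."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
    os.chmod(image_path, 0o444)  # software analogue of a write blocker on the image
    return src_hash.hexdigest(), sha256_file(image_path)  # image is re-hashed independently


def custody_record(case_id, source, image, src_hash, img_hash, examiner):
    return {
        "case_id": case_id,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(image),
        "sha256_source": src_hash,
        "sha256_image": img_hash,
        "verified": src_hash == img_hash,
    }


def verify_image(image_path, record):
    """Re-hash an image against its custody record (before analysis, or for court)."""
    return sha256_file(image_path) == record["sha256_image"]


def write_record(record, path):
    with open(path, "w") as f:
        json.dump(record, f, indent=2)
    os.chmod(path, 0o444)
    return path


def run_demo(workdir=None):
    """End to end: build a constructed source, image it, record custody, then show
    that a single flipped byte in the image is caught by re-verification."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq-")
    src = make_constructed_source(os.path.join(workdir, "evidence.bin"), 3 * CHUNK + 123)
    img = os.path.join(workdir, "evidence.dd")
    src_hash, img_hash = acquire(src, img)
    record = custody_record("IR-2024-001", src, img, src_hash, img_hash, "analyst")  # assumed IDs
    write_record(record, os.path.join(workdir, "evidence.dd.json"))
    verified_clean = verify_image(img, record)
    os.chmod(img, 0o644)  # simulate an unprotected copy being modified
    with open(img, "r+b") as f:
        f.seek(10)
        b = f.read(1)
        f.seek(10)
        f.write(bytes([b[0] ^ 0xFF]))
    return {"record": record, "verified_clean": verified_clean,
            "verified_after_tamper": verify_image(img, record)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real device the source would be opened through a hardware write blocker and the in-flight hash compared with a hash taken directly from the device; the two-hash design above is what lets a second examiner confirm the image later without access to the original.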

682
MCQ · hard

Based on the configuration snippet, what is the expected behavior when an incident is triggered?

A.Standard playbook executed, notification sent, auto containment applied.
B.The incident is logged but no action is taken.
C.Priority override applied, but no notification sent.
D.Auto containment applied without executing any playbook.
AnswerA

Correct: All fields are set accordingly.

Why this answer

Option A is correct because the configuration indicates the standard playbook will be executed, the incident response team will be notified, and containment actions will be automatically applied. Priority override is false, so no override occurs.

683
Multi-Select · hard

Which THREE of the following are objectives of a lessons learned meeting after an incident? (Select three.)

Select 3 answers
A.Determine what worked well and what did not
B.Assign blame for the incident
C.Share indicators of compromise with an ISAC
D.Develop recommendations for improvement
E.Identify what happened during the incident
AnswersA, D, E

Evaluating response effectiveness is a primary goal.

Why this answer

Lessons learned meetings aim to identify what happened, what worked well, and what didn't, and to develop recommendations for improvement. Sharing IoCs with ISACs is a separate activity, not a meeting objective.

684
MCQ · hard

A company discovers a credential compromise affecting multiple user accounts. According to best practices, what is the first step the incident response team should take?

A.Conduct a root cause analysis
B.Disable compromised accounts and reset passwords
C.Contact law enforcement
D.Notify affected users immediately
AnswerB

Containment is the immediate priority to stop further damage.

Why this answer

When a credential compromise is discovered, the immediate priority is containment to prevent further unauthorized access. Disabling compromised accounts and resetting passwords (Option B) stops the attacker from using the stolen credentials, aligning with the NIST SP 800-61 incident response lifecycle's containment phase. This action directly mitigates the active threat before any forensic analysis or notification occurs.

Exam trap

The CISM exam often tests the misconception that 'notify affected users' is the first step, but in incident management, containment (disabling accounts) precedes notification to avoid alerting the adversary or causing operational chaos.

How to eliminate wrong answers

Option A is wrong because root cause analysis is a post-containment step; performing it first would leave compromised accounts active, allowing the attacker to continue lateral movement or data exfiltration. Option C is wrong because contacting law enforcement is a secondary step that typically occurs after containment and evidence preservation, and it does not immediately stop the active compromise. Option D is wrong because notifying affected users immediately could cause panic, tip off the attacker, or lead to data loss if users attempt to investigate on their own; notification should follow a coordinated communication plan after containment.

685
MCQ · medium

A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?

A.Minimize security spending to maximize ROI.
B.Adopt a best-practice framework such as NIST CSF and implement all controls.
C.Focus on regulatory compliance to ensure legal requirements are met.
D.Develop a risk-based prioritization framework linking security initiatives to business risk appetite.
AnswerD

Directly aligns security investments with business objectives through risk management.

Why this answer

Option D is correct because a risk-based prioritization framework directly maps security initiatives to the organization's risk appetite, ensuring that investments target the most critical business risks. This aligns with the CISM principle that governance must link security activities to business objectives through risk management, not through arbitrary cost-cutting or blanket compliance.

Exam trap

The trap here is that candidates often confuse 'adopting a best-practice framework' (Option B) with proper governance, but CISM emphasizes that frameworks must be tailored to the organization's risk appetite, not implemented wholesale.

How to eliminate wrong answers

Option A is wrong because minimizing security spending to maximize ROI ignores the need to address actual risks; it assumes all spending is waste, which can leave critical assets unprotected and misalign with business objectives that require risk mitigation. Option B is wrong because adopting a best-practice framework like NIST CSF and implementing all controls without tailoring to the organization's specific risk profile leads to inefficient resource allocation and may over-invest in low-priority areas, failing to align with business goals. Option C is wrong because focusing solely on regulatory compliance ensures only legal minimums are met, which may not address the unique risk landscape or strategic business objectives, leaving the organization exposed to non-compliance-related threats.

686
MCQ · hard

Based on the exhibit, what is the MOST likely attack vector that led to the compromise?

A.Exploitation of the nf_conntrack table full condition
B.Credential-based attack using a compromised SSH key from the brute force attempt
C.Vulnerability in the SSH password authentication
D.Successful brute force attack from 10.0.0.50
AnswerB

The failed attempts from 10.0.0.50 indicate credential guessing; the later successful session authenticated with a key rather than a password, which points to a stolen key.

Why this answer

The exhibit shows a successful SSH session from 10.0.0.50 immediately following a brute-force attempt from the same IP, and the session log indicates key-based authentication was used. Password guessing cannot produce a private key, so the attacker must already have held a compromised key obtained elsewhere; that key allowed authentication without a password, making a credential-based attack using a compromised SSH key the most likely vector.

Exam trap

The trap here is that candidates see the brute-force attempt and assume the attack was a direct brute-force success (Option D), but the exhibit shows key-based authentication, meaning the attacker used a compromised key, not a guessed password.

How to eliminate wrong answers

Option A is wrong because the nf_conntrack table full condition causes connection drops or timeouts, not a successful authenticated SSH session; it is a resource exhaustion issue, not an attack vector. Option C is wrong because the exhibit shows key-based authentication (no password prompt), not password authentication, so a vulnerability in SSH password authentication is irrelevant. Option D is wrong because a successful brute-force attack would mean a password-based login succeeded, but the exhibit shows key-based authentication; the brute force shows the attacker probing for weak credentials, but the actual compromise was via the key, not a guessed password.

687
Multi-Select · medium

An incident response plan should include which three key components to ensure effective response? (Choose three.)

Select 3 answers
A.Communication procedures for internal and external stakeholders.
B.Roles and responsibilities of the response team.
C.Detailed step-by-step technical instructions for all possible incidents.
D.A list of pre-approved vendors for forensic services.
E.A method for preserving and handling evidence.
AnswersA, B, E

Correct: Ensures timely information flow.

Why this answer

A is correct because effective incident response requires structured communication procedures to coordinate with internal stakeholders (e.g., management, legal, PR) and external parties (e.g., law enforcement, regulators, customers). Without predefined communication channels, critical updates may be delayed or mishandled, increasing organizational risk.

Exam trap

The exam often tests the distinction between essential process-oriented components (communication, roles, evidence handling) and operational details (specific technical steps or vendor lists) that are too rigid or secondary for a high-level incident response plan.

688
MCQ · easy

Based on the exhibit, which of the following is true about traffic from the internet to the internal network 10.0.0.0/8?

A.Internet traffic to 10.0.0.5 is permitted only if from 192.168.1.0/24.
B.All traffic from the internet to the internal network is denied.
C.Traffic from the internet to 10.0.0.5 port 80 is permitted.
D.Traffic from 192.168.1.0/24 to 10.0.0.5 port 80 is permitted.
AnswerB

First rule denies all IP traffic to 10.0.0.0/8.

Why this answer

The exhibit shows an access control list (ACL) that denies all traffic from any source to the 10.0.0.0/8 network. Because the ACL is applied inbound on the internet-facing interface, any traffic originating from the internet and destined for 10.0.0.0/8 hits that explicit deny statement first and is dropped before the later permit is ever evaluated. Therefore, option B is correct: all traffic from the internet to the internal network is denied.

Exam trap

The trap here is that candidates often misread the direction of the ACL permit statement (10.0.0.0/8 to 192.168.1.0/24) and incorrectly assume it permits traffic from the internet to the internal network, when in fact it only permits outbound traffic from the internal network to the specified destination.

How to eliminate wrong answers

Option A is wrong because the ACL does not permit any traffic from 192.168.1.0/24 to 10.0.0.5; the only permit statement is for traffic from 10.0.0.0/8 to 192.168.1.0/24, not the reverse. Option C is wrong because the ACL contains no permit statement for traffic from the internet to 10.0.0.5 port 80; the only permit is for traffic from 10.0.0.0/8 to 192.168.1.0/24, and the explicit deny blocks all other traffic. Option D is wrong because the permit statement allows traffic from 10.0.0.0/8 to 192.168.1.0/24, not from 192.168.1.0/24 to 10.0.0.5; the direction is reversed, and the ACL does not permit any inbound traffic to the 10.0.0.0/8 network.
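The two mechanics this question turns on, first-match evaluation and direction, are easiest to see by running packets through the rules. The following added example (not from the exam page) is a small ACL evaluator in Python; the exhibit is not reproduced on the page, so the rule set is an assumption reconstructed from the explanation text: an explicit deny of all IP traffic to 10.0.0.0/8 followed by a permit from 10.0.0.0/8 to 192.168.1.0/24, with the implicit deny every ACL ends in. It also flags shadowed rules, which is how the "permit port 80 to 10.0.0.5" that options C and D imagine would fail even if someone added it after the deny.

```python
"""First-match ACL evaluation with implicit deny and shadowed-rule detection.

Added example; the exhibit is not reproduced on the page, so ACL below is an
assumption reconstructed from the explanation text. Rules are
(action, protocol, source, destination, dest_port); dest_port None = any.
"""
from ipaddress import ip_address, ip_network

ACL = [
    ("deny", "ip", "0.0.0.0/0", "10.0.0.0/8", None),          # explicit deny to internal
    ("permit", "ip", "10.0.0.0/8", "192.168.1.0/24", None),   # internal -> 192.168.1.0/24
]


def matches(rule, src, dst, proto, dport):
    action, rproto, rsrc, rdst, rport = rule
    if rproto != "ip" and rproto != proto:
        return False
    if ip_address(src) not in ip_network(rsrc):
        return False
    if ip_address(dst) not in ip_network(rdst):
        return False
    return rport is None or rport == dport


def evaluate(acl, src, dst, proto="ip", dport=None):
    """Return (action, index of the matching rule); index None means implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, src, dst, proto, dport):
            return rule[0], i
    return "deny", None


def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    return (
        (a[1] == "ip" or a[1] == b[1])
        and ip_network(b[2]).subnet_of(ip_network(a[2]))
        and ip_network(b[3]).subnet_of(ip_network(a[3]))
        and (a[4] is None or a[4] == b[4])
    )


def shadowed(acl):
    """(later_index, earlier_index) pairs where the later rule can never match."""
    return [(j, i) for j in range(len(acl)) for i in range(j) if covers(acl[i], acl[j])]


def check_options(acl):
    """The four flows the answer options describe (addresses are constructed)."""
    return {
        "C: internet -> 10.0.0.5:80": evaluate(acl, "198.51.100.9", "10.0.0.5", "tcp", 80),
        "A/D: 192.168.1.10 -> 10.0.0.5:80": evaluate(acl, "192.168.1.10", "10.0.0.5", "tcp", 80),
        "outbound 10.0.0.5 -> 192.168.1.10:80": evaluate(acl, "10.0.0.5", "192.168.1.10", "tcp", 80),
        "outbound 10.0.0.5 -> 203.0.113.1:443": evaluate(acl, "10.0.0.5", "203.0.113.1", "tcp", 443),
    }


if __name__ == "__main__":
    for flow, result in check_options(ACL).items():
        print(f"{flow:40} -> {result}")
    extended = ACL + [("permit", "tcp", "0.0.0.0/0", "10.0.0.5/32", 80)]
    print("shadowed rules in extended ACL:", shadowed(extended))
```

The last flow shows a detail the question does not ask about but a reviewer should notice: with only these two rules, internal hosts reaching anything other than 192.168.1.0/24 fall through to the implicit deny, so the permit is narrower than "outbound is allowed".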

689
MCQ · hard

Based on the log entries, what is the most likely scenario?

A.A brute-force attack against the root account
B.A remote code execution attempt
C.A legitimate user repeatedly mistyping their password
D.A misconfiguration causing duplicate log entries
AnswerA

Multiple failed attempts in quick succession for the same account and IP is classic brute-force behavior.

Why this answer

The rapid succession of failed SSH login attempts for the root account from the same IP indicates a brute-force attack. Option B is not supported by the log entries, which record authentication failures rather than exploitation. Option C is unlikely because of the speed of the attempts, which is faster than a person retyping a password. Option D is less likely than an active attack.
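Questions 686 and 689 both hinge on reading sshd authentication lines correctly: how many failures, how fast, and whether the eventual success used a password or a key. The following added example (not from the exam page, which does not reproduce either exhibit) parses constructed OpenSSH syslog lines, detects a brute-force burst per (user, source IP) with a sliding window, and then looks for an accepted login following the burst, reporting the authentication method so the "guessed password" and "stolen key" cases are told apart. Host name, fingerprint and timestamps are constructed.

```python
"""Parse sshd authentication log lines and separate brute forcing from a
key-based login that follows it.

Added example serving questions 686 and 689; the log lines are constructed
(the exhibits are not reproduced on the page) in standard OpenSSH syslog form.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Mar 12 02:14:01 bastion sshd[2231]: Failed password for root from 10.0.0.50 port 51234 ssh2
Mar 12 02:14:02 bastion sshd[2233]: Failed password for root from 10.0.0.50 port 51236 ssh2
Mar 12 02:14:02 bastion sshd[2235]: Failed password for root from 10.0.0.50 port 51238 ssh2
Mar 12 02:14:03 bastion sshd[2237]: Failed password for root from 10.0.0.50 port 51240 ssh2
Mar 12 02:14:03 bastion sshd[2239]: Failed password for root from 10.0.0.50 port 51242 ssh2
Mar 12 02:14:04 bastion sshd[2241]: Failed password for root from 10.0.0.50 port 51244 ssh2
Mar 12 02:14:04 bastion sshd[2243]: Failed password for invalid user admin from 10.0.0.50 port 51246 ssh2
Mar 12 02:14:19 bastion sshd[2290]: Accepted publickey for root from 10.0.0.50 port 51300 ssh2: ED25519 SHA256:c0nstructedFingerprintValue
Mar 12 02:30:10 bastion sshd[2410]: Failed password for alice from 192.168.1.20 port 40210 ssh2
Mar 12 02:30:41 bastion sshd[2412]: Failed password for alice from 192.168.1.20 port 40212 ssh2
Mar 12 02:31:05 bastion sshd[2414]: Accepted password for alice from 192.168.1.20 port 40214 ssh2
"""

PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(text):
    events = []
    for line in text.splitlines():
        m = PATTERN.match(line)
        if not m:
            continue  # other sshd lines (disconnects etc.) are not auth outcomes
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; deltas still work
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def brute_force_sources(events, threshold=5, window_s=60):
    """(user, ip) pairs with >= threshold failures inside any window_s-second span."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails[(e["user"], e["ip"])].append(e["ts"])
    hits = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                hits.append(key)
                break
    return hits


def success_after_burst(events, threshold=5, window_s=60, lookback_s=600):
    """Accepted logins for a user who was brute-forced within lookback_s before;
    the method field tells you whether a password was guessed or a key was used."""
    burst_users = {user for user, _ in brute_force_sources(events, threshold, window_s)}
    out = []
    for e in events:
        if e["result"] != "Accepted" or e["user"] not in burst_users:
            continue
        recent_fail = any(
            f["result"] == "Failed" and f["user"] == e["user"]
            and 0 <= (e["ts"] - f["ts"]).total_seconds() <= lookback_s
            for f in events
        )
        if recent_fail:
            out.append((e["user"], e["ip"], e["method"]))
    return out


def classify(events):
    succ = success_after_burst(events)
    if succ and any(m == "publickey" for _, _, m in succ):
        return "brute force followed by key-based login: investigate key theft, not password guessing"
    if succ:
        return "brute force succeeded with a guessed password"
    if brute_force_sources(events):
        return "brute force in progress, no success observed"
    return "no brute-force pattern"


if __name__ == "__main__":
    ev = parse(LOG)
    print(brute_force_sources(ev), success_after_burst(ev))
    print(classify(ev))
```

The alice lines are the question 689 distractor: two failures a minute apart followed by an accepted password is a person mistyping, and the window logic leaves it alone. The threshold and window are tuning knobs, not facts from the exhibits.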

690
Multi-Select · easy

Which TWO are key indicators of a data breach? (Choose two.)

Select 2 answers
A.System performance degradation
B.Unusual outbound network traffic
C.Increased spam emails to the organization
D.Unauthorized access to sensitive data
E.Multiple failed login attempts from a single user
AnswersB, D

Unusual outbound traffic, especially to unknown IPs, is a common sign of data exfiltration.

Why this answer

Unusual outbound network traffic is a key indicator of a data breach because it often signals data exfiltration, where an attacker is transferring stolen data to an external command-and-control (C2) server or a cloud storage endpoint. This traffic may involve unexpected protocols (e.g., DNS tunneling, HTTPS to unknown IPs) or large volumes of data leaving the network at odd hours, which can be detected by network traffic analysis tools like NetFlow or intrusion detection systems (IDS).

Exam trap

The trap here is that candidates often confuse indicators of a data breach (e.g., unauthorized access or data exfiltration) with indicators of an attack in progress (e.g., failed logins or spam), failing to distinguish between a confirmed breach and a potential security event that may or may not lead to a breach.
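Questions 680 and 690 describe the same analyst task from two sides: an alert says a host is pushing data out, and the first step is to check flow data rather than block or isolate. The following added example (written for this page, not exam material) shows what that check looks like in Python: aggregate internal-to-external bytes per (source, destination) pair from NetFlow-style records, compare each pair against a per-host baseline, and treat sanctioned bulk destinations (a backup provider) as benign even when the volume is large. The flow records, the 7-day baseline and the sanctioned range are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes.

```python
"""Validate an outbound-transfer alert against flow data before containing.

Added example covering questions 680 and 690; it is not from the exam page.
The flow records, the 7-day baseline and the sanctioned-destination list are
constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Assumed: destinations the backup/SaaS contracts sanction for bulk transfer
SANCTIONED = [ip_network("198.51.100.0/24")]
# Assumed: per-host median daily egress bytes from a 7-day baseline
BASELINE_BYTES = {"10.10.50.200": 120_000_000, "10.10.50.201": 800_000_000}

FLOWS = [  # constructed NetFlow-style records for the alert window; bytes are src -> dst
    {"ts": "02:13", "src": "10.10.50.200", "dst": "203.0.113.5", "dport": 443, "bytes": 2_900_000_000},
    {"ts": "02:41", "src": "10.10.50.200", "dst": "203.0.113.5", "dport": 443, "bytes": 1_600_000_000},
    {"ts": "03:05", "src": "10.10.50.200", "dst": "198.51.100.7", "dport": 443, "bytes": 90_000_000},
    {"ts": "01:00", "src": "10.10.50.201", "dst": "198.51.100.7", "dport": 443, "bytes": 4_000_000_000},
    {"ts": "01:30", "src": "10.10.50.202", "dst": "203.0.113.9", "dport": 443, "bytes": 700_000_000},
    {"ts": "01:45", "src": "10.10.50.201", "dst": "10.10.60.4", "dport": 445, "bytes": 9_000_000_000},
]


def is_internal(ip):
    return any(ip_address(ip) in n for n in INTERNAL)


def is_sanctioned(ip):
    return any(ip_address(ip) in n for n in SANCTIONED)


def egress_by_pair(flows):
    """Bytes per (src, dst) for internal -> external flows only; east-west traffic is skipped."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def triage(flows, baseline, ratio=5.0):
    """Map each internal -> external pair to a verdict and the analyst's next step."""
    verdicts = {}
    for (src, dst), total in egress_by_pair(flows).items():
        base = baseline.get(src)
        if is_sanctioned(dst):
            verdict, step = "benign-sanctioned", "close alert; note volume for baseline"
        elif base is None:
            verdict, step = "no-baseline", "manual review: pull pcap and ask the asset owner"
        elif total > ratio * base:
            verdict, step = "anomalous", "preserve pcap and logs, then escalate to IR"
        else:
            verdict, step = "within-baseline", "close alert"
        verdicts[(src, dst)] = {"bytes": total, "verdict": verdict, "next_step": step}
    return verdicts


if __name__ == "__main__":
    for pair, v in triage(FLOWS, BASELINE_BYTES).items():
        print(pair, v)
```

Note what the sanctioned-destination rule does for 10.10.50.201: 4 GB to the backup range in one night would look like exfiltration by volume alone, which is exactly the "legitimate backup" false positive the explanation for question 680 warns about. The 5x ratio is a starting point, not a standard.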

691
MCQ · medium

Which of the following best describes the role of the chief information security officer (CISO) in a governance context?

A.The CISO delegates all strategic decisions to the CIO
B.The CISO is a peer to the board with voting rights
C.The CISO oversees the security program and reports to executive leadership
D.The CISO is primarily a technical role focused on firewall management
AnswerC

CISO is accountable for security program and reports to executives.

Why this answer

The CISO is responsible for developing and implementing the security program, reporting to executive leadership.

692
MCQ · medium

An organization has a mature incident management process. After a major incident, they conduct a post-incident review. Which activity is MOST important during this review?

A.Identify individuals responsible for the incident
B.Update security tools to block similar attacks
C.Determine root causes and document lessons learned
D.Calculate the total cost of the incident
AnswerC

Root cause analysis and lessons learned drive process improvements.

Why this answer

Option C is correct because identifying root causes and improvements prevents recurrence. Option A (assigning blame) is counterproductive. Option B (updating tools) is part of improvement but not the most important.

Option D (metrics) supports analysis but is not the primary goal.

693
MCQ · medium

After a ransomware attack, a company discovers that backups are also encrypted. The incident response team has isolated the affected systems. What should be the next step?

A.Attempt restoration from encrypted backups.
B.Pay the ransom to obtain decryption keys.
C.Isolate additional systems and notify law enforcement.
D.Reimage all systems from known clean media.
AnswerC

Containment and involving authorities are best practices.

Why this answer

Option C is correct because after isolating affected systems, the next priority is to contain the incident by identifying and isolating any additional compromised systems to prevent further spread, and to notify law enforcement as required by legal and regulatory obligations. This aligns with the Incident Response (IR) process, specifically the Containment, Eradication, and Recovery phases, where containment must precede any recovery attempts to avoid re-infection.

Exam trap

The trap here is that candidates often jump to recovery actions (like reimaging or restoring backups) without first ensuring containment and legal notification, confusing the order of the Incident Response phases.

How to eliminate wrong answers

Option A is wrong because attempting restoration from encrypted backups is futile—the backups are encrypted and cannot be decrypted without the attacker's key, and attempting to use them could corrupt the restoration process or waste critical time. Option B is wrong because paying the ransom does not guarantee decryption keys will be provided, and it encourages further attacks; it also violates many organizational policies and may be illegal under sanctions or regulations. Option D is wrong because reimaging all systems from known clean media is a recovery step that should only occur after containment and eradication are complete; performing it prematurely could miss hidden persistence mechanisms or fail to address the root cause.

694
MCQ · easy

Which of the following security team roles is primarily responsible for designing and implementing security solutions to protect an organization's systems and data?

A.Security architect
B.Security analyst
C.GRC analyst
D.Penetration tester
AnswerA

Designs and oversees implementation of security solutions.

Why this answer

The security architect designs the overall security structure, including policies, technologies, and controls. Other roles focus on operations, analysis, or governance.

695
Multi-Select · medium

An organization is defining objectives and key results (OKRs) for the security program. Which TWO of the following are examples of leading indicators that could be used as key results?

Select 2 answers
A.Number of security incidents
B.Phishing click rate
C.Mean time to respond (MTTR)
D.Number of data breaches
E.Patch compliance percentage
AnswersB, E

Correct. Leading indicator of user awareness.

Why this answer

Leading indicators are proactive and predictive. Phishing click rate (user behavior) and patch compliance (vulnerability management) are leading indicators.

696
MCQ · medium

A large organization is implementing a security controls framework and wants to prioritize controls that provide the greatest risk reduction with the least operational friction. Which approach should the security manager adopt?

A.Implement all controls from the chosen framework simultaneously
B.Implement compensating controls only for legacy systems
C.Prioritize critical controls that address high-risk areas and enable business operations
D.Select controls based on regulatory compliance requirements only
AnswerC

This risk-based approach ensures resources are focused on the most impactful controls.

Why this answer

Prioritizing critical controls first, especially those that address the most significant risks and are business-enabling, aligns with defense-in-depth and risk-based decision making.

697
MCQ · easy

A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?

A.Switch to a fully quantitative risk assessment methodology.
B.Use a hybrid approach that includes both qualitative and quantitative assessments.
C.Replace qualitative scales with precise monetary values.
D.Continue using qualitative method since it is simpler.
AnswerB

Provides comprehensive risk information for decision-making.

Why this answer

A hybrid approach (Option B) is most effective because it leverages qualitative scales for initial, rapid risk identification and prioritization, while quantitative data (e.g., ALE, SLE, ARO) provides the monetary rigor needed for cost-benefit analysis and management decisions. This aligns with ISACA's guidance that risk assessment should be tailored to the decision context, not purely one method.

Exam trap

The trap here is that candidates assume 'quantitative' is always superior, ignoring the practical need for a hybrid approach that balances qualitative speed with quantitative rigor for decision-making.

How to eliminate wrong answers

Option A is wrong because a fully quantitative methodology requires extensive historical data, precise probability estimates, and can be resource-prohibitive; it may also create a false sense of precision when data is uncertain. Option C is wrong because replacing qualitative scales with precise monetary values without a structured quantitative model (e.g., Monte Carlo simulation) ignores the inherent uncertainty in risk estimation and can lead to misleadingly exact figures. Option D is wrong because continuing with only qualitative methods fails to provide the objective monetary data required for decisions like insurance coverage or budget allocation, violating the CISM principle of aligning risk management with business needs.

698
MCQ · medium

A financial institution is implementing a risk management program and needs to select a methodology that balances quantitative and qualitative factors, complies with regulatory requirements, and provides a consistent framework for risk assessment across business units. Which methodology would best meet these requirements?

A.FAIR
B.OCTAVE
C.ISO 27005
D.NIST SP 800-30
AnswerC

ISO 27005 provides a comprehensive risk management framework that supports both qualitative and quantitative approaches and is widely accepted for regulatory compliance.

Why this answer

ISO 27005 is the correct methodology because it provides a risk management framework that supports both qualitative and quantitative analysis, is widely accepted by regulators as evidence of a structured risk process, and offers a consistent, scalable approach for risk assessment across diverse business units. It is written to support the risk management requirements of ISO 27001, which helps with certification and standardization.

Exam trap

The trap here is that candidates often confuse a risk assessment methodology (like FAIR or NIST SP 800-30) with a comprehensive risk management program methodology (like ISO 27005), which must include regulatory compliance and cross-unit consistency.

How to eliminate wrong answers

Option A (FAIR) is wrong because it is a quantitative loss-modelling taxonomy focused on financial loss exposure; on its own it does not provide the qualitative balancing or the program-level framework the question asks for. Option B (OCTAVE) is wrong because it is a self-directed, largely qualitative assessment methodology that does not map to external regulatory expectations or give a consistent cross-unit framework. Option D (NIST SP 800-30) is wrong because it is a risk assessment guide written for US federal information systems (it supports qualitative, semi-quantitative and quantitative analysis) rather than a comprehensive risk management program methodology, so it lacks the program-level structure and regulatory framing required here.

699
MCQ · medium

An organization has experienced a ransomware attack that encrypted critical servers. The incident has been classified as P1. Which of the following is the FIRST action the incident response team should take according to the IR plan?

A.Perform root cause analysis to determine how the ransomware entered.
B.Begin forensic imaging of all affected servers for evidence preservation.
C.Notify the CEO and activate the crisis management team.
D.Contain the incident by isolating affected systems from the network.
AnswerD

Containment is the immediate priority to stop the spread of ransomware.

Why this answer

For a P1 incident, the IR plan dictates immediate containment to prevent further spread, followed by notification to the executive sponsor and activation of the crisis management team.

700
MCQ · easy

Which of the following is the PRIMARY reason for having a pre-established forensic retainer agreement before an incident occurs?

A.To ensure the forensic firm is familiar with the organization's environment.
B.To reduce the time needed to bring forensic experts on board during an incident.
C.To lock in a favorable pricing structure.
D.To ensure the forensic firm has the necessary certifications.
AnswerB

A pre-signed retainer eliminates contract negotiation delays.

Why this answer

The primary reason for a pre-established forensic retainer agreement is to reduce the time needed to bring forensic experts on board during an incident. In incident management, every minute of delay can allow an attacker to exfiltrate data or destroy evidence; a retainer bypasses the procurement and contracting process, enabling immediate deployment of the forensic team to preserve volatile memory and capture network artifacts.

Exam trap

The exam often tests the distinction between operational readiness (speed of response) and secondary benefits (cost, familiarity, certifications); the trap here is that candidates choose a plausible but non-primary reason like 'familiarity with the environment' instead of recognizing that the retainer's core value is eliminating procurement delays during a crisis.

How to eliminate wrong answers

Option A is wrong because while familiarity with the environment can be beneficial, it is not the primary reason for a retainer; the retainer's main purpose is speed of engagement, not pre-incident knowledge transfer. Option C is wrong because locking in a favorable pricing structure is a secondary financial benefit, not the primary driver for incident response readiness. Option D is wrong because ensuring the forensic firm has necessary certifications is a due diligence step that should be verified during vendor selection, but it is not the core reason for having a retainer agreement in place before an incident.

701
Multi-Select · medium

Which TWO of the following are essential components of an effective information security governance framework? (Select exactly two.)

Select 2 answers
A.Implementation of a SIEM system
B.Automated patch management system
C.Process for aligning security strategy with business strategy
D.Intrusion prevention system (IPS)
E.Defined roles and responsibilities for security decisions
AnswersC, E

Ensures security supports business.

Why this answer

Option C is correct because an effective information security governance framework must include a process for aligning security strategy with business strategy. This ensures that security initiatives support organizational objectives, risk tolerance, and regulatory requirements, rather than operating in isolation. Without this alignment, security investments may conflict with business goals, leading to inefficiencies or reduced adoption.

Exam trap

The trap here is that candidates confuse operational security tools (SIEM, patch management, IPS) with governance components, which are about strategy, roles, and oversight, not specific technologies.

702
MCQ · hard

A security manager is preparing a risk report for the board of directors. Which of the following should be included to best support strategic risk-based decisions?

A.Operational metrics such as number of firewalls and intrusion detection alerts
B.List of all past security incidents and their root causes
C.Detailed vulnerability scan results and patch levels
D.Summary of top risks, risk appetite alignment, and treatment status
AnswerD

Board requires strategic overview.

Why this answer

The board requires strategic-level information to make risk-based decisions. Option D provides a summary of top risks, alignment with risk appetite, and treatment status, which directly supports strategic oversight. Operational details like firewall counts or patch levels are tactical and do not convey the business impact or risk posture needed for board-level decisions.

Exam trap

The trap here is that candidates confuse operational or technical details (like vulnerability scans or incident lists) with strategic risk information, failing to recognize that the board needs aggregated, business-aligned summaries to make informed decisions.

How to eliminate wrong answers

Option A is wrong because operational metrics such as number of firewalls and intrusion detection alerts are tactical, not strategic; they do not convey risk exposure or alignment with business objectives. Option B is wrong because a list of all past security incidents and root causes is historical and reactive, lacking forward-looking risk prioritization and treatment status. Option C is wrong because detailed vulnerability scan results and patch levels are technical and granular, overwhelming the board with data that does not summarize risk in business terms or show alignment with risk appetite.

703
MCQmedium

An organization is conducting a root cause analysis after a data breach. Which of the following sequences BEST aligns with the 5 Whys approach from a CISM perspective?

A.Management failure → Process failure → Technical cause
B.Process failure → Technical cause → Management failure
C.Technical cause → Management failure → Process failure
D.Technical cause → Process failure → Management failure
AnswerD

This sequence identifies underlying root causes at each level.

Why this answer

The 5 Whys starts from the observable technical cause (for example, an unpatched server or an over-permissive access rule) and asks "why" repeatedly. The first answers usually expose a process failure (no patch SLA, no change review, no access recertification), and further iterations reach the management or governance failure that allowed the process gap to persist (no ownership, no funding, no oversight). Stopping at the technical cause fixes only the symptom, which is why CISM expects the analysis to reach the management layer.

704
MCQeasy

An organization's incident response plan (IRP) is being updated. Which stakeholder should be included in the IRP development to ensure legal and regulatory requirements are met?

A.Legal counsel
B.External auditors
C.Chief Information Security Officer (CISO)
D.IT manager
AnswerA

Legal counsel ensures compliance with laws and regulations.

Why this answer

Legal counsel ensures the plan complies with relevant laws and regulations, such as breach notification deadlines, evidence-handling requirements and contractual obligations to customers. The CISO (C) owns the plan and oversees security but is not a substitute for legal expertise. The IT manager (D) contributes the technical response procedures.

External auditors (B) assess the plan after the fact; they are not normally part of its development, and involving them in it would compromise their independence.

705
MCQeasy

An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?

A.Disconnecting an infected workstation from the network
B.Restoring data from backup
C.Analyzing log files to determine the attack vector
D.Removing malware from the system
AnswerA

This prevents further propagation of malware.

Why this answer

Disconnecting an infected workstation from the network is a classic containment action because it immediately isolates the compromised system, preventing the spread of malware or unauthorized lateral movement to other hosts. Containment focuses on limiting the scope and impact of an incident, not on remediation or investigation. This step aligns with the NIST SP 800-61 incident response lifecycle, where containment is performed before eradication and recovery.

Exam trap

ISACA often tests the distinction between containment, eradication, and recovery, and the trap here is that candidates mistake 'removing malware' (eradication) or 'restoring from backup' (recovery) for containment, because they focus on fixing the problem rather than stopping its spread first.

How to eliminate wrong answers

Option B is wrong because restoring data from backup is a recovery action, not containment; it occurs after the threat is contained and eradicated, aiming to return systems to normal operation. Option C is wrong because analyzing log files to determine the attack vector is part of identification and analysis, not containment; it helps understand the incident but does not stop its spread. Option D is wrong because removing malware from the system is an eradication action, which follows containment; containment must first isolate the threat to prevent further damage before cleanup begins.

706
MCQeasy

Based on the exhibit, what is the first action the incident response team should take?

A.Confirm the IDS alert is not a false positive.
B.Review the web server logs on 192.168.1.10 for evidence of exploitation.
C.Block the source IP 10.5.5.5 on the firewall.
D.Disable the firewall rule 'Allow-Internal-Web'.
AnswerB

Correct: the web server's own logs show whether the attack the IDS flagged actually reached the application and succeeded.

Why this answer

Option B is correct because the first action in incident response is to validate the alert by examining the web server logs on 192.168.1.10. The logs show whether the flagged request reached the application, what the server returned and whether any follow-on activity occurred, which confirms whether the IDS alert corresponds to actual exploitation before containment or eradication steps are taken. Reviewing logs also preserves a forensic record and ensures the response is based on confirmed facts, not assumptions.

Exam trap

The trap here is that candidates often jump to containment (blocking IPs or disabling rules) without first validating the alert through log analysis, which is a critical step to avoid disrupting legitimate traffic or missing forensic evidence.

How to eliminate wrong answers

Option A is wrong because it names the goal without specifying the action: reviewing the target's logs (B) is how the false-positive determination is actually made, and it also yields the scope information needed for the decisions that follow. Option C is wrong because blocking the source IP 10.5.5.5 on the firewall is a containment action that should only be taken after confirming the alert is valid and understanding the scope of the incident. Option D is wrong because disabling the firewall rule 'Allow-Internal-Web' would disrupt legitimate traffic and is a premature containment measure without first verifying the alert and assessing the impact.

707
MCQeasy

During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?

A.Mitigate by moving the backup server to a geographically separate location.
B.Transfer the risk by purchasing business interruption insurance.
C.Avoid the risk by discontinuing the backup process.
D.Accept the risk because the cost of mitigation is high.
AnswerA

This reduces the likelihood of both servers being lost simultaneously.

Why this answer

Moving the backup server to a geographically separate location directly eliminates the single point of failure by ensuring that a localized disaster (e.g., fire, flood, power outage) at the primary data center does not simultaneously destroy both the primary and backup data. This is a classic risk mitigation strategy that reduces the likelihood and impact of data loss, aligning with the principle of geographic redundancy for disaster recovery.

Exam trap

The trap here is that candidates may confuse risk transfer (insurance) with risk mitigation (redundancy), or incorrectly assume that accepting the risk is acceptable when a clear, cost-effective mitigation exists, especially in a CISM scenario where the organization's risk appetite is not explicitly stated as high.

How to eliminate wrong answers

Option B is wrong because purchasing business interruption insurance transfers the financial risk of downtime but does not address the technical single point of failure; the backup data remains vulnerable to the same physical disaster as the primary server. Option C is wrong because discontinuing the backup process would avoid the risk of backup failure but introduces an unacceptable risk of permanent data loss, violating fundamental data protection and business continuity requirements. Option D is wrong because accepting the risk without justification is inappropriate when a cost-effective mitigation (moving the backup server) is available; the cost of mitigation is not inherently high, and the risk of total data loss typically outweighs the expense of geographic separation.

708
Multi-Selectmedium

Which of the following are key components of an information security risk management program? (Select TWO)

Select 2 answers
A.Risk assessment
B.Vulnerability scanning
C.Risk treatment
D.Incident response
AnswersA, C

Why this answer

Risk assessment is a core component of an information security risk management program because it systematically identifies, analyzes, and evaluates risks to information assets. It provides the foundational understanding of threats, vulnerabilities, and impacts necessary for informed decision-making. Without a formal risk assessment, the program lacks the data needed to prioritize and justify security investments. Risk treatment is the second core component: for each assessed risk the program must decide whether to mitigate, transfer, avoid or accept it, assign an owner, and track the treatment to completion. Assessment without treatment produces a register nobody acts on; treatment without assessment spends money on unprioritized controls.

Exam trap

ISACA often tests the distinction between program-level components (risk assessment, risk treatment) and operational activities (vulnerability scanning, incident response) to see if candidates understand that the risk management program is a strategic, governance framework, not a list of technical tasks.

Why the other options are wrong

B

Vulnerability scanning is a tool used within risk assessment, not a component of the program itself.

D

Incident response is a separate process, not a component of risk management.

709
Multi-Selectmedium

A security manager is measuring the security culture of the organization. Which three metrics are most appropriate?

Select 3 answers
A.Phishing simulation click rate
B.Training completion rate
C.Security budget as percentage of IT budget
D.Number of security policies published
E.Percentage of incidents due to human error
AnswersA, B, E

Measures user susceptibility to phishing.

Why this answer

These metrics directly reflect employee behavior and the effectiveness of the security culture program.

710
Multi-Selecthard

A security manager is developing OKRs for the security team. Which TWO key results are appropriate leading indicators? (Select TWO)

Select 2 answers
A.Complete 100% of privileged access reviews quarterly
B.Achieve zero critical vulnerabilities in external scans
C.Reduce number of data breaches by 20%
D.Achieve 95% patch compliance within 30 days of release
E.Decrease mean time to detect (MTTD) to under 1 hour
AnswersA, D

Access review completion is a leading indicator for IAM governance.

Why this answer

Leading indicators measure activity that should prevent bad outcomes before they occur and that the team can influence directly: completing privileged access reviews on schedule (A) and patching within 30 days of release (D) are both such controllable activities. Breach counts (C) and MTTD (E) are lagging outcome measures that only move after an incident has happened, and zero critical findings on an external scan (B) is the result of patching rather than the activity itself.

711
MCQhard

An organization's SOC team is measured on mean time to detect (MTTD) and mean time to respond (MTTR). The security manager notices that MTTD is low but MTTR is high. What is the most likely cause?

A.The team is understaffed during off-hours
B.The vulnerability management program is ineffective
C.The SIEM is generating too many false positives
D.The incident response process lacks automation or clear procedures
AnswerD

Slow response despite quick detection points to process or automation gaps.

Why this answer

Low detection time but high response time indicates that while alerts are generated quickly, the response process is slow due to inefficiencies in triage or remediation.

712
MCQeasy

A company engages a third-party vendor to process customer data. Which of the following is the most critical step in managing the associated risk?

A.Requiring the vendor to sign a non-disclosure agreement
B.Conducting a due diligence assessment before contracting
C.Performing a vulnerability scan of the vendor's network
D.Including a clause that transfers liability to the vendor
AnswerB

Pre-contract due diligence is the most critical to identify and mitigate risks early.

Why this answer

Conducting due diligence before contracting is essential to identify risks and ensure the vendor meets security requirements. Vulnerability scans are part of due diligence but not the most critical step. NDA and liability clauses are important but secondary to initial assessment.

713
MCQhard

An organization's IR plan is tested annually. After a test, many gaps are identified. What is the best next step?

A.Update the IR plan based on lessons learned and schedule a follow-up test
B.Train all employees on the plan
C.Wait for the next scheduled test in one year
D.Purchase additional security tools
AnswerA

Correct: Continuous improvement reduces gaps.

Why this answer

Updating the plan based on lessons learned and scheduling a follow-up test improves preparedness.

714
MCQhard

During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

A.Inadequate monitoring of DNS traffic for anomalies
B.Weak password policies
C.Unpatched web server software
D.Lack of data-at-rest encryption
AnswerA

Without monitoring DNS traffic for tunneling, exfiltration can go unnoticed for long periods.

Why this answer

The correct answer is A because DNS tunneling exfiltrates data by encoding it within DNS queries and responses, which are often allowed through firewalls without deep inspection. The attacker remained undetected for three months because the security team lacked monitoring of DNS traffic for anomalies, such as unusual query volumes to a single domain, a query mix skewed toward record types that carry large payloads (TXT, NULL), or long subdomain labels with high entropy that are never repeated. Without DNS-specific anomaly detection or a security information and event management (SIEM) system correlating resolver logs, the exfiltration blended into normal traffic.

Exam trap

The trap here is that candidates may focus on the initial breach vector (e.g., unpatched software or weak passwords) rather than the detection failure that allowed the exfiltration to persist undetected for months, which is the core of the question.

How to eliminate wrong answers

Option B is wrong because weak password policies would not directly enable undetected data exfiltration over three months; they might allow initial access but do not explain the persistence of DNS tunneling. Option C is wrong because unpatched web server software could be an initial vector, but the question focuses on the weakness that allowed the attacker to remain undetected for so long, not the entry point. Option D is wrong because lack of data-at-rest encryption does not affect detection of outbound data exfiltration via DNS tunneling; it concerns data confidentiality if storage is compromised, not network monitoring.
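As an added example that is not part of the question bank, the Python below implements the kind of DNS anomaly check the explanation describes: it profiles queries per registered domain over a constructed resolver log and flags domains whose leftmost labels are long and high-entropy, whose query mix is dominated by TXT/NULL records, and whose subdomains are never reused. The log lines, thresholds and domain names are all assumptions for illustration, and the last-two-labels approximation of the registered domain should be replaced with a Public Suffix List lookup in real use.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, not from the page: "client qname qtype" per line.
# The 10.0.0.77 entries imitate a tunnel: long high-entropy leftmost labels, all TXT,
# no label ever reused. The remaining lines are ordinary browsing and mail lookups.
SAMPLE_DNS_LOG = """\
10.0.0.21 www.example.com A
10.0.0.21 mail.example.com MX
10.0.0.34 cdn.example.net A
10.0.0.34 www.example.com AAAA
10.0.0.77 0123456789abcdeffedcba9876543210.tunnel.example.org TXT
10.0.0.77 13579bdf02468ace13579bdf02468ace.tunnel.example.org TXT
10.0.0.77 fedcba98765432100123456789abcdef.tunnel.example.org TXT
10.0.0.77 02468ace13579bdf02468ace13579bdf.tunnel.example.org TXT
10.0.0.77 0f1e2d3c4b5a69780f1e2d3c4b5a6978.tunnel.example.org TXT
10.0.0.77 8796a5b4c3d2e1f08796a5b4c3d2e1f0.tunnel.example.org TXT
10.0.0.21 api.example.com A
"""

# Record types tunnels favour because they carry large free-form payloads.
TUNNEL_QTYPES = {"TXT", "NULL"}

# Thresholds are assumptions for the example; tune them against your own baseline.
MIN_QUERIES = 5
ENTROPY_THRESHOLD = 3.5      # bits/char; hex or base32 payload sits near 4-5, words near 2-3
LABEL_LENGTH_THRESHOLD = 20  # characters in the leftmost label
TUNNEL_QTYPE_FRACTION = 0.5
UNIQUE_LABEL_RATIO = 0.9


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a label; encoded payload scores high, words score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels.
    Simplification for the example: production code should use the Public Suffix List
    so that names under co.uk and similar suffixes group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def profile_domains(log_text: str) -> dict:
    """Aggregate the per-domain features the tunneling heuristics need."""
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        _client, qname, qtype = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # a bare registered domain has no subdomain label to carry payload
        s = stats.setdefault(registered_domain(qname), {
            "queries": 0, "tunnel_qtypes": 0, "label_len_total": 0,
            "entropy_total": 0.0, "unique_labels": set(),
        })
        leftmost = labels[0]
        s["queries"] += 1
        s["tunnel_qtypes"] += int(qtype.upper() in TUNNEL_QTYPES)
        s["label_len_total"] += len(leftmost)
        s["entropy_total"] += shannon_entropy(leftmost)
        s["unique_labels"].add(leftmost)
    return stats


def tunneling_indicators(s: dict) -> list:
    """Return the heuristics a domain's profile triggers (empty list means nothing suspicious)."""
    q = s["queries"]
    if q < MIN_QUERIES:
        return []  # too few observations to judge; avoids flagging one odd lookup
    reasons = []
    if s["entropy_total"] / q >= ENTROPY_THRESHOLD and s["label_len_total"] / q >= LABEL_LENGTH_THRESHOLD:
        reasons.append("long, high-entropy subdomain labels")
    if s["tunnel_qtypes"] / q >= TUNNEL_QTYPE_FRACTION:
        reasons.append("query mix dominated by TXT/NULL records")
    if len(s["unique_labels"]) / q >= UNIQUE_LABEL_RATIO:
        reasons.append("every query uses a fresh subdomain (defeats caching, typical of data in flight)")
    return reasons


def detect_tunneling(log_text: str) -> dict:
    """Map each suspicious registered domain to the indicators it triggered."""
    flagged = {}
    for domain, s in profile_domains(log_text).items():
        reasons = tunneling_indicators(s)
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in detect_tunneling(SAMPLE_DNS_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

Two caveats a practitioner would add. Legitimate services (CDNs, anti-malware reputation lookups, some cloud hostnames) also generate long random-looking labels, so these are triage signals to baseline and allow-list, not a block rule. And the check only works if the resolver being logged actually sees the traffic: hosts that can reach external DoH/DoT resolvers or send raw port 53 to the internet bypass it entirely, so the control depends on forcing resolution through logged internal resolvers and blocking direct external DNS at the egress.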

715
MCQmedium

After a ransomware incident, the incident response team contains the spread and begins eradication. The team discovers that the ransomware encrypted files on a file server and also deleted shadow copies. Which of the following should the team do NEXT to support recovery?

A.Restore the encrypted files from the most recent backup.
B.Create a forensic image of the file server and affected endpoints.
C.Attempt to decrypt the files using available decryption tools.
D.Notify law enforcement immediately.
AnswerB

Preserving evidence is essential before any recovery actions.

Why this answer

After containment and eradication, the priority is to preserve evidence for root cause analysis and potential legal action. Creating a forensic image of the file server and affected endpoints (and capturing memory where the systems are still running) records the ransomware artifacts, persistence mechanisms, system state and any key material still resident before recovery actions overwrite them. This supports the investigation that the later lessons-learned phase depends on and lets the team determine the attack vector and prevent recurrence.

Exam trap

The trap here is that candidates assume recovery (restoring backups) is the immediate next step, but CISM emphasizes that evidence preservation must precede any recovery action to support forensic analysis and legal proceedings.

How to eliminate wrong answers

Option A is wrong because restoring from backup before forensic imaging risks overwriting evidence on the affected systems (ransomware binaries, persistence entries in the registry or scheduled tasks, local logs) that is essential for identifying the initial compromise vector. Option C is wrong because attempting decryption without first preserving evidence may alter the system state, and decryption tools are rarely available for modern ransomware; even if successful, the team loses forensic data. Option D is wrong because law enforcement notification is not an immediate technical step for recovery; it should occur after evidence preservation and as part of the incident communication plan, not before forensic imaging.

716
MCQhard

A global company is establishing an information security governance committee. Which membership composition BEST ensures alignment between security and business strategy?

A.IT operations managers and the CISO
B.Chief Information Security Officer (CISO) and IT directors only
C.Senior leaders from each business unit, the CISO, and the Chief Risk Officer
D.Chief Financial Officer (CFO), General Counsel, and CISO
AnswerC

Ensures business alignment and risk integration.

Why this answer

Option C is correct because it ensures that the information security governance committee includes senior leaders from each business unit, the CISO, and the Chief Risk Officer. This composition directly aligns security initiatives with business strategy by integrating business objectives, risk appetite, and security expertise at the strategic decision-making level, which is essential for effective governance as defined by ISACA's CISM framework.

Exam trap

The trap here is that candidates often assume a committee composed solely of IT and security roles (like the CISO and IT directors) is sufficient, but CISM emphasizes that governance requires cross-functional senior leadership to ensure security is a business enabler, not just a technical function.

How to eliminate wrong answers

Option A is wrong because IT operations managers and the CISO lack the senior business representation needed to align security with business strategy; this composition focuses on operational IT issues rather than strategic governance. Option B is wrong because the CISO and IT directors only represent the IT function, creating a siloed approach that fails to incorporate business unit perspectives and risk management oversight. Option D is wrong because while the CFO and General Counsel bring financial and legal perspectives, the absence of business unit leaders and the Chief Risk Officer limits the committee's ability to integrate security strategy with diverse business objectives and enterprise risk management.

717
MCQeasy

Which of the following is a key objective of a Security Operations Center (SOC)?

A.Conducting risk assessments
B.Developing security policies
C.Monitoring and responding to security incidents
D.Managing user access rights
AnswerC

This is the core function of a SOC.

Why this answer

The SOC's primary objectives include monitoring, detection, and response to security incidents. Risk assessment is typically a GRC function, and policy creation is a governance function.

718
MCQeasy

Which metric is most indicative of security program effectiveness?

A.Security budget spent
B.Time to patch critical vulnerabilities
C.Number of security tools deployed
D.Number of security incidents
AnswerB

This metric shows how quickly the organization mitigates high-risk exposures.

Why this answer

Time to patch critical vulnerabilities directly reflects the organization's ability to reduce exposure to known exploits, which is a key outcome of an effective security program. Unlike input metrics (budget, tools) or lagging indicators (incident count), this metric measures the speed of a critical risk-reduction process, aligning with CISM's focus on program governance and risk management.

Exam trap

The trap here is that candidates confuse activity metrics (budget spent, tools deployed) with outcome-based metrics, failing to recognize that CISM emphasizes measuring the effectiveness of risk management processes, not the volume of resources or incidents.

How to eliminate wrong answers

Option A is wrong because security budget spent is an input metric that does not measure effectiveness; a program can spend heavily yet fail to reduce risk due to poor allocation or execution. Option C is wrong because the number of security tools deployed is a vanity metric; more tools can increase complexity and blind spots without improving security posture. Option D is wrong because the number of security incidents is a lagging indicator that can be influenced by detection capabilities; a low incident count may reflect poor detection rather than true program effectiveness.

719
MCQhard

During a P1 incident, the crisis management team (CMT) is activated and meets within the first hour. Which communication practice is most appropriate for the CMT to follow when providing updates to the board of directors?

A.Send a brief status report every hour, avoiding speculation and including legal counsel review
B.Provide detailed technical updates every hour
C.Provide speculative root cause analysis to demonstrate competence
D.Wait until the incident is fully understood before any communication
AnswerA

This maintains timely communication while protecting confidentiality.

Why this answer

During a P1 incident, the CMT must provide timely, concise updates to the board to maintain trust and enable strategic decisions. Option A is correct because it balances frequency (hourly) with content discipline (avoiding speculation) and includes legal counsel review, which is critical for compliance and liability management. This aligns with the CISM Incident Management domain's emphasis on clear, non-technical communication to senior leadership.

Exam trap

The trap here is that candidates confuse the need for technical accuracy with the board's need for strategic clarity, leading them to choose detailed technical updates (Option B) instead of concise, legally vetted status reports.

How to eliminate wrong answers

Option B is wrong because detailed technical updates are inappropriate for the board, which requires high-level impact and status summaries, not technical minutiae like packet captures or system logs. Option C is wrong because speculative root cause analysis can mislead the board, create false confidence, and expose the organization to legal or reputational risk if the actual cause differs. Option D is wrong because waiting until full understanding delays critical communication, leaving the board uninformed and unable to make timely resource or public relations decisions.

720
MCQmedium

In a vendor risk assessment, a third-party vendor will have access to sensitive customer data. According to TPRM best practices, what should the organization do first?

A.Conduct a risk assessment
B.Include security requirements in the contract
C.Define exit procedures
D.Perform ongoing monitoring
AnswerA

Risk assessment determines the level of due diligence needed.

Why this answer

A risk assessment is performed to understand the risks before defining contract requirements and ongoing monitoring.

721
Multi-Selectmedium

Which THREE of the following are typical steps in a qualitative risk assessment?

Select 3 answers
A.Estimate likelihood and impact using rating scales
B.Prioritize risks based on risk ratings
C.Identify assets and threats
D.Calculate annualized loss expectancy (ALE)
E.Assign monetary values to impact
AnswersA, B, C

Rating scales (e.g., 1-5) are qualitative.

Why this answer

Option A is correct because qualitative risk assessment uses ordinal rating scales (e.g., 1-5 or Low-Medium-High) to estimate likelihood and impact based on expert judgment, not precise numerical values. This approach is standard in frameworks like ISO 27005 and NIST SP 800-30, which define qualitative analysis as relying on subjective categorization rather than hard financial data.

Exam trap

The trap here is that candidates confuse qualitative and quantitative risk assessment steps, mistakenly selecting ALE or monetary assignment as part of qualitative analysis because they recall 'risk calculation' without distinguishing the method.

722
MCQeasy

After successfully containing an incident, the incident response team discovers that the attacker exploited a previously unknown vulnerability in a web application. The vulnerability is not yet patched by the vendor. The organization's management is concerned about the risk of another attack using the same vulnerability. What should the team recommend as the immediate action to reduce this risk?

A.Implement a workaround to mitigate the vulnerability
B.Disable the web application until a patch is available
C.Report the vulnerability to the software vendor
D.Develop an in-house patch for the vulnerability
AnswerA

Workarounds can reduce risk quickly without waiting for a patch.

Why this answer

Implementing a workaround (such as a web application firewall rule or configuration change) reduces the immediate risk while waiting for a vendor patch. Developing a patch in-house is not advisable due to complexity and risk. Reporting to vendor is important but does not provide immediate protection.

Disabling the service may be too disruptive.

723
MCQhard

When designing phishing simulations, which approach best balances user learning and operational disruption?

A.Send high-difficulty simulations monthly without training
B.Start with low-difficulty simulations, increase difficulty over time, and require remediation training for clickers
C.Use low-difficulty simulations quarterly with no follow-up
D.Send random-difficulty simulations weekly and report clickers to management
AnswerB

This approach educates users and improves detection skills gradually.

Why this answer

Progressive difficulty and remediation training for clickers helps users learn while minimizing negative impact on productivity.

724
MCQmedium

An organization's security program has been in place for two years, but recently several security incidents occurred due to lack of user awareness. What is the most likely root cause?

A.The awareness program is not regularly updated or evaluated for effectiveness.
B.Lack of a security awareness program.
C.Insufficient budget for security tools.
D.Insufficient firewall rules.
AnswerA

Continuous improvement is needed; without updates, awareness decays.

Why this answer

The correct answer is A because the scenario states the security program has been in place for two years, yet incidents persist due to lack of user awareness. This indicates the awareness program exists but is not being regularly updated or evaluated for effectiveness, which is a common root cause in mature programs where content becomes stale and fails to address evolving threats like phishing or social engineering.

Exam trap

The trap here is that candidates assume any security program automatically includes an effective awareness component, but CISM emphasizes that programs must be evaluated and updated regularly; a static program is as ineffective as having none.

How to eliminate wrong answers

Option B is wrong because the scenario implies a security program exists, so the root cause is not the absence of an awareness program but its lack of updates or evaluation. Option C is wrong because insufficient budget for security tools does not directly address user awareness failures; the incidents are due to human behavior, not tooling gaps. Option D is wrong because insufficient firewall rules are a technical control issue unrelated to user awareness; firewall misconfigurations would not cause incidents stemming from a lack of user knowledge.

725
MCQmedium

A company is developing a risk treatment plan for a set of identified risks. One risk involves a third-party vendor that hosts critical data. The risk owner recommends accepting the risk. Which of the following conditions would BEST support this decision?

A.The organization has no compensating controls in place
B.The cost to mitigate is higher than the potential financial loss from a breach
C.The risk is within the organization's risk appetite but the business impact is high
D.The vendor has a history of security incidents
AnswerB

If mitigation costs outweigh the expected loss, acceptance is a sound business decision.

Why this answer

Option B is correct because risk acceptance is justified when the cost of mitigation exceeds the potential financial loss from a breach. This aligns with the cost-benefit analysis principle in risk management: if the cost to implement controls (e.g., migrating to a more secure vendor or adding encryption) is higher than the expected loss (e.g., $50,000 in breach costs vs. $100,000 in mitigation), accepting the residual risk is economically rational. The decision must still ensure the risk is within the organization's risk appetite.

Exam trap

The trap here is that candidates often confuse risk acceptance with ignoring the risk, but CISM requires that acceptance be a deliberate, documented decision based on cost-benefit analysis, not merely a default when no controls exist.

How to eliminate wrong answers

Option A is wrong because the absence of compensating controls describes the current exposure, not a justification for accepting it; acceptance requires a documented judgment, grounded in risk appetite and cost-benefit analysis, that the exposure is tolerable, and a risk with no controls at all more often calls for treatment than acceptance. Option C is wrong because a high business impact contradicts risk acceptance; even if the risk is within risk appetite, high impact usually demands mitigation or transfer to reduce potential damage. Option D is wrong because a vendor with a history of security incidents increases the likelihood of a breach, making acceptance imprudent unless the cost of mitigation is prohibitive and the risk is formally documented as accepted.
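Questions 721 and 725 (and the backup scenario in 707) describe the two halves of a treatment decision: an ordinal likelihood x impact rating to prioritize, and a cost-benefit comparison of annualized loss expectancy against control cost to justify acceptance. The Python below, added here as an example and not drawn from the question bank, puts both side by side and encodes the rule from the explanation above that acceptance is only available for risk inside appetite. The 5x5 scale, the heat-map bands, the appetite threshold and the sample register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Ordinal rating bands, lowest to highest. Constructed for this example.
RATING_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), qualitative scale
    impact: int       # 1 (negligible) .. 5 (severe), qualitative scale
    sle: float        # single loss expectancy in currency units, quantitative
    aro: float        # annualized rate of occurrence, quantitative


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_aro: float  # ARO expected once the control is operating


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Place a likelihood x impact cell into an ordinal band (one common 5x5 heat-map convention).
    The product only selects the band; the result is a label, not a number you can add up."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    cell = likelihood * impact
    if cell >= 15:
        return "critical"
    if cell >= 8:
        return "high"
    if cell >= 4:
        return "medium"
    return "low"


def prioritize(register: list) -> list:
    """Order a register by rating band, then by impact; ordering is all a qualitative method yields."""
    return sorted(
        register,
        key=lambda r: (-RATING_ORDER.index(qualitative_rating(r.likelihood, r.impact)), -r.impact),
    )


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the quantitative step a qualitative assessment deliberately skips."""
    return sle * aro


def recommend_treatment(risk: Risk, control: Control, appetite: str = "medium") -> str:
    """Return 'treat', 'mitigate' or 'accept'.

    - Rating above appetite: acceptance is off the table regardless of cost
      (mitigate, transfer or avoid).
    - Inside appetite and the control removes more ALE than it costs: mitigate anyway.
    - Inside appetite and the control costs more than the ALE it removes: acceptance is
      defensible, provided the decision is documented and has an owner.
    """
    rating = qualitative_rating(risk.likelihood, risk.impact)
    if RATING_ORDER.index(rating) > RATING_ORDER.index(appetite):
        return "treat"
    saving = (annualized_loss_expectancy(risk.sle, risk.aro)
              - annualized_loss_expectancy(risk.sle, control.residual_aro))
    if saving > control.annual_cost:
        return "mitigate"
    return "accept"


# Constructed register entries with illustrative figures only.
VENDOR_RISK = Risk("third-party hosting of critical data", 2, 3, sle=50_000, aro=1.0)
VENDOR_CONTROL = Control("migrate to a higher-assurance vendor", annual_cost=100_000, residual_aro=0.1)

BACKUP_RISK = Risk("backup server in same data center as primary", 2, 3, sle=400_000, aro=0.05)
OFFSITE_BACKUP = Control("geographically separate backup site", annual_cost=12_000, residual_aro=0.005)

LEGACY_RISK = Risk("unpatched legacy application", 4, 4, sle=10_000, aro=0.5)
LEGACY_CONTROL = Control("network isolation and virtual patching", annual_cost=50_000, residual_aro=0.1)


if __name__ == "__main__":
    pairs = [(VENDOR_RISK, VENDOR_CONTROL), (BACKUP_RISK, OFFSITE_BACKUP), (LEGACY_RISK, LEGACY_CONTROL)]
    for risk in prioritize([r for r, _ in pairs]):
        control = dict(pairs)[risk]
        print(f"{risk.name}: {qualitative_rating(risk.likelihood, risk.impact)} -> "
              f"{recommend_treatment(risk, control)} ({control.name})")
```

The three register entries exercise the three branches: the vendor risk mirrors the numbers in the explanation above (a control costing more than the loss it prevents, so acceptance is defensible), the backup risk is inside appetite but has a control that pays for itself, so it is mitigated rather than accepted, and the legacy application is rated above appetite, so it must be treated even though the cost-only arithmetic would have favoured acceptance.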

726
Drag & Dropmedium

Arrange the steps in order for conducting a business impact analysis (BIA) in business continuity management.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

A BIA first identifies critical functions, then determines acceptable downtime, assesses impact, prioritizes recovery, and finally documents findings.

727
MCQmedium

An organization has experienced a credential compromise incident. Which playbook should the incident response team primarily use?

A.Data breach playbook
B.Ransomware playbook
C.Credential compromise playbook
D.Insider threat playbook
AnswerC

Each incident type has a dedicated playbook; credential compromise is one.

Why this answer

Playbooks are tailored to incident types; credential compromise has its own specific playbook.

728
MCQeasy

An organization's intrusion detection system alerts on a potential C2 communication from an internal host. Which phase of the incident response lifecycle should be initiated first?

A.Post-Incident Activity
B.Preparation
C.Containment, Eradication, and Recovery
D.Detection and Analysis
AnswerD

Alert triggers the detection phase.

Why this answer

When an IDS alerts on potential C2 communication, the organization must first verify the alert and determine the scope of the incident. The Detection and Analysis phase is the initial step in the incident response lifecycle, as defined by NIST SP 800-61, because it involves confirming the alert, analyzing indicators of compromise (IoCs), and assessing the severity before any containment actions are taken. Without proper detection and analysis, containment efforts could be misdirected or ineffective.

Exam trap

ISACA often tests the misconception that containment should be the immediate priority, but the trap here is that without first performing Detection and Analysis, you cannot accurately contain the threat, potentially allowing the attacker to pivot or destroy evidence.

How to eliminate wrong answers

Option A is wrong because Post-Incident Activity occurs after the incident is resolved, involving lessons learned and reporting, not as the first response to an active alert. Option B is wrong because Preparation is a proactive phase that establishes policies, tools, and training before an incident occurs, not a reactive step when a C2 alert fires. Option C is wrong because Containment, Eradication, and Recovery should only be initiated after the alert has been validated and analyzed; jumping to containment without analysis risks disrupting legitimate traffic or missing the full scope of the compromise.

729
MCQmedium

During a DDoS attack, the incident response team determines that the attack cannot be mitigated within the maximum tolerable downtime (MTD). What should happen next?

A.Notify the board of directors
B.Continue current mitigation efforts
C.Activate business continuity and disaster recovery plans
D.Declare a disaster immediately
AnswerC

Transition to BC/DR to ensure continuity.

Why this answer

When an incident cannot be resolved within MTD, the organization should escalate to business continuity and disaster recovery activation.

730
MCQhard

A company is assessing nth-party risk from a critical cloud provider. Which approach should be taken to manage this risk effectively?

A.Replace the cloud provider with an in-house solution
B.Conduct a direct audit of the provider's subcontractors
C.Ignore nth-party risk as it is out of scope
D.Require the cloud provider to contractually manage and report on their subcontractors
AnswerD

This extends risk management to the provider's own supply chain.

Why this answer

Managing nth-party risk requires understanding the cloud provider's supply chain. Contractual requirements for the provider to manage their subcontractors and regular audits help mitigate downstream risks.

731
Multi-Selectmedium

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly three.)

Select 3 answers
A.Risk elimination
B.Risk transfer (sharing)
C.Risk avoidance
D.Risk mitigation (reduction)
E.Risk deferral
AnswersB, C, D

Transfer involves sharing risk with another party, e.g., insurance.

Why this answer

Option B is correct because ISO 31000 lists sharing the risk (commonly called transfer) as a treatment option, where part of the risk is shifted to another party, such as through insurance or outsourcing; this is a standard approach in information security risk management for reducing the financial impact of a risk event. Option C is correct because avoidance, deciding not to start or continue the activity that gives rise to the risk, is likewise an explicit ISO 31000 treatment. Option D is correct because mitigation (reduction), changing the likelihood or the consequences of the risk, is the treatment most security controls implement.

Exam trap

ISACA often tests the distinction between 'risk elimination' and 'risk avoidance' to trap candidates who confuse the two, as elimination implies complete removal of the risk source, which is rarely achievable in information security, while avoidance means not engaging in the risky activity at all.

732
MCQmedium

When selecting security controls, which controls should a company prioritize for implementation first?

A.Controls that are least expensive
B.Controls that are easiest to implement
C.All controls from the chosen framework equally
D.Controls that address the highest risks and are critical to business operations
AnswerD

Risk-based prioritization ensures resources are focused on most impactful areas.

Why this answer

Critical controls that address the most significant risks should be implemented first.

733
MCQhard

You are the CISO of a mid-sized financial services firm that processes credit card transactions. The company has recently expanded its operations to include a mobile payment application that stores payment credentials in the cloud. The current information security program was designed primarily for the on-premises environment and has not been updated to address cloud-specific risks. The internal audit team has identified that the cloud service provider (CSP) does not have an independent third-party audit report (e.g., SOC 2) available for review. Additionally, the mobile app development team has been deploying code without formal security review, citing the need for rapid releases to compete in the market. The CEO has expressed concern about the potential for a data breach and has asked you to recommend immediate actions to strengthen the security program while minimizing business disruption. Which of the following should you recommend as the FIRST course of action?

A.Encrypt all data in transit and at rest using the organization's own encryption keys.
B.Implement compensating controls such as tokenization for all cardholder data stored in the cloud.
C.Conduct a detailed security assessment of the cloud service provider's controls and contractually require an annual SOC 2 Type II report.
D.Require the mobile app development team to undergo formal security training and implement a peer review process for all code deployments.
AnswerC

This directly addresses the gap in oversight and provides assurance over the CSP's controls.

Why this answer

Option C is the correct first course of action because the absence of an independent third-party audit report (e.g., SOC 2 Type II) means the organization has no verified assurance that the cloud service provider (CSP) has adequate security controls in place. As CISO, you must immediately assess the CSP's security posture and contractually mandate a SOC 2 Type II report to gain visibility into the effectiveness of the CSP's controls over time, which is foundational before implementing any compensating technical controls. This aligns with the CISM emphasis on governance and risk management, where vendor due diligence is a first step when expanding into cloud environments.

Exam trap

The trap here is that candidates often jump to implementing a technical control (like encryption or tokenization) as the immediate fix, but the CISM exam emphasizes that governance and vendor risk management—specifically obtaining independent assurance of the CSP's controls—must come first before deploying compensating technical measures.

How to eliminate wrong answers

Option A is wrong because encrypting data with the organization's own keys (client-side encryption) does not address the root cause—lack of visibility into the CSP's overall security posture; encryption is a compensating control that should follow a proper vendor risk assessment. Option B is wrong because implementing tokenization for cardholder data is a tactical data-centric control that does not resolve the immediate governance gap of having no independent audit report on the CSP; tokenization should be considered after contractual assurance is established. Option D is wrong because requiring security training and peer review for the mobile app development team, while beneficial, does not address the most critical risk—the unverified cloud provider—and would not be the first priority when the CSP's controls are completely unknown.

734
MCQeasy

An organization's incident response plan includes a ransomware playbook. After detecting ransomware on a critical server, which of the following should be the FIRST action according to best practices?

A.Notify the CEO and legal counsel before taking any action.
B.Disconnect the server from the network and isolate it.
C.Pay the ransom immediately to regain access.
D.Immediately reboot the server to remove the ransomware.
AnswerB

Containment is the priority to limit damage.

Why this answer

Option B is correct because the immediate priority in ransomware containment is to prevent lateral movement and further encryption of systems. Disconnecting the server from the network (e.g., unplugging the Ethernet cable or disabling the virtual switch port) stops the ransomware from communicating with its command-and-control (C2) server and encrypting additional network shares. Isolate rather than power off, so that volatile memory is preserved for forensics. This aligns with the NIST SP 800-61 containment guidance, which calls for containing an incident early, before it spreads further.

Exam trap

ISACA often tests the misconception that immediate notification of executives or legal counsel is the first step, but the CISM framework prioritizes containment actions (like isolation) before communication, to prevent further damage.

How to eliminate wrong answers

Option A is wrong because notifying the CEO and legal counsel before taking action introduces unnecessary delay, allowing the ransomware to spread further and encrypt more data; notification should occur after containment. Option C is wrong because paying the ransom is not a first action: it is a last-resort business decision that may encourage further attacks, does not guarantee data recovery, and runs counter to FBI and CISA guidance. Option D is wrong because rebooting the server clears volatile memory (where running-process artifacts and sometimes the ransomware's keys live), may let the malware's persistence mechanism re-run and finish encrypting, and destroys forensic evidence, potentially causing permanent data loss.

735
MCQhard

Following a data breach, an organization conducts a root cause analysis using the 5 Whys technique. The analysis identifies that a misconfigured firewall allowed unauthorized access. What is the most important next step to prevent recurrence?

A.Implement a change management process to prevent unauthorized configuration changes
B.Update the firewall rule base immediately
C.Conduct a vulnerability scan on all firewalls
D.Disconnect the firewall from the network
AnswerA

Addressing the process failure that allowed the misconfiguration prevents similar issues across the organization.

Why this answer

Root cause analysis should uncover not just technical causes but also the process and governance failures that allowed the misconfiguration. Addressing the management failure (e.g., inadequate change management) provides a systemic fix.

736
MCQmedium

Based on the exhibit, an incident involves unauthorized access to a file server containing corporate training videos. No sensitive data is stored there. Which priority should the incident be assigned?

A.Critical
B.Medium
C.High
D.Low
AnswerD

Low-value data, easily restored.

Why this answer

Option D is correct because the training videos are low-value data with no sensitive information and can be restored from backup. Option A is wrong because there is no sensitive data and no regulatory implication. Option B is wrong because no sensitive business data is involved. Option C is wrong because no operational data is affected.

737
MCQeasy

The board of directors has requested a security metrics dashboard. Which metric would BEST demonstrate the effectiveness of the incident response process?

A.Percentage of users trained
B.Mean Time to Respond (MTTR)
C.Number of security incidents
D.Patch compliance percentage
AnswerB

MTTR indicates how quickly incidents are contained and remediated.

Why this answer

Mean Time to Respond (MTTR) directly measures the speed and effectiveness of incident response.

738
Multi-Selecthard

Which THREE of the following are essential roles in an effective information security governance structure? (Choose three.)

Select 3 answers
A.Help desk manager.
B.Board of directors.
C.Network administrator.
D.Security steering committee.
E.Chief information security officer (CISO).
AnswersB, D, E

Provides strategic oversight and direction.

Why this answer

The board of directors is essential because it holds ultimate accountability for the organization's risk posture and must approve the information security strategy, policies, and resource allocation. Without board-level oversight, security governance lacks the authority to enforce compliance and align security objectives with business goals. This aligns with the CISM framework's emphasis on top-down governance, where the board provides strategic direction and ensures adequate funding for security initiatives. The security steering committee (Option D) turns that direction into priorities agreed across business units, and the CISO (Option E) is accountable for building and running the program that carries them out.

Exam trap

The trap here is that candidates confuse operational or technical roles (help desk manager, network administrator) with governance roles, failing to recognize that governance requires strategic oversight and accountability, not hands-on technical execution.

739
Multi-Selecteasy

Which TWO of the following are best practices for preserving digital evidence during an incident? (Select exactly 2)

Select 2 answers
A.Create a forensic image of the hard drive using a write blocker
B.Document the chain of custody
C.Interview witnesses before collecting data
D.Run antivirus scans on the affected system
E.Reboot the system to clear memory
AnswersA, B

Write blocker prevents alteration of original data.

Why this answer

Creating a forensic image with a write blocker (Option A) is a best practice because it captures an exact bit-for-bit copy of the storage media without altering the original data. The write blocker intercepts write commands at the hardware or software level, ensuring the integrity of the evidence. This preserves the original state for later analysis and admissibility in legal proceedings. Documenting the chain of custody (Option B) records who held the evidence, when, and what was done to it, so every hand-off can be accounted for and the evidence cannot be challenged as having been altered while in someone's possession.

Exam trap

The trap here is that candidates often confuse 'preserving evidence' with 'immediate remediation'—choosing actions like rebooting or scanning that seem helpful but actually destroy volatile data or alter the evidence, while the exam emphasizes forensic soundness and legal admissibility over speed.
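Worked example (added here; it is not part of the exam material). The two practices above meet in one habit: hash the image at acquisition, and re-verify that hash at every hand-off written into the chain of custody. The script below does that with SHA-256 over a constructed byte string that stands in for a write-blocked drive; the examiner and locker names are made up, and the custody record is a plain list of dicts rather than any particular tool's format.

```python
"""Evidence-handling helper: hash a forensic image at acquisition, then re-verify
the hash at every hand-off recorded in the chain of custody.

Added example, not part of the exam material. The 'disk' is a constructed byte
string standing in for a write-blocked device; custodian names are made up.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _entry(custodian, action, digest):
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "custodian": custodian,
        "action": action,
        "sha256": digest,
    }


def acquire(source, examiner, description):
    """Image the source and open a custody record.

    Behind a write blocker the source is read-only, so a bit-for-bit copy is
    just a read; the hashes of source and image must agree before the image
    is accepted as evidence.
    """
    image = bytes(source)
    src_hash, img_hash = sha256_hex(source), sha256_hex(image)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    record = {
        "description": description,
        "acquisition_hash": img_hash,
        "custody": [_entry(examiner, "acquired", img_hash)],
    }
    return image, record


def verify(image, record):
    """True if the image still hashes to the value recorded at acquisition."""
    return sha256_hex(image) == record["acquisition_hash"]


def transfer(image, record, from_custodian, to_custodian):
    """Record a hand-off; refuses to continue the chain if the hash has changed."""
    digest = sha256_hex(image)
    if digest != record["acquisition_hash"]:
        record["custody"].append(
            _entry(from_custodian, "TRANSFER REFUSED: hash mismatch", digest))
        return False
    record["custody"].append(_entry(from_custodian, f"released to {to_custodian}", digest))
    record["custody"].append(_entry(to_custodian, f"received from {from_custodian}", digest))
    return True


# Constructed 'disk' contents standing in for a write-blocked drive.
SAMPLE_SOURCE = b"MBR\x00" + bytes(range(256)) * 4 + b"END"

if __name__ == "__main__":
    image, record = acquire(SAMPLE_SOURCE, "a.examiner", "laptop HDD, case 0001")
    print(transfer(image, record, "a.examiner", "evidence-locker"))  # True
    tampered = bytearray(image)
    tampered[10] ^= 0xFF
    print(verify(bytes(tampered), record))  # False
```

A single flipped byte in the image makes verify() fail and transfer() refuse the hand-off while still writing the refusal into the record, which is the point: the custody log should show the mismatch, not silently continue.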

740
Multi-Selectmedium

Which TWO of the following are essential components of an incident response programme?

Select 2 answers
A.Incident response plan
B.Incident response policy
C.Annual penetration test
D.Vulnerability scanning schedule
E.Security awareness training
AnswersA, B

The plan provides the structured approach for responding to incidents.

Why this answer

An IR programme must include a formal policy and a documented plan. Playbooks are also important but the core components are policy and plan.

741
MCQhard

Refer to the exhibit. An audit reveals that 20% of privileged accounts were approved by the same manager without secondary review. Which control deficiency is MOST relevant to this finding?

A.Segregation of duties
B.Access review frequency
C.Provisioning delay
D.Audit log retention
AnswerA

One person approving without oversight is a segregation of duties deficiency.

Why this answer

The finding that 20% of privileged accounts were approved by the same manager without secondary review directly violates the principle of segregation of duties (SoD). In privileged access management (PAM), SoD requires that approval of privileged access involve more than one individual, never the requester alone, so that no single person is a point of failure and the risk of unauthorized access or fraud is reduced. Without a secondary review, a single manager could approve accounts for themselves or their subordinates without independent oversight, undermining the control objective of preventing conflicts of interest.

Exam trap

ISACA often tests the distinction between a preventive control (like requiring a second approver) and a detective control (like access reviews or log retention); candidates mistakenly choose access review frequency because they think 'review' solves the approval gap, but reviews happen after the fact and cannot prevent the initial improper approval.

How to eliminate wrong answers

Option B (Access review frequency) is wrong because the issue is not about how often access reviews occur (e.g., quarterly or annually), but about the lack of a secondary approval during the initial provisioning process; even frequent reviews would not catch a single manager approving their own accounts without oversight. Option C (Provisioning delay) is wrong because the finding does not relate to the timeliness of account creation or modification; a delay in provisioning does not address the control deficiency of a single manager approving privileged accounts without a second reviewer. Option D (Audit log retention) is wrong because the problem is not about how long logs are kept (e.g., 90 days vs. 1 year), but about the absence of a mandatory secondary approval step; even with perfect log retention, the control deficiency of a single approver remains unaddressed.
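Worked example (added here; it is not part of the exam material). An audit finding like the one above usually comes out of a script over the PAM approval export rather than a manual read. The one below runs two segregation-of-duties rules over a constructed set of ten privileged-account grants (self-approval, and single approval with no independent second reviewer), then reports what share of grants went through on one signature and who signed them. Record fields, names and accounts are assumptions chosen for the illustration.

```python
"""Audit check for privileged-account provisioning: find grants approved by a
single person with no independent second review, and how concentrated those
single approvals are per approver.

Added example, not part of the exam material. The provisioning records are
constructed; people and account names are made up.
"""
from collections import Counter

# Constructed export of a PAM approval log. second_approver is None when the
# grant went through on one signature.
GRANTS = [
    {"id": 1,  "account": "adm-jlee",    "requester": "j.lee",    "manager": "m.rivera", "approver": "m.rivera", "second_approver": "sec.ops"},
    {"id": 2,  "account": "adm-pkim",    "requester": "p.kim",    "manager": "m.rivera", "approver": "m.rivera", "second_approver": None},
    {"id": 3,  "account": "adm-rsingh",  "requester": "r.singh",  "manager": "d.okafor", "approver": "d.okafor", "second_approver": "sec.ops"},
    {"id": 4,  "account": "adm-mrivera", "requester": "m.rivera", "manager": "c.chen",   "approver": "m.rivera", "second_approver": None},
    {"id": 5,  "account": "adm-tnguyen", "requester": "t.nguyen", "manager": "d.okafor", "approver": "d.okafor", "second_approver": "sec.ops"},
    {"id": 6,  "account": "adm-achen",   "requester": "a.chen",   "manager": "c.chen",   "approver": "c.chen",   "second_approver": "sec.ops"},
    {"id": 7,  "account": "adm-bpatel",  "requester": "b.patel",  "manager": "c.chen",   "approver": "c.chen",   "second_approver": "sec.ops"},
    {"id": 8,  "account": "adm-lgarcia", "requester": "l.garcia", "manager": "d.okafor", "approver": "d.okafor", "second_approver": "sec.ops"},
    {"id": 9,  "account": "adm-wkhan",   "requester": "w.khan",   "manager": "c.chen",   "approver": "sec.ops",  "second_approver": "c.chen"},
    {"id": 10, "account": "adm-osmith",  "requester": "o.smith",  "manager": "m.rivera", "approver": "sec.ops",  "second_approver": "m.rivera"},
]


def sod_findings(grants):
    """Classify each grant against two segregation-of-duties rules.

    self_approval:   the requester signed off on their own privileged account.
    single_approval: only one approver, with no independent second review.
    """
    findings = []
    for g in grants:
        issues = []
        if g["approver"] == g["requester"]:
            issues.append("self_approval")
        if g["second_approver"] is None:
            issues.append("single_approval")
        if issues:
            findings.append({"id": g["id"], "account": g["account"],
                             "approver": g["approver"], "issues": issues})
    return findings


def single_approver_share(grants):
    """Fraction of grants approved on one signature, and who those approvers were."""
    single = [g for g in grants if g["second_approver"] is None]
    by_approver = Counter(g["approver"] for g in single)
    return len(single) / len(grants), dict(by_approver)


if __name__ == "__main__":
    share, who = single_approver_share(GRANTS)
    print(f"{share:.0%} of privileged grants had a single approver: {who}")
    for finding in sod_findings(GRANTS):
        print(finding)
```

On the constructed data 20% of grants (ids 2 and 4) were approved by m.rivera alone, and grant 4 is the worst case the explanation above describes: the manager approved an admin account for themselves. The fix is the preventive control in the question, a mandatory second approver enforced in the workflow, not a more frequent review of this report.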

742
MCQhard

During a security architecture review, the security architect identifies that a new application stores sensitive customer data in plaintext in the database. The application owner argues that performance requirements prevent encryption. What is the most appropriate compensating control to reduce risk?

A.Implement strong password policies for database access
B.Network segmentation to isolate the database server
C.Conduct more frequent vulnerability scans
D.Database activity monitoring (DAM)
AnswerD

DAM monitors and alerts on suspicious database queries, compensating for lack of encryption.

Why this answer

Database activity monitoring (DAM) can detect unauthorized access or exfiltration attempts, providing visibility and alerting without impacting application performance. Encryption at rest is preferred, but DAM is a compensating control when encryption is not feasible. Note that DAM is detective: it is most useful when database accounts are tightly scoped, so that a sensitive-table read from an unexpected account is a clear signal rather than noise.
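Worked example (added here; it is not part of the exam material). To make the compensating control concrete, the script below runs three DAM-style rules over a constructed database audit-log export: a sensitive table read by anything other than the application's service account, a bulk read of a sensitive table, and interactive access outside business hours. Table names, account names, the row threshold and the business-hours window are assumptions for the illustration, not settings from any product.

```python
"""Minimal database-activity-monitoring rules run over an audit log: flag
sensitive-table reads by anything other than the application's service
account, bulk reads of sensitive tables, and interactive access after hours.

Added example, not part of the exam material. The audit events are constructed;
table, account and host names are made up.
"""
from datetime import datetime

SENSITIVE_TABLES = {"customers", "payment_cards"}   # the plaintext tables at issue
APP_ACCOUNTS = {"svc_orders"}                       # accounts expected to read them
BULK_ROW_THRESHOLD = 10_000
BUSINESS_HOURS = range(7, 20)                       # 07:00-19:59 local time

# Constructed audit-log export, one event per dict.
EVENTS = [
    {"time": "2024-03-01T10:15:00", "user": "svc_orders", "host": "app01",  "stmt": "SELECT", "table": "customers",     "rows": 1},
    {"time": "2024-03-01T10:16:00", "user": "svc_orders", "host": "app01",  "stmt": "UPDATE", "table": "orders",        "rows": 1},
    {"time": "2024-03-01T11:02:00", "user": "dba_chen",   "host": "jump01", "stmt": "SELECT", "table": "payment_cards", "rows": 25},
    {"time": "2024-03-01T23:40:00", "user": "dba_chen",   "host": "jump01", "stmt": "SELECT", "table": "customers",     "rows": 48_000},
    {"time": "2024-03-01T14:00:00", "user": "report_ro",  "host": "bi01",   "stmt": "SELECT", "table": "orders",        "rows": 120_000},
    {"time": "2024-03-02T03:10:00", "user": "svc_orders", "host": "app01",  "stmt": "SELECT", "table": "customers",     "rows": 2},
]


def evaluate(event):
    """Return the list of rule names this event trips (empty if none)."""
    hits = []
    hour = datetime.fromisoformat(event["time"]).hour
    sensitive = event["table"] in SENSITIVE_TABLES
    interactive = event["user"] not in APP_ACCOUNTS
    if sensitive and interactive:
        hits.append("sensitive_table_non_app_account")
    if sensitive and event["rows"] >= BULK_ROW_THRESHOLD:
        hits.append("bulk_sensitive_read")
    if interactive and hour not in BUSINESS_HOURS:
        hits.append("interactive_after_hours")
    return hits


def monitor(events):
    """Run every event through the rules; returns only the alerts."""
    alerts = []
    for e in events:
        hits = evaluate(e)
        if hits:
            alerts.append({"time": e["time"], "user": e["user"],
                           "table": e["table"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in monitor(EVENTS):
        print(alert)
```

Two of the six events alert: the DBA's daytime peek at payment_cards trips one rule, and the 48,000-row customers read at 23:40 trips all three, which is the exfiltration pattern DAM is there to catch when the data itself is not encrypted. The service account's own after-hours reads and the large report on a non-sensitive table are deliberately left quiet; the bulk rule is scoped to sensitive tables here, an assumption that keeps the alert volume tied to the risk being compensated for.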

743
MCQmedium

During a major incident, the incident response team discovers that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?

A.Continue incident response efforts until resolution regardless of time
B.Declare the incident a disaster and shut down all systems
C.Notify the insurance provider immediately
D.Escalate to activate the business continuity and disaster recovery plans
AnswerD

Escalating to BC/DR activation is the correct action when the incident cannot be resolved within MTD.

Why this answer

When an incident cannot be resolved within the MTD, it triggers the transition to business continuity and disaster recovery (BC/DR) plans to maintain critical operations.

744
MCQhard

After a major incident, the lessons learned meeting is scheduled. According to best practices, when should this meeting typically be held after incident resolution?

A.Within one month
B.Within two weeks
C.Within 24 hours
D.Within one week
AnswerB

Two weeks is the standard timeframe for lessons learned meetings.

Why this answer

Best practices recommend holding the lessons learned meeting within two weeks of incident resolution to capture details while they are fresh. Note that NIST SP 800-61 suggests holding it within several days of the end of the incident; two weeks is the outer limit commonly used in practice.

745
MCQhard

A company uses a SaaS provider that processes sensitive customer data. The provider undergoes annual SOC 2 audits. Which additional step is essential to manage nth-party risk?

A.Require the provider to disclose and assess the security of its subcontractors
B.Include a right-to-audit clause for the provider
C.Conduct penetration testing on the provider's application
D.Review the SOC 2 report annually
AnswerA

This ensures visibility into the extended supply chain.

Why this answer

Nth-party risk requires understanding the provider's subcontractors; requiring disclosure and assessment of their vendors is key.

746
Multi-Selectmedium

Which of the following are key components of an Information Security Risk Management program? (Select TWO.)

Select 2 answers
A.Establishing a risk management framework
B.Conducting vulnerability scanning
C.Performing risk assessment and treatment
D.Performing internal audits
AnswersA, C

Why this answer

A is correct because establishing a risk management framework is the foundational component of an Information Security Risk Management program. It defines the policies, procedures, and governance structure for identifying, assessing, and treating risks, aligning with standards like ISO 31000 or NIST SP 800-39. Without a framework, risk management activities lack consistency and accountability. C is correct because the risk assessment and treatment cycle is the framework in operation: identifying and analysing risks, then choosing to mitigate, transfer, avoid or accept each one.

Exam trap

The trap here is that candidates confuse operational security activities (like vulnerability scanning or internal audits) with the strategic components of a risk management program, which are the framework and the risk assessment/treatment cycle.

Why the other options are wrong

B

Vulnerability scanning is a technical control, not a program component.

D

Audit is independent assurance, not part of the risk management program itself.

747
MCQhard

A company's security program includes a policy that prohibits the use of personal devices for work. However, the CISO discovers that several executives are using personal tablets to access corporate email. What is the most appropriate action for the CISO to take?

A.Block all personal devices from the network
B.Continue monitoring but take no action
C.Update the policy to allow personal devices under strict controls
D.Discipline the executives for policy violation
AnswerC

Balances security with usability through mobile device management.

Why this answer

Option C is correct because the CISO must align security controls with business reality. Rather than enforcing an unworkable policy that executives are already circumventing, the CISO should update the policy to incorporate a mobile device management (MDM) solution that enforces device encryption, remote wipe, and conditional access via Azure AD (now Microsoft Entra ID) or a similar identity provider. This approach reduces risk by bringing personal devices under formal governance while maintaining executive productivity.

Exam trap

The trap here is that candidates often choose Option D (discipline) because they confuse policy enforcement with security governance, failing to recognize that the CISO's primary role is to manage risk through adaptive controls, not to punish users for using technology that the policy failed to anticipate.

How to eliminate wrong answers

Option A is wrong because blocking all personal devices from the network is impractical without a network access control (NAC) solution able to identify every device, and it would disrupt legitimate business operations without addressing the root cause of the non-compliance. Option B is wrong because monitoring without acting amounts to accepting a risk without a decision or an owner; the CISO has a duty to treat known risks, and leaving the gap exposes the company to breach liability under regulations such as GDPR or HIPAA. Option D is wrong because disciplining executives ignores the underlying business need for mobile access and fails to address the technical gap; it may also create cultural resistance without actually securing the devices.

748
MCQeasy

Based on the exhibit, what is the MOST significant gap in incident management?

A.Inconsistent incident classification.
B.Slow response times.
C.High number of incidents.
D.Lack of documentation.
AnswerD

Option D is correct because 45 incidents (37.5%) have no documentation, indicating a process gap.

Why this answer

The exhibit shows a high volume of incidents but no evidence of structured documentation, such as incident records, post-incident reports, or standardized logging. Without proper documentation, the organization cannot perform root cause analysis, track incident trends, or demonstrate compliance, making this the most significant gap because it undermines the entire incident management lifecycle.

Exam trap

The trap here is that candidates often focus on visible symptoms like high incident volume or slow response, but CISM emphasizes that without documentation, the entire incident management process lacks accountability and continuous improvement, making it the most critical deficiency.

How to eliminate wrong answers

Option A is wrong because inconsistent incident classification, while problematic, is a symptom of a lack of standardized procedures and can be corrected with a classification scheme; it is not as foundational as missing documentation. Option B is wrong because slow response times may be a result of poor documentation (e.g., no runbooks or escalation procedures), but the exhibit does not provide response time data, so it cannot be identified as the most significant gap. Option C is wrong because a high number of incidents is a metric that indicates potential underlying issues, but without documentation, the organization cannot analyze or reduce that number; the high count itself is not a gap in the incident management process.

749
MCQmedium

An organization is implementing a security awareness program. Which metric is MOST indicative of a positive security culture?

A.Low number of incidents caused by human error
B.Low phishing simulation click rate
C.High near-miss reporting rate
D.High training completion percentage
AnswerC

Indicates proactive security behavior and trust in reporting channels.

Why this answer

A high near-miss reporting rate indicates that employees are vigilant and willing to report potential issues without fear of blame.

750
MCQmedium

Which of the following is the PRIMARY reason for an information security manager to integrate risk management into the organization's enterprise risk management (ERM) framework?

A.To ensure compliance with regulatory requirements
B.To provide a consistent risk reporting structure across the enterprise
C.To support informed decision-making by aligning security risks with business objectives
D.To reduce the cost of risk management through shared resources
AnswerC

Why this answer

Integrating information security risk into ERM ensures that security risks are considered alongside business risks, enabling better prioritization and resource allocation. This alignment helps the organization make informed decisions that balance risk appetite and business objectives. The primary driver is to support strategic decision-making, not just compliance or reporting.

Exam trap

Candidates may choose 'To comply with regulatory requirements' because regulations often mandate risk management, but the primary reason is strategic alignment with business goals, not compliance.

Why the other options are wrong

A

Compliance is a benefit but not the primary reason; integration is about strategic alignment.

B

Consistent reporting is a result of integration, not the primary reason.

D

Cost reduction is a potential benefit but not the primary strategic reason.
