Certified Information Security Manager CISM (CISM) — Questions 751825

896 questions total · 12 pages · All types, answers revealed

Page 11 of 12
751 · Multi-Select · hard

An organization has a high residual risk after implementing all feasible controls. According to CISM best practices, which of the following should the information security manager do? (Select TWO.)

Select 2 answers
A. Escalate to senior management for risk acceptance
B. Document the risk in the risk register and accept it
C. Implement additional compensating controls
D. Immediately perform a new risk assessment
Answers: A, C

Why this answer

When residual risk remains high after all feasible controls are implemented, the information security manager should escalate the risk to senior management for formal risk acceptance (Option A). This aligns with CISM best practices, as senior management holds the authority to accept risks that exceed the organization's risk appetite. Additionally, implementing compensating controls (Option C) can further reduce residual risk to an acceptable level, even if primary controls are already in place.

Exam trap

The trap here is that candidates confuse 'documenting and accepting' (Option B) as sufficient, overlooking the CISM requirement that risk acceptance must be formally escalated to and approved by senior management, not just recorded by the security manager.

Why the other options are wrong

B

Documentation alone is not sufficient; escalation is needed for high residual risk.

D

A new assessment may be done later, but the immediate action is to escalate and consider additional controls.

752 · MCQ · hard

After a major security incident, the board of directors requests a review of the information security program. Which of the following metrics would be MOST useful to demonstrate the effectiveness of the program over the past year?

A. Percentage of employees who completed security awareness training
B. Number of security incidents detected and contained within defined SLAs
C. Total cost of security investments compared to industry benchmarks
D. Number of vulnerabilities identified in the latest penetration test
Answer: B

Why this answer

The number of incidents detected and contained within defined SLAs directly measures the program's ability to detect and respond to threats, which is a key indicator of operational effectiveness. Other metrics may be useful but do not directly measure the program's performance in protecting the organization.

Exam trap

Candidates often choose 'Percentage of employees completing security training' because training is a common control, but it doesn't measure actual incident response effectiveness.

Why the other options are wrong

A

Training completion is a leading indicator but does not measure program effectiveness in handling incidents.

C

Cost comparison does not indicate how well the program performed.

D

Vulnerability counts are point-in-time and not a comprehensive measure of program effectiveness.

753 · MCQ · medium

A company has recently adopted COBIT 2019 as its governance framework. The board is requesting a concise report on the effectiveness of the security program. Which reporting structure best aligns with COBIT's guidance?

A. List of all security incidents and their impacts
B. Dashboard showing alignment of security goals with enterprise goals, using KRIs and KPIs
C. Compliance status with all applicable regulations
D. Detailed technical vulnerabilities discovered during penetration tests
Answer: B

This directly addresses COBIT's governance objectives.

Why this answer

COBIT 2019 emphasizes the alignment of IT and security goals with enterprise goals through its goals cascade. A dashboard that maps security goals to enterprise goals using Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) directly reflects this principle, providing a concise, strategic view of program effectiveness rather than operational details.

Exam trap

The trap here is that candidates often confuse operational reporting (incidents, vulnerabilities, compliance checklists) with the strategic, goal-aligned reporting that COBIT requires for governance-level communication to the board.

How to eliminate wrong answers

Option A is wrong because a list of all security incidents and their impacts is an operational, reactive metric that does not demonstrate strategic alignment with enterprise goals as required by COBIT's governance focus. Option C is wrong because compliance status with regulations is a subset of security effectiveness and does not address the broader alignment of security goals with enterprise objectives that COBIT mandates. Option D is wrong because detailed technical vulnerabilities from penetration tests are tactical, granular data points that do not provide the high-level, goal-aligned performance view COBIT's reporting structure requires.

754 · MCQ · easy

A CISO is deciding on the organizational structure for the information security team. Which reporting structure is most likely to ensure the security function has sufficient independence and authority?

A. Reporting to the Chief Information Officer (CIO)
B. Reporting to the Chief Operating Officer (COO)
C. Reporting to the Chief Financial Officer (CFO)
D. Reporting to the CEO or board of directors
Answer: D

This structure provides independence from IT and operations, enhancing authority and objectivity.

Why this answer

Reporting to the CEO or board of directors ensures the information security function operates independently from operational and IT management, preventing conflicts of interest where security decisions could be overridden by cost or performance pressures. This structure aligns with the CISM principle that the CISO must have sufficient authority to enforce security policies across the entire organization without reporting to a function that may prioritize other objectives over security.

Exam trap

A common trap is the belief that reporting to the CIO is acceptable because IT and security are closely related, but the CISM exam emphasizes that independence from IT is critical to avoid conflicts of interest in risk management decisions.

How to eliminate wrong answers

Option A is wrong because reporting to the CIO creates a conflict of interest where the security team may be pressured to approve insecure IT projects or bypass controls to meet delivery deadlines, undermining independent risk assessment. Option B is wrong because the COO focuses on operational efficiency and cost reduction, which can lead to underinvestment in security controls that are perceived as slowing down business processes. Option C is wrong because the CFO prioritizes financial performance and cost containment, which may result in security budget cuts or delayed implementation of critical security measures to meet short-term financial targets.

755 · MCQ · easy

A security analyst detects a potential data exfiltration from a critical server. According to incident response best practices, what is the first action the analyst should take?

A. Disconnect the server from the network immediately.
B. Notify the incident response manager.
C. Review firewall logs to confirm the exfiltration.
D. Take a forensic image of the server.
Answer: A

Correct: Stops exfiltration and prevents further damage.

Why this answer

Option A is correct because immediate network isolation (e.g., disconnecting the network cable or disabling the switch port) is the highest priority action to contain a confirmed data exfiltration. This stops the ongoing data transfer, preventing further loss while preserving volatile evidence in memory and active connections for later forensic analysis. Incident response frameworks like NIST SP 800-61 emphasize containment before eradication or recovery.

Exam trap

The trap here is that candidates confuse the order of incident response phases, mistakenly believing that notification (Option B) or further analysis (Option C) should precede containment, when in fact containment is the immediate priority to stop active data loss.

How to eliminate wrong answers

Option B is wrong because notifying the incident response manager is a secondary step that should occur after containment actions have been initiated; delaying containment to notify first could allow the exfiltration to continue. Option C is wrong because reviewing firewall logs to confirm the exfiltration wastes critical time when the analyst has already detected the exfiltration; confirmation should have been part of the detection phase, and the priority now is containment. Option D is wrong because taking a forensic image is a preservation step that should follow containment; imaging while the server is still connected risks losing volatile data and allows the exfiltration to continue during the imaging process.

756 · MCQ · medium

In which reporting model does the CISO have a direct reporting line to the CEO while also reporting to the CIO on operational matters?

A. Solid line to CEO, dotted line to CIO
B. Solid line to CIO, dotted line to CEO
C. Dotted line to both CEO and CIO
D. Solid line to both CEO and CIO
Answer: A

This structure balances strategic and operational reporting.

Why this answer

A dotted line reporting to the CIO and solid line to the CEO gives the CISO strategic authority while maintaining operational alignment.

757 · MCQ · easy

A small e-commerce company with 50 employees and limited IT budget is establishing its first formal information security program. The company processes customer payment data and must comply with PCI DSS. The CEO wants to balance security with operational costs. The IT manager proposes investing in a state-of-the-art security information and event management (SIEM) system costing $100,000 annually. The CISO, however, recommends a more phased approach. Considering the company's size, budget constraints, and compliance requirements, what should be the CISO's primary recommendation?

A. Implement the SIEM system immediately to achieve real-time threat detection.
B. Outsource all security operations to a managed security service provider (MSSP).
C. Develop a custom security software solution tailored to the company's payment processing system.
D. Deploy a firewall, antivirus software, and enforce strong access controls as baseline security measures.
Answer: D

These are essential, cost-effective controls that meet PCI DSS requirements and protect against common threats.

Why this answer

The correct action is to implement a firewall, antivirus, and basic access controls as foundational measures that address PCI DSS requirements cost-effectively. A SIEM (A) is too expensive and complex for a small organization. Outsourcing to an MSSP (B) may be considered later but is not the first step. Developing custom software (C) is unnecessary and wastes resources.

758 · MCQ · medium

During a P1 (critical) security incident involving a ransomware attack that has encrypted critical servers, which role is primarily responsible for coordinating the overall response and ensuring timely communication to executive leadership?

A. Incident response manager
B. Security analyst
C. Forensic investigator
D. Communications lead
Answer: A

The IR manager leads the response and communicates with executives.

Why this answer

In a P1 ransomware incident, the incident response manager (IRM) is responsible for orchestrating the overall response, prioritizing containment over eradication, and ensuring that executive leadership receives timely, accurate status updates. Unlike technical roles, the IRM owns the incident command structure, coordinates cross-functional teams, and manages communication escalations to stakeholders, which is critical when encrypted servers demand immediate business continuity decisions.

Exam trap

The CISM exam often tests the distinction between tactical roles (analyst, forensic investigator) and the strategic coordination role (incident response manager), leading candidates to mistakenly choose the communications lead because they confuse 'communication to executives' with the overall coordination responsibility.

How to eliminate wrong answers

Option B (Security analyst) is wrong because a security analyst focuses on technical triage, log analysis, and initial containment actions, not on coordinating the overall response or communicating with executives. Option C (Forensic investigator) is wrong because a forensic investigator is responsible for preserving evidence and performing root-cause analysis, not for managing the incident response lifecycle or executive updates. Option D (Communications lead) is wrong because while the communications lead handles external and internal messaging, they do not own the overall response coordination; they report to the incident response manager who retains strategic authority.

759 · MCQ · medium

An organization has experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame within which the organization must notify the relevant supervisory authority?

A. 72 hours
B. 48 hours
C. 24 hours
D. 96 hours
Answer: A

GDPR mandates notification within 72 hours of becoming aware of a personal data breach.

Why this answer

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to rights and freedoms.

760 · MCQ · medium

An information security manager is designing a security awareness program. Which approach BEST addresses the different learning needs of various employee groups?

A. Use only phishing simulations as training
B. Focus training only on high-risk groups such as system administrators
C. Provide the same annual training to all employees to ensure consistency
D. Deliver role-based training: secure coding for developers, social engineering for executives, and basic awareness for all
Answer: D

Role-based training addresses specific risks associated with each role.

Why this answer

Role-based training ensures that each group receives content relevant to their responsibilities.

761 · MCQ · easy

A security analyst receives an alert indicating a potential data exfiltration from a server. Which of the following should be the FIRST step in the incident response process?

A. Perform a forensic analysis.
B. Escalate to senior management.
C. Isolate the server from the network.
D. Verify the alert to confirm it is not a false positive.
Answer: D

Option D is correct because the first step in incident response is to verify the alert to avoid an unnecessary response to a false positive.

Why this answer

The first step in the incident response process is to verify the alert to confirm it is not a false positive. Prematurely isolating the server or escalating without validation can disrupt legitimate operations and waste resources. Verification ensures that the incident response team acts on confirmed threats, aligning with the NIST SP 800-61 incident response lifecycle's detection and analysis phase.

Exam trap

The trap here is that candidates often jump to containment (isolating the server) as the first step, but the CISM framework emphasizes that verification must precede any response action to avoid acting on false positives.

How to eliminate wrong answers

Option A is wrong because performing a forensic analysis before verifying the alert could waste investigative resources on a false positive and may alter volatile data if the system is not properly preserved. Option B is wrong because escalating to senior management without first confirming the alert's validity bypasses the initial triage step and may cause unnecessary alarm or misdirection of executive attention. Option C is wrong because isolating the server from the network without verifying the alert could disrupt business services and connectivity for a non-malicious event, violating the principle of least disruption during initial response.

762 · MCQ · medium

A security manager is tasked with building a business case for a new security program. Which metric is most persuasive to senior management?

A. Number of security incidents detected per month.
B. Estimated financial exposure from unmitigated risks.
C. Percentage of systems patched within 30 days.
D. Hours spent on security training.
Answer: B

Quantified risk exposure resonates with leadership.

Why this answer

Senior management is primarily concerned with financial impact and risk exposure. Estimated financial exposure from unmitigated risks directly translates technical vulnerabilities into monetary terms, enabling informed budget decisions. This aligns with the CISM focus on aligning security programs with business objectives.

Exam trap

The CISM exam often tests the distinction between operational/technical metrics and business/risk metrics, trapping candidates who confuse activity-based measures (e.g., training hours) with outcome-based financial justification.

How to eliminate wrong answers

Option A is wrong because the number of incidents detected per month is an operational metric that does not convey financial risk or business impact; it can even be misleading if detection capabilities improve. Option C is wrong because patch compliance percentage is a tactical, IT-focused metric that does not quantify residual risk or financial exposure to the organization. Option D is wrong because hours spent on training is an activity metric, not an outcome metric; it measures effort rather than risk reduction or financial benefit.

763 · MCQ · medium

An organization is implementing a security champions program. What is the primary purpose of this initiative?

A. To embed security advocates within development teams to improve secure coding practices
B. To conduct security awareness training for all employees
C. To provide a career path for security professionals
D. To replace the need for a dedicated security team
Answer: A

Champions act as liaisons, promoting security in day-to-day development.

Why this answer

Security champions embed security advocates within development teams to promote secure practices.

764 · Multi-Select · medium

An organization is implementing CIS Controls v8. Which THREE of the following are implementation groups (IGs) defined in the CIS Controls?

Select 3 answers
A. IG1: Basic cyber hygiene for small organizations.
B. IG3: Advanced controls for high-risk or regulated environments.
C. IG4: Cloud-specific controls for cloud-first organizations.
D. IG2: Intermediate controls for organizations with moderate risk.
E. IG0: Minimal controls for non-critical systems.
Answers: A, B, D

IG1 is the foundational group.

Why this answer

CIS Controls v8 defines three implementation groups: IG1 (basic cyber hygiene), IG2 (intermediate), and IG3 (advanced) based on organization size and risk.

765 · MCQ · hard

Refer to the exhibit. An organization uses these firewall rules. After a breach, the IR team finds that the attacker gained access via SSH from an external IP. Which rule is most likely misconfigured?

A. MySQL should be blocked entirely
B. RDP should not be allowed
C. HTTPS should be inspected
D. SSH is allowed from any source instead of only internal
Answer: D

Correct: SSH should be restricted to specific trusted IPs.

Why this answer

The firewall rule allowing SSH from any source (0.0.0.0/0) is misconfigured because it permits external attackers to attempt brute-force or credential-based access via TCP port 22. The principle of least privilege dictates that SSH should be restricted to specific internal IP ranges or management jump hosts, not exposed to the internet. The IR team's finding that the attacker gained access via SSH from an external IP directly confirms this rule as the root cause.

Exam trap

The trap here is that candidates may focus on other risky services (MySQL, RDP) or security controls (HTTPS inspection) instead of identifying the specific rule that directly matches the attack vector (SSH from external IP) and its misconfiguration (permissive source).

How to eliminate wrong answers

Option A is wrong because MySQL (port 3306) is not implicated in the SSH-based breach; blocking it entirely would not prevent the SSH attack and could disrupt legitimate database services. Option B is wrong because RDP (port 3389) is not the vector used; while RDP exposure is risky, the question specifically states the attacker used SSH, so RDP being allowed is irrelevant to this incident. Option C is wrong because HTTPS inspection (port 443) is a security control for decrypting web traffic, not a rule that would allow or block SSH; failing to inspect HTTPS does not enable an SSH attack.

766 · MCQ · medium

Which of the following is the PRIMARY reason to include legal counsel in the incident response team?

A. To communicate with the media
B. To authorize technical containment actions
C. To advise on legal obligations and protect privilege
D. To manage technical aspects of the investigation
Answer: C

Legal counsel provides guidance on privilege, notification, and regulatory compliance.

Why this answer

Legal counsel ensures that actions taken during an incident preserve attorney-client privilege and comply with legal obligations, such as breach notification and litigation holds.

767 · MCQ · medium

A company is developing a business case for a new security tool. Which metric best demonstrates the value of the investment?

A. Number of security incidents
B. Percentage of budget spent on security
C. Security investment vs. loss avoidance
D. Time to implement the tool
Answer: C

Correct: Direct ROI comparison.

Why this answer

Comparing security investment to potential loss avoidance quantifies ROI in business terms.

768 · MCQ · easy

Which of the following is the primary purpose of having a pre-established forensic retainer agreement?

A. To reduce the time required to engage external forensics during an incident
B. To ensure the forensics firm is certified
C. To guarantee the lowest price for forensic services
D. To comply with regulatory requirements
Answer: A

A retainer ensures immediate availability without contract delays.

Why this answer

A pre-established retainer reduces the time to engage a forensics firm during an incident, ensuring rapid response.

769 · MCQ · medium

A company's security steering committee includes representatives from Human Resources, Legal, and Risk Management, but not from Business Operations. What is the most likely consequence of this membership gap?

A. Data breaches will occur more frequently
B. Security policies may not align with operational processes
C. Security spending will increase unexpectedly
D. The company will face regulatory fines
Answer: B

Operations provides insight into how security controls affect business workflows.

Why this answer

Without Business Operations representation, the security steering committee lacks direct insight into how security policies will interact with day-to-day operational workflows. This gap often results in policies that are technically sound but impractical to implement, causing misalignment with existing processes and potential operational friction.

Exam trap

The CISM exam often tests the distinction between governance-level gaps (like missing stakeholder representation) and operational-level failures (like breaches or fines), tempting candidates to pick dramatic outcomes rather than the more subtle but direct consequence of policy misalignment.

How to eliminate wrong answers

Option A is wrong because data breach frequency is not directly caused by a missing seat on a steering committee; breaches are typically the result of specific control failures or vulnerabilities, not governance structure gaps. Option C is wrong because unexpected spending increases are more often tied to reactive incident response or compliance mandates, not the absence of a single stakeholder in a governance body. Option D is wrong because regulatory fines are triggered by non-compliance with specific laws or standards (e.g., GDPR, PCI DSS), not by the composition of a steering committee; fines require a demonstrable failure to meet legal obligations.

770 · MCQ · hard

Refer to the exhibit. What is most suspicious about this event?

A. The user jdoe is not an administrator
B. Event ID 4688 is unusual
C. The process ID is too low
D. The process name svchost.exe running from Temp folder
Answer: D

Correct: svchost.exe is a Windows system process and should not run from Temp.

Why this answer

The correct answer is D because svchost.exe is a critical Windows system process that should never run from the Temp folder. Running svchost.exe from %TEMP% is a classic indicator of malware masquerading as a legitimate process, often used to evade detection by security tools that trust the svchost.exe name. This event strongly suggests a malicious binary attempting to blend in with normal system activity.

Exam trap

The trap here is that candidates focus on the Event ID or user account details, overlooking the critical path anomaly. The CISM exam often tests your ability to distinguish between legitimate system processes and masquerading malware by emphasizing that svchost.exe running from any non-standard location (especially Temp) is a red flag, regardless of other normal-looking attributes.

How to eliminate wrong answers

Option A is wrong because the user jdoe not being an administrator is not inherently suspicious; many legitimate processes run under non-administrator accounts, and the focus should be on the process behavior, not the user's privilege level. Option B is wrong because Event ID 4688 (Process Creation) is a standard Windows security audit event, not unusual; it is commonly logged when any process is created, making it a normal occurrence in environments with process auditing enabled. Option C is wrong because a low process ID (PID) is not suspicious; PIDs are assigned sequentially by the kernel, and low PIDs simply indicate early boot processes or processes started soon after system startup, which is normal behavior.

771 · MCQ · easy

Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?

A. Phishing click rate
B. Number of breaches
C. Number of security incidents
D. Mean time to detect (MTTD)
Answer: A

Phishing click rate is a leading indicator that shows how well employees are able to identify phishing attempts.

Why this answer

Leading indicators are proactive measures that predict future performance; phishing click rate reflects current behavior that influences future security incidents.

772 · Multi-Select · hard

Which THREE of the following are key indicators of a mature information security governance process? (Select exactly three.)

Select 3 answers
A. Security risk appetite is defined and reported to the board
B. Mean time to patch critical vulnerabilities is under 48 hours
C. Security performance metrics are linked to business outcomes
D. Security strategy is reviewed and updated annually based on business changes
E. Number of security incidents decreased by 20% year-over-year
Answers: A, C, D

Key governance element.

Why this answer

Option A is correct because defining and reporting security risk appetite to the board is a foundational governance activity that ensures executive oversight and alignment of risk tolerance with business strategy. In a mature governance process, the board must formally approve and periodically review the risk appetite statement, which directly influences resource allocation and control prioritization. This aligns with the ISACA CISM framework, which emphasizes that governance requires board-level engagement with risk appetite as a key performance indicator.

Exam trap

The trap here is that candidates confuse operational effectiveness (e.g., fast patching or incident reduction) with governance maturity, which requires strategic alignment, board-level reporting, and defined risk appetite—not just tactical improvements.

773 · Multi-Select · hard

A multinational organization is implementing a vendor risk management programme. Which THREE of the following should be included in the programme to effectively manage nth-party risk? (Select THREE.)

Select 3 answers
A. Include contractual clauses that require vendors to pass down security requirements to subcontractors
B. Include the right to audit subcontractors in vendor contracts
C. Conduct annual security assessments of all subcontractors
D. Require vendors to disclose all subcontractors and their security posture
E. Require vendors to obtain insurance for subcontractors
Answers: A, B, D

Flow-down clauses ensure requirements extend to subcontractors.

Why this answer

To manage nth-party risk, the programme should require vendors to disclose their subcontractors, include contractual clauses flowing down security requirements, and have the right to audit subcontractors. Assessing all suppliers' suppliers is impractical; focusing on high-risk vendors is more feasible.

774 · MCQ · medium

During a P1 incident involving a ransomware attack, the incident response manager needs to communicate with executives. Which of the following is the most appropriate approach for executive communication?

A. Include speculative root causes to show thoroughness
B. Wait until the incident is fully resolved before communicating
C. Send hourly situation reports (sitreps) focusing on business impact and key actions
D. Provide detailed technical analysis in every update
Answer: C

Hourly sitreps are appropriate for P1 incidents, focusing on impact and response actions.

Why this answer

For critical incidents, hourly sitreps (situation reports) are recommended to keep executives informed. Avoiding speculation and preserving legal privilege with counsel involvement are also key.

775 · MCQ · medium

During a major cybersecurity incident, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?

A. Conduct a root cause analysis
B. Declare a disaster and activate the BC/DR plan
C. Notify the executive sponsor and continue response efforts
D. Increase the number of incident responders
Answer: B

Correct. If the incident cannot be resolved within MTD, the organization must escalate to BC/DR to ensure business continuity.

Why this answer

When an incident cannot be resolved within MTD, the organization should escalate to business continuity and disaster recovery activation to restore operations.

776 · Multi-Select · hard

Which TWO are key elements of a security awareness program designed to change employee behavior?

Select 2 answers
A. Role-based training tailored to specific job functions
B. Annual compliance training for all employees
C. Phishing simulations with remediation training for those who click
D. Posters and newsletters about security topics
Answers: A, C

Relevant training increases engagement and retention.

Why this answer

Role-based training tailors content to job functions, and phishing simulations with remediation training reinforce learning.

777 · Multi-Select · hard

Which TWO of the following are key indicators that an organization's information security governance is inadequate?

Select 2 answers
A. Low budget for security awareness
B. Frequent changes to security policies without approval
C. High number of security incidents
D. Use of multiple antivirus solutions
E. Absence of a risk appetite statement
Answers: B, E

Indicates lack of governance process over policy changes.

Why this answer

Frequent changes to security policies without approval (Option B) indicate a breakdown in governance because it shows that the policy lifecycle—creation, review, approval, and communication—is not being followed. Without a formal change control process, policies become inconsistent, unenforceable, and may conflict with regulatory requirements, directly undermining the governance framework's authority and accountability.

Exam trap

The trap here is that candidates confuse operational symptoms (like low budget or high incidents) with governance failures, when CISM specifically tests whether the organization has the strategic oversight mechanisms—such as policy approval processes and risk appetite—in place.

778
MCQ · medium

A security manager is developing a security scorecard for the C-suite. Which combination of metrics would be MOST appropriate for a one-page dashboard?

A. Patch compliance percentage and mean time to detect incidents.
B. Detailed vulnerability counts by severity and system owner.
C. Number of security awareness training sessions completed.
D. List of all third-party vendors and their risk ratings.
Answer: A

These are key leading and lagging indicators suitable for executives.

Why this answer

A one-page dashboard for the C-suite should include both leading and lagging indicators that provide a high-level view of security posture, such as patch compliance (leading) and mean time to detect (lagging).

779
MCQ · easy

During a post-incident review, the incident response team identifies that the root cause of a data breach was a misconfigured firewall rule that allowed unrestricted inbound access from the internet. Which corrective action BEST addresses this issue?

A. Increase the frequency of penetration tests
B. Conduct a one-time review of all firewall rules
C. Restore the firewall configuration from the last known good backup
D. Implement a change management process for firewall modifications
Answer: D

Change management ensures all rule changes are authorized and reviewed, reducing risk.

Why this answer

Implementing a change management process ensures that firewall rule changes are reviewed and approved, preventing misconfigurations. A one-time review (B) is temporary. Penetration testing (A) identifies vulnerabilities but does not fix the process.

Restoring from backup (C) does not address the configuration issue.

780
MCQ · easy

Based on the exhibit, what is the MOST appropriate next step for the information security manager?

A. Recommend implementing multifactor authentication to reduce the risk
B. Accept the risk because the likelihood is only moderate
C. Reassess the risk with a higher risk appetite threshold
D. Transfer the risk by purchasing cyber insurance
Answer: A

Additional controls can lower the likelihood or impact, bringing the risk within appetite.

Why this answer

Multifactor authentication (MFA) directly mitigates the most likely attack vector for the identified risk—credential theft or brute-force attacks—by requiring a second factor (e.g., a one-time password from a hardware token or biometric) in addition to the password. Since the exhibit (not shown) indicates a moderate likelihood but high impact, implementing MFA reduces the likelihood to a more acceptable level without requiring a change in risk appetite or transferring the risk. This aligns with the CISM principle of applying cost-effective controls to reduce residual risk to within the organization's risk tolerance.

Exam trap

ISACA often tests the misconception that risk acceptance is a valid default response when likelihood is moderate, but the trap here is that acceptance requires the risk to be within the risk appetite after all cost-effective controls have been considered—not before.

How to eliminate wrong answers

Option B is wrong because accepting a risk with only moderate likelihood ignores the potential high impact; risk acceptance should only occur when the residual risk is within the organization's risk appetite after controls are applied, not as a default action. Option C is wrong because reassessing with a higher risk appetite threshold is a reactive and inappropriate approach—it artificially lowers the perceived risk rather than addressing the actual vulnerability, which violates the principle of risk management. Option D is wrong because transferring the risk via cyber insurance does not reduce the likelihood or impact of the security incident; it only provides financial compensation after a breach, and the organization still suffers operational and reputational damage, making it a less appropriate next step than implementing a preventive control like MFA.

781
MCQ · medium

An organization's incident response team is handling a P2 insider threat incident involving unauthorized access to customer data. According to the incident classification, which of the following is the MOST appropriate notification and response timeframe?

A. No notification required; handle during scheduled remediation.
B. Notification to the communications lead and response within 48 hours.
C. Notification to management within 24 hours and response during business hours.
D. Immediate notification to the executive sponsor and 24/7 response.
Answer: C

P2 requires management notification and business hours response.

Why this answer

P2 incidents are high severity with significant impact, requiring management notification and response during business hours.

782
MCQ · medium

A company is implementing a risk management program and needs to define risk appetite. Which of the following is the MOST appropriate statement of risk appetite for a financial institution?

A. The organization will mitigate all risks to a low level
B. The organization will not invest in high-risk projects
C. The organization accepts no level of risk
D. The organization will accept up to $5M in potential loss for operational risks
Answer: D

Quantified risk appetite supports consistent decision-making.

Why this answer

Option D is correct because a risk appetite statement for a financial institution must be quantifiable and specific to operational risk, aligning with regulatory frameworks like Basel III which require explicit loss thresholds. Stating a maximum acceptable loss of $5M provides a clear, measurable boundary for risk-taking decisions, enabling the board and management to balance risk and reward effectively.

Exam trap

The trap here is that candidates confuse risk appetite (the amount of risk accepted) with risk tolerance (the acceptable variation around that appetite) or risk avoidance, leading them to choose absolute statements like 'no risk' or 'low risk' instead of a quantifiable, business-aligned threshold.

How to eliminate wrong answers

Option A is wrong because 'mitigate all risks to a low level' implies a zero-risk posture that is impractical and costly; financial institutions must accept some risk to generate returns, and this statement lacks the quantifiable threshold needed for risk appetite. Option B is wrong because 'will not invest in high-risk projects' is too vague and absolute, ignoring that high-risk projects may be necessary for competitive advantage and can be managed within defined limits; it also fails to specify what constitutes 'high-risk' in measurable terms. Option C is wrong because 'accepts no level of risk' is unrealistic for any financial institution, as all operations carry inherent risk (e.g., credit risk, market risk), and such a statement would paralyze business activities and violate regulatory expectations for risk-based capital management.

783
Multi-Select · medium

An incident responder is handling a phishing attack that resulted in credential theft. Which TWO actions should be taken FIRST in the containment phase?

Select 2 answers
A. Disable the user's account temporarily.
B. Notify all users about the phishing campaign.
C. Conduct a forensic analysis of the user's machine.
D. Block the phishing URL at the proxy.
E. Reset the compromised user's password.
Answers: A, E

Stops further use of the stolen credentials.

Why this answer

Disabling the user's account temporarily (A) is a first action in the containment phase because it immediately prevents the attacker from using the stolen credentials to access the network, applications, or data. This is a swift, reversible control that stops lateral movement and further compromise without requiring complex analysis. Resetting the compromised user's password (E) is also a first action because it invalidates the stolen credentials, ensuring the attacker cannot reuse them even if they attempt to authenticate later.

Both actions directly address the credential theft by removing the attacker's authentication vector.

Exam trap

The trap here is that candidates confuse 'containment' with 'eradication' or 'communication,' selecting forensic analysis or user notification as first actions, when the immediate priority is to sever the attacker's authentication path by disabling the account and resetting the password.

784
Multi-Select · medium

Which of the following are essential components of an information security program governance framework? (Select TWO.)

Select 2 answers
A. A security steering committee with executive representation.
B. A formal risk appetite statement.
C. Documented information security policies and procedures.
D. An incident response plan.
Answers: A, C

Why this answer

A security steering committee with executive representation is essential because it provides strategic oversight, aligns security initiatives with business objectives, and ensures resource allocation and governance accountability. This committee typically includes C-level executives who approve security policies, review risk posture, and enforce compliance across the organization.

Exam trap

ISACA often tests the distinction between governance components (steering committee, policies) and operational or risk management artifacts (risk appetite statement, incident response plan), leading candidates to select familiar but incorrect operational items.

Why the other options are wrong

B: Risk appetite is part of risk management, not the governance framework per se.

D: Operational plan, not a governance component.

785
MCQ · hard

After a major security incident, the incident response team completes the containment, eradication, and recovery phases. The CISO is now planning the post-incident activities. Which activity is MOST critical to ensure that lessons learned are effectively incorporated?

A. Publishing a public disclosure of the incident.
B. Terminating the incident response team's engagement.
C. Restoring all systems to full production status.
D. Conducting a post-incident review and updating policies.
Answer: D

This ensures that the organization learns from the incident and improves future response.

Why this answer

Conducting a post-incident review and updating policies is the most critical post-incident activity because it ensures that the root cause, response gaps, and process deficiencies are formally documented and translated into actionable improvements. This directly supports the continuous improvement cycle required by NIST SP 800-61 and ISO 27035, preventing recurrence of similar incidents.

Exam trap

ISACA often tests the distinction between operational recovery tasks (restoring systems) and strategic improvement tasks (post-incident review), leading candidates to mistakenly prioritize immediate restoration over the learning process that prevents future incidents.

How to eliminate wrong answers

Option A is wrong because public disclosure is a legal or regulatory obligation (e.g., GDPR breach notification) that does not inherently incorporate lessons learned into internal security controls. Option B is wrong because terminating the incident response team's engagement prematurely closes the feedback loop, preventing the capture of process improvements and forensic findings. Option C is wrong because restoring systems to full production status is an operational recovery step, not a learning activity; it does not address why the incident occurred or how to prevent it.

786
MCQ · medium

An organization is implementing a new security policy. Which step should occur AFTER the policy is approved?

A. Stakeholder consultation
B. Gap analysis
C. Training and communication
D. Legal review
Answer: C

After approval, the policy must be communicated and trained.

Why this answer

After approval, training and awareness are essential to ensure employees understand and comply with the policy.

787
MCQ · hard

During a security program review, the auditor finds that incident response procedures have not been tested in over two years. What is the MOST significant risk arising from this finding?

A. Non-compliance with regulatory requirements
B. Higher financial costs due to inefficiencies
C. Increased recovery time after an incident
D. Ineffective response leading to greater damage during an incident
Answer: D

Without testing, the plan may not work, causing extended damage.

Why this answer

Option D is correct because untested procedures may be ineffective or outdated, leading to failure during a real incident. Option C is wrong because increased recovery time is a symptom of the ineffective response. Option A is wrong because non-compliance is possible but not the most significant risk.

Option B is wrong because higher costs are secondary.

788
MCQ · medium

An information security manager is developing a program metric to measure the effectiveness of the security awareness training. Which metric is most appropriate?

A. Percentage of employees who completed the training.
B. Number of security incidents caused by human error.
C. Average score on post-training tests.
D. Time taken to complete the training modules.
Answer: B

Why this answer

The most appropriate metric for measuring the effectiveness of security awareness training is the reduction in security incidents caused by human error. While completion rates and test scores measure participation and knowledge retention, they do not directly indicate whether the training has changed employee behavior and reduced real-world risk. A decrease in human-error-related incidents provides direct evidence that the training is effectively influencing secure practices.

Exam trap

The trap here is that candidates often confuse training completion or test scores with effectiveness, but CISM emphasizes outcome-based metrics that demonstrate actual risk reduction, not just activity completion.

Why the other options are wrong

A: Completion does not measure learning or behavior change.

C: Test scores measure knowledge retention, but not application in real situations.

D: Time is irrelevant to effectiveness; fast completion may indicate skipping content.

789
Multi-Select · medium

Which TWO of the following are key responsibilities of the crisis management team (CMT) during a major cybersecurity incident?

Select 2 answers
A. Restoring backups of affected servers
B. Approving external communications and public statements
C. Analyzing log files to identify the attack vector
D. Conducting technical forensic analysis of compromised systems
E. Making strategic decisions about business continuity activation
Answers: B, E

The CMT oversees communication strategy.

Why this answer

Option B is correct because the crisis management team (CMT) is responsible for high-level strategic decisions, including approving external communications and public statements to manage reputation and legal exposure during a major cybersecurity incident. This aligns with the CMT's role in coordinating response efforts and ensuring consistent messaging, as defined in incident management frameworks like NIST SP 800-61.

Exam trap

The trap here is confusing the strategic responsibilities of the CMT with the tactical or operational tasks of the technical incident response team, leading candidates to select hands-on actions like log analysis or backup restoration instead of high-level decision-making roles.

790
MCQ · hard

An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?

A. Notify the service owner
B. Disable the service account
C. Investigate the source IP addresses
D. Change the password for the service account
Answer: D

Changing the password invalidates the attacker's attempts.

Why this answer

The correct next step is to change the password for the service account because the alert indicates a possible brute-force attack, and a known password represents a compromised credential. Even if the account is a service account, the password must be rotated to prevent unauthorized access. This aligns with the incident response principle of containing the threat by invalidating the compromised authentication factor.

Exam trap

The trap here is that candidates confuse a service account with a user account and choose to investigate the source IP addresses first, forgetting that containment (password change) must precede investigation when a known credential is involved.

How to eliminate wrong answers

Option A is wrong because notifying the service owner is a communication step that should occur after the immediate threat is contained, not as the next action. Option B is wrong because disabling the service account would disrupt dependent services and applications, potentially causing a larger operational impact than the brute-force attempt itself. Option C is wrong because while investigating source IP addresses is a valid forensic step, it does not address the immediate risk of a known password being used in an ongoing attack; containment takes priority over investigation.

791
MCQ · medium

An organization is implementing a data security program. Which of the following is the most effective approach to protect sensitive data at rest?

A. Implementing strict access control lists (ACLs)
B. Implementing data loss prevention (DLP) solutions
C. Encrypting sensitive data stored in databases and file shares
D. Conducting regular vulnerability scans on servers
Answer: C

Encryption directly protects data at rest.

Why this answer

Encryption is a fundamental control for protecting data at rest. While DLP and access controls are important, encryption provides direct confidentiality protection.

792
Multi-Select · hard

An organization is implementing a vendor tiering program for third-party risk management. Which TWO criteria should be used to classify vendors into high, medium, or low risk tiers? (Select TWO)

Select 2 answers
A. Length of contract
B. Type and sensitivity of data accessed
C. Vendor's annual revenue
D. Criticality of service provided
E. Vendor's geographic location
Answers: B, D

Determines potential impact if data is breached.

Why this answer

Data access and service criticality directly affect the potential impact of a vendor compromise.

793
Multi-Select · easy

Which TWO of the following are key performance indicators (KPIs) commonly used to measure the effectiveness of incident management processes?

Select 2 answers
A. Percentage of incidents resolved within SLA
B. Mean Time to Detect (MTTD)
C. Mean Time to Respond (MTTR)
D. Total cost of incidents
E. Number of incidents per month
Answers: B, C

MTTD measures how quickly an incident is detected, a key indicator of detection capability.

Why this answer

Mean Time to Detect (MTTD) measures the average time between the occurrence of an incident and its detection by monitoring systems or personnel. A lower MTTD indicates faster detection, which is critical for minimizing damage and is a direct KPI for incident management effectiveness. Mean Time to Respond (MTTR) measures the average time from detection to the start of remediation actions, reflecting the efficiency of the response process.

Exam trap

The trap here is confusing 'Mean Time to Respond' (MTTR) with 'Mean Time to Resolve' (also often abbreviated MTTR), but in CISM context, MTTR for incident management specifically refers to response time, not resolution time, and candidates may incorrectly select SLA compliance or volume metrics as KPIs for process effectiveness.

794
MCQ · medium

An organization is implementing a defense-in-depth strategy. Which of the following is the BEST example of a compensating control?

A. Encrypting data at rest using AES-256
B. Installing a firewall at the network perimeter
C. Requiring multi-factor authentication for remote access where strong passwords are not feasible
D. Conducting quarterly vulnerability scans
Answer: C

Multi-factor authentication compensates for the inability to enforce strong passwords.

Why this answer

Option C is the best example of a compensating control because it provides an alternative security measure (multi-factor authentication) to mitigate the risk of weak or infeasible strong passwords for remote access. Compensating controls are implemented when a primary control cannot be applied due to technical or operational constraints, and they must achieve an equivalent or greater level of security. In this scenario, MFA compensates for the lack of password strength by requiring an additional authentication factor, such as a one-time passcode (OTP) or biometric, thereby reducing the likelihood of credential compromise.

Exam trap

The trap here is that candidates often confuse compensating controls with preventive or detective controls, mistakenly selecting a strong security measure like encryption or firewalls instead of recognizing that a compensating control specifically addresses a limitation or infeasibility of a primary control.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest using AES-256 is a preventive control, not a compensating control; it directly protects data confidentiality without substituting for another control. Option B is wrong because installing a firewall at the network perimeter is a preventive control that enforces access policies, not a compensating control that addresses a deficiency in another control. Option D is wrong because conducting quarterly vulnerability scans is a detective control that identifies weaknesses after they exist, not a compensating control that provides an alternative safeguard when a primary control is not feasible.

795
Multi-Select · easy

Which TWO of the following are risk treatment strategies as defined in ISO 27005?

Select 2 answers
A. Risk analysis
B. Risk monitoring
C. Risk avoidance
D. Risk transfer
E. Risk communication
Answers: C, D

Avoidance is a risk treatment strategy.

Why this answer

Risk avoidance is a defined risk treatment strategy in ISO 27005 where the organization decides to avoid the risk by not engaging in the activity that gives rise to it, such as discontinuing a service or choosing an alternative technology. Option C is correct because ISO 27005 explicitly lists risk avoidance as one of the four primary risk treatment options (avoidance, reduction, retention, and transfer).

Exam trap

The trap here is that candidates confuse the risk management process steps (like risk analysis, monitoring, and communication) with the specific risk treatment strategies defined in ISO 27005, leading them to select options that are activities rather than treatment methods.

796
Multi-Select · hard

Which TWO of the following are recommended practices when conducting a post-incident review? (Select TWO)

Select 2 answers
A. Document lessons learned and improvement actions
B. Update the incident response plan immediately
C. Assign blame to responsible individuals
D. Identify the root cause of the incident
E. Reimage all affected systems
Answers: A, D

Lessons learned improve future response.

Why this answer

Option A is correct because documenting lessons learned and improvement actions is a core output of a post-incident review, enabling the organization to refine security controls, processes, and training. This practice aligns with the continuous improvement cycle in incident management, ensuring that each incident contributes to stronger defenses. Without this documentation, the same vulnerabilities or procedural gaps may be exploited repeatedly.

Exam trap

ISACA often tests the distinction between immediate remediation steps (like reimaging systems) and the analytical, process-improvement focus of a post-incident review, leading candidates to mistakenly select technical actions instead of documentation and root cause analysis.

797
Multi-Select · medium

An information security manager is designing a security program for a multinational organization. Which factors should be considered when developing the program governance structure? (Select 3)

Select 3 answers
A. Legal and regulatory requirements across jurisdictions
B. Current technology architecture
C. Business strategy and objectives
D. Organizational culture and risk appetite
Answers: A, C, D

Why this answer

Legal and regulatory requirements across jurisdictions are foundational because a multinational organization must comply with diverse data protection laws (e.g., GDPR in Europe, CCPA in California, LGPD in Brazil) that directly dictate security controls, breach notification timelines, and data residency rules. The governance structure must incorporate these obligations to avoid legal penalties and ensure consistent policy enforcement across borders.

Exam trap

ISACA often tests the distinction between governance (strategy, culture, compliance) and management (architecture, tools, implementation), leading candidates to mistakenly select technology architecture as a governance factor.

Why the other options are wrong

B: Technology architecture is an operational concern, not governance.

798
Multi-Select · medium

Which TWO of the following are essential components of an incident response (IR) plan? (Select TWO)

Select 2 answers
A. Vendor risk assessment reports
B. Detailed network architecture diagrams
C. Communication templates
D. Playbook for ransomware incidents
E. IR team roster and contact list
Answers: C, E

Important for consistent and timely stakeholder notifications.

Why this answer

The IR plan includes the IR team roster and contact list, and communication templates. Procedures for specific incident types are typically in separate playbooks.

799
MCQ · medium

An information security manager is asked to justify an increase in the security budget. Which approach BEST demonstrates the value of the security program?

A. Comparing the proposed budget to industry benchmarks
B. Calculating the ROI by estimating breach avoidance and compliance cost savings
C. Highlighting the number of security tools currently in use
D. Listing all security certifications held by the team
Answer: B

ROI quantifies the financial benefit of security investments.

Why this answer

Presenting the return on investment (ROI) by quantifying avoided breach costs and compliance savings provides a business case for budget increases.

800
Multi-Select · medium

Which TWO of the following are essential components of an incident response plan? (Select two.)

Select 2 answers
A. Communication templates
B. Vendor risk assessment reports
C. IR team roster and contact list
D. Network architecture diagrams
E. Annual security awareness training schedule
Answers: A, C

Templates ensure timely and consistent communication during an incident.

Why this answer

Essential components include the IR team roster and contact list, and communication templates for consistent messaging.

801
MCQ · hard

An incident response team is handling a P2 (high) incident. According to the incident severity classification, which of the following is the expected response timeframe?

A. Standard response with no escalation
B. Business hours response with management notification
C. Scheduled remediation
D. 24/7 response with executive notification
Answer: B

P2 is high severity, requiring management notification and response during business hours.

Why this answer

A P2 (high) incident requires a response during business hours with management notification, as defined by the incident severity classification. This ensures that the incident is addressed promptly within operational hours while keeping management informed for potential escalation or resource allocation.

Exam trap

The trap here is confusing P2 (high) with P1 (critical), leading candidates to select the 24/7 response with executive notification, which is reserved for incidents causing severe business impact or data loss.

How to eliminate wrong answers

Option A is wrong because a standard response with no escalation is reserved for lower-severity incidents (e.g., P3 or P4), not for a P2 high-severity incident that demands management awareness. Option C is wrong because scheduled remediation applies to non-critical, low-priority incidents (e.g., P4) where a planned fix is acceptable, not for a high-severity incident requiring immediate attention. Option D is wrong because 24/7 response with executive notification is reserved for critical incidents (e.g., P1), where immediate round-the-clock action and top-level executive involvement are mandatory, exceeding the requirements for a P2 incident.

802
Multi-Select · hard

An organization is designing a security metrics dashboard for the board of directors. Which THREE metrics are most appropriate for board-level reporting?

Select 3 answers
A. Average age of security patches in days
B. Patch compliance percentage for critical systems
C. Mean time to respond (MTTR) to incidents
D. Number of intrusion detection alerts per day
E. Security investment as a percentage of IT budget
Answers: B, C, E

Indicates vulnerability management posture.

Why this answer

These metrics provide strategic insight into security effectiveness and compliance.

803
MCQ · easy

A security analyst notices unusual outbound traffic from a server that is not scheduled for any data transfers. Which step should the analyst take FIRST?

A. Block the IP addresses in the outbound traffic
B. Immediately isolate the server from the network
C. Document the observation and escalate to the incident response team
D. Ignore as it may be a false positive
Answer: C

Proper escalation ensures formal handling.

Why this answer

Option C is correct because the first step in incident response is to preserve evidence and follow the established escalation path. The analyst should document the observation (including source/destination IPs, ports, protocols, and timestamps) and escalate to the incident response team (IRT) to ensure a coordinated, forensically sound investigation. Premature action like blocking or isolating could destroy volatile data or alert an attacker, violating the principle of evidence preservation outlined in NIST SP 800-61.

Exam trap

The trap here is that candidates confuse 'immediate containment' (Option B) with the first step, but CISM emphasizes that the first step in incident management is always detection and reporting (Option C), not containment, which comes after escalation and analysis.

How to eliminate wrong answers

Option A is wrong because blocking IP addresses without understanding the traffic context may destroy forensic evidence (e.g., netflow logs, packet captures) and could be a temporary measure that an attacker can easily bypass by rotating IPs; it also violates the 'do no harm' principle in incident handling. Option B is wrong because immediately isolating the server from the network can disrupt legitimate services, trigger an attacker to wipe evidence, and prevent the IRT from capturing live volatile data (e.g., memory dumps, active connections) that are critical for attribution. Option D is wrong because ignoring the traffic based on a potential false positive violates the security monitoring policy and could allow an active data exfiltration (e.g., via DNS tunneling or HTTPS beaconing) to continue undetected, leading to a data breach.

804
MCQ · hard

During a post-incident root cause analysis, the team uses the '5 Whys' technique and identifies a technical vulnerability as the cause. According to CISM best practices, what should be the NEXT level of analysis?

A. Determine the process failure that allowed the vulnerability to go unaddressed.
B. Immediately patch the vulnerability and move on.
C. Escalate the issue to the vendor for a software fix.
D. Identify the specific employee responsible for the vulnerability.
Answer: A

Understanding the process gap helps prevent recurrence.

Why this answer

The '5 Whys' should drill deeper to uncover process and management failures that allowed the technical vulnerability to exist.

805
MCQ · medium

An organization has a decentralized governance model with security teams embedded in each business unit. The CISO is concerned about inconsistent security controls across the enterprise. What is the BEST recommendation to address this?

A.Adopt a hybrid governance model with enterprise-wide standards and local execution
B.Conduct a risk assessment to prioritize controls
C.Implement a centralized security operations center (SOC) to monitor all units
D.Move to a fully centralized governance model
AnswerA

A hybrid model enforces enterprise-wide standards while allowing local flexibility.

Why this answer

A hybrid model combines the benefits of centralized oversight with decentralized execution, ensuring consistency while maintaining business unit flexibility.

806
Multi-Select (medium)

An organization is designing a security awareness program. Which TWO of the following should be included for developers?

Select 2 answers
A. Physical security procedures
B. Social engineering defense for executives
C. Threat modeling techniques
D. General phishing awareness
E. Secure coding practices
Answers: C, E

Helps developers identify security flaws early.

Why this answer

Developers need secure coding and threat modeling to build secure applications.

807
MCQ (medium)

Which of the following is the BEST approach for sharing threat intelligence indicators of compromise (IoCs) after an incident?

A. Report IoCs to law enforcement only.
B. Share IoCs with industry peers via the relevant ISAC.
C. Keep IoCs confidential to protect the organization's reputation.
D. Publish IoCs on the organization's public website.
Answer: B

ISACs provide a trusted mechanism for sharing threat information.

Why this answer

Sharing IoCs with an ISAC (Information Sharing and Analysis Center) helps the broader community defend against similar attacks, which is a key post-incident activity.

808
Multi-Select (easy)

Which TWO of the following are typical components of a security awareness program?

Select 2 answers
A. Role-based security training
B. Vulnerability scanning
C. Phishing simulations
D. Security architecture design
E. Penetration testing
Answers: A, C

Tailored training for different roles.

Why this answer

Phishing simulations and role-based training are core components of awareness programs. Penetration testing and vulnerability scanning are technical assessments, and security architecture is a design function, so none of them belongs to an awareness program.

809
Multi-Select (medium)

Which TWO of the following are key indicators that an organization's information security governance is effective?

Select 2 answers
A. Low variance between the approved security budget and actual spending.
B. The number of security policies that have been published.
C. High percentage of risk treatment plans implemented on time.
D. Regular reporting of security performance metrics to the board.
E. High completion rate for security awareness training.
Answers: C, D

This shows that governance decisions are being executed.

Why this answer

Option C is correct because timely implementation of risk treatment plans directly demonstrates that the organization is actively managing identified risks according to its risk appetite and governance framework. Effective governance requires not just planning but execution; a high percentage of on-time plan completion indicates that risk owners are accountable and that the risk management process is operational, which is a core objective of information security governance.

Exam trap

The trap here is that candidates often confuse operational metrics (like training completion or budget adherence) with governance effectiveness, which requires evidence of strategic oversight, risk management execution, and board-level accountability.

810
Multi-Select (medium)

Which TWO of the following are valid risk treatment options according to ISO 31000? (Choose two.)

Select 2 answers
A. Risk avoidance
B. Risk measurement
C. Risk identification
D. Risk communication
E. Risk retention
Answers: A, E

Avoiding the risk by not undertaking the activity.

Why this answer

Risk avoidance is a valid risk treatment option per ISO 31000, where the organization decides to eliminate the risk by not engaging in or discontinuing the activity that gives rise to the risk. For example, in information security, this could mean choosing not to deploy a vulnerable legacy system or terminating a high-risk third-party integration. It directly reduces exposure to zero for that specific risk scenario.

Exam trap

The trap here is that candidates confuse the steps of the risk management process (identification, analysis, evaluation, communication) with the specific treatment options, leading them to select risk measurement or risk identification as valid treatments.

811
MCQ (medium)

A company is designing its information security program and wants to ensure that it meets regulatory requirements across multiple jurisdictions. Which of the following approaches is most appropriate?

A. Adopt ISO 27001 as the sole framework for the program.
B. Implement a regulatory compliance framework that maps controls to applicable laws and standards.
C. Comply with the strictest regulation and ignore others.
D. Engage external legal counsel to review policies quarterly.
Answer: B

Maps controls to regulations, ensuring comprehensive and consistent compliance.

Why this answer

Option B is correct because a regulatory compliance framework that maps controls to applicable laws and standards provides a structured, auditable method to address multiple, sometimes conflicting, jurisdictional requirements. This approach ensures that each control is explicitly linked to a specific legal or regulatory obligation, facilitating compliance verification and reducing the risk of oversight. It is the most comprehensive and adaptable method for a multi-jurisdictional environment, as it allows the organization to manage overlapping and unique requirements without relying on a single standard or external review alone.

Exam trap

Cisco often tests the misconception that adopting a single, comprehensive standard like ISO 27001 is sufficient for multi-jurisdictional compliance, when in reality it must be supplemented with a mapping framework to address specific legal requirements.

How to eliminate wrong answers

Option A is wrong because adopting ISO 27001 as the sole framework does not guarantee compliance with specific jurisdictional laws (e.g., GDPR, HIPAA, PCI DSS) that have unique requirements beyond the general controls of ISO 27001; it provides a management system but not a direct mapping to each regulation. Option C is wrong because complying with the strictest regulation and ignoring others can lead to non-compliance with laws that have different or additional requirements not covered by the strictest one, such as data localization rules in one jurisdiction that are not addressed by another's stricter privacy law. Option D is wrong because engaging external legal counsel to review policies quarterly is a reactive, periodic check that does not provide a continuous, integrated framework for managing and demonstrating compliance across multiple jurisdictions; it lacks the proactive control mapping and ongoing governance needed for a comprehensive program.

812
MCQ (medium)

An organization's information security program is based on a risk management framework. Which of the following BEST describes the role of the information security manager in this context?

A. Setting the organization's risk appetite
B. Designing and managing the security program
C. Owning all information security risks
D. Conducting internal audits of controls
Answer: B

Why this answer

The information security manager is responsible for designing and managing the security program based on the risk management framework. This includes translating risk assessment results into security controls, policies, and procedures, and ensuring the program aligns with the organization's risk posture. The manager does not set risk appetite (that is a board-level decision) nor own all risks (risk owners are business process owners).

Exam trap

The trap here is confusing the information security manager's operational role with strategic or assurance roles, leading candidates to select 'setting risk appetite' or 'conducting internal audits' instead of the correct program management function.

Why the other options are wrong

A

Risk appetite is set by the board of directors, not the security manager.

C

Risk ownership resides with business process owners; the security manager facilitates risk management.

D

Internal audits are performed by the internal audit function, not by security management.

813
Multi-Select (hard)

Which THREE elements should be included in an incident response plan to ensure effective communication during a security incident?

Select 3 answers
A. Escalation procedures for notifying management and legal
B. Communication protocols and channels for internal coordination
C. List of affected systems and data
D. Public relations strategy for external communication
E. Defined roles and responsibilities for the incident response team
Answers: A, B, E

Escalation ensures timely involvement of decision-makers.

Why this answer

Option A is correct because escalation procedures define the specific thresholds and contact paths for notifying management and legal teams when an incident exceeds predefined severity levels. This ensures that decision-makers are informed promptly to authorize critical actions like legal holds or regulatory notifications, preventing delays that could worsen the incident's impact.

Exam trap

The trap here is that candidates confuse operational data (like affected systems) with communication plan elements, or they mistakenly think a full public relations strategy must be embedded in the IR plan rather than referenced as a separate document.

814
Multi-Select (medium)

Which THREE are essential steps in incident containment? (Choose three.)

Select 3 answers
A. Root cause analysis
B. Notify external regulators
C. Disable compromised accounts
D. Isolate affected systems
E. Preserve forensic evidence
Answers: C, D, E

Disabling accounts stops attacker access through valid credentials.

Why this answer

Disabling compromised accounts is an essential containment step because it immediately cuts off an attacker's authenticated access to systems, preventing further lateral movement or data exfiltration. In Active Directory environments, this involves disabling the user or computer account via `Disable-ADAccount` or the GUI, which invalidates Kerberos tickets and NTLM hashes for that account. This action stops the attacker from using stolen credentials without destroying evidence of their activity.

Exam trap

Cisco often tests the distinction between containment steps (immediate actions to stop the incident) and post-incident activities (like root cause analysis or notification), leading candidates to mistakenly include regulatory notification or root cause analysis as part of containment.

815
Multi-Select (medium)

Which TWO regulations are MOST likely to impact an organization that processes credit card payments and handles personal data of EU residents?

Select 2 answers
A. HIPAA
B. SOX
C. GDPR
D. CCPA
E. PCI DSS
Answers: C, E

GDPR protects personal data of individuals in the EU.

Why this answer

PCI DSS applies to payment card processing, and GDPR applies to personal data of EU residents. These are the two most relevant regulations.

816
MCQ (easy)

Which of the following is typically a member of the crisis management team (CMT) during a major cybersecurity incident?

A. Chief executive officer (CEO)
B. Security operations center (SOC) analyst
C. Help desk manager
D. External forensics investigator
Answer: A

The CEO is a key member of the CMT for major incidents.

Why this answer

The CMT includes senior leaders such as the CEO, CFO, CISO, General Counsel, and Communications head to handle strategic decisions and external communications.

817
MCQ (easy)

A small business without a dedicated incident response team experiences a suspected breach. Who should be primarily responsible for leading the incident response efforts?

A. The CEO of the company.
B. The IT administrator who discovered the breach.
C. The external cybersecurity consultant on retainer.
D. The legal counsel.
Answer: C

Brings specialized skills and experience.

Why this answer

In a small business lacking a dedicated incident response team, the external cybersecurity consultant on retainer (Option C) is the most appropriate leader because they possess the specialized expertise, tools, and experience required to manage the technical aspects of incident response, such as forensic analysis, containment, and eradication. The consultant can provide an objective, skilled response without the conflicts of interest or lack of training that internal staff may have, ensuring adherence to industry frameworks like NIST SP 800-61 or SANS PICERL.

Exam trap

The trap here is that candidates often assume the IT administrator who discovered the breach should lead because they are most familiar with the systems, but CISM emphasizes that incident response requires impartial, trained leadership to avoid evidence mishandling and ensure adherence to legal and forensic best practices.

How to eliminate wrong answers

Option A is wrong because the CEO, while ultimately accountable, typically lacks the technical incident response skills and hands-on knowledge needed to lead forensic analysis, log review, or containment actions; their role is strategic oversight, not tactical response. Option B is wrong because the IT administrator who discovered the breach may be emotionally invested, lack formal incident response training, and could inadvertently destroy evidence or mishandle containment (e.g., by powering off a system instead of preserving volatile memory), leading to legal and forensic complications. Option D is wrong because legal counsel focuses on regulatory compliance, liability, and notification obligations, not on the technical execution of containment, eradication, or recovery; they should advise but not lead the operational response.

818
MCQ (hard)

Match each information security program component to its primary focus area.

Components:
1. Risk Assessment
2. Security Awareness Training
3. Incident Response Plan
4. Policy Framework

Focus areas:
A. Human factors and behavior
B. Structured response to events
C. Identification and analysis of threats
D. Governance and compliance requirements

Drag each component to its matching focus area.

Answer:
Risk Assessment → C. Identification and analysis of threats
Security Awareness Training → A. Human factors and behavior
Incident Response Plan → B. Structured response to events
Policy Framework → D. Governance and compliance requirements

Why this answer

Risk Assessment focuses on identifying and analyzing threats. Security Awareness Training addresses human factors. Incident Response Plan provides a structured response to events. Policy Framework establishes governance and compliance requirements.

Exam trap

Candidates often confuse Incident Response Plan with Risk Assessment, but incident response is about reaction, not identification.


819
MCQ (easy)

A company's information security manager is tasked with ensuring that security initiatives align with business goals. Which of the following best demonstrates this alignment?

A. Prioritizing security projects based solely on technical risk assessment.
B. Implementing all security controls required by regulatory standards.
C. Creating a security budget that allocates funds equally across departments.
D. Establishing security metrics that are linked to key business performance indicators.
Answer: D

This directly ties security outcomes to business success, demonstrating alignment.

Why this answer

Option D is correct because aligning security metrics with key business performance indicators (KPIs) ensures that security initiatives directly support and demonstrate value to business objectives, such as revenue protection, customer trust, or operational efficiency. This is a core principle of information security governance, where security is treated as a business enabler rather than a technical silo. For example, tracking 'mean time to detect (MTTD)' and 'mean time to respond (MTTR)' as security metrics linked to business continuity KPIs shows how security investments reduce business risk.

Exam trap

The trap here is that candidates often mistake compliance-driven or technically optimal approaches (like risk-based prioritization) as sufficient for alignment, but the CISM exam emphasizes that true alignment requires bidirectional linkage between security metrics and business performance indicators, not just technical or regulatory adherence.

How to eliminate wrong answers

Option A is wrong because prioritizing security projects solely on technical risk assessment ignores business context, such as revenue impact, customer experience, or strategic goals, leading to misalignment and potential underfunding of business-critical initiatives. Option B is wrong because implementing all controls required by regulatory standards ensures compliance but does not guarantee alignment with unique business goals; it may over-invest in low-value areas or miss controls that support competitive advantage. Option C is wrong because allocating security budget equally across departments fails to account for varying risk exposure, asset criticality, or business unit priorities, resulting in inefficient resource use and potential gaps in high-risk areas.

820
Multi-Select (medium)

An organization is updating its incident response plan. Which TWO components are essential to include for effective insider threat management? (Select TWO.)

Select 2 answers
A. A dedicated ransomware recovery procedure.
B. Procedures for coordinating with human resources and legal departments.
C. A list of all employee passwords for investigation purposes.
D. A playbook specifically for insider threat scenarios.
E. Contact information for the DDoS mitigation service provider.
Answers: B, D

Insider threats often involve employee relations and legal action.

Why this answer

Insider threats require specific playbooks and involvement of HR and legal for proper handling.

821
MCQ (medium)

During a P1 incident, the crisis management team (CMT) has been activated. The CEO asks for an hourly sitrep. Which of the following is the MOST appropriate content for the sitrep?

A. Current status of containment, confirmed facts, and actions taken, with legal counsel input.
B. A detailed technical analysis of the attack vector and exploited vulnerabilities.
C. Names of individuals potentially responsible for the incident.
D. Estimated financial impact and potential regulatory penalties.
Answer: A

This provides clear, factual updates while protecting privilege.

Why this answer

During a P1 incident, the CEO requires a concise, actionable sitrep focused on containment status, confirmed facts, and actions taken. Legal counsel input is critical to avoid premature attribution or disclosure that could create liability or violate data breach notification laws. This aligns with the CISM incident management principle of providing decision-ready information to executive leadership without technical clutter.

Exam trap

Cisco often tests the distinction between operational incident management (executive sitrep) and technical incident response (detailed analysis), leading candidates to choose overly technical options like B instead of the legally vetted, decision-focused summary in A.

How to eliminate wrong answers

Option B is wrong because a detailed technical analysis of the attack vector and exploited vulnerabilities is too granular for an hourly executive sitrep; it belongs in a technical incident report for the IR team. Option C is wrong because naming individuals potentially responsible before investigation and legal review can lead to defamation risks, privacy violations, and interference with law enforcement or forensic processes. Option D is wrong because estimated financial impact and regulatory penalties are premature during active containment; such estimates require post-incident assessment and are not suitable for an hourly operational update.

822
MCQ (hard)

A risk manager is establishing risk appetite for a new product line. Which of the following best describes the relationship between risk appetite and risk tolerance?

A. Risk appetite and tolerance are interchangeable terms
B. Risk appetite is set by regulatory bodies; tolerance is set by the board
C. Risk appetite is the specific limit for each risk; tolerance is the overall willingness to accept risk
D. Risk appetite is the general approach to risk; tolerance defines acceptable variation in performance
Answer: D

This correctly distinguishes between appetite and tolerance.

Why this answer

Risk appetite is the broad, high-level amount of risk an organization is willing to accept in pursuit of its objectives, while risk tolerance translates that appetite into specific, measurable boundaries for individual risks. Option D correctly captures this relationship: appetite is the general approach, and tolerance defines the acceptable variation in performance metrics (e.g., a 5% deviation in revenue targets). This distinction is critical for aligning risk management with business strategy in information security risk management.

Exam trap

The trap here is that candidates often confuse the scope of the two terms, mistakenly thinking risk tolerance is the broader concept (Option C) or that they are synonymous (Option A), when in fact risk appetite is the overarching philosophy and tolerance is the specific, measurable boundary.

How to eliminate wrong answers

Option A is wrong because risk appetite and risk tolerance are not interchangeable; appetite is the overall willingness to accept risk, whereas tolerance is the specific, quantifiable limits applied to individual risks. Option B is wrong because risk appetite is set by the board of directors, not regulatory bodies; regulatory bodies may impose constraints, but appetite is an internal strategic decision. Option C is wrong because it reverses the definitions: risk tolerance is the specific limit for each risk, and risk appetite is the overall willingness to accept risk, not the other way around.

823
MCQ (easy)

Which of the following is a LEADING indicator of security performance?

A. Cost of a data breach
B. Mean time to respond (MTTR)
C. Number of security incidents
D. Patch compliance percentage
Answer: D

Measures proactive maintenance, predicting future incidents.

Why this answer

Leading indicators predict future performance. Patch compliance measures proactive security posture.

824
MCQ (medium)

Which incident severity level requires executive notification and a 24/7 response?

A. P3 – Medium
B. P1 – Critical
C. P4 – Low
D. P2 – High
Answer: B

P1 requires executive notification and 24/7 response.

Why this answer

P1 (critical) incidents have major business impact and require executive notification and around-the-clock response.

825
Multi-Select (medium)

Which THREE of the following are key components of an incident response plan? (Select THREE)

Select 3 answers
A. List of all employees' contact information
B. Annual budget for incident response tools
C. Communication and escalation matrix
D. Incident response procedures
E. Roles and responsibilities of team members
Answers: C, D, E

Clear communication paths are critical during an incident.

Why this answer

The communication and escalation matrix is a key component of an incident response plan because it defines the chain of command, contact paths, and escalation triggers for notifying stakeholders during an incident. This ensures that the right people are informed at the right time, preventing delays in decision-making and response actions. Without this matrix, critical incidents may be mishandled due to miscommunication or failure to escalate to senior management or legal teams.

Exam trap

Cisco often tests the distinction between operational plan components (like procedures, roles, and communication matrix) versus supporting or administrative elements (like budgets or full employee directories) to see if candidates understand what is essential for executing the response, not just managing the program.
