Certified Information Security Manager CISM (CISM) — Questions 826896

896 questions total · 12 pages · All types, answers revealed


Page 12 of 12

826
Multi-Select · medium

Which THREE of the following are typical roles in an incident response team? (Select THREE)

Select 3 answers
A. IR manager
B. Human resources representative
C. Forensic investigators
D. Security analysts
E. Internal audit representative
Answers: A, C, D

The IR manager coordinates the IR team and its processes.

Why this answer

The IR team typically includes an IR manager, security analysts, forensic investigators, communications lead, legal counsel, and executive sponsor.

827
MCQ · hard

A global financial services firm with 15,000 employees has recently experienced a significant data breach due to inadequate oversight of third-party vendors. The breach originated from a cloud service provider that had been granted elevated access without a formal risk assessment or contract review. The board has directed the CISO to overhaul the information security governance framework to prevent recurrence. Currently, the organization has a decentralized security model where each business unit manages its own vendor relationships. The CISO proposes a centralized governance body. Which of the following is the BEST course of action to establish effective governance over third-party risk?

A. Establish a central third-party risk management program with a defined policy and vendor assessment process
B. Conduct quarterly penetration tests on all third-party systems
C. Provide annual security awareness training for employees managing vendors
D. Mandate that all vendor contracts include data protection clauses
Answer: A

A centralized program ensures consistent governance and oversight of all vendor relationships.

Why this answer

Option A is correct because it directly addresses the root cause: lack of oversight. A formal third-party risk management (TPRM) program with centralized policies and vendor assessments provides consistent governance. Option D (contract clauses) is reactive and not comprehensive; Option C (training) addresses awareness but not process; Option B (penetration testing) is a technical control, not governance.

828
MCQ · easy

A manufacturing company has an incident response plan that includes a communication plan. However, during a recent ransomware incident, the team realized that the external legal counsel was not listed in the plan. The incident requires consultation with legal due to potential regulatory implications. The incident response manager needs to address this gap quickly. What should the manager do?

A. Notify legal counsel after the incident is resolved
B. Use only internal legal department instead of external counsel
C. Ignore legal counsel involvement for this incident
D. Add the legal counsel to the incident response plan immediately
Answer: D

Updating the plan to include all necessary stakeholders is essential for effective communication.

Why this answer

The manager should add legal counsel to the communication plan immediately to ensure they are included in future incidents. Ignoring them or delaying notification could worsen regulatory consequences. Using internal legal might not be sufficient for external counsel needs.

829
MCQ · medium

After detecting a ransomware infection on a file server, the incident response team performs containment and eradication. Which step should be prioritized during the recovery phase to minimize business impact?

A. Contact the attackers to negotiate a decryption key
B. Reimage all servers in the same network segment
C. Identify and patch the vulnerability used for entry
D. Restore data from verified clean backups
Answer: D

Restoring from backups is the primary recovery method.

Why this answer

Restoring data from clean backups is the most direct way to recover operations without paying ransom. Identifying the vulnerability (C) is part of eradication, not recovery. Negotiating with attackers (A) is discouraged. Reimaging all servers (B) may be excessive and cause more downtime.

830
MCQ · hard

A security manager is evaluating risk treatment options for a high-risk vulnerability. Drag each option to the correct risk treatment category.

Options:
- Apply a vendor patch
- Purchase cyber insurance
- Decommission the system
- Accept the risk with formal sign-off
- Install a WAF (Web Application Firewall)

Categories:
- Mitigate
- Transfer
- Avoid
- Accept

Answer options not yet available.

Why this answer

Risk mitigation reduces the likelihood or impact: applying a patch and installing a WAF are mitigation. Transfer shifts risk to a third party: cyber insurance. Avoid eliminates the risk by removing the system: decommissioning.

Acceptance is formal acknowledgment: accept with sign-off.

Exam trap

Candidates may misclassify insurance as mitigation because it reduces financial impact, but it is transfer. Also, decommissioning is clearly avoidance, not mitigation.

831
Multi-Select · hard

A security policy is being developed. Which THREE steps are part of the policy development lifecycle? (Select THREE)

Select 3 answers
A. Drafting the policy based on input
B. Conducting penetration testing
C. Stakeholder consultation to gather input
D. Implementing the policy in firewalls
E. Gap analysis against existing policies and standards
Answers: A, C, E

Drafting is the core step in policy creation.

Why this answer

The lifecycle includes analysis, consultation, drafting, review, approval, training, and monitoring.

832
MCQ · hard

A multinational organization needs to comply with GDPR and CCPA. What is the best approach for the information security program?

A. Implement a unified privacy framework covering all regulations
B. Adopt the most restrictive requirements from any regulation
C. Outsource compliance to a third-party provider
D. Create separate security programs for each region
Answer: A

A unified framework ensures compliance while maintaining efficiency.

Why this answer

A unified privacy framework (e.g., ISO/IEC 27701 or NIST Privacy Framework) allows the organization to map overlapping requirements from GDPR and CCPA into a single set of controls, reducing duplication and ensuring consistent data protection across jurisdictions. This approach leverages common principles like data minimization, consent management, and breach notification, which are foundational to both regulations, while accommodating specific differences such as GDPR's 72-hour breach notification versus CCPA's broader definition of personal information.

Exam trap

The CISM exam often tests the misconception that 'most restrictive' is always best, but the trap here is that regulatory compliance requires a tailored, risk-based approach rather than a blanket adoption of the strictest rule, which can lead to inefficiency and non-compliance with specific regional obligations.

How to eliminate wrong answers

Option B is wrong because adopting the most restrictive requirements from any regulation (e.g., GDPR's stricter consent rules) may impose unnecessary operational overhead and cost without addressing unique CCPA obligations like the right to opt out of data sales, leading to compliance gaps. Option C is wrong because outsourcing compliance to a third-party provider transfers accountability but not liability; the organization remains legally responsible under both GDPR (Article 28) and CCPA (Section 1798.140) for data processing activities, and a third party cannot fully manage internal security program governance. Option D is wrong because creating separate security programs for each region introduces fragmentation, increasing complexity and risk of inconsistent data handling, which contradicts the principle of a unified information security program and may violate GDPR's requirement for a single Data Protection Officer (DPO) overseeing cross-border operations.

833
MCQ · hard

During a major cybersecurity incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the CEO as a member of the CMT?

A. Authorizing external communications and resource allocation
B. Updating the incident response playbook
C. Directing the technical containment efforts
D. Conducting forensic analysis of affected systems
Answer: A

The CEO makes high-level decisions about communications and resources.

Why this answer

The CEO provides strategic direction and approves major decisions, such as activating business continuity or communicating externally, while the CISO leads the technical response.

834
MCQ · hard

An organization's IDS logs show multiple outbound connections to an external IP address from a server that normally communicates only internally. The logs indicate the process is running under the SYSTEM account. Which of the following BEST describes the likely root cause?

A. A backdoor installed via a previous compromise
B. A misconfigured application
C. An authorized administrative activity
D. A privilege escalation exploit
Answer: A

Outbound connections from SYSTEM account are a classic indicator of a backdoor or remote access Trojan (RAT) placed after initial compromise.

Why this answer

The SYSTEM account is the highest-privileged local account on Windows, and outbound connections from a server that normally only communicates internally strongly indicate a backdoor. A backdoor installed via a previous compromise would allow an attacker to maintain persistent remote access, often running as SYSTEM to evade detection and control the server. This matches the observed behavior of unauthorized outbound traffic from a privileged process.

Exam trap

The CISM exam often tests the distinction between the immediate symptom (outbound connections) and the underlying root cause (a backdoor from a prior compromise), leading candidates to mistakenly choose privilege escalation (D) because they focus on the SYSTEM account rather than the established persistence.

How to eliminate wrong answers

Option B is wrong because a misconfigured application would typically run under a specific service account, not the SYSTEM account, and would likely exhibit consistent, predictable traffic patterns rather than suspicious outbound connections to an external IP. Option C is wrong because authorized administrative activity would be documented, use approved tools, and would not normally originate from the SYSTEM account for outbound connections; administrators typically use their own accounts or run commands with elevated privileges temporarily. Option D is wrong because a privilege escalation exploit would elevate a process from a lower-privileged account to SYSTEM, but the logs already show the process running under SYSTEM, indicating the compromise occurred earlier and the backdoor is now active; privilege escalation is a step in the attack chain, not the root cause of the outbound connections.

835
MCQ · medium

Which of the following best describes the role of a security architect in a security program?

A. Designs security controls and integrates them into IT systems
B. Performs penetration testing to identify vulnerabilities
C. Develops and delivers security awareness training
D. Monitors security alerts and responds to incidents
Answer: A

The security architect focuses on designing secure systems and architectures.

Why this answer

The security architect designs and oversees the implementation of security solutions and ensures they align with the overall architecture.

836
Multi-Select · hard

An organization is updating its information security strategy. Which THREE elements should be included to ensure alignment with business objectives? (Select THREE)

Select 3 answers
A. Risk appetite and tolerance levels defined by the board
B. Compliance requirements from applicable regulations
C. Daily monitoring schedule for security operations center
D. A detailed list of firewall ports to block
E. Multi-year roadmap with key milestones
Answers: A, B, E

Risk appetite guides security investments and priorities.

Why this answer

Strategy must be driven by business needs, risk appetite, and regulatory requirements.

837
MCQ · hard

During a major data breach investigation, legal counsel advises the incident response team to preserve attorney-client privilege over communications with external forensic investigators. Which of the following actions BEST supports this objective?

A. Have all communications with the forensic firm go through the CISO.
B. Avoid documenting any findings related to the breach until after litigation is resolved.
C. Ensure the forensic engagement letter includes a clause acknowledging attorney-client privilege.
D. Direct the forensic investigators to report to legal counsel and mark all deliverables as privileged.
Answer: D

This ensures the work is done under legal direction and protected by privilege.

Why this answer

Option D is correct because directing forensic investigators to report directly to legal counsel and marking all deliverables as privileged establishes a clear legal framework for attorney-client privilege. This ensures that communications and work product are protected from discovery in litigation, as they are created under the direction of legal counsel for the purpose of providing legal advice.

Exam trap

The CISM exam often tests the misconception that a contractual clause or routing through a senior executive (like the CISO) is sufficient to preserve privilege, when in fact the legal control and direction by counsel is the critical factor.

How to eliminate wrong answers

Option A is wrong because having all communications go through the CISO does not automatically create attorney-client privilege; the CISO is a technical role, not legal counsel, and such communications may be deemed business communications rather than privileged legal advice. Option B is wrong because avoiding documentation of findings violates standard incident response best practices and may lead to spoliation of evidence, which can result in legal sanctions; privilege does not require destruction of evidence. Option C is wrong because a clause in the engagement letter acknowledging privilege is insufficient; privilege is determined by the actual control and purpose of the work, not merely a contractual statement, and without legal counsel directing the work, the clause may be disregarded by a court.

838
Multi-Select · medium

Which TWO of the following are components of an incident response programme?

Select 2 answers
A. Incident response plan
B. Vendor contracts
C. Risk assessment
D. Business impact analysis (BIA)
E. Incident response policy
Answers: A, E

The plan outlines strategy and procedures.

Why this answer

IR policy and IR plan are core components; vendor contacts are part of the plan, and BIA is not a direct IR component.

839
MCQ · easy

Which of the following best describes the difference between risk appetite and risk tolerance?

A. Risk appetite is the maximum risk tolerance
B. Risk tolerance is the total risk, and risk appetite is the residual risk
C. Risk appetite is the amount of risk an organization is willing to accept, while risk tolerance is the acceptable variation around that appetite for specific objectives
D. Risk appetite is qualitative, and risk tolerance is quantitative
Answer: C

This is the standard definition.

Why this answer

Option C correctly distinguishes risk appetite as the broad, strategic level of risk an organization is willing to accept in pursuit of its objectives, while risk tolerance is the specific, measurable deviation allowed from that appetite for individual objectives or risks. This aligns with the ISACA CISM Review Manual, which defines risk appetite as the 'amount of risk an entity is willing to accept in pursuit of its mission' and risk tolerance as the 'acceptable level of variation relative to the achievement of objectives.' Understanding this distinction is critical for establishing proper risk management thresholds and ensuring that security controls are aligned with business goals.

Exam trap

The trap here is that candidates confuse risk appetite with risk tolerance by assuming they are synonyms or that one is a subset of the other in a purely quantitative sense, when in fact appetite is the strategic boundary and tolerance is the tactical wiggle room within that boundary for specific objectives.

How to eliminate wrong answers

Option A is wrong because risk appetite is not the maximum risk tolerance; rather, risk appetite sets the overall boundary, and risk tolerance defines the acceptable variance within that boundary for specific objectives. Option B is wrong because risk tolerance is not the total risk, nor is risk appetite the residual risk; residual risk is the risk remaining after controls are applied, which is a separate concept from both appetite and tolerance. Option D is wrong because both risk appetite and risk tolerance can be expressed in qualitative or quantitative terms; the distinction is not based on measurement type but on scope and specificity.

840
Multi-Select · medium

A CISO is developing a security strategy. Which THREE elements should be included in a multi-year security roadmap?

Select 3 answers
A. Milestones for achieving target capability maturity levels
B. Current vulnerability scan results
C. Detailed network architecture diagrams
D. Resource allocation for each initiative
E. Alignment with business strategic goals
Answers: A, D, E

Milestones help track progress and ensure the roadmap is actionable.

Why this answer

A roadmap should include milestones, resource allocation, and alignment with business objectives to guide implementation over time.

841
MCQ · medium

An incident has been declared as P2 (high severity). According to the incident classification, what is the expected response timeframe and notification requirement?

A. Scheduled remediation with minimal notification.
B. Management notification and response during business hours.
C. Standard response with no specific notification.
D. Executive notification and 24/7 response.
Answer: B

P2 is high severity with significant impact.

Why this answer

P2 incidents require management notification and response during business hours.

842
MCQ · easy

What is the recommended timeframe for holding a lessons learned meeting after an incident has been resolved?

A. Within 2 weeks
B. Within 1 month
C. Within 3 months
D. Within 24 hours
Answer: A

Two weeks balances freshness with time to prepare.

Why this answer

Conducting the meeting within two weeks ensures details are fresh and improvements can be implemented quickly.

843
MCQ · medium

A security awareness program includes phishing simulations. After six months, the click rate has decreased from 15% to 8%, but the number of reported phishing emails has also dropped. The CISO wants to measure the effectiveness of the program. Which metric would best indicate sustained improvement in security behavior?

A. Pass rate on post-training knowledge assessments
B. Number of security incidents caused by phishing
C. Number of employees who completed training
D. Phishing click rate trend over the last 12 months
Answer: D

A sustained downward trend in click rate indicates improved recognition and behavior.

Why this answer

A sustained low click rate over time, with increasing or stable reporting rates, is a leading indicator of improved security awareness. A decreasing click rate alone may be confounded by other factors, but combined with reporting trends it shows behavioral change.

844
MCQ · hard

During a data breach investigation, legal counsel instructs the forensics team to preserve evidence under attorney-client privilege. Which of the following actions is most critical to maintain that privilege?

A. Use a separate, isolated network for forensic analysis
B. Limit distribution of forensic reports to individuals with a need-to-know and under legal direction
C. Encrypt all forensic images with a strong algorithm
D. Destroy all preliminary notes after the final report is issued
Answer: B

Controlling access and keeping communications within the legal team helps protect privilege.

Why this answer

To preserve attorney-client privilege, communications and work product must be kept confidential and not shared with third parties unless protected by common interest or waiver.

845
MCQ · hard

A technology startup has grown rapidly and its risk management practices are informal. The CEO has a very high risk appetite and frequently overrides risk management recommendations to accelerate product launches. After a serious data breach involving customer payment information, the board of directors demands a formal risk management program. The risk manager is tasked with changing the risk culture. The startup has limited resources but must meet contractual obligations to protect customer data. What is the most effective first step?

A. Develop and communicate a revised risk appetite statement approved by the board
B. Outsource all information security operations to a managed service provider
C. Immediately deploy a suite of technical security controls
D. Recommend the termination of the CEO for previous risk decisions
Answer: A

This aligns the organization's risk tolerance and guides behavior.

Why this answer

Option A is correct because developing and communicating a revised risk appetite statement aligned with the board's risk tolerance sets the foundation for a risk-aware culture. It provides clear guidance for decision-making. Option C is insufficient without a cultural shift; technical controls may be undermined.

Option D is drastic and not directly a risk management action. Option B transfers responsibility but does not change internal culture or ensure compliance.

846
Multi-Select · medium

A financial services company is updating its risk treatment plan for a high-risk legacy system that processes customer data. The risk owner has recommended acceptance of the risk. Which TWO conditions must be met for the risk acceptance to be valid according to ISACA CISM (Certified Information Security Manager) best practices?

Select 2 answers
A. The risk acceptance must be formally documented and signed off by the risk owner.
B. The risk acceptance must be subject to periodic review to ensure it remains acceptable.
C. The risk acceptance must include a detailed plan to reduce the risk level within one year.
D. The risk acceptance must be approved by the board of directors.
E. The risk owner must agree to implement compensating controls within a defined timeline.
Answers: A, B

Formal documentation and risk owner sign-off are key requirements for risk acceptance.

Why this answer

Risk acceptance requires formal documentation and approval by the risk owner (business owner). Periodic review is also necessary to ensure the risk remains acceptable. The board does not approve all accepted risks; only those exceeding certain thresholds.

Controls should be documented but are not required if risk is accepted.

847
MCQ · hard

A CISO is planning the security programme budget and wants to justify the investment to the CFO. The organization has a moderate risk appetite and an IT budget of $10 million. What is the most appropriate budget range for the security programme based on industry benchmarks?

A. $500,000 to $1,000,000
B. $1,500,000 to $2,000,000
C. $1,000,000 to $1,500,000
D. $200,000 to $500,000
Answer: C

This is 10-15%, the typical range for a mature programme.

Why this answer

For a mature security programme, industry benchmarks suggest 10-15% of IT budget. For a $10M IT budget, that is $1M to $1.5M. 0.2-0.5% of revenue is another benchmark but not directly applicable here without revenue data.

848
MCQ · hard

A security manager needs to justify an increase in the security budget. Which approach provides the strongest quantitative justification?

A. Comparing the budget to industry benchmarks
B. Presenting the number of vulnerabilities discovered
C. Showing the return on investment using avoided breach costs
D. Listing all pending compliance requirements
Answer: C

ROI based on avoided losses is a strong financial argument.

Why this answer

Quantifying the financial impact of risks avoided (e.g., using annualized loss expectancy) provides a compelling business case.

849
MCQ · hard

An information security manager is developing a security scorecard for the board. Which combination of metrics BEST provides a balanced view of security program effectiveness?

A. Number of security incidents and percentage of systems with critical patches applied within SLA
B. Percentage of employees who completed security awareness training and number of reported phishing emails
C. Number of security incidents and mean time to detect (MTTD)
D. Phishing click rate and percentage of systems with critical patches applied within SLA
Answer: A

Incident count is a lagging indicator; patch compliance is a leading indicator, so together they provide a balanced view.

Why this answer

Leading indicators (patch compliance) predict future performance, while lagging indicators (breach count) measure past outcomes. Both are needed for balance.

850
MCQ · medium

An organization has decided to adopt a risk-based approach to information security. What is the FIRST step the information security manager should take to implement this approach?

A. Identify and assess information assets and their associated threats and vulnerabilities.
B. Define the organization's risk appetite and risk tolerance levels.
C. Implement security controls based on industry best practices.
D. Select a risk management framework such as ISO 31000 or NIST RMF.
Answer: A

Risk identification and assessment form the foundation.

Why this answer

The first step in implementing a risk-based approach is to identify and assess information assets along with their associated threats and vulnerabilities. This foundational activity provides the necessary context for all subsequent risk management decisions, including defining risk appetite, selecting a framework, and implementing controls. Without a clear understanding of what assets exist and what risks they face, any further steps would be based on assumptions rather than evidence.

Exam trap

The trap here is that candidates often confuse the sequence of risk management activities, mistakenly believing that defining risk appetite or selecting a framework should come first, when in fact asset identification and risk assessment are the prerequisite steps that inform all other decisions.

How to eliminate wrong answers

Option B is wrong because defining risk appetite and risk tolerance levels requires prior knowledge of the assets and risks; without asset identification, risk appetite cannot be meaningfully set. Option C is wrong because implementing controls based on industry best practices without first understanding the specific risks can lead to misallocated resources and ineffective security, violating the core principle of a risk-based approach. Option D is wrong because selecting a risk management framework (e.g., ISO 31000 or NIST RMF) is a tactical decision that should follow the initial identification and assessment of assets and risks to ensure the framework is applied to the correct scope.

851
MCQ · hard

A mature security program allocates 12% of IT budget to security. Which combination of budget components is most balanced for a program seeking to improve detection and response capabilities?

A. Personnel 40%, Technology 30%, Services 20%, Training 10%
B. Personnel 20%, Technology 50%, Services 20%, Training 10%
C. Personnel 50%, Technology 20%, Services 20%, Training 10%
D. Personnel 30%, Technology 30%, Services 30%, Training 10%
Answer: A

This allocation prioritizes skilled staff and tools for detection/response.

Why this answer

For improving detection and response, investment in technology (SIEM, SOAR) and personnel (SOC analysts) is most critical, with services for assessments and training for skills.

852
MCQ · medium

An organization's security budget is 8% of the IT budget. Industry benchmarks suggest 10-15% for mature programs. Which of the following should the CISO do FIRST to justify an increase?

A. Reduce other IT expenses to free up funds
B. Present a cost-benefit analysis showing breach avoidance value
C. Request additional budget for emerging threats
D. Highlight the percentage gap compared to peers
Answer: B

ROI justification demonstrates business value.

Why this answer

Linking budget requests to specific risk reductions and potential breach costs provides a business case for investment.

853
MCQ · medium

An organization's incident response team has completed the initial response to a ransomware incident. During the post-incident review, they identify that the detection was delayed because security logs from different systems were not correlated. The team wants to improve detection capabilities. What should the team recommend as the primary improvement?

A. Hire additional security analysts to manually correlate logs
B. Increase the amount of logging on all systems
C. Implement a Security Information and Event Management (SIEM) system
D. Reduce log retention to lower storage costs
Answer: C

SIEM correlates logs from multiple sources to detect incidents in a timely manner.

Why this answer

A SIEM system is the primary improvement because it aggregates and correlates security logs from diverse sources in real time, enabling automated detection of patterns like ransomware propagation that manual or siloed logging cannot achieve. By normalizing log formats and applying correlation rules, a SIEM reduces detection latency and provides actionable alerts, directly addressing the identified gap in log correlation.

Exam trap

The trap here is that candidates may think increasing logging (Option B) is sufficient, but without correlation, more logs simply create more noise and do not improve detection speed or accuracy.

How to eliminate wrong answers

Option A is wrong because manually correlating logs is not scalable, introduces human latency, and is error-prone; it does not solve the core issue of delayed detection due to lack of automated correlation. Option B is wrong because increasing logging volume without correlation only amplifies the noise and storage burden, making it harder to detect incidents quickly. Option D is wrong because reducing log retention would delete historical data needed for forensic analysis and trend detection, worsening detection capabilities rather than improving them.

854
MCQ · easy

Which of the following best describes the primary purpose of an information security program?

A. To ensure 100% system availability
B. To eliminate all security risks
C. To manage security risks in alignment with business strategy
D. To achieve compliance with all applicable regulations
Answer: C

Program ensures security supports business objectives.

Why this answer

The primary purpose of an information security program is to manage security risks in alignment with business strategy, ensuring that security controls and investments support organizational objectives while balancing risk acceptance, mitigation, transfer, and avoidance. This aligns with the CISM framework, which emphasizes that security is a business enabler, not a technical silo. A program that fails to align with business strategy may over-prioritize technical controls, leading to wasted resources or misaligned risk tolerance levels.

Exam trap

The CISM exam often tests the misconception that compliance equals security, leading candidates to choose Option D, but the exam emphasizes that compliance is a baseline, not a comprehensive risk management strategy.

How to eliminate wrong answers

Option A is wrong because 100% system availability is an operational goal, not a security program objective; security programs focus on confidentiality, integrity, and availability (CIA triad) but recognize that 100% availability is neither feasible nor cost-effective, as it would require eliminating all planned maintenance and redundancy trade-offs. Option B is wrong because eliminating all security risks is impossible; the goal is to reduce risks to an acceptable level defined by the organization's risk appetite, as residual risk always remains. Option D is wrong because compliance is a subset of risk management, not the primary purpose; a security program must address risks beyond regulatory requirements, such as emerging threats or business-specific vulnerabilities not covered by regulations.

855
MCQ · hard

An organization is subject to GDPR, PCI DSS, and SOX. What is the BEST approach to manage compliance with multiple regulations?

A. Assign each regulation to a separate compliance team
B. Develop a control framework that maps to all regulations
C. Implement the most stringent requirements for all
D. Focus only on the regulation with the highest fines
Answer: B

A unified framework streamlines compliance and reduces overlap.

Why this answer

A unified compliance framework that maps common controls to multiple regulations reduces duplication and cost.

856
MCQ · hard

An organization's governance framework requires regular reporting to the board. Which reporting frequency and format is MOST effective for a board with limited security expertise?

A. Monthly dashboard of technical control effectiveness metrics
B. Quarterly report summarizing key risk indicators and business impact
C. Annual presentation of the overall security risk register
D. Weekly technical briefings on incidents and vulnerabilities
Answer: B

Balanced frequency and business context.

Why this answer

A quarterly report summarizing key risk indicators (KRIs) and business impact is most effective for a board with limited security expertise because it aligns with the board's strategic oversight role, focusing on risk exposure and business outcomes rather than technical details. This frequency balances timeliness with the board's typical meeting cadence, ensuring actionable insights without overwhelming non-technical members.

Exam trap

The trap here is that candidates confuse operational reporting (e.g., weekly technical briefings) with governance reporting, failing to recognize that the board's role is strategic oversight, not tactical management, and thus requires less frequent, business-focused summaries rather than detailed technical data.

How to eliminate wrong answers

Option A is wrong because a monthly dashboard of technical control effectiveness metrics, such as firewall rule hit counts or patch compliance percentages, provides granular operational data that is too detailed and frequent for a board lacking security expertise, leading to information overload and misalignment with strategic governance. Option C is wrong because an annual presentation of the overall security risk register is too infrequent for effective governance; risks can change rapidly, and the board needs more regular updates to make timely decisions on resource allocation and risk appetite adjustments. Option D is wrong because weekly technical briefings on incidents and vulnerabilities are operational in nature, requiring deep security knowledge to interpret, and the high frequency distracts the board from its strategic duties, such as approving policies and overseeing risk management.

857
MCQ · hard

A multinational corporation is expanding its cloud infrastructure across multiple regions. The risk team has identified that the shared responsibility model for cloud security is not well understood by business units. After a recent audit, several misconfigurations led to a data exposure incident that affected one region. The CISO wants to implement a risk management program that ensures consistent control across all regions. As the risk manager, what is the most effective course of action to reduce the risk of similar incidents?

A. Transfer the risk to cloud providers by renegotiating contracts to include liability clauses.
B. Develop and enforce cloud security baseline standards and conduct regular compliance audits.
C. Implement a cloud access security broker (CASB) to monitor all cloud activities centrally.
D. Accept the risk as inherent to cloud adoption and focus resources on incident response.
Answer: B

Standards and audits address the root cause by ensuring consistent understanding and adherence.

Why this answer

Developing and enforcing cloud security baseline standards and conducting regular compliance audits directly address the root cause of misconfigurations due to lack of understanding. A CASB provides monitoring but does not enforce standards. Transferring risk to cloud providers shifts liability but does not prevent misconfigurations. Acceptance with focus on incident response is reactive and does not reduce likelihood.

858
MCQ · medium

An organization wants to implement a defense-in-depth strategy for its web application. Which set of controls best exemplifies this approach?

A. Single sign-on and multi-factor authentication
B. Web application firewall (WAF), input validation, and security awareness training
C. Encryption at rest and in transit
D. Intrusion detection system and vulnerability scanner
Answer: B

WAF (network), input validation (application), and training (human layer) provide layered defense.

Why this answer

Defense-in-depth uses multiple layers: network, host, application, and monitoring controls.

859
MCQ · hard

During a risk assessment, an organization identifies a critical vulnerability in a legacy system that cannot be patched. The system's availability is crucial for business operations. Which of the following risk treatment strategies is MOST appropriate?

A. Risk mitigation by implementing compensating controls
B. Risk acceptance with formal sign-off by senior management
C. Risk transfer through cyber insurance
D. Risk avoidance by decommissioning the system
Answer: B

Why this answer

When a critical vulnerability cannot be patched and the system must remain available for business operations, risk acceptance is the most appropriate strategy because it formally acknowledges the residual risk after all feasible controls have been considered. Senior management sign-off is required because the risk exceeds the organization's risk appetite, and acceptance documents the decision to operate with the known vulnerability. This approach aligns with the CISM principle that risk acceptance is a valid treatment when the cost of other treatments exceeds the benefit or when no other treatment is feasible.

Exam trap

The trap here is that candidates often choose risk mitigation (compensating controls) because it seems proactive, but the question explicitly states the vulnerability 'cannot be patched' and the system is 'crucial for business operations,' making formal acceptance by senior management the required CISM answer when residual risk remains after all feasible controls.

Why the other options are wrong

A

Compensating controls are a form of mitigation and can still reduce risk even though the system cannot be patched. However, because the vulnerability itself cannot be fixed, mitigation may not be fully effective, so acceptance is the best answer when no controls are cost-effective.

C

Insurance transfers financial risk but not operational risk; the vulnerability remains.

D

Decommissioning would avoid risk but is not acceptable because the system is critical.

860
MCQ · easy

A small business owner wants to establish an information security program but has limited budget and staff. Which of the following frameworks would be most appropriate to guide the program?

A. ISO/IEC 27001
B. NIST Cybersecurity Framework
C. COBIT 2019
D. PCI DSS
Answer: B

Flexible and adaptable, with tiers for maturity.

Why this answer

The NIST Cybersecurity Framework (CSF) is the most appropriate choice because it is designed to be flexible and scalable, allowing small businesses with limited budget and staff to implement a risk-based information security program using a prioritized, outcome-driven approach. Unlike ISO/IEC 27001, which requires formal certification and extensive documentation, or COBIT 2019, which is geared toward enterprise IT governance, the NIST CSF provides a customizable set of core functions (Identify, Protect, Detect, Respond, Recover) that can be adopted incrementally without heavy resource investment.

Exam trap

The trap here is that candidates often choose ISO/IEC 27001 because it is the most well-known security standard, but they overlook its heavy documentation and certification requirements, which are impractical for a small business with limited budget and staff.

How to eliminate wrong answers

Option A is wrong because ISO/IEC 27001 is a formal management system standard that demands comprehensive documentation, internal audits, and certification processes, which are typically too resource-intensive for a small business with limited budget and staff. Option C is wrong because COBIT 2019 is a governance framework focused on aligning IT with business objectives and managing enterprise IT processes, not a lightweight security program guide suitable for a small business. Option D is wrong because PCI DSS is a specific compliance standard for organizations that handle credit card data, not a general information security framework, and it imposes rigid requirements that may not align with the business's broader security needs.

861
MCQ · medium

An organization has experienced a P2 incident. According to standard incident severity definitions, which response timeframe is typically expected?

A. Scheduled remediation at the next maintenance window
B. Response during business hours
C. Response within 72 hours
D. 24/7 response until resolved
Answer: B

P2 incidents are handled during normal business hours.

Why this answer

P2 (high) incidents require a response during business hours, as they have significant but not critical impact.

862
Multi-Select · medium

An organization experiences a data breach involving personal information. Which TWO actions should be taken as part of incident response? (Choose two.)

Select 2 answers
A. Immediately issue a press release without consulting legal.
B. Notify the relevant data protection authority within the required timeframe.
C. Ignore the incident if no customers have complained.
D. Conduct a post-incident review to identify lessons learned.
E. Delete all system logs to prevent further exposure.
Answers: B, D

Option B is correct as it is required by regulations.

Why this answer

Option B is correct because data breach notification laws (e.g., GDPR Article 33, CCPA) require organizations to notify the relevant data protection authority within a specified timeframe (e.g., 72 hours under GDPR) once the breach is confirmed. This is a mandatory legal obligation in incident response to avoid penalties and demonstrate regulatory compliance.

Exam trap

Cisco often tests the misconception that immediate public disclosure or log deletion is acceptable, but the trap here is confusing 'transparency' with 'legal notification' and 'evidence preservation' with 'security through obscurity'.

863
MCQ · medium

When selecting security controls based on NIST SP 800-53, which control family is MOST directly related to protecting the confidentiality of data?

A. Identification and Authentication (IA)
B. System and Communications Protection (SC)
C. Audit and Accountability (AU)
D. Access Control (AC)
Answer: D

Access control enforces permissions, protecting confidentiality.

Why this answer

Access control (AC) family includes controls that restrict access to data, directly protecting confidentiality.

864
MCQ · hard

During an incident investigation, the team discovers that an attacker used a valid user's credentials to access a sensitive database. The user's account had multi-factor authentication (MFA) enabled. How is this MOST likely possible?

A. MFA was not properly configured
B. The attacker guessed the MFA token
C. The user approved a fraudulent MFA prompt
D. The attacker used a man-in-the-middle attack
Answer: C

Attackers can bombard users with MFA requests until they approve one.

Why this answer

MFA fatigue attacks involve repeatedly sending push notifications until the user approves one. Option A is less likely; Option B (guessing the token) would not bypass MFA; Option D is not direct.

865
MCQ · easy

An information security manager is designing a risk dashboard for the board of directors. Which of the following key risk indicators (KRIs) would be MOST effective for monitoring changes in the organization's security posture related to third-party risk?

A. Average time to patch critical vulnerabilities in internal systems.
B. Number of third-party vendors with critical or high-risk security findings.
C. Number of successful phishing attacks against employees.
D. Percentage of vendors that have undergone security assessment in the last 12 months.
Answer: B

This is a leading KRI as it measures the current risk level from vendors, which can predict potential incidents.

Why this answer

KRIs should be leading indicators that predict risk changes. The number of third-party vendors with critical security findings is a direct measure of third-party risk and can indicate a rising risk trend before an incident occurs.

866
MCQ · medium

A risk manager is evaluating a control that reduces the likelihood of a threat from high to low. The cost of the control is $100,000 annually. The expected loss without the control is $500,000 per year. Which of the following should the risk manager recommend?

A. Avoid the risk by discontinuing the process
B. Transfer the risk through insurance
C. Implement the control
D. Accept the risk
Answer: C

Net benefit: $400,000 loss reduction minus $100,000 cost = $300,000 savings.

Why this answer

The control reduces the annualized loss expectancy (ALE) from $500,000 to a much lower value (since likelihood drops from high to low). The annual cost of the control is $100,000, which is significantly less than the $500,000 expected loss without it. Implementing the control provides a positive return on investment (ROI) and is the most cost-effective risk mitigation strategy.

Exam trap

The trap here is that candidates may incorrectly assume that any control costing $100,000 is too expensive, failing to perform a proper cost-benefit comparison against the $500,000 expected loss, or they may confuse risk reduction with risk transfer or avoidance without evaluating financial justification.

How to eliminate wrong answers

Option A is wrong because avoiding the risk by discontinuing the process would eliminate the business benefit entirely, which is an extreme measure not justified when a cost-effective control exists. Option B is wrong because transferring the risk through insurance would still involve paying premiums (likely exceeding $100,000 annually) and does not reduce the likelihood of the threat; it only shifts financial impact. Option D is wrong because accepting the risk would mean tolerating an expected annual loss of $500,000, which is far greater than the $100,000 cost of the control, making it financially imprudent.

867
MCQ · medium

Which control family from NIST SP 800-53 is MOST directly associated with ensuring that users have appropriate access rights?

A. System and Communications Protection (SC)
B. Identification and Authentication (IA)
C. Personnel Security (PS)
D. Access Control (AC)
Answer: D

AC covers policies and procedures for assigning and managing access.

Why this answer

The Access Control (AC) family specifically addresses user access management.

868
MCQ · hard

A financial institution's security program must comply with PCI DSS, GDPR, and SOX. Which approach is MOST efficient to manage overlapping compliance requirements?

A. Develop three separate control sets for each regulation
B. Focus only on the requirements of the strictest regulation
C. Implement a single control set mapped to all applicable regulations
D. Engage external auditors to manage compliance for each regulation
Answer: C

A unified control framework eliminates redundancy and streamlines compliance.

Why this answer

Option C is correct because implementing a single control set mapped to all applicable regulations (PCI DSS, GDPR, SOX) leverages common controls to satisfy overlapping requirements efficiently. This approach reduces duplication of effort, simplifies audit preparation, and ensures consistent security posture across the organization. For example, access control requirements under PCI DSS 7.1, GDPR Article 32, and SOX Section 404 can be addressed by a unified identity and access management (IAM) policy with role-based access controls (RBAC) and logging.

Exam trap

The trap here is that candidates may think focusing on the strictest regulation (Option B) is efficient, but they overlook that each regulation has unique non-overlapping requirements (e.g., GDPR's breach notification timeline vs. PCI DSS's quarterly scans) that must be addressed separately.

How to eliminate wrong answers

Option A is wrong because developing three separate control sets for each regulation leads to redundant work, increased complexity, and potential conflicts between controls, wasting resources without improving security. Option B is wrong because focusing only on the strictest regulation (e.g., PCI DSS) may miss unique requirements from other regulations (e.g., GDPR's data subject rights or SOX's financial reporting controls), causing non-compliance. Option D is wrong because engaging external auditors to manage compliance for each regulation does not address the underlying need for an efficient internal control framework; it outsources responsibility without resolving overlapping requirements and can be cost-prohibitive.

869
MCQ · medium

Which capability maturity model (CMM) level is characterized by security processes being standardized and documented across the organization?

A. Level 4 - Managed
B. Level 1 - Initial
C. Level 3 - Defined
D. Level 2 - Repeatable
Answer: C

Level 3 processes are standardized and documented organization-wide.

Why this answer

CMM Level 3 (Defined) involves standardized, documented processes.

870
MCQ · hard

A company has implemented a security awareness program with quarterly phishing simulations. The click rate has remained at 15% for the past two quarters. What is the most effective next step?

A. Increase the frequency of simulations to monthly
B. Implement mandatory remediation training for users who click
C. Discontinue simulations as they are not effective
D. Reduce the difficulty of simulations to lower the click rate
Answer: B

Targeted training addresses behavior and reinforces learning.

Why this answer

Since the click rate is stagnating, the program needs to be adjusted. Remediation training targeted at those who click, combined with increased simulation complexity, can drive improvement.

871
MCQ · medium

A company experiences ransomware that encrypts critical servers. Backups are available but were taken 2 weeks ago. What is the best course?

A. Restore from backups immediately
B. Restore from backups after verifying no residual malware and performing security scans
C. Rebuild servers from scratch
D. Pay the ransom
Answer: B

Correct: Ensures a clean environment before restoration.

Why this answer

Restore from backups after verifying no residual malware and performing security scans to ensure clean restoration.

872
MCQ · hard

An organization has implemented a data classification policy but notices that employees often mark documents as 'internal use only' even when they contain personally identifiable information (PII). Which of the following is the most effective corrective action for the information security program?

A. Revise the data classification policy to simplify categories.
B. Conduct random audits and reprimand employees who misclassify data.
C. Increase the frequency of data classification training for all employees.
D. Deploy a data loss prevention (DLP) system that automatically classifies documents based on content inspection.
Answer: D

Automates classification, reducing user error and ensuring consistent labeling.

Why this answer

The correct answer is D because automating classification based on content reduces reliance on user discretion. Option C (more training) may help but is not as effective as automation. Option B (auditing and reprimanding) is punitive and may not address the root cause. Option A (policy revision) alone does not enforce compliance.

873
Multi-Select · medium

Which TWO are common challenges in incident management?

Select 2 answers
A. Inadequate communication between teams
B. Lack of executive support
C. Too many technical staff
D. Over-reliance on automation
E. Excessive documentation
Answers: A, B

Correct: Poor communication leads to delays and errors.

Why this answer

Inadequate communication between teams is a common challenge in incident management because it leads to misaligned response efforts, delayed escalation, and incomplete information sharing. Without structured communication channels (e.g., defined IRT roles, bridge lines, or incident command systems), critical indicators like IoCs or containment steps may be missed, prolonging the incident lifecycle.

Exam trap

Cisco often tests the misconception that operational issues like 'too many staff' or 'excessive documentation' are primary challenges, when in fact the core problems are communication breakdowns and lack of executive sponsorship.

874
MCQ · medium

Which of the following metrics would be MOST useful for measuring the effectiveness of a phishing simulation program?

A. Percentage of employees who failed the simulation
B. Phishing click rate over time
C. Time taken to complete the simulation
D. Number of phishing emails reported
Answer: B

Trend analysis shows improvement or decline in user awareness.

Why this answer

Trending click rates over time show whether user behavior is improving, directly measuring program effectiveness.

875
MCQ · hard

An organization has a distributed incident response team across multiple time zones. During a critical incident, communication delays occur due to different work hours. Which strategy BEST improves coordination and response time?

A. Require all team members to work overlapping shifts
B. Implement a follow-the-sun incident response model
C. Designate a single incident commander for the entire response
D. Outsource incident response to a managed security service provider
Answer: B

Follow-the-sun ensures continuous coverage by handing off between regions.

Why this answer

The follow-the-sun model aligns incident response handoffs with time zone shifts, ensuring continuous coverage without requiring all team members to work overlapping shifts. This reduces communication delays by transferring active incident ownership to the next available region, maintaining momentum and minimizing response time during critical incidents.

Exam trap

Cisco often tests the misconception that a single incident commander can manage a global incident effectively, but the trap here is that candidates overlook the operational reality of time zone gaps and choose centralized command over a distributed handoff model.

How to eliminate wrong answers

Option A is wrong because requiring overlapping shifts does not eliminate handoff delays and can lead to fatigue or reduced coverage during off-hours, failing to address the root cause of time zone gaps. Option C is wrong because a single incident commander cannot be available 24/7 across multiple time zones, creating a bottleneck and increasing delays when the commander is off-duty. Option D is wrong because outsourcing to an MSSP introduces external coordination overhead, potential loss of organizational context, and contractual delays, which do not inherently resolve internal time zone communication issues.

876
MCQ · hard

During a review of the information security program, the security manager discovers that the program's objectives are not aligned with the organization's strategic business goals. What is the best course of action?

A. Justify the existing objectives to management to demonstrate their value.
B. Revise the program objectives to align with business goals.
C. Implement additional security controls to compensate for the misalignment.
D. Escalate the issue to the board of directors without changes.
Answer: B

Why this answer

The CISM framework emphasizes that an information security program must be directly aligned with the organization's strategic business goals to ensure that security investments support business objectives rather than hinder them. Revising the program objectives to align with business goals (Option B) is the correct course of action because it ensures that security controls, risk appetite, and resource allocation are driven by business needs, not isolated technical requirements. This alignment is a core principle of the Information Security Program domain, as misalignment can lead to wasted resources, reduced executive support, and increased business risk.

Exam trap

ISACA often tests the misconception that adding more controls or escalating issues can substitute for strategic alignment, but the CISM exam specifically requires candidates to recognize that program objectives must be revised to match business goals before any other action is taken.

Why the other options are wrong

A

This does not address the misalignment; the objectives should be revised to match business goals.

C

Adding controls does not fix the strategic misalignment.

D

Escalation is not the first step; the manager should propose a solution.

877
MCQ · medium

Refer to the exhibit. An analyst sees this alert on the network. What is the most appropriate immediate action?

A. Ignore the alert as it is likely a false positive
B. Investigate the source endpoint for compromise
C. Block the source IP 10.0.1.50
D. Block the destination IP 203.0.113.5
Answer: B

Correct: The internal system is likely compromised and needs examination.

Why this answer

The alert indicates a potential command-and-control (C2) communication, likely involving a beaconing pattern to an external IP. Investigating the source endpoint for compromise is the most appropriate immediate action because it allows the incident responder to determine if the host is actively compromised, collect forensic evidence, and contain the threat before it escalates. Blocking IPs prematurely could destroy evidence or alert the attacker, while ignoring the alert risks missing a confirmed breach.

Exam trap

The trap here is that candidates often choose to block the destination IP (Option D) thinking it stops the attack, but CISM emphasizes that the immediate priority is to investigate and contain the compromised host, not just disrupt the network-level indicator.

How to eliminate wrong answers

Option A is wrong because ignoring the alert assumes it is a false positive without verification, which violates the CISM principle of validating alerts before dismissal; beaconing traffic to an external IP is a classic indicator of compromise that warrants investigation. Option C is wrong because blocking the source IP 10.0.1.50 may disrupt legitimate traffic and could alert the attacker, but more importantly, it does not address the root cause—the endpoint may still be compromised and could communicate via alternate IPs or protocols. Option D is wrong because blocking the destination IP 203.0.113.5 might stop the current C2 channel, but it does not remediate the compromised host, and the attacker could pivot to another C2 server; immediate containment should focus on the endpoint.

878
MCQ · hard

A multinational financial institution uses a third-party Managed Security Service Provider (MSSP) for 24/7 monitoring of its security infrastructure. During a targeted attack, the MSSP’s analysts detected anomalous activity on a critical server at 2:00 AM. However, due to the service level agreement (SLA) which allows up to 12 hours for notification of lower-priority incidents, the MSSP classified the incident as medium severity and did not notify the internal incident response team until 2:00 PM. By then, the attacker had exfiltrated sensitive customer data. The internal team is conducting a post-incident review. What is the PRIMARY issue that led to the delay?

A. The MSSP analysts lacked technical skills to recognize the incident's true severity
B. The incident severity was incorrectly classified as medium
C. The internal incident response team was not available until 2:00 PM
D. The SLA for notification of medium-severity incidents was too long
Answer: D

The SLA allowed a 12-hour delay which was exploited by the attacker.

Why this answer

The SLA had a notification window that was too long for this type of incident. The classification as medium severity might have been appropriate, but the SLA aggravated the delay. The team's availability and the MSSP's technical skills are secondary or not the root cause.

879
Multi-Select · easy

Which THREE are components of the Plan phase in a security program lifecycle (e.g., ISO 27001 PDCA)?

Select 3 answers
A. Risk assessment
B. Strategy alignment with business objectives
C. Monitoring and review
D. Implementation of controls
E. Policy development
Answers: A, B, E

Risk assessment is foundational to planning.

Why this answer

Risk assessment is a core component of the Plan phase in the ISO 27001 PDCA (Plan-Do-Check-Act) security program lifecycle. During this phase, the organization identifies, analyzes, and evaluates information security risks to establish the context, scope, and risk treatment criteria that will guide the selection of controls and objectives. Without a formal risk assessment, the subsequent phases lack a risk-based foundation, making the program reactive rather than proactive.

Exam trap

The trap here is that candidates often confuse the Plan phase with the Do phase, incorrectly selecting 'Implementation of controls' (Option D) because they assume planning includes deploying controls, whereas in the PDCA model, implementation is strictly a Do-phase activity.

880
Multi-Select · medium

Which TWO of the following are appropriate criteria for escalating an incident to the crisis management team (CMT)? (Select TWO.)

Select 2 answers
A. The incident could cause severe reputational damage
B. The incident involves a new type of malware not seen before
C. The incident originated from a third-party supplier
D. The incident has potential for major financial loss or regulatory penalties
E. The incident requires coordination with multiple external vendors
Answers: A, D

Reputational risk at a high level requires executive involvement.

Why this answer

Potential for major financial loss or regulatory penalties and severe reputational damage are key triggers for CMT activation. Technical complexity alone is not sufficient.

881
Multi-Select · hard

An organization is designing a policy exception management process. Which THREE elements are critical for this process to be effective?

Select 3 answers
A. Approval by the CISO or designated authority
B. Automatic approval if no response within 24 hours
C. Formal documentation of the exception request
D. Ability for any employee to request an exception
E. An expiration date for the exception
Answers: A, C, E

Ensures consistent decision-making and oversight.

Why this answer

Effective exception management requires formal documentation, time limits, and review by appropriate authority to prevent misuse.

882
Multi-Select · medium

An organization is updating its incident response plan. Which TWO components should be included to ensure effective evidence handling? (Select TWO.)

Select 2 answers
A. A template for incident notifications
B. Evidence handling procedures
C. Contact information for law enforcement
D. A list of acceptable forensic tools
E. Chain of custody forms
Answers: B, E

Procedures define how evidence is collected and preserved.

Why this answer

Evidence handling procedures and chain of custody documentation are essential for preserving evidence integrity.

883
MCQ · medium

An organization's incident response team is conducting a lessons learned meeting after a major incident. Which outcome is MOST critical to document?

A. Root cause analysis
B. Detailed timeline of events
C. List of tools used
D. Total cost of the incident
Answer: A

Root cause identifies underlying issues to prevent recurrence.

Why this answer

The root cause analysis is the most critical outcome to document because it identifies the underlying technical failure that allowed the incident to occur, enabling the organization to implement permanent corrective actions. Without a documented root cause, the incident response process cannot transition from containment to prevention, and the organization risks repeating the same failure. In CISM's Incident Management domain, the lessons learned phase specifically aims to improve future response capability by addressing systemic weaknesses, which requires a clear understanding of why the incident happened.

Exam trap

The trap here is that candidates often confuse the 'lessons learned' meeting with a post-incident debrief focused on operational details, leading them to select the timeline or cost as the most critical outcome, when CISM specifically emphasizes the root cause as the key driver for process improvement and risk reduction.

How to eliminate wrong answers

Option B is wrong because a detailed timeline of events, while useful for reconstruction and legal purposes, is a supporting artifact rather than the primary outcome; it does not by itself drive process improvement or prevent recurrence. Option C is wrong because a list of tools used is operational metadata that may be helpful for inventory or procurement but does not address the root cause or corrective actions required by the lessons learned process. Option D is wrong because the total cost of the incident is a financial metric important for reporting and insurance, but it does not contribute to identifying the technical or procedural gaps that need remediation to prevent future incidents.

884
MCQ (hard)

An organization's third-party risk management program has been in place for two years. Which of the following is the MOST critical action to ensure the program remains effective?

A. Conducting a one-time risk assessment before contract signing
B. Performing annual reassessments for all vendors
C. Maintaining a list of all vendors and their criticality
D. Implementing continuous monitoring of high-risk vendors
Answer: D

Continuous monitoring detects changes promptly, reducing risk exposure.

Why this answer

Continuous monitoring of high-risk vendors is the most critical action because it provides real-time or near-real-time visibility into security posture changes, such as new vulnerabilities, configuration drifts, or breach indicators, which static annual assessments cannot catch. This aligns with the NIST SP 800-137 framework for continuous monitoring and is essential for adapting to evolving threats in a third-party ecosystem.

Exam trap

The trap here is that candidates confuse 'maintaining a list' (a static, necessary but insufficient step) with the active, risk-driven monitoring required to keep the program effective over time.

How to eliminate wrong answers

Option A is wrong because a one-time risk assessment before contract signing is a point-in-time snapshot that fails to account for changes in the vendor's security posture, threat landscape, or regulatory requirements over the two-year program lifespan. Option B is wrong because performing annual reassessments for all vendors is resource-intensive and inefficient; it treats low-risk vendors the same as high-risk ones, missing the need for risk-based prioritization and more frequent checks on critical vendors. Option C is wrong because maintaining a list of all vendors and their criticality is a foundational inventory task, but it is a passive administrative activity that does not actively monitor or verify the ongoing effectiveness of security controls.

885
MCQ (hard)

A financial institution is hit by a Distributed Denial of Service (DDoS) attack that is overwhelming their internet-facing services. The incident response team activates the plan, but the attack continues to escalate. The CEO is under pressure and asks the incident response manager whether they should pay the ransom demand (the attackers also sent an extortion note demanding payment to stop the attack). The manager must advise the CEO on the best course of action.

A. Engage a DDoS scrubbing service to filter malicious traffic
B. Implement rate limiting on the firewall
C. Shut down all external-facing services
D. Pay the ransom to stop the attack immediately
Answer: A

Scrubbing services can absorb and filter attack traffic while allowing legitimate traffic.

Why this answer

Using DDoS scrubbing services (cloud-based or on-premise) is the recommended technical defense. Paying the ransom encourages future attacks and does not guarantee the attack will stop. Rate limiting may affect legitimate traffic. Shutting down external access is too drastic and impacts business.

886
MCQ (easy)

Which of the following is the PRIMARY goal of incident containment?

A. To gather evidence for prosecution.
B. To recover systems to normal operation.
C. To identify the root cause.
D. To prevent further damage and limit the scope of the incident.
Answer: D

Core objective of containment.

Why this answer

The primary goal of incident containment is to stop the incident from spreading and to limit the scope of damage. This is the immediate priority because, without containment, the attacker may continue to compromise additional systems, exfiltrate data, or escalate privileges. Options A, B, and C are important subsequent steps but are secondary to the urgent need to halt the incident's progression.

Exam trap

Cisco often tests the distinction between containment and later phases like eradication or recovery, trapping candidates who confuse the immediate goal of stopping damage with the downstream goal of restoring operations.

How to eliminate wrong answers

Option A is wrong because gathering evidence for prosecution is a goal of forensic investigation, not the primary goal of containment; containment may even involve actions that alter evidence, so evidence collection is typically deferred. Option B is wrong because recovering systems to normal operation is the goal of the eradication and recovery phase, which occurs after containment has been successfully achieved. Option C is wrong because identifying the root cause is the goal of analysis and investigation, which is performed after containment to understand how the incident occurred and prevent recurrence.

887
MCQ (medium)

An organization wants to measure the effectiveness of its security awareness programme. Which metric is a leading indicator of improved security culture?

A. Number of security incidents attributed to human error
B. Number of phishing emails reported by employees
C. Percentage of employees who completed annual training
D. Average score on knowledge assessment tests
Answer: B

Increased reporting indicates better recognition and engagement.

Why this answer

An increase in the number of phishing emails reported by employees indicates that they are actively recognizing and reporting suspicious activity, which is a leading indicator of improved security awareness and culture.

888
MCQ (easy)

In the context of incident severity classification, which of the following best describes a P3 (medium) incident?

A. Significant impact requiring management notification and business hours response
B. Minimal impact with scheduled remediation
C. Critical business impact requiring 24/7 response and executive notification
D. Limited impact with standard response and no immediate escalation
Answer: D

This is the correct definition for P3.

Why this answer

A P3 (medium) incident is defined as having limited impact on business operations, allowing for a standard response during normal business hours without requiring immediate escalation. This classification typically applies to incidents that do not affect critical systems or sensitive data, and can be resolved through normal change management processes without urgent intervention.

Exam trap

The trap here is that candidates confuse 'limited impact' with 'minimal impact' — P3 requires a standard response during business hours, while P4 allows scheduled remediation, and mixing these up leads to selecting Option B.

How to eliminate wrong answers

Option A is wrong because a P3 incident does not require management notification or a business-hours response; that description aligns with a P2 (high) incident where impact is significant but not critical. Option B is wrong because 'minimal impact with scheduled remediation' describes a P4 (low) incident, which has negligible business effect and can be deferred to a maintenance window. Option C is wrong because 'critical business impact requiring 24/7 response and executive notification' defines a P1 (critical) incident, which demands immediate escalation and round-the-clock remediation.

889
MCQ (medium)

After a security incident, the board holds the CISO accountable. The CISO argues that the incident was caused by a failure in the third-party risk management process. Which of the following governance deficiencies is most likely the root cause?

A. There was no board-approved policy for assessing and monitoring third-party risk.
B. The third-party contract did not specify security requirements.
C. The organization did not implement technical controls to monitor third-party access.
D. The incident response plan did not cover third-party related incidents.
Answer: A

Governance requires board-level policies to define expectations and oversight.

Why this answer

The board holds the CISO accountable because governance ultimately flows from the board's approval of policies. Without a board-approved third-party risk management policy, there is no authoritative mandate to enforce security requirements, conduct assessments, or monitor vendors. This governance gap means the organization lacks the foundational directive that drives all downstream processes, making it the most likely root cause of the incident.

Exam trap

Cisco often tests the distinction between governance (board-level policy) and management (operational implementation), so candidates mistakenly pick a visible operational failure (like a missing contract clause or technical control) instead of recognizing that the root cause is the absence of a board-approved policy that would have mandated those controls.

How to eliminate wrong answers

Option B is wrong because a contract without security requirements is an operational or procurement failure, not a governance deficiency; governance is about policy and oversight, not contractual language. Option C is wrong because failing to implement technical controls is an operational or implementation issue, not a governance deficiency; governance sets the framework for such controls, but their absence is a management failure. Option D is wrong because an incident response plan that omits third-party scenarios is a planning or operational gap, not a governance deficiency; governance ensures policies exist, not that every specific scenario is covered in a plan.

890
MCQ (medium)

An organization has a policy to share indicators of compromise (IoCs) with an Information Sharing and Analysis Center (ISAC). This activity is most closely associated with which phase of incident management?

A. Preparation
B. Post-incident activity
C. Containment, eradication, and recovery
D. Detection and analysis
Answer: B

Post-incident includes lessons learned and threat intelligence sharing with ISACs.

Why this answer

Sharing IoCs with ISACs is a post-incident activity aimed at improving collective defense and preventing future incidents.

891
MCQ (easy)

An information security manager is asked to report on the effectiveness of the security program. Which metric would BEST indicate governance effectiveness?

A. Percentage of security initiatives directly linked to business strategy
B. Number of critical vulnerabilities identified
C. Number of audit findings per quarter
D. Mean time to detect and respond to incidents
Answer: A

Directly measures governance alignment.

Why this answer

Governance effectiveness is measured by how well the security program aligns with and supports business objectives. Option A directly reflects this alignment by showing the percentage of security initiatives tied to business strategy, which is a key indicator of strategic governance rather than operational or tactical performance.

Exam trap

The trap here is that candidates confuse operational or tactical metrics (like vulnerability counts, audit findings, or incident response times) with governance metrics, which must demonstrate strategic alignment and value to the business.

How to eliminate wrong answers

Option B is wrong because the number of critical vulnerabilities identified is an operational metric that measures threat exposure, not governance effectiveness. Option C is wrong because audit findings per quarter indicate compliance or control deficiencies, which are tactical or operational, not strategic governance. Option D is wrong because mean time to detect and respond to incidents is a security operations metric (MTTD/MTTR) that measures incident response efficiency, not governance alignment with business strategy.

892
Multi-Select (hard)

Which THREE of the following are appropriate members of a crisis management team (CMT) for a major cybersecurity incident? (Select three.)

Select 3 answers
A. General Counsel (GC)
B. Chief Information Security Officer (CISO)
C. Security analyst
D. Chief Executive Officer (CEO)
E. Forensic investigator
Answers: A, B, D

GC handles legal and regulatory matters.

Why this answer

The General Counsel (GC) is a critical member of the CMT because a major cybersecurity incident (e.g., a data breach involving PII) triggers legal obligations under regulations like GDPR, HIPAA, or SOX. The GC provides real-time advice on legal hold, breach notification timelines, and attorney-client privilege, ensuring the organization's response does not create additional liability or waive legal protections.

Exam trap

The trap here is confusing operational roles (Security Analyst, Forensic Investigator) with strategic, decision-making CMT members, leading candidates to select technical responders who execute tasks rather than executives who govern the incident response.

893
Multi-Select (medium)

Which TWO of the following are key components of an information security program governance structure? (Select TWO.)

Select 2 answers
A. A steering committee that includes senior management and business unit leaders.
B. An incident response plan that defines roles and procedures.
C. Regular reporting to the board of directors on security metrics and risks.
D. A vulnerability scanning schedule and remediation SLAs.
E. A firewall policy that specifies allowed and denied traffic.
Answers: A, C

A steering committee ensures alignment with business strategy and provides oversight.

Why this answer

A steering committee that includes senior management and business unit leaders is a key component of an information security program governance structure because it provides strategic oversight, aligns security initiatives with business objectives, and ensures accountability at the executive level. This committee typically authorizes policies, reviews risk appetite, and approves resource allocation, which are essential for effective governance.

Exam trap

ISACA often tests the distinction between governance (strategic oversight and decision-making) and management (operational execution and controls), so candidates mistakenly select operational items like incident response plans or vulnerability schedules as governance components.

894
MCQ (hard)

An organization uses the ISO 31000 risk management framework. During the risk evaluation phase, it determines that a certain risk has a low likelihood but very high impact. The organization's risk appetite is moderate. Which of the following is the MOST appropriate risk treatment decision?

A. Accept the risk due to low likelihood
B. Avoid the risk by discontinuing the activity that generates it
C. Transfer the risk through insurance
D. Mitigate the risk by implementing controls to reduce impact
Answer: D

Mitigation reduces the impact to an acceptable level, aligning with moderate risk appetite.

Why this answer

Option D is correct because ISO 31000's risk evaluation phase requires aligning treatment decisions with the organization's risk appetite. With a moderate risk appetite, a low-likelihood but very-high-impact risk cannot simply be accepted (as it exceeds appetite), nor is avoidance necessary since the likelihood is low. Mitigation through controls that reduce the impact is the most balanced approach, bringing the residual risk within the moderate appetite threshold.

Exam trap

The trap here is that candidates mistakenly equate low likelihood with low overall risk, leading them to choose acceptance (Option A), but CISM tests that risk appetite must be explicitly considered—a very high impact can still exceed appetite even if likelihood is low.

How to eliminate wrong answers

Option A is wrong because accepting a risk with very high impact, even if low likelihood, violates a moderate risk appetite—acceptance is only appropriate when residual risk falls within appetite, which it does not here. Option B is wrong because avoidance (discontinuing the activity) is a drastic measure typically reserved for risks that exceed appetite and cannot be cost-effectively mitigated; here, the low likelihood does not warrant complete cessation. Option C is wrong because transferring risk via insurance does not reduce the impact or likelihood—it only shifts financial consequences, and the organization still retains operational and reputational impact, which may still exceed its moderate risk appetite.

895
MCQ (hard)

An organization is implementing a security controls framework and must decide on prioritization. According to defense-in-depth principles, which approach should be taken first?

A. Select all controls from NIST SP 800-53 without prioritization
B. Deploy business-enabling controls that support operations
C. Implement compensating controls to address gaps in existing controls
D. Prioritize critical controls that address the most significant risks
Answer: D

Critical controls form the foundation of defense-in-depth.

Why this answer

Defense-in-depth starts with critical controls that protect against the most likely threats, often following frameworks like CIS Critical Controls, which prioritize foundational controls.

896
MCQ (easy)

Which of the following is the PRIMARY role of the board of directors in information security governance?

A. Managing the day-to-day security operations.
B. Implementing security controls and technologies.
C. Providing strategic direction and oversight of the security program.
D. Developing detailed security policies and procedures.
Answer: C

The board ensures security aligns with business strategy.

Why this answer

The board of directors holds the ultimate fiduciary responsibility for the organization, including its information security posture. Their primary role is to provide strategic direction and oversight, ensuring that the security program aligns with business objectives, risk appetite, and regulatory requirements. This includes approving the overall security strategy, reviewing key risk indicators, and holding management accountable for security performance, not executing tactical tasks.

Exam trap

ISACA often tests the distinction between governance (board) and management (CISO/IT) roles, and the trap here is that candidates mistakenly assign tactical implementation duties to the board because they confuse oversight with execution.

How to eliminate wrong answers

Option A is wrong because managing day-to-day security operations is the responsibility of the security operations center (SOC) and operational staff, not the board. Option B is wrong because implementing security controls and technologies is a tactical function performed by security engineers and IT teams, not the board. Option D is wrong because developing detailed security policies and procedures is a management-level task typically handled by the CISO and security team, while the board provides high-level approval and oversight of the policy framework.

Certified Information Security Manager CISM CISM Questions 826–896 | Page 12/12 | Courseiva