Certified Information Security Manager (CISM): Questions 76–150

500 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
Matching · medium

Match each data classification level to its handling requirement.


No restrictions; can be freely distributed

Access limited to employees; no external sharing

Access on need-to-know basis; encryption required

Highly sensitive; strict access control and logging

Subject to legal/compliance requirements (e.g., PII)

Why these pairings

Typical data classification categories.

77
MCQ · medium

Based on the exhibit, which risk should be addressed first if the organization has limited resources?

A. R001
B. R002
C. R003
D. R004
Answer: A

R001 has the highest risk level (12).

Why this answer

R001 has the highest risk level (12) and should be prioritized for mitigation. The other risks have lower composite scores.

78
MCQ · hard

A global financial services firm operates in 30 countries and is subject to multiple data protection regulations, including GDPR, CCPA, and various financial services directives. The firm has a centralized information security program but struggles with inconsistent enforcement across regions. The CISO is under pressure to demonstrate compliance to the board while reducing costs. The compliance team suggests creating a separate security program for each regulation, while the IT audit team recommends adopting the most stringent regulation as the baseline. The CISO must decide on a strategy that balances compliance, efficiency, and cost. What is the best approach for the CISO to take?

A. Develop a unified set of controls that satisfy the common requirements of all regulations and map them to each regulation's specific needs.
B. Adopt ISO 27001 as the single framework and map it loosely to all regulations.
C. Create three separate security programs, one for each major regulation (GDPR, CCPA, financial directives).
D. Use the most stringent regulation (e.g., GDPR) as the baseline and accept potential gaps with other regulations.
Answer: A

A unified control framework reduces duplication, lowers costs, and simplifies compliance while covering all regulatory requirements.

Why this answer

The best approach is to develop a unified control framework that maps common security controls to multiple regulations, leveraging the fact that many requirements overlap. Option B (adopting one framework) may not cover all regulatory specificities. Option C (separate programs) is inefficient and costly.

Option D (focus on most stringent) can lead to gaps in less stringent but unique requirements.

79
Multi-Select · medium

Which TWO actions are key components of the 'Containment' phase in incident response?

Select 2 answers
A. Restoring systems from backups
B. Implementing temporary workarounds to stop damage
C. Eradicating malware from infected systems
D. Writing a final incident report
E. Deploying patches or configuration changes to secure systems
Answers: B, E

Short-term containment prevents further harm.

Why this answer

Options B and E are correct: short-term containment stops the bleeding, and long-term containment ensures system hardening. Option A is wrong because recovery comes after eradication. Option C is wrong because eradication comes after containment.

Option D is wrong because documentation happens throughout but is not a containment action.

80
MCQ · hard

A security operations center receives an alert from an IDS indicating possible command and control traffic. The analyst is unsure if it's a true positive. Which combination of actions should be taken first?

A. Disable the IDS signature to prevent further alerts.
B. Immediately block the source IP and escalate to the incident response team.
C. Conduct a full forensic analysis of the affected host.
D. Correlate the alert with firewall and proxy logs and review threat intelligence.
Answer: D

Correct: Validation before action.

Why this answer

Option D is correct because correlating with other logs and threat intelligence helps validate the alert before taking potentially disruptive actions. Blocking prematurely may act on a false positive; disabling signatures is dangerous; full forensics is premature.

81
MCQ · medium

Refer to the exhibit. An organization is implementing access controls for a new data repository that will store financial reports classified as Category C. Which of the following is the MOST appropriate control to include?

A. Require encryption of data in transit
B. Implement role-based access control (RBAC)
C. Enforce dual control for access
D. Conduct quarterly access reviews
Answer: A

Category C explicitly requires encryption for transmission.

Why this answer

Option A is correct because Category C requires encryption for transmission; encryption at rest is not mandated but optional. Option B (role-based access) is implied by 'need-to-know' but not explicitly stated; Option C (dual control) is for Category D; Option D (quarterly access reviews) is for Category D.

82
MCQ · hard

An organization has a risk appetite that allows for a maximum residual risk level of 'medium' for all operational risks. A new project introduces a risk with inherent risk level 'high' and control effectiveness rated as 'partially effective'. The risk owner proposes to accept the risk. As the CISM, what is the best course of action?

A. Accept the risk since the risk owner has agreed.
B. Transfer the risk to an insurance company.
C. Insist on additional controls to reduce residual risk to at least 'medium'.
D. Recommend revising the risk appetite to accommodate this risk.
Answer: C

This ensures residual risk aligns with appetite, which is the correct risk management approach.

Why this answer

The organization's risk appetite mandates that residual risk must be at 'medium' or lower. With an inherent risk of 'high' and controls rated 'partially effective', the residual risk remains above the acceptable threshold. Therefore, the best course is to insist on additional controls to bring residual risk down to at least 'medium', ensuring compliance with the risk appetite.

Exam trap

The trap here is that candidates may think the risk owner's acceptance is sufficient, but CISM emphasizes that risk acceptance must be within the risk appetite; otherwise, it is a violation of governance.

How to eliminate wrong answers

Option A is wrong because accepting the risk would violate the organization's risk appetite, which requires residual risk to be at 'medium' or lower; the risk owner's acceptance does not override policy. Option B is wrong because transferring the risk to insurance does not reduce the residual risk level; it only shifts financial impact, and the residual risk remains 'high' or 'medium-high', still exceeding the appetite. Option D is wrong because revising the risk appetite to accommodate a single project undermines the governance framework and sets a dangerous precedent; the risk appetite should be driven by strategic objectives, not by individual risks.

83
MCQ · medium

A large retail chain with hundreds of stores uses point-of-sale (POS) systems that run an outdated operating system. The annual risk assessment identified this as a high-risk issue because the OS is no longer patched and has known vulnerabilities. The business unit manager opposes replacing all POS systems immediately due to cost and potential disruption to operations. As the risk manager, you need to recommend a risk response that balances risk reduction with business continuity. Which strategy is most appropriate?

A. Risk avoidance: immediately replace all POS systems with modern ones
B. Risk mitigation: implement compensating controls and schedule a phased upgrade
C. Risk acceptance: accept the risk because the business cannot afford replacement
D. Risk transfer: purchase cyber insurance to cover potential losses from POS attacks
Answer: B

Correct; this balances risk reduction with business continuity.

Why this answer

Option B is correct because risk mitigation through compensating controls (e.g., network segmentation, strict access controls, intrusion detection) combined with a phased upgrade reduces risk while allowing continued operations. Option A is risk avoidance but is too disruptive and costly. Option D is risk transfer via insurance, but insurance does not prevent the incident or reduce the operational impact.

Option C is risk acceptance without action, which is inappropriate for a high-risk issue.

84
MCQ · medium

Refer to the exhibit. An information security manager reviews the risk register and sees that Risk ID R001 has a residual risk of High with a treatment of Accept. Which of the following best explains why this situation may indicate a governance failure?

A. The risk register should not contain risks with residual risk above low.
B. The control effectiveness rating of 'Partially effective' is too vague.
C. Accepting a high residual risk likely exceeds the board-approved risk appetite.
D. The risk owner should be a business unit head, not the CISO.
Answer: C

Governance requires that risk acceptance decisions are within the risk appetite approved by the board.

Why this answer

Option C is correct because accepting a high residual risk without board approval likely violates the risk appetite policy. Option D is wrong because the CISO can be a risk owner. Option B is wrong because the controls being only partially effective is not in itself the governance failure.

Option A is wrong because the risk register is not invalid for holding such a risk; the issue is the treatment decision.

85
MCQ · hard

Match each information security program component with its correct description.

Policy: High-level statement of management intent
Standard: Mandatory requirement to support policy
Guideline: Recommended practice or advisory action
Procedure: Detailed step-by-step instructions

Why this answer

A policy is a high-level statement of intent. A standard is a mandatory requirement. A guideline is a recommended practice.

A procedure is a detailed step-by-step instruction.

Exam trap

Candidates often confuse standard with guideline; standards are mandatory, guidelines are advisory.

86
MCQ · medium

An auditor reviews the BYOD policy and notes that mobile device management (MDM) logs show several devices without encryption. The policy has been in effect for 6 months. Which of the following is the most likely reason for this non-compliance?

A. The grace period allows non-compliance for 7 days
B. Employees are unaware of the encryption requirement
C. The policy does not explicitly require encryption
D. MDM is not configured to enforce encryption automatically
Answer: D

Without automated enforcement, compliance is voluntary.

Why this answer

Option D is correct because the policy lacks automated enforcement of encryption; MDM can enforce encryption if configured to do so, but the exhibit does not mention automated enforcement. Option A is wrong because the grace period applies to OS updates, not encryption. Option B is wrong because the policy states a clear requirement for encryption.

Option C is wrong because encryption is explicitly required; the gap is in technical enforcement.

87
MCQ · easy

A company has a small security team and limited budget. Which initial investment provides the MOST value for building an effective security program?

A. Implement an automated policy enforcement system
B. Deploy an asset inventory management tool
C. Conduct security awareness training for all employees
D. Perform a comprehensive penetration test
Answer: C

Awareness training is cost-effective and reduces phishing and other user-related risks.

Why this answer

Option C is correct because security awareness training addresses the human factor, reducing many common risks at low cost. Option B is wrong because asset inventory is important but typically requires tools and effort. Option D is wrong because penetration testing is point-in-time and may not address ongoing risks.

Option A is wrong because policy enforcement requires technology investment.

88
MCQ · medium

An information security manager is designing a program for a healthcare organization. Which of the following should be the FIRST step in establishing the program?

A. Develop information security policies and procedures
B. Conduct a risk assessment
C. Select and implement security controls
D. Define security metrics and reporting
Answer: B

Why this answer

Conducting a risk assessment is the foundational first step because it identifies and prioritizes the specific threats and vulnerabilities facing the healthcare organization's sensitive data (e.g., PHI under HIPAA). Without this baseline understanding, any subsequent policies, controls, or metrics would be misaligned with actual risk exposure, leading to ineffective or wasteful security investments.

Exam trap

ISACA often tests the misconception that policy development is the logical starting point, but CISM emphasizes that risk assessment must precede all other program elements to ensure alignment with business objectives and regulatory requirements.

Why the other options are wrong

A

Policies should be based on risk assessment results, not developed first.

C

Controls are selected after risks are identified.

D

Metrics are defined after program objectives and controls are established.

89
Multi-Select · medium

A multinational corporation is designing an information security program to align with diverse business units and regulatory requirements across different regions. The CISO is prioritizing key components that ensure the program is both comprehensive and adaptable. Which TWO components are most critical for achieving this alignment?

Select 2 answers
A. Focusing exclusively on the most stringent regulatory requirement to satisfy all others
B. Establishing a governance structure with defined roles, responsibilities, and oversight
C. Creating a control framework that maps common controls to multiple regulatory requirements
D. Adopting a single security framework such as ISO 27001 for all regions
E. Implementing separate security programs for each business unit to address unique needs
Answers: B, C

A governance structure provides the foundation for consistent decision-making and accountability across the organization.

Why this answer

A robust governance structure (B) ensures consistent oversight and accountability, while mapping controls to multiple regulations (C) enables efficiency and compliance across jurisdictions. Option D (single framework) may not cover all specific requirements; option E (separate programs) leads to duplication; option A (focus on one regulation) risks non-compliance elsewhere.

90
MCQ · easy

An organization is developing its information security strategy. Which of the following should be the PRIMARY driver for defining security objectives?

A. Industry best practices
B. Historical security incidents
C. Business objectives
D. Regulatory compliance requirements
Answer: C

Security strategy must align with and enable business goals.

Why this answer

Business objectives are the primary driver because security exists to enable business goals. Option A is wrong because industry best practices are reference points, not primary drivers. Option D is wrong because regulatory requirements are constraints, not drivers.

Option B is wrong because historical incidents inform but do not drive strategy.

91
MCQ · hard

An organization is implementing a quantitative risk analysis for a critical application. The asset value is $2,000,000. The exposure factor (EF) is 0.25, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A. $250,000
B. $1,000,000
C. $125,000
D. $500,000
Answer: A

ALE = $2,000,000 × 0.25 × 0.5 = $250,000.

Why this answer

Option A is correct because ALE = asset value × EF × ARO = $2,000,000 × 0.25 × 0.5 = $250,000. Option D is wrong because it uses EF only and omits the ARO. Option B is wrong because it multiplies by 2 instead of 0.5.

Option C is wrong because it results from incorrect multiplication.

92
MCQ · hard

A large enterprise experiences a data breach involving personal identifiable information (PII) of customers. The incident response team has contained the breach and is now in the eradication phase. The CISO wants to ensure that the same vulnerability cannot be exploited again. Which action is MOST critical?

A. Change all passwords of affected accounts.
B. Notify affected customers about the breach.
C. Deploy additional endpoint protection software.
D. Patch the specific vulnerability identified.
Answer: D

Patching the vulnerability directly prevents re-exploitation.

Why this answer

Patching the specific vulnerability is the most critical action during the eradication phase because it permanently removes the root cause of the breach. Without this step, the same attack vector (e.g., an unpatched SQL injection flaw or a known CVE in a web server) remains exploitable, rendering containment efforts temporary. The CISO's goal to prevent recurrence directly requires eliminating the technical weakness, not just mitigating its symptoms.

Exam trap

ISACA often tests the distinction between containment actions (like password resets) and eradication actions (like patching), tricking candidates into choosing a visible, immediate step over the root-cause fix.

How to eliminate wrong answers

Option A is wrong because changing passwords of affected accounts is a containment and recovery action that addresses credential compromise, not the underlying vulnerability (e.g., a code injection flaw) that allowed the breach. Option B is wrong because notifying customers is a legal and public relations obligation that occurs after eradication, but it does not fix the technical root cause. Option C is wrong because deploying additional endpoint protection software is a preventive control that may detect future attacks but does not remove the existing vulnerability; the attacker could still exploit the same unpatched flaw.

93
MCQ · hard

An organization's information security program includes a formal exception process. When reviewing an exception request to bypass a critical control, what is the MOST important factor for the information security manager to consider?

A. The cost of implementing the control
B. The residual risk after compensating controls
C. The number of users affected by the exception
D. The duration of the exception
Answer: B

Why this answer

The most important factor when reviewing an exception request to bypass a critical control is the residual risk after compensating controls. This ensures that the organization's risk appetite is not exceeded and that the compensating controls adequately mitigate the risk to an acceptable level, as required by frameworks like ISO 27001 and NIST SP 800-53.

Exam trap

The trap here is that candidates often focus on operational or business factors (cost, user count, duration) instead of the core risk management principle that the residual risk must be acceptable to the organization.

Why the other options are wrong

A

Cost is a factor but not the most important; risk acceptance is paramount.

C

Number of users is less important than the risk exposure.

D

Duration matters but is secondary to the risk level.

94
Multi-Select · hard

An information security manager is evaluating the maturity of the organization's security program. Which of the following indicators suggest a high level of maturity? (Select TWO.)

Select 2 answers
A. All security incidents are resolved within 24 hours
B. Security metrics are included in regular executive reports
C. The program uses the latest encryption standards
D. A formal risk acceptance process is in place and used
E. The security team conducts annual penetration tests
Answers: B, D

Why this answer

Option B is correct because including security metrics in regular executive reports demonstrates that security performance is being measured, tracked, and communicated to leadership as part of ongoing governance. This aligns with a mature security program where security is integrated into business decision-making, not treated as a siloed technical function.

Exam trap

The trap here is that candidates confuse operational effectiveness (e.g., fast incident resolution or use of modern encryption) with process maturity, which is about governance, measurement, and continuous improvement rather than technical speed or tooling.

Why the other options are wrong

A

Resolution time is not necessarily an indicator of maturity; process consistency is more important.

C

Using latest technology is a tactical choice, not a maturity indicator.

E

Annual testing is a good practice but not a strong indicator of overall program maturity.

95
MCQ · hard

Based on the exhibit, which role is missing from the governance policy that would be essential for enforcing accountability?

A. External auditor
B. Internal audit function
C. A role with authority to enforce compliance and impose consequences
D. Chief compliance officer
Answer: C

Policy lacks enforcement mechanisms; accountability requires consequences.

Why this answer

Option C is correct because without defined consequences or enforcement responsibilities, accountability is weak. Option B is wrong because internal audit provides assurance, not enforcement. Option D is wrong because a chief compliance officer may exist but is not defined in the policy.

Option A is wrong because an external auditor is not part of internal governance.

96
MCQ · medium

During a merger, two companies with different information security programs are being integrated. The combined entity must maintain compliance with PCI DSS and GDPR. The CISO is concerned about gaps in coverage due to differing maturity levels. Which of the following is the BEST approach to harmonize the programs?

A. Adopt the more stringent security program from the acquirer across the entire entity.
B. Merge the two programs by combining all controls from each.
C. Implement a completely new framework that meets both regulations.
D. Perform a gap analysis against the requirements and prioritize remediation.
Answer: D

A gap analysis provides a clear picture of what is missing and allows for efficient resource allocation.

Why this answer

Option D is correct because a gap analysis identifies where controls are missing or insufficient, allowing for a prioritized remediation plan. Option A is wrong because adopting the higher standard may be unnecessary and costly. Option B is wrong because merging without analysis could introduce risks.

Option C is wrong because a new framework from scratch may not leverage existing investments.

97
Matching · medium

Match each incident management phase to its activity.


Develop incident response plan and train team

Identify and validate security incidents

Isolate threat, remove malware, restore operations

Conduct lessons learned and update procedures

Notify stakeholders and regulatory bodies

Why these pairings

Incident response phases per CISM.

98
Multi-Select · hard

A security manager is presenting risk analysis results to the board. Which of the following should the manager include to effectively communicate risk? (Select THREE)

Select 3 answers
A. Monetary value of potential losses
B. Detailed technical vulnerabilities
C. Likelihood of occurrence expressed as annual probability
D. Anecdotal stories of past incidents
E. Comparison of residual risk to risk appetite
Answers: A, C, E

Why this answer

Monetary value of potential losses (A) is correct because it translates technical risk into financial terms that board members understand, enabling informed decisions on resource allocation for risk mitigation. This aligns with the CISM focus on business-aligned risk communication, where quantitative metrics like Annualized Loss Expectancy (ALE) directly support cost-benefit analysis.

Exam trap

The trap here is that candidates often select 'Detailed technical vulnerabilities' (B) thinking it demonstrates thoroughness, but the board requires business-impact language, not technical depth.

Why the other options are wrong

B

Board members typically lack technical background; focus on business impact.

D

Anecdotes are not quantitative and may skew perception.

99
MCQ · easy

During incident investigation, which evidence preservation method is most important?

A. Take screenshots of the attack
B. Interview witnesses immediately
C. Create a forensic image of affected drives
D. Reboot the system to capture memory
Answer: C

Correct: Forensic imaging preserves the exact state for analysis.

Why this answer

Creating a forensic image preserves a bit-by-bit copy of the drive for analysis without altering evidence.

100
MCQ · easy

Which of the following is the best indicator that an organization has effective information security governance?

A. Achievement of ISO 27001 certification
B. The security budget has increased year over year
C. Low number of security incidents
D. Security metrics are reviewed by the board quarterly
Answer: D

Board review shows that security is integrated into governance and strategic decision-making.

Why this answer

Review of security metrics by the board demonstrates governance oversight and strategic alignment. Option C (low incident count) could be due to luck. Option B (rising budget) does not guarantee effectiveness.

Option A (certification) indicates compliance, not necessarily governance performance.

101
Multi-Select · easy

Which TWO of the following are examples of risk mitigation controls? (Choose two.)

Select 2 answers
A. Enforcing least privilege access controls
B. Implementing intrusion detection systems
C. Discontinuing a high-risk business process
D. Purchasing cyber insurance
E. Accepting the risk in a formal statement
Answers: A, B

Access controls reduce the likelihood of unauthorized access.

Why this answer

Options A and B are correct. Enforcing least privilege access controls and implementing intrusion detection systems are mitigation measures. Option D is wrong because purchasing insurance is risk transfer.

Option E is wrong because formally accepting the risk is risk acceptance. Option C is wrong because discontinuing a business process is risk avoidance.

102
MCQ · easy

A small business cannot afford a dedicated security team. Which governance model is most appropriate?

A. Implement a full security program based on ISO 27001
B. Hire a virtual CISO and outsource security operations
C. Ignore security until a breach occurs
D. Delegate security to the IT manager with periodic board updates
Answer: B

This provides governance oversight and operational capability cost-effectively.

Why this answer

Option B is correct because hiring a virtual CISO and outsourcing operations provides governance expertise without full-time cost. Option A is too heavy for a small business. Option C is negligent.

Option D places the governance burden on an IT manager who may lack authority.

103
MCQ · easy

Based on the risk register entry, what is the primary gap in the current controls?

A. The policy exists but is not enforced technically
B. MDM is not a suitable control
C. The risk score is too low to require action
D. The likelihood of occurrence is low
Answer: A

Policy without enforcement is ineffective.

Why this answer

Option A is correct because the current control is a policy without technical enforcement, leaving the risk unmitigated. Option C is wrong because the risk score is 15, not low. Option D is wrong because the likelihood is medium, not low.

Option B is wrong because MDM is a suitable control; it is proposed but not yet implemented.

104
MCQ · hard

Refer to the exhibit. Based on the risk register extract, which risk should the information security manager prioritize for additional treatment?

A. R-001 only
B. Neither risk requires additional treatment
C. R-002 only
D. Both R-001 and R-002
Answer: C

R-002 has a high residual risk exceeding the low risk appetite, so it needs additional treatment.

Why this answer

R-002 has a residual risk rating of 'High', which exceeds the organization's risk appetite of 'Low'. R-001's residual risk is 'Medium', which still may be acceptable depending on further analysis. Therefore, R-002 requires immediate attention.

105
MCQ · medium

According to the exhibit, which role is responsible for conducting forensic analysis?

A. Incident Manager
B. Technical Lead
C. Legal Counsel
D. Communication Lead
Answer: B

The Technical Lead is responsible for analysis.

Why this answer

Option B is correct because the Technical Lead is responsible for forensic analysis. Option A is wrong because the Incident Manager coordinates the response. Option D is wrong because the Communication Lead handles communications.

Option C is wrong because Legal Counsel provides legal guidance.

106
MCQ · hard

You are the information security manager for a financial services company that processes credit card transactions. The company uses a mix of on-premises servers and cloud services. During a routine vulnerability scan, you discover that one of the web servers has been compromised with a web shell that allows remote command execution. The server is part of a cluster that handles customer-facing web traffic. The incident response team is activated. The team's immediate actions include isolating the server from the network and taking a forensic image. However, the server is critical for business operations, and management is pressuring you to restore service quickly. The server's logs show that the web shell was uploaded three days ago, and during that time, the server processed approximately 10,000 transactions. The team has not yet fully analyzed the forensic image. You need to decide on the next steps. What should you do FIRST?

A. Wait for the next scheduled patch cycle to apply updates and then restore the server.
B. Restore the server from the most recent clean backup and bring it back online immediately to minimize revenue loss.
C. Notify the payment card industry (PCI) compliance auditor and request guidance on next steps.
D. Conduct a thorough analysis of the forensic image to determine the extent of data access and exfiltration.
Answer: D

Understanding the breach scope is critical for response and notification.

Why this answer

Option D is correct because before restoration, it is essential to assess the scope of the breach to determine whether any sensitive data (e.g., credit card numbers) was exfiltrated. This informs legal and compliance obligations. Option B is premature without knowing the full impact.

Option A is too passive; waiting for the next scheduled patch cycle is not feasible. Option C may be needed later but is not the first priority.

107
MCQ · easy

Which role is primarily responsible for ensuring that information security risks are identified, assessed, and managed within a business unit?

A. Data owner
B. Chief Information Security Officer (CISO)
C. Board of directors
D. Risk owner
Answer: D

Risk owner is accountable for specific risks.

Why this answer

Option D is correct because risk owners are accountable for risk management decisions within their domain. Option B is wrong because the CISO oversees the security program but does not own specific risks. Option C is wrong because the board provides governance, not day-to-day risk management.

Option A is wrong because the data owner is responsible for data classification and protection, not all risks.

108
MCQ · easy

A security analyst receives an alert from the SIEM indicating a high number of failed login attempts from a single external IP address targeting a public-facing web server. The analyst checks the logs and sees that the attempts are using common usernames. What is the MOST appropriate immediate response?

A. Block the IP address at the firewall.
B. Ignore the alert as it is likely a false positive.
C. Disable the web server.
D. Notify law enforcement.
Answer: A

Immediate containment stops ongoing attacks.

Why this answer

Option A is correct because blocking the IP at the firewall is a quick containment measure to stop the attack. Option B is wrong because ignoring the alert could allow a successful brute-force attack. Option D is premature because law enforcement is not needed at this stage.

Option C is too drastic and would disrupt business.

109
MCQhard

Refer to the exhibit. A security analyst reviews the firewall configuration and identifies a potential risk. What is the most likely risk?

A.Risk of unauthorized external access to internal services.
B.Risk of denial-of-service attacks from internal hosts.
C.Risk of IP spoofing attacks from the inside network.
D.Risk of data exfiltration via DNS tunneling.
AnswerD

Permissive DNS outbound can be exploited for covert data transfer.

Why this answer

The exhibit shows a firewall rule that permits DNS traffic (UDP/TCP port 53) from the internal network to any external destination. This configuration allows internal hosts to perform DNS queries to external servers, which can be exploited for DNS tunneling—a technique where data is encapsulated within DNS queries and responses to bypass security controls and exfiltrate sensitive information. Since DNS traffic is typically allowed through firewalls, this creates a covert channel for data exfiltration, making option D the most likely risk.

Exam trap

The trap here is that candidates may focus on the firewall rule allowing outbound DNS traffic and incorrectly assume it only poses a risk of unauthorized external access (option A), overlooking the more subtle but critical risk of data exfiltration via DNS tunneling, which is a well-known covert channel in security assessments.

How to eliminate wrong answers

Option A is wrong because the firewall rule permits outbound DNS traffic from internal to external, not inbound traffic from external to internal, so unauthorized external access to internal services is not directly facilitated by this rule. Option B is wrong because denial-of-service attacks from internal hosts would require a different attack vector, such as flooding, and the DNS rule does not inherently enable internal hosts to launch DoS attacks; it merely allows DNS queries. Option C is wrong because IP spoofing attacks from the inside network involve forging source IP addresses, which is not directly related to the DNS rule; spoofing is typically mitigated by ingress/egress filtering, not by DNS-specific firewall rules.

110
MCQhard

An organization's information security governance committee has not met for the past six months. Which of the following is the most significant risk associated with this situation?

A.Increased operational costs due to uncoordinated security investments
B.Regulatory fines from noncompliance
C.Delayed response to security incidents
D.Lack of oversight leading to misalignment with business strategy
AnswerD

The committee is responsible for ensuring security supports business goals; without meetings, oversight is lost.

Why this answer

Without regular governance committee meetings, there is no oversight of security activities, leading to potential misalignment with business objectives. Option A (increased costs) could occur but is not the primary risk. Option C (delayed incident response) is operational.

Option B (regulatory fines) is a possible consequence but less immediate than loss of strategic alignment.

111
MCQhard

During a risk assessment, an organization identifies that a legacy system processes credit card data and has a high likelihood of being exploited. The cost to remediate the vulnerability is $500,000, while the potential loss from a breach is $2 million with a 30% annual probability. What is the most appropriate risk treatment decision based on this information?

A.Risk mitigation by implementing controls to fix the vulnerability
B.Risk transfer by purchasing cyber insurance
C.Risk acceptance because the probability is low
D.Risk avoidance by decommissioning the legacy system
AnswerA

The remediation cost is less than the ALE.

Why this answer

Option A is correct because the annual loss expectancy (ALE) is $2,000,000 × 0.30 = $600,000, which exceeds the remediation cost of $500,000, making risk mitigation cost-effective. Option C is wrong because acceptance would leave the risk unaddressed when mitigation is cheaper than the expected loss. Option B is wrong because transferring the risk would involve insurance premiums that likely exceed the expected loss.

Option D is wrong because avoidance (removing the system) is more drastic and may not be necessary.

112
MCQmedium

During an incident, the incident response team discovers that the attacker used stolen credentials to access the network. What should the team do during the eradication phase?

A.Conduct a security awareness training.
B.Block the attacker's IP addresses.
C.Install additional antivirus software.
D.Reset all user passwords.
AnswerD

Correct: Directly removes attacker's access.

Why this answer

Option D is correct because resetting compromised passwords removes the attacker's access. Blocking IPs is containment; installing antivirus and conducting training are good practices but not immediate eradication.

113
MCQmedium

During an incident, the team identifies that a contractor's credentials were used to access sensitive data. Which of the following should be the IMMEDIATE action?

A.Notify the client whose data was accessed.
B.Revoke the contractor's access and terminate the contract.
C.Contact the contractor to ask about the activity.
D.Disable the compromised credentials and initiate forensic investigation.
AnswerD

Disabling the credentials stops further misuse; the forensic investigation determines scope.

Why this answer

Option D is correct because disabling credentials stops further misuse, and forensic investigation determines scope. Option B is wrong because termination may be premature. Option C is wrong because alerting the contractor could compromise the investigation.

Option A is wrong because notification should be based on a confirmed breach.

114
MCQeasy

A newly appointed CISO wants to establish an information security governance committee. What is the PRIMARY purpose of this committee?

A.To manage day-to-day security operations.
B.To implement security controls across the organization.
C.To approve technical security solutions.
D.To ensure security strategy aligns with business objectives and provide oversight.
AnswerD

Governance committees bridge security and business strategy.

Why this answer

The primary purpose of an information security governance committee is to ensure that the security strategy aligns with business objectives and to provide oversight. This committee does not execute day-to-day operations or implement controls; instead, it sets direction, reviews risk posture, and ensures that security investments support organizational goals, as defined in frameworks like COBIT and ISO 38500.

Exam trap

The trap here is that candidates often confuse governance (strategic oversight and alignment) with management (tactical implementation and operations), leading them to select options that describe operational or technical tasks rather than the committee's true strategic purpose.

How to eliminate wrong answers

Option A is wrong because managing day-to-day security operations is the responsibility of operational teams (e.g., SOC, IT security staff), not a governance committee, which focuses on strategic oversight. Option B is wrong because implementing security controls is a tactical or operational activity carried out by technical teams based on policies approved by governance, not the committee's primary role. Option C is wrong because approving technical security solutions is typically a function of architecture review boards or engineering leads, while the governance committee focuses on strategic alignment and risk acceptance, not detailed technical approvals.

115
MCQhard

You are the incident response manager for a mid-sized e-commerce company. At 2:00 PM, the security operations center receives an alert from the intrusion detection system indicating a potential SQL injection attack against the customer database server. The server hosts a critical database containing customer PII and payment card data. The alert shows multiple suspicious queries from an internal IP address 192.168.10.50, which belongs to the development team's jump box. The development team uses this jump box to access production servers for maintenance. The jump box is managed by the IT operations team. The CEO is currently in a meeting with investors and cannot be disturbed. The CISO is on leave. The company has a written incident response plan that designates the IT director as the incident response coordinator in the absence of the CISO. The IT director has limited security knowledge. The database administrator (DBA) reports that the database is experiencing high CPU usage and that some customer records appear to have been modified. You need to take immediate action. What should you do FIRST?

A.Shut down the database server to prevent further data loss
B.Contact the development team lead to ask about the activity
C.Isolate the jump box from the network immediately
D.Escalate the incident to the IT director and request guidance
AnswerC

Stops the attack and preserves evidence.

Why this answer

Isolating the jump box (192.168.10.50) is the correct first action because it immediately stops the active SQL injection attack at its source, preventing further data exfiltration or modification. The suspicious queries originate from this internal IP, and containment is the priority in incident response to halt the threat before investigation or recovery. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the attack vector before preserving evidence or notifying stakeholders.

Exam trap

The trap here is that candidates confuse 'escalation' with 'first action'—they think notifying the IT director is required per the plan, but CISM emphasizes that incident response managers must take immediate containment steps before escalation when an active attack is confirmed.

How to eliminate wrong answers

Option A is wrong because shutting down the database server destroys volatile evidence (e.g., active connections, memory-resident queries) and causes unnecessary business disruption; containment should isolate the attacker, not the asset. Option B is wrong because contacting the development team lead wastes critical time and may tip off a potential insider threat or compromised account; the jump box could be under attacker control, and human verification is unreliable during an active breach. Option D is wrong because escalating to the IT director, who has limited security knowledge, delays decisive containment action; the incident response plan designates the IT director as coordinator, but you, as the incident response manager, have the authority to execute immediate containment steps per your role.

116
MCQhard

Match the following security program components with their primary purpose by dragging each component to the correct description.

A.Security Policy
B.Incident Response Plan
C.Risk Assessment
D.Describes the organization's high-level security objectives and management commitment
E.Provides step-by-step actions to detect, respond, and recover from security incidents
F.Identifies threats, vulnerabilities, and impacts to determine risk levels

Why this answer

A security policy establishes high-level direction and management intent. An incident response plan provides a structured approach for handling security incidents. A risk assessment identifies and evaluates risks to the organization.

These are distinct components with specific purposes.

Exam trap

Candidates often confuse policy with procedure; policy is high-level, while procedures are detailed steps.

Why the other options are wrong

A

Matching item, not directly evaluated here.

B

Matching item.

C

Matching item.

D

Correct match for Security Policy.

E

Correct match for Incident Response Plan.

F

Correct match for Risk Assessment.

117
MCQmedium

An information security program is being developed for a multinational organization. Which of the following is the PRIMARY driver for aligning the security program with business objectives?

A.Compliance with industry regulations
B.Reducing information security costs
C.Achieving the organization's strategic goals
D.Implementing the latest security technologies
AnswerC

Why this answer

The primary driver for aligning the security program with business objectives is to ensure that security initiatives directly support and enable the organization's strategic goals. Without this alignment, security becomes a cost center rather than a business enabler, and resources may be misallocated to activities that do not advance the enterprise's mission. CISM emphasizes that security governance must be integrated with business strategy to justify investment and demonstrate value to stakeholders.

Exam trap

The trap here is that candidates often mistake compliance (A) as the primary driver because it is a visible and mandatory requirement, but CISM stresses that compliance is a subset of governance, not the overarching goal of program alignment.

Why the other options are wrong

A

Compliance is a requirement but not the primary driver; the program must support business goals to be effective.

B

Cost reduction is a possible outcome but not the primary driver for alignment.

D

Adopting new technologies is a tactic, not the primary driver.

118
MCQmedium

Given the exhibit, what is the most likely classification of this incident?

A.Malware infection
B.Denial of service
C.Brute-force attack
D.Insider threat
AnswerC

Correct: Typical pattern of brute-force password guessing.

Why this answer

Option C is correct because multiple failed logins from the same IP to multiple accounts in a short period indicate a brute-force attack. A DoS attack would target availability; malware and insider threats have different indicators.

119
MCQhard

Refer to the exhibit. The audit finding reveals a deficiency in which critical aspect of information security governance?

A.Strategic alignment between security objectives and business goals is missing.
B.The board has not approved the security strategy.
C.Resource allocation for security initiatives is not based on business impact.
D.Risk management processes are not integrated with business planning.
AnswerA

Measurable objectives aligned with business goals are essential for strategic alignment.

Why this answer

Option A is correct because the lack of measurable objectives linked to business outcomes indicates a failure in strategic alignment. Option D is wrong because, while risk management is related, the finding specifically addresses strategy. Option B is wrong because the board may have approved the current strategy, but it is deficient.

Option C is wrong because resource allocation is not the direct issue.

120
MCQeasy

An information security manager is evaluating the effectiveness of the organization's security governance. Which of the following metrics would best indicate that governance processes are functioning properly?

A.Total spending on security tools compared to the approved budget.
B.Percentage of risk treatment plans that have been implemented as scheduled.
C.Number of security incidents reported per quarter.
D.Mean time to detect (MTTD) for security incidents.
AnswerB

This shows whether governance decisions on risk are being carried out.

Why this answer

Option B is correct because the percentage of risk treatment plans implemented directly reflects whether governance decisions are being executed. Option C is wrong because the number of incidents may vary due to external factors. Option D is wrong because mean time to detect is an operational metric, not a governance metric.

Option A is wrong because budget spent does not measure effectiveness.

121
MCQhard

A financial institution is integrating a newly acquired fintech startup. The startup has a very different security culture. What governance approach best ensures integration without stifling innovation?

A.Allow the startup to maintain its own security policies indefinitely
B.Force the startup to adopt all of the institution's policies immediately
C.Use a transitional risk-based approach, phasing in critical controls while allowing flexibility
D.Create a separate security team for the startup
AnswerC

This method ensures security while respecting the startup's culture and innovation.

Why this answer

Option C is correct because a transitional risk-based approach balances control with flexibility. Option B may stifle innovation and cause resistance. Option A loses central control.

Option D creates silos.

122
MCQmedium

You are the information security program manager at a global financial services firm. The firm has a mature security program, but the CISO is concerned that the program is not keeping pace with emerging threats such as supply chain attacks and advanced persistent threats (APTs). Additionally, the program currently focuses heavily on compliance with regulations (e.g., PCI DSS, GDPR) rather than proactive risk management. The board wants to see a more strategic approach to information security. However, the compliance team is large and influential, and they resist changes that might reduce their role. You have been asked to propose a new program model that addresses these concerns while maintaining regulatory compliance. What should you do?

A.Restructure the compliance team into a risk management function.
B.Expand the compliance team to cover more regulations and increase auditing frequency.
C.Increase security awareness training across the organization.
D.Evolve the program to a risk-based approach that integrates threat intelligence and adapts controls dynamically, while keeping compliance as a baseline.
AnswerD

Balances proactive risk management with compliance requirements.

Why this answer

Option D is correct because evolving to a risk-based model with integrated threat intelligence directly addresses the proactive gap while maintaining compliance. Option B (expand compliance coverage) does not solve the proactive issue. Option A (restructure the compliance team) may cause political friction without addressing the root cause.

Option C (increase awareness training) is too narrow.

123
MCQhard

During a forensic investigation, an incident responder needs to collect memory from a compromised server. What is the BEST method to preserve evidence integrity?

A.Remotely acquire memory using a network connection.
B.Use a live forensic toolkit to capture memory to a network share.
C.Reboot the system into safe mode and then capture memory.
D.Perform a hardware memory acquisition using a write-blocker.
AnswerD

Ensures data integrity and volatile data preservation.

Why this answer

Option D is correct because hardware acquisition with a write-blocker ensures no alteration to the original evidence. Options A and B risk network interference. Option C destroys volatile data, because rebooting clears the contents of memory.

124
MCQmedium

Refer to the exhibit. During a ransomware incident, the response team discovers that the backup server is also encrypted. Which phase of the playbook is MOST impacted?

A.Phase 5: Post-Incident
B.Phase 3: Eradication
C.Phase 2: Containment
D.Phase 4: Recovery
AnswerD

Recovery relies on clean backups; encrypted backups hinder restoration.

Why this answer

Option D is correct because the Recovery phase (Phase 4) is most impacted when the backup server is encrypted during a ransomware incident. Without clean, unencrypted backups, the organization cannot restore systems and data to a known good state, which is the primary goal of the Recovery phase. The encryption of backups directly undermines the ability to recover, forcing the team to consider alternative recovery methods such as decryption keys, offline backups, or system rebuilds.

Exam trap

The trap here is that candidates often confuse the Recovery phase with the Eradication phase, thinking that removing the ransomware will automatically restore access to backups, but in reality, encrypted backups require separate decryption or restoration processes that are part of Recovery, not Eradication.

How to eliminate wrong answers

Option A is wrong because the Post-Incident phase (Phase 5) focuses on lessons learned, reporting, and process improvement, not on the immediate technical recovery from encrypted backups. Option B is wrong because the Eradication phase (Phase 3) involves removing malware and closing attack vectors, but the encrypted backups are a recovery obstacle, not an eradication task. Option C is wrong because the Containment phase (Phase 2) aims to isolate the incident to prevent further spread, but the backup server being already encrypted means containment does not address the loss of recovery data.

125
MCQhard

During a merger, the acquiring company's board insists on integrating the target company's information security governance into its own within 90 days. However, the target has a significantly different risk culture and lacks documented policies. What is the most critical governance risk in this scenario?

A.The acquiring company's security team may lack the capacity to train the target's staff.
B.The target's employees may resist the new security culture.
C.The acquiring company may inadvertently accept unknown high-risk exposures.
D.There will be insufficient time to develop new security policies for the combined entity.
AnswerC

Rushing integration without understanding the target's risk posture can lead to severe exposure.

Why this answer

Option C is correct because the speed of integration may force acceptance of unknown risks without proper due diligence. Option B is wrong because a culture clash is important, but the immediate risk is accepting unknown risks. Option D is wrong because policy development can follow due diligence.

Option A is wrong because training is a later step.

126
MCQmedium

Match each risk assessment activity with the correct phase of the risk management lifecycle.

Phases:
A. Risk Assessment
B. Risk Treatment
C. Risk Monitoring
D. Risk Communication (not used)

Activities:
1.Identify assets and threats
2.Determine risk level
3.Select controls to reduce risk
4.Monitor risk over time

Why this answer

In the risk management lifecycle, identifying assets and threats and determining risk level are part of Risk Assessment. Selecting controls is Risk Treatment. Monitoring risk is Risk Monitoring.

Risk Communication is a continuous activity, not a separate phase.

Exam trap

Candidates often confuse 'determine risk level' as part of risk treatment, but it is actually part of assessment. Also, monitoring is often overlooked as a separate phase.

Why the other options are wrong

1

Correct match is A

2

Correct match is A

3

Correct match is B

4

Correct match is C

127
MCQeasy

A multinational organization is establishing an information security program. The Chief Information Security Officer (CISO) wants to ensure the program aligns with business objectives and is accountable to senior management. Which of the following governance structures would best support this goal?

A.A board-level risk committee oversees the information security program without management involvement.
B.An executive steering committee with representatives from business units, legal, and IT meets quarterly to review program status.
C.The CISO reports to the chief legal officer (CLO).
D.The information security function reports directly to the IT operations manager.
AnswerB

This structure ensures alignment, accountability, and cross-functional support.

Why this answer

Option B is correct because an executive steering committee with business representation ensures alignment with business objectives and accountability to senior management. Option D (security function reporting to IT operations) can lead to conflicts of interest. Option C (CISO reporting to legal) may emphasize compliance over broader program goals.

Option A (separate board committee without management) lacks day-to-day integration.

128
MCQhard

During a cyber incident, the organization's legal counsel advises that certain information about the breach should not be shared with external partners due to ongoing law enforcement investigation. The incident response team must balance transparency with confidentiality. Which of the following is the BEST approach?

A.Seek partner input on what to share
B.Share all information with partners under NDA
C.Provide only non-sensitive overview to partners
D.Withhold all information until investigation ends
AnswerC

A non-sensitive overview maintains transparency while protecting investigative integrity.

Why this answer

Option C is correct because providing a non-sensitive overview keeps partners informed without compromising the investigation.

129
MCQmedium

You are the information security manager for a mid-sized e-commerce company. The company operates a web application that handles credit card transactions and stores customer data in a backend database. The incident response team has just been alerted to a potential data breach: an intrusion detection system (IDS) flagged a SQL injection attack pattern on the web application's login page. The attack originated from an external IP address (5.5.5.5) and appears to have been successful, as the IDS also detected a large outbound data transfer from the database server to another external IP (6.6.6.6) shortly after. The database server is not segmented from the web server. The company has a legal obligation to report breaches involving cardholder data within 72 hours. The incident response plan is being activated. The team includes a forensic analyst, a network engineer, and a legal advisor. The web application is currently running and serving customers. The CEO wants to minimize business disruption. Which of the following actions should the incident response team take FIRST?

A.Shut down the web application and database server immediately to stop the breach.
B.Isolate the database server from the network and block outbound traffic to the external IP.
C.Patch the SQL injection vulnerability in the web application and continue monitoring.
D.Take a full forensic image of all servers before taking any containment actions.
AnswerB

This stops data exfiltration while preserving the web application's availability.

Why this answer

Option B is correct because the immediate priority is to contain the breach by isolating the compromised database server and blocking outbound traffic to the attacker's IP (6.6.6.6). This stops the exfiltration of cardholder data, preserves evidence on the isolated server, and minimizes business disruption by keeping the web application running. Shutting down servers (Option A) would cause unacceptable downtime, while patching (Option C) or imaging (Option D) without containment would allow continued data loss.

Exam trap

The trap here is that candidates confuse 'stopping the breach' with 'shutting everything down' (Option A), failing to recognize that containment actions like network isolation can halt data loss while preserving business continuity and evidence integrity.

How to eliminate wrong answers

Option A is wrong because shutting down both servers halts business operations, violating the CEO's directive to minimize disruption, and destroys volatile evidence (e.g., network connections, memory) that the forensic analyst needs. Option C is wrong because patching the SQL injection vulnerability does not stop the ongoing exfiltration to 6.6.6.6; the attacker may still have a backdoor or active connection, and data loss continues. Option D is wrong because taking forensic images before containment allows the attacker to continue exfiltrating data during the imaging process, while the 72-hour breach-reporting clock is already running.

130
MCQeasy

An organization has just experienced a ransomware attack that encrypted files on several file servers. The incident response team has contained the incident. What is the next critical step?

A.Pay the ransom to recover data.
B.Wipe the affected servers and reimage them.
C.Notify law enforcement.
D.Restore files from clean backups.
AnswerD

Correct: Efficient recovery without paying ransom.

Why this answer

Option D is correct because restoring from clean backups is the most reliable recovery method. Paying the ransom is discouraged; notifying law enforcement can come later; wiping the servers may be unnecessarily drastic if backups exist.

131
MCQmedium

During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?

A.Reset the affected employees' passwords and enable multi-factor authentication
B.Implement a security awareness training program
C.Conduct a forensic analysis of the employees' workstations
D.Block the phishing domain at the web proxy
AnswerA

This mitigates the credential compromise.

Why this answer

When credentials are compromised in a phishing attack, the immediate priority is to contain the breach by invalidating the exposed credentials. Resetting the affected employees' passwords and enabling multi-factor authentication (MFA) prevents attackers from using the harvested credentials for unauthorized access, especially if the credentials are reused across other systems. This aligns with the Incident Response phase of containment before moving to eradication or recovery.

Exam trap

The trap here is that candidates may confuse the containment phase with the eradication phase, choosing to block the phishing domain (Option D) instead of immediately neutralizing the compromised credentials, which is the more urgent action to prevent further unauthorized access.

How to eliminate wrong answers

Option B is wrong because implementing a security awareness training program is a long-term preventive measure, not an immediate containment step during active incident response. Option C is wrong because conducting a forensic analysis of the employees' workstations is premature; the phishing link was a server-side credential harvester, not a client-side malware infection, so workstation forensics would not directly address the credential compromise. Option D is wrong because blocking the phishing domain at the web proxy is a reactive defense but does not remediate the already-compromised credentials; the attacker may still use the stolen passwords before the domain is blocked.

132
MCQeasy

An organization has recently experienced a data breach due to a misconfigured database. The root cause was a lack of proper change management. As part of the risk management process, what should the organization do NEXT after implementing corrective controls?

A.Perform a residual risk assessment
B.Purchase additional cyber insurance to cover future breaches
C.Conduct security awareness training for all employees
D.Update the information security policy to mandate stricter controls
AnswerA

After implementing controls, the organization must evaluate whether the residual risk meets the risk appetite.

Why this answer

Option A is correct because after implementing controls, the organization should reassess residual risk to ensure it is within appetite. Option D is wrong because updating policies without reassessment may not address the actual risk level. Option C is wrong because training is important but not the immediate next step.

Option B is wrong because transferring risk does not address control effectiveness.

133
MCQeasy

A regional hospital is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). During an internal audit, it was discovered that patient electronic health records (EHRs) are transmitted over the internet without encryption. The risk manager has been asked to recommend a risk treatment. Which action should be prioritized to address this finding?

A.Implement encryption for all data in transit
B.Accept the risk because the likelihood of interception is low
C.Purchase cyber insurance to cover potential data breach costs
D.Discontinue all electronic transmission of patient data
AnswerA

Correct; encryption is a standard control to protect data in transit.

Why this answer

Option A is correct because implementing encryption for data in transit directly addresses the identified vulnerability. Under the HIPAA Security Rule, encryption of ePHI in transit is an addressable implementation specification: the covered entity must implement it or document an equivalent alternative, so transmitting EHRs unencrypted with no alternative in place is a compliance gap. Option B is incorrect because accepting this high-risk condition would likely violate regulatory requirements; a low likelihood of interception does not excuse unprotected transmission of ePHI. Option D is overly drastic and would disrupt operations without addressing the underlying control gap. Option C is incorrect because insurance does not reduce the risk of non-compliance or protect patient data.

134
MCQhard

A multinational corporation with a decentralized information security program has recently experienced a data breach involving customer PII. The breach originated from a regional office that had not implemented the global security baseline due to local IT staff claiming 'unique operational requirements.' The CISO has tasked the security manager with revising the program to prevent recurrence. The organization has 12 regional offices, each with its own IT leadership, and a central security team. The budget is tight, and there is resistance to centralized control. Which of the following is the BEST course of action for the security manager?

A.Increase the frequency of security audits for all regional offices
B.Provide additional training to regional IT staff on the importance of security baselines
C.Allow each regional office to maintain its own security program as long as it meets minimum standards
D.Establish a mandatory global security baseline with a formal exception process requiring CISO approval for any deviation
AnswerD

This provides enforceability and flexibility, ensuring deviations are formally risk-assessed and approved.

Why this answer

Option D is correct because establishing a mandatory global baseline with a formal exception process ensures consistency while allowing justified deviations that are risk-assessed and approved at the right level; the exception record also makes the residual risk from local variance visible to the CISO. Option C is wrong because allowing each office to maintain its own program would perpetuate the fragmentation that led to the breach. Option A is wrong because more frequent audits may detect issues but do not prevent them without enforceable standards. Option B is wrong because training alone does not address the root cause, which was the absence of an enforceable baseline and a mechanism for handling local exceptions.

135
Multi-Selectmedium

Which TWO actions are appropriate during the containment phase of an incident involving a malware outbreak on multiple workstations?

Select 2 answers
A.Contact all users to warn them about the malware
B.Reimage all affected workstations immediately
C.Isolate infected workstations from the network
D.Notify customers about potential data breach
E.Block known malicious domains and IPs at the firewall
AnswersC, E

Isolation stops lateral movement.

Why this answer

Option C is correct because isolating infected workstations from the network is a primary containment action that prevents the malware from spreading laterally to other systems, limiting the scope of the incident. This is typically achieved by disconnecting network cables, disabling switch ports, or using network access control (NAC) to quarantine the affected hosts, which stops further propagation without destroying forensic evidence. Option E is correct because blocking known malicious domains and IPs at the firewall cuts off command-and-control traffic and further payload downloads for any infected host not yet identified, limiting the outbreak while isolation proceeds. Options A and D are communication activities that may be required but are not containment; Option B is eradication and should wait until evidence has been preserved.

Exam trap

The trap here is that candidates often confuse containment with eradication or communication, mistakenly selecting 'reimage all affected workstations immediately' as a containment step, when in fact reimaging is an eradication action that should occur after containment and evidence collection.

136
MCQeasy

An organization's incident response plan has not been updated in two years. Which of the following is the MOST likely consequence?

A.The plan will comply with new regulations automatically.
B.The plan will be more effective due to maturity.
C.The plan will be followed exactly as written.
D.The plan may not address current threats and technologies.
AnswerD

Option D is correct because outdated plans may not cover recent attack vectors or system changes.

Why this answer

Option D is correct because outdated plans may not cover recent attack vectors, new systems, or changed contacts and roles. Option A is wrong because regulations change and a plan does not track them automatically. Option B is wrong because a plan does not mature by sitting unchanged; effectiveness comes from testing and revision. Option C is wrong because an outdated plan is likely to be ignored or worked around by responders who find it no longer matches the environment.

137
MCQhard

An organization has implemented a host-based intrusion prevention system (HIPS) on all endpoints. An internal audit reveals that many incidents go undetected because users often disable HIPS when it interferes with applications. Which of the following is the MOST effective control to address this issue?

A.Disable HIPS and rely solely on network-based intrusion detection.
B.Increase the sensitivity of HIPS signatures to detect more threats.
C.Remove the ability for users to disable HIPS.
D.Implement application whitelisting to allow approved applications while HIPS monitors.
AnswerD

Application whitelisting reduces the need to disable HIPS because unapproved applications cannot run, which removes the most common source of conflicts.

Why this answer

Option D is correct because application whitelisting reduces the need to disable HIPS: unapproved applications cannot run, so the conflicts that lead users to disable protection are reduced at the source. Option A is wrong because it removes endpoint protection entirely. Option B is wrong because higher sensitivity tends to increase false positives, causing more disablement. Option C is wrong because removing the ability to disable HIPS on its own could break needed applications and does not address the underlying conflicts, although tamper protection is a reasonable complement once those conflicts are resolved.

138
MCQeasy

A hospital chain has separate security teams for each facility. There is no central coordination, leading to duplicate efforts and inconsistent patient data protection. The system's CISO wants to improve governance with minimal disruption. What should he do?

A.Merge all teams into one central unit
B.Implement a top-down mandate for all policies
C.Create a governance committee with representatives from each facility
D.Outsource security to a third party
AnswerC

Promotes coordination and minimal disruption.

Why this answer

Option C is correct because a governance committee with representatives from each facility fosters coordination and consistent standards without a major reorganization. Option A is disruptive and conflicts with the requirement for minimal disruption. Option B ignores local needs and is likely to meet resistance. Option D outsources the work without establishing governance; accountability stays with the organization.

139
Multi-Selectmedium

Which TWO of the following are common approaches to information security risk assessment?

Select 2 answers
A.Qualitative
B.Quantitative
C.Penetration testing
D.Vulnerability assessment
E.Business impact analysis
AnswersA, B

Qualitative assessments use descriptive scales (e.g., high/medium/low); quantitative assessments use numeric values such as monetary loss and probability.

Why this answer

Options A and B are correct because qualitative and quantitative are the two main risk assessment approaches (semi-quantitative is a hybrid of the two). Quantitative uses numerical values, qualitative uses descriptive ranks. Option D is wrong because a vulnerability assessment is a separate activity that feeds a risk assessment. Option C is wrong because penetration testing is a specific test, not an assessment methodology. Option E is wrong because a business impact analysis supports continuity planning and risk assessment but is not itself a risk assessment approach.

140
Multi-Selecteasy

A security audit has identified several governance weaknesses. Which TWO of the following are most likely to indicate a lack of effective information security governance? (Choose two.)

Select 2 answers
A.Risk assessments are not performed on a regular basis.
B.No formal security steering committee exists.
C.The information security policy is not available on the intranet.
D.Employees have not completed annual security awareness training.
E.Antivirus software is not updated on all endpoints.
AnswersA, B

Regular risk assessments are fundamental to governance to ensure risk is managed.

Why this answer

A is correct because regular risk assessments are a foundational requirement of information security governance, as they ensure that security controls remain aligned with evolving threats and business objectives. Without periodic risk assessments, the organization cannot demonstrate due diligence or maintain an accurate risk profile, which is a direct indicator of governance failure. B is correct because a security steering committee is the structure through which senior management sets direction, resolves priorities, and provides oversight of the security program; its absence means no formal body is accountable for security decisions at the governance level. C, D, and E are operational deficiencies that governance should catch, not evidence that governance itself is missing.

Exam trap

ISACA often tests the distinction between governance (strategic oversight, risk management, committee structures) and operational controls (training, patching, policy distribution), leading candidates to mistake operational deficiencies for governance weaknesses.

141
MCQhard

A risk manager is aggregating risks across the enterprise and finds that multiple individual risks, each with low impact and low probability, could combine to create a significant risk. What is the best approach to address this?

A.Ignore the individual risks as they are low priority
B.Use a risk aggregation model to assess cumulative impact and consider enterprise-level controls
C.Accept the risk because the probability of all occurring simultaneously is negligible
D.Treat each individual risk separately with minimal controls
AnswerB

Aggregation provides a holistic view and appropriate mitigation.

Why this answer

Using a risk aggregation model allows the organization to assess the cumulative impact and implement enterprise-level controls. Ignoring or treating individually may miss the combined effect. Accepting as negligible ignores the potential for compounding.
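As an added worked example (not part of the original question set), the following Python sketch shows what a simple risk aggregation model computes for a register of individually low risks: the summed annual loss expectancy, the probability that at least one materializes in a year, the much smaller probability that all occur together (the figure option C relies on), and expected loss grouped by common driver, which is where one enterprise-level control can address several risks at once. The risk names, probabilities, impact figures, and loss tolerance are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # likelihood the event occurs within a year, 0..1
    impact: float              # loss if it occurs, in currency units
    driver: str                # common cause, used to group correlated risks


# Constructed sample register: each entry is "low likelihood, low impact"
# on its own. Names and figures are illustrative, not from a real assessment.
REGISTER = [
    Risk("Stale credentials on jump host", 0.05, 40_000, "identity"),
    Risk("Unreviewed firewall rule change", 0.08, 25_000, "change-mgmt"),
    Risk("Backup job silently failing", 0.04, 60_000, "operations"),
    Risk("Contractor account not deprovisioned", 0.06, 30_000, "identity"),
    Risk("Unpatched internal web app", 0.07, 35_000, "change-mgmt"),
]


def expected_loss(risks):
    """Aggregate annual loss expectancy: sum of probability * impact."""
    return sum(r.annual_probability * r.impact for r in risks)


def p_any(risks):
    """Probability that at least one risk materializes in the year,
    treating the events as independent."""
    return 1 - prod(1 - r.annual_probability for r in risks)


def p_all(risks):
    """Probability that every risk materializes in the same year (independent).
    Tiny, but not the question an aggregation model is meant to answer."""
    return prod(r.annual_probability for r in risks)


def by_driver(risks):
    """Expected loss grouped by common cause. A shared driver is where one
    enterprise-level control (e.g. joiner/mover/leaver automation for
    'identity') can reduce several individually small risks at once."""
    totals = {}
    for r in risks:
        totals[r.driver] = totals.get(r.driver, 0.0) + r.annual_probability * r.impact
    return totals


def worst_pair_loss(risks):
    """Largest combined impact of any two risks occurring together."""
    return max(a.impact + b.impact for a, b in combinations(risks, 2))


def exceeds_tolerance(risks, tolerance):
    """True when the aggregate expected loss is above the stated tolerance."""
    return expected_loss(risks) > tolerance


if __name__ == "__main__":
    tolerance = 10_000  # constructed annual loss tolerance for the example
    print(f"Aggregate expected annual loss: {expected_loss(REGISTER):,.0f}")
    print(f"P(at least one occurs):         {p_any(REGISTER):.3f}")
    print(f"P(all occur together):          {p_all(REGISTER):.2e}")
    print(f"Worst two-event loss:           {worst_pair_loss(REGISTER):,.0f}")
    for driver, loss in sorted(by_driver(REGISTER).items()):
        print(f"  {driver:<12} expected loss {loss:,.0f}")
    print("Any single risk over tolerance:",
          any(exceeds_tolerance([r], tolerance) for r in REGISTER))
    print("Aggregate over tolerance:      ", exceeds_tolerance(REGISTER, tolerance))
```

For this register no single entry exceeds the tolerance on its own but the aggregate does, which is exactly the situation the question describes. Real registers rarely contain independent events; grouping by a common driver is the first step toward modelling that correlation, and it is also the view that points at a shared control rather than five separate minimal ones.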

142
MCQhard

A financial institution is restructuring its information security governance to comply with a new regulatory requirement that mandates a formal risk appetite statement. The board has conflicting views on the level of risk to accept. Which of the following should the information security manager do to facilitate the definition of risk appetite?

A.Recommend adopting the risk appetite levels used by a peer financial institution.
B.Facilitate a workshop with business leaders to map risk tolerance to strategic goals.
C.Draft a risk appetite statement and ask the CISO to approve it on behalf of the board.
D.Propose a quantitative risk appetite based on the organization's technology risk metrics.
AnswerB

This aligns risk appetite with business strategy and fosters board consensus.

Why this answer

Option B is correct because risk appetite should be aligned with business objectives and defined in business terms to be meaningful, and a facilitated workshop gives the board a shared basis for consensus. Option A is wrong because a peer institution's appetite is not binding and may not reflect this institution's situation. Option D is wrong because technology risk metrics are only one component of enterprise risk. Option C is wrong because the board has final responsibility for risk appetite, not the CISO.

143
MCQmedium

During a risk assessment, an organization identifies that its legacy payment system has a high likelihood of exploitation due to unpatched vulnerabilities. The system is critical for daily operations. Which risk treatment option should the organization PRIMARILY consider?

A.Implement compensating controls to reduce the risk
B.Accept the risk as a cost of doing business
C.Avoid the risk by decommissioning the system
D.Purchase cyber insurance to transfer the risk
AnswerA

Compensating controls like network segmentation and enhanced monitoring can reduce risk while keeping the system operational.

Why this answer

Option A is correct because mitigation through compensating controls reduces risk while maintaining operations. Option C is wrong because avoidance would mean discontinuing a system that is critical for daily operations, which is not feasible. Option D is wrong because transfer shifts financial risk but not the operational risk of exploitation. Option B is wrong because acceptance without action is inappropriate for a high risk.

144
MCQeasy

Which of the following is the primary purpose of communicating risk assessment results to senior management?

A.To comply with regulatory requirements
B.To enable informed decision-making about risk acceptance
C.To assign blame for security failures
D.To justify the security budget
AnswerB

Senior management needs information to make decisions.

Why this answer

The primary purpose is to enable informed decision-making about risk acceptance and resource allocation. Budget justification and compliance are secondary benefits. Assigning blame is not a purpose.

145
MCQeasy

A security analyst detects an unusual spike in outbound traffic from a database server. Which of the following is the FIRST step in the incident response process?

A.Confirm the incident as a true positive
B.Isolate the server from the network
C.Identify the root cause of the traffic spike
D.Notify senior management
AnswerA

Confirming the alert as a true incident is the initial step to ensure that response efforts are justified.

Why this answer

The first step is to confirm the incident as a true positive before taking further actions like isolation, analysis, or notification. Option A is correct because validating the alert prevents unnecessary escalation and ensures resources are focused on genuine incidents; an outbound spike from a database server may also be a scheduled backup or replication job. Option B is premature until the alert is confirmed, because isolating a production database on a false positive causes avoidable disruption. Option C belongs to the analysis phase. Option D follows confirmation and classification.
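Added example, not from the original question: a Python triage of the scenario above. It scores hourly outbound byte counts from the database server against a robust (median/MAD) baseline, flags the spike hours, and then performs the validation step the question puts first, checking each spike against a schedule of known bulk transfers and an internal address range before anyone isolates the host. The flow records, host name, schedule, and internal range are constructed for the example.

```python
import ipaddress
from statistics import median

# Constructed hourly outbound flow summaries for a database host (db01):
# (hour, destination IP, bytes sent). Two hours are outliers on purpose.
FLOWS = [
    (0, "10.0.5.20", 180_000), (1, "10.0.5.20", 150_000),
    (2, "10.0.9.8", 4_200_000),        # nightly backup target, 02:00 window
    (3, "10.0.5.20", 170_000), (4, "10.0.5.20", 160_000),
    (5, "10.0.5.20", 190_000), (6, "10.0.5.20", 175_000),
    (7, "10.0.5.20", 165_000), (8, "10.0.5.20", 185_000),
    (9, "203.0.113.45", 9_800_000),    # external address with no known job
    (10, "10.0.5.20", 155_000), (11, "10.0.5.20", 172_000),
]

# Constructed allow list of scheduled bulk transfers: destination -> hours.
SCHEDULE = {"10.0.9.8": {2}}
# Constructed internal range for this example's network.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

MAD_SCALE = 1.4826  # scales MAD to a stdev-like unit for normally distributed data


def robust_z_scores(values):
    """Median/MAD z-scores. The outliers do not inflate this baseline the way
    they would inflate a mean/stdev baseline built from only a few hours."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = MAD_SCALE * mad if mad else 1.0
    return [(v - med) / scale for v in values]


def detect_spikes(flows, threshold=3.5):
    """Return (hour, dst, bytes, z) for hours whose score exceeds threshold."""
    zs = robust_z_scores([b for _, _, b in flows])
    return [(h, d, b, z) for (h, d, b), z in zip(flows, zs) if z > threshold]


def validate(spike, schedule, internal=INTERNAL):
    """Step one of response: decide whether the alert is a true positive.
    A spike to a known destination inside its scheduled window is expected;
    anything else is a candidate incident to confirm (which process, which
    data, which account) before the host is isolated."""
    hour, dst, _, _ = spike
    if hour in schedule.get(dst, set()):
        return "expected: scheduled transfer"
    if ipaddress.ip_address(dst) in internal:
        return "confirm: unscheduled internal transfer"
    return "confirm: unscheduled external transfer"


def triage(flows, schedule=SCHEDULE, threshold=3.5):
    """Flag spikes and attach a validation verdict to each."""
    return [(h, d, b, round(z, 1), validate((h, d, b, z), schedule))
            for h, d, b, z in detect_spikes(flows, threshold)]


if __name__ == "__main__":
    for hour, dst, nbytes, z, verdict in triage(FLOWS):
        print(f"{hour:02d}:00 -> {dst:<14} {nbytes:>10,} bytes  z={z:>6}  {verdict}")
```

Both outliers score far above the threshold, but only the 09:00 transfer to an external address survives validation as a candidate incident; the 02:00 spike is the known backup window. In practice the "confirm" branch is where an analyst pulls the process, account, and query history behind the flow, which is the evidence that justifies isolating a production database.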

146
Multi-Selectmedium

Which TWO of the following are essential components of an information security program charter?

Select 2 answers
A.List of approved security technologies.
B.Detailed annual budget allocation.
C.List of approved third-party vendors.
D.Roles, responsibilities, and authority of the program team.
E.Program scope, objectives, and strategic alignment.
AnswersD, E

Establishes governance and accountability.

Why this answer

Correct answers are D and E. Option E (scope, objectives, and strategic alignment) defines the program's boundaries and ties it to business goals. Option D (roles, responsibilities, and authority) establishes accountability and the mandate to act.

Option B (detailed budget) is typically in a separate planning document. Option A (approved technologies) is operational, not charter-level. Option C (vendor list) is not relevant to a charter.

147
MCQeasy

Which of the following is the PRIMARY purpose of an incident response plan?

A.To assign blame for security failures
B.To prevent all security incidents from occurring
C.To provide a systematic method for responding to incidents
D.To meet regulatory compliance requirements
AnswerC

The plan ensures consistent and effective response.

Why this answer

The primary purpose of an incident response plan is to establish a structured, systematic methodology for detecting, containing, eradicating, and recovering from security incidents. This ensures that the organization can minimize damage, reduce recovery time and costs, and preserve evidence for forensic analysis. Without a predefined plan, responses become ad hoc, increasing the likelihood of errors and extended downtime.

Exam trap

ISACA often tests the distinction between primary purpose and secondary benefits; candidates mistakenly choose regulatory compliance (Option D) because they confuse a common driver for implementing a plan with its fundamental operational objective.

How to eliminate wrong answers

Option A is wrong because assigning blame is counterproductive and not a goal of incident response; the focus is on learning and improving processes, not on fault-finding. Option B is wrong because incident response plans are designed to manage incidents that occur, not to prevent them; prevention is the domain of risk management and security controls. Option D is wrong because while regulatory compliance may be a benefit, it is not the primary purpose; the core objective is to effectively manage incidents to protect the organization's assets and operations.

148
MCQhard

A security program includes multiple metrics. Which metric best indicates the program's effectiveness in reducing overall risk?

A.Composite risk score based on threat, vulnerability, and control assessments.
B.Number of security incidents per quarter.
C.Mean time to detect (MTTD) incidents.
D.Percentage of employees who completed security training.
AnswerA

Directly reflects risk posture and reduction efforts.

Why this answer

A composite risk score that aggregates threats, vulnerabilities, and control assessments provides a holistic view of risk reduction over time. Option B is a lagging indicator driven by threat activity and detection coverage as much as by risk reduction. Option C measures detection speed, one aspect of the program. Option D is an activity metric that shows participation, not reduced risk.

149
Multi-Selectmedium

Which TWO of the following are essential components of an information security governance framework according to ISACA's COBIT?

Select 2 answers
A.Value delivery
B.Performance measurement
C.Strategic alignment
D.Incident response playbook
E.Firewall configuration
AnswersA, C

A core component ensuring security investments bring value.

Why this answer

Strategic alignment (C) and value delivery (A) are core governance outcomes in ISACA's model. Performance measurement (B) is also one of ISACA's governance outcomes, but the answer key treats alignment and value delivery as the foundational pair, since measurement exists to show whether they are being achieved. Firewall configuration (E) and an incident response playbook (D) are operational artifacts, not governance components.

150
MCQeasy

Which document should be reviewed and updated at least annually?

A.Vendor contracts
B.Incident response plan
C.Network topology diagram
D.User manuals
AnswerB

Regulatory and best practice standards require annual review of IR plans.

Why this answer

The incident response plan must be kept current to reflect new threats, organizational changes, and lessons learned from incidents and exercises, and many regulations and frameworks expect at least annual review. Option B is correct. Options A, C, and D are updated when they change rather than on a fixed annual cycle as a standard requirement.
