Certified Information Security Manager (CISM) — Questions 151–225

500 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151
Multi-Select · medium

Which TWO of the following are key components of an information security governance framework? (Choose two.)

Select 2 answers
A. Security policy and standards.
B. Intrusion detection system (IDS) configuration.
C. Firewall rule set.
D. Payment Card Industry Data Security Standard (PCI DSS) compliance report.
E. Risk management process.
Answers: A, E

Foundational elements of governance frameworks.

Why this answer

Security policy and standards are foundational components of an information security governance framework because they establish the high-level direction, principles, and mandatory requirements that guide the organization's security posture. The risk management process is equally critical as it provides a structured methodology for identifying, assessing, and treating risks, ensuring that security decisions are aligned with business objectives and risk appetite. Together, they form the strategic and operational backbone of governance, enabling accountability and continuous improvement.

Exam trap

The trap here is that candidates confuse operational security controls (like IDS configuration or firewall rules) or compliance outputs (like PCI DSS reports) with the strategic governance components, which are policy, standards, and risk management processes.

152
MCQ · medium

A large enterprise with a centralized Security Information and Event Management (SIEM) system is experiencing a high volume of false positive alerts. The security team is overwhelmed and has started to ignore many alerts. During a recent incident, a critical alert indicating lateral movement by an attacker was missed because it was buried among hundreds of false positives. The incident escalated significantly before it was discovered. The CISO has asked the incident response manager to recommend improvements to prevent this from happening again. What should the manager recommend as the primary action?

A. Increase all alert thresholds to reduce volume
B. Tune SIEM rules to eliminate known false positives
C. Hire additional security analysts to handle the load
D. Disable all non-critical alert categories
Answer: B

Fine-tuning rules reduces noise while maintaining detection of true positives.

Why this answer

Tuning the SIEM rules to reduce false positives is the most direct way to improve alert quality without losing coverage. Increasing thresholds may cause missed real alerts. Hiring more staff is a longer-term solution.

Disabling non-critical alerts could remove important detection capabilities.

153
MCQ · hard

A multinational organization is evaluating its risk appetite for a new cloud-based customer relationship management (CRM) system. The system will store personal data across multiple jurisdictions with varying data protection laws. The risk committee has set a risk appetite statement that allows only low residual risk. Which of the following controls is MOST critical to ensure compliance with the risk appetite?

A. Implement data classification and strict role-based access controls
B. Conduct continuous monitoring and logging of all system activities
C. Encrypt all data at rest and in transit using strong algorithms
D. Negotiate service-level agreements (SLAs) with the cloud provider for uptime
Answer: A

Data classification and RBAC directly control who can access sensitive data, reducing risk to an acceptable level.

Why this answer

Option A is correct because data classification and role-based access controls ensure that only authorized users access data, addressing both legal and operational risks. Option C is wrong because encryption alone does not manage access. Option D is wrong because SLA enforcement focuses on vendor performance, not direct risk reduction.

Option B is wrong because monitoring identifies issues but does not enforce controls.

154
Multi-Select · medium

Which THREE of the following are key performance indicators (KPIs) for an information security program?

Select 3 answers
A. Number of security awareness training completions per quarter.
B. Total number of security staff.
C. Percentage of critical vulnerabilities remediated within SLA.
D. Average number of firewall rules per device.
E. Mean time to respond (MTTR) to incidents.
Answers: A, C, E

Indicates program reach.

Why this answer

KPIs measure program effectiveness: incident response time, vulnerability remediation rate, and security awareness training completion are direct indicators. Total security staff (B) and average firewall rules per device (D) are resource and configuration counts, not measures of effectiveness.

155
MCQ · easy

An organization has recently experienced a data breach due to an insider threat. The board has requested an update on governance improvements. Which of the following should the information security manager recommend first?

A. Developing a formalized insider threat program with clear roles and responsibilities.
B. Conducting annual security awareness training for all employees.
C. Implementing two-factor authentication for all critical systems.
D. Deploying endpoint detection and response (EDR) software on all systems.
Answer: A

This establishes governance over insider risk, including monitoring and response.

Why this answer

Option A is correct because a formalized insider threat program with defined roles and monitoring reduces the risk of insider incidents. Option C is wrong because technical controls alone are ineffective without governance and process. Option B is wrong because training is important but not the immediate governance priority.

Option D is wrong for the same reason as C.

156
Multi-Select · medium

An information security manager is developing a security program for a multinational organization. Which of the following should be considered when defining the program scope? (Select THREE)

Select 3 answers
A. Business objectives and strategy
B. Current technology architecture
C. All information assets, including those managed by third parties
D. Applicable legal and regulatory requirements
Answers: A, C, D

Why this answer

Business objectives and strategy (A) are foundational because the security program must align with and support the organization's mission, risk appetite, and strategic goals. Without this alignment, security controls may conflict with business operations or fail to prioritize critical assets, leading to wasted resources or increased risk exposure.

Exam trap

The trap here is that candidates often select 'Current technology architecture' (B) because it seems practical, but CISM emphasizes that scope should be driven by business needs, legal obligations, and asset inventory, not by existing infrastructure, which can become a constraint rather than a guide.

Why the other options are wrong

B: Architecture is a design element, not a scope determinant.

157
MCQ · hard

An organization is compromised by an APT that has established multiple backdoors across the network. What is the most effective eradication strategy?

A. Monitor network traffic for anomalies.
B. Remove each backdoor individually using forensics.
C. Rebuild all affected systems from trusted backups after ensuring the attack vector is closed.
D. Isolate compromised segments from the rest of the network.
Answer: C

Correct: Ensures complete removal of persistence.

Why this answer

Option C is correct because rebuilding all affected systems from trusted backups ensures that all backdoors are removed, as the attacker may have hidden persistence. Individual removal (B) may miss some, and monitoring (A) and isolation (D) are containment and detection measures, not eradication.

158
MCQ · easy

A small accounting firm with 50 employees recently suffered a ransomware attack that encrypted all client data on its file server. The firm had no backup strategy, and the attackers demanded a ransom for decryption. The firm paid the ransom, but many clients left due to loss of trust. The firm’s owner has now hired you as a part-time risk manager. Your first task is to develop a risk management program. What is the most appropriate initial step?

A. Purchase a comprehensive cyber insurance policy
B. Fire the IT staff responsible for the security failures
C. Conduct a risk assessment to identify assets, threats, and vulnerabilities
D. Immediately implement a backup and disaster recovery solution
Answer: C

Correct; risk assessment is the first step to understand the risk landscape.

Why this answer

Option C is correct because conducting a risk assessment is the foundational step in any risk management program. It identifies assets, threats, vulnerabilities, and controls. Without a risk assessment, other actions like purchasing insurance or implementing backups may be misdirected or incomplete.

Option A is premature; insurance should be informed by the risk assessment. Option B is not a constructive action. Option D is reactive and may not address all risks.

159
Multi-Select · medium

Which TWO of the following are essential components of a security program governance structure?

Select 2 answers
A. Security charter
B. Vulnerability scanning schedule
C. Security steering committee
D. Incident response plan
E. Help desk ticketing system
Answers: A, C

Defines roles, responsibilities, and authority.

Why this answer

Options A and C are correct because a security charter defines authority and a steering committee provides oversight. Option E is wrong because a help desk is operational. Option B is wrong because vulnerability scanning is a technical control, not governance.

Option D is wrong because an incident response plan is operational.

160
MCQ · easy

An organization experiences a DDoS attack that overwhelms their internet connection. Which containment strategy would be MOST effective?

A. Shut down all external connectivity.
B. Change firewall rules to block all traffic.
C. Add more bandwidth to absorb the attack.
D. Contact the ISP for traffic scrubbing or blackhole routing.
Answer: D

Effective mitigation at network level.

Why this answer

Option D is correct because ISP-level traffic scrubbing or blackhole routing mitigates the attack upstream while leaving legitimate traffic intact. Options A and B are wrong because shutting down external connectivity or blocking all traffic at the firewall disrupts connectivity for legitimate users as well.

Option C is wrong because adding bandwidth only tries to absorb the attack rather than mitigating it at the network level.

161
MCQ · hard

A financial institution has a mature incident response program. During a security incident, the incident response team identifies that a business-critical application is affected. The team must decide whether to continue containing the incident or allow limited operations to continue. Which factor should be given the HIGHEST priority?

A. Maintaining customer trust.
B. Minimizing downtime of the application.
C. Regulatory compliance and data protection.
D. Preserving evidence for potential litigation.
Answer: C

Compliance and data protection are critical and must be prioritized.

Why this answer

In a mature incident response program, regulatory compliance and data protection take precedence because financial institutions are subject to strict data privacy laws (e.g., GDPR, PCI DSS, SOX) that mandate safeguarding sensitive data during an incident. Allowing limited operations could lead to unauthorized data exposure or breach of legal obligations, resulting in severe penalties and reputational damage that outweigh the benefits of continued uptime.

Exam trap

The trap here is that candidates often prioritize minimizing downtime (Option B) or preserving customer trust (Option A) because they focus on business continuity, but CISM emphasizes that regulatory compliance and data protection are non-negotiable and must override operational concerns during a security incident.

How to eliminate wrong answers

Option A is wrong because maintaining customer trust, while important, is a secondary outcome of proper incident handling and not the highest priority when regulatory mandates require immediate containment to prevent data loss. Option B is wrong because minimizing downtime of the application is a business continuity concern, but in a security incident, allowing operations to continue risks further compromise and data exfiltration, which can cause far greater long-term damage. Option D is wrong because preserving evidence for potential litigation is a consideration but should not override the immediate need to comply with data protection laws and stop ongoing unauthorized access or data leakage.

162
Drag & Drop · medium

Order the steps for establishing a security incident response team (IRT).


Why this order

Building an IRT starts with defining roles, then recruiting, developing procedures, acquiring tools, and testing.

163
MCQ · easy

Which of the following is the primary purpose of an information security program?

A. Implement firewalls and antivirus software.
B. Achieve compliance with regulations only.
C. Eliminate all security risks.
D. Protect the confidentiality, integrity, and availability of information assets.
Answer: D

Core CIA triad aligned with business objectives.

Why this answer

The program's overarching goal is to protect the confidentiality, integrity, and availability of information assets, aligned with business needs.

164
MCQ · hard

An organization has a mature security program with documented policies and standards. However, during a recent audit, it was found that several business units are not following the mandated data classification standard. What is the MOST likely root cause?

A. Inadequate security awareness training
B. Lack of enforcement mechanisms
C. Outdated data classification policy
D. Insufficient budget for security tools
Answer: B

Why this answer

The correct answer is B because a mature security program with documented policies and standards indicates that the classification rules are already defined. The audit finding that business units are not following the mandated standard points to a failure in enforcement mechanisms—such as automated Data Loss Prevention (DLP) rules, access control policies, or mandatory labeling in SharePoint—rather than a lack of awareness or outdated policy. Without enforcement (e.g., Group Policy Objects blocking unclassified data uploads or SIEM alerts for missing classification tags), even well-trained staff may bypass the standard.

Exam trap

ISACA often tests the distinction between 'lack of awareness' and 'lack of enforcement'—the trap here is that candidates assume training is the solution to non-compliance, but in a mature program with documented policies, the root cause is almost always the absence of automated enforcement or consequences.

Why the other options are wrong

A: Training may exist; the issue is lack of consequence for non-compliance.

C: The policy is documented and mature; outdatedness is not indicated.

D: Budget may affect tools but does not directly cause non-compliance with a standard.

165
Matching · medium

Match each risk management term to its definition.

Descriptions

Risk level before controls are applied

Risk remaining after controls are implemented

Amount of risk the organization is willing to accept

Acceptable variation around the risk appetite

Process of modifying risk by applying controls

Why these pairings

Key risk management concepts from CISM.

166
MCQ · hard

After a ransomware attack, the incident response team successfully restores systems from backups. However, the ransomware encrypts files that were modified after the last backup was taken. Which of the following is the BEST way to minimize future data loss?

A. Train users to save files to network drives.
B. Perform full backups daily instead of weekly.
C. Implement a data loss prevention (DLP) system.
D. Use continuous data protection (CDP) with frequent snapshots.
Answer: D

CDP provides near-real-time backup, minimizing data loss between backups.

Why this answer

Option D is correct because CDP provides near-real-time backup, minimizing data loss between backups. Option B is wrong because daily backups still leave a window of up to 24 hours. Option C is wrong because DLP prevents exfiltration, not data loss.

Option A is wrong because files on network drives also need to be backed up.

167
MCQ · medium

An organization has implemented a new web application that processes sensitive customer data. The risk assessment identified a high likelihood of SQL injection attacks due to insufficient input validation. Which of the following is the BEST risk treatment strategy?

A. Transfer the risk by purchasing cyber insurance
B. Avoid the risk by discontinuing the web application
C. Remediate the risk by implementing parameterized queries and input validation
D. Accept the risk because the likelihood is low after compensating controls
Answer: C

This directly addresses the vulnerability and reduces the risk to an acceptable level.

Why this answer

Option C is correct because parameterized queries (prepared statements) and input validation directly address the root cause of SQL injection by separating SQL logic from user-supplied data. This is a remediation (mitigation) strategy that reduces the likelihood of exploitation to an acceptable level, which aligns with the high-risk scenario described.

Exam trap

The trap here is that candidates often confuse risk transfer (insurance) with risk mitigation, or they incorrectly assume that accepting risk is a default option when the scenario clearly indicates a high-likelihood, high-impact vulnerability that can be directly fixed with a standard coding practice.

How to eliminate wrong answers

Option A is wrong because purchasing cyber insurance transfers the financial impact of a breach, not the technical risk itself; the SQL injection vulnerability remains exploitable, and insurance does not prevent data loss or regulatory penalties. Option B is wrong because avoiding the risk by discontinuing the web application would eliminate business functionality and is disproportionate when a proven technical control (parameterized queries) exists to mitigate the vulnerability. Option D is wrong because accepting the risk is only appropriate when residual risk is low after compensating controls, but the scenario states the likelihood is high and no compensating controls have been implemented; accepting without remediation would leave the organization exposed to a high-probability attack.

168
MCQ · easy

Which of the following best describes residual risk?

A. Risk before any controls are applied
B. Risk that remains after implementing controls
C. The likelihood that a control will fail
D. The level of risk an organization is willing to accept
Answer: B

Residual risk is the remaining risk after mitigation.

Why this answer

Option B is correct because residual risk is what remains after controls are implemented. Option A is wrong because it describes inherent risk. Option D is wrong because it describes risk appetite.

Option C is wrong because it describes control effectiveness (the likelihood that a control will fail), not residual risk.

169
MCQ · hard

A bank detects unusual activity on a server containing sensitive financial data. The activity appears to be from a compromised vendor account that has legitimate remote access to the server for maintenance. The incident manager must decide on containment while maintaining business operations. The vendor account has elevated privileges and is used for routine updates. Disabling the account would delay critical maintenance. What is the BEST course of action?

A. Contact the vendor to ask about the unusual activity.
B. Isolate the affected server from the network while allowing necessary access through a jump box.
C. Disable the vendor's account immediately.
D. Block all remote access from external IPs.
Answer: B

Contains the threat while maintaining essential vendor access securely.

Why this answer

Option B is correct because isolating the server and routing the necessary vendor access through a jump box allows controlled access while preventing further compromise. Option C is too disruptive because it delays critical maintenance. Option D may block legitimate vendor access.

Option A does not address the immediate threat.

170
MCQ · medium

A financial institution is designing an incident response plan. They want to ensure that during a ransomware incident, critical transaction systems can be restored within 4 hours. Which metric should be used to measure this requirement?

A. Mean Time to Repair (MTTR)
B. Recovery Time Objective (RTO)
C. Mean Time Between Failures (MTBF)
D. Recovery Point Objective (RPO)
Answer: B

RTO defines the maximum acceptable downtime.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable downtime after a disaster or incident, which directly aligns with the requirement to restore critical transaction systems within 4 hours. In incident management, RTO is the metric used to set the target for system recovery, ensuring business continuity. For ransomware incidents, RTO drives the restoration strategy and resource allocation to meet the 4-hour window.

Exam trap

The trap here is confusing RTO (time to restore) with RPO (data loss tolerance), as both are recovery metrics but address different dimensions—candidates often pick RPO when the question mentions 'restore' without carefully noting the time constraint for restoration versus data age.

How to eliminate wrong answers

Option A (Mean Time to Repair, MTTR) is wrong because MTTR measures the average time taken to repair a failed component after it has failed, not the maximum allowable downtime for a system; it is a reliability metric, not a recovery target. Option C (Mean Time Between Failures, MTBF) is wrong because MTBF measures the average time between inherent failures of a system, indicating reliability, not the recovery time requirement after an incident. Option D (Recovery Point Objective, RPO) is wrong because RPO defines the maximum acceptable data loss measured in time (e.g., how old the restored data can be), not the time to restore operations; it answers 'how much data can we lose?' not 'how fast must we recover?'.

171
MCQ · hard

A large healthcare organization recently experienced a ransomware attack that encrypted patient records (ePHI). The attack originated from a phishing email that bypassed the email security gateway. The security program includes annual security awareness training, but post-incident analysis reveals that employees often ignore suspicious emails. The CISO wants to revise the program to reduce the likelihood of similar incidents. Which course of action is most effective?

A. Restrict users' ability to receive emails from external domains except from approved senders
B. Implement a next-generation email security gateway with AI-based threat detection
C. Deploy endpoint detection and response (EDR) on all workstations
D. Increase the frequency of phishing simulations and enforce mandatory remedial training for employees who fall for them
Answer: D

This directly modifies employee behavior through repeated testing and education.

Why this answer

Option D is most effective because it directly addresses the human factor by increasing the frequency of phishing simulations and providing remedial training, which reinforces secure behavior. Option B improves technology but does not change employee behavior. Option C (EDR) can detect ransomware but does not prevent the initial phishing compromise.

Option A is overly restrictive and may hinder business operations.

172
Multi-Select · hard

An organization is designing its information security program and needs to ensure it supports business continuity. Which TWO of the following should be integrated into the program?

Select 2 answers
A. Business impact analysis (BIA) results.
B. Security awareness training for all employees.
C. Security controls for backup and recovery.
D. Vulnerability scanning schedules.
Answers: A, C

Why this answer

A is correct because the Business Impact Analysis (BIA) identifies critical business processes, their maximum tolerable downtime (MTD), and recovery time objectives (RTO), which directly inform the prioritization and design of security controls to ensure business continuity. Without BIA results, the security program cannot align recovery strategies with actual business needs, risking either over-investment or under-protection of key functions.

Exam trap

The trap here is that candidates mistakenly treat security awareness training as a continuity-supporting activity, when in fact it is a general security hygiene measure, not a direct input to business continuity planning or recovery operations.

Why the other options are wrong

B: Training is important but is not directly a continuity integration.

D: Vulnerability scanning is proactive security, not continuity.

173
MCQ · hard

In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?

A. Accept the risk because the control is not cost-justified.
B. Accept the risk because ALE after control is only $2,500.
C. Implement the control because it reduces ALE to $2,500.
D. Implement the control because ALE is $10,000, and control cost is only $12,000.
Answer: A

The cost of control is greater than the risk reduction benefit, so acceptance is appropriate.

Why this answer

The ALE is calculated as SLE × ARO = $50,000 × 0.2 = $10,000. After implementing the control costing $12,000 per year, the residual ALE is $50,000 × 0.05 = $2,500. The annual cost of the control ($12,000) exceeds the reduction in ALE ($10,000 - $2,500 = $7,500), so the control is not cost-justified.

Therefore, accepting the risk is the most cost-effective response.

Exam trap

The trap here is that candidates often compare the control cost to the original ALE ($10,000) or to the residual ALE ($2,500) instead of comparing it to the reduction in ALE ($7,500), leading to incorrect cost-justification conclusions.

How to eliminate wrong answers

Option B is wrong because it states 'accept the risk because ALE after control is only $2,500' — this is a correct observation about the residual ALE but fails to compare the control cost ($12,000) against the reduction in ALE ($7,500), which is the key cost-benefit analysis. Option C is wrong because it says 'implement the control because it reduces ALE to $2,500' — this ignores that the control cost ($12,000) is greater than the reduction in ALE ($7,500), making it not cost-justified. Option D is wrong because it says 'implement the control because ALE is $10,000, and control cost is only $12,000' — this incorrectly implies that a control cost lower than the original ALE justifies implementation, but the correct comparison is between the control cost and the reduction in ALE (not the original ALE).

174
Multi-Select · hard

Which THREE of the following are challenges in implementing information security governance in a decentralized organization?

Select 3 answers
A. Unified risk reporting
B. Redundant security controls and tools
C. Centralized incident response
D. Diverse regulatory compliance requirements
E. Inconsistent policy enforcement across business units
Answers: B, D, E

Each unit may purchase similar tools, increasing costs and complexity.

Why this answer

Decentralized organizations often face inconsistent policy enforcement (E), redundant security controls and tools (B), and diverse regulatory compliance requirements (D). Centralized incident response (C) is not itself a challenge; it may be absent, but the challenge is the lack of centralization. Unified risk reporting (A) is a goal, not a challenge.

175
MCQ · hard

After a security incident, the incident response team identifies that the root cause was a phishing email that bypassed the email filter. The email contained a malicious macro that executed PowerShell commands. Which control would be MOST effective in preventing similar incidents in the future?

A. Implement network segmentation for sensitive systems
B. Disable macros in documents originating from external sources
C. Deploy additional antivirus software on endpoints
D. Conduct security awareness training for all employees
Answer: B

This directly prevents the attack vector used in the incident.

Why this answer

Disabling macros in documents from external sources directly addresses the attack vector: the malicious macro that executed PowerShell commands. This control prevents the macro from running, regardless of the email filter's failure, by blocking the execution environment at the endpoint level. It is a preventive technical control that stops the attack before it can proceed.

Exam trap

The trap here is that candidates often choose security awareness training (D) because it seems like a broad solution, but the question asks for the 'most effective' control against a specific technical attack vector, and disabling macros is a direct technical prevention that does not rely on human behavior.

How to eliminate wrong answers

Option A is wrong because network segmentation limits lateral movement after a compromise but does not prevent the initial phishing email or macro execution. Option C is wrong because additional antivirus software relies on signature or heuristic detection, which can be bypassed by obfuscated or zero-day macros; it is a detective/reactive control, not a preventive one. Option D is wrong because security awareness training reduces human error but does not prevent the macro from executing if a user still opens the document; it is an administrative control, not a technical control that blocks the attack vector directly.

176
Drag & Drop · medium

Arrange the steps for implementing a new firewall rule in an enterprise environment.


Why this order

Firewall changes require clear objectives, change control, testing, implementation, and verification.

177
MCQ · medium

An organization's incident response team is notified of a potential denial-of-service (DoS) attack targeting their web application. The team suspects a distributed denial-of-service (DDoS) attack. What is the FIRST step the team should take?

A. Contact the ISP to block the attacking IPs.
B. Shut down the web application to protect resources.
C. Implement rate limiting on the web server.
D. Analyze network traffic to confirm the attack.
Answer: D

Traffic analysis confirms the attack and provides details for response.

Why this answer

Before taking any action, the incident response team must first confirm that a DDoS attack is actually occurring. Analyzing network traffic (e.g., using NetFlow, sFlow, or packet capture) allows the team to distinguish a genuine DDoS from a flash crowd, a misconfiguration, or a legitimate spike in traffic. This step ensures that subsequent mitigation efforts are based on accurate evidence, preventing unnecessary disruption to services.

Exam trap

The trap here is that candidates often jump to immediate mitigation (blocking IPs or shutting down) without first verifying the incident, but the CISM framework emphasizes that the first step in incident response is always to confirm and characterize the event before taking action.

How to eliminate wrong answers

Option A is wrong because contacting the ISP to block attacking IPs is premature without first confirming the attack; moreover, in a DDoS, source IPs are often spoofed, making IP-based blocking ineffective and potentially blocking legitimate users. Option B is wrong because shutting down the web application is a drastic, last-resort action that should only be taken after confirming the attack and exhausting other mitigation options; it unnecessarily denies service to legitimate users. Option C is wrong because implementing rate limiting on the web server is a reactive mitigation step that should be applied only after the attack is confirmed and its characteristics (e.g., traffic patterns, protocols) are understood; premature rate limiting can inadvertently throttle legitimate traffic.

178
MCQeasy

During an incident, the incident response team needs to preserve evidence for legal proceedings. Which of the following is the MOST important action to take?

A.Create a forensic image of affected systems using write-blockers.
B.Document the incident in a free-form text.
C.Take screenshots of system logs.
D.Notify law enforcement immediately.
AnswerA

Forensic imaging with write-blockers preserves evidence integrity and supports a defensible chain of custody.

Why this answer

Option A is correct because creating a forensic image with write-blockers captures the affected systems without altering the original media, which preserves evidence integrity and supports a defensible chain of custody. Option B is wrong because free-form notes lack the structured documentation (who handled what, when, and with which hashes) that legal proceedings require. Option C is wrong because screenshots are incomplete and can be altered, so they do not stand up as primary evidence.

Option D is wrong because law enforcement is notified after evidence has been preserved, in line with the incident response plan.

179
Multi-Selecthard

A security manager is evaluating the effectiveness of the security program. Which of the following would be valid indicators of a mature program? (Select two.)

Select 2 answers
A.Number of security tools deployed
B.Risk management integrated into business processes
C.Low number of security incidents
D.Trend of improving security metrics over time
AnswersB, D

Why this answer

Risk management integrated into business processes (B) is a key indicator of a mature security program because it demonstrates that security is not a siloed function but is embedded in strategic decision-making, resource allocation, and operational workflows. This alignment ensures that security controls and investments are directly tied to business objectives and risk appetite, which is a hallmark of maturity as defined by frameworks like the CMMI and the ISACA CISM model.

Exam trap

The trap here is that candidates often mistake a low number of security incidents as a sign of success, but CISM emphasizes that a mature program is defined by integrated risk management and measurable improvement trends, not by the absence of incidents, which can be deceptive due to detection gaps or reporting biases.

Why the other options are wrong

A

More tools do not equal maturity; a large tool count can indicate unmanaged complexity rather than effective control.

C

May be coincidental; not a reliable maturity metric.

180
MCQmedium

Refer to the exhibit. The CISO wants to improve the program. Which recommendation BEST addresses the main gap shown in the dashboard?

A.Implement automated patching for high-risk vulnerabilities
B.Reduce the compliance target for high-risk vulnerabilities to 90 days
C.Focus on critical vulnerability remediation
D.Increase patch frequency for all systems
AnswerA

Automation can help reduce the 12% that exceed the 60-day window.

Why this answer

Option A is correct because remediation of high-risk vulnerabilities is at 88%, below target, and automated patching for high-risk vulnerabilities targets that specific metric. Option B is wrong because loosening the target to 90 days hides the underlying issue rather than addressing it. Option C is wrong because critical vulnerability remediation is already high.

Option D is wrong because increasing patch frequency for all systems does not target the specific gap.

181
MCQmedium

A company's incident response team uses a SIEM to detect security events. Which SIEM capability is MOST critical for early detection of a potential incident?

A.Correlation rules
B.Real-time alerting
C.User and entity behavior analytics (UEBA)
D.Long-term log retention
AnswerA

Correlation rules link related events across sources to detect attacks early.

Why this answer

Correlation rules analyze multiple log sources to identify patterns indicating an attack, enabling early detection. Real-time alerting (B) is important but depends on correlation to decide what is worth alerting on. User and entity behavior analytics (C) is an advanced capability but not the most critical for early detection of a potential incident.

Long-term log retention (D) aids investigation rather than detection.

182
Multi-Selecteasy

Which THREE steps are essential in the post-incident review process?

Select 3 answers
A.Identify lessons learned and process improvements
B.Update the incident response plan
C.Assign blame for the incident
D.Conduct a root cause analysis
E.Renew vendor contracts
AnswersA, B, D

Continuous improvement is a primary goal.

Why this answer

Options A, B, and D are correct: identifying lessons learned and process improvements, updating the incident response plan, and conducting a root cause analysis are the key post-incident steps. Option C is wrong because assigning blame is counterproductive. Option E is wrong because vendor contracts are not necessarily reviewed unless they are relevant to the incident.

183
MCQmedium

A large enterprise is implementing a new governance framework. The board has approved a risk appetite statement. What is the MOST important next step for the information security manager?

A.Implement technical controls to reduce risks
B.Develop an audit plan to monitor risk levels
C.Define risk acceptance criteria and thresholds
D.Conduct security awareness training for employees
AnswerC

Risk appetite needs operationalization through criteria.

Why this answer

Option C is correct because risk appetite must be translated into actionable acceptance criteria and thresholds before it can drive decision-making. Option A is wrong because controls implementation follows the definition of those criteria. Option B is wrong because an audit plan monitors against thresholds that must first be defined.

Option D is wrong because awareness training is important but is not the most immediate step.

184
Drag & Dropmedium

Arrange the steps for responding to a data breach involving personally identifiable information (PII).


Why this order

Incident response begins with containment, then evidence preservation, internal notification, impact assessment, and external notification.

185
MCQeasy

After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?

A.The affected users
B.Senior management and the board of directors
C.The IT support team
D.External auditors
AnswerB

They need to make strategic decisions based on the incident.

Why this answer

The primary audience for a post-incident report detailing root cause, impact, and lessons learned is senior management and the board of directors. They require this information to make strategic decisions about risk acceptance, resource allocation for remediation, and to fulfill fiduciary duties regarding cybersecurity governance. The report provides the business context and financial impact necessary for executive-level oversight, not the technical details needed by operational teams.

Exam trap

The trap here is that candidates confuse the audience for the detailed technical incident report (which goes to IT and the incident response team) with the audience for the lessons-learned executive summary, which is specifically designed for senior management and the board.

How to eliminate wrong answers

Option A is wrong because affected users need only immediate guidance on how to resume normal operations and any required password resets, not a detailed root cause analysis or lessons learned. Option C is wrong because the IT support team requires operational runbooks and specific technical indicators (e.g., IOCs, log snippets, patch versions) to implement fixes, not a high-level executive summary. Option D is wrong because external auditors typically request evidence of incident response process compliance (e.g., chain of custody, timestamps, policy adherence) rather than the strategic lessons-learned report intended for internal governance.

186
MCQeasy

A small business is developing its first information security program. Which approach is most effective?

A.Hire an external security consultant to design the entire program.
B.Adopt a comprehensive framework like ISO 27001 immediately.
C.Conduct a risk assessment to identify key assets and threats.
D.Purchase and deploy a next-generation firewall.
AnswerC

Aligns program with actual business risks and priorities.

Why this answer

Conducting a risk assessment first establishes the foundation for a tailored, cost-effective program. Prematurely adopting a full framework can be overwhelming; point solutions and full outsourcing are less sustainable.

187
MCQeasy

During an internal audit, it was found that the security policy does not address the use of personal devices for work. Which governance action should be taken first?

A.Develop a mobile device management policy and conduct a risk assessment
B.Train users on security awareness
C.Purchase MDM software
D.Immediately ban all personal devices
AnswerA

This is the proper governance approach: policy first, then technology and training.

Why this answer

Option A is correct because governance starts with policy development based on a risk assessment. Option B is wrong because training should follow the policy it is meant to reinforce. Option C is wrong because it puts technology before policy.

Option D is wrong because an outright ban is reactive and may disrupt operations.

188
Multi-Selectmedium

Which THREE of the following are common challenges in incident response? (Select exactly 3)

Select 3 answers
A.Over-reliance on cloud services
B.Poor coordination between teams
C.Insufficient staffing and expertise
D.Difficulty in identifying the root cause
E.Lack of proper tools and technology
AnswersB, C, E

Silos hinder effective response.

Why this answer

Poor coordination between teams (Option B) is a common challenge in incident response because security incidents often require collaboration across IT, legal, PR, and management. Without clear communication channels and predefined roles, response efforts become fragmented, leading to delays in containment and recovery. This is a well-documented issue in frameworks like NIST SP 800-61, which emphasizes the need for a coordinated incident response plan.

Exam trap

ISACA often tests the distinction between operational challenges during active response (coordination, staffing, tools) versus strategic or post-incident issues (cloud dependency, root cause analysis) to see if candidates confuse the incident response lifecycle phases.

189
Drag & Dropmedium

Order the steps for conducting an internal audit of an information security management system (ISMS) based on ISO 27001.


Why this order

Audits start with scope definition, planning, execution, documentation, and reporting.

190
MCQhard

An organization's incident response team uses a SIEM system to correlate logs. A malicious insider is able to cover their tracks by deleting logs from the SIEM. Which of the following is the BEST preventive control?

A.Alert when logs are deleted from SIEM.
B.Restrict SIEM access to authorized personnel only.
C.Require multifactor authentication for SIEM access.
D.Implement a separate, write-once log storage that is inaccessible to the SIEM.
AnswerD

Write-once storage outside the SIEM's reach keeps a tamper-proof copy of the logs even if the SIEM itself is compromised.

Why this answer

Option D is correct because a separate, write-once log store that the SIEM cannot write to or delete from prevents tampering even if the SIEM is compromised or its operator is the insider. Option A is wrong because alerting is a detective control; it does not prevent deletion and can itself be suppressed by the insider. Option B is wrong because the insider may already be among the authorized personnel.

Option C is wrong because multifactor authentication strengthens authentication but does not prevent deletions by an authenticated, authorized user.
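The write-once store in Option D prevents tampering; a complementary detective measure is to make the log itself tamper-evident, so that any deletion, edit or reordering of entries is provable after the fact. The following is an added example, not code from the exam page: a hash-chained append-only log whose head hash is shipped to the separate write-once store, and a verifier that checks a retrieved copy against it. The event fields and the insider edits are constructed for illustration.

```python
"""Hash-chained, append-only log with verification against a separately stored head.

Added example, not from the exam page. Event content and field names are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def entry_hash(seq, prev_hash, event):
    """Commit to position, predecessor and content; sort_keys makes the encoding canonical."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class TamperEvidentLog:
    """Each entry carries the hash of the previous one, so edits or gaps break the chain."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        digest = entry_hash(seq, prev, event)
        self.entries.append({"seq": seq, "prev_hash": prev, "event": event, "hash": digest})
        return digest  # the caller ships this head hash to the write-once store

    @property
    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Return (ok, reason). Modification, reordering and deletion inside the chain are
    caught from the entries alone; truncation of the tail needs the externally stored head."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at position {i} (entry claims seq {e['seq']})"
        if e["prev_hash"] != prev:
            return False, f"entry {i} does not chain to its predecessor"
        if entry_hash(e["seq"], e["prev_hash"], e["event"]) != e["hash"]:
            return False, f"entry {i} content does not match its hash"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: tail entries are missing"
    return True, "chain intact"


def demo_tampering():
    """Build a small log, then apply three insider edits and verify each copy."""
    log = TamperEvidentLog()
    for ev in ({"user": "jdoe", "action": "login", "host": "dc01"},
               {"user": "jdoe", "action": "read", "object": "payroll.db"},
               {"user": "jdoe", "action": "copy", "object": "payroll.db", "dest": "usb0"},
               {"user": "jdoe", "action": "logout", "host": "dc01"}):
        log.append(ev)
    head = log.head                              # kept outside the SIEM (write-once)

    deleted = copy.deepcopy(log.entries)
    del deleted[2]                               # remove the incriminating copy event
    modified = copy.deepcopy(log.entries)
    modified[2]["event"]["dest"] = "backup"      # or rewrite it instead
    truncated = copy.deepcopy(log.entries)[:-2]  # or drop the last two entries

    return {
        "intact": verify_chain(log.entries, head),
        "deleted": verify_chain(deleted, head),
        "modified": verify_chain(modified, head),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo_tampering().items():
        print(f"{name:20} {'OK ' if ok else 'BAD'} {reason}")
```

The truncated copy passes when checked on its own and fails only against the externally stored head, which is the reason the head hash (or the whole log) has to live somewhere the SIEM and its operators cannot overwrite; hash chaining alone makes tampering evident, not impossible.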

191
MCQhard

Refer to the exhibit. An analyst observes the network traffic between three internal hosts and a web server. Which of the following is the MOST likely interpretation of this traffic?

A.A SYN flood attack is in progress.
B.A single host is using multiple IP addresses to scan the server.
C.Multiple users are accessing the web server normally.
D.A distributed denial-of-service (DDoS) attack is occurring.
AnswerC

The logs show successful TCP connections followed by HTTP requests.

Why this answer

The exhibit shows multiple internal hosts (10.0.0.1, 10.0.0.2, 10.0.0.3) each establishing a normal TCP three-way handshake with the web server (192.168.1.100) on port 80, with varying source ports and no abnormal flags or packet rates. This pattern indicates legitimate concurrent user access, as each host completes the handshake and exchanges data without flooding or scanning behavior.

Exam trap

The trap here is that candidates may misinterpret any traffic from multiple hosts as a DDoS attack, failing to notice the normal handshake completion and low packet volume that indicate legitimate user access rather than an attack.

How to eliminate wrong answers

Option A is wrong because a SYN flood would show a high volume of SYN packets, typically from spoofed or randomized source addresses, with the server's SYN-ACKs never acknowledged, not the clean three-way handshakes seen here. Option B is wrong because a single host using multiple IP addresses to scan the server would typically send probes to multiple ports or show incomplete connections (e.g., SYN scans answered with RST), not full handshakes to the same port from distinct internal IPs. Option D is wrong because a DDoS attack would involve a massive number of packets from many sources overwhelming the server, often with incomplete connections or unusual traffic patterns, not the orderly, low-rate connections from three hosts.
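Question 177 (confirming a suspected DDoS from traffic data before acting) and the exhibit question above (reading the handshake pattern of three hosts) rest on the same analysis: per-source handshake completion and port spread. The following is an added example, not code from the exam page, that runs that analysis over constructed packet records; the record layout (source, source port, destination, destination port, TCP flags), the server address and the thresholds are assumptions chosen for illustration.

```python
"""Per-source TCP handshake analysis over constructed packet records.

Added example for illustration; the record layout (src_ip, src_port, dst_ip,
dst_port, tcp_flags), the server address and the thresholds are assumptions.
"""
from collections import defaultdict

SYN, SYNACK, ACK, RSTACK = "S", "SA", "A", "RA"
SERVER = "192.168.1.100"  # web server address from the exhibit question


def build_sample_packets(server=SERVER):
    """Constructed packets covering the three patterns the questions contrast."""
    pkts = []
    # 1. Three internal hosts, each completing a clean three-way handshake on port 80.
    for i, host in enumerate(("10.0.0.1", "10.0.0.2", "10.0.0.3")):
        sport = 51000 + i
        pkts += [(host, sport, server, 80, SYN),
                 (server, 80, host, sport, SYNACK),
                 (host, sport, server, 80, ACK)]
    # 2. One host probing many ports; the server refuses each with RST/ACK.
    for port in (21, 22, 23, 25, 110, 143, 3306, 8080):
        pkts += [("10.0.0.9", 40000 + port, server, port, SYN),
                 (server, port, "10.0.0.9", 40000 + port, RSTACK)]
    # 3. Thirty (spoofed) sources that never answer the SYN-ACK: a half-open flood.
    for i in range(30):
        src = f"203.0.113.{i + 1}"
        pkts += [(src, 30000 + i, server, 80, SYN),
                 (server, 80, src, 30000 + i, SYNACK)]
    return pkts


def track_connections(packets, server=SERVER):
    """Map (client_ip, client_port, server_port) to its handshake state."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        if dst == server:                      # client -> server direction
            key = (src, sport, dport)
            if flags == SYN:
                state[key] = "syn"
            elif flags == ACK and state.get(key) == "syn-ack":
                state[key] = "established"
        elif src == server:                    # server -> client direction
            key = (dst, dport, sport)
            if flags == SYNACK and state.get(key) == "syn":
                state[key] = "syn-ack"         # half-open until the client ACKs
            elif flags == RSTACK and state.get(key) == "syn":
                state[key] = "refused"
    return state


def classify_sources(packets, server=SERVER, scan_ports=5):
    """Label each client: normal, port-scan, half-open (never completes) or mixed."""
    per_src = defaultdict(list)
    for (ip, _cport, sport), st in track_connections(packets, server).items():
        per_src[ip].append((sport, st))
    labels = {}
    for ip, entries in per_src.items():
        ports = {p for p, _ in entries}
        established = sum(st == "established" for _, st in entries)
        if len(ports) >= scan_ports:
            labels[ip] = "port-scan"
        elif established == len(entries):
            labels[ip] = "normal"
        elif established == 0:
            labels[ip] = "half-open"
        else:
            labels[ip] = "mixed"
    return labels


def assess_server(packets, server=SERVER, flood_threshold=25, min_sources=10):
    """Server-wide view: is the half-open backlog consistent with a SYN flood?"""
    conns = track_connections(packets, server)
    half_open = [k for k, st in conns.items() if st == "syn-ack"]
    sources = {k[0] for k in half_open}
    if len(half_open) >= flood_threshold and len(sources) >= min_sources:
        verdict = "syn-flood-suspected (distributed)"
    elif len(half_open) >= flood_threshold:
        verdict = "syn-flood-suspected (single source)"
    else:
        verdict = "no flood"
    return {"connections": len(conns), "half_open": len(half_open),
            "half_open_sources": len(sources), "verdict": verdict}


if __name__ == "__main__":
    pkts = build_sample_packets()
    for ip, label in sorted(classify_sources(pkts).items()):
        print(f"{ip:16} {label}")
    print(assess_server(pkts))
```

The per-source labels alone would not reveal the distributed flood, since each spoofed source leaves a single half-open connection; the server-wide backlog count is what confirms it, which is the evidence the team in question 177 needs before involving the ISP or applying rate limits.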

192
Multi-Selectmedium

Which of the following are key components of an information security program's strategic plan? (Select two.)

Select 2 answers
A.Annual budget allocation
B.Security program vision and objectives
C.Incident response procedures
D.Roadmap for security initiatives
AnswersB, D

Why this answer

The strategic plan for an information security program defines the long-term direction and governance framework. The security program vision and objectives (B) establish the overarching goals and alignment with business strategy, while the roadmap for security initiatives (D) provides the phased implementation plan to achieve those objectives. These are foundational components of strategic planning, not operational or tactical elements.

Exam trap

ISACA often tests the distinction between strategic (vision, roadmap) and operational/tactical (budget, procedures) components, leading candidates to mistakenly select annual budget allocation as a strategic element because it is a common management activity.

Why the other options are wrong

A

Budgeting is operational, not strategic.

C

Procedures are operational.

193
MCQhard

Acme Corp, a global manufacturer, has a decentralized security governance model. Each business unit manages its own security, resulting in inconsistent policies and repeated audit findings. The new CISO proposes a federated model where a central team sets minimum standards and each unit can add local controls. However, the European unit's head insists on full autonomy due to GDPR strictness. The board is concerned about compliance costs. What should the CISO do first?

A.Implement the federated model immediately and require all units to comply
B.Allow the European unit to keep full autonomy while others follow the model
C.Conduct a risk assessment to identify where local controls are truly needed
D.Hire a GDPR expert for the European unit
AnswerC

A risk-based approach provides evidence for the federated model.

Why this answer

Option C is correct because conducting a risk assessment will identify where local controls are truly necessary and justify the federated model. Option A ignores local concerns. Option B undermines the federation goal.

Option D is a tactical fix, not strategic.

194
MCQeasy

Refer to the exhibit. The dashboard shows the incident response plan test is overdue. What is the MOST immediate risk?

A.Loss of cyber insurance coverage
B.Regulatory fines for non-compliance with testing requirements
C.Extended recovery time during an incident
D.Increased likelihood of a successful breach due to untested procedures
AnswerD

Without testing, the incident response plan may fail, leading to greater damage.

Why this answer

Option D is correct because an untested plan may contain outdated or invalid procedures, increasing the likelihood that a breach succeeds or spreads during a real incident. Option B is wrong because regulatory fines may result, but the immediate risk is operational. Option C is wrong because extended recovery time is a consequence of the failed procedures, not the primary risk.

Option A is wrong because the insurance impact is less immediate.

195
MCQhard

During a risk assessment, the risk team identifies that a key vendor has access to sensitive data. The vendor's security posture is unclear. Which of the following is the BEST course of action?

A.Ignore the risk because the vendor is known
B.Terminate the vendor relationship immediately
C.Conduct a third-party risk assessment
D.Request the vendor's latest security certification
AnswerC

A formal assessment evaluates the vendor's security controls.

Why this answer

Option C is correct because conducting a third-party risk assessment provides the clarity that is currently missing. Option A is wrong because ignoring a risk is not risk management. Option B is wrong because immediately terminating the relationship may be disruptive and is not justified before the risk is understood.

Option D is wrong because a certification alone may not be sufficient evidence of the vendor's actual controls.

196
MCQmedium

During a phishing campaign, several employees clicked a malicious link that downloaded a remote access trojan (RAT). The incident response team has isolated the infected endpoints and is analyzing network traffic. They suspect that data may have been exfiltrated but are unsure. The team needs to determine the extent of data exfiltration as quickly as possible. What action should the team take FIRST?

A.Review DNS logs for outbound connections to unknown destinations
B.Block the malicious domain at the firewall
C.Reset all employees' passwords
D.Run a full network scan for open ports
AnswerA

DNS logs can show queries to command-and-control or exfiltration domains, providing evidence.

Why this answer

Reviewing DNS logs can reveal connections to known malicious domains or unusual patterns, helping identify data exfiltration. Blocking the domain is a containment step but doesn't aid analysis. Running a network scan may be too broad.

Resetting passwords is important but not for detecting exfiltration.
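The review recommended above looks for exactly the patterns a RAT leaves in resolver logs: queries from the isolated endpoints to domains nobody else talks to, many unique subdomains under one domain, long high-entropy leftmost labels (encoded data) and TXT lookups. The following is an added example, not code from the exam page, that scores constructed resolver log lines on those indicators; the log format, the allowlist, the thresholds and the domains (reserved example/.test names) are assumptions.

```python
"""Triage of DNS resolver logs for exfiltration and tunneling indicators.

Added example, not from the exam page. Log format, allowlist, thresholds and the
sample lines are constructed for illustration.
"""
import math
from collections import defaultdict

# 32 characters, each hex digit exactly twice: Shannon entropy is exactly 4.0 bits.
_HEX32 = "0123456789abcdeffedcba9876543210"


def _rot(s, n):
    return s[n:] + s[:n]


def build_sample_log():
    """Constructed lines: '<timestamp> <client_ip> <qtype> <qname>'."""
    lines = []
    for i in range(6):   # ordinary browsing to an allowlisted domain
        lines.append(f"2024-05-01T02:1{i}:00 10.0.0.1{i % 3} A www.example.com")
    for i, host in enumerate(("mail", "www", "imap", "mail", "www", "imap")):
        lines.append(f"2024-05-01T02:2{i}:00 10.0.0.2{i % 2} A {host}.example.net")
    for i in range(8):   # one infected endpoint pushing encoded chunks through DNS
        qtype = "TXT" if i % 4 == 0 else "A"
        lines.append(f"2024-05-01T02:3{i}:00 10.0.0.15 {qtype} {_rot(_HEX32, i)}.data.exfil.test")
    return "\n".join(lines)


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximation: the last two labels. A production tool would use the public suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def parse_dns_log(text):
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the whole review
        ts, client, qtype, qname = fields
        yield ts, client, qtype.upper(), qname.lower()


def triage_dns(text, allowlist, min_queries=5, max_label=30, entropy_threshold=3.5):
    """Return suspicious registered domains, most indicators first."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "clients": set(),
                                 "txt": 0, "max_label": 0, "entropy_sum": 0.0})
    for _ts, client, qtype, qname in parse_dns_log(text):
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")          # everything left of the domain
        leftmost = sub.split(".")[0] if sub else ""   # the label that would carry data
        s = stats[dom]
        s["queries"] += 1
        s["subs"].add(sub)
        s["clients"].add(client)
        s["txt"] += qtype == "TXT"
        s["max_label"] = max(s["max_label"], len(leftmost))
        s["entropy_sum"] += shannon_entropy(leftmost)

    flagged = []
    for dom, s in stats.items():
        if dom in allowlist or s["queries"] < min_queries:
            continue
        reasons = []
        if len(s["subs"]) / s["queries"] >= 0.8:
            reasons.append("high unique-subdomain ratio")
        if s["max_label"] >= max_label:
            reasons.append("long leftmost label")
        if s["entropy_sum"] / s["queries"] >= entropy_threshold:
            reasons.append("high-entropy labels")
        if s["txt"]:
            reasons.append("TXT queries from an endpoint")
        if reasons:
            flagged.append({"domain": dom, "queries": s["queries"],
                            "clients": sorted(s["clients"]), "reasons": reasons})
    flagged.sort(key=lambda f: (-len(f["reasons"]), -f["queries"]))
    return flagged


if __name__ == "__main__":
    for finding in triage_dns(build_sample_log(), allowlist={"example.com"}):
        print(finding)
```

Restricting the first pass to the isolated endpoints' client addresses and the incident window keeps the result list short; a hit on one domain gives the team the destination and the number of carrying queries, which is the starting point for estimating how much data left.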

197
Multi-Selecthard

Which THREE of the following are common challenges when implementing a risk management program in an organization? (Choose three.)

Select 3 answers
A.Lack of senior management support
B.Inability to quantify risks in financial terms
C.Too many controls implemented too quickly
D.Resistance to change from business units
E.Overly detailed risk appetite
AnswersA, B, D

Without top-down support, the program may lack resources and authority.

Why this answer

Options A, B, and D are correct: without senior management support the program lacks resources and authority, risks are difficult to express in financial terms, and business units resist the changes the program imposes. Option C is incorrect because controls are implemented after risk assessment, so over-rapid control deployment is not a typical program challenge. Option E is incorrect because risk appetite should be defined up front as a boundary for decisions; an overly detailed statement is not a commonly cited challenge.

198
Multi-Selecthard

Which THREE of the following are essential components of a mature information security governance framework?

Select 3 answers
A.A formally defined and approved risk appetite statement.
B.Performance measurement and reporting mechanisms for the board.
C.Full compliance with all relevant regulatory requirements.
D.Strategic alignment between security objectives and business goals.
E.A dedicated security operations center (SOC) with 24/7 monitoring.
AnswersA, B, D

Risk appetite guides decision-making across the organization.

Why this answer

Options A, B, and D are correct. A formally approved risk appetite statement (A) sets boundaries, performance measurement and reporting to the board (B) enable oversight, and strategic alignment (D) ensures security supports business goals. Option C is wrong because regulatory compliance is an outcome of governance, not a framework component itself.

Option E is wrong because a security operations center is an operational function, not a governance component.

199
MCQhard

Based on the exhibit, what is the most likely vulnerability that an attacker could exploit?

A.An attacker could perform a DDoS attack on the external interface to disrupt email services.
B.An attacker could use SQL injection on the web server to extract data directly from the database via the permitted MySQL traffic.
C.An attacker could exploit the SMTP service to send spam.
D.An attacker could sniff traffic on the DMZ segment to capture LDAP credentials.
AnswerB

The MySQL rule allows direct database access from web; SQL injection can leverage this.

Why this answer

The firewall permits MySQL traffic directly from the web server to the database server, and the IDS on the DMZ-Internal segment is passive: it alerts but does not block. An attacker who exploits a SQL injection flaw in the web application therefore has a permitted network path to the database and can extract data; the IDS may detect the activity but will not prevent it.

The underlying weakness is the lack of application-layer filtering between the web and database tiers: the tiers sit in different zones, but the rule set still allows direct database access from the web tier, so a compromised web server becomes a direct route to the data.

200
MCQmedium

An organization's security program includes metrics to measure performance. Which metric BEST indicates the effectiveness of the vulnerability management process?

A.Number of vulnerabilities identified
B.Number of patches deployed per month
C.Percentage of systems scanned weekly
D.Mean time to remediate (MTTR) vulnerabilities
AnswerD

MTTR shows how quickly the organization fixes vulnerabilities, a key effectiveness indicator.

Why this answer

Option D is correct because mean time to remediate (MTTR) directly reflects how quickly vulnerabilities are addressed, which is an outcome measure of process effectiveness. Option A is wrong because a count alone does not indicate resolution. Option C is wrong because scan coverage is a process measure, not an outcome.

Option B is wrong because the number of patches deployed may include non-critical patches and says nothing about how long exposures persisted.
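Question 180's dashboard (percentage of high-risk vulnerabilities remediated within the 60-day window) and the MTTR metric above are both derived from the same ticket data, and the awkward cases are the open items: one that is already past its SLA is a miss, while one still inside its SLA has no outcome yet. The following is an added example, not code from the exam page, that computes both metrics per severity from constructed records; the record layout, the sample data and the SLA targets other than the 60-day high-risk window are assumptions.

```python
"""Vulnerability-management outcome metrics from a constructed ticket export.

Added example, not from the exam page. The SLA targets other than the 60-day
high-risk window, the record layout and the sample data are assumptions.
"""
from datetime import date, timedelta

SLA_DAYS = {"critical": 15, "high": 60, "medium": 90}  # assumed; the page states only the 60-day high window
AS_OF = date(2024, 6, 30)


def _rec(vid, severity, discovered, days_to_fix=None):
    """Constructed record; days_to_fix=None means the vulnerability is still open."""
    fixed = discovered + timedelta(days=days_to_fix) if days_to_fix is not None else None
    return {"id": vid, "severity": severity, "discovered": discovered, "remediated": fixed}


SAMPLE_VULNS = [
    _rec("V-01", "critical", date(2024, 3, 1), 5),
    _rec("V-02", "critical", date(2024, 3, 3), 10),
    _rec("V-03", "critical", date(2024, 3, 9), 12),
    *[_rec(f"V-1{i}", "high", date(2024, 3, 1) + timedelta(days=i), d)
      for i, d in enumerate((10, 20, 30, 40, 50, 55, 58))],
    _rec("V-20", "high", date(2024, 4, 16)),        # open 75 days at AS_OF: SLA already breached
    _rec("V-21", "high", date(2024, 6, 20)),        # open 10 days: clock still running
    _rec("V-30", "medium", date(2024, 2, 1), 30),
    _rec("V-31", "medium", date(2024, 2, 1), 100),  # closed, but 10 days past the 90-day SLA
    _rec("V-32", "medium", date(2024, 6, 10)),      # open 20 days
]


def vuln_metrics(records, as_of=AS_OF, sla_days=SLA_DAYS):
    """Per severity: SLA attainment and MTTR.

    Open items past their SLA count as misses; open items still inside the SLA are
    excluded from the attainment denominator (their outcome is not yet known) but
    are reported under 'open'. MTTR is computed over closed items only.
    """
    out = {}
    for sev, sla in sla_days.items():
        rows = [r for r in records if r["severity"] == sev]
        closed = [r for r in rows if r["remediated"] is not None]
        still_open = [r for r in rows if r["remediated"] is None]
        durations = [(r["remediated"] - r["discovered"]).days for r in closed]
        within = sum(d <= sla for d in durations)
        overdue_open = [r["id"] for r in still_open if (as_of - r["discovered"]).days > sla]
        eligible = len(closed) + len(overdue_open)
        out[sev] = {
            "total": len(rows),
            "open": len(still_open),
            "overdue_open": overdue_open,
            "pct_within_sla": round(100 * within / eligible, 1) if eligible else None,
            "mttr_days": round(sum(durations) / len(durations), 1) if durations else None,
        }
    return out


def weakest_tier(metrics):
    """Severity with the lowest SLA attainment, the gap a dashboard would surface first."""
    scored = {s: m["pct_within_sla"] for s, m in metrics.items() if m["pct_within_sla"] is not None}
    return min(scored, key=scored.get) if scored else None


if __name__ == "__main__":
    m = vuln_metrics(SAMPLE_VULNS)
    for sev, stats in m.items():
        print(sev, stats)
    print("weakest tier:", weakest_tier(m))
```

Reporting MTTR over closed items only is the usual convention, but it flatters a team that never closes its oldest findings; pairing it with the overdue-open list, as here, keeps the backlog visible.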

201
MCQhard

You are the CISO of a mid-sized e-commerce company with 500 employees. The company recently suffered a data breach where an attacker exfiltrated customer credit card data from the production database. The investigation revealed that the breach originated from a compromised developer workstation. The developer had been granted direct access to the production database for troubleshooting purposes, a practice that had been in place for years. The security governance framework currently lacks a formal process for managing privileged access. The board has asked for immediate improvements to prevent recurrence. Which course of action BEST addresses the governance gap?

A.Implement a privileged access management (PAM) solution with just-in-time access and session recording.
B.Segment the network to isolate production databases from developer workstations.
C.Conduct security awareness training for all developers on password security.
D.Deploy endpoint protection and patch management for all workstations.
AnswerA

Addresses the governance gap by formalizing and controlling privileged access.

Why this answer

The core governance gap is the lack of a formal process for managing privileged access. Implementing a Privileged Access Management (PAM) solution with just-in-time (JIT) access and session recording directly addresses this by enforcing time-bound, auditable, and approved access to the production database, eliminating standing privileges. This aligns with the principle of least privilege and provides a governance mechanism to control, monitor, and revoke elevated access, which is the root cause of the breach.

Exam trap

The trap here is that candidates confuse technical controls (segmentation, patching, training) with governance controls (policies, processes, and oversight), leading them to select a solution that mitigates symptoms rather than the root governance gap of unmanaged privileged access.

How to eliminate wrong answers

Option B is wrong because network segmentation is a technical control that reduces the attack surface but does not establish a formal governance process for managing privileged access; it does not address the lack of a policy or procedure for granting, reviewing, or revoking production database access. Option C is wrong because security awareness training focuses on user behavior and password hygiene, but it does not solve the governance deficiency of having no formal privileged access management process; the breach occurred due to standing privileges, not weak passwords. Option D is wrong because endpoint protection and patch management are essential security hygiene measures but do not create a governance framework for controlling who gets privileged access and under what conditions; they mitigate workstation compromise but not the systemic lack of access governance.

202
MCQhard

You are the incident response manager for a multinational corporation that processes sensitive financial data. The company has a mature security operations center (SOC) that monitors network traffic, endpoints, and cloud services. At 2:00 AM local time, the SOC alerts you to a critical incident: an internal server (IP 10.10.10.50) is communicating with an external IP address (198.51.100.23) known to be associated with a ransomware group. The server hosts a financial database that is replicated to a secondary site every 6 hours. The last successful replication was at 1:00 AM. The SOC has already isolated the server from the network by blocking its outbound traffic at the firewall. However, the server is still running. The initial investigation suggests that the communication started 30 minutes ago. The database contains customer PII and transactional data. Your incident response plan includes steps for containment, eradication, recovery, and post-incident review. The CEO is being notified and expects a recommendation on the best course of action. The company has a cyber insurance policy that requires timely notification and preservation of evidence. The legal department advises that any action that could destroy evidence must be carefully considered. Which of the following is the BEST course of action?

A.Take a forensic image of the server's memory and disk for analysis, then rebuild the server from a known good backup.
B.Reconnect the server to the network and attempt to negotiate with the attacker if ransomware is detected.
C.Immediately wipe the server and restore from the 1:00 AM backup to minimize downtime.
D.Leave the server isolated but running to monitor the attacker's actions and gather intelligence.
AnswerA

Forensic imaging preserves evidence, and rebuilding ensures a clean system.

Why this answer

Option A is correct because it balances forensic preservation (memory and disk imaging) with recovery from a known good backup, ensuring evidence is intact for legal and insurance requirements while restoring operations. The server is isolated, so imaging can be done safely without risk of further compromise, and the 1:00 AM replica, taken about 30 minutes before the malicious communication began (around 1:30 AM), is the most recent known good copy, minimizing data loss.

Exam trap

ISACA often tests the misconception that immediate eradication (wiping) is faster and safer, but the trap here is that destroying evidence before forensic imaging violates legal and insurance requirements, and the isolated server can be safely imaged without risk of spread.

How to eliminate wrong answers

Option B is wrong because reconnecting the server to the network to negotiate with attackers would expose the environment to active ransomware deployment, violating containment principles and potentially destroying evidence. Option C is wrong because immediately wiping the server destroys volatile memory evidence (e.g., running processes, network connections) and disk artifacts needed for forensic analysis, which could violate cyber insurance policy requirements for evidence preservation. Option D is wrong because leaving the server isolated but running to monitor attackers risks the ransomware encrypting data in memory or triggering a delayed payload, and the SOC has already blocked outbound traffic, so no actionable intelligence can be gathered from a severed connection.

203
Multi-Selecthard

A security analyst reviews the following alert from the SIEM: 'Multiple failed login attempts from IP 10.0.0.5 to the domain controller within 5 minutes.' Which TWO actions should the analyst take as part of initial incident response?

Select 2 answers
A.Block the IP address in the firewall immediately.
B.Review authentication logs from other servers for similar patterns.
C.Escalate the alert to the incident response team.
D.Reset the password of the targeted account.
E.Check if the source IP belongs to an internal asset.
AnswersB, E

Correlation helps identify a broader attack.

Why this answer

Option B is correct because reviewing authentication logs from other servers for similar patterns helps determine if the failed login attempts are part of a broader brute-force or password-spraying attack targeting multiple systems, not just the domain controller. This lateral analysis is a key initial step in incident response to assess the scope and identify compromised accounts or additional indicators of compromise (IoCs). Option E is correct because verifying whether the source IP belongs to an internal asset is critical to distinguish between an external attacker and a misconfigured internal service or user, which directly impacts the response strategy (e.g., internal remediation vs. external threat containment).

Exam trap

The trap here is that candidates often confuse immediate containment (blocking the IP) with proper triage, failing to recognize that validating the source IP's ownership and correlating logs across systems are essential first steps before any irreversible action is taken.
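The two correct actions above, correlating the failures across other servers and checking whether the source is an internal asset, are mechanical enough to script before anyone touches a firewall rule. The following is an added example, not code from the exam page: it parses constructed authentication log lines from several servers, finds every source whose failures exceed a threshold within a sliding five-minute window, separates brute-force (one account) from spraying (many accounts), and looks the source up against private address ranges and a constructed inventory. The log format, the inventory and the thresholds are assumptions.

```python
"""Triage of a 'multiple failed logins' SIEM alert: correlate across servers and
check the source against the internal address space and the asset inventory.

Added example, not from the exam page. Log format, inventory and thresholds are
assumptions; the log lines are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ASSET_INVENTORY = {  # constructed CMDB excerpt
    "10.0.0.5": "jumpbox-01 (operations)",
    "10.0.0.20": "ws-mlee (workstation)",
}


def build_sample_auth_log():
    """Constructed lines: '<timestamp> <server> <FAIL|OK> user=<name> src=<ip>'."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # 10.0.0.5 hammers one account on the DC, then continues on a file server.
    for i in range(6):
        lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()} dc01 FAIL user=jsmith src=10.0.0.5")
    for i in range(3):
        lines.append(f"{(t0 + timedelta(minutes=2, seconds=30 * i)).isoformat()} fs01 FAIL user=jsmith src=10.0.0.5")
    # 10.0.0.77 tries one password against six accounts (spray); not in the inventory.
    for i, user in enumerate(("alice", "bob", "carol", "dave", "erin", "frank")):
        lines.append(f"{(t0 + timedelta(minutes=10, seconds=15 * i)).isoformat()} dc01 FAIL user={user} src=10.0.0.77")
    # 10.0.0.20: a mistyped password followed by success, ordinary user behaviour.
    lines.append(f"{(t0 + timedelta(minutes=30)).isoformat()} dc01 FAIL user=mlee src=10.0.0.20")
    lines.append(f"{(t0 + timedelta(minutes=30, seconds=8)).isoformat()} dc01 OK user=mlee src=10.0.0.20")
    return "\n".join(lines)


def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the review
        kv = dict(p.split("=", 1) for p in parts[3:])
        events.append({"ts": datetime.fromisoformat(parts[0]), "server": parts[1],
                       "result": parts[2], "user": kv.get("user"), "src": kv.get("src")})
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def peak_in_window(times, window):
    """Largest number of events falling inside any sliding window of the given length."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def correlate_failures(events, window=timedelta(minutes=5), threshold=5):
    """One finding per source whose failures exceed the threshold in any window,
    with every server it touched, the account spread, and the asset lookup."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    findings = []
    for src, fails in by_src.items():
        peak = peak_in_window([e["ts"] for e in fails], window)
        if peak < threshold:
            continue
        users = {e["user"] for e in fails}
        findings.append({
            "src": src,
            "internal": is_internal(src),
            "asset": ASSET_INVENTORY.get(src, "UNKNOWN: not in inventory"),
            "servers": sorted({e["server"] for e in fails}),
            "failures": len(fails),
            "peak_in_window": peak,
            "pattern": "password-spray" if len(users) >= 5 else "brute-force",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_failures(parse_auth_log(build_sample_auth_log())):
        print(finding)
```

The two findings call for different responses: a known jump host failing repeatedly on one account may be a broken service credential or a compromised admin box, while an internal address that is not in the inventory spraying six accounts is a device nobody accounts for, which is the case where escalation to the incident response team follows.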

204
Matchingmedium

Match each security metric to its description.

Descriptions

Average time to detect an incident

Average time to remediate an incident

Average time between system failures

Contractual commitment for service levels

Indicator of risk level change

Why these pairings

Metrics used in security management.

205
MCQmedium

An incident response team discovers that an attacker used stolen credentials to access a database. Which step is MOST critical during the eradication phase?

A.Reset all passwords and revoke certificates.
B.Implement multi-factor authentication.
C.Patch the database server.
D.Restore the database from backup.
AnswerA

Eliminates attacker's access using stolen credentials.

Why this answer

Option A is correct because resetting passwords and revoking certificates removes the attacker's ability to keep using the stolen credentials. Option B is wrong because multi-factor authentication is a hardening improvement to adopt afterwards, not the step that evicts the attacker. Option C is wrong because patching does not address credentials that were stolen rather than obtained through a vulnerability. Option D is wrong because restoring from backup is a recovery step, not eradication.

206
Multi-Selecteasy

Which TWO of the following are primary responsibilities of the board of directors in information security governance?

Select 2 answers
A.Approving the organization's information security risk appetite.
B.Implementing security controls to mitigate identified risks.
C.Designing the technical security architecture for the organization.
D.Holding executive management accountable for the effectiveness of the security program.
E.Conducting internal security audits of the information systems.
AnswersA, D

The board sets the risk appetite.

Why this answer

Options A and D are correct. The board is responsible for approving the risk appetite (A) and ensuring executive management's performance on security (D). Option B is wrong because implementing controls is management's role.

Option C is wrong because technical security architecture is not a board function. Option E is wrong because the board oversees but does not conduct audits.

207
MCQmedium

An organization has a decentralized security governance model. The CISO is struggling to enforce consistent security policies across business units. What is the BEST approach to improve consistency?

A.Allow each business unit to define its own security policies.
B.Implement a federated model where business units have complete autonomy.
C.Mandate that all business units adopt the same security tools and processes.
D.Establish a central security governance committee with representation from each business unit.
AnswerD

Balances consistency with business unit needs.

Why this answer

In a decentralized governance model, the best approach to enforce consistent security policies without undermining business unit autonomy is to establish a central security governance committee with representation from each business unit. This federated approach ensures that policies are collaboratively developed, agreed upon, and uniformly applied, leveraging cross-unit input to balance security requirements with operational needs. It directly addresses the CISO's enforcement challenge by creating a formal, inclusive decision-making body that drives policy standardization.

Exam trap

The trap here is that candidates often confuse a federated model (Option B) with a collaborative governance committee, but the key distinction is that a federated model grants complete autonomy without central coordination, whereas a committee provides structured representation to enforce consistency.

How to eliminate wrong answers

Option A is wrong because allowing each business unit to define its own security policies would perpetuate inconsistency and fragmentation, directly contradicting the goal of improving consistency. Option B is wrong because implementing a federated model where business units have complete autonomy would remove any central oversight, making it impossible to enforce uniform security standards across the organization. Option C is wrong because mandating that all business units adopt the same security tools and processes is a rigid, top-down approach that ignores unique unit requirements and operational contexts, likely leading to resistance and non-compliance rather than genuine consistency.

208
MCQhard

After a merger, the combined organization has two different risk tolerance levels: one entity is risk-averse, the other is risk-taking. What is the best governance action?

A.Adopt the less restrictive risk tolerance
B.Maintain separate risk tolerance levels for each legacy entity
C.Adopt the more conservative risk tolerance across the board
D.Reassess risk appetite and approve a single unified statement
AnswerD

A unified risk appetite ensures consistent risk-taking aligned with strategic goals.

Why this answer

The board should reassess and approve a single, unified risk appetite statement to provide clear direction. Option B (keeping separate levels) leads to inconsistency. Option C (always using the more conservative level) may stifle innovation.

Option A (using the less restrictive level) could expose the organization to excessive risk.

209
MCQeasy

A data breach has occurred exposing customer personal information. The risk manager needs to select a response to reduce the likelihood of similar incidents. Which risk response is most appropriate?

A.Avoid the risk by discontinuing online services
B.Transfer the risk through cyber insurance
C.Accept the risk
D.Mitigate the risk by implementing stronger access controls
AnswerD

Addressing the control weakness reduces the likelihood of similar incidents.

Why this answer

Mitigating the risk by implementing stronger access controls directly addresses the root cause and reduces the likelihood of future breaches. Accepting the risk is inappropriate when a breach has already occurred. Transferring via insurance only covers financial loss but does not reduce likelihood.

Avoiding by discontinuing online services is extreme and not immediately necessary.

210
MCQmedium

During a security audit, several deviations from policy are found. What should the security manager do first?

A.Accept the risk and move on
B.Investigate the root cause of the deviations
C.Update the policies immediately
D.Take disciplinary action against responsible employees
AnswerB

Root cause analysis identifies systemic issues and informs corrective actions.

Why this answer

Investigating the root cause helps explain why the deviations occurred and prevents recurrence, so Option B is correct. Option A (accepting the risk) may be premature without understanding the causes.

Option C (updating the policies immediately) is reactive. Option D (disciplinary action) may be too harsh without analysis.

211
MCQeasy

Which of the following is the primary purpose of an Information Security Program?

A.To implement the latest security technologies
B.To align security with business objectives and manage risk
C.To comply with all applicable regulations
D.To eliminate all security risks
AnswerB

Why this answer

The primary purpose of an Information Security Program is to align security initiatives with business objectives and manage risk to an acceptable level. While technology implementation, compliance, and risk elimination are components, they are means to the end of supporting the organization's mission and risk appetite. A program that does not align with business goals will lack executive support and fail to prioritize resources effectively.

Exam trap

ISACA often tests the misconception that an Information Security Program is primarily about technology or compliance, when in fact it is a governance mechanism to align security with business strategy and manage risk.

Why the other options are wrong

A

Technology is a tool, not the program's purpose.

C

Compliance is a component, not the primary purpose.

D

Eliminating all risks is impossible and impractical.

212
MCQhard

You are the CISO of a large healthcare organization that has recently experienced a data breach due to an insider who exfiltrated patient data over several months. The breach was discovered by an external partner. The organization's information security program includes data loss prevention (DLP) tools, but they were not configured to monitor outbound data from the compromised system. Additionally, user activity monitoring (UAM) was only applied to privileged users, not to regular staff. The board demands a comprehensive improvement plan that will prevent similar incidents. However, there are concerns about employee privacy and budget constraints. The organization has a strong culture of trust and minimal monitoring. Which of the following should be the first priority in the revised program?

A.Expand user activity monitoring to all employees with a clear policy on privacy and acceptable use.
B.Implement stricter access controls and review user permissions quarterly.
C.Deploy a new DLP solution with advanced analytics and block all external data transfers.
D.Conduct additional security awareness training focused on insider threats.
AnswerA

Detects anomalous behavior; privacy guidelines address concerns.

Why this answer

Correct answer is A because expanding UAM to all users, with clear privacy guidelines, directly addresses the monitoring gap while respecting privacy. Option C (a new DLP solution only) may not catch slow exfiltration. Option B (stronger access controls) helps but does not detect ongoing exfiltration.

Option D (training) is important but not the primary corrective action.

213
MCQmedium

A company is choosing a risk assessment methodology for a new cloud-based application. The CISO prefers a method that uses monetary values and numerical probabilities to compute annual loss expectancy. Which methodology should be selected?

A.OCTAVE Allegro methodology
B.NIST SP 800-30 Revision 1 risk assessment process
C.Quantitative risk assessment using SLE, ARO, and ALE
D.Qualitative risk assessment using risk matrices
AnswerC

This uses monetary values and probabilities.

Why this answer

Option C is correct because SLE is the expected monetary loss from a single incident, ARO is the annual rate of occurrence, and ALE = SLE × ARO, which yields a quantitative risk value. Option D is wrong because a qualitative method uses rankings like high/medium/low, not monetary values. Option B is wrong because NIST SP 800-30 is a risk assessment guide, not a specific methodology.

Option A is wrong because OCTAVE is a qualitative methodology.

214
MCQmedium

You are a security analyst for a mid-sized e-commerce company. The company uses a cloud-based email service. Several employees report receiving phishing emails that appear to come from the CEO, asking them to purchase gift cards. The emails have a spoofed sender address but pass SPF and DKIM checks because the attacker compromised a legitimate email account. The CEO's account has been locked, but the attacker may have set up forwarding rules. You need to ensure the attacker cannot use the account further. You have the following options: A) Change the CEO's password and enable MFA, then remove any forwarding rules. B) Delete the CEO's email account and create a new one. C) Block all emails from the CEO's email address at the gateway. D) Restore the CEO's mailbox from a backup taken before the compromise. Which option is the BEST course of action?

A.Block the CEO's email address at the gateway
B.Delete the account and create a new one
C.Restore from backup
D.Change password, enable MFA, and remove forwarding rules
AnswerD

This secures the account and removes the attacker's persistence.

Why this answer

Option D is the best course of action because the attacker has already compromised the CEO's legitimate account, bypassing SPF and DKIM. Changing the password immediately revokes the attacker's session tokens and access, enabling MFA adds an additional authentication factor to prevent re-entry, and removing any forwarding rules stops the attacker from exfiltrating emails or continuing the phishing campaign through auto-forwarding. This directly addresses the root cause—the compromised account—without disrupting business continuity.

Exam trap

The trap here is that candidates may choose to block the email address at the gateway (Option A) thinking it stops the phishing, but they fail to realize the attacker still has full control of the account and can continue malicious activity without sending emails through the gateway.

How to eliminate wrong answers

Option A is wrong because blocking the CEO's email address at the gateway is a reactive measure that does not remove the attacker's access to the account; the attacker could still use the account to send emails internally or via other channels, and it would also block legitimate CEO emails. Option B is wrong because deleting the account and creating a new one is overly disruptive, causes loss of historical emails and continuity, and does not guarantee the attacker hasn't already set up forwarding rules or exfiltrated data; it also fails to address the need to secure the compromised account first. Option C is wrong because restoring from a backup taken before the compromise would revert the mailbox to a previous state but would not remove the attacker's current access (e.g., session tokens, forwarding rules set after the backup), and the attacker could still regain access if the password and MFA are not updated.

215
Multi-Selecteasy

Which TWO of the following are essential components of an information security program charter?

Select 2 answers
A.List of specific security tools to be deployed.
B.Roles and responsibilities of key stakeholders.
C.Vendor selection criteria.
D.Program scope and objectives.
E.Detailed budget allocation.
AnswersB, D

Clear accountability is required.

Why this answer

A charter should define scope and authority. Program scope and roles/responsibilities are fundamental; budget and tools are not charter elements.

216
MCQhard

A financial institution has an incident involving a suspected data breach of customer PII. The incident response team contains the breach. What should be the NEXT priority according to legal and regulatory requirements?

A.Assess the extent of the breach.
B.Engage a public relations firm.
C.Notify affected customers.
D.Perform a root cause analysis.
AnswerA

Needed to determine legal notification requirements.

Why this answer

Option A is correct because assessing the extent of the breach determines the notification scope. Option C (notifying customers) follows after assessment. Option B (engaging a public relations firm) can wait.

Option D (root cause analysis) is secondary.

217
MCQeasy

An organization's information security program recently experienced a ransomware attack that encrypted critical data. Which of the following program components should be improved first to prevent recurrence?

A.Develop an incident response plan specific to ransomware.
B.Conduct additional security awareness training on phishing.
C.Implement a robust backup and recovery process with offline copies.
D.Enhance network segmentation to isolate critical systems.
AnswerC

Effective backups ensure data can be restored without paying ransom.

Why this answer

Correct answer is C because a robust backup and recovery process is the most direct defense against ransomware. Option D (network segmentation) can limit spread but does not prevent encryption. Option B (employee training) is important but not the primary corrective action.

Option A (incident response plan) helps after the fact, not with prevention.

218
MCQhard

The security analyst reviews the SIEM alert and finds that the source IP is from a trusted VPN broker used by remote employees. What is the most likely explanation for the alert?

A.The VPN broker itself is misconfigured
B.A legitimate user forgot their password
C.An attacker has compromised a remote employee's device and is brute-forcing the admin account
D.The alert is a false positive due to SIEM rule threshold
AnswerC

The source IP is the VPN broker, but the device behind it could be compromised.

Why this answer

Option C is correct because a brute-force attack could originate from a compromised VPN endpoint. Option A is wrong because the alert indicates failed attempts, not successful authentication. Option B is wrong because repeated failed attempts are likely malicious, not a mistaken user.

Option D is wrong because the pattern of attempts shows the alert is not a false positive.

219
MCQmedium

During an incident investigation, the team discovers that a compromised account was used to exfiltrate data. Which of the following should the team do NEXT?

A.Determine the scope of the breach by analyzing accessed resources.
B.Reset the password and re-enable the account immediately.
C.Notify the affected users and customers.
D.Delete the compromised account from the system.
AnswerA

Understanding the scope is critical to effective containment and notification.

Why this answer

Option A is correct because understanding the scope is critical to effective containment and notification. Option B is wrong because re-enabling the account without analysis could allow continued access. Option C is wrong because notification should be based on confirmed impact.

Option D is wrong because deletion may destroy evidence.

220
Multi-Selecteasy

Which TWO of the following are key performance indicators (KPIs) for measuring the effectiveness of an information security program?

Select 2 answers
A.Number of security policies approved.
B.Mean time to detect (MTTD) security incidents.
C.Employee satisfaction score from annual survey.
D.Percentage of critical systems patched within 30 days.
E.Percentage of security budget spent on tools.
AnswersB, D

Measures detection effectiveness.

Why this answer

Correct answers are B and D. Option B (mean time to detect) directly measures detection effectiveness. Option D (percentage of critical systems patched within SLA) measures protection.

Option A (number of security policies) is a count, not a performance measure. Option E (budget spent on tools) is a financial metric, not a performance indicator. Option C (employee satisfaction) is not a security KPI.

221
MCQmedium

After containing a security incident, the team conducts a root cause analysis. They find the breach originated from a compromised third-party vendor account. What is the most effective long-term mitigation?

A.Increase logging on vendor accounts
B.Change all passwords manually
C.Implement vendor access reviews and enforce MFA
D.Terminate the vendor relationship
AnswerC

Reduces the risk of future compromises from vendor accounts.

Why this answer

Implementing vendor access reviews and enforcing MFA addresses the root cause of unauthorized access.

222
MCQmedium

An organization has a mature security program but is experiencing an increase in successful social engineering attacks. The incident response team has confirmed that the attacks are bypassing current controls. What should the program manager do first?

A.Conduct a root cause analysis and update risk assessment
B.Implement multi-factor authentication for all systems
C.Disable email links and attachments
D.Increase the frequency of security awareness training
AnswerA

Identifies gaps and informs control improvements.

Why this answer

Option A is correct because the first step in continuous improvement is to analyze the root cause and update the risk assessment. Option D is wrong because increasing training without understanding the gap may be inefficient. Option B is wrong because MFA only addresses future incidents, not the current control gap.

Option C is premature without analysis.

223
MCQhard

A multinational corporation is designing its information security governance framework. The board has requested a single metric that best indicates the effectiveness of the security program. Which metric would BEST satisfy this request?

A.Percentage of systems compliant with security baseline.
B.Number of security incidents reported per month.
C.Mean time to detect (MTTD) security events.
D.Percentage of security controls achieving their intended outcomes as validated by testing.
AnswerD

This directly measures the effectiveness of the security program.

Why this answer

Option D is correct because it provides a direct measure of how well security controls are working. Option A is a compliance metric that does not measure effectiveness. Option B is an operational metric, not a strategic one.

Option C is a technical metric that may not resonate with the board.

224
MCQmedium

During the eradication phase of an incident response, which action is MOST critical to ensure the threat is fully removed?

A.Delete the malware files from the system.
B.Reset passwords for all user accounts.
C.Update antivirus signatures.
D.Reimage all affected systems from known-good backups.
AnswerD

Only way to guarantee removal of persistent threats.

Why this answer

Option D is correct because reimaging from known-good backups ensures no remnants of malware remain. Option A (deleting the malware files) may miss hidden malware. Option C (updating antivirus signatures) is prevention, not eradication.

Option B (resetting passwords) is a post-eradication step.

225
Multi-Selecthard

Which TWO of the following are key components of an information risk management program, as defined by ISACA? (Select exactly two.)

Select 2 answers
A.Business continuity plan
B.Risk appetite and tolerance
C.Data classification scheme
D.Risk assessment methodology
E.Vulnerability scanning process
AnswersB, D

Risk appetite defines the amount of risk the organization is willing to accept, essential for risk management.

Why this answer

Options B and D are correct. Risk appetite and risk assessment are core components. Option C is incorrect: data classification is part of information security governance, not specifically a risk management program component.

Option E is incorrect: vulnerability scanning is a technical control, not a program component. Option A is incorrect: business continuity planning is a related but separate domain.
