Certified Information Security Manager (CISM) — Questions 226–300

500 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226 (MCQ, easy)

Which document should be created FIRST when establishing an information security program?

A. Information security policy
B. Risk assessment report
C. Incident response plan
D. Business continuity plan
Answer: A

Why this answer

The information security policy is the foundation document that sets the direction, principles, and responsibilities. All other standards, procedures, and guidelines are derived from it.

Exam trap

Some might answer 'risk assessment' because it's important, but the policy must be in place to guide the risk assessment process.

Why the other options are wrong

B

Risk assessment is informed by policy.

C

Incident response is a later operational plan.

D

BCP is related but separate and typically follows policy.

227 (MCQ, medium)

A company is assessing the risk of a critical system outage. The system has a maximum tolerable downtime (MTD) of 2 hours, but the current recovery time objective (RTO) is 4 hours. What is the most appropriate risk treatment?

A. Mitigate by reducing the RTO to 1 hour through process automation
B. Transfer the risk by purchasing business interruption insurance
C. Accept the risk because the RTO is shorter than the MTD
D. Avoid the risk by replacing the system with a more reliable one
Answer: A

Reducing RTO to below MTD is the correct mitigation.

Why this answer

Since the current RTO exceeds the MTD, the organization is unable to meet its downtime tolerance. Reducing the RTO to 1 hour (below MTD) through process automation is the appropriate mitigation. Accepting the risk is not viable because the MTD is lower.

Transfer via insurance does not address the RTO gap. Replacing the system is more drastic and may not be cost-effective.

228 (Multi-Select, medium)

Which of the following are key components of an effective information security program? (Select TWO.)

A. State-of-the-art security tools and technologies
B. A risk management framework
C. Security awareness and training programs
D. A large security operations center
E. Compliance with all applicable laws
Answers: B, C

Why this answer

A risk management framework is a key component because it provides a structured, repeatable process for identifying, assessing, and mitigating information security risks. It ensures that security investments and controls are aligned with business objectives and risk appetite, rather than being ad hoc or technology-driven. Without a risk management framework, an information security program lacks the foundational governance to prioritize threats and allocate resources effectively.

Exam trap

The trap here is that candidates often mistake operational components (like a SOC or advanced tools) or compliance outcomes as foundational pillars, whereas CISM emphasizes that governance through a risk management framework and the human element via security awareness are the true core components of a sustainable program.

Why the other options are wrong

A

Tools are important but not a key component; the program must include processes and people.

D

Size is not a key component; effectiveness matters more.

E

Compliance is a goal, not a component of the program itself.

229 (Multi-Select, easy)

Which TWO of the following are PRIMARY goals of incident management according to industry best practices?

A. Restore normal operations as quickly as possible
B. Minimize business disruption
C. Document all steps for compliance
D. Assign blame to the responsible party
E. Increase the security budget
Answers: A, B

Timely restoration is a primary objective.

Why this answer

The primary goals are to minimize business disruption and restore normal operations quickly. Assigning blame is not a goal; documenting steps is important but secondary; increasing budget is not a direct goal.

230 (Multi-Select, easy)

During the detection and analysis phase of incident response, which two activities are essential? (Choose two.)

A. Identifying indicators of compromise.
B. Restoring systems from backup.
C. Notifying regulatory bodies.
D. Applying security patches.
E. Determining the scope of the incident.
Answers: A, E

Identifying indicators of compromise and establishing scope are the core of detection and analysis.

Why this answer

Options A and E are correct because identifying indicators of compromise and determining the scope of the incident are what let the team understand what happened and which systems and accounts are involved. Restoring from backup (B) and applying patches (D) belong to the eradication and recovery phases, and regulatory notification (C) follows once the facts have been established.
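The two activities above, matching indicators of compromise against log records and then deriving the scope of the incident, as an added example that is not part of the original question bank. The IOC values, hostnames and log lines are constructed for illustration (the IP is from the RFC 5737 TEST-NET-3 range, the hash is the SHA-256 of empty input used as a placeholder, and the key=value log layout is invented, not a real product format).

```python
# Added example (not from the question bank): IOC matching followed by incident scoping.
import re

# Constructed IOC set, one entry per indicator type (placeholders, not real indicators).
IOCS = {
    "ip": {"203.0.113.77"},
    "domain": {"update-check.example"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed log lines in an invented key=value layout.
SAMPLE_LOGS = """\
ts=2024-03-01T08:02:11Z host=ws-014 user=alice event=dns query=update-check.example
ts=2024-03-01T08:02:13Z host=ws-014 user=alice event=netconn dst=203.0.113.77:443 proto=tcp
ts=2024-03-01T08:05:40Z host=ws-014 user=alice event=process sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 image=svchost_.exe
ts=2024-03-01T08:09:02Z host=srv-db-02 user=alice event=logon type=network src=ws-014
ts=2024-03-01T08:11:55Z host=srv-db-02 user=svc_backup event=netconn dst=203.0.113.77:443 proto=tcp
ts=2024-03-01T08:12:00Z host=ws-022 user=bob event=dns query=www.example.com
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def match_iocs(record):
    """Return the (ioc_type, value) indicators present in one log record."""
    hits = []
    dst_ip = record.get("dst", "").split(":")[0]
    if dst_ip in IOCS["ip"]:
        hits.append(("ip", dst_ip))
    if record.get("query") in IOCS["domain"]:
        hits.append(("domain", record["query"]))
    if record.get("sha256") in IOCS["sha256"]:
        hits.append(("sha256", record["sha256"]))
    return hits


def scope_incident(log_text):
    """
    Two-pass scoping:
      1. Direct scope: hosts and users whose records match an IOC.
      2. Pivot scope: hosts that received a logon sourced from a directly
         compromised host after the first indicator fired (lateral movement),
         plus the accounts used for those logons.
    Returns sorted lists so the result is deterministic.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])  # ISO-8601 strings sort chronologically
    hosts, users, hits = set(), set(), 0
    first_hit_ts = None
    for r in records:
        if match_iocs(r):
            hits += 1
            hosts.add(r["host"])
            users.add(r["user"])
            first_hit_ts = first_hit_ts or r["ts"]
    if first_hit_ts is None:
        return {"hosts": [], "users": [], "first_indicator": None, "indicator_hits": 0}
    # Single pivot pass: logons from an already-compromised host widen the scope.
    for r in records:
        if r.get("event") == "logon" and r.get("src") in hosts and r["ts"] >= first_hit_ts:
            hosts.add(r["host"])
            users.add(r["user"])
    return {"hosts": sorted(hosts), "users": sorted(users),
            "first_indicator": first_hit_ts, "indicator_hits": hits}


if __name__ == "__main__":
    print(scope_incident(SAMPLE_LOGS))
```

On the constructed input, ws-014 and srv-db-02 fall into scope along with the alice and svc_backup accounts, while ws-022 (a benign DNS lookup) stays out; the pivot pass is what pulls the logon to srv-db-02 into scope even before that host produces its own indicator hit.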

231 (MCQ, medium)

A company's security program includes a set of controls based on a risk assessment. During an audit, several controls are found to be ineffective. What should the security manager do first?

A. Conduct a root cause analysis to determine why controls failed.
B. Increase the frequency of control testing.
C. Report the findings to management and accept the risk.
D. Implement compensating controls immediately.
Answer: A

Identifies systemic gaps; allows effective remediation.

Why this answer

RCA identifies why controls failed, enabling targeted improvements and preventing recurrence.

232 (MCQ, hard)

A company's information security manager notices that several business units have implemented shadow IT systems that bypass the central security governance. Which of the following governance strategies would most effectively address this issue in the long term?

A. Conduct periodic audits to discover shadow IT and penalize non-compliant units.
B. Deploy a cloud access security broker (CASB) to discover and integrate shadow IT into the infrastructure.
C. Enforce a strict policy that prohibits any IT system without prior security approval.
D. Establish a formal process for business units to request exceptions to the standard IT policy, with risk acceptance.
Answer: D

This balances security with business agility and keeps the activity visible to governance.

Why this answer

Option D is correct because a formal exception process, with documented risk acceptance, lets business units innovate while keeping the activity under governance oversight. Option C is wrong because a strict prohibition tends to drive shadow IT further underground rather than eliminate it. Option A is wrong because periodic audits discover shadow IT only after the fact, and penalties do not remove the business need that created it.

Option B is wrong because a CASB is a discovery and integration tool; it supports governance but does not by itself establish the long-term process the question asks for.

233 (MCQ, medium)

Based on the exhibit, which of the following is the MOST likely attack vector?

A. SQL injection attack
B. Privilege escalation via a compromised account
C. Phishing email with malicious attachment
D. Denial of service attack
Answer: B

The logs show an account with administrative privileges being used from an unexpected location and then moving laterally.

Why this answer

The exhibit shows a user account with administrative privileges being used from an unusual geographic location at an anomalous time, followed by lateral movement to a domain controller. This pattern indicates that the initial access was gained through a compromised account, which was then leveraged for privilege escalation to move laterally and access sensitive systems. The attack vector is the misuse of valid credentials, not an injection or social engineering attack.

Exam trap

ISACA often tests the distinction between the initial infection vector (e.g., phishing) and the attack vector used for lateral movement (e.g., compromised credentials), leading candidates to confuse the method of initial access with the method of privilege escalation.

How to eliminate wrong answers

Option A is wrong because SQL injection attacks target web application databases by inserting malicious SQL queries, and the exhibit shows no evidence of web application logs or database error messages; instead, it shows authentication events and lateral movement. Option C is wrong because a phishing email with a malicious attachment would typically result in malware execution or credential harvesting, but the exhibit shows direct use of a legitimate account without any indication of a phishing campaign or attachment download. Option D is wrong because a denial of service attack aims to overwhelm resources and disrupt availability, whereas the exhibit shows successful authentication and lateral movement, indicating an active compromise rather than a service disruption.

234 (Multi-Select, hard)

A security program manager is selecting metrics to report to the board. Which THREE metrics provide the BEST indication of the program's effectiveness?

A. Number of security incidents
B. Budget spent on security tools
C. Percentage of systems compliant with baseline
D. Percentage of employees trained
E. Mean time to detect incidents
Answers: C, D, E

Compliance with the security baseline shows that controls are actually implemented.

Why this answer

Options C, D, and E are correct. Percentage of systems compliant with baseline (C) shows control implementation. Percentage of employees trained (D) indicates awareness coverage.

Mean time to detect (E) measures detection capability. Option A (incident count) can be misleading, since a rising count may reflect better detection rather than a weaker program; option B (budget spent) measures input, not effectiveness.

235 (Multi-Select, medium)

An information security program must include elements to ensure continuous improvement. Which TWO of the following are MOST essential for continuous improvement?

A. Annual risk assessment
B. Quarterly board meetings
C. Monthly patching
D. Post-incident reviews
E. Regular security awareness training
Answers: A, D

Risk assessment identifies evolving threats and areas for improvement.

Why this answer

Options A and D are correct. Annual risk assessment (A) identifies new threats and gaps. Post-incident reviews (D) provide lessons learned that feed back into the program.

Option E (training) is important but is not primarily an improvement mechanism; option C (patching) is operational; option B (board meetings) is governance oversight, not continuous improvement.

236 (MCQ, medium)

An information security manager is designing a metrics program to report to the board. Which of the following metrics would be MOST meaningful to the board?

A. Number of security incidents reported
B. Percentage of systems with critical vulnerabilities
C. Average patch deployment time
D. Number of security awareness training completions
Answer: B

Why this answer

The board is primarily concerned with strategic risk posture and business impact. Percentage of systems with critical vulnerabilities directly quantifies the organization's exposure to high-severity threats, enabling informed risk acceptance or remediation decisions. This metric aligns with the board's fiduciary duty to oversee risk management, unlike operational details such as incident counts or training completions.

Exam trap

The trap here is that candidates confuse operational metrics (e.g., patch time, training completions) with strategic risk indicators, assuming the board wants to see activity volume rather than residual risk exposure.

Why the other options are wrong

A

Lagging indicator; board prefers leading indicators of risk.

C

Operational detail; not strategic.

D

Activity metric, not outcome.

237 (Multi-Select, medium)

Which THREE of the following are considered key components of an incident response plan?

A. Post-incident review process
B. Communication escalation matrix
C. Roles and responsibilities
D. Network diagrams
E. Disaster recovery procedures
Answers: A, B, C

Lessons learned process is integral to improving incident management.

Why this answer

Key components include a communication escalation matrix, defined roles and responsibilities, and a post-incident review process. Disaster recovery procedures are separate, and network diagrams are supporting but not a core component.

238 (MCQ, hard)

After a phishing attack, an organization's incident response team identifies that the attacker gained access to an email account and sent internal spear-phishing emails. What is the BEST immediate containment action?

A. Disable the compromised account
B. Reset all user passwords
C. Block the attacker's IP address at the firewall
D. Increase email filtering rules
Answer: A

Immediately disabling the account stops further abuse.

Why this answer

Option A is correct because disabling the compromised account stops the attacker from sending further mail and from using the account for anything else. In practice, disabling should be paired with revoking the account's active sessions and tokens, since an existing session can outlive the disable. Option C is wrong because blocking the attacker's IP is ineffective when the malicious activity originates from a legitimate internal account, which the attacker can reach from another address. Option B is wrong because resetting every password in the domain causes disruption and does not isolate the immediate threat.

Option D is wrong because email filtering is unlikely to block internal-to-internal mail sent from a legitimate account.

239 (Multi-Select, easy)

Which of the following are key components of an information security program? (Select TWO)

A. A set of security policies and standards
B. A network architecture diagram
C. A risk management process
D. An incident response log
Answers: A, C

Why this answer

A set of security policies and standards is a key component because it establishes the governance framework that defines acceptable use, access control, and compliance requirements for the entire organization. Without documented policies and standards, the security program lacks the authoritative baseline to enforce controls or measure effectiveness. These documents are the foundation for all other security activities, including training, audits, and incident response.

Exam trap

The trap here is that candidates often confuse operational artifacts (like network diagrams or logs) with programmatic components, failing to recognize that the core of an information security program is the governance and risk management framework, not the technical outputs or diagrams.

Why the other options are wrong

B

This is a technical artifact, not a core program component.

D

This is an operational record, not a program component.

240 (MCQ, hard)

An organization's information security program has been operational for two years. The security manager is asked to propose changes to improve effectiveness. Which approach should the manager take first?

A. Implement new security controls based on industry best practices.
B. Conduct a maturity assessment of the current program.
C. Increase the security awareness training budget.
D. Revise the information security policy.
Answer: B

Why this answer

Before making any changes, the security manager must first understand the current state of the program. A maturity assessment (e.g., using the CMMI or COBIT framework) evaluates the effectiveness, gaps, and capability levels of existing processes and controls. This baseline ensures that subsequent improvements are targeted and justified, rather than arbitrary or misaligned with the organization's actual needs.

Exam trap

ISACA often tests the principle that assessment must precede action; the trap here is that candidates may jump to implementing controls or revising policies as a quick fix, ignoring the foundational step of measuring current maturity to ensure changes are evidence-based and effective.

Why the other options are wrong

A

This may introduce unnecessary controls without understanding existing gaps.

C

Training is important but not the first step; assessment should precede resource allocation.

D

Policy revision may be needed, but first understand the program's strengths and weaknesses.

241 (Drag & Drop, medium)

Arrange the steps for deploying a security patch to critical servers in a production environment.

Why this order

Patch management involves identification, testing, backup, deployment, and verification.

242 (Drag & Drop, medium)

Arrange the steps for performing a vulnerability scan on a network segment.

Why this order

Vulnerability scanning requires authorization, configuration, execution, analysis, and prioritization.

243 (MCQ, hard)

During a security incident, the incident response team discovers that an attacker used a previously unknown vulnerability (zero-day) in a widely used software product. Which action should the team take to address this vulnerability in the short term?

A. Implement a virtual patch through an intrusion prevention system (IPS)
B. Recompile the software with additional security controls
C. Immediately disable the software across the organization
D. Deploy a vendor patch as soon as it becomes available
Answer: A

Virtual patching blocks exploit attempts while waiting for a permanent fix.

Why this answer

A vendor patch (D) is the permanent fix but, for a zero-day, may not exist yet, so it cannot be the short-term action. Implementing a virtual patch via an IPS (A), a rule or signature that blocks the exploit pattern before it reaches the vulnerable software, provides protection until the vendor patch is available and tested. Recompiling the software (B) is not feasible for third-party software.

Disabling the software across the organization (C) may be too disruptive to the business.

244 (MCQ, medium)

An organization's incident response plan includes a call tree. During an incident, the primary contact is unreachable. What should happen?

A. Escalate to senior management
B. Use a different communication method like email
C. Wait for the primary to become available
D. Move to the next person in the call tree
Answer: D

The call tree is designed with alternates.

Why this answer

The call tree should have alternates; proceeding to the next person ensures continuity.

245 (MCQ, easy)

A healthcare organization suffers a ransomware attack that encrypts critical patient data. The incident response team activates the incident response plan. The backup administrator reports that the most recent backups are from three days ago and are stored on a disconnected tape drive. However, the organization's legal counsel advises that according to regulatory requirements, patient data must be recoverable within 24 hours. The CEO is considering paying the ransom to avoid extended downtime and regulatory penalties. As the incident manager, what should you recommend?

A. Pay the ransom to ensure quick recovery and avoid regulatory penalties.
B. Report the incident to law enforcement and wait for a decryption key.
C. Restore from the tape backups and accept the three-day data loss.
D. Attempt to negotiate with the attackers for a lower ransom while simultaneously working on backup restoration.
Answer: C

Restoring from reliable offline backups removes the need to pay and achieves recovery, albeit with some data loss.

Why this answer

Option C is correct because restoring from known-good offline backups is the accepted practice, even with a three-day data loss. Paying the ransom (A) is discouraged and does not guarantee a working decryptor. Negotiating (D) is risky and time-consuming.

Waiting for law enforcement (B) delays recovery and may never yield a decryption key. Law enforcement should still be notified in parallel, and the 24-hour recoverability gap and the data loss should be escalated to legal counsel for the required regulatory reporting.

246 (Multi-Select, medium)

Which TWO of the following are key components of a risk assessment report according to best practices? (Choose two.)

A. Vendor security assessment ratings
B. Risk scenarios with likelihood and impact ratings
C. Detailed results of control testing
D. Risk treatment recommendations
E. Complete asset inventory
Answers: B, D

Risk scenarios with likelihood and impact ratings are central to a risk assessment report.

Why this answer

Options B and D are correct. A risk assessment report should present the risk scenarios with their likelihood and impact ratings and the recommended risk treatments. Option A is wrong because vendor security ratings are not a universal component.

Option E is wrong because the asset inventory is input data, not part of the report. Option C is wrong because detailed control testing results belong in a separate audit report.

247 (MCQ, easy)

A company is implementing a risk management program and needs to identify the most critical assets. Which of the following is the BEST approach to prioritize assets for risk assessment?

A. Use the asset's purchase value to determine priority
B. Assess the business impact of each asset's compromise
C. Perform a vulnerability scan and prioritize based on findings
D. Review historical incident reports for each asset
Answer: B

Assessing business impact ties directly to criticality and is the best basis for prioritization.

Why this answer

Option B is correct because asset criticality should be determined by the business impact of the asset's compromise. Option A is wrong because purchase value may not reflect criticality. Option C is wrong because vulnerability scanning identifies weaknesses, not criticality.

Option D is wrong because historical incidents may not reflect current importance.

248 (MCQ, medium)

A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?

A. Risk avoidance
B. Risk mitigation
C. Risk acceptance
D. Risk transfer
Answer: B

MFA reduces the likelihood or impact of the risk, which is the definition of risk mitigation.

Why this answer

Implementing multi-factor authentication (MFA) reduces the likelihood or impact of a security risk by adding additional authentication factors (e.g., something you know, something you have, something you are) beyond a weak password. This directly aligns with risk mitigation, which seeks to decrease the residual risk to an acceptable level through controls. The decision does not eliminate the risk entirely (avoidance), accept it without action, or transfer it to a third party.

Exam trap

The trap here is that candidates confuse 'risk mitigation' with 'risk avoidance' because both involve implementing controls, but avoidance means eliminating the activity or technology entirely, whereas mitigation reduces but does not eliminate the risk.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean not implementing the online banking platform or removing the authentication module entirely, which is not the case. Option C is wrong because risk acceptance would involve acknowledging the risk and taking no further action, whereas MFA is an active control. Option D is wrong because risk transfer would involve shifting the financial impact of the risk to another party (e.g., via insurance or outsourcing), not implementing a technical control like MFA.

249 (MCQ, hard)

After a data breach, the risk manager discovers that the risk assessment for the affected system had not been updated for two years. The organization's risk management policy requires annual reviews. Which of the following is the MOST significant consequence of this noncompliance?

A. Increased audit findings
B. Regulatory fines for noncompliance
C. Inaccurate risk profile leading to uninformed decisions
D. Higher insurance premiums
Answer: C

An outdated risk assessment misrepresents current risks, impairing decision-making.

Why this answer

Option C is correct because an outdated risk assessment produces an inaccurate risk profile, leaving management unaware of current risks. Option A is wrong because, while noncompliance may increase audit findings, that is a secondary consequence. Option D is wrong because higher insurance premiums are a possible consequence, not the most significant one.

Option B is wrong because regulatory fines are possible but not guaranteed.

250 (MCQ, easy)

An organization is developing a new information security program and wants to ensure it aligns with business objectives. Which of the following is the MOST critical first step?

A. Develop a security awareness training program.
B. Identify business strategy and risk appetite.
C. Design the security architecture based on industry frameworks.
D. Conduct a comprehensive risk assessment.
Answer: B

Aligning with business strategy ensures security enables rather than hinders the business.

Why this answer

Identifying business strategy and risk appetite is the most critical first step because the information security program must be designed to support the organization's objectives and operate within the risk tolerance defined by leadership. Without this alignment, subsequent security controls and investments may conflict with business goals or fail to address the risks the organization is willing to accept. This ensures that security is a business enabler rather than a technical silo.

Exam trap

The trap here is that candidates often mistake conducting a comprehensive risk assessment (Option D) as the first step, but without a defined risk appetite and business strategy, the assessment lacks the context needed to evaluate risk severity and prioritize remediation effectively.

How to eliminate wrong answers

Option A is wrong because developing a security awareness training program is an operational control that should be implemented only after the program's strategic direction, risk appetite, and governance structure are defined; starting with training assumes a baseline of security culture that does not yet exist. Option C is wrong because designing security architecture based on industry frameworks (e.g., NIST, ISO 27001) without first understanding the business strategy and risk appetite can lead to over-engineering or misalignment, wasting resources on controls that do not address the organization's specific risk profile. Option D is wrong because conducting a comprehensive risk assessment requires a predefined risk appetite and business context to determine which risks are acceptable and which require mitigation; without this, the assessment lacks the criteria to prioritize findings effectively.

251 (Multi-Select, hard)

Which THREE of the following are best practices for handling evidence during an incident investigation?

A. Document all actions taken during evidence collection.
B. Maintain a chain of custody log.
C. Analyze evidence directly on live systems to avoid delays.
D. Create a forensic image of the affected systems.
E. Store evidence in its original location to avoid disturbance.
Answers: A, B, D

Documentation ensures reproducibility and legal admissibility.

Why this answer

Option A is correct because documenting all actions taken during evidence collection ensures the integrity and admissibility of evidence in legal proceedings. This documentation, often referred to as a 'paper trail' or 'audit log,' must include timestamps, personnel involved, tools used, and any deviations from standard procedures. Without this, the chain of custody is weakened, and the evidence may be challenged as unreliable or tampered with.

Exam trap

The trap here is that candidates may confuse 'analyze evidence directly on live systems' (Option C) as acceptable for speed, but CISM emphasizes preservation of evidence integrity over expedience, and 'store evidence in its original location' (Option E) may seem logical but violates the principle of securing evidence in a controlled chain of custody.
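The three correct practices above, documenting actions, keeping a chain of custody and working from a hashed forensic image, as an added example that is not part of the original question bank. The "disk image" is a constructed byte string, the case identifier, analyst names and timestamps are placeholders, and the hash-chained custody log is one simple way to make the record tamper-evident, not a description of any particular forensic product.

```python
# Added example (not from the question bank): evidence record with acquisition hash,
# hand-off logging and a hash-chained chain-of-custody log.
import hashlib
import hmac
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO-8601, recorded when the action occurs
    actor: str            # who handled the evidence
    action: str           # acquired / transferred / verified / analysed ...
    evidence_hash: str    # hash of the item at the time of the action
    prev_entry_hash: str  # links to the previous entry: editing or dropping one breaks the chain
    entry_hash: str = ""

    def compute_hash(self) -> str:
        payload = "|".join([self.timestamp, self.actor, self.action,
                            self.evidence_hash, self.prev_entry_hash]).encode()
        return sha256_hex(payload)


@dataclass
class EvidenceItem:
    case_id: str
    description: str
    image: bytes                      # forensic image contents (working copy)
    acquisition_hash: str = ""
    custody_log: list = field(default_factory=list)

    def acquire(self, actor: str, ts: str):
        """Hash the image once at acquisition, before any analysis touches it."""
        self.acquisition_hash = sha256_hex(self.image)
        self._append(ts, actor, "acquired forensic image", self.acquisition_hash)

    def transfer(self, from_actor: str, to_actor: str, ts: str):
        """Every hand-off is logged, and the item is re-hashed at the hand-off."""
        self._append(ts, f"{from_actor}->{to_actor}", "transferred", sha256_hex(self.image))

    def verify(self) -> bool:
        """True only if the image still matches its acquisition hash AND the custody
        log's hash chain is intact (no entry edited, inserted or removed)."""
        if not hmac.compare_digest(sha256_hex(self.image), self.acquisition_hash):
            return False
        prev = "GENESIS"
        for e in self.custody_log:
            if e.prev_entry_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def _append(self, ts, actor, action, evidence_hash):
        prev = self.custody_log[-1].entry_hash if self.custody_log else "GENESIS"
        entry = CustodyEntry(ts, actor, action, evidence_hash, prev)
        entry.entry_hash = entry.compute_hash()
        self.custody_log.append(entry)


def demo():
    """Acquisition, hand-off and verification on constructed data; then the failure
    mode the question warns about (bytes changed after acquisition)."""
    item = EvidenceItem("CASE-0001", "disk image of ws-014 (constructed sample)",
                        image=b"\x00" * 512 + b"placeholder image bytes")
    item.acquire("analyst A", "2024-03-01T09:00:00Z")
    item.transfer("analyst A", "evidence custodian", "2024-03-01T10:30:00Z")
    intact = item.verify()
    item.image = item.image + b"\x01"   # simulates working on a copy that was altered
    return intact, item.verify()


if __name__ == "__main__":
    print(demo())
```

The same verify() call fails if someone later edits a custody entry, because the stored entry hash no longer matches the recomputed one; that is the property a reviewer or court is looking for when the chain of custody is challenged.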

252 (MCQ, hard)

Which host should be prioritized for risk mitigation based on the vulnerability scan results?

A. 192.168.10.25
B. 192.168.10.35
C. All hosts should be equally prioritized
D. 192.168.10.30
Answer: B

Highest count of critical and high vulnerabilities.

Why this answer

Option B is correct because host 192.168.10.35 has the highest number of critical and high vulnerabilities (5 critical + 6 high = 11), indicating the highest risk. Option A is wrong because host 192.168.10.25 has 2 critical and 4 high (6 in total). Option D is wrong because host 192.168.10.30 has 0 critical and 1 high (1 in total).

Option C is wrong because prioritizing all hosts equally ignores the scan data; and although 192.168.10.35 also carries many medium findings, it is the critical and high findings that set its priority.

253 (MCQ, medium)

During incident response, a forensic investigator needs to collect evidence from a compromised server. Which action BEST preserves evidence integrity?

A. Perform a graceful shutdown
B. Create a network-based image
C. Pull the power cord
D. Copy files to an external drive
Answer: C

Pulling the plug freezes the disk state and stops all processes, at the cost of volatile memory.

Why this answer

Option C is correct, in the sense the exam intends, because pulling the power cord halts the system instantly: no shutdown scripts run, no temporary files are cleaned up, and malware gets no chance to wipe itself. Option A is wrong because a graceful shutdown runs processes that can alter or destroy evidence. Option D is wrong because copying files changes access timestamps and misses deleted and unallocated data.

Option B is wrong because a network-based image of the live system misses volatile memory and is taken while the system is still changing. In practice, a hard power-off also discards RAM (running processes, network connections, decryption keys), so the order-of-volatility approach is to capture memory with a trusted tool first where the situation allows, and only then cut power and image the disk.

254 (Multi-Select, hard)

Which THREE are key performance indicators (KPIs) for an information security program?

A. Number of security incidents
B. Percentage of employees trained
C. Budget variance
D. Patch compliance rate
E. Mean time to detect (MTTD)
Answers: B, D, E

Training coverage indicates program reach.

Why this answer

Options B, D, and E are correct: percentage of employees trained, patch compliance rate, and mean time to detect (MTTD) are meaningful KPIs because each measures something the program controls and can improve. Option A (number of incidents) is a lagging indicator that depends on attacker activity and detection coverage, so it is not suitable on its own as a KPI.

Option C (budget variance) is a financial metric, not a measure of security performance.

255 (MCQ, hard)

A multinational corporation is migrating its on-premises data center to a hybrid cloud environment. The organization processes highly sensitive financial data subject to strict regulatory requirements (e.g., GDPR, SOX). During the risk assessment, the information security manager discovers that the cloud service provider (CSP) stores data in multiple geographic regions, some of which do not meet the organization's data residency requirements. Additionally, the CSP's encryption key management is not fully under the organization's control, and the incident response plan does not include specific procedures for cloud-based breaches. The organization's risk appetite is low, and the board has mandated that all risks must be mitigated to an acceptable level. Which of the following is the BEST course of action?

A. Require the CSP to provide dedicated hardware security modules and restrict data storage to approved regions through contractual terms
B. Accept the risk because the CSP has strong security certifications and the likelihood of a breach is low
C. Cancel the cloud migration and build a new private data center in a compliant location
D. Transfer the risk by purchasing cyber insurance that covers regulatory fines
Answer: A

This directly mitigates the identified risks and aligns with the organization's low risk appetite.

Why this answer

Option A is correct because it addresses the root causes, data residency non-compliance and key management outside the organization's control, by requiring dedicated hardware security modules (so the organization holds its own keys) and contractually restricting storage to approved regions. This aligns with the low risk appetite and the regulatory requirements. Option B is wrong because accepting the risk contradicts the board's mandate.

Option D is wrong because transferring risk via insurance does not achieve compliance. Option C is wrong because building a new private data center is costly and slow, and is not the best immediate course of action. Whichever option is chosen, the incident response plan still needs cloud-specific procedures; the question names that gap and none of the options closes it.

256 (MCQ, easy)

Refer to the exhibit. The security analyst observes these alerts. What is the MOST likely sequence of events?

A. Insider threat: jsmith intentionally exfiltrated data
B. Attacker compromised jsmith's credentials, established C2, and exfiltrated data
C. Network scan from 10.0.0.45 triggered false positives
D. Malware downloaded on jsmith's workstation and exfiltrated data
Answer: B

Pattern matches credential compromise, C2, and exfiltration.

Why this answer

The correct sequence is that an attacker compromised jsmith's credentials, established command-and-control (C2) communication, and then exfiltrated data. The alerts show a burst of authentication failures followed by a success against jsmith's account from 10.0.0.45 (a brute-force or credential-stuffing pattern), then a periodic outbound C2 beacon (for example over DNS or HTTP) from jsmith's workstation, and finally a large data transfer to an external destination. This matches the typical kill chain: initial access via compromised credentials, persistence via C2, and data exfiltration as the final objective. Note that 10.0.0.45 is an RFC 1918 private address, so in the exhibit it is a host on the internal network, a VPN client or a NAT boundary rather than an Internet source; the reasoning rests on the sequence of events, not on where the source sits.

Exam trap

ISACA often tests the distinction between a network scan and a targeted credential attack; the trap here is that candidates see the source IP (10.0.0.45) and assume it is a scan, but the specific sequence of authentication failures followed by C2 and exfiltration indicates a successful compromise, not reconnaissance.

How to eliminate wrong answers

Option A is wrong because the alerts show a separate source (10.0.0.45) guessing jsmith's password before the account is used, which is not how an insider with legitimate access behaves; an insider threat would show abnormal access times or data movement under the user's own session, not a credential attack followed by C2 beacons. Option C is wrong because a network scan from 10.0.0.45 would generate connection attempts to many ports and hosts, not a targeted credential attack against a single user followed by C2 traffic and data exfiltration; the specific sequence of authentication failures, beaconing, and data transfer indicates a targeted compromise. Option D is wrong because malware delivered to jsmith's workstation would typically show a download event (for example an HTTP GET to a malicious URL) before C2 activity, but the first alert is a run of authentication failures, so the credential compromise precedes any malware activity; the sequence starts with credential attacks, not download events.

257
Drag & Dropmedium

Order the steps for a risk assessment process according to ISACA's risk management framework.


Why this order

Risk assessment starts with identification, then analysis, evaluation, treatment, and continuous monitoring.

258
MCQhard

During a security incident, the incident response team discovers that an attacker has exfiltrated data via an encrypted tunnel over HTTPS. Which log source is MOST likely to provide evidence of the exfiltration?

A.Web server access logs
B.Firewall logs
C.Intrusion detection system (IDS) logs
D.Proxy logs
AnswerD

Proxy logs can show all HTTPS traffic, including destinations and data sizes.

Why this answer

Option D is correct because proxy logs capture outgoing HTTPS connections and can show volumes and destinations. Option A is wrong because web server access logs may not show outbound connections. Option B is wrong because firewall logs only show IPs, not encrypted content details.

Option C is wrong because an IDS often cannot inspect encrypted traffic.

259
Multi-Selecthard

Which THREE of the following are critical success factors for implementing an information security program?

Select 3 answers
A.Compliance as the primary driver.
B.Risk-based approach to prioritize controls.
C.Executive management sponsorship and support.
D.Deployment of the latest security technology.
E.Alignment with business objectives.
AnswersB, C, E

Focuses resources on highest risk.

Why this answer

Executive support, alignment with business objectives, and a risk-based approach are critical. Having the latest technology and treating compliance as the sole driver are not success factors.

260
MCQeasy

An organization wants to ensure its information security program is aligned with business objectives. Which of the following is the BEST approach?

A.Implement a security incident response plan
B.Perform regular vulnerability scans
C.Involve business stakeholders in the security steering committee
D.Conduct annual security awareness training
AnswerC

Direct participation ensures security strategies reflect business priorities.

Why this answer

Option C is correct because involving business stakeholders in a steering committee ensures security initiatives support business goals. Option A is reactive. Option B is technical and not directly about business alignment.

Option D is about awareness, not alignment.

261
MCQmedium

A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?

A.Mitigate the risk by conducting regular vendor audits.
B.Avoid the risk by not engaging vendors that cannot meet security requirements.
C.Transfer the risk by requiring vendors to have cyber insurance.
D.Accept the risk because third-party risks are unavoidable.
AnswerB

Avoidance eliminates the risk entirely, fitting low appetite.

Why this answer

Given the organization's low risk appetite for data breaches, the most appropriate strategy is to avoid the risk entirely by not engaging vendors that cannot meet security requirements. This aligns with the principle that when risk exceeds the acceptable threshold, avoidance is the prioritized treatment. Avoidance eliminates the risk source, whereas other strategies like mitigation or transfer still retain some residual risk that may be unacceptable.

Exam trap

The trap here is that candidates often default to mitigation (audits) as the standard response, failing to recognize that when risk appetite is explicitly low, avoidance is the mandated first-line strategy per ISACA's risk treatment hierarchy.

How to eliminate wrong answers

Option A is wrong because mitigation through regular vendor audits reduces but does not eliminate the risk; residual risk remains, which conflicts with a low risk appetite. Option C is wrong because transferring risk via cyber insurance does not reduce the likelihood or impact of a breach; it only provides financial compensation, leaving the organization exposed to reputational and operational harm. Option D is wrong because acceptance is only appropriate when residual risk falls within the risk appetite; here, the low appetite makes acceptance unacceptable.

262
MCQmedium

Refer to the exhibit. A security administrator reports that the VPN tunnel to the remote peer (10.1.1.1) intermittently fails. Based on the configuration, which of the following is the most likely cause?

A.Improper NAT traversal configuration
B.Mismatched IKE phase 1 parameters
C.Expired digital certificate
D.Incorrect access-list 101
AnswerA

Without NAT traversal, the tunnel may fail when the VPN traffic traverses a NAT device, causing intermittent drops.

Why this answer

The configuration is missing the 'set pfs' command and does not include NAT traversal settings. Intermittent failure often occurs when NAT is involved and no NAT traversal is configured. Option B (mismatched IKE phase 1 parameters) would cause constant failure, not intermittent failure.

Option D (incorrect access-list 101) would block specific traffic rather than cause intermittent drops. Option C (expired certificate) is irrelevant because a pre-shared key is used.

263
MCQhard

A financial institution is developing an information security program based on the COBIT framework. The board has requested a balanced scorecard to communicate program effectiveness. Which of the following metric categories would best align with the 'Internal Processes' perspective?

A.Cost of security incidents as a percentage of revenue
B.Percentage of security incidents detected within defined SLAs
C.Number of security training hours per employee
D.Customer satisfaction survey scores on data protection
AnswerB

This measures process effectiveness.

Why this answer

Option B is correct because the Internal Processes perspective focuses on the operational efficiency and effectiveness of security processes. Option A is wrong as it relates to the Financial perspective. Option C is wrong as it relates to Learning and Growth.

Option D is wrong as it relates to the Customer perspective.

264
MCQmedium

During an incident investigation, the response team discovers that the attacker exploited a known vulnerability for which a patch was available but not applied. What should be the team's primary focus during the recovery phase?

A.Applying the missing patch and ensuring all systems are updated.
B.Disciplining the employee responsible for patch management.
C.Conducting a lessons-learned meeting.
D.Reporting the incident to law enforcement.
AnswerA

Correct: Direct remediation of the vulnerability.

Why this answer

Option A is correct because applying the patch addresses the root cause and prevents recurrence. Disciplining employees (B) and reporting to law enforcement (D) are secondary; the lessons-learned meeting (C) is a post-recovery activity.

265
MCQhard

An organization has a security program that is aligned with ISO 27001. During an internal audit, it is discovered that several controls are not being applied consistently across all departments. The MOST effective corrective action is to:

A.Update the information security policy
B.Establish a centralized security oversight function
C.Increase security awareness training frequency
D.Conduct a risk assessment for each department
AnswerB

Why this answer

The core issue is inconsistent control application across departments, which indicates a lack of governance and oversight rather than a policy or awareness deficiency. Establishing a centralized security oversight function directly addresses this by creating a single authority to enforce, monitor, and standardize control implementation, ensuring alignment with ISO 27001 requirements for management commitment and resource allocation (Clause 5.1 and 7.1). This corrective action provides the necessary organizational structure to drive consistent execution, which is the most effective long-term solution.

Exam trap

The trap here is that candidates confuse the symptom (inconsistent application) with the root cause (lack of governance), leading them to choose awareness training or policy updates, which are tactical fixes rather than strategic corrective actions.

Why the other options are wrong

A

Policy likely exists; issue is execution.

C

Training addresses knowledge, not enforcement.

D

Risk assessment would identify gaps but not fix consistency.

266
Matchingmedium

Match each CISM domain to its focus area.


Establish and maintain a framework to align security with business objectives

Identify and manage information risk to achieve business objectives

Design and implement a security program to manage risk

Plan and manage the incident response process

Oversee and improve the security program's performance

Why these pairings

CISM domains as defined by ISACA.

267
MCQmedium

BankOne has a mature security governance program but recently failed a regulatory audit because the board had not formally approved the risk appetite statement. The CISO argues that risk appetite is reviewed annually and was verbally approved. To prevent recurrence, what governance change is most effective?

A.Automate risk appetite monitoring
B.Reduce the number of risk indicators
C.Document all board approvals in minutes
D.Require board resolution for risk appetite annually
AnswerD

Ensures documented, formal approval.

Why this answer

Option D is correct because requiring a formal board resolution annually ensures documented approval. Option A automates monitoring but does not address approval. Option B reduces indicators, which may be counterproductive.

Option C is passive.

268
MCQeasy

A multinational financial services company is implementing a new regulatory requirement that mandates enhanced encryption for all customer data in transit. The organization currently uses TLS 1.2, but the regulation requires TLS 1.3. The risk owner for the data transmission system is the head of network operations, who believes the current controls are sufficient and argues that upgrading will cause significant downtime and cost. The information security manager has assessed the risk as high due to potential regulatory fines and reputational damage. The risk owner refuses to accept the risk and insists on deferring the upgrade. The organization has a risk appetite statement that accepts moderate residual risk only after explicit approval from the CRO. The escalation process involves the risk management committee. What is the BEST course of action for the information security manager?

A.Conduct a detailed cost-benefit analysis to convince the risk owner to upgrade, but do not escalate until the analysis is complete.
B.Accept the risk owner's decision and update the risk register to reflect the deferred treatment with a note of the risk owner's acceptance.
C.Implement a compensating control, such as strong application-layer encryption, to reduce the residual risk to an acceptable level without upgrading TLS.
D.Escalate the issue to the risk management committee for a decision on whether to accept, mitigate, or defer the risk.
AnswerD

This follows the governance process and ensures that the risk is evaluated at the appropriate level with authority to override the risk owner's stance.

Why this answer

Given the risk owner's refusal and the high residual risk exceeding appetite, the security manager should formally escalate to the risk management committee for a final decision, as per the established governance process. This ensures proper oversight and documentation.

269
MCQmedium

A multinational corporation is implementing a risk-based approach to information security governance. The chief information security officer (CISO) has been asked to prioritize security initiatives based on business impact. Which of the following actions should the CISO take FIRST to align security governance with business objectives?

A.Enforce multifactor authentication (MFA) for all remote access.
B.Implement a compliance management tool to track regulatory requirements.
C.Deploy a security information and event management (SIEM) system to centralize log analysis.
D.Conduct a business impact analysis (BIA) to identify critical processes and their security requirements.
AnswerD

A BIA identifies critical business processes and their dependencies, enabling risk-based prioritization.

Why this answer

Conducting a business impact analysis (BIA) is the foundational step in a risk-based governance approach because it identifies critical business processes, their recovery time objectives (RTOs), and the specific security requirements needed to protect them. Without this analysis, the CISO cannot align security initiatives with business impact, as the BIA directly links security controls to the organization's most valuable assets and operational priorities.

Exam trap

The trap here is that candidates often confuse tactical security controls (like MFA or SIEM) with the strategic governance step of first understanding business impact, leading them to select a technically correct but sequentially premature answer.

How to eliminate wrong answers

Option A is wrong because enforcing MFA for all remote access is a tactical control that should be prioritized based on BIA findings, not implemented first without understanding which processes and data are most critical. Option B is wrong because implementing a compliance management tool addresses regulatory tracking but does not establish the business impact or risk prioritization needed to align security governance with business objectives. Option C is wrong because deploying a SIEM system centralizes log analysis for detection and response, but it is a reactive measure that should be scoped and prioritized after the BIA identifies which systems and data require monitoring.

270
Multi-Selecthard

Which THREE of the following are valid methods to identify information security risks? (Choose three.)

Select 3 answers
A.Financial audit
B.Business impact analysis (BIA)
C.Threat modeling workshops
D.Vulnerability scanning
E.Penetration testing
AnswersB, C, D

BIA identifies critical processes and potential impact, helping to prioritize risks.

Why this answer

Options B, C, and D are correct. Business impact analysis, threat modeling, and vulnerability scanning are established risk identification methods. Option E is wrong because penetration testing identifies vulnerabilities but is not typically a standalone risk identification method; it is a control test.

Option A is wrong because financial auditing is not a direct risk identification method for information security.

271
MCQhard

A company has a risk appetite that is 'low' for operational risks. A risk assessment recently identified that a high-speed trading platform has a residual risk rating of 'high' after controls are applied. The cost to further reduce the risk is $1 million, which exceeds the expected benefit. What is the most appropriate action for the risk owner?

A.Accept the residual risk with formal sign-off from senior management
B.Adjust the risk appetite to 'moderate' to align with the residual risk
C.Transfer the risk by taking out an insurance policy
D.Approve additional controls to lower residual risk regardless of cost
AnswerA

Since controls are not cost-effective, acceptance is appropriate with proper approval.

Why this answer

Option A is correct because risk acceptance requires explicit approval from senior management when residual risk exceeds appetite. Option B is wrong because risk appetite should not be changed without board approval, and the cost-benefit analysis indicates acceptance is more practical. Option D is wrong because implementing controls that are not cost-effective is not prudent.

Option C is wrong because risk transfer may not be available or cost-effective.

272
MCQmedium

An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?

A.Automate security compliance monitoring across all business units.
B.Update the information security policy to mandate compliance.
C.Conduct a risk assessment to identify gaps and prioritize remediation.
D.Implement additional security controls across all business units.
AnswerC

A risk assessment provides the basis for prioritizing controls and ensuring consistent application based on risk.

Why this answer

Conducting a risk assessment first (Option C) is the correct initial step because it systematically identifies where controls are failing or missing across business units, quantifies the associated risks, and prioritizes remediation based on business impact. Without this foundational analysis, any subsequent actions—such as automation, policy updates, or new controls—would lack direction and could waste resources on low-priority areas. This aligns with the CISM program lifecycle, where risk assessment drives all other program improvements.

Exam trap

ISACA often tests the principle that a risk assessment must precede any control implementation or policy change, tempting candidates to jump to automation or enforcement actions without first understanding the specific gaps.

How to eliminate wrong answers

Option A is wrong because automating compliance monitoring without first understanding which controls are inconsistently applied and why would simply automate the detection of known gaps without addressing root causes or prioritizing fixes. Option B is wrong because updating the policy to mandate compliance does not address the underlying issue of inconsistent application; it only reiterates requirements without providing a mechanism to identify or remediate the specific gaps. Option D is wrong because implementing additional controls across all business units without a prior risk assessment could introduce unnecessary complexity, increase costs, and fail to target the actual weaknesses, potentially creating new compliance gaps.

273
MCQeasy

A CISO is developing an information security governance framework for a financial institution. Which of the following is the PRIMARY purpose of such a framework?

A.Minimize risks to an acceptable level
B.Align security with business objectives
C.Ensure compliance with regulatory requirements
D.Deploy the latest security technologies
AnswerB

Governance ensures that security investments and activities support the business strategy and deliver value.

Why this answer

The primary purpose of information security governance is to ensure that security strategies are aligned with business objectives, enabling the organization to meet its goals. Option C is about compliance, which is a component but not the primary purpose. Option D focuses on technology deployment, which is operational.

Option A targets risk reduction, which is an outcome but not the core purpose of governance.

274
MCQmedium

You are the IT governance officer at a regional bank with 1,200 employees. The bank has a security policy that requires annual security awareness training for all staff. However, the compliance rate is only 60%. The board is concerned about regulatory risk and wants to improve compliance. The current training is a generic online module that takes 30 minutes to complete. Employees complain that the training is boring and not relevant to their roles. The training is managed by the HR department, which sends reminders but does not enforce consequences. Which of the following is the BEST course of action to improve training compliance and governance?

A.Outsource the training to a third-party provider.
B.Increase the frequency of reminder emails from monthly to weekly.
C.Implement a learning management system (LMS) to track completion.
D.Redesign the training to be role-specific and mandate completion in the security governance framework with consequences for non-compliance.
AnswerD

Addresses both relevance and enforcement, key governance components.

Why this answer

Option D is correct because it addresses both the root cause (irrelevant training) and the governance gap (lack of enforcement). By redesigning training to be role-specific, employees see direct relevance, which improves engagement and retention. Mandating completion within the security governance framework and attaching consequences (e.g., access revocation) creates accountability, directly driving compliance from 60% toward the board's target.

Exam trap

The trap here is that candidates often mistake tracking (Option C) for enforcement, failing to recognize that governance requires both visibility and consequences to drive compliance.

How to eliminate wrong answers

Option A is wrong because outsourcing to a third-party provider does not fix the core issues of relevance or enforcement; it merely shifts the same generic content to another vendor, and without governance authority, compliance may remain low. Option B is wrong because increasing reminder frequency from monthly to weekly only amplifies a failed communication tactic; it does not address employee motivation or enforce consequences, so it is unlikely to move compliance beyond 60%. Option C is wrong because implementing an LMS to track completion provides visibility but no enforcement mechanism; without mandating completion and attaching consequences, tracking alone does not compel behavior change.

275
Multi-Selecthard

An incident response team is analyzing a phishing email that successfully compromised a user's credentials. Which TWO indicators of compromise (IOCs) should the team prioritize collecting? (Choose two.)

Select 2 answers
A.The user's browser history.
B.The IP address of the sending server.
C.The malicious URL or attachment hash.
D.The user's personal phone number.
E.The company's public website.
AnswersB, C

Option B is correct because the sending server's IP address is a key IOC for attribution.

Why this answer

Options B and C are correct because the malicious URL/attachment hash and the sending IP are key IOCs for blocking and attribution. Option A may be useful but is not an IOC; Option D is irrelevant; Option E is not an IOC.

276
MCQeasy

Which of the following is the most important factor for ensuring the long-term success of an information security program?

A.Deployment of advanced security technologies.
B.Comprehensive security awareness training.
C.Strong support from top management.
D.Regular penetration testing.
AnswerC

Why this answer

Strong support from top management is the most important factor because it ensures the information security program receives adequate budget, organizational authority, and strategic alignment with business objectives. Without executive sponsorship, even the best technical controls can be undermined by resource constraints, policy non-compliance, or lack of cross-departmental cooperation. The CISM framework emphasizes that governance and leadership commitment are foundational to sustaining a security program over time.

Exam trap

The trap here is that candidates often mistake operational effectiveness (e.g., training or testing) for strategic success, overlooking that without top management support, no security initiative can be sustained or enforced across the organization.

Why the other options are wrong

A

Technology is a tool, not the foundation; it requires management support to be effective.

B

Training is important but not the most critical factor; without management support, training may lack resources.

D

Penetration testing is a tactical activity; it does not ensure program success without executive backing.

277
MCQmedium

After an incident is contained and eradicated, the incident response team conducts a post-incident review. Which of the following is the PRIMARY objective of this review?

A.Update security policies
B.Determine the financial impact
C.Assign blame to the responsible parties
D.Identify process improvements
AnswerD

The review aims to find lessons learned and improve incident response processes.

Why this answer

The main goal of a post-incident review is to identify process improvements to prevent future incidents. Option D is correct.

278
MCQhard

A security program lacks executive support. What is the best strategy to gain support?

A.Hire a security consultant to advise
B.Implement quick-win security improvements
C.Show risk quantification in business terms
D.Threaten regulatory fines for non-compliance
AnswerC

Quantified risk connects security to business impact, gaining executive attention.

Why this answer

Presenting risk in financial terms (risk quantification) resonates with executives, so Option C is correct. Options A, B, and D are less effective: hiring a consultant is temporary; quick wins may not address long-term support; threatening fines may breed resentment.

279
Multi-Selecteasy

Which TWO of the following are primary responsibilities of the board of directors with regard to information security governance? (Select exactly two.)

Select 2 answers
A.Performing vulnerability scans
B.Implementing security controls
C.Ensuring security strategy aligns with business goals
D.Approving the information security risk appetite
E.Conducting daily security monitoring
AnswersC, D

Governance responsibility.

Why this answer

Options C and D are correct. The board approves the risk appetite (D) and ensures the security strategy is aligned with business goals (C). A and B are management's role.

E is operational.

280
Multi-Selectmedium

During an audit of the information security program, the auditor identifies that several critical systems are not included in the incident response plan. Which of the following are the MOST appropriate actions for the security manager to take? (Select TWO.)

Select 2 answers
A.Implement compensating controls on the excluded systems
B.Document the finding and accept the risk
C.Immediately remove the excluded systems from production
D.Update the incident response plan to include all critical systems
E.Escalate the issue to senior management for decision
AnswersD, E

Updating the plan directly closes the gap identified in the audit.

Why this answer

Options D and E are correct. Escalating to senior management ensures proper awareness and authorization (E), and updating the plan to include all critical systems directly addresses the finding (D). Option A is wrong because implementing compensating controls is a temporary measure and does not solve the root cause.

Option C is wrong because immediately removing systems from production is too drastic and not justified. Option B is wrong because accepting the risk without analysis bypasses proper risk management.

281
MCQeasy

An organization is updating its information security program to align with business objectives. Which of the following is the PRIMARY benefit of integrating security risk management into the strategic planning process?

A.Aligns security investments with business priorities
B.Reduces the number of security incidents
C.Increases employee awareness of security policies
D.Ensures compliance with regulatory requirements
AnswerA

Integration ensures that security resources are allocated to risks most critical to business objectives.

Why this answer

Option A is correct because integrating security risk management into strategic planning ensures that security investments are prioritized based on business impact, aligning resources with the most critical risks. Option D is wrong because compliance is a legal requirement, not the primary benefit of integration. Option B is wrong because reducing incidents is a desirable outcome but not the primary benefit of integration.

Option C is wrong because awareness is an operational benefit, not a strategic one.

282
MCQmedium

A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?

A.Restore encrypted files from backup
B.Reboot the file server to clear the encryption
C.Isolate the affected systems from the network
D.Notify law enforcement
AnswerC

Isolation stops the ransomware from spreading and limits damage.

Why this answer

The first priority in ransomware incident response is containment to prevent the encryption from spreading to other systems. Isolating the affected file server from the network (e.g., disabling the network interface or disconnecting the cable) stops the ransomware from communicating with its command-and-control server and encrypting additional shares. This aligns with the NIST SP 800-61 containment strategy and ensures that the incident response team can safely preserve forensic evidence before any remediation.

Exam trap

The trap here is that candidates often choose 'Restore from backup' first because it seems like a direct fix, but CISM emphasizes containment before eradication or recovery to limit damage and preserve forensic integrity.

How to eliminate wrong answers

Option A is wrong because restoring from backup before containment risks re-encrypting the restored files if the ransomware is still active on the network, and it may overwrite forensic evidence. Option B is wrong because rebooting the file server does not clear encryption—ransomware encrypts files at rest using asymmetric cryptography, and a reboot simply restarts the OS without reversing the encryption; it may also trigger the ransomware to encrypt additional data on startup. Option D is wrong because notifying law enforcement is a secondary step that should occur after containment and evidence preservation, and premature notification can delay critical containment actions.

283
Multi-Selectmedium

Which TWO of the following are key components of an effective incident response plan?

Select 2 answers
A.A clear chain of command and escalation procedures.
B.Automatic detection and response tools.
C.Predefined response scripts for every possible incident.
D.A communication plan for internal and external stakeholders.
AnswersA, D

This ensures decision-making authority is defined.

Why this answer

A clear chain of command and escalation procedures ensure that during an incident, decision-making authority and notification paths are predefined, reducing confusion and enabling rapid, coordinated response. This aligns with NIST SP 800-61 incident response guidelines, which emphasize the need for defined roles and communication hierarchies to avoid delays or missteps in critical situations.

Exam trap

ISACA often tests the distinction between the plan's structural components (like chain of command and communication plans) and operational tools or overly rigid scripts, tempting candidates to select automatic tools or exhaustive scripts as key components when they are not foundational to the plan's design.

284
MCQhard

A government agency is criticized for poor security governance after a data breach. An external review finds that security policies are not aligned with the agency's mission. The director wants to implement a governance framework that ties security to strategic objectives. Which framework is most suitable?

A.NIST Cybersecurity Framework
B.PCI DSS
C.COBIT 2019
D.ISO 27001
AnswerC

Specifically designed for governance and linking security to business objectives.

Why this answer

Option C is correct because COBIT is designed for governance and alignment with enterprise goals. Option D (ISO 27001) is a management system standard. Option A (NIST Cybersecurity Framework) is operational in focus.

Option B (PCI DSS) is industry-specific.

285
Multi-Selecthard

Which TWO of the following are appropriate actions to take during the detection phase of incident management?

Select 2 answers
A.Activate the incident response team
B.Collect and analyze logs
C.Rebuild systems from backups
D.Conduct root cause analysis
E.Preserve evidence
AnswersA, B

Once an incident is suspected, the team should be mobilized.

Why this answer

During detection, the organization activates the incident response team and collects and analyzes logs to confirm the incident. Root cause analysis occurs later, evidence preservation takes place during containment, and rebuilding systems is part of recovery.

286
MCQhard

A security operations center (SOC) analyst receives an alert from the SIEM indicating a potential command and control (C2) communication. The alert is based on a signature that matches known C2 traffic. What is the MOST appropriate next step?

A.Block the destination IP address at the firewall
B.Escalate the alert to the incident response team immediately
C.Verify the alert by correlating with other log sources
D.Perform a full antivirus scan on all endpoints
AnswerC

Correlation with other logs confirms if it's a true positive.

Why this answer

Verifying the alert by checking other log sources (e.g., firewall, DNS) reduces false positives before escalating. Escalating immediately (B) may waste resources. Blocking the IP (A) could be premature if the destination is legitimate.

Running a full antivirus scan (D) is a reactive, not investigative step.

287
MCQhard

After a data breach, the CISO reviews the security program. The breach exploited a known vulnerability in a legacy system that was deemed 'acceptable risk' two years ago. What should the CISO do to improve the program?

A.Establish a policy that legacy systems must be upgraded annually.
B.Disconnect the legacy system from the network immediately.
C.Implement a process for periodic reassessment of accepted risks.
D.Require immediate remediation of all legacy systems.
AnswerC

Ensures that risk acceptance stays current with evolving threats and business context.

Why this answer

Periodic reassessment ensures that risk acceptance decisions remain valid as threat and business environments change.

288
MCQeasy

A company's IDS alerts on a potential breach. The incident response team is called. What should they do immediately?

A.Verify the alert and assess scope
B.Disconnect all network cables
C.Notify law enforcement
D.Reimage affected systems
AnswerA

Correct: Verification confirms the alert and assessment determines the extent.

Why this answer

The first step is to verify the alert and assess the scope to determine if it's a true positive and understand the impact.

289
MCQhard

A healthcare organization is merging with another entity and must integrate their IT systems. During due diligence, it is discovered that the acquired company has a high number of unpatched critical vulnerabilities in its electronic health record (EHR) system. The merger timeline is aggressive and the integration team wants to proceed as planned. As the risk manager, what is the best course of action?

A.Accept the risk because the vulnerabilities are in the legacy system which will be replaced.
B.Transfer the risk by purchasing cyber insurance for the combined entity.
C.Recommend delaying the integration until vulnerabilities are patched.
D.Proceed with integration but implement compensating controls like network segmentation.
AnswerC

Delay remediates the root cause before exposure increases.

Why this answer

Delaying integration until the critical vulnerabilities are patched is the most prudent action to prevent exploitation during and after integration. Proceeding with compensating controls may not be sufficient given the criticality, and accepting the risk could lead to a major breach. Insurance does not prevent the breach.

290
MCQeasy

An organization plans to implement ISO/IEC 27001 to formalize its information security management system. Which step is most critical to ensure successful implementation?

A.Conduct a comprehensive risk assessment
B.Obtain commitment from top management
C.Develop detailed information security policies
D.Train all employees on security awareness
AnswerB

Top management involvement provides necessary resources and authority for the ISMS.

Why this answer

ISO 27001 emphasizes top management commitment as a key success factor. Without it, resources, authority, and support may be lacking. Option A (risk assessment) is important but comes after commitment.

Option C (policy development) and D (training) are subsequent steps.

291
MCQhard

A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?

A.Number of security alerts triaged per day.
B.Reduction in average cost per security incident over the past year.
C.Time to patch critical vulnerabilities.
D.Percentage of systems with endpoint protection installed.
AnswerB

Directly ties security program effectiveness to financial impact.

Why this answer

The reduction in average cost per security incident directly translates security program outcomes into financial terms that resonate with the board. This metric demonstrates the program's effectiveness by quantifying the monetary value of improved prevention, detection, and response capabilities, aligning with the CISM focus on governance and business alignment.

Exam trap

The trap here is that candidates often choose a technical or operational metric (like time to patch or alert volume) because it seems directly measurable, but the CISM exam emphasizes that the board cares about business impact and financial outcomes, not technical details.

How to eliminate wrong answers

Option A is wrong because the number of security alerts triaged per day is an operational metric that measures activity volume, not effectiveness or business value; a high volume could indicate poor tuning or false positives, not a mature program. Option C is wrong because time to patch critical vulnerabilities is a technical compliance metric that measures remediation speed, not the overall security program's effectiveness in reducing business risk or cost. Option D is wrong because the percentage of systems with endpoint protection installed is a coverage metric that does not reflect the actual performance of the security controls or their impact on incident costs; it ignores detection efficacy, response quality, and business outcomes.

292
MCQmedium

In developing a security awareness program, which factor is most important for effectiveness?

A.Use of phishing simulations
B.Tailoring content to the target audience
C.Frequency of training sessions
D.Management endorsement
AnswerB

Customized content addresses specific risks and roles.

Why this answer

Tailoring content to the audience ensures relevance and engagement, so Option B is correct. Option C (frequency) is secondary; Option D (management endorsement) helps but is not the most important factor; Option A (phishing simulations) is a tactic, not the determining factor.

293
Multi-Selecteasy

Which TWO of the following are indicators of a potential security incident?

Select 2 answers
A.Low disk space on a file server.
B.Multiple unexpected system reboots.
C.A new version of a critical software released.
D.A successful login by an authorized user.
E.Unusual outbound network traffic from a server.
AnswersB, E

May indicate malware or unauthorized activity.

Why this answer

Multiple unexpected system reboots (B) are a strong indicator of a potential security incident because they may result from malware, kernel-level exploits, or denial-of-service attacks that crash the operating system. Unusual outbound network traffic from a server (E) often indicates data exfiltration, command-and-control (C2) communication, or a compromised service sending sensitive data to an external host. Both behaviors deviate from baseline operations and warrant immediate investigation under the Incident Management domain.

Exam trap

ISACA often tests the distinction between operational issues (like low disk space) and true security incident indicators, trapping candidates who confuse performance alerts with signs of compromise.

294
MCQeasy

An organization's security monitoring system detects multiple failed login attempts from an internal IP address to a critical database server. The attempts are occurring every few seconds. What is the FIRST step the incident response team should take?

A.Block the IP address at the firewall immediately.
B.Disable the database server to prevent data breach.
C.Verify whether the activity is legitimate.
D.Reset the password of the database service account.
AnswerC

Verification prevents unnecessary actions and confirms the incident.

Why this answer

The first step is to verify if the activity is legitimate or malicious to avoid false positives and understand the context.

295
MCQmedium

A security analyst detects unusual outbound network traffic from a database server to an unknown IP address. The traffic uses encrypted connections on port 443. Which type of attack is MOST likely occurring?

A.Data exfiltration
B.SQL injection
C.Ransomware
D.Denial of service
AnswerA

Encrypted outbound traffic to an unknown IP is a classic sign of data exfiltration.

Why this answer

The encrypted outbound traffic on port 443 (HTTPS) from a database server to an unknown IP is a classic indicator of data exfiltration. Attackers often use encrypted channels to bypass network security controls, as the contents of the traffic cannot be inspected by DLP or IDS/IPS systems. The database server is a high-value target for sensitive data, making this the most likely attack scenario.

Exam trap

The trap here is that candidates may confuse the encrypted traffic on port 443 with legitimate database replication or backup traffic, but the unknown destination IP and unusual outbound pattern from a database server are key red flags for exfiltration, not a normal administrative function.

How to eliminate wrong answers

Option B is wrong because SQL injection is an initial access or data manipulation technique that typically generates database query errors or unexpected SQL traffic, not encrypted outbound connections to unknown IPs. Option C is wrong because ransomware usually involves file encryption and ransom notes, often using known C2 servers or SMB/HTTP for propagation, not stealthy encrypted outbound data streams from a database server. Option D is wrong because a denial of service attack aims to overwhelm resources with high-volume traffic, not stealthy encrypted connections on a single port to an unknown IP.

296
MCQeasy

Refer to the exhibit. A company implements this data classification scheme. Which risk is most likely introduced by this scheme?

A.Over-classification of data, increasing administrative burden
B.Under-classification of internal data, leading to exposure
C.Inability to audit data access
D.Inconsistent handling of confidential data
AnswerB

Without an 'Internal' label, internal data may be labeled Public, exposing it unintentionally.

Why this answer

The classification scheme lacks an 'Internal' label for data that is not public but not highly sensitive. Employees may misclassify internal data as Public or Confidential, leading to under- or over-classification. Specifically, internal data (e.g., internal memos) may be incorrectly labeled as Public (under-classification) because there is no appropriate label.

Option A (over-classification) would happen if Confidential is used for internal data, but the greater risk is under-classification of internal data.

297
MCQhard

A large financial institution is maturing its information security program and wants to move from a reactive to a proactive posture. Which of the following initiatives would best support this transition?

A.Deploy an automated compliance monitoring tool.
B.Implement a bug bounty program to uncover vulnerabilities.
C.Establish a threat intelligence unit that analyzes adversary tactics and shares indicators across the organization.
D.Increase the number of security operations center (SOC) analysts.
AnswerC

Threat intelligence provides actionable information to prevent attacks before they occur.

Why this answer

The correct answer is C because threat intelligence enables proactive identification and mitigation of emerging threats. Option D (more SOC analysts) adds monitoring capacity but remains reactive. Option B (bug bounty program) is useful but externally focused and limited in scope.

Option A (compliance automation) does not address proactive threat management.

298
MCQeasy

A retail company's security governance includes a policy that all software must be approved by a security committee. This delays critical business applications. The CIO complains. How should the CISO adjust governance?

A.Increase committee meeting frequency
B.Implement a risk-based approval process with expedited paths
C.Remove the approval requirement
D.Automate software approval
AnswerB

Speeds up low-risk approvals while maintaining security.

Why this answer

Option B is correct because a risk-based approval process with expedited paths balances security and agility. Option C removes the control entirely. Option D automates the process but may not address the root cause of the delays.

Option A increases meeting frequency but not efficiency.

299
MCQmedium

A company's security program includes a policy that all employees must use strong passwords and change them every 90 days. However, the recent internal audit shows that 60% of employees have passwords that do not meet the strength requirements. What is the most effective corrective action?

A.Conduct quarterly password audits with manual checks
B.Increase the frequency of security awareness training
C.Implement technical controls to enforce password strength
D.Extend the password change interval to 180 days
AnswerC

Technical enforcement (e.g., complexity rules) ensures compliance.

Why this answer

Option C is correct because automated enforcement ensures policy compliance without relying on user behavior change. Option B is wrong because training alone is insufficient. Option D is wrong because extending the change interval reduces security and does not address the root cause.

Option A is wrong because audits detect but do not prevent non-compliance.

300
MCQeasy

Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

A.To provide early warning signals of increasing risk
B.To report on past incidents and losses
C.To measure the effectiveness of security controls
D.To demonstrate compliance with regulations
AnswerA

KRIs indicate potential risk changes.

Why this answer

Option A is correct because KRIs provide early warnings about changes in risk levels. Option C is wrong because measuring control effectiveness describes a Key Performance Indicator (KPI). Option D is wrong because KRIs measure risk, not compliance.

Option B is wrong because KRIs are predictive, not historical.
