Certified Information Security Manager CISM (CISM) — Questions 301–375

500 questions total · 7 pages · All types, answers revealed


Page 5 of 7

301
Matching · medium

Match each security control type to its example.

Examples:

Firewall blocking unauthorized traffic

Intrusion detection system alerting on anomalies

Restoring system from backup after breach

Security warning banners on login

Additional authentication for legacy systems

Why these pairings

Each example illustrates one control category: a firewall blocking unauthorized traffic is preventive; an intrusion detection system alerting on anomalies is detective; restoring a system from backup after a breach is corrective; security warning banners on login are deterrent; and additional authentication placed in front of a legacy system that cannot be fixed directly is compensating.

302
Multi-Select · hard

A security team detects lateral movement within the network using PowerShell scripts. Which TWO actions are MOST effective to contain the threat?

Select 2 answers
A.Conduct memory forensics on affected endpoints.
B.Implement network segmentation to isolate affected VLANs.
C.Disable PowerShell remoting on all systems.
D.Apply the latest security patches to all systems.
E.Isolate the affected systems immediately.
Answers: C, E

Isolating the affected hosts and disabling PowerShell remoting both stop the attacker from using the current foothold to reach further systems.

Why this answer

Options C and E are correct because containment means stopping the spread: isolating the affected systems cuts the attacker's current sessions, and disabling PowerShell remoting removes the vector being used to move laterally. Option A (memory forensics) is investigation, not containment; it is performed after, or on captures taken during, isolation. Option B (re-segmenting VLANs) is a network architecture change that takes too long to count as immediate containment. Option D (patching) is eradication and hardening, not containment.

Caveat for practitioners: disabling remoting on every system also breaks legitimate administration. In practice the same effect is usually obtained by restricting WinRM listeners to management hosts, constraining who may connect (the Remote Management Users group and JEA endpoints), and enabling script block logging so that any remaining use is visible.
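As an added example (not part of this question bank), the following Python script shows the detection side of the scenario: it runs over constructed Windows process-creation and script-block events, reconstructs the chain of remoting hops, and produces the list of hosts to isolate. The field names and the sample events are assumptions, not a vendor schema.

```python
"""Flag PowerShell remoting used for lateral movement and list hosts to isolate.

Added example, not part of the question bank. The records below are
constructed to resemble Windows Security 4688 (process creation with command
line) and PowerShell 4104 (script block logging) events; the field names are
assumptions, not a vendor schema.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "WS01", "event_id": 4688, "user": "CORP\\jdoe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBuAHYAbwBrAGUA"},
    {"host": "WS01", "event_id": 4104, "user": "CORP\\jdoe",
     "script_block": "Invoke-Command -ComputerName FS01 -ScriptBlock { whoami /all }"},
    {"host": "FS01", "event_id": 4104, "user": "CORP\\jdoe",
     "script_block": "Enter-PSSession -ComputerName dc01"},
    {"host": "WS02", "event_id": 4104, "user": "CORP\\asmith",
     "script_block": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"host": "DC01", "event_id": 4688, "user": "CORP\\jdoe",
     "command_line": "wsmprovhost.exe -Embedding"},
]

# Cmdlets that open a session or run code on another machine.
REMOTING = re.compile(r"\b(Invoke-Command|Enter-PSSession|New-PSSession|"
                      r"Invoke-WmiMethod|Invoke-CimMethod)\b", re.IGNORECASE)
TARGET = re.compile(r"-ComputerName\s+([\w.-]+)", re.IGNORECASE)
# Launch flags that legitimate administration rarely needs together.
EVASION_FLAGS = re.compile(r"(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden\b)",
                           re.IGNORECASE)


def _text(ev):
    return ev.get("script_block") or ev.get("command_line") or ""


def lateral_moves(events):
    """Return (source_host, target_host, user) for each remoting command with a target."""
    moves = []
    for ev in events:
        text = _text(ev)
        if REMOTING.search(text):
            m = TARGET.search(text)
            if m:
                moves.append((ev["host"].upper(), m.group(1).upper(), ev["user"]))
    return moves


def movement_chain(events):
    """Adjacency map source -> sorted targets, showing how far the attacker reached."""
    chain = defaultdict(set)
    for src, dst, _ in lateral_moves(events):
        chain[src].add(dst)
    return {src: sorted(dsts) for src, dsts in chain.items()}


def hosts_to_isolate(events):
    """Hosts on either end of a remoting hop, plus hosts that ran PowerShell with
    evasion flags or wsmprovhost.exe (the server-side process of a WinRM session)."""
    hosts = set()
    for src, dst, _ in lateral_moves(events):
        hosts.update((src, dst))
    for ev in events:
        text = _text(ev)
        if EVASION_FLAGS.search(text) or "wsmprovhost.exe" in text.lower():
            hosts.add(ev["host"].upper())
    return sorted(hosts)


if __name__ == "__main__":
    print("chain:", movement_chain(EVENTS))
    print("isolate:", hosts_to_isolate(EVENTS))
```

Run stand-alone it reconstructs the chain WS01 to FS01 to DC01 and lists those three hosts for isolation while leaving WS02, whose script block is ordinary administration, alone. The evasion-flag rule is a heuristic and will also match some legitimate scripted administration, so it is used here to widen the isolation set during a confirmed incident, not as a standalone alert.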

303
Multi-Select · medium

Which THREE of the following are responsibilities of the board of directors regarding information security governance?

Select 3 answers
A.Approve the information security strategy
B.Respond to security incidents
C.Conduct vulnerability scans
D.Authorize the security budget
E.Set the organization's risk appetite
Answers: A, D, E

The board ensures the strategy aligns with business goals.

Why this answer

The board is responsible for approving the security strategy, setting risk appetite, and authorizing the budget. Conducting vulnerability scans is an operational task for technical staff. Responding to incidents is management's responsibility.

304
MCQ · hard

The SIEM alerts on this traffic. What should the incident analyst do FIRST?

A.Isolate the host for investigation.
B.Accept the traffic as normal.
C.Block the IP at the firewall.
D.Check if the destination is a legitimate CDN.
Answer: A

Threat intelligence points to C2, so isolating the host contains the risk while the analyst investigates.

Why this answer

Option A is correct because the threat intelligence suggests command-and-control traffic, so isolating the host prevents further data loss or lateral movement while the investigation proceeds. Option C (blocking the IP at the firewall) is a possible step, but it cuts only one destination and leaves the compromised host free to reach a fallback C2 address; host isolation is the broader first containment action. Option D (checking whether the destination is a legitimate CDN) is worth doing, since C2 frequently hides behind CDN infrastructure, but it belongs to analysis rather than preceding containment. Option B (accepting the traffic as normal) dismisses a threat-intelligence match without investigation.

305
MCQ · easy

Which is a key component of an information security program?

A.Encryption technology
B.Firewall
C.Antivirus software
D.Security policy
Answer: D

Policies establish the governance framework for the program.

Why this answer

Option D is correct because a security policy is foundational: it defines the rules, scope and responsibilities that the rest of the program implements. Options A, B and C are technical controls or tools that a program may deploy, not components of the program itself.

306
MCQ · medium

Refer to the exhibit. Given the exhibit, which type of incident is MOST likely occurring?

A.Phishing campaign
B.Ransomware attack
C.Insider threat
D.DDoS attack
Answer: C

The user's behaviour, accessing and exfiltrating sensitive data with legitimate credentials, is characteristic of an insider threat.

Why this answer

The exhibit shows a user logging in from an unusual location, attempting unauthorized access, and then exfiltrating sensitive data. This pattern, a legitimate account performing malicious actions, is indicative of an insider threat, so Option C is correct. A phishing campaign (A) would show inbound lure messages rather than data leaving; ransomware (B) would show mass file encryption; a DDoS (D) would show inbound volume rather than outbound transfers. An analyst should still confirm that the account has not simply been stolen, since the same sequence appears when an outsider uses compromised credentials.
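As an added example that is not part of the exhibit or the question bank, the following Python correlates events per account into the three-stage pattern the explanation describes: a login from an unusual location, a denied access attempt, then a large outbound transfer, in that order and within a time window. The baseline of usual countries, the transfer threshold, the field names and the events themselves are constructed.

```python
"""Correlate per-user events into an insider-threat pattern.

Added example, not part of the question bank. Event records and field names
(ts, user, type, country, result, resource, bytes, dest) are constructed to
mirror the exhibit: a login from an unusual location, an unauthorized access
attempt, then a large outbound transfer by the same account.
"""
from datetime import datetime, timedelta

# Countries each account normally logs in from (constructed baseline).
USUAL_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US", "CA"}}
EXFIL_THRESHOLD = 500 * 1024 * 1024   # bytes; >= 500 MiB out counts as exfiltration-sized
WINDOW = timedelta(hours=2)           # all three stages must occur within this window

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2024-05-06T08:55:00", "user": "asmith", "type": "login", "country": "CA"},
    {"ts": "2024-05-06T09:00:00", "user": "jdoe", "type": "login", "country": "RO"},
    {"ts": "2024-05-06T09:05:00", "user": "asmith", "type": "access",
     "resource": "\\\\fs01\\engineering", "result": "allowed"},
    {"ts": "2024-05-06T09:10:00", "user": "jdoe", "type": "access",
     "resource": "\\\\fs01\\finance\\payroll", "result": "denied"},
    {"ts": "2024-05-06T09:12:00", "user": "jdoe", "type": "access",
     "resource": "\\\\fs01\\finance\\contracts", "result": "allowed"},
    {"ts": "2024-05-06T09:30:00", "user": "jdoe", "type": "transfer",
     "dest": "203.0.113.7", "bytes": 800 * 1024 * 1024},
    {"ts": "2024-05-06T09:40:00", "user": "asmith", "type": "transfer",
     "dest": "198.51.100.20", "bytes": 2 * 1024 * 1024},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def insider_threat_hits(events, usual=USUAL_COUNTRIES, window=WINDOW,
                        threshold=EXFIL_THRESHOLD):
    """Return {user: summary} for accounts that, in order and within `window`:
    1. log in from a country not in their baseline,
    2. are denied access to a resource,
    3. send at least `threshold` bytes to a destination.
    """
    by_user = {}
    for ev in sorted(events, key=_ts):
        by_user.setdefault(ev["user"], []).append(ev)

    hits = {}
    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login["type"] != "login" or login.get("country") in usual.get(user, set()):
                continue
            start = _ts(login)
            later = [e for e in evs[i + 1:] if _ts(e) - start <= window]
            denied = next((e for e in later
                           if e["type"] == "access" and e.get("result") == "denied"), None)
            if denied is None:
                continue
            xfer = next((e for e in later
                         if e["type"] == "transfer" and _ts(e) > _ts(denied)
                         and e.get("bytes", 0) >= threshold), None)
            if xfer is None:
                continue
            hits[user] = {
                "login_country": login["country"],
                "denied_resource": denied["resource"],
                "bytes_out": xfer["bytes"],
                "destination": xfer["dest"],
                "minutes_from_login": int((_ts(xfer) - start).total_seconds() // 60),
            }
            break
    return hits


if __name__ == "__main__":
    for user, summary in insider_threat_hits(EVENTS).items():
        print(user, summary)
```

Only jdoe matches: asmith's login country is in that account's baseline, and the small transfer never reaches the threshold. The same sequence would fire for stolen credentials, which is why a hit starts an investigation of the account and its sessions rather than a conclusion about the employee.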

307
MCQ · medium

Based on the exhibit, what is the most significant security gap in this configuration?

A.The intrusion detection system is set to alert-only, so it cannot block attacks.
B.The vendor baseline is CIS Level 1, which may be too permissive.
C.The firewall allows inbound HTTPS from any source to web servers.
D.The database port 3306 is exposed to web servers without encryption.
Answer: A

Without prevention, attacks may succeed before a manual response can happen.

Why this answer

The exhibit is a JSON policy that puts the IDS in alert-only mode for critical and high signatures, allows web servers to reach the database on port 3306 (MySQL) with no encryption or authentication specified, and sets the vendor baseline to CIS Level 1. Option A is the most significant gap: an alert-only sensor detects but never blocks, so an attack can run to completion in the time it takes a human to read the alert and respond. Option B is a hardening concern, but Level 1 is a reasonable starting baseline and its weakness is less direct than the absence of prevention. Option C is normal for an internet-facing web tier; HTTPS from any source is the service being offered. Option D is a real weakness (traffic between the tiers should be encrypted and the application should use a least-privilege database account), but it only matters once an attacker has reached the web tier, whereas the alert-only IDS affects every attack path.

308
MCQ · medium

TechStart, a cloud-based startup, has rapidly grown from 50 to 500 employees. It lacks a formal security governance structure. The CEO asks the CISO to develop one. The CISO finds that the company's culture values speed over compliance. The board expects a governance framework within three months. What is the most practical approach?

A.Implement a full COBIT framework immediately
B.Defer governance until after the next product launch
C.Start with a lean governance model, focusing on critical assets and compliance requirements
D.Focus solely on technical controls like firewalls and IAM
Answer: C

This balances speed with essential governance.

Why this answer

Option C is correct because a lean governance model that starts with critical assets and compliance requirements is achievable within three months and respects a culture that values speed. Option A is too heavy to stand up immediately. Option B postpones governance and risks non-compliance. Option D neglects governance altogether by treating technical controls as a substitute for it.

309
MCQ · easy

Based on the exhibit, which role is responsible for notifying affected users about the phishing attack?

A.Technical Lead
B.Legal Counsel
C.Incident Response Manager
D.Communications Lead
Answer: D

The communications lead handles internal and external communications.

Why this answer

The Communications Lead is responsible for notifying affected users about the phishing attack because this role manages external and internal communications, including user notifications, during an incident. In the exhibit, the Communications Lead is explicitly assigned the task of 'Notify affected users' under the communication plan, ensuring timely and accurate messaging to reduce further risk.

Exam trap

ISACA often tests the misconception that the Incident Response Manager handles all communications, but the trap here is that the IR Manager delegates user notification to the Communications Lead to maintain separation of duties and focus on technical containment.

How to eliminate wrong answers

Option A is wrong because the Technical Lead focuses on technical remediation (e.g., isolating systems, analyzing logs) and does not handle user notifications, which is a communications function. Option B is wrong because Legal Counsel advises on regulatory compliance and liability but does not directly notify users; their role is to review messaging for legal risk, not to execute the notification. Option C is wrong because the Incident Response Manager coordinates the overall response and decision-making but delegates user notification to the Communications Lead to avoid bottlenecks and ensure specialized handling.

310
MCQ · easy

An organization has an incident response plan that designates a primary and alternate incident response team. During a simulated ransomware attack, the primary team is unavailable. What should the alternate team do FIRST?

A.Contact the primary team members for instructions.
B.Declare a disaster and escalate to senior management.
C.Execute the incident response plan as documented.
D.Assess the situation and then activate the plan.
Answer: D

Assessment first ensures appropriate response based on current conditions.

Why this answer

Option D is correct because the alternate team must first assess the situation to understand the scope, impact, and validity of the ransomware attack before activating the plan. This aligns with the NIST SP 800-61 incident response lifecycle, where detection and analysis precede containment, eradication, and recovery. Jumping directly to execution without assessment could lead to inappropriate response actions, such as isolating systems that are not affected or failing to preserve critical forensic evidence.

Exam trap

The trap here is that candidates often confuse 'activating the plan' with 'executing the plan immediately,' but CISM emphasizes that assessment is a mandatory first step before any plan activation to ensure the response is appropriate for the specific incident.

How to eliminate wrong answers

Option A is wrong because the primary team is unavailable by design in this scenario, and contacting them for instructions would cause unnecessary delay and violate the purpose of having an alternate team. Option B is wrong because declaring a disaster and escalating to senior management is premature; the incident must first be assessed to determine if it meets the disaster declaration criteria, which typically involve significant business impact or data loss. Option C is wrong because executing the incident response plan as documented without first assessing the situation ignores the need to tailor the response to the specific ransomware variant, affected systems, and current network state, which could lead to ineffective or harmful actions.

311
Multi-Select · medium

Which THREE elements are essential for an effective information security governance framework?

Select 3 answers
A.Clear accountability structure
B.Board or executive oversight
C.Free and open-source security tools
D.Comprehensive security policies
E.Formal risk appetite statement
Answers: A, B, D

Assigning responsibilities ensures governance is implemented.

Why this answer

Options A, B and D are correct: board or executive oversight gives strategic direction, security policies provide the foundation, and a clear accountability structure assigns responsibility for carrying them out. Option C is wrong because the choice of tools, free or commercial, is an operational matter, not a governance element. Option E is wrong for this item because a risk appetite statement is an output of governance rather than one of the framework's structural elements, although a mature framework will produce one.

312
MCQ · medium

A multinational corporation must comply with both GDPR and CCPA. Which governance approach is most effective?

A.Create a single rigid unified policy applicable everywhere
B.Develop a unified data protection framework with regional adjustments
C.Implement separate compliance programs for each regulation
D.Outsource compliance to a third-party service provider
Answer: B

This approach balances consistency with the flexibility needed to address local regulations.

Why this answer

A unified data protection framework with regional adjustments allows consistency while meeting each regulation's specific requirements. Option A (a rigid unified policy) may not satisfy all local laws. Option C (separate programs) increases complexity and cost. Option D (outsourcing) shifts the work but not the accountability, and does not ensure governance effectiveness.

313
Multi-Select · medium

A financial institution is implementing a risk-based approach to prioritize its information security initiatives. The risk manager has completed a risk assessment and identified several risks with varying impact and likelihood. Which TWO of the following are the most important benefits of using the risk assessment results to determine the order of security projects?

Select 2 answers
A.Aligns security spending with business objectives
B.Provides a defensible justification for security investments
C.Eliminates the need for qualitative analysis
D.Ensures compliance with all applicable regulations
E.Reduces the total number of security controls needed
Answers: A, B

Risk assessment results let the institution prioritize by business impact.

Why this answer

Option A is correct because aligning security spending with business objectives ensures resources go to the risks that matter most. Option B is correct because risk assessment results provide objective data that justify security investments to stakeholders. Option C is wrong because quantitative and qualitative analyses complement each other; the assessment does not eliminate either. Option D is wrong because compliance is not the primary benefit, and a risk assessment may not cover every regulatory requirement. Option E is wrong because a risk assessment often leads to more controls, not fewer.

314
MCQ · medium

An organization is implementing a new cloud-based ERP system. Which of the following is the MOST important action for the information security manager to ensure alignment with the organization's risk appetite?

A.Conduct a risk assessment to identify and evaluate risks associated with the cloud deployment.
B.Review the cloud provider's SOC 2 report for compliance with relevant regulations.
C.Negotiate contract terms including data protection clauses with the cloud provider.
D.Develop a detailed access control policy specifically for the cloud ERP system.
Answer: A

A risk assessment directly aligns security measures with risk appetite.

Why this answer

Conducting a risk assessment (A) is the most important action because it directly evaluates the cloud ERP deployment against the organization's risk appetite, identifying, analyzing, and evaluating risks such as data exposure, vendor lock-in, and compliance gaps. This foundational step ensures that subsequent controls, contracts, and policies are aligned with the acceptable level of risk, as defined by the organization's risk tolerance thresholds.

Exam trap

The trap here is that candidates often confuse operational due diligence (like reviewing SOC 2 reports or negotiating contracts) with the strategic governance action of aligning with risk appetite, which must start with a risk assessment to define the baseline for all subsequent decisions.

How to eliminate wrong answers

Option B is wrong because reviewing a SOC 2 report is a due diligence activity that assesses the cloud provider's controls, but it does not inherently align the deployment with the organization's specific risk appetite; it only verifies compliance with predefined criteria. Option C is wrong because negotiating contract terms, while important for legal protection, occurs after risks are identified and does not ensure alignment with risk appetite without a prior risk assessment to inform those terms. Option D is wrong because developing a detailed access control policy is a tactical control implementation that addresses a subset of risks, but it does not provide the strategic alignment with risk appetite that a comprehensive risk assessment achieves.

315
MCQ · hard

You are the CISM for a mid-sized e-commerce company that processes credit card transactions. The company recently experienced a security incident where an attacker exploited a vulnerability in the web application to gain access to the customer database containing payment card information. The incident response team contained the breach, but the root cause analysis revealed that the vulnerability had been identified in a penetration test six months ago but was not remediated due to competing priorities. The company's risk management framework defines risk appetite as 'moderate' for information security risks. The board is concerned and has asked you to recommend improvements to prevent recurrence. The company has a limited budget and cannot implement all possible controls. Current environment: web application developed in-house, hosted on-premises, with a mix of virtual and physical servers. The security team consists of three people responsible for monitoring, incident response, and vulnerability management. The development team follows an agile methodology with bi-weekly sprints. The company has cyber liability insurance that covers breach response costs up to $2 million. Based on this scenario, what is the most effective course of action?

A.Hire two additional security analysts to improve monitoring and incident response.
B.Implement a formal vulnerability management program with defined remediation SLAs based on risk severity.
C.Increase cyber liability insurance coverage to $5 million to cover potential breach costs.
D.Rewrite the web application using a secure development framework to eliminate vulnerabilities.
Answer: B

This directly addresses the failure to remediate known vulnerabilities, ensuring timely fixes.

Why this answer

Option B is correct because a formal vulnerability management program with defined remediation SLAs directly addresses the root cause: the known vulnerability was not patched due to competing priorities. By tying remediation timelines to risk severity (e.g., critical vulnerabilities patched within 7 days, high within 30 days), the company operationalizes its 'moderate' risk appetite and ensures that penetration test findings are acted upon before they can be exploited. This is the most cost-effective approach given the limited budget, as it leverages existing staff and processes rather than requiring new hires or expensive rewrites.

Exam trap

ISACA often tests the misconception that increasing insurance or hiring more staff is the primary solution to a risk management failure, when in fact the core issue is the lack of a process to enforce remediation of known vulnerabilities within the organization's risk appetite.

How to eliminate wrong answers

Option A is wrong because hiring two additional security analysts improves monitoring and incident response but does not fix the underlying issue of unpatched vulnerabilities; the attacker exploited a known vulnerability that should have been remediated, not a detection gap. Option C is wrong because increasing cyber liability insurance to $5 million only transfers financial risk after a breach, it does not prevent recurrence of the vulnerability exploitation and violates the principle of reducing risk to an acceptable level. Option D is wrong because rewriting the web application using a secure development framework is a long-term, high-cost solution that exceeds the limited budget and does not address the immediate need to remediate existing vulnerabilities; it also ignores the fact that the current application is already in production and needs a process for ongoing vulnerability management.
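As an added example (not the company's or the question bank's code), the following Python shows what the "defined remediation SLAs based on risk severity" in Option B look like once operationalized: each finding gets a deadline from its severity, and the tracker reports overdue items and an SLA compliance rate. The critical (7 days) and high (30 days) values come from the explanation above; the medium and low values, the reporting date and the findings are assumptions constructed to mirror the scenario.

```python
"""Track remediation SLAs for vulnerability findings by risk severity.

Added example, not part of the question bank. The critical (7 days) and high
(30 days) SLAs follow the explanation above; the medium and low values, the
reporting date and the findings are assumptions constructed to mirror the
scenario, including a penetration-test finding left open for six months.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    severity: str
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open


def due_date(finding):
    """Remediation deadline implied by the finding's severity."""
    return finding.discovered + timedelta(days=SLA_DAYS[finding.severity.lower()])


def sla_status(finding, today):
    """One of: remediated_in_sla, remediated_late, open_in_sla, overdue."""
    due = due_date(finding)
    if finding.remediated is not None:
        return "remediated_in_sla" if finding.remediated <= due else "remediated_late"
    return "overdue" if today > due else "open_in_sla"


def overdue_findings(findings, today):
    """Open findings past their deadline as (finding, days_overdue), worst first."""
    rows = [(f, (today - due_date(f)).days)
            for f in findings if sla_status(f, today) == "overdue"]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def sla_compliance_rate(findings, today):
    """Share of findings either fixed within SLA or still open inside their SLA."""
    if not findings:
        return 1.0
    ok = sum(1 for f in findings
             if sla_status(f, today) in ("remediated_in_sla", "open_in_sla"))
    return ok / len(findings)


# Constructed data: the pentest finding from six months ago was never fixed.
TODAY = date(2024, 7, 1)
FINDINGS = [
    Finding("PT-2024-001", "SQL injection in order lookup", "critical", date(2024, 1, 2)),
    Finding("PT-2024-002", "No rate limiting on login", "medium", date(2024, 1, 2),
            remediated=date(2024, 3, 15)),
    Finding("VS-2024-117", "Outdated TLS library on web01", "high", date(2024, 6, 10)),
    Finding("VS-2024-120", "Verbose server banner", "low", date(2024, 6, 20)),
]

if __name__ == "__main__":
    for finding, days in overdue_findings(FINDINGS, TODAY):
        print(f"{finding.finding_id} {finding.severity}: {days} days past SLA")
    print(f"SLA compliance: {sla_compliance_rate(FINDINGS, TODAY):.0%}")
```

Run stand-alone it reports the six-month-old critical finding as 174 days past its deadline and a 75% compliance rate. Reported on a fixed cadence to the security steering group, those two numbers are what turns a penetration-test finding into a tracked obligation rather than a competing priority.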

316
MCQ · hard

An organization's incident response policy requires preserving evidence in its original state. During a live incident on a critical server, the incident response team needs to capture volatile data, such as running processes and network connections, which would be lost if the system were shut down. The team has a forensic workstation with various tools. What tool should the team use to capture the volatile data before taking the system offline?

A.WinHex
B.dd command
C.FTK Imager
D.Memory dump tool (e.g., winpmem)
Answer: D

Memory acquisition tools are designed to capture volatile data from RAM.

Why this answer

Volatile data such as running processes, open network connections and in-memory keys is best captured with a dedicated memory acquisition tool such as winpmem (or LiME or avml on Linux), run from the forensic workstation's trusted toolset against the live system. WinHex and FTK Imager are primarily disk imaging and analysis tools (FTK Imager's memory capture is a secondary feature). The dd command is a raw block copier used for disk imaging; on modern kernels it cannot reliably read physical memory. Whichever tool is used, hash the capture and record when it was taken, since running any tool on the live host alters its state.

317
MCQ · medium

A company is implementing a new security program. The CISO wants to ensure alignment with business objectives. Which approach is best?

A.Implement technical controls
B.Develop policies based on industry standards
C.Perform a risk assessment
D.Use the COBIT framework
Answer: D

COBIT is designed for governance and alignment of IT with business objectives.

Why this answer

Option D is correct because COBIT is a governance framework built specifically around aligning IT, including security, with business goals. Option B is too generic; industry standards may not address business alignment. Option C is a step within a program but not the primary method for achieving alignment. Option A is tactical, not strategic.

318
MCQ · medium

A security operations center analyst receives an alert from the SIEM indicating a possible data exfiltration. The analyst is unsure if it is a true positive. What is the MOST appropriate action?

A.Review additional logs to confirm
B.Escalate to the incident response manager
C.Immediately block the source IP
D.Quarantine the affected system
Answer: A

Reviewing additional logs provides context and helps confirm whether the alert represents a true incident.

Why this answer

Option A is correct: before escalating or taking containment actions, the analyst should gather additional evidence (related log sources, the destination's reputation, the volume and timing of the transfer) to confirm whether the alert is a true positive. Options C and D are containment actions that could disrupt legitimate business if the alert is a false positive, and Option B escalates an unconfirmed alert without the context the incident response manager would need.

319
Multi-Select · medium

Which TWO actions are essential during the detection and analysis phase of incident response?

Select 2 answers
A.Notify law enforcement
B.Disconnect affected systems
C.Determine the scope of the incident
D.Rebuild systems
E.Identify indicators of compromise (IOCs)
Answers: C, E

Scope assessment is essential to understand the impact.

Why this answer

Identifying indicators of compromise and determining the scope are the core work of detection and analysis. Disconnecting systems (B) belongs to containment, rebuilding (D) to recovery, and notifying law enforcement (A) is a communication decision made once the incident is understood.

320
MCQ · medium

A company's incident response team is handling a confirmed ransomware infection that has encrypted files on several servers. The IT director requests that the team immediately restore data from backups to minimize downtime. However, the team suspects that the backup repository may also be compromised because the attacker had administrative credentials. What is the BEST course of action?

A.Proceed with restoration from the most recent backup to restore operations quickly.
B.Rebuild the servers from scratch and restore from an offline backup taken before the compromise.
C.First, clean the backup repository and verify integrity before restoring to prevent re-infection.
D.Engage law enforcement before any restoration activities.
Answer: B

This ensures no malware is reintroduced and the restored data comes from a trusted source.

Why this answer

Option B is correct because rebuilding the servers and restoring from an offline backup taken before the compromise ensures that the ransomware, and any persistence the attacker planted with their administrative access, is not reintroduced. Option A risks restoring already-compromised data and re-infecting the environment. Option C cleans the online repository, but a repository the attacker could reach with administrative credentials cannot be fully trusted even after cleaning. Option D delays recovery unnecessarily; law enforcement can be engaged in parallel.

321
MCQ · hard

During a risk assessment, a security manager discovers that the residual risk after implementing planned controls is still above the risk appetite threshold. What should the manager do NEXT?

A.Implement additional controls immediately
B.Document the risk as accepted
C.Escalate the residual risk to senior management
D.Reassess the risk using a different methodology
Answer: C

Why this answer

When residual risk exceeds the risk appetite threshold after planned controls, the security manager cannot simply accept or ignore it; the risk must be escalated to senior management because they hold the authority to decide whether to accept the risk, allocate additional budget for further controls, or adjust the risk appetite. This aligns with the CISM domain of Information Security Risk Management, where risk acceptance is a management decision, not an operational one.

Exam trap

The trap here is that candidates confuse operational risk acceptance (which a manager can do for low risks) with management-level risk acceptance required when residual risk exceeds the appetite threshold, leading them to incorrectly choose Option B.

Why the other options are wrong

A

While additional controls may be an option, the immediate next step is to escalate and get a decision.

B

Acceptance requires authorization from management, not unilateral action by the security manager.

D

Changing methodology may give different numbers but doesn't address the underlying issue.

322
MCQ · easy

After a security incident, which step should be taken first?

A.Recovery
B.Lessons learned
C.Containment
D.Eradication
Answer: C

Correct: Immediate containment stops the incident from spreading.

Why this answer

Containment is the first priority to prevent further damage. Eradication, recovery, and lessons learned come later.

323
MCQ · hard

After implementing controls, the residual risk is calculated to be at a level that slightly exceeds the risk appetite. The business owner argues that the cost of further mitigation outweighs the benefit. What is the most appropriate action for the risk manager?

A.Transfer the risk through insurance
B.Accept the residual risk as a business decision
C.Document the risk and escalate to senior management for acceptance
D.Implement additional controls regardless of cost
Answer: C

Formal escalation ensures informed decision-making and proper risk acceptance.

Why this answer

The risk manager should document the risk and escalate to senior management for formal acceptance. Acceptance requires approval at an appropriate level. Simply accepting without documentation is not proper.

Implementing controls regardless of cost ignores cost-benefit. Transferring via insurance does not address residual risk that already exceeds appetite.

324
MCQ · easy

Based on the incident response policy exhibit, which phase should include notifying external stakeholders such as law enforcement?

A.Recovery
B.Post-Incident
C.Detection
D.Containment
Answer: B

Post-incident includes reporting and lessons learned, which may involve external notifications.

Why this answer

B is correct for this exhibit because its incident response policy places external notifications, including law enforcement, in the post-incident phase, after containment and eradication are complete and the incident has been fully documented with evidence preserved. Note that this is a policy choice about law-enforcement notification: regulatory and contractual notification clocks (for example GDPR Article 33's 72 hours or the HIPAA Breach Notification Rule) run from the time the organization becomes aware of a breach, so legal counsel and the communications lead are typically engaged in parallel with containment rather than waiting for the post-incident phase.

Exam trap

ISACA often tests the misconception that law enforcement must be notified immediately upon detection; in this exhibit's policy the notification is placed after containment and eradication so that the response team is not diverted and evidence is preserved before the handover.

How to eliminate wrong answers

Option A is wrong because the recovery phase focuses on restoring systems to normal operations, not on external notifications; law enforcement involvement would disrupt recovery efforts. Option C is wrong because the detection phase is about identifying potential incidents via alerts (e.g., from SIEM or IDS), not about stakeholder communication; premature notification could lead to false alarms. Option D is wrong because the containment phase aims to isolate the incident to prevent further damage (e.g., via network segmentation or host isolation), and involving law enforcement at this stage could interfere with rapid containment actions.

325
MCQ · easy

During an incident investigation, the incident response team needs to collect volatile data from a compromised server. Which of the following data should be collected FIRST?

A.Contents of system memory (RAM)
B.Network connection logs from the firewall
C.Contents of the hard drive
D.Event logs from the system
Answer: A

Memory is the most volatile and should be captured first.

Why this answer

Volatile data, such as the contents of system memory (RAM), is lost when the system is powered off. Collecting RAM first preserves evidence of running processes, network connections, and encryption keys that would otherwise be destroyed. This follows the order of volatility (RFC 3227), which mandates capturing the most volatile data first.

Exam trap

The trap here is that candidates often prioritize persistent data like hard drive contents or logs, mistakenly thinking they are more important, but the order of volatility dictates that transient data in RAM must be captured first to avoid permanent loss.

How to eliminate wrong answers

Option B is wrong because network connection logs from the firewall are non-volatile and stored on a separate device, so they can be collected later without risk of loss. Option C is wrong because the contents of the hard drive are non-volatile and can be imaged after the system is powered down, but collecting it first would risk overwriting volatile data in RAM. Option D is wrong because event logs from the system are stored on the hard drive and are non-volatile; they can be collected after volatile data has been captured.

326
Multi-Select · easy

Which TWO of the following are primary objectives of information security governance? (Choose two.)

Select 2 answers
A.Eliminate all information security risks.
B.Align security strategy with business goals.
C.Maximize profitability through security investments.
D.Ensure accountability for security decisions.
E.Achieve compliance with all applicable regulations.
Answers: B, D

Alignment with business goals and accountability are core objectives of governance.

Why this answer

Option B is correct because information security governance's primary objective is to ensure that the security strategy is aligned with business goals, so the organization protects assets while supporting its mission; frameworks such as COBIT and ISO/IEC 38500 tie security investments and controls directly to business objectives rather than to isolated technical measures. Option D is correct because governance also establishes who is accountable for security decisions, which is what makes the strategy enforceable. Option A is impossible; risk is managed to an acceptable level, not eliminated. Option C treats security as a profit centre, and Option E treats compliance as the goal rather than one constraint on it.

Exam trap

The trap here is that candidates confuse compliance (Option E) with governance, but CISM emphasizes that governance is about strategic alignment and accountability, not just meeting regulatory checklists, which is a common misconception in exam questions.

327
MCQ · medium

Which of the following best describes the primary purpose of a security program's governance framework?

A.To implement technical security controls
B.To provide oversight and alignment with business objectives
C.To conduct vulnerability assessments
D.To manage security incidents
Answer: B

Why this answer

The primary purpose of a security program's governance framework is to provide oversight and ensure that security activities are aligned with business objectives, risk appetite, and regulatory requirements. It establishes the policies, roles, and accountability structures that guide decision-making, rather than directly executing technical tasks. This alignment is critical for the program to be sustainable and supported by executive management.

Exam trap

The trap here is that candidates confuse the governance framework with the operational security program itself, mistakenly selecting a tactical activity (like implementing controls or managing incidents) instead of recognizing that governance is the strategic oversight layer that directs and constrains those activities.

Why the other options are wrong

A

Technical controls are operational, not governance.

C

Vulnerability assessments are part of ongoing operations.

D

Incident management is a process within the program.

328
Drag & Drop · medium

Order the steps for implementing a security awareness training program.


Why this order

Training programs start with needs assessment, then content development, delivery, evaluation, and continuous improvement.

329
MCQ · easy

Which of the following is the most significant risk in this architecture?

A.Segmentation of network zones
B.Admin access via VPN and jump host
C.Use of TLS 1.3 for encryption
D.Direct SQL authentication from application server to database
AnswerD

If the app server is compromised, the database can be accessed directly.

Why this answer

Option D is correct because direct SQL authentication from the application server to the database bypasses the principle of least privilege and can be exploited if the application server is compromised. Option C is wrong because TLS 1.3 is strong encryption. Option A is wrong because separating zones is good practice.

Option B is wrong because VPN + jump host is a security measure.

330
MCQhard

After a data breach, the CISO is updating the incident response plan. Which of the following is MOST critical to include?

A.Communication templates for stakeholders
B.Technical forensic procedures
C.Root cause analysis methodology
D.Legal hold instructions for data preservation
AnswerA

Effective communication is vital to control damage and meet legal obligations.

Why this answer

Option A is correct because communication templates ensure timely and consistent messaging to stakeholders, regulators, and the public, which is critical for managing reputation and legal exposure. Option B is wrong because, while important, technical procedures are less critical than communication. Option D is wrong because legal hold is important but not as immediate.

Option C is wrong because root cause analysis is post-incident.

331
MCQmedium

A security manager is conducting a risk assessment for a new cloud-based system. The system will store sensitive customer data. Which of the following should be the FIRST step in the risk assessment process?

A.Select appropriate security controls
B.Conduct vulnerability scanning
C.Identify potential threat sources
D.Identify and classify information assets
AnswerD

Asset identification is foundational to any risk assessment.

Why this answer

Option D is correct because identifying assets and their value is the first step in risk management. Option C is wrong because threats are identified after assets. Option B is wrong because vulnerability assessment comes after asset identification.

Option A is wrong because control selection follows risk assessment.

332
MCQhard

An incident response team is dealing with a persistent threat that uses fileless malware. Which containment strategy is most effective?

A.Isolate affected endpoints from the network while preserving memory
B.Disable user accounts
C.Block known malicious IPs
D.Reimage all endpoints
AnswerA

Correct: Contains the threat and preserves forensic data.

Why this answer

Isolating affected endpoints preserves volatile memory evidence needed to analyze fileless malware.

333
MCQhard

During a merger, the acquiring company's security program must integrate with the target company's program. What is the HIGHEST priority action?

A.Consolidate all security tools
B.Conduct a comprehensive risk assessment of the target
C.Merge the security teams into one reporting structure
D.Standardize security policies immediately
AnswerB

Risk assessment provides the basis for all integration decisions.

Why this answer

Option B is correct because a comprehensive risk assessment of the target company's environment identifies integration risks and informs the integration plan. Option A is premature without understanding risks. Options C and D are tactical steps that should follow risk assessment.

334
MCQeasy

Which of the following is the PRIMARY purpose of a security program's key performance indicators (KPIs)?

A.To ensure compliance with regulations
B.To assign accountability to individuals
C.To track the budget for security initiatives
D.To measure the effectiveness of security controls
AnswerD

KPIs provide quantifiable measures of control performance and program outcomes.

Why this answer

Option D is correct because KPIs are designed to measure the effectiveness of security controls and the program. Option A is a secondary benefit. Option C is about budget tracking, not KPIs.

Option B is about accountability, which is not the primary purpose.

335
Multi-Selecteasy

Which TWO of the following are typically considered key components of an information security governance framework?

Select 2 answers
A.Adoption of a formal risk management process
B.Scheduling of regular penetration tests
C.Establishment of a performance measurement system
D.Development of a detailed incident response plan
E.Implementation of specific technical controls
AnswersA, C

Risk management is a foundational governance component.

Why this answer

Correct: A and C. A performance measurement system (C) ensures governance effectiveness, and a risk management process (A) is core to governance. Option E (specific technical controls) is too narrow; D (detailed incident response plan) is operational; B (penetration testing schedule) is a tactic, not a governance component.

336
MCQhard

During an audit, it was found that the organization's information security policy is not being followed by business units. Which of the following is the MOST effective way for the information security manager to improve compliance?

A.Establish a policy review committee with business unit representatives to align policy with operational needs.
B.Provide additional security awareness training focused on policy requirements.
C.Escalate non-compliance to senior management for disciplinary action.
D.Increase the frequency of automated policy compliance checks.
AnswerA

Involving stakeholders increases buy-in and practical compliance.

Why this answer

The most effective way to improve compliance is to align the policy with operational realities by involving business unit representatives in a policy review committee. When policies conflict with business processes, users will bypass them; adjusting the policy to be both secure and practical increases voluntary adherence. This addresses the root cause—policy misalignment—rather than treating symptoms like lack of awareness or enforcement.

Exam trap

The trap here is that candidates often choose awareness training (B) as a quick fix, but CISM emphasizes that non-compliance due to policy misalignment requires policy revision, not just more training or enforcement.

How to eliminate wrong answers

Option B is wrong because additional awareness training assumes the non-compliance stems from ignorance, but the audit found the policy is not being followed despite likely existing training; the core issue is policy impracticality, not lack of knowledge. Option C is wrong because escalating non-compliance for disciplinary action treats the symptom (violations) without fixing the underlying policy that may be unworkable, and it can damage trust and reduce reporting of genuine issues. Option D is wrong because increasing automated compliance checks only detects violations more frequently but does not address why business units are not following the policy; it may even increase friction and shadow IT if the policy remains misaligned.

337
MCQeasy

Which of the following is the PRIMARY purpose of an information security risk assessment?

A.To eliminate all identified risks
B.To identify and evaluate risks in terms of likelihood and impact
C.To comply with regulatory requirements
D.To assign blame for security incidents
AnswerB

Why this answer

The primary purpose of an information security risk assessment is to identify and evaluate risks in terms of their likelihood and impact. This process enables an organization to prioritize risks and determine appropriate risk treatment options, such as mitigation, transfer, acceptance, or avoidance, based on a clear understanding of the risk landscape. Without this evaluation, any subsequent risk management decisions would lack a defensible basis.

Exam trap

The trap here is that candidates often confuse the purpose of a risk assessment with the purpose of risk treatment or compliance, leading them to select 'comply with regulatory requirements' as the primary purpose, when in fact compliance is a secondary benefit, not the core objective.

Why the other options are wrong

A

Eliminating all risks is impractical and not the primary purpose; risk assessment informs risk treatment decisions.

C

Compliance may be a driver but is not the primary purpose; the core is informed decision-making.

D

Risk assessment is proactive, not punitive.

338
MCQmedium

After a merger, two companies with different security cultures are being integrated. What is the BEST approach for the information security manager to achieve a unified governance structure?

A.Implement a regulatory framework as the baseline
B.Maintain separate frameworks until a natural convergence occurs
C.Adopt the security framework of the acquiring company
D.Develop a new framework incorporating strengths from both companies
AnswerD

Fosters buy-in and leverages existing capabilities.

Why this answer

Option D is correct because developing a new framework that incorporates best practices from both is most effective. Option C is wrong because adopting one company's framework may cause resistance. Option B is wrong because separate frameworks hinder integration, and waiting for natural convergence leads to confusion.

339
MCQhard

A large financial institution is updating its information security program to align with a new regulatory framework. The program currently has a decentralized governance model. Which of the following is the MOST significant risk of maintaining a decentralized model?

A.Slower incident response
B.Inconsistent security levels across business units
C.Higher cost of compliance
D.Duplication of controls
AnswerB

Inconsistency can create security gaps and regulatory non-compliance.

Why this answer

Option B is correct because decentralized governance leads to inconsistent security levels across business units, which is a major regulatory and risk concern. Option A is possible but less critical. Option C may increase but is a consequence.

Option D may occur, but inconsistent security is more fundamental.

340
Multi-Selecteasy

Which TWO of the following are primary goals of the containment phase in incident response? (Select TWO)

Select 2 answers
A.Restore normal business operations
B.Eradicate the root cause of the incident
C.Preserve evidence for legal proceedings
D.Prevent the incident from spreading to other systems
E.Limit the scope and impact of the incident
AnswersD, E

Containment includes isolating affected systems to prevent spread.

Why this answer

Correct: Limiting further damage (E) and preventing expansion (D) are containment goals. Eradication (B) is a separate phase. Preserving evidence (C) is important but not primary in containment, and restoring operations (A) is recovery.

341
MCQmedium

A security manager is designing a metrics dashboard for executive management. Which of the following metrics is MOST useful for demonstrating the value of the security program?

A.Percentage of budget spent on security
B.Number of security patches applied
C.Number of security policies created
D.Mean time to detect incidents
AnswerD

MTTD measures the program's effectiveness in identifying threats, demonstrating proactive value.

Why this answer

Option D is correct because mean time to detect incidents directly reflects the program's ability to identify threats, which is a key value indicator. Option B is operational. Option A is budget-related.

Option C is output, not outcome.

342
MCQeasy

You are the CISO of a mid-sized manufacturing company. The company has grown rapidly through acquisitions, and each subsidiary has its own information security program. There is no centralized governance, and recent security incidents have occurred due to inconsistent policies. The board has asked you to create a unified information security program that balances flexibility with control. Each subsidiary has unique operational processes and varying levels of security maturity. You have limited budget and cannot replace all local security teams. Which approach should you take?

A.Immediately mandate compliance with a new enterprise-wide security policy.
B.Develop a minimum security standard (MSS) and a phased implementation roadmap based on risk.
C.Centralize all security operations and disband local teams.
D.Adopt the most mature subsidiary's program as the enterprise standard.
AnswerB

Provides baseline while allowing flexibility and phased adoption.

Why this answer

Option B is correct because developing a minimum security standard (MSS) with a phased roadmap allows each subsidiary to implement controls based on risk while providing a common baseline. Option C (centralize all security functions) is costly and disruptive. Option D (adopt the best subsidiary's program) may not fit others.

Option A (mandate immediate compliance) ignores varying maturity and can cause resistance.

343
Multi-Selecteasy

Which TWO of the following are examples of key risk indicators (KRIs) for cybersecurity risk?

Select 2 answers
A.Time to patch critical vulnerabilities
B.Number of successful phishing simulations
C.Number of vendors with SOC 2 reports
D.Number of unresolved security incidents
E.Percentage of employees completing security training
AnswersA, D

Patch latency is a key indicator of vulnerability risk.

Why this answer

KRIs measure risk level. Number of unresolved incidents and time to patch critical vulnerabilities are leading indicators of risk. Training completion and phishing simulation success are more like performance indicators.

Vendor SOC 2 reports are control indicators.

344
MCQeasy

Based on the exhibit, what is the PRIMARY risk of the automated response policy as configured?

A.Blocking the IP may be ineffective against dynamic IPs
B.The SOC manager may not receive notifications in time
C.Automatic approval may cause unnecessary disruption on false positives
D.The trigger severity is too low
AnswerC

Without manual validation, false positives can lead to business impact.

Why this answer

Option C is correct because auto-approve means the actions execute without human review, which could block legitimate traffic or isolate critical systems on a false positive. Option B is wrong because notifying the SOC manager is a good practice. Option A is wrong because blocking an IP is a common action.

Option D is wrong because the trigger level is appropriate for high-severity alerts.

345
MCQhard

Refer to the exhibit. A security analyst reviews the ACL on the organization's border router. Based on the exhibit, which of the following is the MOST significant governance concern?

A.The ACL is applied to the outbound interface, which is ineffective for blocking inbound attacks.
B.The ACL does not include filtering for outbound traffic, which may allow spoofed internal IPs to exit the network.
C.The ACL permits any traffic after denying specific IP ranges, creating a security gap.
D.The ACL permits all traffic from private IP addresses, which could allow internal IP spoofing.
AnswerB

Outbound filtering (ingress filtering) is missing, which is a governance oversight.

Why this answer

Option B is correct because the ACL shown only filters inbound traffic on the border router's external interface. Without an outbound ACL (or an inbound ACL on the internal interface), spoofed packets with internal source IP addresses can exit the network, enabling IP spoofing attacks that bypass anti-spoofing best practices (RFC 2827, BCP 38). This is a governance concern as it violates the principle of preventing source address spoofing, which is a fundamental security control for network perimeter defense.

Exam trap

The trap here is that candidates focus on the inbound ACL's content (denying private IPs) and miss the governance issue of missing outbound anti-spoofing controls, which is a classic CISM governance concern about policy compliance rather than just ACL syntax.

How to eliminate wrong answers

Option A is wrong because applying the ACL to the outbound interface is not inherently ineffective; the exhibit shows the ACL is applied inbound on the external interface, which is standard for filtering inbound traffic. Option C is wrong because the ACL explicitly denies specific IP ranges before permitting any traffic, which is a standard implicit deny at the end of an ACL; the 'permit any' after denies does not create a security gap if the denies are correctly placed. Option D is wrong because the ACL does not permit all traffic from private IP addresses; it denies specific private ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and permits any other traffic, which is correct for inbound filtering but does not address outbound spoofing.

346
MCQmedium

During the identification phase of incident response, which of the following is the MOST reliable indicator of a security incident?

A.A network administrator notices unusual traffic patterns.
B.An employee reports slow computer performance.
C.A vendor sends a vulnerability disclosure.
D.Antivirus software detects a known malware signature.
AnswerD

Direct evidence of malware infection.

Why this answer

Option D is correct because antivirus detection of a known malware signature is a definitive indicator. Options A and B are ambiguous. Option C is a potential threat but not an incident.

347
MCQmedium

A company's incident response team is conducting a tabletop exercise. They are discussing the steps after containment to prevent recurrence. The facilitator asks: 'What is the MOST important next step after containing an incident?' The team considers several options.

A.Identify the root cause of the incident
B.Update the incident response plan with lessons learned
C.Forensically image all affected systems
D.Notify law enforcement about the incident
AnswerA

Root cause analysis is essential to prevent recurrence by addressing the underlying vulnerability or process gap.

Why this answer

Option A is correct because after containment, identifying the root cause is crucial to implement corrective actions and prevent recurrence. Option C (forensic imaging) is typically done during containment to preserve evidence. Option D (notify law enforcement) may be required but is not the immediate next step for prevention.

Option B (update the incident response plan) is part of post-incident review, not immediate.

348
Multi-Selecteasy

Which THREE of the following are typically included in an information security program budget?

Select 3 answers
A.Incident response retainer
B.Security awareness training materials
C.Vulnerability assessment tools
D.Marketing and advertising campaigns
E.Employee salaries
AnswersA, B, C

External service costs are part of the program budget.

Why this answer

Options A, B, and C are correct as they are common security program costs. Option D is wrong as marketing is generally not security-related. Option E is wrong as employee salaries are operational expenses that are typically budgeted separately.

349
MCQhard

A financial institution is designing its information security governance to comply with multiple regulations. The board has limited risk appetite. Which approach BEST ensures effective governance while minimizing conflict?

A.Assign different compliance teams for each regulation
B.Implement a harmonized control framework that maps to all regulations
C.Adopt a single regulatory framework and ignore others
D.Create separate governance committees for each regulation
AnswerB

Streamlines compliance and reduces duplication.

Why this answer

Option B is correct because a harmonized control framework that maps to all regulations reduces duplication and conflict. Option A is wrong because siloed compliance creates inefficiency. Option C is wrong as it may miss regulatory requirements.

Option D is wrong as committees without alignment cause confusion.

350
Multi-Selecthard

Which THREE are valid sources for threat intelligence that can be used during incident response? (Choose three.)

Select 3 answers
A.Social media posts from employees
B.Industry information sharing groups
C.Vendor vulnerability databases
D.Open-source intelligence (OSINT)
E.Internal network traffic logs
AnswersB, C, D

Information sharing groups (e.g., ISACs) provide curated threat intelligence from peer organizations.

Why this answer

OSINT, industry information sharing groups, and vendor vulnerability databases are established threat intelligence sources. Social media posts from employees are unreliable, and internal network traffic logs are operational data, not threat intelligence.

351
MCQeasy

Refer to the exhibit. A security manager notices that several contractors have been granted access to a financial system without documented exceptions. Based on the policy, what is the most likely governance deficiency?

A.The policy does not specify quarterly review of access rights.
B.The data owner did not approve the exceptions.
C.Contractors should not have any access to financial systems.
D.Lack of documentation for approved exceptions.
AnswerD

The policy requires documented exceptions, which are missing.

Why this answer

Option D is correct because the policy requires exceptions to be documented, but they are not. Option B is wrong because the owners approved, but documentation is missing. Option A is wrong because the policy does not require quarterly reviews.

Option C is wrong because revoking contractor access is a control, but the deficiency is the lack of documentation.

352
Multi-Selectmedium

An information security manager is implementing a risk management program. Which TWO of the following activities should be performed as part of the risk assessment process?

Select 2 answers
A.Determining acceptable risk levels
B.Analyzing threats and vulnerabilities
C.Monitoring incident response plans
D.Evaluating the effectiveness of existing controls
E.Selecting controls to mitigate risks
AnswersB, D

This is a core activity in risk identification and analysis.

Why this answer

Risk assessment includes the identification and analysis of threats, vulnerabilities, and existing controls. Options B and D are directly part of risk assessment; the others belong to subsequent phases.

353
Multi-Selectmedium

Which THREE of the following are essential components of an information security governance framework?

Select 3 answers
A.A process for conducting security incident response.
B.Implementation of technical security controls such as firewalls.
C.Strategic alignment of security with business objectives.
D.Defined roles and responsibilities for security management.
E.Performance measurement and reporting mechanisms.
AnswersC, D, E

Governance ensures security supports business goals.

Why this answer

Strategic alignment of security with business objectives (Option C) is essential because an information security governance framework must ensure that security initiatives directly support and enable the organization's mission and goals. Without this alignment, security becomes a siloed cost center rather than a strategic enabler, leading to misallocated resources and reduced executive sponsorship. This principle is foundational to the CISM governance domain, where security is viewed as a business function, not just a technical discipline.

Exam trap

ISACA often tests the distinction between governance (strategic oversight) and management (operational execution), and the trap here is that candidates confuse operational processes like incident response or technical controls with governance framework components, leading them to select A or B instead of the correct strategic elements.

354
MCQmedium

An organization selects a control to mitigate a risk, but after implementation, the risk level remains unchanged. What should the risk manager do first?

A.Increase the control strength
B.Re-assess the risk and control effectiveness
C.Report to senior management
D.Accept the risk as residual
AnswerB

Reassessment is necessary to understand the gap.

Why this answer

The first step is to reassess the risk and control effectiveness to determine why the control did not reduce risk. Only then can decisions be made about increasing controls, accepting, or reporting.

355
MCQhard

A multinational corporation is designing a global information security program. Which governance structure best ensures consistent security while allowing regional flexibility?

A.Outsource security governance to a managed security service provider (MSSP).
B.Fully centralized security governance with global standards enforced uniformly.
C.Federated governance: global standards with local implementation and oversight.
D.Fully decentralized security governance, each region independent.
AnswerC

Provides consistency while allowing adaptations for local regulations and culture.

Why this answer

A federated model balances central standards with local adaptation, respecting regional legal and cultural differences.

356
MCQhard

A multinational corporation is designing its information security program and must decide how to balance security with business agility. The company operates in highly regulated industries with varying legal requirements. Which of the following approaches BEST aligns with industry best practices for such an environment?

A.Implement the strictest regulatory requirements globally to ensure compliance everywhere.
B.Adopt a baseline of controls that meet the lowest common denominator of all regulations.
C.Develop a risk-based framework that allows for tailored controls based on local risk assessments.
D.Allow each business unit to define its own security controls based on local requirements.
AnswerC

A risk-based approach provides flexibility while ensuring that controls are appropriate for the risks.

Why this answer

Option C is correct because a risk-based framework, such as ISO 27001 or NIST SP 800-53, allows the organization to establish a baseline of controls while tailoring them to address specific local legal requirements and risk profiles. This approach balances security and business agility by avoiding unnecessary overhead from overly strict global mandates while ensuring that critical regulatory obligations are met through localized risk assessments.

Exam trap

The trap here is that candidates often confuse 'strictest globally' (Option A) with 'best practice' due to a desire for simplicity, but CISM emphasizes that a risk-based approach is the only method that effectively balances compliance, security, and business agility in a multi-regulatory environment.

How to eliminate wrong answers

Option A is wrong because implementing the strictest regulatory requirements globally (e.g., GDPR's data protection rules applied in jurisdictions with less stringent laws) can introduce excessive operational friction, reduce business agility, and may conflict with local laws that permit different practices. Option B is wrong because adopting a baseline that meets the lowest common denominator of all regulations (e.g., only complying with the weakest privacy law) would leave the organization non-compliant with stricter regulations like GDPR or HIPAA, exposing it to significant legal and financial penalties. Option D is wrong because allowing each business unit to define its own security controls based on local requirements without a centralized governance framework leads to inconsistent security postures, gaps in coverage, and increased risk of regulatory non-compliance across the multinational enterprise.

357
MCQhard

An organization has just recovered from a ransomware attack and restored systems from backups. Before returning to normal operations, what is the MOST important step?

A.Update the incident response plan.
B.Test the restored systems to ensure functionality and security.
C.Notify stakeholders.
D.Conduct a root cause analysis.
AnswerB

Critical to confirm no residual malware or misconfiguration.

Why this answer

Option B is correct because testing restored systems ensures functionality and no residual threats. Options A, C, and D are steps that follow after validation.

358
MCQmedium

A company is implementing an information security program. Which of the following is the PRIMARY reason to align the program with business objectives?

A.To ensure regulatory compliance
B.To improve technical controls
C.To reduce overall security costs
D.To gain management buy-in and support
AnswerD

Aligning with business objectives demonstrates value, securing management commitment.

Why this answer

Option D is correct because alignment with business objectives helps secure management support and ensures the program addresses real business risks. Option C is wrong because cost reduction is a benefit, not the primary reason. Option A is wrong because compliance is a component, but alignment drives broader support.

Option B is wrong because technical improvement is not the primary driver.

359
Multi-Selecthard

Which THREE of the following are essential components of an incident response plan? (Select exactly 3)

Select 3 answers
A.A list of all software licenses in the organization
B.Annual budget for security tools
C.Communication plan for internal and external stakeholders
D.Roles and responsibilities of the incident response team
E.Step-by-step procedures for handling different types of incidents
AnswersC, D, E

Communication is critical during incidents.

Why this answer

A communication plan is essential because it defines how the incident response team will coordinate internally and notify external stakeholders such as regulators, law enforcement, customers, and the media. Without a predefined communication plan, critical updates may be delayed or mishandled, leading to regulatory penalties or reputational damage. This aligns with NIST SP 800-61 and CISM best practices for incident management.

Exam trap

ISACA often tests the distinction between operational incident response components (roles, procedures, communication) and supporting organizational artifacts (licenses, budgets) that are not part of the actual response plan.

360
Multi-Selecteasy

Which THREE elements are typically included in a security governance charter?

Select 3 answers
A.Budget authority
B.Incident response procedures
C.Roles and responsibilities
D.Reporting structure
E.Technical architecture diagrams
AnswersA, C, D

Governance includes resource allocation power.

Why this answer

Roles and responsibilities (C), reporting structure (D), and budget authority (A) are governance charter components. Technical diagrams (E) and incident procedures (B) are operational.

361
MCQmedium

During incident response, a team discovers that a phishing email successfully compromised a user's credentials. Which containment strategy would BEST limit further damage?

A.Disable the user account
B.Restore the user's system from a backup
C.Block the sender's IP address at the firewall
D.Change all user passwords
AnswerA

Disabling the account effectively blocks the attacker's current access and prevents further actions using that identity.

Why this answer

Disabling the user account immediately stops any ongoing misuse of the compromised credentials, preventing the attacker from accessing additional resources. Option A is correct.

362
MCQeasy

A security analyst detects unusual outbound traffic from a critical server to an unknown external IP address during business hours. Which step should be taken FIRST in the incident response process?

A.Notify law enforcement about the potential breach
B.Isolate the server from the network immediately
C.Contact the server owner to verify the traffic
D.Report the incident to senior management
AnswerC

Verifying with the server owner confirms whether the traffic is authorized, a crucial first step.

Why this answer

The first step is to verify whether the traffic is legitimate or malicious. Contacting the server owner helps determine if the traffic is authorized, preventing unnecessary escalation. Immediate containment (B) is premature without verification.

Reporting to management (D) or law enforcement (A) occurs after confirmation.

363
Multi-Select (easy)

Which THREE of the following are key components of an incident response plan?

Select 3 answers
A. List of external contacts (law enforcement, legal, etc.).
B. Annual budget for cybersecurity tools.
C. Communication templates for internal and external stakeholders.
D. Detailed step-by-step procedures for each incident type.
E. Identification of incident response team members and roles.
Answers: A, C, E

Needed for escalation and notification.

Why this answer

Options A, C, and E are correct because the plan should include external contacts (A), communication templates (C), and team members and roles (E). Detailed procedures belong in playbooks, not the plan itself. Budget is separate.

364
MCQ (easy)

A risk assessment identifies that the organization's email system has a high likelihood of phishing attacks. The current controls include spam filtering and user awareness training. What should the organization do NEXT to manage this risk effectively?

A. Accept the risk as it is already controlled
B. Evaluate the residual risk and decide on additional controls
C. Transfer the risk to a cyber insurance provider
D. Conduct another round of user awareness training
Answer: B

The organization should assess whether current controls reduce risk to an acceptable level and implement further measures if needed.

Why this answer

Option B is correct because after evaluating existing controls, the next step is to determine whether additional controls are needed to reduce residual risk. Option A is wrong because ignoring residual risk is not acceptable. Option C is wrong because immediate transfer may not be optimal.

Option D is wrong because training alone is not a complete solution.

365
Multi-Select (hard)

Which TWO of the following are key performance indicators (KPIs) that demonstrate the effectiveness of a security awareness program?

Select 2 answers
A. Percentage of employees who correctly identify a phishing email in simulations
B. Number of employees who report suspicious emails
C. Frequency of phishing simulation tests
D. Number of training sessions completed per quarter
E. Reduction in the number of security incidents caused by human error
Answers: A, E

Directly measures knowledge retention.

Why this answer

Options A and E are correct because they measure behavior change and reduced incidents. Option D is wrong because training completion is an input metric, not an outcome. Option C is wrong because phishing simulation results are a specific test, but frequency alone is not a KPI of effectiveness.

Option B is wrong because the number of reported phishing emails can be a positive sign, but it is an activity metric, not a direct outcome.

366
MCQ (hard)

A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?

A. Implement strict access controls and encryption for all data.
B. Establish a risk appetite framework that defines acceptable risk levels for innovation initiatives.
C. Adopt a 'security by design' approach for all new projects.
D. Create a separate innovation sandbox with limited data access.
Answer: B

Enables informed decision-making balancing innovation and security.

Why this answer

A risk appetite framework (Option B) is the correct governance approach because it explicitly defines the level of risk the organization is willing to accept in pursuit of innovation, allowing the board to balance patient data protection with strategic growth. This framework provides a decision-making boundary for security controls, ensuring that innovation initiatives are not stifled by overly restrictive measures while still maintaining compliance with healthcare regulations like HIPAA and HITECH.

Exam trap

The trap here is that candidates often confuse tactical security controls (like encryption or sandboxes) with governance frameworks, failing to recognize that only a risk appetite framework provides the strategic balance between innovation and protection required by the board's mandate.

How to eliminate wrong answers

Option A is wrong because implementing strict access controls and encryption for all data is a tactical control measure, not a governance framework; it fails to address the board's mandate to support innovation, as blanket restrictions can hinder agile development and data sharing required for new healthcare technologies. Option C is wrong because adopting a 'security by design' approach for all new projects is a best practice for secure development, but it does not provide a governance-level mechanism to balance risk and innovation; it focuses on implementation rather than strategic risk acceptance. Option D is wrong because creating a separate innovation sandbox with limited data access is an operational tactic that isolates risk but does not establish a governance framework for the entire organization; it avoids the core issue of defining acceptable risk levels across all initiatives and may lead to shadow IT if not governed properly.

367
MCQ (medium)

Your organization is a multinational corporation with a hybrid cloud infrastructure, including on-premises data centers and AWS, Azure, and GCP environments. You have a distributed incident response team and a central SIEM that aggregates logs from all sources. You are the incident manager on duty when an alert fires indicating that a high-privilege user account (a domain admin) has been observed logging in from an IP address in a country where the company has no operations, at 3:00 AM local time. Subsequent investigation reveals that the same account also has a successful logon from the corporate headquarters at the same time, which is geographically impossible. The SIEM shows a single event for the suspicious logon, and no other indicators of compromise are present. The account has not been used for months. What is the BEST course of action?

A. Restore the domain controller from a recent backup to ensure any malware is removed.
B. Immediately disable the account and reset the password, then begin a forensic investigation to determine the scope of compromise.
C. Contact the employee who owns the account to ask if they recently traveled or used a VPN.
D. Ignore the alert as it is likely a false positive due to SIEM misconfiguration or time zone discrepancy.
Answer: B

Disabling and resetting the account stops any ongoing malicious activity, and investigation can then proceed safely.

Why this answer

Option B is correct because immediate containment (disable account, reset password) is critical to prevent further unauthorized access, followed by forensic investigation. Option D is risky as it may delay action. Option C could alert a potential attacker.

Option A is premature and not targeted.

368
MCQ (medium)

Based on the exhibit, what is the MOST likely scenario?

A. A user is performing a scheduled task that requires authentication.
B. A user forgot their password and successfully logged in after retrying.
C. An attacker brute-forced the password and then used the credentials to access a file server.
D. A system administrator is testing password policies.
Answer: C

The sequence indicates successful guess followed by lateral movement.

Why this answer

The exhibit shows multiple failed authentication attempts (Event ID 4625) from a single user account within a short time window, followed by a successful logon (Event ID 4624) and then an access event to a file share (Event ID 5140). This pattern of rapid, repeated failures culminating in a single success is characteristic of a brute-force attack, where the attacker guesses the password and then uses the compromised credentials to access a file server.

Exam trap

The trap here is that candidates may misinterpret the failed logons as a user simply forgetting their password (Option B), but the rapid, repeated failures followed by a successful logon and file access clearly indicate a brute-force attack rather than a benign password mistake.

How to eliminate wrong answers

Option A is wrong because scheduled tasks typically use service accounts or stored credentials and do not generate a burst of failed logon events; they would show a single successful logon without preceding failures. Option B is wrong because a user who forgot their password would not generate dozens of failed attempts in rapid succession; they would typically use a password reset workflow or have a few retries, not a sustained brute-force pattern. Option D is wrong because a system administrator testing password policies would likely use a dedicated test account or controlled conditions, not a real user account, and would not follow the failed logons with a file server access event.

369
Drag & Drop (medium)

Order the steps for implementing a data classification policy in an organization.


Why this order

Data classification starts with defining categories, then procedures, training, labeling, and monitoring.

370
MCQ (hard)

You are the director of information security at a multinational corporation that operates in many countries with conflicting data privacy laws. The company's information security program includes a data classification policy and a data retention schedule, but there is no consistent method for handling cross-border data flows. Recently, a regulator in Country A fined the company for transferring personal data to Country B, which does not provide adequate protection. The legal department recommends implementing a binding corporate rules (BCR) approach, but the IT department says it would be too complex to implement across all systems. You must update the program to ensure compliance while minimizing operational impact. The board wants a solution that can be implemented within one year with reasonable cost. What should you do?

A. Implement binding corporate rules (BCR) across all entities as recommended by legal.
B. Rely on standard contractual clauses (SCCs) for all cross-border data flows.
C. Conduct a data mapping exercise and implement a data classification tagging system to automate controls on sensitive data flows.
D. Stop all cross-border data transfers until compliant mechanisms are fully implemented.
Answer: C

Provides visibility and enables automated enforcement, scalable within one year.

Why this answer

The correct answer is C because a data mapping exercise with automated tagging provides the foundation to enforce controls without manual effort. Option A (implement BCR globally) is complex and risky. Option D (stop all cross-border transfers) is impractical.

Option B (rely on standard contractual clauses) may not be sufficient and is also administratively heavy.

371
MCQ (medium)

During an incident, the response team collects volatile data from a compromised server. Which of the following should be collected FIRST to minimize loss of evidence?

A. Contents of RAM
B. Contents of hard drive
C. Event logs
D. Network configuration
Answer: A

RAM is volatile and will be lost if the system is powered off.

Why this answer

Volatile data, such as the contents of RAM, is lost when a system is powered off. The first priority during incident response is to capture this data because it contains running processes, network connections, encryption keys, and malware that exist only in memory. Collecting RAM first ensures that this critical evidence is preserved before any other actions that might alter the system state.

Exam trap

The trap here is that candidates often confuse the order of volatility (OOV) principle, mistakenly prioritizing non-volatile data like event logs or disk contents because they seem more stable, but the exam tests the understanding that volatile data must be captured first to prevent its permanent loss.

How to eliminate wrong answers

Option B is wrong because the contents of the hard drive are non-volatile and persist after power loss; collecting it first would risk overwriting or losing volatile data in RAM during the acquisition process. Option C is wrong because event logs are stored on the hard drive and are non-volatile; they can be collected later without risk of immediate loss, and accessing them first could alter system state. Option D is wrong because network configuration is also non-volatile and stored in the registry or configuration files on disk; it does not require immediate capture and can be gathered after volatile data is secured.

372
MCQ (easy)

An organization is determining the risk treatment for a critical business process that has a high inherent risk. Which of the following is the MOST effective risk treatment strategy when the cost to mitigate exceeds the potential loss?

A. Risk avoidance
B. Risk reduction
C. Risk acceptance
D. Risk transfer
Answer: C

Accepting the risk is justified when mitigation costs outweigh potential loss.

Why this answer

Option C is correct because risk acceptance is appropriate when the cost of mitigation exceeds the potential loss. Option A is wrong because risk avoidance would mean discontinuing the process, which may not be feasible. Option D is wrong because risk transfer (e.g., insurance) might still be costly.

Option B is wrong because risk reduction would require controls that are not cost-effective.

373
MCQ (hard)

An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?

A. ISO 31000
B. NIST Cybersecurity Framework
C. ITIL
D. NIST SP 800-61
Answer: D

NIST SP 800-61 is the standard for computer security incident handling.

Why this answer

NIST SP 800-61 (Computer Security Incident Handling Guide) is the definitive U.S. government standard for incident response processes, covering preparation, detection, containment, eradication, and recovery. It provides detailed, step-by-step guidance for building an incident response plan, making it the primary reference for aligning with industry best practices.

Exam trap

The trap here is that candidates confuse the NIST Cybersecurity Framework (a broad risk management tool) with NIST SP 800-61 (the specific incident response standard), or they mistakenly think ITIL's 'incident management' covers security incidents when it is designed for IT service disruptions, not security breaches.

How to eliminate wrong answers

Option A is wrong because ISO 31000 is a risk management framework, not an incident response framework; it focuses on risk identification, assessment, and treatment, not on the operational steps of handling incidents. Option B is wrong because the NIST Cybersecurity Framework (CSF) is a high-level risk-based framework for improving cybersecurity posture, not a detailed incident response procedure; it references NIST SP 800-61 for incident response specifics. Option C is wrong because ITIL (Information Technology Infrastructure Library) is a service management framework focused on IT service delivery and support (e.g., incident management as a service desk process), not on security incident response or forensic handling.

374
MCQ (medium)

An information security manager is preparing a report for the board on the state of information security governance. Which of the following elements is most important to include in the report?

A. The percentage of the security budget spent on different projects.
B. Key risk indicators (KRIs) related to the organization's critical assets.
C. A log of all recent security incidents and their root causes.
D. A detailed list of all security tools and their functionalities.
Answer: B

KRIs effectively communicate risk posture and governance status to the board.

Why this answer

Option B is correct because key risk indicators provide a concise view of risk exposure and governance effectiveness. Option D is wrong because a list of all security tools is too detailed and not strategic. Option C is wrong because operational incident details are not board-level.

Option A is wrong because budget variance is only one aspect; KRIs are more comprehensive.

375
MCQ (medium)

During an incident, the incident response team determines that a compromised account was used to exfiltrate data. The account has been disabled. What is the NEXT best action to prevent similar incidents?

A. Notify potentially affected customers
B. Perform a root cause analysis
C. Reset passwords for all user accounts
D. Review authentication logs for other anomalies
Answer: B

Root cause analysis identifies the weakness to prevent recurrence.

Why this answer

Conducting a root cause analysis identifies how the account was compromised (e.g., phishing, weak password), allowing implementation of preventive measures like multifactor authentication. Resetting all passwords (C) is reactive. Notifying affected customers (A) is a legal step after investigation.

Reviewing logs (D) is part of analysis but not the next best preventive action.
