Certified Information Security Manager CISM (CISM) — Questions 376–450

500 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376
MCQ · medium

An information security manager has identified a risk with a high likelihood and high impact. The cost of mitigating the risk exceeds the potential loss. What is the MOST appropriate risk treatment strategy?

A. Risk mitigation
B. Risk acceptance
C. Risk transfer
D. Risk avoidance
Answer: B

Why this answer

When mitigation cost exceeds potential loss, risk acceptance is appropriate if the risk is within the organization's risk appetite. Alternatively, risk transfer (e.g., insurance) could be considered, but acceptance is often the primary choice when the cost-benefit is negative.

Exam trap

Candidates may choose 'mitigate' without considering cost-benefit analysis; CISM emphasizes aligning treatment with business value.

Why the other options are wrong

A. Mitigation cost exceeds potential loss, making it inefficient.

C. Transfer (e.g., insurance) may still be expensive; acceptance is more direct when the cost of transfer is also high.

D. Avoidance would mean discontinuing the activity, which may not be feasible or cost-effective.

377
MCQ · medium

During a risk assessment, a company discovers that its data backup process is incomplete: backups are performed daily but stored onsite without encryption. The risk owner proposes to accept this risk due to low likelihood of a physical breach. Which of the following is the BEST reason to challenge this acceptance?

A. The impact of losing both primary and backup data is unacceptably high
B. The risk owner does not have authority to accept risks
C. Encryption is not required as the facility is secure
D. The cost of implementing encrypted offsite backups is minimal
Answer: A

A single event (fire, theft) could destroy both data and backup, leading to catastrophic business impact.

Why this answer

Option A is correct because a complete loss of backup integrity from a single event (e.g., fire) could be catastrophic, making the risk unacceptable. Option D is wrong because low cost alone is not the reason to challenge acceptance when the impact is high. Option B is wrong because the risk owner's authority does not override the risk committee.

Option C is wrong because encryption is a mitigation, not a reason to challenge acceptance.

378
MCQ · hard

An organization has implemented a balanced scorecard to measure the effectiveness of its information security program. Which of the following metrics would be MOST appropriate for the 'internal processes' perspective?

A. Percentage of systems compliant with baseline
B. Mean time to detect and respond to incidents
C. Percentage of users who completed security awareness training
D. Number of security incidents reported to management
Answer: B

Why this answer

The 'internal processes' perspective of a balanced scorecard focuses on the efficiency and effectiveness of the operational workflows that deliver the security program. Mean time to detect (MTTD) and mean time to respond (MTTR) directly measure the performance of the incident response process, which is a core internal process. This metric reflects how quickly the organization can identify and contain threats, making it the most appropriate choice for this perspective.

Exam trap

The trap here is that candidates confuse the 'internal processes' perspective with compliance or training metrics, mistakenly selecting A or C because they seem operational, but the balanced scorecard framework specifically ties 'internal processes' to the efficiency of core security workflows like incident response, not static compliance or awareness rates.

Why the other options are wrong

A. Compliance rate is more aligned with the governance or regulatory perspective, not internal processes.

C. This is a learning and growth metric, not internal processes.

D. This is more of an output metric, not specifically internal process efficiency.

379
MCQ · hard

A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?

A. The vendor's service level agreements (SLAs) for incident response times.
B. The vendor's technical expertise and certifications.
C. The cost savings compared to in-house operations.
D. The ability to maintain oversight and accountability for security outcomes.
Answer: D

Governance requires clear accountability even when services are outsourced.

Why this answer

Option D is correct because governance requires that the organization retains ultimate responsibility for security outcomes, even when functions are outsourced. Without the ability to maintain oversight and accountability, the company cannot ensure that its security posture aligns with business risk tolerance and regulatory compliance requirements. This is a fundamental principle of information security governance, as the board and senior management cannot delegate accountability.

Exam trap

The trap here is that candidates often mistake operational metrics (like SLAs or certifications) for governance considerations, but CISM emphasizes that governance is about ensuring the organization retains ultimate accountability and oversight, not just delegating tasks to a vendor.

How to eliminate wrong answers

Option A is wrong because while SLAs for incident response times are important operational metrics, they are not the most critical governance consideration; governance focuses on strategic oversight and accountability, not just contractual performance targets. Option B is wrong because technical expertise and certifications, while valuable for vendor selection, are operational or tactical concerns that do not address the governance requirement for the organization to retain control over security outcomes. Option C is wrong because cost savings, though a common business driver, are a financial consideration that must be balanced against risk; prioritizing cost over governance can lead to loss of control and increased residual risk, which is a governance failure.

380
MCQ · hard

A multinational corporation experiences a security breach involving customer PII. The incident response team needs to determine notification requirements. Which factor is MOST important in deciding which regulatory bodies to inform?

A. Location of the affected individuals
B. Location of the attacker
C. Location of the company's CIO
D. Location of the data custodian
Answer: A

Breach notification laws are based on the data subjects' residence.

Why this answer

Option A is correct because notification requirements depend on the jurisdiction of the affected individuals. Option D is wrong because the data custodian's location is not always relevant. Option C is wrong because the CIO's location is irrelevant.

Option B is wrong because the attacker's location does not determine notification obligations.

381
MCQ · easy

An organization has just completed a risk assessment and identified several high-risk vulnerabilities. The security program manager needs to prioritize remediation efforts. Which of the following should be the primary factor in determining priority?

A. Regulatory requirements only
B. Likelihood of exploitation
C. Risk level (likelihood × impact)
D. Ease of remediation
Answer: C

Risk level gives a holistic prioritization.

Why this answer

Option C is correct because risk level combines likelihood and impact, aligning with risk management principles. Option D is wrong because ease of remediation without considering risk leads to misallocation. Option B is wrong because it ignores impact.

Option A is wrong because regulatory requirements are important but should be integrated into the risk assessment rather than used alone.

382
MCQ · easy

A risk manager is presenting risk treatment options to senior management. Which of the following is the BEST approach to communicate risk in a way that supports informed decision-making?

A. Focus only on high and extreme risks
B. Use technical language to accurately describe vulnerabilities
C. Translate risk into potential financial impact
D. Present risk in qualitative terms only
Answer: C

Financial impact is a common language for business decisions.

Why this answer

Option C is correct because presenting risk in financial terms aligns with business language. Option B is wrong because technical details may overwhelm senior management. Option A is wrong because focusing only on high risks ignores the others.

Option D is wrong because qualitative terms lack the precision needed for cost-benefit analysis.

383
MCQ · easy

The security team is designing a security awareness program. Which topic should be prioritized FIRST?

A. Phishing recognition and reporting
B. Password creation and management
C. Incident reporting procedures
D. Data classification and handling
Answer: A

Phishing is a top threat; early training can prevent many incidents.

Why this answer

Option A is correct because phishing is a common initial attack vector, and training users to recognize it can immediately reduce risk. Option B is wrong because password policies are important but are often covered later. Option C is wrong because incident reporting is critical but follows awareness of threats.

Option D is wrong because data classification is a more advanced topic.

384
Multi-Select · easy

Which TWO of the following are valid risk response options?

Select 2 answers
A. Risk amplification
B. Risk neutralization
C. Risk mitigation
D. Risk acceptance
E. Risk retention
Answers: C, D

Implementing controls to reduce risk.

Why this answer

Options C and D are correct because risk mitigation (reduce) and risk acceptance are standard responses. Options A and B are wrong because risk amplification and risk neutralization are not standard terms. Option E is wrong for the purposes of this question: risk retention is a form of acceptance, and many frameworks use retention as a synonym for acceptance, but the question expects 'acceptance' and 'mitigation' as the clearly correct options.

Note: to avoid confusion, mitigation and acceptance are treated as the clearly correct responses here, and retention is not counted as a standard response term in COBIT/ISO 31000 for this question.

385
MCQ · easy

An analyst receives an alert indicating a potential data exfiltration. The alert shows a host IP address 10.10.50.200 sending large amounts of data to an external IP address 203.0.113.5 over port 443. What should the analyst do FIRST?

A. Block the external IP address immediately
B. Escalate to the incident response team
C. Verify the alert by checking logs and network traffic
D. Isolate the host from the network
Answer: C

Verification ensures the incident is real before further action.

Why this answer

Option C is correct because the first step in incident response is to validate the alert. The analyst must verify that the traffic is indeed anomalous and not legitimate (e.g., a large backup or software update) by examining logs and packet captures. Premature action without verification could disrupt business operations or destroy forensic evidence.

Exam trap

The trap here is that candidates often jump to containment (isolate or block) without first verifying the alert, confusing the urgency of a potential exfiltration with the disciplined step of validation required by the NIST SP 800-61 incident response lifecycle.

How to eliminate wrong answers

Option A is wrong because blocking the external IP immediately could be an overreaction if the traffic is legitimate (e.g., a cloud backup service), and it may destroy evidence or alert the attacker. Option B is wrong because escalation to the incident response team should occur only after the analyst has verified the alert and gathered initial evidence; premature escalation wastes resources. Option D is wrong because isolating the host without verification could disrupt critical services if the traffic is benign, and it may also tip off an insider threat or destroy volatile data.

386
MCQ · hard

Based on the configuration snippet, what is the expected behavior when an incident is triggered?

A. Standard playbook executed, notification sent, auto containment applied.
B. The incident is logged but no action is taken.
C. Priority override applied, but no notification sent.
D. Auto containment applied without executing any playbook.
Answer: A

Correct: All fields are set accordingly.

Why this answer

Option A is correct because the configuration indicates the standard playbook will be executed, the incident response team will be notified, and containment actions will be automatically applied. Priority override is false, so no override occurs.

387
MCQ · medium

A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?

A. Minimize security spending to maximize ROI.
B. Adopt a best-practice framework such as NIST CSF and implement all controls.
C. Focus on regulatory compliance to ensure legal requirements are met.
D. Develop a risk-based prioritization framework linking security initiatives to business risk appetite.
Answer: D

Directly aligns security investments with business objectives through risk management.

Why this answer

Option D is correct because a risk-based prioritization framework directly maps security initiatives to the organization's risk appetite, ensuring that investments target the most critical business risks. This aligns with the CISM principle that governance must link security activities to business objectives through risk management, not through arbitrary cost-cutting or blanket compliance.

Exam trap

The trap here is that candidates often confuse 'adopting a best-practice framework' (Option B) with proper governance, but CISM emphasizes that frameworks must be tailored to the organization's risk appetite, not implemented wholesale.

How to eliminate wrong answers

Option A is wrong because minimizing security spending to maximize ROI ignores the need to address actual risks; it assumes all spending is waste, which can leave critical assets unprotected and misalign with business objectives that require risk mitigation. Option B is wrong because adopting a best-practice framework like NIST CSF and implementing all controls without tailoring to the organization's specific risk profile leads to inefficient resource allocation and may over-invest in low-priority areas, failing to align with business goals. Option C is wrong because focusing solely on regulatory compliance ensures only legal minimums are met, which may not address the unique risk landscape or strategic business objectives, leaving the organization exposed to non-compliance-related threats.

388
MCQ · hard

Based on the exhibit, what is the MOST likely attack vector that led to the compromise?

A. Exploitation of the nf_conntrack table full condition
B. Credential-based attack using a compromised SSH key from the brute force attempt
C. Vulnerability in the SSH password authentication
D. Successful brute force attack from 10.0.0.50
Answer: B

The failed attempts from 10.0.0.50 likely scanned for weak credentials; the successful login from a different IP used a key, suggesting a stolen key.

Why this answer

Option B is correct because the brute force attempt from 10.0.0.50 failed, but a successful SSH login from 10.0.0.51 then occurred, indicating credential reuse or a stolen key from the brute force target. Option D is wrong because the brute force itself failed. Option A is wrong because the conntrack error is a symptom of the attack, not the vector.

Option C is wrong because the admin account used public-key authentication, not a password, so a password vulnerability is not indicated.

389
Multi-Select · medium

An incident response plan should include which three key components to ensure effective response? (Choose three.)

Select 3 answers
A. Communication procedures for internal and external stakeholders.
B. Roles and responsibilities of the response team.
C. Detailed step-by-step technical instructions for all possible incidents.
D. A list of pre-approved vendors for forensic services.
E. A method for preserving and handling evidence.
Answers: A, B, E

Correct: Ensures timely information flow.

Why this answer

Options A, B, and E are correct because communication procedures, roles and responsibilities, and evidence handling are fundamental. Option C is wrong because detailed technical instructions for all possible incidents are impractical, and Option D is wrong because pre-approved vendors are helpful but not a core component.

390
MCQ · easy

Based on the exhibit, which of the following is true about traffic from the internet to the internal network 10.0.0.0/8?

A. Internet traffic to 10.0.0.5 is permitted only if from 192.168.1.0/24.
B. All traffic from the internet to the internal network is denied.
C. Traffic from the internet to 10.0.0.5 port 80 is permitted.
D. Traffic from 192.168.1.0/24 to 10.0.0.5 port 80 is permitted.
Answer: B

First rule denies all IP traffic to 10.0.0.0/8.

Why this answer

The first deny rule blocks all IP traffic to 10.0.0.0/8 from any source, including the internet. The later permit rule for 10.0.0.5 is never reached, because rules are evaluated in order and the earlier deny already matches every packet destined for that network. Internet traffic to the internal network is therefore denied entirely.

391
MCQ · hard

Based on the log entries, what is the most likely scenario?

A. A brute-force attack against the root account
B. A remote code execution attempt
C. A legitimate user repeatedly mistyping their password
D. A misconfiguration causing duplicate log entries
Answer: A

Multiple failed attempts in quick succession for the same account and IP is classic brute-force behavior.

Why this answer

The rapid succession of failed SSH login attempts for the root account from the same IP indicates a brute-force attack. Option D is not supported by the logs. Option C is unlikely due to the speed of the attempts.

Option B is less likely than an active brute-force attack.

392
Multi-Select · easy

Which TWO are key indicators of a data breach? (Choose two.)

Select 2 answers
A. System performance degradation
B. Unusual outbound network traffic
C. Increased spam emails to the organization
D. Unauthorized access to sensitive data
E. Multiple failed login attempts from a single user
Answers: B, D

Unusual outbound traffic, especially to unknown IPs, is a common sign of data exfiltration.

Why this answer

Unusual outbound traffic and unauthorized access to sensitive data are classic indicators of a data breach. Multiple failed logins may indicate brute force, spam relates to phishing, and performance degradation is too vague.

393
MCQ · medium

An organization has a mature incident management process. After a major incident, they conduct a post-incident review. Which activity is MOST important during this review?

A. Identify individuals responsible for the incident
B. Update security tools to block similar attacks
C. Determine root causes and document lessons learned
D. Calculate the total cost of the incident
Answer: C

Root cause analysis and lessons learned drive process improvements.

Why this answer

Option C is correct because identifying root causes and improvements prevents recurrence. Option A (assigning blame) is counterproductive. Option B (updating tools) is part of improvement but not the most important.

Option D (metrics) supports analysis but is not the primary goal.

394
MCQ · medium

After a ransomware attack, a company discovers that backups are also encrypted. The incident response team has isolated the affected systems. What should be the next step?

A. Attempt restoration from encrypted backups.
B. Pay the ransom to obtain decryption keys.
C. Isolate additional systems and notify law enforcement.
D. Reimage all systems from known clean media.
Answer: C

Containment and involving authorities are best practices.

Why this answer

Option C is correct because the priority is to contain the incident and then involve law enforcement to investigate, while preserving evidence. Option B is wrong because paying the ransom is not recommended and may not guarantee recovery. Option A is wrong because encrypted backups cannot be restored.

Option D is wrong because reimaging destroys forensic evidence.

395
MCQ · easy

A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?

A. Switch to a fully quantitative risk assessment methodology.
B. Use a hybrid approach that includes both qualitative and quantitative assessments.
C. Replace qualitative scales with precise monetary values.
D. Continue using qualitative method since it is simpler.
Answer: B

Provides comprehensive risk information for decision-making.

Why this answer

A hybrid approach (Option B) is most effective because it leverages qualitative scales for initial, rapid risk identification and prioritization, while quantitative data (e.g., ALE, SLE, ARO) provides the monetary rigor needed for cost-benefit analysis and management decisions. This aligns with ISACA's guidance that risk assessment should be tailored to the decision context, not purely one method.

Exam trap

The trap here is that candidates assume 'quantitative' is always superior, ignoring the practical need for a hybrid approach that balances qualitative speed with quantitative rigor for decision-making.

How to eliminate wrong answers

Option A is wrong because a fully quantitative methodology requires extensive historical data, precise probability estimates, and can be resource-prohibitive; it may also create a false sense of precision when data is uncertain. Option C is wrong because replacing qualitative scales with precise monetary values without a structured quantitative model (e.g., Monte Carlo simulation) ignores the inherent uncertainty in risk estimation and can lead to misleadingly exact figures. Option D is wrong because continuing with only qualitative methods fails to provide the objective monetary data required for decisions like insurance coverage or budget allocation, violating the CISM principle of aligning risk management with business needs.

396
MCQ · medium

A financial institution is implementing a risk management program and needs to select a methodology that balances quantitative and qualitative factors, complies with regulatory requirements, and provides a consistent framework for risk assessment across business units. Which methodology would best meet these requirements?

A. FAIR
B. OCTAVE
C. ISO 27005
D. NIST SP 800-30
Answer: C

ISO 27005 provides a comprehensive risk management framework that supports both qualitative and quantitative approaches and is widely accepted for regulatory compliance.

Why this answer

ISO 27005 is an international standard for information security risk management that supports both qualitative and quantitative approaches, aligns with various regulations, and provides a consistent framework. OCTAVE is primarily qualitative and not a regulatory standard. FAIR is quantitative but not a comprehensive standard.

NIST SP 800-30 is qualitative and specific to US federal agencies.

397
Multi-Select · medium

Which TWO of the following are essential components of an effective information security governance framework? (Select exactly two.)

Select 2 answers
A. Implementation of a SIEM system
B. Automated patch management system
C. Process for aligning security strategy with business strategy
D. Intrusion prevention system (IPS)
E. Defined roles and responsibilities for security decisions
Answers: C, E

Ensures security supports business.

Why this answer

Options C and E are correct. A governance framework must include a process to align security with business objectives (C) and defined roles and responsibilities for security decisions (E). B is operational, not governance.

D is tactical. A is a control, not a governance component.

398
MCQ · hard

A security manager is preparing a risk report for the board of directors. Which of the following should be included to best support strategic risk-based decisions?

A. Operational metrics such as number of firewalls and intrusion detection alerts
B. List of all past security incidents and their root causes
C. Detailed vulnerability scan results and patch levels
D. Summary of top risks, risk appetite alignment, and treatment status
Answer: D

Board requires strategic overview.

Why this answer

Option D is correct because the board needs a high-level view of top risks and their status relative to appetite. Option C is wrong because technical details are not appropriate at board level. Option B is wrong because past incidents are historical, not forward-looking.

Option A is wrong because daily operational metrics are too granular.

399
MCQ · easy

An organization's incident response plan (IRP) is being updated. Which stakeholder should be included in the IRP development to ensure legal and regulatory requirements are met?

A. Legal counsel
B. External auditors
C. Chief Information Security Officer (CISO)
D. IT manager
Answer: A

Legal counsel ensures compliance with laws and regulations.

Why this answer

Legal counsel ensures the plan complies with relevant laws and regulations, such as breach notification requirements. The CISO (C) oversees security but may not have legal expertise. The IT manager (D) focuses on technical aspects.

External auditors (B) are not typically involved in plan development.

400
MCQ · easy

An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?

A. Disconnecting an infected workstation from the network
B. Restoring data from backup
C. Analyzing log files to determine the attack vector
D. Removing malware from the system
Answer: A

This prevents further propagation of malware.

Why this answer

Disconnecting an infected workstation from the network is a classic containment action because it immediately isolates the compromised system, preventing the spread of malware or unauthorized lateral movement to other hosts. Containment focuses on limiting the scope and impact of an incident, not on remediation or investigation. This step aligns with the NIST SP 800-61 incident response lifecycle, where containment is performed before eradication and recovery.

Exam trap

ISACA often tests the distinction between containment, eradication, and recovery, and the trap here is that candidates mistake 'removing malware' (eradication) or 'restoring from backup' (recovery) for containment, because they focus on fixing the problem rather than stopping its spread first.

How to eliminate wrong answers

Option B is wrong because restoring data from backup is a recovery action, not containment; it occurs after the threat is contained and eradicated, aiming to return systems to normal operation. Option C is wrong because analyzing log files to determine the attack vector is part of identification and analysis, not containment; it helps understand the incident but does not stop its spread. Option D is wrong because removing malware from the system is an eradication action, which follows containment; containment must first isolate the threat to prevent further damage before cleanup begins.

401
MCQ · easy

Based on the exhibit, what is the first action the incident response team should take?

A. Confirm the IDS alert is not a false positive.
B. Review the web server logs on 192.168.1.10 for evidence of exploitation.
C. Block the source IP 10.5.5.5 on the firewall.
D. Disable the firewall rule 'Allow-Internal-Web'.
Answer: B

Correct: Directly check if the XSS succeeded.

Why this answer

Option B is correct because the first step is to investigate the target web server logs to determine if the XSS attempt was successful. Blocking the source IP or disabling the rule may be premature if the attack was not effective, and confirming a false positive is less direct than reviewing the logs.

402
MCQ · easy

During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?

A. Mitigate by moving the backup server to a geographically separate location.
B. Transfer the risk by purchasing business interruption insurance.
C. Avoid the risk by discontinuing the backup process.
D. Accept the risk because the cost of mitigation is high.
Answer: A

This reduces the likelihood of both servers being lost simultaneously.

Why this answer

Moving the backup server to a geographically separate location directly eliminates the single point of failure by ensuring that a localized disaster (e.g., fire, flood, power outage) at the primary data center does not simultaneously destroy both the primary and backup data. This is a classic risk mitigation strategy that reduces the likelihood and impact of data loss, aligning with the principle of geographic redundancy for disaster recovery.

Exam trap

The trap here is that candidates may confuse risk transfer (insurance) with risk mitigation (redundancy), or incorrectly assume that accepting the risk is acceptable when a clear, cost-effective mitigation exists, especially in a CISM scenario where the organization's risk appetite is not explicitly stated as high.

How to eliminate wrong answers

Option B is wrong because purchasing business interruption insurance transfers the financial risk of downtime but does not address the technical single point of failure; the backup data remains vulnerable to the same physical disaster as the primary server. Option C is wrong because discontinuing the backup process would avoid the risk of backup failure but introduces an unacceptable risk of permanent data loss, violating fundamental data protection and business continuity requirements. Option D is wrong because accepting the risk without justification is inappropriate when a cost-effective mitigation (moving the backup server) is available; the cost of mitigation is not inherently high, and the risk of total data loss typically outweighs the expense of geographic separation.

403
Multi-Select · medium

Which of the following are key components of an information security risk management program? (Select TWO)

Select 2 answers
A. Risk assessment
B. Vulnerability scanning
C. Risk treatment
D. Incident response
Answers: A, C

Why this answer

Risk assessment is a core component of an information security risk management program because it systematically identifies, analyzes, and evaluates risks to information assets. It provides the foundational understanding of threats, vulnerabilities, and impacts necessary for informed decision-making. Without a formal risk assessment, the program lacks the data needed to prioritize and justify security investments.

Exam trap

ISACA often tests the distinction between program-level components (risk assessment, risk treatment) and operational activities (vulnerability scanning, incident response) to see if candidates understand that the risk management program is a strategic, governance framework, not a list of technical tasks.

Why the other options are wrong

B. Vulnerability scanning is a tool used within risk assessment, not a component of the program itself.

D. Incident response is a separate process, not a component of risk management.

404
MCQ · easy

A company engages a third-party vendor to process customer data. Which of the following is the most critical step in managing the associated risk?

A. Requiring the vendor to sign a non-disclosure agreement
B. Conducting a due diligence assessment before contracting
C. Performing a vulnerability scan of the vendor's network
D. Including a clause that transfers liability to the vendor
Answer: B

Pre-contract due diligence is the most critical to identify and mitigate risks early.

Why this answer

Conducting due diligence before contracting is essential to identify risks and ensure the vendor meets security requirements. Vulnerability scans are part of due diligence but not the most critical step. NDA and liability clauses are important but secondary to initial assessment.

405
MCQhard

An organization's IR plan is tested annually. After a test, many gaps are identified. What is the best next step?

A.Update the IR plan based on lessons learned and schedule a follow-up test
B.Train all employees on the plan
C.Wait for the next scheduled test in one year
D.Purchase additional security tools
AnswerA

Correct: Continuous improvement reduces gaps.

Why this answer

Updating the plan based on lessons learned and scheduling a follow-up test improves preparedness.

406
MCQhard

During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

A.Inadequate monitoring of DNS traffic for anomalies
B.Weak password policies
C.Unpatched web server software
D.Lack of data-at-rest encryption
AnswerA

Without monitoring DNS traffic for tunneling, exfiltration can go unnoticed for long periods.

Why this answer

The correct answer is A because DNS tunneling exfiltrates data by encoding it within DNS queries and responses, which are often allowed through firewalls without deep inspection. The attacker remained undetected for three months because the security team lacked monitoring of DNS traffic for anomalies, such as unusual query volumes, non-standard record types (e.g., TXT records), or domains with high entropy. Without DNS-specific anomaly detection or a security information and event management (SIEM) system correlating DNS logs, the exfiltration blended into normal traffic.

Exam trap

The trap here is that candidates may focus on the initial breach vector (e.g., unpatched software or weak passwords) rather than the detection failure that allowed the exfiltration to persist undetected for months, which is the core of the question.

How to eliminate wrong answers

Option B is wrong because weak password policies would not directly enable undetected data exfiltration over three months; they might allow initial access but do not explain the persistence of DNS tunneling. Option C is wrong because unpatched web server software could be an initial vector, but the question focuses on the weakness that allowed the attacker to remain undetected for so long, not the entry point. Option D is wrong because lack of data-at-rest encryption does not affect detection of outbound data exfiltration via DNS tunneling; it concerns data confidentiality if storage is compromised, not network monitoring.

407
MCQmedium

After a ransomware incident, the incident response team contains the spread and begins eradication. The team discovers that the ransomware encrypted files on a file server and also deleted shadow copies. Which of the following should the team do NEXT to support recovery?

A.Restore the encrypted files from the most recent backup.
B.Create a forensic image of the file server and affected endpoints.
C.Attempt to decrypt the files using available decryption tools.
D.Notify law enforcement immediately.
AnswerB

Preserving evidence is essential before any recovery actions.

Why this answer

After containment and eradication, the priority is to preserve evidence for root cause analysis and potential legal action. Creating a forensic image of the file server and affected endpoints captures the ransomware artifacts, encryption keys, and system state before any recovery actions that could overwrite critical data. This aligns with the CISM incident management phase of 'lessons learned' and ensures the team can determine the attack vector and prevent recurrence.

Exam trap

The trap here is that candidates assume recovery (restoring backups) is the immediate next step, but CISM emphasizes that evidence preservation must precede any recovery action to support forensic analysis and legal proceedings.

How to eliminate wrong answers

Option A is wrong because restoring from backup before forensic imaging risks destroying volatile evidence (e.g., ransomware binaries, registry keys, or network logs) that is essential for identifying the initial compromise vector. Option C is wrong because attempting decryption without first preserving evidence may alter the system state, and decryption tools are rarely available for modern ransomware; even if successful, the team loses forensic data. Option D is wrong because law enforcement notification is not an immediate technical step for recovery; it should occur after evidence preservation and as part of the incident communication plan, not before forensic imaging.

408
MCQhard

A global company is establishing an information security governance committee. Which membership composition BEST ensures alignment between security and business strategy?

A.IT operations managers and the CISO
B.Chief Information Security Officer (CISO) and IT directors only
C.Senior leaders from each business unit, the CISO, and the Chief Risk Officer
D.Chief Financial Officer (CFO), General Counsel, and CISO
AnswerC

Ensures business alignment and risk integration.

Why this answer

Option C is correct because cross-functional representation from business units ensures diverse perspectives and stakeholder buy-in. Option A is wrong because IT operations lacks governance authority. Option B is wrong due to the lack of business input. Option D is wrong because finance and legal alone are insufficient.

409
MCQeasy

Which metric is most indicative of security program effectiveness?

A.Security budget spent
B.Time to patch critical vulnerabilities
C.Number of security tools deployed
D.Number of security incidents
AnswerB

This metric shows how quickly the organization mitigates high-risk exposures.

Why this answer

Time to patch critical vulnerabilities (Option B) directly reflects the program's ability to reduce risk. Option A measures spending, not effectiveness. Option C counts tools, not outcomes. Option D is a lagging indicator.

410
Multi-Selectmedium

Which THREE of the following are typical steps in a qualitative risk assessment?

Select 3 answers
A.Estimate likelihood and impact using rating scales
B.Prioritize risks based on risk ratings
C.Identify assets and threats
D.Calculate annualized loss expectancy (ALE)
E.Assign monetary values to impact
AnswersA, B, C

Rating scales (e.g., 1-5) are qualitative.

Why this answer

Qualitative assessment uses rating scales instead of monetary values. Identifying assets and threats, estimating likelihood and impact using scales, and prioritizing based on risk ratings are steps. Assigning monetary values and calculating ALE are quantitative steps.

411
MCQeasy

After successfully containing an incident, the incident response team discovers that the attacker exploited a previously unknown vulnerability in a web application. The vulnerability is not yet patched by the vendor. The organization's management is concerned about the risk of another attack using the same vulnerability. What should the team recommend as the immediate action to reduce this risk?

A.Implement a workaround to mitigate the vulnerability
B.Disable the web application until a patch is available
C.Report the vulnerability to the software vendor
D.Develop an in-house patch for the vulnerability
AnswerA

Workarounds can reduce risk quickly without waiting for a patch.

Why this answer

Implementing a workaround (such as a web application firewall rule or a configuration change) reduces the immediate risk while waiting for a vendor patch. Developing a patch in-house is not advisable due to complexity and risk. Reporting to the vendor is important but does not provide immediate protection. Disabling the service may be too disruptive.

412
MCQmedium

An organization's security program has been in place for two years, but recently several security incidents occurred due to lack of user awareness. What is the most likely root cause?

A.The awareness program is not regularly updated or evaluated for effectiveness.
B.Lack of a security awareness program.
C.Insufficient budget for security tools.
D.Insufficient firewall rules.
AnswerA

Continuous improvement is needed; without updates, awareness decays.

Why this answer

Without periodic evaluation and updates, awareness programs become stale and ineffective. The other options are indirect or insufficient.

413
MCQmedium

A company is developing a risk treatment plan for a set of identified risks. One risk involves a third-party vendor that hosts critical data. The risk owner recommends accepting the risk. Which of the following conditions would BEST support this decision?

A.The organization has no compensating controls in place
B.The cost to mitigate is higher than the potential financial loss from a breach
C.The risk is within the organization's risk appetite but the business impact is high
D.The vendor has a history of security incidents
AnswerB

If mitigation costs outweigh the expected loss, acceptance is a sound business decision.

Why this answer

Option B is correct because accepting risk is justified when the cost of mitigation exceeds the potential loss. Option A is wrong because a lack of compensating controls increases inherent risk. Option C is wrong because business impact is a factor, but if the mitigation cost is higher, acceptance may still be appropriate. Option D is wrong because a history of security incidents indicates higher vulnerability and risk, making acceptance less appropriate.

414
Drag & Dropmedium

Arrange the steps in order for conducting a business impact analysis (BIA) in business continuity management.


Why this order

A BIA first identifies critical functions, then determines acceptable downtime, assesses impact, prioritizes recovery, and finally documents findings.

415
MCQeasy

An organization's intrusion detection system alerts on a potential C2 communication from an internal host. Which phase of the incident response lifecycle should be initiated first?

A.Post-Incident Activity
B.Preparation
C.Containment, Eradication, and Recovery
D.Detection and Analysis
AnswerD

Alert triggers the detection phase.

Why this answer

Option D is correct because detection and analysis is the first phase after preparation. Option A is wrong because post-incident activity comes after recovery. Option B is wrong because preparation precedes any incident and is not initiated in response to an alert. Option C is wrong because containment, eradication, and recovery follow analysis.

416
Multi-Selectmedium

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly three.)

Select 3 answers
A.Risk elimination
B.Risk transfer (sharing)
C.Risk avoidance
D.Risk mitigation (reduction)
E.Risk deferral
AnswersB, C, D

Transfer involves sharing risk with another party, e.g., insurance.

Why this answer

Option B is correct because ISO 31000 defines risk transfer (sharing) as a valid risk treatment option, where the risk is shifted to another party, such as through insurance or outsourcing. This is a standard approach in information security risk management to reduce the financial impact of a risk event.

Exam trap

ISACA often tests the distinction between 'risk elimination' and 'risk avoidance' to trap candidates who confuse the two, as elimination implies complete removal of the risk source, which is rarely achievable in information security, while avoidance means not engaging in the risky activity at all.

417
MCQhard

You are the CISO of a mid-sized financial services firm that processes credit card transactions. The company has recently expanded its operations to include a mobile payment application that stores payment credentials in the cloud. The current information security program was designed primarily for the on-premises environment and has not been updated to address cloud-specific risks. The internal audit team has identified that the cloud service provider (CSP) does not have an independent third-party audit report (e.g., SOC 2) available for review. Additionally, the mobile app development team has been deploying code without formal security review, citing the need for rapid releases to compete in the market. The CEO has expressed concern about the potential for a data breach and has asked you to recommend immediate actions to strengthen the security program while minimizing business disruption. Which of the following should you recommend as the FIRST course of action?

A.Encrypt all data in transit and at rest using the organization's own encryption keys.
B.Implement compensating controls such as tokenization for all cardholder data stored in the cloud.
C.Conduct a detailed security assessment of the cloud service provider's controls and contractually require an annual SOC 2 Type II report.
D.Require the mobile app development team to undergo formal security training and implement a peer review process for all code deployments.
AnswerC

This directly addresses the gap in oversight and provides assurance over the CSP's controls.

Why this answer

Option C is the correct first course of action because the absence of an independent third-party audit report (e.g., SOC 2 Type II) means the organization has no verified assurance that the cloud service provider (CSP) has adequate security controls in place. As CISO, you must immediately assess the CSP's security posture and contractually mandate a SOC 2 Type II report to gain visibility into the effectiveness of the CSP's controls over time, which is foundational before implementing any compensating technical controls. This aligns with the CISM domain of Information Security Program governance, where vendor risk management and due diligence are critical first steps when expanding into cloud environments.

Exam trap

The trap here is that candidates often jump to implementing a technical control (like encryption or tokenization) as the immediate fix, but the CISM exam emphasizes that governance and vendor risk management—specifically obtaining independent assurance of the CSP's controls—must come first before deploying compensating technical measures.

How to eliminate wrong answers

Option A is wrong because encrypting data with the organization's own keys (client-side encryption) does not address the root cause—lack of visibility into the CSP's overall security posture; encryption is a compensating control that should follow a proper vendor risk assessment. Option B is wrong because implementing tokenization for cardholder data is a tactical data-centric control that does not resolve the immediate governance gap of having no independent audit report on the CSP; tokenization should be considered after contractual assurance is established. Option D is wrong because requiring security training and peer review for the mobile app development team, while beneficial, does not address the most critical risk—the unverified cloud provider—and would not be the first priority when the CSP's controls are completely unknown.

418
MCQmedium

Based on the exhibit, an incident involves unauthorized access to a file server containing corporate training videos. No sensitive data is stored there. Which priority should the incident be assigned?

A.Critical
B.Medium
C.High
D.Low
AnswerD

Low-value data, easily restored.

Why this answer

Option D is correct because the training videos are low-value data with no sensitive information and are easily restored. Option A is wrong because there are no sensitive data or regulatory implications. Option B is wrong because no sensitive business data is involved. Option C is wrong because no operational data is affected.

419
Multi-Selecthard

Which THREE of the following are essential roles in an effective information security governance structure? (Choose three.)

Select 3 answers
A.Help desk manager.
B.Board of directors.
C.Network administrator.
D.Security steering committee.
E.Chief information security officer (CISO).
AnswersB, D, E

Provides strategic oversight and direction.

Why this answer

The board of directors is essential because it holds ultimate accountability for the organization's risk posture and must approve the information security strategy, policies, and resource allocation. Without board-level oversight, security governance lacks the authority to enforce compliance and align security objectives with business goals. This aligns with the CISM framework's emphasis on top-down governance, where the board provides strategic direction and ensures adequate funding for security initiatives.

Exam trap

The trap here is that candidates confuse operational or technical roles (help desk manager, network administrator) with governance roles, failing to recognize that governance requires strategic oversight and accountability, not hands-on technical execution.

420
Multi-Selecteasy

Which TWO of the following are best practices for preserving digital evidence during an incident? (Select exactly 2)

Select 2 answers
A.Create a forensic image of the hard drive using a write blocker
B.Document the chain of custody
C.Interview witnesses before collecting data
D.Run antivirus scans on the affected system
E.Reboot the system to clear memory
AnswersA, B

Write blocker prevents alteration of original data.

Why this answer

Creating a forensic image with a write blocker (Option A) is a best practice because it captures an exact bit-for-bit copy of the storage media without altering the original data. The write blocker intercepts write commands at the hardware or software level, ensuring the integrity of the evidence. This preserves the original state for later analysis and admissibility in legal proceedings.

Exam trap

The trap here is that candidates often confuse 'preserving evidence' with 'immediate remediation'—choosing actions like rebooting or scanning that seem helpful but actually destroy volatile data or alter the evidence, while the exam emphasizes forensic soundness and legal admissibility over speed.

421
MCQhard

Refer to the exhibit. An audit reveals that 20% of privileged accounts were approved by the same manager without secondary review. Which control deficiency is MOST relevant to this finding?

A.Segregation of duties
B.Access review frequency
C.Provisioning delay
D.Audit log retention
AnswerA

One person approving without oversight is a segregation of duties deficiency.

Why this answer

Option A is correct because the lack of secondary review for privileged account approvals violates the principle of segregation of duties. Option B is wrong because access review frequency may be adequate. Option C is wrong because a provisioning delay is not indicated. Option D is wrong because log retention is unrelated to the approval process.

422
Multi-Selectmedium

Which of the following are key components of an Information Security Risk Management program? (Select TWO.)

Select 2 answers
A.Establishing a risk management framework
B.Conducting vulnerability scanning
C.Performing risk assessment and treatment
D.Performing internal audits
AnswersA, C

Why this answer

A is correct because establishing a risk management framework is the foundational component of an Information Security Risk Management program. It defines the policies, procedures, and governance structure for identifying, assessing, and treating risks, aligning with standards like ISO 31000 or NIST SP 800-39. Without a framework, risk management activities lack consistency and accountability. C is correct because risk assessment and treatment is the operating cycle of that framework: risks are identified and evaluated, and a response is selected and implemented for each one.

Exam trap

The trap here is that candidates confuse operational security activities (like vulnerability scanning or internal audits) with the strategic components of a risk management program, which are the framework and the risk assessment/treatment cycle.

Why the other options are wrong

B

Vulnerability scanning is a technical control, not a program component.

D

Audit is independent assurance, not part of the risk management program itself.

423
Matchingmedium

Match each business continuity term to its definition.


Maximum time to restore a process after disruption

Maximum age of data that must be recovered

Plan to maintain business functions during disruption

Plan to restore IT infrastructure after disaster

Process to identify critical functions and dependencies

Why these pairings

Business continuity and disaster recovery terms: the maximum time to restore a process after disruption is the recovery time objective (RTO); the maximum age of data that must be recovered is the recovery point objective (RPO); the plan to maintain business functions during disruption is the business continuity plan (BCP); the plan to restore IT infrastructure after a disaster is the disaster recovery plan (DRP); the process to identify critical functions and dependencies is the business impact analysis (BIA).

424
MCQhard

A company's security program includes a policy that prohibits the use of personal devices for work. However, the CISO discovers that several executives are using personal tablets to access corporate email. What is the most appropriate action for the CISO to take?

A.Block all personal devices from the network
B.Continue monitoring but take no action
C.Update the policy to allow personal devices under strict controls
D.Discipline the executives for policy violation
AnswerC

Balances security with usability through mobile device management.

Why this answer

Option C is correct because the program should be risk-based: allow the behavior but enforce security controls such as MDM and data encryption. Option A is wrong because a blanket prohibition may be bypassed. Option B is wrong because ignoring policy violations undermines the program. Option D is wrong because security should enable the business while managing risk.

425
MCQeasy

Based on the exhibit, what is the MOST significant gap in incident management?

A.Inconsistent incident classification.
B.Slow response times.
C.High number of incidents.
D.Lack of documentation.
AnswerD

Option D is correct because 45 incidents (37.5%) have no documentation, indicating a process gap.

Why this answer

Option D is correct because 45 incidents (37.5%) have no documentation, indicating a process gap. The other options are either not shown to be gaps by the exhibit or cannot be determined from it.

426
MCQmedium

Which of the following is the PRIMARY reason for an information security manager to integrate risk management into the organization's enterprise risk management (ERM) framework?

A.To ensure compliance with regulatory requirements
B.To provide a consistent risk reporting structure across the enterprise
C.To support informed decision-making by aligning security risks with business objectives
D.To reduce the cost of risk management through shared resources
AnswerC

Why this answer

Integrating information security risk into ERM ensures that security risks are considered alongside business risks, enabling better prioritization and resource allocation. This alignment helps the organization make informed decisions that balance risk appetite and business objectives. The primary driver is to support strategic decision-making, not just compliance or reporting.

Exam trap

Candidates may choose 'To comply with regulatory requirements' because regulations often mandate risk management, but the primary reason is strategic alignment with business goals, not compliance.

Why the other options are wrong

A

Compliance is a benefit but not the primary reason; integration is about strategic alignment.

B

Consistent reporting is a result of integration, not the primary reason.

D

Cost reduction is a potential benefit but not the primary strategic reason.

427
Multi-Selecthard

An organization has a high residual risk after implementing all feasible controls. According to CISM best practices, which of the following should the information security manager do? (Select TWO.)

Select 2 answers
A.Escalate to senior management for risk acceptance
B.Document the risk in the risk register and accept it
C.Implement additional compensating controls
D.Immediately perform a new risk assessment
AnswersA, C

Why this answer

When residual risk remains high after all feasible controls are implemented, the information security manager should escalate the risk to senior management for formal risk acceptance (Option A). This aligns with CISM best practices, as senior management holds the authority to accept risks that exceed the organization's risk appetite. Additionally, implementing compensating controls (Option C) can further reduce residual risk to an acceptable level, even if primary controls are already in place.

Exam trap

The trap here is that candidates confuse 'documenting and accepting' (Option B) as sufficient, overlooking the CISM requirement that risk acceptance must be formally escalated to and approved by senior management, not just recorded by the security manager.

Why the other options are wrong

B

Documentation alone is not sufficient; escalation is needed for high residual risk.

D

A new assessment may be done later, but the immediate action is to escalate and consider additional controls.

428
MCQhard

After a major security incident, the board of directors requests a review of the information security program. Which of the following metrics would be MOST useful to demonstrate the effectiveness of the program over the past year?

A.Percentage of employees who completed security awareness training
B.Number of security incidents detected and contained within defined SLAs
C.Total cost of security investments compared to industry benchmarks
D.Number of vulnerabilities identified in the latest penetration test
AnswerB

Why this answer

The number of incidents detected and contained within defined SLAs directly measures the program's ability to detect and respond to threats, which is a key indicator of operational effectiveness. Other metrics may be useful but do not directly measure the program's performance in protecting the organization.

Exam trap

Candidates often choose 'Percentage of employees completing security training' because training is a common control, but it doesn't measure actual incident response effectiveness.

Why the other options are wrong

A

Training completion is a leading indicator but does not measure program effectiveness in handling incidents.

C

Cost comparison does not indicate how well the program performed.

D

Vulnerability counts are point-in-time and not a comprehensive measure of program effectiveness.

429
MCQmedium

A company has recently adopted COBIT 2019 as its governance framework. The board is requesting a concise report on the effectiveness of the security program. Which reporting structure best aligns with COBIT's guidance?

A.List of all security incidents and their impacts
B.Dashboard showing alignment of security goals with enterprise goals, using KRIs and KPIs
C.Compliance status with all applicable regulations
D.Detailed technical vulnerabilities discovered during penetration tests
AnswerB

This directly addresses COBIT's governance objectives.

Why this answer

Option B is correct because COBIT emphasizes linking security goals to enterprise goals and using KRIs and KPIs. Option A lists incidents but does not show alignment. Option C is compliance-focused, not governance. Option D is too technical.

430
Matchingmedium

Match each security framework to its primary purpose.


Specify requirements for an ISMS

Provide risk-based guidance for critical infrastructure

Govern and manage enterprise IT

Align IT services with business needs

Protect cardholder data

Why these pairings

Common frameworks referenced in CISM: specifying requirements for an ISMS is ISO/IEC 27001; risk-based guidance for critical infrastructure is the NIST Cybersecurity Framework; governing and managing enterprise IT is COBIT; aligning IT services with business needs is ITIL; protecting cardholder data is PCI DSS.

431
MCQeasy

A security analyst detects a potential data exfiltration from a critical server. According to incident response best practices, what is the first action the analyst should take?

A.Disconnect the server from the network immediately.
B.Notify the incident response manager.
C.Review firewall logs to confirm the exfiltration.
D.Take a forensic image of the server.
AnswerA

Correct: Stops exfiltration and prevents further damage.

Why this answer

Option A is correct because immediate containment is the priority to stop further data loss. Other actions are important but should follow containment.

432
MCQeasy

A small e-commerce company with 50 employees and limited IT budget is establishing its first formal information security program. The company processes customer payment data and must comply with PCI DSS. The CEO wants to balance security with operational costs. The IT manager proposes investing in a state-of-the-art security information and event management (SIEM) system costing $100,000 annually. The CISO, however, recommends a more phased approach. Considering the company's size, budget constraints, and compliance requirements, what should be the CISO's primary recommendation?

A.Implement the SIEM system immediately to achieve real-time threat detection.
B.Outsource all security operations to a managed security service provider (MSSP).
C.Develop a custom security software solution tailored to the company's payment processing system.
D.Deploy a firewall, antivirus software, and enforce strong access controls as baseline security measures.
AnswerD

These are essential, cost-effective controls that meet PCI DSS requirements and protect against common threats.

Why this answer

The correct action is to implement a firewall, antivirus, and basic access controls as foundational measures that address PCI DSS requirements cost-effectively. A SIEM (A) is too expensive and complex for a small organization. Outsourcing to an MSSP (B) may be considered later but is not the first step. Developing custom software (C) is unnecessary and wastes resources.

433
MCQeasy

A security analyst receives an alert indicating a potential data exfiltration from a server. Which of the following should be the FIRST step in the incident response process?

A.Perform a forensic analysis.
B.Escalate to senior management.
C.Isolate the server from the network.
D.Verify the alert to confirm it is not a false positive.
AnswerD

Option D is correct because the first step in incident response is to verify the alert to avoid an unnecessary response to a false positive.

Why this answer

Option D is correct because the first step in incident response is to verify the alert to avoid an unnecessary response to a false positive. Option A is wrong because forensic analysis is done after containment. Option B is wrong because escalation should occur after confirmation. Option C is wrong because isolation may be premature without verification.

434
MCQmedium

A security manager is tasked with building a business case for a new security program. Which metric is most persuasive to senior management?

A.Number of security incidents detected per month.
B.Estimated financial exposure from unmitigated risks.
C.Percentage of systems patched within 30 days.
D.Hours spent on security training.
AnswerB

Quantified risk exposure resonates with leadership.

Why this answer

Senior management cares about business impact; showing financial risk exposure demonstrates the need in their language.

435
MCQhard

Refer to the exhibit. An organization uses these firewall rules. After a breach, the IR team finds that the attacker gained access via SSH from an external IP. Which rule is most likely misconfigured?

A.MySQL should be blocked entirely
B.RDP should not be allowed
C.HTTPS should be inspected
D.SSH is allowed from any source instead of only internal
AnswerD

Correct: SSH should be restricted to specific trusted IPs.

Why this answer

The SSH rule allows access from any source, which is a security risk. It should be restricted to internal IPs.

436
Matchingmedium

Match each cryptographic term to its description.


Uses same key for encryption and decryption

Uses public/private key pair

One-way transformation producing fixed-size digest

Provides authenticity and non-repudiation

Framework managing digital certificates and keys

Why these pairings

Cryptography concepts relevant to CISM: using the same key for encryption and decryption is symmetric encryption; using a public/private key pair is asymmetric encryption; a one-way transformation producing a fixed-size digest is a hash function; authenticity and non-repudiation are provided by digital signatures; the framework managing digital certificates and keys is public key infrastructure (PKI).

437
MCQmedium

A company's security steering committee includes representatives from Human Resources, Legal, and Risk Management, but not from Business Operations. What is the most likely consequence of this membership gap?

A.Data breaches will occur more frequently
B.Security policies may not align with operational processes
C.Security spending will increase unexpectedly
D.The company will face regulatory fines
AnswerB

Operations provides insight into how security controls affect business workflows.

Why this answer

Without operations, security policies may not align with day-to-day business processes, leading to inefficiencies or resistance. Option B (increased costs) could occur but is not the most direct consequence. Option C (data breaches) is less likely.

Option D (regulatory non-compliance) is possible but secondary.

438
MCQhard

Refer to the exhibit. What is most suspicious about this event?

A.The user jdoe is not an administrator
B.Event ID 4688 is unusual
C.The process ID is too low
D.The process name svchost.exe running from Temp folder
AnswerD

Correct: svchost.exe is a Windows system process and should not run from Temp.

Why this answer

svchost.exe running from the Temp folder is abnormal because it should run from System32.

439
Multi-Selecthard

Which THREE of the following are key indicators of a mature information security governance process? (Select exactly three.)

Select 3 answers
A.Security risk appetite is defined and reported to the board
B.Mean time to patch critical vulnerabilities is under 48 hours
C.Security performance metrics are linked to business outcomes
D.Security strategy is reviewed and updated annually based on business changes
E.Number of security incidents decreased by 20% year-over-year
AnswersA, C, D

Key governance element.

Why this answer

Options A, C, and E are correct. A mature governance process includes business-aligned metrics (A), board-level risk reporting (C), and regular strategy review (E). B is an operational metric.

D is a reactive metric.

440
Multi-Selecthard

Which TWO of the following are key indicators that an organization's information security governance is inadequate?

Select 2 answers
A.Low budget for security awareness
B.Frequent changes to security policies without approval
C.High number of security incidents
D.Use of multiple antivirus solutions
E.Absence of a risk appetite statement
AnswersB, E

Indicates lack of governance process over policy changes.

Why this answer

Frequent policy changes without approval (B) and absence of a risk appetite statement (D) directly indicate governance failures. A high incident count (A) and a low budget (C) may be symptoms but are not definitive; the use of multiple antivirus solutions (E) is an operational matter.

441
MCQeasy

During a post-incident review, the incident response team identifies that the root cause of a data breach was a misconfigured firewall rule that allowed unrestricted inbound access from the internet. Which corrective action BEST addresses this issue?

A.Increase the frequency of penetration tests
B.Conduct a one-time review of all firewall rules
C.Restore the firewall configuration from the last known good backup
D.Implement a change management process for firewall modifications
AnswerD

Change management ensures all rule changes are authorized and reviewed, reducing risk.

Why this answer

Implementing a change management process ensures that firewall rule changes are reviewed and approved, preventing misconfigurations. A one-time review (B) is temporary. Penetration testing (C) identifies vulnerabilities but doesn't fix process.

Restoring from backup (D) does not address the configuration issue.

442
MCQeasy

Based on the exhibit, what is the MOST appropriate next step for the information security manager?

A.Recommend implementing multifactor authentication to reduce the risk
B.Accept the risk because the likelihood is only moderate
C.Reassess the risk with a higher risk appetite threshold
D.Transfer the risk by purchasing cyber insurance
AnswerA

Additional controls can lower the likelihood or impact, bringing the risk within appetite.

Why this answer

Multifactor authentication (MFA) directly mitigates the most likely attack vector for the identified risk—credential theft or brute-force attacks—by requiring a second factor (e.g., a one-time password from a hardware token or biometric) in addition to the password. Since the exhibit (not shown) indicates a moderate likelihood but high impact, implementing MFA reduces the likelihood to a more acceptable level without requiring a change in risk appetite or transferring the risk. This aligns with the CISM principle of applying cost-effective controls to reduce residual risk to within the organization's risk tolerance.

Exam trap

ISACA often tests the misconception that risk acceptance is a valid default response when likelihood is moderate, but the trap here is that acceptance requires the risk to be within the risk appetite after all cost-effective controls have been considered—not before.

How to eliminate wrong answers

Option B is wrong because accepting a risk with only moderate likelihood ignores the potential high impact; risk acceptance should only occur when the residual risk is within the organization's risk appetite after controls are applied, not as a default action. Option C is wrong because reassessing with a higher risk appetite threshold is a reactive and inappropriate approach—it artificially lowers the perceived risk rather than addressing the actual vulnerability, which violates the principle of risk management. Option D is wrong because transferring the risk via cyber insurance does not reduce the likelihood or impact of the security incident; it only provides financial compensation after a breach, and the organization still suffers operational and reputational damage, making it a less appropriate next step than implementing a preventive control like MFA.

443
MCQmedium

A company is implementing a risk management program and needs to define risk appetite. Which of the following is the MOST appropriate statement of risk appetite for a financial institution?

A.The organization will mitigate all risks to a low level
B.The organization will not invest in high-risk projects
C.The organization accepts no level of risk
D.The organization will accept up to $5M in potential loss for operational risks
AnswerD

Quantified risk appetite supports consistent decision-making.

Why this answer

Option B is correct because it sets a quantifiable tolerance for specific risk types. Option A is wrong because zero tolerance is unrealistic. Option C is wrong because it defines risk tolerance in a specific area.

Option D is wrong because it is a risk treatment decision, not a risk appetite statement.

444
Multi-Selectmedium

An incident responder is handling a phishing attack that resulted in credential theft. Which TWO actions should be taken FIRST in the containment phase?

Select 2 answers
A.Disable the user's account temporarily.
B.Notify all users about the phishing campaign.
C.Conduct a forensic analysis of the user's machine.
D.Block the phishing URL at the proxy.
E.Reset the compromised user's password.
AnswersA, E

Stops further use of the stolen credentials.

Why this answer

Options A and E are correct because resetting the password and disabling the account immediately cut off attacker access. Option B is a good step but not first priority. Option C is forensic, not containment.

Option D is communication, which comes later.

445
Multi-Selectmedium

Which of the following are essential components of an information security program governance framework? (Select TWO.)

Select 2 answers
A.A security steering committee with executive representation.
B.A formal risk appetite statement.
C.Documented information security policies and procedures.
D.An incident response plan.
AnswersA, C

Why this answer

A security steering committee with executive representation is essential because it provides strategic oversight, aligns security initiatives with business objectives, and ensures resource allocation and governance accountability. This committee typically includes C-level executives who approve security policies, review risk posture, and enforce compliance across the organization.

Exam trap

ISACA often tests the distinction between governance components (steering committee, policies) and operational or risk management artifacts (risk appetite statement, incident response plan), leading candidates to select familiar but incorrect operational items.

Why the other options are wrong

B

Risk appetite is part of risk management, not governance framework per se.

D

Operational plan, not a governance component.

446
MCQhard

After a major security incident, the incident response team completes the containment, eradication, and recovery phases. The CISO is now planning the post-incident activities. Which activity is MOST critical to ensure that lessons learned are effectively incorporated?

A.Publishing a public disclosure of the incident.
B.Terminating the incident response team's engagement.
C.Restoring all systems to full production status.
D.Conducting a post-incident review and updating policies.
AnswerD

This ensures that the organization learns from the incident and improves future response.

Why this answer

Conducting a post-incident review and updating policies is the most critical post-incident activity because it ensures that the root cause, response gaps, and process deficiencies are formally documented and translated into actionable improvements. This directly supports the continuous improvement cycle required by NIST SP 800-61 and ISO 27035, preventing recurrence of similar incidents.

Exam trap

ISACA often tests the distinction between operational recovery tasks (restoring systems) and strategic improvement tasks (post-incident review), leading candidates to mistakenly prioritize immediate restoration over the learning process that prevents future incidents.

How to eliminate wrong answers

Option A is wrong because public disclosure is a legal or regulatory obligation (e.g., GDPR breach notification) that does not inherently incorporate lessons learned into internal security controls. Option B is wrong because terminating the incident response team's engagement prematurely closes the feedback loop, preventing the capture of process improvements and forensic findings. Option C is wrong because restoring systems to full production status is an operational recovery step, not a learning activity; it does not address why the incident occurred or how to prevent it.

447
MCQhard

During a security program review, the auditor finds that incident response procedures have not been tested in over two years. What is the MOST significant risk arising from this finding?

A.Non-compliance with regulatory requirements
B.Higher financial costs due to inefficiencies
C.Increased recovery time after an incident
D.Ineffective response leading to greater damage during an incident
AnswerD

Without testing, the plan may not work, causing extended damage.

Why this answer

Option C is correct because untested procedures may be ineffective or outdated, leading to failure during a real incident. Option A is wrong: increased recovery time is a symptom. Option B is wrong: non-compliance is possible but not the most significant risk.

Option D is wrong: higher costs are secondary.

448
MCQmedium

An information security manager is developing a program metric to measure the effectiveness of the security awareness training. Which metric is most appropriate?

A.Percentage of employees who completed the training.
B.Number of security incidents caused by human error.
C.Average score on post-training tests.
D.Time taken to complete the training modules.
AnswerB

Why this answer

The most appropriate metric for measuring the effectiveness of security awareness training is the reduction in security incidents caused by human error. While completion rates and test scores measure participation and knowledge retention, they do not directly indicate whether the training has changed employee behavior and reduced real-world risk. A decrease in human-error-related incidents provides direct evidence that the training is effectively influencing secure practices.

Exam trap

The trap here is that candidates often confuse training completion or test scores with effectiveness, but CISM emphasizes outcome-based metrics that demonstrate actual risk reduction, not just activity completion.

Why the other options are wrong

A

Completion does not measure learning or behavior change.

C

Test scores measure knowledge retention, but not application in real situations.

D

Time is irrelevant to effectiveness; fast completion may indicate skipping content.

449
MCQhard

An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?

A.Notify the service owner
B.Disable the service account
C.Investigate the source IP addresses
D.Change the password for the service account
AnswerD

Changing the password invalidates the attacker's attempts.

Why this answer

The correct next step is to change the password for the service account because the alert indicates a possible brute-force attack, and a known password represents a compromised credential. Even if the account is a service account, the password must be rotated to prevent unauthorized access. This aligns with the incident response principle of containing the threat by invalidating the compromised authentication factor.

Exam trap

The trap here is that candidates confuse a service account with a user account and choose to investigate the source IP addresses first, forgetting that containment (password change) must precede investigation when a known credential is involved.

How to eliminate wrong answers

Option A is wrong because notifying the service owner is a communication step that should occur after the immediate threat is contained, not as the next action. Option B is wrong because disabling the service account would disrupt dependent services and applications, potentially causing a larger operational impact than the brute-force attempt itself. Option C is wrong because while investigating source IP addresses is a valid forensic step, it does not address the immediate risk of a known password being used in an ongoing attack; containment takes priority over investigation.

450
Multi-Selecteasy

Which TWO of the following are key performance indicators (KPIs) commonly used to measure the effectiveness of incident management processes?

Select 2 answers
A.Percentage of incidents resolved within SLA
B.Mean Time to Detect (MTTD)
C.Mean Time to Respond (MTTR)
D.Total cost of incidents
E.Number of incidents per month
AnswersB, C

MTTD measures how quickly an incident is detected, a key indicator of detection capability.

Why this answer

Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are standard KPIs for incident management effectiveness. The other options are either volume metrics or not specific to incident management.
