Certified Information Security Manager CISM (CISM) — Questions 451-500

500 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
Multi-Select · easy

Which TWO of the following are risk treatment strategies as defined in ISO 27005?

Select 2 answers
A. Risk analysis
B. Risk monitoring
C. Risk avoidance
D. Risk transfer
E. Risk communication
Answers: C, D

Avoidance is a risk treatment strategy.

Why this answer

Risk avoidance and risk transfer are standard treatment strategies. Risk analysis, risk communication, and risk monitoring are not treatment strategies but are part of the risk management process.

452
Multi-Select · hard

Which TWO of the following are recommended practices when conducting a post-incident review? (Select TWO)

Select 2 answers
A. Document lessons learned and improvement actions
B. Update the incident response plan immediately
C. Assign blame to responsible individuals
D. Identify the root cause of the incident
E. Reimage all affected systems
Answers: A, D

Lessons learned improve future response.

Why this answer

Correct: Identifying the root cause (D) and documenting lessons learned (A) are key. Assigning blame (C) is discouraged. Updating the IRP (B) is a result of the review, not the review itself.

Reimaging systems (E) is recovery, not review.

453
Multi-Select · medium

An information security manager is designing a security program for a multinational organization. Which factors should be considered when developing the program governance structure? (Select 3)

Select 3 answers
A. Legal and regulatory requirements across jurisdictions
B. Current technology architecture
C. Business strategy and objectives
D. Organizational culture and risk appetite
Answers: A, C, D

Why this answer

Legal and regulatory requirements across jurisdictions are foundational because a multinational organization must comply with diverse data protection laws (e.g., GDPR in Europe, CCPA in California, LGPD in Brazil) that directly dictate security controls, breach notification timelines, and data residency rules. The governance structure must incorporate these obligations to avoid legal penalties and ensure consistent policy enforcement across borders.

Exam trap

ISACA often tests the distinction between governance (strategy, culture, compliance) and management (architecture, tools, implementation), leading candidates to mistakenly select technology architecture as a governance factor.

Why the other options are wrong

B

Technology architecture is an operational concern, not governance.

454
MCQ · easy

A security analyst notices unusual outbound traffic from a server that is not scheduled for any data transfers. Which step should the analyst take FIRST?

A. Block the IP addresses in the outbound traffic
B. Immediately isolate the server from the network
C. Document the observation and escalate to the incident response team
D. Ignore as it may be a false positive
Answer: C

Proper escalation ensures formal handling.

Why this answer

Option C is correct because documenting the observation and escalating is the proper first step per incident response procedures. Option B is wrong because isolating without analysis may disrupt services. Option D is wrong because ignoring the observation is dangerous.

Option A is wrong because blocking without understanding the traffic may hide the issue.

455
Multi-Select · medium

Which TWO of the following are key indicators that an organization's information security governance is effective?

Select 2 answers
A. Low variance between the approved security budget and actual spending.
B. The number of security policies that have been published.
C. High percentage of risk treatment plans implemented on time.
D. Regular reporting of security performance metrics to the board.
E. High completion rate for security awareness training.
Answers: C, D

This shows that governance decisions are being executed.

Why this answer

Options C and D are correct. A high percentage of risk treatment plans implemented on time (C) shows governance execution, and regular board-level reporting of security metrics (D) indicates oversight. Option B is wrong because the number of policies is not a measure of effectiveness.

Option A is wrong because low budget variance does not equal good governance. Option E is wrong because awareness training completion is an operational measure.

456
Multi-Select · medium

Which TWO of the following are valid risk treatment options according to ISO 31000? (Choose two.)

Select 2 answers
A. Risk avoidance
B. Risk measurement
C. Risk identification
D. Risk communication
E. Risk retention
Answers: A, E

Avoiding the risk by not undertaking the activity.

Why this answer

Options A and E are correct: risk avoidance and risk retention (acceptance) are treatment options. Option B is incorrect because risk measurement is not a treatment. Option C is incorrect because risk identification is part of assessment.

Option D is incorrect because risk communication is an ongoing activity throughout the risk management process, not a treatment.

457
MCQ · medium

A company is designing its information security program and wants to ensure that it meets regulatory requirements across multiple jurisdictions. Which of the following approaches is most appropriate?

A. Adopt ISO 27001 as the sole framework for the program.
B. Implement a regulatory compliance framework that maps controls to applicable laws and standards.
C. Comply with the strictest regulation and ignore others.
D. Engage external legal counsel to review policies quarterly.
Answer: B

Maps controls to regulations, ensuring comprehensive and consistent compliance.

Why this answer

The correct answer is B because a regulatory compliance framework provides a structured, comprehensive approach. Option A (ISO 27001) is a standard but not specifically tailored to multi-jurisdictional regulations. Option C (complying only with the strictest regulation and ignoring the others) is risky because other regulations may carry requirements the strictest one lacks.

Option D (legal review only) lacks sustained program management.

458
MCQ · medium

An organization's information security program is based on a risk management framework. Which of the following BEST describes the role of the information security manager in this context?

A. Setting the organization's risk appetite
B. Designing and managing the security program
C. Owning all information security risks
D. Conducting internal audits of controls
Answer: B

Why this answer

The information security manager is responsible for designing and managing the security program based on the risk management framework. This includes translating risk assessment results into security controls, policies, and procedures, and ensuring the program aligns with the organization's risk posture. The manager does not set risk appetite (that is a board-level decision) nor own all risks (risk owners are business process owners).

Exam trap

The trap here is confusing the information security manager's operational role with strategic or assurance roles, leading candidates to select 'setting risk appetite' or 'conducting internal audits' instead of the correct program management function.

Why the other options are wrong

A

Risk appetite is set by the board of directors, not the security manager.

C

Risk ownership resides with business process owners; the security manager facilitates risk management.

D

Internal audits are performed by the audit function, not by security management.

459
Multi-Select · hard

Which THREE elements should be included in an incident response plan to ensure effective communication during a security incident?

Select 3 answers
A. Escalation procedures for notifying management and legal
B. Communication protocols and channels for internal coordination
C. List of affected systems and data
D. Public relations strategy for external communication
E. Defined roles and responsibilities for the incident response team
Answers: A, B, E

Escalation ensures timely involvement of decision-makers.

Why this answer

Option A is correct because escalation procedures define the specific thresholds and contact paths for notifying management and legal teams when an incident exceeds predefined severity levels. This ensures that decision-makers are informed promptly to authorize critical actions like legal holds or regulatory notifications, preventing delays that could worsen the incident's impact.

Exam trap

The trap here is that candidates confuse operational data (like affected systems) with communication plan elements, or they mistakenly think a full public relations strategy must be embedded in the IR plan rather than referenced as a separate document.

460
Multi-Select · medium

Which THREE are essential steps in incident containment? (Choose three.)

Select 3 answers
A. Root cause analysis
B. Notify external regulators
C. Disable compromised accounts
D. Isolate affected systems
E. Preserve forensic evidence
Answers: C, D, E

Disabling accounts stops attacker access through valid credentials.

Why this answer

Isolating affected systems, disabling compromised accounts, and preserving forensic evidence are critical containment steps. Root cause analysis is part of investigation, and notifying regulators is a post-containment step.

461
MCQ · easy

A small business without a dedicated incident response team experiences a suspected breach. Who should be primarily responsible for leading the incident response efforts?

A. The CEO of the company.
B. The IT administrator who discovered the breach.
C. The external cybersecurity consultant on retainer.
D. The legal counsel.
Answer: C

Correct: Brings specialized skills and experience.

Why this answer

Option C is correct because external cybersecurity consultants have the expertise needed to lead the response. The IT administrator may lack incident response training, the CEO is management, and legal counsel provides advice rather than leadership.

462
MCQ · hard

Match each information security program component to its primary focus area.

Components:
1. Risk Assessment
2. Security Awareness Training
3. Incident Response Plan
4. Policy Framework

Focus areas:
A. Human factors and behavior
B. Structured response to events
C. Identification and analysis of threats
D. Governance and compliance requirements

Drag each component to its matching focus area.

Risk Assessment: C. Identification and analysis of threats
Security Awareness Training: A. Human factors and behavior
Incident Response Plan: B. Structured response to events
Policy Framework: D. Governance and compliance requirements

Why this answer

Risk Assessment focuses on identifying and analyzing threats. Security Awareness Training addresses human factors. Incident Response Plan provides structured response.

Policy Framework establishes governance and compliance.

Exam trap

Candidates often confuse Incident Response Plan with Risk Assessment, but incident response is about reaction, not identification.


463
MCQ · easy

A company's information security manager is tasked with ensuring that security initiatives align with business goals. Which of the following best demonstrates this alignment?

A. Prioritizing security projects based solely on technical risk assessment.
B. Implementing all security controls required by regulatory standards.
C. Creating a security budget that allocates funds equally across departments.
D. Establishing security metrics that are linked to key business performance indicators.
Answer: D

This directly ties security outcomes to business success, demonstrating alignment.

Why this answer

Option D is correct because linking security metrics to business KPIs directly shows how security supports business objectives. Option B is wrong because regulatory compliance alone does not guarantee alignment with business goals. Option A is wrong because focusing only on technical risks ignores business context.

Option C is wrong because budget allocation should be based on risk and business value, not just equal distribution.

464
MCQ · hard

A risk manager is establishing risk appetite for a new product line. Which of the following best describes the relationship between risk appetite and risk tolerance?

A. Risk appetite and tolerance are interchangeable terms
B. Risk appetite is set by regulatory bodies; tolerance is set by the board
C. Risk appetite is the specific limit for each risk; tolerance is the overall willingness to accept risk
D. Risk appetite is the general approach to risk; tolerance defines acceptable variation in performance
Answer: D

This correctly distinguishes between appetite and tolerance.

Why this answer

Risk appetite is the general approach to risk at the enterprise level, while risk tolerance defines the acceptable variation in performance around objectives. Specific limits are part of tolerance, not appetite. Regulatory bodies may set constraints but do not define appetite.

465
Multi-Select · medium

Which THREE of the following are key components of an incident response plan? (Select THREE)

Select 3 answers
A. List of all employees' contact information
B. Annual budget for incident response tools
C. Communication and escalation matrix
D. Incident response procedures
E. Roles and responsibilities of team members
Answers: C, D, E

Clear communication paths are critical during an incident.

Why this answer

Correct: Response procedures (D), a communication and escalation matrix (C), and roles and responsibilities (E) are essential. A budget (B) is not typically part of the plan itself. A list of all employees' contact information (A) is too detailed and not a core component.

466
MCQ · hard

A global financial services firm with 15,000 employees has recently experienced a significant data breach due to inadequate oversight of third-party vendors. The breach originated from a cloud service provider that had been granted elevated access without a formal risk assessment or contract review. The board has directed the CISO to overhaul the information security governance framework to prevent recurrence. Currently, the organization has a decentralized security model where each business unit manages its own vendor relationships. The CISO proposes a centralized governance body. Which of the following is the BEST course of action to establish effective governance over third-party risk?

A. Establish a central third-party risk management program with a defined policy and vendor assessment process
B. Conduct quarterly penetration tests on all third-party systems
C. Provide annual security awareness training for employees managing vendors
D. Mandate that all vendor contracts include data protection clauses
Answer: A

Centralized program ensures consistent governance and oversight of all vendor relationships.

Why this answer

Option A is correct because it directly addresses the root cause: lack of oversight. A formal third-party risk management (TPRM) program with centralized policies and vendor assessments provides consistent governance. Option D (contract clauses) is reactive and not comprehensive; Option C (training) addresses awareness but not process; Option B (penetration testing) is a technical control, not governance.

467
MCQ · easy

A manufacturing company has an incident response plan that includes a communication plan. However, during a recent ransomware incident, the team realized that the external legal counsel was not listed in the plan. The incident requires consultation with legal due to potential regulatory implications. The incident response manager needs to address this gap quickly. What should the manager do?

A. Notify legal counsel after the incident is resolved
B. Use only internal legal department instead of external counsel
C. Ignore legal counsel involvement for this incident
D. Add the legal counsel to the incident response plan immediately
Answer: D

Updating the plan to include all necessary stakeholders is essential for effective communication.

Why this answer

The manager should add legal counsel to the communication plan immediately to ensure they are included in future incidents. Ignoring them or delaying notification could worsen regulatory consequences. Using internal legal might not be sufficient for external counsel needs.

468
MCQ · medium

After detecting a ransomware infection on a file server, the incident response team performs containment and eradication. Which step should be prioritized during the recovery phase to minimize business impact?

A. Contact the attackers to negotiate a decryption key
B. Reimage all servers in the same network segment
C. Identify and patch the vulnerability used for entry
D. Restore data from verified clean backups
Answer: D

Restoring from backups is the primary recovery method.

Why this answer

Restoring data from verified clean backups is the most direct way to recover operations without paying a ransom. Identifying and patching the vulnerability (C) is part of eradication, not recovery. Negotiating with attackers (A) is discouraged.

Reimaging all servers in the segment (B) may be excessive and cause more downtime.

469
MCQ · hard

A security manager is evaluating risk treatment options for a high-risk vulnerability. Drag each option to the correct risk treatment category.

Options:
- Apply a vendor patch
- Purchase cyber insurance
- Decommission the system
- Accept the risk with formal sign-off
- Install a WAF (Web Application Firewall)

Categories:
- Mitigate
- Transfer
- Avoid
- Accept

Answer options not yet available.

Why this answer

Risk mitigation reduces the likelihood or impact: applying a patch and installing a WAF are mitigation. Transfer shifts risk to a third party: cyber insurance. Avoid eliminates the risk by removing the system: decommissioning.

Acceptance is formal acknowledgment: accept with sign-off.

Exam trap

Candidates may misclassify insurance as mitigation because it reduces financial impact, but it is transfer. Also, decommissioning is clearly avoidance, not mitigation.

470
MCQ · hard

A multinational organization needs to comply with GDPR and CCPA. What is the best approach for the information security program?

A. Implement a unified privacy framework covering all regulations
B. Adopt the most restrictive requirements from any regulation
C. Outsource compliance to a third-party provider
D. Create separate security programs for each region
Answer: A

A unified framework ensures compliance while maintaining efficiency.

Why this answer

Implementing a unified privacy framework that covers all regulations ensures consistency and reduces complexity. Option A is correct. Option B may cause over-compliance and inefficiency.

Option D duplicates effort. Option C increases risk.

471
MCQ · hard

An organization's IDS logs show multiple outbound connections to an external IP address from a server that normally communicates only internally. The logs indicate the process is running under the SYSTEM account. Which of the following BEST describes the likely root cause?

A. A backdoor installed via a previous compromise
B. A misconfigured application
C. An authorized administrative activity
D. A privilege escalation exploit
Answer: A

Outbound connections from SYSTEM account are a classic indicator of a backdoor or remote access Trojan (RAT) placed after initial compromise.

Why this answer

Persistent outbound connections from the SYSTEM account suggest a backdoor installed by a prior compromise that allows remote command execution. Option A is correct.

472
MCQ · easy

Which of the following best describes the difference between risk appetite and risk tolerance?

A. Risk appetite is the maximum risk tolerance
B. Risk tolerance is the total risk, and risk appetite is the residual risk
C. Risk appetite is the amount of risk an organization is willing to accept, while risk tolerance is the acceptable variation around that appetite for specific objectives
D. Risk appetite is qualitative, and risk tolerance is quantitative
Answer: C

This is the standard definition.

Why this answer

Option C is correct because risk appetite is the broad willingness to accept risk, while risk tolerance is the acceptable deviation around specific objectives. Option B is wrong because it reverses the definitions. Option D is wrong because both can be expressed quantitatively or qualitatively.

Option A is wrong because tolerance is not a maximum of appetite but a measurable boundary around it.

473
MCQ · hard

A technology startup has grown rapidly and its risk management practices are informal. The CEO has a very high risk appetite and frequently overrides risk management recommendations to accelerate product launches. After a serious data breach involving customer payment information, the board of directors demands a formal risk management program. The risk manager is tasked with changing the risk culture. The startup has limited resources but must meet contractual obligations to protect customer data. What is the most effective first step?

A. Develop and communicate a revised risk appetite statement approved by the board
B. Outsource all information security operations to a managed service provider
C. Immediately deploy a suite of technical security controls
D. Recommend the termination of the CEO for previous risk decisions
Answer: A

Correct; this aligns the organization's risk tolerance and guides behavior.

Why this answer

Option A is correct because developing and communicating a revised risk appetite statement aligned with the board's risk tolerance sets the foundation for a risk-aware culture. It provides clear guidance for decision-making. Option C is insufficient without a cultural shift; technical controls may be undermined.

Option D is drastic and not directly a risk management action. Option B transfers responsibility but does not change internal culture or ensure compliance.

474
MCQ · medium

An organization has decided to adopt a risk-based approach to information security. What is the FIRST step the information security manager should take to implement this approach?

A. Identify and assess information assets and their associated threats and vulnerabilities.
B. Define the organization's risk appetite and risk tolerance levels.
C. Implement security controls based on industry best practices.
D. Select a risk management framework such as ISO 31000 or NIST RMF.
Answer: A

Risk identification and assessment form the foundation.

Why this answer

The first step in implementing a risk-based approach is to identify and assess information assets along with their associated threats and vulnerabilities. This foundational activity provides the necessary context for all subsequent risk management decisions, including defining risk appetite, selecting a framework, and implementing controls. Without a clear understanding of what assets exist and what risks they face, any further steps would be based on assumptions rather than evidence.

Exam trap

The trap here is that candidates often confuse the sequence of risk management activities, mistakenly believing that defining risk appetite or selecting a framework should come first, when in fact asset identification and risk assessment are the prerequisite steps that inform all other decisions.

How to eliminate wrong answers

Option B is wrong because defining risk appetite and risk tolerance levels requires prior knowledge of the assets and risks; without asset identification, risk appetite cannot be meaningfully set. Option C is wrong because implementing controls based on industry best practices without first understanding the specific risks can lead to misallocated resources and ineffective security, violating the core principle of a risk-based approach. Option D is wrong because selecting a risk management framework (e.g., ISO 31000 or NIST RMF) is a tactical decision that should follow the initial identification and assessment of assets and risks to ensure the framework is applied to the correct scope.

475
MCQ · medium

An organization's incident response team has completed the initial response to a ransomware incident. During the post-incident review, they identify that the detection was delayed because security logs from different systems were not correlated. The team wants to improve detection capabilities. What should the team recommend as the primary improvement?

A. Hire additional security analysts to manually correlate logs
B. Increase the amount of logging on all systems
C. Implement a Security Information and Event Management (SIEM) system
D. Reduce log retention to lower storage costs
Answer: C

SIEM correlates logs from multiple sources to detect incidents in a timely manner.

Why this answer

Implementing a SIEM solution provides centralized log collection and correlation, enabling timely detection. Increasing logging without correlation still results in data silos. Hiring more analysts may help but does not address the root cause of poor correlation.

Reducing log retention would hinder forensic analysis.

476
MCQ · easy

Which of the following best describes the primary purpose of an information security program?

A. To ensure 100% system availability
B. To eliminate all security risks
C. To manage security risks in alignment with business strategy
D. To achieve compliance with all applicable regulations
Answer: C

Program ensures security supports business objectives.

Why this answer

Option C is correct because the program's goal is to align security with business objectives and manage risk to an acceptable level. Option A is wrong because availability is one aspect of the CIA triad, not the primary purpose. Option B is wrong because eliminating all risk is not achievable; security is a business enabler that manages risk rather than removing it.

Option D is wrong as legal compliance is a component, not the overarching goal.

477
MCQ · hard

An organization's governance framework requires regular reporting to the board. Which reporting frequency and format is MOST effective for a board with limited security expertise?

A. Monthly dashboard of technical control effectiveness metrics
B. Quarterly report summarizing key risk indicators and business impact
C. Annual presentation of the overall security risk register
D. Weekly technical briefings on incidents and vulnerabilities
Answer: B

Balanced frequency and business context.

Why this answer

Option B is correct because quarterly reports with business impact language and risk trends are tailored for board understanding. Option D is wrong because weekly is too frequent and too technical. Option C is wrong because annual is too infrequent.

Option A is wrong because the technical depth of control metrics is inappropriate for a board with limited security expertise.

478
MCQ · hard

A multinational corporation is expanding its cloud infrastructure across multiple regions. The risk team has identified that the shared responsibility model for cloud security is not well understood by business units. After a recent audit, several misconfigurations led to a data exposure incident that affected one region. The CISO wants to implement a risk management program that ensures consistent control across all regions. As the risk manager, what is the most effective course of action to reduce the risk of similar incidents?

A. Transfer the risk to cloud providers by renegotiating contracts to include liability clauses.
B. Develop and enforce cloud security baseline standards and conduct regular compliance audits.
C. Implement a cloud access security broker (CASB) to monitor all cloud activities centrally.
D. Accept the risk as inherent to cloud adoption and focus resources on incident response.
Answer: B

Standards and audits address the root cause by ensuring consistent understanding and adherence.

Why this answer

Developing and enforcing cloud security baseline standards and conducting regular compliance audits directly address the root cause of misconfigurations due to lack of understanding. A CASB provides monitoring but does not enforce standards. Transferring risk to cloud providers shifts liability but does not prevent misconfigurations.

Acceptance with focus on incident response is reactive and does not reduce likelihood.

479
MCQ · hard

During a risk assessment, an organization identifies a critical vulnerability in a legacy system that cannot be patched. The system's availability is crucial for business operations. Which of the following risk treatment strategies is MOST appropriate?

A. Risk mitigation by implementing compensating controls
B. Risk acceptance with formal sign-off by senior management
C. Risk transfer through cyber insurance
D. Risk avoidance by decommissioning the system
Answer: B

Why this answer

When a critical vulnerability cannot be patched and the system must remain available for business operations, risk acceptance is the most appropriate strategy because it formally acknowledges the residual risk after all feasible controls have been considered. Senior management sign-off is required because the risk exceeds the organization's risk appetite, and acceptance documents the decision to operate with the known vulnerability. This approach aligns with the CISM principle that risk acceptance is a valid treatment when the cost of other treatments exceeds the benefit or when no other treatment is feasible.

Exam trap

The trap here is that candidates often choose risk mitigation (compensating controls) because it seems proactive, but the question explicitly states the vulnerability 'cannot be patched' and the system is 'crucial for business operations,' making formal acceptance by senior management the required CISM answer when residual risk remains after all feasible controls.

Why the other options are wrong

A

Compensating controls are a form of mitigation and can still reduce risk, but the vulnerability itself cannot be fixed, so mitigation may not be fully effective. Where no further controls are cost-effective, the residual risk remains, and formal acceptance is the best answer.

C

Insurance transfers financial risk but not operational risk; the vulnerability remains.

D

Decommissioning would avoid risk but is not acceptable because the system is critical.

480
MCQ · easy

A small business owner wants to establish an information security program but has limited budget and staff. Which of the following frameworks would be most appropriate to guide the program?

A. ISO/IEC 27001
B. NIST Cybersecurity Framework
C. COBIT 2019
D. PCI DSS
Answer: B

Flexible and adaptable, with tiers for maturity.

Why this answer

Option B is correct because the NIST CSF is scalable, risk-based, and suitable for organizations of all sizes. Option A is wrong because ISO 27001 is comprehensive but resource-intensive. Option C is wrong because COBIT is focused on IT governance, not specifically on security.

Option D is wrong as PCI DSS applies only to credit card data.

481
Multi-Select · medium

An organization experiences a data breach involving personal information. Which TWO actions should be taken as part of incident response? (Choose two.)

Select 2 answers
A. Immediately issue a press release without consulting legal.
B. Notify the relevant data protection authority within the required timeframe.
C. Ignore the incident if no customers have complained.
D. Conduct a post-incident review to identify lessons learned.
E. Delete all system logs to prevent further exposure.
Answers: B, D

Option B is correct as it is required by regulations.

Why this answer

Options B and D are correct. B is required by regulations; D is best practice. Option A is wrong because a press release should be coordinated with legal; Option C is wrong; Option E is wrong because logs are needed for the investigation.

482
MCQ · hard

During an incident investigation, the team discovers that an attacker used a valid user's credentials to access a sensitive database. The user's account had multi-factor authentication (MFA) enabled. How is this MOST likely possible?

A. MFA was not properly configured
B. The attacker guessed the MFA token
C. The user approved a fraudulent MFA prompt
D. The attacker used a man-in-the-middle attack
Answer: C

Attackers can bombard users with MFA requests until they approve one.

Why this answer

MFA fatigue attacks involve repeatedly sending push notifications until the user approves one. Option A is less likely; Option B (guessing the token) would not realistically bypass MFA; Option D is not a direct explanation.

483
MCQmedium

A risk manager is evaluating a control that reduces the likelihood of a threat from high to low. The cost of the control is $100,000 annually. The expected loss without the control is $500,000 per year. Which of the following should the risk manager recommend?

A.Avoid the risk by discontinuing the process
B.Transfer the risk through insurance
C.Implement the control
D.Accept the risk
Answer: C

Net benefit: $400,000 loss reduction minus $100,000 cost = $300,000 savings.

Why this answer

Option C is correct because the control reduces the expected loss to $100,000, saving $400,000, at a cost of $100,000, for a net benefit of $300,000. Option D is wrong because controlling the risk is cost-effective, so accepting it is not justified. Option B is wrong because transfer might be more expensive.

Option A is wrong because avoidance may not be necessary.

484
MCQ · hard

A financial institution's security program must comply with PCI DSS, GDPR, and SOX. Which approach is MOST efficient to manage overlapping compliance requirements?

A.Develop three separate control sets for each regulation
B.Focus only on the requirements of the strictest regulation
C.Implement a single control set mapped to all applicable regulations
D.Engage external auditors to manage compliance for each regulation
Answer: C

A unified control framework eliminates redundancy and streamlines compliance.

Why this answer

Option C is correct because implementing a single set of controls mapped to multiple regulations reduces duplication and simplifies management. Option B is wrong because focusing only on the strictest regulation may miss unique requirements. Option A is wrong because separate control sets are inefficient.

Option D is wrong because outsourcing does not address the overlap.

485
MCQ · medium

A company experiences ransomware that encrypts critical servers. Backups are available but were taken 2 weeks ago. What is the best course of action?

A.Restore from backups immediately
B.Restore from backups after verifying no residual malware and performing security scans
C.Rebuild servers from scratch
D.Pay the ransom
Answer: B

Correct: Ensures a clean environment before restoration.

Why this answer

Restore from backups after verifying no residual malware and performing security scans to ensure clean restoration.

486
MCQ · hard

An organization has implemented a data classification policy but notices that employees often mark documents as 'internal use only' even when they contain personally identifiable information (PII). Which of the following is the most effective corrective action for the information security program?

A.Revise the data classification policy to simplify categories.
B.Conduct random audits and reprimand employees who misclassify data.
C.Increase the frequency of data classification training for all employees.
D.Deploy a data loss prevention (DLP) system that automatically classifies documents based on content inspection.
Answer: D

Automates classification, reducing user error and ensuring consistent labeling.

Why this answer

Option D is correct because automating classification based on content inspection reduces reliance on user discretion. Option C (more training) may help but is not as effective as automation. Option B (auditing and reprimanding) is punitive and may not address the root cause.

Option A (policy revision) alone does not enforce compliance.

487
Multi-Select · medium

Which TWO are common challenges in incident management?

Select 2 answers
A.Inadequate communication between teams
B.Lack of executive support
C.Too many technical staff
D.Over-reliance on automation
E.Excessive documentation
Answers: A, B

Correct: Poor communication leads to delays and errors.

Why this answer

Lack of executive support and inadequate communication between teams are frequent obstacles.

488
MCQ · hard

An organization has a distributed incident response team across multiple time zones. During a critical incident, communication delays occur due to different work hours. Which strategy BEST improves coordination and response time?

A.Require all team members to work overlapping shifts
B.Implement a follow-the-sun incident response model
C.Designate a single incident commander for the entire response
D.Outsource incident response to a managed security service provider
Answer: B

Follow-the-sun ensures continuous coverage by handing off between regions.

Why this answer

Implementing a follow-the-sun model ensures that a team is always available during its business hours, reducing delays. A single incident commander (C) creates a bottleneck. Overlapping schedules (A) help but are not as comprehensive as follow-the-sun.

Outsourcing (D) may introduce new issues.

489
MCQ · hard

During a review of the information security program, the security manager discovers that the program's objectives are not aligned with the organization's strategic business goals. What is the best course of action?

A.Justify the existing objectives to management to demonstrate their value.
B.Revise the program objectives to align with business goals.
C.Implement additional security controls to compensate for the misalignment.
D.Escalate the issue to the board of directors without changes.
Answer: B

Why this answer

The CISM framework emphasizes that an information security program must be directly aligned with the organization's strategic business goals to ensure that security investments support business objectives rather than hinder them. Revising the program objectives to align with business goals (Option B) is the correct course of action because it ensures that security controls, risk appetite, and resource allocation are driven by business needs, not isolated technical requirements. This alignment is a core principle of the Information Security Program domain, as misalignment can lead to wasted resources, reduced executive support, and increased business risk.

Exam trap

ISACA often tests the misconception that adding more controls or escalating issues can substitute for strategic alignment, but the CISM exam specifically requires candidates to recognize that program objectives must be revised to match business goals before any other action is taken.

Why the other options are wrong

A: This does not address the misalignment; the objectives should be revised to match business goals.

C: Adding controls does not fix the strategic misalignment.

D: Escalation is not the first step; the manager should propose a solution.

490
MCQ · medium

Refer to the exhibit. An analyst sees this alert on the network. What is the most appropriate immediate action?

A.Ignore the alert as it is likely a false positive
B.Investigate the source endpoint for compromise
C.Block the source IP 10.0.1.50
D.Block the destination IP 203.0.113.5
Answer: B

Correct: The internal system is likely compromised and needs examination.

Why this answer

The source IP is internal, so the analyst should investigate the internal system for compromise.

491
MCQ · hard

A multinational financial institution uses a third-party Managed Security Service Provider (MSSP) for 24/7 monitoring of its security infrastructure. During a targeted attack, the MSSP’s analysts detected anomalous activity on a critical server at 2:00 AM. However, due to the service level agreement (SLA) which allows up to 12 hours for notification of lower-priority incidents, the MSSP classified the incident as medium severity and did not notify the internal incident response team until 2:00 PM. By then, the attacker had exfiltrated sensitive customer data. The internal team is conducting a post-incident review. What is the PRIMARY issue that led to the delay?

A.The MSSP analysts lacked technical skills to recognize the incident's true severity
B.The incident severity was incorrectly classified as medium
C.The internal incident response team was not available until 2:00 PM
D.The SLA for notification of medium-severity incidents was too long
Answer: D

The SLA allowed a 12-hour delay which was exploited by the attacker.

Why this answer

The SLA had a notification window that was too long for this type of incident. The classification as medium severity might have been appropriate, but the SLA aggravated the delay. The team's availability and the MSSP's technical skills are secondary or not the root cause.

492
Multi-Select · easy

Which THREE are components of the Plan phase in a security program lifecycle (e.g., ISO 27001 PDCA)?

Select 3 answers
A.Risk assessment
B.Strategy alignment with business objectives
C.Monitoring and review
D.Implementation of controls
E.Policy development
Answers: A, B, E

Risk assessment is foundational to planning.

Why this answer

Risk assessment, policy development, and strategy alignment are all part of planning, so options A, B, and E are correct. Option D (implementation of controls) belongs to the Do phase.

Option C (monitoring and review) belongs to the Check/Act phases.

493
MCQ · medium

An organization's incident response team is conducting a lessons learned meeting after a major incident. Which outcome is MOST critical to document?

A.Root cause analysis
B.Detailed timeline of events
C.List of tools used
D.Total cost of the incident
Answer: A

Root cause identifies underlying issues to prevent recurrence.

Why this answer

Option A is correct because root cause analysis prevents recurrence. Option B is wrong because, although the timeline is useful, root cause is more critical. Option D is wrong because cost is not the primary learning objective.

Option C is wrong because the tool list is less strategic.

494
MCQ · hard

A financial institution is hit by a Distributed Denial of Service (DDoS) attack that is overwhelming their internet-facing services. The incident response team activates the plan, but the attack continues to escalate. The CEO is under pressure and asks the incident response manager whether they should pay the ransom demand (the attackers also sent an extortion note demanding payment to stop the attack). The manager must advise the CEO on the best course of action.

A.Engage a DDoS scrubbing service to filter malicious traffic
B.Implement rate limiting on the firewall
C.Shut down all external-facing services
D.Pay the ransom to stop the attack immediately
Answer: A

Scrubbing services can absorb and filter attack traffic while allowing legitimate traffic.

Why this answer

Using DDoS scrubbing services (cloud-based or on-premises) is the recommended technical defense. Paying the ransom encourages future attacks and does not guarantee the attack will stop. Rate limiting may affect legitimate traffic.

Shutting down external access is too drastic and impacts business.

495
MCQ · easy

Which of the following is the PRIMARY goal of incident containment?

A.To gather evidence for prosecution.
B.To recover systems to normal operation.
C.To identify the root cause.
D.To prevent further damage and limit the scope of the incident.
Answer: D

Core objective of containment.

Why this answer

Option D is correct because containment aims to prevent further damage and limit scope. Options A, B, and C are goals of other phases.

496
MCQ · medium

After a security incident, the board holds the CISO accountable. The CISO argues that the incident was caused by a failure in the third-party risk management process. Which of the following governance deficiencies is most likely the root cause?

A.There was no board-approved policy for assessing and monitoring third-party risk.
B.The third-party contract did not specify security requirements.
C.The organization did not implement technical controls to monitor third-party access.
D.The incident response plan did not cover third-party related incidents.
Answer: A

Governance requires board-level policies to define expectations and oversight.

Why this answer

Option A is correct because without board-level oversight of third-party risk, governance cannot ensure proper management. Option C is wrong because technical failures are not governance deficiencies. Option B is wrong because contract terms and vendor selection are operational, not governance.

Option D is wrong because incident response is post-event; the root cause is lack of governance oversight.

497
MCQ · easy

An information security manager is asked to report on the effectiveness of the security program. Which metric would BEST indicate governance effectiveness?

A.Percentage of security initiatives directly linked to business strategy
B.Number of critical vulnerabilities identified
C.Number of audit findings per quarter
D.Mean time to detect and respond to incidents
Answer: A

Directly measures governance alignment.

Why this answer

Option A is correct because governance effectiveness is best measured by the percentage of security initiatives aligned with business strategy. Option D is wrong because mean time to detect and respond is operational. Option B is wrong because vulnerability count is technical.

Option C is wrong because audit findings are compliance focused.

498
Multi-Select · medium

Which TWO of the following are key components of an information security program governance structure? (Select TWO.)

Select 2 answers
A.A steering committee that includes senior management and business unit leaders.
B.An incident response plan that defines roles and procedures.
C.Regular reporting to the board of directors on security metrics and risks.
D.A vulnerability scanning schedule and remediation SLAs.
E.A firewall policy that specifies allowed and denied traffic.
Answers: A, C

A steering committee ensures alignment with business strategy and provides oversight.

Why this answer

A steering committee that includes senior management and business unit leaders is a key component of an information security program governance structure because it provides strategic oversight, aligns security initiatives with business objectives, and ensures accountability at the executive level. This committee typically authorizes policies, reviews risk appetite, and approves resource allocation, which are essential for effective governance.

Exam trap

ISACA often tests the distinction between governance (strategic oversight and decision-making) and management (operational execution and controls), so candidates mistakenly select operational items like incident response plans or vulnerability schedules as governance components.

499
MCQ · hard

An organization uses the ISO 31000 risk management framework. During the risk evaluation phase, it determines that a certain risk has a low likelihood but very high impact. The organization's risk appetite is moderate. Which of the following is the MOST appropriate risk treatment decision?

A.Accept the risk due to low likelihood
B.Avoid the risk by discontinuing the activity that generates it
C.Transfer the risk through insurance
D.Mitigate the risk by implementing controls to reduce impact
Answer: D

Mitigation reduces the impact to an acceptable level, aligning with moderate risk appetite.

Why this answer

Option D is correct because even low-likelihood risks with very high impact may need mitigation to align with a moderate risk appetite. Option A is wrong because acceptance is only appropriate if the risk is within appetite. Option B is wrong because avoidance is extreme unless no other controls exist.

Option C is wrong because transfer may not fully address the impact.

500
MCQ · easy

Which of the following is the PRIMARY role of the board of directors in information security governance?

A.Managing the day-to-day security operations.
B.Implementing security controls and technologies.
C.Providing strategic direction and oversight of the security program.
D.Developing detailed security policies and procedures.
Answer: C

The board ensures security aligns with business strategy.

Why this answer

The board of directors holds the ultimate fiduciary responsibility for the organization, including its information security posture. Their primary role is to provide strategic direction and oversight, ensuring that the security program aligns with business objectives, risk appetite, and regulatory requirements. This includes approving the overall security strategy, reviewing key risk indicators, and holding management accountable for security performance, not executing tactical tasks.

Exam trap

ISACA often tests the distinction between governance (board) and management (CISO/IT) roles, and the trap here is that candidates mistakenly assign tactical implementation duties to the board because they confuse oversight with execution.

How to eliminate wrong answers

Option A is wrong because managing day-to-day security operations is the responsibility of the security operations center (SOC) and operational staff, not the board. Option B is wrong because implementing security controls and technologies is a tactical function performed by security engineers and IT teams, not the board. Option D is wrong because developing detailed security policies and procedures is a management-level task typically handled by the CISO and security team, while the board provides high-level approval and oversight of the policy framework.
