Certified Information Security Manager CISM (CISM) — Questions 526–600

896 questions total · 12 pages · All types, answers revealed


Page 8 of 12

526
MCQ · medium

A company's security program includes a policy that all employees must use strong passwords and change them every 90 days. However, the recent internal audit shows that 60% of employees have passwords that do not meet the strength requirements. What is the most effective corrective action?

A. Conduct quarterly password audits with manual checks
B. Increase the frequency of security awareness training
C. Implement technical controls to enforce password strength
D. Extend the password change interval to 180 days
Answer: C

Technical enforcement (e.g., complexity rules) ensures compliance.

Why this answer

Option C is correct because automated enforcement ensures policy compliance without relying on user behavior change. Option B is wrong because training alone is insufficient. Option D is wrong because it reduces security and does not address the root cause.

Option A is wrong because audits detect but do not prevent non-compliance.

527
MCQ · easy

Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

A. To provide early warning signals of increasing risk
B. To report on past incidents and losses
C. To measure the effectiveness of security controls
D. To demonstrate compliance with regulations
Answer: A

KRIs indicate potential risk changes.

Why this answer

A Key Risk Indicator (KRI) is a metric used to provide an early warning signal that a risk exposure is approaching or exceeding acceptable thresholds. Unlike lagging indicators that report on past events, KRIs are forward-looking, enabling proactive risk mitigation before a risk materializes into a loss.

Exam trap

The trap here is that candidates often confuse KRIs with KPIs or KCIs, mistakenly thinking KRIs measure past performance or control effectiveness, when in fact KRIs are specifically designed to provide leading indicators of changing risk exposure.

How to eliminate wrong answers

Option B is wrong because reporting on past incidents and losses is the function of a Key Performance Indicator (KPI) or a loss event metric, not a KRI, which is forward-looking. Option C is wrong because measuring the effectiveness of security controls is the role of a Key Control Indicator (KCI) or control effectiveness metric, not a KRI, which focuses on risk exposure. Option D is wrong because demonstrating compliance with regulations is typically achieved through compliance audits and control testing, not through KRIs, which are designed to signal changes in risk levels rather than adherence to regulatory requirements.

528
Matching · medium

Match each security control type to its example.


Concepts
Matches

Firewall blocking unauthorized traffic

Intrusion detection system alerting on anomalies

Restoring system from backup after breach

Security warning banners on login

Additional authentication for legacy systems

Why these pairings

Control categories in information security.

529
Multi-Select · hard

A security team detects lateral movement within the network using PowerShell scripts. Which TWO actions are MOST effective to contain the threat?

Select 2 answers
A. Conduct memory forensics on affected endpoints.
B. Implement network segmentation to isolate affected VLANs.
C. Disable PowerShell remoting on all systems.
D. Apply the latest security patches to all systems.
E. Isolate the affected systems immediately.
Answers: C, E

Prevents further use of PowerShell for lateral movement.

Why this answer

Disabling PowerShell remoting (WinRM) on all systems is a highly effective containment action because it directly cuts off the primary channel used for lateral movement via PowerShell scripts. Attackers frequently abuse WinRM (port 5985/5986) and PowerShell's `Invoke-Command` or `Enter-PSSession` to move laterally, so disabling this service blocks that specific attack vector without requiring immediate system isolation.

Exam trap

Cisco often tests the distinction between containment and remediation, and the trap here is that candidates confuse 'isolating affected systems' (which is correct) with 'applying patches' (which is remediation, not containment), or they mistakenly think memory forensics is a containment action when it is actually part of the investigation phase.

530
MCQ · easy

Which role within a security team is primarily responsible for designing and reviewing security architectures to ensure alignment with business requirements and security standards?

A. SOC analyst
B. GRC analyst
C. Security architect
D. Security analyst
Answer: C

Security architects design and review security solutions and architectures.

Why this answer

The security architect designs and reviews the security architecture, ensuring it meets business needs and security requirements. Other roles focus on operations, analysis, or awareness.

531
Multi-Select · medium

Which THREE of the following are responsibilities of the board of directors regarding information security governance?

Select 3 answers
A. Approve the information security strategy
B. Respond to security incidents
C. Conduct vulnerability scans
D. Authorize the security budget
E. Set the organization's risk appetite
Answers: A, D, E

The board ensures the strategy aligns with business goals.

Why this answer

The board of directors is responsible for high-level governance, including approving the information security strategy to ensure alignment with business objectives. This strategic oversight ensures that security initiatives support organizational goals and comply with regulatory requirements, rather than involving hands-on technical execution.

Exam trap

The trap here is confusing governance (board-level strategic oversight) with management (operational execution), leading candidates to select hands-on tasks like incident response or vulnerability scanning as board responsibilities.

532
MCQ · hard

An organization maintains evidence handling procedures for incident response. A forensic investigator needs to collect a hard drive from a compromised server. Which of the following is the MOST critical step to ensure admissibility in court?

A. Encrypting the hard drive during transport.
B. Creating a forensic image of the hard drive before disconnecting it.
C. Ensuring the investigator has the proper certification.
D. Documenting the chain of custody from the moment of collection.
Answer: D

Chain of custody proves evidence hasn't been tampered with.

Why this answer

Chain of custody documentation is essential for evidence integrity and admissibility.

533
MCQ · hard

The SIEM alerts on this traffic. What should the incident analyst do FIRST?

A. Isolate the host for investigation.
B. Accept the traffic as normal.
C. Block the IP at the firewall.
D. Check if the destination is a legitimate CDN.
Answer: A

Option A is correct because the threat intelligence suggests C2, so isolating the host prevents further potential data loss or lateral movement while the investigation proceeds.

Why this answer

The SIEM alert indicates suspicious traffic, and the first priority in incident response is containment to prevent further damage or lateral movement. Isolating the host (Option A) immediately stops the potential threat from communicating with the network, allowing for a safe forensic investigation. This aligns with the NIST SP 800-61 incident response lifecycle, where containment is prioritized before eradication or recovery.

Exam trap

Cisco often tests the principle that containment (isolating the host) must precede any investigative or remediation steps like blocking IPs or verifying destinations, as candidates may mistakenly prioritize analysis over immediate action.

How to eliminate wrong answers

Option B is wrong because accepting the traffic as normal without investigation ignores the SIEM alert, which is a failure of the detection and analysis phase; the alert indicates a potential security event that requires verification. Option C is wrong because blocking the IP at the firewall is a reactive measure that may disrupt legitimate services if the IP is spoofed or shared (e.g., via a CDN), and it does not address the compromised host itself, which could still be used for other malicious activities. Option D is wrong because checking if the destination is a legitimate CDN is a secondary step that should occur after containment; the immediate priority is to stop the threat, not to validate the destination, as the alert could indicate a command-and-control (C2) channel using a legitimate CDN as a front.

534
MCQ · easy

Which is a key component of an information security program?

A. Encryption technology
B. Firewall
C. Antivirus software
D. Security policy
Answer: D

Policies establish the governance framework for the program.

Why this answer

A security policy is the foundational component of an information security program because it defines the organization's strategic direction, governance structure, and high-level principles for protecting information assets. Unlike specific technologies (encryption, firewalls, antivirus), the policy establishes the rules, roles, and responsibilities that drive the selection and implementation of all security controls. Without a policy, technical measures lack context, authority, and alignment with business objectives.

Exam trap

Cisco often tests the distinction between governance (policy) and operational controls (technology), trapping candidates who confuse a tactical tool like a firewall or antivirus with the strategic program component that defines the security program's scope and authority.

How to eliminate wrong answers

Option A is wrong because encryption technology is a specific technical control that protects data confidentiality, but it is not a program-level component; it is a tool deployed under the policy's guidance. Option B is wrong because a firewall is a network security device that filters traffic based on rules, but it is an operational control, not a strategic program component. Option C is wrong because antivirus software is a host-based endpoint protection tool that detects and removes malware, but it is a tactical solution, not a governance element of the security program.

535
MCQ · medium

Refer to the exhibit. Given the exhibit, which type of incident is MOST likely occurring?

A. Phishing campaign
B. Ransomware attack
C. Insider threat
D. DDoS attack
Answer: C

The user's behavior—accessing and exfiltrating sensitive data—is characteristic of an insider threat.

Why this answer

The exhibit shows a user logging in from an unusual location, attempting unauthorized access, and then exfiltrating sensitive data. This pattern is indicative of an insider threat, as it involves a legitimate user performing malicious actions. Option C is correct.

536
MCQ · medium

Based on the exhibit, what is the most significant security gap in this configuration?

A. The intrusion detection system is set to alert-only, so it cannot block attacks.
B. The vendor baseline is CIS Level 1, which may be too permissive.
C. The firewall allows inbound HTTPS from any source to web servers.
D. The database port 3306 is exposed to web servers without encryption.
Answer: A

Without prevention, attacks may succeed before manual response.

Why this answer

The intrusion detection system (IDS) is configured in alert-only mode, meaning it can only generate alerts and cannot take action to block or drop malicious traffic. This is a significant security gap because, unlike an intrusion prevention system (IPS), an IDS operates out-of-band and relies on manual intervention or separate security controls to stop attacks, leaving the network vulnerable during the response delay.

Exam trap

Cisco often tests the distinction between IDS (alert-only) and IPS (inline blocking) to catch candidates who assume any detection system can automatically stop attacks.

How to eliminate wrong answers

Option B is wrong because CIS Level 1 is a foundational baseline that focuses on essential security controls with minimal operational impact; it is not inherently 'too permissive' and is widely recommended as a starting point for hardening. Option C is wrong because allowing inbound HTTPS (TCP/443) from any source to web servers is a standard and necessary configuration for public-facing web services, provided the web servers are properly hardened and patched. Option D is wrong because exposing database port 3306 (MySQL) to web servers without encryption is a risk, but it is less significant than the IDS being unable to block attacks; database traffic can be encrypted with TLS or SSH tunneling, and the web server is a trusted internal component in many architectures.

537
Multi-Select · medium

A CISO is presenting a security metrics dashboard to the board. Which TWO metrics are most appropriate for board-level reporting? (Select TWO.)

Select 2 answers
A. Number of security staff per business unit
B. Security investment vs. loss avoidance
C. Number of firewall rules changed
D. Mean time to detect (MTTD)
E. Average patch deployment time
Answers: B, D

Demonstrates ROI and is strategic.

Why this answer

Board-level metrics should focus on strategic outcomes such as incident response and financial impact.

538
MCQ · medium

An organization is updating its incident response plan after a lessons learned meeting. Which of the following is the primary purpose of updating the plan based on lessons learned?

A. To assign blame for failures
B. To share threat intelligence with ISACs
C. To incorporate improvements to prevent recurrence and enhance response
D. To document the incident for regulatory compliance
Answer: C

Updating the IR plan with changes identified in lessons learned helps prevent similar incidents and improve response.

Why this answer

The primary purpose is to incorporate improvements to prevent recurrence and improve response effectiveness.

539
MCQ · easy

A security metrics program should include key performance indicators (KPIs) for board reporting. Which metric is most appropriate for executive oversight?

A. Number of firewall rules configured
B. Daily log volume
C. Patch management tool version
D. Mean time to detect (MTTD) incidents
Answer: D

MTTD is a strategic metric for board visibility.

Why this answer

Mean time to detect is a high-level metric that reflects security effectiveness.

540
MCQ · medium

TechStart, a cloud-based startup, has rapidly grown from 50 to 500 employees. It lacks a formal security governance structure. The CEO asks the CISO to develop one. The CISO finds that the company's culture values speed over compliance. The board expects a governance framework within three months. What is the most practical approach?

A. Implement a full COBIT framework immediately
B. Defer governance until after the next product launch
C. Start with a lean governance model, focusing on critical assets and compliance requirements
D. Focus solely on technical controls like firewalls and IAM
Answer: C

This balances speed with essential governance.

Why this answer

Option C is correct because starting with a lean governance model focusing on critical assets and compliance requirements is achievable within three months and respects the company culture. Option A is too heavy. Option D neglects governance.

Option B postpones governance and risks non-compliance.

541
Multi-Select · medium

Which THREE of the following are incident severity levels defined in a typical incident management program? (Select three.)

Select 3 answers
A. P5 – Low
B. P3 – Medium
C. P1 – Critical
D. P0 – Emergency
E. P2 – High
Answers: B, C, E

P3 has limited impact and standard response.

Why this answer

Common severity levels include P1 (critical), P2 (high), P3 (medium), and P4 (low). P0 is not standard; P5 is not used.

542
MCQ · easy

An incident response team is conducting an exercise to test its playbook for a ransomware incident. Which of the following is the PRIMARY benefit of such an exercise?

A. Validating the incident response plan and identifying areas for improvement
B. Documenting the exercise for future reference
C. Complying with regulatory requirements
D. Testing the technical skills of the team
Answer: A

Plan validation and improvement are key objectives.

Why this answer

Exercises validate the effectiveness of the plan and identify gaps before a real incident.

543
MCQ · easy

Based on the exhibit, which role is responsible for notifying affected users about the phishing attack?

A. Technical Lead
B. Legal Counsel
C. Incident Response Manager
D. Communications Lead
Answer: D

The communications lead handles internal and external communications.

Why this answer

The Communications Lead is responsible for notifying affected users about the phishing attack because this role manages external and internal communications, including user notifications, during an incident. In the exhibit, the Communications Lead is explicitly assigned the task of 'Notify affected users' under the communication plan, ensuring timely and accurate messaging to reduce further risk.

Exam trap

ISACA often tests the misconception that the Incident Response Manager handles all communications, but the trap here is that the IR Manager delegates user notification to the Communications Lead to maintain separation of duties and focus on technical containment.

How to eliminate wrong answers

Option A is wrong because the Technical Lead focuses on technical remediation (e.g., isolating systems, analyzing logs) and does not handle user notifications, which is a communications function. Option B is wrong because Legal Counsel advises on regulatory compliance and liability but does not directly notify users; their role is to review messaging for legal risk, not to execute the notification. Option C is wrong because the Incident Response Manager coordinates the overall response and decision-making but delegates user notification to the Communications Lead to avoid bottlenecks and ensure specialized handling.

544
MCQ · medium

An organization is developing an information security strategy aligned with business objectives. Which of the following is the BEST approach to prioritize security investments?

A. Follow industry benchmarks without adjustment
B. Use a risk-based approach aligned to business impact
C. Prioritize based on the cost of security controls
D. Allocate budget equally across all security domains
Answer: B

Risk-based prioritization ensures investments address the highest risks.

Why this answer

A risk-based approach aligns security investments with the organization's risk appetite, ensuring resources are directed to the most critical areas.

545
MCQ · easy

Which security team role is primarily responsible for defining and maintaining security architecture standards?

A. GRC analyst
B. Security analyst
C. Penetration tester
D. Security architect
Answer: D

The security architect defines security architecture and standards.

Why this answer

The security architect designs the security architecture, ensuring that security controls are integrated into systems and networks.

546
MCQ · easy

An organization has an incident response plan that designates a primary and alternate incident response team. During a simulated ransomware attack, the primary team is unavailable. What should the alternate team do FIRST?

A. Contact the primary team members for instructions.
B. Declare a disaster and escalate to senior management.
C. Execute the incident response plan as documented.
D. Assess the situation and then activate the plan.
Answer: D

Assessment first ensures appropriate response based on current conditions.

Why this answer

Option D is correct because the alternate team must first assess the situation to understand the scope, impact, and validity of the ransomware attack before activating the plan. This aligns with the NIST SP 800-61 incident response lifecycle, where detection and analysis precede containment, eradication, and recovery. Jumping directly to execution without assessment could lead to inappropriate response actions, such as isolating systems that are not affected or failing to preserve critical forensic evidence.

Exam trap

The trap here is that candidates often confuse 'activating the plan' with 'executing the plan immediately,' but CISM emphasizes that assessment is a mandatory first step before any plan activation to ensure the response is appropriate for the specific incident.

How to eliminate wrong answers

Option A is wrong because the primary team is unavailable by design in this scenario, and contacting them for instructions would cause unnecessary delay and violate the purpose of having an alternate team. Option B is wrong because declaring a disaster and escalating to senior management is premature; the incident must first be assessed to determine if it meets the disaster declaration criteria, which typically involve significant business impact or data loss. Option C is wrong because executing the incident response plan as documented without first assessing the situation ignores the need to tailor the response to the specific ransomware variant, affected systems, and current network state, which could lead to ineffective or harmful actions.

547
MCQ · easy

Which control framework is structured around Implementation Groups (IG1, IG2, IG3) to help organizations prioritize security controls based on risk?

A. CIS Controls v8
B. COBIT 2019
C. ISO 27001 Annex A
D. NIST SP 800-53
Answer: A

CIS Controls v8 uses IG1 (basic), IG2 (intermediate), and IG3 (advanced) for prioritization.

Why this answer

The CIS Controls v8 framework is uniquely structured around Implementation Groups (IG1, IG2, IG3) to provide a prioritized, risk-based approach to security control implementation. IG1 represents basic cyber hygiene for organizations with limited resources, IG2 adds more advanced controls for those with moderate risk, and IG3 includes comprehensive controls for high-risk environments. This tiered structure directly aligns with the CISM focus on aligning security controls with business risk and resource constraints.

Exam trap

The trap here is that candidates often confuse the CIS Controls Implementation Groups with NIST SP 800-53's impact-based baselines (Low, Moderate, High), but the key distinction is that IG1/IG2/IG3 are risk-prioritized tiers based on organizational resources and threat exposure, not just data impact levels.

How to eliminate wrong answers

Option B (COBIT 2019) is wrong because it is a governance and management framework focused on IT processes and objectives, not a control framework structured around Implementation Groups; it uses a capability maturity model and process reference model instead. Option C (ISO 27001 Annex A) is wrong because it is a list of control objectives and controls for an Information Security Management System (ISMS), but it does not define Implementation Groups; organizations must determine applicability based on their own risk assessment, not a predefined tiered grouping. Option D (NIST SP 800-53) is wrong because it provides a comprehensive catalog of security and privacy controls for federal information systems, organized by control families (e.g., Access Control, Audit and Accountability), not by Implementation Groups; it uses baselines (Low, Moderate, High) but these are impact-based, not risk-prioritized tiers like IG1/IG2/IG3.

548
Multi-Select · medium

Which THREE elements are essential for an effective information security governance framework?

Select 3 answers
A. Clear accountability structure
B. Board or executive oversight
C. Free and open-source security tools
D. Comprehensive security policies
E. Formal risk appetite statement
Answers: A, B, D

Assigning responsibilities ensures governance is implemented.

Why this answer

A clear accountability structure is essential because it defines who is responsible for specific security decisions and actions, ensuring that no critical task falls through the cracks. Without defined roles, security gaps emerge, and incident response becomes chaotic. This aligns with the CISM principle that governance requires unambiguous ownership of security outcomes.

Exam trap

The trap here is that candidates confuse operational tools or risk appetite statements with the foundational governance elements, but CISM specifically tests that governance is about oversight, accountability, and policy—not the tools or risk quantification methods.

549
MCQ · medium

A multinational corporation must comply with both GDPR and CCPA. Which governance approach is most effective?

A. Create a single rigid unified policy applicable everywhere
B. Develop a unified data protection framework with regional adjustments
C. Implement separate compliance programs for each regulation
D. Outsource compliance to a third-party service provider
Answer: B

This approach balances consistency with flexibility to address local regulations.

Why this answer

Option B is correct because a unified data protection framework with regional adjustments allows the organization to maintain consistent governance principles while accommodating specific legal requirements of GDPR (e.g., data subject rights, 72-hour breach notification) and CCPA (e.g., opt-out rights, broader definition of personal information). This approach aligns with the CISM domain of Information Security Governance by enabling scalable, risk-based compliance without duplicating efforts or creating conflicts between policies.

Exam trap

The trap here is that candidates often choose Option C (separate programs) thinking it ensures full compliance, but CISM emphasizes governance efficiency and risk management, where a unified framework with regional adjustments is the most effective approach to avoid duplication and control conflicts.

How to eliminate wrong answers

Option A is wrong because a single rigid unified policy cannot simultaneously satisfy GDPR's strict consent and data portability requirements and CCPA's opt-out and service provider definitions, leading to non-compliance in one or both jurisdictions. Option C is wrong because implementing separate compliance programs for each regulation creates silos, increases operational complexity, and misses opportunities for shared controls (e.g., data mapping, access controls) that could reduce cost and risk. Option D is wrong because outsourcing compliance to a third-party service provider transfers accountability but not liability; the corporation remains ultimately responsible under both GDPR (Article 28) and CCPA (Section 1798.140), and third parties may not have the necessary context for nuanced regional adjustments.

550
Multi-Select · medium

A financial institution is implementing a risk-based approach to prioritize its information security initiatives. The risk manager has completed a risk assessment and identified several risks with varying impact and likelihood. Which TWO of the following are the most important benefits of using the risk assessment results to determine the order of security projects?

Select 2 answers
A. Aligns security spending with business objectives
B. Provides a defensible justification for security investments
C. Eliminates the need for qualitative analysis
D. Ensures compliance with all applicable regulations
E. Reduces the total number of security controls needed
Answers: A, B

Risk assessment results allow projects to be prioritized based on business impact.

Why this answer

Option A is correct because a risk-based approach ensures that security spending is directed toward mitigating the risks that most threaten the institution's critical business objectives, such as protecting customer financial data or ensuring transaction integrity. By prioritizing initiatives based on assessed risk levels, the organization directly links security investments to business value, avoiding waste on low-priority controls.

Exam trap

The trap here is that candidates may confuse the purpose of risk assessment results—which is to prioritize based on business impact—with compliance or control reduction, leading them to select options like D or E that sound plausible but are not primary benefits of a risk-based approach.

551
MCQ · medium

A security manager is designing an executive security report. Which content is most appropriate for a one-page C-suite dashboard?

A. Detailed logs of all security incidents from the past week
B. List of all vulnerabilities found during the last scan
C. Top security risks and key performance indicators with trends
D. Full results of the latest phishing simulation
Answer: C

Provides actionable insight at a strategic level.

Why this answer

C-suite executives need high-level strategic insights, not operational details. Top risks and key metrics (e.g., risk posture, critical incidents) are suitable for a dashboard.

552
MCQ · medium

An organization is updating its security policies. After drafting the policy, which step should occur NEXT?

A. Stakeholder consultation
B. Training and awareness
C. Approval by management
D. Legal review
Answer: D

Legal review is the next logical step.

Why this answer

Legal review ensures the policy complies with applicable laws and regulations before seeking approval.

553
MCQ · hard

A security awareness programme is being evaluated. Which metric BEST indicates a positive security culture?

A. Number of policy violations
B. Percentage of employees who completed training
C. Number of security incidents reported
D. Phishing simulation click rate
Answer: D

Lower click rates indicate better security awareness and culture.

Why this answer

A low click rate on simulated phishing emails indicates that employees are cautious and apply training.

554
MCQ · easy

When implementing security controls, which approach ensures that multiple layers of defense are applied so that if one control fails, others compensate?

A. Business-enabling controls
B. Critical controls first
C. Compensating controls
D. Defense-in-depth
Answer: D

Defense-in-depth uses multiple layers of defense to protect assets.

Why this answer

Defense-in-depth (option D) is the correct approach because it implements multiple, overlapping layers of security controls (e.g., firewalls, IDS/IPS, endpoint protection, access controls) so that if one layer fails or is bypassed, subsequent layers continue to provide protection. This layered strategy reduces the likelihood of a single point of failure compromising the entire security posture, aligning with the CISM principle of risk mitigation through redundancy.

Exam trap

The trap here is that candidates often confuse 'compensating controls' (a specific, alternative control for a single requirement) with the broader 'defense-in-depth' strategy, leading them to select option C when the question asks for the layered approach that ensures compensation across multiple controls.

How to eliminate wrong answers

Option A is wrong because business-enabling controls are designed to support business objectives (e.g., enabling remote access) rather than providing redundant layers of defense; they focus on functionality, not compensating for failures. Option B is wrong because 'critical controls first' refers to prioritizing implementation of the most important controls (e.g., from the CIS Critical Security Controls), but it does not inherently ensure multiple layers or compensation if one fails—it's a prioritization strategy, not a layered defense model. Option C is wrong because compensating controls are specific alternative controls used when a primary control cannot be implemented (e.g., using additional logging instead of encryption), but they are not a comprehensive layered approach; defense-in-depth encompasses multiple layers, including compensating controls as one possible element, not the overarching strategy.

555
MCQ · medium

An organization is implementing a new cloud-based ERP system. Which of the following is the MOST important action for the information security manager to ensure alignment with the organization's risk appetite?

A. Conduct a risk assessment to identify and evaluate risks associated with the cloud deployment.
B. Review the cloud provider's SOC 2 report for compliance with relevant regulations.
C. Negotiate contract terms including data protection clauses with the cloud provider.
D. Develop a detailed access control policy specifically for the cloud ERP system.
Answer: A

A risk assessment directly aligns security measures with risk appetite.

Why this answer

Conducting a risk assessment (A) is the most important action because it directly evaluates the cloud ERP deployment against the organization's risk appetite, identifying, analyzing, and evaluating risks such as data exposure, vendor lock-in, and compliance gaps. This foundational step ensures that subsequent controls, contracts, and policies are aligned with the acceptable level of risk, as defined by the organization's risk tolerance thresholds.

Exam trap

The trap here is that candidates often confuse operational due diligence (like reviewing SOC 2 reports or negotiating contracts) with the strategic governance action of aligning with risk appetite, which must start with a risk assessment to define the baseline for all subsequent decisions.

How to eliminate wrong answers

Option B is wrong because reviewing a SOC 2 report is a due diligence activity that assesses the cloud provider's controls, but it does not inherently align the deployment with the organization's specific risk appetite; it only verifies compliance with predefined criteria. Option C is wrong because negotiating contract terms, while important for legal protection, occurs after risks are identified and does not ensure alignment with risk appetite without a prior risk assessment to inform those terms. Option D is wrong because developing a detailed access control policy is a tactical control implementation that addresses a subset of risks, but it does not provide the strategic alignment with risk appetite that a comprehensive risk assessment achieves.

556
MCQhard

You are the CISM for a mid-sized e-commerce company that processes credit card transactions. The company recently experienced a security incident where an attacker exploited a vulnerability in the web application to gain access to the customer database containing payment card information. The incident response team contained the breach, but the root cause analysis revealed that the vulnerability had been identified in a penetration test six months ago but was not remediated due to competing priorities. The company's risk management framework defines risk appetite as 'moderate' for information security risks. The board is concerned and has asked you to recommend improvements to prevent recurrence. The company has a limited budget and cannot implement all possible controls. Current environment: web application developed in-house, hosted on-premises, with a mix of virtual and physical servers. The security team consists of three people responsible for monitoring, incident response, and vulnerability management. The development team follows an agile methodology with bi-weekly sprints. The company has cyber liability insurance that covers breach response costs up to $2 million. Based on this scenario, what is the most effective course of action?

A.Hire two additional security analysts to improve monitoring and incident response.
B.Implement a formal vulnerability management program with defined remediation SLAs based on risk severity.
C.Increase cyber liability insurance coverage to $5 million to cover potential breach costs.
D.Rewrite the web application using a secure development framework to eliminate vulnerabilities.
AnswerB

This directly addresses the failure to remediate known vulnerabilities, ensuring timely fixes.

Why this answer

Option B is correct because a formal vulnerability management program with defined remediation SLAs directly addresses the root cause: the known vulnerability was not patched due to competing priorities. By tying remediation timelines to risk severity (e.g., critical vulnerabilities patched within 7 days, high within 30 days), the company operationalizes its 'moderate' risk appetite and ensures that penetration test findings are acted upon before they can be exploited. This is the most cost-effective approach given the limited budget, as it leverages existing staff and processes rather than requiring new hires or expensive rewrites.

Exam trap

ISACA often tests the misconception that increasing insurance or hiring more staff is the primary solution to a risk management failure, when in fact the core issue is the lack of a process to enforce remediation of known vulnerabilities within the organization's risk appetite.

How to eliminate wrong answers

Option A is wrong because hiring two additional security analysts improves monitoring and incident response but does not fix the underlying issue of unpatched vulnerabilities; the attacker exploited a known vulnerability that should have been remediated, not a detection gap. Option C is wrong because increasing cyber liability insurance to $5 million only transfers financial risk after a breach; it does not prevent recurrence of the vulnerability exploitation and violates the principle of reducing risk to an acceptable level. Option D is wrong because rewriting the web application using a secure development framework is a long-term, high-cost solution that exceeds the limited budget and does not address the immediate need to remediate existing vulnerabilities; it also ignores the fact that the current application is already in production and needs a process for ongoing vulnerability management.

557
Multi-Selectmedium

A security manager is designing a vulnerability management program. Which TWO of the following are essential processes?

Select 2 answers
A.Immediate patching of all vulnerabilities within 24 hours.
B.Vulnerability disclosure program for external researchers.
C.Penetration testing of all applications annually.
D.Regular vulnerability scanning of all systems.
E.Risk-based prioritization of vulnerabilities for remediation.
AnswersD, E

Scanning identifies vulnerabilities.

Why this answer

Vulnerability management includes regular scanning and a prioritization process to remediate based on risk. Patching is part of remediation, but scanning and prioritization are foundational.

558
MCQhard

An organization's incident response policy requires preserving evidence in its original state. During a live incident on a critical server, the incident response team needs to capture volatile data, such as running processes and network connections, which would be lost if the system were shut down. The team has a forensic workstation with various tools. What tool should the team use to capture the volatile data before taking the system offline?

A.WinHex
B.dd command
C.FTK Imager
D.Memory dump tool (e.g., winpmem)
AnswerD

Memory dump tools are designed to capture volatile data from RAM.

Why this answer

Volatile data from memory is best captured using a dedicated memory acquisition tool like winpmem or similar. FTK Imager and WinHex are primarily for disk imaging. The dd command is used for disk copying, not memory.

Memory dumps capture volatile data.

559
MCQmedium

Which board-level metric is MOST useful for measuring the effectiveness of the incident response process?

A.Mean time to respond (MTTR)
B.Patch compliance percentage
C.Mean time to detect (MTTD)
D.Number of security incidents
AnswerA

MTTR indicates how quickly the organization responds to incidents.

Why this answer

Mean time to respond (MTTR) directly measures how quickly incidents are contained and remediated.

560
MCQeasy

Which role is primarily responsible for developing and maintaining the organization's security architecture?

A.Security Analyst
B.GRC Analyst
C.Security Architect
D.Penetration Tester
AnswerC

The Security Architect designs security structures and ensures they align with business needs.

Why this answer

The security architect designs and oversees the implementation of security architecture.

561
MCQmedium

A company is implementing a new security program. The CISO wants to ensure alignment with business objectives. Which approach is best?

A.Implement technical controls
B.Develop policies based on industry standards
C.Perform a risk assessment
D.Use the COBIT framework
AnswerD

COBIT is designed for governance and alignment of IT with business objectives.

Why this answer

The COBIT framework (Control Objectives for Information and Related Technologies) is specifically designed to bridge the gap between IT governance and business goals, providing a comprehensive set of controls and processes that align security program objectives with enterprise strategy. Unlike other options, COBIT directly addresses governance, risk management, and performance measurement in a way that ensures the security program supports business objectives rather than operating in isolation.

Exam trap

The trap here is that candidates often choose 'Perform a risk assessment' (Option C) because risk assessment is a foundational security activity, but the question asks for the 'best approach' to ensure alignment with business objectives, which requires a governance framework like COBIT that systematically links risk management to strategy, not just a one-time assessment.

How to eliminate wrong answers

Option A is wrong because implementing technical controls without first understanding business objectives and risk appetite can lead to misaligned security measures that either over-constrain operations or leave critical assets unprotected. Option B is wrong because developing policies based solely on industry standards (e.g., ISO 27001, NIST) may achieve compliance but does not inherently ensure alignment with the company's specific business goals, strategic priorities, or risk tolerance. Option C is wrong because performing a risk assessment is a critical input to alignment but is a tactical activity, not a governance framework; it identifies risks but does not provide the structured governance mechanisms to continuously align security program decisions with business objectives.

562
MCQmedium

A security operations center analyst receives an alert from the SIEM indicating a possible data exfiltration. The analyst is unsure if it is a true positive. What is the MOST appropriate action?

A.Review additional logs to confirm
B.Escalate to the incident response manager
C.Immediately block the source IP
D.Quarantine the affected system
AnswerA

Reviewing additional logs provides context and helps confirm whether the alert represents a true incident.

Why this answer

Option A is correct because the analyst must first validate the alert by reviewing additional logs (e.g., firewall, proxy, DNS, or endpoint logs) to confirm whether the SIEM alert represents a true positive. Jumping to containment or escalation without confirmation risks unnecessary disruption and false alarms, which violates the incident response principle of 'verify before acting.' The SIEM may have triggered on a benign pattern (e.g., a large file transfer to a trusted cloud service), and only correlated log analysis can establish intent and context.

Exam trap

The trap here is that candidates confuse 'immediate containment' (a later step in incident response) with 'initial validation,' leading them to choose a disruptive action like blocking or quarantining before confirming the alert is a true positive.

How to eliminate wrong answers

Option B is wrong because escalating to the incident response manager without first confirming the alert is premature; escalation should occur only after the analyst has validated the alert as a true positive and gathered initial evidence. Option C is wrong because immediately blocking the source IP could disrupt legitimate business operations if the alert is a false positive, and it destroys forensic evidence (e.g., netflow data, active connections) needed for further analysis. Option D is wrong because quarantining the affected system is a containment action that should only be taken after confirming malicious activity; premature quarantine can cause unnecessary downtime and may not be appropriate for a potential false positive.

563
Multi-Selectmedium

Which TWO actions are essential during the detection and analysis phase of incident response?

Select 2 answers
A.Notify law enforcement
B.Disconnect affected systems
C.Determine the scope of the incident
D.Rebuild systems
E.Identify indicators of compromise (IOCs)
AnswersC, E

Correct: Scope assessment is essential to understand impact.

Why this answer

Determining the scope of the incident (C) is essential during the detection and analysis phase because it defines the boundaries of the compromise—identifying which systems, data, and users are affected. This step is critical for prioritizing response actions and preventing the incident from spreading further. Without scope determination, subsequent containment and eradication efforts may be misdirected or incomplete.

Exam trap

Cisco often tests the distinction between phases of the incident response lifecycle (NIST SP 800-61), and the trap here is confusing containment actions (like disconnecting systems) with detection and analysis actions, leading candidates to select Option B instead of focusing on scope determination and IOC identification.

564
MCQeasy

Which of the following is an example of an external stakeholder that should be included in the incident response plan's vendor contacts list?

A.Chief Information Security Officer
B.Incident response manager
C.External legal counsel
D.Board of directors
AnswerC

External legal counsel is a vendor contact often needed during incidents.

Why this answer

Third-party contacts such as legal firms, forensic investigators, PR agencies, and insurance providers are essential for incident response. Internal contacts are separate.

565
MCQhard

A security manager is evaluating OKRs for the vulnerability management team. Which key result best aligns with an objective to reduce risk from vulnerabilities?

A.Conduct quarterly penetration tests
B.Achieve 95% scan coverage of assets
C.Reduce mean time to remediate critical vulnerabilities by 30%
D.Increase the number of scans by 20%
AnswerC

Directly measures improvement in reducing vulnerability exposure.

Why this answer

Mean time to remediate critical vulnerabilities directly measures risk reduction, as faster remediation lowers exposure.

566
Multi-Selectmedium

A CISO is building a business case for a new security tool. Which TWO metrics would BEST justify the investment to senior leadership?

Select 2 answers
A.Compliance cost avoidance
B.Breach cost avoidance
C.Mean time to respond (MTTR) improvements
D.Phishing simulation click rate
E.Number of vulnerabilities discovered
AnswersA, B

Shows how the tool reduces costs related to regulatory compliance (e.g., fines, audits).

Why this answer

Senior leadership cares about financial impact. Breach cost avoidance and compliance cost avoidance directly demonstrate value by reducing potential losses.

567
MCQmedium

An organization is implementing a third-party risk management (TPRM) program. Which approach best addresses nth-party risk?

A.Requiring that key vendors include security requirements in contracts with their subcontractors
B.Performing on-site audits of all third parties
C.Accepting the risk since it is outside the organization's control
D.Conducting annual assessments of all direct vendors only
AnswerA

Cascading requirements help mitigate nth-party risk.

Why this answer

Nth-party risk refers to risks from suppliers of your suppliers. Contractual requirements that cascade down the supply chain are essential to manage this risk.

568
MCQeasy

What is the first step in the security policy development lifecycle?

A.Gap analysis
B.Legal review
C.Drafting the policy
D.Stakeholder consultation
AnswerA

Correct: Identifies needs first.

Why this answer

Gap analysis identifies missing or inadequate controls before drafting new policies.

569
MCQmedium

A company's incident response team is handling a confirmed ransomware infection that has encrypted files on several servers. The IT director requests that the team immediately restore data from backups to minimize downtime. However, the team suspects that the backup repository may also be compromised because the attacker had administrative credentials. What is the BEST course of action?

A.Proceed with restoration from the most recent backup to restore operations quickly.
B.Rebuild the servers from scratch and restore from an offline backup taken before the compromise.
C.First, clean the backup repository and verify integrity before restoring to prevent re-infection.
D.Engage law enforcement before any restoration activities.
AnswerB

This ensures no malware is reintroduced and the backup is trusted.

Why this answer

Option B is correct because restoring from an offline backup taken before the compromise ensures that the restored data is free of the ransomware and that the backup itself was not encrypted or tampered with. Since the attacker had administrative credentials, any online backup repository could have been accessed and compromised, making offline backups the only trustworthy source. This approach also eliminates the risk of re-infection by rebuilding the servers from scratch, ensuring no residual malware remains.

Exam trap

The trap here is that candidates may assume a backup repository can be cleaned or verified as safe, overlooking that an attacker with administrative credentials could have compromised the backup system itself, making offline backups the only reliable recovery source.

How to eliminate wrong answers

Option A is wrong because restoring from the most recent backup, even if it appears intact, risks re-infection if the backup repository was accessed by the attacker using administrative credentials; the ransomware may have encrypted or corrupted the backup files, or the backup may contain the initial infection vector. Option C is wrong because cleaning the backup repository and verifying integrity before restoration is insufficient if the attacker had administrative credentials—they could have planted persistent malware or altered backup metadata, and cleaning does not guarantee the repository is free of compromise; offline backups are the only safe source. Option D is wrong because engaging law enforcement before restoration is not the immediate priority; while notification may be required, delaying restoration increases downtime and business impact, and law enforcement typically does not prohibit restoration from offline backups.

570
MCQhard

During a risk assessment, a security manager discovers that the residual risk after implementing planned controls is still above the risk appetite threshold. What should the manager do NEXT?

A.Implement additional controls immediately
B.Document the risk as accepted
C.Escalate the residual risk to senior management
D.Reassess the risk using a different methodology
AnswerC

Why this answer

When residual risk exceeds the risk appetite threshold after planned controls, the security manager cannot simply accept or ignore it; the risk must be escalated to senior management because they hold the authority to decide whether to accept the risk, allocate additional budget for further controls, or adjust the risk appetite. This aligns with the CISM domain of Information Security Risk Management, where risk acceptance is a management decision, not an operational one.

Exam trap

The trap here is that candidates confuse operational risk acceptance (which a manager can do for low risks) with management-level risk acceptance required when residual risk exceeds the appetite threshold, leading them to incorrectly choose Option B.

Why the other options are wrong

A

While additional controls may be an option, the immediate next step is to escalate and get a decision.

B

Acceptance requires authorization from management, not unilateral action by the security manager.

D

Changing methodology may give different numbers but doesn't address the underlying issue.

571
MCQeasy

After a security incident, which step should be taken first?

A.Recovery
B.Lessons learned
C.Containment
D.Eradication
AnswerC

Correct: Immediate containment stops the incident from spreading.

Why this answer

In incident management, containment is the immediate priority after detection because it stops the spread of the threat and limits damage. Without containment, the attacker may continue to move laterally, exfiltrate data, or destroy evidence, making recovery and eradication ineffective. CISM emphasizes that containment must precede eradication and recovery to preserve forensic integrity and reduce business impact.

Exam trap

Cisco often tests the misconception that eradication or recovery should come first because candidates confuse the urgency of removing the threat with the logical sequence of incident response phases.

How to eliminate wrong answers

Option A is wrong because recovery (restoring systems to normal operation) cannot safely occur until the threat is contained and eradicated; attempting recovery first risks re-infection or further damage. Option B is wrong because lessons learned is a post-incident review activity that occurs after containment, eradication, and recovery are complete, not as the first step. Option D is wrong because eradication (removing malware, closing backdoors) requires containment first to ensure the attacker cannot re-enter or cause additional harm during the removal process.

572
MCQhard

After implementing controls, the residual risk is calculated to be at a level that slightly exceeds the risk appetite. The business owner argues that the cost of further mitigation outweighs the benefit. What is the most appropriate action for the risk manager?

A.Transfer the risk through insurance
B.Accept the residual risk as a business decision
C.Document the risk and escalate to senior management for acceptance
D.Implement additional controls regardless of cost
AnswerC

Formal escalation ensures informed decision-making and proper risk acceptance.

Why this answer

The risk manager should document the risk and escalate to senior management for formal acceptance. Acceptance requires approval at an appropriate level. Simply accepting without documentation is not proper.

Implementing controls regardless of cost ignores cost-benefit. Transferring via insurance does not address residual risk that already exceeds appetite.

573
MCQeasy

Based on the incident response policy exhibit, which phase should include notifying external stakeholders such as law enforcement?

A.Recovery
B.Post-Incident
C.Detection
D.Containment
AnswerB

Post-incident includes reporting and lessons learned, which may involve external notifications.

Why this answer

B is correct because the post-incident phase is the appropriate time to notify external stakeholders such as law enforcement, as it occurs after containment and eradication are complete. During this phase, the incident is fully documented, evidence is preserved, and legal obligations (e.g., breach notification laws like GDPR Article 33 or HIPAA Breach Notification Rule) are fulfilled. Notifying law enforcement earlier could compromise forensic integrity or operational continuity, so it is deliberately deferred to the post-incident stage.

Exam trap

ISACA often tests the misconception that law enforcement must be notified immediately upon detection, but the correct timing is after containment and eradication to avoid compromising evidence and operational response.

How to eliminate wrong answers

Option A is wrong because the recovery phase focuses on restoring systems to normal operations, not on external notifications; law enforcement involvement would disrupt recovery efforts. Option C is wrong because the detection phase is about identifying potential incidents via alerts (e.g., from SIEM or IDS), not about stakeholder communication; premature notification could lead to false alarms. Option D is wrong because the containment phase aims to isolate the incident to prevent further damage (e.g., via network segmentation or host isolation), and involving law enforcement at this stage could interfere with rapid containment actions.

574
MCQeasy

During an incident investigation, the incident response team needs to collect volatile data from a compromised server. Which of the following data should be collected FIRST?

A.Contents of system memory (RAM)
B.Network connection logs from the firewall
C.Contents of the hard drive
D.Event logs from the system
AnswerA

Memory is the most volatile and should be captured first.

Why this answer

Volatile data, such as the contents of system memory (RAM), is lost when the system is powered off. Collecting RAM first preserves evidence of running processes, network connections, and encryption keys that would otherwise be destroyed. This follows the order of volatility (RFC 3227), which mandates capturing the most volatile data first.

Exam trap

The trap here is that candidates often prioritize persistent data like hard drive contents or logs, mistakenly thinking they are more important, but the order of volatility dictates that transient data in RAM must be captured first to avoid permanent loss.

How to eliminate wrong answers

Option B is wrong because network connection logs from the firewall are non-volatile and stored on a separate device, so they can be collected later without risk of loss. Option C is wrong because the contents of the hard drive are non-volatile and can be imaged after the system is powered down, but collecting it first would risk overwriting volatile data in RAM. Option D is wrong because event logs from the system are stored on the hard drive and are non-volatile; they can be collected after volatile data has been captured.

575
MCQeasy

Which governance model is characterized by a single, centralized security team that serves the entire organization?

A.Centralized
B.Federated
C.Decentralized
D.Hybrid
AnswerA

Correct: Single team serves entire organization.

Why this answer

Centralized governance consolidates security resources and authority under one team, ensuring consistent policy enforcement and streamlined management.

576
Multi-Selecteasy

Which TWO of the following are primary objectives of information security governance? (Choose two.)

Select 2 answers
A.Eliminate all information security risks.
B.Align security strategy with business goals.
C.Maximize profitability through security investments.
D.Ensure accountability for security decisions.
E.Achieve compliance with all applicable regulations.
AnswersB, D

Core objective of governance.

Why this answer

Option B is correct because information security governance's primary objective is to ensure that security strategy is aligned with business goals, enabling the organization to protect assets while supporting its mission. This alignment is achieved through governance frameworks like COBIT or ISO 38500, which mandate that security investments and controls are directly tied to business objectives, not isolated technical measures.

Exam trap

The trap here is that candidates confuse compliance (Option E) with governance, but CISM emphasizes that governance is about strategic alignment and accountability, not just meeting regulatory checklists, which is a common misconception in exam questions.

577
Multi-Selecteasy

A security architect is selecting controls for an e-commerce platform. Which TWO of the following are examples of compensating controls?

Select 2 answers
A.Implementing multi-factor authentication when strong passwords cannot be enforced.
B.Encrypting all data at rest.
C.Deploying a web application firewall (WAF) to protect against SQL injection.
D.Conducting quarterly vulnerability scans.
E.Using network segmentation to isolate a legacy system that cannot be patched.
AnswersA, E

MFA compensates for weak password policies.

Why this answer

Compensating controls are alternative measures that provide equivalent protection when a primary control cannot be implemented. Multi-factor authentication can compensate for weak passwords, and enhanced monitoring can compensate for missing patches on legacy systems.

578
MCQmedium

Which of the following best describes the primary purpose of a security program's governance framework?

A.To implement technical security controls
B.To provide oversight and alignment with business objectives
C.To conduct vulnerability assessments
D.To manage security incidents
AnswerB

Why this answer

The primary purpose of a security program's governance framework is to provide oversight and ensure that security activities are aligned with business objectives, risk appetite, and regulatory requirements. It establishes the policies, roles, and accountability structures that guide decision-making, rather than directly executing technical tasks. This alignment is critical for the program to be sustainable and supported by executive management.

Exam trap

The trap here is that candidates confuse the governance framework with the operational security program itself, mistakenly selecting a tactical activity (like implementing controls or managing incidents) instead of recognizing that governance is the strategic oversight layer that directs and constrains those activities.

Why the other options are wrong

A

Technical controls are operational, not governance.

C

Vulnerability assessments are part of ongoing operations.

D

Incident management is a process within the program.

579
MCQhard

A CISO is preparing the security budget for the next fiscal year. The current IT budget is $10 million. For a mature security program, what is the recommended security budget range?

A.$500,000 to $750,000
B.$1 million to $1.5 million
C.$100,000 to $200,000
D.$2 million to $3 million
AnswerB

Correct. 10-15% of $10 million is $1-1.5 million.

Why this answer

Best practice for a mature security program is to allocate 10-15% of the IT budget to security. For a $10 million IT budget, that is $1 million to $1.5 million.

580
MCQmedium

When an incident cannot be resolved within the maximum tolerable downtime (MTD), what is the appropriate action regarding business continuity and disaster recovery (BC/DR)?

A.Ignore the MTD and focus solely on incident eradication
B.Continue incident response until full recovery
C.Declare a disaster immediately without further analysis
D.Escalate to the BC/DR team for possible activation of continuity plans
AnswerD

This triggers BC/DR processes to protect business operations.

Why this answer

If the MTD is at risk, the incident response team should escalate to BC/DR to activate continuity or recovery plans. This ensures business functions are restored.

581
Multi-Selecthard

Which TWO of the following are key roles on the crisis management team (CMT) for a major cybersecurity incident? (Select two.)

Select 2 answers
A.Chief Information Security Officer (CISO)
B.Security analyst
C.Chief Executive Officer (CEO)
D.Help desk manager
E.Network administrator
AnswersA, C

CISO leads the technical response and advises on security matters.

Why this answer

The CMT typically includes the CEO and CISO, among others, to make strategic decisions.

582
MCQeasy

Which of the following is the most significant risk in this architecture?

A.Segmentation of network zones
B.Admin access via VPN and jump host
C.Use of TLS 1.3 for encryption
D.Direct SQL authentication from application server to database
AnswerD

If the app server is compromised, the database can be accessed directly.

Why this answer

Direct SQL authentication from the application server to the database bypasses any centralized authentication or service account management, creating a single point of failure for credential compromise. If the application server is breached, an attacker can extract hardcoded or stored database credentials and gain unfettered access to the database, leading to potential data exfiltration or destruction. This risk is magnified because direct SQL authentication often uses static, long-lived credentials without the layered controls (e.g., MFA, session auditing) that would be present in a more robust authentication path.

Exam trap

The trap here is that candidates often mistake a common security control (like TLS 1.3 or VPN) for a risk, or they fail to recognize that direct SQL authentication is a dangerous architectural flaw that bypasses all centralized authentication and authorization controls.

How to eliminate wrong answers

Option A is wrong because segmentation of network zones is a security control that reduces risk by isolating traffic and limiting lateral movement; it is not a risk but a mitigation. Option B is wrong because admin access via VPN and jump host is a standard, secure practice that enforces encrypted tunnels and a controlled bastion host, reducing the attack surface for administrative actions. Option C is wrong because use of TLS 1.3 for encryption is a strong, modern cryptographic protocol that provides confidentiality and integrity for data in transit; it is a security enhancement, not a risk.

583
Multi-Selecthard

A financial services firm is subject to SOX, PCI DSS, and GDPR. The CISO needs to implement a regulatory change management process. Which THREE steps are essential?

Select 3 answers
A.Assess impact on existing controls
B.Immediately enforce all changes regardless of cost
C.Outsource compliance to a single vendor
D.Monitor regulatory updates from authorities
E.Update policies and controls accordingly
AnswersA, D, E

Determines required adjustments.

Why this answer

Monitoring regulatory changes, assessing impact, and updating controls are critical to maintaining compliance.

584
MCQhard

After a data breach, the CISO is updating the incident response plan. Which of the following is MOST critical to include?

A.Communication templates for stakeholders
B.Technical forensic procedures
C.Root cause analysis methodology
D.Legal hold instructions for data preservation
AnswerA

Effective communication is vital to control damage and meet legal obligations.

Why this answer

After a data breach, the incident response plan must prioritize clear, consistent communication to manage stakeholder expectations, regulatory notifications, and legal repercussions. Communication templates ensure that notifications to customers, regulators, and executives are accurate, timely, and compliant with breach notification laws (e.g., GDPR Article 33, state-specific 72-hour requirements). Without predefined templates, the response team risks delays or inconsistent messaging, which can exacerbate reputational damage and legal liability.

Exam trap

The CISM exam often tests the distinction between strategic plan components (like communication templates) and tactical/operational details (like forensic procedures or root cause analysis), tempting candidates to choose a technically detailed option that is not the most critical for the plan's immediate post-breach effectiveness.

How to eliminate wrong answers

Option B is wrong because technical forensic procedures are operational details typically documented in a separate forensic playbook or standard operating procedure, not in the high-level incident response plan; the plan should reference the need for forensics but not include the step-by-step commands or tools. Option C is wrong because root cause analysis methodology is part of the post-incident review phase, not the immediate response phase; including it in the plan would clutter the critical response steps and delay time-sensitive actions. Option D is wrong because legal hold instructions are a legal process managed by the legal team and are typically covered in a data preservation policy or legal hold notice, not in the incident response plan itself; the plan should note the requirement to preserve evidence but not the detailed hold instructions.

585
MCQmedium

A security manager is conducting a risk assessment for a new cloud-based system. The system will store sensitive customer data. Which of the following should be the FIRST step in the risk assessment process?

A.Select appropriate security controls
B.Conduct vulnerability scanning
C.Identify potential threat sources
D.Identify and classify information assets
AnswerD

Asset identification is foundational to any risk assessment.

Why this answer

In the risk assessment process, the first step is to identify and classify information assets because you cannot assess risks to assets you haven't identified. For a cloud-based system storing sensitive customer data, this means cataloging data types (e.g., PII, financial records), their locations (e.g., specific cloud storage buckets), and their classification levels (e.g., confidential, restricted) before any threat or vulnerability analysis can be meaningfully performed.

Exam trap

The trap here is that candidates often confuse the order of risk assessment steps, mistakenly thinking that identifying threats (Option C) comes first because threats are the 'active' element, but CISM emphasizes that asset identification is the foundational step that drives all subsequent analysis.

How to eliminate wrong answers

Option A is wrong because selecting security controls is a risk treatment step that occurs after risks have been assessed and prioritized, not at the beginning of the assessment. Option B is wrong because vulnerability scanning is a technical activity that identifies weaknesses in existing systems, but it cannot be effectively scoped or targeted without first knowing which assets are in scope and their classification. Option C is wrong because while identifying threat sources is important, it logically follows asset identification; you must know what assets you are protecting before you can determine which threats are relevant to those specific assets.

586
MCQhard

An incident response team is dealing with a persistent threat that uses fileless malware. Which containment strategy is most effective?

A.Isolate affected endpoints from the network while preserving memory
B.Disable user accounts
C.Block known malicious IPs
D.Reimage all endpoints
AnswerA

Correct: Contains the threat and preserves forensic data.

Why this answer

Isolating affected endpoints preserves volatile memory evidence needed to analyze fileless malware.

587
MCQhard

During a merger, the acquiring company's security program must integrate with the target company's program. What is the HIGHEST priority action?

A.Consolidate all security tools
B.Conduct a comprehensive risk assessment of the target
C.Merge the security teams into one reporting structure
D.Standardize security policies immediately
AnswerB

Risk assessment provides the basis for all integration decisions.

Why this answer

Option B is correct because a comprehensive risk assessment of the target company's environment identifies integration risks and informs the integration plan. Option A is premature without understanding those risks. Options C and D are tactical steps that should follow the risk assessment.

588
MCQeasy

Which of the following is the PRIMARY purpose of a security program's key performance indicators (KPIs)?

A.To ensure compliance with regulations
B.To assign accountability to individuals
C.To track the budget for security initiatives
D.To measure the effectiveness of security controls
AnswerD

KPIs provide quantifiable measures of control performance and program outcomes.

Why this answer

KPIs are designed to provide measurable evidence of how well the security program is achieving its objectives, specifically by quantifying the effectiveness of security controls. For example, a KPI like 'mean time to detect (MTTD)' directly measures the performance of detection controls, enabling data-driven decisions on control improvements. This aligns with the CISM focus on governance and performance management, not just compliance or budgeting.

Exam trap

The trap here is that candidates often confuse KPIs with compliance metrics or operational tasks, mistakenly thinking the primary purpose is to ensure regulatory adherence rather than to measure and improve the effectiveness of security controls.

How to eliminate wrong answers

Option A is wrong because compliance with regulations is a baseline requirement, not the primary purpose of KPIs; KPIs measure performance beyond mere compliance, such as control effectiveness. Option B is wrong because assigning accountability is a function of roles and responsibilities within the governance structure, not a direct purpose of KPIs, which are metrics, not assignment tools. Option C is wrong because tracking the budget for security initiatives is a financial management activity, typically measured by cost-related metrics (e.g., cost per incident), not the primary purpose of KPIs, which focus on operational and strategic effectiveness.

589
Multi-Selectmedium

A CISO is designing a security metrics program for the board. Which TWO metrics are MOST appropriate for board-level reporting?

Select 2 answers
A.Phishing simulation click rate
B.Average patch deployment time
C.Number of firewall rules
D.Security investment vs. loss avoidance
E.Mean time to respond (MTTR)
AnswersD, E

Demonstrates financial ROI.

Why this answer

Mean time to respond (MTTR) and security investment vs. loss avoidance are strategic metrics that inform risk management and resource allocation.

590
Multi-Selecteasy

Which TWO of the following are typically considered key components of an information security governance framework?

Select 2 answers
A.Adoption of a formal risk management process
B.Scheduling of regular penetration tests
C.Establishment of a performance measurement system
D.Development of a detailed incident response plan
E.Implementation of specific technical controls
AnswersA, C

Risk management is a foundational governance component.

Why this answer

Correct: A and C. A formal risk management process (A) is core to governance, and a performance measurement system (C) ensures governance effectiveness. Option B (penetration testing schedule) is a tactic, not a governance component; D (detailed incident response plan) is operational; E (specific technical controls) is too narrow.

591
MCQhard

During an audit, it was found that the organization's information security policy is not being followed by business units. Which of the following is the MOST effective way for the information security manager to improve compliance?

A.Establish a policy review committee with business unit representatives to align policy with operational needs.
B.Provide additional security awareness training focused on policy requirements.
C.Escalate non-compliance to senior management for disciplinary action.
D.Increase the frequency of automated policy compliance checks.
AnswerA

Involving stakeholders increases buy-in and practical compliance.

Why this answer

The most effective way to improve compliance is to align the policy with operational realities by involving business unit representatives in a policy review committee. When policies conflict with business processes, users will bypass them; adjusting the policy to be both secure and practical increases voluntary adherence. This addresses the root cause—policy misalignment—rather than treating symptoms like lack of awareness or enforcement.

Exam trap

The trap here is that candidates often choose awareness training (B) as a quick fix, but CISM emphasizes that non-compliance due to policy misalignment requires policy revision, not just more training or enforcement.

How to eliminate wrong answers

Option B is wrong because additional awareness training assumes the non-compliance stems from ignorance, but the audit found the policy is not being followed despite likely existing training; the core issue is policy impracticality, not lack of knowledge. Option C is wrong because escalating non-compliance for disciplinary action treats the symptom (violations) without fixing the underlying policy that may be unworkable, and it can damage trust and reduce reporting of genuine issues. Option D is wrong because increasing automated compliance checks only detects violations more frequently but does not address why business units are not following the policy; it may even increase friction and shadow IT if the policy remains misaligned.

592
MCQeasy

Which of the following is the PRIMARY purpose of an information security risk assessment?

A.To eliminate all identified risks
B.To identify and evaluate risks in terms of likelihood and impact
C.To comply with regulatory requirements
D.To assign blame for security incidents
AnswerB

Why this answer

The primary purpose of an information security risk assessment is to identify and evaluate risks in terms of their likelihood and impact. This process enables an organization to prioritize risks and determine appropriate risk treatment options, such as mitigation, transfer, acceptance, or avoidance, based on a clear understanding of the risk landscape. Without this evaluation, any subsequent risk management decisions would lack a defensible basis.

Exam trap

The trap here is that candidates often confuse the purpose of a risk assessment with the purpose of risk treatment or compliance, leading them to select 'comply with regulatory requirements' as the primary purpose, when in fact compliance is a secondary benefit, not the core objective.

How to eliminate wrong answers

Option A is wrong because eliminating all risks is impractical and not the primary purpose; risk assessment informs risk treatment decisions. Option C is wrong because compliance may be a driver but is not the primary purpose; the core is informed decision-making. Option D is wrong because risk assessment is proactive, not punitive.

593
MCQmedium

After a merger, two companies with different security cultures are being integrated. What is the BEST approach for the information security manager to achieve a unified governance structure?

A.Implement a regulatory framework as the baseline
B.Maintain separate frameworks until a natural convergence occurs
C.Adopt the security framework of the acquiring company
D.Develop a new framework incorporating strengths from both companies
AnswerD

Fosters buy-in and leverages existing capabilities.

Why this answer

Option D is correct because merging two distinct security cultures requires a deliberate, collaborative approach that leverages the best practices from both organizations. Developing a new framework that incorporates strengths from both companies ensures buy-in from stakeholders and creates a unified governance structure that is tailored to the combined entity's risk profile, rather than imposing one side's culture or waiting for an uncertain natural convergence.

Exam trap

The trap here is that candidates often assume the acquiring company's framework should dominate (Option C) due to organizational hierarchy, but CISM emphasizes that effective governance requires cultural integration and stakeholder alignment, not unilateral imposition.

How to eliminate wrong answers

Option A is wrong because implementing a regulatory framework as the baseline (e.g., ISO 27001 or NIST CSF) provides a compliance foundation but does not address the cultural integration or operational differences between the two companies, potentially leading to resistance or gaps in governance. Option B is wrong because maintaining separate frameworks until a natural convergence occurs is passive and risky; it prolongs security inconsistencies, creates blind spots in oversight, and fails to establish a unified governance structure in a timely manner. Option C is wrong because adopting the security framework of the acquiring company ignores the acquired company's existing controls and cultural strengths, which can cause friction, loss of institutional knowledge, and non-compliance with legacy requirements.

594
MCQhard

A large financial institution is updating its information security program to align with a new regulatory framework. The program currently has a decentralized governance model. Which of the following is the MOST significant risk of maintaining a decentralized model?

A.Slower incident response
B.Inconsistent security levels across business units
C.Higher cost of compliance
D.Duplication of controls
AnswerB

Inconsistency can create security gaps and regulatory non-compliance.

Why this answer

Option B is correct because decentralized governance leads to inconsistent security levels across business units, which is a major regulatory and risk concern. Option A (slower incident response) is possible but less critical. Option C (higher cost of compliance) is a consequence of inconsistency rather than the fundamental risk. Option D (duplication of controls) is inefficient, but inconsistent security is the more fundamental problem.

595
Multi-Selecteasy

Which TWO components are essential for an effective information security governance framework?

Select 2 answers
A.Implementation of an intrusion detection system
B.Detailed technical configuration guides
C.Board-level oversight of security programs
D.Alignment of security program with business objectives
E.Daily threat intelligence feeds
AnswersC, D

Governance requires board accountability and oversight to ensure security is prioritized.

Why this answer

Board-level oversight and alignment with business objectives are foundational to governance, ensuring security is integrated into organizational strategy.

596
Multi-Selecteasy

Which TWO of the following are primary goals of the containment phase in incident response? (Select TWO)

Select 2 answers
A.Restore normal business operations
B.Eradicate the root cause of the incident
C.Preserve evidence for legal proceedings
D.Prevent the incident from spreading to other systems
E.Limit the scope and impact of the incident
AnswersD, E

Containment includes isolating affected systems to prevent spread.

Why this answer

Correct: Preventing spread to other systems (D) and limiting the scope and impact (E) are containment goals. Eradication (B) is a separate phase. Preserving evidence (C) is important but not the primary goal of containment, and restoring operations (A) belongs to recovery.

597
MCQmedium

In a defence-in-depth strategy, which control is considered a compensating control when a critical application cannot be patched immediately due to operational constraints?

A.Configuration management
B.Intrusion detection system (IDS)
C.Network segmentation
D.Vulnerability scanning
AnswerC

Segmenting the vulnerable application restricts access and reduces risk while patching is delayed.

Why this answer

Compensating controls provide alternative protection when a primary control cannot be applied. Network segmentation limits the blast radius and reduces the attack surface until patching can occur.

598
MCQeasy

What is the primary purpose of a vulnerability management program?

A.To enforce access control policies
B.To detect and respond to security incidents
C.To manage third-party security risks
D.To identify, assess, and remediate security weaknesses in systems
AnswerD

This is the core function of vulnerability management.

Why this answer

Vulnerability management aims to identify, classify, and remediate vulnerabilities to reduce the attack surface.

599
MCQmedium

A security manager is designing a metrics dashboard for executive management. Which of the following metrics is MOST useful for demonstrating the value of the security program?

A.Percentage of budget spent on security
B.Number of security patches applied
C.Number of security policies created
D.Mean time to detect incidents
AnswerD

MTTD measures the program's effectiveness in identifying threats, demonstrating proactive value.

Why this answer

Option D is correct because mean time to detect incidents directly reflects the program's ability to identify threats, which is a key value indicator. Option A is budget-related. Option B is operational. Option C is an output, not an outcome.

600
MCQeasy

You are the CISO of a mid-sized manufacturing company. The company has grown rapidly through acquisitions, and each subsidiary has its own information security program. There is no centralized governance, and recent security incidents have occurred due to inconsistent policies. The board has asked you to create a unified information security program that balances flexibility with control. Each subsidiary has unique operational processes and varying levels of security maturity. You have limited budget and cannot replace all local security teams. Which approach should you take?

A.Immediately mandate compliance with a new enterprise-wide security policy.
B.Develop a minimum security standard (MSS) and a phased implementation roadmap based on risk.
C.Centralize all security operations and disband local teams.
D.Adopt the most mature subsidiary's program as the enterprise standard.
AnswerB

Provides baseline while allowing flexibility and phased adoption.

Why this answer

Option B is correct because developing a minimum security standard (MSS) with a phased roadmap allows each subsidiary to implement controls based on risk while providing a common baseline. Option A (mandate immediate compliance) ignores varying maturity levels and can cause resistance. Option C (centralize all security operations and disband local teams) is costly and disruptive. Option D (adopt the most mature subsidiary's program) may not fit the other subsidiaries.
