Certified Information Security Manager CISM (CISM) — Questions 601–675

896 questions total · 12 pages · All types, answers revealed

Page 9 of 12

601
Multi-Select (easy)

Which TWO of the following are examples of key risk indicators (KRIs) for cybersecurity risk?

Select 2 answers
A. Time to patch critical vulnerabilities
B. Number of successful phishing simulations
C. Number of vendors with SOC 2 reports
D. Number of unresolved security incidents
E. Percentage of employees completing security training
Answers: A, D

Patch latency is a key indicator of vulnerability risk.

Why this answer

Option A is correct because the time to patch critical vulnerabilities directly measures the organization's exposure window to known exploits, which is a leading indicator of cybersecurity risk. A longer patch time increases the likelihood of a successful attack, making it a key risk indicator (KRI) for vulnerability management.

Exam trap

The trap here is that candidates often confuse KRIs with KPIs, selecting metrics like training completion or phishing simulation results because they seem risk-related, but KRIs must directly measure the likelihood or impact of a risk event, not the performance of a control.

602
MCQ (easy)

Based on the exhibit, what is the PRIMARY risk of the automated response policy as configured?

A. Blocking the IP may be ineffective against dynamic IPs
B. The SOC manager may not receive notifications in time
C. Automatic approval may cause unnecessary disruption on false positives
D. The trigger severity is too low
Answer: C

Without manual validation, false positives can lead to business impact.

Why this answer

Option C is correct because an automated response policy that approves blocking actions without human validation can trigger unnecessary disruption when false positives occur. Even if the severity threshold is appropriate, the lack of a verification step means legitimate traffic may be blocked, impacting business operations. The primary risk is not the effectiveness of the block but the operational impact of automated decisions on benign events.

Exam trap

The trap here is that candidates focus on the technical effectiveness of the block (dynamic IPs) or the severity threshold, rather than recognizing that the automated approval itself—without human-in-the-loop—is the primary risk, as it can cause business disruption from false positives.

How to eliminate wrong answers

Option A is wrong because dynamic IPs are a secondary concern; the primary risk is false positives causing disruption, not the block's effectiveness against IP rotation. Option B is wrong because the SOC manager's notification timing is a procedural issue, not the primary risk of the automated response policy itself. Option D is wrong because the trigger severity being too low could increase false positives, but the core risk is the automatic approval mechanism, not the severity threshold—adjusting severity does not eliminate the risk of false positives causing disruption.

603
MCQ (medium)

Which of the following is the FIRST step in the security policy development lifecycle?

A. Gap analysis
B. Legal review
C. Approval
D. Stakeholder consultation
Answer: A

Gap analysis identifies what policies are needed.

Why this answer

The lifecycle begins with gap analysis to identify missing or outdated policies before drafting or approval.

604
MCQ (hard)

Refer to the exhibit. A security analyst reviews the ACL on the organization's border router. Based on the exhibit, which of the following is the MOST significant governance concern?

A. The ACL is applied to the outbound interface, which is ineffective for blocking inbound attacks.
B. The ACL does not include filtering for outbound traffic, which may allow spoofed internal IPs to exit the network.
C. The ACL permits any traffic after denying specific IP ranges, creating a security gap.
D. The ACL permits all traffic from private IP addresses, which could allow internal IP spoofing.
Answer: B

Outbound filtering (ingress filtering) is missing, which is a governance oversight.

Why this answer

Option B is correct because the ACL shown only filters inbound traffic on the border router's external interface. Without an outbound ACL (or an inbound ACL on the internal interface), spoofed packets with internal source IP addresses can exit the network, enabling IP spoofing attacks that bypass anti-spoofing best practices (RFC 2827, BCP 38). This is a governance concern as it violates the principle of preventing source address spoofing, which is a fundamental security control for network perimeter defense.

Exam trap

The trap here is that candidates focus on the inbound ACL's content (denying private IPs) and miss the governance issue of missing outbound anti-spoofing controls, which is a classic CISM governance concern about policy compliance rather than just ACL syntax.

How to eliminate wrong answers

Option A is wrong because applying the ACL to the outbound interface is not inherently ineffective; the exhibit shows the ACL is applied inbound on the external interface, which is standard for filtering inbound traffic. Option C is wrong because the ACL explicitly denies specific IP ranges before permitting any traffic, which is a standard implicit deny at the end of an ACL; the 'permit any' after denies does not create a security gap if the denies are correctly placed. Option D is wrong because the ACL does not permit all traffic from private IP addresses; it denies specific private ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and permits any other traffic, which is correct for inbound filtering but does not address outbound spoofing.

605
MCQ (medium)

During the identification phase of incident response, which of the following is the MOST reliable indicator of a security incident?

A. A network administrator notices unusual traffic patterns.
B. An employee reports slow computer performance.
C. A vendor sends a vulnerability disclosure.
D. Antivirus software detects a known malware signature.
Answer: D

Direct evidence of malware infection.

Why this answer

Antivirus software detecting a known malware signature is the most reliable indicator because it uses signature-based detection, which matches file hashes or byte sequences against a known database of malicious code. This provides definitive, automated evidence of a security incident with minimal false positives, unlike subjective or ambiguous observations.

Exam trap

The trap here is that candidates may confuse 'reliability' with 'timeliness' or 'breadth,' choosing ambiguous indicators like unusual traffic patterns because they seem proactive, while overlooking that definitive, automated detection (antivirus signature match) provides the highest confidence for confirming an incident.

How to eliminate wrong answers

Option A is wrong because unusual traffic patterns are subjective and can result from legitimate activities like large file transfers or misconfigurations, requiring further analysis to confirm an incident. Option B is wrong because slow computer performance is a common symptom of many non-security issues such as resource exhaustion, disk fragmentation, or outdated hardware, and is not a reliable indicator of compromise. Option C is wrong because a vendor vulnerability disclosure describes a potential weakness that may not have been exploited yet; it indicates a risk, not an active security incident.

606
MCQ (hard)

A security manager is developing metrics for the C-suite dashboard. Which combination of metrics would provide the best view of security program effectiveness, including both leading and lagging indicators?

A. Breach count and number of security tools deployed
B. Phishing click rate and mean time to detect (MTTD)
C. Patch compliance and number of vulnerabilities identified
D. Number of security incidents and percentage of budget spent
Answer: B

Phishing click rate is a leading indicator of user awareness; MTTD is a lagging indicator of detection capability.

Why this answer

A balanced scorecard includes leading indicators (like patch compliance) and lagging indicators (like MTTD) to provide a comprehensive view.

607
MCQ (medium)

A company's incident response team is conducting a tabletop exercise. They are discussing the steps after containment to prevent recurrence. The facilitator asks: 'What is the MOST important next step after containing an incident?' The team considers several options.

A. Identify the root cause of the incident
B. Update the incident response plan with lessons learned
C. Forensically image all affected systems
D. Notify law enforcement about the incident
Answer: A

Root cause analysis is essential to prevent recurrence by addressing the underlying vulnerability or process gap.

Why this answer

After containment, the most critical step is identifying the root cause to understand how the incident occurred and to implement effective remediation measures. Without root cause analysis, the organization cannot ensure that the same vulnerability or attack vector will not be exploited again, making containment temporary at best. This aligns with the NIST SP 800-61 incident response lifecycle, which places eradication and recovery after containment, driven by root cause identification.

Exam trap

Cisco often tests the misconception that 'lessons learned' or 'plan updates' are the immediate next step after containment, but the CISM framework emphasizes that root cause analysis must precede any plan updates to ensure the changes address the actual vulnerability.

How to eliminate wrong answers

Option B is wrong because updating the incident response plan with lessons learned is a post-incident activity that occurs after the full investigation, eradication, and recovery phases are complete, not immediately after containment. Option C is wrong because forensic imaging is a step taken during the investigation phase to preserve evidence, but it is not the 'most important next step' after containment; root cause analysis is the priority to prevent recurrence. Option D is wrong because notifying law enforcement is a discretionary legal or regulatory step that may be taken after the incident is fully understood and evidence is preserved, but it does not directly address preventing recurrence of the incident.

608
MCQ (hard)

A CISO is developing a multi-year security roadmap. Which approach best ensures the roadmap aligns with business strategy?

A. Prioritize initiatives based on security team capacity
B. Align security initiatives with the organization's strategic business objectives
C. Base the roadmap on the latest industry threat intelligence
D. Create the roadmap based on compliance requirements only
Answer: B

Direct alignment ensures that security supports the business.

Why this answer

Roadmaps should be derived from business objectives to ensure relevance and executive support.

609
MCQ (medium)

An organization has a decentralized governance model where each business unit manages its own security team. The CISO reports to the CIO. Which of the following is the GREATEST risk associated with this structure?

A. Difficulty in achieving economies of scale for security operations
B. Lack of skilled security personnel in some business units
C. Increased cost due to duplication of security tools
D. Inconsistent enforcement of security policies across business units
Answer: D

Decentralized structures often lead to varying levels of security maturity and policy adherence, creating gaps that attackers can exploit.

Why this answer

In a decentralized model, inconsistent security practices across business units can lead to gaps in protection and difficulty in enforcing enterprise-wide standards.

610
MCQ (medium)

A CISO is evaluating a cloud provider's security posture. Which of the following should be the MOST important consideration in the vendor risk assessment?

A. The provider's certifications and SOC 2 reports
B. The provider's data center locations
C. The provider's market share and brand reputation
D. The provider's pricing compared to competitors
Answer: A

Independent audits validate security measures.

Why this answer

The provider's certifications and independent audits provide objective evidence of security controls, which is critical for trust.

611
Multi-Select (easy)

Which THREE of the following are typically included in an information security program budget?

Select 3 answers
A. Incident response retainer
B. Security awareness training materials
C. Vulnerability assessment tools
D. Marketing and advertising campaigns
E. Employee salaries
Answers: A, B, C

External service costs are part of the program budget.

Why this answer

Options A, B, and C are correct as they are common security program costs. Option D is wrong as marketing is generally not security-related. Option E is wrong as employee salaries are operational expenses that are typically budgeted separately.

612
MCQ (hard)

A financial institution is designing its information security governance to comply with multiple regulations. The board has limited risk appetite. Which approach BEST ensures effective governance while minimizing conflict?

A. Assign different compliance teams for each regulation
B. Implement a harmonized control framework that maps to all regulations
C. Adopt a single regulatory framework and ignore others
D. Create separate governance committees for each regulation
Answer: B

Streamlines compliance and reduces duplication.

Why this answer

A harmonized control framework (e.g., ISO 27001, NIST CSF) maps common controls across multiple regulations (e.g., GDPR, PCI DSS, SOX), reducing duplication and conflict. This aligns with the board's limited risk appetite by providing a single, consistent set of controls that satisfy all requirements, avoiding the inefficiency and potential gaps of siloed approaches.

Exam trap

The trap here is that candidates may think separate teams or committees provide deeper specialization, but CISM emphasizes that governance must be integrated and risk-aligned, not fragmented, to avoid control conflicts and inefficiencies.

How to eliminate wrong answers

Option A is wrong because assigning different compliance teams for each regulation creates silos, leading to duplicated effort, inconsistent control application, and increased risk of conflicting interpretations. Option C is wrong because adopting a single regulatory framework and ignoring others violates legal obligations, exposing the institution to fines and audit failures. Option D is wrong because separate governance committees for each regulation fragment oversight, causing coordination overhead and potential policy conflicts that undermine a unified risk posture.

613
Multi-Select (hard)

Which THREE are valid sources for threat intelligence that can be used during incident response? (Choose three.)

Select 3 answers
A. Social media posts from employees
B. Industry information sharing groups
C. Vendor vulnerability databases
D. Open-source intelligence (OSINT)
E. Internal network traffic logs
Answers: B, C, D

Information sharing groups (e.g., ISACs) provide curated threat intelligence from peer organizations.

Why this answer

Industry information sharing groups (Option B) are a valid source of threat intelligence because they provide curated, actionable data on emerging threats, indicators of compromise (IOCs), and attack patterns from peer organizations. This intelligence is directly applicable during incident response to identify known adversary tactics, techniques, and procedures (TTPs) and to correlate findings with ongoing incidents.

Exam trap

Cisco often tests the distinction between operational data (logs) and external threat intelligence, leading candidates to incorrectly select internal logs as a threat intelligence source instead of recognizing them as evidence for detection and analysis.

614
MCQ (hard)

During a policy exception review, the CISO identifies that multiple exceptions have been granted for the same control due to business constraints. What is the best course of action?

A. Revise the policy to accommodate the business need
B. Escalate to the board for approval
C. Increase monitoring of excepted systems
D. Reject all future exceptions for that control
Answer: A

Correct: Revising policy addresses root cause.

Why this answer

Addressing root causes reduces reliance on exceptions and strengthens the security posture.

615
MCQ (easy)

Refer to the exhibit. A security manager notices that several contractors have been granted access to a financial system without documented exceptions. Based on the policy, what is the most likely governance deficiency?

A. The policy does not specify quarterly review of access rights.
B. The data owner did not approve the exceptions.
C. Contractors should not have any access to financial systems.
D. Lack of documentation for approved exceptions.
Answer: D

The policy requires documented exceptions, which are missing.

Why this answer

Option D is correct because the policy requires documented exceptions for any access granted outside standard provisioning rules. The security manager observed that contractors had access without such documentation, which directly violates the governance requirement for maintaining an audit trail of approved exceptions. Without this documentation, the organization cannot demonstrate that access was properly authorized, creating a compliance gap.

Exam trap

The trap here is that candidates may focus on who approved the access (Option B) rather than recognizing that the core governance deficiency is the lack of documentation for approved exceptions, which is a distinct control requirement.

How to eliminate wrong answers

Option A is wrong because the policy does not necessarily require quarterly reviews; the deficiency is specifically about undocumented exceptions, not the frequency of access reviews. Option B is wrong because the data owner may have approved the exceptions, but the failure to document them is the governance deficiency; approval without documentation still violates policy. Option C is wrong because contractors can be granted access to financial systems if exceptions are properly documented and approved; the policy does not categorically prohibit contractor access.

616
MCQ (hard)

An organization is designing a third-party risk management (TPRM) program. They have identified a vendor that stores sensitive customer data. According to best practices, what should be the minimum requirement for this vendor's contract?

A. Vendor's insurance certificate
B. Annual self-assessment questionnaire only
C. Contractual security requirements and right to audit
D. SOC 2 Type II report without contractual clauses
Answer: C

Correct. Contracts should include security requirements and audit rights for high-risk vendors.

Why this answer

For vendors handling sensitive customer data, the contract must include security requirements such as data protection clauses, incident notification timelines, and the right to audit. This ensures contractual enforceability of security controls.

617
Multi-Select (medium)

An information security manager is implementing a risk management program. Which TWO of the following activities should be performed as part of the risk assessment process?

Select 2 answers
A. Determining acceptable risk levels
B. Analyzing threats and vulnerabilities
C. Monitoring incident response plans
D. Evaluating the effectiveness of existing controls
E. Selecting controls to mitigate risks
Answers: B, D

This is a core activity in risk identification and analysis.

Why this answer

Option B is correct because analyzing threats and vulnerabilities is a core step in the risk assessment process, as defined by the NIST SP 800-30 and ISO 31000 frameworks. This activity identifies potential threat sources and existing vulnerabilities that could be exploited, enabling the calculation of likelihood and impact for risk scenarios.

Exam trap

The trap here is confusing risk assessment (identify/analyze) with risk treatment (select controls) or risk evaluation (set acceptable levels), leading candidates to pick A or E instead of focusing on the core assessment activities B and D.

618
Multi-Select (hard)

A company is designing a third-party risk management (TPRM) program. Which THREE of the following are essential components of the ongoing monitoring phase for a critical vendor?

Select 3 answers
A. Annual reassessment of the vendor's security controls
B. Contractual requirement for data encryption
C. Periodic review of vendor's security certifications (e.g., SOC 2)
D. One-time onboarding risk assessment
E. Continuous monitoring of vendor's external attack surface
Answers: A, C, E

Annual reassessment is part of the ongoing monitoring cycle.

Why this answer

Ongoing monitoring includes continuous assessment of the vendor's security posture. Annual reassessment is part of the cycle, but ongoing monitoring also includes more frequent checks. Contractual requirements are set during onboarding and are not monitored on an ongoing basis. Exit procedures apply to termination.

619
Multi-Select (medium)

Which THREE of the following are essential components of an information security governance framework?

Select 3 answers
A. A process for conducting security incident response.
B. Implementation of technical security controls such as firewalls.
C. Strategic alignment of security with business objectives.
D. Defined roles and responsibilities for security management.
E. Performance measurement and reporting mechanisms.
Answers: C, D, E

Governance ensures security supports business goals.

Why this answer

Strategic alignment of security with business objectives (Option C) is essential because an information security governance framework must ensure that security initiatives directly support and enable the organization's mission and goals. Without this alignment, security becomes a siloed cost center rather than a strategic enabler, leading to misallocated resources and reduced executive sponsorship. This principle is foundational to the CISM governance domain, where security is viewed as a business function, not just a technical discipline.

Exam trap

ISACA often tests the distinction between governance (strategic oversight) and management (operational execution), and the trap here is that candidates confuse operational processes like incident response or technical controls with governance framework components, leading them to select A or B instead of the correct strategic elements.

620
MCQ (easy)

Which of the following is the FIRST step when engaging an external forensics firm for an incident?

A. Activate the forensic retainer agreement
B. Provide evidence to the firm
C. Define the scope of work
D. Sign a non-disclosure agreement
Answer: A

A pre-signed retainer allows immediate activation.

Why this answer

Having a pre-existing retainer agreement reduces time to engage and ensures terms are already in place.

621
MCQ (medium)

Which of the following is the BEST metric for the board to assess the security program's effectiveness in detecting threats?

A. Patch compliance percentage
B. Number of security incidents
C. Phishing simulation click rate
D. Mean time to detect (MTTD)
Answer: D

MTTD is a standard detection metric.

Why this answer

Mean time to detect (MTTD) directly measures the speed of threat detection, a key indicator of detection capability.

622
MCQ (medium)

An organization selects a control to mitigate a risk, but after implementation, the risk level remains unchanged. What should the risk manager do first?

A. Increase the control strength
B. Re-assess the risk and control effectiveness
C. Report to senior management
D. Accept the risk as residual
Answer: B

Reassessment is necessary to understand the gap.

Why this answer

When a control is implemented but the risk level remains unchanged, the risk manager must first re-assess the risk and control effectiveness to determine why the control failed to reduce the risk. This aligns with the CISM risk management process, which mandates that controls be evaluated for proper design and operation before any escalation or acceptance decisions are made. Without this re-assessment, the organization cannot know whether the control is misconfigured, insufficient, or simply not addressing the correct threat vector.

Exam trap

The trap here is that candidates mistakenly jump to 'increase control strength' (Option A) because they assume the control is simply too weak, rather than first verifying whether the control is actually functioning or correctly designed to address the specific risk.

How to eliminate wrong answers

Option A is wrong because increasing control strength without first understanding why the current control is ineffective could waste resources and may not address the root cause, such as a misconfiguration or incorrect threat model. Option C is wrong because reporting to senior management should occur only after the risk manager has performed a re-assessment and has a clear picture of the control failure and its implications. Option D is wrong because accepting the risk as residual is premature; the risk manager must first verify whether the control can be adjusted or replaced before deciding to accept an unchanged risk level.

623
MCQ (hard)

A multinational corporation is designing a global information security program. Which governance structure best ensures consistent security while allowing regional flexibility?

A. Outsource security governance to a managed security service provider (MSSP).
B. Fully centralized security governance with global standards enforced uniformly.
C. Federated governance: global standards with local implementation and oversight.
D. Fully decentralized security governance, each region independent.
Answer: C

Provides consistency while allowing adaptations for local regulations and culture.

Why this answer

Federated governance (Option C) is the correct choice because it establishes a global security framework with mandatory standards (e.g., ISO 27001 controls, encryption baselines like AES-256) while delegating implementation and oversight to regional units. This structure balances consistency with local legal requirements (e.g., GDPR in Europe, PIPL in China) and operational needs, avoiding the rigidity of full centralization or the fragmentation of full decentralization.

Exam trap

The trap here is that candidates often confuse 'federated governance' with 'decentralized governance' (Option D), failing to recognize that federated models enforce a mandatory global baseline while permitting local adaptation, whereas decentralized models lack any central authority or consistent standards.

How to eliminate wrong answers

Option A is wrong because outsourcing security governance to an MSSP abdicates strategic control and does not inherently provide a structure for consistent global standards with regional flexibility; MSSPs typically execute operational tasks (e.g., SIEM monitoring) rather than define governance frameworks. Option B is wrong because fully centralized governance with uniform enforcement ignores regional legal variations (e.g., data residency laws) and local risk appetites, leading to non-compliance or operational friction. Option D is wrong because fully decentralized governance creates inconsistent security postures, making it impossible to enforce global baselines (e.g., minimum encryption standards or incident response timelines) and increasing overall risk exposure.

624
MCQ (medium)

An organization is designing a security operations center (SOC). Which of the following functions is PRIMARILY responsible for analyzing alerts and determining if they represent genuine threats?

A. SOC Manager
B. Security Architect
C. Incident Responder
D. Security Analyst
Answer: D

Analysts analyze alerts and escalate incidents.

Why this answer

Security analysts are responsible for alert triage and investigation.

625
MCQ (medium)

Which board-level committee typically receives security reports to provide oversight?

A. Nominating committee
B. Compensation committee
C. Audit/risk committee
D. Finance committee
Answer: C

Correct: Oversees risk and controls.

Why this answer

The audit/risk committee is responsible for oversight of risk management and control, including security.

626
MCQ (hard)

Following a credential compromise incident, the incident response team is conducting root cause analysis using the 5 Whys technique. The first 'why' reveals that the password was weak. The second 'why' reveals that the password policy allowed simple passwords. What should be the focus of the third 'why'?

A. Why the password policy allowed weak passwords
B. Why the intrusion was not detected earlier
C. Why the user had access to the compromised system
D. Why the user chose a weak password
Answer: A

This leads to the process failure that allowed the weak policy.

Why this answer

Root cause analysis should continue to identify why the password policy was not enforced or why it was inadequate, which is a process failure.

627
MCQ (hard)

A multinational corporation is designing its information security program and must decide how to balance security with business agility. The company operates in highly regulated industries with varying legal requirements. Which of the following approaches BEST aligns with industry best practices for such an environment?

A. Implement the strictest regulatory requirements globally to ensure compliance everywhere.
B. Adopt a baseline of controls that meet the lowest common denominator of all regulations.
C. Develop a risk-based framework that allows for tailored controls based on local risk assessments.
D. Allow each business unit to define its own security controls based on local requirements.
Answer: C

A risk-based approach provides flexibility while ensuring that controls are appropriate for the risks.

Why this answer

Option C is correct because a risk-based framework, such as ISO 27001 or NIST SP 800-53, allows the organization to establish a baseline of controls while tailoring them to address specific local legal requirements and risk profiles. This approach balances security and business agility by avoiding unnecessary overhead from overly strict global mandates while ensuring that critical regulatory obligations are met through localized risk assessments.

Exam trap

The trap here is that candidates often confuse 'strictest globally' (Option A) with 'best practice' due to a desire for simplicity, but CISM emphasizes that a risk-based approach is the only method that effectively balances compliance, security, and business agility in a multi-regulatory environment.

How to eliminate wrong answers

Option A is wrong because implementing the strictest regulatory requirements globally (e.g., GDPR's data protection rules applied in jurisdictions with less stringent laws) can introduce excessive operational friction, reduce business agility, and may conflict with local laws that permit different practices. Option B is wrong because adopting a baseline that meets the lowest common denominator of all regulations (e.g., only complying with the weakest privacy law) would leave the organization non-compliant with stricter regulations like GDPR or HIPAA, exposing it to significant legal and financial penalties. Option D is wrong because allowing each business unit to define its own security controls based on local requirements without a centralized governance framework leads to inconsistent security postures, gaps in coverage, and increased risk of regulatory non-compliance across the multinational enterprise.

628
MCQ (hard)

A security manager needs to justify an increase in the security budget to the board. The current budget is 0.15% of revenue. Which approach would most effectively demonstrate the need for additional funding?

A. Compare the budget to last year's spending and note the increase in threats.
B. Present a cost-benefit analysis showing how additional investment reduces breach probability and potential loss.
C. Highlight recent high-profile breaches in the industry.
D. Show that the budget is below the industry benchmark of 0.2-0.5% of revenue and detail the risks of underfunding.
Answer: D

Using industry benchmarks and risk implications provides a clear, objective justification.

Why this answer

Benchmarking against industry standards (0.2-0.5% of revenue) and showing the gap provides a compelling case.

629
MCQeasy

Which of the following is a LEADING indicator of security performance?

A.Cost of a data breach
B.Mean time to detect (MTTD)
C.Number of security incidents
D.Patch compliance percentage
AnswerD

Patch compliance is a leading indicator of vulnerability management effectiveness.

Why this answer

Leading indicators predict future performance; patch compliance measures proactive risk reduction.

630
MCQhard

An organization has just recovered from a ransomware attack and restored systems from backups. Before returning to normal operations, what is the MOST important step?

A.Update the incident response plan.
B.Test the restored systems to ensure functionality and security.
C.Notify stakeholders.
D.Conduct a root cause analysis.
AnswerB

Critical to confirm no residual malware or misconfiguration.

Why this answer

After recovering from a ransomware attack and restoring systems from backups, the most critical step is to test the restored systems for both functionality and security. This ensures that the backups are clean (free of malware), that system integrity is verified, and that no residual threats remain before returning to normal operations. Without this validation, the organization risks re-infection or operational failures that could undermine the entire recovery effort.

Exam trap

The trap here is that candidates often confuse the urgency of stakeholder notification or root cause analysis with the immediate operational necessity of validating system integrity and security before resuming business operations.

How to eliminate wrong answers

Option A is wrong because updating the incident response plan is a post-incident improvement activity that should occur after the immediate threat is neutralized and systems are verified, not before returning to operations. Option C is wrong because notifying stakeholders is important but secondary to ensuring the restored environment is safe and functional; premature notification could cause confusion if systems fail or are re-infected. Option D is wrong because conducting a root cause analysis is a forensic and process improvement step that follows stabilization and validation, and it does not directly confirm that the restored systems are secure and operational.

631
MCQmedium

A company is implementing an information security program. Which of the following is the PRIMARY reason to align the program with business objectives?

A.To ensure regulatory compliance
B.To improve technical controls
C.To reduce overall security costs
D.To gain management buy-in and support
AnswerD

Aligning with business objectives demonstrates value, securing management commitment.

Why this answer

Option D is correct because alignment with business objectives helps secure management support and ensures the program addresses real business risks. Option C is wrong because cost reduction is a benefit, not the primary reason. Option A is wrong because compliance is a component, but alignment drives broader support. Option B is wrong because technical improvement is not the primary driver.

632
Multi-Selecthard

Which THREE of the following are essential components of an incident response plan? (Select exactly 3)

Select 3 answers
A.A list of all software licenses in the organization
B.Annual budget for security tools
C.Communication plan for internal and external stakeholders
D.Roles and responsibilities of the incident response team
E.Step-by-step procedures for handling different types of incidents
AnswersC, D, E

Communication is critical during incidents.

Why this answer

A communication plan is essential because it defines how the incident response team will coordinate internally and notify external stakeholders such as regulators, law enforcement, customers, and the media. Without a predefined communication plan, critical updates may be delayed or mishandled, leading to regulatory penalties or reputational damage. This aligns with NIST SP 800-61 and CISM best practices for incident management.

Exam trap

ISACA often tests the distinction between operational incident response components (roles, procedures, communication) and supporting organizational artifacts (licenses, budgets) that are not part of the actual response plan.

633
Multi-Selecteasy

Which THREE elements are typically included in a security governance charter?

Select 3 answers
A.Budget authority
B.Incident response procedures
C.Roles and responsibilities
D.Reporting structure
E.Technical architecture diagrams
AnswersA, C, D

Governance includes resource allocation power.

Why this answer

Budget authority is a fundamental element of a security governance charter because it establishes the financial resources and spending power necessary to implement and maintain the security program. The charter must define who has the authority to approve security-related expenditures, ensuring that governance bodies can enforce policies and fund initiatives without organizational friction.

Exam trap

The trap here is that candidates confuse operational documents (incident response procedures) or technical artifacts (architecture diagrams) with governance-level charter elements, which must only include high-level authority, roles, and reporting structures.

634
MCQmedium

An organization wants to establish a security champions program. What is the primary benefit of embedding security advocates in development teams?

A.Eliminating the need for vulnerability assessments
B.Replacing the role of security architects
C.Improving secure coding adoption and collaboration
D.Reducing the need for a SOC
AnswerC

Champions advocate for security and help integrate it into development.

Why this answer

Security champions serve as liaisons, promoting security practices and facilitating communication between security and development teams.

635
MCQmedium

During incident response, a team discovers that a phishing email successfully compromised a user's credentials. Which containment strategy would BEST limit further damage?

A.Disable the user account
B.Restore the user's system from a backup
C.Block the sender's IP address at the firewall
D.Change all user passwords
AnswerA

Disabling the account effectively blocks the attacker's current access and prevents further actions using that identity.

Why this answer

Disabling the user account immediately stops any ongoing misuse of the compromised credentials, preventing the attacker from accessing additional resources. Option A is correct.

636
MCQhard

An organization has experienced a ransomware attack that has encrypted critical servers. The incident response team is unable to contain the incident within the maximum tolerable downtime (MTD). Who has the authority to declare a disaster and activate the business continuity plan?

A.The incident response manager
B.The chief executive officer (CEO) or designated crisis management team
C.The business continuity manager
D.The chief information security officer (CISO)
AnswerB

The CEO or CMT usually has authority to activate BC/DR.

Why this answer

The BC/DR plan typically specifies a designated authority, such as the CEO or a crisis management team, to declare a disaster when MTD is breached.

637
MCQmedium

In a Capability Maturity Model (CMM) for information security processes, which level is characterized by processes being measured and controlled?

A.Level 5 (Optimizing)
B.Level 2 (Repeatable)
C.Level 4 (Managed)
D.Level 3 (Defined)
AnswerC

Level 4 uses metrics and statistical control to manage processes.

Why this answer

Level 4 (Managed) involves quantitative measurement and control of processes.

638
MCQeasy

Which incident category typically involves an employee intentionally or accidentally causing harm to the organization's information systems?

A.Data breach
B.DDoS
C.Ransomware
D.Insider threat
AnswerD

This category specifically covers threats from within the organization.

Why this answer

An insider threat is the correct category because it specifically involves harm caused by individuals within the organization, whether through malicious intent (e.g., data exfiltration, sabotage) or accidental actions (e.g., misconfiguration, phishing click). This aligns with the CISM definition of insider threats as incidents originating from employees, contractors, or trusted partners who have authorized access to information systems.

Exam trap

ISACA often tests the distinction between the incident category (who or what caused it) and the incident type or outcome. Candidates may confuse 'insider threat' with 'data breach' because a data breach can be caused by an insider, but the question asks for the category defined by the employee's action.

How to eliminate wrong answers

Option A is wrong because a data breach is the outcome or result of an incident (e.g., unauthorized access or disclosure of data), not the category of the actor or cause; it does not specify whether the source is internal or external. Option B is wrong because a DDoS (Distributed Denial of Service) attack is an external, volumetric network attack that overwhelms system resources, typically launched from botnets, not from an employee's intentional or accidental actions. Option C is wrong because ransomware is a type of malware that encrypts files for extortion, usually delivered via external phishing or exploit kits, and does not inherently involve an employee's direct action causing harm to systems.

639
MCQmedium

During a P1 (critical) incident, the incident response manager is coordinating response activities. Who is primarily responsible for activating the crisis management team (CMT)?

A.The communications lead
B.The legal counsel
C.The incident response manager
D.The CEO of the organization
AnswerC

The IR manager assesses the severity and activates the CMT when the incident is critical (P1).

Why this answer

The crisis management team is typically activated by the incident response manager or a designated authority when an incident has major business impact. The CMT includes senior executives such as the CEO, CFO, CISO, general counsel (GC), and the communications lead.

640
MCQmedium

A SOC analyst receives an alert about a potential malware infection on a critical server. Which step should the analyst take FIRST?

A.Reboot the server to clear the potential malware
B.Notify the incident response team and escalate
C.Disconnect the server from the network immediately
D.Perform initial triage to verify the alert and assess severity
AnswerD

Triage confirms the alert and guides next steps.

Why this answer

The first step in incident response is to investigate and confirm the alert (triage) to avoid acting on false positives.

641
MCQeasy

A security analyst detects unusual outbound traffic from a critical server to an unknown external IP address during business hours. Which step should be taken FIRST in the incident response process?

A.Notify law enforcement about the potential breach
B.Isolate the server from the network immediately
C.Contact the server owner to verify the traffic
D.Report the incident to senior management
AnswerC

Verifying with the server owner confirms whether the traffic is authorized, a crucial first step.

Why this answer

Option C is correct because the first step in incident response is to verify and validate the alert. Contacting the server owner to confirm whether the outbound traffic is authorized prevents unnecessary disruption and false positives. This aligns with the NIST SP 800-61 incident response lifecycle, where identification and initial triage precede containment or escalation.

Exam trap

The trap here is that candidates often choose immediate containment (Option B) due to urgency, but CISM emphasizes that verification must precede containment to avoid false positives and operational impact.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is a late-stage step that occurs only after the incident is confirmed and evidence is preserved; premature notification can compromise investigation and violate chain-of-custody protocols. Option B is wrong because immediately isolating the server without verification risks disrupting legitimate business operations and may destroy volatile evidence (e.g., active network connections, memory artifacts) needed for forensic analysis. Option D is wrong because reporting to senior management is a notification step that should follow confirmation of a genuine incident, not precede initial triage and validation.

642
MCQeasy

Which of the following is the PRIMARY purpose of conducting a lessons learned meeting after an incident?

A.To assign blame for the incident.
B.To determine the financial impact of the incident.
C.To document the incident for regulatory reporting.
D.To update the incident response plan and playbooks based on findings.
AnswerD

The goal is to improve future response by updating plans and procedures.

Why this answer

Lessons learned meetings are designed to identify strengths and weaknesses in the incident response process and to implement improvements.

643
Multi-Selecteasy

Which THREE of the following are key components of an incident response plan?

Select 3 answers
A.List of external contacts (law enforcement, legal, etc.).
B.Annual budget for cybersecurity tools.
C.Communication templates for internal and external stakeholders.
D.Detailed step-by-step procedures for each incident type.
E.Identification of incident response team members and roles.
AnswersA, C, E

Needed for escalation and notification.

Why this answer

Option A is correct because an incident response plan must include a list of external contacts such as law enforcement, legal counsel, and regulatory bodies. This ensures that when a security incident occurs, the organization can quickly notify the appropriate authorities and comply with legal and regulatory requirements, such as breach notification laws under GDPR or HIPAA.

Exam trap

The trap here is that candidates often mistake operational or financial elements (like budgets or overly detailed procedures) for core components of the incident response plan, when the exam focuses on the plan's structural and communication elements as defined by CISM's Incident Management domain.

644
MCQeasy

A risk assessment identifies that the organization's email system has a high likelihood of phishing attacks. The current controls include spam filtering and user awareness training. What should the organization do NEXT to manage this risk effectively?

A.Accept the risk as it is already controlled
B.Evaluate the residual risk and decide on additional controls
C.Transfer the risk to a cyber insurance provider
D.Conduct another round of user awareness training
AnswerB

The organization should assess whether current controls reduce risk to an acceptable level and implement further measures if needed.

Why this answer

After implementing initial controls (spam filtering and user awareness training), the organization must evaluate the residual risk—the risk that remains after controls are applied. This step is required by the CISM risk management process to determine whether the residual risk level is acceptable or if additional controls are needed. Option B correctly follows the risk assessment lifecycle: identify risk, apply controls, assess residual risk, then decide on further action.

Exam trap

The trap here is that candidates assume existing controls are sufficient and jump to acceptance (Option A) or repeat training (Option D), without recognizing that the CISM process mandates a formal residual risk evaluation before any risk response decision.

How to eliminate wrong answers

Option A is wrong because accepting risk without evaluating residual risk violates the CISM risk management process; acceptance is only appropriate after confirming that residual risk is within the organization's risk appetite. Option C is wrong because transferring risk to a cyber insurance provider does not reduce the likelihood or impact of phishing attacks; it only provides financial compensation after a loss, and is not a next step before evaluating residual risk. Option D is wrong because conducting another round of user awareness training without first evaluating residual risk is premature; the effectiveness of the existing training must be measured to determine if additional training is necessary.

645
Multi-Selecthard

Which TWO of the following are key performance indicators (KPIs) that demonstrate the effectiveness of a security awareness program?

Select 2 answers
A.Percentage of employees who correctly identify a phishing email in simulations
B.Number of employees who report suspicious emails
C.Frequency of phishing simulation tests
D.Number of training sessions completed per quarter
E.Reduction in the number of security incidents caused by human error
AnswersA, E

Directly measures knowledge retention.

Why this answer

Option A is correct because the percentage of employees who correctly identify a phishing email in simulations directly measures the behavioral outcome of the awareness program. A high detection rate indicates that employees are applying the training to recognize social engineering tactics, such as spoofed sender addresses or malicious links, which is a key performance indicator (KPI) for program effectiveness.

Exam trap

The trap here is that candidates often confuse activity metrics (e.g., number of training sessions or test frequency) with outcome-based KPIs, leading them to select options like C or D instead of focusing on behavioral change and incident reduction.

646
MCQhard

A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?

A.Implement strict access controls and encryption for all data.
B.Establish a risk appetite framework that defines acceptable risk levels for innovation initiatives.
C.Adopt a 'security by design' approach for all new projects.
D.Create a separate innovation sandbox with limited data access.
AnswerB

Enables informed decision-making balancing innovation and security.

Why this answer

A risk appetite framework (Option B) is the correct governance approach because it explicitly defines the level of risk the organization is willing to accept in pursuit of innovation, allowing the board to balance patient data protection with strategic growth. This framework provides a decision-making boundary for security controls, ensuring that innovation initiatives are not stifled by overly restrictive measures while still maintaining compliance with healthcare regulations like HIPAA and HITECH.

Exam trap

The trap here is that candidates often confuse tactical security controls (like encryption or sandboxes) with governance frameworks, failing to recognize that only a risk appetite framework provides the strategic balance between innovation and protection required by the board's mandate.

How to eliminate wrong answers

Option A is wrong because implementing strict access controls and encryption for all data is a tactical control measure, not a governance framework; it fails to address the board's mandate to support innovation, as blanket restrictions can hinder agile development and data sharing required for new healthcare technologies. Option C is wrong because adopting a 'security by design' approach for all new projects is a best practice for secure development, but it does not provide a governance-level mechanism to balance risk and innovation; it focuses on implementation rather than strategic risk acceptance. Option D is wrong because creating a separate innovation sandbox with limited data access is an operational tactic that isolates risk but does not establish a governance framework for the entire organization; it avoids the core issue of defining acceptable risk levels across all initiatives and may lead to shadow IT if not governed properly.

647
MCQmedium

Your organization is a multinational corporation with a hybrid cloud infrastructure, including on-premises data centers and AWS, Azure, and GCP environments. You have a distributed incident response team and a central SIEM that aggregates logs from all sources. You are the incident manager on duty when an alert fires indicating that a high-privilege user account (a domain admin) has been observed logging in from an IP address in a country where the company has no operations, at 3:00 AM local time. Subsequent investigation reveals that the same account also has a successful logon from the corporate headquarters at the same time, which is geographically impossible. The SIEM shows a single event for the suspicious logon, and no other indicators of compromise are present. The account has not been used for months. What is the BEST course of action?

A.Restore the domain controller from a recent backup to ensure any malware is removed.
B.Immediately disable the account and reset the password, then begin a forensic investigation to determine the scope of compromise.
C.Contact the employee who owns the account to ask if they recently traveled or used a VPN.
D.Ignore the alert as it is likely a false positive due to SIEM misconfiguration or time zone discrepancy.
AnswerB

Disabling and resetting the account stops any ongoing malicious activity, and investigation can then proceed safely.

Why this answer

Option B is correct because the simultaneous logon from two geographically impossible locations indicates a classic credential theft and replay attack, likely using a pass-the-hash or token theft technique. Disabling the account and resetting the password immediately stops the attacker's access, which is the highest priority in incident response. A forensic investigation must follow to identify the attack vector (e.g., Kerberos ticket theft, LSASS dump) and assess the scope of compromise, as the absence of other indicators does not rule out lateral movement or persistence.

Exam trap

The trap here is that candidates may assume a single anomalous event with no other indicators is a false positive, but CISM emphasizes that credential theft scenarios often present with minimal initial evidence, and the priority is containment (disable account) before investigation.

How to eliminate wrong answers

Option A is wrong because restoring the domain controller from a backup is a drastic, premature step that could destroy forensic evidence and does not address the active compromise of the user account; the attacker may still have access via other means. Option C is wrong because contacting the employee wastes critical time during an active incident and assumes the account owner is trustworthy, but the simultaneous logon proves the account is compromised regardless of VPN or travel. Option D is wrong because ignoring the alert as a false positive is negligent; the SIEM event is valid (single event does not imply misconfiguration), and the geographic impossibility is a clear indicator of credential theft, not a time zone discrepancy.

648
MCQmedium

Based on the exhibit, what is the MOST likely scenario?

A.A user is performing a scheduled task that requires authentication.
B.A user forgot their password and successfully logged in after retrying.
C.An attacker brute-forced the password and then used the credentials to access a file server.
D.A system administrator is testing password policies.
AnswerC

The sequence indicates successful guess followed by lateral movement.

Why this answer

The exhibit shows multiple failed authentication attempts (Event ID 4625) from a single user account within a short time window, followed by a successful logon (Event ID 4624) and then an access event to a file share (Event ID 5140). This pattern of rapid, repeated failures culminating in a single success is characteristic of a brute-force attack, where the attacker guesses the password and then uses the compromised credentials to access a file server.

Exam trap

The trap here is that candidates may misinterpret the failed logons as a user simply forgetting their password (Option B), but the rapid, repeated failures followed by a successful logon and file access clearly indicate a brute-force attack rather than a benign password mistake.

How to eliminate wrong answers

Option A is wrong because scheduled tasks typically use service accounts or stored credentials and do not generate a burst of failed logon events; they would show a single successful logon without preceding failures. Option B is wrong because a user who forgot their password would not generate dozens of failed attempts in rapid succession; they would typically use a password reset workflow or have a few retries, not a sustained brute-force pattern. Option D is wrong because a system administrator testing password policies would likely use a dedicated test account or controlled conditions, not a real user account, and would not follow the failed logons with a file server access event.

649
Drag & Dropmedium

Order the steps for implementing a data classification policy in an organization.


Why this order

Data classification starts with defining categories, then procedures, training, labeling, and monitoring.

650
MCQhard

You are the director of information security at a multinational corporation that operates in many countries with conflicting data privacy laws. The company's information security program includes a data classification policy and a data retention schedule, but there is no consistent method for handling cross-border data flows. Recently, a regulator in Country A fined the company for transferring personal data to Country B, which does not provide adequate protection. The legal department recommends implementing a binding corporate rules (BCR) approach, but the IT department says it would be too complex to implement across all systems. You must update the program to ensure compliance while minimizing operational impact. The board wants a solution that can be implemented within one year with reasonable cost. What should you do?

A.Implement binding corporate rules (BCR) across all entities as recommended by legal.
B.Rely on standard contractual clauses (SCCs) for all cross-border data flows.
C.Conduct a data mapping exercise and implement a data classification tagging system to automate controls on sensitive data flows.
D.Stop all cross-border data transfers until compliant mechanisms are fully implemented.
AnswerC

Provides visibility and enables automated enforcement, scalable within one year.

Why this answer

The correct answer is C because a data mapping exercise with automated tagging provides the foundation to enforce controls without manual effort. Option A (implement BCR globally) is complex and risky. Option D (stop all cross-border transfers) is impractical. Option B (rely on standard contractual clauses) may not be sufficient and is also administratively heavy.

651
MCQmedium

During an incident, the response team collects volatile data from a compromised server. Which of the following should be collected FIRST to minimize loss of evidence?

A.Contents of RAM
B.Contents of hard drive
C.Event logs
D.Network configuration
AnswerA

RAM is volatile and will be lost if the system is powered off.

Why this answer

Volatile data, such as the contents of RAM, is lost when a system is powered off. The first priority during incident response is to capture this data because it contains running processes, network connections, encryption keys, and malware that exist only in memory. Collecting RAM first ensures that this critical evidence is preserved before any other actions that might alter the system state.

Exam trap

The trap here is that candidates often confuse the order of volatility (OOV) principle, mistakenly prioritizing non-volatile data like event logs or disk contents because they seem more stable, but the exam tests the understanding that volatile data must be captured first to prevent its permanent loss.

How to eliminate wrong answers

Option B is wrong because the contents of the hard drive are non-volatile and persist after power loss; collecting it first would risk overwriting or losing volatile data in RAM during the acquisition process. Option C is wrong because event logs are stored on the hard drive and are non-volatile; they can be collected later without risk of immediate loss, and accessing them first could alter system state. Option D is wrong because network configuration is also non-volatile and stored in the registry or configuration files on disk; it does not require immediate capture and can be gathered after volatile data is secured.

652
MCQeasy

Which of the following is the PRIMARY benefit of a security champions program?

A.Reducing the need for security awareness training
B.Embedding security advocates in business units
C.Automating security testing
D.Eliminating third-party risks
AnswerB

Champions provide on-the-ground support and influence.

Why this answer

Security champions act as liaisons within development teams, promoting security best practices and improving collaboration.

653
MCQeasy

An organization is determining the risk treatment for a critical business process that has a high inherent risk. Which of the following is the MOST effective risk treatment strategy when the cost to mitigate exceeds the potential loss?

A.Risk avoidance
B.Risk reduction
C.Risk acceptance
D.Risk transfer
AnswerC

Accepting the risk is justified when mitigation costs outweigh potential loss.

Why this answer

Option C is correct because risk acceptance is appropriate when the cost of mitigation exceeds the potential loss. Option A is wrong because risk avoidance would mean discontinuing the process, which may not be feasible. Option D is wrong because risk transfer (e.g., insurance) might still be costly. Option B is wrong because risk reduction would require controls that are not cost-effective.

654
Multi-Selecthard

Which THREE of the following are essential elements of a forensic evidence handling procedure to ensure admissibility in court?

Select 3 answers
A.Placing a legal hold on relevant data
B.Maintaining a documented chain of custody
C.Performing analysis directly on original systems
D.Using automated tools without validation
E.Creating bit-for-bit forensic copies of affected media
AnswersA, B, E

A legal hold prevents destruction of evidence.

Why this answer

A legal hold is essential because it suspends the normal data retention and deletion policies, ensuring that potentially relevant evidence is preserved from alteration or destruction. This is a foundational step in the e-discovery process and directly supports the admissibility of evidence by demonstrating that the organization took proactive steps to prevent spoliation.

Exam trap

ISACA often tests the misconception that direct analysis on original systems is acceptable, but in forensic procedures, any direct manipulation of original media is prohibited to avoid altering the evidence and compromising its admissibility.

655
MCQmedium

An organization's incident response team is handling a P2 incident involving an insider threat. The team has identified the employee responsible. The communications lead is preparing a notification to affected parties. Which of the following should be included in the notification?

A.A detailed timeline of the investigation
B.An apology from the CEO
C.The type of data that was compromised and steps taken to mitigate
D.The name of the employee responsible
AnswerC

These are required elements for notification.

Why this answer

Regulatory notifications must include a description of the incident, data involved, and mitigation steps, while avoiding speculation.

656
MCQ (hard)

An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?

A. ISO 31000
B. NIST Cybersecurity Framework
C. ITIL
D. NIST SP 800-61
Answer: D

NIST SP 800-61 is the standard for computer security incident handling.

Why this answer

NIST SP 800-61 (Computer Security Incident Handling Guide) is the definitive U.S. government standard for incident response processes, covering preparation, detection, containment, eradication, and recovery. It provides detailed, step-by-step guidance for building an incident response plan, making it the primary reference for aligning with industry best practices.

Exam trap

The trap here is that candidates confuse the NIST Cybersecurity Framework (a broad risk management tool) with NIST SP 800-61 (the specific incident response standard), or they mistakenly think ITIL's 'incident management' covers security incidents when it is designed for IT service disruptions, not security breaches.

How to eliminate wrong answers

Option A is wrong because ISO 31000 is a risk management framework, not an incident response framework; it focuses on risk identification, assessment, and treatment, not on the operational steps of handling incidents. Option B is wrong because the NIST Cybersecurity Framework (CSF) is a high-level risk-based framework for improving cybersecurity posture, not a detailed incident response procedure; it references NIST SP 800-61 for incident response specifics. Option C is wrong because ITIL (Information Technology Infrastructure Library) is a service management framework focused on IT service delivery and support (e.g., incident management as a service desk process), not on security incident response or forensic handling.

657
MCQ (medium)

An information security manager is preparing a report for the board on the state of information security governance. Which of the following elements is most important to include in the report?

A. The percentage of the security budget spent on different projects.
B. Key risk indicators (KRIs) related to the organization's critical assets.
C. A log of all recent security incidents and their root causes.
D. A detailed list of all security tools and their functionalities.
Answer: B

KRIs effectively communicate risk posture and governance status to the board.

Why this answer

Key risk indicators (KRIs) provide a forward-looking, quantifiable measure of risk exposure tied directly to critical assets, which is essential for the board to understand the effectiveness of governance and risk management. Unlike operational or tactical data, KRIs enable informed strategic decisions about risk appetite and resource allocation, aligning with the CISM focus on governance over management.

Exam trap

The trap here is that candidates confuse operational reporting (incident logs, tool lists) with governance reporting, which demands high-level, risk-focused metrics like KRIs that support strategic oversight.

How to eliminate wrong answers

Option A is wrong because budget allocation percentages are a tactical financial detail, not a governance-level indicator; the board needs risk context, not spending breakdowns. Option C is wrong because a log of all incidents is operational data that overwhelms the board with noise; governance reporting requires aggregated trends and risk impact, not raw root-cause details. Option D is wrong because a list of tools and their functionalities is a technical inventory, irrelevant to governance; the board needs assurance that controls are effective, not a catalog of products.

658
MCQ (medium)

During an incident, the incident response team determines that a compromised account was used to exfiltrate data. The account has been disabled. What is the NEXT best action to prevent similar incidents?

A. Notify potentially affected customers
B. Perform a root cause analysis
C. Reset passwords for all user accounts
D. Review authentication logs for other anomalies
Answer: B

Root cause analysis identifies the weakness to prevent recurrence.

Why this answer

Performing a root cause analysis (RCA) is the next best action because it systematically identifies the underlying vulnerability or control weakness that allowed the account compromise. Without understanding how the attacker gained access—whether through phishing, credential stuffing, or a software vulnerability—simply disabling the account does not prevent recurrence. The RCA will inform targeted remediation, such as patching, policy changes, or implementing multi-factor authentication (MFA).

Exam trap

The trap here is that candidates confuse 'next best action' with 'immediate containment step'—they choose to reset all passwords or review logs again, when the correct post-containment priority is to analyze the root cause to prevent recurrence, as emphasized in the CISM Incident Management lifecycle.

How to eliminate wrong answers

Option A is wrong because notifying customers prematurely, before the root cause is understood and containment is fully verified, can cause unnecessary panic, violate legal hold requirements, and may not address the actual attack vector. Option C is wrong because resetting passwords for all user accounts is a broad, reactive measure that does not address the specific compromise method (e.g., a keylogger or token theft) and may disrupt operations without fixing the underlying vulnerability. Option D is wrong because reviewing authentication logs for other anomalies is a detection step that should have already occurred during the incident; the next logical step after containment is to analyze the root cause, not continue hunting for other signs without understanding how the first breach happened.

659
MCQ (medium)

A CISO is developing a multi-year security roadmap. Which of the following should be the PRIMARY driver for prioritizing initiatives?

A. Ease of implementation
B. Availability of new technology
C. Alignment with business strategy and risk appetite
D. Cost of the initiative
Answer: C

Security must support business goals and risk tolerance.

Why this answer

The roadmap must align security initiatives with the organization's strategic business objectives to ensure relevance and support.

660
MCQ (medium)

An information security manager has identified a risk with a high likelihood and high impact. The cost of mitigating the risk exceeds the potential loss. What is the MOST appropriate risk treatment strategy?

A. Risk mitigation
B. Risk acceptance
C. Risk transfer
D. Risk avoidance
Answer: B

Why this answer

When mitigation cost exceeds potential loss, risk acceptance is appropriate if the risk is within the organization's risk appetite. Alternatively, risk transfer (e.g., insurance) could be considered, but acceptance is often the primary choice when the cost-benefit is negative.

Exam trap

Candidates may choose 'mitigate' without considering cost-benefit analysis; CISM emphasizes aligning treatment with business value.

Why the other options are wrong

A. Mitigation cost exceeds potential loss, making it inefficient.

C. Transfer (e.g., insurance) may still be expensive; acceptance is more direct when the cost of transfer is also high.

D. Avoidance would mean discontinuing the activity, which may not be feasible or cost-effective.

661
MCQ (medium)

During a risk assessment, a company discovers that its data backup process is incomplete: backups are performed daily but stored onsite without encryption. The risk owner proposes to accept this risk due to low likelihood of a physical breach. Which of the following is the BEST reason to challenge this acceptance?

A. The impact of losing both primary and backup data is unacceptably high
B. The risk owner does not have authority to accept risks
C. Encryption is not required as the facility is secure
D. The cost of implementing encrypted offsite backups is minimal
Answer: A

A single event (fire, theft) could destroy both data and backup, leading to catastrophic business impact.

Why this answer

Option A is correct because the core principle of risk acceptance requires that the residual risk be within the organization's risk appetite. In this scenario, the backup data is stored onsite without encryption, meaning a single physical breach (e.g., fire, theft, or natural disaster) could destroy both primary and backup data simultaneously. The impact of losing all data—potentially leading to business failure—is unacceptably high, outweighing the low likelihood of a physical breach.

The risk owner's acceptance is invalid because the risk exceeds the organization's risk tolerance, as per CISM's risk management framework.

Exam trap

Cisco often tests the misconception that risk acceptance is always valid if the risk owner approves it, but the trap here is that acceptance must align with the organization's risk appetite and the impact must be tolerable; a high-impact risk cannot be accepted solely based on low likelihood.

How to eliminate wrong answers

Option B is wrong because the risk owner, typically a business process owner, generally has the authority to accept risks within their scope, unless explicitly restricted by policy; the question does not indicate such a restriction. Option C is wrong because it incorrectly assumes that a secure facility eliminates the need for encryption, but encryption is a critical control for data at rest to protect against unauthorized access even if physical security is breached (e.g., an insider threat or theft of storage media). Option D is wrong because the cost of implementing encrypted offsite backups is not the primary reason to challenge acceptance; risk acceptance decisions are based on risk appetite and impact, not solely on cost, and minimal cost does not automatically invalidate acceptance.

662
Multi-Select (medium)

After a data breach involving customer PII, the incident response team is conducting a root cause analysis. Which THREE factors should be examined according to CISM best practices? (Select THREE.)

Select 3 answers
A. The management or governance failure that allowed the process failure.
B. The cost of the breach to the organization.
C. The specific employee who clicked the phishing email.
D. The technical vulnerability that allowed the breach.
E. The process failure that allowed the vulnerability to exist.
Answers: A, D, E

Management oversight is needed to ensure processes are effective.

Why this answer

Root cause analysis should identify technical, process, and management failures.

663
MCQ (medium)

During a DDoS attack classified as P2, what is the EXPECTED response time and notification level?

A. Standard response; team lead notification
B. Business hours response; management notification
C. 24/7 response; executive notification
D. Scheduled remediation; email notification
Answer: B

P2 has significant impact, so management is notified and response occurs during business hours.

Why this answer

P2 incidents require management notification and a response during business hours.

664
MCQ (hard)

An organization has implemented a balanced scorecard to measure the effectiveness of its information security program. Which of the following metrics would be MOST appropriate for the 'internal processes' perspective?

A. Percentage of systems compliant with baseline
B. Mean time to detect and respond to incidents
C. Percentage of users who completed security awareness training
D. Number of security incidents reported to management
Answer: B

Why this answer

The 'internal processes' perspective of a balanced scorecard focuses on the efficiency and effectiveness of the operational workflows that deliver the security program. Mean time to detect (MTTD) and mean time to respond (MTTR) directly measure the performance of the incident response process, which is a core internal process. This metric reflects how quickly the organization can identify and contain threats, making it the most appropriate choice for this perspective.

Exam trap

The trap here is that candidates confuse the 'internal processes' perspective with compliance or training metrics, mistakenly selecting A or C because they seem operational, but the balanced scorecard framework specifically ties 'internal processes' to the efficiency of core security workflows like incident response, not static compliance or awareness rates.

Why the other options are wrong

A. Compliance rate is more aligned with the governance or regulatory perspective, not internal processes.

C. This is a learning and growth metric, not internal processes.

D. This is more of an output metric, not specifically internal process efficiency.

665
MCQ (hard)

A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?

A. The vendor's service level agreements (SLAs) for incident response times.
B. The vendor's technical expertise and certifications.
C. The cost savings compared to in-house operations.
D. The ability to maintain oversight and accountability for security outcomes.
Answer: D

Governance requires clear accountability even when services are outsourced.

Why this answer

Option D is correct because governance requires that the organization retains ultimate responsibility for security outcomes, even when functions are outsourced. Without the ability to maintain oversight and accountability, the company cannot ensure that its security posture aligns with business risk tolerance and regulatory compliance requirements. This is a fundamental principle of information security governance, as the board and senior management cannot delegate accountability.

Exam trap

The trap here is that candidates often mistake operational metrics (like SLAs or certifications) for governance considerations, but CISM emphasizes that governance is about ensuring the organization retains ultimate accountability and oversight, not just delegating tasks to a vendor.

How to eliminate wrong answers

Option A is wrong because while SLAs for incident response times are important operational metrics, they are not the most critical governance consideration; governance focuses on strategic oversight and accountability, not just contractual performance targets. Option B is wrong because technical expertise and certifications, while valuable for vendor selection, are operational or tactical concerns that do not address the governance requirement for the organization to retain control over security outcomes. Option C is wrong because cost savings, though a common business driver, are a financial consideration that must be balanced against risk; prioritizing cost over governance can lead to loss of control and increased residual risk, which is a governance failure.

666
MCQ (medium)

A security dashboard is being designed for the C-suite. Which metric is most appropriate for a one-page executive summary?

A. Number of phishing simulation campaigns
B. List of all security incidents in the quarter
C. Security scorecard with overall risk level
D. Detailed patch compliance by system
Answer: C

Provides a concise, high-level status of security posture.

Why this answer

The security scorecard with overall risk level is the most appropriate metric for a one-page executive summary because it provides a high-level, aggregated view of the organization's security posture. Executives need a concise, actionable summary that distills complex security data into a single risk indicator, enabling quick decision-making without technical details.

Exam trap

The trap here is that candidates often confuse operational metrics (like patch compliance or incident counts) with strategic metrics, failing to recognize that the C-suite requires a synthesized risk indicator rather than detailed technical data.

How to eliminate wrong answers

Option A is wrong because the number of phishing simulation campaigns is a tactical metric that measures training activity, not the overall security risk or program effectiveness; it lacks the strategic context needed for executive oversight. Option B is wrong because a list of all security incidents in the quarter is too granular and operational, overwhelming executives with raw data rather than summarizing risk trends or impact. Option D is wrong because detailed patch compliance by system is a technical, system-level metric that belongs in operational reports for IT teams, not in a one-page executive summary that requires a synthesized view of risk.

667
Multi-Select (hard)

An organization is preparing for a potential supply chain incident. According to CISM best practices, which THREE elements should be included in the supply chain incident playbook? (Select THREE.)

Select 3 answers
A. A step-by-step guide for paying ransoms to cybercriminals.
B. Procedures for isolating affected systems and networks.
C. A list of approved vendors for DDoS mitigation services.
D. Communication templates for notifying affected partners and customers.
E. Instructions for contacting the organization's legal counsel.
Answers: B, D, E

Containment is a key step in any incident response.

Why this answer

Supply chain incidents require specific procedures for vendor coordination, technical response, and communication.

668
MCQ (hard)

A multinational corporation experiences a security breach involving customer PII. The incident response team needs to determine notification requirements. Which factor is MOST important in deciding which regulatory bodies to inform?

A. Location of the affected individuals
B. Location of the attacker
C. Location of the company's CIO
D. Location of the data custodian
Answer: A

Breach notification laws are based on the data subjects' residence.

Why this answer

Data privacy regulations (e.g., GDPR, CCPA, LGPD) base their notification requirements on the residency or location of the affected data subjects, not on where the breach originated or where the company's executives sit. The incident response team must map the affected PII to the specific jurisdictions whose laws impose breach notification duties, making the location of the affected individuals the primary driver for determining which regulatory bodies to inform.

Exam trap

The trap here is that candidates often confuse the location of the data (where it is stored or processed) with the location of the data subjects, leading them to incorrectly choose the data custodian's location as the key factor.

How to eliminate wrong answers

Option B is wrong because the attacker's location is irrelevant to regulatory notification obligations; breach notification laws focus on protecting the data subjects, not on prosecuting the attacker. Option C is wrong because the CIO's location has no bearing on which privacy regulations apply; notification requirements are tied to the data subjects' jurisdiction, not to the location of corporate officers. Option D is wrong because the data custodian's location (e.g., where the database is hosted) does not determine notification duties; for example, under GDPR, a company must notify the relevant supervisory authority based on the data subjects' residence, even if the custodian is in a different country.

669
MCQ (medium)

A security awareness manager is designing role-based training. Which training is most appropriate for software developers?

A. Phishing identification
B. Social engineering awareness
C. Incident response procedures
D. Secure coding practices
Answer: D

Directly addresses the risk they introduce in code.

Why this answer

Developers need specialized training on secure coding practices to reduce vulnerabilities in applications.

670
MCQ (easy)

Which of the following is the primary objective of a security champions programme?

A. To enforce security policies across the organization
B. To conduct phishing simulations for employees
C. To provide an escalation path for security incidents
D. To embed security advocates within development teams
Answer: D

Security champions serve as liaisons and advocates within their teams.

Why this answer

A security champions programme embeds security advocates within development teams to promote secure practices, improve communication, and embed security into daily work, rather than incident response or policy enforcement.

671
MCQ (medium)

An organization's incident response team has identified that a data breach involves customer personal information. Which of the following should be done FIRST to preserve evidence for potential litigation?

A. Issue a legal hold to preserve relevant data
B. Notify affected customers
C. Begin system restoration from backups
D. Conduct a root cause analysis
Answer: A

A legal hold ensures that all relevant data is preserved for potential legal proceedings.

Why this answer

Legal hold prevents spoliation of evidence; it must be issued before any remediation that could alter data.

672
MCQ (medium)

Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?

A. Number of vulnerabilities patched
B. Phishing click rate
C. Mean time to respond (MTTR)
D. Number of security incidents
Answer: B

Click rate measures user susceptibility and is predictive of future breaches.

Why this answer

Phishing click rate is a leading indicator because it predicts future incidents by measuring current behavior.

673
MCQ (easy)

An organization has just completed a risk assessment and identified several high-risk vulnerabilities. The security program manager needs to prioritize remediation efforts. Which of the following should be the primary factor in determining priority?

A. Regulatory requirements only
B. Likelihood of exploitation
C. Risk level (likelihood × impact)
D. Ease of remediation
Answer: C

Risk level gives a holistic prioritization.

Why this answer

Risk level, calculated as likelihood multiplied by impact, is the primary factor for prioritizing remediation because it quantifies the overall exposure to the organization. While regulatory requirements, likelihood alone, or ease of remediation are important considerations, they do not capture the combined effect of both probability and consequence, which is essential for effective risk management in an information security program.

Exam trap

The trap here is that candidates often choose 'Likelihood of exploitation' (Option B) because they confuse frequency with overall risk, ignoring that a high-likelihood but low-impact vulnerability (e.g., a minor misconfiguration) may be less critical than a low-likelihood but catastrophic one (e.g., a zero-day in a core database).

How to eliminate wrong answers

Option A is wrong because regulatory requirements are only one component of risk prioritization; focusing solely on them ignores vulnerabilities with high business impact that may not be regulated. Option B is wrong because likelihood of exploitation alone does not account for the severity of the impact, leading to misallocation of resources toward frequent but low-damage threats. Option D is wrong because ease of remediation prioritizes quick fixes over addressing the most critical risks, which can leave high-risk vulnerabilities unmitigated.

674
MCQ (easy)

A risk manager is presenting risk treatment options to senior management. Which of the following is the BEST approach to communicate risk in a way that supports informed decision-making?

A. Focus only on high and extreme risks
B. Use technical language to accurately describe vulnerabilities
C. Translate risk into potential financial impact
D. Present risk in qualitative terms only
Answer: C

Financial impact is a common language for business decisions.

Why this answer

Translating risk into potential financial impact (Option C) is the best approach because it aligns risk with business objectives, enabling senior management to make cost-benefit decisions. Financial quantification, such as Annualized Loss Expectancy (ALE), provides a common language that executives understand, directly supporting informed decision-making on risk treatment options.

Exam trap

The trap here is that candidates may choose Option A (focusing only on high and extreme risks) because it seems efficient, but CISM emphasizes that risk communication must support informed decision-making across all risk levels, not just the most severe ones.

How to eliminate wrong answers

Option A is wrong because focusing only on high and extreme risks ignores residual risks and emerging threats, leading to incomplete risk posture visibility and potential blind spots in risk treatment. Option B is wrong because using technical language to describe vulnerabilities creates communication barriers with senior management, who need business-impact context rather than technical details. Option D is wrong because presenting risk in qualitative terms only (e.g., high/medium/low) lacks the precision needed for cost-benefit analysis, making it harder to prioritize investments and justify risk treatment decisions.

675
MCQ (easy)

The security team is designing a security awareness program. Which topic should be prioritized FIRST?

A. Phishing recognition and reporting
B. Password creation and management
C. Incident reporting procedures
D. Data classification and handling
Answer: A

Phishing is a top threat; early training can prevent many incidents.

Why this answer

Option A is correct because phishing is a common initial attack vector, and training users to recognize it can immediately reduce risk. Option B is wrong because password policies are important but are often covered later. Option C is wrong because incident reporting is critical but follows awareness of threats.

Option D is wrong because data classification is a more advanced topic.
