CCNA Information Security Governance Questions

75 of 92 questions · Page 1/2 · Information Security Governance · Answers revealed

1
MCQ · medium

During a merger, the acquiring company's CISO must integrate the security governance of the target company. The target company has no formal security governance. What is the FIRST step the CISO should take?

A. Conduct a security awareness training for the target company's employees.
B. Perform a comprehensive risk assessment of the target company's security posture.
C. Align the target company's security policies with the acquirer's policies.
D. Implement the acquirer's security governance framework immediately.
Answer: B

Initial assessment informs integration strategy.

Why this answer

Without a formal security governance structure, the CISO must first understand the target company's current security posture through a comprehensive risk assessment. This step identifies vulnerabilities, threats, and gaps in controls, providing the baseline data needed to prioritize integration efforts and align with the acquirer's governance framework. Skipping this assessment risks implementing policies that are irrelevant or ineffective against the target's actual risks.

Exam trap

ISACA often tests the principle that governance integration must begin with understanding the current state (risk assessment) rather than jumping to policy alignment or implementation, which is a common mistake candidates make by assuming immediate enforcement is the first step.

How to eliminate wrong answers

Option A is wrong because conducting security awareness training before understanding the target's risk profile and existing security gaps is premature; training should be tailored to identified risks and policies, not implemented in a vacuum. Option C is wrong because aligning security policies without first assessing the target's current state can result in policies that conflict with existing technical controls or fail to address critical vulnerabilities. Option D is wrong because immediately implementing the acquirer's governance framework without a risk assessment may disrupt operations, miss unknown threats, and create resistance due to lack of contextual understanding.

2
MCQ · hard

During an internal audit, it is discovered that business units frequently purchase cloud services without involving the IT security department. Which governance deficiency does this scenario most clearly demonstrate?

A. Inadequate security awareness training
B. Lack of an incident response plan
C. Absence of a procurement security policy
D. Weak access control over cloud resources
Answer: C

A procurement policy should require security review before purchasing cloud services.

Why this answer

The lack of a procurement security policy that mandates involvement of IT security indicates a gap in governance controls. Option D (weak access controls) might be a consequence but is not the root deficiency. Option A (inadequate training) is not the primary issue. Option B (lack of incident response) is unrelated to procurement.

3
MCQ · medium

Given the exhibit, what is the MOST appropriate action for the information security manager?

A. Request board approval to accept the risk level
B. Declare a security crisis and mobilize incident response
C. Escalate to the board for immediate decision
D. Implement the action plan to reduce KRI value
Answer: D

Yellow status needs management action as planned.

Why this answer

Option D is correct because the KRI is in the yellow zone (5-10%) and requires management attention and accelerated patching, as planned. Option C is wrong because escalation to the board is for red status. Option B is wrong because declaring a crisis and mobilizing incident response is for critical issues. Option A is wrong because board approval to accept a risk is for risks that exceed appetite, but here the risk is within tolerance.

4
MCQ · easy

An information security manager is developing a security strategy for a financial institution. Which of the following should be the PRIMARY driver for selecting security controls?

A. The latest cybersecurity threats reported in the industry.
B. Past security incidents that caused significant financial loss.
C. Business requirements derived from risk assessment and compliance obligations.
D. The security budget allocated for the fiscal year.
Answer: C

Controls must align with business needs and risk appetite.

Why this answer

Business requirements derived from risk assessment and compliance obligations are the primary driver because they directly align security controls with the institution's specific risk appetite, regulatory mandates (e.g., PCI DSS, SOX, GDPR), and operational needs. This ensures controls are cost-effective and prioritized based on actual exposure rather than reactive or budget-driven decisions.

Exam trap

The trap here is that candidates often pick 'past security incidents' (Option B) because it feels intuitive, but CISM emphasizes a proactive, risk-based governance approach where business requirements and compliance drive control selection, not historical events or budget constraints.

How to eliminate wrong answers

Option A is wrong because focusing solely on the latest cybersecurity threats can lead to chasing trends and implementing controls that do not address the institution's unique risk profile, resulting in wasted resources and potential gaps. Option B is wrong because past incidents, while informative, represent a reactive approach that may not cover emerging or unexperienced risks, and can over-prioritize controls for rare events while ignoring systemic vulnerabilities. Option D is wrong because letting the security budget dictate control selection can result in underfunding critical areas or over-investing in low-priority controls, bypassing the risk-based prioritization that governance frameworks require.

5
MCQ · hard

Refer to the exhibit. This error log indicates a failure in which component of information security governance?

A. Policy enforcement
B. Access control
C. Segregation of duties
D. Audit trail
Answer: B

The user lacks necessary permissions, indicating an access control issue.

Why this answer

The error shows that a user lacks the privileges to update a policy, indicating a breakdown in access control. Option C (segregation of duties) is about dividing tasks to prevent fraud, not about insufficient privileges. Option A (policy enforcement) is broader and refers to compliance with policies, not updating them. Option D (audit trail) is about logging, which is functioning, since the error was logged.

6
MCQ · hard

You are the information security manager for a mid-sized e-commerce company with 500 employees. The company recently experienced a data breach where an attacker exploited a vulnerability in a third-party payment processing API, resulting in the exposure of 10,000 customer credit card numbers. The breach was detected by an external forensics team 90 days after the initial compromise. The board is concerned about the company's ability to detect and respond to incidents. Currently, the company has a part-time security team of three people who focus on firewall management and antivirus updates. There is no formal incident response plan, and security monitoring is limited to basic log review once a week. The CISO has asked you to recommend a course of action to improve the security posture, with a focus on governance and oversight. Which of the following is the BEST course of action?

A. Immediately implement a PCI DSS compliance program to ensure all payment data handling meets industry standards.
B. Develop and implement an incident response plan, establish a security operations center (SOC) with 24/7 monitoring, and define clear roles and responsibilities.
C. Purchase and deploy a next-generation firewall and endpoint detection and response (EDR) tools across the network.
D. Outsource all security operations to a managed security service provider (MSSP) with a focus on threat intelligence.
Answer: B

This addresses governance, detection, and response holistically.

Why this answer

Option B is correct because the core governance issue is the lack of a formal incident response plan and adequate monitoring. Establishing a SOC with 24/7 monitoring directly addresses the 90-day detection gap, while defining roles and responsibilities ensures accountability and oversight, which are key governance principles. This approach aligns with the CISM focus on establishing processes and oversight rather than just deploying technology.

Exam trap

The trap here is that candidates often choose a technology-focused answer (like C or D) because it seems more concrete, but the CISM exam emphasizes that governance and oversight—such as having a formal plan and defined roles—must come before technology investments to ensure effective security management.

How to eliminate wrong answers

Option A is wrong because PCI DSS compliance is a standard for handling payment card data, but it does not directly address the lack of incident detection and response capabilities; it focuses on preventive controls and data security, not on governance of incident response. Option C is wrong because purchasing next-generation firewalls and EDR tools is a tactical, technology-centric solution that does not establish the governance framework, incident response plan, or monitoring processes needed to detect and respond to breaches in a timely manner. Option D is wrong because outsourcing to an MSSP without first having an internal incident response plan and defined roles can lead to a lack of ownership and oversight; it shifts responsibility but does not fix the governance gap, and the board's concern is about the company's own ability to detect and respond.

7
MCQ · easy

An organization's security governance committee has approved a new security policy. What is the NEXT critical step to ensure the policy's effectiveness?

A. Implement technical controls to enforce the policy.
B. Conduct an audit to measure compliance.
C. Communicate the policy to all relevant stakeholders and provide training.
D. Enforce disciplinary actions for non-compliance.
Answer: C

Awareness and understanding are prerequisites for compliance.

Why this answer

Option C is correct because communication and training are essential for adoption. Option A is wrong because implementing controls without communication leads to non-compliance. Option B is wrong because auditing before the policy has been communicated and implemented is premature. Option D is wrong because enforcement without understanding is ineffective.

8
MCQ · medium

A company is restructuring its security governance due to rapid growth. The CISO reports to the CIO. What is the PRIMARY risk of this reporting structure?

A. Compliance with regulations may become difficult
B. The security budget may be insufficient
C. Cooperation between IT and security may decrease
D. Security objectives may be overridden by IT operational goals
Answer: D

Conflict of interest reduces independence.

Why this answer

Option D is correct because security objectives may be subordinated to IT operational priorities. Option B is wrong because budget constraints may exist but are secondary. Option A is wrong because compliance is not directly affected. Option C is wrong because cooperation can still exist.

9
MCQ · easy

Given the exhibit, what is the MOST significant governance gap in the described architecture?

A. Weak authentication for remote access
B. No defined security governance board or oversight mechanism
C. Insufficient physical security in data centers
D. Lack of intrusion detection for internal traffic
Answer: B

Architecture lacks governance structure; roles and accountabilities not defined.

Why this answer

Option B is correct because the architecture description does not indicate a defined ownership or governance layer for the security controls. Option A is wrong because MFA is in place. Option C is wrong because physical controls exist. Option D is wrong because monitoring exists. The gap is governance oversight, not technical.

10
MCQ · medium

A multinational corporation is establishing an information security governance framework. The board has approved a top-down approach where security policies are created at the corporate level and adapted locally. Which of the following is a key benefit of this approach?

A. It allows each subsidiary to develop security policies that best fit their local legal environment.
B. It reduces the time required to implement security policies across the entire organization.
C. It minimizes the need for local security teams to understand the corporate strategy.
D. It ensures a consistent baseline of security controls while allowing for local regulatory adjustments.
Answer: D

This balances uniformity with flexibility.

Why this answer

Option D is correct because consistent baseline policies ensure minimum security across all units, while local adaptation allows for regulatory compliance. Option A is wrong because fully local policies would reduce consistency. Option B is wrong because faster enforcement of the baseline is a side effect of the top-down approach, not its key benefit. Option C is wrong because local teams still have some autonomy and must still understand the corporate strategy in order to adapt it.

11
MCQ · easy

An information security manager is developing a security scorecard for the board. Which of the following should be included to BEST demonstrate governance performance?

A. Total number of security incidents this quarter
B. Percentage of systems patched within 30 days
C. Employee security training completion rate
D. Number of risk acceptances approved vs. rejected
Answer: D

Directly reflects governance and risk appetite.

Why this answer

Option D is correct because risk acceptance tracking shows how the board's risk appetite is applied. Option B is wrong because patch rate is an operational metric. Option A is wrong because incident count is reactive. Option C is wrong because training completion measures awareness, not governance.

12
Multi-Select · easy

Which TWO of the following are key elements of an information security governance framework, as defined by COBIT?

Select 2 answers
A. Value delivery
B. Incident response
C. Resource management
D. Strategic alignment
E. Risk management
Answers: A, D

Governance should ensure that security investments deliver value to the organization.

Why this answer

Strategic alignment and value delivery are two of the five key governance areas per COBIT. Compliance and resource management are also elements, but the question asks which TWO are specifically key. Incident response is operational, not a governance element.

13
MCQ · medium

An organization's security steering committee meets quarterly but lacks decision-making authority. Projects are delayed due to lack of prioritization. What is the most effective improvement?

A. Increase meeting frequency to weekly
B. Outsource project prioritization to external consultants
C. Empower the committee with budget and resource allocation authority
D. Replace committee members with senior executives
Answer: C

This gives the committee the ability to prioritize and execute decisions.

Why this answer

Option C is correct because empowering the committee with authority over budget and resources directly addresses the root cause. Option A increases meeting frequency but does not solve the authority issue. Option D changes personnel but not authority. Option B outsources prioritization, which may not align with business needs.

14
Multi-Select · hard

Which TWO of the following are key responsibilities of an information security governance committee?

Select 2 answers
A. Perform vulnerability assessments on critical systems.
B. Set the organization's risk appetite.
C. Approve major changes to information security policies.
D. Review and approve the information security strategy.
E. Conduct daily monitoring of security events.
Answers: C, D

Policy approval is a key governance function.

Why this answer

The information security governance committee is a high-level body responsible for strategic oversight. Approving major changes to information security policies (Option C) is a core governance function, ensuring that policy updates align with business objectives and regulatory requirements before implementation. This is distinct from operational tasks like vulnerability assessments or daily monitoring.

Exam trap

The trap here is that candidates confuse governance-level responsibilities (policy approval, strategy review) with operational or tactical tasks (vulnerability assessments, daily monitoring), or they mistakenly assign risk appetite setting to the governance committee instead of the board of directors.

15
MCQ · medium

A multinational corporation is designing an information security strategy to support its global operations. Which approach best ensures that the strategy is actionable and measurable?

A. Conduct a cost-benefit analysis of security controls
B. Base the strategy on industry best practices
C. Define KPIs and KRIs aligned with business goals
D. Adopt a leading-edge technology roadmap
Answer: C

KPIs and KRIs provide quantifiable metrics to monitor performance and risk, making the strategy actionable.

Why this answer

Defining key performance indicators (KPIs) and key risk indicators (KRIs) tied to business goals allows the organization to track progress and effectiveness. Option B relies solely on external best practices, which may not fit the specific context. Option A focuses on cost-benefit analysis, which is important but not sufficient for actionability. Option D addresses technology adoption without a measurement framework.

16
MCQ · hard

A multinational corporation is experiencing significant security incidents due to inconsistent security policies across subsidiaries. The CISO proposes implementing a centralized governance model. However, business unit leaders argue that local regulations require autonomy. Which approach best balances governance with local compliance?

A. Implement a single global security policy with mandatory compliance
B. Delegate all security decisions to local business units
C. Develop a framework of minimum security requirements, allowing local augmentation
D. Outsource security governance to a third-party managed service
Answer: C

This approach balances global consistency with local regulatory needs.

Why this answer

Option C is correct because it sets a minimum set of requirements while enabling local augmentation to meet specific regulatory needs. Option A is too rigid and may conflict with local laws. Option B gives up central control entirely. Option D outsources governance, which may not address local nuances.

17
MCQ · medium

Refer to the exhibit. An organization is implementing access controls for a new data repository that will store financial reports classified as Category C. Which of the following is the MOST appropriate control to include?

A. Require encryption of data in transit
B. Implement role-based access control (RBAC)
C. Enforce dual control for access
D. Conduct quarterly access reviews
Answer: A

Category C explicitly requires encryption for transmission.

Why this answer

Option A is correct because Category C requires encryption for transmission; encryption at rest is not mandated but optional. Option B (role-based access) is implied by 'need-to-know' but not explicitly stated; Option C (dual control) is for Category D; Option D (quarterly access reviews) is for Category D.

18
MCQ · medium

Refer to the exhibit. An information security manager reviews the risk register and sees that Risk ID R001 has a residual risk of High with a treatment of Accept. Which of the following best explains why this situation may indicate a governance failure?

A. The risk register should not contain risks with residual risk above low.
B. The control effectiveness rating of 'Partially effective' is too vague.
C. Accepting a high residual risk likely exceeds the board-approved risk appetite.
D. The risk owner should be a business unit head, not the CISO.
Answer: C

Governance requires that risk acceptance decisions are within the risk appetite approved by the board.

Why this answer

Option C is correct because accepting a high residual risk without board approval likely violates the risk appetite policy. Option D is wrong because the CISO can be the risk owner. Option B is wrong because the controls being only partially effective is not, in itself, the governance failure. Option A is wrong because the risk register is not invalid; the issue is the treatment decision.

19
MCQ · easy

An organization is developing its information security strategy. Which of the following should be the PRIMARY driver for defining security objectives?

A. Industry best practices
B. Historical security incidents
C. Business objectives
D. Regulatory compliance requirements
Answer: C

Security strategy must align with and enable business goals.

Why this answer

Business objectives are the primary driver because security exists to enable business goals. Option A is wrong because industry benchmarks are reference points, not primary drivers. Option D is wrong because regulatory requirements are constraints, not drivers. Option B is wrong because historical incidents inform but do not drive strategy.

20
MCQ · hard

Based on the exhibit, which role is missing from the governance policy that would be essential for enforcing accountability?

A. External auditor
B. Internal audit function
C. A role with authority to enforce compliance and impose consequences
D. Chief compliance officer
Answer: C

Policy lacks enforcement mechanisms; accountability requires consequences.

Why this answer

Option C is correct because without defined consequences or enforcement responsibilities, accountability is weak. Option B is wrong because internal audit provides assurance, not enforcement. Option D is wrong because a compliance officer may exist but is not defined in the policy. Option A is wrong because an external auditor is not part of internal governance.

21
MCQ · easy

Which of the following is the best indicator that an organization has effective information security governance?

A. Achievement of ISO 27001 certification
B. The security budget has increased year over year
C. Low number of security incidents
D. Security metrics are reviewed by the board quarterly
Answer: D

Board review shows that security is integrated into governance and strategic decision-making.

Why this answer

Review of security metrics by the board demonstrates governance oversight and strategic alignment. Option C (low incident count) could be due to luck. Option B (growing budget) does not guarantee effectiveness. Option A (certification) indicates compliance, not necessarily governance performance.

22
MCQ · easy

A small business cannot afford a dedicated security team. Which governance model is most appropriate?

A. Implement a full security program based on ISO 27001
B. Hire a virtual CISO and outsource security operations
C. Ignore security until a breach occurs
D. Delegate security to the IT manager with periodic board updates
Answer: B

This provides governance oversight and operational capability cost-effectively.

Why this answer

Option B is correct because hiring a virtual CISO and outsourcing operations provides governance expertise without the full-time cost. Option A is too heavy for a small business. Option C is negligent. Option D places the governance burden on an IT manager who may lack authority.

23
MCQ · hard

An organization's information security governance committee has not met for the past six months. Which of the following is the most significant risk associated with this situation?

A. Increased operational costs due to uncoordinated security investments
B. Regulatory fines from noncompliance
C. Delayed response to security incidents
D. Lack of oversight leading to misalignment with business strategy
Answer: D

The committee is responsible for ensuring security supports business goals; without meetings, oversight is lost.

Why this answer

Without regular governance committee meetings, there is no oversight of security activities, leading to potential misalignment with business objectives. Option A (increased costs) could occur but is not the primary risk. Option C (delayed incident response) is operational. Option B (regulatory fines) is a possible consequence but less immediate than loss of strategic alignment.

24
MCQ · easy

A newly appointed CISO wants to establish an information security governance committee. What is the PRIMARY purpose of this committee?

A. To manage day-to-day security operations.
B. To implement security controls across the organization.
C. To approve technical security solutions.
D. To ensure security strategy aligns with business objectives and provide oversight.
Answer: D

Governance committees bridge security and business strategy.

Why this answer

The primary purpose of an information security governance committee is to ensure that the security strategy aligns with business objectives and to provide oversight. This committee does not execute day-to-day operations or implement controls; instead, it sets direction, reviews risk posture, and ensures that security investments support organizational goals, as defined in frameworks like COBIT and ISO 38500.

Exam trap

The trap here is that candidates often confuse governance (strategic oversight and alignment) with management (tactical implementation and operations), leading them to select options that describe operational or technical tasks rather than the committee's true strategic purpose.

How to eliminate wrong answers

Option A is wrong because managing day-to-day security operations is the responsibility of operational teams (e.g., SOC, IT security staff), not a governance committee, which focuses on strategic oversight. Option B is wrong because implementing security controls is a tactical or operational activity carried out by technical teams based on policies approved by governance, not the committee's primary role. Option C is wrong because approving technical security solutions is typically a function of architecture review boards or engineering leads, while the governance committee focuses on strategic alignment and risk acceptance, not detailed technical approvals.

25
MCQ · hard

Refer to the exhibit. The audit finding reveals a deficiency in which critical aspect of information security governance?

A. Strategic alignment between security objectives and business goals is missing.
B. The board has not approved the security strategy.
C. Resource allocation for security initiatives is not based on business impact.
D. Risk management processes are not integrated with business planning.
Answer: A

Measurable objectives aligned with business goals are essential for strategic alignment.

Why this answer

Option A is correct because the lack of measurable objectives linked to business outcomes indicates a failure in strategic alignment. Option D is wrong because, while risk management is related, the finding specifically addresses strategy. Option B is wrong because the board may have approved the current strategy, but it is deficient. Option C is wrong because resource allocation is not the direct issue.

26
MCQ · easy

An information security manager is evaluating the effectiveness of the organization's security governance. Which of the following metrics would best indicate that governance processes are functioning properly?

A. Total spending on security tools compared to the approved budget.
B. Percentage of risk treatment plans that have been implemented as scheduled.
C. Number of security incidents reported per quarter.
D. Mean time to detect (MTTD) for security incidents.
Answer: B

This shows whether governance decisions on risk are being carried out.

Why this answer

Option B is correct because the percentage of risk treatment plans implemented directly reflects whether governance decisions are being executed. Option C is wrong because the number of incidents may vary due to external factors. Option D is wrong because mean time to detect is an operational metric, not a governance one. Option A is wrong because budget spent does not measure effectiveness.

27
MCQ · hard

A financial institution is integrating a newly acquired fintech startup. The startup has a very different security culture. What governance approach best ensures integration without stifling innovation?

A. Allow the startup to maintain its own security policies indefinitely
B. Force the startup to adopt all of the institution's policies immediately
C. Use a transitional risk-based approach, phasing in critical controls while allowing flexibility
D. Create a separate security team for the startup
Answer: C

This method ensures security while respecting the startup's culture and innovation.

Why this answer

Option C is correct because a transitional risk-based approach balances control with flexibility. Option B may stifle innovation and cause resistance. Option A loses central control. Option D creates silos.

28
MCQ · hard

During a merger, the acquiring company's board insists on integrating the target company's information security governance into its own within 90 days. However, the target has a significantly different risk culture and lacks documented policies. What is the most critical governance risk in this scenario?

A. The acquiring company's security team may lack the capacity to train the target's staff.
B. The target's employees may resist the new security culture.
C. The acquiring company may inadvertently accept unknown high-risk exposures.
D. There will be insufficient time to develop new security policies for the combined entity.
Answer: C

Rushing integration without understanding the target's risk posture can lead to severe exposure.

Why this answer

Option C is correct because the speed of integration may force acceptance of unknown risks without proper due diligence. Option B is wrong because the culture clash matters, but the immediate risk is accepting unknown risks. Option D is wrong because policy development can follow due diligence. Option A is wrong because training is a later step.

29
MCQ · easy

A hospital chain has separate security teams for each facility. There is no central coordination, leading to duplicate efforts and inconsistent patient data protection. The system's CISO wants to improve governance with minimal disruption. What should he do?

A. Merge all teams into one central unit
B. Implement a top-down mandate for all policies
C. Create a governance committee with representatives from each facility
D. Outsource security to a third party
Answer: C

Promotes coordination and minimal disruption.

Why this answer

Option C is correct because a governance committee with representatives from each facility fosters coordination without a major reorganization. Option A is disruptive. Option B ignores local needs. Option D outsources responsibility.

30
Multi-Select · easy

A security audit has identified several governance weaknesses. Which TWO of the following are most likely to indicate a lack of effective information security governance? (Choose two.)

Select 2 answers
A. Risk assessments are not performed on a regular basis.
B. No formal security steering committee exists.
C. The information security policy is not available on the intranet.
D. Employees have not completed annual security awareness training.
E. Antivirus software is not updated on all endpoints.
Answers: A, B

Regular risk assessments are fundamental to governance to ensure risk is managed.

Why this answer

A is correct because regular risk assessments are a foundational requirement of information security governance, as they ensure that security controls remain aligned with evolving threats and business objectives. Without periodic risk assessments, the organization cannot demonstrate due diligence or maintain an accurate risk profile, which is a direct indicator of governance failure.

Exam trap

ISACA often tests the distinction between governance (strategic oversight, risk management, committee structures) and operational controls (training, patching, policy distribution), leading candidates to mistake operational deficiencies for governance weaknesses.

31
MCQ · hard

A financial institution is restructuring its information security governance to comply with a new regulatory requirement that mandates a formal risk appetite statement. The board has conflicting views on the level of risk to accept. Which of the following should the information security manager do to facilitate the definition of risk appetite?

A.Recommend adopting the risk appetite levels used by a peer financial institution.
B.Facilitate a workshop with business leaders to map risk tolerance to strategic goals.
C.Draft a risk appetite statement and ask the CISO to approve it on behalf of the board.
D.Propose a quantitative risk appetite based on the organization's technology risk metrics.
AnswerB

This aligns risk appetite with business strategy and fosters board consensus.

Why this answer

Option B is correct because risk appetite should be aligned with business objectives and defined in business terms to be meaningful. Option A is wrong because industry benchmarks are not binding and may not reflect the institution's unique situation. Option D is wrong because technology risks are only one component. Option C is wrong because the board has final responsibility, not the CISO.

32
Multi-Selectmedium

Which TWO of the following are essential components of an information security governance framework according to ISACA's COBIT?

Select 2 answers
A.Value delivery
B.Performance measurement
C.Strategic alignment
D.Incident response playbook
E.Firewall configuration
AnswersA, C

A core component ensuring security investments bring value.

Why this answer

Strategic alignment (C) and value delivery (A) are key governance principles in COBIT. Performance measurement (B) is also important but not a foundational component; firewall configuration (E) and the incident response playbook (D) are operational.

33
Multi-Selectmedium

Which TWO of the following are key components of an information security governance framework? (Choose two.)

Select 2 answers
A.Security policy and standards.
B.Intrusion detection system (IDS) configuration.
C.Firewall rule set.
D.Payment Card Industry Data Security Standard (PCI DSS) compliance report.
E.Risk management process.
AnswersA, E

Foundational elements of governance frameworks.

Why this answer

Security policy and standards are foundational components of an information security governance framework because they establish the high-level direction, principles, and mandatory requirements that guide the organization's security posture. The risk management process is equally critical as it provides a structured methodology for identifying, assessing, and treating risks, ensuring that security decisions are aligned with business objectives and risk appetite. Together, they form the strategic and operational backbone of governance, enabling accountability and continuous improvement.

Exam trap

The trap here is that candidates confuse operational security controls (like IDS configuration or firewall rules) or compliance outputs (like PCI DSS reports) with the strategic governance components, which are policy, standards, and risk management processes.

34
MCQeasy

An organization has recently experienced a data breach due to an insider threat. The board has requested an update on governance improvements. Which of the following should the information security manager recommend first?

A.Developing a formalized insider threat program with clear roles and responsibilities.
B.Conducting annual security awareness training for all employees.
C.Implementing two-factor authentication for all critical systems.
D.Deploying endpoint detection and response (EDR) software on all systems.
AnswerA

This establishes governance over insider risk, including monitoring and response.

Why this answer

Option A is correct because a formalized insider threat program with defined roles and monitoring reduces the risk of insider incidents. Option C is wrong because technical controls alone are ineffective without governance and process. Option B is wrong because training is important but not the immediate governance priority. Option D is wrong for the same reason as C.

35
Multi-Selecthard

Which THREE of the following are challenges in implementing information security governance in a decentralized organization?

Select 3 answers
A.Unified risk reporting
B.Redundant security controls and tools
C.Centralized incident response
D.Diverse regulatory compliance requirements
E.Inconsistent policy enforcement across business units
AnswersB, D, E

Each unit may purchase similar tools, increasing costs and complexity.

Why this answer

Decentralized organizations often face inconsistent policy enforcement (E), redundant security controls (B), and diverse regulatory compliance requirements (D). Centralized incident response (C) is typically not a challenge in itself; it may be absent, but the challenge is the lack of centralization. Unified risk reporting (A) is a goal, not a challenge.

36
MCQmedium

A large enterprise is implementing a new governance framework. The board has approved a risk appetite statement. What is the MOST important next step for the information security manager?

A.Implement technical controls to reduce risks
B.Develop an audit plan to monitor risk levels
C.Define risk acceptance criteria and thresholds
D.Conduct security awareness training for employees
AnswerC

Risk appetite needs operationalization through criteria.

Why this answer

Option C is correct because risk appetite must be translated into actionable criteria and thresholds for decision-making. Option A is wrong because implementing controls follows the definition of criteria. Option D is wrong because awareness is important but not the most immediate step. Option B is wrong because the audit approach is a separate activity.

37
Drag & Dropmedium

Arrange the steps for responding to a data breach involving personally identifiable information (PII).


Why this order

Incident response begins with containment, then evidence preservation, internal notification, impact assessment, and external notification.

38
MCQeasy

During an internal audit, it was found that the security policy does not address the use of personal devices for work. Which governance action should be taken first?

A.Develop a mobile device management policy and conduct a risk assessment
B.Train users on security awareness
C.Purchase MDM software
D.Immediately ban all personal devices
AnswerA

This is the proper governance approach: policy first, then technology and training.

Why this answer

Option A is correct because governance starts with policy development based on a risk assessment. Option D is reactive and may disrupt operations. Option C puts technology before policy. Option B is a partial solution.

39
MCQhard

Acme Corp, a global manufacturer, has a decentralized security governance model. Each business unit manages its own security, resulting in inconsistent policies and repeated audit findings. The new CISO proposes a federated model where a central team sets minimum standards and each unit can add local controls. However, the European unit's head insists on full autonomy due to GDPR strictness. The board is concerned about compliance costs. What should the CISO do first?

A.Implement the federated model immediately and require all units to comply
B.Allow the European unit to keep full autonomy while others follow the model
C.Conduct a risk assessment to identify where local controls are truly needed
D.Hire a GDPR expert for the European unit
AnswerC

A risk-based approach provides evidence for the federated model.

Why this answer

Option C is correct because conducting a risk assessment will identify where local controls are truly necessary and justify the federated model. Option A ignores local concerns. Option B undermines the federation goal.

Option D is a tactical fix, not strategic.

40
Multi-Selecthard

Which THREE of the following are essential components of a mature information security governance framework?

Select 3 answers
A.A formally defined and approved risk appetite statement.
B.Performance measurement and reporting mechanisms for the board.
C.Full compliance with all relevant regulatory requirements.
D.Strategic alignment between security objectives and business goals.
E.A dedicated security operations center (SOC) with 24/7 monitoring.
AnswersA, B, D

Risk appetite guides decision-making across the organization.

Why this answer

Options A, B, and D are correct. Strategic alignment (D) ensures security supports business goals, a defined risk appetite (A) sets boundaries, and performance measurement (B) enables oversight. Option E is wrong because a security operations center is an operational function, not a governance component. Option C is wrong because regulatory compliance is an outcome, not a governance framework component itself.

41
MCQhard

You are the CISO of a mid-sized e-commerce company with 500 employees. The company recently suffered a data breach where an attacker exfiltrated customer credit card data from the production database. The investigation revealed that the breach originated from a compromised developer workstation. The developer had been granted direct access to the production database for troubleshooting purposes, a practice that had been in place for years. The security governance framework currently lacks a formal process for managing privileged access. The board has asked for immediate improvements to prevent recurrence. Which course of action BEST addresses the governance gap?

A.Implement a privileged access management (PAM) solution with just-in-time access and session recording.
B.Segment the network to isolate production databases from developer workstations.
C.Conduct security awareness training for all developers on password security.
D.Deploy endpoint protection and patch management for all workstations.
AnswerA

Addresses the governance gap by formalizing and controlling privileged access.

Why this answer

The core governance gap is the lack of a formal process for managing privileged access. Implementing a Privileged Access Management (PAM) solution with just-in-time (JIT) access and session recording directly addresses this by enforcing time-bound, auditable, and approved access to the production database, eliminating standing privileges. This aligns with the principle of least privilege and provides a governance mechanism to control, monitor, and revoke elevated access, which is the root cause of the breach.

Exam trap

The trap here is that candidates confuse technical controls (segmentation, patching, training) with governance controls (policies, processes, and oversight), leading them to select a solution that mitigates symptoms rather than the root governance gap of unmanaged privileged access.

How to eliminate wrong answers

Option B is wrong because network segmentation is a technical control that reduces the attack surface but does not establish a formal governance process for managing privileged access; it does not address the lack of a policy or procedure for granting, reviewing, or revoking production database access. Option C is wrong because security awareness training focuses on user behavior and password hygiene, but it does not solve the governance deficiency of having no formal privileged access management process; the breach occurred due to standing privileges, not weak passwords. Option D is wrong because endpoint protection and patch management are essential security hygiene measures but do not create a governance framework for controlling who gets privileged access and under what conditions; they mitigate workstation compromise but not the systemic lack of access governance.

42
Matchingmedium

Match each security metric to its description.

Descriptions:

- Average time to detect an incident
- Average time to remediate an incident
- Average time between system failures
- Contractual commitment for service levels
- Indicator of risk level change

Why these pairings

Metrics used in security management.

43
Multi-Selecteasy

Which TWO of the following are primary responsibilities of the board of directors in information security governance?

Select 2 answers
A.Approving the organization's information security risk appetite.
B.Implementing security controls to mitigate identified risks.
C.Designing the technical security architecture for the organization.
D.Holding executive management accountable for the effectiveness of the security program.
E.Conducting internal security audits of the information systems.
AnswersA, D

The board sets the risk appetite.

Why this answer

Options A and D are correct. The board is responsible for approving the risk appetite (A) and ensuring executive management's performance on security (D). Option B is wrong because implementing controls is management's role.

Option C is wrong because technical security architecture is not a board function. Option E is wrong because the board oversees but does not conduct audits.

44
MCQmedium

An organization has a decentralized security governance model. The CISO is struggling to enforce consistent security policies across business units. What is the BEST approach to improve consistency?

A.Allow each business unit to define its own security policies.
B.Implement a federated model where business units have complete autonomy.
C.Mandate that all business units adopt the same security tools and processes.
D.Establish a central security governance committee with representation from each business unit.
AnswerD

Balances consistency with business unit needs.

Why this answer

In a decentralized governance model, the best approach to enforce consistent security policies without undermining business unit autonomy is to establish a central security governance committee with representation from each business unit. This federated approach ensures that policies are collaboratively developed, agreed upon, and uniformly applied, leveraging cross-unit input to balance security requirements with operational needs. It directly addresses the CISO's enforcement challenge by creating a formal, inclusive decision-making body that drives policy standardization.

Exam trap

The trap here is that candidates often confuse a federated model (Option B) with a collaborative governance committee, but the key distinction is that a federated model grants complete autonomy without central coordination, whereas a committee provides structured representation to enforce consistency.

How to eliminate wrong answers

Option A is wrong because allowing each business unit to define its own security policies would perpetuate inconsistency and fragmentation, directly contradicting the goal of improving consistency. Option B is wrong because implementing a federated model where business units have complete autonomy would remove any central oversight, making it impossible to enforce uniform security standards across the organization. Option C is wrong because mandating that all business units adopt the same security tools and processes is a rigid, top-down approach that ignores unique unit requirements and operational contexts, likely leading to resistance and non-compliance rather than genuine consistency.

45
MCQhard

After a merger, the combined organization has two different risk tolerance levels: one entity is risk-averse, the other is risk-taking. What is the best governance action?

A.Adopt the less restrictive risk tolerance
B.Maintain separate risk tolerance levels for each legacy entity
C.Adopt the more conservative risk tolerance across the board
D.Reassess risk appetite and approve a single unified statement
AnswerD

A unified risk appetite ensures consistent risk-taking aligned with strategic goals.

Why this answer

The board should reassess and approve a single, unified risk appetite statement to provide clear direction. Option B (keeping separate levels) leads to inconsistency. Option C (always using the more conservative level) may stifle innovation. Option A (using the less restrictive level) could expose the organization to excessive risk.

46
MCQhard

A multinational corporation is designing its information security governance framework. The board has requested a single metric that best indicates the effectiveness of the security program. Which metric would BEST satisfy this request?

A.Percentage of systems compliant with security baseline.
B.Number of security incidents reported per month.
C.Mean time to detect (MTTD) security events.
D.Percentage of security controls achieving their intended outcomes as validated by testing.
AnswerD

This directly measures the effectiveness of the security program.

Why this answer

Option D is correct because it provides a direct measure of how well security controls are working. Option B is an operational metric, not a strategic one. Option A is a compliance metric that does not measure effectiveness. Option C is a technical metric that may not resonate with the board.

47
MCQhard

A company's information security manager notices that several business units have implemented shadow IT systems that bypass the central security governance. Which of the following governance strategies would most effectively address this issue in the long term?

A.Conduct periodic audits to discover shadow IT and penalize non-compliant units.
B.Deploy a cloud access security broker (CASB) to discover and integrate shadow IT into the infrastructure.
C.Enforce a strict policy that prohibits any IT system without prior security approval.
D.Establish a formal process for business units to request exceptions to the standard IT policy, with risk acceptance.
AnswerD

This balances security with business agility and maintains governance visibility.

Why this answer

Option D is correct because a formal exception process allows business units to innovate while maintaining oversight. Option C is wrong because strict prohibition may drive shadow IT further underground. Option A is wrong because delayed discovery through periodic audits is not proactive governance. Option B is wrong because integration projects are one-time fixes, not a governance solution.

48
Drag & Dropmedium

Arrange the steps for deploying a security patch to critical servers in a production environment.


Why this order

Patch management involves identification, testing, backup, deployment, and verification.

49
MCQmedium

Refer to the exhibit. A security administrator reports that the VPN tunnel to the remote peer (10.1.1.1) intermittently fails. Based on the configuration, which of the following is the most likely cause?

A.Improper NAT traversal configuration
B.Mismatched IKE phase 1 parameters
C.Expired digital certificate
D.Incorrect access-list 101
AnswerA

Without NAT traversal, the tunnel may fail when the VPN traffic traverses a NAT device, causing intermittent drops.

Why this answer

The configuration is missing the 'set pfs' command and does not include NAT traversal settings. Intermittent failure often occurs when NAT is involved and no NAT traversal is configured. Option B (mismatched IKE parameters) would cause constant failure, not intermittent failure. Option D (incorrect ACL) would prevent specific traffic rather than cause intermittent drops. Option C (expired certificate) is irrelevant because a pre-shared key is used.

50
MCQmedium

BankOne has a mature security governance program but recently failed a regulatory audit because the board had not formally approved the risk appetite statement. The CISO argues that risk appetite is reviewed annually and was verbally approved. To prevent recurrence, what governance change is most effective?

A.Automate risk appetite monitoring
B.Reduce the number of risk indicators
C.Document all board approvals in minutes
D.Require board resolution for risk appetite annually
AnswerD

Ensures documented, formal approval.

Why this answer

Option D is correct because requiring a formal board resolution annually ensures documented approval. Option C is passive. Option A automates monitoring but does not address approval. Option B reduces indicators, which may be counterproductive.

51
MCQmedium

A multinational corporation is implementing a risk-based approach to information security governance. The chief information security officer (CISO) has been asked to prioritize security initiatives based on business impact. Which of the following actions should the CISO take FIRST to align security governance with business objectives?

A.Enforce multifactor authentication (MFA) for all remote access.
B.Implement a compliance management tool to track regulatory requirements.
C.Deploy a security information and event management (SIEM) system to centralize log analysis.
D.Conduct a business impact analysis (BIA) to identify critical processes and their security requirements.
AnswerD

A BIA identifies critical business processes and their dependencies, enabling risk-based prioritization.

Why this answer

Conducting a business impact analysis (BIA) is the foundational step in a risk-based governance approach because it identifies critical business processes, their recovery time objectives (RTOs), and the specific security requirements needed to protect them. Without this analysis, the CISO cannot align security initiatives with business impact, as the BIA directly links security controls to the organization's most valuable assets and operational priorities.

Exam trap

The trap here is that candidates often confuse tactical security controls (like MFA or SIEM) with the strategic governance step of first understanding business impact, leading them to select a technically correct but sequentially premature answer.

How to eliminate wrong answers

Option A is wrong because enforcing MFA for all remote access is a tactical control that should be prioritized based on BIA findings, not implemented first without understanding which processes and data are most critical. Option B is wrong because implementing a compliance management tool addresses regulatory tracking but does not establish the business impact or risk prioritization needed to align security governance with business objectives. Option C is wrong because deploying a SIEM system centralizes log analysis for detection and response, but it is a reactive measure that should be scoped and prioritized after the BIA identifies which systems and data require monitoring.

52
MCQeasy

A CISO is developing an information security governance framework for a financial institution. Which of the following is the PRIMARY purpose of such a framework?

A.Minimize risks to an acceptable level
B.Align security with business objectives
C.Ensure compliance with regulatory requirements
D.Deploy the latest security technologies
AnswerB

Governance ensures that security investments and activities support the business strategy and deliver value.

Why this answer

The primary purpose of information security governance is to ensure that security strategies are aligned with business objectives, enabling the organization to meet its goals. Option C is about compliance, which is a component but not the primary purpose. Option D focuses on technology deployment, which is operational. Option A targets risk reduction, which is an outcome but not the core purpose of governance.

53
MCQmedium

You are the IT governance officer at a regional bank with 1,200 employees. The bank has a security policy that requires annual security awareness training for all staff. However, the compliance rate is only 60%. The board is concerned about regulatory risk and wants to improve compliance. The current training is a generic online module that takes 30 minutes to complete. Employees complain that the training is boring and not relevant to their roles. The training is managed by the HR department, which sends reminders but does not enforce consequences. Which of the following is the BEST course of action to improve training compliance and governance?

A.Outsource the training to a third-party provider.
B.Increase the frequency of reminder emails from monthly to weekly.
C.Implement a learning management system (LMS) to track completion.
D.Redesign the training to be role-specific and mandate completion in the security governance framework with consequences for non-compliance.
AnswerD

Addresses both relevance and enforcement, key governance components.

Why this answer

Option D is correct because it addresses both the root cause (irrelevant training) and the governance gap (lack of enforcement). By redesigning training to be role-specific, employees see direct relevance, which improves engagement and retention. Mandating completion within the security governance framework and attaching consequences (e.g., access revocation) creates accountability, directly driving compliance from 60% toward the board's target.

Exam trap

The trap here is that candidates often mistake tracking (Option C) for enforcement, failing to recognize that governance requires both visibility and consequences to drive compliance.

How to eliminate wrong answers

Option A is wrong because outsourcing to a third-party provider does not fix the core issues of relevance or enforcement; it merely shifts the same generic content to another vendor, and without governance authority, compliance may remain low. Option B is wrong because increasing reminder frequency from monthly to weekly only amplifies a failed communication tactic; it does not address employee motivation or enforce consequences, so it is unlikely to move compliance beyond 60%. Option C is wrong because implementing an LMS to track completion provides visibility but no enforcement mechanism; without mandating completion and attaching consequences, tracking alone does not compel behavior change.

54
Multi-Selecteasy

Which TWO of the following are primary responsibilities of the board of directors with regard to information security governance? (Select exactly two.)

Select 2 answers
A.Performing vulnerability scans
B.Implementing security controls
C.Ensuring security strategy aligns with business goals
D.Approving the information security risk appetite
E.Conducting daily security monitoring
AnswersC, D

Governance responsibility.

Why this answer

Options C and D are correct. The board sets the risk appetite (D) and ensures security is integrated with business strategy (C). B is management's role. A and E are operational tasks.

55
MCQhard

A government agency is criticized for poor security governance after a data breach. An external review finds that security policies are not aligned with the agency's mission. The director wants to implement a governance framework that ties security to strategic objectives. Which framework is most suitable?

A.NIST Cybersecurity Framework
B.PCI DSS
C.COBIT 2019
D.ISO 27001
AnswerC

Specifically designed for governance and linking security to business objectives.

Why this answer

Option C is correct because COBIT is designed for governance and alignment with enterprise goals. Option D is a management system standard. Option A is operational. Option B is industry-specific.

56
MCQeasy

An organization plans to implement ISO/IEC 27001 to formalize its information security management system. Which step is most critical to ensure successful implementation?

A.Conduct a comprehensive risk assessment
B.Obtain commitment from top management
C.Develop detailed information security policies
D.Train all employees on security awareness
AnswerB

Top management involvement provides necessary resources and authority for the ISMS.

Why this answer

ISO 27001 emphasizes top management commitment as a key success factor. Without it, resources, authority, and support may be lacking. Option A (risk assessment) is important but comes after commitment. Options C (policy development) and D (training) are subsequent steps.

57
MCQhard

A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?

A.Number of security alerts triaged per day.
B.Reduction in average cost per security incident over the past year.
C.Time to patch critical vulnerabilities.
D.Percentage of systems with endpoint protection installed.
AnswerB

Directly ties security program effectiveness to financial impact.

Why this answer

The reduction in average cost per security incident directly translates security program outcomes into financial terms that resonate with the board. This metric demonstrates the program's effectiveness by quantifying the monetary value of improved prevention, detection, and response capabilities, aligning with the CISM focus on governance and business alignment.

Exam trap

The trap here is that candidates often choose a technical or operational metric (like time to patch or alert volume) because it seems directly measurable, but the CISM exam emphasizes that the board cares about business impact and financial outcomes, not technical details.

How to eliminate wrong answers

Option A is wrong because the number of security alerts triaged per day is an operational metric that measures activity volume, not effectiveness or business value; a high volume could indicate poor tuning or false positives, not a mature program. Option C is wrong because time to patch critical vulnerabilities is a technical compliance metric that measures remediation speed, not the overall security program's effectiveness in reducing business risk or cost. Option D is wrong because the percentage of systems with endpoint protection installed is a coverage metric that does not reflect the actual performance of the security controls or their impact on incident costs; it ignores detection efficacy, response quality, and business outcomes.

58
MCQeasy

Refer to the exhibit. A company implements this data classification scheme. Which risk is most likely introduced by this scheme?

A.Over-classification of data, increasing administrative burden
B.Under-classification of internal data, leading to exposure
C.Inability to audit data access
D.Inconsistent handling of confidential data
AnswerB

Without an 'Internal' label, internal data may be labeled Public, exposing it unintentionally.

Why this answer

The classification scheme lacks an 'Internal' label for data that is not public but not highly sensitive. Employees may misclassify internal data as Public or Confidential, leading to under- or over-classification. Specifically, internal data (e.g., internal memos) may be incorrectly labeled as Public (under-classification) because there is no appropriate label.

Option A (over-classification) would happen if Confidential is used for internal data, but the greater risk is under-classification of internal data.

59
MCQeasy

A retail company's security governance includes a policy that all software must be approved by a security committee. This delays critical business applications. The CIO complains. How should the CISO adjust governance?

A.Increase committee meeting frequency
B.Implement a risk-based approval process with expedited paths
C.Remove the approval requirement
D.Automate software approval
AnswerB

Speeds up low-risk approvals while maintaining security.

Why this answer

Option B is correct because a risk-based approval process with expedited paths balances security and agility. Option C removes the control. Option D automates but may not address the root cause. Option A increases frequency but not efficiency.

60
Matchingmedium

Match each security control type to its example.

Examples:

- Firewall blocking unauthorized traffic
- Intrusion detection system alerting on anomalies
- Restoring system from backup after breach
- Security warning banners on login
- Additional authentication for legacy systems

Why these pairings

Control categories in information security.

61
Multi-Select · medium

Which THREE of the following are responsibilities of the board of directors regarding information security governance?

Select 3 answers
A. Approve the information security strategy
B. Respond to security incidents
C. Conduct vulnerability scans
D. Authorize the security budget
E. Set the organization's risk appetite
Answers: A, D, E

The board ensures the strategy aligns with business goals.

Why this answer

The board is responsible for approving the security strategy, setting risk appetite, and authorizing the budget. Conducting vulnerability scans is an operational task for technical staff. Responding to incidents is management's responsibility.

62
MCQ · medium

TechStart, a cloud-based startup, has rapidly grown from 50 to 500 employees. It lacks a formal security governance structure. The CEO asks the CISO to develop one. The CISO finds that the company's culture values speed over compliance. The board expects a governance framework within three months. What is the most practical approach?

A. Implement a full COBIT framework immediately
B. Defer governance until after the next product launch
C. Start with a lean governance model, focusing on critical assets and compliance requirements
D. Focus solely on technical controls like firewalls and IAM
Answer: C

This balances speed with essential governance.

Why this answer

Option C is correct because starting with a lean governance model focusing on critical assets and compliance requirements is achievable and respects the culture. Option A is too heavy. Option D neglects governance.

Option B postpones governance and risks non-compliance.

63
MCQ · medium

A multinational corporation must comply with both GDPR and CCPA. Which governance approach is most effective?

A. Create a single rigid unified policy applicable everywhere
B. Develop a unified data protection framework with regional adjustments
C. Implement separate compliance programs for each regulation
D. Outsource compliance to a third-party service provider
Answer: B

This approach balances consistency with flexibility to address local regulations.

Why this answer

A unified data protection framework with regional adjustments allows consistency while meeting specific requirements. Option C (separate programs) increases complexity and cost. Option A (rigid unified policy) may not satisfy all local laws.

Option D (outsource) shifts responsibility but does not ensure governance effectiveness.

64
MCQ · medium

An organization is implementing a new cloud-based ERP system. Which of the following is the MOST important action for the information security manager to ensure alignment with the organization's risk appetite?

A. Conduct a risk assessment to identify and evaluate risks associated with the cloud deployment.
B. Review the cloud provider's SOC 2 report for compliance with relevant regulations.
C. Negotiate contract terms including data protection clauses with the cloud provider.
D. Develop a detailed access control policy specifically for the cloud ERP system.
Answer: A

A risk assessment directly aligns security measures with risk appetite.

Why this answer

Conducting a risk assessment (A) is the most important action because it directly evaluates the cloud ERP deployment against the organization's risk appetite, identifying, analyzing, and evaluating risks such as data exposure, vendor lock-in, and compliance gaps. This foundational step ensures that subsequent controls, contracts, and policies are aligned with the acceptable level of risk, as defined by the organization's risk tolerance thresholds.

Exam trap

The trap here is that candidates often confuse operational due diligence (like reviewing SOC 2 reports or negotiating contracts) with the strategic governance action of aligning with risk appetite, which must start with a risk assessment to define the baseline for all subsequent decisions.

How to eliminate wrong answers

Option B is wrong because reviewing a SOC 2 report is a due diligence activity that assesses the cloud provider's controls, but it does not inherently align the deployment with the organization's specific risk appetite; it only verifies compliance with predefined criteria. Option C is wrong because negotiating contract terms, while important for legal protection, occurs after risks are identified and does not ensure alignment with risk appetite without a prior risk assessment to inform those terms. Option D is wrong because developing a detailed access control policy is a tactical control implementation that addresses a subset of risks, but it does not provide the strategic alignment with risk appetite that a comprehensive risk assessment achieves.

65
Multi-Select · easy

Which TWO of the following are primary objectives of information security governance? (Choose two.)

Select 2 answers
A. Eliminate all information security risks.
B. Align security strategy with business goals.
C. Maximize profitability through security investments.
D. Ensure accountability for security decisions.
E. Achieve compliance with all applicable regulations.
Answers: B, D

Core objective of governance.

Why this answer

Option B is correct because information security governance's primary objective is to ensure that security strategy is aligned with business goals, enabling the organization to protect assets while supporting its mission. This alignment is achieved through governance frameworks like COBIT or ISO 38500, which mandate that security investments and controls are directly tied to business objectives, not isolated technical measures.

Exam trap

The trap here is that candidates confuse compliance (Option E) with governance, but CISM emphasizes that governance is about strategic alignment and accountability, not just meeting regulatory checklists, which is a common misconception in exam questions.

66
Multi-Select · easy

Which TWO of the following are typically considered key components of an information security governance framework?

Select 2 answers
A. Adoption of a formal risk management process
B. Scheduling of regular penetration tests
C. Establishment of a performance measurement system
D. Development of a detailed incident response plan
E. Implementation of specific technical controls
Answers: A, C

Risk management is a foundational governance component.

Why this answer

Correct: A and C. A risk management process (A) is core to governance, and a performance measurement system (C) ensures governance effectiveness. Option E (specific technical controls) is too narrow; D (detailed incident response plan) is operational; B (penetration testing schedule) is a tactic, not a governance component.

67
MCQ · hard

During an audit, it was found that the organization's information security policy is not being followed by business units. Which of the following is the MOST effective way for the information security manager to improve compliance?

A. Establish a policy review committee with business unit representatives to align policy with operational needs.
B. Provide additional security awareness training focused on policy requirements.
C. Escalate non-compliance to senior management for disciplinary action.
D. Increase the frequency of automated policy compliance checks.
Answer: A

Involving stakeholders increases buy-in and practical compliance.

Why this answer

The most effective way to improve compliance is to align the policy with operational realities by involving business unit representatives in a policy review committee. When policies conflict with business processes, users will bypass them; adjusting the policy to be both secure and practical increases voluntary adherence. This addresses the root cause—policy misalignment—rather than treating symptoms like lack of awareness or enforcement.

Exam trap

The trap here is that candidates often choose awareness training (B) as a quick fix, but CISM emphasizes that non-compliance due to policy misalignment requires policy revision, not just more training or enforcement.

How to eliminate wrong answers

Option B is wrong because additional awareness training assumes the non-compliance stems from ignorance, but the audit found the policy is not being followed despite likely existing training; the core issue is policy impracticality, not lack of knowledge. Option C is wrong because escalating non-compliance for disciplinary action treats the symptom (violations) without fixing the underlying policy that may be unworkable, and it can damage trust and reduce reporting of genuine issues. Option D is wrong because increasing automated compliance checks only detects violations more frequently but does not address why business units are not following the policy; it may even increase friction and shadow IT if the policy remains misaligned.

68
MCQ · medium

After a merger, two companies with different security cultures are being integrated. What is the BEST approach for the information security manager to achieve a unified governance structure?

A. Implement a regulatory framework as the baseline
B. Maintain separate frameworks until a natural convergence occurs
C. Adopt the security framework of the acquiring company
D. Develop a new framework incorporating strengths from both companies
Answer: D

Fosters buy-in and leverages existing capabilities.

Why this answer

Option D is correct because developing a new framework that incorporates the strengths of both companies is most effective. Option C is wrong because adopting the acquiring company's framework may cause resistance. Option B is wrong because maintaining separate frameworks hinders integration, and waiting for a natural convergence leads to confusion.

69
MCQ · hard

Refer to the exhibit. A security analyst reviews the ACL on the organization's border router. Based on the exhibit, which of the following is the MOST significant governance concern?

A. The ACL is applied to the outbound interface, which is ineffective for blocking inbound attacks.
B. The ACL does not include filtering for outbound traffic, which may allow spoofed internal IPs to exit the network.
C. The ACL permits any traffic after denying specific IP ranges, creating a security gap.
D. The ACL permits all traffic from private IP addresses, which could allow internal IP spoofing.
Answer: B

Outbound (egress) anti-spoofing filtering is missing, which is a governance oversight.

Why this answer

Option B is correct because the ACL shown only filters inbound traffic on the border router's external interface. Without an outbound ACL (or an inbound ACL on the internal interface), spoofed packets with internal source IP addresses can exit the network, enabling IP spoofing attacks that bypass anti-spoofing best practices (RFC 2827, BCP 38). This is a governance concern as it violates the principle of preventing source address spoofing, which is a fundamental security control for network perimeter defense.

Exam trap

The trap here is that candidates focus on the inbound ACL's content (denying private IPs) and miss the governance issue of missing outbound anti-spoofing controls, which is a classic CISM governance concern about policy compliance rather than just ACL syntax.

How to eliminate wrong answers

Option A is wrong because applying the ACL to the outbound interface is not inherently ineffective; the exhibit shows the ACL is applied inbound on the external interface, which is standard for filtering inbound traffic. Option C is wrong because the ACL explicitly denies specific IP ranges before permitting any traffic, which is a standard deny-then-permit pattern; the 'permit any' after the denies does not create a security gap if the denies are correctly placed. Option D is wrong because the ACL does not permit all traffic from private IP addresses; it denies specific private ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and permits any other traffic, which is correct for inbound filtering but does not address outbound spoofing.

70
MCQ · hard

A financial institution is designing its information security governance to comply with multiple regulations. The board has limited risk appetite. Which approach BEST ensures effective governance while minimizing conflict?

A. Assign different compliance teams for each regulation
B. Implement a harmonized control framework that maps to all regulations
C. Adopt a single regulatory framework and ignore others
D. Create separate governance committees for each regulation
Answer: B

Streamlines compliance and reduces duplication.

Why this answer

Option B is correct because a harmonized control framework that maps to all regulations reduces duplication and conflict. Option A is wrong because siloed compliance teams create inefficiency. Option C is wrong because adopting a single framework and ignoring the others may miss regulatory requirements.

Option D is wrong as separate committees without alignment cause confusion.

71
MCQ · easy

Refer to the exhibit. A security manager notices that several contractors have been granted access to a financial system without documented exceptions. Based on the policy, what is the most likely governance deficiency?

A. The policy does not specify quarterly review of access rights.
B. The data owner did not approve the exceptions.
C. Contractors should not have any access to financial systems.
D. Lack of documentation for approved exceptions.
Answer: D

The policy requires documented exceptions, which are missing.

Why this answer

Option D is correct because the policy requires exceptions to be documented, but they are not. Option B is wrong because the owners approved, but documentation is missing. Option A is wrong because the policy does not require quarterly reviews.

Option C is wrong because revoking access is a control, but the deficiency is lack of documentation.

72
Multi-Select · medium

Which THREE of the following are essential components of an information security governance framework?

Select 3 answers
A. A process for conducting security incident response.
B. Implementation of technical security controls such as firewalls.
C. Strategic alignment of security with business objectives.
D. Defined roles and responsibilities for security management.
E. Performance measurement and reporting mechanisms.
Answers: C, D, E

Governance ensures security supports business goals.

Why this answer

Strategic alignment of security with business objectives (Option C) is essential because an information security governance framework must ensure that security initiatives directly support and enable the organization's mission and goals. Without this alignment, security becomes a siloed cost center rather than a strategic enabler, leading to misallocated resources and reduced executive sponsorship. This principle is foundational to the CISM governance domain, where security is viewed as a business function, not just a technical discipline.

Exam trap

ISACA often tests the distinction between governance (strategic oversight) and management (operational execution), and the trap here is that candidates confuse operational processes like incident response or technical controls with governance framework components, leading them to select A or B instead of the correct strategic elements.

73
Multi-Select · easy

Which THREE elements are typically included in a security governance charter?

Select 3 answers
A. Budget authority
B. Incident response procedures
C. Roles and responsibilities
D. Reporting structure
E. Technical architecture diagrams
Answers: A, C, D

Governance includes resource allocation power.

Why this answer

Roles and responsibilities (C), reporting structure (D), and budget authority (A) are governance charter components. Technical diagrams (E) and incident procedures (B) are operational.

74
MCQ · hard

A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?

A. Implement strict access controls and encryption for all data.
B. Establish a risk appetite framework that defines acceptable risk levels for innovation initiatives.
C. Adopt a 'security by design' approach for all new projects.
D. Create a separate innovation sandbox with limited data access.
Answer: B

Enables informed decision-making balancing innovation and security.

Why this answer

A risk appetite framework (Option B) is the correct governance approach because it explicitly defines the level of risk the organization is willing to accept in pursuit of innovation, allowing the board to balance patient data protection with strategic growth. This framework provides a decision-making boundary for security controls, ensuring that innovation initiatives are not stifled by overly restrictive measures while still maintaining compliance with healthcare regulations like HIPAA and HITECH.

Exam trap

The trap here is that candidates often confuse tactical security controls (like encryption or sandboxes) with governance frameworks, failing to recognize that only a risk appetite framework provides the strategic balance between innovation and protection required by the board's mandate.

How to eliminate wrong answers

Option A is wrong because implementing strict access controls and encryption for all data is a tactical control measure, not a governance framework; it fails to address the board's mandate to support innovation, as blanket restrictions can hinder agile development and data sharing required for new healthcare technologies. Option C is wrong because adopting a 'security by design' approach for all new projects is a best practice for secure development, but it does not provide a governance-level mechanism to balance risk and innovation; it focuses on implementation rather than strategic risk acceptance. Option D is wrong because creating a separate innovation sandbox with limited data access is an operational tactic that isolates risk but does not establish a governance framework for the entire organization; it avoids the core issue of defining acceptable risk levels across all initiatives and may lead to shadow IT if not governed properly.

75
MCQ · medium

An information security manager is preparing a report for the board on the state of information security governance. Which of the following elements is most important to include in the report?

A. The percentage of the security budget spent on different projects.
B. Key risk indicators (KRIs) related to the organization's critical assets.
C. A log of all recent security incidents and their root causes.
D. A detailed list of all security tools and their functionalities.
Answer: B

KRIs effectively communicate risk posture and governance status to the board.

Why this answer

Option B is correct because key risk indicators provide a concise view of risk exposure and governance effectiveness. Option D is wrong because a list of all security tools is too detailed and not strategic. Option C is wrong because operational incident details are not board-level.

Option A is wrong because the budget breakdown is only one aspect; KRIs are more comprehensive.
