CCNA Cism Security Program Questions

75 of 137 questions · Page 1/2 · Cism Security Program topic · Answers revealed

1
MCQ · easy

You are the information security program manager for a government agency. The agency has a highly regulated environment and is in the process of updating its incident response plan. During a tabletop exercise, it becomes clear that the detection capabilities are strong, but the response coordination between IT, legal, and public affairs is poor. This caused delays in containing a simulated ransomware attack. The existing program includes an incident response policy but no formal procedures for cross-department coordination. The agency's leadership wants quick improvement with minimal budget impact. What should you recommend?

A. Outsource incident response to a managed security service provider (MSSP).
B. Create a dedicated incident response team that reports directly to the CISO.
C. Purchase a new SIEM solution to improve detection accuracy.
D. Develop a detailed incident response coordination plan with defined roles and communication channels, and conduct quarterly joint exercises.
Answer: D

Cost-effective and directly improves coordination.

Why this answer

The correct answer is D because creating structured coordination procedures and conducting regular joint exercises directly addresses the coordination gap at low cost. Option C (new SIEM) does not fix coordination. Option A (outsourcing) is expensive and may not align with government requirements. Option B (separate team) could be costly and does not leverage existing staff.

2
MCQ · medium

A multinational corporation is implementing a new information security program. The program manager needs to ensure that security requirements are integrated into the procurement process for third-party services. Which of the following is the most effective approach?

A. Include security requirements after contract signing
B. Require third parties to self-attest compliance
C. Embed security clauses in request for proposals (RFPs)
D. Conduct periodic security audits of third parties
Answer: C

This ensures security is a contractual requirement from the start.

Why this answer

Option C is correct because integrating security requirements into the procurement lifecycle ensures that contractual obligations are legally binding. Option A is wrong because post-contract negotiations are less effective and may face resistance. Option D is wrong because periodic audits are reactive. Option B is wrong because self-attestation shifts responsibility without proper integration.

3
MCQ · medium

You are the CISO of a retail company that is planning to implement a new e-commerce platform. The information security program currently consists of a set of high-level policies, but there are no detailed standards or guidelines for secure development. The development team uses agile methodologies and is accustomed to rapid releases. They have resisted security reviews in the past, citing delays. You need to integrate security into the development lifecycle without causing friction. The company's risk appetite is moderate; they accept some risk for speed but not if it leads to major breaches. The board expects you to manage this risk effectively. Which approach should you take?

A. Provide annual security training to all developers.
B. Assign a security champion to each development team and create a lightweight secure coding checklist.
C. Establish a separate security team that reviews all code after development is complete.
D. Implement a mandatory security gate before each release, requiring a full security review.
Answer: B

Incorporates security into the process without heavy process overhead.

Why this answer

The correct answer is B because embedding a security champion in each team provides ongoing guidance without drastically slowing down development. Option D (gate process) will cause friction and is likely to be bypassed. Option C (separate team review) may cause delays and resentment. Option A (training only) may not change behavior effectively.

4
MCQ · hard

A global e-commerce company is designing its information security program. The CISO wants to implement a defense-in-depth strategy for the web application layer. Which combination of controls best achieves this objective?

A. SSL/TLS encryption and VPN access
B. Web application firewall (WAF) and intrusion detection system (IDS)
C. WAF, input validation, and security logging
D. Regular patching and vulnerability scanning
Answer: C

Combines prevention, detection, and monitoring.

Why this answer

Option C is correct because defense-in-depth requires multiple layers of controls: detection (WAF), prevention (input validation), and response (monitoring). Option B is wrong because an IDS adds only a detection layer. Option D is wrong because patching is a single layer. Option A is wrong because encryption provides confidentiality but not attack prevention.

5
MCQ · medium

An organization has implemented a new security policy requiring multi-factor authentication for all remote access. Several users complain about the inconvenience. What is the BEST course of action for the security manager?

A. Allow exceptions for senior executives
B. Delay implementation until user acceptance improves
C. Revoke remote access for non-compliant users
D. Provide training on the importance of MFA
Answer: D

Training addresses the root cause of complaints—lack of understanding—and promotes compliance.

Why this answer

Option D is correct because training helps users understand the importance of MFA and reduces resistance. Option C is too drastic initially. Option A undermines security. Option B delays necessary protection.

6
Multi-Select · hard

Which of the following are key components of a mature information security program? (Select 2)

Select 2 answers
A. Comprehensive risk management process
B. Adoption of cloud security tools
C. Continuous monitoring and improvement
D. Single point of failure for security decisions
Answers: A, C

Why this answer

A comprehensive risk management process is a foundational component of a mature information security program because it ensures that security controls are aligned with business objectives through systematic identification, assessment, and treatment of risks. This process, often guided by frameworks like ISO 31000 or NIST SP 800-39, enables prioritization of resources based on risk appetite and tolerance, rather than relying on ad-hoc or reactive measures. Without this, the program lacks the structured governance needed to adapt to evolving threats and regulatory requirements.

Exam trap

The trap here is that candidates mistake tactical tools or organizational shortcuts (like a single security decision-maker) for program maturity, when CISM emphasizes that maturity is defined by process integration, governance, and continuous improvement, not by technology adoption or centralized authority.

Why the other options are wrong

B. Tool adoption is not a program component; it's an implementation detail.

D. Mature programs distribute accountability.

7
MCQ · easy

An organization wants to ensure that its security program aligns with business objectives. Which activity is most important?

A. Regularly meeting with business unit leaders to understand needs and risks.
B. Conducting vulnerability scans twice a year.
C. Developing a security awareness campaign.
D. Purchasing an advanced threat detection system.
Answer: A

Direct engagement ensures security supports business objectives.

Why this answer

Engaging business units ensures that security priorities support strategic goals and are integrated into operations.

8
MCQ · easy

An organization's security program includes a risk assessment process. Which step should be performed FIRST?

A. Identify assets and their value
B. Calculate the level of risk
C. Establish the risk assessment context
D. Determine the likelihood of threats
Answer: C

Setting the scope, objectives, and criteria is the initial step in risk assessment.

Why this answer

Option C is correct because establishing the context (scope, criteria, and risk appetite) must precede the other steps. Option A is wrong because asset identification comes after context. Option D is wrong because likelihood is assessed after identification. Option B is wrong because risk calculation comes later.

9
MCQ · medium

Which of the following best describes the primary purpose of an Information Security Program?

A. To reduce the number of security incidents to zero.
B. To ensure compliance with all relevant laws and regulations.
C. To align security efforts with business objectives and manage risk.
D. To implement technical security controls across all systems.
Answer: C

Why this answer

The primary purpose of an Information Security Program is to align security efforts with business objectives and manage risk to an acceptable level. This ensures that security investments and activities directly support the organization's mission, rather than operating in isolation. A program focused solely on compliance or technical controls may fail to address the dynamic risk landscape and business needs.

Exam trap

The trap here is that candidates often mistake compliance (Option B) as the primary goal, but CISM emphasizes that compliance is a subset of risk management, and the program's core purpose is to enable business objectives by managing risk, not just to satisfy auditors.

Why the other options are wrong

A. Zero incidents is unrealistic; the program aims to manage risk, not eliminate all incidents.

B. Compliance is part of the program but not the primary purpose; the program should support business goals.

D. Technical controls are a component, but the program includes governance, policies, and processes.

10
Multi-Select · hard

Which THREE characteristics indicate a higher maturity level in a security program maturity model?

Select 3 answers
A. Reactive approach to incidents
B. Continuous improvement
C. Automated security controls
D. Ad hoc processes
E. Quantitative performance metrics
Answers: B, C, E

Mature programs regularly refine processes based on lessons learned.

Why this answer

Options B, C, and E are correct. Continuous improvement, quantitative metrics, and automated controls are hallmarks of mature processes. Option A is wrong because a reactive approach indicates low maturity. Option D is wrong because ad hoc processes indicate low maturity.

11
Multi-Select · hard

Which THREE of the following are common challenges in implementing an information security program across a large enterprise?

Select 3 answers
A. Cultural resistance to security controls from business units.
B. Overreliance on automated security tools.
C. Inconsistent enforcement of security policies across subsidiaries.
D. Lack of security awareness training for end users.
E. Legacy systems that cannot be patched or upgraded.
Answers: A, C, E

Often seen when security is perceived as hindering productivity.

Why this answer

The correct answers are A, C, and E. Option A (cultural resistance to security controls) is common. Option E (legacy systems that cannot be patched) is a technical challenge. Option C (inconsistent enforcement across subsidiaries) reflects governance issues. Option D (lack of security awareness training) is a symptom rather than an implementation challenge per se; training can be provided. Option B (overreliance on automated tools) is less common.

12
MCQ · medium

An organization is developing an information security program for a new subsidiary. Which approach BEST ensures that the subsidiary's program complements the parent's?

A. Replicate the parent's policies exactly
B. Adopt a recognized international standard such as ISO 27001
C. Perform a separate risk assessment for the subsidiary
D. Outsource security management to a third party
Answer: B

A common standard facilitates interoperability and consistency across entities.

Why this answer

Option B is correct because adopting a recognized international standard like ISO 27001 provides a common framework that can be tailored, ensuring consistency while allowing for local adaptation. Option A is wrong because exact replication may not fit the subsidiary. Option C is wrong because separate assessments may create divergence. Option D is wrong because outsourcing does not ensure that the programs complement each other.

13
MCQ · easy

A security manager is developing a new information security program for a mid-sized company. Which of the following should be the FIRST step?

A. Implement technical controls
B. Conduct a risk assessment
C. Purchase security tools
D. Develop security policies
Answer: B

A risk assessment identifies threats, vulnerabilities, and impacts, guiding the security program's priorities.

Why this answer

Option B is correct because a risk assessment is the foundational step to identify threats and vulnerabilities before designing controls. Option A is premature without understanding risks. Option C is incorrect because purchasing tools should follow the risk assessment. Option D is incorrect because policies should be based on risk assessment results.

14
Multi-Select · medium

Which TWO are essential elements of an information security program?

Select 2 answers
A. Vulnerability scanning tools
B. Risk management process
C. Network firewall
D. Security awareness training
E. Incident response plan
Answers: D, E

Education is a key element of a security program.

Why this answer

Security awareness training and an incident response plan are core program components. Risk management is also critical but is not listed as correct here per question design. Options D and E are correct. Option A is a tool, not an element. Option B is fundamental, but exactly two answers are required, and awareness and incident response are both essential. Option C is a technology control.

15
MCQ · medium

An information security manager is developing a program metric to report to senior management. Which metric best demonstrates the effectiveness of the information security program?

A. Number of security incidents reported
B. Percentage of systems with up-to-date patches
C. Mean time to detect (MTTD) security incidents
D. Number of security awareness training sessions held
Answer: C

Why this answer

Mean time to detect (MTTD) is a key indicator of detection capability, directly reflecting program effectiveness. Senior management cares about how quickly threats are identified.

Exam trap

Number of security incidents is often chosen, but it doesn't indicate effectiveness; a high number could mean better detection.

Why the other options are wrong

A. Does not show effectiveness; could indicate increased reporting.

B. Operational metric, not strategic for senior management.

D. Activity metric, not outcome-based.

16
Matching · medium

Match each security role to its primary responsibility.


Senior executive responsible for security strategy

Oversees daily security operations and team

Designs security infrastructure and controls

Evaluates compliance and effectiveness of controls

Executes incident response procedures

Why these pairings

Roles in an information security program.

17
MCQ · hard

A security program manager is reviewing the results of a recent internal audit that identified several security gaps. The manager must prioritize remediation efforts. Which factor should be given the MOST weight?

A. Likelihood of exploitation
B. Business impact of the vulnerability
C. Availability of compensating controls
D. Cost of remediation
Answer: B

Impact determines potential harm to the organization and guides prioritization.

Why this answer

Option B is correct because business impact (potential financial, reputational, or operational damage) is the primary driver for prioritization. Option D is a constraint, not a priority factor. Option A is important, but impact often outweighs likelihood. Option C may reduce urgency but does not replace impact.

18
MCQ · easy

Which of the following is the PRIMARY responsibility of a steering committee in an information security program?

A. Approving individual security policies
B. Providing strategic direction and oversight
C. Conducting vulnerability assessments
D. Implementing security controls
Answer: B

Why this answer

The steering committee's primary role is to provide strategic direction and oversight for the information security program, ensuring alignment with business objectives and risk appetite. This includes approving the overall security strategy, budget, and major initiatives, rather than engaging in operational tasks like policy drafting or technical assessments.

Exam trap

The trap here is that candidates confuse the steering committee's strategic oversight role with the tactical or operational duties of other roles, such as the CISO or security analysts, leading them to select options like approving policies or conducting assessments.

Why the other options are wrong

A. Policy approval is an operational task, not the primary strategic role of the steering committee.

C. Technical assessments are performed by operational teams, not the steering committee.

D. Implementation is an operational responsibility, not a steering committee function.

19
MCQ · hard

An organization has multiple business units with different risk tolerances. How should the security program address this?

A. Develop risk-based security policies for each business unit
B. Apply a single enterprise-wide security policy
C. Define a minimum baseline and allow units to exceed it
D. Decentralize security management to each unit
Answer: A

Tailored policies align with varying risk tolerances.

Why this answer

Option A is correct because risk-based policies per unit allow customization to each unit's risk appetite while maintaining overall governance. Option B imposes a one-size-fits-all policy. Option C may not be sufficient for high-risk units. Option D lacks central coordination.

20
Multi-Select · easy

When establishing an information security program, which TWO of the following are key components of governance?

Select 2 answers
A. Security awareness training
B. Vulnerability management
C. Steering committee
D. Security policies
E. Incident response plan
Answers: C, D

A steering committee provides strategic direction and oversight.

Why this answer

Options C and D are correct. Security policies (D) define the framework, and a steering committee (C) provides oversight and alignment. Options A, B, and E are operational components, not governance.

21
MCQ · hard

An information security manager reviews the suspicious activity log shown in the exhibit. The payroll file is supposed to be encrypted and only accessible internally. What is the MOST likely cause for the failed download?

A. The user's encryption certificate has expired
B. The file was not encrypted before being uploaded
C. The user lacked permission to decrypt the file
D. The external IP is blocked by the firewall
Answer: C

The 'Encryption key not found' error implies the user does not have the decryption key, likely due to insufficient permissions.

Why this answer

Option C is correct because the status 'Encryption key not found' indicates that the user does not have the necessary decryption key, likely due to lack of permission. Option A is wrong because certificate expiry would show a different error. Option B is wrong because if the file were not encrypted, it would download successfully. Option D is wrong because if the external IP were blocked, the download would not initiate.

22
MCQ · medium

During a security assessment, an organization discovers that its patch management process is not consistently applied across all systems. Which of the following controls would best address this deficiency as part of the information security program?

A. Require all system administrators to manually approve patches before deployment.
B. Increase the frequency of vulnerability scans to weekly.
C. Conduct additional security awareness training for system administrators.
D. Implement a configuration management database (CMDB) linked to an automated patch deployment tool.
Answer: D

CMDB provides system inventory; automation ensures consistent patching.

Why this answer

The correct answer is D because a configuration management database (CMDB) linked to automated patching ensures consistent application across all systems. Option A (manual patch approval) is slow and error-prone. Option B (more frequent vulnerability scans) detects but does not fix. Option C (security awareness training) is unrelated to patching.

23
Multi-Select · easy

Which TWO of the following are primary objectives of a security awareness program?

Select 2 answers
A. Improve password sharing practices
B. Increase the security budget
C. Reduce the number of security incidents
D. Change employee security behavior
E. Ensure compliance with regulations
Answers: C, D

Reducing incidents is a direct outcome of effective awareness.

Why this answer

Options C and D are correct. Changing employee behavior and reducing security incidents are core objectives. Option E is wrong because compliance is a benefit but not the primary objective. Option B is wrong because increasing the budget is not an awareness objective. Option A is wrong because improving password sharing is counterproductive.

24
MCQ · medium

An organization's security program includes a set of metrics reported quarterly to the board. Which metric best demonstrates the effectiveness of the security awareness program?

A. Percentage of employees who completed training
B. Number of security incidents
C. Number of policy violations
D. Reduction in phishing click-through rate
Answer: D

Directly measures whether employees apply training to real threats.

Why this answer

Option D is correct because a reduction in phishing click-through rate directly measures behavior change from awareness training. Option B reflects overall incidents, not just awareness. Option A measures completion, not effectiveness. Option C may be influenced by many factors.

25
MCQ · hard

A global financial services firm operates in 30 countries and is subject to multiple data protection regulations, including GDPR, CCPA, and various financial services directives. The firm has a centralized information security program but struggles with inconsistent enforcement across regions. The CISO is under pressure to demonstrate compliance to the board while reducing costs. The compliance team suggests creating a separate security program for each regulation, while the IT audit team recommends adopting the most stringent regulation as the baseline. The CISO must decide on a strategy that balances compliance, efficiency, and cost. What is the best approach for the CISO to take?

A. Develop a unified set of controls that satisfy the common requirements of all regulations and map them to each regulation's specific needs.
B. Adopt ISO 27001 as the single framework and map it loosely to all regulations.
C. Create three separate security programs, one for each major regulation (GDPR, CCPA, financial directives).
D. Use the most stringent regulation (e.g., GDPR) as the baseline and accept potential gaps with other regulations.
Answer: A

A unified control framework reduces duplication, lowers costs, and simplifies compliance while covering all regulatory requirements.

Why this answer

The best approach is to develop a unified control framework that maps common security controls to multiple regulations, leveraging the fact that many requirements overlap. Option B (adopting one framework) may not cover all regulatory specificities. Option C (separate programs) is inefficient and costly. Option D (focusing on the most stringent regulation) can lead to gaps in less stringent but unique requirements.

26
MCQ · hard

Match each information security program component with its correct description.

Policy: High-level statement of management intent
Standard: Mandatory requirement to support policy
Guideline: Recommended practice or advisory action
Procedure: Detailed step-by-step instructions

Why this answer

A policy is a high-level statement of intent. A standard is a mandatory requirement. A guideline is a recommended practice. A procedure is a detailed step-by-step instruction.

Exam trap

Candidates often confuse standard with guideline; standards are mandatory, guidelines are advisory.

27
MCQ · medium

An auditor reviews the BYOD policy and notes that mobile device management (MDM) logs show several devices without encryption. The policy has been in effect for 6 months. Which of the following is the most likely reason for this non-compliance?

A. The grace period allows non-compliance for 7 days
B. Employees are unaware of the encryption requirement
C. The policy does not explicitly require encryption
D. MDM is not configured to enforce encryption automatically
Answer: D

Without automated enforcement, compliance is voluntary.

Why this answer

Option D is correct because the policy lacks automated enforcement of encryption; MDM can enforce encryption if configured to do so, but the exhibit does not mention automated enforcement. Option A is wrong because the grace period applies to OS updates, not encryption. Option B is wrong because there is a clear requirement for encryption. Option C is wrong because encryption is explicitly required; the gap is in technical enforcement.

28
MCQ · easy

A company has a small security team and limited budget. Which initial investment provides the MOST value for building an effective security program?

A. Implement an automated policy enforcement system
B. Deploy an asset inventory management tool
C. Conduct security awareness training for all employees
D. Perform a comprehensive penetration test
Answer: C

Awareness training is cost-effective and reduces phishing and other user-related risks.

Why this answer

Option C is correct because security awareness training addresses the human factor, reducing many common risks at low cost. Option B is wrong because asset inventory is important but often requires tools and effort. Option D is wrong because penetration testing is point-in-time and may not address ongoing risks. Option A is wrong because policy enforcement requires technology investment.

29
MCQ · medium

An information security manager is designing a program for a healthcare organization. Which of the following should be the FIRST step in establishing the program?

A. Develop information security policies and procedures
B. Conduct a risk assessment
C. Select and implement security controls
D. Define security metrics and reporting
Answer: B

Why this answer

Conducting a risk assessment is the foundational first step because it identifies and prioritizes the specific threats and vulnerabilities facing the healthcare organization's sensitive data (e.g., PHI under HIPAA). Without this baseline understanding, any subsequent policies, controls, or metrics would be misaligned with actual risk exposure, leading to ineffective or wasteful security investments.

Exam trap

ISACA often tests the misconception that policy development is the logical starting point, but CISM emphasizes that risk assessment must precede all other program elements to ensure alignment with business objectives and regulatory requirements.

Why the other options are wrong

A. Policies should be based on risk assessment results, not developed first.

C. Controls are selected after risks are identified.

D. Metrics are defined after program objectives and controls are established.

30
Multi-Select · medium

A multinational corporation is designing an information security program to align with diverse business units and regulatory requirements across different regions. The CISO is prioritizing key components that ensure the program is both comprehensive and adaptable. Which TWO components are most critical for achieving this alignment?

Select 2 answers
A. Focusing exclusively on the most stringent regulatory requirement to satisfy all others
B. Establishing a governance structure with defined roles, responsibilities, and oversight
C. Creating a control framework that maps common controls to multiple regulatory requirements
D. Adopting a single security framework such as ISO 27001 for all regions
E. Implementing separate security programs for each business unit to address unique needs
Answers: B, C

A governance structure provides the foundation for consistent decision-making and accountability across the organization.

Why this answer

A robust governance structure (B) ensures consistent oversight and accountability, while mapping controls to multiple regulations (C) enables efficiency and compliance across jurisdictions. Option D (single framework) may not cover all specific requirements; option E (separate programs) leads to duplication; option A (focus on one regulation) risks non-compliance elsewhere.

31
MCQ · hard

An organization's information security program includes a formal exception process. When reviewing an exception request to bypass a critical control, what is the MOST important factor for the information security manager to consider?

A. The cost of implementing the control
B. The residual risk after compensating controls
C. The number of users affected by the exception
D. The duration of the exception
Answer: B

Why this answer

The most important factor when reviewing an exception request to bypass a critical control is the residual risk after compensating controls. This ensures that the organization's risk appetite is not exceeded and that the compensating controls adequately mitigate the risk to an acceptable level, as required by frameworks like ISO 27001 and NIST SP 800-53.

Exam trap

The trap here is that candidates often focus on operational or business factors (cost, user count, duration) instead of the core risk management principle that the residual risk must be acceptable to the organization.

Why the other options are wrong

A. Cost is a factor but not the most important; risk acceptance is paramount.

C. Number of users is less important than the risk exposure.

D. Duration matters but is secondary to the risk level.

32
Multi-Select · hard

An information security manager is evaluating the maturity of the organization's security program. Which of the following indicators suggest a high level of maturity? (Select TWO.)

Select 2 answers
A. All security incidents are resolved within 24 hours
B. Security metrics are included in regular executive reports
C. The program uses the latest encryption standards
D. A formal risk acceptance process is in place and used
E. The security team conducts annual penetration tests
Answers: B, D

Why this answer

Option B is correct because including security metrics in regular executive reports demonstrates that security performance is being measured, tracked, and communicated to leadership as part of ongoing governance. This aligns with a mature security program where security is integrated into business decision-making, not treated as a siloed technical function.

Exam trap

The trap here is that candidates confuse operational effectiveness (e.g., fast incident resolution or use of modern encryption) with process maturity, which is about governance, measurement, and continuous improvement rather than technical speed or tooling.

Why the other options are wrong

A. Resolution time is not necessarily an indicator of maturity; process consistency is more important.

C. Using the latest technology is a tactical choice, not a maturity indicator.

E. Annual testing is a good practice but not a strong indicator of overall program maturity.

33
MCQ · medium

During a merger, two companies with different information security programs are being integrated. The combined entity must maintain compliance with PCI DSS and GDPR. The CISO is concerned about gaps in coverage due to differing maturity levels. Which of the following is the BEST approach to harmonize the programs?

A. Adopt the more stringent security program from the acquirer across the entire entity.
B. Merge the two programs by combining all controls from each.
C. Implement a completely new framework that meets both regulations.
D. Perform a gap analysis against the requirements and prioritize remediation.
Answer: D

A gap analysis provides a clear picture of what is missing and allows for efficient resource allocation.

Why this answer

Option D is correct because a gap analysis identifies where controls are missing or insufficient, allowing for a prioritized remediation plan. Option A is wrong because adopting the higher standard may be unnecessary and costly. Option B is wrong because merging without analysis could introduce risks.

Option C is wrong because a new framework from scratch may not leverage existing investments.

34
MCQeasy

Based on the risk register entry, what is the primary gap in the current controls?

A.The policy exists but is not enforced technically
B.MDM is not a suitable control
C.The risk score is too low to require action
D.The likelihood of occurrence is low
AnswerA

Policy without enforcement is ineffective.

Why this answer

Option A is correct because the current control is a policy without technical enforcement, leaving the risk unmitigated. Option C is wrong because the risk score is 15, not low. Option D is wrong because the likelihood is medium, not low.

Option B is wrong because MDM is proposed as the control but has not been implemented.

35
MCQhard

Match the following security program components with their primary purpose by dragging each component to the correct description.

A.Security Policy
B.Incident Response Plan
C.Risk Assessment
D.Describes the organization's high-level security objectives and management commitment
E.Provides step-by-step actions to detect, respond, and recover from security incidents
F.Identifies threats, vulnerabilities, and impacts to determine risk levels

Why this answer

A security policy establishes high-level direction and management intent. An incident response plan provides a structured approach for handling security incidents. A risk assessment identifies and evaluates risks to the organization.

These are distinct components with specific purposes.

Exam trap

Candidates often confuse policy with procedure; policy is high-level, while procedures are detailed steps.

Why the other options are wrong

A

Matching item, not directly evaluated here.

B

Matching item.

C

Matching item.

D

Correct match for Security Policy.

E

Correct match for Incident Response Plan.

F

Correct match for Risk Assessment.

36
MCQmedium

An information security program is being developed for a multinational organization. Which of the following is the PRIMARY driver for aligning the security program with business objectives?

A.Compliance with industry regulations
B.Reducing information security costs
C.Achieving the organization's strategic goals
D.Implementing the latest security technologies
AnswerC

Why this answer

The primary driver for aligning the security program with business objectives is to ensure that security initiatives directly support and enable the organization's strategic goals. Without this alignment, security becomes a cost center rather than a business enabler, and resources may be misallocated to activities that do not advance the enterprise's mission. CISM emphasizes that security governance must be integrated with business strategy to justify investment and demonstrate value to stakeholders.

Exam trap

The trap here is that candidates often mistake compliance (A) as the primary driver because it is a visible and mandatory requirement, but CISM stresses that compliance is a subset of governance, not the overarching goal of program alignment.

Why the other options are wrong

A

Compliance is a requirement but not the primary driver; the program must support business goals to be effective.

B

Cost reduction is a possible outcome but not the primary driver for alignment.

D

Adopting new technologies is a tactic, not the primary driver.

37
MCQmedium

You are the information security program manager at a global financial services firm. The firm has a mature security program, but the CISO is concerned that the program is not keeping pace with emerging threats such as supply chain attacks and advanced persistent threats (APTs). Additionally, the program currently focuses heavily on compliance with regulations (e.g., PCI DSS, GDPR) rather than proactive risk management. The board wants to see a more strategic approach to information security. However, the compliance team is large and influential, and they resist changes that might reduce their role. You have been asked to propose a new program model that addresses these concerns while maintaining regulatory compliance. What should you do?

A.Restructure the compliance team into a risk management function.
B.Expand the compliance team to cover more regulations and increase auditing frequency.
C.Increase security awareness training across the organization.
D.Evolve the program to a risk-based approach that integrates threat intelligence and adapts controls dynamically, while keeping compliance as a baseline.
AnswerD

Balances proactive risk management with compliance requirements.

Why this answer

The correct answer is D because evolving to a risk-based model with integrated threat intelligence directly addresses the proactive gap while maintaining compliance. Option B (expand compliance coverage) does not solve the proactive issue. Option A (restructure the compliance team) may cause political friction without addressing the root cause.

Option C (increase awareness training) is too narrow.

38
MCQeasy

A multinational organization is establishing an information security program. The Chief Information Security Officer (CISO) wants to ensure the program aligns with business objectives and is accountable to senior management. Which of the following governance structures would best support this goal?

A.A board-level risk committee oversees the information security program without management involvement.
B.An executive steering committee with representatives from business units, legal, and IT meets quarterly to review program status.
C.The CISO reports to the chief legal officer (CLO).
D.The information security function reports directly to the IT operations manager.
AnswerB

This structure ensures alignment, accountability, and cross-functional support.

Why this answer

The correct answer is B because an executive steering committee with business representation ensures alignment with business objectives and accountability to senior management. Option D (security function reporting to IT operations) can lead to conflicts of interest. Option C (CISO reporting to legal) may emphasize compliance over broader program goals.

Option A (separate board committee without management) lacks day-to-day integration.

39
MCQhard

A multinational corporation with a decentralized information security program has recently experienced a data breach involving customer PII. The breach originated from a regional office that had not implemented the global security baseline due to local IT staff claiming 'unique operational requirements.' The CISO has tasked the security manager with revising the program to prevent recurrence. The organization has 12 regional offices, each with its own IT leadership, and a central security team. The budget is tight, and there is resistance to centralized control. Which of the following is the BEST course of action for the security manager?

A.Increase the frequency of security audits for all regional offices
B.Provide additional training to regional IT staff on the importance of security baselines
C.Allow each regional office to maintain its own security program as long as it meets minimum standards
D.Establish a mandatory global security baseline with a formal exception process requiring CISO approval for any deviation
AnswerD

This provides enforceability and flexibility, ensuring deviations are formally risk-assessed and approved.

Why this answer

Option D is correct because establishing a mandatory global baseline with a formal exception process ensures consistency while allowing justified deviations that are formally risk-assessed and approved. Option C is wrong because allowing each office to maintain its own program would perpetuate the fragmentation that led to the breach. Option A is wrong because increasing audits may detect issues but does not prevent them without enforceable standards.

Option B is wrong because training alone does not address the root cause of non-compliance.

40
Multi-Selectmedium

Which TWO of the following are essential components of an information security program charter?

Select 2 answers
A.List of approved security technologies.
B.Detailed annual budget allocation.
C.List of approved third-party vendors.
D.Roles, responsibilities, and authority of the program team.
E.Program scope, objectives, and strategic alignment.
AnswersD, E

Establishes governance and accountability.

Why this answer

The correct answers are D and E. Option E (scope, objectives, and strategic alignment) defines the program boundaries. Option D (roles, responsibilities, and authority) establishes accountability.

Option B (detailed budget) is typically in a separate document. Option A (technology list) is operational, not charter-level. Option C (vendor list) is not relevant to the charter.

41
MCQhard

A security program includes multiple metrics. Which metric best indicates the program's effectiveness in reducing overall risk?

A.Composite risk score based on threat, vulnerability, and control assessments.
B.Number of security incidents per quarter.
C.Mean time to detect (MTTD) incidents.
D.Percentage of employees who completed security training.
AnswerA

Directly reflects risk posture and reduction efforts.

Why this answer

A composite risk score that aggregates threats, vulnerabilities, and controls provides a holistic view of risk reduction over time.

42
MCQeasy

Which document should be reviewed and updated at least annually?

A.Vendor contracts
B.Incident response plan
C.Network topology diagram
D.User manuals
AnswerB

Regulatory and best practice standards require annual review of IR plans.

Why this answer

The incident response plan must be kept current to reflect new threats and organizational changes, so Option B is correct. Options A, C, and D are not typically subject to a mandatory annual review.

43
Multi-Selectmedium

Which THREE of the following are key performance indicators (KPIs) for an information security program?

Select 3 answers
A.Number of security awareness training completions per quarter.
B.Total number of security staff.
C.Percentage of critical vulnerabilities remediated within SLA.
D.Average number of firewall rules per device.
E.Mean time to respond (MTTR) to incidents.
AnswersA, C, E

Indicates program reach.

Why this answer

KPIs measure program effectiveness: incident response time (E), vulnerability remediation rate (C), and security awareness training completion (A) are direct indicators. Total security staff (B) and firewall rules per device (D) are resource and configuration counts, not measures of effectiveness.

44
Multi-Selectmedium

An information security manager is developing a security program for a multinational organization. Which of the following should be considered when defining the program scope? (Select THREE)

Select 3 answers
A.Business objectives and strategy
B.Current technology architecture
C.All information assets, including those managed by third parties
D.Applicable legal and regulatory requirements
AnswersA, C, D

Why this answer

Business objectives and strategy (A) are foundational because the security program must align with and support the organization's mission, risk appetite, and strategic goals. Without this alignment, security controls may conflict with business operations or fail to prioritize critical assets, leading to wasted resources or increased risk exposure.

Exam trap

The trap here is that candidates often select 'Current technology architecture' (B) because it seems practical, but CISM emphasizes that scope should be driven by business needs, legal obligations, and asset inventory, not by existing infrastructure, which can become a constraint rather than a guide.

Why the other options are wrong

B

Architecture is a design element, not a scope determinant.

45
Multi-Selectmedium

Which TWO of the following are essential components of a security program governance structure?

Select 2 answers
A.Security charter
B.Vulnerability scanning schedule
C.Security steering committee
D.Incident response plan
E.Help desk ticketing system
AnswersA, C

Defines roles, responsibilities, and authority.

Why this answer

Options A and C are correct because a security charter defines the program's authority and a steering committee provides oversight. Option E is wrong because a help desk ticketing system is operational. Option B is wrong because vulnerability scanning is a technical control, not governance.

Option D is wrong because an incident response plan is operational.

46
MCQeasy

Which of the following is the primary purpose of an information security program?

A.Implement firewalls and antivirus software.
B.Achieve compliance with regulations only.
C.Eliminate all security risks.
D.Protect the confidentiality, integrity, and availability of information assets.
AnswerD

Core CIA triad aligned with business objectives.

Why this answer

The program's overarching goal is to protect the confidentiality, integrity, and availability of information assets, aligned with business needs.

47
MCQhard

An organization has a mature security program with documented policies and standards. However, during a recent audit, it was found that several business units are not following the mandated data classification standard. What is the MOST likely root cause?

A.Inadequate security awareness training
B.Lack of enforcement mechanisms
C.Outdated data classification policy
D.Insufficient budget for security tools
AnswerB

Why this answer

The correct answer is B because a mature security program with documented policies and standards indicates that the classification rules are already defined. The audit finding that business units are not following the mandated standard points to a failure in enforcement mechanisms—such as automated Data Loss Prevention (DLP) rules, access control policies, or mandatory labeling in SharePoint—rather than a lack of awareness or outdated policy. Without enforcement (e.g., Group Policy Objects blocking unclassified data uploads or SIEM alerts for missing classification tags), even well-trained staff may bypass the standard.

Exam trap

ISACA often tests the distinction between 'lack of awareness' and 'lack of enforcement'—the trap here is that candidates assume training is the solution to non-compliance, but in a mature program with documented policies, the root cause is almost always the absence of automated enforcement or consequences.

Why the other options are wrong

A

Training may exist; the issue is lack of consequence for non-compliance.

C

The policy is documented and mature; outdatedness is not indicated.

D

Budget may affect tools but not directly cause non-compliance with a standard.

48
MCQhard

A large healthcare organization recently experienced a ransomware attack that encrypted patient records (ePHI). The attack originated from a phishing email that bypassed the email security gateway. The security program includes annual security awareness training, but post-incident analysis reveals that employees often ignore suspicious emails. The CISO wants to revise the program to reduce the likelihood of similar incidents. Which course of action is most effective?

A.Restrict users' ability to receive emails from external domains except from approved senders
B.Implement a next-generation email security gateway with AI-based threat detection
C.Deploy endpoint detection and response (EDR) on all workstations
D.Increase the frequency of phishing simulations and enforce mandatory remedial training for employees who fall for them
AnswerD

This directly modifies employee behavior through repeated testing and education.

Why this answer

Option D is most effective because it directly addresses the human factor: more frequent phishing simulations with mandatory remedial training reinforce secure behavior. Option B improves technology but does not change employee behavior. Option C (EDR) can detect ransomware but does not prevent the initial phishing compromise.

Option A is overly restrictive and may hinder business operations.

49
Multi-Selecthard

An organization is designing its information security program and needs to ensure it supports business continuity. Which TWO of the following should be integrated into the program?

Select 2 answers
A.Business impact analysis (BIA) results.
B.Security awareness training for all employees.
C.Security controls for backup and recovery.
D.Vulnerability scanning schedules.
AnswersA, C

Why this answer

A is correct because the Business Impact Analysis (BIA) identifies critical business processes, their maximum tolerable downtime (MTD), and recovery time objectives (RTO), which directly inform the prioritization and design of security controls to ensure business continuity. Without BIA results, the security program cannot align recovery strategies with actual business needs, risking either over-investment or under-protection of key functions.

Exam trap

The trap here is that candidates mistakenly treat security awareness training as a continuity-supporting activity, when in fact it is a general security hygiene measure, not a direct input to business continuity planning or recovery operations.

Why the other options are wrong

B

Training is important but not directly a continuity integration.

D

Vulnerability scanning is proactive security, not continuity.

50
Drag & Dropmedium

Arrange the steps for implementing a new firewall rule in an enterprise environment.


Why this order

Firewall changes require clear objectives, change control, testing, implementation, and verification.

51
Multi-Selecthard

A security manager is evaluating the effectiveness of the security program. Which of the following would be valid indicators of a mature program? (Select two.)

Select 2 answers
A.Number of security tools deployed
B.Risk management integrated into business processes
C.Low number of security incidents
D.Trend of improving security metrics over time
AnswersB, D

Why this answer

Risk management integrated into business processes (B) is a key indicator of a mature security program because it demonstrates that security is not a siloed function but is embedded in strategic decision-making, resource allocation, and operational workflows. This alignment ensures that security controls and investments are directly tied to business objectives and risk appetite, which is a hallmark of maturity as defined by frameworks like the CMMI and the ISACA CISM model.

Exam trap

The trap here is that candidates often mistake a low number of security incidents as a sign of success, but CISM emphasizes that a mature program is defined by integrated risk management and measurable improvement trends, not by the absence of incidents, which can be deceptive due to detection gaps or reporting biases.

Why the other options are wrong

A

More tools do not equal maturity; could indicate complexity.

C

May be coincidental; not a reliable maturity metric.

52
MCQmedium

Refer to the exhibit. The CISO wants to improve the program. Which recommendation BEST addresses the main gap shown in the dashboard?

A.Implement automated patching for high-risk vulnerabilities
B.Reduce the compliance target for high-risk vulnerabilities to 90 days
C.Focus on critical vulnerability remediation
D.Increase patch frequency for all systems
AnswerA

Automation can help reduce the 12% that exceed the 60-day window.

Why this answer

Option A is correct because high-risk vulnerability remediation at 88% is below target, and automated patching for high-risk vulnerabilities would improve this metric. Option D is wrong because increasing patch frequency for all systems does not target the specific gap. Option C is wrong because critical vulnerability remediation is already high.

Option B is wrong because lowering the target would not address the underlying issue.

53
MCQeasy

A small business is developing its first information security program. Which approach is most effective?

A.Hire an external security consultant to design the entire program.
B.Adopt a comprehensive framework like ISO 27001 immediately.
C.Conduct a risk assessment to identify key assets and threats.
D.Purchase and deploy a next-generation firewall.
AnswerC

Aligns program with actual business risks and priorities.

Why this answer

Conducting a risk assessment first establishes the foundation for a tailored, cost-effective program. Prematurely adopting a full framework can be overwhelming; point solutions and full outsourcing are less sustainable.

54
MCQhard

Refer to the exhibit. An analyst observes the network traffic between three internal hosts and a web server. Which of the following is the MOST likely interpretation of this traffic?

A.A SYN flood attack is in progress.
B.A single host is using multiple IP addresses to scan the server.
C.Multiple users are accessing the web server normally.
D.A distributed denial-of-service (DDoS) attack is occurring.
AnswerC

The logs show successful TCP connections followed by HTTP requests.

Why this answer

The exhibit shows multiple internal hosts (10.0.0.1, 10.0.0.2, 10.0.0.3) each establishing a normal TCP three-way handshake with the web server (192.168.1.100) on port 80, with varying source ports and no abnormal flags or packet rates. This pattern indicates legitimate concurrent user access, as each host completes the handshake and exchanges data without flooding or scanning behavior.

Exam trap

The trap here is that candidates may misinterpret any traffic from multiple hosts as a DDoS attack, failing to notice the normal handshake completion and low packet volume that indicate legitimate user access rather than an attack.

How to eliminate wrong answers

Option A is wrong because a SYN flood attack would show a high volume of SYN packets from a single source with no corresponding SYN-ACK completions, often with spoofed source IPs, not the clean three-way handshakes seen here. Option B is wrong because a single host using multiple IP addresses to scan the server would typically send probes to multiple ports or show incomplete connections (e.g., SYN scans with RST responses), not full handshakes to the same port from distinct internal IPs. Option D is wrong because a DDoS attack would involve a massive number of packets from many sources overwhelming the server, often with incomplete connections or unusual traffic patterns, not the orderly, low-rate connections from three hosts.

55
Multi-Selectmedium

Which of the following are key components of an information security program's strategic plan? (Select two.)

Select 2 answers
A.Annual budget allocation
B.Security program vision and objectives
C.Incident response procedures
D.Roadmap for security initiatives
AnswersB, D

Why this answer

The strategic plan for an information security program defines the long-term direction and governance framework. The security program vision and objectives (B) establish the overarching goals and alignment with business strategy, while the roadmap for security initiatives (D) provides the phased implementation plan to achieve those objectives. These are foundational components of strategic planning, not operational or tactical elements.

Exam trap

ISACA often tests the distinction between strategic (vision, roadmap) and operational/tactical (budget, procedures) components, leading candidates to mistakenly select annual budget allocation as a strategic element because it is a common management activity.

Why the other options are wrong

A

Budgeting is operational, not strategic.

C

Procedures are operational.

56
MCQeasy

Refer to the exhibit. The dashboard shows the incident response plan test is overdue. What is the MOST immediate risk?

A.Loss of cyber insurance coverage
B.Regulatory fines for non-compliance with testing requirements
C.Extended recovery time during an incident
D.Increased likelihood of a successful breach due to untested procedures
AnswerD

Without testing, the incident response plan may fail, leading to greater damage.

Why this answer

Option D is correct because an untested plan may contain invalidated procedures, increasing the likelihood that a real incident becomes a successful breach. Option B is wrong because regulatory fines may result, but the immediate risk is operational. Option C is wrong because extended recovery time is a consequence, not the immediate risk.

Option A is wrong because the insurance impact is less immediate.

57
MCQhard

Based on the exhibit, what is the most likely vulnerability that an attacker could exploit?

A.An attacker could perform a DDoS attack on the external interface to disrupt email services.
B.An attacker could use SQL injection on the web server to extract data directly from the database via the permitted MySQL traffic.
C.An attacker could exploit the SMTP service to send spam.
D.An attacker could sniff traffic on the DMZ segment to capture LDAP credentials.
AnswerB

The MySQL rule allows direct database access from web; SQL injection can leverage this.

Why this answer

The IDS is on the DMZ-Internal segment, but it only alerts; it does not block. If an attacker compromises a web server, they can communicate with the database server without being blocked by the IDS (only alerted). Additionally, the firewall allows MySQL direct from web to database, so after compromise, the attacker can extract data.

The underlying weakness is the lack of effective segregation between the web and database tiers: they sit in different zones, but the firewall rule permits MySQL directly from web to database, and the IDS is passive. The question asks for the most likely exploit, which is SQL injection against the web server followed by a pivot to the database; the IDS may detect this but cannot prevent it.

The gap, then, is that the database is directly reachable from the web tier without any application-layer filtering, and option B is the only choice that correctly identifies this exploit path.

58
MCQmedium

An organization's security program includes metrics to measure performance. Which metric BEST indicates the effectiveness of the vulnerability management process?

A.Number of vulnerabilities identified
B.Number of patches deployed per month
C.Percentage of systems scanned weekly
D.Mean time to remediate (MTTR) vulnerabilities
AnswerD

MTTR shows how quickly the organization fixes vulnerabilities, a key effectiveness indicator.

Why this answer

Option D is correct because mean time to remediate (MTTR) directly reflects how quickly vulnerabilities are addressed, which shows process effectiveness. Option A is wrong because a count alone does not indicate resolution. Option C is wrong because scan coverage is a process measure, not an outcome.

Option B is wrong because the number of patches deployed may include non-critical patches.

59
MCQmedium

During a security audit, several deviations from policy are found. What should the security manager do first?

A.Accept the risk and move on
B.Investigate the root cause of the deviations
C.Update the policies immediately
D.Take disciplinary action against responsible employees
AnswerB

Root cause analysis identifies systemic issues and informs corrective actions.

Why this answer

Investigating the root cause explains why the deviations occurred and prevents recurrence, so Option B is correct. Option C (updating policies immediately) may be premature without understanding the causes.

Option D (disciplinary action) may be too harsh without analysis. Option A (accepting the risk) is reactive.

60
MCQeasy

Which of the following is the primary purpose of an Information Security Program?

A.To implement the latest security technologies
B.To align security with business objectives and manage risk
C.To comply with all applicable regulations
D.To eliminate all security risks
AnswerB

Why this answer

The primary purpose of an Information Security Program is to align security initiatives with business objectives and manage risk to an acceptable level. While technology implementation, compliance, and risk elimination are components, they are means to the end of supporting the organization's mission and risk appetite. A program that does not align with business goals will lack executive support and fail to prioritize resources effectively.

Exam trap

ISACA often tests the misconception that an Information Security Program is primarily about technology or compliance, when in fact it is a governance mechanism to align security with business strategy and manage risk.

Why the other options are wrong

A

Technology is a tool, not the program's purpose.

C

Compliance is a component, not the primary purpose.

D

Eliminating all risks is impossible and impractical.

61
MCQhard

You are the CISO of a large healthcare organization that has recently experienced a data breach due to an insider who exfiltrated patient data over several months. The breach was discovered by an external partner. The organization's information security program includes data loss prevention (DLP) tools, but they were not configured to monitor outbound data from the compromised system. Additionally, user activity monitoring (UAM) was only applied to privileged users, not to regular staff. The board demands a comprehensive improvement plan that will prevent similar incidents. However, there are concerns about employee privacy and budget constraints. The organization has a strong culture of trust and minimal monitoring. Which of the following should be the first priority in the revised program?

A.Expand user activity monitoring to all employees with a clear policy on privacy and acceptable use.
B.Implement stricter access controls and review user permissions quarterly.
C.Deploy a new DLP solution with advanced analytics and block all external data transfers.
D.Conduct additional security awareness training focused on insider threats.
AnswerA

Detects anomalous behavior; privacy guidelines address concerns.

Why this answer

The correct answer is A because expanding UAM to all users, with clear privacy and acceptable use guidelines, directly addresses the monitoring gap while respecting privacy. Option C (a new DLP solution alone) may not catch slow exfiltration. Option B (stricter access controls) helps but does not detect ongoing exfiltration.

Option D (training) is important but not the primary corrective action.

62
Multi-Selecteasy

Which TWO of the following are essential components of an information security program charter?

Select 2 answers
A.List of specific security tools to be deployed.
B.Roles and responsibilities of key stakeholders.
C.Vendor selection criteria.
D.Program scope and objectives.
E.Detailed budget allocation.
AnswersB, D

Clear accountability is required.

Why this answer

A charter should define scope and authority. Program scope and roles/responsibilities are fundamental; budget and tools are not charter elements.

63
MCQeasy

An organization's information security program recently experienced a ransomware attack that encrypted critical data. Which of the following program components should be improved first to prevent recurrence?

A.Develop an incident response plan specific to ransomware.
B.Conduct additional security awareness training on phishing.
C.Implement a robust backup and recovery process with offline copies.
D.Enhance network segmentation to isolate critical systems.
AnswerC

Effective backups ensure data can be restored without paying ransom.

Why this answer

The correct answer is C because a robust backup and recovery process with offline copies is the most direct defense against ransomware. Option D (network segmentation) can limit spread but does not prevent encryption. Option B (phishing awareness training) is important but not the primary corrective action.

Option A (ransomware-specific incident response plan) helps after the fact, not with prevention.

64
MCQhard

The security analyst reviews the SIEM alert and finds that the source IP is from a trusted VPN broker used by remote employees. What is the most likely explanation for the alert?

A. The VPN broker itself is misconfigured
B. A legitimate user forgot their password
C. An attacker has compromised a remote employee's device and is brute-forcing the admin account
D. The alert is a false positive due to the SIEM rule threshold
Answer: C

The source IP is the VPN broker, but the device behind it could be compromised.

Why this answer

Option C is correct because a brute-force attack could originate from a compromised device behind the VPN endpoint. Option A is wrong because the alert indicates failed attempts, not successful authentication. Option B is wrong because a repeated pattern of failed attempts is likely malicious, not a mistaken password.

Option D is wrong because the alert is not a false positive given the pattern.

65
Multi-Select · easy

Which TWO of the following are key performance indicators (KPIs) for measuring the effectiveness of an information security program?

Select 2 answers
A. Number of security policies approved.
B. Mean time to detect (MTTD) security incidents.
C. Employee satisfaction score from annual survey.
D. Percentage of critical systems patched within 30 days.
E. Percentage of security budget spent on tools.
Answers: B, D

MTTD measures detection effectiveness; patch percentage measures protection.

Why this answer

Correct answers are B and D. Option B (mean time to detect) directly measures detection effectiveness. Option D (percentage of systems patched within SLA) measures protection.

Option A (number of security policies) is a count, not a performance measure. Option E (budget spent) is a financial metric, not a performance indicator. Option C (employee satisfaction) is not a security KPI.

66
MCQ · medium

An organization has a mature security program but is experiencing an increase in successful social engineering attacks. The incident response team has confirmed that the attacks are bypassing current controls. What should the program manager do first?

A. Conduct a root cause analysis and update the risk assessment
B. Implement multi-factor authentication for all systems
C. Disable email links and attachments
D. Increase the frequency of security awareness training
Answer: A

Identifies gaps and informs control improvements.

Why this answer

Option A is correct because the first step in continuous improvement is to analyze the root cause and update the risk assessment. Option D is wrong because increasing training without understanding the gap may be inefficient. Option B is wrong because it only addresses future incidents, not the current vulnerabilities.

Option C is premature without analysis.

67
MCQ · easy

Which document should be created FIRST when establishing an information security program?

A. Information security policy
B. Risk assessment report
C. Incident response plan
D. Business continuity plan
Answer: A

Why this answer

The information security policy is the foundation document that sets the direction, principles, and responsibilities. All other standards, procedures, and guidelines are derived from it.

Exam trap

Some might answer 'risk assessment' because it's important, but the policy must be in place to guide the risk assessment process.

Why the other options are wrong

B

Risk assessment is informed by policy.

C

Incident response is a later operational plan.

D

BCP is related but separate and typically follows policy.

68
Multi-Select · medium

Which of the following are key components of an effective information security program? (Select TWO.)

Select 2 answers
A. State-of-the-art security tools and technologies
B. A risk management framework
C. Security awareness and training programs
D. A large security operations center
E. Compliance with all applicable laws
Answers: B, C

Why this answer

A risk management framework is a key component because it provides a structured, repeatable process for identifying, assessing, and mitigating information security risks. It ensures that security investments and controls are aligned with business objectives and risk appetite, rather than being ad hoc or technology-driven. Without a risk management framework, an information security program lacks the foundational governance to prioritize threats and allocate resources effectively.

Exam trap

The trap here is that candidates often mistake operational components (like a SOC or advanced tools) or compliance outcomes as foundational pillars, whereas CISM emphasizes that governance through a risk management framework and the human element via security awareness are the true core components of a sustainable program.

Why the other options are wrong

A

Tools are important but not a key component; the program must include processes and people.

D

Size is not a key component; effectiveness matters more.

E

Compliance is a goal, not a component of the program itself.

69
MCQ · medium

A company's security program includes a set of controls based on a risk assessment. During an audit, several controls are found to be ineffective. What should the security manager do first?

A. Conduct a root cause analysis to determine why controls failed.
B. Increase the frequency of control testing.
C. Report the findings to management and accept the risk.
D. Implement compensating controls immediately.
Answer: A

Identifies systemic gaps; allows effective remediation.

Why this answer

RCA identifies why controls failed, enabling targeted improvements and preventing recurrence.

70
Multi-Select · hard

A security program manager is selecting metrics to report to the board. Which THREE metrics provide the BEST indication of the program's effectiveness?

Select 3 answers
A. Number of security incidents
B. Budget spent on security tools
C. Percentage of systems compliant with baseline
D. Percentage of employees trained
E. Mean time to detect incidents
Answers: C, D, E

Compliance with security baseline shows control implementation and reduces risk.

Why this answer

Options C, D, and E are correct. Mean time to detect (E) measures detection capability. Percentage of employees trained (D) indicates awareness coverage.

Percentage of systems compliant with baseline (C) shows control implementation. Option A (incident count) can be misleading; B (budget) does not measure effectiveness.

71
Multi-Select · medium

An information security program must include elements to ensure continuous improvement. Which TWO of the following are MOST essential for continuous improvement?

Select 2 answers
A. Annual risk assessment
B. Quarterly board meetings
C. Monthly patching
D. Post-incident reviews
E. Regular security awareness training
Answers: A, D

Risk assessment identifies evolving threats and areas for improvement.

Why this answer

Options A and D are correct. Annual risk assessment (A) identifies new threats and gaps. Post-incident reviews (D) provide lessons learned.

Option E (training) is important but not primarily for improvement; C (patching) is operational; B (board meetings) is governance, not continuous improvement.

72
MCQ · medium

An information security manager is designing a metrics program to report to the board. Which of the following metrics would be MOST meaningful to the board?

A. Number of security incidents reported
B. Percentage of systems with critical vulnerabilities
C. Average patch deployment time
D. Number of security awareness training completions
Answer: B

Why this answer

The board is primarily concerned with strategic risk posture and business impact. Percentage of systems with critical vulnerabilities directly quantifies the organization's exposure to high-severity threats, enabling informed risk acceptance or remediation decisions. This metric aligns with the board's fiduciary duty to oversee risk management, unlike operational details such as incident counts or training completions.

Exam trap

The trap here is that candidates confuse operational metrics (e.g., patch time, training completions) with strategic risk indicators, assuming the board wants to see activity volume rather than residual risk exposure.

Why the other options are wrong

A

Lagging indicator; board prefers leading indicators of risk.

C

Operational detail; not strategic.

D

Activity metric, not outcome.

73
Multi-Select · easy

Which of the following are key components of an information security program? (Select TWO)

Select 2 answers
A. A set of security policies and standards
B. A network architecture diagram
C. A risk management process
D. An incident response log
Answers: A, C

Why this answer

A set of security policies and standards is a key component because it establishes the governance framework that defines acceptable use, access control, and compliance requirements for the entire organization. Without documented policies and standards, the security program lacks the authoritative baseline to enforce controls or measure effectiveness. These documents are the foundation for all other security activities, including training, audits, and incident response.

Exam trap

The trap here is that candidates often confuse operational artifacts (like network diagrams or logs) with programmatic components, failing to recognize that the core of an information security program is the governance and risk management framework, not the technical outputs or diagrams.

Why the other options are wrong

B

This is a technical artifact, not a core program component.

D

This is an operational record, not a program component.

74
MCQ · hard

An organization's information security program has been operational for two years. The security manager is asked to propose changes to improve effectiveness. Which approach should the manager take first?

A. Implement new security controls based on industry best practices.
B. Conduct a maturity assessment of the current program.
C. Increase the security awareness training budget.
D. Revise the information security policy.
Answer: B

Why this answer

Before making any changes, the security manager must first understand the current state of the program. A maturity assessment (e.g., using the CMMI or COBIT framework) evaluates the effectiveness, gaps, and capability levels of existing processes and controls. This baseline ensures that subsequent improvements are targeted and justified, rather than arbitrary or misaligned with the organization's actual needs.

Exam trap

ISACA often tests the principle that assessment must precede action; the trap here is that candidates may jump to implementing controls or revising policies as a quick fix, ignoring the foundational step of measuring current maturity to ensure changes are evidence-based and effective.

Why the other options are wrong

A

This may introduce unnecessary controls without understanding existing gaps.

C

Training is important but not the first step; assessment should precede resource allocation.

D

Policy revision may be needed, but first understand the program's strengths and weaknesses.

75
Drag & Drop · medium

Arrange the steps for performing a vulnerability scan on a network segment.


Why this order

Vulnerability scanning requires authorization, configuration, execution, analysis, and prioritization.
