CCNA Cism Security Program Questions

62 of 137 questions · Page 2/2 · Cism Security Program topic

76
MCQ · easy

An organization is developing a new information security program and wants to ensure it aligns with business objectives. Which of the following is the MOST critical first step?

A. Develop a security awareness training program.
B. Identify business strategy and risk appetite.
C. Design the security architecture based on industry frameworks.
D. Conduct a comprehensive risk assessment.
Answer: B

Aligning with business strategy ensures security enables rather than hinders the business.

Why this answer

Identifying business strategy and risk appetite is the most critical first step because the information security program must be designed to support the organization's objectives and operate within the risk tolerance defined by leadership. Without this alignment, subsequent security controls and investments may conflict with business goals or fail to address the risks the organization is willing to accept. This ensures that security is a business enabler rather than a technical silo.

Exam trap

The trap here is that candidates often mistake conducting a comprehensive risk assessment (Option D) as the first step, but without a defined risk appetite and business strategy, the assessment lacks the context needed to evaluate risk severity and prioritize remediation effectively.

How to eliminate wrong answers

Option A is wrong because developing a security awareness training program is an operational control that should be implemented only after the program's strategic direction, risk appetite, and governance structure are defined; starting with training assumes a baseline of security culture that does not yet exist. Option C is wrong because designing security architecture based on industry frameworks (e.g., NIST, ISO 27001) without first understanding the business strategy and risk appetite can lead to over-engineering or misalignment, wasting resources on controls that do not address the organization's specific risk profile. Option D is wrong because conducting a comprehensive risk assessment requires a predefined risk appetite and business context to determine which risks are acceptable and which require mitigation; without this, the assessment lacks the criteria to prioritize findings effectively.

77
Multi-Select · hard

Which THREE are key performance indicators (KPIs) for an information security program?

Select 3 answers
A. Number of security incidents
B. Percentage of employees trained
C. Budget variance
D. Patch compliance rate
E. Mean time to detect (MTTD)
Answers: B, D, E

Training coverage indicates program reach.

Why this answer

MTTD (Mean Time to Detect), percentage of employees trained, and patch compliance rate are meaningful KPIs, so Options B, D, and E are correct. Option A (number of incidents) is a lagging indicator not suitable as a KPI. Option C (budget variance) is a financial metric.

78
Multi-Select · hard

Which THREE of the following are critical success factors for implementing an information security program?

Select 3 answers
A. Compliance as the primary driver.
B. Risk-based approach to prioritize controls.
C. Executive management sponsorship and support.
D. Deployment of the latest security technology.
E. Alignment with business objectives.
Answers: B, C, E

Focuses resources on highest risk.

Why this answer

Executive support, alignment with business objectives, and a risk-based approach are critical success factors. Deploying the latest technology and treating compliance as the sole driver are not.

79
MCQ · easy

An organization wants to ensure its information security program is aligned with business objectives. Which of the following is the BEST approach?

A. Implement a security incident response plan
B. Perform regular vulnerability scans
C. Involve business stakeholders in the security steering committee
D. Conduct annual security awareness training
Answer: C

Direct participation ensures security strategies reflect business priorities.

Why this answer

Option C is correct because involving business stakeholders in a steering committee ensures security initiatives support business goals. Option D is about awareness, not alignment. Option A is reactive. Option B is technical and not directly about business alignment.

80
MCQ · hard

A financial institution is developing an information security program based on the COBIT framework. The board has requested a balanced scorecard to communicate program effectiveness. Which of the following metric categories would best align with the 'Internal Processes' perspective?

A. Cost of security incidents as a percentage of revenue
B. Percentage of security incidents detected within defined SLAs
C. Number of security training hours per employee
D. Customer satisfaction survey scores on data protection
Answer: B

This measures process effectiveness.

Why this answer

Option B is correct because the Internal Processes perspective focuses on the operational efficiency and effectiveness of security processes. Option D is wrong because it relates to the Customer perspective. Option C is wrong because it relates to Learning and Growth. Option A is wrong because it relates to the Financial perspective.

81
MCQ · hard

An organization has a security program that is aligned with ISO 27001. During an internal audit, it is discovered that several controls are not being applied consistently across all departments. The MOST effective corrective action is to:

A. Update the information security policy
B. Establish a centralized security oversight function
C. Increase security awareness training frequency
D. Conduct a risk assessment for each department
Answer: B

Why this answer

The core issue is inconsistent control application across departments, which indicates a lack of governance and oversight rather than a policy or awareness deficiency. Establishing a centralized security oversight function directly addresses this by creating a single authority to enforce, monitor, and standardize control implementation, ensuring alignment with ISO 27001 requirements for management commitment and resource allocation (Clause 5.1 and 7.1). This corrective action provides the necessary organizational structure to drive consistent execution, which is the most effective long-term solution.

Exam trap

The trap here is that candidates confuse the symptom (inconsistent application) with the root cause (lack of governance), leading them to choose awareness training or policy updates, which are tactical fixes rather than strategic corrective actions.

Why the other options are wrong

A. Policy likely exists; the issue is execution.
C. Training addresses knowledge, not enforcement.
D. A risk assessment would identify gaps but not fix consistency.

82
Matching · medium

Match each CISM domain to its focus area.

Focus areas to match:

Establish and maintain a framework to align security with business objectives

Identify and manage information risk to achieve business objectives

Design and implement a security program to manage risk

Plan and manage the incident response process

Oversee and improve the security program's performance

Why these pairings

CISM domains as defined by ISACA.

83
MCQ · medium

An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?

A. Automate security compliance monitoring across all business units.
B. Update the information security policy to mandate compliance.
C. Conduct a risk assessment to identify gaps and prioritize remediation.
D. Implement additional security controls across all business units.
Answer: C

A risk assessment provides the basis for prioritizing controls and ensuring consistent application based on risk.

Why this answer

Conducting a risk assessment first (Option C) is the correct initial step because it systematically identifies where controls are failing or missing across business units, quantifies the associated risks, and prioritizes remediation based on business impact. Without this foundational analysis, any subsequent actions—such as automation, policy updates, or new controls—would lack direction and could waste resources on low-priority areas. This aligns with the CISM program lifecycle, where risk assessment drives all other program improvements.

Exam trap

ISACA often tests the principle that a risk assessment must precede any control implementation or policy change, tempting candidates to jump to automation or enforcement actions without first understanding the specific gaps.

How to eliminate wrong answers

Option A is wrong because automating compliance monitoring without first understanding which controls are inconsistently applied and why would simply automate the detection of known gaps without addressing root causes or prioritizing fixes. Option B is wrong because updating the policy to mandate compliance does not address the underlying issue of inconsistent application; it only reiterates requirements without providing a mechanism to identify or remediate the specific gaps. Option D is wrong because implementing additional controls across all business units without a prior risk assessment could introduce unnecessary complexity, increase costs, and fail to target the actual weaknesses, potentially creating new compliance gaps.

84
MCQ · easy

Which of the following is the most important factor for ensuring the long-term success of an information security program?

A. Deployment of advanced security technologies.
B. Comprehensive security awareness training.
C. Strong support from top management.
D. Regular penetration testing.
Answer: C

Why this answer

Strong support from top management is the most important factor because it ensures the information security program receives adequate budget, organizational authority, and strategic alignment with business objectives. Without executive sponsorship, even the best technical controls can be undermined by resource constraints, policy non-compliance, or lack of cross-departmental cooperation. The CISM framework emphasizes that governance and leadership commitment are foundational to sustaining a security program over time.

Exam trap

The trap here is that candidates often mistake operational effectiveness (e.g., training or testing) for strategic success, overlooking that without top management support, no security initiative can be sustained or enforced across the organization.

Why the other options are wrong

A. Technology is a tool, not the foundation; it requires management support to be effective.
B. Training is important but not the most critical factor; without management support, training may lack resources.
D. Penetration testing is a tactical activity; it does not ensure program success without executive backing.

85
MCQ · hard

A security program lacks executive support. What is the best strategy to gain support?

A. Hire a security consultant to advise
B. Implement quick-win security improvements
C. Show risk quantification in business terms
D. Threaten regulatory fines for non-compliance
Answer: C

Quantified risk connects security to business impact, gaining executive attention.

Why this answer

Presenting risk in financial terms (risk quantification) resonates with executives, so Option C is correct. Options A, B, and D are less effective: hiring a consultant is temporary; quick wins may not secure long-term support; threatening fines may breed resentment.

86
Multi-Select · medium

During an audit of the information security program, the auditor identifies that several critical systems are not included in the incident response plan. Which of the following are the MOST appropriate actions for the security manager to take? (Select TWO.)

Select 2 answers
A. Implement compensating controls on the excluded systems
B. Document the finding and accept the risk
C. Immediately remove the excluded systems from production
D. Update the incident response plan to include all critical systems
E. Escalate the issue to senior management for decision
Answers: D, E

Updating the plan directly closes the gap identified in the audit.

Why this answer

Options D and E are correct. Updating the plan to include all critical systems directly addresses the finding (D), and escalating to senior management ensures proper awareness and authorization (E). Option A is wrong because implementing compensating controls is a temporary measure and does not solve the root cause. Option C is wrong because immediately removing systems from production is too drastic and not justified. Option B is wrong because accepting the risk without analysis bypasses proper risk management.

87
MCQ · easy

An organization is updating its information security program to align with business objectives. Which of the following is the PRIMARY benefit of integrating security risk management into the strategic planning process?

A. Aligns security investments with business priorities
B. Reduces the number of security incidents
C. Increases employee awareness of security policies
D. Ensures compliance with regulatory requirements
Answer: A

Integration ensures that security resources are allocated to risks most critical to business objectives.

Why this answer

Option A is correct because integrating security risk management into strategic planning ensures that security investments are prioritized based on business impact, aligning resources with the most critical risks. Option D is wrong because compliance is a legal requirement, not the primary benefit of integration. Option B is wrong because reducing incidents is a desirable outcome but not the primary benefit of integration. Option C is wrong because awareness is an operational benefit, not a strategic one.

88
MCQ · hard

After a data breach, the CISO reviews the security program. The breach exploited a known vulnerability in a legacy system that was deemed 'acceptable risk' two years ago. What should the CISO do to improve the program?

A. Establish a policy that legacy systems must be upgraded annually.
B. Disconnect the legacy system from the network immediately.
C. Implement a process for periodic reassessment of accepted risks.
D. Require immediate remediation of all legacy systems.
Answer: C

Ensures that risk acceptance stays current with evolving threats and business context.

Why this answer

Periodic reassessment ensures that risk acceptance decisions remain valid as threat and business environments change.

89
MCQ · medium

In developing a security awareness program, which factor is most important for effectiveness?

A. Use of phishing simulations
B. Tailoring content to the target audience
C. Frequency of training sessions
D. Management endorsement
Answer: B

Customized content addresses specific risks and roles.

Why this answer

Tailoring content to the audience ensures relevance and engagement, so Option B is correct. Option C (frequency) is secondary; Option D (management endorsement) helps but is not the most important factor; Option A (phishing simulations) is a tactic, not a success factor.

90
MCQ · hard

A large financial institution is maturing its information security program and wants to move from a reactive to a proactive posture. Which of the following initiatives would best support this transition?

A. Deploy an automated compliance monitoring tool.
B. Implement a bug bounty program to uncover vulnerabilities.
C. Establish a threat intelligence unit that analyzes adversary tactics and shares indicators across the organization.
D. Increase the number of security operations center (SOC) analysts.
Answer: C

Threat intelligence provides actionable information to prevent attacks before they occur.

Why this answer

The correct answer is C because threat intelligence enables proactive identification and mitigation of emerging threats. Option D (more SOC analysts, i.e., increased monitoring) is reactive. Option B (bug bounty program) is useful but externally focused and limited in scope. Option A (compliance automation) does not address proactive threat management.

91
MCQ · medium

A company's security program includes a policy that all employees must use strong passwords and change them every 90 days. However, the recent internal audit shows that 60% of employees have passwords that do not meet the strength requirements. What is the most effective corrective action?

A. Conduct quarterly password audits with manual checks
B. Increase the frequency of security awareness training
C. Implement technical controls to enforce password strength
D. Extend the password change interval to 180 days
Answer: C

Technical enforcement (e.g., complexity rules) ensures compliance.

Why this answer

Option C is correct because automated enforcement ensures policy compliance without relying on user behavior change. Option B is wrong because training alone is insufficient. Option D is wrong because it reduces security and does not address the root cause. Option A is wrong because audits detect but do not prevent non-compliance.

92
MCQ · easy

Which is a key component of an information security program?

A. Encryption technology
C. Antivirus software
D. Security policy
Answer: D

Policies establish the governance framework for the program.

Why this answer

A security policy is foundational, defining rules and responsibilities, so Option D is correct. The other options are technical controls or tools, not program components.

93
MCQ · medium

Based on the exhibit, what is the most significant security gap in this configuration?

A. The intrusion detection system is set to alert-only, so it cannot block attacks.
B. The vendor baseline is CIS Level 1, which may be too permissive.
C. The firewall allows inbound HTTPS from any source to web servers.
D. The database port 3306 is exposed to web servers without encryption.
Answer: A

Without prevention, attacks may succeed before manual response.

Why this answer

The exhibit is a JSON policy. It shows that the firewall allows traffic from the web servers to the database server on port 3306 (MySQL) with no authentication or encryption specified, that the IDS only alerts on critical and high signatures and does not block, and that the hardening baseline is CIS Level 1, which may not be sufficient for a database server.

Among these, the most significant gap is that the IDS is in alert-only mode: malicious traffic, including traffic toward the database, will not be blocked, so an attack may succeed before anyone responds manually. Direct database access from the web tier that is inspected only by basic signatures is a design weakness, but it is secondary to the absence of any preventive control.

94
Multi-Select · medium

Which THREE elements are essential for an effective information security governance framework?

Select 3 answers
A. Clear accountability structure
B. Board or executive oversight
C. Free and open-source security tools
D. Comprehensive security policies
E. Formal risk appetite statement
Answers: A, B, D

Assigning responsibilities ensures governance is implemented.

Why this answer

Options A, B, and D are correct. Board oversight ensures strategic direction, security policies provide the foundation, and an accountability structure assigns responsibility. Option E is wrong because a risk appetite statement is part of governance but is not always considered an essential element of the framework itself. Option C is wrong because free security tools are not governance elements.

95
MCQ · medium

A company is implementing a new security program. The CISO wants to ensure alignment with business objectives. Which approach is best?

A. Implement technical controls
B. Develop policies based on industry standards
C. Perform a risk assessment
D. Use the COBIT framework
Answer: D

COBIT is designed for governance and alignment of IT with business objectives.

Why this answer

Using a framework like COBIT helps align IT and security with business goals. Option D is correct because COBIT specifically focuses on governance and alignment. Option B is too generic; industry standards may not address business alignment. Option C is a step but not the primary method for alignment. Option A is tactical, not strategic.

96
MCQ · medium

Which of the following best describes the primary purpose of a security program's governance framework?

A. To implement technical security controls
B. To provide oversight and alignment with business objectives
C. To conduct vulnerability assessments
D. To manage security incidents
Answer: B

Why this answer

The primary purpose of a security program's governance framework is to provide oversight and ensure that security activities are aligned with business objectives, risk appetite, and regulatory requirements. It establishes the policies, roles, and accountability structures that guide decision-making, rather than directly executing technical tasks. This alignment is critical for the program to be sustainable and supported by executive management.

Exam trap

The trap here is that candidates confuse the governance framework with the operational security program itself, mistakenly selecting a tactical activity (like implementing controls or managing incidents) instead of recognizing that governance is the strategic oversight layer that directs and constrains those activities.

Why the other options are wrong

A. Technical controls are operational, not governance.
C. Vulnerability assessments are part of ongoing operations.
D. Incident management is a process within the program.

97
MCQ · hard

After a data breach, the CISO is updating the incident response plan. Which of the following is MOST critical to include?

A. Communication templates for stakeholders
B. Technical forensic procedures
C. Root cause analysis methodology
D. Legal hold instructions for data preservation
Answer: A

Effective communication is vital to control damage and meet legal obligations.

Why this answer

Option A is correct because communication templates ensure timely and consistent messaging to stakeholders, regulators, and the public, which is critical for managing reputation and legal exposure. Option B is wrong because, while important, technical procedures are less critical than communication. Option D is wrong because a legal hold is important but not as immediate. Option C is wrong because root cause analysis is a post-incident activity.

98
MCQ · hard

During a merger, the acquiring company's security program must integrate with the target company's program. What is the HIGHEST priority action?

A. Consolidate all security tools
B. Conduct a comprehensive risk assessment of the target
C. Merge the security teams into one reporting structure
D. Standardize security policies immediately
Answer: B

Risk assessment provides the basis for all integration decisions.

Why this answer

Option B is correct because a comprehensive risk assessment of the target company's environment identifies integration risks and informs the integration plan. Option A is premature without understanding the risks. Options C and D are tactical steps that should follow the risk assessment.

99
MCQ · easy

Which of the following is the PRIMARY purpose of a security program's key performance indicators (KPIs)?

A. To ensure compliance with regulations
B. To assign accountability to individuals
C. To track the budget for security initiatives
D. To measure the effectiveness of security controls
Answer: D

KPIs provide quantifiable measures of control performance and program outcomes.

Why this answer

Option D is correct because KPIs are designed to measure the effectiveness of security controls and of the program as a whole. Option A is a secondary benefit. Option C is about budget tracking, not KPIs. Option B is about accountability, which is not the primary purpose.

100
MCQ · hard

A large financial institution is updating its information security program to align with a new regulatory framework. The program currently has a decentralized governance model. Which of the following is the MOST significant risk of maintaining a decentralized model?

A. Slower incident response
B. Inconsistent security levels across business units
C. Higher cost of compliance
D. Duplication of controls
Answer: B

Inconsistency can create security gaps and regulatory non-compliance.

Why this answer

Option B is correct because decentralized governance leads to inconsistent security levels across business units, which is a major regulatory and risk concern. Option A (slower incident response) is possible, but inconsistent security is more fundamental. Option C (higher cost of compliance) may occur but is a consequence. Option D (duplication of controls) is possible but less critical.

101
MCQ · medium

A security manager is designing a metrics dashboard for executive management. Which of the following metrics is MOST useful for demonstrating the value of the security program?

A. Percentage of budget spent on security
B. Number of security patches applied
C. Number of security policies created
D. Mean time to detect incidents
Answer: D

MTTD measures the program's effectiveness in identifying threats, demonstrating proactive value.

Why this answer

Option D is correct because mean time to detect incidents directly reflects the program's ability to identify threats, which is a key value indicator. Option B (patches applied) is operational. Option A is budget-related. Option C (policies created) is an output, not an outcome.

102
MCQ · easy

You are the CISO of a mid-sized manufacturing company. The company has grown rapidly through acquisitions, and each subsidiary has its own information security program. There is no centralized governance, and recent security incidents have occurred due to inconsistent policies. The board has asked you to create a unified information security program that balances flexibility with control. Each subsidiary has unique operational processes and varying levels of security maturity. You have limited budget and cannot replace all local security teams. Which approach should you take?

A. Immediately mandate compliance with a new enterprise-wide security policy.
B. Develop a minimum security standard (MSS) and a phased implementation roadmap based on risk.
C. Centralize all security operations and disband local teams.
D. Adopt the most mature subsidiary's program as the enterprise standard.
Answer: B

Provides baseline while allowing flexibility and phased adoption.

Why this answer

The correct answer is B because developing a minimum security standard (MSS) with a phased roadmap allows each subsidiary to implement controls based on risk while providing a common baseline. Option C (centralize all security operations and disband local teams) is costly and disruptive. Option D (adopt the most mature subsidiary's program) may not fit the others. Option A (mandate immediate compliance) ignores varying maturity levels and can cause resistance.

103
Multi-Select · easy

Which THREE of the following are typically included in an information security program budget?

Select 3 answers
A. Incident response retainer
B. Security awareness training materials
C. Vulnerability assessment tools
D. Marketing and advertising campaigns
E. Employee salaries
Answers: A, B, C

External service cost part of program.

Why this answer

Options A, B, and C are correct because they are common security program costs. Option D is wrong because marketing is generally not security-related. Option E is wrong because employee salaries are operational expenses that are typically budgeted separately.

104
MCQ · hard

A multinational corporation is designing a global information security program. Which governance structure best ensures consistent security while allowing regional flexibility?

A. Outsource security governance to a managed security service provider (MSSP).
B. Fully centralized security governance with global standards enforced uniformly.
C. Federated governance: global standards with local implementation and oversight.
D. Fully decentralized security governance, each region independent.
Answer: C

Provides consistency while allowing adaptations for local regulations and culture.

Why this answer

A federated model balances central standards with local adaptation, respecting regional legal and cultural differences.

105
MCQ · hard

A multinational corporation is designing its information security program and must decide how to balance security with business agility. The company operates in highly regulated industries with varying legal requirements. Which of the following approaches BEST aligns with industry best practices for such an environment?

A. Implement the strictest regulatory requirements globally to ensure compliance everywhere.
B. Adopt a baseline of controls that meet the lowest common denominator of all regulations.
C. Develop a risk-based framework that allows for tailored controls based on local risk assessments.
D. Allow each business unit to define its own security controls based on local requirements.
Answer: C

A risk-based approach provides flexibility while ensuring that controls are appropriate for the risks.

Why this answer

Option C is correct because a risk-based framework, such as ISO 27001 or NIST SP 800-53, allows the organization to establish a baseline of controls while tailoring them to address specific local legal requirements and risk profiles. This approach balances security and business agility by avoiding unnecessary overhead from overly strict global mandates while ensuring that critical regulatory obligations are met through localized risk assessments.

Exam trap

The trap here is that candidates often confuse 'strictest globally' (Option A) with 'best practice' due to a desire for simplicity, but CISM emphasizes that a risk-based approach is the only method that effectively balances compliance, security, and business agility in a multi-regulatory environment.

How to eliminate wrong answers

Option A is wrong because implementing the strictest regulatory requirements globally (e.g., GDPR's data protection rules applied in jurisdictions with less stringent laws) can introduce excessive operational friction, reduce business agility, and may conflict with local laws that permit different practices. Option B is wrong because adopting a baseline that meets the lowest common denominator of all regulations (e.g., only complying with the weakest privacy law) would leave the organization non-compliant with stricter regulations like GDPR or HIPAA, exposing it to significant legal and financial penalties. Option D is wrong because allowing each business unit to define its own security controls based on local requirements without a centralized governance framework leads to inconsistent security postures, gaps in coverage, and increased risk of regulatory non-compliance across the multinational enterprise.

106
MCQ · medium

A company is implementing an information security program. Which of the following is the PRIMARY reason to align the program with business objectives?

A. To ensure regulatory compliance
B. To improve technical controls
C. To reduce overall security costs
D. To gain management buy-in and support
Answer: D

Aligning with business objectives demonstrates value, securing management commitment.

Why this answer

Option D is correct because alignment with business objectives helps secure management support and ensures the program addresses real business risks. Option C is wrong because cost reduction is a benefit, not the primary reason. Option A is wrong because compliance is a component, but alignment drives broader support. Option B is wrong because technical improvement is not the primary driver.

107
Multi-Select · hard

Which TWO of the following are key performance indicators (KPIs) that demonstrate the effectiveness of a security awareness program?

Select 2 answers
A.Percentage of employees who correctly identify a phishing email in simulations
B.Number of employees who report suspicious emails
C.Frequency of phishing simulation tests
D.Number of training sessions completed per quarter
E.Reduction in the number of security incidents caused by human error
AnswersA, E

Directly measures knowledge retention.

Why this answer

Options A and E are correct because they measure outcomes: the simulation pass rate shows whether employees can apply what they were taught, and a reduction in incidents caused by human error shows that behaviour has actually changed. Option B is wrong because the raw number of reported emails is an activity metric; it rises with mail volume and simulation frequency as much as with awareness (a reporting rate normalised against the number of phishing emails sent would be more useful). Option C is wrong because how often simulations are run is an input to the program, not evidence of its effect.

Option D is wrong because completed training sessions are also an input metric and say nothing about whether the content was learned.

108
MCQhard

You are the director of information security at a multinational corporation that operates in many countries with conflicting data privacy laws. The company's information security program includes a data classification policy and a data retention schedule, but there is no consistent method for handling cross-border data flows. Recently, a regulator in Country A fined the company for transferring personal data to Country B, which does not provide adequate protection. The legal department recommends implementing a binding corporate rules (BCR) approach, but the IT department says it would be too complex to implement across all systems. You must update the program to ensure compliance while minimizing operational impact. The board wants a solution that can be implemented within one year with reasonable cost. What should you do?

A.Implement binding corporate rules (BCR) across all entities as recommended by legal.
B.Rely on standard contractual clauses (SCCs) for all cross-border data flows.
C.Conduct a data mapping exercise and implement a data classification tagging system to automate controls on sensitive data flows.
D.Stop all cross-border data transfers until compliant mechanisms are fully implemented.
AnswerC

Provides visibility and enables automated enforcement, scalable within one year.

Why this answer

Option C is correct because a data mapping exercise first establishes which personal data flows across which borders, and classification tagging then lets transfer controls be enforced automatically rather than by manual review; both can be delivered within a year at reasonable cost. Option A (BCRs across all entities) requires regulator approval and organisation-wide implementation, which IT has already judged too complex for the time frame. Option D (halting all cross-border transfers) is impractical for a multinational business.

Option B (SCCs for every flow) cannot be applied properly without first knowing which flows exist, and maintaining clauses for every transfer is administratively heavy.

109
MCQhard

An organization has implemented a balanced scorecard to measure the effectiveness of its information security program. Which of the following metrics would be MOST appropriate for the 'internal processes' perspective?

A.Percentage of systems compliant with baseline
B.Mean time to detect and respond to incidents
C.Percentage of users who completed security awareness training
D.Number of security incidents reported to management
AnswerB

Why this answer

The 'internal processes' perspective of a balanced scorecard focuses on the efficiency and effectiveness of the operational workflows that deliver the security program. Mean time to detect (MTTD) and mean time to respond (MTTR) directly measure the performance of the incident response process, which is a core internal process. This metric reflects how quickly the organization can identify and contain threats, making it the most appropriate choice for this perspective.

Exam trap

The trap here is that candidates confuse the 'internal processes' perspective with compliance or training metrics, mistakenly selecting A or C because they seem operational, but the balanced scorecard framework specifically ties 'internal processes' to the efficiency of core security workflows like incident response, not static compliance or awareness rates.

Why the other options are wrong

A

Compliance rate is more aligned with the governance or regulatory perspective, not internal processes.

C

This is a learning and growth metric, not internal processes.

D

This is more of an output metric, not specifically internal process efficiency.

110
MCQeasy

An organization has just completed a risk assessment and identified several high-risk vulnerabilities. The security program manager needs to prioritize remediation efforts. Which of the following should be the primary factor in determining priority?

A.Regulatory requirements only
B.Likelihood of exploitation
C.Risk level (likelihood × impact)
D.Ease of remediation
AnswerC

Risk level gives a holistic prioritization.

Why this answer

Option C is correct because risk level combines likelihood and impact, which is how risk management frameworks rank exposure. Option A is wrong because regulatory requirements matter but should be fed into the risk assessment rather than used as the sole criterion. Option B is wrong because likelihood alone ignores impact.

Option D is wrong because prioritising by ease of remediation without considering risk misallocates effort to low-value fixes.

111
MCQeasy

The security team is designing a security awareness program. Which topic should be prioritized FIRST?

A.Phishing recognition and reporting
B.Password creation and management
C.Incident reporting procedures
D.Data classification and handling
AnswerA

Phishing is a top threat; early training can prevent many incidents.

Why this answer

Option A is correct because phishing is the most common initial access vector, and teaching users to recognise and report it reduces risk immediately. Option B is wrong because password guidance is important but is usually covered after the threat that targets credentials is understood. Option C is wrong because incident reporting is critical, but users must first be able to recognise what to report.

Option D is wrong because data classification and handling is a more advanced topic that builds on basic threat awareness.

112
MCQeasy

Based on the exhibit, which of the following is true about traffic from the internet to the internal network 10.0.0.0/8?

A.Internet traffic to 10.0.0.5 is permitted only if from 192.168.1.0/24.
B.All traffic from the internet to the internal network is denied.
C.Traffic from the internet to 10.0.0.5 port 80 is permitted.
D.Traffic from 192.168.1.0/24 to 10.0.0.5 port 80 is permitted.
AnswerB

First rule denies all IP traffic to 10.0.0.0/8.

Why this answer

Order matters in an ACL: entries are evaluated top to bottom and the first match wins. The first entry denies all IP traffic from any source to 10.0.0.0/8, so every packet from the internet to the internal network matches it and is dropped. The later permit for a specific source to 10.0.0.5 port 80 is never reached, because the packets it would match have already been denied; it is a shadowed rule. Internet traffic to the internal network is therefore denied entirely, and even the 192.168.1.0/24 source in option D is blocked unless the permit is placed above the deny.
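The exhibit is not reproduced on this page, so the following is an added example, not part of the original question: a small first-match ACL evaluator in Python with a rule set constructed from the explanation above (a deny to 10.0.0.0/8 listed before a narrower permit). The addresses, the `Rule` type and the reordering heuristic are assumptions made for the illustration. It shows why the permit is dead, and how a shadow check catches the ordering mistake before the ACL is deployed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule set standing in for the missing exhibit (assumed, not the
# page's own): a deny to the whole internal range followed by a narrower permit.
ACL: List[Rule] = [
    Rule("deny", "ip", ANY, ipaddress.ip_network("10.0.0.0/8")),
    Rule("permit", "tcp", ipaddress.ip_network("192.168.1.0/24"),
         ipaddress.ip_network("10.0.0.5/32"), 80),
]


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation, the way a router walks an ACL.

    Returns (action, index of the matching rule). Index None means the packet
    fell through every entry and hit the implicit deny at the end of the list.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier entry already
    covers every packet they would match. Such entries are dead and usually
    indicate an ordering mistake like the one in the question."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if (proto_ok and port_ok
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                dead.append(j)
                break
    return dead


def reorder_specific_first(acl: List[Rule]) -> List[Rule]:
    """Simple heuristic fix: put the most specific entries (longest combined
    prefix length) first so that a narrow permit is reachable before a broad deny."""
    return sorted(acl, key=lambda r: r.src.prefixlen + r.dst.prefixlen, reverse=True)


if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "203.0.113.7", "10.0.0.5", 80))    # internet source: deny by rule 0
    print(evaluate(ACL, "tcp", "192.168.1.10", "10.0.0.5", 80))   # also deny: rule 1 is shadowed
    print(shadowed_rules(ACL))                                     # [1]
    fixed = reorder_specific_first(ACL)
    print(evaluate(fixed, "tcp", "192.168.1.10", "10.0.0.5", 80)) # permit once the order is fixed
```

The `shadowed_rules` check is the one worth keeping in a change-review pipeline: an ACL whose permit entries are all unreachable passes syntax validation on the device and only fails when someone asks why a documented exception does not work.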

113
MCQeasy

Which metric is most indicative of security program effectiveness?

A.Security budget spent
B.Time to patch critical vulnerabilities
C.Number of security tools deployed
D.Number of security incidents
AnswerB

This metric shows how quickly the organization mitigates high-risk exposures.

Why this answer

Time to patch critical vulnerabilities directly reflects the program's ability to reduce exposure, so Option B is correct. Option A is wrong because budget spent measures input, not results.

Option C is wrong because the number of tools deployed counts assets, not outcomes. Option D is wrong because the raw incident count is a lagging indicator that also depends on detection quality and on factors outside the program's control.

114
MCQmedium

An organization's security program has been in place for two years, but recently several security incidents occurred due to lack of user awareness. What is the most likely root cause?

A.The awareness program is not regularly updated or evaluated for effectiveness.
B.Lack of a security awareness program.
C.Insufficient budget for security tools.
D.Insufficient firewall rules.
AnswerA

Continuous improvement is needed; without updates, awareness decays.

Why this answer

Without periodic evaluation and updates, awareness programs become stale and ineffective. The other options are indirect or insufficient.

115
Drag & Dropmedium

Arrange the steps in order for conducting a business impact analysis (BIA) in business continuity management.


Why this order

A BIA first identifies critical functions, then determines acceptable downtime, assesses impact, prioritizes recovery, and finally documents findings.

116
MCQhard

You are the CISO of a mid-sized financial services firm that processes credit card transactions. The company has recently expanded its operations to include a mobile payment application that stores payment credentials in the cloud. The current information security program was designed primarily for the on-premises environment and has not been updated to address cloud-specific risks. The internal audit team has identified that the cloud service provider (CSP) does not have an independent third-party audit report (e.g., SOC 2) available for review. Additionally, the mobile app development team has been deploying code without formal security review, citing the need for rapid releases to compete in the market. The CEO has expressed concern about the potential for a data breach and has asked you to recommend immediate actions to strengthen the security program while minimizing business disruption. Which of the following should you recommend as the FIRST course of action?

A.Encrypt all data in transit and at rest using the organization's own encryption keys.
B.Implement compensating controls such as tokenization for all cardholder data stored in the cloud.
C.Conduct a detailed security assessment of the cloud service provider's controls and contractually require an annual SOC 2 Type II report.
D.Require the mobile app development team to undergo formal security training and implement a peer review process for all code deployments.
AnswerC

This directly addresses the gap in oversight and provides assurance over the CSP's controls.

Why this answer

Option C is the correct first course of action because the absence of an independent third-party audit report (e.g., SOC 2 Type II) means the organization has no verified assurance that the cloud service provider (CSP) has adequate security controls in place. As CISO, you must immediately assess the CSP's security posture and contractually mandate a SOC 2 Type II report to gain visibility into the effectiveness of the CSP's controls over time, which is foundational before implementing any compensating technical controls. This aligns with the CISM domain of Information Security Program governance, where vendor risk management and due diligence are critical first steps when expanding into cloud environments.

Exam trap

The trap here is that candidates often jump to implementing a technical control (like encryption or tokenization) as the immediate fix, but the CISM exam emphasizes that governance and vendor risk management—specifically obtaining independent assurance of the CSP's controls—must come first before deploying compensating technical measures.

How to eliminate wrong answers

Option A is wrong because encrypting data with the organization's own keys (client-side encryption) does not address the root cause—lack of visibility into the CSP's overall security posture; encryption is a compensating control that should follow a proper vendor risk assessment. Option B is wrong because implementing tokenization for cardholder data is a tactical data-centric control that does not resolve the immediate governance gap of having no independent audit report on the CSP; tokenization should be considered after contractual assurance is established. Option D is wrong because requiring security training and peer review for the mobile app development team, while beneficial, does not address the most critical risk—the unverified cloud provider—and would not be the first priority when the CSP's controls are completely unknown.

117
MCQhard

Refer to the exhibit. An audit reveals that 20% of privileged accounts were approved by the same manager without secondary review. Which control deficiency is MOST relevant to this finding?

A.Segregation of duties
B.Access review frequency
C.Provisioning delay
D.Audit log retention
AnswerA

One person approving without oversight is a segregation of duties deficiency.

Why this answer

Option A is correct because a single manager approving privileged access without a secondary review concentrates request, approval and oversight in one person, which is a segregation of duties deficiency. Option B is wrong because the finding concerns how approvals were granted, not how often access is reviewed afterwards. Option C is wrong because no provisioning delay is indicated.

Option D is wrong because log retention is unrelated to the approval process.
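The exhibit behind this question is not on the page, so here is an added example (not the question's own data) of how the finding would be produced from provisioning records: a check that every privileged account carries two distinct approvers and that nobody approved their own request. The record format, user IDs and the two-approver rule are assumptions; the constructed log has ten privileged accounts, two approved by one manager alone, which yields the 20% in the question.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProvisioningRecord:
    account: str
    privileged: bool
    requester: str
    approvers: tuple   # approver IDs in the order they signed off


# Constructed provisioning log (assumed format, not real audit data).
RECORDS: List[ProvisioningRecord] = [
    ProvisioningRecord("adm-db-01", True, "u.ana", ("m.lee", "sec.review")),
    ProvisioningRecord("adm-db-02", True, "u.ben", ("m.lee",)),                # single approver
    ProvisioningRecord("adm-net-01", True, "u.cid", ("m.lee", "sec.review")),
    ProvisioningRecord("adm-net-02", True, "u.dee", ("m.lee",)),               # single approver
    ProvisioningRecord("adm-iam-01", True, "u.eve", ("m.kim", "sec.review")),
    ProvisioningRecord("adm-iam-02", True, "u.fay", ("m.kim", "sec.review")),
    ProvisioningRecord("adm-win-01", True, "u.gus", ("m.kim", "sec.review")),
    ProvisioningRecord("adm-win-02", True, "u.hal", ("m.oda", "sec.review")),
    ProvisioningRecord("adm-bak-01", True, "u.ida", ("m.oda", "sec.review")),
    ProvisioningRecord("adm-bak-02", True, "m.oda", ("m.oda", "sec.review")),  # requester approved own request
    ProvisioningRecord("usr-std-01", False, "u.joe", ("m.lee",)),              # standard account, out of scope
]


def audit_privileged_approvals(records: List[ProvisioningRecord],
                               required_approvals: int = 2) -> Dict[str, object]:
    """Flag privileged accounts that lack the required number of distinct
    approvers, and any account whose requester also appears as an approver.

    set() on the approver tuple makes the same person signing twice count once,
    which is exactly the 'same manager without secondary review' pattern.
    """
    priv = [r for r in records if r.privileged]
    single = [r.account for r in priv if len(set(r.approvers)) < required_approvals]
    self_approved = [r.account for r in priv if r.requester in r.approvers]
    # Who signed off alone, and how often: points the auditor at the workflow gap.
    sole = Counter(a for r in priv
                   if len(set(r.approvers)) < required_approvals
                   for a in set(r.approvers))
    return {
        "privileged_total": len(priv),
        "single_approval": single,
        "single_approval_rate": round(len(single) / len(priv), 2) if priv else 0.0,
        "self_approved": self_approved,
        "sole_approvers": dict(sole),
    }


if __name__ == "__main__":
    for key, value in audit_privileged_approvals(RECORDS).items():
        print(f"{key}: {value}")
```

Self-approval is reported separately because it is a distinct segregation of duties failure: the account in question had two approvers, so a count-only check would have passed it.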

118
MCQhard

A company's security program includes a policy that prohibits the use of personal devices for work. However, the CISO discovers that several executives are using personal tablets to access corporate email. What is the most appropriate action for the CISO to take?

A.Block all personal devices from the network
B.Continue monitoring but take no action
C.Update the policy to allow personal devices under strict controls
D.Discipline the executives for policy violation
AnswerC

Balances security with usability through mobile device management.

Why this answer

Option C is correct because the program should be risk-based: the business need is evident from the executives' behaviour, so the policy should be updated to allow personal devices under enforced controls such as mobile device management, encryption and remote wipe. Option A is wrong because a blanket block is likely to be bypassed and does not address the demand that caused the violation. Option B is wrong because tolerating known violations undermines the policy and the program's credibility.

Option D is wrong because disciplining executives without offering a secure alternative treats a business need as misconduct; security should enable the business while managing risk.

119
MCQhard

After a major security incident, the board of directors requests a review of the information security program. Which of the following metrics would be MOST useful to demonstrate the effectiveness of the program over the past year?

A.Percentage of employees who completed security awareness training
B.Number of security incidents detected and contained within defined SLAs
C.Total cost of security investments compared to industry benchmarks
D.Number of vulnerabilities identified in the latest penetration test
AnswerB

Why this answer

The number of incidents detected and contained within defined SLAs directly measures the program's ability to detect and respond to threats, which is a key indicator of operational effectiveness. Other metrics may be useful but do not directly measure the program's performance in protecting the organization.

Exam trap

Candidates often choose 'Percentage of employees completing security training' because training is a common control, but it doesn't measure actual incident response effectiveness.

Why the other options are wrong

A

Training completion is a leading indicator but does not measure program effectiveness in handling incidents.

C

Cost comparison does not indicate how well the program performed.

D

Vulnerability counts are point-in-time and not a comprehensive measure of program effectiveness.
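Both the balanced-scorecard question above (mean time to detect and respond) and this one (incidents contained within SLA) rest on the same computation over incident records. The block below is an added example, not part of either question: it derives MTTD, MTTR and the SLA attainment rate from a constructed incident list. The record fields, the four sample incidents and the per-severity SLA targets are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Incident:
    ident: str
    severity: str               # "high", "medium" or "low"
    first_activity: datetime    # earliest attacker activity established by the investigation
    detected: datetime          # when the SOC raised the alert
    contained: datetime         # when the threat was stopped from spreading


# Constructed sample incidents for one reporting period (assumed, not real data).
SAMPLE: List[Incident] = [
    Incident("INC-1", "high",   datetime(2024, 3, 1, 8, 0),  datetime(2024, 3, 1, 9, 0),  datetime(2024, 3, 1, 12, 0)),
    Incident("INC-2", "high",   datetime(2024, 3, 5, 0, 0),  datetime(2024, 3, 7, 0, 0),  datetime(2024, 3, 7, 4, 0)),
    Incident("INC-3", "medium", datetime(2024, 3, 9, 10, 0), datetime(2024, 3, 9, 11, 0), datetime(2024, 3, 10, 11, 0)),
    Incident("INC-4", "low",    datetime(2024, 3, 12, 6, 0), datetime(2024, 3, 12, 7, 0), datetime(2024, 3, 12, 8, 0)),
]

# Assumed SLA targets per severity as (detect within, contain within), in hours.
SLA_HOURS: Dict[str, Tuple[int, int]] = {"high": (4, 8), "medium": (24, 48), "low": (72, 168)}


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def mttd(incidents: List[Incident]) -> float:
    """Mean time to detect: dwell time from first attacker activity to the alert."""
    return mean(hours(i.detected - i.first_activity) for i in incidents)


def mttr(incidents: List[Incident]) -> float:
    """Mean time to respond, measured here as alert to containment."""
    return mean(hours(i.contained - i.detected) for i in incidents)


def within_sla(incident: Incident) -> bool:
    """An incident counts only if BOTH the detection and containment targets were met."""
    detect_target, contain_target = SLA_HOURS[incident.severity]
    return (hours(incident.detected - incident.first_activity) <= detect_target
            and hours(incident.contained - incident.detected) <= contain_target)


def scorecard(incidents: List[Incident]) -> Dict[str, object]:
    """The figures a board report would carry for the internal-process perspective."""
    met = [i.ident for i in incidents if within_sla(i)]
    return {
        "count": len(incidents),
        "mttd_hours": round(mttd(incidents), 2),
        "mttr_hours": round(mttr(incidents), 2),
        "within_sla": len(met),
        "sla_rate": round(len(met) / len(incidents), 2),
        "missed": [i.ident for i in incidents if not within_sla(i)],
    }


if __name__ == "__main__":
    for key, value in scorecard(SAMPLE).items():
        print(f"{key}: {value}")
```

Note what the example exposes: INC-2 was contained quickly once detected, so it flatters MTTR, but a two-day dwell time breaks the high-severity detection target. Reporting the SLA rate alongside the two means prevents a fast containment from hiding a slow detection.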

120
Matchingmedium

Match each security framework to its primary purpose.


Specify requirements for an ISMS

Provide risk-based guidance for critical infrastructure

Govern and manage enterprise IT

Align IT services with business needs

Protect cardholder data

Why these pairings

Common frameworks referenced in CISM.

121
MCQeasy

A small e-commerce company with 50 employees and limited IT budget is establishing its first formal information security program. The company processes customer payment data and must comply with PCI DSS. The CEO wants to balance security with operational costs. The IT manager proposes investing in a state-of-the-art security information and event management (SIEM) system costing $100,000 annually. The CISO, however, recommends a more phased approach. Considering the company's size, budget constraints, and compliance requirements, what should be the CISO's primary recommendation?

A.Implement the SIEM system immediately to achieve real-time threat detection.
B.Outsource all security operations to a managed security service provider (MSSP).
C.Develop a custom security software solution tailored to the company's payment processing system.
D.Deploy a firewall, antivirus software, and enforce strong access controls as baseline security measures.
AnswerD

These are essential, cost-effective controls that meet PCI DSS requirements and protect against common threats.

Why this answer

The correct action (D) is to implement a firewall, antivirus and strong access controls as foundational measures that address core PCI DSS requirements at low cost. A SIEM (A) is too expensive and complex for a 50-person organisation to run as a first step. Outsourcing to an MSSP (B) may be considered later but is not the starting point for a program that has no baseline controls yet.

Developing custom security software (C) is unnecessary and wastes scarce resources.

122
MCQmedium

A security manager is tasked with building a business case for a new security program. Which metric is most persuasive to senior management?

A.Number of security incidents detected per month.
B.Estimated financial exposure from unmitigated risks.
C.Percentage of systems patched within 30 days.
D.Hours spent on security training.
AnswerB

Quantified risk exposure resonates with leadership.

Why this answer

Senior management cares about business impact; showing financial risk exposure demonstrates the need in their language.

123
Multi-Selectmedium

Which of the following are essential components of an information security program governance framework? (Select TWO.)

Select 2 answers
A.A security steering committee with executive representation.
B.A formal risk appetite statement.
C.Documented information security policies and procedures.
D.An incident response plan.
AnswersA, C

Why this answer

A security steering committee with executive representation is essential because it provides strategic oversight, aligns security initiatives with business objectives, and ensures resource allocation and governance accountability. This committee typically includes C-level executives who approve security policies, review risk posture, and enforce compliance across the organization. Documented policies and procedures are the second governance component: they record management's intent, assign responsibilities and give the committee's decisions enforceable form across the organization.

Exam trap

ISACA often tests the distinction between governance components (steering committee, policies) and operational or risk management artifacts (risk appetite statement, incident response plan), leading candidates to select familiar but incorrect operational items.

Why the other options are wrong

B

Risk appetite is part of risk management, not governance framework per se.

D

Operational plan, not a governance component.

124
MCQhard

During a security program review, the auditor finds that incident response procedures have not been tested in over two years. What is the MOST significant risk arising from this finding?

A.Non-compliance with regulatory requirements
B.Higher financial costs due to inefficiencies
C.Increased recovery time after an incident
D.Ineffective response leading to greater damage during an incident
AnswerD

Without testing, the plan may not work, causing extended damage.

Why this answer

Option D is correct because untested procedures may be ineffective or outdated, so a real incident could be handled badly and cause far greater damage than a rehearsed response would. Option A is wrong because non-compliance is possible but is a consequence rather than the most significant risk. Option B is wrong because higher costs are secondary.

Option C is wrong because increased recovery time is one symptom of an ineffective response, not the broader risk.

125
MCQmedium

An information security manager is developing a program metric to measure the effectiveness of the security awareness training. Which metric is most appropriate?

A.Percentage of employees who completed the training.
B.Number of security incidents caused by human error.
C.Average score on post-training tests.
D.Time taken to complete the training modules.
AnswerB

Why this answer

The most appropriate metric for measuring the effectiveness of security awareness training is the reduction in security incidents caused by human error. While completion rates and test scores measure participation and knowledge retention, they do not directly indicate whether the training has changed employee behavior and reduced real-world risk. A decrease in human-error-related incidents provides direct evidence that the training is effectively influencing secure practices.

Exam trap

The trap here is that candidates often confuse training completion or test scores with effectiveness, but CISM emphasizes outcome-based metrics that demonstrate actual risk reduction, not just activity completion.

Why the other options are wrong

A

Completion does not measure learning or behavior change.

C

Test scores measure knowledge retention, but not application in real situations.

D

Time is irrelevant to effectiveness; fast completion may indicate skipping content.

126
Multi-Selectmedium

An information security manager is designing a security program for a multinational organization. Which factors should be considered when developing the program governance structure? (Select 3)

Select 3 answers
A.Legal and regulatory requirements across jurisdictions
B.Current technology architecture
C.Business strategy and objectives
D.Organizational culture and risk appetite
AnswersA, C, D

Why this answer

Legal and regulatory requirements across jurisdictions are foundational because a multinational organization must comply with diverse data protection laws (e.g., GDPR in Europe, CCPA in California, LGPD in Brazil) that directly dictate security controls, breach notification timelines, and data residency rules. The governance structure must incorporate these obligations to avoid legal penalties and ensure consistent policy enforcement across borders. Business strategy and objectives (C) determine what the program must enable and protect, and organizational culture and risk appetite (D) set how much risk leadership will accept and how controls will be received by staff in each region; together these three shape the governance structure's scope, reporting lines and decision rights.

Exam trap

ISACA often tests the distinction between governance (strategy, culture, compliance) and management (architecture, tools, implementation), leading candidates to mistakenly select technology architecture as a governance factor.

Why the other options are wrong

B

Technology architecture is an operational concern, not governance.

127
MCQmedium

A company is designing its information security program and wants to ensure that it meets regulatory requirements across multiple jurisdictions. Which of the following approaches is most appropriate?

A.Adopt ISO 27001 as the sole framework for the program.
B.Implement a regulatory compliance framework that maps controls to applicable laws and standards.
C.Comply with the strictest regulation and ignore others.
D.Engage external legal counsel to review policies quarterly.
AnswerB

Maps controls to regulations, ensuring comprehensive and consistent compliance.

Why this answer

Option B is correct because a compliance framework that maps each control to the laws and standards it satisfies gives a structured, comprehensive view of coverage and lets one control serve several obligations. Option A (ISO 27001 alone) is a useful management-system standard but is not tailored to the specific requirements of each jurisdiction. Option C (comply with the strictest regulation and ignore the others) risks missing requirements that are unique to a particular jurisdiction, since the strictest regime is not a superset of all the others.

Option D (quarterly legal review) provides advice but not sustained program management.

128
MCQmedium

An organization's information security program is based on a risk management framework. Which of the following BEST describes the role of the information security manager in this context?

A.Setting the organization's risk appetite
B.Designing and managing the security program
C.Owning all information security risks
D.Conducting internal audits of controls
AnswerB

Why this answer

The information security manager is responsible for designing and managing the security program based on the risk management framework. This includes translating risk assessment results into security controls, policies, and procedures, and ensuring the program aligns with the organization's risk posture. The manager does not set risk appetite (that is a board-level decision) nor own all risks (risk owners are business process owners).

Exam trap

The trap here is confusing the information security manager's operational role with strategic or assurance roles, leading candidates to select 'setting risk appetite' or 'conducting internal audits' instead of the correct program management function.

Why the other options are wrong

A

Risk appetite is set by the board of directors, not the security manager.

C

Risk ownership resides with business process owners; the security manager facilitates risk management.

D

Internal audits are performed by audit function, not security management.

129
MCQhard

Match each information security program component to its primary focus area. Drag each component to its matching focus area.

Components
1. Risk Assessment
2. Security Awareness Training
3. Incident Response Plan
4. Policy Framework

Focus areas
A. Human factors and behavior
B. Structured response to events
C. Identification and analysis of threats
D. Governance and compliance requirements

Risk Assessment.C. Identification and analysis of threats
Security Awareness Training.A. Human factors and behavior
Incident Response Plan.B. Structured response to events
Policy Framework.D. Governance and compliance requirements

Why this answer

Risk Assessment focuses on identifying and analyzing threats. Security Awareness Training addresses human factors. Incident Response Plan provides structured response.

Policy Framework establishes governance and compliance.

Exam trap

Candidates often confuse Incident Response Plan with Risk Assessment, but incident response is about reaction, not identification.


130
MCQhard

A multinational organization needs to comply with GDPR and CCPA. What is the best approach for the information security program?

A.Implement a unified privacy framework covering all regulations
B.Adopt the most restrictive requirements from any regulation
C.Outsource compliance to a third-party provider
D.Create separate security programs for each region
AnswerA

A unified framework ensures compliance while maintaining efficiency.

Why this answer

Implementing a unified privacy framework that covers all regulations ensures consistency and reduces complexity, so Option A is correct. Option B (adopting the most restrictive requirements everywhere) may cause over-compliance and inefficiency where a regulation does not apply.

Option D (separate programs per region) duplicates effort and produces inconsistent controls. Option C (outsourcing compliance) transfers work but not accountability, and leaves the organization without internal ownership of its obligations.

131
MCQeasy

Which of the following best describes the primary purpose of an information security program?

A.To ensure 100% system availability
B.To eliminate all security risks
C.To manage security risks in alignment with business strategy
D.To achieve compliance with all applicable regulations
AnswerC

Program ensures security supports business objectives.

Why this answer

Option C is correct because the program's goal is to manage security risk to an acceptable level in support of business objectives. Option A is wrong because availability is one aspect of the CIA triad, not the primary purpose, and 100% availability is not achievable in any case. Option B is wrong because risk cannot be eliminated; it is managed down to the level the organization accepts.

Option D is wrong because regulatory compliance is a component of the program, not its overarching goal.

132
MCQeasy

A small business owner wants to establish an information security program but has limited budget and staff. Which of the following frameworks would be most appropriate to guide the program?

A.ISO/IEC 27001
B.NIST Cybersecurity Framework
C.COBIT 2019
D.PCI DSS
AnswerB

Flexible and adaptable, with tiers for maturity.

Why this answer

Option B is correct because the NIST Cybersecurity Framework is scalable and risk-based, with implementation tiers that let a small organization start modestly and mature over time. Option A is wrong because ISO/IEC 27001 is comprehensive but resource-intensive to implement and certify. Option C is wrong because COBIT is focused on enterprise IT governance, not specifically on security.

Option D is wrong because PCI DSS applies only to cardholder data and is not a general security program framework.

133
MCQhard

A financial institution's security program must comply with PCI DSS, GDPR, and SOX. Which approach is MOST efficient to manage overlapping compliance requirements?

A.Develop three separate control sets for each regulation
B.Focus only on the requirements of the strictest regulation
C.Implement a single control set mapped to all applicable regulations
D.Engage external auditors to manage compliance for each regulation
AnswerC

A unified control framework eliminates redundancy and streamlines compliance.

Why this answer

Option C is correct because a single control set mapped to every applicable regulation removes duplication and simplifies management and evidence collection. Option A is wrong because separate control sets per regulation are inefficient and drift apart over time. Option B is wrong because focusing only on the strictest regulation may miss requirements unique to the others.

Option D is wrong because outsourcing to auditors does not address the overlap and does not transfer accountability.

134
MCQhard

An organization has implemented a data classification policy but notices that employees often mark documents as 'internal use only' even when they contain personally identifiable information (PII). Which of the following is the most effective corrective action for the information security program?

A.Revise the data classification policy to simplify categories.
B.Conduct random audits and reprimand employees who misclassify data.
C.Increase the frequency of data classification training for all employees.
D.Deploy a data loss prevention (DLP) system that automatically classifies documents based on content inspection.
AnswerD

Automates classification, reducing user error and ensuring consistent labeling.

Why this answer

Option D is correct because classification based on content inspection removes the dependence on user judgement that caused the misclassification in the first place. Option C (more frequent training) may help but is less effective than automation, since these users are already trained and still mislabel. Option B (audits and reprimands) is punitive and does not address the root cause.

Option A (simplifying the categories) alone does not enforce correct labelling.
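To make concrete what "classifies documents based on content inspection" means, here is an added example, not part of the question or any product's rule set: a small content classifier that detects email addresses, US-style SSNs and Luhn-valid card numbers and enforces a label floor, so a document a user marked "internal" is upgraded when it contains PII. The patterns, the label hierarchy and the sample documents are assumptions made for the illustration; a real DLP deployment would use tuned detectors and a policy-driven mapping.

```python
import re
from typing import Dict, List, Tuple

# Assumed detectors for the example. SSN_RE rejects the area/group/serial values
# that are never issued; CARD_RE only finds candidate digit runs, Luhn filters them.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Assumed label hierarchy, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out ticket numbers and other digit runs that merely
    look like payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return only the PII categories actually present, with the matched values."""
    hits: Dict[str, List[str]] = {
        "email": EMAIL_RE.findall(text),
        "ssn": SSN_RE.findall(text),
        "card": [],
    }
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits["card"].append(digits)
    return {k: v for k, v in hits.items() if v}


def classify(text: str, user_label: str) -> Tuple[str, Dict[str, List[str]]]:
    """Enforced label = the stricter of the user's label and the content floor.

    Any PII raises the floor to 'confidential'; payment card data raises it to
    'restricted'. A user can still label UP (a board paper with no PII stays
    'restricted' if they say so), never down.
    """
    pii = find_pii(text)
    floor = "public"
    if pii:
        floor = "restricted" if "card" in pii else "confidential"
    enforced = max(user_label, floor, key=LEVELS.index)
    return enforced, pii


if __name__ == "__main__":
    # Constructed sample documents, each mislabelled "internal" by the author.
    samples = [
        "Q3 cafeteria menu update for all staff",
        "Applicant Jane Doe, jane.doe@example.com, SSN 123-45-6789, applied for the role.",
        "Refund to card 4111 1111 1111 1111 approved; ticket 1234 5678 9012 3456 is an internal reference.",
    ]
    for doc in samples:
        print(classify(doc, "internal"))
```

The third sample is the case worth noticing: both digit runs match the card pattern, but only the first passes Luhn, so the ticket number does not generate a false positive. Pattern-only classification without that check is a common source of DLP noise that leads users to stop trusting automatic labels.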

135
MCQhard

During a review of the information security program, the security manager discovers that the program's objectives are not aligned with the organization's strategic business goals. What is the best course of action?

A.Justify the existing objectives to management to demonstrate their value.
B.Revise the program objectives to align with business goals.
C.Implement additional security controls to compensate for the misalignment.
D.Escalate the issue to the board of directors without changes.
AnswerB

Why this answer

The CISM framework emphasizes that an information security program must be directly aligned with the organization's strategic business goals to ensure that security investments support business objectives rather than hinder them. Revising the program objectives to align with business goals (Option B) is the correct course of action because it ensures that security controls, risk appetite, and resource allocation are driven by business needs, not isolated technical requirements. This alignment is a core principle of the Information Security Program domain, as misalignment can lead to wasted resources, reduced executive support, and increased business risk.

Exam trap

ISACA often tests the misconception that adding more controls or escalating issues can substitute for strategic alignment, but the CISM exam specifically requires candidates to recognize that program objectives must be revised to match business goals before any other action is taken.

Why the other options are wrong

A

This does not address the misalignment; the objectives should be revised to match business goals.

C

Adding controls does not fix the strategic misalignment.

D

Escalation is not the first step; the manager should propose a solution.

136
Multi-Selecteasy

Which THREE are components of the Plan phase in a security program lifecycle (e.g., ISO 27001 PDCA)?

Select 3 answers
A.Risk assessment
B.Strategy alignment with business objectives
C.Monitoring and review
D.Implementation of controls
E.Policy development
AnswersA, B, E

Risk assessment is foundational to planning.

Why this answer

Risk assessment, strategy alignment and policy development are all part of planning, so Options A, B and E are correct. Option D (implementation of controls) belongs to the Do phase.

Option C (monitoring and review) belongs to the Check and Act phases.

137
Multi-Selectmedium

Which TWO of the following are key components of an information security program governance structure? (Select TWO.)

Select 2 answers
A.A steering committee that includes senior management and business unit leaders.
B.An incident response plan that defines roles and procedures.
C.Regular reporting to the board of directors on security metrics and risks.
D.A vulnerability scanning schedule and remediation SLAs.
E.A firewall policy that specifies allowed and denied traffic.
AnswersA, C

A steering committee ensures alignment with business strategy and provides oversight.

Why this answer

A steering committee that includes senior management and business unit leaders is a key component of an information security program governance structure because it provides strategic oversight, aligns security initiatives with business objectives, and ensures accountability at the executive level. This committee typically authorizes policies, reviews risk appetite, and approves resource allocation, which are essential for effective governance. Regular reporting to the board (C) is the second governance component: it keeps the body ultimately accountable for risk informed of the program's performance and open exposures, so that it can direct resources and adjust risk appetite.

Exam trap

ISACA often tests the distinction between governance (strategic oversight and decision-making) and management (operational execution and controls), so candidates mistakenly select operational items like incident response plans or vulnerability schedules as governance components.
