CCNA CISM Security Programme Questions

75 of 165 questions · Page 1/3 · CISM Security Programme topic · Answers revealed

1
Multi-Select · medium

A security awareness program includes phishing simulations. Which THREE factors should be considered when designing the simulation frequency and difficulty? (Select THREE)

Select 3 answers
A. Employee's years of service
B. Employee role and job function
C. Past phishing click rate trends
D. Number of security incidents in the past year
E. Current threat landscape and prevalent attack types
Answers: B, C, E

Different roles face different phishing risks.

Why this answer

Employee role, past click rates, and current threat landscape help tailor simulations for effectiveness and relevance.

2
MCQ · easy

Which of the following is a leading indicator of security program effectiveness?

A. Phishing click rate
B. Mean time to detect (MTTD)
C. Breach count
D. Number of security incidents
Answer: A

Phishing click rate is a leading indicator of user susceptibility and can be tracked proactively.

Why this answer

Leading indicators predict future security performance, and phishing click rate is a proactive measure that can be improved before a breach occurs.

3
MCQ · medium

A company is designing a third-party risk management (TPRM) program. Which factor should PRIMARILY determine the tier of a vendor?

A. Vendor's annual revenue
B. Length of business relationship
C. Contract value
D. Type of data accessed and service criticality
Answer: D

Risk is driven by data sensitivity and business impact.

Why this answer

Vendor tiering should be based on the risk they pose. Data access and service criticality directly affect organizational risk.

4
MCQ · easy

An information security manager is designing the reporting structure for the CISO. Which reporting structure is most likely to ensure independence and adequate authority for the security function?

A. CISO reports to the CFO
B. CISO reports to the CEO or board of directors
C. CISO reports to the CIO
D. CISO reports to the head of internal audit
Answer: B

This structure provides independence and direct access to top management, enhancing authority.

Why this answer

Reporting to the board or a senior executive not directly responsible for IT operations ensures independence and reduces conflicts of interest.

5
MCQ · medium

An organization is implementing a security champions program. Which of the following is the primary benefit of such a program?

A. Providing 24/7 security monitoring
B. Eliminating the need for security awareness training
C. Reducing the need for a dedicated security team
D. Embedding security expertise within development teams
Answer: D

Correct. Champions act as liaisons and advocates for security.

Why this answer

Security champions are advocates embedded in development teams to help integrate security into the development lifecycle, promoting secure development practices.

6
Multi-Select · medium

Which TWO of the following are key components of a security operations center (SOC)? (Select TWO)

Select 2 answers
A. Vulnerability scanning
B. Identity and access management
C. Incident response
D. Security monitoring and detection
E. Application security testing
Answers: C, D

Core SOC function.

Why this answer

A SOC focuses on monitoring, detection, and response. Vulnerability management and identity management are separate functions.

7
Multi-Select · medium

A security manager is designing a security awareness program. Which TWO metrics are leading indicators of program effectiveness?

Select 2 answers
A. Knowledge assessment scores from training.
B. Phishing simulation click rate.
C. Number of security incidents reported by employees.
D. Number of phishing emails reported by users.
E. Mean time to detect (MTTD) a phishing attack.
Answers: A, B

Indicates retention of training content.

Why this answer

Leading indicators predict future performance. Phishing click rate and knowledge assessment scores measure current behavior and knowledge, which can predict future incidents.

8
MCQ · medium

A company is selecting a security control framework. They want a prioritized set of controls that are implementation group-based and address common cyber threats. Which framework best meets these requirements?

A. COBIT 2019
B. NIST SP 800-53
C. ISO 27001 Annex A
D. CIS Controls v8
Answer: D

CIS Controls v8 uses IG1, IG2, IG3 for prioritization and is threat-informed.

Why this answer

CIS Controls v8 are organized into Implementation Groups (IG1, IG2, IG3) and provide a prioritized, threat-informed set of controls.

9
MCQ · medium

An organization is implementing a security controls framework and needs to prioritize controls for a small business with limited resources. Which implementation group from CIS Controls v8 should be addressed first?

A. IG2
B. IG1
C. IG3
D. IG0
Answer: B

Correct. IG1 is the foundational set of controls for small businesses.

Why this answer

CIS Controls v8 defines Implementation Group 1 (IG1) as "essential cyber hygiene": the foundational set of 56 safeguards intended for organizations with limited IT and security resources. IG1 is the minimum baseline and should be implemented first; IG2 and IG3 build on it. There is no IG0.

10
MCQ · hard

During third-party risk assessment, a vendor is found to have access to sensitive customer data. The vendor's own supply chain includes a critical fourth-party component. What is the BEST way to address this nth-party risk?

A. Ignore the fourth party as it is outside the organization's scope
B. Conduct a direct assessment of the fourth party
C. Terminate the contract with the vendor
D. Request the vendor to assess and pass through security requirements to its suppliers
Answer: D

Contractual flow-down ensures requirements are met down the chain.

Why this answer

Requiring the vendor to manage its sub-suppliers through contractual flow-down ensures the organization's risk requirements extend throughout the supply chain.

11
Multi-Select · easy

Which TWO of the following are components of a typical vulnerability management program?

Select 2 answers
A. Conducting security awareness training
B. Remediating identified vulnerabilities through patching
C. Monitoring network traffic for anomalies
D. Performing penetration tests
E. Conducting regular vulnerability scans
Answers: B, E

Remediation is a core component.

Why this answer

Vulnerability management includes scanning for vulnerabilities and remediation (patching).

12
Multi-Select · hard

A company is implementing a vendor tiering system for third-party risk management. Which TWO factors should be used to determine the tier of a vendor?

Select 2 answers
A. Vendor's marketing budget
B. Criticality of the service provided by the vendor
C. Vendor's stock price
D. Type of data accessed by the vendor
E. Vendor's annual revenue
Answers: B, D

Correct. Service criticality affects business impact.

Why this answer

Vendor tiering is typically based on the sensitivity of data the vendor accesses and the criticality of the service they provide. These factors determine the risk level and required controls.

13
MCQ · hard

An organization with a mature security program is reviewing its budget allocation. The board has asked the CISO to justify a proposed increase. Which of the following provides the STRONGEST justification for the security budget?

A. Benchmarking against industry peers showing that the proposed budget is below average.
B. Breach avoidance value, estimating the cost of incidents that were prevented.
C. Operational efficiency gains from automation of security processes.
D. Compliance with all regulatory requirements to avoid fines.
Answer: B

This directly demonstrates ROI.

Why this answer

Breach avoidance value quantifies the financial impact of prevented incidents, providing a direct link between security investment and risk reduction, which is compelling to the board.

14
MCQ · easy

Which of the following is a leading indicator of security program effectiveness?

A. Access review completion rate
B. Number of data breaches
C. Cost of a data breach
D. Mean time to respond (MTTR)
Answer: A

Leading indicator showing proactive identity governance.

Why this answer

Leading indicators measure proactive security posture; access review completion rate indicates how well entitlements are managed.

15
Multi-Select · easy

In designing a security operations centre (SOC), which TWO functions are core to the SOC's responsibilities? (Select TWO.)

Select 2 answers
A. Vulnerability management
B. Security monitoring and detection
C. Security awareness training
D. Security architecture design
E. Incident response
Answers: B, E

Monitoring and detection are core SOC functions.

Why this answer

The SOC core functions include monitoring security events, detecting threats, and responding to incidents. Vulnerability management and security architecture are typically separate functions, though they may interact with the SOC.

16
MCQ · medium

A security manager is selecting a controls framework for a new organization. Which framework provides the most granular control families and is widely used for US federal agencies?

A. CIS Controls v8
B. ISO 27001 Annex A
C. NIST SP 800-53
D. COBIT 2019
Answer: C

NIST SP 800-53 Rev. 5 organizes roughly 1,000 controls and control enhancements into 20 control families (e.g., AC, IA, SC).

Why this answer

NIST SP 800-53 is a comprehensive catalog of controls organized into families, commonly used by US federal agencies and many private organizations.

17
MCQ · hard

A company maintains a security scorecard for the executive team. Which metric is MOST appropriate to include as a leading indicator on a one-page dashboard?

A. Phishing click rate
B. Average cost per incident
C. Number of data breaches in the past year
D. Number of security tools deployed
Answer: A

It is a leading indicator that can be improved with training.

Why this answer

Phishing click rate is a leading indicator that measures user awareness and predicts future compromise risk.

18
MCQ · hard

An organization's security budget is 12% of the IT budget. Which of the following best describes the maturity of this security program?

A. Immature, because security should be less than 5% of IT budget
B. Mature, but only if it also includes a separate budget for compliance
C. Mature, as it aligns with the 10-15% benchmark
D. Overbudgeted, as the ideal is 8% of IT budget
Answer: C

12% is within the typical range for mature programs.

Why this answer

The benchmark this question relies on places mature security programs at 10-15% of the IT budget; 12% falls inside that range. In practice, published benchmarks vary widely by industry, survey and year, so spend ratio alone is a weak maturity signal and should be read alongside outcome metrics.

19
MCQ · hard

An organization uses ISO 27001 Annex A controls. During a risk assessment, they identify a need for a compensating control because the primary control is not feasible. What should the security manager do FIRST?

A. Accept the risk without any control
B. Remove the asset from scope
C. Document the risk and obtain management approval for the compensating control
D. Implement the compensating control immediately
Answer: C

Formal risk acceptance ensures due diligence and management buy-in.

Why this answer

Compensating controls require formal acceptance of the residual risk and approval by management to ensure accountability.

20
Multi-Select · medium

A CISO is building a security operations center (SOC). Which TWO of the following are primary functions of a SOC?

Select 2 answers
A. Continuous monitoring of security events and alerts.
B. Conducting penetration tests of critical applications.
C. Performing vulnerability scans and patch management.
D. Incident detection and response.
E. Developing secure coding standards for developers.
Answers: A, D

Monitoring is a key SOC function.

Why this answer

A SOC's core functions are monitoring for threats and responding to incidents. Vulnerability management and architecture are separate functions.

21
MCQ · medium

A CISO is designing a security scorecard for the board of directors. Which metric is most appropriate to include for a one-page executive dashboard?

A. Detailed list of known vulnerabilities
B. Number of phishing simulations conducted
C. Names of vendors with critical findings
D. Percentage of systems patched within SLA
Answer: D

Correct. This metric indicates the effectiveness of vulnerability management at a high level.

Why this answer

The board needs high-level, strategic metrics. Percentage of systems patched within SLA provides a clear, concise view of vulnerability management status, which is critical for risk reduction.

22
Multi-Select · hard

A security manager is building a business case for additional security budget. Which THREE justifications are most effective for obtaining executive approval? (Select THREE)

Select 3 answers
A. Number of security tools deployed
B. Compliance cost avoidance
C. Breach avoidance value
D. Operational efficiency improvements
E. Industry peer comparison
Answers: B, C, D

Avoiding fines and penalties has clear financial benefit.

Why this answer

Breach avoidance value, compliance cost avoidance, and operational efficiency gains are direct, quantifiable benefits that resonate with executives.

23
MCQ · medium

A security manager is selecting controls for a new application. Which of the following is the BEST approach for prioritization?

A. Select controls based on vendor recommendations
B. Implement controls in the order of ease of deployment
C. Prioritize critical controls that address the highest risks
D. Implement all controls simultaneously
Answer: C

Risk-based prioritization focuses on what matters most.

Why this answer

Prioritizing critical controls first ensures the most important risks are addressed before less critical ones.

24
MCQ · easy

Which of the following is a key objective of implementing a security champions program?

A. To replace the need for a formal security awareness program
B. To reduce the number of security tools needed
C. To embed security advocates in development teams
D. To conduct phishing simulations for all employees
Answer: C

Security champions act as liaisons, improving security integration.

Why this answer

Security champions are volunteers within development teams who promote security best practices and facilitate communication between security and development.

25
MCQ · hard

An information security manager needs to justify a budget increase. Which approach would be MOST effective for gaining executive approval?

A. List all planned technology purchases
B. Describe the latest cyber threats
C. Present ROI analysis showing breach avoidance savings
D. Show industry benchmarks for security spending
Answer: C

Directly ties spending to risk reduction and financial impact.

Why this answer

Executives respond to financial justification. ROI based on breach avoidance demonstrates value in monetary terms.

26
MCQ · medium

In the context of defense-in-depth, which control provides protection at the network layer to prevent unauthorized access?

A. Encryption of data at rest
B. Antivirus software
C. Firewalls
D. Security awareness training
Answer: C

Firewalls enforce network access control.

Why this answer

Firewalls are a network security control that filter traffic based on rules.

27
MCQ · medium

A company is developing security metrics to present to the C-suite. Which metric is a leading indicator of security performance?

A. Percentage of user access reviews completed on time
B. Mean time to detect (MTTD) security incidents
C. Total cost of security incidents
D. Number of data breaches in the past quarter
Answer: A

This is a leading indicator because timely access reviews prevent unauthorized access.

Why this answer

Leading indicators predict future security outcomes. Access review completion rates indicate how well access controls are managed, which reduces risk of unauthorized access.

28
MCQ · medium

An organization's CISO reports to the CIO. The CISO is concerned that security initiatives are often deprioritized due to conflicts of interest. Which reporting structure would best address this concern?

A. Reporting to the CEO
B. Reporting to the COO
C. Reporting to the board or risk committee
D. Reporting to the CFO
Answer: C

This ensures independent oversight and alignment with risk appetite.

Why this answer

Reporting to the board or a risk committee provides independent oversight and reduces conflicts inherent in reporting to IT or operations.

29
Multi-Select · medium

A CISO is establishing a vendor risk management (TPRM) program. Which THREE of the following are key components of an effective TPRM program?

Select 3 answers
A. Exit procedures to ensure data is returned or destroyed.
B. Performing a single annual assessment for all vendors.
C. Onboarding risk assessment based on vendor criticality and data access.
D. Requiring all vendors to have ISO 27001 certification.
E. Ongoing monitoring of vendor security posture.
Answers: A, C, E

Proper termination reduces residual risk.

Why this answer

A TPRM program includes onboarding risk assessment, ongoing monitoring, and exit procedures to manage risks throughout the vendor lifecycle.

30
MCQ · hard

A security manager needs to justify an increase in the security budget. Which metric is MOST compelling to demonstrate the value of security investments to the board?

A. Number of phishing simulations conducted
B. Percentage of IT budget allocated to security
C. Return on investment (ROI) from avoided breach costs
D. Number of security tools deployed
Answer: C

ROI shows the financial benefit of security spending.

Why this answer

ROI calculations, such as breach avoidance value, show financial benefit and resonate with the board.

31
Multi-Select · medium

An organization is developing a vendor risk management program. Which TWO of the following should be included in the vendor onboarding risk assessment?

Select 2 answers
A. Verification of security certifications (e.g., SOC 2, ISO 27001)
B. Assessment of data classification and access levels
C. Vendor's employee satisfaction surveys
D. Review of vendor's financial stability
E. Vendor's marketing materials
Answers: A, B

Provides evidence of security controls.

Why this answer

Onboarding assessment should evaluate inherent risk (data access) and security capabilities (certifications).

32
MCQ · hard

A company is implementing a third-party risk management program and needs to prioritize vendors for assessment. Which factor should be given the highest weight?

A. Data access level and service criticality
B. Contract value
C. Duration of the relationship
D. Vendor size
Answer: A

These directly impact the organization's risk posture.

Why this answer

The sensitivity of data accessed and the criticality of the service to operations are primary risk factors for vendor prioritization.

33
MCQ · medium

Which metric is considered a lagging indicator of security program performance?

A. Patch compliance percentage
B. Mean time to detect (MTTD)
C. Access review completion rate
D. Phishing simulation click rate
Answer: B

Correct. MTTD measures how quickly past incidents were detected.

Why this answer

Lagging indicators measure past events. Mean time to detect (MTTD) is a lagging indicator because it reflects historical detection efficiency.

34
MCQ · medium

An organization is implementing a defense-in-depth strategy. Which of the following control combinations BEST exemplifies this principle?

A. A single firewall with access control lists
B. Antivirus software on all endpoints
C. Physical locks on server room doors and CCTV
D. Network segmentation, intrusion detection systems, and full-disk encryption
Answer: D

Multiple overlapping controls across network, host, and data layers.

Why this answer

Defense-in-depth uses multiple independent layers of controls so that one failure does not expose the whole estate. Network segmentation (preventive, network layer) limits lateral movement, IDS (detective, host/network layer) surfaces activity that slips past prevention, and full-disk encryption (preventive, data layer) protects data if a device or disk is taken. Option C is also two layers, but both are physical controls at the same point; Option D spans network, host and data.

35
MCQ · hard

During a third-party risk assessment, the security team discovers that a critical vendor's sub-supplier (nth party) has access to sensitive data. The vendor contract does not address nth-party risk. What is the BEST course of action?

A. Accept the risk because the vendor is contractually responsible
B. Revise the contract to require the vendor to flow down security requirements to sub-suppliers
C. Perform an on-site assessment of the sub-supplier
D. Request that the vendor terminate the sub-supplier relationship
Answer: B

This ensures the vendor manages nth-party risks contractually.

Why this answer

The organization should require the vendor to contractually manage nth-party risks, as the organization's data is still at risk.

36
MCQ · medium

Which of the following is a leading indicator for security performance?

A. Patch compliance percentage
B. Mean time to recover (MTTR)
C. Number of data breaches
D. Mean time to detect (MTTD)
Answer: A

Leading indicator of vulnerability management effectiveness.

Why this answer

Leading indicators are proactive measures that predict future performance. Patch compliance is a leading indicator because it shows current security posture that influences future incidents.

37
MCQ · medium

An organization is developing a security scorecard for the CISO. Which of the following is a leading indicator that would be most useful for predicting future security incidents?

A. Mean time to respond (MTTR) to incidents
B. Number of security incidents in the past quarter
C. Total cost of security incidents
D. Percentage of systems compliant with patch SLAs
Answer: D

Patch compliance is a leading indicator of potential vulnerabilities.

Why this answer

Leading indicators, such as the percentage of systems with known vulnerabilities patched within the SLA, provide early warning of potential issues. Patch compliance is a proactive measure that reduces risk.

38
Multi-Select · medium

Which THREE elements are essential components of a third-party risk management (TPRM) program? (Select THREE)

Select 3 answers
A. Automated patching of vendor systems
B. Contractual security requirements
C. Shared SOC services
D. Vendor tiering based on data access and criticality
E. Onboarding risk assessment
Answers: B, D, E

Legal enforceability ensures compliance.

Why this answer

Contractual security requirements (Option B) are essential because they legally bind the vendor to specific security controls, data protection obligations, and compliance standards. Without these enforceable clauses in the contract, the organization has no formal recourse if the vendor suffers a breach or fails to meet security expectations. This is a foundational element of any third-party risk management program, as it sets the baseline for acceptable risk transfer and due care.

Exam trap

The trap is confusing operational security controls (patching, a shared SOC) with the governance components that define a TPRM program. Options A and C describe how an organization secures an environment; options B, D and E describe how it manages vendor risk.

39
Multi-Select · hard

Which TWO of the following are characteristics of a security champions program that contribute to its effectiveness?

Select 2 answers
A. Champions report directly to the CISO
B. Champions are rotated every six months
C. Champions act as liaisons between security and their teams
D. Champions have authority to enforce security policies
E. Champions are volunteers from development teams with additional security training
Answers: C, E

Liaison role facilitates communication and adoption.

Why this answer

Security champions are embedded in teams and receive specialized training, enabling them to advocate security practices.

40
MCQ · easy

Which security control framework is organized into Implementation Groups (IG1, IG2, IG3) based on organizational risk profile and resources?

A. NIST SP 800-53
B. COBIT 2019
C. ISO 27001 Annex A
D. CIS Controls v8
Answer: D

CIS Controls v8 defines Implementation Groups IG1, IG2, and IG3 to guide prioritization.

Why this answer

CIS Controls v8 uses Implementation Groups to help organizations prioritize controls based on their maturity and risk.

41
Multi-Select · easy

A security architect is designing a defense-in-depth strategy for a financial institution. Which TWO of the following are essential components of a defense-in-depth approach?

Select 2 answers
A. A single, strong firewall at the network perimeter.
B. A single sign-on (SSO) solution for all applications.
C. Network segmentation to isolate critical systems.
D. Annual penetration testing as the primary security control.
E. Endpoint detection and response (EDR) on all workstations and servers.
Answers: C, E

Limits the impact of a breach.

Why this answer

Defense-in-depth uses multiple layers of security controls. Network segmentation limits lateral movement, and endpoint detection provides visibility at the host level.

42
MCQ · medium

A security manager is developing metrics for the executive dashboard. Which combination of metrics provides a balanced view of security program performance?

A. Phishing click rate and mean time to detect (MTTD)
B. Budget spent and number of security tools deployed
C. Patch compliance percentage and number of phishing simulation clicks
D. Number of security incidents and mean time to respond (MTTR)
Answer: A

Phishing click rate is a leading indicator; MTTD is a lagging indicator, providing balance.

Why this answer

A balanced dashboard should include both leading and lagging indicators to show current effectiveness and past outcomes.
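The leading-versus-lagging distinction in questions 2, 14, 21, 33, 36, 37 and 42 is easiest to see once the metrics are actually computed from operational records. The following is an added example, not code from the original page: a small Python scorecard that derives patch-SLA compliance (leading), the phishing click-rate trend across campaigns (leading) and mean time to detect (lagging) from constructed sample data. The severity-based SLA table, the hypothetical hosts, campaigns and incidents are all assumptions made for the illustration; a real scorecard would read the same fields from the vulnerability scanner, the phishing platform and the incident tracker.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Assumed remediation SLA per severity, in days (a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class Finding:
    host: str
    severity: str
    published: datetime            # when the fix became available
    remediated: Optional[datetime] # None means still open


def patch_sla_compliance(findings: List[Finding], now: datetime) -> Dict[str, float]:
    """Percent of findings closed on or before their SLA deadline, per severity.

    A finding is judged once it is remediated or its deadline has passed; open
    findings that are not yet due carry no verdict, so they are excluded.
    """
    counted: Dict[str, int] = {}
    met: Dict[str, int] = {}
    for f in findings:
        deadline = f.published + timedelta(days=SLA_DAYS[f.severity])
        if f.remediated is None and deadline > now:
            continue  # open but not yet due: not a miss, not a pass
        ok = f.remediated is not None and f.remediated <= deadline
        counted[f.severity] = counted.get(f.severity, 0) + 1
        met[f.severity] = met.get(f.severity, 0) + int(ok)
    result = {sev: round(100 * met[sev] / counted[sev], 1) for sev in counted}
    total = sum(counted.values())
    result["overall"] = round(100 * sum(met.values()) / total, 1) if total else 0.0
    return result


def click_rates(campaigns: List[dict]) -> List[float]:
    """Click rate (%) per simulation campaign, in campaign order."""
    return [round(100 * c["clicked"] / c["sent"], 1) for c in campaigns]


def trend_slope(series: List[float]) -> float:
    """Least-squares slope in percentage points per campaign (negative = improving)."""
    n = len(series)
    xs = list(range(n))
    x_bar, y_bar = mean(xs), mean(series)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, series))
    sxx = sum((x - x_bar) ** 2 for x in xs)
    return round(sxy / sxx, 2) if sxx else 0.0


def mttd_hours(incidents: List[dict]) -> float:
    """Mean time to detect in hours: average of detected_at minus compromised_at."""
    gaps = [(i["detected_at"] - i["compromised_at"]).total_seconds() / 3600 for i in incidents]
    return round(mean(gaps), 1)


def scorecard(findings, campaigns, incidents, now) -> Dict[str, Dict[str, object]]:
    """Group the metrics the way an executive dashboard should present them."""
    rates = click_rates(campaigns)
    return {
        "leading": {
            "patch_sla_compliance_pct": patch_sla_compliance(findings, now),
            "phishing_click_rate_pct": rates,
            "phishing_click_trend_pp_per_campaign": trend_slope(rates),
        },
        "lagging": {"mttd_hours": mttd_hours(incidents)},
    }


# Constructed sample data (hypothetical hosts, dates and counts).
NOW = datetime(2024, 6, 30)
FINDINGS = [
    Finding("web-01", "critical", datetime(2024, 6, 1), datetime(2024, 6, 5)),   # met (7d)
    Finding("web-02", "critical", datetime(2024, 6, 10), datetime(2024, 6, 20)), # late
    Finding("db-01", "high", datetime(2024, 5, 1), datetime(2024, 5, 20)),       # met (30d)
    Finding("db-02", "high", datetime(2024, 5, 15), None),                       # overdue
    Finding("app-01", "high", datetime(2024, 4, 1), datetime(2024, 4, 10)),      # met
    Finding("app-02", "medium", datetime(2024, 6, 20), None),                    # not due yet
    Finding("app-03", "critical", datetime(2024, 6, 26), None),                  # not due yet
]
CAMPAIGNS = [
    {"quarter": "Q1", "sent": 200, "clicked": 40},
    {"quarter": "Q2", "sent": 200, "clicked": 30},
    {"quarter": "Q3", "sent": 200, "clicked": 24},
    {"quarter": "Q4", "sent": 200, "clicked": 16},
]
INCIDENTS = [
    {"compromised_at": datetime(2024, 5, 1, 8), "detected_at": datetime(2024, 5, 1, 20)},
    {"compromised_at": datetime(2024, 5, 10), "detected_at": datetime(2024, 5, 12)},
    {"compromised_at": datetime(2024, 6, 2, 9), "detected_at": datetime(2024, 6, 2, 12)},
]

if __name__ == "__main__":
    print(scorecard(FINDINGS, CAMPAIGNS, INCIDENTS, NOW))
```

Note how the two kinds of metric differ in what they can tell the board: the patch and phishing figures describe exposure that still exists today and can be driven down before an incident, whereas MTTD can only be measured after compromises have already happened, which is why question 42 pairs one of each.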

43
Multi-Select · medium

An organization is designing a vendor tiering process for its third-party risk management program. Which TWO factors are MOST appropriate for determining a vendor's risk tier?

Select 2 answers
A. Type and sensitivity of data the vendor accesses
B. Vendor's geographic location
C. Number of employees at the vendor
D. Vendor's annual revenue
E. Criticality of the vendor's service to business operations
Answers: A, E

High sensitivity data increases risk.

Why this answer

Data access and service criticality are primary factors for tiering vendors.

44
MCQ · easy

Which control family in NIST SP 800-53 addresses the identification and authentication of users?

A. Personnel Security (PS)
B. Identification and Authentication (IA)
C. System and Communications Protection (SC)
D. Access Control (AC)
Answer: B

Correct. IA family addresses user identity and authentication.

Why this answer

The Identification and Authentication (IA) family in NIST SP 800-53 covers user identification, authentication, and credential management.

45
MCQ · hard

An organization uses ISO 27001 Annex A as its control framework. During a risk assessment, a control weakness is identified that could lead to a high-impact data breach. However, implementing the recommended control is cost-prohibitive. Which approach BEST addresses this situation?

A. Transfer the risk through cyber insurance
B. Implement a compensating control that provides equivalent protection
C. Reduce the risk rating to justify not implementing
D. Accept the risk without further action
Answer: B

Compensating controls address the risk differently but effectively.

Why this answer

Compensating controls provide an alternative means of mitigating risk when the primary control is not feasible.

46
MCQ · medium

During a third-party risk assessment, the security team discovers that a critical vendor has subcontracted data processing to another company without notification. This represents which type of risk?

A. Nth-party risk
B. Fourth-party risk
C. Inherent risk
D. Residual risk
Answer: A

Nth-party risk covers risks from subcontractors or suppliers further down the chain.

Why this answer

Nth-party risk is the general term for risk introduced by the suppliers of your suppliers at any depth of the chain. A vendor's direct subcontractor is the fourth-party case, so option B is not wrong in itself, but the exam expects the broader nth-party term because the same undisclosed-subcontracting problem recurs at every further link, and it is routinely overlooked when contracts only address the direct vendor.

47
MCQ · medium

A security awareness program includes phishing simulations. Which metric best measures the long-term effectiveness of the program?

A. Number of phishing simulation campaigns per year
B. Click rate trend over multiple simulation cycles
C. Pass rate on phishing simulation knowledge test
D. Number of employees who report phishing emails
Answer: B

Shows sustained improvement in user vigilance.

Why this answer

A sustained downward trend in click rate across cycles indicates improved awareness and behavior, whereas a single campaign's click rate or report count varies with lure difficulty and timing and can mislead on its own.

48
MCQ · medium

An organization is implementing a defense-in-depth strategy. Which of the following control combinations BEST exemplifies this approach?

A. Access control lists, data loss prevention, and encryption
B. Firewall, antivirus, and encryption
C. Network segmentation, intrusion detection system, and incident response plan
D. Security awareness training, vulnerability scanning, and patching
Answer: C

This includes preventive, detective, and corrective controls across multiple layers.

Why this answer

Defense-in-depth uses multiple layers of controls; here, network segmentation (preventive), IDS (detective), and incident response plan (corrective) cover different stages.

49
MCQ · medium

A company is designing a security awareness program. Which approach is MOST effective for ensuring that employees apply security principles in their daily work?

A. Annual computer-based training for all employees covering general security topics
B. Role-based training: developers receive secure coding training, executives receive social engineering awareness
C. Monthly phishing simulations without any accompanying training
D. A one-time security awareness seminar conducted by an external consultant
Answer: B

Tailored training addresses specific risks and is more effective in changing behavior.

Why this answer

Role-based training targets specific risks relevant to each job function, making the training more practical and memorable.

50
MCQ · easy

In designing a security programme for a mid-sized enterprise, the CISO is deciding which security framework to adopt for control selection. Which of the following frameworks is specifically structured around implementation groups (IG1, IG2, IG3) to help organizations prioritize controls based on risk and maturity?

A. CIS Controls v8
B. ISO 27001 Annex A
C. NIST SP 800-53
D. COBIT 2019
Answer: A

CIS Controls v8 define Implementation Groups (IG1, IG2, IG3) for prioritization.

Why this answer

The CIS Controls v8 are organized into three Implementation Groups (IG1, IG2, IG3) to guide organizations in prioritizing controls based on their risk profile and security maturity. NIST SP 800-53 and ISO 27001 use different categorizations.

51
Multi-Select · hard

An organization is implementing an identity and access management (IAM) program. Which THREE of the following are key components of a mature IAM program?

Select 3 answers
A. Biometric authentication for all users.
B. Role-based access control (RBAC) aligned with job functions.
C. Quarterly access reviews for critical systems.
D. Single sign-on (SSO) for all cloud applications.
E. Automated provisioning and de-provisioning of user accounts.
Answers: B, C, E

RBAC simplifies access management.

Why this answer

Mature IAM includes lifecycle management (provisioning/de-provisioning), role-based access control (RBAC), and periodic access reviews to ensure least privilege.
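The three components in this answer (RBAC, periodic access reviews and automated de-provisioning) come together in one concrete routine: reconciling the accounts that actually exist against the HR roster and the entitlements each role is supposed to carry. Below is an added example, not code from the original page, that performs that reconciliation in Python over a constructed HR roster, role-to-entitlement map and account export (all hypothetical) and turns the findings into a revocation list. It also shows the access-review completion metric from questions 14 and 27 for the same data.

```python
from typing import Dict, Set, Tuple

# Constructed inputs (hypothetical users, roles and entitlements).
# HR roster: user -> (employment status, job role); the source of truth for RBAC.
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("active", "developer"),
    "bob": ("terminated", "finance"),   # left, but still has accounts below
    "carol": ("active", "finance"),
    "dave": ("active", "developer"),
}

# Assumed role model: the entitlements each job function is allowed to hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "developer": {"git", "ci"},
    "finance": {"erp", "payroll"},
}

# Export from the identity provider: user -> entitlements currently granted.
ACCOUNTS: Dict[str, Set[str]] = {
    "alice": {"git", "ci"},
    "bob": {"erp", "payroll"},          # orphaned: de-provisioning failed
    "carol": {"erp"},                   # under-provisioned relative to role
    "dave": {"git", "ci", "payroll"},   # excess entitlement outside role
    "svc_backup": {"erp"},              # no HR record at all
}


def access_review(hr, role_entitlements, accounts) -> Dict[str, object]:
    """Compare granted access with what RBAC says each person should have."""
    orphaned: Set[str] = set()              # terminated people with live accounts
    unknown: Set[str] = set()               # accounts with no owner in HR
    excess: Dict[str, Set[str]] = {}        # entitlements beyond the role
    missing: Dict[str, Set[str]] = {}       # role entitlements not yet granted
    for user, granted in accounts.items():
        if user not in hr:
            unknown.add(user)
            continue
        status, role = hr[user]
        if status != "active":
            orphaned.add(user)
            continue
        expected = role_entitlements.get(role, set())
        if granted - expected:
            excess[user] = granted - expected
        if expected - granted:
            missing[user] = expected - granted
    return {"orphaned": orphaned, "unknown": unknown, "excess": excess, "missing": missing}


def revocation_plan(review, accounts) -> Set[Tuple[str, str]]:
    """Every (user, entitlement) pair that violates least privilege and must be removed."""
    revoke: Set[Tuple[str, str]] = set()
    for user in review["orphaned"] | review["unknown"]:
        revoke |= {(user, e) for e in accounts[user]}
    for user, extras in review["excess"].items():
        revoke |= {(user, e) for e in extras}
    return revoke


def review_completion_rate(assigned: int, completed: int) -> float:
    """Percent of assigned access reviews signed off on time; a leading indicator."""
    return round(100 * completed / assigned, 1) if assigned else 0.0


if __name__ == "__main__":
    findings = access_review(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNTS)
    for user, ent in sorted(revocation_plan(findings, ACCOUNTS)):
        print(f"REVOKE {ent} from {user}")
    print("under-provisioned:", findings["missing"])
```

Excess and orphaned entries are the security findings; the missing ones are a productivity issue rather than a risk, but they are worth reporting because they usually indicate provisioning automation that has drifted from the role model. Running this on a schedule, with the revocations fed back to the identity provider, is what "automated de-provisioning" and "quarterly access reviews" look like in practice.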

52
Multi-Select · medium

Which TWO metrics are considered leading indicators for information security program performance?

Select 2 answers
A. Patch compliance percentage
B. Phishing click rate
C. Number of data breaches
D. Mean time to detect (MTTD)
Answers: A, B

High patch compliance reduces vulnerability risk, predicting fewer future exploits.

Why this answer

Leading indicators predict future performance; phishing click rate and patch compliance are proactive measures.

53
Multi-Select · medium

Which TWO budget components are considered 'services' in a typical security budget?

Select 2 answers
A. Penetration testing conducted by an external firm
B. Security awareness training software license
C. Firewall hardware
D. Salaries for security staff
E. Managed Security Service Provider (MSSP) fees
Answers: A, E

Pen testing is a professional service.

Why this answer

Services cover work bought from outside the organization, such as external consultants, penetration testers and managed security services. Software licenses and firewall hardware are technology spend, and staff salaries are personnel spend.

54
MCQeasy

A security manager is designing a security awareness program for a mid-sized organization. Which of the following is the MOST effective approach to ensure that training is relevant to different employee roles?

A.Deliver the same annual training to all employees to ensure consistency.
B.Provide role-based training that addresses specific risks for each job function.
C.Focus only on senior executives since they are the primary targets of social engineering.
D.Conduct quarterly phishing simulations without any formal training.
Answer: B

Role-based training is tailored and more effective.

Why this answer

Role-based training tailors content to specific job functions, making it more relevant and effective than generic training. Developers need secure coding, executives need social engineering awareness, and all staff need basic awareness.

55
MCQ · easy

In a vendor tiering system for third-party risk management, which factor is most critical for determining the tier?

A.Vendor's data access and service criticality
B.Vendor's annual revenue
C.Vendor's geographic location
D.Vendor's number of employees
Answer: A

These determine the potential impact on the organization.

Why this answer

The vendor's access to sensitive data and the criticality of the service to business operations are the primary factors for tiering, as they directly impact risk exposure.

56
Multi-Select · medium

Which THREE of the following are key activities in a third-party risk management (TPRM) program?

Select 3 answers
A.Ongoing monitoring of vendor security posture
B.Providing vendor with access to internal network
C.Negotiating contract security requirements
D.Onboarding risk assessment for new vendors
E.Performing background checks on vendor employees
Answers: A, C, D

Continuous monitoring detects changes in risk.

Why this answer

TPRM includes onboarding risk assessment, contract security requirements, and ongoing monitoring.

57
Multi-Select · hard

A security manager is developing a set of objectives and key results (OKRs) for the security program. Which THREE would be considered effective security OKRs?

Select 3 answers
A.Objective: Implement a new SIEM. Key Result: Deploy SIEM by Q3.
B.Objective: Enhance incident response. Key Result: Achieve 100% of incidents logged within 1 hour of detection.
C.Objective: Improve vulnerability management. Key Result: Reduce mean time to remediate critical vulnerabilities from 30 to 7 days.
D.Objective: Increase security awareness. Key Result: Conduct quarterly phishing simulations.
E.Objective: Reduce risk from third parties. Key Result: Complete risk assessments for 100% of high-tier vendors by year-end.
Answers: B, C, E

Measurable and outcome-focused.

Why this answer

OKRs should be measurable and tied to security outcomes. Option A measures delivery of a tool rather than a change in risk, and option D describes an activity with no target, so neither is an effective key result.

58
MCQ · medium

A CISO is presenting security metrics to the board. Which of the following metrics would be MOST relevant for a one-page executive dashboard?

A.Breach count and associated financial impact
B.Mean time to detect (MTTD) for incidents
C.Number of firewall rule changes per month
D.Percentage of employees who completed training
Answer: A

Directly relates to business risk and is easy to understand.

Why this answer

Executives need high-level summary metrics. Breach count with its associated financial impact is a lagging indicator that communicates security outcomes to the board in business terms; the other options are operational measures better suited to the security team's own dashboard.

59
MCQ · medium

A CISO is evaluating the reporting structure for the information security team. Which reporting line is generally considered MOST effective for ensuring independence and organizational influence?

A.Report to the Chief Financial Officer (CFO)
B.Report to the Chief Information Officer (CIO)
C.Report to the board of directors or audit committee
D.Report to the Chief Operating Officer (COO)
Answer: C

This structure provides independence, authority, and visibility at the highest level.

Why this answer

Reporting to the board of directors or a board committee ensures security has a direct voice at the highest level, avoiding conflicts with IT or business operations.

60
Multi-Select · hard

A security manager is designing a security budget for a mid-sized company. Which TWO of the following are typical components of a security budget?

Select 2 answers
A.Technology costs for security tools and infrastructure.
B.Legal fees for contract reviews.
C.Marketing budget for security awareness campaigns.
D.Office renovation for security operations center.
E.Personnel costs for security staff salaries and benefits.
Answers: A, E

Tools such as a SIEM and firewalls are necessary technology costs.

Why this answer

Security budgets typically include personnel costs (salaries) and technology costs (tools, software). Training and licensing are also common but may be subsumed under personnel or technology.

61
MCQ · medium

An organization is implementing a vendor risk management program. A vendor that provides cloud-based HR services will have access to employee PII. According to industry best practices, what should be the first step in the vendor lifecycle?

A.Include security requirements in the contract
B.Perform a risk assessment of the vendor
C.Request the vendor's SOC 2 report
D.Conduct an onsite audit of the vendor
Answer: B

Risk assessment is the first step to tier the vendor and scope due diligence.

Why this answer

The first step is to perform a risk assessment based on the vendor's data access and service criticality to determine the appropriate level of due diligence; the SOC 2 report, contract requirements and any onsite audit are scoped by that result. This aligns with risk-based third-party guidance such as NIST SP 800-161 (Cybersecurity Supply Chain Risk Management).

62
MCQ · medium

An organization is implementing a security controls framework based on NIST SP 800-53. The CISO wants to prioritize controls that will provide the greatest risk reduction for critical assets. Which approach should be used to select the initial set of controls?

A.Select all controls from the framework to achieve full compliance.
B.Implement business-enabling controls before any other controls.
C.Apply the critical controls first, focusing on those that address the highest risks.
D.Choose compensating controls to replace all technical controls.
Answer: C

Critical controls provide the most risk reduction.

Why this answer

Applying critical controls first, such as those in the CIS Critical Security Controls or the NIST SP 800-53B baseline for the system's impact level, ensures that the most impactful controls are implemented early to reduce risk, rather than attempting every control at once.

63
Multi-Select · medium

Which THREE components are essential for a comprehensive third-party risk management (TPRM) program?

Select 3 answers
A.Vendor product marketing review
B.Ongoing monitoring
C.Onboarding risk assessment
D.Annual reassessment
Answers: B, C, D

Continuous monitoring detects changes in vendor risk posture.

Why this answer

TPRM covers the vendor lifecycle: an onboarding risk assessment, ongoing monitoring, and periodic (here, annual) reassessment to catch changes in the vendor's risk posture. A marketing review says nothing about security risk.

64
MCQ · hard

An organization with a mature security program allocates 12% of its IT budget to security. Which factor is MOST likely to support this level of investment?

A.The organization is in a highly regulated industry with strict compliance mandates
B.The organization's IT budget is very large
C.The organization has a low number of security incidents historically
D.The organization has a high risk tolerance
Answer: A

Regulatory requirements often drive higher security spending.

Why this answer

A mature program typically invests 10-15% of the IT budget in security. The key driver of that level is the organization's risk appetite and compliance requirements, not the absolute size of the IT budget; a low incident history or a high risk tolerance would argue for less spending, not more.

65
Multi-Select · easy

Which THREE of the following are components of a security operations center (SOC)?

Select 3 answers
A.Vulnerability scanning
B.Response
C.Security monitoring
D.Security awareness training
E.Detection
Answers: B, C, E

Correct. SOC responds to incidents.

Why this answer

A SOC includes monitoring, detection, and response capabilities. Security awareness training is not a SOC function; it is part of the awareness program.

66
MCQ · hard

A company wants to establish a security champions program. What is the primary benefit of embedding security champions in development teams?

A.Eliminating the requirement for a dedicated security team
B.Reducing the need for automated security testing tools
C.Reducing the frequency of penetration testing
D.Ensuring security is considered during the design and development phases
Answer: D

Champions advocate for security early in the SDLC.

Why this answer

Security champions act as liaisons, promoting secure coding practices and facilitating communication between security and development, thereby integrating security earlier.

67
MCQ · easy

What is the PRIMARY purpose of a security champions program?

A.To embed security advocates in non-security teams to promote security best practices
B.To enforce security policies through peer pressure
C.To conduct security audits of other teams
D.To replace the security team in development projects
Answer: A

Champions help integrate security into daily work.

Why this answer

Security champions act as advocates within teams, promoting security practices and bridging the gap between security and development.

68
Multi-Select · medium

A security manager is designing a metrics dashboard for the CISO. Which TWO metrics are leading indicators of security performance? (Select TWO)

Select 2 answers
A.Patch compliance percentage
B.Number of security incidents
C.Number of data breaches
D.Mean time to detect (MTTD)
E.Phishing click rate
Answers: A, E

Patch compliance is a leading indicator of vulnerability management performance.

Why this answer

Phishing click rate and patch compliance are proactive measures that predict future risk, unlike breach count and MTTD which are lagging.

69
MCQ · medium

A company is designing its security awareness program. Which approach BEST addresses the need for role-based training?

A.Focus only on phishing simulations for all staff
B.Deliver the same annual training to all employees
C.Provide secure coding training to developers and social engineering awareness to executives
D.Create a single module covering all topics for everyone
Answer: C

Targets specific risks relevant to each role.

Why this answer

Role-based training tailors content to specific job functions, making it more relevant and effective.

70
MCQ · easy

Which role is primarily responsible for designing and reviewing an organization's security architecture?

A.Security analyst
B.GRC analyst
C.Security architect
D.SOC analyst
Answer: C

Correct. The security architect designs the security architecture.

Why this answer

The security architect designs and reviews security architecture to ensure it aligns with business requirements and security standards.

71
Multi-Select · medium

A CISO is developing key risk indicators (KRIs) for the security programme. Which TWO of the following are lagging indicators? (Select TWO.)

Select 2 answers
A.Number of data breaches in the past quarter
B.Percentage of systems patched within SLA
C.Percentage of access reviews completed on time
D.Phishing click rate
E.Mean time to respond (MTTR) to incidents
Answers: A, E

Breaches are outcomes of past failures.

Why this answer

Lagging indicators measure past performance or outcomes. Number of data breaches and mean time to respond (MTTR) are outcome and efficiency metrics that reflect past events. Patch compliance and phishing click rate are leading indicators.

72
MCQ · medium

Which of the following BEST describes the role of a security architect in a security program?

A.Managing user access requests
B.Conducting penetration tests
C.Monitoring security alerts and incidents
D.Designing and reviewing security controls and solutions
Answer: D

Architects focus on design and integration.

Why this answer

The security architect designs security structures and ensures controls are integrated into systems and networks.

73
MCQ · medium

In a security awareness program, which training approach is most appropriate for software developers?

A.Secure coding practices and common vulnerabilities
B.Social engineering awareness for executives
C.Incident response procedures
D.General security awareness training covering phishing
Answer: A

Correct. Developers should be trained on secure coding to prevent vulnerabilities.

Why this answer

Developers need secure coding training to address vulnerabilities in code they write. Role-based training ensures relevance and effectiveness.

74
MCQ · easy

Which of the following is a leading indicator of security program effectiveness?

A.Number of security incidents
B.Number of data breaches
C.Phishing click rate
D.Mean time to detect (MTTD)
Answer: C

Correct. Phishing click rate is a leading indicator that measures current user susceptibility.

Why this answer

Leading indicators are proactive measures that predict future performance. Phishing click rate is a leading indicator because it measures current user behavior that can be improved before an incident occurs.

75
MCQ · medium

A CISO is designing the security organization for a financial services firm. Which reporting structure is most likely to ensure the independence and authority of the information security function?

A.Reporting to the CEO or board of directors
B.Reporting to the risk committee
C.Reporting to the CIO
D.Reporting to the chief legal officer
Answer: A

Provides independence and authority, aligning security with business strategy.

Why this answer

Reporting to the CEO or board provides independence from operational pressures, allowing the CISO to enforce security without conflict of interest. Reporting to the CIO can create conflicts, as security may be subordinated to IT goals. Reporting to legal or risk committees may lack operational authority.
