CCNA Cism Security Programme Questions

75 of 165 questions · Page 2/3 · Cism Security Programme topic · Answers revealed

76
Multi-Select · medium

A CISO is evaluating metrics for an executive security report. Which TWO of the following are lagging indicators?

Select 2 answers
A.Number of security awareness training sessions held.
B.Patch compliance rate for critical systems.
C.Mean time to detect (MTTD) security incidents.
D.Percentage of employees who completed security training.
E.Number of data breaches in the past quarter.
Answers: C, E

Measures past detection performance.

Why this answer

Lagging indicators reflect past incidents or performance. Breach count and mean time to detect (MTTD) are outcome-based metrics that show what has already happened.

77
MCQ · easy

What is the primary function of a Security Operations Center (SOC)?

A.Designing the security architecture
B.Developing security policies and standards
C.Conducting security awareness training
D.Continuous monitoring, detection, and response to security threats
Answer: D

SOC analysts monitor alerts and respond to incidents.

Why this answer

A SOC is responsible for monitoring, detecting, and responding to security incidents.

78
Multi-Select · medium

A security manager is selecting controls for a new application. Which TWO controls are most important to include in a defense-in-depth strategy? (Select TWO)

Select 2 answers
A.Weekly vulnerability scans
B.Role-based access control (RBAC) with least privilege
C.Single sign-on (SSO) implementation
D.Encryption of data at rest
E.Input validation and sanitization
Answers: B, E

Restricts access to authorized users only.

Why this answer

Defense-in-depth requires multiple layers; input validation prevents injection attacks, and access control ensures least privilege.

79
MCQ · easy

Which of the following is the BEST reporting structure for a CISO to ensure independent oversight and alignment with business strategy?

A.Reporting to the CIO
B.Reporting to the head of legal
C.Reporting to the CEO or board of directors
D.Reporting to the CFO
Answer: C

This provides independence and direct alignment with business strategy.

Why this answer

Reporting to the CEO or board ensures the CISO has the authority and independence to influence security strategy without conflicting priorities from IT operations.

80
MCQ · hard

An organization uses CIS Controls v8. They are a small business with limited cybersecurity resources. Which implementation group (IG) should they prioritize?

A.All IGs simultaneously
B.IG3
C.IG1
D.IG2
Answer: C

IG1 is the foundational set suitable for small businesses.

Why this answer

IG1 is the basic set of cyber hygiene controls designed for organizations with limited resources.

81
MCQ · medium

Which control framework is most appropriate for an organization that wants a prioritized set of controls based on implementation groups (IG1, IG2, IG3)?

A.NIST SP 800-53
B.CIS Controls v8
C.COBIT 2019
D.ISO 27001 Annex A
Answer: B

CIS Controls v8 organizes controls into Implementation Groups (IG1, IG2, IG3) for prioritization.

Why this answer

CIS Controls v8 explicitly defines implementation groups to help organizations prioritize controls based on their risk profile and resources.

82
MCQ · hard

A CISO is preparing an executive dashboard for the board of directors. Which combination of metrics would provide the most meaningful overview of the security programme's effectiveness?

A.Number of security architects, SOC analyst headcount, and security tool count
B.Mean time to detect (MTTD), mean time to respond (MTTR), and number of breaches
C.Number of security incidents, percentage of systems patched, and security awareness training completion rate
D.Phishing click rate, number of vendor assessments completed, and security budget spent
Answer: B

MTTD and MTTR show how quickly the SOC detects and contains incidents; breach count shows the realized outcome. Together they give the board both capability and impact.

Why this answer

MTTD, MTTR and breach count are all outcome-based (lagging) measures, but they cover complementary stages: detection speed, containment speed, and the resulting impact. Option A measures inputs (headcount, tool count), and options C and D mix activity counts with metrics that say little about effectiveness. A board dashboard should favour metrics that directly reflect whether the programme limits damage.

83
MCQ · medium

In a security operations center (SOC), which function is PRIMARILY responsible for analyzing alerts and determining whether they represent actual security incidents?

A.Tier 1 SOC analyst
B.Incident response manager
C.Tier 2 SOC analyst
D.Security architect
Answer: C

Handles escalated alerts and incident analysis.

Why this answer

Tier 2 SOC analysts are primarily responsible for deep-dive analysis of alerts escalated from Tier 1, using threat intelligence, log correlation, and forensic techniques to determine if an alert represents a genuine security incident. They possess the technical expertise to differentiate false positives from true positives by examining raw packet captures, endpoint artifacts, and SIEM event details that Tier 1 analysts may lack the context or authority to investigate fully.

Exam trap

The trap here is that candidates often confuse the initial triage role of Tier 1 analysts with the confirmatory analysis role of Tier 2, mistakenly thinking Tier 1 determines incidents, whereas Tier 1 only filters and escalates.

How to eliminate wrong answers

Option A is wrong because Tier 1 SOC analysts perform initial triage and categorization of alerts, but they lack the advanced analytical skills and authority to confirm incidents; their role is to escalate suspicious alerts to Tier 2. Option B is wrong because the incident response manager coordinates the response plan, communication, and resource allocation after an incident is confirmed, not the initial analysis of alerts. Option D is wrong because the security architect designs and reviews security controls and infrastructure, but does not perform real-time alert analysis or incident validation in the SOC.

84
MCQ · medium

In a third-party risk management programme, what is the primary purpose of vendor tiering?

A.To assign responsibility for vendor management to different teams
B.To prioritize which vendors require more rigorous security assessments
C.To ensure all vendors receive the same level of oversight
D.To determine the vendor's pricing structure
Answer: B

High-risk vendors get more scrutiny; low-risk may have lighter processes.

Why this answer

Vendor tiering categorizes vendors based on the criticality of services and data access to determine the appropriate level of due diligence and monitoring. This ensures resources are focused on high-risk vendors.

85
Multi-Select · hard

A security manager is developing a security scorecard for the CISO. Which THREE of the following metrics are considered LEADING indicators?

Select 3 answers
A.Mean time to detect (MTTD)
B.Patch compliance percentage
C.Phishing simulation click rate
D.Number of data breaches
E.Access review completion rate
Answers: B, C, E

Measures proactive vulnerability remediation.

Why this answer

Leading indicators predict future incidents. Patch compliance, access review completion, and phishing click rate are proactive measures.

86
MCQ · easy

Which of the following is the PRIMARY purpose of a security awareness program?

A.To reduce human-related security risks
B.To achieve compliance with regulatory requirements
C.To increase the security team's visibility
D.To document training completion for audits
Answer: A

Behavior change directly reduces risks like phishing and social engineering.

Why this answer

The primary purpose is to change employee behavior to reduce human-related security risks, such as phishing susceptibility.

87
MCQ · medium

A security architect is designing a defense-in-depth strategy. Which combination of controls best exemplifies this approach?

A.Physical security, background checks, and non-disclosure agreements
B.Encryption, data loss prevention, and backup
D.Firewall, antivirus, encryption, and security awareness training
Answer: D

All four represent different layers: network, host, data, and human.

Why this answer

Defense-in-depth uses multiple layers of security. Firewall (network), antivirus (host), encryption (data), and security awareness (human) provide overlapping layers.

88
Multi-Select · medium

An organization is selecting security controls from NIST SP 800-53. Which TWO control families are most directly related to access control? (Select TWO)

Select 2 answers
A.Identification and Authentication (IA)
B.Configuration Management (CM)
C.System and Communications Protection (SC)
D.Audit and Accountability (AU)
E.Access Control (AC)
Answers: A, E

Covers user identification and authentication mechanisms.

Why this answer

Access Control (AC) and Identification and Authentication (IA) are the primary families governing access management.

89
MCQ · hard

A financial institution uses CIS Controls v8 and must prioritize implementation. The organization has limited resources and high exposure to ransomware. Which implementation group should be addressed FIRST?

A.All groups simultaneously
B.Implementation Group 3 (IG3)
C.Implementation Group 1 (IG1)
D.Implementation Group 2 (IG2)
Answer: C

IG1 includes basic cyber hygiene controls that prevent common attacks like ransomware.

Why this answer

IG1 consists of essential controls (e.g., inventory, malware defenses) that address the most common attacks, including ransomware.

90
MCQ · medium

An organization is redesigning its information security program to better align with business objectives. The CISO reports to the CIO, but business leaders feel security decisions are too IT-centric. Which reporting structure would best address this concern?

A.CISO reports to the Chief Risk Officer (CRO).
B.CISO reports to the Chief Operating Officer (COO).
C.CISO reports directly to the CEO or Board of Directors.
D.CISO continues reporting to CIO but with a dotted line to the Board.
Answer: C

Direct reporting to the CEO or Board ensures security is independent and aligned with business objectives.

Why this answer

Reporting to the CEO or Board gives the CISO independence from IT and better alignment with business strategy.

91
Multi-Select · hard

An organization is implementing a security champions program to improve application security. Which THREE of the following are key success factors for such a program?

Select 3 answers
A.Ensuring that champions have authority to stop releases with critical vulnerabilities.
B.Rotating champions every quarter to maximize exposure.
C.Allocating dedicated time for champions to participate in security activities.
D.Providing advanced security training tailored to their development role.
E.Selecting champions only from senior management.
Answers: A, C, D

Authority to block releases gives them real influence.

Why this answer

Security champions need dedicated time, training, and management support to be effective. Champions act as liaisons between security and development.

92
MCQ · medium

Which control selection framework includes implementation groups (IG1, IG2, IG3) that help organizations prioritize controls based on their risk profile?

A.CIS Controls v8
B.COBIT 2019
C.NIST SP 800-53
D.ISO 27001 Annex A
Answer: A

CIS Controls v8 uses IG1, IG2, IG3 for prioritization.

Why this answer

CIS Controls v8 organizes controls into Implementation Groups (IG1, IG2, IG3) to guide prioritization. NIST SP 800-53 uses families, and ISO 27001 uses Annex A controls.

93
Multi-Select · medium

A CISO is evaluating security metrics for reporting to the board. Which TWO of the following are leading indicators?

Select 2 answers
A.Mean time to detect (MTTD) incidents
B.Number of data breaches in the past quarter
C.Number of security tools deployed
D.Phishing simulation click rate
E.Patch compliance percentage
Answers: D, E

Leading indicator of user awareness.

Why this answer

Leading indicators are proactive measures. Phishing click rate predicts future breaches, and patch compliance indicates current vulnerability posture. Breach count and MTTD are lagging, and number of security tools is not a performance metric.

94
MCQ · medium

A CISO wants to present a high-level security status to the board using a one-page dashboard. Which of the following metrics is MOST appropriate for this audience?

A.Phishing click rate and patch compliance percentage
B.Mean time to detect (MTTD) for incidents
C.Detailed vulnerability counts by severity
D.Total number of security controls implemented
Answer: A

Leading indicators that show risk trends and control effectiveness.

Why this answer

Leading indicators like phishing click rate and patch compliance are actionable and forward-looking, suitable for board-level oversight.

95
MCQ · easy

Which role within a security team is primarily responsible for designing and reviewing security architectures to ensure alignment with business requirements and security standards?

A.SOC analyst
B.GRC analyst
C.Security architect
D.Security analyst
Answer: C

Security architects design and review security solutions and architectures.

Why this answer

The security architect designs and reviews the security architecture, ensuring it meets business needs and security requirements. Other roles focus on operations, analysis, or awareness.

96
MCQ · easy

Which security team role is primarily responsible for defining and maintaining security architecture standards?

A.GRC analyst
B.Security analyst
C.Penetration tester
D.Security architect
Answer: D

The security architect defines security architecture and standards.

Why this answer

The security architect designs the security architecture, ensuring that security controls are integrated into systems and networks.

97
MCQ · easy

Which control framework is structured around Implementation Groups (IG1, IG2, IG3) to help organizations prioritize security controls based on risk?

A.CIS Controls v8
B.COBIT 2019
C.ISO 27001 Annex A
D.NIST SP 800-53
Answer: A

CIS Controls v8 uses IG1 (basic), IG2 (intermediate), and IG3 (advanced) for prioritization.

Why this answer

The CIS Controls v8 framework is uniquely structured around Implementation Groups (IG1, IG2, IG3) to provide a prioritized, risk-based approach to security control implementation. IG1 represents basic cyber hygiene for organizations with limited resources, IG2 adds more advanced controls for those with moderate risk, and IG3 includes comprehensive controls for high-risk environments. This tiered structure directly aligns with the CISM focus on aligning security controls with business risk and resource constraints.

Exam trap

The trap here is that candidates often confuse the CIS Controls Implementation Groups with NIST SP 800-53's impact-based baselines (Low, Moderate, High), but the key distinction is that IG1/IG2/IG3 are risk-prioritized tiers based on organizational resources and threat exposure, not just data impact levels.

How to eliminate wrong answers

Option B (COBIT 2019) is wrong because it is a governance and management framework focused on IT processes and objectives, not a control framework structured around Implementation Groups; it uses a capability maturity model and process reference model instead. Option C (ISO 27001 Annex A) is wrong because it is a list of control objectives and controls for an Information Security Management System (ISMS), but it does not define Implementation Groups; organizations must determine applicability based on their own risk assessment, not a predefined tiered grouping. Option D (NIST SP 800-53) is wrong because it provides a comprehensive catalog of security and privacy controls for federal information systems, organized by control families (e.g., Access Control, Audit and Accountability), not by Implementation Groups; it uses baselines (Low, Moderate, High) but these are impact-based, not risk-prioritized tiers like IG1/IG2/IG3.

98
MCQ · medium

A security manager is designing an executive security report. Which content is most appropriate for a one-page C-suite dashboard?

A.Detailed logs of all security incidents from the past week
B.List of all vulnerabilities found during the last scan
C.Top security risks and key performance indicators with trends
D.Full results of the latest phishing simulation
Answer: C

Provides actionable insight at a strategic level.

Why this answer

C-suite executives need high-level strategic insights, not operational details. Top risks and key metrics (e.g., risk posture, critical incidents) are suitable for a dashboard.

99
MCQeasy

When implementing security controls, which approach ensures that multiple layers of defense are applied so that if one control fails, others compensate?

A.Business-enabling controls
B.Critical controls first
C.Compensating controls
D.Defense-in-depth
Answer: D

Defense-in-depth uses multiple layers of defense to protect assets.

Why this answer

Defense-in-depth (option D) is the correct approach because it implements multiple, overlapping layers of security controls (e.g., firewalls, IDS/IPS, endpoint protection, access controls) so that if one layer fails or is bypassed, subsequent layers continue to provide protection. This layered strategy reduces the likelihood of a single point of failure compromising the entire security posture, aligning with the CISM principle of risk mitigation through redundancy.

Exam trap

The trap here is that candidates often confuse 'compensating controls' (a specific, alternative control for a single requirement) with the broader 'defense-in-depth' strategy, leading them to select option C when the question asks for the layered approach that ensures compensation across multiple controls.

How to eliminate wrong answers

Option A is wrong because business-enabling controls are designed to support business objectives (e.g., enabling remote access) rather than providing redundant layers of defense; they focus on functionality, not compensating for failures. Option B is wrong because 'critical controls first' refers to prioritizing implementation of the most important controls (e.g., from the CIS Critical Security Controls), but it does not inherently ensure multiple layers or compensation if one fails—it's a prioritization strategy, not a layered defense model. Option C is wrong because compensating controls are specific alternative controls used when a primary control cannot be implemented (e.g., using additional logging instead of encryption), but they are not a comprehensive layered approach; defense-in-depth encompasses multiple layers, including compensating controls as one possible element, not the overarching strategy.

100
Multi-Select · medium

A security manager is designing a vulnerability management program. Which TWO of the following are essential processes?

Select 2 answers
A.Immediate patching of all vulnerabilities within 24 hours.
B.Vulnerability disclosure program for external researchers.
C.Penetration testing of all applications annually.
D.Regular vulnerability scanning of all systems.
E.Risk-based prioritization of vulnerabilities for remediation.
Answers: D, E

Scanning identifies vulnerabilities.

Why this answer

Vulnerability management includes regular scanning and a prioritization process to remediate based on risk. Patching is part of remediation, but scanning and prioritization are foundational.

101
MCQ · easy

Which role is primarily responsible for developing and maintaining the organization's security architecture?

A.Security Analyst
B.GRC Analyst
C.Security Architect
D.Penetration Tester
Answer: C

The Security Architect designs security structures and ensures they align with business needs.

Why this answer

The security architect designs and oversees the implementation of security architecture.

102
MCQ · hard

A security manager is evaluating OKRs for the vulnerability management team. Which key result best aligns with an objective to reduce risk from vulnerabilities?

A.Conduct quarterly penetration tests
B.Achieve 95% scan coverage of assets
C.Reduce mean time to remediate critical vulnerabilities by 30%
D.Increase the number of scans by 20%
Answer: C

Directly measures improvement in reducing vulnerability exposure.

Why this answer

Mean time to remediate critical vulnerabilities directly measures risk reduction, as faster remediation lowers exposure.

103
MCQ · medium

An organization is implementing a third-party risk management (TPRM) program. Which approach best addresses nth-party risk?

A.Requiring that key vendors include security requirements in contracts with their subcontractors
B.Performing on-site audits of all third parties
C.Accepting the risk since it is outside the organization's control
D.Conducting annual assessments of all direct vendors only
Answer: A

Cascading requirements help mitigate nth-party risk.

Why this answer

Nth-party risk refers to risks from suppliers of your suppliers. Contractual requirements that cascade down the supply chain are essential to manage this risk.

104
Multi-Select · easy

A security architect is selecting controls for an e-commerce platform. Which TWO of the following are examples of compensating controls?

Select 2 answers
A.Implementing multi-factor authentication when strong passwords cannot be enforced.
B.Encrypting all data at rest.
C.Deploying a web application firewall (WAF) to protect against SQL injection.
D.Conducting quarterly vulnerability scans.
E.Using network segmentation to isolate a legacy system that cannot be patched.
Answers: A, E

MFA compensates for weak password policies.

Why this answer

Compensating controls are alternative measures that provide equivalent protection when a primary control cannot be implemented. Multi-factor authentication compensates for a password policy that cannot be enforced, and network segmentation compensates for a legacy system that cannot be patched. Encryption at rest, a WAF, and quarterly scans (options B, C, D) are primary controls in their own right, not substitutes for an unavailable one.

105
MCQ · hard

A CISO is preparing the security budget for the next fiscal year. The current IT budget is $10 million. For a mature security program, what is the recommended security budget range?

A.$500,000 to $750,000
B.$1 million to $1.5 million
C.$100,000 to $200,000
D.$2 million to $3 million
Answer: B

10-15% of $10 million is $1 million to $1.5 million.

Why this answer

Best practice for a mature security program is to allocate 10-15% of the IT budget to security. For a $10 million IT budget, that is $1 million to $1.5 million.

106
MCQ · medium

In a defence-in-depth strategy, which control is considered a compensating control when a critical application cannot be patched immediately due to operational constraints?

A.Configuration management
B.Intrusion detection system (IDS)
C.Network segmentation
D.Vulnerability scanning
Answer: C

Segmenting the vulnerable application restricts access and reduces risk while patching is delayed.

Why this answer

Compensating controls provide alternative protection when a primary control cannot be applied. Network segmentation limits the blast radius and reduces the attack surface until patching can occur.

107
MCQ · easy

What is the primary purpose of a vulnerability management program?

A.To enforce access control policies
B.To detect and respond to security incidents
C.To manage third-party security risks
D.To identify, assess, and remediate security weaknesses in systems
Answer: D

This is the core function of vulnerability management.

Why this answer

Vulnerability management aims to identify, classify, and remediate vulnerabilities to reduce the attack surface.

108
MCQ · hard

A security manager is developing metrics for the C-suite dashboard. Which combination of metrics would provide the best view of security program effectiveness, including both leading and lagging indicators?

A.Breach count and number of security tools deployed
B.Phishing click rate and mean time to detect (MTTD)
C.Patch compliance and number of vulnerabilities identified
D.Number of security incidents and percentage of budget spent
Answer: B

Phishing click rate is a leading indicator of user awareness; MTTD is a lagging indicator of detection capability.

Why this answer

A balanced scorecard pairs a leading indicator (phishing click rate, which predicts future susceptibility) with a lagging indicator (MTTD, which records how detection actually performed). Option A pairs a lagging metric with a tool count that measures nothing; option C contains two leading-style metrics only; option D pairs a lagging metric with budget consumption, which is an input rather than an effectiveness measure.
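Questions 76, 82, 85, 93, 102 and 108 all turn on the same idea: leading indicators are derived from current state (patch and remediation data, simulation results) and lagging indicators from what already happened (incident timelines, breaches). The following added example, which is not part of the question bank or any ISACA material, shows how each metric is actually computed from raw records. All incident and vulnerability records, asset names, SLA thresholds and phishing counts are constructed sample data; a real scorecard would read them from the SIEM, vulnerability scanner and awareness platform.

```python
"""Derive leading and lagging security programme indicators from raw
operational records. Added example; every record, threshold and field
name below is an assumption constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


@dataclass(frozen=True)
class Incident:
    compromise_at: datetime    # earliest evidence of attacker activity
    detected_at: datetime      # when the SOC declared an incident
    contained_at: datetime     # when containment was complete
    breach: bool               # confirmed data exposure


@dataclass(frozen=True)
class Vulnerability:
    host: str
    severity: str                      # "critical", "high", ...
    published_at: datetime             # when the finding became known
    remediated_at: Optional[datetime]  # None while still open


# Constructed sample data for one quarter.
INCIDENTS: List[Incident] = [
    Incident(_ts("2024-03-01 08:00"), _ts("2024-03-01 20:00"), _ts("2024-03-02 08:00"), breach=False),
    Incident(_ts("2024-03-10 02:00"), _ts("2024-03-12 02:00"), _ts("2024-03-12 14:00"), breach=True),
    Incident(_ts("2024-03-20 10:00"), _ts("2024-03-20 13:00"), _ts("2024-03-20 16:00"), breach=False),
]
ASSETS = ["web-01", "web-02", "db-01", "app-01"]
VULNS: List[Vulnerability] = [
    Vulnerability("web-01", "critical", _ts("2024-03-01 00:00"), _ts("2024-03-04 00:00")),
    Vulnerability("web-02", "critical", _ts("2024-03-05 00:00"), _ts("2024-03-12 00:00")),
    Vulnerability("web-01", "high", _ts("2024-03-03 00:00"), _ts("2024-03-20 00:00")),
    Vulnerability("db-01", "critical", _ts("2024-03-02 00:00"), None),  # open and overdue
    Vulnerability("app-01", "high", _ts("2024-03-25 00:00"), None),     # open, within SLA
]
SLA_DAYS = {"critical": 14, "high": 30}  # assumed remediation SLAs by severity
AS_OF = _ts("2024-03-31 00:00")


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600.0


def mttd_hours(incidents: List[Incident]) -> float:
    """Lagging: mean time from compromise to detection."""
    samples = [_hours(i.detected_at, i.compromise_at) for i in incidents]
    return round(mean(samples), 2) if samples else 0.0


def mttr_hours(incidents: List[Incident]) -> float:
    """Lagging: mean time from detection to containment."""
    samples = [_hours(i.contained_at, i.detected_at) for i in incidents]
    return round(mean(samples), 2) if samples else 0.0


def breach_count(incidents: List[Incident]) -> int:
    """Lagging: confirmed breaches in the period."""
    return sum(1 for i in incidents if i.breach)


def critical_remediation_days(vulns: List[Vulnerability]) -> float:
    """Leading: mean days to close critical findings (closed findings only)."""
    samples = [_hours(v.remediated_at, v.published_at) / 24.0
               for v in vulns if v.severity == "critical" and v.remediated_at is not None]
    return round(mean(samples), 2) if samples else 0.0


def patch_compliance_pct(vulns: List[Vulnerability], assets: List[str],
                         as_of: datetime, sla_days: Dict[str, int]) -> float:
    """Leading: share of assets with no open finding older than its SLA."""
    overdue_hosts = {v.host for v in vulns
                     if v.remediated_at is None
                     and _hours(as_of, v.published_at) / 24.0 > sla_days.get(v.severity, 90)}
    compliant = [a for a in assets if a not in overdue_hosts]
    return round(100.0 * len(compliant) / len(assets), 2) if assets else 0.0


def phishing_click_rate_pct(sent: int, clicked: int) -> float:
    """Leading: share of simulated phishing messages that were clicked."""
    return round(100.0 * clicked / sent, 2) if sent else 0.0


def build_scorecard(incidents, vulns, assets, as_of, sla_days,
                    phish_sent, phish_clicked) -> Dict[str, Dict[str, float]]:
    """Balanced scorecard: proactive (leading) and outcome (lagging) metrics side by side."""
    return {
        "leading": {
            "patch_compliance_pct": patch_compliance_pct(vulns, assets, as_of, sla_days),
            "critical_remediation_days": critical_remediation_days(vulns),
            "phishing_click_rate_pct": phishing_click_rate_pct(phish_sent, phish_clicked),
        },
        "lagging": {
            "mttd_hours": mttd_hours(incidents),
            "mttr_hours": mttr_hours(incidents),
            "breaches": breach_count(incidents),
        },
    }


if __name__ == "__main__":
    for group, metrics in build_scorecard(INCIDENTS, VULNS, ASSETS, AS_OF, SLA_DAYS, 200, 14).items():
        print(group.upper())
        for name, value in metrics.items():
            print(f"  {name:28} {value}")
```

Note the design choice in `patch_compliance_pct`: compliance is measured per asset against an SLA, not as a raw count of patched vulnerabilities, so one host with a 29-day-old open critical finding drags the figure down regardless of how many other findings were closed. That is what makes it a leading indicator of exposure rather than an activity count like the "number of scans" in question 102.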

109
MCQ · medium

A CISO is evaluating a cloud provider's security posture. Which of the following should be the MOST important consideration in the vendor risk assessment?

A.The provider's certifications and SOC 2 reports
B.The provider's data center locations
C.The provider's market share and brand reputation
D.The provider's pricing compared to competitors
Answer: A

Independent audits validate security measures.

Why this answer

The provider's certifications and independent audits provide objective evidence of security controls, which is critical for trust.

110
MCQ · hard

An organization is designing a third-party risk management (TPRM) program. They have identified a vendor that stores sensitive customer data. According to best practices, what should be the minimum requirement for this vendor's contract?

A.Vendor's insurance certificate
B.Annual self-assessment questionnaire only
C.Contractual security requirements and right to audit
D.SOC 2 Type II report without contractual clauses
Answer: C

Contracts should include security requirements and audit rights for high-risk vendors.

Why this answer

For vendors handling sensitive customer data, the contract must include security requirements such as data protection clauses, incident notification timelines, and the right to audit. This ensures contractual enforceability of security controls.

111
Multi-Select · hard

A company is designing a third-party risk management (TPRM) program. Which THREE of the following are essential components of the ongoing monitoring phase for a critical vendor?

Select 3 answers
A.Annual reassessment of the vendor's security controls
B.Contractual requirement for data encryption
C.Periodic review of vendor's security certifications (e.g., SOC 2)
D.One-time onboarding risk assessment
E.Continuous monitoring of vendor's external attack surface
Answers: A, C, E

Annual reassessment is part of ongoing monitoring cycle.

Why this answer

Ongoing monitoring means continuously assessing the vendor's security posture after onboarding: a scheduled reassessment of controls, periodic review of independent attestations such as SOC 2 reports, and continuous watch over the vendor's external attack surface. Annual reassessment is one part of that cycle, with more frequent checks in between. Contractual requirements (option B) are set during onboarding and enforced through the contract rather than monitored, and a one-time onboarding assessment (option D) is by definition not ongoing. Exit procedures belong to the termination phase.

112
MCQ · medium

An organization is designing a security operations center (SOC). Which of the following functions is PRIMARILY responsible for analyzing alerts and determining if they represent genuine threats?

A.SOC Manager
B.Security Architect
C.Incident Responder
D.Security Analyst
Answer: D

Analysts analyze alerts and escalate incidents.

Why this answer

Security analysts are responsible for alert triage and investigation.

113
MCQ · hard

A security manager needs to justify an increase in the security budget to the board. The current budget is 0.15% of revenue. Which approach would most effectively demonstrate the need for additional funding?

A.Compare the budget to last year's spending and note the increase in threats.
B.Present a cost-benefit analysis showing how additional investment reduces breach probability and potential loss.
C.Highlight recent high-profile breaches in the industry.
D.Show that the budget is below the industry benchmark of 0.2-0.5% of revenue and detail the risks of underfunding.
Answer: D

Using industry benchmarks and risk implications provides a clear, objective justification.

Why this answer

Benchmarking against industry standards (0.2-0.5% of revenue) and showing the gap provides a compelling case.

114
MCQ · easy

Which of the following is a LEADING indicator of security performance?

A.Cost of a data breach
B.Mean time to detect (MTTD)
C.Number of security incidents
D.Patch compliance percentage
Answer: D

Patch compliance is a leading indicator of vulnerability management effectiveness.

Why this answer

Leading indicators predict future performance; patch compliance measures proactive risk reduction.

115
MCQ · medium

An organization wants to establish a security champions program. What is the primary benefit of embedding security advocates in development teams?

A.Eliminating the need for vulnerability assessments
B.Replacing the role of security architects
C.Improving secure coding adoption and collaboration
D.Reducing the need for a SOC
Answer: C

Champions advocate for security and help integrate it into development.

Why this answer

Security champions serve as liaisons, promoting security practices and facilitating communication between security and development teams.

116
MCQ · medium

A SOC analyst receives an alert about a potential malware infection on a critical server. Which step should the analyst take FIRST?

A.Reboot the server to clear the potential malware
B.Notify the incident response team and escalate
C.Disconnect the server from the network immediately
D.Perform initial triage to verify the alert and assess severity
Answer: D

Triage confirms the alert and guides next steps.

Why this answer

The first step in incident response is to investigate and confirm the alert (triage) to avoid acting on false positives.

117
MCQ · easy

Which of the following is the PRIMARY benefit of a security champions program?

A.Reducing the need for security awareness training
B.Embedding security advocates in business units
C.Automating security testing
D.Eliminating third-party risks
Answer: B

Champions provide on-the-ground support and influence.

Why this answer

Security champions act as liaisons within development teams, promoting security best practices and improving collaboration.

118
MCQ · medium

A security dashboard is being designed for the C-suite. Which metric is most appropriate for a one-page executive summary?

A.Number of phishing simulation campaigns
B.List of all security incidents in the quarter
C.Security scorecard with overall risk level
D.Detailed patch compliance by system
Answer: C

Provides a concise, high-level status of security posture.

Why this answer

The security scorecard with overall risk level is the most appropriate metric for a one-page executive summary because it provides a high-level, aggregated view of the organization's security posture. Executives need a concise, actionable summary that distills complex security data into a single risk indicator, enabling quick decision-making without technical details.

Exam trap

The trap here is that candidates often confuse operational metrics (like patch compliance or incident counts) with strategic metrics, failing to recognize that the C-suite requires a synthesized risk indicator rather than detailed technical data.

How to eliminate wrong answers

Option A is wrong because the number of phishing simulation campaigns is a tactical metric that measures training activity, not the overall security risk or program effectiveness; it lacks the strategic context needed for executive oversight. Option B is wrong because a list of all security incidents in the quarter is too granular and operational, overwhelming executives with raw data rather than summarizing risk trends or impact. Option D is wrong because detailed patch compliance by system is a technical, system-level metric that belongs in operational reports for IT teams, not in a one-page executive summary that requires a synthesized view of risk.

119
MCQ · medium

A security awareness manager is designing role-based training. Which training is most appropriate for software developers?

A.Phishing identification
B.Social engineering awareness
C.Incident response procedures
D.Secure coding practices
Answer: D

Directly addresses the risk they introduce in code.

Why this answer

Developers need specialized training on secure coding practices to reduce vulnerabilities in applications.

120
MCQ · easy

Which of the following is the primary objective of a security champions programme?

A.To enforce security policies across the organization
B.To conduct phishing simulations for employees
C.To provide an escalation path for security incidents
D.To embed security advocates within development teams
AnswerD

Security champions serve as liaisons and advocates within their teams.

Why this answer

A security champions programme embeds security advocates within development teams to promote secure practices, improve communication, and embed security into daily work, rather than incident response or policy enforcement.

121
MCQmedium

Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?

A.Number of vulnerabilities patched
B.Phishing click rate
C.Mean time to respond (MTTR)
D.Number of security incidents
AnswerB

Click rate measures user susceptibility and is predictive of future breaches.

Why this answer

Phishing click rate is a leading indicator because it predicts future incidents by measuring current behavior.

122
MCQmedium

An organization is implementing a security controls framework and needs to prioritize which controls to implement first. According to CIS Controls v8, which approach aligns with the principle of 'implementation groups'?

A.Focus only on controls that address the greatest risks regardless of group
B.Implement IG3 controls first as they are the most advanced
C.Start with all controls from IG1, then move to IG2 and IG3 as resources allow
D.Implement controls from all groups simultaneously to achieve comprehensive coverage
AnswerC

IG1 represents basic cyber hygiene controls that are essential for all organizations.

Why this answer

CIS Controls v8 defines Implementation Groups (IG1, IG2, IG3) that prioritize controls based on organizational maturity, starting with the most foundational and critical controls.

123
MCQeasy

Which of the following is the PRIMARY purpose of a security champions program?

A.Enforce compliance with security policies
B.Embed security advocates in dev teams to promote secure practices
C.Reduce the number of phishing simulations
D.Replace the need for a dedicated security team
AnswerB

Champions serve as bridges between security and development.

Why this answer

Security champions act as liaisons in development teams, promoting security practices and facilitating communication with the security team.

124
MCQeasy

Which of the following security team roles is primarily responsible for designing and implementing security solutions to protect an organization's systems and data?

A.Security architect
B.Security analyst
C.GRC analyst
D.Penetration tester
AnswerA

Designs and oversees implementation of security solutions.

Why this answer

The security architect designs the overall security structure, including policies, technologies, and controls. Other roles focus on operations, analysis, or governance.

125
Multi-Selectmedium

An organization is defining objectives and key results (OKRs) for the security program. Which TWO of the following are examples of leading indicators that could be used as key results?

Select 2 answers
A.Number of security incidents
B.Phishing click rate
C.Mean time to respond (MTTR)
D.Number of data breaches
E.Patch compliance percentage
AnswersB, E

Leading indicator of user awareness.

Why this answer

Leading indicators are proactive and predictive. Phishing click rate (user behavior) and patch compliance (vulnerability management) are leading indicators.

126
MCQmedium

A large organization is implementing a security controls framework and wants to prioritize controls that provide the greatest risk reduction with the least operational friction. Which approach should the security manager adopt?

A.Implement all controls from the chosen framework simultaneously
B.Implement compensating controls only for legacy systems
C.Prioritize critical controls that address high-risk areas and enable business operations
D.Select controls based on regulatory compliance requirements only
AnswerC

This risk-based approach ensures resources are focused on the most impactful controls.

Why this answer

Prioritizing critical controls first, especially those that address the most significant risks and are business-enabling, aligns with defense-in-depth and risk-based decision making.

127
Multi-Selecthard

A security manager is developing OKRs for the security team. Which TWO key results are appropriate leading indicators? (Select TWO)

Select 2 answers
A.Complete 100% of privileged access reviews quarterly
B.Achieve zero critical vulnerabilities in external scans
C.Reduce number of data breaches by 20%
D.Achieve 95% patch compliance within 30 days of release
E.Decrease mean time to detect (MTTD) to under 1 hour
AnswersA, D

Access review completion is a leading indicator for IAM governance.

Why this answer

Leading indicators are proactive; patch compliance reflects current security posture, and access review completion indicates governance effectiveness.

128
MCQhard

An organization's SOC team is measured on mean time to detect (MTTD) and mean time to respond (MTTR). The security manager notices that MTTD is low but MTTR is high. What is the most likely cause?

A.The team is understaffed during off-hours
B.The vulnerability management program is ineffective
C.The SIEM is generating too many false positives
D.The incident response process lacks automation or clear procedures
AnswerD

Slow response despite quick detection points to process or automation gaps.

Why this answer

Low detection time but high response time indicates that while alerts are generated quickly, the response process is slow due to inefficiencies in triage or remediation.

129
MCQeasy

Which of the following is a key objective of a Security Operations Center (SOC)?

A.Conducting risk assessments
B.Developing security policies
C.Monitoring and responding to security incidents
D.Managing user access rights
AnswerC

This is the core function of a SOC.

Why this answer

The SOC's primary objectives include monitoring, detection, and response to security incidents. Risk assessment is typically a GRC function, and policy creation is a governance function.

130
MCQmedium

In a vendor risk assessment, a third-party vendor will have access to sensitive customer data. According to TPRM best practices, what should the organization do first?

A.Conduct a risk assessment
B.Include security requirements in the contract
C.Define exit procedures
D.Perform ongoing monitoring
AnswerA

Risk assessment determines the level of due diligence needed.

Why this answer

A risk assessment is performed to understand the risks before defining contract requirements and ongoing monitoring.

131
MCQhard

When designing phishing simulations, which approach best balances user learning and operational disruption?

A.Send high-difficulty simulations monthly without training
B.Start with low-difficulty simulations, increase difficulty over time, and require remediation training for clickers
C.Use low-difficulty simulations quarterly with no follow-up
D.Send random-difficulty simulations weekly and report clickers to management
AnswerB

This approach educates users and improves detection skills gradually.

Why this answer

Progressive difficulty and remediation training for clickers help users learn while minimizing the negative impact on productivity.

132
MCQhard

A company is assessing nth-party risk from a critical cloud provider. Which approach should be taken to manage this risk effectively?

A.Replace the cloud provider with an in-house solution
B.Conduct a direct audit of the provider's subcontractors
C.Ignore nth-party risk as it is out of scope
D.Require the cloud provider to contractually manage and report on their subcontractors
AnswerD

This extends risk management to the provider's supply chain.

Why this answer

Managing nth-party risk requires understanding the cloud provider's supply chain. Contractual requirements for the provider to manage their subcontractors and regular audits help mitigate downstream risks.

133
MCQmedium

When selecting security controls, a company must prioritize which controls first?

A.Controls that are least expensive
B.Controls that are easiest to implement
C.All controls from the chosen framework equally
D.Controls that address the highest risks and are critical to business operations
AnswerD

Risk-based prioritization ensures resources are focused on the most impactful areas.

Why this answer

Critical controls that address the most significant risks should be implemented first.

134
MCQhard

During a security architecture review, the security architect identifies that a new application stores sensitive customer data in plaintext in the database. The application owner argues that performance requirements prevent encryption. What is the most appropriate compensating control to reduce risk?

A.Implement strong password policies for database access
B.Network segmentation to isolate the database server
C.Conduct more frequent vulnerability scans
D.Database activity monitoring (DAM)
AnswerD

DAM monitors and alerts on suspicious database queries, compensating for lack of encryption.

Why this answer

Database activity monitoring (DAM) can detect unauthorized access or exfiltration attempts, providing visibility and alerting without impacting performance. Encryption at rest is preferred, but DAM is a compensating control when encryption is not feasible.

135
MCQhard

A company uses a SaaS provider that processes sensitive customer data. The provider undergoes annual SOC 2 audits. Which additional step is essential to manage nth-party risk?

A.Require the provider to disclose and assess the security of its subcontractors
B.Include a right-to-audit clause for the provider
C.Conduct penetration testing on the provider's application
D.Review the SOC 2 report annually
AnswerA

This ensures visibility into the extended supply chain.

Why this answer

Nth-party risk requires understanding the provider's subcontractors; requiring disclosure and assessment of their vendors is key.

136
MCQeasy

A CISO is deciding on the organizational structure for the information security team. Which reporting structure is most likely to ensure the security function has sufficient independence and authority?

A.Reporting to the Chief Information Officer (CIO)
B.Reporting to the Chief Operating Officer (COO)
C.Reporting to the Chief Financial Officer (CFO)
D.Reporting to the CEO or board of directors
AnswerD

This structure provides independence from IT and operations, enhancing authority and objectivity.

Why this answer

Reporting to the CEO or board of directors ensures the information security function operates independently from operational and IT management, preventing conflicts of interest where security decisions could be overridden by cost or performance pressures. This structure aligns with the CISM principle that the CISO must have sufficient authority to enforce security policies across the entire organization without reporting to a function that may prioritize other objectives over security.

Exam trap

The exam often tests the misconception that reporting to the CIO is acceptable because IT and security are closely related, but the CISM exam emphasizes that independence from IT is critical to avoid conflicts of interest in risk management decisions.

How to eliminate wrong answers

Option A is wrong because reporting to the CIO creates a conflict of interest where the security team may be pressured to approve insecure IT projects or bypass controls to meet delivery deadlines, undermining independent risk assessment. Option B is wrong because the COO focuses on operational efficiency and cost reduction, which can lead to underinvestment in security controls that are perceived as slowing down business processes. Option C is wrong because the CFO prioritizes financial performance and cost containment, which may result in security budget cuts or delayed implementation of critical security measures to meet short-term financial targets.

137
MCQmedium

An information security manager is designing a security awareness program. Which approach BEST addresses the different learning needs of various employee groups?

A.Use only phishing simulations as training
B.Focus training only on high-risk groups such as system administrators
C.Provide the same annual training to all employees to ensure consistency
D.Deliver role-based training: secure coding for developers, social engineering for executives, and basic awareness for all
AnswerD

Role-based training addresses specific risks associated with each role.

Why this answer

Role-based training ensures that each group receives content relevant to their responsibilities.

138
MCQmedium

An organization is implementing a security champions program. What is the primary purpose of this initiative?

A.To embed security advocates within development teams to improve secure coding practices
B.To conduct security awareness training for all employees
C.To provide a career path for security professionals
D.To replace the need for a dedicated security team
AnswerA

Champions act as liaisons, promoting security in day-to-day development.

Why this answer

Security champions embed security advocates within development teams to promote secure practices.

139
Multi-Selectmedium

An organization is implementing CIS Controls v8. Which THREE of the following are implementation groups (IGs) defined in the CIS Controls?

Select 3 answers
A.IG1: Basic cyber hygiene for small organizations.
B.IG3: Advanced controls for high-risk or regulated environments.
C.IG4: Cloud-specific controls for cloud-first organizations.
D.IG2: Intermediate controls for organizations with moderate risk.
E.IG0: Minimal controls for non-critical systems.
AnswersA, B, D

IG1 is the foundational group.

Why this answer

CIS Controls v8 defines three implementation groups: IG1 (basic cyber hygiene), IG2 (intermediate), and IG3 (advanced) based on organization size and risk.

140
MCQeasy

Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?

A.Phishing click rate
B.Number of breaches
C.Number of security incidents
D.Mean time to detect (MTTD)
AnswerA

Phishing click rate is a leading indicator that shows how well employees are able to identify phishing attempts.

Why this answer

Leading indicators are proactive measures that predict future performance; phishing click rate reflects current behavior that influences future security incidents.

141
Multi-Selecthard

A multinational organization is implementing a vendor risk management programme. Which THREE of the following should be included in the programme to effectively manage nth-party risk? (Select THREE.)

Select 3 answers
A.Include contractual clauses that require vendors to pass down security requirements to subcontractors
B.Include the right to audit subcontractors in vendor contracts
C.Conduct annual security assessments of all subcontractors
D.Require vendors to disclose all subcontractors and their security posture
E.Require vendors to obtain insurance for subcontractors
AnswersA, B, D

Flow-down clauses ensure requirements extend to subcontractors.

Why this answer

To manage nth-party risk, the programme should require vendors to disclose their subcontractors, include contractual clauses flowing down security requirements, and have the right to audit subcontractors. Assessing all suppliers' suppliers is impractical; focusing on high-risk vendors is more feasible.

142
Multi-Selecthard

Which TWO are key elements of a security awareness program designed to change employee behavior?

Select 2 answers
A.Role-based training tailored to specific job functions
B.Annual compliance training for all employees
C.Phishing simulations with remediation training for those who click
D.Posters and newsletters about security topics
AnswersA, C

Relevant training increases engagement and retention.

Why this answer

Role-based training tailors content to job functions, and phishing simulations with remediation training reinforce learning.

143
MCQmedium

A security manager is developing a security scorecard for the C-suite. Which combination of metrics would be MOST appropriate for a one-page dashboard?

A.Patch compliance percentage and mean time to detect incidents.
B.Detailed vulnerability counts by severity and system owner.
C.Number of security awareness training sessions completed.
D.List of all third-party vendors and their risk ratings.
AnswerA

These are key leading and lagging indicators suitable for executives.

Why this answer

A one-page dashboard for the C-suite should include both leading and lagging indicators that provide a high-level view of security posture, such as patch compliance (leading) and mean time to detect (lagging).

144
MCQmedium

An organization is implementing a data security program. Which of the following is the most effective approach to protect sensitive data at rest?

A.Implementing strict access control lists (ACLs)
B.Implementing data loss prevention (DLP) solutions
C.Encrypting sensitive data stored in databases and file shares
D.Conducting regular vulnerability scans on servers
AnswerC

Encryption directly protects data at rest.

Why this answer

Encryption is a fundamental control for protecting data at rest. While DLP and access controls are important, encryption provides direct confidentiality protection.

145
Multi-Selecthard

An organization is implementing a vendor tiering program for third-party risk management. Which TWO criteria should be used to classify vendors into high, medium, or low risk tiers? (Select TWO)

Select 2 answers
A.Length of contract
B.Type and sensitivity of data accessed
C.Vendor's annual revenue
D.Criticality of service provided
E.Vendor's geographic location
AnswersB, D

Determines potential impact if data is breached.

Why this answer

Data access and service criticality directly affect the potential impact of a vendor compromise.

146
MCQmedium

An organization is implementing a defense-in-depth strategy. Which of the following is the BEST example of a compensating control?

A.Encrypting data at rest using AES-256
B.Installing a firewall at the network perimeter
C.Requiring multi-factor authentication for remote access where strong passwords are not feasible
D.Conducting quarterly vulnerability scans
AnswerC

Multi-factor authentication compensates for the inability to enforce strong passwords.

Why this answer

Option C is the best example of a compensating control because it provides an alternative security measure (multi-factor authentication) to mitigate the risk of weak or infeasible strong passwords for remote access. Compensating controls are implemented when a primary control cannot be applied due to technical or operational constraints, and they must achieve an equivalent or greater level of security. In this scenario, MFA compensates for the lack of password strength by requiring an additional authentication factor, such as a one-time passcode (OTP) or biometric, thereby reducing the likelihood of credential compromise.

Exam trap

The trap here is that candidates often confuse compensating controls with preventive or detective controls, mistakenly selecting a strong security measure like encryption or firewalls instead of recognizing that a compensating control specifically addresses a limitation or infeasibility of a primary control.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest using AES-256 is a preventive control, not a compensating control; it directly protects data confidentiality without substituting for another control. Option B is wrong because installing a firewall at the network perimeter is a preventive control that enforces access policies, not a compensating control that addresses a deficiency in another control. Option D is wrong because conducting quarterly vulnerability scans is a detective control that identifies weaknesses after they exist, not a compensating control that provides an alternative safeguard when a primary control is not feasible.

147
MCQmedium

An information security manager is asked to justify an increase in the security budget. Which approach BEST demonstrates the value of the security program?

A.Comparing the proposed budget to industry benchmarks
B.Calculating the ROI by estimating breach avoidance and compliance cost savings
C.Highlighting the number of security tools currently in use
D.Listing all security certifications held by the team
AnswerB

ROI quantifies the financial benefit of security investments.

Why this answer

Presenting the return on investment (ROI) by quantifying avoided breach costs and compliance savings provides a business case for budget increases.

148
Multi-Selectmedium

An organization is designing a security awareness program. Which TWO of the following should be included for developers?

Select 2 answers
A.Physical security procedures
B.Social engineering defense for executives
C.Threat modeling techniques
D.General phishing awareness
E.Secure coding practices
AnswersC, E

Helps developers identify security flaws early.

Why this answer

Developers need secure coding and threat modeling to build secure applications.

149
Multi-Selecteasy

Which TWO of the following are typical components of a security awareness program?

Select 2 answers
A.Role-based security training
B.Vulnerability scanning
C.Phishing simulations
D.Security architecture design
E.Penetration testing
AnswersA, C

Tailored training for different roles.

Why this answer

Phishing simulations and role-based training are core components of awareness programs. Penetration testing and vulnerability scanning are technical assessments, and security architecture is a design function.

150
MCQeasy

Which of the following is a LEADING indicator of security performance?

A.Cost of a data breach
B.Mean time to respond (MTTR)
C.Number of security incidents
D.Patch compliance percentage
AnswerD

Measures proactive maintenance, predicting future incidents.

Why this answer

Leading indicators predict future performance. Patch compliance measures proactive security posture.
