CISM Practice Exam 2
Take your exam preparation to the next level with fully simulated online practice tests designed to replicate the real exam experience. These exams feature realistic questions, timed conditions, and detailed explanations to help you assess your knowledge, identify weak areas, and build confidence before test day.
1. An organization introduced an updated information security policy but discovered that several employees were unaware of changes to their responsibilities under the new policy. What is the best approach to ensure all employees understand their updated roles?
Correct Answer: A Explanation: Using multiple communication channels (A) ensures broad and effective dissemination of policy changes, increasing the likelihood that all employees understand their responsibilities. A one-time email notification (B) may not reach or engage all employees effectively. Relying solely on department managers (C) risks inconsistent communication. A trickle-down approach (D) delays awareness and reduces accountability. Multiple channels provide clarity and reinforce the importance of updated responsibilities.
2. An e-commerce organization has identified the risk of a Distributed Denial-of-Service (DDoS) attack on its website, which could lead to significant downtime and revenue loss. After evaluating potential risk treatment options, the organization decides to purchase a cloud-based DDoS mitigation service. Which type of risk response does this represent?
Correct Answer: B. Risk mitigation. Explanation: Implementing a cloud-based DDoS mitigation service (B) represents risk mitigation because it reduces the likelihood and impact of a DDoS attack by deploying a technical control. Risk avoidance (A) would involve discontinuing the service that is at risk of attack, which is not the case here. Risk acceptance (C) refers to acknowledging the risk without taking action, which is not demonstrated in this scenario. Risk transfer (D) typically involves shifting the financial burden of risk, such as through insurance, rather than reducing the risk itself.
3. A manufacturing company learns that unauthorized USB devices have been connecting to its control systems, posing a serious malware infection risk. Which control is most effective to prevent this vulnerability?
Correct Answer: A. Explanation: Physically blocking USB ports removes the attack path: an unauthorized device simply cannot be connected to the control systems. Endpoint protection software reduces the risk but cannot guarantee detection of all malware, and agents are often unsupported on control-system hosts. Isolated networks are helpful, but internal actors could still introduce infected devices. A policy is essential for setting expectations but may not prevent deliberate violations. In practice the physical block should be paired with OS-level device control (allow-listing approved devices, disabling USB mass storage) and a sanitized-media process for the ports that maintenance staff genuinely need; otherwise the block is worked around or quietly removed.
4. A newly established strategic partnership requires the organization to share sensitive customer data with a third-party vendor. What should the organization do to address this internal influence on its information security strategy?
Correct Answer: A Explanation: Establishing a third-party risk management program (A) ensures that the organization evaluates and monitors the vendor’s security practices, addressing risks associated with sharing sensitive customer data. Requiring a non-disclosure agreement (B) is necessary but insufficient without verifying security practices. Limiting shared data (C) helps minimize exposure but does not ensure adequate protection for required data. Focusing solely on internal practices (D) neglects the external risk posed by third parties. A risk management program ensures that third-party relationships are aligned with the organization’s security strategy.
5. An information security manager is responsible for reporting compliance status across multiple regions. Which of the following is the BEST method for ensuring consistent and accurate compliance reporting?
Correct Answer: C. Explanation: A centralized compliance management system ensures consistency in the way compliance data is collected, analyzed, and reported. This system standardizes reporting practices and reduces errors that may occur with decentralized approaches. Local compliance officers (Option A) and regional manager reports (Option B) are useful but can result in discrepancies due to varying practices. Internal audits (Option D) are important but can be time-consuming and are not as consistent as automated, centralized reporting.
6. An organization conducts a vulnerability assessment and discovers that multiple systems are running outdated software versions. What should the information security manager prioritize to address this issue?
Correct Answer: A Explanation: Deploying patches and updates (A) directly addresses the root cause of the vulnerabilities, reducing the associated risks. Implementing compensating controls (B) is a temporary measure but does not resolve the issue. Disconnecting systems (C) may disrupt business operations unnecessarily. Notifying senior management (D) provides visibility but does not mitigate the vulnerabilities. Applying patches is the most effective and proactive response to outdated software. Prioritize by exposure and exploitability (internet-facing systems and flaws with public exploits first), test patches before a broad rollout, and use compensating controls only to bridge the window in which a patch cannot yet be applied.
7. A financial services company plans to outsource its data center operations to a managed services provider (MSP). Which of the following is the MOST important factor that the information security manager should consider when negotiating the service level agreement (SLA)?
Correct Answer: C. Explanation: The SLA must ensure that the MSP commits to timely notification of security breaches, enabling the financial services company to respond promptly and minimize the impact. Compliance adherence (Option A) and continuous monitoring (Option B) are vital, but they help prevent incidents and do not cover what happens after one occurs. Disaster recovery (Option D) ensures data can be recovered but does not address the immediate risk created by a delayed breach notification. Timely notification is crucial for invoking incident response plans and maintaining customer trust. The clause is only useful if it defines the clock: what counts as a reportable event, how many hours the MSP has after discovery to notify, and what the notification must contain, since the company's own regulatory and customer notification deadlines are short and cannot be met if the MSP sits on the news.
8. The Chief Information Security Officer (CISO) is preparing the annual budget for the information security program. Which approach is the MOST effective to ensure that the budget request aligns with the organization’s business objectives?
Correct Answer: B. Prioritize funding for initiatives that address the organization’s highest risks. Explanation: The correct answer is B. Prioritizing initiatives that address the highest risks ensures that the budget directly supports the organization’s most critical vulnerabilities and aligns with business objectives by protecting key assets. Option A (Base on previous year’s expenditure) lacks a risk-driven approach and may not address current needs. Option C (Allocate equally) ignores the varying importance of different functions and risks. Option D (Focus on emerging technologies) may lead to over-investment in unproven solutions without addressing immediate risks.
9. An organization relies on a third-party vendor to manage its cloud infrastructure. During a recent security audit, it was found that the vendor's security controls were inadequate to meet the organization’s compliance requirements. What should the information security manager do first to address this issue?
Correct Answer: B Explanation: Conducting a risk assessment (B) is the most appropriate first step as it helps evaluate the impact of the vendor’s inadequate controls on the organization’s overall risk posture. Terminating the contract (A) is premature without understanding the impact. Requiring additional controls (C) may be necessary but should follow the assessment. Escalating to senior management (D) is appropriate for decision-making but requires a clear understanding of the risks involved.
10. During an annual review of the incident response plan, it was noted that some response strategies were overly generic and lacked specificity for certain threats, such as advanced persistent threats (APTs). How should the organization address this gap to enhance incident management readiness?
Correct Answer: A Explanation: Developing playbooks for specific types of incidents (A) provides tailored guidance for responding to unique threats like APTs, which enhances the specificity and applicability of the incident response plan. Relying on vendor-recommended guidelines (B) may not align with the organization's unique environment and risks. Focusing solely on prevention (C) neglects the critical need for preparedness in the event of an incident. While increasing review frequency (D) is beneficial, it does not directly address the lack of detailed response strategies. Playbooks ensure that the response team has actionable and threat-specific procedures, significantly improving readiness.
11. An organization’s incident classification policy requires immediate escalation of incidents classified as critical. During a denial-of-service attack, the incident was incorrectly classified as moderate due to insufficient information during initial analysis, delaying the response. What action should the organization take to mitigate such issues in the future?
Correct Answer: A Explanation: Implementing a preliminary classification step (A) allows responders to assign a provisional severity level that can be updated as more information becomes available, ensuring timely escalation of critical incidents. Requiring all incidents to be classified as critical (B) leads to over-escalation, diluting resources. Using a single classification tier (C) oversimplifies the process and reduces effectiveness. Post-incident reviews (D) are useful for learning but do not provide a proactive solution. Preliminary classification improves flexibility and ensures incidents are escalated appropriately. When information is incomplete the provisional level should err toward the higher severity: de-escalating later costs little, while a missed escalation costs response time.
12. In developing a new information security strategy, how can an organization ensure that its objectives are well-received and understood by its stakeholders?
Correct Answer: B. Explanation: Mapping security objectives to business goals in plain language ensures that all stakeholders understand how the information security strategy supports overall business success. Clear communication in non-technical terms helps build buy-in and support for strategic initiatives. Technical jargon may alienate non-technical stakeholders, and prioritizing past incidents could overlook new risks. Benchmarking can provide insights but should not be the sole method for prioritizing objectives.
13. An organization needs to collect and analyze digital evidence as part of an incident investigation. What should the information security manager prioritize to ensure the process complies with legal and regulatory requirements?
Correct Answer: A Explanation: Maintaining a strict chain of custody (A) ensures that evidence is preserved and admissible in legal or regulatory proceedings, demonstrating compliance with requirements. Using forensic tools (B) is useful but secondary to legal adherence. Documenting findings (C) is important but does not ensure compliance without proper evidence handling. Collecting evidence from all systems (D) may be necessary but must follow chain-of-custody protocols. Concretely, chain of custody means acquiring images with write blockers or equivalent read-only methods, recording cryptographic hashes at collection and verifying them on every transfer, and keeping a signed log of who held each item, when, and why. A documented chain of custody ensures integrity and legal defensibility.
14. An organization recently experienced a phishing attack that compromised several employee accounts. To prevent similar incidents, what should the information security manager prioritize in the information security awareness program?
Correct Answer: A Explanation: Simulated phishing exercises (A) are an effective way to teach employees to recognize and respond to phishing attempts, directly addressing the root cause of the incident. Requiring acknowledgment of the policy (B) ensures awareness of guidelines but does not improve phishing recognition skills. General cybersecurity education (C) provides a broad foundation but may not focus on the specific issue. Sending a warning email (D) raises awareness temporarily but lacks a practical component. Simulations provide hands-on learning, improving awareness and response.
15. An organization’s leadership has decided to establish an information security governance framework. During initial discussions, the security team raised concerns about aligning the framework with the organization's overall goals. What is the first step the team should take to address this?
Correct Answer: C Explanation: Mapping the organization’s strategic objectives to specific security requirements (C) ensures that the governance framework directly supports the organization’s goals, making it effective and aligned. Conducting a BIA (A) identifies critical assets but does not establish alignment with broader objectives. Defining roles and responsibilities (B) is necessary but should follow the alignment process. Creating a high-level policy (D) provides guidance but does not ensure alignment with organizational goals. Aligning security requirements with strategic objectives lays a strong foundation for governance.
16. While developing an information security strategy, the CISO identifies that senior executives view security as a cost center rather than a business enabler. What is the BEST approach to gain executive support for the strategy?
Correct Answer: B. Demonstrate how security investments align with business objectives. Explanation: The correct answer is B. Demonstrating the alignment of security investments with business objectives helps executives see security as a contributor to organizational success rather than just a cost. Option A (Highlight penalties for non-compliance) may create urgency but fails to address the broader value of security. Option C (Benchmark security posture) can provide context but does not directly link security to business outcomes. Option D (Emphasize operational efficiencies) is useful but secondary to showcasing strategic alignment.
17. An organization is expanding its information security program to include a new office in another country. What should the security manager prioritize to establish effective processes for the new location?
Correct Answer: A Explanation: Ensuring compliance with local regulatory requirements (A) ensures that the program processes are legally and operationally viable in the new location. Deploying existing processes (B) without adaptation may fail to meet local needs. Training employees (C) is necessary but does not establish compliant processes. Assigning a local officer (D) enhances oversight but must be guided by compliant processes. Local regulatory compliance ensures the program’s effectiveness and legitimacy.
18. An organization’s HR department is digitizing employee records as part of a broader operational strategy. What should the security team prioritize to integrate information security into this process?
Correct Answer: A Explanation: Implementing access controls (A) ensures that only authorized personnel can access sensitive employee records, aligning security with the digitization process. Encrypting data during migration (B) is important but does not address long-term security. Training HR personnel (C) supports awareness but does not directly secure records. Assigning responsibility to IT (D) centralizes accountability but does not integrate security into HR processes. Access controls are fundamental to maintaining security during and after digitization.
19. An organization discovers that unauthorized access to its sensitive data occurred due to a misconfigured database server. During the risk assessment, the team identifies that regular configuration reviews are not conducted. What should be the MOST effective long-term solution to prevent similar incidents?
Correct Answer: B. Automate configuration management and perform periodic reviews. Explanation: Automating configuration management with periodic reviews (B) provides a proactive, scalable, and long-term solution to prevent similar incidents. Database activity monitoring (A) is reactive and focuses on detection rather than prevention. Restricting access (C) is necessary but insufficient if misconfigurations persist. Training administrators (D) is valuable but does not ensure ongoing adherence to secure configurations. In practice this means a documented secure baseline, enforcement through configuration management tooling rather than hand edits, and drift detection that flags any deviation for review; the periodic review also confirms that the baseline itself still matches current requirements.
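As an added example that is not part of the practice exam and not any vendor's tool, the following Python script shows the mechanical core of option B: a secure baseline expressed as data, a parser for a `key = value` server configuration, and a drift check that reports deviations with a severity so a scheduled job can surface the misconfiguration the question describes. The baseline keys resemble PostgreSQL settings, but the required values and the sample configuration are assumptions constructed for illustration.

```python
"""Configuration drift check against a secure database baseline.

Added example for CISM practice question 19; not part of the exam and not
any vendor's tool. The baseline keys are PostgreSQL-style names, but the
required values and the sample configuration are assumptions constructed
for illustration.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


@dataclass(frozen=True)
class Expectation:
    key: str          # configuration parameter name (matched case-insensitively)
    allowed: tuple    # acceptable values, lower-cased
    severity: str     # severity assigned when the live value deviates
    reason: str       # why the baseline requires it


# Secure baseline (assumed values chosen for this example).
BASELINE = (
    Expectation("listen_addresses", ("localhost", "127.0.0.1"), "critical",
                "server must not listen on all interfaces"),
    Expectation("ssl", ("on",), "high", "clients must connect over TLS"),
    Expectation("password_encryption", ("scram-sha-256",), "high",
                "MD5 password hashing is weak"),
    Expectation("log_connections", ("on",), "medium",
                "connection logging is required for access review"),
)

# key = value, with optional quotes around the value.
LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*$")


def parse_config(text: str) -> dict:
    """Parse `key = value` lines into a dict of lower-cased keys and values.

    Blank lines and `#` comments (whole-line or trailing) are ignored and
    surrounding quotes are stripped from values.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        match = LINE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        settings[key.lower()] = value.lower()
    return settings


def check_drift(settings: dict, baseline=BASELINE) -> list:
    """Return one finding per baseline expectation the live config violates.

    A missing setting is reported too: the server then runs with its
    built-in default, which is exactly the silent drift a periodic review
    is meant to catch. Findings are ordered most severe first.
    """
    findings = []
    for exp in baseline:
        actual = settings.get(exp.key)
        if actual is None:
            findings.append({"key": exp.key, "actual": None, "severity": exp.severity,
                             "reason": exp.reason + " (setting absent, default applies)"})
        elif actual not in exp.allowed:
            findings.append({"key": exp.key, "actual": actual, "severity": exp.severity,
                             "reason": exp.reason})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def worst_severity(findings: list) -> str:
    """Overall result for a scheduled job: 'clean' or the highest severity seen."""
    return findings[0]["severity"] if findings else "clean"


# Constructed sample: the drifted server from the question.
SAMPLE_CONFIG = """
# postgresql.conf fragment (constructed for this example)
listen_addresses = '*'          # changed from localhost during a migration
port = 5432
ssl = off
password_encryption = md5
"""

if __name__ == "__main__":
    live = parse_config(SAMPLE_CONFIG)
    for finding in check_drift(live):
        print(f"[{finding['severity']:8}] {finding['key']} = {finding['actual']!r}: {finding['reason']}")
    print("overall:", worst_severity(check_drift(live)))
```

Run from a scheduler against the exported configuration of each database host and route any non-clean result to the review queue; the baseline tuple is the artifact the periodic review should re-approve, so keep it under version control alongside the rest of the configuration code.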
20. An organization recently updated its Business Continuity Plan (BCP) following an extensive risk assessment. However, during a recent power outage, it was discovered that key personnel were unfamiliar with their roles and responsibilities during the incident. What should the organization do to improve its incident management readiness?
Correct Answer: B Explanation: Conducting regular training and drills (B) is critical to ensuring that key personnel are familiar with their roles and responsibilities outlined in the BCP. Without adequate training, even the most well-written BCP will fail in execution. Revising the BCP (A) with simplified instructions may help but does not replace the need for hands-on practice. Outsourcing to an external vendor (C) can provide expertise but does not address internal readiness or familiarize key personnel with their roles. Implementing automation (D) can support incident management but cannot replace human decision-making in complex scenarios. Training and drills provide the necessary preparation for effective BCP execution.
21. An organization is designing controls to protect its critical financial systems from unauthorized access. The security manager is weighing strong password policies, multi-factor authentication (MFA), role-based access control (RBAC) and intrusion detection. Which of the following would best mitigate the risk of unauthorized access?
Correct Answer: B Explanation: Deploying multi-factor authentication (B) is the most effective control for mitigating unauthorized access because it requires multiple forms of verification, making it significantly harder for attackers to gain access even if passwords are compromised. Strong password policies (A) improve security but are less effective against modern threats like phishing. RBAC (C) ensures appropriate access levels but does not protect against compromised credentials. Intrusion detection systems (D) monitor access attempts but do not actively prevent unauthorized access. Not all MFA is equal, though: one-time codes and push approvals can be relayed by real-time phishing kits or worn down by approval fatigue, so for critical financial systems prefer phishing-resistant methods such as FIDO2 security keys or certificate-based authentication.
22. An e-commerce company is worried about the impact of a sudden ransomware attack, which is an emerging threat in their industry. What should be prioritized in the risk assessment process to minimize the impact of a ransomware attack?
Correct Answer: B. Explanation: Encryption and secure backups are crucial to minimizing the impact of ransomware attacks. If sensitive data is encrypted at rest and backed up separately, the company can restore without paying a ransom and limits the exposure from any data the attackers exfiltrate before encrypting. Cyber insurance helps cover the financial loss but does not prevent damage to the data itself. Monitoring unusual traffic may detect early signs of infection but is reactive. Phishing training is vital for awareness but does not address all attack vectors. The backups only help if the ransomware cannot reach them: keep at least one copy offline or immutable, separate its credentials from the domain administrators' accounts, and rehearse restores, because current ransomware operators look for and destroy reachable backups before encrypting production.
23. A ransomware attack encrypted sensitive files on a shared drive, and the incident response team immediately disconnected the affected systems. However, during containment, the ransomware spread to other shared resources through mapped drives. What containment strategy should the organization prioritize to prevent such spread?
Correct Answer: A Explanation: Disabling file-sharing protocols and disconnecting mapped drives (A) prevents the ransomware from propagating to other shared resources, containing the incident effectively. Focusing on recovery (B) does not stop the ongoing spread. Notifying users (C) reduces access but does not block the ransomware's activity. Isolating the shared drive (D) helps with analysis but does not address the broader containment need. Operationally this means blocking SMB (TCP 445) from the infected hosts at the host or network firewall, dismounting their mapped drives, and disabling or resetting the user and service accounts the malware was running under, because it writes to shares with whatever credentials the infected session holds. Disabling sharing mechanisms ensures that the ransomware is contained before it causes further damage.
24. A recent audit indicates that the organization’s access control policy may not adequately protect critical systems. What is the most appropriate action to evaluate the effectiveness of current access control measures?
Correct Answer: A Explanation: Reviewing access logs (A) provides evidence of whether current controls are successfully preventing unauthorized access attempts, directly evaluating their effectiveness. Increasing policy update frequency (B) supports governance but does not assess controls. Employee acknowledgment (C) raises awareness but does not measure control effectiveness. Penetration testing (D) identifies vulnerabilities but does not comprehensively evaluate day-to-day control performance. A log review presumes the logs exist, so confirm first that the critical systems record authentication and authorization decisions, that their clocks are synchronized, and that retention covers the review period; otherwise the review finds nothing and reports false comfort. Log reviews offer practical insights into control functionality.
25. A financial institution is conducting an inventory of its information assets as part of an information security program. The security manager is tasked with ensuring that critical data is identified and classified to align with business priorities. Which of the following actions should the security manager take to most effectively classify information assets?
Correct Answer: A Explanation: Developing a classification scheme (A) that considers data type, sensitivity, and regulatory requirements ensures that the classification is comprehensive, relevant to business priorities, and compliant with regulations. Focusing solely on financial impact (B) neglects other critical data such as intellectual property or customer information. Classification based on asset location (C) can overlook data importance and sensitivity. Using generic classification levels (D) without contextual adaptation often fails to address the organization’s unique requirements.
26. An organization recently implemented a Security Information and Event Management (SIEM) system to detect information security incidents. What should the information security manager prioritize to ensure timely identification of incidents?
Correct Answer: A Explanation: Configuring alerts based on critical security events (A) ensures that the SIEM system notifies the team of potential incidents in a timely manner, enabling faster responses. Weekly log reviews (B) are time-consuming and may delay incident detection. Limiting monitoring to high-risk assets (C) reduces visibility and may miss incidents. Employee training (D) improves understanding but does not directly improve incident detection. Alerts enable immediate awareness of high-priority events, ensuring timely identification.
27. During an incident simulation, the incident response team found that their response was slowed down because they lacked up-to-date knowledge of the most recent threats. Which action will best improve the team's incident management readiness?
Correct Answer: B. Explanation: Regularly updating the incident response plan to reflect current threats ensures the team has relevant knowledge and procedures to act swiftly. An internal threat intelligence database (A) is valuable but not directly useful without integrating this data into the IRP. Reassigning roles (C) may not address specific threat knowledge gaps. Monitoring cybersecurity news (D) is helpful but doesn't guarantee that the IRP will reflect this information or that the team will apply it effectively.
28. An organization’s information security manager must communicate the results of a security assessment to non-technical stakeholders. What is the best approach to ensure the audience understands the significance of the findings?
Correct Answer: B Explanation: Using visual aids like graphs and charts (B) makes the findings more accessible to non-technical stakeholders by focusing on key risks and their business impacts. Presenting detailed technical data (A) may overwhelm the audience. Comparing with industry benchmarks (C) can provide context but should not overshadow the organization’s unique risk profile. Distributing the full report (D) without simplifying the content risks misinterpretation.
29. An organization conducts a checklist review of its incident management plan and finds that the escalation process for high-severity incidents is not clearly defined. What is the most appropriate action for the information security manager to take?
Correct Answer: A Explanation: Updating the escalation process and validating it through a follow-up review (A) ensures that the plan is corrected and that changes are effective. A tabletop exercise (B) helps test scenarios but does not directly address the escalation process. Developing a decision matrix (C) aids in classification but does not resolve escalation issues. Assigning escalation responsibilities (D) provides a short-term fix but lacks procedural clarity. A structured review process ensures a thorough and validated escalation approach.
30. An organization’s security program requires that employees follow established guidelines for handling sensitive information. During a review, it is observed that employees frequently deviate from these guidelines. What is the most effective approach for the security manager to improve adherence?
Correct Answer: D Explanation: Implementing automated controls (D) ensures consistent adherence to guidelines by reducing reliance on manual compliance. Revising guidelines to make them less stringent (A) might compromise security and does not address the root cause of non-compliance. Awareness campaigns (B) improve understanding but do not guarantee compliance. Imposing penalties (C) might deter violations but can create resentment and does not resolve the underlying issue.
31. An organization is implementing multi-factor authentication (MFA) to enhance access security. To ensure a smooth integration with its enterprise applications, what should the security manager focus on?
Correct Answer: A Explanation: Selecting an MFA solution with SSO functionality (A) streamlines integration by enabling users to access multiple applications seamlessly after authentication. Limiting MFA to external users (B) or critical systems (D) undermines comprehensive security. Requiring enrollment for all employees before deployment (C) may delay implementation and cause resistance.
32. An organization has recently implemented a Security Information and Event Management (SIEM) system to enhance incident detection. However, the system generates a high volume of alerts, many of which are false positives, overwhelming the incident response team. What should the organization prioritize to address this issue?
Correct Answer: A Explanation: Configuring the SIEM system to filter out low-priority alerts (A) ensures that the incident response team focuses on actionable and critical alerts, reducing noise and improving efficiency. Assigning additional staff (B) is resource-intensive and does not address the root issue of excessive false positives. Replacing the SIEM system (C) may reduce complexity but sacrifices the advanced detection capabilities needed for effective incident management. Outsourcing monitoring to an MSSP (D) can help manage alerts but is less effective than addressing configuration issues. Proper SIEM configuration optimizes its use and enhances the team's ability to respond effectively. Filtering is the first step of tuning, not the whole of it: derive thresholds and suppressions from triage outcomes, document each suppression with its reason and an owner, and re-check both the false-positive and the missed-detection rates after each change, or genuine signal is discarded along with the noise.
33. A new system vulnerability has been discovered, exposing the organization’s customer data to potential breaches. What should the information security manager prioritize when reporting this risk to stakeholders?
Correct Answer: A Explanation: Describing the potential business impact (A) helps stakeholders understand the severity of the risk and its implications for decision-making. Focusing on technical details (B) provides insight but may not be relevant for all stakeholders. Recommending a shutdown (C) might be an action step but is not part of the initial report. Listing past vulnerabilities (D) is unrelated to the specific risk being reported. Business impact contextualizes the urgency and scope of the risk for effective decision-making.
34. Following the implementation of new security controls, which of the following methods should be used FIRST to determine their effectiveness?
Correct Answer: A. Explanation: Conducting a gap analysis is a strategic approach to evaluate the effectiveness of newly implemented security controls by comparing the current state of security with the desired or required state. This analysis identifies any discrepancies between the implemented controls and organizational security objectives, offering specific insights into areas that need enhancement. While monitoring (Options B and C) and user feedback (Option D) are useful for ongoing assessment, a gap analysis provides the initial evaluation necessary for understanding the baseline effectiveness of new controls.
35. An organization’s governance audit reveals overlapping responsibilities between the IT and security teams, causing delays in incident response. What is the BEST approach to resolve this issue?
Correct Answer: B. Redefine the roles and responsibilities of both teams to eliminate overlap. Explanation: The correct answer is B. Redefining roles and responsibilities eliminates confusion and duplication of effort, streamlining the incident response process. Option A (Assign a joint team) could perpetuate the overlap and lead to further inefficiencies. Option C (Conduct cross-training) may improve collaboration but does not address the root cause of the overlap. Option D (Implement a strict escalation matrix) manages incidents but does not resolve the underlying issue of unclear responsibilities.
36. An organization processes sensitive customer data and identifies the risk of data breaches through third-party vendors. Which risk treatment option is most appropriate to address this risk?
Correct Answer: A Explanation: Requiring vendors to comply with data protection standards (A) ensures they implement the necessary controls to mitigate the risk, aligning with the organization's security strategy. Conducting vulnerability scans (B) provides insight but may not be feasible or enforceable. Limiting shared data (C) reduces exposure but may hinder operations. Terminating vendor relationships (D) may be extreme and disrupt operations. Contractual agreements enforce vendor accountability for security, but only when they are verifiable: pair the compliance clause with a right to audit or to receive independent assurance reports and with breach notification obligations, so that "comply with our standards" has evidence behind it.
37. An organization must comply with both GDPR and CCPA for its customer data. What is the most effective strategy to address overlapping regulatory requirements?
Correct Answer: A Explanation: Aligning compliance efforts to the stricter of the two requirements (A) lets the organization satisfy both regulations efficiently without duplicating effort. Creating separate policies (B) increases complexity and may lead to inconsistencies. Assuming CCPA compliance follows from GDPR compliance (C) overlooks the unique requirements of each regulation. Assigning separate teams (D) creates silos and inefficiencies. The comparison has to be made requirement by requirement rather than once for the whole regulation, because neither law is a superset of the other: for example, CCPA's opt-out from the sale of personal information has no direct GDPR counterpart, while GDPR's lawful-basis rules have none in CCPA. Addressing the stricter requirement in each area provides a streamlined and comprehensive compliance approach.
38. A media company receives weekly reports about cybersecurity risks from its IT department, focusing primarily on detected incidents. What improvement would make these reports more actionable?
Correct Answer: D. Explanation: Proactive risk indicators (such as vulnerability trends or system configuration changes) provide insights into potential threats before they occur, enabling the company to prevent incidents and address gaps ahead of time. Segmenting incidents by severity (A) helps prioritize response but still focuses on past occurrences. Compliance gaps (B) aid in regulatory adherence but may not predict future risks. Executive summaries (C) help convey information but do not add predictive value. Proactive indicators offer preemptive visibility, making reporting more comprehensive and actionable.
39. A multinational company plans to update its information security policy due to recent regulatory changes. Which approach should the security manager take to ensure continued compliance across the entire organization?
Correct Answer: C. Explanation: Analyzing the regulatory changes and updating the policy language to ensure unified compliance is essential for maintaining consistency and clarity across the organization. This approach ensures that the updated policies accurately reflect the latest regulations while avoiding ambiguities that could result in inconsistencies or non-compliance. Designating regional representatives, incorporating changes without major revisions, and providing training are secondary measures that depend on a clear, unified policy as the foundation for compliance.
40. A CISM-certified security manager is reviewing the organizational structure for information security and wants to promote accountability. Which of the following changes would MOST effectively improve accountability?
Correct Answer: D. Explanation: Assigning a single point of contact (SPOC) responsible for each critical security area ensures clear accountability. This approach leaves no ambiguity regarding ownership and encourages proactive management of responsibilities. Steering committees and matrix reporting may dilute accountability by involving multiple stakeholders, while business unit managers may lack specialized knowledge to oversee specific security areas. A SPOC system ensures that each critical area is directly managed and monitored.
41. A company is integrating its new web application firewall (WAF) with its existing SIEM system. What is the MOST important consideration to ensure effective integration?
Correct Answer: B. Explanation: Predefined SIEM rules are critical for processing the WAF logs effectively, allowing the detection of attack patterns and unusual behavior indicative of malicious activity. Without appropriate rules, the SIEM may not interpret the logs meaningfully. Option A is necessary but insufficient because the log data must also be analyzed appropriately. Testing capacity (Option C) is useful but not specific to achieving effective log correlation. Verbose logging (Option D) can lead to information overload, reducing the focus on significant alerts.
42. A retail organization has identified risks related to insider threats. The Chief Human Resources Officer (CHRO) is assigned ownership of these risks. Which action BEST aligns with the CHRO’s role as a risk owner?
Correct Answer: B. Develop and enforce policies on employee behavior and access management. Explanation: As the risk owner, the CHRO is responsible for developing and enforcing policies on employee behavior and access management (B) to address insider threats. Implementing technical tools (A) is typically handled by IT or security teams. Conducting training (C) supports risk mitigation but is not the core responsibility of the risk owner. Approving disciplinary actions (D) may be part of broader HR responsibilities but does not directly align with risk ownership.
43. The CISO is preparing an annual report on the information security program for the executive committee. What should the report focus on to gain continued support for the program?
Correct Answer: A. Explanation: Focusing on alignment with strategic objectives (A) demonstrates how the security program supports the organization’s goals, ensuring continued executive support. Reviewing patched vulnerabilities (B) is too operational. Technical details of incidents (C) do not emphasize alignment with business priorities. Compliance achievements (D) are important but insufficient to show overall program alignment. Highlighting strategic alignment ensures the program’s relevance to executive decision-makers.
44. An organization recently discovered several vulnerabilities in its network infrastructure that could lead to potential data breaches. After evaluating these risks, the security manager decides to take a proactive approach and implement additional firewall configurations to mitigate the threat of unauthorized access. This decision reflects which risk response option?
Correct Answer: B. Explanation: Mitigation involves reducing the likelihood or impact of a risk by implementing controls. In this case, the security manager chooses to add firewall configurations, which are security controls aimed at reducing the risk of unauthorized access. Avoidance (A) would involve eliminating the risk entirely, typically by discontinuing a risky activity. Acceptance (C) would mean recognizing the risk but choosing not to act. Transfer (D) involves shifting the risk to a third party, like insurance. Here, additional firewall configurations are designed to minimize the vulnerability impact, making mitigation the correct answer.
45. During a corporate governance review, it was identified that information security governance is not adequately represented in the organization’s decision-making processes. What action should the organization prioritize to address this issue?
Correct Answer: A. Explanation: Appointing a senior executive (A) ensures that information security governance has a voice in board-level decision-making, enabling integration with corporate governance. Improving the technical security posture (B) does not address governance representation. Employee training (C) is important for awareness but does not impact governance integration. Creating an independent committee (D) may lead to silos and reduce alignment with corporate governance. Advocacy at the executive level ensures that information security governance is incorporated into strategic decisions.
46. An organization is implementing a new information security strategy and needs ongoing support from senior leadership. What is the most effective way to gain this commitment?
Correct Answer: A. Explanation: Regularly presenting metrics that demonstrate alignment with business objectives (A) shows senior leadership how the strategy supports organizational goals, fostering continued commitment. Focusing exclusively on regulatory compliance (B) may overlook broader business benefits. Highlighting technical complexity (C) could alienate non-technical stakeholders. Providing detailed technical overviews (D) risks overwhelming leadership with unnecessary information. Metrics that tie security to business success effectively secure leadership support.
47. A healthcare organization wants to classify its patient data as highly sensitive due to the nature of the information. What is the most important factor in maintaining consistent data classification for this information asset?
Correct Answer: B. Explanation: Maintaining consistent data classification requires a detailed schema that reflects the sensitivity of patient information. Without a robust classification framework, classification can become arbitrary or inconsistent across the organization. A detailed schema ensures a standardized approach that properly categorizes data based on its sensitivity, particularly for highly sensitive assets like patient data. While aligning classification with security policies, involving stakeholders, and mapping classification to regulatory requirements are essential practices, they depend on a comprehensive schema to maintain consistent classification.
48. A Business Continuity Plan (BCP) for a financial institution requires that a backup site be established for critical operations to ensure continuity during a significant disruption. The backup site, however, lacks the capacity to support the entire workforce. What should the organization prioritize to ensure the continuity of critical operations?
Correct Answer: A. Explanation: Prioritizing essential staff ensures that critical operations can continue at the backup site even with limited capacity. Constructing a larger site (B) could be too expensive and time-consuming. Remote work (C) may be helpful, but not all functions can be performed remotely. Outsourcing (D) is not always feasible for financial institutions due to regulatory constraints and data security concerns.
49. A CISM-certified security manager is reviewing a newly signed outsourcing contract. Which of the following clauses is the MOST critical to ensure compliance with legal and regulatory requirements?
Correct Answer: B. Explanation: A data protection clause is crucial in an outsourcing contract because it clearly outlines how personal data should be processed to comply with data protection laws and regulations. This clause ensures that the service provider understands and abides by the specific legal obligations, reducing the risk of non-compliance that could lead to legal consequences. An exclusivity clause has minimal bearing on legal requirements, while an NDA protects sensitive data but doesn't cover data processing specifics. Warranty clauses are important for service performance but don't directly address data processing and compliance.
50. An organization uses a risk management dashboard to monitor key security risks. A critical risk related to unpatched vulnerabilities in its core systems remains unresolved for multiple reporting cycles. What action should the Chief Information Security Officer (CISO) take to address this situation?
Correct Answer: A. Escalate the unresolved risk to senior management for prioritization. Explanation: Escalating the unresolved risk (A) ensures that senior management is aware and can allocate the necessary resources or make strategic decisions to address the issue. Increasing the severity rating (B) without justification may undermine the credibility of risk monitoring efforts. Assigning additional resources (C) is a valid approach but may require approval from senior management. Updating the dashboard (D) is useful for transparency but does not actively address the unresolved risk.
51. An organization is implementing a bring-your-own-device (BYOD) program and needs to update its information security policy to guide the development of supporting standards. What is the most important consideration to include in the policy?
Correct Answer: A. Explanation: Including requirements for securing personal devices (A) ensures that standards and procedures can address risks associated with BYOD, providing a foundation for safe implementation. Listing approved devices (B) is too restrictive and does not address security comprehensively. Providing detailed technical specifications (C) is more appropriate for procedures, not policy. Prohibiting personal devices (D) conflicts with the BYOD initiative. Security requirements guide the development of effective BYOD standards and procedures.
52. An organization is negotiating a contract with a third-party software developer to build a custom application. To integrate security requirements, what should the security team prioritize?
Correct Answer: A. Explanation: Requiring secure coding practices (A) ensures that security is embedded into the application from the start, aligning with the organization’s security objectives. Signing an NDA (B) protects intellectual property but does not address coding standards. Limiting open-source components (C) may reduce flexibility and innovation without addressing broader security risks. Conducting background checks (D) ensures personnel reliability but does not influence development practices. Secure coding practices are critical for integrating security into custom applications.
53. During a major security incident, the organization’s business continuity plan (BCP) and incident response plan (IRP) provided conflicting priorities for resource allocation. What is the most effective action for the information security manager to take to resolve this issue for future incidents?
Correct Answer: A. Explanation: Updating both plans to define resource prioritization criteria (A) ensures alignment and prevents future conflicts. Giving precedence to the BCP (B) may not be appropriate in all situations. Increasing testing frequency (C) identifies conflicts but does not resolve them. Assigning a resource coordinator (D) improves execution but does not address procedural conflicts in the plans. Clearly defined criteria ensure effective and conflict-free resource allocation.
54. An organization is expanding its operations to a new country and needs to ensure compliance with local data protection laws. What is the FIRST step the organization should take to align with the new legal requirements?
Correct Answer: A. Conduct a legal gap analysis to compare existing policies with local laws. Explanation: Conducting a legal gap analysis (A) is the first step to identify discrepancies between the organization’s existing policies and local legal requirements, enabling informed decisions on necessary changes. Option B (Deploy a data encryption solution) may be part of compliance but does not directly address understanding local laws. Option C (Hire a local legal consultant) may assist in compliance efforts but is not the first step; understanding the gaps is crucial before involving external parties. Option D (Revise existing policies) is premature without first identifying which aspects require alignment with local requirements.
55. A company is designing information security controls for a new payment processing system. The system needs to ensure the confidentiality of payment card data both in storage and in transit. Which of the following is the MOST effective approach?
Correct Answer: A. Explanation: Symmetric encryption is efficient for encrypting bulk data like payment card information and provides strong confidentiality when encryption keys are adequately protected. Access controls, including separation of duties and role-based access, are critical for preventing unauthorized key access. Option B suggests secure transmission without adequate protection in storage, while Option C is flawed because hashing is not reversible and thus unsuitable for data that needs retrieval. PKI (Option D) is usually less practical for encryption of large datasets due to performance constraints.
56. An organization has experienced a data breach, and the incident response team needs to notify external stakeholders promptly. What is the most important factor the information security manager should consider when preparing the communication plan?
Correct Answer: A. Explanation: Ensuring compliance with legal and regulatory requirements (A) is crucial when notifying external stakeholders, as it demonstrates accountability and adherence to laws governing data breaches. Including technical details (B) may confuse stakeholders or provide unnecessary information. Reassuring stakeholders (C) is important but secondary to compliance. Minimizing financial impact (D) is a consideration but should not overshadow transparency and legal obligations. Compliance ensures lawful and effective communication.
57. A software development team lead is assigned to maintain an encryption control system that encrypts sensitive data in transit to comply with the company's data protection policies. What position best defines the team lead's role in this scenario?
Correct Answer: C. Explanation: Control owners are responsible for ensuring specific security controls are implemented effectively. The team lead's role involves maintaining encryption control, directly responsible for its effectiveness and compliance with data protection policies. Risk owners (A) handle risk management for specific risks. Process owners (B) manage overall business functions. Compliance owners (D) are responsible for regulatory adherence at an organizational level. Since the team lead oversees the encryption control system, they act as the control owner.
58. An organization has implemented network segmentation as a security control. To test the effectiveness of this control, the information security manager plans to evaluate whether unauthorized communication is possible between segments. What is the best method to perform this test?
Correct Answer: C. Explanation: Conducting a penetration test (C) is the best method to validate network segmentation, as it actively tests whether unauthorized access can occur across segments. Reviewing network diagrams (A) ensures design accuracy but does not test implementation. Packet sniffers (B) monitor traffic but do not simulate attacks. Verifying firewall rules (D) checks configuration but does not validate effectiveness against potential threats.
59. In the process of adopting COBIT 2019, a global bank aims to improve its governance of enterprise IT. Which approach best ensures that COBIT is effectively integrated into the bank's information security governance?
Correct Answer: B. Explanation: Aligning COBIT's governance objectives with the bank's overall IT strategy ensures that the framework integrates seamlessly with existing goals and practices. This approach helps build a unified structure where security governance supports strategic business needs and IT objectives. COBIT is designed to support broader governance by mapping its principles directly to IT objectives. Policy design, training, and monitoring are all significant aspects of COBIT adoption, but alignment with IT strategy ensures its effective integration.
60. The finance department requests a secure method to process remote financial transactions as part of a new operational objective. How should the security team respond to ensure alignment with this request?
Correct Answer: A. Explanation: Implementing multi-factor authentication (A) directly supports the finance department’s objective by securing remote access without hindering operations. Encrypting financial data (B) is critical for data protection but does not address access security. Restricting remote access entirely (C) conflicts with the operational goal of enabling remote transactions. Regular audits (D) enhance oversight but do not provide immediate security for remote access. Multi-factor authentication ensures secure and operationally aligned remote financial processing.
61. In the strategic planning phase, an organization’s CISO is tasked with developing a business case for expanding its cybersecurity resources. Which of the following elements should be prioritized to justify the additional funding?
Correct Answer: B. Explanation: When developing a business case for expanding cybersecurity resources, it's crucial to demonstrate how the proposed resources will align with and support the organization’s business objectives. Business leaders are more inclined to approve funding if they understand how cybersecurity investments directly contribute to the company's strategic goals, whether by mitigating risks to key business functions or by enhancing operational efficiency. Identifying gaps, analyzing ROI, and benchmarking provide supporting data, but alignment with business objectives remains the primary justification.
62. During an incident evaluation, the response team identified that conflicting versions of events were reported by different teams, delaying the analysis process. What action should the organization take to address this issue?
Correct Answer: A. Explanation: Establishing a centralized incident documentation process (A) ensures consistent and accurate records of events, reducing confusion and delays during evaluations. Assigning a single point of contact (B) improves communication but does not resolve inconsistencies in documentation. Focusing only on technical data (C) overlooks valuable insights from team members. Requiring written reports from all teams (D) may create delays and administrative burdens. A centralized process improves clarity and coordination during incident evaluations.
63. An organization’s post-incident review revealed that while the technical response to a malware incident was effective, there was no documented process for capturing lessons learned, resulting in missed opportunities for improving future readiness. What action should the organization take to address this gap?
Correct Answer: A. Explanation: Developing a structured framework (A) ensures that lessons learned are consistently documented, analyzed, and implemented to improve future readiness. Conducting more frequent drills (B) enhances skills but does not address the need to capture and apply lessons from real incidents. Assigning a team member (C) helps with documentation but may not ensure a systematic approach to implementation. Using third-party consultants (D) adds value but does not replace an internal process for continuous improvement. A structured framework ensures that insights from each incident lead to actionable improvements.
64. During the eradication phase of an incident, the security team identifies malware on several systems. What is the most appropriate action for the information security manager to take?
Correct Answer: A. Explanation: Removing malware and ensuring no traces remain (A) effectively eradicates the threat, aligning with the eradication phase’s objectives. Reimaging all systems (B) is excessive unless necessary and may disrupt operations. Notifying employees (C) minimizes risk but does not eliminate the malware. Monitoring network traffic (D) helps identify other issues but does not address the immediate eradication need. Proper eradication ensures the threat is fully neutralized.
65. During an audit, it is discovered that some critical information assets have not been classified. What is the best step to resolve this issue?
Correct Answer: A. Explanation: Updating the classification process to include periodic reviews (A) ensures that all assets are consistently reviewed and classified, addressing gaps over time. Assigning responsibility to IT security (B) centralizes accountability but does not ensure all assets are covered. Focusing on new assets (C) neglects existing gaps. Increasing training frequency (D) improves awareness but does not guarantee process updates. Periodic reviews ensure comprehensive and ongoing classification.
66. An organization has implemented a Disaster Recovery Plan (DRP) that relies on a secondary data center located in a different region. During a large-scale outage, the secondary data center experienced network congestion, significantly delaying failover operations. What action should the organization prioritize to prevent such issues in the future?
Correct Answer: A. Explanation: Upgrading the network bandwidth and capacity (A) addresses the root cause of network congestion and ensures smooth failover operations in the future. While conducting failover tests during peak traffic (B) is valuable for identifying bottlenecks, it does not resolve the issue unless corrective action is taken. Developing manual workarounds (C) is a temporary solution that does not address the long-term issue of network performance. Engaging an external vendor (D) may improve monitoring but does not necessarily resolve the capacity issue. Ensuring adequate network capacity at the secondary data center is critical for effective disaster recovery.
67. A financial institution wants to improve its information security posture by adopting a framework that integrates IT governance with business objectives. Which framework should the information security manager use to align the security program with the organization’s overall goals?
Correct Answer: A. Explanation: COBIT (A) is specifically designed to integrate IT governance with business objectives, ensuring alignment between technology and organizational goals. It provides a governance framework that bridges the gap between technical security measures and broader business strategies. ISO/IEC 27001 (B) focuses on information security management but does not emphasize IT governance alignment. NIST CSF (C) is a strong cybersecurity framework but is less focused on governance. ITIL (D) concentrates on IT service management and operational processes rather than aligning security with business objectives.
68. An organization is establishing metrics to measure the effectiveness of its information security awareness program. Which metric would best demonstrate its impact?
Correct Answer: B. Explanation: The reduction in successful phishing incidents (B) directly reflects the program’s effectiveness in changing employee behavior and improving awareness. The number of employees completing training (A) measures participation but not outcomes. The cost of the program (C) is important for budgeting but does not demonstrate impact. The frequency of sessions (D) indicates activity but not success. Metrics like reduced phishing incidents provide actionable insights into the program’s impact on organizational security.
69. A recent incident exposed gaps in the organization’s third-party vendor management process. What is the most appropriate corrective action to address these gaps?
Correct Answer: A. Explanation: Regular security assessments (A) identify and mitigate risks in the vendor management process, addressing gaps revealed during the incident. Terminating contracts (B) may be necessary for severe cases but is not a proactive improvement. Adding breach penalties (C) enforces accountability but does not strengthen vendor security. Improving communication (D) is helpful but does not address underlying security gaps. Security assessments ensure that vendors meet organizational standards.
70. An organization is implementing a new information security program and wants to ensure it aligns with its overall information security strategy. What is the most important first step to achieve this alignment?
Correct Answer: D. Explanation: Establishing a governance structure (D) ensures that the program is guided by the strategic priorities and objectives of the organization, providing oversight and alignment. Conducting a risk assessment (A) is important but should be directed by the governance structure to align with strategic goals. Developing technical controls (B) is an implementation detail that follows strategic alignment. Budget allocation (C) is critical but depends on a well-defined governance framework. Governance ensures that the program adheres to the information security strategy.
71. During the recovery phase of a ransomware attack, an organization restored its critical systems from backups. However, shortly after restoration, the ransomware reactivated because the infected files were not completely removed. What should the organization prioritize to ensure effective eradication and recovery?
Correct Answer: A. Explanation: Conducting a comprehensive malware scan across all systems (A) ensures that infected files are identified and removed before initiating recovery, preventing the malware from reactivating. Performing a full reinstallation (B) is time-consuming and disruptive, and may not be necessary if thorough scans are performed. Isolating restored systems (C) minimizes risk but does not address the underlying issue of leftover infections. Recovering non-critical systems first (D) does not prioritize business continuity and leaves critical systems vulnerable. A thorough malware scan ensures that the recovery process is not undermined by residual infections.
72. A technology company develops a classification system that includes specific categories for various types of security incidents. However, the system often categorizes incidents based on their technical impact rather than the overall business impact. How can the organization refine its classification framework to better align with business goals?
Correct Answer: A. Explanation: Incident categories should reflect both technical and business impacts to ensure that the classification aligns with the organization's goals. Delegating to business managers (B) might result in technical aspects being overlooked. Limiting categories (C) could oversimplify classification and reduce accuracy. Separate categories (D) may increase complexity without adding value.
73. During a security risk assessment, a retail organization discovers an emerging threat of credential-stuffing attacks against its customer-facing web applications. To address this, the security manager recommends implementing multi-factor authentication (MFA). What should the manager do NEXT to validate this recommendation?
Correct Answer: A. Conduct a cost-benefit analysis to justify the implementation of MFA. Explanation: Conducting a cost-benefit analysis (A) ensures that the recommended control is feasible and aligns with the organization's risk tolerance and budget. While penetration testing (B) can confirm vulnerabilities, it does not validate the recommendation itself. Assessing customer adoption challenges (C) is important later in the implementation process but not for validation. Reviewing success in other organizations (D) provides context but is insufficient for justifying the recommendation in the organization’s specific environment.
74. A telecommunications company finds that its Disaster Recovery Plan (DRP) does not effectively cover all critical applications across different regions. Which of the following would be the best first step to enhance disaster recovery readiness?
Correct Answer: A. Explanation: Establishing region-specific requirements ensures that DRP efforts comply with local regulations and address specific regional risks. A global plan (B) could lack regional nuances, while managed service providers (C) may not guarantee compliance. A centralized recovery manager (D) can help coordinate efforts but must understand regional requirements for effective planning.
75. An organization recently acquired a new subsidiary with distinct IT systems and security policies. To address this change, what should the information security manager prioritize to reassess risk?
Correct Answer: A. Explanation: Conducting a risk assessment (A) identifies vulnerabilities, threats, and potential impacts related to the subsidiary’s IT systems, ensuring risks are addressed in the new context. Enforcing security policies (B) may overlook unique risks. Integrating systems (C) focuses on operations but does not evaluate risk. Internal audits (D) provide ongoing assurance but are not the first step. A risk assessment ensures the organization understands and manages risks associated with the acquisition.