DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Ace CISM Certification Exam Questions & Study Resources, Certified Information Security Manager | SPOTO

CISM (Certified Information Security Manager) is an advanced certification offered by ISACA, indicating proficiency in developing and managing enterprise information security programs. As you prepare to ace the CISM certification exam, leveraging study resources like exam questions, sample questions, and mock exams can significantly enhance your readiness. These resources provide a simulated exam environment, allowing you to practice with real exam questions and refine your knowledge. Additionally, access to exam materials, including exam answers and practice tests, enables focused preparation. With SPOTO's comprehensive study resources, including free tests and exam dumps, you can engage in targeted exam practice and enhance your exam preparation. Utilize the exam simulator to simulate exam conditions and boost your confidence before the actual exam. Prepare effectively with SPOTO's CISM study resources to excel in your certification journey as a Certified Information Security Manager.
Take other online exams

Question #1
Which of the following enables compliance with a nonrepudiation policy requirement for electronic transactions?
A. Digital certificates
B. Digital signatures
C. Encrypted passwords
D. One-time passwords
View answer
Correct Answer: B

View The Updated CISM Exam Questions

SPOTO Provides 100% Real CISM Exam Questions for You to Pass Your CISM Exam!

Question #2
Which of the following is a PRIMARY responsibility of an information security steering committee?
A. Reviewing the information security strategy
B. Approving the information security awareness training strategy
C. Analyzing information security policy compliance reviews
D. Approving the purchase of information security technologies
View answer
Correct Answer: A
Question #3
The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:
A. escalate issues to an external third party for resolution
B. ensure that senior management provides authority for security to address the issues
C. insist that managers or units not in agreement with the security solution accept the risk
D. refer the issues to senior management along with any security recommendations
View answer
Correct Answer: D
Question #4
From an information security perspective, information that no longer supports the main purpose of the business should be:
A. analyzed under the retention policy
B. protected under the information classification policy
C. analyzed under the backup policy
D. protected under the business impact analysis (BIA)
View answer
Correct Answer: A
Question #5
When designing an information security quarterly report to management, the MOST important element to be considered should be the:
A. information security metrics
B. knowledge required to analyze each issue
C. linkage to business area objectives
D. baseline against which metrics are evaluated
View answer
Correct Answer: C
Question #6
Business units within an organization are resistant to proposed changes to the information security program. Which of the following is the BEST way to address this issue?
A. Implementing additional security awareness training
B. Communicating critical risk assessment results to business unit managers
C. Including business unit representation on the security steering committee
D. Publishing updated information security policies
View answer
Correct Answer: B
Question #7
Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?
A. Restore servers from backup media stored offsite
B. Conduct an assessment to determine system status
C. Perform an impact analysis of the outage
D. Isolate the screened subnet
View answer
Correct Answer: C
Question #8
Which program element should be implemented FIRST in asset classification and control?
A. Risk assessment
B. Classification
C. Valuation
D. Risk mitigation
View answer
Correct Answer: C
Question #9
An information security manager must understand the relationship between information security and business operations in order to:
A. support organizational objectives
B. determine likely areas of noncompliance
C. assess the possible impacts of compromise
D. understand the threats to the business
View answer
Correct Answer: A
Question #10
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization’s information security controls, an information security manager should FIRST:
A. interview senior management
B. conduct a risk assessment
C. conduct a cost-benefit analysis
D. perform a gap analysis
View answer
Correct Answer: D
Question #11
Which of the following is a benefit of information security governance?
A. Reduction of the potential for civil or legal liability
B. Questioning trust in vendor relationships
C. Increasing the risk of decisions based on incomplete management information
D. Direct involvement of senior management in developing control processes
View answer
Correct Answer: A
Question #12
Which of the following is the BEST advantage of a centralized information security organizational structure?
A. It allows for a common level of assurance across the enterprise
B. It is easier to manage and control business unit security teams
C. It is more responsive to business unit needs
D. It provides a faster turnaround for security waiver requests
View answer
Correct Answer: B
Question #13
Of the following, which is the MOST important aspect of forensic investigations?
A. The independence of the investigator
B. Timely intervention
C. Identifying the perpetrator
D. Chain of custody
View answer
Correct Answer: B
Question #14
When supporting a large corporation’s board of directors in the development of governance, which of the following is the PRIMARY function of the information security manager?
A. Gaining commitment of senior management
B. Preparing the security budget
C. Providing advice and guidance
D. Developing a balanced scorecard
View answer
Correct Answer: C
Question #15
Which of the following is the BEST way to facilitate the alignment between an organization’s information security program and business objectives?
A. Information security is considered at the feasibility stage of all IT projects
B. The information security governance committee includes representation from key business areas
C. The chief executive officer reviews and approves the information security program
D. The information security program is audited by the internal audit department
View answer
Correct Answer: B
Question #16
When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?
A. Ensuring accessibility should a disaster occur
B. Versioning control as plans are modified
C. Broken hyperlinks to resources stored elsewhere
D. Tracking changes in personnel and plan assets
View answer
Correct Answer: D
Question #17
Senior management commitment and support will MOST likely be offered when the value of information security governance is presented from a:
A. threat perspective
B. compliance perspective
C. risk perspective
D. policy perspective
View answer
Correct Answer: D
Question #18
Minimum standards for securing the technical infrastructure should be defined in a security:
A. strategy
B. guidelines
C. model
D. architecture
View answer
Correct Answer: D
Question #19
Which of the following is an example of a corrective control? A. Diverting incoming traffic upon responding to the denial of service (DoS) attack
B. Filtering network traffic before entering an internal network from outside
C. Examining inbound network traffic for viruses
D. Logging inbound network traffic
View answer
Correct Answer: D
Question #20
Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?
A. Incident response metrics
B. Periodic auditing of the incident response process
C. Action recording and review
D. Post incident review
View answer
Correct Answer: A
Question #21
Which of the following would be MOST appropriate for collecting and preserving evidence?
A. Encrypted hard drives
B. Generic audit software
C. Proven forensic processes
D. Log correlation software
View answer
Correct Answer: C
Question #22
Which of the following has the highest priority when defining an emergency response plan? Real 290 Isaca CISM Exam A. Critical data
B. Critical infrastructure
C. Safety of personnel
D. Vital records
View answer
Correct Answer: A
Question #23
A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?
A. Investigate alternative options to remediate the noncompliance
B. Assess the business impact to the organization
C. Present the noncompliance risk to senior management
D. Determine the cost to remediate the noncompliance
View answer
Correct Answer: B
Question #24
An organization has learned of a security breach at another company that utilizes similar Real 288 Isaca CISM Exam technology. The FIRST thing the information security manager should do is:
A. assess the likelihood of incidents from the reported cause
B. discontinue the use of the vulnerable technology
C. report to senior management that the organization is not affected
D. remind staff that no similar security breaches have taken place
View answer
Correct Answer: C
Question #25
Real 271 Isaca CISM Exam Which of the following is MOST closely associated with a business continuity program?
A. Confirming that detailed technical recovery plans exist
B. Periodically testing network redundancy
C. Updating the hot site equipment configuration every quarter
D. Developing recovery time objectives (RTOs) for critical functions
View answer
Correct Answer: B
Question #26
A post-incident review should be conducted by an incident management team to determine: Real 263 Isaca CISM Exam A. relevant electronic evidence.
B. lessons learned
C. hacker's identity
D. areas affected
View answer
Correct Answer: C
Question #27
What is the FIRST action an information security manager should take when a company laptop is reported stolen?
A. Evaluate the impact of the information loss
B. Update the corporate laptop inventory
C. Ensure compliance with reporting procedures
D. Disable the user account immediately
View answer
Correct Answer: C
Question #28
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life
B. regulatory and legal requirements
C. business strategy and direction
D. application systems and media
View answer
Correct Answer: D
Question #29
What is the PRIMARY objective of a post-event review in incident response?
A. Adjust budget provisioning
B. Preserve forensic data
C. Improve the response process
D. Ensure the incident is fully documented
View answer
Correct Answer: B
Question #30
Which of the following is the BEST way to verify that all critical production servers are utilizing up- to- date virus signature files?
A. Verify the date that signature files were last pushed out
B. Use a recently identified benign virus to test if it is quarantined
C. Research the most recent signature file and compare to the console
D. Check a sample of servers that the signature files are current
View answer
Correct Answer: A
Question #31
Which of the following MOST effectively helps an organization to align information security governance with corporate governance?
A. Promoting security as enabler to achieve business objectives
B. Prioritizing security initiatives based on IT strategy
C. Adopting global security standards to achieve business goals
D. Developing security performance metrics
View answer
Correct Answer: A
Question #32
A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager? Real 286 Isaca CISM Exam
A. Ensure that all OS patches are up-to-date
B. Block inbound traffic until a suitable solution is found
C. Obtain guidance from the firewall manufacturer
D. Commission a penetration test
View answer
Correct Answer: B
Question #33
A possible breach of an organization's IT system is reported by the project manager. What is the FIRST thing the incident response manager should do? A. Run a port scan on the system
B. Disable the logon ID
C. Investigate the system logs
D. Validate the incident
View answer
Correct Answer: B
Question #34
Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
A. Detailed technical recovery plans are maintained offsite Real 267 Isaca CISM Exam
B. Network redundancy is maintained through separate providers
C. Hot site equipment needs are recertified on a regular basis
D. Appropriate declaration criteria have been established
View answer
Correct Answer: C
Question #35
An organization enacted several information security policies to satisfy regulatory requirements. Which of the following situations would MOST likely increase the probability of noncompliance to these requirements?
A. Inadequate buy-in from system owners to support the policies
B. Availability of security policy documents on a public website
C. Lack of training for end users on security policies
D. Lack of an information security governance framework
View answer
Correct Answer: A
Question #36
Within a security governance framework, which of the following is the MOST important characteristic of the information security committee? The committee:
A. conducts frequent reviews of the security policy
B. has established relationships with external professionals
C. has a clearly defined charter and meeting protocols
D. includes a mix of members from all levels of management
View answer
Correct Answer: D
Question #37
Which of the following is the PRIMARY reason an information security strategy should be deployed across an organization?
A. To ensure that the business complies with security regulations
B. To ensure that management's intent is reflected in security activities
C. To ensure that employees adhere to security standards
D. To ensure that security-related industry best practices are adopted
View answer
Correct Answer: A
Question #38
What is the BEST method for mitigating against network denial of service (DoS) attacks?
A. Ensure all servers are up-to-date on OS patches
B. Employ packet filtering to drop suspect packets
C. Implement network address translation to make internal addresses nonroutable
D. Implement load balancing for Internet facing devices
View answer
Correct Answer: A
Question #39
Which of the following is MOST critical for an effective information security governance framework?
A. Board members are committed to the information security program
B. Information security policies are reviewed on a regular basis
C. The information security program is continually monitored
D. The CIO is accountable for the information security program
View answer
Correct Answer: A
Question #40
Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer (CISO) Board of directors
E. Chief information officer (CIO)
View answer
Correct Answer: C
Question #41
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan
B. based on the current rate of technological change
C. three-to-five years for both hardware and software
D. aligned with the business strategy
View answer
Correct Answer: D
Question #42
Which of the following would BEST enable integration of information security governance into corporate governance?
A. Ensuring appropriate business representation on the information security steering committee
B. Using a balanced scorecard to measure the performance of the information security strategy
C. Implementing IT governance, risk and compliance (IT GRC) dashboards
D. Having the CIO chair the information security steering committee
View answer
Correct Answer: C
Question #43
Which of the following is a PRIMARY responsibility of the information security governance function?
A. Defining security strategies to support organizational programs
B. Ensuring adequate support for solutions using emerging technologies
C. Fostering a risk-aware culture to strengthen the information security program
D. Advising senior management on optimal levels of risk appetite and tolerance
View answer
Correct Answer: A
Question #44
Which of the following BEST enables effective information security governance?
A. Periodic vulnerability assessments
B. Established information security metrics
C. Advanced security technologies
D. Security-aware corporate culture
View answer
Correct Answer: D
Question #45
Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:
A. removed into the custody of law enforcement investigators
B. kept in the tape library' pending further analysis
C. sealed in a signed envelope and locked in a safe under dual control
D. handed over to authorized independent investigators
View answer
Correct Answer: C
Question #46
Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness
View answer
Correct Answer: B
Question #47
Which of the following is MOST helpful for aligning security operations with the IT governance framework?
A. Information security policy
B. Security risk assessment
C. Security operations program
D. Business impact analysis (BIA)
View answer
Correct Answer: A
Question #48
Which of the following should an information security manager do FIRST after learning about a new regulation that affects the organization?
A. Evaluate the changes with legal counsel
B. Notify the affected business units
C. Assess the noncompliance risk
D. Inform senior management of the new regulation
View answer
Correct Answer: A

View The Updated ISACA Exam Questions

SPOTO Provides 100% Real ISACA Exam Questions for You to Pass Your ISACA Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: