
CISM Certification Exam Questions & Answers, Certified Information Security Manager | SPOTO

Dive into the world of CISM Certification Exam Questions & Answers with SPOTO. As a Certified Information Security Manager (CISM), you demonstrate advanced expertise in developing and managing enterprise information security programs. Our practice tests, including free test options, feature a wide range of exam questions and sample questions to prepare you comprehensively. Access detailed exam materials, exam dumps, and precise exam answers to reinforce your understanding of key concepts. Engage in realistic mock exams to simulate exam scenarios and enhance exam practice. With SPOTO's exam preparation resources and advanced exam simulator, you'll be well-equipped to tackle the CISM certification exam successfully and excel in your information security career.


Question #1
The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
A. weaknesses in network security
B. patterns of suspicious access
C. how an attack was launched on the network
D. potential attacks on the internal network
Correct Answer: B

Question #2
A large number of exceptions to an organization's information security standards have been granted after senior management approved a bring your own device (BYOD) program. To address this situation, it is MOST important for the information security manager to:
A. introduce strong authentication on devices
B. reject new exception requests
C. update the information security policy
D. require authorization to wipe lost devices
Correct Answer: D
Question #3
Which of the following risks is represented in the risk appetite of an organization?
A. Control
B. Inherent
C. Residual
D. Audit
Correct Answer: A
Question #4
Which of the following messages would be MOST effective in obtaining senior management’s commitment to information security management?
A. Effective security eliminates risk to the business
B. Adopt a recognized framework with metrics
C. Security is a business product and not a process
D. Security supports and protects the business
Correct Answer: D
Question #5
Logging is an example of which type of defense against systems compromise?
A. Containment
B. Detection
C. Reaction
D. Recovery
Correct Answer: B
Question #6
Which of the following change management procedures is MOST likely to cause concern to the information security manager?
A. Fallback processes are tested the weekend before changes are made
B. The development manager migrates programs into production
C. A manual rather than an automated process is used to compare program versions
D. Users are not notified of scheduled system changes
Correct Answer: C
Question #7
A global organization processes and stores large volumes of personal data. Which of the following would be the MOST important attribute in creating a data access policy?
A. Availability
B. Integrity
C. Reliability
D. Confidentiality
Correct Answer: C
Question #8
An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
A. assess the likelihood of incidents from the reported cause
B. discontinue the use of the vulnerable technology
C. report to senior management that the organization is not affected
D. remind staff that no similar security breaches have taken place
Correct Answer: C
Question #9
Which of the following is the PRIMARY responsibility of the information security manager when an organization implements the use of personally-owned devices on the corporate network?
A. Requiring remote wipe capabilities
B. Enforcing defined policy and procedures
C. Conducting security awareness training
D. Encrypting the data on mobile devices
Correct Answer: B
Question #10
Which of the following is the PRIMARY responsibility of the designated spokesperson during incident response testing?
A. Communicating the severity of the incident to the board
B. Establishing communication channels throughout the organization
C. Evaluating the effectiveness of the communication processes
D. Acknowledging communications from the incident response team
Correct Answer: B
Question #11
Which of the following metrics is the BEST indicator of an abuse of the change management process that could compromise information security?
A. Small number of change requests
B. Large percentage decrease in monthly change requests
C. Percentage of changes that include post-approval supplemental add-ons
D. High ratio of lines of code changed to total lines of code
Correct Answer: A
Question #12
Which of the following will BEST protect confidential data when connecting large wireless networks to an existing wired-network infrastructure?
A. Mandatory access control (MAC) address filtering
B. Strong passwords
C. Virtual private network (VPN)
D. Firewall
Correct Answer: D
Question #13
In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
A. Procedural design
B. Architectural design
C. System design specifications
D. Software development
Correct Answer: A
Question #14
An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?
A. Ensure that critical data on the server are backed up
B. Shut down the compromised server
C. Initiate the incident response process
D. Shut down the network
Correct Answer: D
Question #15
Which of the following should be the MOST important criteria when defining data retention policies?
A. Capacity requirements
B. Audit findings
C. Regulatory requirements
D. Industry best practices
Correct Answer: B
Question #16
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
A. it implies compliance risks
B. short-term impact cannot be determined
C. it violates industry security practices
D. changes in the roles matrix cannot be detected
Correct Answer: B
Question #17
Organization A offers e-commerce services and uses a secure transport protocol to protect Internet communication. To confirm communication with Organization A, which of the following would be the BEST for a client to verify?
A. The certificate of the e-commerce server
B. The browser’s indication of SSL use
C. The IP address of the e-commerce server
D. The URL of the e-commerce server
Correct Answer: C
Question #18
Which of the following is MOST likely to reduce the effectiveness of a signature-based intrusion detection system (IDS)?
A. The activities being monitored deviate from what is considered normal
B. The information regarding monitored activities becomes stale
C. The pattern of normal behavior changes quickly and dramatically
D. The environment is complex
Correct Answer: C
Question #19
When conducting a post-incident review, the GREATEST benefit of collecting mean time to resolution (MTTR) data is the ability to:
A. reduce the costs of future preventive controls
B. provide metrics for reporting to senior management
C. learn of potential areas of improvement
D. verify compliance with the service level agreement (SLA)
Correct Answer: D
Question #20
To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:
A. create a separate account for the programmer as a power user
B. log all of the programmer's activity for review by a supervisor
C. have the programmer sign a letter accepting full responsibility
D. perform regular audits of the application
Correct Answer: D
Question #21
Of the following, retention of business records should be PRIMARILY based on:
A. periodic vulnerability assessment
B. regulatory and legal requirements
C. device storage capacity and longevity
D. past litigation
Correct Answer: D
Question #22
Recovery point objectives (RPOs) can be used to determine which of the following?
A. Maximum tolerable period of data loss
B. Maximum tolerable downtime
C. Baseline for operational resiliency
D. Time to restore backups
Correct Answer: C
Question #23
Who should determine data access requirements for an application hosted at an organization's data center?
A. Business owner
B. Information security manager
C. Systems administrator
D. Data custodian
Correct Answer: B
Question #24
The PRIMARY purpose of vulnerability assessments is to:
A. determine the impact of potential threats
B. test intrusion detection systems (IDS) and response procedures
C. provide clear evidence that the system is sufficiently secure
D. detect deficiencies that could lead to a system compromise
Correct Answer: A
Question #25
Which of the following is MOST important to verify when reviewing the effectiveness of response to an information security incident?
A. Lessons learned have been implemented
B. Testing has been completed on time
C. Test results have been properly recorded
D. Metrics have been captured in a dashboard
Correct Answer: C
Question #26
Executive management is considering outsourcing all IT operations. Which of the following functions should remain internal?
A. Data ownership
B. Data monitoring
C. Data custodian
D. Data encryption
Correct Answer: D
Question #27
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
A. Service level agreements (SLAs)
B. Right to audit clause
C. Intrusion detection system (IDS) services
D. Spam filtering services
Correct Answer: C
Question #28
An information security manager developing an incident response plan MUST ensure it includes:
A. an inventory of critical data
B. criteria for escalation
C. critical infrastructure diagrams
D. a business impact analysis
Correct Answer: B
Question #29
The business continuity policy should contain which of the following?
A. Emergency call trees
B. Recovery criteria
C. Business impact assessment (BIA)
D. Critical backups inventory
Correct Answer: C
Question #30
Which of the following is MOST important to the successful development of an information security strategy?
A. A well-implemented governance framework
B. Current state and desired objectives
C. An implemented development life cycle process
D. Approved policies and standards
Correct Answer: A
Question #31
The GREATEST benefit resulting from well-documented information security procedures is that they:
A. ensure that security policies are consistently applied
B. ensure that critical processes can be followed by temporary staff
C. facilitate security training of new staff
D. provide a basis for auditing security practices
Correct Answer: D
Question #32
The MOST important component of a privacy policy is:
A. notifications
B. warranties
C. liabilities
D. geographic coverage
Correct Answer: A
Question #33
Which of the following is the MOST important reason to consider the role of the IT service desk when developing incident handling procedures?
A. Service desk personnel have information on how to resolve common systems issues
B. The service desk provides a source for the identification of security incidents
C. The service desk provides information to prioritize systems recovery based on user
D. Untrained service desk personnel may be a cause of security incidents
Correct Answer: B
Question #34
Which of the following is MOST important for an information security manager to verify before conducting full-functional continuity testing?
A. Risk acceptance by the business has been documented
B. Incident response and recovery plans are documented in simple language
C. Teams and individuals responsible for recovery have been identified
D. Copies of recovery and incident response plans are kept offsite
Correct Answer: A
Question #35
Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST supports the concept of integrity?
A. Enforcing service level agreements
B. Implementing a data classification schema
C. Ensuring encryption for data in transit
D. Utilizing a formal change management process
Correct Answer: C
Question #36
The PRIMARY purpose of involving third-party teams for carrying out post-event reviews of information security incidents is to:
A. enable independent and objective review of the root cause of the incidents
B. obtain support for enhancing the expertise of the third-party teams
C. identify lessons learned for further improving the information security management process
D. obtain better buy-in for the information security program
Correct Answer: B
Question #37
An information security steering group should:
A. provide general oversight and guidance
B. develop information security policies
C. establish information security baselines
D. oversee the daily operations of the security program
Correct Answer: A
Question #38
An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
A. A due diligence security review of the business partner's security controls
B. Ensuring that the business partner has an effective business continuity program
C. Ensuring that the third party is contractually obligated to all relevant security requirements
D. Talking to other clients of the business partner to check references for performance
Correct Answer: A
Question #39
A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:
A. there are sufficient safeguards in place to prevent this risk from happening
B. the needed countermeasure is too complicated to deploy
C. the cost of the countermeasure outweighs the value of the asset and potential loss
D. the likelihood of the risk occurring is unknown
Correct Answer: C
Question #40
Which of the following would be the BEST way for an information security manager to justify ongoing annual maintenance fees associated with an intrusion prevention system (IPS)?
A. Perform a penetration test to demonstrate the ability to protect
B. Perform industry research annually and document the overall ranking of the IPS
C. Establish and present appropriate metrics that track performance
D. Provide yearly competitive pricing to illustrate the value of the IPS
Correct Answer: B
Question #41
Which of the following is the BEST indication of information security strategy alignment with the business?
A. Number of business objectives directly supported by information security initiatives
B. Percentage of corporate budget allocated to information security initiatives
C. Number of business executives who have attended information security awareness sessions
D. Percentage of information security incidents resolved within defined service level agreements
Correct Answer: B
Question #42
A business impact analysis should be periodically executed PRIMARILY to:
A. validate vulnerabilities on environmental changes
B. analyze the importance of assets
C. verify the effectiveness of controls
D. check compliance with regulations
Correct Answer: C
Question #43
During an information security audit, it was determined that IT staff did not follow the established standard when configuring and managing IT systems. Which of the following is the BEST way to prevent future occurrences?
A. Updating configuration baselines to allow exceptions
B. Conducting periodic vulnerability scanning
C. Providing annual information security awareness training
D. Implementing a strict change control process
Correct Answer: D
Question #44
What is the MAIN reason for an organization to develop an incident response plan?
A. Trigger immediate recovery procedures
B. Identify training requirements for the incident response team
C. Prioritize treatment based on incident criticality
D. Provide a process for notifying stakeholders of the incident
Correct Answer: D
Question #45
An organization establishes an internal document collaboration site. To ensure data confidentiality of each project group, it is MOST important to:
A. prohibit remote access to the site
B. periodically recertify access rights
C. enforce document lifecycle management
D. conduct a vulnerability assessment
Correct Answer: D
Question #46
Which of the following should be the MOST important consideration of business continuity management?
A. Ensuring human safety
B. Identifying critical business processes
C. Ensuring the reliability of backup data
D. Securing critical information assets
Correct Answer: A
Question #47
What is the MOST cost-effective method of identifying new vendor vulnerabilities?
A. External vulnerability reporting sources
B. Periodic vulnerability assessments performed by consultants
C. Intrusion prevention software
D. Honey pots located in the DMZ
Correct Answer: C
Question #48
Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?
A. Reconciliation of the annual systems inventory to the disaster recovery/business continuity plans
B. Periodic audits of the disaster recovery/business continuity plans
C. Comprehensive walk-through testing
D. Inclusion as a required step in the system life cycle process
Correct Answer: A
Question #49
A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract?
A. Authority of the subscriber to approve access to its data
B. Right of the subscriber to conduct onsite audits of the vendor
C. Escrow of software code with conditions for code release
D. Commingling of subscribers’ data on the same physical server
Correct Answer: B
Question #50
Which of the following is MOST important for an information security manager to communicate to senior management regarding the security program?
A. Potential risks and exposures
B. Impact analysis results
C. Security architecture changes
D. User roles and responsibilities
Correct Answer: A
Question #51
The GREATEST benefit of choosing a private cloud over a public cloud would be:
A. server protection
B. collection of data forensics
C. online service availability
D. containment of customer data
Correct Answer: C
Question #52
Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks
B. explain the technical risks to the organization
C. evaluate the organization against best security practices
D. tie security risks to key business objectives
Correct Answer: D
Question #53
A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?
A. Ensure that all OS patches are up-to-date
B. Block inbound traffic until a suitable solution is found
C. Obtain guidance from the firewall manufacturer
D. Commission a penetration test
Correct Answer: B
Question #54
Which of the following provides the MOST relevant information to determine the overall effectiveness of an information security program and underlying business processes?
A. Balanced scorecard
B. Cost-benefit analysis
C. Industry benchmarks
D. SWOT analysis
Correct Answer: D
Question #55
A multinational organization wants to monitor outbound traffic for data leakage from the use of unapproved cloud services. Which of the following should be the information security manager’s GREATEST consideration when implementing this control?
A. Security of cloud services
B. Data privacy regulations
C. Resistance from business users
D. Allocation of monitoring resources
Correct Answer: C
Question #56
Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?
A. Setting up a backup site
B. Maintaining redundant systems
C. Aligning with recovery time objectives (RTOs)
D. Data backup frequency
Correct Answer: B
Question #57
For an organization with a large and complex IT infrastructure, which of the following elements of a disaster recovery hot site service will require the closest monitoring?
A. Employee access
B. Audit rights
C. Systems configurations
D. Number of subscribers
Correct Answer: D
Question #58
In a cloud technology environment, which of the following would pose the GREATEST challenge to the investigation of security incidents?
A. Access to the hardware
B. Data encryption
C. Non-standard event logs
D. Compressed customer data
Correct Answer: D
Question #59
An information security manager determines the organization's critical systems may be vulnerable to a new zero-day attack. The FIRST course of action is to:
A. advise management of risk and remediation cost
B. analyze the probability of compromise
C. survey peer organizations to see how they have addressed the issue
D. re-assess the firewall configuration
Correct Answer: A
Question #60
A business unit uses an e-commerce application with a strong password policy. Many customers complain that they cannot remember their passwords because they are too long and complex. The business unit states it is imperative to improve the customer experience. The information security manager should FIRST:
A. change the password policy to improve the customer experience
B. research alternative secure methods of identity verification
C. evaluate the impact of the customer’s experience on business revenue
D. recommend implementing two-factor authentication
Correct Answer: C
Question #61
The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:
A. regulatory requirements
B. business requirements
C. financial value
D. IT resource availability
Correct Answer: A
Question #62
Which of the following is the MOST important reason for performing a cost-benefit analysis when implementing a security control?
A. To present a realistic information security budget
B. To ensure that benefits are aligned with business strategies
C. To ensure that the mitigation effort does not exceed the asset value
D. To justify information security program activities
Correct Answer: A
Question #63
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
Correct Answer: C
Question #64
The PRIMARY advantage of single sign-on (SSO) is that it will:
A. support multiple authentication mechanisms
B. increase the security of related applications
C. strengthen user passwords
D. increase efficiency of access management
Correct Answer: B
Question #65
Which of the following BEST facilitates the effective execution of an incident response plan?
A. The response team is trained on the plan
B. The plan is based on risk assessment results
C. The incident response plan aligns with the IT disaster recovery plan
D. The plan is based on industry best practice
Correct Answer: B
Question #66
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized modification?
A. Authenticity
B. Availability
C. Confidentiality
D. Integrity
Correct Answer: D
