
CISM Certification Exam Sample, Free Exam Resources for Success, Certified Information Security Manager | SPOTO

Explore valuable CISM Certification Exam Sample and Free Exam Resources for Success with SPOTO. As a Certified Information Security Manager (CISM), you showcase advanced expertise in enterprise information security program development and management. Our practice tests, including free test options, provide a diverse array of exam questions and sample questions to enhance your preparation. Access exam dumps, detailed exam materials, and precise exam answers to reinforce your understanding of key concepts. Engage in realistic mock exams to simulate exam scenarios and refine your exam practice. Utilize our exam preparation resources and advanced exam simulator to maximize your success in the CISM exam. With SPOTO, achieve exam success and elevate your information security career.

Question #1
Which of the following would present the GREATEST risk to information security?
A. Virus signature files updates are applied to all servers every day
B. Security access logs are reviewed within five business days
C. Critical patches are applied within 24 hours of their release
D. Security incidents are investigated within five business days
Correct Answer: B
Question #2
Security audit reviews should PRIMARILY:
A. ensure that controls operate as required
B. ensure that controls are cost-effective
C. focus on preventive controls
D. ensure controls are technologically current
Correct Answer: A
Question #3
When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set:
A. to a higher false reject rate (FRR)
B. to a lower crossover error rate
C. to a higher false acceptance rate (FAR)
Correct Answer: A
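The FAR/FRR trade-off behind Question #3 is easier to see with numbers. The following is an added example, not code from the SPOTO page: it sweeps a matcher threshold over two constructed score lists (genuine and impostor attempts, assumed values on a 0..100 scale, not real sensor data), locates the crossover error rate (CER), and then shows that driving FAR to zero for a high-security data center necessarily moves the threshold above the CER and raises FRR.

```python
"""Added example (not from the SPOTO page): how a biometric matcher's decision
threshold trades the false acceptance rate (FAR) against the false rejection
rate (FRR), and where the crossover error rate (CER) sits.
The score lists below are constructed for the example, not real sensor data."""

# Constructed matcher scores on a 0..100 scale (higher = stronger match).
GENUINE = [62, 68, 70, 72, 75, 77, 78, 80, 81, 83, 85, 86, 88, 90, 92, 94]
IMPOSTOR = [20, 25, 30, 35, 40, 45, 50, 55, 58, 60, 63, 65, 70, 72, 75, 80]


def far(impostor, threshold):
    """False acceptance rate: share of impostor attempts scoring >= threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate: share of genuine attempts scoring < threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover(genuine, impostor):
    """Return (threshold, error_rate) at the CER, where FAR and FRR are closest."""
    best = None
    for t in range(0, 101):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_max_far(impostor, max_far):
    """Lowest threshold whose FAR is at or below max_far. For a high-security
    site this lands above the CER, i.e. at a higher FRR than the CER setting."""
    for t in range(0, 101):
        if far(impostor, t) <= max_far:
            return t
    return 100


if __name__ == "__main__":
    t_cer, e_cer = crossover(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t_cer}: FAR = FRR = {e_cer:.3f}")
    t_hs = threshold_for_max_far(IMPOSTOR, 0.0)
    print(f"High-security setting (FAR 0): threshold {t_hs}, "
          f"FRR {frr(GENUINE, t_hs):.3f}")
```

With these constructed scores the CER sits at a threshold of 71 (FAR = FRR = 18.75%); the first threshold with zero false acceptances is 81, where half of the genuine attempts are rejected. That is the exam's point: for a high-security data center you accept a higher FRR in exchange for a lower FAR, rather than tuning for the lowest CER.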
Question #4
The MOST important success factor to design an effective IT security awareness program is to:
A. customize the content to the target audience
B. ensure senior management is represented
C. ensure that all the staff is trained
D. avoid technical content but give concrete examples
Correct Answer: A
Question #5
Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
A. Batch patches into frequent server updates
B. Initially load the patches on a test machine
D. Automatically push all patches to the servers
Correct Answer: B
Question #6
Priority should be given to which of the following to ensure effective implementation of information security governance?
A. Consultation
B. Negotiation
C. Facilitation
D. Planning
Correct Answer: D
Question #7
The FIRST priority when responding to a major security incident is:
A. documentation
B. monitoring
C. restoration
D. containment
Correct Answer: D
Question #8
The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
A. verify the decision with the business units
B. check the system's risk analysis
C. recommend update after post implementation review
D. request an audit review
Correct Answer: A
Question #9
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage crosstraining. Which type of authorization policy would BEST address this practice?
A. Multilevel
C. Discretionary
D. Attribute-based
Correct Answer: A
Question #10
Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
A. define the circumstances where cryptography should be used
B. define cryptographic algorithms and key lengths
C. describe handling procedures of cryptographic keys
D. establish the use of cryptographic solutions
Correct Answer: A
Question #11
The PRIMARY focus of the change control process is to ensure that changes are:
A. authorized
B. applied
C. documented
D. tested
Correct Answer: A
Question #12
Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
A. A hot site facility will be shared in multiple disaster declarations
B. All equipment is provided "at time of disaster, not on floor"
C. The facility is subject to a "first-come, first-served" policy
D. Equipment may be substituted with equivalent model
Correct Answer: B
Question #13
Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
A. Vulnerability scans
B. Penetration tests
C. Code reviews
D. Security audits
Correct Answer: B
Question #14
To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:
A. revise the information security program
B. evaluate a balanced business scorecard
C. conduct regular user awareness sessions
D. perform penetration tests
Correct Answer: B
Question #15
Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
A. System analyst
B. System user
C. Operations manager
D. Data security officer
Correct Answer: D
Question #16
Which of the following is the MOST important to ensure a successful recovery?
A. Backup media is stored offsite
B. Recovery location is secure and accessible
C. More than one hot site is available
D. Network alternate links are regularly tested
Correct Answer: A
Question #17
The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:
A. perform penetration testing
B. establish security baselines
C. implement vendor default settings
D. link policies to an independent standard
Correct Answer: B
Question #18
The PRIMARY objective of an Internet usage policy is to prevent:
A. access to inappropriate sites
B. downloading malicious code
C. violation of copyright laws
D. disruption of Internet access
Correct Answer: B
Question #19
The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:
A. weaknesses in network and server security
B. ways to improve the incident response process
C. potential attack vectors on the network perimeter
D. the optimum response to internal hacker attacks
Correct Answer: B
Question #20
When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:
A. services delivery objective
B. recovery time objective (RTO)
C. recovery window
D. maximum tolerable outage (MTO)
Correct Answer: B
Question #21
An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?
A. Research best practices
B. Meet with stakeholders
C. Establish change control procedures
D. Identify critical systems
Correct Answer: B
Question #22
When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?
A. Reboot the router connecting the DMZ to the firewall
B. Power down all servers located on the DMZ segment
C. Monitor the probe and isolate the affected segment
D. Enable server trace logging on the affected segment
Correct Answer: C
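What "monitor the probe and isolate the affected segment" looks like in practice, as an added example that is not part of the SPOTO page: the code below picks a port sweep out of a handful of constructed firewall log lines (the line format, the addresses and the segment map are all assumptions made for this example), names the hosts and segment the probe touched, and emits a response plan that keeps watching the source and isolates only the segment that was probed, instead of rebooting routers or powering down servers.

```python
"""Added example (not from the SPOTO page): picking a network probe out of
firewall logs and deciding which segment to isolate while the probe is
monitored. The log format, addresses and segment map are constructed
assumptions for this example."""
import ipaddress
from collections import defaultdict

# Constructed log lines: "<epoch> <ACTION> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
FIREWALL_LOG = """\
1700000001 DENY  203.0.113.9:40001 -> 192.0.2.10:21
1700000002 DENY  203.0.113.9:40002 -> 192.0.2.10:22
1700000003 DENY  203.0.113.9:40003 -> 192.0.2.10:23
1700000004 ALLOW 203.0.113.9:40004 -> 192.0.2.10:80
1700000005 DENY  203.0.113.9:40005 -> 192.0.2.10:443
1700000006 DENY  203.0.113.9:40006 -> 192.0.2.11:22
1700000007 DENY  203.0.113.9:40007 -> 192.0.2.11:3389
1700000060 ALLOW 198.51.100.4:51000 -> 192.0.2.10:443
1700000061 ALLOW 198.51.100.4:51001 -> 192.0.2.10:443
1700000099 DENY  203.0.113.9:40008 -> 192.0.2.12:8080
"""

# Assumed segment map for the example.
SEGMENTS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "corp": ipaddress.ip_network("10.0.0.0/8"),
}


def parse_line(line):
    """Split one constructed log line into (ts, action, src_ip, dst_ip, dst_port)."""
    ts, action, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), action, src_ip, dst_ip, int(dst_port)


def find_probes(log, window=60, min_targets=5):
    """Map src_ip -> set of probed dst_ips for every source that touched at
    least `min_targets` distinct (dst_ip, dst_port) pairs within `window` s."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _action, src, dst, port = parse_line(line)
        by_src[src].append((ts, dst, port))

    probes = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = {(d, p) for t, d, p in events[i:] if t - t0 <= window}
            if len(in_window) >= min_targets:
                probes[src] = {d for d, _ in in_window}
                break
    return probes


def affected_segments(probes, segments=SEGMENTS):
    """Names of the segments that contain any probed host."""
    hit = set()
    for targets in probes.values():
        for host in targets:
            for name, net in segments.items():
                if ipaddress.ip_address(host) in net:
                    hit.add(name)
    return hit


def response_plan(probes, segments=SEGMENTS):
    """Actions in the order the question expects: keep watching the source,
    isolate the affected segment. No reboots, no power-downs."""
    plan = [f"monitor {src}" for src in sorted(probes)]
    plan += [f"isolate {seg}" for seg in sorted(affected_segments(probes, segments))]
    return plan


if __name__ == "__main__":
    found = find_probes(FIREWALL_LOG)
    for src, hosts in found.items():
        print(f"probe from {src} touched {sorted(hosts)}")
    print(response_plan(found))
```

The window-based count of distinct (host, port) pairs is what separates the sweep from 198.51.100.4, which hits the same service twice and is left alone. Isolating the probed segment preserves the evidence the trace logs are collecting; a reboot or power-down would destroy it and still not stop the source.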
Question #23
In an organization, information systems security is the responsibility of:
A. all personnel
B. information systems personnel
C. information systems security personnel
D. functional personnel
Correct Answer: A
Question #24
Which of the following is MOST important to the successful promotion of good security management practices?
A. Security metrics
B. Security baselines
C. Management support
D. Periodic training
Correct Answer: C
Question #25
In business-critical applications, user access should be approved by the:
A. information security manager
B. data owner
D. business management
Correct Answer: B
Question #26
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?
A. Configuration of firewalls
B. Strength of encryption algorithms
D. Safeguards over keys
Correct Answer: D
Question #27
Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:
A. policy
B. strategy
C. guideline
D. baseline
Correct Answer: A
Question #28
Which of the following will BEST protect against malicious activity by a former employee?
A. Preemployment screening
B. Close monitoring of users
C. Periodic awareness training
D. Effective termination procedures
Correct Answer: D
Question #29
An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RFP) is the:
A. references from other organizations
B. past experience of the engagement team
C. sample deliverable
D. methodology used in the assessment
Correct Answer: D
Question #30
Which of the following is MOST important in determining whether a disaster recovery test is successful?
A. Only business data files from offsite storage are used
B. IT staff fully recovers the processing infrastructure
C. Critical business processes are duplicated
D. All systems are restored within recovery time objectives (RTOs)
Correct Answer: C
Question #31
What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
A. all use weak encryption
B. are decrypted by the firewall
C. may be quarantined by mail filters
D. may be corrupted by the receiving mail server
Correct Answer: C
Question #32
A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
A. Enable access through a separate device that requires adequate authentication
B. Implement manual procedures that require password change after each use
C. Request the vendor to add multiple user IDs
D. Analyze the logs to detect unauthorized access
Correct Answer: A
Question #33
Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
A. Security policies and procedures
B. Annual self-assessment by management
C. Security steering committees
D. Security awareness campaigns
Correct Answer: C
Question #34
The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
A. weaknesses in network security
B. patterns of suspicious access
C. how an attack was launched on the network
D. potential attacks on the internal network
Correct Answer: D
Question #35
Which would be the BEST recommendation to protect against phishing attacks?
A. Install an antispam system
B. Publish security guidance for customers
C. Provide security awareness to the organization's staff
D. Install an application-level firewall
Correct Answer: C
Question #36
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
A. User ad hoc reporting is not logged
B. Network traffic is through a single switch
C. Operating system (OS) security patches have not been applied
D. Database security defaults to ERP settings
Correct Answer: C
Question #37
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
A. To mitigate technical risks
B. To have an independent certification of network security
C. To receive an independent view of security exposures
Correct Answer: C
Question #38
Which of the following are the MOST important criteria when selecting virus protection software?
A. Product market share and annualized cost
C. Alert notifications and impact assessments for new viruses
D. Ease of maintenance and frequency of updates
Correct Answer: D
Question #39
Which of the following would raise security awareness among an organization's employees?
A. Distributing industry statistics about security incidents
B. Monitoring the magnitude of incidents
C. Encouraging employees to behave in a more conscious manner
Correct Answer: A
Question #40
A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?
A. System monitoring for traffic on network ports
B. Security code reviews for the entire application
C. Reverse engineering the application binaries
D. Running the application from a high-privileged account on a test system
Correct Answer: B
Question #41
Which of the following is the BEST approach for improving information security management processes?
A. Conduct periodic security audits
C. Define and monitor security metrics
D. Survey business units for feedback
Correct Answer: C
Question #42
In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
A. ensure access to individual functions can be granted to individual users only
B. implement role-based access control in the application
C. enforce manual procedures ensuring separation of conflicting duties
D. create service accounts that can only be used by authorized team members
Correct Answer: B
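Role-based access control only delivers segregation of duties if the role model itself encodes which privileges must not meet in one person. The following is an added example, not code from the SPOTO page: a small RBAC model for a payments application (roles, permissions and the conflict matrix are assumptions for the example) with a preventive check at role-assignment time and a detective backstop at authorization time, so that the shared-elevated-privilege scenario in Question #42 is handled in the application rather than by manual procedure.

```python
"""Added example (not from the SPOTO page): role-based access control with
segregation-of-duties (SoD) checks. Roles, permissions and the conflict
matrix below are constructed assumptions for this example."""
from itertools import combinations

# Assumed role -> permission mapping for a payments application.
ROLE_PERMS = {
    "payments_clerk": {"payment.create"},
    "payments_approver": {"payment.approve"},
    "treasury_release": {"payment.release"},
    "app_admin": {"user.manage", "role.assign"},
    "auditor": {"log.read"},
}

# Permission pairs that must never be held by one person (assumed conflict matrix).
SOD_CONFLICTS = {
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"payment.approve", "payment.release"}),
    frozenset({"role.assign", "payment.approve"}),
}


def effective_permissions(roles):
    """Union of the permissions granted by a user's roles (unknown role -> KeyError)."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMS[role]
    return perms


def sod_violations(roles):
    """Conflict pairs a user holding these roles would satisfy (empty = clean)."""
    perms = effective_permissions(roles)
    return {pair for pair in SOD_CONFLICTS if pair <= perms}


def can_assign(current_roles, new_role):
    """Preventive control: refuse a role assignment that would create a conflict."""
    return not sod_violations(set(current_roles) | {new_role})


def authorize(user_roles, permission):
    """Per-request decision: the permission must come from a held role, and the
    role set must still be SoD-clean (catches assignments made around the check)."""
    return (permission in effective_permissions(user_roles)
            and not sod_violations(user_roles))


def conflicting_role_pairs(role_perms=ROLE_PERMS):
    """Which pairs of roles are toxic together, derived from the conflict matrix."""
    toxic = set()
    for a, b in combinations(role_perms, 2):
        if sod_violations({a, b}):
            toxic.add(frozenset({a, b}))
    return toxic


if __name__ == "__main__":
    print("toxic role pairs:", [sorted(p) for p in conflicting_role_pairs()])
    print("clerk + approver allowed?", can_assign({"payments_clerk"}, "payments_approver"))
    print("approver may approve?", authorize({"payments_approver"}, "payment.approve"))
```

Deriving the toxic role pairs from the permission-level matrix, rather than hard-coding role names, means a new role that happens to bundle two conflicting permissions is caught automatically; the authorization-time check additionally refuses to honour a permission for a user whose role set has drifted into conflict, which a manual procedure (option C) cannot enforce.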
Question #43
What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?
A. Provide detailed instructions on how to carry out different types of tasks
B. Ensure consistency of activities to provide a more stable environment
C. Ensure compliance to security standards and regulatory requirements
D. Ensure reusability to meet compliance to quality requirements
Correct Answer: B
Question #44
Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges?
A. Layered defense strategy
B. System audit log monitoring
C. Signed acceptable use policy
Correct Answer: B
Question #45
Who is responsible for raising awareness of the need for adequate funding for risk action plans?
A. Chief information officer (CIO)
B. Chief financial officer (CFO)
C. Information security manager
D. Business unit management
Correct Answer: C
Question #46
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?
A. Review the procedures for granting access
B. Establish procedures for granting emergency access
C. Meet with data owners to understand business needs
D. Redefine and implement proper access rights
Correct Answer: C