CISM Certifications Practice Tests 2024 Updated, Certified Information Security Manager | SPOTO

Elevate your preparation for the CISM certification with SPOTO's updated CISM Certifications Practice Tests 2024. As a Certified Information Security Manager (CISM), you demonstrate advanced expertise in developing and managing enterprise information security programs. Our practice tests, including free test options, provide comprehensive coverage of exam topics, from exam dumps and sample questions to detailed exam materials and exam answers. Engage in realistic mock exams to simulate the exam environment and sharpen your exam practice. Access precise exam questions and answers to reinforce understanding and prepare effectively for the CISM exam. Utilize our exam preparation resources and advanced exam simulator to maximize your success in achieving CISM certification.
Question #1
The return on investment of information security can BEST be evaluated through which of the following?
A. Support of business objectives
B. Security metrics
C. Security deliverables
D. Process improvement models
View answer
Correct Answer: C
Question #2
Which of the following devices should be placed within a DMZ?
A. Proxy server
B. Application server
C. Departmental server
D. Data warehouse server
View answer
Correct Answer: A
Question #3
A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:
A. it simulates the real-life situation of an external security attack
B. human intervention is not required for this type of test
C. less time is spent on reconnaissance and information gathering
D. critical infrastructure information is not revealed to the tester
View answer
Correct Answer: D
Question #4
The configuration management plan should PRIMARILY be based upon input from:
A. business process owners
B. the information security manager
C. the security steering committee
D. IT senior management
View answer
Correct Answer: C
Question #5
What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?
A. Perform periodic penetration testing
B. Establish minimum security baselines
C. Implement vendor default settings
D. Install a honeypot on the network
View answer
Correct Answer: A
Question #6
An information security program should focus on:
A. best practices also in place at peer companies
B. solutions codified in international standards
C. key controls identified in risk assessments
D. continued process improvement
View answer
Correct Answer: C
Question #7
In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
A. Implementing on-screen masking of passwords
B. Conducting periodic security awareness programs
C. Increasing the frequency of password changes
D. Requiring that passwords be kept strictly confidential
View answer
Correct Answer: B
Question #8
Which of the following should be determined FIRST when establishing a business continuity program?
A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams
View answer
Correct Answer: B
Question #9
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
A. Sign a legal agreement assigning them all liability for any breach
B. Remove all trading partner access until the situation improves
C. Set up firewall rules restricting network traffic from that location
D. Send periodic reminders advising them of their noncompliance
View answer
Correct Answer: D
Question #10
The MOST important reason for formally documenting security procedures is to ensure:
A. processes are repeatable and sustainable
C. auditability by regulatory agencies
D. objective criteria for the application of metrics
View answer
Correct Answer: A
Question #11
What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
A. Mandatory
B. Discretionary
C. Walled garden
D. Role-based
View answer
Correct Answer: B
Question #12
When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of controls
View answer
Correct Answer: D
Question #13
The implementation of continuous monitoring controls is the BEST option where:
A. incidents may have a high impact and frequency
B. legislation requires strong information security controls
C. incidents may have a high impact but low frequency
D. Electronic commerce is a primary business driver
View answer
Correct Answer: D
Question #14
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?
A. Configuration of firewalls
B. Strength of encryption algorithms
C. Authentication within application
D.
View answer
Correct Answer: D
Question #15
What is the GREATEST risk when there is an excessive number of firewall rules?
A. One rule may override another rule in the chain and create a loophole
B. Performance degradation of the whole network
C. The firewall may not support the increasing number of rules due to limitations
D. The firewall may show abnormal behavior and may crash or automatically shut down
View answer
Correct Answer: A
Question #16
Which of the following areas is MOST susceptible to the introduction of security weaknesses?
A. Database management
B. Tape backup management
C.
D. Incident response management
View answer
Correct Answer: C
Question #17
An information security manager wishing to establish security baselines would:
A. include appropriate measurements in the system development life cycle
B. implement the security baselines to establish information security best practices
C. implement the security baselines to fulfill laws and applicable regulations in different jurisdictions
D. leverage information security as a competitive advantage
View answer
Correct Answer: A
Question #18
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
A. System analyst
B. Quality control manager
C. Process owner
D. Information security manager
View answer
Correct Answer: A
Question #19
What is an appropriate frequency for updating operating system (OS) patches on production servers?
A. During scheduled rollouts of new applications
B. According to a fixed security patch management schedule
C. Concurrently with quarterly hardware maintenance
D. Whenever important security patches are released
View answer
Correct Answer: A
Question #20
What is the MOST important reason for conducting security awareness programs throughout an organization?
A. Reducing the human risk
B. Maintaining evidence of training records to ensure compliance
C. Informing business units about the security strategy
D. Training personnel in security incident response
View answer
Correct Answer: C
Question #21
A digital signature using a public key infrastructure (PKI) will:
A. not ensure the integrity of a message
B. rely on the extent to which the certificate authority (CA) is trusted
C. require two parties to the message exchange
D. provide a high level of confidentiality
View answer
Correct Answer: B
Question #22
Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:
A. mandatory access controls
B. discretionary access controls
C. lattice-based access controls
D. role-based access controls
View answer
Correct Answer: D
Question #23
Which of the following are the MOST important individuals to include as members of an information security steering committee?
A. Direct reports to the chief information officer
B. IT management and key business process owners
C. Cross-section of end users and IT professionals
D. Internal audit and corporate legal departments
View answer
Correct Answer: C
Question #24
What is the BEST way to ensure that contract programmers comply with organizational security policies?
A. Explicitly refer to contractors in the security standards
B. Have the contractors acknowledge in writing the security policies
C. Create penalties for noncompliance in the contracting agreement
D. Perform periodic security reviews of the contractors
View answer
Correct Answer: D
Question #25
What is the MOST appropriate change management procedure for the handling of emergency program changes?
A. Formal documentation does not need to be completed before the change
B. Business management approval must be obtained prior to the change
C. Documentation is completed with approval soon after the change
D. All changes must follow the same process
View answer
Correct Answer: B
Question #26
Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
A. Signal strength
B. Number of administrators
C. Bandwidth
D. Encryption strength
View answer
Correct Answer: A
Question #27
As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:
A. considered at the discretion of the information owner
B. approved by the next higher person in the organizational structure
C. formally managed within the information security framework
D. reviewed and approved by the security manager
View answer
Correct Answer: B
Question #28
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
A. Utilize an intrusion detection system
B. Establish minimum security baselines
C. Implement vendor recommended settings
D. Perform periodic penetration testing
View answer
Correct Answer: C
Question #29
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
A. Service level agreements (SLAs)
B. Right to audit clause
C. Intrusion detection system (IDS) services
D. Spam filtering services
View answer
Correct Answer: C
Question #30
Which of the following presents the GREATEST exposure to internal attack on a network?
A. User passwords are not automatically expired
B. All network traffic goes through a single switch
C. User passwords are encoded but not encrypted
D. All users reside on a single internal subnet
View answer
Correct Answer: D
Question #31
In business-critical applications, user access should be approved by the:
A. information security manager
B. data owner
C. data custodian
D. business management
View answer
Correct Answer: D
Question #32
Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?
A. Security audit reports
B. Balanced scorecard
C. Capability maturity model (CMM)
D. Systems and business security architecture
View answer
Correct Answer: C
Question #33
Security awareness training should be provided to new employees:
A. on an as-needed basis
B. during system user training
C. before they have access to data
D. along with department staff
View answer
Correct Answer: C
Question #34
Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
A. User security procedures
B. Business process flow
C. IT security policy
D. Regulatory requirements
View answer
Correct Answer: D
Question #35
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
A. Data owner
B. Data custodian
C. Systems programmer
D. Security administrator
View answer
Correct Answer: C
Question #36
Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:
A. the third party provides a demonstration on a test system
B. goals and objectives are clearly defined
C. the technical staff has been briefed on what to expect
D. special backups of production servers are taken
View answer
Correct Answer: A
Question #37
Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center?
A. Mantrap
B.
C. Closed-circuit television (CCTV)
D. Security guard
View answer
Correct Answer: C
Question #38
Which of the following would be the MOST significant security risk in a pharmaceutical institution?
A. Compromised customer information
B. Unavailability of online transactions
C. Theft of security tokens
D. Theft of a Research and Development laptop
View answer
Correct Answer: B
Question #39
To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:
A. create a separate account for the programmer as a power user
C. have the programmer sign a letter accepting full responsibility
D. perform regular audits of the application
View answer
Correct Answer: B
Question #40
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
A. User ad hoc reporting is not logged
B.
C. Operating system (OS) security patches have not been applied
D. Database security defaults to ERP settings
View answer
Correct Answer: B
Question #41
What is the MOST important item to be included in an information security policy?
A. The definition of roles and responsibilities
B. The scope of the security program
C. The key objectives of the security program
D. Reference to procedures and standards of the security program
View answer
Correct Answer: A
Question #42
Which item would be the BEST to include in the information security awareness training program for new general staff employees?
A. Review of various security models
B. Discussion of how to construct strong passwords
C. Review of roles that have privileged access
D. Discussion of vulnerability assessment results
View answer
Correct Answer: C
Question #43
Which of the following is the MOST important risk associated with middleware in a client-server environment?
A. Server patching may be prevented
B. System backups may be incomplete
C. System integrity may be affected
D. End-user sessions may be hijacked
View answer
Correct Answer: B
Question #44
Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?
A. Restrict the available drive allocation on all PCs
B. Disable universal serial bus (USB) ports on all desktop devices
C.
D. Establish strict access controls to sensitive information
View answer
Correct Answer: B
Question #45
The BEST way to ensure that an external service provider complies with organizational security policies is to:
A. Explicitly include the service provider in the security policies
B. Receive acknowledgment in writing stating the provider has read all policies
C. Cross-reference to policies in the service level agreement
D. Perform periodic reviews of the service provider
View answer
Correct Answer: C
Question #46
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
A. Exclusive use of the hot site is limited to six weeks
B. The hot site may have to be shared with other customers
C. The time of declaration determines site access priority
D. The provider services all major companies in the area
View answer
Correct Answer: B
Question #47
Good information security procedures should:
A. define the allowable limits of behavior
B. underline the importance of security governance
D. be updated frequently as new software is released
View answer
Correct Answer: A
Question #48
A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
A. User
B. Network
C. Operations
D. Database
View answer
Correct Answer: A
Question #49
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?
A. Multilevel
B. Role-based
C. Discretionary
D.
View answer
Correct Answer: B
Question #50
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
A. To mitigate technical risks
B. To have an independent certification of network security
C. To receive an independent view of security exposures
D. To identify a complete list of vulnerabilities
View answer
Correct Answer: A
Question #51
What is the BEST way to alleviate security team understaffing while retaining the capability in-house?
A. Hire a contractor that would not be included in the permanent headcount
B. Outsource with a security services provider while retaining the control internally
C. Establish a virtual security team from competent employees across the company
D. Provide cross training to minimize the existing resources gap
View answer
Correct Answer: D
Question #52
Which of the following is the MOST important reason why information security objectives should be defined?
A. Tool for measuring effectiveness
B. General understanding of goals
C. Consistency with applicable standards
D. Management sign-off and support initiatives
View answer
Correct Answer: D
Question #53
The FIRST priority when responding to a major security incident is:
A. documentation
B. monitoring
C. restoration
View answer
Correct Answer: A
