
CISM Exam Practice Made Easy: Latest Mock Exams, Certified Information Security Manager | SPOTO

Prepare for the Certified Information Security Manager (CISM) exam with ease using SPOTO's CISM Exam Practice Made Easy: Latest Mock Exams. As a CISM, you demonstrate advanced knowledge in developing and managing enterprise information security programs. Access our latest mock exams, including free test options, to engage in comprehensive exam preparation. Delve into exam dumps, sample questions, and exam materials to reinforce your understanding of key concepts. Engage in realistic mock exams to simulate the exam environment and refine your exam practice. Utilize our detailed exam answers and exam simulator for effective exam preparation. With SPOTO's exam practice resources, including online exam questions, you'll be well-equipped to excel in the CISM exam and advance your career.

Question #1
Which of the following is the MOST important risk associated with middleware in a client-server environment?
A. Server patching may be prevented
B. System backups may be incomplete
C. System integrity may be affected
D. End-user sessions may be hijacked
View answer
Correct Answer: C
Question #2
Which of the following will BEST facilitate the development of appropriate incident response procedures?
A. Conducting scenario testing
B. Performing vulnerability assessments
C. Analyzing key risk indicators (KRIs)
D. Assessing capability maturity
View answer
Correct Answer: A
Question #3
Which of the following is BEST to include in a business case when the return on investment (ROI) for an information security initiative is difficult to calculate?
A. Estimated reduction in risk
B. Estimated increase in efficiency
C. Projected costs over time
D. Projected increase in maturity level
View answer
Correct Answer: A
Question #4
Which of the following BEST supports the alignment of information security with business functions?
A. Creation of a security steering committee
B. IT management support of security assessments
C. Business management participation in security penetration tests
D. A focus on technology security risk within business processes
View answer
Correct Answer: A
Question #5
An IT department plans to migrate an application to the public cloud. Which of the following is the information security manager's MOST important action in support of this initiative?
A. Calculate security implementation costs
B. Evaluate service level agreements (SLAs)
C. Provide cloud security requirements
D. Review cloud provider independent assessment reports
View answer
Correct Answer: B
Question #6
Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual who needs his or her password reset?
A. Performing reviews of password resets
B. Conducting security awareness programs
C. Increasing the frequency of password changes
D. Implementing automatic password syntax checking
View answer
Correct Answer: B
Question #7
An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?
A. Security in storage and transmission of sensitive data
B. Provider's level of compliance with industry standards
C. Security technologies in place at the facility
D. Results of the latest independent security review
View answer
Correct Answer: A
Question #8
The MAIN reason for an information security manager to monitor industry-level changes in the business and IT is to:
A. evaluate the effect of the changes on the levels of residual risk
B. identify changes in the risk environment
C. update information security policies in accordance with the changes
D. change business objectives based on potential impact
View answer
Correct Answer: B
Question #9
The PRIMARY disadvantage of using a cold-site recovery facility is that it is:
A. unavailable for testing during normal business hours
B. only available if not being used by the primary tenant
C. not possible to reserve test dates in advance
D. not cost-effective for testing critical applications at the site
View answer
Correct Answer: A
Question #10
A validated patch to address a new vulnerability that may affect a mission-critical server has been released. What should be done immediately?
A. Add mitigating controls
B. Take the server off-line and install the patch
C. Check the server’s security and install the patch
D. Conduct an impact analysis
View answer
Correct Answer: D
Question #11
What should be the PRIMARY basis for establishing a recovery time objective (RTO) for a critical business application?
A. Business impact analysis (BIA) results
B. Related business benchmarks
C. Risk assessment results
D. Legal and regulatory requirements
View answer
Correct Answer: A
Question #12
An organization’s information security strategy for the coming year emphasizes reducing the risk of ransomware. Which of the following would be MOST helpful to support this strategy?
A. Provide relevant training to all staff
B. Create a penetration testing plan
C. Perform a controls gap analysis
D. Strengthen security controls for the IT environment
View answer
Correct Answer: A
Question #13
Following a risk assessment, new countermeasures have been approved by management. Which of the following should be performed NEXT?
A. Develop an implementation strategy
B. Schedule the target end date for implementation activities
C. Budget the total cost of implementation activities
D. Calculate the residual risk for each countermeasure
View answer
Correct Answer: A
Question #14
Which of the following is the BEST reason for delaying the application of a critical security patch?
A. Conflicts with software development lifecycle
B. Technology interdependencies
C. Lack of vulnerability management
D. Resource limitations
View answer
Correct Answer: B
Question #15
Which of the following characteristics is MOST important to a bank in a high-value online financial transaction system?
A. Identification
B. Confidentiality
C. Authentication
D. Audit monitoring
View answer
Correct Answer: B
Question #16
Which of the following is MOST important when conducting a forensic investigation?
A. Documenting analysis steps
B. Capturing full system images
C. Maintaining a chain of custody
D. Analyzing system memory
View answer
Correct Answer: C
Question #17
In an organization where IT is critical to its business strategy and where there is a high level of operational dependence on IT, senior management commitment to security is BEST demonstrated by the:
A. segregation of duties policy
B. size of the IT security function
C. reporting line of the chief information security officer (CISO)
D. existence of an IT steering committee
View answer
Correct Answer: D
Question #18
Which of the following is the MOST important step when establishing guidelines for the use of social networking sites in an organization?
A. Establish disciplinary actions for noncompliance
B. Define acceptable information for posting
C. Identify secure social networking sites
D. Perform a vulnerability assessment
View answer
Correct Answer: D
Question #19
A cloud service provider is unable to provide an independent assessment of controls. Which of the following is the BEST way to obtain assurance that the provider can adequately protect the organization’s information?
A. Invoke the right to audit per the contract
B. Review the provider’s information security policy
C. Check references supplied by the provider’s other customers
D. Review the provider’s self-assessment
View answer
Correct Answer: A
Question #20
When an operating system is being hardened, it is MOST important for an information security manager to ensure that:
A. system logs are activated
B. default passwords are changed
C. file access is restricted
D. anonymous access is removed
View answer
Correct Answer: A
Question #21
The MAIN reason for continuous monitoring of a security strategy is to:
A. optimize resource allocation
B. confirm benefits are being realized
C. evaluate the implementation of the strategy
D. allocate funds for information security
View answer
Correct Answer: C
Question #22
Which of the following is the GREATEST benefit of integrating a security information and event management (SIEM) solution with traditional security tools such as IDS, anti-malware, and email screening solutions?
A. The elimination of false positive detections
B. A reduction in operational costs
C. An increase in visibility into patterns of potential threats
D. The consolidation of tools into a single console
View answer
Correct Answer: D
Question #23
Which of the following is MOST critical for prioritizing actions in a business continuity plan (BCP)?
A. Business impact analysis (BIA)
B. Risk assessment
C. Asset classification
D. Business process mapping
View answer
Correct Answer: A
Question #24
The BEST way to isolate corporate data stored on employee-owned mobile devices would be to implement:
A. a sandbox environment
B. device encryption
C. two-factor authentication
D. a strong password policy
View answer
Correct Answer: A
Question #25
What would be an information security manager’s BEST course of action when notified that the implementation of some security controls is being delayed due to budget constraints?
A. Prioritize security controls based on risk
B. Request a budget exception for the security controls
C. Begin the risk acceptance process
D. Suggest less expensive alternative security controls
View answer
Correct Answer: A
Question #26
Which of the following metrics BEST evaluates the completeness of disaster-recovery preparations?
A. Number of published application-recovery plans
B. Ratio of recovery-plan documents to total applications
C. Ratio of tested applications to total applications
D. Ratio of successful to unsuccessful tests
View answer
Correct Answer: C
Question #27
An organization outsources its payroll processing. Which of the following would be the BEST key risk indicator for monitoring the information security of the service provider?
A. Number of security incidents by severity
B. Number of critical security patches
C. Percentage of application up-time
D. Number of manual payroll adjustments
View answer
Correct Answer: A
Question #28
Which of the following would BEST provide stakeholders with information to determine the appropriate response to a disaster?
A. Risk assessment
B. Vulnerability assessment
C. Business impact analysis
D. SWOT analysis
View answer
Correct Answer: C
Question #29
Which of the following has the GREATEST impact on efforts to improve an organization’s security posture?
A. Supportive tone at the top management regarding security
B. Well-documented security policies and procedures
C. Regular reporting to senior management
D. Automation of security controls
View answer
Correct Answer: A
Question #30
An organization determines that an end-user has clicked on a malicious link. Which of the following would MOST effectively prevent similar situations from recurring?
A. End-user training
B. Virus protection
C. End-user access control
D. Updated security policies
View answer
Correct Answer: A
Question #31
What should be an organization’s MAIN concern when evaluating an Infrastructure as a Service (IaaS) cloud computing model for an e-commerce application?
A. Availability of provider’s services
B. Internal audit requirements
C. Where the application resides
D. Application ownership
View answer
Correct Answer: A
Question #32
Which of the following should be an information security manager's FIRST course of action following a decision to implement a new technology?
A. Determine security controls needed to support the new technology
B. Perform a business impact analysis (BIA) on the new technology
C. Perform a return-on-investment (ROI) analysis for the new technology
D. Determine whether the new technology will comply with regulatory requirements
View answer
Correct Answer: B
Question #33
Which of the following is the MOST effective way to ensure security policies are relevant to organizational business practices?
A. Integrate industry best practices
B. Obtain senior management sign-off
C. Conduct an organization-wide security audit
D. Leverage security steering committee contribution
View answer
Correct Answer: D
Question #34
A new system has been developed that does not comply with password-aging rules. This noncompliance can BEST be identified through:
A. a business impact analysis
B. an internal audit assessment
C. an incident management process
D. a progressive series of warnings
View answer
Correct Answer: B
Question #35
In an organization that has undergone an expansion through an acquisition, which of the following would BEST secure the enterprise network?
A. Using security groups
B. Log analysis of system access
C. Business or role-based segmentation
D. Encryption of data traversing networks
View answer
Correct Answer: A
Question #36
Which of the following is MOST important when selecting an information security metric?
A. Aligning the metric to the IT strategy
B. Defining the metric in quantitative terms
C. Ensuring the metric is repeatable
D. Defining the metric in qualitative terms
View answer
Correct Answer: B
Question #37
What is the PRIMARY role of the information security program?
A. To develop and enforce a set of security policies aligned with the business
B. To educate stakeholders regarding information security requirements
C. To perform periodic risk assessments and business impact analyses (BIAs)
D. To provide guidance in managing organizational security risk
View answer
Correct Answer: A
Question #38
When outsourcing data to a cloud service provider, which of the following should be the information security manager’s MOST important consideration?
A. Roles and responsibilities have been defined for the subscriber organization
B. Cloud servers are located in the same country as the organization
C. Access authorization includes biometric security verification
D. Data stored at the cloud service provider is not co-mingled
View answer
Correct Answer: D
Question #39
What would be the PRIMARY reason for an organization to conduct a simulated phishing attack on its employees as part of a social engineering assessment?
A. Measure the effectiveness of security awareness training
B. Identify the need for mitigating security controls
C. Measure the effectiveness of the anti-spam solution
D. Test the effectiveness of the incident response plan
View answer
Correct Answer: A
Question #40
Utilizing external resources for highly technical information security tasks allows an information security manager to:
A. distribute technology risk
B. leverage limited resources
C. outsource responsibility
D. transfer business risk
View answer
Correct Answer: D
Question #41
Which of the following is the PRIMARY benefit to an organization using an automated event monitoring solution?
A. Improved response time to incidents
B. Improved network protection
C. Enhanced forensic analysis
D. Reduced need for manual analysis
View answer
Correct Answer: A
Question #42
What would be an information security manager’s BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization’s critical data?
A. Create an addendum to the existing contract
B. Cancel the outsourcing contract
C. Transfer the risk to the provider
D. Initiate an external audit of the provider’s data center
View answer
Correct Answer: A
Question #43
From a business perspective, the MOST important function of information security is to support:
A. predictable operations
B. international standards
C. security awareness
D. corporate policy
View answer
Correct Answer: D
Question #44
After an information security business case has been approved by senior management, it should be:
A. used to design functional requirements for the solution
B. used as the foundation for a risk assessment
C. referenced to build architectural blueprints for the solution
D. reviewed at key intervals to ensure intended outcomes
View answer
Correct Answer: D
Question #45
Which of the following is the MOST effective method for assessing the effectiveness of a security awareness program?
A. Post-incident review
B. Social engineering test
C. Vulnerability scan
D. Tabletop test
View answer
Correct Answer: B
Question #46
Which of the following is the BEST defense against a brute force attack?
A. Discretionary access control
B. Intruder detection lockout
C. Time-of-day restrictions
D. Mandatory access control
View answer
Correct Answer: C
Question #47
Which of the following is MOST important to building an effective information security program?
A. Information security architecture to increase monitoring activities
B. Management support for information security
C. Relevant and timely content included in awareness programs
D. Logical access controls for information systems
View answer
Correct Answer: B
Question #48
The MAIN purpose of documenting information security guidelines for use within a large, international organization is to:
A. ensure that all business units have the same strategic security goals
B. provide evidence for auditors that security practices are adequate
C. explain the organization's preferred practices for security
D. ensure that all business units implement identical security procedures
View answer
Correct Answer: A
Question #49
Which of the following is the MOST effective way to protect the authenticity of data in transit?
A. Hash value
B. Digital signature
C. Public key
D. Private key
View answer
Correct Answer: B
Question #50
Which of the following is the MOST effective way to ensure the process for granting access to new employees is standardized and meets organizational security requirements?
A. Grant authorization to individual systems as required with the approval of information security management
B. Require managers of new hires be responsible for account setup and access during employee orientation
C. Embed the authorization and creation of accounts with HR onboarding procedures
D. Adopt a standard template of access levels for all employees to be enacted upon hiring
View answer
Correct Answer: C
Question #51
When messages are encrypted and digitally signed to protect documents transferred between trading partners, the GREATEST concern is that:
A. trading partners can repudiate the transmission of messages
B. hackers can eavesdrop on messages
C. trading partners can repudiate the receipt of messages
D. hackers can introduce forged messages
View answer
Correct Answer: D
Question #52
A risk has been formally accepted and documented. Which of the following is the MOST important action for an information security manager?
A. Update risk tolerance levels
B. Notify senior management and the board
C. Monitor the environment for changes
D. Re-evaluate the organization’s risk appetite
View answer
Correct Answer: D
Question #53
Which of the following is the BEST criterion to use when classifying assets?
A. The market value of the assets
B. Annual loss expectancy (ALE)
C. Value of the assets relative to the organization
D. Recovery time objective (RTO)
View answer
Correct Answer: C
Question #54
Which of the following is the MOST important reason for performing vulnerability assessments periodically?
A. Management requires regular reports
B. The environment changes constantly
C. Technology risks must be mitigated
D. The current threat levels are being assessed
View answer
Correct Answer: B
Question #55
Recovery time objectives (RTOs) are an output of which of the following?
A. Business continuity plan
B. Disaster recovery plan
C. Service level agreement (SLA)
D. Business impact analysis (BIA)
View answer
Correct Answer: B
Question #56
Which of the following is MOST relevant for an information security manager to communicate to IT operations?
A. The level of inherent risk
B. Vulnerability assessments
C. Threat assessments
D. The level of exposure
View answer
Correct Answer: B
Question #57
A data leakage prevention (DLP) solution has identified that several employees are sending confidential company data to their personal email addresses in violation of company policy. The information security manager should FIRST:
A. contact the employees involved to retake security awareness training
B. notify senior management that employees are breaching policy
C. limit access to the Internet for employees involved
D. initiate an investigation to determine the full extent of noncompliance
View answer
Correct Answer: D
Question #58
When using an IDS to detect new threats, reliance on which of the following methods should be of MOST concern?
A. Statistical pattern recognition
B. Attack signatures
C. Heuristic analysis
D. Traffic analysis
View answer
Correct Answer: B
Question #59
Which of the following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data?
A. Ensuring the amount of residual risk is acceptable
B. Reducing the number of vulnerabilities detected
C. Avoiding identified system threats
D. Complying with regulatory requirements
View answer
Correct Answer: D
Question #60
Which of the following would BEST ensure that application security standards are in place?
A. Functional testing
B. Performing a code review
C. Publishing software coding standards
D. Penetration testing
View answer
Correct Answer: D
Question #61
Which of the following should be the PRIMARY input when defining the desired state of security within an organization?
A. Acceptable risk level
B. Annual loss expectancy
C. External audit results
D. Level of business impact
View answer
Correct Answer: D
Question #62
After adopting an information security framework, an information security manager is working with senior management to change the organization-wide perception that information security is solely the responsibility of the information security department. To achieve this objective, what should be the information security manager's FIRST initiative?
A. Develop an operational plan providing best practices for information security projects
B. Develop an information security awareness campaign with senior management's support
C. Document and publish the responsibilities of the information security department
D. Implement a formal process to conduct periodic compliance reviews
View answer
Correct Answer: B
Question #63
Which of the following is MOST important to include in monthly information security reports to the board?
A. Trend analysis of security metrics
B. Threat intelligence
C. Root cause analysis of security incidents
D. Risk assessment results
View answer
Correct Answer: A
Question #64
Which of the following defines the minimum security requirements that a specific system must meet?
A. Security policy
B. Security guideline
C. Security procedure
D. Security baseline
View answer
Correct Answer: A
Question #65
An information security manager learns that the root password of an external FTP server may be subject to brute force attacks. Which of the following would be the MOST appropriate way to reduce the likelihood of a successful attack?
A. Block the source IP address of the attacker
B. Lock remote logon after multiple failed attempts
C. Disable access to the externally facing server
D. Install an intrusion detection system (IDS)
View answer
Correct Answer: B
Question #66
Which of the following provides the MOST comprehensive understanding of an organization’s information security posture?
A. Risk management metrics
B. External audit findings
C. Results of vulnerability assessments
D. The organization’s security incident trends
View answer
Correct Answer: A
Question #67
The use of a business case to obtain funding for an information security investment is MOST effective when the business case:
A. relates information security policies and standards into business requirements
B. relates the investment to the organization’s strategic plan
C. realigns information security objectives to organizational strategy
D. articulates management’s intent and information security directives in clear language
View answer
Correct Answer: B
Question #68
When customer data has been compromised, an organization should contact law enforcement authorities:
A. if the attack comes from an international source
B. when directed by the information security manager
C. if there is potential impact to the organization
D. in accordance with the corporate communication policy
View answer
Correct Answer: D
Question #69
Which of the following BEST supports the risk assessment process in determining the criticality of an asset?
A. Business impact analysis (BIA)
B. Residual risk analysis
C. Vulnerability assessment
D. Threat assessment
View answer
Correct Answer: A
Question #70
An internal audit has found that critical patches were not implemented, without a valid reason, within the timeline established by policy. Which of the following is the BEST course of action to address the audit findings?
A. Perform regular audits on the implementation of critical patches
B. Evaluate patch management training
C. Assess the patch management process
D. Monitor and notify IT staff of critical patches
View answer
Correct Answer: C
Question #71
Which of the following is MOST useful to include in a report to senior management on a regular basis to demonstrate the effectiveness of the information security program?
A. Key risk indicators (KRIs)
B. Capability maturity models
C. Critical success factors (CSFs)
D. Key performance indicators (KPIs)
View answer
Correct Answer: A
Question #72
The PRIMARY purpose of a periodic threat and risk assessment report to senior management is to communicate the:
A. status of the security posture
B. probability of future incidents
C. cost-benefit of security controls
D. risk acceptance criteria
View answer
Correct Answer: A
Question #73
Which of the following is MOST likely to drive an update to the information security strategy?
A. A recent penetration test has uncovered a control weakness
B. A major business application has been upgraded
C. Management has decided to implement an emerging technology
D. A new chief technology officer has been hired
View answer
Correct Answer: C
Question #74
For a user of commercial software downloaded from the Internet, which of the following is the MOST effective means of ensuring authenticity?
A. Digital signatures
B. Digital certificates
C. Digital code signing
D. Steganography
View answer
Correct Answer: C
Question #75
Which of the following is the BEST reason to develop comprehensive information security policies?
A. To comply with external industry and government regulations
B. To support development of effective risk indicators
C. To align the information security program to organizational strategy
D. To gain senior management support for the information security program
View answer
Correct Answer: C
Question #76
The authorization to transfer the handling of an internal security incident to a third-party support provider is PRIMARILY defined by the:
A. information security manager
B. escalation procedures
C. disaster recovery plan
D. chain of custody
View answer
Correct Answer: D
Question #77
The BEST way to mitigate the risk associated with a social engineering attack is to:
A. deploy an effective intrusion detection system (IDS)
B. perform a user-knowledge gap assessment of information security practices
C. perform a business risk assessment of the email filtering system
D. implement multi-factor authentication on critical business systems
View answer
Correct Answer: B
Question #78
An organization with a large number of users finds it necessary to improve access control applications. Which of the following would BEST help to prevent unauthorized user access to networks and applications?
A. Single sign-on
B. Biometric systems
C. Complex user passwords
D. Access control lists
View answer
Correct Answer: D
Question #79
Which of the following is MOST helpful to maintain cohesiveness within an organization’s information security resource?
A. Information security architecture
B. Security gap analysis
C. Business impact analysis
D. Information security steering committee
View answer
Correct Answer: A
Question #80
During the initiation phase of the system development life cycle (SDLC) for a software project, information security activities should address:
A. baseline security controls
B. cost-benefit analyses
C. benchmarking security metrics
D. security objectives
View answer
Correct Answer: D
Question #81
Which of the following is BEST performed by the security department?
A. Approving standards for accessing the operating system
B. Logging unauthorized access to the operating system
C. Managing user profiles for accessing the operating system
D. Provisioning users to access the operating system
View answer
Correct Answer: B
Question #82
Which of the following should be an information security manager’s MOST important consideration when conducting a physical security review of a potential outsourced data center?
A. Distance of the data center from the corporate office
B. Availability of network circuit connections
C. Environmental factors of the surrounding location
D. Proximity to law enforcement
View answer
Correct Answer: C
Question #83
Which of the following would BEST detect malicious damage arising from an internal threat?
A. Access control list
B. Encryption
C. Fraud awareness training
D. Job rotation
View answer
Correct Answer: D
Question #84
Which of the following should be an information security manager's PRIMARY role when an organization initiates a data classification process?
A. Verify that assets have been appropriately classified
B. Apply security in accordance with specific classification
C. Define the classification structure to be implemented
D. Assign the asset classification level
View answer
Correct Answer: C
Question #85
The PRIMARY purpose for continuous monitoring of security controls is to ensure:
A. system availability
B. control gaps are minimized
C. effectiveness of controls
D. alignment with compliance requirements
View answer
Correct Answer: C
Question #86
An organization shares customer information across its globally dispersed branches. Which of the following should be the GREATEST concern to information security management?
A. Cross-cultural differences between branches
B. Conflicting data protection regulations
C. Insecure wide area networks (WANs)
D. Decentralization of information security
View answer
Correct Answer: C
Question #87
When drafting the corporate privacy statement for a public web site, which of the following MUST be included?
A. Access control requirements
B. Limited liability clause
C. Information encryption requirements
D. Explanation of information usage
View answer
Correct Answer: C
Question #88
Exceptions to a security policy should be approved based PRIMARILY on:
A. risk appetite
B. the external threat probability
C. results of a business impact analysis (BIA)
D. the number of security incidents
View answer
Correct Answer: C