
CISM Exam Prep: Study Materials & Mock Tests, Certified Information Security Manager | SPOTO

Prepare effectively for the Certified Information Security Manager (CISM) exam with SPOTO's CISM Exam Prep: Study Materials & Mock Tests. As a CISM, you demonstrate advanced expertise in developing and managing enterprise information security programs. Access our comprehensive study materials and engaging mock tests, including free test options, to delve into exam dumps, sample questions, and exam materials. Engage in realistic mock exams to simulate the exam environment and refine your exam practice. Utilize our detailed exam answers and exam simulator to enhance your preparation. With SPOTO's exam practice resources, including online exam questions, you'll be well-equipped to excel in the CISM exam and advance your career in information security.


Question #1
Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?
A. Systems operation procedures are not enforced
B. Change management procedures are poor
C. Systems development is outsourced
D. Systems capacity management is not performed
Correct Answer: C
Question #2
An organization’s senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager’s FIRST step to support this strategy?
A. Incorporate social media into the security awareness program
B. Develop a guideline on the acceptable use of social media
C. Develop a business case for a data loss prevention solution
D. Employ the use of a web content filtering solution
Correct Answer: C
Question #3
The PRIMARY reason for creating a business case when proposing an information security project is to:
A. establish the value of the project in relation to business objectives
B. establish the value of the project with regard to regulatory compliance
C. ensure relevant business parties are involved in the project
D. ensure comprehensive security controls are identified
Correct Answer: C
Question #4
A new system has been developed that does not comply with password-aging rules. This noncompliance can BEST be identified through:
A. a business impact analysis
B. an internal audit assessment
C. an incident management process
D. a progressive series of warnings
Correct Answer: C
Question #5
A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:
A. rebuild the server from the last verified backup
B. place the web server in quarantine
C. shut down the server in an organized manner
D. rebuild the server with original media and relevant patches
Correct Answer: C
Question #6
A business unit uses an e-commerce application with a strong password policy. Many customers complain that they cannot remember their passwords because they are too long and complex. The business unit states it is imperative to improve the customer experience. The information security manager should FIRST:
A. change the password policy to improve the customer experience
B. research alternative secure methods of identity verification
C. evaluate the impact of the customer’s experience on business revenue
D. recommend implementing two-factor authentication
Correct Answer: A
Question #7
When supporting an organization’s privacy officer, which of the following is the information security manager’s PRIMARY role regarding privacy requirements?
A. Monitoring the transfer of private data
B. Conducting privacy awareness programs
C. Ensuring appropriate controls are in place
D. Determining data classification
Correct Answer: D
Question #8
Which of the following presents the GREATEST challenge in calculating return on investment (ROI) in the security environment?
A. Number of incidents cannot be predetermined
B. Project cost overruns cannot be anticipated
C. Cost of security tools is difficult to estimate
D. Costs of security incidents cannot be estimated
Correct Answer: A
Question #9
Which of the following devices should be placed within a demilitarized zone (DMZ)?
A. Network switch
B. Web server
C. Database server
D. File/print server
Correct Answer: A
Question #10
Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
A. Security policies and procedures
B. Annual self-assessment by management
C. Security-steering committees
D. Security awareness campaigns
Correct Answer: C
Question #11
An organization is in the process of adopting a hybrid data infrastructure, transferring all non-core applications to cloud service providers and maintaining all core business functions in-house. The information security manager has determined that a defense-in-depth strategy should be used. Which of the following BEST describes this strategy?
A. Multi-factor login requirements for cloud service applications, timeouts, and complex passwords
B. Deployments of nested firewalls within the infrastructure
C. Separate security controls for applications, platforms, programs, and endpoints
D. Strict enforcement of role-based access control (RBAC)
Correct Answer: C
Question #12
Information security managers should use risk assessment techniques to:
A. justify selection of risk mitigation strategies
B. maximize the return on investment (ROI)
C. provide documentation for auditors and regulators
D. quantify risks that would otherwise be subjective
Correct Answer: B
Question #13
Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:
A. determining the extent of property damage
B. preserving environmental conditions
C. ensuring orderly plan activation
D. reducing the extent of operational damage
Correct Answer: A
Question #14
Which of the following is the BEST approach when using sensitive customer data during the testing phase of a systems development project?
A. Establish the test environment on a separate network
B. Sanitize customer data
C. Monitor the test environment for data loss
D. Implement equivalent controls to those on the source system
Correct Answer: C
Question #15
The MOST important reason for formally documenting security procedures is to ensure:
A. processes are repeatable and sustainable
B. alignment with business objectives
C. auditability by regulatory agencies
D. objective criteria for the application of metrics
Correct Answer: B
Question #16
When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set:
A. to a higher false reject rate (FRR)
B. to a lower crossover error rate
C. to a higher false acceptance rate (FAR)
D. exactly to the crossover error rate
Correct Answer: C
Question #17
The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
A. change the root password of the system
B. implement multifactor authentication
C. rebuild the system from the original installation medium
D. disconnect the mail server from the network
Correct Answer: B
Question #18
Which of the following environments represents the GREATEST risk to organizational security?
A. Locally managed file server
B. Enterprise data warehouse
C. Load-balanced, web server cluster
D. Centrally managed data switch
Correct Answer: B
Question #19
An organization is considering whether to allow employees to use personal computing devices for business purposes. To BEST facilitate senior management’s decision, the information security manager should:
A. map the strategy to business objectives
B. perform a cost-benefit analysis
C. conduct a risk assessment
D. develop a business case
Correct Answer: C
Question #20
Which of the following will BEST protect confidential data when connecting large wireless networks to an existing wired-network infrastructure?
A. Mandatory access control (MAC) address filtering
B. Strong passwords
C. Virtual private network (VPN)
D. Firewall
Correct Answer: D
Question #21
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?
A. IP spoofing
B. Man-in-the-middle attack
C. Repudiation
D. Trojan
Correct Answer: C
Question #22
Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?
A. A bit-level copy of all hard drive data
B. The last verified backup stored offsite
C. Data from volatile memory
D. Backup servers
Correct Answer: D
Question #23
Which of the following is the MOST important driver when developing an effective information security strategy?
A. Information security standards
B. Compliance requirements
C. Benchmark reports
D. Security audit reports
Correct Answer: A
Question #24
When considering whether to adopt a new information security framework, an organization’s information security manager should FIRST:
A. compare the framework with the current business strategy
B. perform a technical feasibility analysis
C. perform a financial viability study
D. analyze the framework’s legal implications and business impact
Correct Answer: C
Question #25
Which of the following would be MOST critical to the successful implementation of a biometric authentication system?
A. Budget allocation
B. Technical skills of staff
C. User acceptance
D. Password requirements
Correct Answer: C
Question #26
The MAIN advantage of implementing automated password synchronization is that it:
A. reduces overall administrative workload
B. increases security between multi-tier systems
C. allows passwords to be changed less frequently
D. reduces the need for two-factor authentication
Correct Answer: A
Question #27
When collecting evidence for forensic analysis, it is important to:
A. A
B. request the IT department do an image copy
C. disconnect from the network and isolate the affected devices
D. ensure law enforcement personnel are present before the forensic analysis commences
Correct Answer: D
Question #28
Which of the following is the PRIMARY reason for implementing a risk management program?
A. Allows the organization to eliminate risk
B. Is a necessary part of management's due diligence
C. Satisfies audit and regulatory requirements
D. Assists in increasing the return on investment (ROI)
Correct Answer: B
Question #29
During which phase of an incident response process should corrective actions to the response procedure be considered and implemented?
A. Eradication
B. Review
C. Containment
D. Identification
Correct Answer: A
Question #30
The BEST way to ensure that an external service provider complies with organizational security policies is to:
A. Explicitly include the service provider in the security policies
B. Receive acknowledgment in writing stating the provider has read all policies
C. Cross-reference to policies in the service level agreement
D. Perform periodic reviews of the service provider
Correct Answer: B
Question #31
An organization involved in e-commerce activities operating from its home country opened a new office in another country with stringent security laws. In this scenario, the overall security strategy should be based on:
A. risk assessment results
B. international security standards
C. the most stringent requirements
D. the security organization structure
Correct Answer: D
Question #32
Which of the following metrics would provide management with the MOST useful information about the progress of a security awareness program?
A. Increased number of downloads of the organization’s security policy
B. Increased reporting of security incidents
C. Completion rate of user awareness training within each business unit
D. Decreased number of security incidents
Correct Answer: C
Question #33
Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center?
A. Mantrap
B. Biometric lock
C. Closed-circuit television (CCTV)
D. Security guard
Correct Answer: D
Question #34
An information security manager is recommending an investment in a new security initiative to address recently published threats. Which of the following would be MOST important to include in the business case?
A. Business impact if threats materialize
B. Availability of unused funds in the security budget
C. Threat information from reputable sources
D. Alignment of the new initiative with the approved business strategy
Correct Answer: B
Question #35
In an organization, information systems security is the responsibility of:
A. all personnel
B. information systems personnel
C. information systems security personnel
D. functional personnel
Correct Answer: C
Question #36
Which of the following is MOST important for an information security manager to regularly report to senior management?
A. Results of penetration tests
B. Audit reports
C. Impact of unremediated risks
D. Threat analysis reports
Correct Answer: D
Question #37
Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?
A. User
B. Security
C. Operations
D. Database
Correct Answer: A
Question #38
Which of the following is done PRIMARILY to address the integrity of information?
A. Assignment of appropriate control permissions
B. Implementation of an Internet security application
C. Implementation of a duplex server system
D. Encryption of email
Correct Answer: D
Question #39
Which of the following risks would BEST be assessed using quantitative risk assessment techniques?
A. Customer data stolen
B. An electrical power outage
C. A web site defaced by hackers
D. Loss of the software development team
Correct Answer: B
Question #40
What is the BEST method to verify that all security patches applied to servers were properly documented?
A. Trace change control requests to operating system (OS) patch logs
B. Trace OS patch logs to OS vendor's update documentation
C. Trace OS patch logs to change control requests
D. Review change control documentation for key servers
Correct Answer: D
Question #41
Detailed business continuity plans should be based PRIMARILY on:
A. consideration of different alternatives
B. the solution that is least expensive
C. strategies that cover all applications
D. strategies validated by senior management
Correct Answer: C
Question #42
When a new key business application goes into production, the PRIMARY reason to update the relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:
A. this is a requirement of the security policy
B. software licenses may expire in the future without warning
C. the asset inventory must be maintained
D. service level agreements may not otherwise be met
Correct Answer: C
Question #43
An information security program should be sponsored by:
A. infrastructure management
B. the corporate audit department
C. key business process owners
D. information security management
Correct Answer: B
Question #44
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?
A. Monitor user activities on the network
B. Publish the standards on the intranet landing page
C. Establish an acceptable use policy
D. Deploy a device management solution
Correct Answer: A
Question #45
The BEST way to ensure that information security policies are followed is to:
A. distribute printed copies to all employees
B. perform periodic reviews for compliance
C. include escalating penalties for noncompliance
D. establish an anonymous hotline to report policy abuses
Correct Answer: B
Question #46
Which of the following is the PRIMARY reason to conduct periodic business impact assessments?
A. Improve the results of last business impact assessment
B. Update recovery objectives based on new risks
C. Decrease the recovery times
D. Meet the needs of the business continuity policy
Correct Answer: A
Question #47
A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?
A. Denial of service (DoS) attacks
B. Traffic sniffing
C. Virus infections
D. IP address spoofing
Correct Answer: A
Question #48
Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual who needs his or her password reset?
A. Performing reviews of password resets
B. Conducting security awareness programs
C. Increasing the frequency of password changes
D. Implementing automatic password syntax checking
Correct Answer: B
Question #49
Which of the following would be the MOST important information to include in a business case for an information security project in a highly regulated industry?
A. Compliance risk assessment
B. Critical audit findings
C. Industry comparison analysis
D. Number of reported security incidents
Correct Answer: B
Question #50
Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?
A. Certificate-based authentication of web client
B. Certificate-based authentication of web server
C. Data confidentiality between client and web server
D. Multiple encryption algorithms
Correct Answer: B
Question #51
An intranet server should generally be placed on the:
A. internal network
B. firewall server
C. external router
D. primary domain controller
Correct Answer: D
Question #52
Which of the following would MOST likely require a business continuity plan to be invoked?
A. An unauthorized visitor discovered in the data center
B. A distributed denial of service attack on an e-mail server
C. An epidemic preventing staff from performing job functions
D. A hacker holding personally identifiable information hostage
Correct Answer: B
Question #53
In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
Correct Answer: D
Question #54
A message that has been encrypted by the sender's private key and again by the receiver's public key achieves:
A. authentication and authorization
B. confidentiality and integrity
C. confidentiality and nonrepudiation
D. authentication and nonrepudiation
Correct Answer: A
Question #55
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
A. Service level agreements (SLAs)
B. Right to audit clause
C. Intrusion detection system (IDS) services
D. Spam filtering services
Correct Answer: D
Question #56
In a large organization, defining recovery time objectives (RTOs) is PRIMARILY the responsibility of:
A. the IT manager
B. the information security manager
C. the business unit manager
D. senior manager
Correct Answer: D
Question #57
Which of the following situations would be of MOST concern to a security manager?
A. Audit logs are not enabled on a production server
B. The logon ID for a terminated systems analyst still exists on the system
C. The help desk has received numerous reports of users receiving phishing e-mails
D. A Trojan was found to be installed on a system administrator's laptop
Correct Answer: A
Question #58
The PRIMARY objective of security awareness is to:
A. ensure that security policies are understood
B. influence employee behavior
C. ensure legal and regulatory compliance
D. notify of actions for noncompliance
Correct Answer: C
Question #59
Which of the following is the BEST approach for an organization desiring to protect its intellectual property?
A. Conduct awareness sessions on intellectual property policy
B. Require all employees to sign a nondisclosure agreement
C. Promptly remove all access when an employee leaves the organization
D. Restrict access to a need-to-know basis
Correct Answer: D
Question #60
The recovery time objective (RTO) is reached at which of the following milestones?
A. Disaster declaration
B. Recovery of the backups
C. Restoration of the system
D. Return to business as usual processing
Correct Answer: C
Question #61
Management decisions concerning information security investments will be MOST effective when they are based on:
A. an annual loss expectancy (ALE) determined from the history of security events
B. the formalized acceptance of risk analysis by management
C. the reporting of consistent and periodic assessments of risks
D. a process for identifying and analyzing threats and vulnerabilities
Correct Answer: B
Question #62
What is the BEST way to ensure data protection upon termination of employment?
A. Retrieve identification badge and card keys
B. Retrieve all personal computer equipment
C. Erase all of the employee's folders
D. Ensure all logical access is removed
Correct Answer: B
Question #63
It is important to develop an information security baseline because it helps to define:
A. critical information resources needing protection
B. a security policy for the entire organization
C. the minimum acceptable security to be implemented
D. required physical and logical access controls
Correct Answer: A
Question #64
Which of the following is MOST important to the success of an information security program?
A. Security awareness training
B. Achievable goals and objectives
C. Senior management sponsorship
D. Adequate start-up budget and staffing
Correct Answer: B
Question #65
An organization without any formal information security program that has decided to implement information security best practices should FIRST:
A. invite an external consultant to create the security strategy
B. allocate budget based on best practices
C. benchmark similar organizations
D. define high-level business security requirements
Correct Answer: A
Question #66
Managing the life cycle of a digital certificate is a role of a(n):
A. system administrator
B. security administrator
C. system developer
D. independent trusted source
Correct Answer: C
Question #67
A data-hosting organization’s data center houses servers, applications, and data for a large number of geographically dispersed customers. Which of the following strategies would be the BEST approach for developing a physical access control policy for the organization?
A. Design single sign-on or federated access
B. Conduct a risk assessment to determine security risks and mitigating controls
C. Develop access control requirements for each system and application
D. Review customers’ security policies
Correct Answer: B
