DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

CISM Exam Questions & Mock Exams, Certified Information Security Manager | SPOTO

CISM certification validates your expertise in developing and managing enterprise information security programs. Our practice tests cover a wide range of topics, including exam questions, sample questions, and mock exams, ensuring you're well-prepared for the real exam. You'll have access to exam dumps, exam materials, and online exam questions, enhancing your understanding of key concepts. Our detailed exam answers and exam questions and answers sections further strengthen your knowledge base. With our exam practice sessions and exam simulator, you'll gain confidence and readiness for the CISM exam. Get started with our free test today and elevate your exam preparation experience with SPOTO.
Take other online exams

Question #1
When performing a risk assessment, the MOST important consideration is that:
A. management supports risk mitigation efforts
B. annual loss expectations (ALEs) have been calculated for critical assets
C. assets have been identified and appropriately valued
D. attack motives, means and opportunitiesbe understood
View answer
Correct Answer: A
Question #2
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
A. Risk assessment report
B. Technical evaluation report
C. Business case
D. Budgetary requirements
View answer
Correct Answer: D
Question #3
Which of the following is the MOST appropriate method of ensuring password strength in a large organization?
A. Attempt to reset several passwords to weaker values
B. Install code to capture passwords for periodic audit
C. Sample a subset of users and request their passwords for review
D. Review general security settings on each platform
View answer
Correct Answer: B
Question #4
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
A. SWOT analysis
B. Waterfall chart
C. Gap analysis
D. Balanced scorecard
View answer
Correct Answer: C
Question #5
Risk assessment is MOST effective when performed:
A. at the beginning of security program development
B. on a continuous basis
C. while developing the business case for the security program
D. during the business change process
View answer
Correct Answer: B
Question #6
One way to determine control effectiveness is by determining:
A. whether it is preventive, detective or compensatory
B. the capability of providing notification of failure
C. the test results of intended objectives
D. the evaluation and analysis of reliability
View answer
Correct Answer: C
Question #7
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
A. The recovery time objective (RTO) was not exceeded during testing
B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently
C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan
View answer
Correct Answer: D
Question #8
Which of the following is the BEST approach for an organization desiring to protect its intellectual property?
A. Conduct awareness sessions on intellectual property policy
B. Require all employees to sign a nondisclosure agreement
C. Promptly remove all access when an employee leaves the organization
D. Restrict access to a need-to-know basis
View answer
Correct Answer: C
Question #9
A security risk assessment exercise should be repeated at regular intervals because:
A. business threats are constantly changing
B. omissions in earlier assessments can be addressed
C. repetitive assessments allow various methodologies
D. they help raise awareness on security in the business
View answer
Correct Answer: B
Question #10
Obtaining senior management support for establishing a warm site can BEST be accomplished by:
A. establishing a periodic risk assessment
B. promoting regulatory requirements
C. developing a business case
D. developing effective metrics
View answer
Correct Answer: A
Question #11
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in- house staff and by external consultants outside the organization's local are network (LAN). What should the security manager do FIRST?
A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
View answer
Correct Answer: D
Question #12
An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:
A. broken authentication
B. unvalidated input
C. cross-site scripting
D. Structured query language (SQL) injection
View answer
Correct Answer: D
Question #13
In order to highlight to management the importance of network security, the security manager should FIRST:
A. develop a security architecture
B. install a network intrusion detection system (NIDS) and prepare a list of attacks
C. develop a network security policy
D. conduct a risk assessment
View answer
Correct Answer: A
Question #14
What is the BEST way to alleviate security team understaffing while retaining the capability in- house?
A. Hire a contractor that would not be included in the permanent headcount
B. Outsource with a security services provider while retaining the control internally
C. Establish a virtual security team from competent employees across the company
D. Provide cross training to minimize the existing resources gap
View answer
Correct Answer: C
Question #15
Successful social engineering attacks can BEST be prevented through:
A. reemployment screening
B. close monitoring of users' access patterns
C. periodic awareness training
D. efficient termination procedures
View answer
Correct Answer: A
Question #16
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A. Identify the vulnerable systems and apply compensating controls
B. Minimize the use of vulnerable systems
C. Communicate the vulnerability to system users
D. Update the signatures database of the intrusion detection system (IDS)
View answer
Correct Answer: D
Question #17
A risk assessment should be conducted:
A. once a year for each business process andsubprocess
B. every three-to-six months for critical business processes
C. by external parties to maintain objectivity
D. annually or whenever there is a significant change
View answer
Correct Answer: C
Question #18
Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
A. Justification of the security budget must be continually made
B. New vulnerabilities are discovered every day
C. The risk environment is constantly changing
D. Management needs to be continually informed about emerging risks
View answer
Correct Answer: B
Question #19
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
A. right-to-terminate clause
B. limitations of liability
C. service level agreement (SLA)
D. financial penalties clause
View answer
Correct Answer: A
Question #20
Which of the following is the MOST important action to take when engaging third party consultants to conduct an attack and penetration test?
A. Request a list of the software to be used
B. Provide clear directions to IT staff
C. Monitor intrusion detection system (IDS) and firewall logs closely
D. Establish clear rules of engagement
View answer
Correct Answer: C
Question #21
Which of the following is the MOST critical consideration when collecting and preserving admissible evidence during an incident response?
A. Unplugging the systems
B. Chain of custody
C. Separation of duties
D. Clock synchronization
View answer
Correct Answer: C
Question #22
Which would be the BEST recommendation to protect against phishing attacks?
A. Install anantispam system
B. Publish security guidance for customers
C. Provide security awareness to the organization's staff
D. Install an application-level firewall
View answer
Correct Answer: A
Question #23
The MOST complete business case for security solutions is one that:
A. includes appropriate justification
B. explains the current risk profile
C. details regulatory requirements
D. identifies incidents and losses
View answer
Correct Answer: C
Question #24
An organization has learned of a Security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
A. assess the likelihood of incidents from the reported cause
B. discontinue the use of the vulnerable technology
C. report to senior management that the organization is not affected
D. remind staff that no similar security breaches have taken place
View answer
Correct Answer: C
Question #25
An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RFP) is the:
A. references from other organizations
B. past experience of the engagement team
C. sample deliverable
D. methodology used in the assessment
View answer
Correct Answer: A
Question #26
The MOST useful way to describe the objectives in the information security strategy is through:
A. attributes and characteristics of the 'desired state
B. overall control objectives of the security program
C. mapping the IT systems to key business processes
D. calculation of annual loss expectations
View answer
Correct Answer: B
Question #27
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
A. The recovery time objective (RTO) was not exceeded during testing
B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently
C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan
View answer
Correct Answer: A
Question #28
What is the BEST method for mitigating against network denial of service (DoS) attacks?
A. Ensure all servers are up-to-date on OS patches
B. Employ packet filtering to drop suspect packets
C. Implement network address translation to make internal addresses nonroutable
D. Implement load balancing for Internet facing devices
View answer
Correct Answer: A
Question #29
Security technologies should be selected PRIMARILY on the basis of their:
A. ability to mitigate business risks
B. evaluations in trade publications
C. use of new and emerging technologies
D. benefits in comparison to their costs
View answer
Correct Answer: C
Question #30
Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
A. assess the problems and institute rollback procedures, if needed
B. disconnect the systems from the network until the problems are corrected
C. immediatelyuninstall the patches from these systems
D. immediatelycontact the vendor regarding the problems that occurred
View answer
Correct Answer: A
Question #31
What is the MOST cost-effective method of identifying new vendor vulnerabilities?
A. External vulnerability reporting sources
B. Periodic vulnerability assessments performed by consultants
C. Intrusion prevention software
D. Honey pots located in the DMZ
View answer
Correct Answer: A
Question #32
A digital signature using a public key infrastructure (PKI) will:
A. notensure the integrity of a message
B. rely on the extent to which the certificate authority (CA) is trusted
C. require two parties to the message exchange
D. provide a high level of confidentiality
View answer
Correct Answer: B
Question #33
The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:
A. identifying vulnerabilities in the system
B. sustaining the organization's security posture
C. the existing systems that will be affected
D. complying with segregation of duties
View answer
Correct Answer: B
Question #34
From an information security manager perspective, what is the immediate benefit of clearly- defined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability
View answer
Correct Answer: D
Question #35
The implementation of continuous monitoring controls is the BEST option where:
A. Incidents may have a high impact and frequency
B. Legislation requires strong in/orrnation security controls
C. Incidents may have a high impact but low frequency
D. Electronic commerce is a primary business driver
View answer
Correct Answer: A
Question #36
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
A. ensure the confidentiality of sensitive material
B. provide a high assurance of identity
C. allow deployment of the active directory
D. Implement secure sockets layer (SSL) encryption
View answer
Correct Answer: A
Question #37
An organization has to comply with recently published industry regulatory requirements- compliance that potentially has high implementation costs. What should the information security manager do FIRST?
A. Implement a security committee
B. Perform a gap analysis
C. Implement compensating controls
D. Demand immediate compliance
View answer
Correct Answer: B
Question #38
To achieve effective strategic alignment of security initiatives, it is important that:
A. steering committee leadershipbe selected by rotation
B. inputs be obtained and consensus achieved between the major organizational units
C. the business strategybe updated periodically
D. procedures and standardsbe approved by all departmental heads
View answer
Correct Answer: C
Question #39
The MOST important factor in ensuring the success of an information security program, is effective:
A. communication of information security requirements to all users in the organization
B. formulation of policies and procedures for information security
C. alignment with organizational goals andobjectives
D. monitoring compliance with information security policies and procedures
View answer
Correct Answer: C
Question #40
Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
A. Annual loss expectancy (ALE) of incidents
B. frequency incidents
C. Total cost of ownership (TCO)
D. Approved budget for the project
View answer
Correct Answer: D
Question #41
Which of the following would be the MOST relevant factor when defining the information classification policy?
A. Quantity of information
B. Available IT infrastructure
C. Benchmarking
D. Requirements of data owners
View answer
Correct Answer: C
Question #42
Which of the following is MOST important in developing a security strategy?
A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security
View answer
Correct Answer: B

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: