DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

CISM Exam Questions & Study Materials, Certified Information Security Manager | SPOTO

Prepare for your CISM certification with SPOTO's comprehensive study materials and high-quality practice tests. Our exam questions cover a range of topics, including cybersecurity governance, risk management, incident response, and compliance. Access free sample questions to gauge your readiness and delve into our extensive exam dumps for a deeper understanding of key concepts. With SPOTO's mock exams, simulate the real testing environment and fine-tune your exam-taking skills. Explore our rich collection of exam materials, complete with detailed answers and explanations, to reinforce your knowledge. Whether you're practicing exam questions, reviewing sample scenarios, or refining your exam strategy, SPOTO's online exam simulator is your essential tool for CISM exam preparation success.
Take other online exams

Question #1
The FIRST step in an incident response plan is to:
A. notify- the appropriate individuals
B. contain the effects of the incident to limit damage
C. develop response strategies for systematic attacks
D. validate the incident
View answer
Correct Answer: C
Question #2
The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be:
A. service level monitoring
B. penetration testing
C. periodically auditing
D. security awareness training
View answer
Correct Answer: B
Question #3
Identification and prioritization of business risk enables project managers to:
A. establish implementation milestones
B. reduce the overall amount of slack time
C. address areas with most significance
D. accelerate completion of critical paths
View answer
Correct Answer: D
Question #4
Which of the following is the MOST usable deliverable of an information security risk analysis?
A. Business impact analysis (BIA) report
B. List of action items to mitigate risk
C. Assignment of risks to process owners
D. Quantification of organizational risk
View answer
Correct Answer: D
Question #5
After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?
A. Senior management
B. Business manager
C. IT audit manager
D. Information security officer (ISO)
View answer
Correct Answer: D
Question #6
Which of the following BEST ensures that information transmitted over the Internet will remain confidential?
A. Virtual private network (VPN)
B. Firewalls and routers
C. Biometric authentication
D. Two-factor authentication
View answer
Correct Answer: C
Question #7
A business impact analysis (BIA) is the BEST tool for calculating:
A. total cost of ownership
B. priority of restoration
C. annualized loss expectancy (ALE)
D. residual risk
View answer
Correct Answer: B
Question #8
To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?
A. Assessment of business impact of past incidents
B. Need of an independent review of incident causes
C. Need for constant improvement on the security level
D. Possible business benefits from incident impact reduction
View answer
Correct Answer: C
Question #9
The BEST strategy for risk management is to:
A. achieve a balance between risk and organizational goals
B. reduce risk to an acceptable level
C. ensure that policy development properly considers organizational risks
D. ensure that all unmitigated risks are accepted by management
View answer
Correct Answer: B
Question #10
Which of the following risks would BEST be assessed using qualitative risk assessment techniques?
A. Theft of purchased software
B. Power outage lasting 24 hours
C. Permanent decline in customer confidence
D. Temporary loss of e-mail due to a virus attack
View answer
Correct Answer: C
Question #11
A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action? A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)
View answer
Correct Answer: A
Question #12
Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
A. Tree diagrams
B. Venn diagrams
C. Heat charts
D. Bar charts
View answer
Correct Answer: B
Question #13
Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:
A. conduct a risk assessment and allow or disallow based on the outcome
B. recommend a risk assessment and implementation only if the residual risks are accepted
C. recommend against implementation because it violates the company's policies
D. recommend revision of current policy
View answer
Correct Answer: A
Question #14
During the security review of organizational servers it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the Real 289 Isaca CISM Exam security manager should:
A. copy sample files as evidence
B. remove access privileges to the folder containing the data
C. report this situation to the data owner
D. train the HR team on properly controlling file permissions
View answer
Correct Answer: B
Question #15
All risk management activities are PRIMARILY designed to reduce impacts to:
A. a level defined by the security manager
B. an acceptable level based on organizational risk tolerance
C. a minimum level consistent with regulatory requirements
D. the minimum level possible
View answer
Correct Answer: C
Question #16
The MOST important objective of a post incident review is to:
A. capture lessons learned to improve the process
B. develop a process for continuous improvement
C. develop a business case for the security program budget
D. identify new incident management tools
View answer
Correct Answer: C
Question #17
The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:
A. Secure Sockets Layer (SSL)
B. Secure Shell (SSH)
C. IP Security (IPSec)
D. Secure/Multipurpose Internet Mail Extensions (S/MIME )
View answer
Correct Answer: C
Question #18
Which of the following is the MOST effective type of access control?
A. Centralized
B. Role-based
C. Decentralized
D. Discretionary
View answer
Correct Answer: A
Question #19
The criticality and sensitivity of information assets is determined on the basis of: C.
A. threat assessment
B. vulnerability assessment
D. impact assessment
View answer
Correct Answer: B
Question #20
Who can BEST approve plans to implement an information security governance framework? C.
A. Internal auditor
B. Information security management Steering committee
D. Infrastructure management
View answer
Correct Answer: A
Question #21
Which of the following devices should be placed within a demilitarized zone (DMZ)?
B.
A. Network switch Web server
C. Database server
D. File/print server
View answer
Correct Answer: C
Question #22
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?.
A. Identify the vulnerable systems and apply compensating controls
B. Minimize the use of vulnerable systems
C. Communicate the vulnerability to system users
D. Update the signatures database of the intrusion detection system (IDS)
View answer
Correct Answer: B
Question #23
A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:
A. confirm the incident
C. start containment
D. notify law enforcement
View answer
Correct Answer: D
Question #24
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices? C.
A. Regular review of access control lists
B. Security guard escort of visitors Visitor registry log at the door
D. A biometric coupled with a PIN
View answer
Correct Answer: A
Question #25
When implementing security controls, an information security manager must PRIMARILY focus on:
A. minimizing operational impacts
B. eliminating all vulnerabilities
C. usage by similar organizations
D. certification from a third party
View answer
Correct Answer: D
Question #26
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
View answer
Correct Answer: D
Question #27
Which of the following would be the BEST metric for the IT risk management process?
A. Number of risk management action plans
B. Percentage of critical assets with budgeted remedial
C. Percentage of unresolved risk exposures
D. Number of security incidents identified
View answer
Correct Answer: B
Question #28
Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?
A. Preparedness tests B
C. Full operational tests
D. Actual service disruption
View answer
Correct Answer: B
Question #29
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
A. Centralizing security management
B. Implementing sanctions for noncompliance
C. Policy enforcement by IT management Periodic compliance reviews
View answer
Correct Answer: A
Question #30
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
A. Authentication
B. Hardening
C. Encryption
D. Nonrepudiation
View answer
Correct Answer: C
Question #31
Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
A. Business continuity coordinator
B. Chief operations officer (COO)
C. Information security manager
D. Internal audit
View answer
Correct Answer: C
Question #32
The MOST important reason that statistical anomaly-based intrusion detection systems (slat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs:
A. create more overhead than signature-based IDSs
B. cause false positives from minor changes to system variables
C. generate false alarms from varying user or system actions
D. cannot detect new types of attacks
View answer
Correct Answer: C
Question #33
Which of the following is MOST effective in preventing security weaknesses in operating systems?
B.
A. Patch management Change management
C. Security baselines
D. Configuration management
View answer
Correct Answer: C
Question #34
To determine how a security breach occurred on the corporate network, a security manager looks Real 285 Isaca CISM Exam at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?
A. Database server
B. Domain name server (DNS)
C. Time server
D. Proxy server
View answer
Correct Answer: B
Question #35
The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:
A. sales department
B. database administrator
C. chief information officer (CIO)
D. head of the sales department
View answer
Correct Answer: D

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: