
CISM Practice Tests & Real Exam Dumps 2024 Updated, Certified Information Security Manager | SPOTO

Prepare for the CISM certification exam with SPOTO's updated 2024 practice tests and real exam dumps. As a Certified Information Security Manager, you demonstrate advanced knowledge and experience in developing and managing enterprise information security programs. Our practice tests cover essential exam topics like information risk management, governance, incident management, and program development. Access free sample questions to evaluate your readiness and dive into our comprehensive exam dumps for a thorough review. With SPOTO's mock exams, simulate real exam scenarios and refine your exam-taking skills. Explore our curated exam materials, complete with detailed answers and explanations, to reinforce your understanding. Utilize our online exam simulator to practice exam questions, enhance your exam strategy, and prepare effectively for the CISM exam.

Question #1
Which of the following attacks is BEST mitigated by utilizing strong passwords?
A. Man-in-the-middle attack
B. Brute force attack
C. Remote buffer overflow
D. Root kit
View answer
Correct Answer: B
Question #2
Which of the following areas is MOST susceptible to the introduction of security weaknesses?
A. Database management
B. Tape backup management
C. Configuration management
D. Incident response management
View answer
Correct Answer: C
Question #3
Which of the following would generally have the GREATEST negative impact on an organization?
A. Theft of computer software
B. Interruption of utility services
C. Loss of customer confidence
D. Internal fraud resulting in monetary loss
View answer
Correct Answer: C
Question #4
An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:
A. mitigate the impact by purchasing insurance
B. implement a circuit-level firewall to protect the network
C. increase the resiliency of security measures in place
D. implement a real-time intrusion detection system
View answer
Correct Answer: A
Question #5
Security monitoring mechanisms should PRIMARILY:
A. focus on business-critical information
B. assist owners to manage control risks
C. focus on detecting network intrusions
D. record all security violations
View answer
Correct Answer: B
Question #6
After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:
A. increase its customer awareness efforts in those regions
B. implement monitoring techniques to detect and react to potential fraud
C. outsource credit card processing to a third party
D. make the customer liable for losses if they fail to follow the bank's advice
View answer
Correct Answer: B
Question #7
An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?
A. Request that the third-party provider perform background checks on their employees
B. Perform an internal risk assessment to determine needed controls
C. Audit the third-party provider to evaluate their security controls
D. Perform a security assessment to detect security vulnerabilities
View answer
Correct Answer: B
Question #8
The PRIMARY purpose of using risk analysis within a security program is to:
A. justify the security expenditure
B. help businesses prioritize the assets to be protected
C. inform executive management of residual risk value
D. assess exposures and plan remediation
View answer
Correct Answer: B
Question #9
To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
A. review the functionalities and implementation requirements of the solution
B. review comparison reports of tool implementation in peer companies
C. provide examples of situations where such a tool would be useful
D. substantiate the investment in meeting organizational needs
View answer
Correct Answer: D
Question #10
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
View answer
Correct Answer: A
Question #11
The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A. periodically testing the incident response plans
B. regularly testing the intrusion detection system (IDS)
C. establishing mandatory training of all personnel
D. periodically reviewing incident response procedures
View answer
Correct Answer: A
Question #12
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
A. Feasibility
B. Design
C. Development
D. Testing
View answer
Correct Answer: A
Question #13
The BEST way to ensure that information security policies are followed is to:
A. distribute printed copies to all employees
B. perform periodic reviews for compliance
C. include escalating penalties for noncompliance
D. establish an anonymous hotline to report policy abuses
View answer
Correct Answer: B
Question #14
Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
A. Passwords stored in encrypted form
B. User awareness
C. Strong passwords that are changed periodically
D. Implementation of lock-out policies
View answer
Correct Answer: D
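Questions #1 and #14 both turn on the same point: a strong password raises the cost of each guess, but only a lock-out (or rate limit) stops an online guessing attack from running indefinitely. The following is an added example, not part of the SPOTO page or of ISACA's material, showing a sliding-window lock-out in front of a PBKDF2 password check. The thresholds, the account name and the guessed passwords are illustrative assumptions; the clock is faked so the timing can be reproduced offline.

```python
"""Account lock-out against online password guessing.

Added example (not from the SPOTO page or ISACA). Thresholds, usernames and
passwords below are illustrative assumptions, not recommended values.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts tolerated inside the window (assumption)
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long the account refuses all attempts once tripped
PBKDF2_ROUNDS = 100_000


def make_user(password: str):
    """Return (salt, hash) so the example never stores a plaintext password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class FakeClock:
    """Deterministic clock so the lock-out timing can be checked offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginService:
    def __init__(self, users: dict, clock) -> None:
        self._users = users                    # username -> (salt, hash)
        self._clock = clock
        self._failures = defaultdict(deque)    # username -> timestamps of failures
        self._locked_until = {}                # username -> time the lock expires

    def _password_ok(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, stored)   # constant-time comparison

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account is refused
        before the password is checked, so the attacker gets no oracle."""
        now = self._clock()
        if now < self._locked_until.get(username, 0.0):
            return "locked"
        failures = self._failures[username]
        while failures and failures[0] < now - WINDOW_SECONDS:
            failures.popleft()                 # forget failures outside the window
        if self._password_ok(username, password):
            failures.clear()
            return "ok"
        failures.append(now)
        if len(failures) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            failures.clear()
            return "locked"
        return "denied"


def simulate_guessing():
    """Replay a short constructed wordlist against one account and return
    (outcome of each attempt, outcome of the real password once the lock expires)."""
    clock = FakeClock()
    service = LoginService({"alice": make_user("correct horse battery staple")}, clock)
    wordlist = ["password", "123456", "qwerty", "letmein", "admin",
                "correct horse battery staple"]        # last entry is the real one
    outcomes = []
    for guess in wordlist:
        outcomes.append(service.login("alice", guess))
        clock.advance(1)                               # one guess per second
    clock.advance(LOCKOUT_SECONDS)                     # wait out the lock
    return outcomes, service.login("alice", "correct horse battery staple")


if __name__ == "__main__":
    print(simulate_guessing())
```

The fifth wrong guess trips the lock, and the correct password arriving one second later is refused unchecked; only after the lock expires does the genuine user get in. Two caveats a practitioner would add: a lock-out on its own lets an attacker deliberately lock victims out (a denial-of-service vector), and it does nothing against password spraying, where one guess is tried against many accounts, so it is normally paired with per-source rate limiting and multi-factor authentication.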
Question #15
Which of the following would be the FIRST step in establishing an information security program?
A. Develop the security policy
B. Develop security operating procedures
C. Develop the security plan
D. Conduct a security controls study
View answer
Correct Answer: A
Question #16
Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
A. Justification of the security budget must be continually made
B. New vulnerabilities are discovered every day
C. The risk environment is constantly changing
D. Management needs to be continually informed about emerging risks
View answer
Correct Answer: C
Question #17
The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?
A. Mitigating controls
B. Visibility of impact
C. Likelihood of occurrence
D. Incident frequency
View answer
Correct Answer: B
Question #18
An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:
A. validate and sanitize client-side inputs
B. harden the database listener component
C. normalize the database schema to the third normal form
D. ensure that the security patches are updated on operating systems
View answer
Correct Answer: A
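The answer to Question #18 is easy to misread: "client-side inputs" means input that arrives from the client, and the validation has to run on the server, because the attacker controls the browser. Below is an added example, not from the SPOTO page or from ISACA, that puts the vulnerable concatenated query beside a bound-parameter query and an allowlist check in front of it, using Python's built-in sqlite3. The table, its two rows and the username pattern are constructed for the demonstration.

```python
"""SQL injection: a concatenated query beside its validated, parameterized form.

Added example (not from the SPOTO page or ISACA). The table, rows and the
username allowlist pattern are constructed for the demonstration.
"""
import re
import sqlite3

# Allowlist for what a username may look like; anything else is rejected
# before it reaches the database (an assumed policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username: str):
    """Client input is spliced into the SQL text, so it can rewrite the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str):
    """Bound parameter: the value travels separately from the SQL grammar,
    so quotes in the input are data, never syntax."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_validated(conn, username: str):
    """Server-side allowlist validation first, then the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails allowlist")
    return lookup_parameterized(conn, username)


def demo():
    """Return (rows leaked by the vulnerable query, rows from the parameterized
    query, whether validation rejected the payload, rows for a legitimate user)."""
    conn = make_db()
    payload = "x' OR '1'='1"              # classic tautology payload
    leaked = lookup_vulnerable(conn, payload)
    bound = lookup_parameterized(conn, payload)
    try:
        lookup_validated(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    legit = lookup_validated(conn, "alice")
    return leaked, bound, rejected, legit


if __name__ == "__main__":
    leaked, bound, rejected, legit = demo()
    print("vulnerable query returned", len(leaked), "rows")
    print("parameterized query returned", len(bound), "rows")
    print("validation rejected payload:", rejected)
    print("legitimate lookup:", legit)
```

The tautology payload turns the concatenated query into `WHERE username = 'x' OR '1'='1'` and dumps every row; the same string bound as a parameter matches nothing, and the allowlist rejects it before a query is even built. Parameterized queries are the primary control; input validation is defence in depth, and it still belongs on the server.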
Question #19
Which of the following BEST indicates a successful risk management practice?
A. Overall risk is quantified
B. Inherent risk is eliminated
C. Residual risk is minimized
D. Control risk is tied to business units
View answer
Correct Answer: C
Question #20
A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the Information security program?
A. Representation by regional business leaders
B. Composition of the board
C. Cultures of the different countries
D. IT security skills
View answer
Correct Answer: C
Question #21
A risk management program would be expected to:
A. remove all inherent risk
B. maintain residual risk at an acceptable level
C. implement preventive controls for every threat
D. reduce control risk to zero
View answer
Correct Answer: B
Question #22
In assessing risk, it is MOST essential to:
A. provide equal coverage for all asset types
B. use benchmarking data from similar organizations
C. consider both monetary value and likelihood of loss
D. focus primarily on threats and recent business losses
View answer
Correct Answer: C
Question #23
An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:
A. threat
B. loss
C. vulnerability
D. probability
View answer
Correct Answer: C
Question #24
What is the MOST cost-effective means of improving security awareness of staff personnel?
A. Employee monetary incentives
B. User education and training
C. A zero-tolerance security policy
D. Reporting of security infractions
View answer
Correct Answer: B
Question #25
The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:
A. sales department
B. database administrator
C. chief information officer (CIO)
D. head of the sales department
View answer
Correct Answer: D
Question #26
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
A. Number of attacks detected
B. Number of successful attacks
C. Ratio of false positives to false negatives
D. Ratio of successful to unsuccessful attacks
View answer
Correct Answer: C
Question #27
There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?
A. Black box pen test
B. Security audit
C. Source code review
D. Vulnerability scan
View answer
Correct Answer: C
Question #28
When performing a risk assessment, the MOST important consideration is that:
A. management supports risk mitigation efforts
B. annual loss expectations (ALEs) have been calculated for critical assets
C. assets have been identified and appropriately valued
D. attack motives, means and opportunities be understood
View answer
Correct Answer: C
Question #29
Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?
A. Tests are scheduled on weekends
B. Network IP addresses are predefined
C. Equipment at the hot site is identical
D. Business management actively participates
View answer
Correct Answer: D
Question #30
Security awareness training should be provided to new employees:
A. on an as-needed basis
B. during system user training
C. before they have access to data
D. along with department staff
View answer
Correct Answer: C
Question #31
Which of the following is MOST effective in preventing security weaknesses in operating systems?
A. Patch management
B. Change management
C. Security baselines
D. Configuration management
View answer
Correct Answer: A
Question #32
Logging is an example of which type of defense against systems compromise?
A. Containment
B. Detection
C.
D. Recovery
View answer
Correct Answer: B
Question #33
Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
A. assess the problems and institute rollback procedures, if needed
B. disconnect the systems from the network until the problems are corrected
C. immediately uninstall the patches from these systems
D. immediately contact the vendor regarding the problems that occurred
View answer
Correct Answer: A
Question #34
The BEST time to perform a penetration test is after:
A. an attempted penetration has occurred
B. an audit has reported weaknesses in security controls
C. various infrastructure changes are made
D. a high turnover in systems staff
View answer
Correct Answer: C
Question #35
Which of the following is generally considered a fundamental component of an information security program?
A. Role-based access control systems
B. Automated access provisioning
C. Security awareness training
D. Intrusion prevention systems (IPSs)
View answer
Correct Answer: C
Question #36
The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
A. system developer
B. information security manager
C. steering committee
D. system data owner
View answer
Correct Answer: D
Question #37
Who can BEST approve plans to implement an information security governance framework?
A. Internal auditor
B. Information security management
C. Steering committee
D. Infrastructure management
View answer
Correct Answer: C
Question #38
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
A. Centralizing security management
B. Implementing sanctions for noncompliance
C. Policy enforcement by IT management
D. Periodic compliance reviews
View answer
Correct Answer: A
Question #39
Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
View answer
Correct Answer: B
Question #40
For risk management purposes, the value of an asset should be based on:
A. original cost
B. net cash flow
C. net present value
View answer
Correct Answer: C
Question #41
An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
A. A due diligence security review of the business partner's security controls
B. Ensuring that the business partner has an effective business continuity program
C. Ensuring that the third party is contractually obligated to all relevant security requirements
D. Talking to other clients of the business partner to check references for performance
View answer
Correct Answer: C
Question #42
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
A. Exclusive use of the hot site is limited to six weeks
B. The hot site may have to be shared with other customers
C. The time of declaration determines site access priority
D. The provider services all major companies in the area
View answer
Correct Answer: B
Question #43
An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:
A. an audit of the service provider uncovers no significant weakness
B. the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property
C. the contract should mandate that the service provider will comply with security policies
D. the third-party service provider conducts regular penetration testing
View answer
Correct Answer: C