Comprehensive CISM Exam Practice Questions & Answers, Certified Information Security Manager | SPOTO

Prepare comprehensively for the Certified Information Security Manager (CISM) certification exam with SPOTO's extensive collection of practice questions and answers. As an advanced certification, CISM signifies your expertise in developing and managing enterprise information security programs. Our practice tests cover a wide range of exam topics, including information risk management, governance, incident management, and program development. Access free sample questions to evaluate your knowledge, explore exam dumps for in-depth understanding, and take mock exams to simulate real testing scenarios. Utilize our curated exam materials with detailed answers and explanations to reinforce your learning. With SPOTO's online exam simulator, practice exam questions, refine your exam strategy, and prepare effectively for the CISM exam.

Question #1
A common concern with poorly written web applications is that they can allow an attacker to:
A. gain control through a buffer overflow
B. conduct a distributed denial of service (DDoS) attack
C. abuse a race condition
D. inject structured query language (SQL) statements
Correct Answer: D
Explanation: SQL injection is the classic consequence of a web application that concatenates untrusted input into database statements instead of validating it and binding it as a parameter. Buffer overflows and race conditions are mainly native-code and concurrency defects, and DDoS is a resource-exhaustion attack that does not depend on coding quality.
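As an added illustration of the flaw behind the correct answer (example code written for this page, not SPOTO's or ISACA's material; the table, users and attacker payload are constructed), the block below runs the same login query twice against an in-memory SQLite database: once built by string formatting, once with bound parameters.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "battery staple", "user"),
    ])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The statement is assembled by string formatting, so quote characters in the
    # attacker's input change the structure of the SQL rather than being data.
    query = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchall()

def login_parameterized(conn, username, password):
    # Bound parameters: the driver passes the values separately from the statement
    # text, so the same payload is compared literally and matches nothing.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def demo():
    conn = make_db()
    payload = "' OR '1'='1"          # classic tautology payload, constructed for the demo
    vulnerable_rows = login_vulnerable(conn, payload, payload)
    safe_rows = login_parameterized(conn, payload, payload)
    return vulnerable_rows, safe_rows

if __name__ == "__main__":
    vuln, safe = demo()
    print("string-formatted query returned:", vuln)   # every user, including the admin
    print("parameterized query returned:  ", safe)    # nothing
```

The formatted query becomes `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the attacker "logs in" as all users at once; the parameterized version returns an empty result for the same input.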

View The Updated CISM Exam Questions

SPOTO Provides 100% Real CISM Exam Questions for You to Pass Your CISM Exam!

Question #2
A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:
A. there are sufficient safeguards in place to prevent this risk from happening
B. the needed countermeasure is too complicated to deploy
C. the cost of the countermeasure outweighs the value of the asset and potential loss
D. the likelihood of the risk occurring is unknown
Correct Answer: C
Explanation: Accepting a risk without further treatment is justified when the cost of mitigating it exceeds the asset's value and the expected loss. If adequate safeguards already existed, the assessment team would not have reported the DoS exposure as an open risk; complexity of a countermeasure or an unknown likelihood would call for more analysis, not acceptance.
Question #3
Which of the following is MOST important for a successful information security program?
A. Adequate training on emerging security technologies
B. Open communication with key process owners
C. Adequate policies, standards and procedures
D. Executive management commitment
Correct Answer: D
Explanation: Without executive management commitment there is no funding, authority or enforcement behind the program; policies, training and communication with process owners all depend on it.
Question #4
After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?
A. Senior management
B. Business manager
C. IT audit manager
D. Information security officer (ISO)
Correct Answer: B
Explanation: The business manager owns the process and its risk, understands the operational impact of each control and bears its cost, so the business manager is best placed to choose among the mitigation options. Senior management sets risk appetite, the ISO recommends, and audit evaluates.
Question #5
When performing a risk assessment, the MOST important consideration is that:
A. management supports risk mitigation efforts
B. annual loss expectancies (ALEs) have been calculated for critical assets
C. assets have been identified and appropriately valued
D. attack motives, means and opportunities be understood
Correct Answer: C
Explanation: Every other step of a risk assessment, including ALE calculation, depends on first knowing which assets exist and what they are worth; an unidentified or mis-valued asset cannot be assessed at all.
Question #6
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report
Correct Answer: B
Explanation: A risk assessment report ties the identified weaknesses to their likelihood and impact on the organization, which is what makes management act. Metrics reports describe operational performance, a BIA is a continuity-planning input rather than a statement of current exposure, and a return-on-investment report argues for spending, not urgency.
Question #7
Attackers who exploit cross-site scripting vulnerabilities take advantage of:
A. a lack of proper input validation controls
B. weak authentication controls in the web application layer
C. flawed cryptographic secure sockets layer (SSL) implementations and short key lengths
D. implicit web application trust relationships
Correct Answer: A
Explanation: Cross-site scripting works because the application accepts untrusted input and then writes it into a page without validating it on the way in and encoding it on the way out, so the victim's browser executes attacker-supplied script. Authentication strength, transport encryption and trust relationships do not stop the injected markup from being rendered.
Question #8
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
A. Laws and regulations of the country of origin may not be enforceable in the foreign country
B. A security breach notification might get delayed due to the time difference
C. Additional network intrusion detection sensors should be installed, resulting in an additional cost
D. The company could lose physical control over the server and be unable to monitor the physical security posture of the server
Correct Answer: A
Explanation: Once data and systems sit in another jurisdiction, the organization's own legal and regulatory obligations may be unenforceable there and foreign law may apply instead; that is a risk no contract clause or sensor removes. Loss of physical oversight, time-zone delays and monitoring cost are manageable through contract terms and controls.
Question #9
When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?
A. Preserving the confidentiality of sensitive data
B. Establishing international security standards for data sharing
C. Adhering to corporate privacy standards
D. Establishing system manager responsibility for information security
Correct Answer: A
Explanation: Security governance exists to protect the organization's information assets, and protecting the confidentiality of sensitive data is the core of that mandate. Standards, privacy rules and assignment of responsibility are means toward it.
Question #10
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
A. Senior management commitment
B. Information security framework
C. Information security organizational structure
D. Information security policy
Correct Answer: A
Explanation: A framework, organizational structure and policy are all products of a program that senior management has agreed to sponsor; without that commitment none of them can be established or enforced.
Question #11
One way to determine control effectiveness is by determining:
A. whether it is preventive, detective or compensatory
B. the capability of providing notification of failure
C. the test results of intended objectives
D. the evaluation and analysis of reliability
Correct Answer: C
Explanation: A control is effective if it achieves the objective it was put in place for, and the way to find out is to test it against that objective. Its type, its ability to signal failure and its reliability describe how it works, not whether it meets the objective.
Question #12
The MOST complete business case for security solutions is one that:
A. includes appropriate justification
B. explains the current risk profile
C. details regulatory requirements
D. identifies incidents and losses
Correct Answer: A
Explanation: The risk profile, regulatory requirements and loss history are each one input; the complete business case brings them together into the justification for the investment.
Question #13
When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer (SSL), confidentiality is MOST vulnerable to which of the following?
A. IP spoofing
B. Man-in-the-middle attack
C. Repudiation
D. Trojan
Correct Answer: D
Explanation: With certificate-based client authentication on top of server authentication, the session is mutually authenticated and encrypted, which defeats IP spoofing and a man-in-the-middle, and the certificate provides non-repudiation. A Trojan on the user's endpoint reads the data before it is encrypted or after it is decrypted, so SSL offers no protection against it.
Question #14
Who in an organization has the responsibility for classifying information?
A. Data custodian
B. Database administrator
C. Information security officer
D. Data owner
Correct Answer: D
Explanation: The data owner understands the business value and sensitivity of the information and is accountable for it, so classification is the owner's decision. Custodians and database administrators apply the controls the classification requires, and the information security officer defines the classification scheme.
Question #15
When performing an information risk analysis, an information security manager should FIRST:
A. establish the ownership of assets
B. evaluate the risks to the assets
C. take an asset inventory
D. categorize the assets
Correct Answer: C
Explanation: Ownership, categorization and risk evaluation all operate on a known set of assets, so the inventory comes first.
Question #16
The FIRST step to create an internal culture that focuses on information security is to:
A. implement stronger controls
B. conduct periodic awareness training
C. actively monitor operations
D. gain the endorsement of executive management
Correct Answer: D
Explanation: Culture follows visible leadership; controls, training and monitoring only take hold once executive management has endorsed security as an organizational priority.
Question #17
Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
A. Historical cost of the asset
B. Acceptable level of potential business impacts
C. Cost versus benefit of additional mitigating controls
D. Annualized loss expectancy (ALE)
Correct Answer: B
Explanation: Residual risk is acceptable when the potential business impact that remains is within what the organization has agreed to tolerate. Cost of the asset, cost versus benefit of further controls and ALE feed that judgement but do not define the acceptable level.
Question #18
Investments in information security technologies should be based on:
A. vulnerability assessments
B. value analysis
C. business climate
D. audit recommendations
Correct Answer: B
Explanation: Spending on security technology should be justified by the value it delivers relative to its cost and the risk it reduces. Vulnerability assessments and audit recommendations identify issues but do not by themselves prioritize spend, and business climate is too general a driver.
Question #19
The decision as to whether a risk has been reduced to an acceptable level should be determined by:
A. organizational requirements
B. information systems requirements
C. information security requirements
D. international standards
Correct Answer: A
Explanation: Acceptable risk is a business decision and is measured against the organization's own requirements and risk appetite. Systems requirements, security requirements and international standards inform that decision but do not make it.
Question #20
When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
A. Compliance with international security standards
B. Use of a two-factor authentication system
C. Existence of an alternate hot site in case of business disruption
D. Compliance with the organization's information security requirements
Correct Answer: D
Explanation: The contract must bind the provider to the organization's own security requirements, which is what makes every other expectation enforceable. Specific controls such as two-factor authentication, a hot site or alignment with an international standard may be part of those requirements but are not a substitute for them.
