Comprehensive CISM Exam Test Questions & Answers, Certified Information Security Manager | SPOTO

Prepare comprehensively for the Certified Information Security Manager (CISM) certification exam with SPOTO's comprehensive practice questions and answers. Our practice tests cover a wide range of exam topics, including information risk management, governance, incident management, and program development. Access free sample questions to evaluate your knowledge, explore exam dumps for in-depth understanding, and take mock exams to simulate real testing scenarios. Utilize our curated exam materials with detailed answers and explanations to reinforce your learning. With SPOTO's online exam simulator, practice exam questions, refine your exam strategy, and prepare effectively for the CISM exam. Whether you're practicing exam questions, reviewing sample scenarios, or honing your exam strategy, SPOTO's comprehensive CISM exam practice questions and answers will help you succeed.
Question #1
What information is MOST helpful in demonstrating to senior management how information security governance aligns with business objectives?
A. Updates on information security projects in development
B. Drafts of proposed policy changes
C. Metrics of key information security deliverables
D. A list of monitored threats, risks, and exposures
Correct Answer: C
Question #2
An organization is considering moving one of its critical business applications to a cloud hosting service. The cloud provider may not provide the same level of security for this application as the organization. Which of the following will provide the BEST information to help maintain the security posture?
A. Risk assessment
B. Cloud security strategy
C. Vulnerability assessment
D. Risk governance framework
Correct Answer: A
Question #3
The BEST metric for evaluating the effectiveness of a firewall is the:
A. number of attacks blocked
B. number of packets dropped
C. average throughput rate
D. number of firewall rules
Correct Answer: C
Question #4
Which of the following would be the BEST indicator that an organization is appropriately managing risk?
A. The number of security incident events reported by staff has increased
B. Risk assessment results are within tolerance
C. A penetration test does not identify any high-risk system vulnerabilities
D. The number of events reported from the intrusion detection system has declined
Correct Answer: B
Question #5
A business previously accepted the risk associated with a zero-day vulnerability. The same vulnerability was recently exploited in a high-profile attack on another organization in the same industry. Which of the following should be the information security manager’s FIRST course of action?
A. Reassess the risk in terms of likelihood and impact
B. Develop best and worst case scenarios
C. Report the breach of the other organization to senior management
D. Evaluate the cost of remediating the vulnerability
Correct Answer: B
Question #6
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
A. the plan aligns with the organization's business plan
B. departmental budgets are allocated appropriately to pay for the plan
C. regulatory oversight requirements are met
D. the impact of the plan on the business units is reduced
Correct Answer: A
Question #7
An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?
A. Direct information security on what they need to do
B. Research solutions to determine the proper solutions
C. Require management to report on compliance
D. Nothing; information security does not report to the board
Correct Answer: C
Question #8
Which of the following would be MOST useful in a report to senior management for evaluating changes in the organization’s information security risk position?
A. Risk register
B. Trend analysis
C. Industry benchmarks
D. Management action plan
Correct Answer: B
Question #9
Which of the following situations would MOST inhibit the effective implementation of security governance?
A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. High-level sponsorship
Correct Answer: D
Question #10
Following a recent acquisition, an information security manager has been requested to address the outstanding risk reported early in the acquisition process. Which of the following would be the manager’s BEST course of action?
A. Add the outstanding risk to the acquiring organization’s risk registry
B. Re-assess the outstanding risk of the acquired company
C. Re-evaluate the risk treatment plan for the outstanding risk
D. Perform a vulnerability assessment of the acquired company’s infrastructure
Correct Answer: A
Question #11
Which of the following is MOST essential for a risk management program to be effective?
A. Flexible security budget
B. Sound risk baseline
C. New risks detection
D. Accurate risk reporting
Correct Answer: C
Question #12
An information security manager uses security metrics to measure the:
A. performance of the information security program
B. performance of the security baseline
C. effectiveness of the security risk analysis
D. effectiveness of the incident response team
Correct Answer: C
Question #13
When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of controls
Correct Answer: D
Question #14
When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action would be to:
A. monitor for business changes
B. review the residual risk level
C. report compliance to management
D. implement controls to mitigate the risk
Correct Answer: B
Question #15
When selecting risk response options to manage risk, an information security manager’s MAIN focus should be on reducing:
A. exposure to meet risk tolerance levels
B. the likelihood of threat
C. financial loss by transferring risk
D. the number of security vulnerabilities
Correct Answer: A
Question #16
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
A. Patch management
B. Change management
C. Security metrics
D.
Correct Answer: D
Question #17
A risk mitigation report would include recommendations for:
A. assessment
B. acceptance
C. evaluation
D. quantification
Correct Answer: B
Question #18
The effectiveness of virus detection software is MOST dependent on which of the following?
A. Packet filtering
B. Intrusion detection
C. Software upgrades
D. Definition tables
Correct Answer: A
Question #19
Which of the following is an indicator of improvement in the ability to identify security risks?
A. Increased number of reported security incidents
B. Decreased number of staff requiring information security training
C. Decreased number of information security risk assessments
D. Increased number of security audit issues resolved
Correct Answer: A
Question #20
What should be the PRIMARY basis for prioritizing incident containment?
A. Legal and regulatory requirements
B. The recovery cost of affected assets
C. The business value of affected assets
D. Input from senior management
Correct Answer: A
Question #21
Which of the following would be the BEST metric for the IT risk management process?
A. Number of risk management action plans
B. Percentage of critical assets with budgeted remedial
C. Percentage of unresolved risk exposures
D. Number of security incidents identified
Correct Answer: B
Question #22
Which of the following devices should be placed within a DMZ?
A. Router
B. Firewall
C. Mail relay
D. Authentication server
Correct Answer: B
Question #23
What is the BEST technique to determine which security controls to implement with a limited budget?
A. Risk analysis
B. Annualized loss expectancy (ALE) calculations
C. Cost-benefit analysis
D. Impact analysis
Correct Answer: C
Question #24
In addition to business alignment and security ownership, which of the following is MOST critical for information security governance?
A. Auditability of systems
B. Compliance with policies
C. Reporting of security metrics
D. Executive sponsorship
Correct Answer: A
Question #25
In a business impact analysis, the value of an information system should be based on the overall cost:
A. of recovery
B. to recreate
C. if unavailable
D. of emergency operations
Correct Answer: C
Question #26
Which of the following is the BEST method to protect against data exposure when a mobile device is stolen?
A. Remote wipe capability
B. Password protection
C. Insurance
D. Encryption
Correct Answer: A
Question #27
To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
A. review the functionalities and implementation requirements of the solution
B. review comparison reports of tool implementation in peer companies
C. provide examples of situations where such a tool would be useful
D. substantiate the investment in meeting organizational needs
Correct Answer: D
Question #28
Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?
A. Security compliant servers trend report
B. Percentage of security compliant servers
C. Number of security patches applied
D. Security patches applied trend report
Correct Answer: D
Question #29
Following a significant change to the underlying code of an application, it is MOST important for the information security manager to:
A. inform senior management
B. update the risk assessment
C. validate the user acceptance testing
D. modify key risk indicators
Correct Answer: A
Question #30
The data access requirements for an application should be determined by the:
A. legal department
B. compliance officer
C. information security manager
D. business owner
Correct Answer: D
Question #31
The information classification scheme should:
A. consider possible impact of a security breach
B. classify personal information in electronic form
C. be performed by the information security manager
D. classify systems according to the data processed
Correct Answer: B
Question #32
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?
A. Prevent the system from being accessed remotely
B. Create a strong random password
C. Ask for a vendor patch
D. Track usage of the account by audit trails
Correct Answer: B
Question #33
The MOST important reason for conducting periodic risk assessments is because:
A. risk assessments are not always precise
B. security risks are subject to frequent change
C. reviewers can optimize and reduce the cost of controls
D. it demonstrates to senior management that the security function can add value
Correct Answer: B
Question #34
When implementing a new risk assessment methodology, which of the following is the MOST important requirement?
A. Risk assessments must be conducted by certified staff
B. The methodology must be approved by the chief executive officer
C. Risk assessments must be reviewed annually
D. The methodology used must be consistent across the organization
Correct Answer: D
Question #35
What is the MOST important item to be included in an information security policy?
Correct Answer: B
Question #36
A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:
A. there are sufficient safeguards in place to prevent this risk from happening
B. the needed countermeasure is too complicated to deploy
C. the cost of countermeasure outweighs the value of the asset and potential loss
D. the likelihood of the risk occurring is unknown
Correct Answer: C
Question #37
Who can BEST approve plans to implement an information security governance framework?
Correct Answer: A
Question #38
Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?
A. Symmetric cryptography
B. Public key infrastructure (PKI)
C. Message hashing
D. Message authentication code
Correct Answer: C
Question #39
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
A. Centralizing security management
B. Implementing sanctions for noncompliance
C. Policy enforcement by IT management
D. Periodic compliance reviews
Correct Answer: D
Question #40
Who can BEST advocate the development of and ensure the success of an information security program?
A. Internal auditor
B. Chief operating officer (COO)
C. Steering committee
D. IT management
Correct Answer: A
Question #41
Who should drive the risk analysis for an organization?
A. Senior management
B. Security manager
C.
D. Legal department
Correct Answer: B
Question #42
The effectiveness of the information security process is reduced when an outsourcing organization:
A. is responsible for information security governance activities
B. receives additional revenue when security service levels are met
C. incurs penalties for failure to meet security service-level agreements
D. standardizes on a single access-control software product
Correct Answer: A
Question #43
Acceptable risk is achieved when:
A. residual risk is minimized
B. transferred risk is minimized
C. control risk is minimized
D. inherent risk is minimized
Correct Answer: A
Question #44
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
A. prepare a security budget
B. conduct a risk assessment
C. develop an information security policy
D. obtain benchmarking information
Correct Answer: B
Question #45
An incident was detected where customer records were altered without authorization. The GREATEST concern for forensic analysis would be that the log data:
A. has been disclosed
B. could be temporarily available
C. may not be time-synchronized
D. may be modified
Correct Answer: D
Question #46
Effective IT governance is BEST ensured by:
A. utilizing a bottom-up approach
B. management by the IT department
C. referring the matter to the organization's legal department
D. utilizing a top-down approach
Correct Answer: D
Question #47
Which of the following is the BEST way to facilitate the alignment between an organization’s information security program and business objectives?
A. Information security is considered at the feasibility stage of all IT projects
B. The information security governance committee includes representation from key business areas
C. The chief executive officer reviews and approves the information security program
D. The information security program is audited by the internal audit department
Correct Answer: B
Question #48
Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?
A. Use security tokens for authentication
B. Connect through an IPSec VPN
C. Use https with a server-side certificate
D. Enforce static media access control (MAC) addresses
Correct Answer: A
Question #49
Which of the following BEST enables the deployment of consistent security throughout international branches within a multinational organization?
A. Maturity of security processes
B. Remediation of audit findings
C. Decentralization of security governance
D. Establishment of security governance
Correct Answer: D
Question #50
How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations cause conflicts
D. Negotiate a local version of the organization standards
Correct Answer: D
Question #51
Business units within an organization are resistant to proposed changes to the information security program. Which of the following is the BEST way to address this issue?
A. Implementing additional security awareness training
B. Communicating critical risk assessment results to business unit managers
C. Including business unit representation on the security steering committee
D. Publishing updated information security policies
Correct Answer: B
Question #52
Which of the following is MOST effective in preventing security weaknesses in operating systems?
A. Patch management
B. Change management
C. Security baselines
D. Configuration management
Correct Answer: C
Question #53
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
A. Number of attacks detected
B. Number of successful attacks
C. Ratio of false positives to false negatives
D. Ratio of successful to unsuccessful attacks
Correct Answer: C
Question #54
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN
Correct Answer: B
Question #55
Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?
A. Screened subnets
B. Information classification policies and procedures
C. Role-based access controls
D. Intrusion detection system (IDS)
Correct Answer: D
Question #56
An organization has recently experienced unauthorized device access to its network. To proactively manage the problem and mitigate this risk, the BEST preventive control would be to:
A. keep an inventory of network and hardware addresses of all systems connected to the network
B. install a stateful inspection firewall to prevent unauthorized network traffic
C. implement network-level authentication and login to regulate access of devices to the network
D. deploy an automated asset inventory discovery tool to identify devices that access the network
Correct Answer: B
Question #57
Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?
A. Biometric authentication
B. Embedded steganographic
C. Two-factor authentication
D. Embedded digital signature
Correct Answer: C