Expert-Designed CISM Practice Tests 2024, Certified Information Security Manager | SPOTO

Prepare effectively for the ISACA CISM exam with SPOTO's high-quality practice tests. Our comprehensive resources cover key topics such as information security governance, risk management, incident management, regulatory compliance, security program development, and information security management. Access a variety of exam materials, including exam dumps, sample questions, and mock exams, to reinforce your understanding of these crucial areas. Utilize our exam simulator for realistic exam practice, simulating the exam environment and enhancing your time management skills. With SPOTO, you'll have all the tools you need to succeed in your CISM exam preparation. Start your journey to certification success today and unlock your potential as an information security professional.

Question #1
Which would be the BEST recommendation to protect against phishing attacks?
A. Install an antispam system
B. Publish security guidance for customers
C. Provide security awareness to the organization's staff
D. D
Correct Answer: C

Question #2
When a significant security breach occurs, what should be reported FIRST to senior management?
A. A summary of the security logs that illustrates the sequence of events
B. An explanation of the incident and corrective action taken
C. An analysis of the impact of similar attacks at other organizations
D. A business case for implementing stronger logical access controls
Correct Answer: C
Question #3
Which of the following is the GREATEST security threat when an organization allows remote access to a virtual private network (VPN)?
A. Client logins are subject to replay attack
B. Compromised VPN clients could impact the network
C. Attackers could compromise the VPN gateway
D. VPN traffic could be sniffed and captured
Correct Answer: A
Question #4
A test plan to validate the security controls of a new system should be developed during which phase of the project?
A. Testing
B. Initiation
C. Design
D. Development
Correct Answer: D
Question #5
Which of the following is the BEST indicator that an effective security control is built into an organization?
A. The monthly service level statistics indicate a minimal impact from security issues
B. The cost of implementing a security control is less than the value of the assets
C. The percentage of systems that is compliant with security standards
D. The audit reports do not reflect any significant findings on security
Correct Answer: A
Question #6
In the event that a password policy cannot be implemented for a legacy application, which of the following is the BEST course of action?
A. Update the application security policy
B. Implement compensating control
C. Submit a waiver for the legacy application
D. Perform an application security assessment
Correct Answer: B
Question #7
The recovery point objective (RPO) requires which of the following?
A. Disaster declaration
B. Before-image restoration
C. System restoration
D. After-image processing
Correct Answer: C
Question #8
Which of the following sites would be MOST appropriate in the case of a very short recovery time objective (RTO)?
A. Warm
B. Redundant
C. Shared
D. Mobile
Correct Answer: C
Question #9
The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is:
A. messages displayed at every logon
B. periodic security-related e-mail messages
C. an Intranet web site for information security
D. circulating the information security policy
Correct Answer: A
Question #10
Which of the following would BEST protect an organization's confidential data stored on a laptop computer from unauthorized access?
A. Strong authentication by password
B. Encrypted hard drives
C. Multifactor authentication procedures
D. Network-based data backup
Correct Answer: B
Question #11
An organization has a policy in which all criminal activity is prosecuted. What is MOST important for the information security manager to ensure when an employee is suspected of using a company computer to commit fraud?
A. The forensics process is immediately initiated
B. The incident response plan is initiated
C. The employee's log files are backed up
D. Senior management is informed of the situation
Correct Answer: D
Question #12
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
A. end users
B. legal counsel
C. operational units
D. audit management
Correct Answer: D
Question #13
Risk management programs are designed to reduce risk to:
A. a level that is too small to be measurable
B. the point at which the benefit exceeds the expense
C. a level that the organization is willing to accept
D. a rate of return that equals the current cost of capital
Correct Answer: B
Question #14
Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements:
A. are compatible with the provider's own classification
B. are communicated to the provider
C. exceed those of the outsourcer
D. are stated in the contract
Correct Answer: A
Question #15
Which of the following would BEST help to identify vulnerabilities introduced by changes to an organization’s technical infrastructure?
A. An intrusion detection system
B. Established security baselines
C. Penetration testing
D. Log aggregation and correlation
Correct Answer: A
Question #16
Which of the following is the BEST approach to make strategic information security decisions?
A. Establish an information security steering committee
B. Establish periodic senior management meetings
C. Establish regular information security status reporting
D. Establish business unit security working groups
Correct Answer: D
Question #17
Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of:
A. similar change requests
B. change request postponements
C. canceled change requests
D. emergency change requests
Correct Answer: B
Question #18
What is the MOST important reason for conducting security awareness programs throughout an organization?
A. Reducing the human risk
B. Maintaining evidence of training records to ensure compliance
C. Informing business units about the security strategy
D. Training personnel in security incident response
Correct Answer: D
Question #19
An information security manager is developing a business case for an investment in an information security control. The FIRST step should be to:
A. research vendor pricing to show cost efficiency
B. assess potential impact to the organization
C. demonstrate increased productivity of security staff
D. gain audit buy-in for the security control
Correct Answer: D
Question #20
What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
A. Authentication
B. Encryption
C. Prohibit employees from copying data to USB devices
D. Limit the use of USB devices
Correct Answer: B
Question #21
A multinational organization’s information security manager has been advised that the city in which a contracted regional data center is located is experiencing civil unrest. The information security manager should FIRST:
A. delete the organization’s sensitive data at the provider’s location
B. engage another service provider at a safer location
C. verify the provider’s ability to protect the organization’s data
D. evaluate options to recover if the data center becomes unreachable
Correct Answer: A
Question #22
Which of the following would be the BEST defense against sniffing?
A. Password protect the files
B. Implement a dynamic IP address scheme
C. Encrypt the data being transmitted
D. Set static mandatory access control (MAC) addresses
Correct Answer: A
Question #23
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
A. Exclusive use of the hot site is limited to six weeks
B. The hot site may have to be shared with other customers
C. The time of declaration determines site access priority
D. The provider services all major companies in the area
Correct Answer: B
Question #24
The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
A. system developer
B. information security manager
C. steering committee
D. system data owner
Correct Answer: A
Question #25
The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:
A. simulate an attack and review IDS performance
B. use a honeypot to check for unusual activity
C. audit the configuration of the IDS
D. benchmark the IDS against a peer site
Correct Answer: C
Question #26
The MAIN goal of an information security strategic plan is to:
A. develop a risk assessment plan
B. develop a data protection plan
C. protect information assets and resources
D. establish security governance
Correct Answer: D
Question #27
An intrusion detection system (IDS) should:
A. run continuously
B. ignore anomalies
C. require a stable, rarely changed environment
D. be located on the network
Correct Answer: C
Question #28
What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?
A. Business impact analyses
B. Security gap analyses
C. System performance metrics
D. Incident response processes
Correct Answer: B
Question #29
After detecting an advanced persistent threat (APT), which of the following should be the information security manager’s FIRST step?
A. Notify management
B. Contain the threat
C. Remove the threat
D. Perform root-cause analysis
Correct Answer: A
Question #30
Which of the following outsourced services has the GREATEST need for security monitoring?
A. Enterprise infrastructure
B. Application development
C. Virtual private network (VPN) services
D. Web site hosting
Correct Answer: D
Question #31
An organization wants to integrate information security into its human resource management processes. Which of the following should be the FIRST step?
A. Evaluate the cost of information security integration
B. Assess the business objectives of the processes
C. Identify information security risk associated with the processes
D. Benchmark the processes with best practice to identify gaps
Correct Answer: A
Question #32
D. An account with full administrative privileges over a production file is found to be accessible by a member of the software development team
Correct Answer: D
Question #33
A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
A. User
B. Network
C. Operations
D. Database
Correct Answer: A
Question #34
The PRIORITY action to be taken when a server is infected with a virus is to:
A. isolate the infected server(s) from the network
Correct Answer: B
Question #35
Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
A. Penetration attempts investigated
B. Violation log reports produced
C. Violation log entries
D. Frequency of corrective actions taken
Correct Answer: B
Question #36
What does a network vulnerability assessment intend to identify?
A. 0-day vulnerabilities
B. Malicious software and spyware
C. Security design flaws
D. Misconfiguration and missing updates
Correct Answer: B
Question #37
Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?
A. Reconciliation of the annual systems inventory to the disaster recovery/business continuity plans
B. Periodic audits of the disaster recovery/business continuity plans
C. Comprehensive walk-through testing
D. Inclusion as a required step in the system life cycle process
Correct Answer: D
Question #38
Which of the following would a security manager establish to determine the target for restoration of normal processing?
A. Recovery time objective (RTO)
B. Maximum tolerable outage (MTO)
C. Recovery point objectives (RPOs)
D. Services delivery objectives (SDOs)
Correct Answer: B
Question #39
An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:
A. threat
B. loss
C. vulnerability
D. probability
Correct Answer: B
Question #40
When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?
A. Evaluate productivity losses
B. Assess the impact of confidential data disclosure
C. Calculate the value of the information or asset
D. Measure the probability of occurrence of each threat
Correct Answer: C
Question #41
Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:
A. the third party provides a demonstration on a test system
B. goals and objectives are clearly defined
C. the technical staff has been briefed on what to expect
D. special backups of production servers are taken
Correct Answer: D
Question #42
When developing security standards, which of the following would be MOST appropriate to include?
A. Accountability for licenses
B. Acceptable use of IT assets
C. Operating system requirements
D. Inventory management
Correct Answer: A
Question #43
Which of the following results from the risk assessment process would BEST assist risk management decision making?
A. Control risk
B. Inherent risk
C. Risk exposure
D. Residual risk
Correct Answer: D
Question #44
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
A. The recovery time objective (RTO) was not exceeded during testing
B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently
C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan
Correct Answer: A
Question #45
In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
A. Implementing on-screen masking of passwords
B. Conducting periodic security awareness programs
C. Increasing the frequency of password changes
D. Requiring that passwords be kept strictly confidential
Correct Answer: D
Question #46
Which of the following will BEST help to proactively prevent the exploitation of vulnerabilities in operating system software?
A. Patch management
B. Threat management
C. Intrusion detection system
D. Anti-virus software
Correct Answer: B
Question #47
Which of the following characteristics is MOST important to a bank in a high-value online financial transaction system?
A. Identification
B. Confidentiality
C. Authentication
D. Audit monitoring
Correct Answer: A
Question #48
The contribution of recovery point objective (RPO) to disaster recovery is to:
A. define backup strategy
B. eliminate single points of failure
C. reduce mean time between failures (MTBF)
D. minimize outage period
Correct Answer: C
Question #49
When defining responsibilities with a cloud computing vendor, which of the following should be regarded as a shared responsibility between user and provider?
A. Data ownership
B. Access log review
C. Application logging
D. Incident response
Correct Answer: C
Question #50
Of the following, whose input is of GREATEST importance in the development of an information security strategy?
A. End users
B. Corporate auditors
C. Process owners
D. Security architects
Correct Answer: D
Question #51
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
A. Data owner
B. Data custodian
C. Systems programmer
D. Security administrator
Correct Answer: A
Question #52
Which of the following will BEST prevent external security attacks?
A. Static IP addressing
B. Network address translation
C. Background checks for temporary employees
D. Securing and analyzing system access logs
Correct Answer: C
Question #53
What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?
A. Provide detailed instructions on how to carry out different types of tasks
B. Ensure consistency of activities to provide a more stable environment
C. Ensure compliance to security standards and regulatory requirements
D. Ensure reusability to meet compliance to quality requirements
Correct Answer: A
Question #54
The BEST way to establish a recovery time objective (RTO) that balances cost with a realistic recovery time frame is to:
A. perform a business impact analysis
B. determine daily downtime cost
C. analyze cost metrics
D. conduct a risk assessment
Correct Answer: C
Question #55
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
A. System analyst
B. Quality control manager
C. Process owner
D. Information security manager
Correct Answer: B
Question #56
At what stage of the applications development process would encryption key management initially be addressed?
A. Requirements development
B. Deployment
C. Systems testing
D. Code reviews
Correct Answer: B
Question #57
Which of the following techniques would be the BEST test of security effectiveness?
A. Performing an external penetration test
B. Reviewing security policies and standards
C. Reviewing security logs
D. Analyzing technical security practices
Correct Answer: A
Question #58
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
A. External auditors
B. A peer group within a similar business
C.
D. A specialized management consultant
Correct Answer: A
Question #59
A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?
A. Access control policy
B. Data classification policy
C. Encryption standards
D. Acceptable use policy
Correct Answer: C
Question #60
The authorization to transfer the handling of an internal security incident to a third-party support provider is PRIMARILY defined by the:
A. information security manager
B. escalation procedures
C. disaster recovery plan
D. chain of custody
Correct Answer: D
Question #61
To ensure the information security of outsourced IT services, which of the following is the MOST critical due diligence activity?
A. Review samples of service level reports from the service provider
B. Assess the level of security awareness of the service provider
C. Request that the service provider comply with information security policy
D. Review the security status of the service provider
Correct Answer: B
