
Latest CISM Practice Tests and Exam Dumps 2024, Certified Information Security Manager | SPOTO

Prepare comprehensively for the ISACA CISM exam with our latest CISM practice tests and exam dumps for 2024. Our meticulously curated materials cover key topics including information security governance, risk management, incident management, and regulatory compliance, ensuring you're fully prepared for the exam. Access our comprehensive exam preparation resources, including exam questions and answers, to sharpen your skills and knowledge. Say goodbye to unreliable sources and embrace trusted exam practice with SPOTO. With our exam simulator, you can simulate the exam environment and refine your exam-taking strategies effectively. Whether you need sample questions or mock exams, SPOTO provides the tools you need to succeed. Start with our free test to experience the quality of our practice tests firsthand and elevate your exam preparation to the next level.

Question #1
An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur?
A. Nothing, since a risk assessment was completed during development
B. A vulnerability assessment should be conducted
C. A new risk assessment should be performed
D. The new vendor's SAS 70 type II report should be reviewed
View answer
Correct Answer: C
Question #2
In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
A. ensure access to individual functions can be granted to individual users only
B. implement role-based access control in the application
C. enforce manual procedures ensuring separation of conflicting duties
D. create service accounts that can only be used by authorized team members
View answer
Correct Answer: B
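Added example, not part of the page or of any ISACA material: the reason role-based access control is the BEST answer above is that roles make segregation of duties enforceable by the system rather than by manual procedure. The block below builds a small RBAC model with a constructed segregation-of-duties conflict list, refuses any assignment that would give one user a conflicting role pair, and audits an existing assignment set for conflicts (as you would after an import or an acquisition). All role names, permissions and users are assumptions made for the example.

```python
"""Toy RBAC model with a segregation-of-duties (SoD) check.

Added example; roles, permissions, users and the conflict list are constructed.
"""
from dataclasses import dataclass, field

# Conflicting role pairs: a single user must never hold both at once (constructed policy).
SOD_CONFLICTS = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"developer", "production_deployer"}),
}

# Role -> set of permissions (constructed).
ROLE_PERMISSIONS = {
    "payment_initiator": {"payment:create"},
    "payment_approver": {"payment:approve"},
    "developer": {"code:write"},
    "production_deployer": {"deploy:prod"},
    "auditor": {"payment:read", "deploy:read"},
}


class SoDViolation(Exception):
    """Raised when an assignment would give a user two conflicting roles."""


@dataclass
class Rbac:
    assignments: dict = field(default_factory=dict)  # user -> set of role names

    def assign(self, user, role):
        """Grant a role, refusing it if it conflicts with a role the user already holds."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        for held in self.assignments.get(user, set()):
            if frozenset({held, role}) in SOD_CONFLICTS:
                raise SoDViolation(f"{user}: {role} conflicts with {held}")
        self.assignments.setdefault(user, set()).add(role)

    def permissions(self, user):
        """Effective permissions: the union of the user's role permissions."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ())))

    def is_allowed(self, user, permission):
        return permission in self.permissions(user)

    def audit_conflicts(self):
        """Users holding a conflicting role pair (e.g. roles loaded without going through assign)."""
        return sorted(
            user for user, roles in self.assignments.items()
            if any(pair <= roles for pair in SOD_CONFLICTS)
        )


def try_assign(rbac, user, role):
    """Return True if the assignment was accepted, False if SoD blocked it."""
    try:
        rbac.assign(user, role)
        return True
    except SoDViolation:
        return False


if __name__ == "__main__":
    rb = Rbac()
    rb.assign("alice", "payment_initiator")
    rb.assign("bob", "payment_approver")
    print("alice may approve:", rb.is_allowed("alice", "payment:approve"))
    print("alice gets approver role:", try_assign(rb, "alice", "payment_approver"))
    rb.assignments["carol"] = {"developer", "production_deployer"}  # imported without checks
    print("users in conflict:", rb.audit_conflicts())
```

The enforcement point is in assign(): the conflict is rejected at grant time, so no manual review is needed to keep initiator and approver apart. audit_conflicts() covers the case the question's option C would otherwise rely on, where roles arrive from elsewhere and have to be checked after the fact.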
Question #3
In risk assessment, after the identification of threats to organizational assets, the information security manager would:
A. evaluate the controls currently in place
B. implement controls to achieve target risk levels
C. request funding for the security program
D. determine threats to be reported to upper management
View answer
Correct Answer: A
Question #4
Security risk assessments should cover only information assets that:
A. are classified and labeled
B. are inside the organization
C. support business processes
D. have tangible value
View answer
Correct Answer: C
Question #5
The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:
A. helps ensure that communications are secure
B. increases security between multi-tier systems
C. allows passwords to be changed less frequently
D. eliminates the need for secondary authentication
View answer
Correct Answer: A
Question #6
Security awareness training is MOST likely to lead to which of the following?
A. Decrease in intrusion incidents
B. Increase in reported incidents
C. Decrease in security policy changes
D. Increase in access rule violations
View answer
Correct Answer: B
Question #7
An information security manager is reviewing the business case for a security project that is entering the development phase. It is determined that the estimated cost of the controls is now greater than the risk being mitigated. The information security manager’s BEST recommendation would be to:
A. eliminate some of the controls from the project scope
B. discontinue the project to release funds for other efforts
C. pursue the project until the benefits cover the costs
D. slow the pace of the project to spread costs over a longer period
View answer
Correct Answer: A
Question #8
The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy. Which of the following is the MOST likely reason?
A. The strategy does not include a cost-benefit analysis
B. The CISO reports to the CIO
C. There was a lack of engagement with the business during development
D. The strategy does not comply with security standards
View answer
Correct Answer: C
Question #9
An organization plans to allow employees to use their own devices on the organization’s network. Which of the following is the information security manager’s BEST course of action?
A. Implement automated software
B. Assess associated risk
C. Conduct awareness training
D. Update the security policy
View answer
Correct Answer: B
Question #10
What is the MOST important success factor in launching a corporate information security awareness program?
A. Adequate budgetary support
B. Centralized program management
C. Top-down approach
D. Experience of the awareness trainers
View answer
Correct Answer: C
Question #11
Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?
A. The ability to remotely locate devices
B. The ability to centrally manage devices
C. The ability to restrict unapproved applications
D. The ability to classify types of devices
View answer
Correct Answer: B
Question #11 (b)
Which of the following is the GREATEST benefit of integrating information security program requirements into vendor management?
A. The ability to reduce risk in the supply chain
B. The ability to meet industry compliance requirements
C. The ability to define service level agreements (SLAs)
D. The ability to improve vendor performance
View answer
Correct Answer: A
Question #12
Which of the following has the MOST direct impact on the usability of an organization's asset classification program?
A. The granularity of classifications in the hierarchy
B. The frequency of updates to the organization’s risk register
C. The business objectives of the organization
D. The support of senior management for the classification scheme
View answer
Correct Answer: A
Question #13
Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
A. Interoffice a system-generated complex password with 30 days expiration
B. Give a dummy password over the telephone set for immediate expiration
C. Require no password but force the user to set their own in 10 days
D. Set initial password equal to the user ID with expiration in 30 days
View answer
Correct Answer: B
Question #14
Which of the following should be the PRIMARY consideration when selecting a recovery site?
A. Regulatory requirements
B. Recovery time objective
C. Geographical location
D. Recovery point objective
View answer
Correct Answer: B
Question #15
Which of the following approaches is BEST for selecting controls to minimize information security risks?
A. Cost-benefit analysis
B. Control-effectiveness
C. Risk assessment
D. Industry best practices
View answer
Correct Answer: C
Question #16
Which of the following is a step in establishing a security policy?
A. Developing platform-level security baselines
B. Creating a RACI matrix
C. Implementing a process for developing and maintaining the policy
D. Developing configuration parameters for the network
View answer
Correct Answer: C
Question #17
Which of the following measures would be MOST effective against insider threats to confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense-in-depth
View answer
Correct Answer: A
Question #18
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?
A. Configuration of firewalls
B. Strength of encryption algorithms
C. Authentication within application
D. Safeguards over keys
View answer
Correct Answer: D
Question #19
Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?
A. Require remote wipe capabilities for devices
B. Enforce passwords and data encryption on the devices
C. Conduct security awareness training
D. Review and update existing security policies
View answer
Correct Answer: D
Question #20
Which of the following would BEST ensure that security risk assessment is integrated into the life cycle of major IT projects?
A. Integrating the risk assessment into the internal audit program
B. Applying global security standards to the IT projects
C. Training project managers on risk assessment
D. Having the information security manager participate on the project setting committees
View answer
Correct Answer: B
Question #21
The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs is that stat IDSs:
A. create more overhead than signature-based IDSs
B. cause false positives from minor changes to system variables
C. generate false alarms from varying user or system actions
D. cannot detect new types of attacks
View answer
Correct Answer: C
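Added example, not part of the page: a toy statistical anomaly detector placed beside a signature detector, run over constructed web-server log lines, to show what option C above describes. A legitimate but unusual burst of user activity pushes the per-minute request count far outside the baseline and the statistical detector raises an alert (a false alarm), while a single SQL-injection request from an attacker stays well inside the baseline and is missed by it but caught by the signature. The baseline, the log lines, the z-score threshold and the signature patterns are all constructed for the example.

```python
"""Statistical anomaly detection vs. signature detection over constructed log lines.

Added example; baseline, log lines, threshold and signatures are all constructed.
"""
import re
import statistics
from collections import Counter
from urllib.parse import unquote_plus

# Constructed baseline: requests per minute for one user during normal operation.
BASELINE_RPM = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 12, 11, 14, 13, 15, 12, 13, 14, 12, 15, 13]

# Constructed log lines (Common Log Format-like). Indices 0-29: a legitimate burst,
# the user pulls 30 report pages in one minute; 30-42: a normal minute; 43: one
# SQL-injection attempt from an unauthenticated client.
LOG_LINES = (
    [f'10.0.0.5 - jsmith [01/Mar/2024:09:00:{i:02d}] "GET /reports/q1/page{i} HTTP/1.1" 200'
     for i in range(30)]
    + [f'10.0.0.5 - jsmith [01/Mar/2024:09:05:{i:02d}] "GET /inbox?page={i} HTTP/1.1" 200'
       for i in range(13)]
    + ['203.0.113.9 - - [01/Mar/2024:09:05:31] '
       '"GET /search?q=1%27+UNION+SELECT+password+FROM+users HTTP/1.1" 500']
)

LINE_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')

# Constructed signatures, applied to the URL-decoded request path.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)union\s+select"),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}


def parse(line):
    """Split one log line into fields; the minute key drops the seconds from the timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, ts, method, path, status = m.groups()
    return {"ip": ip, "user": user, "minute": ts.rsplit(":", 1)[0],
            "method": method, "path": path, "status": int(status)}


def zscore(value, baseline):
    """How many population standard deviations `value` sits above the baseline mean."""
    return (value - statistics.mean(baseline)) / statistics.pstdev(baseline)


def stat_alerts(lines, baseline, z_threshold=3.0):
    """Statistical anomaly detector: alert on any (user, minute) whose request count
    is more than z_threshold standard deviations above the baseline."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["user"], rec["minute"])] += 1
    alerts = []
    for (user, minute), n in sorted(counts.items()):
        z = zscore(n, baseline)
        if z > z_threshold:
            alerts.append((user, minute, n, round(z, 2)))
    return alerts


def signature_alerts(lines):
    """Signature detector: alert when a known pattern appears in the decoded request path."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        decoded = unquote_plus(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((rec["ip"], name, decoded))
    return alerts


if __name__ == "__main__":
    print("statistical alerts:", stat_alerts(LOG_LINES, BASELINE_RPM))
    print("signature alerts:  ", signature_alerts(LOG_LINES))
```

Run as written, the statistical detector reports only jsmith's report burst, which is legitimate work, and says nothing about the injection attempt; the signature detector reports only the injection. That asymmetry is the operational cost the question is getting at: every variation in normal behaviour is a candidate alarm for the statistical approach, and tuning the threshold down to catch low-volume attacks makes the false alarms worse.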
Question #22
What is the MOST appropriate change management procedure for the handling of emergency program changes?
A. Formal documentation does not need to be completed before the change
B. Business management approval must be obtained prior to the change
C. Documentation is completed with approval soon after the change
D. All changes must follow the same process
View answer
Correct Answer: C
Question #23
An information security manager has been informed of a new vulnerability in an online banking application, and a patch to resolve this issue is expected to be released in the next 72 hours. The information security manager's MOST important course of action should be to:
A. assess the risk and advise senior management
B. identify and implement mitigating controls
C. run the application system in offline mode
D. perform a business impact analysis (BIA)
View answer
Correct Answer: A
Question #24
An organization faces severe fines and penalties if not in compliance with local regulatory requirements by an established deadline. Senior management has asked the information security manager to prepare an action plan to achieve compliance. Which of the following would provide the MOST useful information for planning purposes?
A. Results from a gap analysis
B. Results from a business impact analysis
C. Deadlines and penalties for noncompliance
D. An inventory of security controls currently in place
View answer
Correct Answer: A
Question #25
Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies. To BEST address this concern, the information security manager should:
A. escalate concern for conflicting access rights to management
B. implement consistent access control standards
C. review access rights as the acquisition integration occurs
D. perform a risk assessment of the access rights
View answer
Correct Answer: D
Question #26
Which of the following is the MOST significant security risk in IT asset management?
A. IT assets may be used by staff for private purposes
B. Unregistered IT assets may not be supported
C. Unregistered IT assets may not be included in security documentation
D. Unregistered IT assets may not be configured properly
View answer
Correct Answer: A
Question #27
Which of the following is the MOST important step in risk ranking?
A. Impact assessment
B. Mitigation cost
C. Threat assessment
D. Vulnerability analysis
View answer
Correct Answer: A
Question #28
Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
A. Programming
B. Specification
C. User testing
D. Feasibility
View answer
Correct Answer: D
Question #29
Which of the following tasks should be performed once a disaster recovery plan has been developed?
A. Analyze the business impact
B. Define response team roles
C. Develop the test plan
D. Identify recovery time objectives
View answer
Correct Answer: C
Question #30
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
A. Authentication
B. Hardening
C. Encryption
D. Nonrepudiation
View answer
Correct Answer: C
Question #31
The BEST time to ensure that a corporation acquires secure software products when outsourcing software development is during:
A. corporate security reviews
B. contract performance audits
C. contract negotiation
D. security policy development
View answer
Correct Answer: C
Question #32
Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?
A. Termination conditions
B. Liability limits
C. Service levels
D. Privacy restrictions
View answer
Correct Answer: C
Question #33
When developing an information security strategy, the MOST important requirement is that:
A. standards capture the intent of management
B. a schedule is developed to achieve objectives
C. the desired outcome is known
D. critical success factors (CSFs) are developed
View answer
Correct Answer: C
Question #34
Secure customer use of an e-commerce application can BEST be accomplished through:
A. data encryption
B. digital signatures
C. strong passwords
D. two-factor authentication
View answer
Correct Answer: A
Question #35
Good information security procedures should:
A. define the allowable limits of behavior
B. underline the importance of security governance
C. describe security baselines for each platform
D. be updated frequently as new software is released
View answer
Correct Answer: B
Question #36
Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
A. User security procedures
B. Business process flow
C. IT security policy
D. Regulatory requirements
View answer
Correct Answer: B
Question #37
A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
A. an effective control over connectivity and continuity
B. a service level agreement (SLA) including code escrow
C. a business impact analysis (BIA)
D. a third-party certification
View answer
Correct Answer: A
Question #38
Which of the following is the PRIMARY reason for performing an analysis of the threat landscape on a regular basis?
A. To determine the basis for proposing an increase in security budgets
B. To determine if existing business continuity plans are adequate
C. To determine if existing vulnerabilities present a risk
D. To determine critical information for executive management
View answer
Correct Answer: C
Question #39
Which of the following would be the MOST significant security risk in a pharmaceutical institution?
A. Compromised customer information
B. Unavailability of online transactions
C. Theft of security tokens
D. Theft of a Research and Development laptop
View answer
Correct Answer: D
Question #40
Which of the following should an information security manager perform FIRST when an organization’s residual risk has increased?
A. Implement security measures to reduce the risk
B. Communicate the information to senior management
C. Transfer the risk to third parties
D. Assess the business impact
View answer
Correct Answer: D
Question #41
Which of the following is the MOST practical control that an organization can implement to prevent unauthorized downloading of data to universal serial bus (USB) storage devices?
A. Two-factor authentication
B. Restrict drive usage
C. Strong encryption
D. Disciplinary action
View answer
Correct Answer: B
Question #42
An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining:
A. security metrics
B. service level agreements (SLAs)
C. risk-reporting methodologies
D. security requirements for the process being outsourced
View answer
Correct Answer: D
Question #43
An organization with a strict need-to-know information access policy is about to launch a knowledge management intranet. Which of the following is the MOST important activity to ensure compliance with existing security policies?
A. Develop a control procedure to check content before it is published
B. Change organization policy to allow wider use of the new web site
C. Ensure that access to the web site is limited to senior managers and the board
(option D and the answer key for this question are missing from the page)
Question #43 (b)
(question stem missing from the page)
A. Support for buy-in from organizational employees
B. Allocation of resources to highest priorities
C. Prevention of deviations from risk tolerance thresholds
D. Increased maturity of incident response processes
View answer
Correct Answer: C
Question #44
Which of the following defines the triggers within a business continuity plan (BCP)?
A. Disaster recovery plan
B. Needs of the organization
C. Gap analysis
D. Information security policy
View answer
Correct Answer: B
Question #45
An organization’s marketing department wants to use an online collaboration service which is not in compliance with the information security policy. A risk assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by:
A. the information security manager
B. business senior management
C. the chief risk officer
D. the compliance officer
View answer
Correct Answer: B
Question #46
When implementing security architecture, an information security manager MUST ensure that security controls:
A. form multiple barriers against threats
B. are transparent
C. are the least expensive
D. are communicated through security policies
View answer
Correct Answer: C
Question #47
When developing security processes for handling credit card data on the business unit’s information system, the information security manager should FIRST:
A. review corporate policies regarding credit card information
B. implement the credit card companies’ security requirements
C. ensure that systems that handle credit card data are segmented
D. review industry best practices for handling secure payments
View answer
Correct Answer: A
Question #48
Which of the following is MOST important for a successful information security program?
A. Adequate training on emerging security technologies
B. Open communication with key process owners
C. Adequate policies, standards and procedures
D. Executive management commitment
View answer
Correct Answer: D
Question #49
An information security manager is asked to provide evidence that the organization is fulfilling its legal obligation to protect personally identifiable information (PII). Which of the following would be MOST helpful for this purpose?
A. Metrics related to program effectiveness
B. Written policies and standards
C. Privacy awareness training
D. Risk assessments of privacy-related applications
View answer
Correct Answer: S
Question #50
The risk of mishandling alerts identified by an intrusion detection system (IDS) would be the GREATEST when:
A. standard operating procedures are not formalized
B. the IT infrastructure is diverse
C. IDS sensors are misconfigured
D. operations and monitoring are handled by different teams
View answer
Correct Answer: A
Question #51
Which of the following is the BEST way to determine if an organization’s current risk is within the risk appetite?
A. Conducting a business impact analysis (BIA)
B. Implementing key performance indicators (KPIs)
C. Implementing key risk indicators (KRIs)
D. Developing additional mitigating controls
View answer
Correct Answer: C
Question #52
What is the MOST important element to include when developing user security awareness material?
A. Information regarding social engineering
B. Detailed security policies
C. Senior management endorsement
D. Easy-to-read and compelling information
View answer
Correct Answer: D
Question #53
Which of the following is the BEST approach to make strategic information security decisions?
A. Establish an information security steering committee
B. Establish periodic senior management meetings
C. Establish regular information security status reporting
(option D and the answer key for this question are missing from the page)
Question #53 (b)
(question stem missing from the page)
A. Compliance risk assessment
B. Critical audit findings
C. Industry comparison analysis
D. Number of reported security incidents
View answer
Correct Answer: B
Question #54
Which of the following would a security manager establish to determine the target for restoration of normal processing?
A. Recovery time objective (RTO)
B. Maximum tolerable outage (MTO)
C. Recovery point objectives (RPOs)
D. Service delivery objectives (SDOs)
View answer
Correct Answer: A
Question #55
An organization has recently experienced unauthorized device access to its network. To proactively manage the problem and mitigate this risk, the BEST preventive control would be to:
A. keep an inventory of network and hardware addresses of all systems connected to the network
B. install a stateful inspection firewall to prevent unauthorized network traffic
C. implement network-level authentication and login to regulate access of devices to the network
D. deploy an automated asset inventory discovery tool to identify devices that access the network
View answer
Correct Answer: C
Question #56
Which of the following needs to be established between an IT service provider and its clients to BEST enable adequate continuity of service in preparation for an outage?
A. Data retention policies
B. Server maintenance plans
C. Recovery time objectives
D. Reciprocal site agreement
View answer
Correct Answer: C
Question #57
When performing an information risk analysis, an information security manager should FIRST:
A. establish the ownership of assets
B. evaluate the risks to the assets
C. take an asset inventory
D. categorize the assets
View answer
Correct Answer: C
Question #58
An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
A. Rewrite the application to conform to the upgraded operating system
B. Compensate for not installing the patch with mitigating controls
C. Alter the patch to allow the application to run in a privileged state
D. Run the application on a test platform; tune production to allow patch and application
View answer
Correct Answer: B
Question #59
An information security manager has recently been notified of potential security risks associated with a third-party service provider. What should be done NEXT to address this concern?
A. Conduct a risk analysis
B. Escalate to the chief risk officer
C. Conduct a vulnerability analysis
D. Determine compensating controls
View answer
Correct Answer: A
