
[Aug 29, 2025] Get to the Top with CISM Practice Exam Questions
Use Real CISM Dumps Free Sample Questions and Practice Test Engine
NEW QUESTION # 304
When building support for an information security program, which of the following elements is MOST important?
- A. Threat analysis
- B. Information risk assessment
- C. Business impact analysis (BIA)
- D. Identification of existing vulnerabilities
Answer: B
NEW QUESTION # 305
Deciding the level of protection a particular asset should be given in BEST determined by:
- A. a vulnerability assessment.
- B. a threat assessment.
- C. a risk analysis.
- D. corporate risk appetite.
Answer: C
NEW QUESTION # 306
Senior management has just accepted the risk of noncompliance with a new regulation. What should the information security manager do NEXT?
- A. Assess the impact of the regulation.
- B. Report the decision to the compliance officer.
- C. Reassess the organization's risk tolerance.
- D. Update details within the risk register
Answer: A
NEW QUESTION # 307
Internal audit has reported a number of information security issues that are not in compliance with regulatory requirements. What should the information security manager do FIRST?
- A. Create a security exception
- B. Assess the risk to business operations
- C. Perform a vulnerability assessment
- D. Perform a gap analysis to determine needed resources
Answer: B
Explanation:
Explanation
According to the CISM Manual, the information security manager should first assess the risk to business operations before taking any other action. This will help to prioritize the issues and determine the appropriate response. Performing a vulnerability assessment, a gap analysis, or creating a security exception are possible actions, but they should be based on the risk assessment results. References = CISM Manual, 5th Edition, page
1211; CISM Practice Quiz, question 32
NEW QUESTION # 308
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
- A. A peer group within a similar business
- B. Process owners
- C. A specialized management consultant
- D. External auditors
Answer: B
Explanation:
Explanation/Reference:
Explanation:
Process owners have the most in-depth knowledge of risks and compensating controls within their environment. External parties do not have that level of detailed knowledge on the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.
NEW QUESTION # 309
An employee is found to be using an external cloud storage service to share corporate information with a third-party consultant, which is against company policy. Which of the following should be the information security manager's FIRST course of action?
- A. Inform higher management a security breach.
- B. Block access to the cloud storage service.
- C. Determine the classification level of the information.
- D. Seek business justification from the employee.
Answer: C
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION # 310
A financial company executive is concerned about recently increasing cyberattacks and needs to take action to reduce risk. The organization would BEST respond by:
- A. increasing budget and staffing levels for the incident response team.
- B. implementing an intrusion detection system (IDS).
- C. testing the business continuity plan (BCP).
- D. revalidating and mitigating risks to an acceptable level.
Answer: D
NEW QUESTION # 311
When establishing classifications of security incidents for the development of an incident response plan, which of the following provides the MOST valuable input?
- A. The business continuity plan (BCP)
- B. Business impact analysis (BIA) results
- C. Recommendations from senior management
- D. Vulnerability assessment results
Answer: C
NEW QUESTION # 312
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
- A. corporate data privacy policy.
- B. data privacy policy of the headquarters' country.
- C. data privacy policy where data are collected.
- D. data privacy directive applicable globally.
Answer: C
Explanation:
Explanation
As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.
NEW QUESTION # 313
Which of the following is the BEST approach to make strategic information security decisions?
- A. Establish periodic senior management meetings.
- B. Establish regular information security status reporting.
- C. Establish an information security steering committee.
- D. Establish business unit security working groups.
Answer: D
NEW QUESTION # 314
Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23.00 hrs.)?
- A. The update's success or failure is not known until Monday
- B. Systems are vulnerable to new viruses during the intervening week
- C. Most new viruses* signatures are identified over weekends
- D. Technical personnel are not available to support the operation
Answer: B
Explanation:
Explanation/Reference:
Explanation:
Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential. All other issues are secondary to this very serious exposure.
NEW QUESTION # 315
Which of the following would be MOST useful in determining how an organization will be affected by a new regulatory requirement for cloud services?
- A. Data loss protection plan
- B. Information asset inventory
- C. Risk assessment
- D. Data classification policy
Answer: C
NEW QUESTION # 316
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?
- A. The number of false positives increases
- B. The number of false negatives increases
- C. Active probing is missed
- D. Attack profiles are ignored
Answer: A
Explanation:
Explanation
Failure to tune an intrusion detection system (IDS) will result in many false positives, especially when the threshold is set to a low value. The other options are less likely given the fact that the threshold for sounding an alarm is set to a low value.
NEW QUESTION # 317
Which of the following is the PRIMARY objective of a cyber resilience strategy?
- A. Regulatory compliance
- B. Business continuity
- C. Executive support
- D. Employee awareness
Answer: B
Explanation:
Business continuity is the primary objective of a cyber resilience strategy, as it aims to ensure that the organization can continue to deliver its essential products and services in the face of cyber disruptions, and recover to normal operations as quickly and effectively as possible. A cyber resilience strategy should align with the business continuity plan and support the organization's mission, vision, and values. (From CISM Review Manual 15th Edition) References: CISM Review Manual 15th Edition, page 178, section 4.3.2.1.
NEW QUESTION # 318
Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
- A. Remote buffer overflow
- B. Man-in-the-middle attack
- C. Clear text authentication
- D. Cross site scripting
Answer: C
Explanation:
Explanation/Reference:
Explanation:
One of the main problems with using SNMP vl and v°2 is the clear text "community string" that it uses to authenticate. It is easy to sniff and reuse. Most times, the SNMP community string is shared throughout the organization's servers and routers, making this authentication problem a serious threat to security. There have been some isolated cases of remote buffer overflows against SNMP daemons, but generally that is not a problem. Cross site scripting is a web application vulnerability that is not related to SNMP. A man-in- the-middle attack against a user datagram protocol (UDP) makes no sense since there is no active session; every request has the community string and is answered independently.
NEW QUESTION # 319
An organization's operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?
- A. Shared folder operators sign an agreement to pledge not to commit fraudulent activities
- B. Design a training program for the staff involved to heighten information security awareness
- C. The end user develops a PC macro program to compare sender and recipient file contents
- D. Set role-based access permissions on the shared folder
Answer: D
Explanation:
Explanation
Ideally, requesting that the IT department develop an automated integrity check would be desirable, but given the temporary nature of the problem, the risk can be mitigated by setting stringent access permissions on the shared folder. Operations staff should only have write access and disbursement staff should only have read access, and everyone else, including the administrator, should be disallowed. An information security awareness program and/or signing an agreement to not engage in fraudulent activities may help deter attempts made by employees: however, as long as employees see a chance of personal gain when internal control is loose, they may embark on unlawful activities such as alteration of payment files. A PC macro would be an inexpensive automated solution to develop with control reports. However, sound independence or segregation of duties cannot be expected in the reconciliation process since it is run by an end-user group. Therefore, this option may not provide sufficient proof.
NEW QUESTION # 320
Senior management has approved employees working off-site by using a virtual private network (VPN) connection. It is MOST important for the information security manager to periodically:
- A. review the security policy
- B. perform a risk assessment
- C. perform a cost-benefit analysis
- D. review firewall configuration
Answer: A
NEW QUESTION # 321
Which of the following BEST minimizes information security risk in deploying applications to the production environment?
- A. Integrating security controls in each phase of the life cycle
- B. Having a well-defined change process
- C. Conducting penetration testing post implementation
- D. Verifying security during the testing process
Answer: A
Explanation:
= Integrating security controls in each phase of the life cycle is the best way to minimize information security risk in deploying applications to the production environment. This ensures that security requirements are defined, designed, implemented, tested, and maintained throughout the development process. Conducting penetration testing post implementation, having a well-defined change process, and verifying security during the testing process are all important activities, but they are not sufficient to address all the potential risks that may arise during the application life cycle. Penetration testing may reveal some vulnerabilities, but it cannot guarantee that all of them are identified and fixed. A change process may help to control and document the modifications made to the application, but it does not ensure that the changes are secure and do not introduce new risks. Verifying security during the testing process may help to validate the functionality and performance of the security controls, but it does not ensure that the security requirements are complete and consistent with the business objectives and the risk appetite of the organization. Reference = CISM Review Manual, 16th Edition, page 1121; CISM Review Questions, Answers & Explanations Manual, 10th Edition, page 1462
NEW QUESTION # 322
Which of the following architectures for e-business ensures high availability?
- A. Intelligent middleware to direct transactions from a downed system to an alternative
- B. Availability of an adjacent hot site and a standby server with mirrored copies of critical data
- C. A single point of entry allowing transactions to be received and processed quickly
- D. Automatic failover to the web site of another e-business that meets the user's needs
Answer: D
NEW QUESTION # 323
The chief information security officer (CISO) should ideally have a direct reporting relationship to the:
- A. head of internal audit.
- B. chief operations officer (COO).
- C. chief technology officer (CTO).
- D. legal counsel.
Answer: B
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
Explanation
Explanation:
The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO's goals for the infrastructure might, at times, run counter to the goals of information security.
NEW QUESTION # 324
Which of the following is the MOST usable deliverable of an information security risk analysis?
- A. Business impact analysis (BIA) report
- B. List of action items to mitigate risk
- C. Quantification of organizational risk
- D. Assignment of risks to process owners
Answer: B
Explanation:
Section: INFORMATION RISK MANAGEMENT
Explanation:
Although all of these are important, the list of action items is used to reduce or transfer the current level of risk.
The other options materially contribute to the way the actions are implemented.
NEW QUESTION # 325
Information security should be:
- A. driven by regulatory requirements.
- B. focused on eliminating all risks.
- C. defined by the board of directors.
- D. a balance between technical and business requirements.
Answer: D
Explanation:
Explanation
Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks.
Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.
NEW QUESTION # 326
Which of the following steps in conducting a risk assessment should be performed FIRST?
- A. Identify business risks
- B. Evaluate key controls
- C. Assess vulnerabilities
- D. Identity business assets
Answer: D
Explanation:
Section: INFORMATION RISK MANAGEMENT
Explanation/Reference:
Explanation:
Risk assessment first requires one to identify the business assets that need to be protected before identifying the threats. The next step is to establish whether those threats represent business risk by identifying the likelihood and effect of occurrence, followed by assessing the vulnerabilities that may affect the security of the asset. This process establishes the control objectives against which key controls can be evaluated.
NEW QUESTION # 327
......
Pass ISACA CISM exam - questions - convert Tets Engine to PDF: https://www.examcollectionpass.com/ISACA/CISM-practice-exam-dumps.html
2025 Realistic Verified Free ISACA CISM Exam Questions: https://drive.google.com/open?id=1NHitoYPAgY2zHGwhbWdbEnaRJ9mN6w1h