6 Flashcards
- A business impact analysis (BIA) should be periodically executed PRIMARILY to:
A. validate vulnerabilities on environmental changes.
B. analyze the importance of assets.
C. check compliance with regulations.
D. verify the effectiveness of controls.
Answer: D
Explanation: A business impact analysis (BIA) is a process that helps identify and evaluate the potential
effects of disruptions or incidents on the organization’s mission, objectives, and operations. A BIA should
be periodically executed to verify the effectiveness of the controls that are implemented to prevent, mitigate,
or recover from such disruptions or incidents [1][2].
According to the CISM Manual, a BIA should be performed at least annually for critical systems and
processes, and more frequently for non-critical ones [3]. A BIA should also be updated whenever there are
significant changes in the organization’s environment, such as new regulations, technologies, business
models, or stakeholder expectations [3]. A BIA should not be used to validate vulnerabilities on environmental
changes (A), analyze the importance of assets (B), or check compliance with regulations (C), as these are
not the primary purposes of a BIA.
References: 1: IR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response |
CSRC NIST 2: CISM Domain 4 Preview | BCP - Business Impact Analysis (BIA) - YouTube 3: CISM ITEM
DEVELOPMENT GUIDE - ISACA
- Which of the following is the MOST effective defense against malicious insiders compromising confidential
information?
A. Regular audits of access controls
B. Strong background checks when hiring staff
C. Prompt termination procedures
D. Role-based access control (RBAC)
Answer: D
Explanation:
Role-based access control (RBAC) is the most effective defense against malicious insiders compromising
confidential information, as it helps to limit the access of users to the information and resources that are
necessary for their roles and responsibilities. RBAC also helps to enforce the principle of least privilege,
which reduces the risk of unauthorized or inappropriate access, disclosure, modification, or destruction of
information by insiders. RBAC also facilitates the monitoring and auditing of user activities and access
rights. References = Malicious insiders | Cyber.gov.au, Insider Threat Mitigation Guide - CISA, Malicious
Insiders: Types, Indicators & Common Techniques - Ekran System
- An information security team is planning a security assessment of an existing vendor. Which of the
following approaches is MOST helpful for properly scoping the assessment?
A. Focus the review on the infrastructure with the highest risk
B. Review controls listed in the vendor contract
C. Determine whether the vendor follows the selected security framework rules
D. Review the vendor’s security policy
Answer: B
Explanation: Reviewing controls listed in the vendor contract is the most helpful approach for properly
scoping the security assessment of an existing vendor because it helps to determine the security
requirements and expectations that the vendor has agreed to meet.
A vendor contract is a legal document that defines the terms and conditions of the business relationship
between the organization and the vendor, including the scope, deliverables, responsibilities, and
obligations of both parties. A vendor contract should also specify the security controls that the vendor must
implement and maintain to protect the organization’s data and systems, such as encryption, authentication,
access control, backup, monitoring, auditing, etc. Reviewing controls listed in the vendor contract helps to
ensure that the security assessment covers all the relevant aspects of the vendor’s security posture, as well
as to identify any gaps or discrepancies between the contract and the actual practices. Therefore, reviewing
controls listed in the vendor contract is the correct answer. References:
✑ https://medstack.co/blog/vendor-security-assessments-understanding-the-basics/
✑ https://www.ncsc.gov.uk/files/NCSC-Vendor-Security-Assessment.pdf
✑ https://securityscorecard.com/blog/how-to-conduct-vendor-security-assessment
- Which of the following is the BEST method for determining whether a firewall has been configured to
provide a comprehensive perimeter defense?
A. A validation of the current firewall rule set
B. A port scan of the firewall from an internal source
C. A ping test from an external source
D. A simulated denial of service (DoS) attack against the firewall
Answer: A
Explanation: A validation of the current firewall rule set is the best method for determining whether a firewall
has been configured to provide a comprehensive perimeter defense because it verifies that the firewall
rules are consistent, accurate, and effective in allowing or blocking traffic according to the security policies
and standards of the organization. A port scan of the firewall from an internal source is not a good method
because it does not test the firewall’s behavior from an external perspective, which is more relevant for
perimeter defense. A ping test from an external source is not a good method because it only tests the
firewall’s availability and responsiveness, not its security or functionality. A simulated denial of service (DoS)
attack against the firewall is not a good method because it only tests the firewall’s resilience and
performance under high traffic load, not its security or functionality. References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/the-value-of-penetration-testing
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanning-versus-penetration-testing
- Which of the following is MOST important for the information security manager to include when presenting
changes in the security risk profile to senior management?
A. Industry benchmarks
B. Security training test results
C. Performance measures for existing controls
D. Number of false positives
Answer: C
- A small organization with limited budget hires a new information security manager who finds the same IT
staff member is assigned the responsibility of system administrator, security administrator, database
administrator (DBA), and application administrator. What is the manager’s BEST course of action?
A. Automate user provisioning activities.
B. Maintain strict control over user provisioning activities.
C. Formally document IT administrator activities.
D. Implement monitoring of IT administrator activities.
Answer: D
- An organization is experiencing a sharp increase in incidents related to phishing messages. The root cause
is an outdated email filtering system that is no longer supported by the vendor. Which of the following
should be the information security manager’s FIRST course of action?
A. Reinforce security awareness practices for end users.
B. Temporarily outsource the email system to a cloud provider.
C. Develop a business case to replace the system.
D. Monitor outgoing traffic on the firewall.
Answer: C
Explanation:
Developing a business case to replace the system is the FIRST course of action that the information
security manager should take, because it helps to justify the need for a new and effective email filtering
system that can prevent or reduce phishing incidents. A business case should include the problem
statement, the proposed solution, the costs and benefits, the risks and assumptions, and the expected
outcomes and metrics.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 42: “A business case is a document that provides the
rationale and justification for an information security investment. It should include the problem statement,
the proposed solution, the costs and benefits, the risks and assumptions, and the expected outcomes and
metrics.”
Email Filtering Explained: What Is It and How Does It Work: “Email filtering is a process used to sort emails
and identify unwanted messages such as spam, malware, and phishing attempts. The goal is to ensure that
they don’t reach the recipient’s primary inbox. It is an essential security measure that helps protect users
from unwanted or malicious messages.”
Cloud-based email phishing attack using machine and deep learning …: “This attack is used to attack your
email account and hack sensitive data easily.”
- Which of the following is the BEST way to determine the gap between the present and desired state of an
information security program?
A. Perform a risk analysis for critical applications.
B. Determine whether critical success factors (CSFs) have been defined.
C. Conduct a capability maturity model evaluation.
D. Review and update current operational procedures.
Answer: C
Explanation: A capability maturity model evaluation is the best way to determine the gap between the
present and desired state of an information security program because it provides a systematic and
structured approach to assess the current level of maturity of the
information security processes and practices, and compare them with the desired or target level of maturity
that is aligned with the business objectives and requirements. A capability maturity model evaluation can
also help to identify the strengths and weaknesses of the information security program, prioritize the
improvement areas, and develop a roadmap for achieving the desired state.
References = Information Security Architecture: Gap Assessment and Prioritization, CISM Review Manual
15th Edition
- Which of the following is the MOST important security consideration when developing an incident response
strategy with a cloud provider?
A. Escalation processes
B. Recovery time objective (RTO)
C. Security audit reports
D. Technological capabilities
Answer: A
Explanation:
Escalation processes are the most important security consideration when developing an incident response
strategy with a cloud provider, as they define the roles, responsibilities, communication channels, and
decision-making authority for both parties in the event of a security incident. Escalation processes help to
ensure timely and effective response, coordination, and resolution of security incidents, as well as to avoid
conflicts or confusion. (From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 184, section 4.3.3.2.
- Which of the following is a viable containment strategy for a distributed denial of service (DDoS) attack?
A. Block IP addresses used by the attacker
B. Redirect the attacker’s traffic
C. Disable firewall ports exploited by the attacker.
D. Power off affected servers
Answer: B
Explanation: Redirecting the attacker’s traffic is a viable containment strategy for a distributed denial of
service (DDoS) attack because it helps to divert the malicious traffic away from the target server and reduce
the impact of the attack. A DDoS attack is an attempt by attackers to overwhelm a server or a network with
a large volume of requests or packets, preventing legitimate users from accessing the service or resource.
Redirecting the attacker’s traffic is a technique that involves changing the DNS settings or routing tables to
send the attacker’s traffic to another destination, such as a sinkhole, a honeypot, or a scrubbing center. A
sinkhole is a server that absorbs and discards the malicious traffic. A honeypot is a decoy server that
mimics the target server and collects information about the attacker’s behavior and techniques. A scrubbing
center is a service that filters out the malicious traffic and forwards only the legitimate traffic to the target
server. Redirecting the attacker’s traffic helps to contain the DDoS attack by reducing the load on the target
server and preserving its availability and performance. Therefore, redirecting the attacker’s traffic is the
correct answer.
References:
✑ https://www.fortinet.com/resources/cyberglossary/implement-ddos-mitigation-strategy
✑ https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-response-strategy
✑ https://www.cloudflare.com/learning/ddos/glossary/sinkholing/
- Which of the following is the MOST important reason for logging firewall activity?
A. Metrics reporting
B. Firewall tuning
C. Intrusion prevention
D. Incident investigation
Answer: C
- Which of the following should be the PRIMARY objective when establishing a new information security
program?
A. Executing the security strategy
B. Minimizing organizational risk
C. Optimizing resources
D. Facilitating operational security
Answer: A
Explanation:
According to the CISM Review Manual, the primary objective when establishing a new information security
program is to execute the security strategy that has been defined and approved by the senior management.
The security strategy provides the direction, scope, and goals for the information security program, and
aligns with the business objectives and requirements. Minimizing organizational risk, optimizing resources,
and facilitating operational security are possible outcomes or benefits of the information security program,
but they are not the primary objective.
References = CISM Review Manual, 27th Edition, Chapter 3, Section 3.1.1, page 1151.
- Which of the following is the BEST way to reduce the risk associated with a bring your own device (BYOD)
program?
A. Implement a mobile device policy and standard.
B. Provide employee training on secure mobile device practices.
C. Implement a mobile device management (MDM) solution.
D. Require employees to install an effective anti-malware app.
Answer: B
- Which of the following is the MOST important reason for an organization to communicate to affected parties
that a security incident has occurred?
A. To improve awareness of information security
B. To disclose the root cause of the incident
C. To increase goodwill toward the organization
D. To comply with regulations regarding notification
Answer: D
Explanation:
Complying with regulations regarding notification is the most important reason for an organization to
communicate to affected parties that a security incident has occurred, as it helps to avoid legal penalties,
fines, or sanctions that may result from failing to notify the relevant authorities, customers, or other
stakeholders in a timely and appropriate manner. Additionally, complying with regulations regarding
notification may also help to preserve the trust and reputation of the organization, as well as to facilitate the
investigation and resolution of the incident.
References = CISM Review Manual 2022, page 3151; CISM Exam Content Outline, Domain 4, Task 4.5
- Which of the following would BEST demonstrate the status of an organization’s information security
program to the board of directors?
A. Information security program metrics
B. Results of a recent external audit
C. The information security operations matrix
D. Changes to information security risks
Answer: A
Explanation: Information security program metrics are the best way to demonstrate the status of an
organization’s information security program to the board of directors, as they provide relevant and
meaningful information on the performance, effectiveness, and value of the program, as well as the current
and emerging risks and the corresponding mitigation strategies. Information security program metrics
should be aligned with the business objectives and risk appetite of the organization, and should be
presented in a clear and concise manner that enables the board of directors to make informed decisions
and provide oversight. (From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 37, section 1.3.2.2.
- To inform a risk treatment decision, which of the following should the information security manager
compare with the organization’s risk appetite?
A. Level of residual risk
B. Level of risk treatment
C. Configuration parameters
D. Gap analysis results
Answer: A
Explanation: The information security manager should compare the level of residual risk with the
organization’s risk appetite to inform a risk treatment decision. Residual risk is the risk that remains after
applying the risk treatment options, such as avoiding, transferring, mitigating, or accepting the risk. Risk
appetite is the amount of risk that the organization is willing to accept to achieve its objectives. The
information security manager should ensure that the residual risk is within the risk appetite, and if not, apply
additional risk treatment measures or escalate the risk to the senior management for approval.
References = CISM Review Manual, 16th Edition eBook1, Chapter 2: Information Risk Management,
Section: Risk Management, Subsection: Risk Treatment, Page 102.
- Which of the following is the BEST course of action when an information security manager
identifies that systems are vulnerable to emerging threats?
A. Frequently update systems and monitor the threat landscape.
B. Monitor the network containing the affected systems for malicious traffic.
C. Increase awareness of the threats among employees who work with the systems.
D. Notify senior management and key stakeholders of the threats.
Answer: A
Explanation: The best course of action when an information security manager identifies that systems are
vulnerable to emerging threats is to frequently update systems and monitor the threat landscape, as this will
help to reduce the exposure and impact of the threats, and enable timely detection and response. Updating
systems involves applying patches, fixing vulnerabilities, and implementing security controls. Monitoring the
threat landscape involves collecting and analyzing threat intelligence, identifying new attack vectors and
techniques, and assessing the risk and impact of the threats.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.2.1, page 2211; State of
Cybersecurity 2023: Navigating Current and Emerging Threats2; CISM Online Review Course, Module 4,
Lesson 2, Topic 13
- Which of the following is the MOST effective way to ensure information security policies are understood?
A. Implement a whistle-blower program.
B. Provide regular security awareness training.
C. Include security responsibilities in job descriptions.
D. Document security procedures.
Answer: B
Explanation: Security awareness training is the most effective way to ensure information security policies
are understood, as it educates employees on the purpose, content and importance of the policies, and how
to comply with them. (From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 183, section 4.3.3.1.
- Which of the following is MOST important for guiding the development and management of a
comprehensive information security program?
A. Adopting information security program management best practices
B. Implementing policies and procedures to address the information security strategy
C. Aligning the organization’s business objectives with IT objectives
D. Establishing and maintaining an information security governance framework
Answer: D
Explanation:
An information security governance framework is a set of principles, policies, standards, and processes that
guide the development, implementation, and management of an effective information security program that
supports the organization’s objectives and strategy. The framework provides direction to meet business
goals while balancing risks and controls, as it helps to align the information security activities with the
business needs, priorities, and risk appetite, and to ensure that the security resources and investments are
optimized and justified.
References = CISM Review Manual 2022, page 321; CISM Exam Content Outline, Domain 1, Knowledge
Statement 1.22; CISM domain 1: Information security governance Updated 2022
- Which of the following BEST minimizes information security risk in deploying applications to the production
environment?
A. Integrating security controls in each phase of the life cycle
B. Conducting penetration testing post implementation
C. Having a well-defined change process
D. Verifying security during the testing process
Answer: A
Explanation: Integrating security controls in each phase of the life cycle is the best way to minimize
information security risk in deploying applications to the production environment. This ensures that security
requirements are defined, designed, implemented, tested, and maintained throughout the development
process. Conducting penetration testing post implementation, having a well-defined change process, and
verifying security during the testing process are all important activities, but they are not sufficient to address
all the potential risks that may arise during the application life cycle. Penetration testing may reveal some
vulnerabilities, but it cannot guarantee that all of them are identified and fixed. A change process may help
to control and document the modifications made to the application, but it does not ensure that the changes
are secure and do not introduce new risks. Verifying security during the testing process may help to validate
the functionality and performance of the security controls, but it does not ensure that the security
requirements are complete and consistent with the business objectives and the risk appetite of the
organization. References = CISM Review Manual, 16th Edition, page 1121; CISM Review Questions,
Answers & Explanations Manual, 10th Edition, page 1462
- The MOST important information for influencing management’s support of information security is:
A. A demonstration of alignment with the business strategy.
B. An identification of the overall threat landscape.
C. A report of a successful attack on a competitor.
D. An identification of organizational risks.
Answer: A
Explanation: The most important information for influencing management’s support of information security
is a demonstration of alignment with the business strategy because it shows how information security
contributes to the achievement of the organization’s goals and objectives, and adds value to the
organization’s performance and competitiveness. An identification of the overall threat landscape is not
very important because it does not indicate how information security addresses or mitigates the threats or
risks. A report of a successful attack on a competitor is not very important because it does not indicate how
information security prevents or responds to such attacks. An identification of organizational risks is not
very important because it does not indicate how information security manages or reduces the risks.
References: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives
- Which of the following is the GREATEST benefit of incorporating information security governance into the
corporate governance framework?
A. Heightened awareness of information security strategies
B. Improved process resiliency in the event of attacks
C. Promotion of security-by-design principles to the business
D. Management accountability for information security
Answer: D
Explanation:
The greatest benefit of incorporating information security governance into the corporate governance
framework is D. Management accountability for information security. This is because management
accountability for information security means that the senior management and the board of directors are
responsible for defining, overseeing, and supporting the information security strategy, policies, and
objectives of the organization, and ensuring that they are aligned with the business goals, stakeholder
expectations, and regulatory requirements. Management accountability for information security also means
that the senior management and the board of directors are accountable for the performance, value, and
effectiveness of the information security program, and for the management and mitigation of the information
security risks and incidents. Management accountability for information security can help to foster a culture
of security awareness and responsibility, and to enhance the trust and confidence of the customers,
partners, and regulators in the organization’s information security capabilities.
References = CISM Review Manual 15th Edition, Chapter 1, Section 1.2.1, page 181; CISM domain 1:
Information security governance [Updated 2022] | Infosec2; Information Security Governance: Guidance for
Boards of Directors and Executive Management, 2nd Edition3
- Which of the following would BEST help to ensure compliance with an organization’s information security
requirements by an IT service provider?
A. Requiring an external security audit of the IT service provider
B. Requiring regular reporting from the IT service provider
C. Defining information security requirements with internal IT
D. Defining the business recovery plan with the IT service provider
Answer: B
Explanation:
Requiring regular reporting from the IT service provider is the best way to ensure compliance with the
organization’s information security requirements, as it allows the organization to monitor the performance,
security incidents, service levels, and compliance status of the IT service provider. Reporting also helps to
identify any gaps or issues that need to be addressed or resolved. (From CISM Review Manual 15th
Edition)
References: CISM Review Manual 15th Edition, page 184, section 4.3.3.2.
- An information security manager has become aware that a third-party provider is not in compliance with the
statement of work (SOW). Which of the following is the BEST course of action?
A. Notify senior management of the issue.
B. Report the issue to legal personnel.
C. Initiate contract renegotiation.
D. Assess the extent of the issue.
Answer: D
Explanation: The first course of action when the information security manager becomes aware that a
third-party provider is not in compliance with the SOW is to assess the extent of the issue, which means
determining the nature, scope, and impact of the non-compliance on the security of the enterprise’s data
and systems. The assessment should also identify the root cause of the non-compliance and the possible
remediation actions. The assessment will help the information security manager to decide the next steps,
such as notifying senior management, reporting the issue to legal personnel, initiating contract
renegotiation, or terminating the contract.
References = Ensuring Vendor Compliance and Third-Party Risk Mitigation, A Risk-Based Management
Approach to Third-Party Data Security, Risk and Compliance
- Which of the following should an information security manager do FIRST after identifying suspicious activity
on a PC that is not in the organization’s IT asset inventory?
A. Isolate the PC from the network
B. Perform a vulnerability scan
C. Determine why the PC is not included in the inventory
D. Reinforce information security training
Answer: C
Explanation: The first thing an information security manager should do after identifying suspicious activity
on a PC that is not in the organization’s IT asset inventory is to determine why the PC is not included in the
inventory. This will help to identify the source and scope of the threat, as well as the potential impact and
risk to the organization. The IT asset inventory is a list of all the hardware, software, data, and other
resources that are owned, controlled, or used by an organization. It helps to establish accountability,
visibility, and control over the IT assets, as well as to support security policies and procedures.
If a PC is not included in the inventory, it may indicate that it has been compromised by an unauthorized
user or entity, or that it has been moved or transferred without proper authorization. It may also indicate that
there are gaps or errors in the inventory management process, such as missing records, duplicate entries,
outdated information, or inaccurate classification. These issues can pose significant challenges for
information security management, such as:
✑ Lack of visibility into the IT environment and assets
✑ Difficulty in detecting and responding to incidents
✑ Increased risk of data breaches and cyberattacks
✑ Non-compliance with regulatory requirements and standards
✑ Reduced trust and confidence among stakeholders
Therefore, an information security manager should take immediate steps to investigate why the PC is not
included in the inventory and take appropriate actions to remediate the situation.
References = CISM Manual, Chapter 6: Incident Response Planning (IRP), Section 6.2: Inventory
Management [1]
1: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles
- The business value of an information asset is derived from:
A. the threat profile.
B. its criticality.
C. the risk assessment.
D. its replacement cost.
Answer: B
Explanation:
The business value of an information asset is derived from its criticality, which is the degree of importance
or dependency of the asset to the organization’s objectives, operations, and stakeholders. The criticality of
an information asset can be determined by assessing its impact on the confidentiality, integrity, and
availability (CIA) of the information, as well as its sensitivity, classification, and regulatory requirements.
The higher the criticality of an information asset, the higher its business value, and the more resources and
controls are needed to protect it.
References = CISM Review Manual 2022, page 371; CISM Exam Content Outline, Domain 1, Task 1.32; IT
Asset Valuation, Risk Assessment and Control Implementation Model1; Managing Data as an Asset3
- A risk owner has accepted a large amount of risk due to the high cost of controls. Which of the following
should be the information security manager’s PRIMARY focus in this situation?
A. Establishing a strong ongoing risk monitoring process
B. Presenting the risk profile for approval by the risk owner
C. Conducting an independent review of risk responses
D. Updating the information security standards to include the accepted risk
Answer: A
Explanation: The information security manager’s PRIMARY focus in this situation should be establishing a
strong ongoing risk monitoring process, which is the process of tracking and evaluating the changes in the
risk environment, the effectiveness of the risk responses, and the impact of the residual risk on the
organization. A strong ongoing risk monitoring process can help the information security manager to
identify any deviations from the expected risk level, to report any significant changes or issues to the risk
owner and other stakeholders, and to recommend any adjustments or improvements to the risk
management strategy. Presenting the risk profile for approval by the risk owner is not the primary focus in
this situation, as it is a step that should be done before the risk owner accepts the risk, not after. Conducting
an independent review of risk responses is not the primary focus in this situation, as it is a quality assurance
activity that can be performed by an external auditor or a third-party expert, not by the information security
manager. Updating the information security standards to include the accepted risk is not the primary focus
in this situation, as it is a documentation activity that does not address the ongoing monitoring and reporting
of the risk. References = CISM Review Manual, 16th Edition, page 228; CISM Review Questions,
Answers & Explanations Manual, 10th Edition, page 102
- An information security manager has learned of an increasing trend in attacks that use phishing emails
impersonating an organization’s CEO in an attempt to commit wire transfer fraud. Which of the following is
the BEST way to reduce the risk associated with this type of attack?
A. Temporarily suspend wire transfers for the organization.
B. Provide awareness training to the CEO for this type of phishing attack.
C. Provide awareness training to staff responsible for wire transfers.
D. Disable emails for staff responsible for wire transfers.
Answer: C
- The use of a business case to obtain funding for an information security investment is MOST effective when
the business case:
A. relates the investment to the organization’s strategic plan.
B. translates information security policies and standards into business requirements.
C. articulates management’s intent and information security directives in clear language.
D. realigns information security objectives to organizational strategy.
Answer: D
- Which of the following is MOST important to consider when choosing a shared alternate location for
computing facilities?
A. The organization’s risk tolerance
B. The organization’s mission
C. Resource availability
D. Incident response team training
Answer: A
Explanation: The organization’s risk tolerance is the most important factor to consider when choosing a
shared alternate location for computing facilities, as it determines the acceptable level of risk exposure and
the required recovery time objective (RTO) for the organization. A shared alternate location is a facility that
is used by multiple organizations for disaster recovery purposes, and it may have limited resources,
availability, and security. Therefore, the organization must assess its risk tolerance and ensure that the
shared alternate location can meet its recovery requirements and protect its information assets. References
= CISM Review Manual, 27th Edition, Chapter 4, Section 4.3.2, page 229; CISM Online Review Course,
Module 4, Lesson 3, Topic 22; BCMpedia, Alternate Site
- Which of the following control types should be considered FIRST for aligning employee behavior with an
organization’s information security objectives?
A. Administrative security controls
B. Technical security controls
C. Physical security controls
D. Access security controls
Answer: A
- Which of the following BEST indicates the effectiveness of the vendor risk management process?
A. Increase in the percentage of vendors certified to a globally recognized security standard
B. Increase in the percentage of vendors with a completed due diligence review
C. Increase in the percentage of vendors conducting mandatory security training
D. Increase in the percentage of vendors that have reported security breaches
Answer: A
Explanation:
This answer best indicates the effectiveness of the vendor risk management process because it shows that
the organization has established and enforced clear and consistent security requirements and expectations
for its vendors, and that the vendors have demonstrated their compliance and commitment to security best
practices. A globally recognized security standard, such as ISO 27001, NIST CSF, or COBIT, provides a
comprehensive and objective framework for assessing and improving the security posture and performance
of vendors.
References: The CISM Review Manual 2023 states that “the information security manager is responsible
for ensuring that the security requirements and expectations for third-party products and services are
defined, communicated, and enforced” and that “the information security manager should verify that the
third parties have implemented adequate security controls and practices, and that they comply with
applicable standards and regulations” (p. 138). The CISM Review Questions, Answers & Explanations
Manual 2023 also provides the following rationale for this answer: “Increase in the percentage of vendors
certified to a globally recognized security standard is the correct answer because it best indicates the
effectiveness of the vendor risk management process, as it shows that the organization has established
and enforced clear and consistent security requirements and expectations for its vendors, and that the
vendors have demonstrated their compliance and commitment to security best
practices” (p. 63). Additionally, the article Vendor Risk Management Demystified from the ISACA Journal
2015 states that “a globally recognized security standard provides a common language and framework for
evaluating and improving the security posture and performance of vendors” and that “a vendor certification
to a globally recognized security standard can help to reduce the risk of security breaches, increase the
trust and confidence of customers and stakeholders, and enhance the reputation and competitiveness of
the vendor” (p. 3
- Which of the following would MOST effectively ensure that a new server is appropriately secured?
A. Performing secure code reviews
B. Enforcing technical security standards
C. Conducting penetration testing
D. Initiating security scanning
Answer: B
Explanation: Enforcing technical security standards is the most effective way to ensure that a new server is
appropriately secured because it ensures that the server complies with the organization’s security policies
and best practices, such as encryption, authentication, patching, and hardening. Performing secure code
reviews is not relevant for securing a new server, unless it is running custom applications that need to be
verified for security flaws. Conducting penetration testing is not sufficient for securing a new server,
because it only identifies vulnerabilities that can be exploited by attackers, but does not fix them. Initiating
security scanning is not sufficient for securing a new server, because it only detects known vulnerabilities or
misconfigurations, but does not enforce security standards or remediate issues. References:
https://www.isaca.org/resources/isacajournal/issues/2016/volume-4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/secure-code-review
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/the-value-of-penetration-testing
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanning-versus-penetration-testing
- Which of the following BEST determines an information asset’s classification?
A. Value of the information asset in the marketplace
B. Criticality to a business process
C. Risk assessment from the data owner
D. Cost of producing the information asset
Answer: B
Explanation: According to the CISM Review Manual, 15th Edition1, information asset classification is the
process of assigning a level of sensitivity to information assets based on their importance to the
organization and the potential impact of unauthorized disclosure, modification or destruction. The criticality
of an information asset to a business process is one of the key factors that determines its classification
level.
References = 1: CISM Review Manual, 15th Edition, ISACA, 2016, Chapter 2, page 61.
- Which of the following is the GREATEST concern resulting from the lack of severity criteria in incident
classification?
A. Statistical reports will be incorrect.
B. The service desk will be staffed incorrectly.
C. Escalation procedures will be ineffective.
D. Timely detection of attacks will be impossible.
Answer: C
Explanation: The greatest concern resulting from the lack of severity criteria in incident classification is that
escalation procedures will be ineffective because they rely on severity criteria to determine when and how
to escalate an incident to higher levels of authority or responsibility, and what actions or resources are
required for resolving an incident. Statistical reports will be incorrect is not a great concern because they do
not affect the incident response process directly, but rather provide information or analysis for improvement
or evaluation purposes. The service desk will be staffed incorrectly is not a great concern because it does
not affect the incident response process directly, but rather affects the availability or efficiency of one of its
components. Timely detection of attacks will be impossible is not a great concern because it does not
depend on severity criteria, but rather on monitoring and alerting mechanisms. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned
- An internal audit has revealed that a number of information assets have been inappropriately classified. To
correct the classifications, the remediation accountability should be assigned to:
A. the business users.
B. the information owners.
C. the system administrators.
D. senior management.
Answer: B
Explanation:
The best automated control to resolve the issue of security incidents not being appropriately escalated by
the help desk is to integrate incident response workflow into the help desk ticketing system. This will ensure
that the help desk staff follow the predefined steps and procedures for handling and escalating security
incidents, based on the severity, impact, and urgency of each incident. The incident response workflow will
also provide clear guidance on who to notify, when to notify, and how to notify the relevant stakeholders
and authorities. This will improve the efficiency, effectiveness, and consistency of the incident response
process.
References = CISM Review Manual, 16th Edition, page 290; A Practical Approach to Incident
Management Escalation
- Which of the following is the MOST important issue in a penetration test?
A. Having an independent group perform the test
B. Obtaining permission from audit
C. Performing the test without the benefit of any insider knowledge
D. Having a defined goal as well as success and failure criteria
Answer: D
Explanation: The most important issue in a penetration test is having a defined goal as well as success and
failure criteria. A penetration test is a simulated cyber attack against a computer system or an application to
check for exploitable vulnerabilities. The goal of a penetration test is to identify and evaluate the security
risks and weaknesses of the target system or application, and to provide recommendations for
improvement. The success and failure criteria of a penetration test are the metrics and indicators that
measure the effectiveness and efficiency of the test, and the extent to which the test achieves its goal. By
having a defined goal as well as success and failure criteria, the penetration tester can plan and execute
the test in a systematic and structured manner, and can communicate and report the results and findings in
a clear and concise way. The other options are not the most important issue in a penetration test, although
they may be factors or considerations that affect the test. Having an independent group perform the
test is a desirable practice, as it can provide an unbiased and objective assessment of the target system or
application. However, it is not essential, as long as the penetration tester follows ethical hacking principles
and standards. Obtaining permission from audit is a mandatory requirement, as it ensures that the
penetration test is authorized and compliant with the organization’s policies and regulations. However, it is
not an issue, as it is a prerequisite for conducting the test. Performing the test without the benefit of any
insider knowledge is an optional approach, as it simulates a real-world attack by an external hacker who
does not have access to the internal design or configuration of the target system or application. However, it
is not always feasible or effective, as some vulnerabilities may be hidden or inaccessible from an outsider’s
perspective.
- An information security manager has identified that privileged employee access requests to production
servers are approved; but user actions are not logged. Which of the following should be the GREATEST
concern with this situation?
A. Lack of availability
B. Lack of accountability
C. Improper authorization
D. Inadequate authentication
Answer: B
Explanation: The greatest concern with the situation of privileged employee access requests to production
servers being approved but not logged is the lack of accountability, which means the inability to trace or
verify the actions and decisions of the privileged users. Lack of accountability can lead to security risks
such as unauthorized changes, data breaches, fraud, or misuse of privileges. Logging user actions is a key
component of privileged access management (PAM), which helps to monitor, detect, and prevent
unauthorized privileged access to critical resources. The other options, such as lack of availability, improper
authorization, or inadequate authentication, are not directly related to the situation of not logging user
actions. References:
✑ https://www.microsoft.com/en-us/security/business/security-101/what-is-privileged-access-management-pam
✑ https://www.ekransystem.com/en/blog/privileged-user-monitoring-best-practices
✑ https://www.beyondtrust.com/resources/glossary/privileged-access-management-pam
- Which of the following would BEST enable the timely execution of an incident response plan?
A. The introduction of a decision support tool
B. Definition of trigger events
C. Clearly defined data classification process
D. Centralized service desk
Answer: B
Explanation: Definition of trigger events is the best way to enable the timely execution of an incident
response plan because it helps to specify the conditions or criteria that initiate the incident response
process. Trigger events are predefined scenarios or indicators that signal the occurrence or potential
occurrence of a security incident, such as a ransomware attack, a data breach, a denial-of-service attack,
or an unauthorized access attempt. Definition of trigger events helps to ensure that the incident response
team is alerted and activated as soon as possible, as well as to determine the appropriate level and scope
of response based on the severity and impact of the incident. Therefore, definition of trigger events is the
correct answer.
References:
✑ https://www.atlassian.com/incident-management/kpis/common-metrics
✑ https://www.varonis.com/blog/incident-response-plan/
✑ https://holierthantao.com/2023/05/03/minimizing-disruptions-a-comprehensive-guide-to-incident-response-planning-and-execution/
- Which of the following is MOST important to complete during the recovery phase of an incident response
process before bringing affected systems back online?
A. Record and close security incident tickets.
B. Test and verify that compromised systems are clean.
C. Document recovery steps for senior management reporting.
D. Capture and preserve forensic images of affected systems.
Answer: B