4 Flashcards

1
Q
Management would like to understand the risk associated with engaging an Infrastructure-as-a-Service (IaaS) provider compared to hosting internally. Which of the following would provide the BEST method of comparing risk scenarios?

A. Mapping risk scenarios according to sensitivity of data
B. Reviewing mitigating and compensating controls for each risk scenario
C. Mapping the risk scenarios by likelihood and impact on a chart
D. Performing a risk assessment on the IaaS provider

A

Answer: C

Explanation:
Plotting the risk scenarios for both options on a likelihood-versus-impact chart (a risk map or heat map) is the best way to compare them, because it puts every scenario, for IaaS and for internal hosting, on the same scale and makes the differences in type and level of risk visible at a glance. The chart also supports the communication and decision-making process by showing the trade-offs of each option. The ratings can be qualitative or quantitative, depending on the availability and accuracy of the information. The other options are inputs to that comparison rather than the comparison itself: data sensitivity feeds the impact rating, mitigating and compensating controls feed the likelihood rating, and a risk assessment of the provider produces the scenarios to be plotted.
References = CISM Review Manual 2022, page 37; CISM Exam Content Outline, Domain 1, Task 1.3; A risk assessment model for selecting cloud service providers; Security best practices for IaaS workloads in Azure

2
Q
In addition to executive sponsorship and business alignment, which of the following is MOST critical for information security governance?

A. Ownership of security
B. Compliance with policies
C. Auditability of systems
D. Allocation of training resources

A

Answer: A

Explanation: Information security governance is the process of establishing and maintaining a framework to
provide assurance that information security strategies are aligned with business objectives and consistent
with applicable laws and regulations. In addition to executive sponsorship and business alignment, a critical
factor for effective information security governance is ownership of security, which means that the roles and
responsibilities for information security are clearly defined and assigned to the appropriate stakeholders,
such as business owners, information owners, information custodians, and users. Ownership of security
also implies accountability for the protection of information assets and the management of security risks.
References: https://www.isaca.org/credentialing/cism; https://www.nist.gov/publications/information-security-handbook-guide-managers

3
Q
Which of the following tools provides an incident response team with the GREATEST insight into insider threat activity across multiple systems?

A. A security information and event management (SIEM) system
B. An intrusion prevention system (IPS)
C. A virtual private network (VPN) with multi-factor authentication (MFA)
D. An identity and access management (IAM) system

A

Answer: A

Explanation:
A SIEM system is the best tool for providing an incident response team with the greatest insight into insider
threat activity across multiple systems because it can collect, correlate, analyze, and report on security
events and logs from various sources, such as network devices, servers, applications, and user activities. A
SIEM system can also detect and alert on anomalous or suspicious behaviors, such as unauthorized
access, data exfiltration, privilege escalation, or policy violations, that may indicate an insider threat. A
SIEM system can also support forensic investigations and incident response actions by providing a
centralized and comprehensive view of the security posture and incidents.
References: The CISM Review Manual 2023 defines SIEM as “a technology that provides real-time
analysis of security alerts generated by network hardware and applications” and states that “SIEM systems
can help identify insider threats by correlating user activity logs with other security events and detecting
deviations from normal patterns” (p. 184). The CISM Review Questions, Answers & Explanations Manual
2023 also provides the following rationale for this Answer: “A security information and event management
(SIEM) system is the correct answer because it can provide the most insight into insider threat activity
across multiple systems by collecting, correlating, analyzing, and reporting on security events and logs from
various sources” (p. 95). Additionally, the Detecting and Identifying Insider Threats article from the CISA
website states that “threat detection and identification is the process by which persons who might present
an insider threat risk due to their observable, concerning behaviors come to the attention of an organization
or insider threat team. Detecting and identifying potential insider threats requires both human and
technological elements” and that “technological elements include tools such as security information and
event management (SIEM) systems, user and entity behavior analytics (UEBA) systems, and data loss
prevention (DLP) systems, which can monitor, analyze, and alert on user activities and network events” (p. 1).
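As an added example (not from the CISM material or the cited sources), the correlation a SIEM performs, reduced to a few dozen lines of Python over constructed sample logs from three systems: a VPN gateway, a file server and a web proxy. The rule, the field names, the thresholds and the users are all assumptions made for the illustration. It shows the point the explanation makes: each source on its own looks unremarkable, and only the join across systems by user and time produces the insider-exfiltration alert.

```python
"""Cross-source correlation of the kind a SIEM performs, applied to
constructed sample logs (added example; not from the CISM material)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three separate systems, each with its own
# field names. Only "jdoe" shows the full off-hours login -> bulk read ->
# large external upload sequence.
VPN_LOG = [
    "2024-03-04T02:11:05 vpn-gw1 user=jdoe action=login src=203.0.113.7",
    "2024-03-04T09:02:44 vpn-gw1 user=asmith action=login src=198.51.100.20",
]
FILESERVER_LOG = [
    "2024-03-04T02:15:30 fs01 user=jdoe event=read share=finance files=412",
    "2024-03-04T09:10:12 fs01 user=asmith event=read share=finance files=3",
]
PROXY_LOG = [
    "2024-03-04T02:31:02 proxy1 user=jdoe method=PUT dest=files.example.net bytes=734003200",
    "2024-03-04T09:30:40 proxy1 user=asmith method=GET dest=intranet.example.com bytes=2048",
]

# Rule thresholds: assumed values for this example, tuned per organisation.
OFF_HOURS = range(0, 6)            # 00:00-05:59 local time
BULK_FILES = 100                   # reads on a sensitive share
BULK_BYTES = 100 * 1024 * 1024     # single outbound transfer
WINDOW = timedelta(hours=1)        # login to upload


def parse_kv(line, source):
    """Normalise 'timestamp host k=v ...' lines into one common schema."""
    ts, host, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host, "user": fields.pop("user"), **fields}


def correlate(events):
    """Per user: an off-hours VPN login followed within WINDOW by a bulk
    sensitive-share read and a large external upload raises one alert."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for login in evs:
            if not (login["source"] == "vpn" and login.get("action") == "login"
                    and login["ts"].hour in OFF_HOURS):
                continue
            start, end = login["ts"], login["ts"] + WINDOW
            in_window = [e for e in evs if start <= e["ts"] <= end]
            reads = [e for e in in_window if e["source"] == "fileserver"
                     and int(e.get("files", 0)) >= BULK_FILES]
            uploads = [e for e in in_window if e["source"] == "proxy"
                       and e.get("method") == "PUT"
                       and int(e.get("bytes", 0)) >= BULK_BYTES]
            if reads and uploads:
                alerts.append({"user": user, "start": start,
                               "evidence": [login] + reads + uploads})
    return alerts


def run(vpn=VPN_LOG, fs=FILESERVER_LOG, proxy=PROXY_LOG):
    """Ingest all three sources and return the correlated alerts."""
    events = ([parse_kv(l, "vpn") for l in vpn]
              + [parse_kv(l, "fileserver") for l in fs]
              + [parse_kv(l, "proxy") for l in proxy])
    return correlate(events)


if __name__ == "__main__":
    for a in run():
        srcs = sorted({e["source"] for e in a["evidence"]})
        print(f"ALERT user={a['user']} start={a['start']} sources={srcs}")
```

Dropping any one of the three sources (run with `proxy=[]` or `fs=[]`) produces no alert at all, which is the practical argument for a SIEM over an IPS, a VPN or an IAM system on its own: each of those sees one leg of the sequence.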

4
Q
Which of the following should be the GREATEST concern for an information security manager when an annual audit reveals the organization’s business continuity plan (BCP) has not been reviewed or updated in more than a year?

A. An outdated BCP may result in less efficient recovery if an actual incident occurs.
B. The organization may suffer reputational damage for not following industry best practices.
C. The audit finding may impact the overall risk rating of the organization.
D. The lack of updates to the BCP may result in noncompliance with internal policies.

A

Answer: A

Explanation:
A BCP is a document that outlines the processes and procedures to maintain or resume critical business
functions and minimize the impact of a disruption on the organization’s objectives, customers, and
stakeholders. A BCP should be reviewed and updated regularly to reflect the changes in the organization’s
environment, risks, resources, and requirements. An outdated BCP may result in less efficient recovery if
an actual incident occurs, as it may not account for the current situation, dependencies, priorities, or
recovery strategies. This may lead to increased downtime, losses, or damages for the organization.
References = CISM Review Manual 2022, page 310; CISM Exam Content Outline, Domain 4, Knowledge Statement 4.8; CISM 2020: Business Continuity; Part Two: Business Continuity and Disaster Recovery Plans

5
Q
Which of the following would BEST enable a new information security manager to obtain senior management support for an information security governance program?

A. Demonstrating the program’s value to the organization
B. Discussing governance programs found in similar organizations
C. Providing the results of external audits
D. Providing examples of information security incidents within the organization

A

Answer: A

Explanation: The best way to obtain senior management support for an information
security governance program is to demonstrate the program’s value to the organization, such as how it can
help achieve business objectives, reduce operational risks, enhance resilience, and comply with
regulations. Demonstrating the value of information security governance can help senior management
understand the benefits and costs of the program, and motivate them to participate in the decision-making
process. The other options, such as discussing governance programs in similar organizations, providing
external audit results, or providing examples of incidents, may not be sufficient or persuasive enough to
obtain senior management support, as they may not reflect the specific needs and goals of the organization.
References:
✑ https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/how-to-involve-senior-management-in-the-information-security-governance-process
✑ https://www.sans.org/white-papers/992/
✑ https://www.govtech.com/blogs/lohrmann-on-cybersecurity/how-to-get-management-support-for-your-security-program.html

6
Q
Which type of recovery site is MOST reliable and can support stringent recovery requirements?

A. Cold site
B. Warm site
C. Hot site
D. Mobile site

A

Answer: C

Explanation: A hot site is the most reliable type of recovery site and can support stringent recovery
requirements because it is a fully operational facility that mirrors the primary production center. A hot site
has all the hardware, software, data, network, and personnel ready to resume the critical business functions
within minutes of a disruptive event. A hot site also has backup power, security, and communication
systems to ensure the continuity of operations.
References: The CISM Review Manual 2023 defines a hot site as “a fully operational facility that mirrors the
primary production center” and states that “a hot site can support stringent recovery requirements and
provide the shortest recovery time” (p. 190). The CISM Review Questions, Answers & Explanations Manual
2023 also provides the following rationale for this Answer: “A hot site is the correct answer because it is the
most reliable type of recovery site and can support stringent recovery requirements, as it is a fully
operational facility that mirrors the primary production center and can resume the critical business functions
within minutes of a disruptive event” (p. 96).

7
Q
Which of the following should an information security manager do FIRST upon learning that a competitor has experienced a ransomware attack?

A. Perform a full data backup.
B. Conduct ransomware awareness training for all staff.
C. Update indicators of compromise in the security systems.
D. Review the current risk assessment.

A

Answer: D

Explanation: A ransomware attack on a competitor is new threat information about the organization’s own sector, but it does not by itself show that the organization is exposed. The first step is to review the current risk assessment against that information to determine whether the likelihood or impact of a ransomware scenario has changed and whether the existing controls (backups, patching, awareness training, detection content) are still adequate. Taking a full backup, running awareness training and loading new indicators of compromise are all possible responses; which of them is warranted, and how urgently, follows from the risk review.

8
Q
Which of the following is MOST helpful in determining the criticality of an organization’s business functions?

A. Disaster recovery plan (DRP)
B. Business impact analysis (BIA)
C. Business continuity plan (BCP)
D. Security assessment report (SAR)

A

Answer: B

Explanation:
Business impact analysis (BIA) is the most helpful in determining the criticality of an organization’s business
functions because it is a process of identifying and evaluating the potential effects of disruptions or
interruptions to those functions. BIA helps to prioritize the recovery of the most critical functions and to
estimate the resources and time needed for the recovery. Therefore, business impact analysis (BIA) is the
correct answer.
References:
✑ https://www.linkedin.com/pulse/business-continuity-critical-functions-tino-marquez
✑ https://www.techtarget.com/searchitchannel/feature/Business-impact-analysis-for-business-continuity-Understanding-impact-criticality

9
Q
Which of the following should be the PRIMARY outcome of an information security program?

A. Strategic alignment
B. Risk elimination
C. Cost reduction
D. Threat reduction

A

Answer: A

Explanation: According to the CISM Review Manual (Digital Version), Chapter 3, Section 3.2.1, strategic alignment is the primary outcome of an information security program. Strategic alignment means that the program supports and is tailored to the organization’s objectives and business strategy, and that it is aligned with the other assurance functions, such as physical security, human resources, quality, and IT.
The manual also states that strategic alignment is essential for achieving a competitive advantage, enhancing customer trust, reducing legal and regulatory risk, and improving organizational performance. It requires effective communication and collaboration among all stakeholders, including senior management, information owners, information security managers, information security steering committees, and external partners.
Risk elimination is not achievable, and cost reduction and threat reduction are possible side effects of a well-run program rather than its purpose.
The CISM Exam Content Outline also covers strategic alignment in Domain 3, Information Security Program Development and Management (33% exam weight). The subtopics include:
✑ 3.2.1 Information Security Strategy
✑ 3.2.2 Information Security Governance
✑ 3.2.3 Information Security Risk Management
✑ 3.2.4 Information Security Compliance

10
Q
Which of the following events is MOST likely to require an organization to revisit its information security framework?

A. New services offered by IT
B. Changes to the risk landscape
C. A recent cybersecurity attack
D. A new technology implemented

A

Answer: B

Explanation:
Changes to the risk landscape are the most likely events to require an organization to revisit its information
security framework, because they may affect the organization’s risk appetite, risk tolerance, risk profile, and
risk treatment strategies. The information security framework should be aligned with the organization’s
business objectives and risk management approach, and should be reviewed and updated regularly to
reflect the changing internal and external environment.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 35: “The information security framework should be
reviewed and updated regularly to ensure that it remains aligned with the enterprise’s business objectives
and risk management approach and reflects the changing internal and external environment.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 36: “Changes in the risk landscape may require the
enterprise to revisit its risk appetite, risk tolerance, risk profile, and risk treatment strategies.”

11
Q
Which of the following is the MOST important consideration when updating procedures for managing security devices?

A. Updates based on the organization’s security framework
B. Notification to management of the procedural changes
C. Updates based on changes in risk, technology and process
D. Review and approval of procedures by management

A

Answer: C

Explanation: Procedures for managing security devices (firewalls, IDS/IPS, web application firewalls, VPN gateways and similar) exist to keep those devices configured, monitored and maintained in a way that addresses current risk. The most important consideration when updating them is therefore that the updates reflect changes in risk, technology and process: a new threat, a new or replaced device platform, or a changed operational process is what makes the existing procedure inaccurate. For example, if a security device is introduced or replaced, its configuration, monitoring and maintenance procedures should be updated to match it, and if a new process changes how devices are monitored or maintained, the procedures should change with it.
Alignment with the organization’s security framework, notification to management and management review and approval are all part of a sound change management process, which should identify, analyze, approve, implement and evaluate each change, ideally through a change control board (CCB) of representatives from the affected stakeholders who review and approve changes before they are implemented. Those steps govern how a change is made; they do not determine whether the updated procedure actually matches the current environment, which is the point of updating it.

12
Q
Which of the following is MOST important to maintain integration among the incident response plan, business continuity plan (BCP), and disaster recovery plan (DRP)?

A. Asset classification
B. Recovery time objectives (RTOs)
C. Chain of custody
D. Escalation procedures

A

Answer: B

Explanation: The recovery time objective (RTO) is the maximum acceptable time between a disruption and the restoration of a business process or the system that supports it. RTOs are the most important element for keeping the incident response plan, BCP and DRP integrated because all three plans must work to the same recovery targets: the incident response plan decides when an incident is escalated to a continuity event, the BCP keeps the business function running within the RTO, and the DRP restores the supporting IT systems within it. If the plans carry different RTOs, one of them is working to a deadline the others cannot meet. Defining clear and realistic RTOs lets the organization restore systems in the order and time the business actually needs, minimizing the impact on operations and customers. Asset classification, chain of custody and escalation procedures each matter to one of the plans but do not tie the three together.
References = CISM Manual, Chapter 6: Incident Response Planning, Section 6.2: Recovery Time Objectives (RTOs), page 97 (https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles)

13
Q
When assigning a risk owner, the MOST important consideration is to ensure the owner has:

A. adequate knowledge of risk treatment and related control activities.
B. decision-making authority and the ability to allocate resources for risk.
C. sufficient time for monitoring and managing the risk effectively.
D. risk communication and reporting skills to enable decision-making.

A

Answer: B

Explanation: The risk owner is the person or entity accountable for a risk and authorized to decide how it is treated. The most important consideration when assigning one is therefore decision-making authority and the ability to allocate resources for risk treatment and the related control activities; without that authority the owner can only recommend, not act. The owner is also responsible for monitoring and reporting on the risk, but knowledge of risk treatment, time for day-to-day monitoring and reporting skills can all be supplemented: the owner can delegate monitoring, consult experts and rely on staff for reporting. Authority and budget cannot be borrowed in the same way.
References =
✑ CISM Review Manual 15th Edition, page 76
✑ CISM Practice Quiz, question 417

14
Q
Which of the following is the BEST way to contain an SQL injection attack that has been detected by a web application firewall?

A. Force password changes on the SQL database.
B. Reconfigure the web application firewall to block the attack.
C. Update the detection patterns on the web application firewall.
D. Block the IPs from where the attack originates.

A

Answer: B

Explanation: The attack has already been detected, so the immediate containment step is to reconfigure the web application firewall (WAF) so that the rule that matched the traffic blocks it instead of only logging it: moving the rule from detect or monitor mode to blocking mode, or adding a blocking rule for the observed request pattern. That stops further exploitation of the vulnerable query while the application team fixes the root cause.
The other options are weaker. Forcing password changes on the SQL database does nothing to the injection itself, because the attacker is riding the application’s own database connection, not a stolen credential, and an uncoordinated credential rotation can break the application. Updating the detection patterns improves what the WAF can see, but detection without a blocking action does not stop the requests that are already getting through. Blocking the source IP addresses is easily evaded (new addresses, proxies, botnets) and can cut off legitimate users behind shared addresses.
A WAF block is containment, not eradication: the injectable code path still has to be fixed, normally by replacing string-built SQL with parameterized queries, and the WAF rule should be kept only as a compensating control until that is done.
References = CISM Review Manual, 16th Edition, ISACA, 2020, pp. 32-33…
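As an added example (not from the CISM manual), the three measures in the explanation side by side in Python, using an in-memory SQLite table built inline: the injectable query, a minimal WAF-style rule that can run in detect or block mode, and the parameterised query that removes the vulnerability. The payload, the rule patterns and the table contents are constructed for the illustration and are not a production signature set.

```python
"""SQL injection: the vulnerable query, WAF-style containment in detect
versus block mode, and the parameterised fix (added example, not from
the CISM material). Uses an in-memory SQLite database built inline."""
import re
import sqlite3


def build_db():
    """Constructed sample table; the password hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "bob", "hash-b")])
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input is spliced into the SQL text,
    so a quote in it changes the query."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    """Eradication: a bound parameter is sent as data, never as SQL."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchall()


# Containment: a minimal WAF rule set. Patterns are illustrative only,
# not a production signature list.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s+'?\w+'?\s*=\s*'?\w+",   # ' OR '1'='1
    r"union\s+select",                 # UNION SELECT ...
    r";\s*(drop|delete|update)\s",     # stacked statement
)]


def waf(param, mode, backend):
    """mode='detect' logs the match and forwards the request (the state the
    question describes); mode='block' rejects matching requests with 403."""
    flagged = any(p.search(param) for p in SQLI_PATTERNS)
    if flagged and mode == "block":
        return {"status": 403, "rows": [], "flagged": True}
    return {"status": 200, "rows": backend(param), "flagged": flagged}


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    vuln = lambda u: lookup_vulnerable(conn, u)
    print("vulnerable, detect mode:", waf(payload, "detect", vuln))
    print("vulnerable, block mode: ", waf(payload, "block", vuln))
    print("fixed query, no WAF:    ", lookup_fixed(conn, payload))
```

In detect mode the WAF sees the payload but the backend still returns every row; switching the same rule to block mode is the containment step in the answer. The fixed query returns nothing for the payload with or without a WAF in front of it, which is why containment has to be followed by eradication.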

15
Q
The PRIMARY consideration when responding to a ransomware attack should be to ensure:

A. backups are available.
B. the most recent patches have been applied.
C. the ransomware attack is contained
D. the business can operate

A

Answer: D

Explanation: Ensuring the business can operate is the primary consideration when responding to a ransomware attack because the purpose of the response is to minimize the disruption to the organization’s mission-critical functions and services. Ransomware is malware that encrypts the victim’s files or systems and demands payment for their decryption; an attack can cause significant operational, financial and reputational damage, especially when it reaches core business processes or customer data. Available backups, current patches and containment of the attack are all means to that end: backups and containment are what make restoring operations possible and patching closes the entry point, but each is judged by whether it keeps the business operating.
References:
✑ https://www.cisa.gov/stopransomware/ransomware-guide
✑ https://csrc.nist.gov/Projects/ransomware-protection-and-response
✑ https://learn.microsoft.com/en-us/azure/security/fundamentals/ransomware-detect-respond

16
Q
Which of the following should have the MOST influence on an organization’s response to a new industry regulation?

A. The organization’s control objectives
B. The organization’s risk management framework
C. The organization’s risk appetite
D. The organization’s risk control baselines

A

Answer: C

Explanation:
The most influential factor on an organization’s response to a new industry regulation is the organization’s
risk appetite. This is because the risk appetite defines the level of risk that
the organization is willing to accept in pursuit of its objectives, and it guides the decision- making process
for managing risks. The risk appetite also determines the extent to which the organization needs to comply
with the new regulation, and the resources and actions required to achieve compliance. The risk appetite
should be aligned with the organization’s strategy, culture, and values, and it should be communicated and
monitored throughout the organization.

17
Q
A financial institution is planning to develop a new mobile application. Which of the following is the BEST time to begin assessments of the application’s security compliance?

A. During user acceptance testing (UAT)
B. During the design phase
C. During static code analysis
D. During regulatory review

A

Answer: B

Explanation: Security and compliance requirements are cheapest and most effective to address when they shape the design. Assessing compliance during the design phase lets requirements such as data protection, authentication, logging and the institution’s regulatory obligations be built into the architecture before code is written. User acceptance testing, static code analysis and regulatory review all come later in the lifecycle and can only find defects in a design that is already committed, when changes are far more expensive.

18
Q
Which of the following BEST facilitates the development of a comprehensive information security policy?

A. Alignment with an established information security framework
B. An established internal audit program
C. Security key performance indicators (KPIs)
D. A review of recent information security incidents

A

Answer: A

Explanation:
Alignment with an established information security framework is the BEST way to facilitate the development
of a comprehensive information security policy, because it provides a consistent and structured approach to
define, implement, and maintain the policy across the organization. An information security framework is a
set of best practices, standards, and guidelines that help to ensure the effectiveness, efficiency, and
compliance of the information security policy.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 35: “An information security framework is a set of best
practices, standards, and guidelines that provide a consistent and structured approach to information
security governance.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 36: “The information security policy
should be aligned with an established information security framework to ensure its effectiveness, efficiency,
and compliance.”

19
Q
A finance department director has decided to outsource the organization’s budget application and has identified potential providers. Which of the following actions should be initiated FIRST by an information security manager?

A. Determine the required security controls for the new solution
B. Review the disaster recovery plans (DRPs) of the providers
C. Obtain audit reports on the service providers’ hosting environment
D. Align the roles of the organization’s and the service providers’ staff.

A

Answer: A

Explanation: Before outsourcing any application or service, an information security manager should first
determine the required security controls for the new solution, based on the organization’s risk appetite,
security policies and standards, and regulatory requirements. This will help to evaluate and select the most
suitable provider, as well as to define the security roles and responsibilities, service level agreements
(SLAs), and audit requirements.
References: https://www.isaca.org/credentialing/cism; https://www.wiley.com/en-us/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948

20
Q
When developing a categorization method for security incidents, the categories MUST:

A. align with industry standards.
B. be created by the incident handler.
C. have agreed-upon definitions.
D. align with reporting requirements.

A

Answer: C

Explanation: When developing a categorization method for security incidents, the categories must have agreed-upon definitions. Clear, consistent definitions shared by everyone involved in incident response, including incident handlers, stakeholders, management and external authorities, ensure that incidents are classified and reported accurately, that the appropriate actions and resources are allocated, and that communication and coordination are effective. Without them the same event may be classified differently by different handlers, and severity ratings, metrics and reporting become unreliable.
The other options may be desirable but are not mandatory. Aligning with industry standards helps to adopt best practice and benchmarks but may not suit every type of incident or organization. Having the incident handler create the categories allows flexibility and customization but introduces inconsistency and ambiguity if the definitions are not shared and agreed by others. Aligning with reporting requirements supports legal or contractual obligations but may not cover every aspect of the incidents that needs to be categorized.
References = CISM Review Manual, 16th Edition, pages 200-201; CISM Review Questions, Answers & Explanations Manual, 10th Edition, page 82

21
Q
Which of the following is the BEST way to monitor for advanced persistent threats (APT) in an organization?

A. Network with peers in the industry to share information.
B. Browse the Internet to learn of potential events.
C. Search for anomalies in the environment
D. Search for threat signatures in the environment.

A

Answer: C

Explanation: An advanced persistent threat (APT) is a stealthy, well-resourced attack that compromises a target and maintains access to it over a long period, often for espionage or sabotage. APT operators use custom or modified tooling and change their infrastructure frequently, so signature-based controls such as antivirus, IDS rules and known-bad indicator lists tend to miss them. The best way to monitor for APTs is therefore to search for anomalies in the environment: unusual network traffic (for example, regular outbound connections from a workstation to a domain nobody else has visited), unexpected user behavior, unusual file activity, or unexplained configuration changes, each measured against a baseline of what is normal for that host, user and network. Peer information sharing and open-source research are useful inputs to this hunting but are not themselves monitoring, and signatures remain worthwhile for known threats but cannot be relied on against a targeted one.
References: https://www.isaca.org/credentialing/cism; https://www.nist.gov/publications/information-security-handbook-guide-managers
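As an added example (not from the cited references), the contrast between signature matching and anomaly hunting in Python over constructed proxy log lines. The signature feed, the hosts, the domains and the thresholds are assumptions made for the illustration. One workstation contacts an unlisted domain every five minutes with a few seconds of jitter, the kind of beaconing a command-and-control implant produces; the signature hunt cannot see it, while a simple regularity check on the gaps between connections does.

```python
"""Signature matching versus anomaly hunting over constructed proxy logs
(added example, not from the CISM material). The beaconing host below is
not in any signature feed; only the regularity of its traffic gives it away."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

KNOWN_BAD = {"evil.example.org"}   # assumed signature/IOC feed

# Hunt thresholds: assumed values for this example.
MIN_CONNECTIONS = 6    # enough samples to judge regularity
MAX_CV = 0.05          # std dev / mean of the inter-connection gaps


def make_sample_log():
    """Constructed 'timestamp host destination bytes' lines: one host
    beacons every ~300 s to an unlisted domain and also browses normally;
    a second host hits a domain that is on the signature feed."""
    base = datetime(2024, 3, 4, 8, 0, 0)
    lines = []
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2]):
        t = base + timedelta(seconds=300 * i + jitter)
        lines.append(f"{t.isoformat()} ws-17 cdn-sync.example.net 512")
    for gap in [0, 41, 500, 1307, 1320, 2900, 4100]:
        t = base + timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} ws-17 news.example.com {1000 + gap}")
    lines.append(f"{base.isoformat()} ws-22 evil.example.org 100")
    return lines


def parse(lines):
    """Split each line into (timestamp, host, destination, bytes)."""
    out = []
    for line in lines:
        ts, host, dest, nbytes = line.split()
        out.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return out


def signature_hunt(lines):
    """Signature approach: flag only destinations already on the feed."""
    return {(host, dest) for _, host, dest, _ in parse(lines) if dest in KNOWN_BAD}


def anomaly_hunt(lines):
    """Anomaly approach: per (host, dest), flag connection timing that is
    too regular for a human, regardless of whether the domain is known."""
    times = defaultdict(list)
    for ts, host, dest, _ in parse(lines):
        times[(host, dest)].append(ts)
    findings = []
    for (host, dest), ts_list in times.items():
        if len(ts_list) < MIN_CONNECTIONS:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if not gaps or mean(gaps) == 0:
            continue
        cv = pstdev(gaps) / mean(gaps)   # coefficient of variation
        if cv <= MAX_CV:
            findings.append({"host": host, "dest": dest,
                             "connections": len(ts_list),
                             "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    log = make_sample_log()
    print("signature hits:", signature_hunt(log))
    print("anomalies:     ", anomaly_hunt(log))
```

The signature hunt returns only the host that touched the listed domain; the anomaly hunt returns only the beaconing pair, with its period and jitter, and ignores the same host’s irregular browsing to the news site. In practice the baseline (what is a normal connection pattern for this host class) matters more than the threshold constants, which is why the explanation stresses anomalies relative to the environment rather than fixed rules.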

22
Q
Which of the following is the BEST starting point for a newly hired information security manager who has been tasked with identifying and addressing network vulnerabilities?

A. Controls analysis
B. Emerging risk review
C. Penetration testing
D. Traffic monitoring

A

Answer: C

Explanation: The best starting point for a newly hired information security manager who has been tasked
with identifying and addressing network vulnerabilities is C. Penetration testing. This is because penetration
testing is a method of simulating real-world attacks on a network to evaluate its security posture and identify
any weaknesses or gaps that could be exploited by malicious actors. Penetration testing can help the
information security manager to assess the effectiveness of the existing controls, prioritize the remediation
efforts, and demonstrate compliance with the relevant standards and regulations. Penetration testing can
also provide valuable insights into the network architecture, configuration, and behavior, as well as the
potential impact and likelihood of different types of attacks.
References = CISM Review Manual 15th Edition, Chapter 4, Section 4.2.1, page 209; CISM Review Questions, Answers & Explanations Manual 9th Edition, Question 50, page 14

23
Q
Which of the following is the PRIMARY benefit of implementing an information security governance framework?

A. The framework defines managerial responsibilities for risk impacts to business goals.
B. The framework provides direction to meet business goals while balancing risks and controls.
C. The framework provides a roadmap to maximize revenue through the secure use of technology.
D. The framework is able to confirm the validity of business goals and strategies.

A

Answer: B

Explanation:
An information security governance framework is a set of principles, policies, standards, and processes that
guide the development, implementation, and management of an effective information security program that
supports the organization’s objectives and strategy. The framework provides direction to meet business
goals while balancing risks and controls, as it helps to align the information security activities with the
business needs, priorities, and risk appetite, and to ensure that the security resources and investments are
optimized and justified.
References = CISM Review Manual 2022, page 32; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.2; CISM domain 1: Information security governance Updated 2022

24
Q
  1. Which of the following is the MOST important benefit of using a cloud access security broker when
    migrating to a cloud environment?

A. Enhanced data governance
B. Increased third-party assurance
C. Improved incident management
D. Reduced total cost of ownership (TCO)

A

Answer: A

Explanation:
A cloud access security broker (CASB) is a software solution that
stands between the cloud service provider and the cloud service user to enforce security controls. One of
the most important benefits of using a CASB when migrating to a cloud environment is enhanced data
governance, as it helps to protect sensitive information from unauthorized access, sharing, or loss. A CASB
can also provide data classification, encryption, data loss prevention (DLP), and other features that enable
organizations to manage and secure their data in the cloud.
References = What Is a Cloud Access Security Broker (CASB)?, A beginner’s guide to cloud access
security brokers

25
Q
  1. An organization is planning to outsource network management to a service provider. Including which of the
    following in the contract would be the MOST effective way to mitigate information security risk?

A. Requirement for regular information security awareness
B. Right-to-audit clause
C. Service level agreement (SLA)
D. Requirement to comply with corporate security policy

A

Answer: D

Explanation: The most effective way to mitigate information security risk when outsourcing network
management to a service provider is to include a requirement for the service provider to comply with the
corporate security policy in the contract. This requirement ensures that the service provider follows the
same security standards, procedures, and controls as the organization, and protects the confidentiality,
integrity, and availability of the organization’s data and systems. The requirement also defines the roles and
responsibilities, the reporting and escalation mechanisms, and the penalties for non-compliance.
References = A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance,
CISM Domain 2: Information Risk Management (IRM) [2022 update]

26
Q
  1. An organization is considering the feasibility of implementing a big data solution to analyze customer data.
    In order to support this initiative, the information security manager should FIRST:

A. inventory sensitive customer data to be processed by the solution.
B. determine information security resource and budget requirements.
C. assess potential information security risk to the organization.
D. develop information security requirements for the big data solution.

A

Answer: C

Explanation: Assessing potential information security risk to the organization is the first step that the
information security manager should take when considering the feasibility of implementing a big data
solution to analyze customer data, as it helps to identify and evaluate the threats, vulnerabilities, and
impacts that may arise from the collection, processing, storage, and sharing of large volumes and varieties
of customer data. Assessing risk also helps to determine the risk appetite and tolerance of the organization,
and to prioritize the risk treatment options and security controls that are needed to protect the customer
data and the big data solution. (From CISM Review Manual 15th Edition) References: CISM Review
Manual 15th Edition, page 64, section 2.2.1.2; Big Data Security and Privacy Issues in Healthcare1, page 1,
section 1. Introduction.

27
Q
  1. Which of the following is a PRIMARY responsibility of the information security governance function?

A. Administering information security awareness training
B. Defining security strategies to support organizational programs
C. Ensuring adequate support for solutions using emerging technologies
D. Advising senior management on optimal levels of risk appetite and tolerance

A

Answer: B

Explanation:
Defining security strategies to support organizational programs is a primary responsibility of the information
security governance function, as it involves providing strategic direction for security activities and ensuring
that objectives are achieved. According to ISACA, information security governance is a subset of corporate
governance that provides guidance for aligning information security with business objectives, managing
information security risks, and using information resources responsibly12.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.1.1, page 2131; CISM Online
Review Course, Module 4, Lesson 1, Topic 12

28
Q
  1. What should an information security manager verify FIRST when reviewing an information asset
    management program?

A. System owners have been identified.
B. Key applications have been secured.
C. Information assets have been classified.
D. Information assets have been inventoried.

A

Answer: C

Explanation: According to the CISM Review Manual, information asset classification is the first step in an
information asset management program, as it provides the basis for determining the level of protection
required for each asset. System owners, key applications and information asset inventory are subsequent
steps that depend on the classification of the assets.
References = CISM Review Manual, 27th Edition, Chapter 1, Section 1.4.2, page 381.

29
Q
  1. Which of the following BEST enables the restoration of operations after a limited ransomware incident
    occurs?

A. Reliable image backups
B. Impact assessment
C. Documented eradication procedures
D. Root cause analysis

A

Answer: A

30
Q
  1. A technical vulnerability assessment on a personnel information management server should be performed
    when:

A. the data owner leaves the organization unexpectedly.
B. changes are made to the system configuration.
C. the number of unauthorized access attempts increases.
D. an unexpected server outage has occurred.

A

Answer: B

Explanation: A technical vulnerability assessment is a process of identifying and evaluating the
weaknesses and risks associated with a specific system, component, or network. A technical vulnerability
assessment can help to determine the potential impact and likelihood of a security breach, as well as the
appropriate measures to prevent or mitigate it. A technical vulnerability assessment should be performed
on a personnel information management server whenever there is an increase in the number of
unauthorized access attempts to the server, as this indicates that the server may have been compromised
or targeted by an attacker12. Therefore, option C is the correct answer. References =
✑ CISM Review Manual (Digital Version), Chapter 5: Information Security Program
Management
✑ CISM Review Manual (Print Version), Chapter 5: Information Security Program Management

31
Q
  1. When determining an acceptable risk level, which of the following is the MOST important
    consideration?

A. Threat profiles
B. System criticalities
C. Vulnerability scores
D. Risk matrices

A

Answer: C

Explanation: The effectiveness of an incident response team will be greatest when the incident response
process is updated based on lessons learned. This ensures that the team can continuously improve its
performance and capabilities, and address any gaps or weaknesses identified during previous incidents.
Updating the incident response process based on lessons learned also helps to align the process with the
changing business and security environment, and to incorporate best practices and standards. Meeting on
a regular basis to review log files, having trained security personnel as team members, and using a security
information and event monitoring (SIEM) system are all important factors for an incident response team, but
they are not sufficient to ensure the effectiveness of the team. Reviewing log files may help to detect and
analyze incidents, but it does not guarantee that the team can respond appropriately and efficiently. Having
trained security personnel may enhance the skills and knowledge of the team, but it does not ensure that
the team can work collaboratively and communicate effectively. Using a SIEM system may facilitate the
identification and prioritization of incidents, but it does not ensure that the team can follow the established
procedures and protocols. References = CISM Review Manual, 16th Edition, page 1361; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, page 1492

32
Q
  1. Which of the following is the PRIMARY reason that an information security manager should restrict the use
    of generic administrator accounts in a multi-user environment?

A. To ensure separation of duties is maintained
B. To ensure system audit trails are not bypassed
C. To prevent accountability issues
D. To prevent unauthorized user access

A

Answer: C

33
Q
  1. Which of the following is MOST important to the successful implementation of an information security
    program?

A. Adequate security resources are allocated to the program.
B. Key performance indicators (KPIs) are defined.
C. A balanced scorecard is approved by the steering committee.
D. The program is developed using global security standards.

A

Answer: A

Explanation: The successful implementation of an information security program depends largely on the
availability and allocation of adequate security resources, such as budget, staff, technology, and training.
Without sufficient resources, the program may not be able to achieve its objectives, comply with the
security strategy, or address the security risks. Key performance indicators (KPIs), a balanced scorecard,
and global security standards are also important elements of an information security program, but they are
not as critical as the resource allocation.
References = CISM Review Manual, 16th Edition, page 69

34
Q
  1. Which of the following is the BEST method to protect the confidentiality of data transmitted over the
    Internet?

A. Network address translation (NAT)
B. Message hashing
C. Transport Layer Security (TLS)
D. Multi-factor authentication

A

Answer: C

Explanation: Transport Layer Security (TLS) is a protocol that provides encryption, authentication, and
integrity for data transmitted over the Internet. TLS protects the confidentiality of data by encrypting it
before sending it and decrypting it after receiving it. TLS also verifies the identity of the communicating
parties by using certificates and prevents data tampering by using message authentication codes.
References = CISM Review Manual, 16th Edition, Chapter 4, Section 4.3.2.11

35
Q
  1. Which of the following provides the BEST evidence that a recently established information security program
    is effective?

A. The number of reported incidents has increased.
B. Regular IT balanced scorecards are communicated.
C. Senior management has reported fewer junk emails.
D. The number of tickets associated with IT incidents has stayed consistent.

A

Answer: A

Explanation: The number of reported incidents has increased is the best evidence that a recently
established information security program is effective because it indicates that the organization has
improved its detection and reporting capabilities and has raised awareness among employees about
security issues. Regular IT balanced scorecards are communicated is not good evidence because it does
not measure the actual performance or outcomes of the security program. Senior management has
reported fewer junk emails is not good evidence because it does not reflect the overall security posture or
maturity of the organization. The number of tickets associated with IT incidents has stayed consistent is
not good evidence because it does not show any improvement or reduction in security incidents or risks.
References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso-27004
https://www.isaca.org/resources/isaca-journal/issues/2014/volume-6/how-to-measure-the-effectiveness-of-your-information-security-management-system

36
Q
  1. An online trading company discovers that a network attack has penetrated the firewall. What should be the
    information security manager’s FIRST response?

A. Notify the regulatory agency of the incident.
B. Implement mitigating controls.
C. Evaluate the impact to the business.
D. Examine firewall logs to identify the attacker.

A

Answer: C

37
Q
  1. Which of the following would BEST support the business case for an increase in the information security
    budget?

A. Cost-benefit analysis results
B. Comparison of information security budgets with peer organizations
C. Business impact analysis (BIA) results
D. Frequency of information security incidents

A

Answer: A

Explanation: Cost-benefit analysis results are the best way to support the business case for an increase in
the information security budget because they help to demonstrate the value and return on investment of the
proposed security initiatives or projects. A cost-benefit analysis is a method of comparing the costs and
benefits of different alternatives or options, taking into account both quantitative and qualitative factors. A
cost-benefit analysis helps to justify the need and feasibility of the security budget, as well as to prioritize
the security spending based on the expected outcomes and impacts. Therefore, cost-benefit analysis
results are the correct answer.
References:
✑ https://www.cisa.gov/resources-tools/resources/business-case-security
✑ https://www.cisa.gov/resources-tools/resources/isc-best-practices-making-business-case-security
✑ https://risk3sixty.com/2020/09/21/how-to-build-a-business-case-for-security-initiatives-part-4/

38
Q
  1. Which of the following metrics is MOST appropriate for evaluating the incident notification process?

A. Average total cost of downtime per reported incident
B. Elapsed time between response and resolution
C. Average number of incidents per reporting period
D. Elapsed time between detection, reporting, and response

A

Answer: D

Explanation: Elapsed time between detection, reporting, and response is the most appropriate metric for
evaluating the incident notification process because it measures how quickly and effectively the
organization identifies, communicates, and responds to security incidents. The incident notification process
is a critical part of the incident response plan that defines the roles and responsibilities, procedures, and
channels for reporting and escalating security incidents to the relevant stakeholders. Elapsed time between
detection, reporting, and response helps to assess the performance and efficiency of the incident
notification process, as well as to identify any bottlenecks or delays that may affect the incident resolution
and recovery. Therefore, elapsed time between detection, reporting, and response is the correct answer.
References:
✑ https://www.atlassian.com/incident-management/kpis/common-metrics
✑ https://securityscorecard.com/blog/how-to-use-incident-response-metrics/
✑ https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf

39
Q
  1. Which of the following BEST enables the capability of an organization to sustain the delivery of products
    and services within acceptable time frames and at predefined capacity during a disruption?

A. Service level agreement (SLA)
B. Business continuity plan (BCP)
C. Disaster recovery plan (DRP)
D. Business impact analysis (BIA)

A

Answer: B

Explanation:
The best option to enable the capability of an organization to sustain the delivery of products and services
within acceptable time frames and at predefined capacity during a disruption is B. Business continuity plan
(BCP). This is because a BCP is a documented collection of procedures and information that guides the
organization to prepare for, respond to, and recover from a disruption, such as a natural disaster, a
cyberattack, or a pandemic. A BCP aims to ensure the continuity of the critical business functions and
processes that support the delivery of products and services to the customers and
stakeholders. A BCP also defines the roles, responsibilities, resources, and actions required to maintain the
operational resilience of the organization in the face of a disruption.
References = CISM Review Manual 15th Edition, Chapter 4, Section 4.2.3, page 2141; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 6, page 3

40
Q
  1. The information security manager of a multinational organization has been asked to consolidate the
    information security policies of its regional locations. Which of the following would be of
    GREATEST concern?

A. Varying threat environments
B. Disparate reporting lines
C. Conflicting legal requirements
D. Differences in work culture

A

Answer: C

Explanation:
Conflicting legal requirements would be of greatest concern when consolidating the information security
policies of regional locations, as they may pose significant challenges and risks for the organization’s
compliance, privacy, and data protection obligations. Different jurisdictions may have different laws and
regulations regarding information security, such as the General Data Protection Regulation (GDPR) in the
European Union, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, or
the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. These laws and
regulations may have different definitions, scopes, standards, and enforcement mechanisms for information
security, which may create conflicts or inconsistencies when applying a unified policy across the
organization. Therefore, the information security manager should conduct a thorough analysis of the legal
requirements of each location, and ensure that the consolidated policy meets the highest level of
compliance and avoids any violations or penalties.
References = CISM Review Manual 2022, page 361; CISM Exam Content Outline, Domain 1, Task 1.22;
CISM 2020: IT Security Policies; Information Security Due Diligence Questionnaire

41
Q
  1. An external security audit has reported multiple instances of control noncompliance. Which of the following
    is MOST important for the information security manager to communicate to senior management?

A. Control owner responses based on a root cause analysis
B. The impact of noncompliance on the organization’s risk profile
C. A noncompliance report to initiate remediation activities
D. A business case for transferring the risk

A

Answer: B

Explanation:
The impact of noncompliance on the organization’s risk profile is the MOST important information for the
information security manager to communicate to senior management, because it helps them understand
the potential consequences of not adhering to the established controls and the need for corrective actions.
Noncompliance may expose the organization to increased threats, vulnerabilities, and losses, as well as
legal, regulatory, and contractual liabilities.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 84: “The information security manager should report
on information security risk, including noncompliance and changes in information risk, to key stakeholders
to facilitate the risk management decision-making process.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 85: “Noncompliance with information security policies,
standards, and procedures may result in increased threats, vulnerabilities, and losses, as well as legal,
regulatory, and contractual liabilities for the enterprise.”

42
Q
  1. Which of the following is MOST important to the effectiveness of an information security program?

A. Security metrics
B. Organizational culture
C. IT governance
D. Risk management

A

Answer: D

Explanation: Risk management is the most important factor for the effectiveness of an information security
program, as it provides a systematic and consistent approach to identify, assess, treat, and monitor the
information security risks that could affect the organization’s objectives. Risk management also helps to
align the security program with the business strategy, prioritize the security initiatives and resources, and
communicate the value of security to the stakeholders.
References = CISM Review Manual 2022, page 3071; CISM Exam Content Outline, Domain 4, Knowledge
Statement 4.1

43
Q
  1. The MOST useful technique for maintaining management support for the information security program is:

A. informing management about the security of business operations.
B. implementing a comprehensive security awareness and training program.
C. identifying the risks and consequences of failure to comply with standards.
D. benchmarking the security programs of comparable organizations.

A

Answer: C

Explanation: According to the CISM Review Manual, one of the key success factors for an information
security program is to maintain management support and commitment. This can be achieved by providing
regular reports to management on the security status of the organization, the effectiveness of the security
controls, and the alignment of the security program with the business objectives and strategy. By informing
management about the security of business operations, the information security manager can demonstrate
the value and benefits of the security program, and ensure that management is aware of the
security risks and issues that need to be addressed. This technique can also help to build trust and
confidence between the information security manager and the senior management, and foster a culture of
security within the organization1
The other options are not as effective as informing management about the security of business operations.
Implementing a comprehensive security awareness and training program is important, but it is mainly
targeted at the end users and staff, not the senior management. Identifying the risks and consequences of
failure to comply with standards can help to justify the need for security controls, but it can also create a
negative impression of the security program as being too restrictive or punitive. Benchmarking the security
programs of comparable organizations can provide some insights and best practices, but it may not reflect
the specific needs and context of the organization, and it may not be relevant or applicable to the
management’s expectations and priorities1 References = 1: CISM Review Manual, 16th Edition, ISACA,
2020, pp. 28-29…

44
Q
  1. Which of the following has the MOST influence on the information security investment process?

A. IT governance framework
B. Information security policy
C. Organizational risk appetite
D. Security key performance indicators (KPIs)

A

Answer: C

45
Q
  1. Which of the following is the PRIMARY advantage of an organization using Disaster Recovery as a Service
    (DRaaS) to help manage its disaster recovery program?

A. It offers the organization flexible deployment options using cloud infrastructure.
B. It allows the organization to prioritize its core operations.
C. It is more secure than traditional data backup architecture.
D. It allows the use of a professional response team at a lower cost.

A

Answer: B

Explanation:
The primary advantage of an organization using Disaster Recovery as a Service (DRaaS)
to help manage its disaster recovery program is B. It allows the organization to prioritize its core operations.
This is because DRaaS is a cloud computing service model that allows an organization to back up its data
and IT infrastructure in a third-party cloud computing environment and provide all the disaster recovery
orchestration, all through a SaaS
solution, to regain access and functionality to IT infrastructure after a disaster1. DRaaS can help the
organization to prioritize its core operations by:
✑ Reducing the need for provisioning and maintaining its own off-site disaster recovery environment, which
can be costly, complex, and resource-intensive12
✑ Enabling the organization to continue running its applications from the service provider’s cloud or hybrid
cloud environment instead of from the disaster-affected physical servers, which can minimize the downtime,
data loss, and business disruption12
✑ Providing the organization with flexible and scalable deployment options, such as on-demand, pay-per-use,
or subscription-based models, that can meet its changing business needs and budget12
✑ Leveraging the expertise, experience, and best practices of the service provider, who can handle the
disaster recovery planning, testing, and execution, and ensure compliance with the relevant standards and
regulations12
DRaaS is a cloud computing service model that allows an organization to back up its data and IT
infrastructure in a third-party cloud computing environment and provide all the disaster recovery
orchestration, all through a SaaS solution, to regain access and functionality to IT infrastructure after a
disaster. DRaaS can help the organization to prioritize its core operations by reducing the need for
provisioning and maintaining its own off-site disaster recovery environment, enabling the organization to
continue running its applications from the service provider’s cloud or hybrid cloud environment, providing
the organization with flexible and scalable deployment options, and leveraging the expertise, experience,
and best practices of the service provider. (From CISM Manual or related resources)

46
Q
  1. Which of the following is the PRIMARY purpose of an acceptable use policy?

A. To provide steps for carrying out security-related procedures
B. To facilitate enforcement of security process workflows
C. To protect the organization from misuse of information assets
D. To provide minimum security baselines for information assets

A

Answer: C

Explanation:
The PRIMARY purpose of an acceptable use policy is to protect the organization from misuse of
information assets, such as data, hardware, software, and network resources, by defining the rules and
expectations for the authorized and appropriate use of these assets by the users. An acceptable use policy
helps to prevent or reduce the risks of security breaches, legal liabilities, reputational damage, or loss of
productivity that may result from unauthorized, inappropriate, or unethical use of information assets.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 74: “An acceptable use policy is a policy that
establishes an agreement between users and the enterprise that defines, for all parties, the ranges of use
that are approved before gaining access to a network or the Internet.”
The essentials of an acceptable use policy - Infosec Resources: “An Acceptable Use Policy (henceforward
mentioned as AUP) is agreement between two or more parties to a computer network community,
expressing in writing their intent to adhere to certain standards of behaviour with respect to the proper
usage of specific hardware & software services.”
Acceptable use policy template - Workable: “This Acceptable Use Policy sets the minimum requirements
for the use of our company’s IT resources, including computers, networks, devices, software, and internet.
It aims to protect our company and our employees from harm and liability, and to ensure that our IT
resources are used appropriately, productively, and securely.”

47
Q
  1. Which of the following is the MOST critical consideration when shifting IT operations to an Infrastructure as
    a Service (IaaS) model hosted in a foreign country?

A. Labeling of data may help to ensure data is assigned to the correct cloud type.
B. Laws and regulations of the origin country may not be applicable.
C. There may be liabilities and penalties in the event of a security breach.
D. Data may be stored in unknown locations and may not be easily retrievable.

A

Answer: B

48
Q
  1. A new regulatory requirement affecting an organization’s information security program is released. Which of
    the following should be the information security manager’s FIRST course of action?

A. Perform a gap analysis.
B. Conduct benchmarking.
C. Notify the legal department.
D. Determine the disruption to the business.

A

Answer: C

Explanation: A new regulatory requirement affecting an organization’s information security program is
released. The information security manager’s first course of action should be to notify the legal department,
as they are responsible for ensuring compliance with the relevant laws and regulations. The legal
department can advise the information security manager on how to interpret and implement the new
requirement, as well as what are the potential implications and risks for the organization12.
References = 1: CISM Review Manual (Digital Version), page 271 2: CISM Review Manual (Print Version),
page 271
Learn more: 1. isaca.org 2. csoonline.com

49
Q
  1. Which of the following metrics provides the BEST evidence of alignment of information security governance
    with corporate governance?

A. Average return on investment (ROI) associated with security initiatives
B. Average number of security incidents across business units
C. Mean time to resolution (MTTR) for enterprise-wide security incidents
D. Number of vulnerabilities identified for high-risk information assets

A

Answer: A

Explanation: Average return on investment (ROI) associated with security initiatives is the best metric to
provide evidence of alignment of information security governance with corporate governance because it
demonstrates the value and benefits of security investments to the organization’s strategic goals and
objectives. Average number of security incidents across business units is not a good metric because it does
not measure the effectiveness or efficiency of security initiatives or their alignment with corporate
governance. Mean time to resolution (MTTR) for enterprise-wide security incidents is not a good metric
because it does not measure the impact or outcome of security initiatives or their alignment with corporate
governance. Number of vulnerabilities identified for high-risk information assets is not a good metric
because it does not measure the performance or improvement of security initiatives or their alignment with
corporate governance. References:
https://www.isaca.org/resources/isaca-journal/issues/2015/volume-6/measuring-the-value-of-information-security-investments
https://www.isaca.org/resources/isaca-journal/issues/2015/volume-1/how-to-measure-the-effectiveness-of-information-security-governance

50
Q
  1. An organization wants to integrate information security into its HR management processes. Which of the
    following should be the FIRST step?

A. Calculate the return on investment (ROI).
B. Provide security awareness training to HR.
C. Benchmark the processes with best practice to identify gaps.
D. Assess the business objectives of the processes.

A

Answer: D

51
Q
  1. A forensic examination of a PC is required, but the PC has been switched off. Which of the following should
    be done FIRST?

A. Perform a backup of the hard drive using backup utilities.
B. Perform a bit-by-bit backup of the hard disk using a write-blocking device
C. Perform a backup of the computer using the network
D. Reboot the system using third-party forensic software in the CD-ROM drive

A

Answer: B

Explanation: Performing a bit-by-bit backup of the hard disk using a write-blocking device is the first step to
do when a forensic examination of a PC is required, but the PC has been switched off because it helps to
create a forensically sound copy of the original evidence without altering or damaging it. A bit-by-bit backup,
also known as a physical or raw image, is a complete copy of every bit on the hard disk, including the
unallocated or deleted data. A write-blocking device is a hardware or software tool that prevents any write
operations to the hard disk, such as updating timestamps or changing file attributes. Performing a bit-by-bit
backup of the hard disk using a write-blocking device ensures the integrity and authenticity of the evidence
and allows the forensic analysis to be conducted on the duplicate image rather than the original source.
Therefore, performing a bit-by-bit backup of the hard disk using a write-blocking device is the correct
answer.
References:
✑ https://en.wikipedia.org/wiki/Computer_forensics
✑ https://resources.infosecinstitute.com/topic/computer-forensics-forensic-analysisexamination-planning/
✑ https://www.computer-forensics-recruiter.com/topics/examination_steps/

52
Q
  1. Which of the following should be established FIRST when implementing an information security
    governance framework?

A. Security architecture
B. Security policies
C. Security incident management team
D. Security awareness training program

A

Answer: A

Explanation: This is the most urgent and effective action to prevent further damage or compromise of the
organization’s network and data. The other options are less important or irrelevant in this situation.
According to How to identify suspicious insider activity using Active Directory, one of the steps to detect and
respond to suspicious activity is to isolate the affected device from the network. This can be done by
disabling the network adapter, unplugging the network cable, or blocking the device’s IP address on the
firewall1. This will prevent the device from communicating with any malicious actors or spreading malware
to other devices on the network.

53
Q
  1. Which of the following should be triggered FIRST when unknown malware has infected an organization’s
    critical system?

A. Incident response plan
B. Disaster recovery plan (DRP)
C. Business continuity plan (BCP)
D. Vulnerability management plan

A

Answer: A

Explanation: The document that should be triggered first when unknown malware has infected an
organization’s critical system is the incident response plan because it defines the roles and responsibilities,
procedures and protocols, tools and techniques for responding to and managing a security incident
effectively and efficiently. Disaster recovery plan (DRP) is not a good document for this purpose because it
focuses on restoring the organization’s critical systems and operations after a major disruption or disaster,
which may not be necessary or appropriate at this stage. Business continuity plan (BCP) is not a good
document for this purpose because it focuses on restoring the organization’s critical business functions and
operations after a major disruption or disaster, which may not be necessary or appropriate at this stage.
Vulnerability management plan is not a good document for this purpose because it focuses on identifying
and evaluating the security weaknesses or exposures of the organization’s systems and assets, which may
not be relevant or helpful at this stage. References: https://www.isaca.org/resources/isacajournal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned

54
Q
  1. Which of the following is the MOST effective way to identify changes in an information security
    environment?

A. Business impact analysis (BIA)
B. Annual risk assessments
C. Regular penetration testing
D. Continuous monitoring

A

Answer: D

Explanation:
Continuous monitoring is the most effective way to identify changes in an information security environment,
as it provides ongoing awareness of the security status, vulnerabilities, and threats that may affect the
organization’s information assets and risk posture. Continuous monitoring also helps to evaluate the
performance and effectiveness of the security controls and processes, and to detect and respond to any
deviations or incidents in a timely manner. (From CISM Review Manual 15th Edition and NIST Special
Publication 800-1371)
References: CISM Review Manual 15th Edition, page 181, section 4.3.2.4; NIST Special Publication
800-1371, page 1, section 1.1.

55
Q
  1. Which of the following BEST facilitates recovery of data lost as a result of a cybersecurity incident?

A. Removable storage media
B. Disaster recovery plan (DRP)
C. Offsite data backups
D. Encrypted data drives

A

Answer: C

Explanation:
The best option to facilitate recovery of data lost as a result of a cybersecurity incident is offsite data
backups. This is because offsite data backups provide a secure and reliable way to restore data that may
have been corrupted, deleted, or encrypted by malicious actors. Offsite data backups also reduce the risk
of data loss due to physical damage, theft, or natural disasters that may affect the primary data storage
location. Offsite data backups should be part of a comprehensive disaster recovery plan (DRP) that defines
the roles, responsibilities, procedures, and resources for restoring normal operations after a cyber incident.

56
Q
  1. During which phase of an incident response plan is the root cause determined?

A. Recovery
B. Lessons learned
C. Containment
D. Eradication

A

Answer: D

Explanation: The eradication phase of an incident response plan is where the root cause of the incident is
determined and eliminated. This phase involves identifying and removing all traces of the malicious activity
from the affected systems and restoring them to a secure state.
References = NIST SP 800-61 Revision 2, CISM Review Manual 15th Edition

57
Q
  1. An organization involved in e-commerce activities operating from its home country opened a new office in
    another country with stringent security laws. In this scenario, the overall security strategy should be based
    on:

A. the security organization structure.
B. international security standards.
C. risk assessment results.
D. the most stringent requirements.

A

Answer: D

58
Q
  1. Which of the following BEST enables an incident response team to determine appropriate actions during an
    initial investigation?

A. Feedback from affected departments
B. Historical data from past incidents
C. Technical capabilities of the team
D. Procedures for incident triage

A

Answer: D

59
Q
  1. Which of the following BEST enables an organization to effectively manage emerging cyber risk?

A. Periodic internal and external audits
B. Clear lines of responsibility
C. Sufficient cyber budget allocation
D. Cybersecurity policies

A

Answer: D

Explanation: Cybersecurity policies are the high-level statements that define the organization’s objectives,
principles, and expectations for protecting its information assets from cyber threats. Cybersecurity policies
provide the foundation for developing and implementing cybersecurity strategies, plans, procedures,
standards, and guidelines. However, cybersecurity policies alone are not enough to ensure effective
cybersecurity. The organization also needs to allocate sufficient budget resources to support the
implementation and maintenance of cybersecurity controls, such as hardware, software, personnel, training,
testing, auditing, and incident response. Sufficient cyber budget allocation demonstrates the organization’s
commitment to cybersecurity and enables it to achieve its cybersecurity goals. References:
https://www.isaca.org/credentialing/cism https://www.wiley.com/enus/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948

60
Q
  1. An organization is considering using a third party to host sensitive archived data. Which of the following is
    MOST important to verify before entering into the relationship?

A. The vendor’s data centers are in the same geographic region.
B. The encryption keys are not provided to the vendor.
C. The vendor’s controls are in line with the organization’s security standards.
D. Independent audits of the vendor’s operations are regularly conducted.

A

Answer: C

Explanation:
The most important thing to verify before entering into a relationship with a third party to host sensitive
archived data is the vendor’s controls are in line with the organization’s security standards. This is because
the organization is ultimately responsible for the security and privacy of its data, even if it is stored or
processed by a third party. The organization should ensure that the vendor has adequate and effective
controls to protect the data from unauthorized access, modification, disclosure, or destruction. The
organization should also ensure that the vendor complies with the applicable laws and regulations
regarding data protection, such as the General Data Protection Regulation (GDPR) in the European Union.
The organization should conduct a thorough risk assessment of the vendor and its services, and establish a
clear contract that defines the roles, responsibilities, expectations, and obligations of both parties.
References = CISM Review Manual 15th Edition, Chapter 3, Section 3.2.1, page 1341; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 2, page 2

61
Q
  1. Which of the following is the MOST appropriate metric to demonstrate the effectiveness of information
    security controls to senior management?

A. Downtime due to malware infections
B. Number of security vulnerabilities uncovered with network scans
C. Percentage of servers patched
D. Annualized loss resulting from security incidents

A

Answer: D

Explanation:
Annualized loss resulting from security incidents is the most appropriate metric to demonstrate the
effectiveness of information security controls to senior management, as it quantifies the financial impact of
security breaches on the organization’s assets, operations, and reputation. This metric helps to
communicate the value of security
investments, justify the security budget, and prioritize the security initiatives based on the potential loss
reduction. Annualized loss resulting from security incidents can be calculated by multiplying the annualized
rate of occurrence (ARO) of an incident by the single loss expectancy (SLE) of an incident. ARO is the
estimated frequency of an incident occurring in a year, and SLE is the estimated cost of an incident. For
example, if an organization estimates that a ransomware attack may occur once every two years, and that
each attack may cost $100,000 to recover, then the annualized loss resulting from ransomware attacks is
$50,000 ($100,000 / 2).
References = CISM Review Manual 2022, page 3171; CISM Exam Content Outline, Domain 4, Knowledge
Statement 4.112; Key Performance Indicators for Security Governance, Part 1; Performance Measurement
Guide for Information Security

62
Q
  1. Which of the following should be the FIRST step in developing an information security strategy?

A. Perform a gap analysis based on the current state
B. Create a roadmap to identify security baselines and controls.
C. Identify key stakeholders to champion information security.
D. Determine acceptable levels of information security risk.

A

Answer: A

Explanation: The FIRST step in developing an information security strategy is to perform a gap analysis
based on the current state of the organization’s information security posture. A gap analysis is a systematic
process of comparing the current state with the desired state and identifying the gaps or deficiencies that
need to be addressed. A gap analysis helps to establish a baseline for the information security strategy, as
well as to prioritize the actions and resources needed to achieve the strategic objectives. A gap analysis
also helps to align the information security strategy with the organizational goals and strategies, as well as
to ensure compliance with relevant standards and regulations. References = CISM Review Manual, 16th
Edition, page 331; CISM Review Questions, Answers & Explanations Manual, 10th Edition, page 162
first step in developing an information security strategy is to conduct a risk-aware and comprehensive
inventory of your company’s context, including all digital assets, employees, and vendors. Then you need to
know about the threat environment and which types of attacks are a threat to your company1. This is similar
to performing a gap analysis based on the current state3.

63
Q
  1. Which of the following would provide the BEST input to a business case for a technical solution to address
    potential system vulnerabilities?

A. Risk assessment
B. Business impact analysis (BIA)
C. Penetration test results
D. Vulnerability scan results

A

Answer: A

Explanation:
Risk assessment is the BEST input to a business case for a technical solution to address potential system
vulnerabilities, because it helps to identify and prioritize the most critical risks that the solution should
mitigate or reduce. Risk assessment also helps to evaluate the costs and benefits of the solution in terms of
reducing the likelihood and impact of potential threats and incidents.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 47: “Risk assessment is the process of identifying and
analyzing information security risks and determining their potential impact on the enterprise’s business
objectives.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 48: “Risk assessment provides input to the business
case for information security investments by identifying and prioritizing the most critical risks that need to be
addressed and evaluating the costs and benefits of the proposed solutions.”

64
Q
  1. Which of the following has the GREATEST impact on efforts to improve an organization’s security posture?

A. Regular reporting to senior management
B. Supportive tone at the top regarding security
C. Automation of security controls
D. Well-documented security policies and procedures

A

Answer: B

Explanation:
A supportive tone at the top regarding security has the greatest impact on efforts to improve an
organization’s security posture. This means that senior management should demonstrate their commitment
and leadership to information security by setting clear goals,
allocating adequate resources, communicating effectively, and rewarding good practices. A supportive tone
at the top can also influence the culture and behavior of the organization,
as well as foster trust and collaboration among stakeholders12. References = CISM Review Manual 15th
Edition, page 1261; CISM Item Development Guide, page 82

65
Q
  1. Which of the following is a PRIMARY function of an incident response team?

A. To provide effective incident mitigation
B. To provide a risk assessment for zero-day vulnerabilities
C. To provide a single point of contact for critical incidents
D. To provide a business impact analysis (BIA)

A

Answer: A

66
Q
  1. Which of the following BEST enables an organization to operate smoothly with reduced capacities when
    service has been disrupted?

A. Crisis management plan
B. Disaster recovery plan (DRP)
C. Incident response plan
D. Business continuity plan (BCP)

A

Answer: D

Explanation: A business continuity plan (BCP) is the best option that enables an organization to operate
smoothly with reduced capacities when service has been disrupted, as it defines the processes and
procedures to maintain or resume critical business functions and minimize the impact of the disruption on
the organization’s objectives, customers, and stakeholders. A BCP also includes strategies for resource
management, communication, recovery, and testing.
References = CISM Review Manual 2022, page 3101; CISM Exam Content Outline, Domain 4, Knowledge
Statement 4.82; CISM 2020: Business Continuity3; Part Two: Business Continuity and Disaster Recovery
Plans4

67
Q
  1. Senior management has expressed concern that the organization’s intrusion prevention system (IPS) may
    repeatedly disrupt business operations. Which of the following BEST indicates that the information security
    manager has tuned the system to address this concern?

A. Increasing false negatives
B. Decreasing false negatives
C. Decreasing false positives
D. Increasing false positives

A

Answer: C

Explanation: Decreasing false positives is the best indicator that the information security manager has
tuned the system to address senior management’s concern that the organization’s intrusion prevention
system (IPS) may repeatedly disrupt business operations. False positives are alerts generated by the IPS
when it mistakenly blocks legitimate traffic or activity, causing disruption or downtime. Decreasing false
positives means that the IPS has been configured to reduce such errors and minimize unnecessary
interruptions. Increasing false negatives is not a good indicator because it means that the IPS has failed to
detect or block malicious traffic or activity, increasing the risk of compromise or damage. Decreasing false
negatives is not a good indicator because it does not affect business operations, but rather improves
security detection or prevention. Increasing false positives is not a good indicator because it means that the
IPS has increased its errors and interruptions, worsening senior management’s concern. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/the-value-of-penetration-testing
https://www.isaca.org/resources/isacajournal/issues/2016/volume-5/security-scanning-versus-penetration-testing

68
Q
  1. For which of the following is it MOST important that system administrators be restricted to read-only
    access?

A. User access log files
B. Administrator user profiles
C. Administrator log files
D. System logging options

A

Answer: A

Explanation: User access log files contain records of user activities and actions on the system, which can
be used for auditing, monitoring, and investigating purposes. System administrators should not be able to
modify or delete these files to ensure their integrity and availability. References = CISM Review Manual,
16th Edition, Chapter 3, Section 3.3.2.11

69
Q
  1. Which of the following BEST demonstrates that an anti-phishing campaign is effective?

A. Improved staff attendance in awareness sessions
B. Decreased number of phishing emails received
C. Improved feedback on the anti-phishing campaign
D. Decreased number of incidents that have occurred

A

Answer: D

Explanation:
The ultimate goal of an anti-phishing campaign is to reduce the risk and impact of phishing attacks on the
organization. Therefore, the most relevant and reliable indicator of the effectiveness of an anti-phishing
campaign is the decreased number of incidents that have occurred as a result of phishing. This metric
shows how well the employees have learned to recognize and report phishing emails, and how well the
security controls have prevented or mitigated the damage caused by phishing.
References = Five Ways to Achieve a Successful Anti-Phishing Campaign; Don’t click: towards an effective
anti-phishing training. A comparative literature review; CISA, NSA, FBI, MS-ISAC Publish Guide on
Preventing Phishing Intrusions

70
Q
  1. Recovery time objectives (RTOs) are an output of which of the following?

A. Business continuity plan (BCP)
B. Disaster recovery plan (DRP)
C. Service level agreement (SLA)
D. Business impact analysis (BIA)

A

Answer: D

Explanation: Business impact analysis (BIA) is the process that provides the output of recovery time
objectives (RTOs), which are the maximum acceptable time frames for restoring business functions or
processes after a disruption. Business continuity plan (BCP) is the document that describes the strategies
and procedures for ensuring the continuity of critical business functions or processes in the event of a
disruption. Disaster recovery plan (DRP) is the document that describes the technical steps and resources
for restoring IT systems and data in the event of a disruption. Service level agreement (SLA) is the
document that defines the expectations and obligations between a service provider and a service consumer,
such as availability, performance, and security. References:
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/business-impactanalysis-bia-and-disaster-recovery-planning-drp
https://www.isaca.org/resources/isacajournal/issues/2017/volume-6/service-level-agreements-in-the-cloud

71
Q
  1. Which of the following should be the PRIMARY focus of a status report on the information security program
    to senior management?

A. Providing evidence that resources are performing as expected
B. Verifying security costs do not exceed the budget
C. Demonstrating risk is managed at the desired level
D. Confirming the organization complies with security policies

A

Answer: C

Explanation:
The primary focus of a status report on the information security program to senior management is to
demonstrate that the risk to the organization’s information assets is managed at the desired level, in
alignment with the business objectives and risk appetite. This can be achieved by providing relevant and
meaningful metrics, indicators, and trends that show the performance, effectiveness, and value of the
information security program,
as well as the current and emerging risks and the corresponding mitigation strategies. (From CISM Review
Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 37, section 1.3.2.2.

72
Q
  1. An information security team is investigating an alleged breach of an organization’s network. Which of the
    following would be the BEST single source of evidence to review?

A. File integrity monitoring software
B. Security information and event management (SIEM) tool
C. Antivirus software
D. Intrusion detection system (IDS)

A

Answer: D

Explanation: An intrusion detection system (IDS) is a software or hardware device that monitors network
traffic and detects unauthorized or malicious activities, such as attacks, intrusions, or breaches. An IDS can
provide valuable evidence for an information security team to investigate an alleged breach of an
organization’s network, as it can capture and analyze the network traffic in real time or after the fact. An IDS
can help to identify the source, type, scope, and impact of the breach, as well as to generate alerts and
reports for further investigation.
File integrity monitoring software (FIM), security information and event management (SIEM) tool, and
antivirus software are not single sources of evidence for an information security team to review. FIM
software monitors files and directories on a network or system and detects changes or modifications that
may indicate unauthorized access or tampering. SIEM tool collects and correlates data from various
sources, such as logs, events, alerts, incidents, and threats, and provides a unified view of the security
posture of an organization. Antivirus software scans files and programs on a network or system and detects
malware infections that may compromise the security or functionality of the system. However, these tools
are not sufficient by themselves to provide conclusive evidence for an information security team to
investigate an alleged breach of an organization’s network. They may provide some clues or indicators of
compromise (IOCs), but they may also generate false positives or negatives due to various factors, such as
configuration errors, user behavior, benign activities, or evasion techniques. Therefore, an information
security team should use multiple sources of evidence from different tools and methods to verify the validity
and reliability of the findings.
References = CISM Manual, Chapter 6: Incident Response Planning (IRP), Section 6.2:
Evidence Collection1
1: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles

73
Q
  1. The PRIMARY reason to properly classify information assets is to determine:

A. appropriate encryption strength using a risk-based approach.
B. the business impact if assets are compromised.
C. the appropriate protection based on sensitivity.
D. user access levels based on the need to know.

A

Answer: C

74
Q
  1. Which of the following would provide the MOST value to senior management when presenting the results of
    a risk assessment?

A. Mapping the risks to the security classification scheme
B. Illustrating risk on a heat map
C. Mapping the risks to existing controls
D. Providing a technical risk assessment report

A

Answer: B

75
Q
  1. Which of the following is MOST important to include in security incident escalation procedures?

A. Key objectives of the security program
B. Recovery procedures
C. Notification criteria
D. Containment procedures

A

Answer: C

Explanation: The most important thing to include in security incident escalation procedures is notification
criteria. This is because notification criteria define who needs to be informed of an incident, when, and how,
depending on the severity, impact, and nature of the incident. Notification criteria help to ensure that the
appropriate stakeholders are aware of the incident and can take the necessary actions to respond, mitigate,
and recover from it. Notification criteria also help to comply with legal and regulatory requirements for
reporting incidents to external parties, such as customers, authorities, or media. (From CISM Manual or related resources)
References = CISM Review Manual 15th Edition, Chapter 4, Section 4.2.2, page 2121; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 1, page 1

76
Q
  1. An organization has implemented a new customer relationship management (CRM) system. Who should
    be responsible for enforcing authorized and controlled access to the CRM data?

A. Internal IT audit
B. The data custodian
C. The information security manager
D. The data owner

A

Answer: D

Explanation: The data owner is the person who has the authority and responsibility to classify, grant access,
and monitor the use of the CRM data. The data owner should ensure that the data is protected according to
its classification and business requirements. The data custodian is the person who implements the controls
and procedures to protect the data as directed by the data owner. The information security manager is the
person who advises the data owner on the best practices and standards for data security. The internal IT
audit is the function that evaluates the effectiveness and compliance of the data security controls and
procedures.
References = CISM Review Manual, 16th Edition eBook1, Chapter 1: Information Security Governance,
Section: Information Security Roles and Responsibilities, Subsection: Data Owner, Page 23.

77
Q
  1. Which of the following BEST enables an organization to maintain legally admissible evidence?

A. Documented processes around forensic records retention
B. Robust legal framework with notes of legal actions
C. Chain of custody forms with points of contact
D. Forensic personnel training that includes technical actions

A

Answer: C

Explanation: Chain of custody forms with points of contact are the best way to enable an organization to
maintain legally admissible evidence because they document the sequence of control, transfer, and
analysis of the evidence, and every person who handled it, the dates and times, and the purpose for each
action1. They also ensure the authenticity and integrity of the evidence, and prevent tampering or loss1.
Documented processes around forensic records retention are not sufficient to maintain legally admissible
evidence because they do not track or verify the handling of the evidence. Robust legal framework with
notes of legal actions are not sufficient to maintain legally admissible evidence because they do not record
or validate the preservation of the evidence. Forensic personnel training that includes technical actions are
not sufficient to maintain legally admissible evidence because they do not account or certify the custody of
the evidence.
References: 1
https://www.researchgate.net/publication/326079761_Digital_Chain_of_Custody

78
Q
  1. An email digital signature will:

A. protect the confidentiality of an email message.
B. verify to recipient the integrity of an email message.
C. automatically correct unauthorized modification of an email message.
D. prevent unauthorized modification of an email message.

A

Answer: B

Explanation: An email digital signature will verify to recipient the integrity of an email message because it
ensures that the message has not been altered or tampered with during transit, and confirms that the
message originated from the sender and not an imposter. An email digital signature will not protect the
confidentiality of an email message because it does not encrypt or hide the message content from
unauthorized parties. An email digital signature will not automatically correct unauthorized modification of
an email message because it does not change or restore the message content if it has been altered or
tampered with. An email digital signature will not prevent unauthorized modification of an email message
because it does not block or stop any attempts to alter or tamper with the message content. References:
https://support.microsoft.com/en-us/office/securemessages-by-using-a-digital-signature-549ca2f1-a68f-4366-85fa-b3f4b5856fc6
https://www.techtarget.com/searchsecurity/definition/digital-signature

79
Q
  1. A small organization has a contract with a multinational cloud computing vendor. Which of the following
    would present the GREATEST concern to an information security manager if omitted from the contract?

A. Authority of the subscriber to approve access to its data
B. Right of the subscriber to conduct onsite audits of the vendor
C. Commingling of subscribers’ data on the same physical server
D. Escrow of software code with conditions for code release

A

Answer: A

Explanation: Authority of the subscriber to approve access to its data is the greatest concern for an
information security manager if omitted from the contract, as it may expose the subscriber’s data to
unauthorized or inappropriate access by the vendor or third parties. The subscriber should have the right to
control who can access its data, for what purposes, and under what conditions. The contract should also
specify the vendor’s obligations to protect the confidentiality, integrity, and availability of the subscriber’s
data, and to notify the subscriber of any breaches or incidents.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.2.1, page 2201;
Drafting and Negotiating Effective Cloud Computing Agreements2; CISM Online Review Course, Module 4,
Lesson 2, Topic 13

80
Q
  1. An experienced information security manager joins a new organization and begins by conducting an audit
    of all key IT processes. Which of the following findings about the vulnerability management program should
    be of GREATEST concern?

A. Identified vulnerabilities are not published and communicated in awareness programs.
B. Identified vulnerabilities are not logged and resolved in a timely manner.
C. The number of vulnerabilities identified exceeds industry benchmarks.
D. Vulnerabilities are identified by internal staff rather than by external consultants.

A

Answer: B

81
Q
  1. Which of the following BEST indicates that an information security governance framework has been
    successfully implemented?

A. The framework aligns internal and external resources.
B. The framework aligns security processes with industry best practices.
C. The framework aligns management and other functions within the security organization.
D. The framework includes commercial off-the-shelf security solutions.

A

Answer: A

Explanation:
The best indicator that an information security governance framework has been successfully implemented
is that the framework aligns internal and external resources. The framework should ensure that the
information security strategy, policies, and objectives are aligned with the business goals, stakeholder
expectations, and regulatory requirements, and it should enable the effective allocation and coordination of
internal and external resources, such as people, processes, technology, and finances, to support the
information security program and its activities.
References = CISM Review Manual 15th Edition, Chapter 1, Section 1.2.1, page 18; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 49, page 14

82
Q
  1. An information security manager is working to incorporate media communication procedures into the
    security incident communication plan. It would be MOST important to include:

A. a directory of approved local media contacts
B. pre-prepared media statements
C. procedures to contact law enforcement
D. a single point of contact within the organization

A

Answer: D

Explanation: A single point of contact within the organization is the most important element to include when
incorporating media communication procedures into the security incident communication plan because it
helps to ensure a consistent and accurate message to the public and avoid confusion or misinformation. A
single point of contact is a designated person who is authorized and trained to communicate with the media
on behalf of the organization during a security incident. The single point of contact should coordinate with
the incident response team, senior management, legal counsel, and public relations to prepare and deliver
timely and appropriate statements to the media, as well as to respond to any inquiries or requests. A single
point of contact also helps to prevent unauthorized or conflicting disclosures from other employees or
stakeholders that may harm the organization’s reputation or legal position. Therefore, a single point of
contact within the organization is the correct answer.
References:
✑ https://www.lifars.com/2020/09/communication-during-incident-response/
✑ https://ifpo.org/resource-links/articles-and-reports/public-and-media-relations/planning-for-effective-media-relations-during-a-critical-incident/
✑ https://www.techtarget.com/searchsecurity/tip/Incident-response-How-to-implement-a-communication-plan

83
Q
  1. Which of the following is the MOST effective way to detect information security incidents?

A. Implementation of regular security awareness programs
B. Periodic analysis of security event log records
C. Threshold settings on key risk indicators (KRIs)
D. Real-time monitoring of network activity

A

Answer: D

84
Q
  1. An organization’s information security manager reads on social media that a recently purchased vendor
    product has been compromised and customer data has been posted online. What should the information
    security manager do FIRST?

A. Perform a business impact analysis (BIA).
B. Notify local law enforcement agencies of a breach.
C. Activate the incident response program.
D. Validate the risk to the organization.

A

Answer: D

Explanation: The first thing that the information security manager should do after reading about a vendor
product compromise on social media is to validate the risk to the organization. This means verifying the
source and credibility of the information, determining if the organization uses the affected product, and
assessing the potential impact and likelihood of the compromise on the organization’s data and systems.
Validating the risk to the organization will help the information security manager to decide on the
appropriate course of action, such as activating the incident response program, notifying relevant
stakeholders, or performing a BIA.
References: The CISM Review Manual 2023 states that “the information security manager is responsible
for identifying and assessing the risks associated with the use of third-party
products and services” and that “the information security manager should monitor and review the security
performance and incidents of third-party products and services on a regular basis and take corrective
actions when deviations or violations are detected” (p. 138). The CISM Review Questions, Answers &
Explanations Manual 2023 also provides the following rationale for this Answer: “Validating the risk to the
organization is the correct answer because it is the first and most important step to take after reading about
a vendor product compromise on social media, as it will help the information security manager to confirm
the accuracy and relevance of the information, and to evaluate the potential consequences and probability
of the compromise on the organization’s data and systems” (p. 63). Additionally, the article Defending
Against Software Supply Chain Attacks from the CISA website states that “the first step in responding to a
software supply chain attack is to validate the risk to the organization by verifying the source and credibility
of the information, determining if the organization uses the affected software, and assessing the potential
impact and likelihood of the compromise on the organization’s data and systems” (p. 2)

85
Q
  1. Which of the following is MOST helpful in determining whether a phishing email is malicious?

A. Security awareness training
B. Reverse engineering
C. Threat intelligence
D. Sandboxing

A

Answer: D

86
Q
  1. Which of the following is MOST important to consider when defining control objectives?

A. Industry best practices
B. An information security framework
C. Control recommendations from a recent audit
D. The organization’s risk appetite

A

Answer: D

Explanation: The organization’s risk appetite is the most important factor to consider when defining control
objectives, because it reflects the amount and type of risk that the organization is willing to accept or avoid
in pursuit of its goals. Control objectives should align with the risk appetite and support the achievement of
the organization’s objectives. Industry best practices, an information security framework, and control
recommendations from a recent audit are also useful sources of guidance, but they are not as critical as the
risk appetite.
References = CISM Review Manual, 16th Edition, page 75

87
Q
  1. What is the role of the information security manager in finalizing contract negotiations with service
    providers?

A. To perform a risk analysis on the outsourcing process
B. To obtain a security standard certification from the provider
C. To update security standards for the outsourced process
D. To ensure that clauses for periodic audits are included

A

Answer: A

Explanation: The role of the information security manager in finalizing contract negotiations with service
providers is to ensure that the outsourcing process is aligned with the organization’s information security
policies, standards, and objectives. One of the key aspects of this process is to perform a risk analysis on
the outsourcing process, which involves identifying, assessing, and mitigating the potential threats and
vulnerabilities that may arise from outsourcing activities. A risk analysis can help the information security
manager to determine the appropriate level of security controls and requirements for the outsourced
process, as well as to monitor and evaluate its performance and compliance. A risk analysis can also help
to avoid or minimize legal, financial, reputational, or operational risks associated with outsourcing.
References =
✑ CISM Review Manual (Digital Version), Chapter 6: Information Security Program
Management
✑ CISM Review Manual (Print Version), Chapter 6: Information Security Program Management

88
Q
  1. Which of the following is PRIMARILY influenced by a business impact analysis (BIA)?

A. IT strategy
B. Recovery strategy
C. Risk mitigation strategy
D. Security strategy

A

Answer: B

89
Q
  1. An investigation of a recent security incident determined that the root cause was negligent handling of
    incident alerts by system administrators. Which of the following is the BEST way for the information
    security manager to address this issue?

A. Conduct a risk assessment and share the result with senior management.
B. Revise the incident response plan-to align with business processes.
C. Provide incident response training to data custodians.
D. Provide incident response training to data owners.

A

Answer: C

Explanation: The best action for the information security manager is to provide incident response training
to data custodians, because system administrators act as data custodians: they operate the systems and
are the people who receive and must act on incident alerts. Training improves their ability to recognize,
triage, and report security incidents and to follow the incident response procedures, which directly
addresses the root cause. Conducting a risk assessment and sharing the result with senior management
does not address the root cause or change how alerts are handled. Revising the incident response plan to
align with business processes does not address negligent handling of alerts by the people who receive
them. Providing incident response training to data owners is not appropriate because data owners are
accountable for the data but are not responsible for handling incident alerts or performing incident
response tasks. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned

90
Q
  1. Which of the following is the MOST important factor in an organization’s selection of a key risk indicator
    (KRI)?

A. Return on investment (ROI)
B. Compliance requirements
C. Target audience
D. Criticality of information

A

Answer: D

Explanation: A key risk indicator (KRI) is a metric that provides an early warning of potential exposure to a
risk. A KRI should be relevant, measurable, timely, and actionable. The most important factor in an
organization’s selection of a KRI is the criticality of information, which means that the KRI should reflect the
value and sensitivity of the information assets that are exposed to the risk. For example, a KRI for data
breach risk could be the number of unauthorized access attempts to a database that contains confidential
customer data. The criticality of information helps to prioritize the risks and focus on the most significant
ones. References: https://www.isaca.org/credentialing/cism
https://www.wiley.com/en-us/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948
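The example in the explanation (a KRI counting unauthorized access attempts against a database holding confidential customer data) can be made concrete. The following Python script is an added illustration, not part of the original flashcard set: it runs over a handful of constructed database audit log lines, counts DENIED attempts per database, and applies a threshold that depends on the assumed classification of the data in each database. The log format, database names, classifications and thresholds are all assumptions for the demonstration. The point it shows is the one the card makes: the less critical database sees more unauthorized attempts, yet only the confidential one breaches its KRI.

```python
import re
from collections import Counter

# Constructed sample database audit log lines (not from any real system).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z db=crm_customers user=alice action=SELECT result=DENIED reason=no_grant
2024-05-01T09:00:05Z db=crm_customers user=alice action=SELECT result=DENIED reason=no_grant
2024-05-01T09:01:10Z db=crm_customers user=svc_report action=SELECT result=OK
2024-05-01T09:02:00Z db=crm_customers user=bob action=UPDATE result=DENIED reason=no_grant
2024-05-01T09:03:30Z db=marketing_stats user=carol action=SELECT result=DENIED reason=no_grant
2024-05-01T09:04:00Z db=marketing_stats user=dave action=SELECT result=DENIED reason=no_grant
2024-05-01T09:04:20Z db=marketing_stats user=dave action=SELECT result=DENIED reason=no_grant
2024-05-01T09:05:00Z db=marketing_stats user=erin action=SELECT result=DENIED reason=no_grant
2024-05-01T09:05:30Z db=marketing_stats user=erin action=SELECT result=OK
"""

# Assumed data classification of each database and the per-class KRI threshold
# (unauthorized attempts per reporting window). The more critical the information,
# the fewer attempts are tolerated before the KRI fires.
CLASSIFICATION = {"crm_customers": "confidential", "marketing_stats": "internal"}
THRESHOLDS = {"confidential": 2, "internal": 5, "public": 20}

LINE_RE = re.compile(r"\bdb=(\S+) user=(\S+) action=(\S+) result=(\S+)")


def unauthorized_attempts(log_text):
    """Count DENIED access attempts per database."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(4) == "DENIED":
            counts[m.group(1)] += 1
    return counts


def evaluate_kri(log_text, classification=CLASSIFICATION, thresholds=THRESHOLDS):
    """Apply the criticality-dependent threshold to each database's attempt count."""
    counts = unauthorized_attempts(log_text)
    report = {}
    for db, cls in classification.items():
        n = counts.get(db, 0)
        limit = thresholds[cls]
        report[db] = {"classification": cls, "attempts": n,
                      "threshold": limit, "breached": n > limit}
    return report


def breached(report):
    """Databases whose KRI exceeded its threshold, most critical first."""
    order = {"confidential": 0, "internal": 1, "public": 2}
    return sorted((db for db, r in report.items() if r["breached"]),
                  key=lambda db: order[report[db]["classification"]])


if __name__ == "__main__":
    rep = evaluate_kri(SAMPLE_LOG)
    for db, r in rep.items():
        print(f"{db}: {r['attempts']} unauthorized attempts, threshold {r['threshold']} "
              f"({r['classification']}) -> {'BREACHED' if r['breached'] else 'ok'}")
    print("escalate:", breached(rep))
```

Run as-is, crm_customers (3 attempts, threshold 2) breaches while marketing_stats (4 attempts, threshold 5) does not; the raw count alone would have ranked them the other way round, which is why the threshold is tied to the criticality of the information rather than set uniformly.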

91
Q
  1. Which of the following is the BEST indicator of a successful intrusion into an organization’s systems?

A. Decrease in internal network traffic
B. Increase in the number of failed login attempts
C. Increase in the number of irregular application requests
D. Decrease in available storage space

A

Answer: C

92
Q
  1. Which of the following factors would have the MOST significant impact on an organization’s information
    security governance model?

A. Outsourced processes
B. Security budget
C. Number of employees
D. Corporate culture

A

Answer: D

Explanation: The corporate culture of an organization is the set of values, beliefs, norms, and behaviors
that shape how the organization operates and interacts with its stakeholders. It has the most significant
impact on an organization’s information security governance model, which is the way the organization
establishes, implements, monitors, and evaluates its information security policies, standards, and
objectives. An effective governance model requires a supportive corporate culture that fosters a shared
vision, commitment, and accountability for information security at all levels of the organization. A
supportive culture also helps to overcome resistance to change, promote collaboration and
communication, encourage innovation and learning, and enhance trust and confidence in information
security. Outsourced processes, the security budget, and the number of employees affect how the model is
resourced and implemented, but not its fundamental shape. References =
✑ CISM Review Manual (Digital Version), Chapter 1: Information Security Governance
✑ CISM Review Manual (Print Version), Chapter 1: Information Security Governance

93
Q
  1. Which of the following would BEST mitigate accidental data loss events?

A. Conduct periodic user awareness training.
B. Obtain senior management support for the information security strategy.
C. Conduct a data loss prevention (DLP) audit.
D. Enforce a data hard drive encryption policy.

A

Answer: A

Explanation:
Conducting periodic user awareness training is the best way to mitigate accidental data loss events
because it can educate the users on the causes, consequences, and prevention of data loss, and increase
their awareness of the security policies and procedures of the organization. User awareness training can
also help users to identify and report potential data loss incidents, and to adopt good practices such as
backing up data, encrypting data, and using secure channels for data transmission and storage.
References: The article Mistakes Happen—Mitigating Unintentional Data Loss from the ISACA Journal
2018 states that “user awareness training is the most effective way to prevent unintentional data loss” and
that “user awareness training should include information on the types and sources of data loss, the impact
and cost of data loss, the legal and regulatory requirements for data protection, the organization’s data
security policies and procedures, the roles and responsibilities of users in data security, the best practices
and tools for data security, and the reporting and escalation process for data loss incidents” (p. 2). The
Data Spill Management Guide from the Cyber.gov.au website also states that “user awareness training is
an important preventative measure to reduce the likelihood of data spills” and that “user awareness training
should cover topics such as data classification, data handling, data storage, data transmission, data
disposal, and data spill reporting” (p. 2)

94
Q
  1. Of the following, who is MOST appropriate to own the risk associated with the failure of a privileged access
    control?

A. Data owner
B. Business owner
C. Information security manager
D. Compliance manager

A

Answer: B

Explanation: The business owner is the most appropriate person to own the risk associated with the failure
of a privileged access control because they are ultimately responsible for the protection and use of the
information in their business unit and bear the consequences if the control fails. The data owner is
responsible for determining the access rights for specific data sets, but not for the access control
mechanisms. The information security manager is responsible for implementing and enforcing the security
policies and standards, but not for owning the risk. The compliance manager is responsible for ensuring
that the organization meets regulatory requirements, but not for owning the risk. References:
https://www.cyberark.com/resources/blog/how-do-you-prioritize-risk-for-privileged-access-management
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/capability-framework-for-privileged-access-management
https://security.stackexchange.com/questions/218049/what-is-the-difference-between-data-owner-data-custodian-and-system-owner

95
Q
  1. A data loss prevention (DLP) tool has flagged personally identifiable information (PII) during transmission.
    Which of the following should the information security manager do FIRST?

A. Validate the scope and impact with the business process owner.
B. Initiate the incident response plan.
C. Review and validate the rules within the DLP system.
D. Escalate the issue to senior management.

A

Answer: A

96
Q
  1. The GREATEST challenge when attempting data recovery of a specific file during forensic analysis is
    when:

A. the partition table on the disk has been deleted.
B. the file has been overwritten.
C. all files in the directory have been deleted.
D. high-level disk formatting has been performed.

A

Answer: B

Explanation: Data recovery is the process of restoring data that has been lost, corrupted, or deleted. When
a file is deleted, it is usually not physically erased from the disk; the operating system only removes or
flags the directory entry and marks the sectors the file occupied as free. Until those sectors are reused, the
file can often be recovered with tools that scan the raw disk for its contents (for example, carving by header
and footer signatures). Once the sectors have been overwritten by other data, however, the original
contents are gone and cannot be recovered by software. The other options are less challenging because
they affect only the logical structure of the disk, not the data itself: a deleted partition table, a deleted
directory, and a high-level (quick) format can be reconstructed or bypassed with forensic tools, since the
underlying data sectors are still intact.
References = CISM Review Manual, 16th Edition, Chapter 5, Section 5.4.1.2
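The distinction the explanation draws, metadata loss versus data loss, is easiest to see on a disk image. The Python script below is an added example and not part of the original flashcard set: it builds a toy volume in memory (one directory sector followed by data sectors, with a made-up 17-byte directory entry layout that is an assumption for the demonstration and not any real filesystem), writes a constructed PDF-like file, and then walks through three of the answer options: deleting the directory entry, wiping the whole directory as a quick format would, and finally reusing the data sectors. A simple signature carver that ignores the directory recovers the file in the first two cases and fails only in the third. The partition-table case (option A) is not modelled; the toy volume starts at offset 0, but the same carver would work on a raw image whose partition table was gone.

```python
import struct

SECTOR = 512
DIR_SECTORS = 1      # one directory sector at the front of the volume
DATA_SECTORS = 8
# Directory entry layout (an assumption for this toy volume, not a real filesystem):
# in-use flag, 12-byte name, first data sector, length in bytes.
ENTRY = struct.Struct("<B12sHH")
MAX_ENTRIES = SECTOR // ENTRY.size

# Constructed sample file: a PDF-like byte string with a recognisable header and trailer.
PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
SAMPLE_DOC = b"%PDF-1.4\n1 0 obj << /Title (contract) >> endobj\n%%EOF"


class ToyDisk:
    """Minimal FAT-like volume: a directory sector followed by data sectors."""

    def __init__(self):
        self.image = bytearray(SECTOR * (DIR_SECTORS + DATA_SECTORS))
        self.next_free = DIR_SECTORS  # sequential allocator; freed sectors are not reused

    def _entries(self):
        for i in range(MAX_ENTRIES):
            in_use, name, start, length = ENTRY.unpack_from(self.image, i * ENTRY.size)
            yield i, in_use, name.rstrip(b"\0"), start, length

    def write_file(self, name, data):
        nsect = -(-len(data) // SECTOR)
        if self.next_free + nsect > DIR_SECTORS + DATA_SECTORS:
            raise OSError("volume full")
        start = self.next_free
        self.image[start * SECTOR:start * SECTOR + len(data)] = data
        self.next_free += nsect
        for i, in_use, *_ in self._entries():
            if not in_use:
                ENTRY.pack_into(self.image, i * ENTRY.size, 1, name.encode(), start, len(data))
                return start
        raise OSError("directory full")

    def delete_file(self, name):
        """Logical delete: only the in-use flag is cleared; the data sectors are untouched."""
        for i, in_use, ename, _, _ in self._entries():
            if in_use and ename == name.encode():
                self.image[i * ENTRY.size] = 0
                return
        raise FileNotFoundError(name)

    def quick_format(self):
        """High-level format: rewrite the directory (metadata) only."""
        self.image[0:SECTOR] = bytes(SECTOR)

    def overwrite_sectors(self, start, nsect):
        """Simulate the freed sectors being reused by new data."""
        self.image[start * SECTOR:(start + nsect) * SECTOR] = b"\0" * (nsect * SECTOR)

    def list_files(self):
        return [e[2].decode() for e in self._entries() if e[1]]


def carve(image, magic, trailer):
    """Signature-based carving: ignore the directory and scan raw sectors for header..trailer."""
    found, pos = [], 0
    while True:
        h = image.find(magic, pos)
        if h < 0:
            break
        t = image.find(trailer, h)
        if t < 0:
            break
        found.append(bytes(image[h:t + len(trailer)]))
        pos = t + len(trailer)
    return found


def recovery_stages():
    """Walk the answer options and report what the directory and carving each yield."""
    disk = ToyDisk()
    start = disk.write_file("contract.pdf", SAMPLE_DOC)
    stages = {}
    disk.delete_file("contract.pdf")                  # option C: directory entry removed
    stages["deleted"] = (disk.list_files(), carve(disk.image, PDF_MAGIC, PDF_EOF))
    disk.quick_format()                               # option D: directory wiped, data intact
    stages["formatted"] = (disk.list_files(), carve(disk.image, PDF_MAGIC, PDF_EOF))
    disk.overwrite_sectors(start, 1)                  # option B: data sectors reused
    stages["overwritten"] = (disk.list_files(), carve(disk.image, PDF_MAGIC, PDF_EOF))
    return stages


if __name__ == "__main__":
    for stage, (listing, carved) in recovery_stages().items():
        print(f"{stage:12s} directory={listing} carved={len(carved)} file(s)")
```

In every stage the directory listing is empty, so a tool that trusts the filesystem metadata sees nothing to recover; the carver still returns the intact document after the delete and after the quick format, and returns nothing once the sector has been overwritten. That is the practical reason forensic examiners image the raw device before anything is allowed to write to it.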

97
Q
  1. The ULTIMATE responsibility for ensuring the objectives of an information security framework are being
    met belongs to:

A. the information security officer.
B. the steering committee.
C. the board of directors.
D. the internal audit manager.

A

Answer: C

Explanation:
The ultimate responsibility for ensuring the objectives of an information security framework are being met
belongs to the board of directors, as they are accountable for the governance of the organization and the
oversight of the information security strategy. The board of directors should ensure that the information
security framework aligns with the business objectives, supports the business processes, and complies
with the legal and regulatory requirements. The board of directors should also monitor the performance and
effectiveness of the information security framework and provide guidance and direction for its improvement.
References = CISM Review Manual, 16th Edition eBook, Chapter 1: Information Security Governance,
Section: Enterprise Governance, Subsection: Board of Directors, Page 18.

98
Q
  1. When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST
    important action for the information security manager?

A. Managing the impact
B. Identifying unacceptable risk levels
C. Assessing vulnerabilities
D. Evaluating potential threats

A

Answer: A

Explanation:
When preventive controls to appropriately mitigate risk are not feasible, the most important action for the
information security manager is to manage the impact: reduce the severity of the consequences if the risk
materializes, since its likelihood can no longer be reduced by prevention. Managing the impact means
applying alternative controls, such as detective, corrective, or compensating controls (monitoring and
alerting, incident response, backups and recovery, insurance), that lower the exposure or harm to the
organization. The other options, identifying unacceptable risk levels, assessing vulnerabilities, and
evaluating potential threats, are part of the risk assessment process; they inform the decision but do not
themselves treat the risk when prevention is not possible. References:
✑ https://bcmmetrics.com/risk-mitigation-evaluating-your-controls/
✑ https://www.osha.gov/safety-management/hazard-prevention
✑ https://www.cdc.gov/niosh/topics/hierarchy/default.html

99
Q
  1. An organization uses a security standard that has undergone a major revision by the certifying authority.
    The old version of the standard will no longer be used for organizations wishing to maintain their
    certifications. Which of the following should be the FIRST
    course of action?

A. Evaluate the cost of maintaining the certification.
B. Review the new standard for applicability to the business.
C. Modify policies to ensure new requirements are covered.
D. Communicate the new standard to senior leadership.

A

Answer: B

Explanation:
Reviewing the new standard for applicability to the business is the first course of action, as it helps to
understand the changes, gaps, and impacts of the revision on the organization’s security posture,
compliance status, and business objectives. Evaluating the cost of maintaining the certification, modifying
policies to ensure new requirements are covered, and communicating the new standard to senior
leadership are important steps, but they should be done after reviewing the new standard for applicability to
the business. References = CISM Review Manual 2022, page 361; CISM Exam Content Outline, Domain 1,
Task 1.2

100
Q
  1. Embedding security responsibilities into job descriptions is important PRIMARILY because it:

A. supports access management.
B. simplifies development of the security awareness program.
C. aligns security to the human resources (HR) function.
D. strengthens employee accountability.

A

Answer: D

Explanation: Employee accountability is the degree to which
employees are responsible for their actions and outcomes related to information security. It reflects the
extent to which employees understand their roles and responsibilities, follow the policies and procedures,
report incidents and breaches, and comply with legal and regulatory requirements. Embedding security
responsibilities into job descriptions helps to clarify the expectations and obligations of employees, as well
as the consequences of non-compliance or negligence. It also helps to align the security objectives with the
business goals and strategies, and to foster a culture of security awareness and responsibility.
References: 1: CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.2