
CISM 2020 CAT 1


Certified Information Security Manager (CISM): Feb – Jun 2020

CAT 1
1. Information security projects should be prioritized on the basis of:
A. Time required for implementation.
B. Impact on the organization.
C. Total cost for implementation.
D. Mix of resources required.

2. An information security manager must understand the relationship between information
security and business operations in order to:
A. Support organizational objectives.
B. Determine likely areas of noncompliance.
C. Assess the possible impacts of compromise.
D. Understand the threats to the business.

3. Which of the following will require the MOST effort when supporting an operational
information security program?
A. Reviewing and modifying procedures
B. Modifying policies to address changing technologies
C. Writing additional policies to address new regulations
D. Drafting standards to address regional differences

4. Who is accountable for ensuring that information is categorized and that specific protective
measures are taken?
A. The security officer
B. Senior management
C. The end user
D. The custodian

5. How should an information security manager balance the potentially conflicting requirements
of an international organization's security standards with local regulation?
A. Give organizational standards preference over local regulations.
B. Follow local regulations only.
C. Make the organization aware of those standards where local regulations cause conflicts.
D. Negotiate a local version of the organization standards.

6. The MOST useful way to describe the objectives in the information security strategy is through:
A. Attributes and characteristics of the “desired state.”
B. Overall control objectives of the security program.
C. Mapping the IT systems to key business processes.
D. Calculation of annual loss expectations.

7. The MOST important aspect in establishing good information security policies is to ensure that
they:
A. Have the consensus of all concerned groups.
B. Are easy to access by all employees.
C. Capture the intent of management.
D. Have been approved by the internal audit department.

8. Which of the following is the MOST important objective of an information security strategy
review?
A. Ensuring that risk is identified, analyzed and mitigated to acceptable levels
B. Ensuring that information security strategy is aligned with organizational goals
C. Maximizing the return on information security investments
D. Ensuring the efficient utilization of information security resources

9. Which of the following choices is MOST likely to ensure that responsibilities are carried out?
A. Signed contracts
B. Severe penalties
C. Assigned accountability
D. Clear policies

10. Who in an organization has the responsibility for classifying information?
A. Data custodian
B. Database administrator
C. Information security officer
D. Data owner

11. The MOST important requirement for gaining management commitment to the information
security program is to:
A. Benchmark a number of successful organizations.
B. Demonstrate potential losses and other impacts that can result from a lack of support.
C. Inform management of the legal requirements of due care.
D. Demonstrate support for desired outcomes.

12. The director of auditing has recommended a specific information security monitoring solution
to the information security manager. What should the information security manager do
FIRST?
A. Obtain comparative pricing bids and complete the transaction with the vendor offering the best
deal.
B. Add the purchase to the budget during the next budget preparation cycle to account for costs.
C. Perform an assessment to determine correlation with business goals and objectives.
D. Form a project team to plan the implementation.

13. An organization has decided to implement bring your own device (BYOD) for laptops and
mobile phones. What should the information security manager focus on FIRST?
A. Advising against implementing BYOD because of a security risk.
B. Preparing a business case for new security tools for BYOD.
C. Updating the security awareness program to include BYOD.
D. Determining an information security strategy for BYOD.

14. Senior management is reluctant to budget for the acquisition of an intrusion prevention system
(IPS). The chief information security officer (CISO) should do which of the following activities?
A. Develop and present a business case for the project.
B. Seek the support of the users and information asset custodians.
C. Invite the vendor for a proof of concept demonstration.
D. Organize security awareness training for management.

15. The PRIMARY goal of developing an information security strategy is to:
A. Establish security metrics and performance monitoring.
B. Educate business process owners regarding their duties.
C. Ensure that legal and regulatory requirements are met.
D. Support the business objectives of the organization.

16. What is the MOST likely reason that an organizational policy can be eliminated?
A. There is no credible threat.
B. The policy is ignored by staff.
C. Underlying standards are obsolete.
D. The policy is not required by regulatory requirements.

17. Which of the following choices will MOST influence how the information security program will
be designed and implemented?
A. Type and nature of risk
B. Organizational culture
C. Overall business objectives
D. Lines of business

18. Which of the following elements is MOST important when developing an information security
strategy?
A. Defined objectives
B. Time frames for delivery
C. Adoption of a control framework
D. Complete policies

19. The MOST basic requirement for an information security governance program is to:
A. Be aligned with the corporate business strategy.
B. Be based on a sound risk management approach.
C. Provide adequate regulatory compliance.
D. Provide good practices for security initiatives.

20. When an information security manager is developing a strategic plan for information security,
the timeline for the plan should be:
A. Aligned with the IT strategic plan.
B. Based on the current rate of technological change.
C. Three to five years for both hardware and software.
D. Aligned with the business strategy.

21. Which person or group should have final approval of an organization's information security
policies?
A. Business unit managers
B. Chief information security officer (CISO)
C. Senior management
D. Chief information officer (CIO)

22. In implementing information security governance, the information security manager is
PRIMARILY responsible for:
A. Developing the security strategy.
B. Reviewing the security strategy.
C. Communicating the security strategy.
D. Approving the security strategy.

23. The PRIMARY focus of information security governance is to:
A. Adequately protect the information and knowledge base of the organization.
B. Provide assurance to senior management that the security posture is adequate.
C. Safeguard the IT systems that store and process business information.
D. Optimize the information security strategy to achieve business objectives.

24. Business objectives should be evident in the security strategy by:
A. Inferred connections.
B. Standardized controls.
C. Managed constraints.
D. Direct traceability.

25. Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D. Budget estimates to acquire specific security tools

26. Obtaining senior management support for an information security initiative can BEST be
accomplished by:
A. Developing and presenting a business case.
B. Defining the risk that will be addressed.
C. Presenting a financial analysis of benefits.
D. Aligning the initiative with organizational objectives.

27. Which of the following requirements would have the LOWEST level of priority in information
security?
A. Technical
B. Regulatory
C. Privacy
D. Business

28. Which of the following is PRIMARILY related to the emergence of governance, risk and
compliance (GRC)?
A. The increasing need for controls
B. The policy development process
C. The integration of assurance-related activities
D. A model for information security program development

29. Which of the following situations must be corrected FIRST to ensure successful information
security governance within an organization?
A. The information security department has had difficulty filling vacancies.
B. The chief operating officer (COO) approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.

30. Which of the following would be the FIRST step when developing a business case for an
information security investment?
A. Defining the objectives
B. Calculating the cost
C. Defining the need
D. Analyzing the cost-effectiveness

31. Which of the following choices BEST justifies an information security program?
A. The impact on critical IT assets
B. A detailed business case
C. Steering committee approval
D. User acceptance

32. Governance, risk and compliance (GRC) is an emerging approach PRIMARILY for achieving:
A. Enhanced risk management.
B. Better classification processes.
C. Assurance process integration.
D. Increased executive accountability.

33. New regulatory and legal compliance requirements that will have an effect on information
security will MOST likely come from the:
A. Corporate legal officer.
B. Internal audit department.
C. Affected departments.
D. Compliance officer.

34. During a stakeholder meeting, a question was asked regarding who is ultimately accountable
for the protection of sensitive data. Assuming that all of the following roles exist in the
enterprise, which would be the MOST appropriate answer?
A. Security administrators
B. The IT steering committee
C. The board of directors
D. The information security manager

35. Compliance with security policies and standards is the responsibility of:
A. The information security manager.
B. Executive management.
C. The compliance officer.
D. All organizational units.

36. Senior management commitment and support for information security can BEST be obtained
through presentations that:
A. Use illustrative examples of successful attacks.
B. Explain the technical risks to the organization.
C. Evaluate the organization against best security practices.
D. Tie security risks to key business objectives.

37. Effective governance of enterprise security is BEST ensured by:
A. Utilizing a bottom-up approach.
B. Management by the IT department.
C. Referring the matter to the organization's legal department.
D. Utilizing a top-down approach.

38. Security technologies should be selected PRIMARILY on the basis of their:
A. Ability to mitigate business risk.
B. Evaluations in trade publications.
C. Use of new and emerging technologies.
D. Benefits in comparison to their costs.

39. The MOST important outcome of aligning information security governance with corporate
governance is to:
A. Show that information security understands the rules.
B. Provide regulatory compliance.
C. Maximize the cost-effectiveness of controls.
D. Minimize the number of rules and regulations required.

40. Which of the following individuals would be in the BEST position to sponsor the creation of an
information security steering group?
A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel

41. The corporate information security policy should:
A. Address corporate network vulnerabilities.
B. Address the process for communicating a violation.
C. Be straightforward and easy to understand.
D. Be customized to specific target audiences.

42. An organization has consolidated global operations. The chief information officer (CIO) has
asked the chief information security officer (CISO) to develop a new organization information
security strategy. Which of the following actions should be taken FIRST?
A. Identify the assets.
B. Conduct a risk assessment.
C. Define the scope.
D. Perform a business impact analysis (BIA).

43. Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests

44. Which of the following is the MOST appropriate task for a chief information security officer
(CISO) to perform?
A. Update platform-level security settings
B. Conduct disaster recovery test exercises
C. Approve access to critical financial systems
D. Develop an information security strategy

45. Which of the following factors is MOST important for the successful implementation of an
organization's information security program?
A. Senior management support
B. Budget for security activities
C. Regular vulnerability assessments
D. Knowledgeable security administrators

46. An organization's board of directors is concerned about recent fraud attempts that originated
over the Internet. What action should the board take to address this concern?
A. Direct information security regarding specific resolutions that are needed to address the risk.
B. Research solutions to determine appropriate actions for the organization.
C. Take no action; information security does not report to the board.
D. Direct management to assess the risk and to report the results to the board.

47. Which of the following is an indicator of effective governance?
A. A defined information security architecture
B. Compliance with international security standards
C. Periodic external audits
D. An established risk management program

48. Which of the following situations would MOST inhibit the effective implementation of security
governance?
A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. Lack of high-level sponsorship

49. The MOST important component of a privacy policy is:
A. Notifications.
B. Warranties.
C. Liabilities.
D. Standards.

50. Which of the following BEST indicates senior management commitment toward supporting
information security?
A. Assessment of risk to the assets
B. Approval of risk management methodology
C. Review of inherent risk to information assets
D. Review of residual risk for information assets

51. Faced with numerous risk scenarios, the prioritization of treatment options will be MOST
effective if based on the:
A. Existence of identified threats and vulnerabilities.
B. Likelihood of compromise and subsequent impact.
C. Results of vulnerability scans and remediation cost.
D. Exposure of corporate assets and operational risk.

52. Which of the following BEST describes the key objective of an information security program?
A. Achieve strategic business goals and objectives.
B. Protect information assets using manual and automated controls.
C. Automate information security controls.
D. Eliminate threats to the organization.

53. The classification level of an asset must be PRIMARILY based on which of the following
choices?
A. Criticality and sensitivity
B. Likelihood and impact
C. Valuation and replacement cost
D. Threat vector and exposure

54. Which of the following is the BEST quantitative indicator of an organization’s current risk
appetite?
A. The number of incidents and the subsequent mitigation activities
B. The number, type and layering of deterrent control technologies
C. The extent of risk management requirements in policies and standards
D. The ratio of cost to insurance coverage for business interruption protection

55. Which of the following items determines the acceptable level of residual risk in an
organization?
A. Management discretion
B. Regulatory requirements
C. Inherent risk
D. Internal audit findings

56. A business impact analysis (BIA) is the BEST tool for determining:
A. Total cost of ownership (TCO).
B. Priority of restoration.
C. Annualized loss expectancy (ALE).
D. Residual risk.

57. Asset classification should be MOSTLY based on:
A. Business value.
B. Book value.
C. Replacement cost.
D. Initial cost.

58. What are the essential elements of risk?
A. Impact and threat
B. Likelihood and consequence
C. Threat and exposure
D. Sensitivity and exposure

59. A company recently developed a breakthrough technology. Because this technology could give
this company a significant competitive edge, which of the following would FIRST govern how
this information is to be protected?
A. Access control policy
B. Data classification policy
C. Encryption standards
D. Acceptable use policy

60. After a risk assessment, it is determined that the cost to mitigate the risk is much greater than
the benefit to be derived. The information security manager should recommend to business
management that the risk be:
A. Transferred.
B. Treated.
C. Accepted.
D. Terminated.

61. When conducting a risk assessment, which of the following elements is the MOST important?
A. Consequences
B. Threat
C. Vulnerability
D. Probability

62. Risk acceptance is a component of which of the following?
A. Risk assessment
B. Risk treatment
C. Risk identification
D. Risk monitoring

63. At what point in the risk management process is residual risk determined?
A. When evaluating the results of the application of new or existing controls or countermeasures
B. When identifying and classifying information resources or assets that need protection
C. When assessing threats and the consequences of a compromise
D. After the elements of risk have been established, when combining them to form an overall view
of risk

64. Which of the following choices is MOST strongly supported by effective management of
information assets?
A. An information/data dictionary
B. A data classification program
C. An information-based security culture
D. A business-oriented risk policy

65. Which of the following would be MOST useful in developing a series of recovery time objectives
(RTOs)?
A. Gap analysis
B. Regression analysis
C. Risk analysis
D. Business impact analysis (BIA)

66. In conducting an initial technical vulnerability assessment, which of the following choices
should receive top priority?
A. Systems impacting legal or regulatory standing
B. Externally facing systems or applications
C. Resources subject to performance contracts
D. Systems covered by business interruption insurance

67. Which of the following is the GREATEST concern for an organization in which there is a
widespread use of mobile devices?
A. There is an undue reliance on public networks.
B. Batteries require constant recharges.
C. There is a lack of operating system standardization.
D. Mobile devices can be easily lost or stolen.

68. Which of the following is the MOST important prerequisite to undertaking asset classification?
A. Threat analysis
B. Impact assessment
C. Controls evaluation
D. Penetration testing

69. Which of the following risk scenarios would BEST be assessed using qualitative risk assessment
techniques?
A. Theft of purchased software
B. Power outage lasting 24 hours
C. Permanent decline in customer confidence
D. Temporary loss of email services

70. Which of the following provides the BEST defense against the introduction of malware in end-
user computers via the Internet browser?
A. Input validation checks on structured query language (SQL) injection
B. Restricting access to social media sites
C. Deleting temporary files
D. Restricting execution of mobile code

71. Reducing exposure of a critical asset is an effective mitigation measure because it reduces:
A. The impact of a compromise.
B. The likelihood of being exploited.
C. The vulnerability of the asset.
D. The time needed for recovery.

72. Security risk assessments are MOST cost-effective to a software development organization
when they are performed:
A. Before system development begins.
B. At system deployment.
C. Before developing a business case.
D. At each stage of the software development life cycle (SDLC).

73. Which of the following types of information would the information security manager expect to
have the LOWEST level of security protection in a publicly traded, multinational enterprise?
A. Strategic business plan
B. Upcoming financial results
C. Customer personal information
D. Previous financial results

74. Which of the following would BEST address the risk of data leakage?
A. File backup procedures
B. Database integrity checks
C. Acceptable use policies
D. Incident response procedures

75. Which of the following would be the MOST relevant factor when defining the information
classification policy?
A. Quantity of information
B. Available IT infrastructure
C. Benchmarking
D. Requirements of data owners

76. What is the BEST strategy for risk management?
A. Achieve a balance between risk and organizational goals.
B. Reduce risk to an acceptable level.
C. Ensure that policy development properly considers organizational risk.
D. Ensure that all unmitigated risks are accepted by management.

77. What is the BEST means to standardize security configurations in similar devices?
A. Policies
B. Procedures
C. Technical guides
D. Baselines

78. Monitoring has flagged a security noncompliance. What is the MOST appropriate action?
A. Validate the noncompliance.
B. Escalate the noncompliance to management.
C. Update the risk register.
D. Fine-tune the key risk indicator (KRI) threshold.

79. Which of the following are the essential ingredients of a business impact analysis (BIA)?
A. Downtime tolerance, resources and criticality
B. Cost of business outages in a year as a factor of the security budget
C. Business continuity testing methodology being deployed
D. Structure of the crisis management team

80. Which of the following measures would be MOST effective against insider threats to
confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense in depth

81. Addressing risk at various life cycle stages is BEST supported by:
A. Change management.
B. Release management.
C. Incident management.
D. Configuration management.

82. What is the MOST cost-effective method of identifying new vendor vulnerabilities?
A. External vulnerability reporting sources
B. Periodic vulnerability assessments performed by consultants
C. Intrusion prevention software
D. Honeypots located in the demilitarized zone (DMZ)

83. Which of the following is the MOST usable deliverable of an information security risk analysis?
A. Business impact analysis (BIA) report
B. List of action items to mitigate risk
C. Assignment of risks to process owners
D. Quantification of organizational risk

84. Under what circumstances is it MOST appropriate to reduce control strength?
A. Assessed risk is below acceptable levels.
B. Risk cannot be determined.
C. The control cost is high.
D. The control is not effective.

85. What is the PRIMARY basis for the selection and implementation of products to protect the IT
infrastructure?
A. Regulatory requirements
B. Technical expert advisories
C. State-of-the-art technology
D. A risk assessment

86. Which of the following is the BEST method to ensure the overall effectiveness of a risk
management program?
A. User assessments of changes
B. Comparison of the program results with industry standards
C. Assignment of risk within the organization
D. Participation by all members of the organization

87. The MOST important factors to consider when prioritizing control development are:
A. Threat and vulnerability.
B. Cost and frequency.
C. Risk appetite and tolerance.
D. Probability and impact.

88. The PRIMARY objective of asset classification is to:
A. Maximize resource management.
B. Comply with IT policy.
C. Define information architecture.
D. Determine protection level.

89. Who is responsible for ensuring that information is classified?
A. Senior management
B. The security manager
C. The data owner
D. The data custodian

90. An IT systems analyst has just received an email alert from an internal IT colleague regarding
a new virus. The alert also contains a patch to an updated virus pattern for the antivirus
software used by the organization. Which of the following choices is the next BEST course of
action for the analyst?
A. Verify the sender’s identity using a digital signature.
B. Obtain a third-party confirmation from a technical group.
C. Check the header of the email to confirm its authenticity.
D. Download the patch immediately to prevent service disruption.

91. Abnormal server communication from inside the organization to external parties may be
monitored to:
A. Record the trace of advanced persistent threats (APTs).
B. Evaluate the process resiliency of server operations.
C. Verify the effectiveness of an intrusion detection system (IDS).
D. Support a nonrepudiation framework in e-commerce.

92. Of the following, retention of business records should be PRIMARILY based on:
A. Periodic vulnerability assessment.
B. Business requirements.
C. Device storage capacity and longevity.
D. Legal requirements.

93. Addressing risk scenarios at various information system life cycle stages is PRIMARILY a
function of:
A. Change management.
B. Release management.
C. Incident management.
D. Configuration management.

94. Which of the following should a successful information security management program use to
determine the amount of resources devoted to mitigating exposures?
A. Risk analysis results
B. Audit report findings
C. Penetration test results
D. Amount of IT budget available

95. In which phase of the development process should risk assessment be FIRST introduced?
A. Programming
B. Specification
C. User testing
D. Feasibility

96. An organization is using a vendor-supplied critical application which has a maximum password
length that does not comply with organizational security standards. Which of the following
approaches BEST helps mitigate the weakness?
A. Shorten the password validity period.
B. Encourage the use of special characters.
C. Strengthen segregation of duties (SoD).
D. Introduce compensatory controls.

97. The MOST effective use of a risk register is to:
A. Identify risks and assign roles and responsibilities for mitigation.
B. Identify threats and probabilities.
C. Facilitate a thorough review of all IT-related risk on a periodic basis.
D. Record the annualized financial amount of expected losses due to risk.

98. What mechanism should be used to identify deficiencies that would provide attackers with an
opportunity to compromise a computer system?
A. Business impact analysis (BIA)
B. Security gap analysis
C. System performance metrics
D. Incident response processes

99. When performing a qualitative risk analysis, which of the following will BEST produce reliable
results?
A. Estimated productivity losses
B. Possible scenarios with threats and impacts
C. Value of information assets
D. Vulnerability assessment

100. After completing a full IT risk assessment, who is in the BEST position to decide which
mitigating controls should be implemented?
A. Senior management
B. The business manager
C. The IT audit manager
D. The information security officer
