Isaca CISM Certified Information Security Manager Exam Practice Test

Organization-wide involvement

Documented escalation processes

Impact to production systems

Stakeholder notification procedures

Isolate the noncompliant system from the rest of the network.

Conduct an impact analysis to quantify the associated risk

Request risk acceptance from senior management.

Submit the issue to the steering committee for escalation.

Areas requiring investment are identified.

Staff is educated about current threats.

An action plan is available for senior management.

Internal procedures are improved.

Defense in depth

Threat management

Vulnerability management

Increased security awareness

Business impact analysis (B1A)

Risk analysis

Business case

Threat assessment

Software escrow is not addressed in the contract

The contract has no requirement for secure development practices

The mobile app s programmers are all offshore contractors.

SLAs after deployment are not clearly defined.

Reduce the number of applications marked as critical.

Halt the test until the network bandwidth is increased.

Document the deficiency for review by business leadership.

Pursue risk acceptance for the slower response time

Log aggregation and correlation

Established security baselines

An intrusion detection system (IDS)

Penetration testing

the security requirements are included in the service level agreement (SLA).

escrow agreements are in place.

the responsibility for security is transferred in the service level agreement (SLA).

nondisclosure clauses are in the contract.

Obtaining support for the integration from business owners

Evaluating and reporting the degree of integration

Obtaining approval for the information security budget

Defining metrics to demonstrate alignment

End user acceptance

Disparate device security

Mobile application control

Configuration management

a sandbox environment

device encryption,

two-factor authentication

a strong password policy

inform the system owner of any residual risks and propose measures to reduce them.

establish an overall security program that minimizes the residual risks of that production system

inform the IT manager of the residual risks and propose measures to reduce them.

inform the development team of any residual risks and together formulate risk reduction measures.

Board of directors

Chief information officer (CIO)

Chief information security officer (CISO)

information security steering committee

The information security policies are not communicated across the organization.

The information security policies lack alignment with corporate goals.

The information security program is not adequately funded.

The organization is operating in a highly regulated industry.

Auditing purposes

Incident investigation

Firewall tuning

Intrusion detection

Complying with regulatory requirement

Ensuring the amount of residual risk is acceptable

Avoiding identified system threats

Reducing the number of vulnerabilities detected

Projected increase in maturity level

Estimated increase in efficiency

Projected costs over time

Estimated reduction in risk

provide status of incidents

resolve incidents

track ongoing incidents

identify potential incidents.

logical access controls for information systems

Information security architecture to increase monitoring activities

Relevant and timely content included in awareness programs

Management support for information security

Benchmarking information security efforts of industry competitors

Obtaining better pricing from information security service vendors

Presenting a report of current threats to the organization

Educating management on information security best practices

Average number of security incidents across business units

Number of vulnerabilities identified for high-risk information assets

Security project justifications provided in terms of business value

Mean time to resolution for enterprise-wide security incidents

Implement a mobile device management solution.

Implement a web application firewall.

Educate users regarding the use of approved applications.

Establish a mobile device acceptable use policy

Information security initiatives are directly correlated to business processes.

The information security team is able to provide key performance indicators (KPIs) to senior management.

Business senior management supports the information security policies.

The information security program manages risk within the business1* risk tolerance.

Organizational risk tolerance

Cost to contain and remediate the incident

Criticality of affected resources

Short-term impact to shareholder value

Improved vulnerability management

Standardization of system support

Decreased risk to the organization's systems

Reduced frequency of incidents

To ensure alignment with industry standards and trends

To facilitate alignment between risk management and organizational objectives

To comply with the organization’s regulatory and legal requirements

To ensure adequate funding is available for risk management and mitigation

Retention schedules

Organizational risk

System access specifications

Definitions of responsibilities

Industry benchmarks

Risk assessment results

Business impact analysis (BIA) results

Key performance indicators (KPIs)

Escalation paths

Right-to-audit clause

Termination language

Key performance indicators (KPIs)

The committee has strong regulatory knowledge.

The committee has cross-organizational representation.

The committee has strong representation from IT.

The committee is driven by industry best practices.

job control statements.

code review.

use of compilers.

program library software.

Analysis of control gaps

Identification of risk

Design of key risk indicators (KRIs)

Selection of risk treatment options

Identification of threats and vulnerabilities

Prioritization of action plans

Validation of current capabilities

Benchmarking against industry peers

Information security governance

Risk assessment program

Information security metrics

Information security awareness training

Audit trail

Password control

Account lockout

Hash totals

Performing integration testing with vendor systems

Establishing communication paths with vendors

Requiring security awareness training for vendor staff

Including service level agreements (SLAs) in vendor contracts

Deny the request as noncompliant with policy

Accept the request immediately based on the business criticality.

Notify the IT network manager and make an approval decision jointly.

Document the risk and mark for future review.

SWOT analysis

Balanced scorecard

Cost-benefit analysis

Industry benchmarks

Update roles and responsibilities of the incident response team.

Validate that the information security strategy maps to corporate objectives

Train the incident response team on escalation procedures.

Implement a monitoring solution for incident response activities.

Determine mitigation options with IT management

Communicate the potential impact to the application owner.

Report the risk to the information security steering committee.

Escalate the risk to senior management.

Frequency of security incidents

Benchmarking to industry peers

Evolving business goals

Unmitigated risk

Masking sensitive data

Requiring two-factor authentication

Using a secure communications protocol

Requiring a digital signature

Present a risk analysis with recommendations to senior management.

Update the risk register so that senior management is kept informed

Remove the rules that trigger the increased number of alerts

Evaluate and update the enterprise network security architecture

Report the decision to the compliance officer.

Update details within the risk register

Reassess the organization's risk tolerance

Assess the impact of the regulation

Implement a SIEM solution.

Perform a post-incident review.

Perform a threat analysis.

Establish performance metrics for the team.

Conduct a risk assessment.

Initiate a device reset.

Disable remote access,

Initiate incident response.

Conduct interviews with organizational units

Participate in emergency response activities

Perform post-incident reviews

Establish incident key performance indicators (KPIs).

To communicate escalation procedures

To minimize business disruption

To establish appropriate service level agreements (SLAs)

To define roles and responsibilities

Timely reporting of incidents

Containment of incidents

Optimization of resources

Determination of incident impact

predictable operations.

international standards

security awareness

corporate policy

conduct a risk assessment.

develop a business case.

map the strategy to business objectives.

D, perform a cost-benefit analysis.

The organization's security incident trends

Risk management metrics

Results of vulnerability assessments

External audit findings

Existence of an industry-accepted framework

Up-to-date policy and procedures documentation

A report on the maturity of controls

Results of an independent assessment

An independent auditor for identification of control deficiencies

A penetration tester to validate the attack

A forensics expert for evidence management

A damage assessment expert for calculating losses

Data ownership

Application logging

Incident response

Access log review

Include information security clauses in the vendor contract.

Develop metrics for vendor performance.

Include information security criteria as part of vendor selection.

Review third-party reports of potential vendors.

Perform regular audits on the service providers' applicable controls.

Provide information security awareness training to service provider staff.

Conduct regular vulnerability assessments on the service providers' IT systems.

Review the service providers' information security policies and procedures.

Control owner responses based on a root cause analysis

An accountability risk to initiate remediation activities

A plan for mitigating the risk due to noncompliance

The impact of noncompliance on the organization's risk profile

Conduct a mobile device risk assessment.

Create an acceptable use policy.

Deploy mobile device management (MDM).

Implement remote wipe capability.

Deploy host-based intrusion detection.

Monitor application level logs.

Install anti-spyware software.

Deploy an application firewall.

Number of detected security defects per thousand lines of code

Average time to release code into production

Average time to fix each discovered security defect

Number of security defects discovered in development versus production

contractual obligations.

Independent audits

service level agreements (SLAs).

industry standard alignment.

Reduction in the number of threats to an organization

Reduction In the cost of risk remediation for an organization

Reduction in the amount of risk exposure in an organization

Reduction In the number of vulnerabilities in an organization

Chief information security officer (CISO)

Information security steering committee

Audit committee

Chief executive officer (CEO)

Conducting a business impact analysis (BIA)

Conducting information security awareness training

Integrating security requirements with processes

Performing security assessments and gap analyses

Enhance IT application support for users.

Protect against malware-based attacks.

Conserve storage for approved applications.

Allow IT to monitor application usage.

To determine if existing business continuity plans are adequate

To determine the basis for proposing an increase in security budgets

To determine if existing vulnerabilities present a risk

To determine critical information for executive management

Provide the estimated return on investment (ROI)

Provide an analysis of current risk exposures.

Include historical data of reported incidents.

include industry benchmarking comparisons.

Rehearsing incident response procedures rote, and responsibilities

Providing annual awareness training regarding incident response for team members

Validating the incident response plan against industry best practices

Defining modern seventy levels during a business impact analysis (BIA)

Ensure an audit of the provider is conducted to identify control gaps.

Review the provider's information security policies and procedures.

Obtain documentation of the encryption management practices.

Verify the provider follows a cloud service framework standard.

A data backup policy

A data recovery policy

Data classification

Privacy impact assessment

Isolate the computer from the network.

Take a forensic copy of the hard drive.

Use anti-malware software to clean the infected computer.

Restore the files from a secure backup.

Redundant

Mobile

Warm

Shared

Requesting senior management to periodically review security incidents

Establishing a change control process for continued updating of security policies

Implementing an automated solution for monitoring information security processes

Establishing metrics to measure the effectiveness of the information security program

Developing an asset classification model

Assigning the asset classification level

Securing assets in accordance with their classification

Assigning asset ownership

Prohibit remote access to the site

Periodically recertify access rights.

Conduct vulnerability assessment

Enforce document life cycle management

Email filtering

Security strategy training

Application whitelisting

Network encryption

Ensuring that key controls are embedded in the processes

Providing information security policy training to the process owners

Allocating sufficient resources

Identifying risks in the processes and managing those risks

Management direction on security

A well-defined security organization

Sufficient resource allocation by management

A risk-aware security culture

Adopting an information security framework

Establishing a baseline of network operations

Conducting a risk assessment

Performing vulnerability scans

data is encrypted in transit and at rest

data sharing complies with local laws and regulations at both locations.

a nondisclosure agreement is signed.

risk coverage is split between the two locations sharing data.

on a shared Internal server

on a dedicated encrypted storage server,

In an encrypted folder on each server.

on a cold site server.

Deliver regular social media awareness training to all employees.

Hire a social media manager to control content delivered via social media.

Restrict the use of social media on corporate networks and devices

Scan social media platforms for company references

A steering committee is established

A baseline risk assessment is performed.

Compliance with regulations is demonstrated.

The information security manager develops the strategy

Ability to enforce contractual obligations

Ability to meet service level agreements (SLAs)

Ability to logically separate client data

Ability to meet business resiliency requirements

Establishing a steering committee

Molding periodic meetings with business owners

Creating communication channels

Promoting security training

Implement mitigating controls

Examine firewall logs to identity the attacker

Notify the regulatory agency of the incident

Evaluate the impact to the business.

A security steering committee is set up within the IT deployment.

Key information security policy are updated on a regular basis

Policies are created with input from business unit managers.

Business leaders participate in information security decision making

Availability of capable information security resources

Measurement of security performance against IT goals

Results of a technology risk assessment

Results of an information security gap analysis

Inducting information security clauses within contracts

Auditing the service delivery of third-party providers

Requiring third parties to sign confidentiality agreements

Providing information security training to third-party personnel

Data isolation

Data classification

Data transfer

Data backup

strong password controls.

a reverse lookup.

a secure protocol.

a firewall

modify behavior

understand intrusion methods

reduce negative audit findings

increase compliance.

Evaluate data encryption technologies.

Conduct a vulnerability assessment.

Move the system into a separate network.

Conduct a privacy impact assessment (PIA).

Requirements for data encryption

Results of the cloud provider's control report

A destruction-of-data clause in the contract

Right to terminate clauses in the contract

Well-designed firewall system

Biometric security access control

Screening prospective employees

Well-designed intrusion detection system (IDS)

document the disaster recovery process.

obtain the support of executive management.

map the business process to supporting IT and other corporate resources.

identify critical processes and the degree of reliance on support services.

data owner

system administrator.

data end user

information security manager

Continuous monitoring

Two-factor authentication

Layered protection

Penetration testing

Lack of training for end users on security policies

Inadequate buy-in from system owners to support the policies

Availability of security policy documents on a public website

Lack of an information security governance framework

Report the noncompliance to the board of directors.

Prioritize the risk and implement treatment options.

Inform respective risk owners of the impact of exceptions.

Design mitigating controls for the exceptions.

Conduct vulnerability assessments on social network platforms

Develop security controls for the use of social networks

Assess the security risk associated with the use of social networks

Establish processes to publish content on social networks

Risk reduction associated with the system

Benchmarking results

Effectiveness of controls

Audit-logging capabilities

Critical audit findings

Number of reported security incidents

Compliance risk assessment

Industry comparison analysis

Require staff to sign confidentiality agreements.

Provide regular security awareness training.

Develop a RAO matrix for the organization.

Specify information security responsibilities in job descriptions.

Help desk response time to resolve incidents is improved.

The number of successful social engineering attacks is reduced.

The board is held accountable for risk management.

The number of reported security incidents steadily decreases.

Data classification results

Risk management framework

Risk assessment methodology

Penetration test results

senior management approval of the information security budgets.

improved efficiencies of security operations.

information security controls that reduce enterprise risk.

more effective security risk management processes.

Encryption

Retention

Report distribution

Tuning

Risk heat map

Recent audit results

Balanced scorecard

Gap analysis

Present an analysis of the cost and benefit of the changes

Elaborate on the positive impact to information security

Present industry benchmarking results to business units

Discuss the risk and impact of security incidents if not implemented

Determine new factors that could influence the information security strategy.

Implement the current information security program in the acquired company.

Merge the two information security programs to establish continuity.

Ensure information security s included in any change control efforts

prioritize risk management activities.

provide a basis for asset classification.

determine the value of each asset

eliminate the least significant assets.

remain unchanged to avoid variations across the organization

be updated to address emerging threats and vulnerabilities.

be changed for different subsets of the systems to minimize impact,

not deviate from industry best practice baselines.

Risk analysis specific to the organization

Research on trends in global information security breaches

Rating of the organization s security, based on international standards

Annual report of security incidents within the organization

Existence of an industry-accepted framework

Up-to-date policy and procedures documentation

A report on the maturity of controls

Results of an independent assessment

User awareness training

Email encryption

Strong user authentication protocols

Prohibition on the personal use of email

The security awareness programs

Firewall logs

The risk management processes

Post-incident analysis results

Recovery time objectives (RTOs)

Mission, goals and objectives

Incident response maturity assessment

Documentation from preparedness tests

Dedicated funding for incident management

Adequate incident response staffing

Monitored program metrics

Defined incident thresholds

Mature security policy

Information security roles and responsibilities

Organizational information security awareness

Organizational culture

assign accountability for transactions made with the user's ID.

maintain compliance with industry best practices.

serve as evidence of security awareness training.

maintain an accurate record of users access rights

Access is restricted to read-only.

USB storage devices are enabled based on user roles

Users accept the risk of noncompliance.

The benefit is greater than the potential risk

the experience level of personnel and the function location.

prior testing results and the degree of detail of the business continuity plan

the importance of the function to be tested and the cost of testing,

manual processing capabilities and the test location

key performance indicators (KPIs).

compliance with industry regulations.

timeliness m responding to attacks.

level of support from senior management.

To support business cases for information security investments

To support risk treatment decisions

To develop threat briefings for senior management

To implement a proactive approach for threat management

Escalate the emergency status rating.

Request additional financial recovery resources.

Notify the risk management team.

D Modify the RTO as needed

Key performance indicators (KPIs)

References to known industry standards

An established internal audit program

An adequately funded information security budget

Report violations to senior management.

Provide awareness training to end users.

Require management approval for policy exceptions.

Implement a mobile device management (MDM) solution.

Report the risk to relevant stakeholders.

Recommend compensating controls to mitigate the risk.

Provide a date of remediation to the cloud provider.

Discontinue engagement with the cloud provider.

Maintaining chain of custody

Notifying the relevant stakeholders

Identifying the relevant strain of malware

Determining the classification of stored data

Establish a storing committee with representation from across the organization.

Appoint a business manager as head of information security

Promote organization-wide information security awareness campaigns.

Develop the information security strategy based on the enterprise strategy

The intrusion detection system (IDS) generates potential alerts.

Mature escalation procedures are in place for incidents

Staff regularly report suspicious activity.

Incidents are contained before they cause damage

Providing ongoing training to the incident response team

Implementing proactive systems monitoring

Implementing a honeypot environment

Updating information security awareness materials

threats to the organization may change.

compliance with legal and regulatory standards should be reassessed.

control effectiveness may weaken.

controls should be regularly tested.

whether the level of risk exceeds risk appetite.

the criticality of the risk.

whether the level of risk exceeds inherent risk.

availability of financial resources.

Implement security assessments throughout the systems development life cycle.

Conduct regular security audits during system implementation stages.

Require penetration tests before production implementation.

Train and test system developers m secure coding practices.

Perform a vulnerability assessment of the acquired company s infrastructure.

Add the outstanding risk to the acquiring organization's risk registry

Re-assess the outstanding risk of the acquired company.

Re-evaluate the risk treatment plan for the outstanding risk.

IT architecture

Impact assessment

Risk assessment

Escalation procedures

Create a security exception

Perform a vulnerability assessment

Assess the risk to business operations

Perform a gap analysis to determine needed resources.

Business or rote-based segmentation

Log analysis of system access

Using security groups

Encryption of data traversing networks

Requirements for investigative evidence

Appropriate team members

Test plans for containment and recovery procedures

Guidelines for preserving digital evidence

The number of reported incidents has increased

Senior management has reported fewer junk emails

Regular IT balanced scorecards are communicated

The number of tickets associated with IT incidents have stayed consistent

Determine the level of access granted

Review the related service level agreement (SLA).

Revoke the access.

Declare a security incident.

Results of a vulnerability scan

Results of a security pokey review

Results of a security risk assessment

Results of a red team exercise

Perform a root cause analysis.

Conduct a lessons learned exercise.

Implement compensating controls.

Update the incident response plan.

executive management

chief information security officer (CISO).

steering committee.

board of directors.

Conduct a security audit on the cloud service providers.

Review the cloud service providers" controls reports.

Perform a cost-benefit analysis of using cloud services.

Perform a risk assessment of adopting cloud services.

Implement a dedicated firewall configured to block suspicious activity.

Obligate the vendor to report suspicious activity and database breaches.

Implement tog monitoring of the database environment for suspicious activity.

Review independent audit reports of the vendors data center environment.

Two-factor authentication

Periodic reaccredinations

Third-party certificates

Receipt acknowledgment

Statistical pattern recognition

Attack signatures

Heuristic analysis

Traffic analysis

The current threat levels are being assessed.

Technology risks must be mitigated.

The environment changes constantly.

Management requires regular reports.

Commence security training for staff at the organization.

Rebuild the email application

Arrange for an independent review.

Restrict the distribution of confidential emails.

To convey information about the incident to those affected by it

To prevent reputation damage to the organization

To prevent unannounced visits from the media during crisis

To fulfill regulatory requirements for incident response

Threat profile

Inherent risk

Residual risk

Vulnerability landscape

Create a stakeholder nap

Reference an industry standard.

Establish an information security governance committee

Download a policy template

provide information to remediate risk events.

demonstrate the alignment of risk management efforts.

map potential risk to key organizational strategic initiatives.

identify triggers that exceed risk thresholds

Cost-benefit analysis report

Business impact analysis (B1A) report

Risk assessment report

Vulnerability assessment report

threat perspective.

compliance perspective

risk perspective.

policy perspective.

desktop virus definition files are not up to date

system software does not undergo integrity checks.

hosts have static IP addresses.

executable code is run from inside the firewall

perform a cost-benefit analysis.

perform a risk assessment.

review firewall configuration.

review the security policy.

Conducting security training for the development staff

Integrating security requirements into the development process

Requiring a security assessment before implementation

Integrating a security audit throughout the development process

Red team testing results

Average incident closure time

Independent audit assessment

Tabletop exercise results

Detailed information security policies are established and regularly reviewed.

The information security manager meets regularly with the lines of business.

Key performance indicators (KPIs) are defined for the information security program.

Risk assessments are conducted frequently by the information security team.

perform a gap analysis of compliance requirements

assess the penalties for noncompliance.

review the organization s most recent audit report

determine the cost of compliance

Reporting of security metrics

Regular security awareness training

Endorsement by senior management

Implementation of security standards

Critical evidence may be lost.

The reputation of the organization may be damaged

A trapdoor may have been installed m the application.

Resources may not be available to support the implementation.

Requiring cross-functional information security training

Implementing user awareness campaigns for the entire company

Publishing an acceptable use policy

Establishing security policies based on industry standards

Indemnity clauses

Independent controls assessment

Incident response plans

Business continuity plans

ensure timely risk mitigation.

justify the information security budget

obtain senior management’s commitment.

provide a holistic view of risk

A recent penetration test has uncovered a control weakness.

A major business application has been upgraded.

Management has decided to implement an emerging technology.

A new chief technology officer has been hired

Post-incident review

Social engineering test

Vulnerability scan

Tabletop test

defining policies for new technologies.

enabling adoption of new Technologies.

requiring accreditation for new technologies.

managing risks of new technologies

has not been updated with the latest patches

is hosted by a cloud service provider

has performance issues

is not collecting logs from relevant devices.

Report The situation to the data owner.

Train the customer service team on properly controlling file permissions.

Isolate the server from the network.

Remove access privileges to the folder containing the data.

Key risk indicators (KRIs)

Capability maturity models

Key performance indicators (KPls)

Critical success factors (CSFs)

Segregation of responsibilities

Periodic data restoration

An intrusion detection system (IDS)

a warning banner

Develop an information security heat map.

Issue periodic reports to demonstrate compliance with security standards.

Publish the information security strategy across the organization.

Establish a balanced scorecard dashboard.

The owner of the affected business function is not available.

The time-related service levels for response are below risk threshold levels.

The impact of the incident exceeds the organization's risk tolerance.

The incident impacts a business-critical system.

Receiving senior management approval

Mapping each metric to a specific control

Understanding the business objectives

Mapping each metric to information security objectives

Identifying critical business processes

Identifying key business risks

Identifying risk mitigation options

Identifying the threat environment

Security operations team

Application owners

Data owners

Communications department

Engage a third-party review.

Review internal audit results.

Evaluate key performance indicators (KPls).

Perform a self-assessment.

Lessons learned

Snapshot of system logs

The incident response plan

Detailed metrics

Security management processes aligned with security objectives

The existing organizational security culture

Organizational security controls deployed in line with regulations

Security policies that adhere to industry best practices

Threat assessment

Vulnerability assessment

Business impact analysis (BIA)

Residual risk analysis

Ensure a security audit is performed of the service provider.

Ensure the service provider has the appropriate certifications.

Explain security issues associated with the solution to management.

Determine how to securely implement the solution.

Business continuity plan (BCP)

Business impact analysis (BIA)

Cost-benefit analysis

Feasibility assessment

Define the issues to be addressed.

Conduct a feasibility study.

Calculate the total cost of ownership (TCO).

Perform a cost-benefit analysis.

Demonstrate that implemented program controls are effective.

Demonstrate that the program enables business activities.

Demonstrate an increase in ransomware attacks targeting peer organizations.

Demonstrate the readiness of business continuity plans.

Update the incident response plan to address this situation.

Send periodic fake phishing emails to employees and track responses.

Conduct information security awareness training for employees.

Block personal shopping sites using proxy filtering.

assessed level of security risk at a particular point m time.

current and target security state for the business.

security program priorities to achieve an accepted risk level.

level of compliance with internal policy.

Recovery time objective (RTO)

Business impact analysis (BIA)

Recovery point objective (RPO)

Mean time to report (MTR)

Assess the risk associated with the cloud services.

Create an information security action plan.

Determine information security requirements for the cloud.

Develop key risk indicators (KRIs).

Key risk indicators (KRls)

A security balanced scorecard

Risk heat map

Management satisfaction surveys

Remove the recommendations.

Document the decision.

Perform a reassessment.

Implement the recommendations.

Roles and responsibilities matrix

Job descriptions

Skills inventory

RACl chart

Provide incident response training to data custodians.

Revise the incident response plan to align with business processes.

Conduct a risk assessment and share the results with senior management.

Provide incident response training to data owners.

The information security strategy

The information security policy

The organization's risk appetite

The organization's cost of noncompliance