CISM practice questions to prep for the exam


Risk management is at the core of being a security manager. Practice your risk management knowledge with these CISM practice questions.

Defining risk management is easy — it’s the process of identifying, assessing and controlling threats. Putting a risk management strategy into practice, however, is another story.

To be successful in security management, it’s critical to understand not only what risk management is, but also how to create and implement a plan that will help your organization counter risks and prepare to expect the unexpected.

ISACA’s Certified Information Security Manager (CISM) certification was created to help security pros validate they have what it takes to handle risk management.

“The certification is really a demonstration that you have the knowledge and experience already and that you’re serious about career growth in the field and want to go further with it,” said Peter Gregory, author of CISM: Certified Information Security Manager Practice Exams, published by McGraw-Hill.

Ready to go for your CISM to become a security or risk manager? Gregory readily admits it’s a difficult exam — even for a security pro. But, with some hard work and a lot of studying, test-takers can master the topics and prove their skills.

The following excerpt from Gregory’s book offers CISM practice exam questions from Chapter 3, “Information Risk Management.” This area constitutes 30% of the CISM exam, with questions on developing a risk management strategy, integrating risk management into an organization’s practices and culture, and monitoring and reporting risk.

Before taking the exam, test your CISM knowledge here. Download an excerpt of the book for even more questions.

QUIZ

QUESTION 1 | CISM practice questions

What should be the primary objective of a risk management strategy?

  • Determine the organization’s risk appetite.
  • Identify credible risks and transfer them to an external party.
  • Identify credible risks and reduce them to an acceptable level.
  • Eliminate credible risks.

CORRECT ANSWER: Identify credible risks and reduce them to an acceptable level.

The primary objective of a risk management strategy is the identification of risks, followed by the reduction of those risks to levels acceptable to executive management.

“Determine the organization’s risk appetite” is incorrect because the determination of risk appetite, while important — and essential to the proper functioning of a risk management program — is not the main purpose of a risk management strategy. “Identify credible risks and transfer them to an external party” is incorrect because transferring risks to external parties is but one of several possible outcomes for risks that are identified. “Eliminate credible risks” is incorrect because risks cannot be eliminated, only reduced to acceptable levels.

——————————————————————————————————————

QUESTION 2 | CISM practice questions

Marie, a CISO at a manufacturing company, is building a new cyber-risk governance process. For this process to be successful, what is the best first step for Marie to take?

  • Develop a RACI matrix that defines executive roles and responsibilities.
  • Charter a security steering committee consisting of IT and cybersecurity leaders.
  • Develop a risk management process similar to what is found in ISO/IEC 27001.
  • Charter a security steering committee consisting of IT, security, and business leaders.

CORRECT ANSWER: Charter a security steering committee consisting of IT, security, and business leaders.

The best course of action is the formation of a chartered information security steering committee that consists of IT and security leaders, as well as business leaders. For security governance to succeed, business leaders need to be involved and participate in discussions and decisions.

“Develop a RACI matrix that defines executive roles and responsibilities” is incorrect because a RACI matrix, while important, is but a small part of a chartered information security steering committee. “Charter a security steering committee consisting of IT and cybersecurity leaders” is incorrect because a security steering committee must include business leaders. “Develop a risk management process similar to what is found in ISO/IEC 27001” is incorrect because this question is about security governance, which is more than just a risk management process.

——————————————————————————————————————

QUESTION 3 | CISM practice questions

What steps must be completed prior to the start of a risk assessment in an organization?

  • Determine the qualifications of the firm that will perform the audit.
  • Determine scope, purpose, and criteria for the audit.
  • Determine the qualifications of the person(s) who will perform the audit.
  • Determine scope, applicability, and purpose for the audit.

CORRECT ANSWER: Determine scope, purpose, and criteria for the audit.

According to ISO/IEC 27005 and other risk management frameworks, it is first necessary to establish the context of an audit. This means making a determination of the scope of the audit — which parts of the organization are to be included. Also, it is necessary to determine the purpose of the risk assessment; for example, determining control coverage, control effectiveness, or business process effectiveness. Finally, the criteria for the audit need to be determined.

“Determine the qualifications of the firm that will perform the audit” and “determine the qualifications of the person(s) who will perform the audit” are incorrect because any confirmation of qualifications would be determined prior to this point. “Determine scope, applicability, and purpose for the audit” is incorrect because an audit that was not applicable should not be performed.

——————————————————————————————————————

QUESTION 4 | CISM practice questions

A risk manager recently completed a risk assessment in an organization. Executive management asked the risk manager to remove one of the findings from the final report. This removal is an example of what?

  • Gerrymandering
  • Internal politics
  • Risk avoidance
  • Risk acceptance

CORRECT ANSWER: Risk acceptance

Although this is a questionable approach, removal of a risk finding in a report is, implicitly, risk acceptance. It could, however, be even worse than that, and in some industries, this could be considered negligent and a failure of due care. A risk manager should normally object to such an action and may consider documenting the matter or even filing a formal protest.

“Gerrymandering” is incorrect because the term “gerrymandering” is related to the formation of electoral districts in government. “Internal politics” is incorrect because, although the situation may be an example of internal politics, this is not the best answer. “Risk avoidance” is incorrect because risk avoidance is defined as a discontinuation of the activity related to the risk.

——————————————————————————————————————

QUESTION 5 | CISM practice questions

A new CISO in a financial service organization is working to get asset inventory processes under control. The organization uses on-premises and IaaS-based virtualization services. What approach will most effectively identify all assets in use?

  • Perform discovery scans on all networks.
  • Obtain a list of all assets from the patch management platform.
  • Obtain a list of all assets from the security information and event management (SIEM) system.
  • Count all of the servers in each data center.

CORRECT ANSWER: Perform discovery scans on all networks.

Although none of these approaches is ideal, performing discovery scans on all networks is the best first step. Even so, it will be necessary to consult with network engineers to ensure that discovery scans cover all known networks in both the on-premises and IaaS environments. Other helpful steps include interviewing system engineers to understand the virtual machine management systems in use and obtaining inventory information from them.

“Obtain a list of all assets from the patch management platform” is incorrect because patch management systems may not be covering all assets in the organization’s environment. “Obtain a list of all assets from the security information and event management (SIEM) system” is incorrect because the SIEM may not be receiving log data from all assets in the organization’s environment. “Count all of the servers in each data center” is incorrect because the organization is using virtualization technology, as well as IaaS-based platforms; counting servers in an on-premises data center will fail to discover virtual assets and IaaS-based assets.

——————————————————————————————————————

QUESTION 6 | CISM practice questions

An internal audit examination of the employee termination process determined that in 20 percent of employee terminations, one or more terminated employee user accounts were not locked or removed. The internal audit department also found that routine monthly user access reviews identified 100 percent of missed account closures, resulting in those user accounts being closed no more than 60 days after users were terminated. What corrective actions, if any, are warranted?

  • Increase user access review process frequency to twice per week.
  • Increase user access review process frequency to weekly.
  • No action is necessary since the monthly user access review process is effective.
  • Improve the user termination process to reduce the number of missed account closures.

CORRECT ANSWER: Improve the user termination process to reduce the number of missed account closures.

The rate at which user terminations are not performed properly is too high. Increasing the frequency of user access reviews will likely take too much time. The best remedy is to find ways of improving the user termination process. Since the “miss” rate is 20 percent, it is assumed that all processes are manual.

“Increase user access review process frequency to twice per week” and “increase user access review process frequency to weekly” are incorrect because the user access review process likely takes too much effort. Since the “miss” rate is 20 percent, it is assumed that all processes are manual. “No action is necessary since the monthly user access review process is effective” is incorrect, since a “miss” rate of 20 percent would be considered too high in most organizations. An acceptable rate would be under 2 percent.


QUESTION 7 | CISM practice questions

What is typically the greatest challenge when implementing a data classification program?

  • Difficulty with industry regulators
  • Understanding the types of data in use
  • Training end users on data handling procedures
  • Implementing and tuning DLP agents on servers and endpoints

CORRECT ANSWER: Training end users on data handling procedures

The most difficult challenge associated with implementing a data classification program is ensuring that workers understand and are willing to comply with data handling procedures. By comparison, automation is simpler primarily because it is deterministic.

“Difficulty with industry regulators” is incorrect because regulators are not typically as concerned with data classification as they are with the protection of relevant information. “Understanding the types of data in use” is incorrect because, although it can be a challenge understanding the data in use in an organization, user compliance is typically the biggest challenge. “Implementing and tuning DLP agents on servers and endpoints” is incorrect because implementing and tuning agents are not usually as challenging as end-user behavior training.


QUESTION 8 | CISM practice questions

Randi, a security architect, is seeking ways to improve defense in depth against ransomware. Randi’s organization employs advanced antimalware on all endpoints and antivirus software on its e-mail servers. Endpoints also have an IPS capability that functions while endpoints are onsite or remote. What other solution should Randi consider to improve defenses against ransomware?

  • Data replication
  • Spam and phishing e-mail filtering
  • File integrity monitoring
  • Firewalls

CORRECT ANSWER: Spam and phishing e-mail filtering

The next solution that should be considered is one that blocks incoming spam and phishing e-mail messages before they reach end users. Because several other good controls are already in place, this adds another layer to the organization’s defense in depth against ransomware.

“Data replication” is incorrect because data replication is not an adequate defense against ransomware: files encrypted by ransomware are likely to be replicated onto backup file stores as well. Instead, offline backup such as magnetic tape or e-vaulting should be used. “File integrity monitoring” is incorrect because file integrity monitoring (FIM) is generally not chosen as a defense against ransomware. “Firewalls” is incorrect because firewalls are not an effective defense against ransomware, unless they also have an IPS component that can detect and block command-and-control traffic.

——————————————————————————————————————

QUESTION 9 | CISM practice questions

A SaaS provider performs penetration tests on its services once per year, and many findings are identified each time. The organization’s CISO wants to make changes so that penetration test results will improve. The CISO should recommend all of the following changes except which one?

  • Add a security review of all proposed software changes into the SDLC.
  • Introduce safe coding training for all software developers.
  • Increase the frequency of penetration tests from annually to quarterly.
  • Add the inclusion of security and privacy requirements into the SDLC.

CORRECT ANSWER: Increase the frequency of penetration tests from annually to quarterly.

Increasing the frequency of penetration tests is not likely to get to the root cause of the problem, which is the creation of too many security-related software defects.

“Add a security review of all proposed software changes into the SDLC” is incorrect because the addition of a security review for proposed changes is likely to reveal issues that can be corrected prior to development. “Introduce safe coding training for all software developers” is incorrect because safe coding training can help developers better understand coding practices that will result in fewer security defects. “Add the inclusion of security and privacy requirements into the SDLC” is incorrect because the addition of security and privacy requirements will help better define the nature of new and changed features.

QUESTION 10 | CISM practice questions

An end user in an organization opened an attachment in an e-mail, which resulted in ransomware running on the end user’s workstation. This is an example of what?

  • Incident
  • Vulnerability
  • Threat
  • Insider threat

CORRECT ANSWER: Incident

Ransomware executing on an end user’s workstation is considered an incident. It may have been allowed to execute because of one or more vulnerabilities.

“Vulnerability” is incorrect because a vulnerability is a configuration setting or a software defect that can, if exploited, result in an incident. “Threat” is incorrect because ransomware, by itself, is considered a threat, but ransomware executing on a system is considered an incident. “Insider threat” is incorrect because this is not considered an insider threat. However, users having poor judgment (which may include clicking on phishing messages) is considered an insider threat.

QUESTION 11 | CISM practice questions

What is the correct sequence of events when onboarding a third-party service provider?

  • Contract negotiation, examine services, identify risks, risk treatment
  • Examine services, identify risks, risk treatment, contract negotiation
  • Examine services, contract negotiation, identify risks, risk treatment
  • Examine services, identify risks, risk treatment

CORRECT ANSWER: Examine services, identify risks, risk treatment, contract negotiation

The best sequence here is to examine the services offered by the third party, identify the risks associated with doing business with the third party, make decisions about what to do about those risks, and then enter into contract negotiations.

“Contract negotiation, examine services, identify risks, risk treatment” and “Examine services, contract negotiation, identify risks, risk treatment” are incorrect because contract negotiation should not take place prior to identifying risks that may need to be addressed in a contract. “Examine services, identify risks, risk treatment” is incorrect because contract negotiation is not included.

——————————————————————————————————————

QUESTION 12 | CISM practice questions

The advantages of automatic controls over manual controls include all of the following except which one?

  • Automatic controls are generally more reliable than manual controls.
  • Automatic controls are less expensive than manual controls.
  • Automatic controls are generally more consistent than manual controls.
  • Automatic controls generally perform better in audits than manual controls.

CORRECT ANSWER: Automatic controls are less expensive than manual controls.

Automatic controls are not necessarily less expensive than manual controls; in some cases, they may be considerably more expensive than manual controls.

“Automatic controls are generally more reliable than manual controls” is incorrect because automated controls are typically more reliable and accurate than manual controls. “Automatic controls are generally more consistent than manual controls” is incorrect because automated controls are typically more consistent than manual controls. “Automatic controls generally perform better in audits than manual controls” is incorrect because automated controls generally perform better in audits.

QUESTION 13 | CISM practice questions

Which of the following statements about PCI-DSS compliance is true?

  • Only organizations that store, transfer, or process more than 6 million credit card numbers are required to undergo an annual PCI audit.
  • Service providers are not required to submit an attestation of compliance (AOC) annually.
  • Merchants that process fewer than 15,000 credit card transactions are not required to submit an attestation of compliance (AOC).
  • All organizations that store, transfer, or process credit card data are required to submit an attestation of compliance (AOC) annually.

CORRECT ANSWER: All organizations that store, transfer, or process credit card data are required to submit an attestation of compliance (AOC) annually.

All organizations that store, process, or transmit credit card data are required to submit an attestation of compliance (AOC) annually to their acquiring bank, processing bank, or card brand.

“Only organizations that store, transfer, or process more than 6 million credit card numbers are required to undergo an annual PCI audit” is incorrect because some organizations that process fewer credit card numbers are also required to undergo annual PCI audits — for example, organizations that have suffered a breach may be required to undergo audits. “Service providers are not required to submit an attestation of compliance (AOC) annually” is incorrect because service providers are required to submit attestations of compliance (AOC) annually. “Merchants that process fewer than 15,000 credit card transactions are not required to submit an attestation of compliance (AOC)” is incorrect because all merchants are required to submit attestations of compliance (AOC).

QUESTION 14 | CISM practice questions

An organization recently suffered a significant security incident. The organization was surprised by the incident and believed that this kind of an event would not occur. To avoid a similar event in the future, what should the organization do next?

  • Commission an enterprise-wide risk assessment.
  • Commission a controls maturity assessment.
  • Commission an internal and external penetration test.
  • Commission a controls gap assessment.

CORRECT ANSWER: Commission an enterprise-wide risk assessment.

An enterprise-wide risk assessment is the best option here so that risks of all kinds can be identified and remedies suggested for mitigating them.

“Commission a controls maturity assessment” is incorrect because it’s possible that there are missing controls; a controls maturity assessment takes too narrow a view here and focuses only on existing controls when the problem might be controls that are nonexistent. “Commission an internal and external penetration test” is incorrect because the nature of the incident is unknown and may not be related to technical vulnerabilities that a penetration test would reveal (for example, it may have been phishing or fraud). “Commission a controls gap assessment” is incorrect because a controls gap assessment takes too narrow a view here and focuses only on existing controls when the problem might be controls that are nonexistent.

QUESTION 15 | CISM practice questions

Security analysts in the SOC have noticed that the organization’s firewall is being scanned by a port scanner in a hostile country. Security analysts have notified the security manager. How should the security manager respond to this matter?

  • Declare a high-severity security event.
  • Declare a low-severity security event.
  • Take no action.
  • Direct the SOC to blackhole the scan’s originating IP address.

CORRECT ANSWER: Direct the SOC to blackhole the scan’s originating IP address.

The best course of action is to blackhole the IP address from which the port scan originates. Even this may not be strictly necessary, because a port scan is not, by itself, a serious matter. However, it may represent reconnaissance by an intruder that is targeting the organization.

“Declare a high-severity security event” is incorrect because a port scan is not a high-severity security matter. “Declare a low-severity security event” is incorrect because this is not the best answer; however, some organizations might consider a port scan a low-level security incident and respond in some way, such as blackholing the IP address. “Take no action” is incorrect because taking no action at all is not the best course of action.
