Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CISMFree trial

By isaca

Verified

25Q per page

Question 51

An organization's information security team presented the risk register at a recent information security steering committee meeting. Which of the following should be of MOST concern to the committee?

A: No owners were identified for some risks.
B: Business applications had the highest number of risks.
C: Risk mitigation action plans had no timelines.
D: Risk mitigation action plan milestones were delayed.

—

Question 52

Which of the following BEST enables an organization to determine what activities and changes have occurred on a system during a cybersecurity incident?

A: Penetration testing
B: Root cause analysis
C: Continuous log monitoring
D: Computer forensics

—

Question 53

Which of the following should the information security manager do FIRST upon learning that a business department wants to use blockchain technology for a new payment process?

A: Include the new requirements in the system development life cycle (SDLC) pipeline.
B: Update the business case to include security budget and resource needs for the new process.
C: Perform a risk assessment to identify emerging risks.
D: Benchmark blockchain solutions to determine which one is most secure.

—

Question 54

Which of the following BEST facilitates the development of information security procedures that effectively support the information security policy?

A: Aligning procedures with industry best practices
B: Classifying the information assets to be protected
C: Considering the impact of systemic risk events
D: Conducting an external benchmarking exercise

—

Question 55

Which of the following would provide the BEST input to a business case for a technical solution to address potential system vulnerabilities?

A: Business impact analysis (BIA)
B: Vulnerability scan results
C: Risk assessment
D: Penetration test results

—

Question 56

Which of the following is MOST helpful for determining priorities when creating a long-term information security roadmap?

A: The organization's information security framework
B: Information security steering committee input
C: Enterprise architecture (EA)
D: Industry best practices

—

Question 57

A KEY consideration in the use of quantitative risk analysis is that it:

A: applies commonly used labels to information assets.
B: assigns numeric values to exposures of information assets.
C: is based on criticality analysis of information assets.
D: aligns with best practice for risk analysis of information assets.

—

Question 58

Which of the following is MOST important when selecting an information security metric?

A: Ensuring the metric is repeatable
B: Aligning the metric to the IT strategy
C: Defining the metric in qualitative terms
D: Defining the metric in quantitative terms

—

Question 59

A situation where an organization has unpatched IT systems in violation of the patching policy should be treated as:

A: an increased threat profile.
B: a vulnerability management failure.
C: an increased risk profile.
D: a security control failure.

—

Question 60

How does data discovery assist with data classification?

A: It provides assurance of data integrity.
B: It shows where specific data is stored.
C: It automatically classifies data by keywords.
D: It helps to identify the data owner.

—

Question 61

Which of the following is the MOST effective control to prevent proliferation of shadow IT?

A: Implement a software allow list.
B: Conduct periodic vulnerability scanning.
C: Install a solution to detect unlicensed software.
D: Conduct software audits.

—

Question 62

Which of the following is the MOST important driver when developing an effective information security strategy?

A: Benchmarking reports
B: Information security standards
C: Business requirements
D: Security audit reports

—

Question 63

Which of the following is MOST important for the improvement of a business continuity plan (BCP)?

A: Implementing an IT resilience solution
B: Implementing management reviews
C: Documenting critical business processes
D: Incorporating lessons learned

—

Question 64

Which of the following is MOST important to consider when choosing a shared alternate location for computing facilities?

A: Incident response team training
B: The organization's risk tolerance
C: The organization's mission
D: Resource availability

—

Question 65

A financial institution has identified a high risk of fraud within its credit department. Which of the following information security controls will BEST reduce the risk of fraud?

A: Mandatory time off
B: Segregation of duties
C: Acceptable use policy
D: Periodic risk assessments

—

Question 66

An employee clicked on a malicious link in an email that resulted in compromising company data. What is the BEST way to mitigate this risk in the future?

A: Assess and update spam filtering rules.
B: Establish an acceptable use policy.
C: Implement disciplinary procedures.
D: Conduct phishing awareness training.

—

Question 67

The business value of an information asset is derived from:

A: its replacement cost.
B: its criticality.
C: the threat profile.
D: the risk assessment.

—

Question 68

Which of the following is the BEST indicator of the maturity level of a vendor risk management process?

A: Number of vendors rejected because of security review results
B: Percentage of vendors that are regularly reviewed against defined criteria
C: Percentage of vendors that have gone through the vendor on boarding process
D: Average time required to complete the vendor risk management process

—

Question 69

Which of the following is the BEST way for an information security manager to justify ongoing annual maintenance fees associated with an intrusion prevention system (IPS)?

A: Establish and present appropriate metrics that track performance.
B: Perform industry research annually and document the overall ranking of the IPS.
C: Perform a penetration test to demonstrate the ability to protect.
D: Provide yearly competitive pricing to illustrate the value of the IPS.

—

Question 70

An international organization with remote branches is implementing a corporate security policy for managing personally identifiable information (PII). Which of the following should be the information security manager's MAIN concern?

A: Data backup strategy
B: Organizational reporting structure
C: Local regulations
D: Consistency in awareness programs

—

Question 71

Which of the following is the BEST reason for senior management to support a business case for developing a monitoring system for a critical application?

A: The system can be replicated for additional use cases.
B: An industry peer experienced a recent breach with a similar application.
C: The cost of implementing the system is less than the impact of downtime.
D: The solution is within the organization's risk tolerance.

—

Question 72

Which of the following is MOST important when developing an information security governance framework?

A: Ensuring alignment with the organization's risk management framework
B: Integrating security within the system development life cycle (SDLC) process
C: Developing policies and procedures to support the framework
D: Developing security incident response measures

—

Question 73

What should be an information security manager's GREATEST concern when an HR department outsources data processing to a cloud service provider?

A: Security posture of the provider
B: Data loss protection insurance
C: Required provider service levels
D: The scope of the data

—

Question 74

Which of the following BEST enables the capability of an organization to sustain the delivery of products and services within acceptable time frames and at predefined capacity during a disruption?

A: Business continuity plan (BCP)
B: Disaster recovery plan (DRP)
C: Business impact analysis (BIA)
D: Service level agreement (SLA)

—

Question 75

Which of the following BEST determines an information asset's classification?

A: Criticality to a business process
B: Value of the information asset in the marketplace
C: Risk assessment from the data owner
D: Cost of producing the information asset

—

Page 3 of 50 • Questions 51-75 of 1249

←

1 2 3 4 5

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!