Free CISM Exam Prep Practice Test

Attempt CISM practice test questions and test your skills. This free CISM exam prep material simulates the actual certification exam.

  • 200 Questions
  • 240 Minutes

Instructions:

1. This is a FREE test and can be attempted multiple times. However, it is recommended that you take the test when you are ready, for the best practice experience.

2. Test Duration: 240 Minutes

3. Number of questions: 200 Multiple Choice Questions

4. Each question has multiple options out of which one or more may be correct

5. You can pause the test in between and you are allowed to re-take the test later. Your test will resume from where you left off, but the test time will be reduced by the amount of time you've taken in the previous attempt.

1. As an IS Manager, you would like to lay down clearly defined roles and responsibilities. What is the BEST benefit that you expect?
2. Who would you look to enforce access rights to application data?
3. You need to get approval from senior management to implement a warm site. How can you BEST achieve this?
4. As an IS Manager you are developing IS Strategy for your organization. Which is the MOST important component of the strategy?
5. Which of the following is MOST important to understand when developing a meaningful information security strategy?
6. You are implementing IS policy within your organization. There is a sense of discomfort from within the organization about certain components of the policy. What is the BEST approach to counter this?
7. You have joined an organization recently as an IS Manager. You have requested a meeting with senior management to discuss the organization's network security. What would you present FIRST?
8. You are an IS Manager of an ecommerce portal. You have seen in the media about a new regulation that affects ecommerce transactions. What should you do FIRST?
9. Which of the following would help to change an organization's security culture?
10. The PRIMARY goal in developing an information security strategy is to:
11. The MOST important reason for aligning information security governance with corporate governance is to:
12. A systems approach to managing information security can be a benefit PRIMARILY because it is:
13. An information security manager must understand the relationship between information security and business operations in order to:
14. Which of the following requirements would have the lowest level of priority in information security?
15. The MOST complete business case for procuring and implementing security solutions is one that:
16. Laws and regulations should be addressed by the information security manager:
17. What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
18. An outcome of effective security governance is:
19. Which of the following is the PRIMARY reason to change policies during program development?
20. Information security projects should be prioritized on the basis of:
21. The MOST important component of a privacy policy is:
22. Which of the following is MOST likely to be discretionary?
23. What is the PRIMARY role of the information security manager in the process of information classification within an organization?
24. Information security policies should:
25. Which person or group should have final approval of an organization's information security policies?
26. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
27. When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?
28. Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
29. Which of the following should drive the risk analysis for an organization?
30. Which of the following are seldom changed in response to technological changes?
31. Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
32. Which of the following is the BEST approach to obtain senior management commitment to the information security program?
33. What will have the HIGHEST impact on standard information security governance models?
34. The data access requirements for an application should be determined by the:
35. Which of the following is a key area of the ISO 27001 framework?
36. The MOST important characteristic of good security policies is that they:
37. Which of the following is responsible for legal and regulatory liability?
38. Priority should be given to which of the following to ensure effective implementation of information security governance?
39. Security technologies should be selected PRIMARILY on the basis of their:
40. An organization that has decided to implement a formal information security program should FIRST:
41. Which of the following would be the BEST approach to securing approval for information security expenditures?
42. The FIRST step in developing a business case is to:
43. Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?
44. The MOST important requirement for gaining management commitment to the information security program is to:
45. While implementing information security governance an organization should FIRST:
46. The security responsibility of data custodians in an organization will include:
47. A regulatory authority has just introduced a new regulation pertaining to the release of quarterly financial results. The FIRST task that the security officer should perform is to:
48. Information security should be:
49. The MOST complete business case for security solutions is one that:
50. When personal information is transmitted across networks, there MUST be adequate controls over:
51. You are a recently appointed IS Manager. You now need to evaluate the data classification in the organization. Who would you talk to?
52. What would be the BEST outcome for any risk management process?
53. Which of the following is the MOST appropriate use of gap analysis?
54. As an IS Manager, which part of data classification would you consider MOST important?
55. You are an IS Manager discussing with the IT team of your organization, on implementation project plan of a new application to be rolled out. The IT team feels that as this is a technology based application, business managers or their team members need not be part of the project team. What should you do?
56. As an IS Manager, you are considering upgrading and implementing controls to establish layered protection for your organization. Which is the MOST important consideration?
57. What mechanisms are used to identify weakness or threats that can affect a business critical application?
58. As an IS Manager, how would you test the effectiveness of a control you implemented?
59. What from the following is NOT true of transfer of risk?
60. As an IS Manager, you are designing the networks for your organization. From a risk perspective, which of the following requires your close attention?
61. You have initiated a process to identify owners for information assets. Which of the following would you consider?
62. What is the purpose of vulnerability assessment?
63. Which of the following would help management determine the resources needed to mitigate a risk to the organization?
64. You are in a meeting with CEO and the board and discussing implementation of a key control. One of the main agenda points is the investment for the control. What technique would you adopt to get their support?
65. You have completed the risk assessment process of your organization and now are left with residual risks. However, the likelihood and impact of these risks are high. What is the BEST solution?
66. As an IS Manager you need to determine the criticality and sensitivity of information assets. What would you carry out?
67. What is the purpose of carrying out a Business impact analysis?
68. A business critical system has a requirement to have an account that cannot be automatically locked by the system. What would be the BEST countermeasure to prevent a hacker running a brute force attack on the account?
69. Which of the following would be of GREATEST importance to the security manager in determining whether to further mitigate residual risk?
70. A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
71. Security risk assessments are MOST cost-effective to a software development organization when they are performed:
72. What is the TYPICAL output of a risk assessment?
73. Tightly integrated IT systems are MOST likely to be affected by:
74. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:
75. Segregation of duties assists with:
76. Which of the following measures would be MOST effective against insider threats to confidential information?
77. An information security manager performing a security review determines that compliance with access control policies to the data center is inconsistent across employees. The FIRST step to address this issue should be to:
78. Which of the following steps in conducting a risk assessment should be performed FIRST?
79. An enterprise is transferring its IT operations to an offshore location. An information security manager should be PRIMARILY concerned about:
80. In controlling information leakage, management should FIRST establish:
81. There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
82. During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
83. Which one of the following factors of a risk assessment typically involves the GREATEST amount of speculation?
84. Which of the following is the MOST important reason to include an effective threat and vulnerability assessment in the change management process?
85. The goals of information security risk management inside an enterprise are BEST achieved if these risk management activities are:
86. Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
87. A permissive controls policy would be reflected in which one of the following implementations?
88. Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
89. Which of the following would be the BEST indicator of an asset's value to an organization?
90. In which phase of the development process should risk assessment be FIRST introduced?
91. Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
92. Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
93. A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?
94. Which of the following is the BEST quantitative indicator of an organization's current risk tolerance?
95. Which of the following is the MOST important element to consider when initiating asset classification?
96. Legal and regulatory requirements pertaining to information security should be addressed by the information security manager:
97. Which of the following authentication methods prevents authentication replay?
98. Which of the following groups would be in the BEST position to perform a risk analysis for a business?
99. The PRIMARY reason to consider information security during the first stage of a project life cycle is:
100. The PRIMARY objective when selecting controls and countermeasures is to:
101. Which of the following is the MOST important consideration when developing a service level agreement (SLA) to mitigate the risk that outsourcing will result in a loss to the business?
102. To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:
103. Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
104. Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?
105. Which of the following should be done FIRST when making a decision to allow access to the information processing facility (IPF) of an enterprise to a new external party?
106. Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:
107. An organization's information security manager is planning the structure of the Information Security Steering Committee. Which of the following groups should the manager invite?
108. Which of the following is the BEST indicator that security awareness training has been effective?
109. Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?
110. Which of the following would raise security awareness among an organization's employees?
111. Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?
112. Which of the following security controls addresses availability?
113. Which of the following is an advantage of a centralized information security organizational structure?
114. Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
115. The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
116. What is the MOST important reason for conducting security awareness programs throughout an organization?
117. A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
118. Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
119. Which of the following devices should be placed within a DMZ?
120. Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?
121. Which of the following will BEST protect against malicious activity by a former employee?
122. What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
123. The effectiveness of virus detection software is MOST dependent on which of the following?
124. Which of the following is the BEST way to erase confidential information stored on magnetic tapes?
125. The MOST effective technical approach to mitigate the risk of confidential information being disclosed in e-mail attachments is to implement:
126. At what point should a risk assessment of a new process occur to determine appropriate controls? It should occur:
127. What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
128. Which of the following is the BEST approach to dealing with inadequate funding of the security program?
129. An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?
130. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is:
131. An enterprise requires the use of Windows XP Service Pack 3 version on all desktops and Windows 2003 Service Pack 1 version on all servers. This is an example of a:
132. The data backup policy will contain which of the following?
133. Which of the following would be the BEST defense against sniffing?
134. Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
135. When considering outsourcing services, at what point should information security become involved in the vendor management process?
136. Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
137. Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
138. Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
139. An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:
140. What is the GREATEST risk when there is an excessive number of firewall rules?
141. Which item would be the BEST to include in the information security awareness training program for new general staff employees?
142. Which of the following is MOST effective in protecting against the attack technique known as phishing?
143. To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
144. When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set:
145. The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:
146. Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?
147. Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
148. The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
149. Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?
150. Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
151. When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
152. Which of the following application systems should have the shortest recovery time objective (RTO)?
153. Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?
154. The BEST time to determine who should be responsible for declaring a disaster is:
155. Proximity factors must be considered when:
156. Which of the following recovery strategies has the GREATEST chance of failure?
157. An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:
158. Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot
159. Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?
160. Three employees reported the theft or loss of their laptops while on business trips. The FIRST course of action for the security manager is to:
161. Which of the following actions should take place immediately after a security breach is reported to an information security manager?
162. At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility?
163. What is the FIRST action an information security manager should take when a company laptop is reported stolen?
164. Which of the following is the MOST effective method to ensure that a business continuity plan (BCP) meets an organization's needs?
165. An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:
166. Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?
167. When a significant security breach occurs, what should be reported FIRST to senior management?
168. Establishing severity criteria should be based PRIMARILY on:
169. An intrusion detection system (IDS) should:
170. During the recovery process following a natural disaster, a server that hosts an important new customer-facing web service was among the last systems restored, resulting in significant lost sales. Which of the following is the BEST approach to prevent this from happening again?
171. When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?
172. The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:
173. When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?
174. Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?
175. The typical requirement for security incidents to be resolved quickly and service restored is:
176. Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?
177. Which of the following is the MOST important to ensure a successful recovery?
178. Which of the following is the MOST important aspect of forensic investigations that will potentially involve legal action?
179. In a large organization, effective management of security incidents will be MOST dependent on:
180. Which of the following is MOST closely associated with a business continuity program?
181. A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?
182. Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?
183. A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:
184. Which of the following should be the PRIMARY basis for making a decision to establish an alternate site for disaster recovery?
185. Why is 'slack space' of value to an information security manager as part of an incident investigation?
186. Which of the following MOST effectively reduces false-positive alerts generated by a security information and event management (SIEM) process?
187. Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
188. When performing a business impact analysis (BIA), which of the following would be the MOST appropriate to calculate the recovery time and cost estimates?
189. The BEST approach in managing a security incident involving a successful penetration should be to:
190. The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
191. Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
192. A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?
193. The business continuity policy should contain which of the following?
194. Observations made by staff during a disaster recovery test are PRIMARILY reviewed to:
195. When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?
196. Which of the following should be determined FIRST when establishing a business continuity program?
197. The factor that is MOST likely to result in identification of security incidents is:
198. A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
199. A password hacking tool was used to capture detailed bank account information and personal identification numbers (PINs). Upon confirming the incident, the NEXT step is to:
200. Which of the following is the MOST significant risk of using reciprocal agreements for disaster recovery?