Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?
D
Explanation:
A vulnerability assessment process is a systematic and proactive approach to identify, analyze and
prioritize the vulnerabilities in an information system. It helps to reduce the exposure of the system
to potential threats and improve the security posture of the organization. By implementing a
vulnerability assessment process, the organization can facilitate proactive risk management, which is
the PRIMARY benefit of this process. Proactive risk management is the process of identifying,
assessing and mitigating risks before they become incidents or cause significant impact to the
organization. Proactive risk management enables the organization to align its security strategy with
its business objectives, optimize its security resources and investments, and enhance its resilience
and compliance.
A. Threat management is enhanced. This is a secondary benefit of implementing a vulnerability
assessment process. Threat management is the process of identifying, analyzing and responding to
the threats that may exploit the vulnerabilities in an information system. Threat management is
enhanced by implementing a vulnerability assessment process, as it helps to reduce the attack
surface and prioritize the most critical threats. However, threat management is not the PRIMARY
benefit of implementing a vulnerability assessment process, as it is a reactive rather than proactive
approach to risk management.
B. Compliance status is improved. This is a secondary benefit of implementing a vulnerability
assessment process. Compliance status is the degree to which an organization adheres to the
applicable laws, regulations, standards and policies that govern its information security. Compliance
status is improved by implementing a vulnerability assessment process, as it helps to demonstrate
the organization’s commitment to security best practices and meet the expectations of the
stakeholders and regulators. However, compliance status is not the PRIMARY benefit of
implementing a vulnerability assessment process, as it is a result rather than a driver of risk
management.
C. Security metrics are enhanced. This is a secondary benefit of implementing a vulnerability
assessment process. Security metrics are the quantitative and qualitative measures that indicate the
effectiveness and efficiency of the information security processes and controls. Security metrics are
enhanced by implementing a vulnerability assessment process, as it helps to provide objective and
reliable data for security monitoring and reporting. However, security metrics are not the PRIMARY
benefit of implementing a vulnerability assessment process, as they are a means rather than an end
of risk management.
Reference =
1: CISM Review Manual 15th Edition, pages 1-30
2: CISM Exam Content Outline
3: Risk Assessment for Technical Vulnerabilities
4: A Step-By-Step Guide to Vulnerability Assessment
When properly implemented, secure transmission protocols protect transactions:
A
Explanation:
Secure transmission protocols are network protocols that ensure the integrity and security of data
transmitted across network connections. The specific network security protocol used depends on the
type of protected data and network connection. Each protocol defines the techniques and
procedures required to protect the network data from unauthorized or malicious attempts to read or
exfiltrate information [1]. One of the most common threats to network data is eavesdropping, which is
the interception and analysis of network traffic by an unauthorized third party. Eavesdropping can
compromise the confidentiality, integrity, and availability of network data, and can lead to data
breaches, identity theft, fraud, espionage, and sabotage [2]. Therefore, secure transmission protocols
protect transactions from eavesdropping by using encryption, authentication, and integrity
mechanisms to prevent unauthorized access and modification of network data. Encryption is the
process of transforming data into an unreadable format using a secret key, so that only authorized
parties can decrypt and access the data. Authentication is the process of verifying the identity and
legitimacy of the parties involved in a network communication, using methods such as passwords,
certificates, tokens, or biometrics. Integrity is the process of ensuring that the data has not been
altered or corrupted during transmission, using methods such as checksums, hashes, or digital
signatures [3]. Some examples of secure transmission protocols are:
Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which are widely used protocols for
securing web, email, and other application layer communications over the Internet. SSL and TLS use
symmetric encryption, asymmetric encryption, and digital certificates to establish secure sessions
between clients and servers, and to encrypt and authenticate the data exchanged.
Internet Protocol Security (IPsec), which is a protocol and algorithm suite that secures data
transferred over public networks like the Internet. IPsec operates at the network layer and provides
end-to-end security for IP packets. IPsec uses two main protocols: Authentication Header (AH), which
provides data integrity and authentication, and Encapsulating Security Payload (ESP), which provides
data confidentiality, integrity, and authentication. IPsec also uses two modes: transport mode, which
protects the payload of IP packets, and tunnel mode, which protects the entire IP packet.
Secure Shell (SSH), which is a protocol that allows secure remote login and command execution over
insecure networks. SSH uses encryption, authentication, and integrity to protect the data transmitted
between a client and a server. SSH also supports port forwarding, which allows secure tunneling of
other network services through SSH connections.
Reference =
1: 6 Network Security Protocols You Should Know | Cato Networks
2: Eavesdropping Attacks - an overview | ScienceDirect Topics
3: Network Security Protocols - an overview | ScienceDirect Topics
SSL/TLS (Secure Sockets Layer/Transport Layer Security) - Definition
IPsec - Wikipedia
Secure Shell - Wikipedia
Which of the following is MOST important to have in place as a basis for developing an effective
information security program that supports the organization's business goals?
D
Explanation:
An information security strategy is the most important element to have in place as a basis for
developing an effective information security program that supports the organization’s business
goals. An information security strategy is a high-level plan that defines the vision, mission,
objectives, scope, and principles of information security for the organization [1]. It also aligns the
information security program with the organization’s strategy, culture, risk appetite, and governance
framework [2]. An information security strategy provides the direction, guidance, and justification for
the information security program, and ensures that the program is consistent, coherent, and
comprehensive [3]. An information security strategy also helps to prioritize the information security
initiatives, allocate the resources, and measure the performance and value of the information
security program [4].
The other options are not as important as an information security strategy, because they are either
derived from or dependent on the strategy. Metrics are used to drive the information security
program, but they need to be based on the strategy and aligned with the goals and objectives of the
program. Information security policies are the rules and standards that implement the information
security strategy and define the expected behavior and responsibilities of the stakeholders. A defined
security organizational structure is the way the information security roles and functions are organized
and coordinated within the organization, and it should reflect the strategy and the governance
model.
Reference =
1: CISM Review Manual 15th Edition, Chapter 1, Section 1.1
2: CISM Review Manual 15th Edition, Chapter 1, Section 1.2
3: CISM Review Manual 15th Edition, Chapter 1, Section 1.3
4: CISM Review Manual 15th Edition, Chapter 1, Section 1.4
CISM Review Manual 15th Edition, Chapter 1, Section 1.5
CISM Review Manual 15th Edition, Chapter 1, Section 1.6
CISM Review Manual 15th Edition, Chapter 1, Section 1.7
Which of the following is the MOST important consideration when establishing an organization's
information security governance committee?
D
Explanation:
The most important consideration when establishing an organization’s information security
governance committee is to ensure that members represent functions across the organization. This is
because the information security governance committee is responsible for setting the direction,
scope, and objectives of the information security program, and for ensuring that the program aligns
with the organization’s business goals and strategies. By having members from different functions,
such as finance, human resources, operations, legal, and IT, the committee can ensure that the
information security program considers the needs, expectations, and perspectives of various
stakeholders, and that the program supports the organization’s mission, vision, and values. Having a
diverse and representative committee also helps to foster a culture of security awareness and
accountability throughout the organization, and to promote collaboration and communication
among different functions.
Members having knowledge of information security controls, members being business risk owners,
and members being rotated periodically are all desirable characteristics of an information security
governance committee, but they are not the most important consideration. Members having
knowledge of information security controls can help the committee to understand the technical
aspects of information security and to evaluate the effectiveness and efficiency of the information
security program. However, having technical knowledge is not sufficient to ensure that the
information security program is aligned with the organization’s business goals and strategies, and
that the program considers the needs and expectations of various stakeholders. Members being
business risk owners can help the committee to identify and prioritize the information security risks
that affect the organization’s business objectives, and to allocate appropriate resources and
responsibilities for managing those risks. However, being a business risk owner does not necessarily
imply that the member has a comprehensive and balanced view of the organization’s information
security needs and expectations, and that the member can represent the interests and perspectives
of various functions. Members being rotated periodically can help the committee to maintain its
independence and objectivity, and to avoid conflicts of interest or complacency. However, rotating
members too frequently can also reduce the continuity and consistency of the information security
program, and can affect the committee’s ability to monitor and evaluate the performance and
progress of the information security program.
Reference =
ISACA, CISM Review Manual, 16th Edition, 2020, pages 36-37.
ISACA, CISM Review Questions, Answers & Explanations Database, 12th Edition, 2020, question ID
1014.
An information security manager learns that a risk owner has approved exceptions to replace key
controls with weaker compensating controls to improve process efficiency. Which of the following
should be the GREATEST concern?
A
Explanation:
Replacing key controls with weaker compensating controls may introduce new vulnerabilities or
increase the likelihood or impact of existing threats, thus raising the risk levels beyond the
acceptable limits defined by the risk appetite and tolerance of the organization. This may expose the
organization to unacceptable losses or damages, such as financial, reputational, legal, or operational.
Therefore, the information security manager should be most concerned about the potential
elevation of risk levels and ensure that the risk owner is aware of the consequences and accountable
for the decision.
Reference = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section:
Risk Treatment, page 94.
Which of the following BEST indicates that information assets are classified accurately?
A
Explanation:
The best indicator that information assets are classified accurately is appropriate prioritization of
information risk treatment. Information asset classification is the process of assigning a level of
sensitivity or criticality to information assets based on their value, impact, and legal or regulatory
requirements. The purpose of information asset classification is to facilitate the identification and
protection of information assets according to their importance and risk exposure. Therefore, if
information assets are classified accurately, the organization can prioritize the information risk
treatment activities and allocate the resources accordingly. The other options are not direct
indicators of information asset classification accuracy, although they may be influenced by
it.
Reference = CISM Review Manual 15th Edition, page 67; CISM Review Questions, Answers &
Explanations Database - 12 Month Subscription, Question ID: 1031
Which of the following is MOST important to include in a post-incident review following a data
breach?
B
Explanation:
A post-incident review is a process of analyzing and learning from a security incident, such as a data
breach, to improve the security posture and resilience of an organization. A post-incident review
should include the following elements [1][2]:
A clear and accurate description of the incident, including its scope, impact, timeline, root cause, and
contributing factors.
A detailed assessment of the effectiveness and efficiency of the incident response process, including
the roles and responsibilities, communication channels, coordination mechanisms, escalation
procedures, tools and resources, documentation, and reporting.
An evaluation of the adequacy of existing controls, such as policies, standards, procedures, technical
measures, awareness, and training, to prevent, detect, and mitigate similar incidents in the future.
A list of actionable recommendations and improvement plans, based on the lessons learned and best
practices, to address the identified gaps and weaknesses in the security strategy, governance, risk
management, and incident management.
A follow-up and monitoring mechanism to ensure the implementation and verification of the
recommendations and improvement plans.
The most important element to include in a post-incident review following a data breach is the
evaluation of the adequacy of existing controls, because it directly relates to the security objectives
and requirements of the organization, and provides the basis for enhancing the security posture and
resilience of the organization. Evaluating the existing controls helps to identify the vulnerabilities and
risks that led to the data breach, and to determine the appropriate corrective and preventive actions
to reduce the likelihood and impact of similar incidents in the future. Evaluating the existing controls
also helps to align the security strategy and governance with the business goals and objectives, and
to ensure the compliance with legal, regulatory, and contractual obligations.
The other elements, such as an evaluation of the effectiveness of the information security strategy,
documentation of regulatory reporting requirements, and a review of the forensics chain of custody,
are also important, but not as important as the evaluation of the existing controls. An evaluation of
the effectiveness of the information security strategy is a broader and more strategic activity that
may not be directly relevant to the specific incident, and may require more time and resources to
conduct. Documentation of regulatory reporting requirements is a necessary and mandatory task,
but it does not provide much insight or value for improving the security posture and resilience of the
organization. A review of the forensics chain of custody is a technical and procedural activity that
ensures the integrity and admissibility of the digital evidence collected during the incident
investigation, but it does not address the root cause or the mitigation of the incident.
Reference =
1: CISM Exam Content Outline | CISM Certification | ISACA
2: CISM Review Manual 15th Edition, page
Which of the following should be the PRIMARY area of focus when mitigating security risks
associated with emerging technologies?
D
Explanation:
The primary area of focus when mitigating security risks associated with emerging technologies is
unknown vulnerabilities. Emerging technologies are new and complex, and often involve multiple
parties, interdependencies, and uncertainties. Therefore, they may have unknown vulnerabilities
that could expose the organization to threats that are difficult to predict, detect, or
prevent [1]. Unknown vulnerabilities could also result from the lack of experience, knowledge, or best
practices in implementing, operating, or securing emerging technologies [2]. Unknown vulnerabilities
could lead to serious consequences, such as data breaches, system failures, reputational damage,
legal liabilities, or regulatory sanctions [3]. Therefore, it is important to focus on identifying, assessing,
and addressing unknown vulnerabilities when mitigating security risks associated with emerging
technologies.
The other options are not as important as unknown vulnerabilities, because they are either more
predictable, manageable, or specific. Compatibility with legacy systems is a technical issue that could
affect the performance, functionality, or reliability of emerging technologies, but it is not a security
risk per se. It could be resolved by testing, upgrading, or replacing legacy systems [4]. Application of
corporate hardening standards is a security measure that could reduce the attack surface and
improve the resilience of emerging technologies, but it is not a sufficient or comprehensive solution.
It could be limited by the availability, applicability, or effectiveness of the standards. Integration with
existing access controls is a security requirement that could prevent unauthorized or inappropriate
access to emerging technologies, but it is not a guarantee of security. It could be challenged by the
complexity, diversity, or dynamism of the access scenarios.
Reference =
1: Performing Risk Assessments of Emerging Technologies - ISACA
2: Assessing the Risk of Emerging Technology - ISACA
3: Factors Influencing Public Risk Perception of Emerging Technologies: A …
4: CISM Review Manual 15th Edition, Chapter 3, Section 3.3
CISM Review Manual 15th Edition, Chapter 3, Section 3.4
CISM Review Manual 15th Edition, Chapter 3, Section 3.5
Which of the following would be the MOST effective way to present quarterly reports to the board on
the status of the information security program?
C
Explanation:
An information security dashboard is the most effective way to present quarterly reports to the
board on the status of the information security program, because it provides a concise, visual, and
high-level overview of the key performance indicators (KPIs), metrics, and trends of the information
security program. An information security dashboard can help the board to quickly and easily
understand the current state, progress, and performance of the information security program, and to
identify any gaps, issues, or areas of improvement. An information security dashboard can also help
the board to align the information security program with the organization’s business goals and
strategies, and to support the decision-making and oversight functions of the board.
A capability and maturity assessment is a way of measuring the effectiveness and efficiency of the
information security program, and of identifying the strengths and weaknesses of the program.
However, a capability and maturity assessment is not the most effective way to present quarterly
reports to the board, because it may not provide a clear and timely picture of the status of the
information security program, and it may not reflect the changes and dynamics of the information
security environment. A capability and maturity assessment is more suitable for periodic or annual
reviews, rather than quarterly reports.
A detailed analysis of security program KPIs is a way of evaluating the performance and progress of
the information security program, and of determining the extent to which the program meets the
predefined objectives and targets. However, a detailed analysis of security program KPIs is not the
most effective way to present quarterly reports to the board, because it may be too technical,
complex, or lengthy for the board to comprehend and appreciate. A detailed analysis of security
program KPIs is more suitable for operational or tactical level reporting, rather than strategic level
reporting.
An information security risk register is a tool for recording and tracking the information security risks
that affect the organization, and for documenting the risk assessment, treatment, and monitoring
activities. However, an information security risk register is not the most effective way to present
quarterly reports to the board, because it may not provide a comprehensive and balanced view of
the information security program, and it may not highlight the achievements and benefits of the
program. An information security risk register is more suitable for risk management or audit
purposes, rather than performance reporting.
Reference =
ISACA, CISM Review Manual, 16th Edition, 2020, pages 47-48, 59-60, 63-64, 67-68.
ISACA, CISM Review Questions, Answers & Explanations Database, 12th Edition, 2020, question ID
1019.
An information security dashboard is an effective way to present quarterly reports to the board on
the status of the information security program. It allows the board to quickly view key metrics and
trends at a glance and to drill down into more detailed information as needed. The dashboard should
include metrics such as total incidents, patching compliance, vulnerability scanning results, and
more. It should also include high-level overviews of the security program and its components, such
as the security policy, security architecture, and security controls.
Which of the following is MOST useful to an information security manager when conducting a post-incident review of an attack?
C
Explanation:
The method of operation used by the attacker is the most useful information for an information
security manager when conducting a post-incident review of an attack. This information can help
identify the root cause of the incident, the vulnerabilities exploited, the impact and severity of the
attack, and the effectiveness of the existing security controls. The method of operation can also
provide insights into the attacker’s motives, skills, and resources, which can help improve the
organization’s threat intelligence and risk assessment. The cost of the attack to the organization, the
location of the attacker, and the details from IDS logs are all relevant information for a post-incident
review, but they are not as useful as the method of operation for improving the incident handling
process and preventing future attacks.
Reference = CISM Review Manual 2022, page 316; CISM Item Development Guide 2022, page 9; ISACA CISM: PRIMARY goal of a post-incident review should be to?