Fraudulent attempt to obtain sensitive information

CISM Certification MCQ Multiple Choice Questions - Page 2 for Practice

Q: 31. What is the purpose of incident management?

Correct Answer is: Detect, respond to, and recover from incidents

Q: 32. Which phase comes first in incident response?

Correct Answer is: Detection and Analysis

Q: 33. What is the primary goal of incident containment?

Correct Answer is: Prevent further damage

Q: 34. What is the purpose of lessons learned after an incident?

Correct Answer is: Improve future response capabilities

Q: 35. What is a security awareness program designed to do?

Correct Answer is: Train users on security responsibilities

Q: 36. Which attack relies on manipulating people rather than systems?

Correct Answer is: Social Engineering

Q: 37. What is phishing?

Correct Answer is: Fraudulent attempt to obtain sensitive information

Q: 38. What is the purpose of vendor risk management?

Correct Answer is: Assess and monitor third-party risks

Q: 39. Which document defines security requirements for vendors?

Correct Answer is: All of These

Q: 40. What is the purpose of security metrics?

Correct Answer is: Measure security program effectiveness

CISM Certification MCQ Questions for Practice

31. What is the purpose of incident management?

Prevent software updates
Detect, respond to, and recover from incidents
Manage databases
Conduct audits

32. Which phase comes first in incident response?

Recovery
Detection and Analysis
Containment
Lessons Learned

33. What is the primary goal of incident containment?

Prevent further damage
Restore backups
Notify auditors
Replace hardware

34. What is the purpose of lessons learned after an incident?

Assign blame
Improve future response capabilities
Increase budgets
Replace software

35. What is a security awareness program designed to do?

Train users on security responsibilities
Replace security controls
Conduct audits
Manage vendors

36. Which attack relies on manipulating people rather than systems?

SQL Injection
Social Engineering
DDoS
Brute Force

37. What is phishing?

Fraudulent attempt to obtain sensitive information
Malware removal
Backup process
Network scan

38. What is the purpose of vendor risk management?

Manage employee performance
Assess and monitor third-party risks
Install software
Conduct penetration tests

39. Which document defines security requirements for vendors?

SLA
Contract
Security Agreement
All of These

40. What is the purpose of security metrics?

Measure security program effectiveness
Encrypt data
Backup systems
Monitor bandwidth

41. Which metric measures the frequency of incidents?

Incident Rate
RPO
ROI
SLA

42. What is governance primarily concerned with?

Daily operations
Strategic direction and oversight
Coding standards
Hardware maintenance

43. What is the purpose of a security steering committee?

Manage servers
Provide strategic security oversight
Develop software
Monitor firewalls

44. Which framework is commonly used for IT governance?

COBIT
Apache
Linux
Docker

45. What does COBIT stand for?

Control Objectives for Information and Related Technologies
Central Operations Business IT
Certified Objectives for IT
Control Operations Business Information Technology

46. What is risk assessment?

Eliminating risk
Identifying and evaluating risks
Auditing systems
Installing controls

47. What is the purpose of data classification?

Organize information based on sensitivity
Increase storage
Improve speed
Reduce staffing

48. Which classification level typically requires the highest protection?

Public
Internal
Confidential
Restricted

49. What is a compensating control?

Alternative control providing equivalent protection
Backup control
Preventive control
Detective control

50. What is the purpose of encryption?

Protect confidentiality of data
Improve performance
Increase storage
Monitor traffic

51. Which authentication method provides the strongest assurance?

Password Only
Multifactor Authentication
Shared Account
Security Questions

52. What is the primary goal of access management?

Grant unrestricted access
Ensure appropriate access rights
Reduce hardware costs
Improve coding

53. Which security principle ensures accountability?

Logging and Monitoring
Encryption
Compression
Caching

54. What is a Key Risk Indicator (KRI)?

Metric indicating risk exposure
Security patch
Audit report
Incident ticket

55. What is a Key Performance Indicator (KPI)?

Measure of process effectiveness
Security control
Risk register
Firewall rule

56. What is the primary objective of information security strategy?

Align security with business objectives
Increase IT costs
Eliminate all risks
Replace governance

57. Which process ensures security requirements are incorporated into projects?

Security Integration
Risk Acceptance
Patch Management
Change Control

58. What is the best indicator of a mature security program?

High spending
Strong governance and measurable results
Large security team
Frequent audits

59. Which CISM domain focuses on creating and managing security programs?

Information Security Program Development and Management
Governance
Risk Management
Incident Management

60. What is the ultimate goal of CISM practices?

Eliminate all cyber threats
Support and protect business objectives through effective security management
Reduce staffing
Increase technology spending