Hard CISM practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 19 hard questions available — no sign-up, always free.
An information security manager notices that several individually low-rated risks across different business units all stem from the same unpatched legacy authentication service. Each business unit has independently accepted its portion of the risk as within its local tolerance. What should the security manager do FIRST?
A newly appointed information security manager at a manufacturing firm finds that a technically sound security strategy approved two years ago has been largely ignored by business units. Interviews reveal that employees view security controls as obstacles to production targets, and line managers routinely grant exceptions to keep operations moving. Which action would BEST address the underlying cause of the strategy's poor adoption?
A multinational retailer operates in several countries, each with different breach notification timelines and data protection obligations. The information security manager discovers that one jurisdiction requires notification within 72 hours, while a contractual clause with a major partner requires immediate notification of any incident, and a third country mandates notification only after confirmed harm to individuals. To address these conflicting legal, regulatory, and contractual requirements when developing the incident response and governance approach, what should the information security manager do FIRST?
A manufacturing company signs a contract with a large retail customer that includes strict information security clauses requiring encryption of all customer data and 24-hour breach notification. The company stores this data with a third-party cloud provider whose standard service agreement offers only 72-hour breach notification and does not commit to the required encryption controls. What should the information security manager do FIRST?
A newly appointed information security manager discovers that business units routinely adopt unsanctioned cloud applications ('shadow IT') because the formal approval process is perceived as slow and bureaucratic. Executives value the units' agility and are reluctant to impose heavy controls. Which action would BEST address the root cause while supporting enterprise governance objectives?
During a disaster recovery test, the information security manager observes that a critical order-processing system was restored and made operational within 5 hours, meeting its documented 6-hour recovery time objective (RTO). However, the recovered database was missing the last 3 hours of transactions before the outage, while the documented recovery point objective (RPO) for that system is 30 minutes. Which of the following is the MOST important conclusion the security manager should draw from this test result?
During a contained malware incident, the response team discovers the infection has spread to the systems supporting the organization's primary customer-facing platform, and full restoration is now expected to exceed the documented maximum tolerable downtime. As the information security manager, what is the MOST appropriate next action?
A security manager wants to improve the organization's ability to detect intrusions early. The SIEM currently generates thousands of alerts daily, but most are false positives, and a recent breach went undetected for weeks because malicious activity blended in with normal traffic. Which action would MOST effectively improve the organization's detection capability?
During a confirmed intrusion, an attacker has established a foothold on a single server in a segmented DMZ but has not yet moved laterally. The incident response team is under pressure from operations to keep the customer-facing application online. The information security manager must decide on a containment strategy. Which factor should MOST influence the choice between immediate isolation and delayed containment?
During a post-incident review, an information security manager discovers that the organization detected a sophisticated intrusion three weeks after the initial compromise, well after data had been exfiltrated. The SIEM was properly tuned and alerts were triaged promptly, but no rule existed to detect the specific attacker technique used. Which improvement would MOST effectively reduce the detection time for similar future attacks?
A newly appointed CISO has operated the information security governance program for one year. The board now asks for evidence that governance itself—not just individual controls—is effective and delivering value. Which of the following would BEST demonstrate the effectiveness of the governance program to the board?
During a ransomware outbreak, an incident responder discovers several infected servers actively encrypting shared storage. Management wants the systems isolated immediately, but the legal team has indicated the organization may pursue prosecution and file a cyber-insurance claim. What should the incident responder do FIRST to balance containment with these requirements?
After implementing agreed mitigating controls for a critical customer-facing application, the information security manager reassesses the risk and finds the residual risk still exceeds the organization's documented risk appetite. The business unit insists the application must remain in production to meet revenue targets. What should the information security manager do NEXT?
A manufacturing company deploys new IT and operational technology systems on a near-monthly basis, but risk assessments are only performed during the annual enterprise risk review. As a result, several recently deployed systems introduced significant exposures that were not identified until an incident occurred. Which action would BEST address the root cause of this problem?
A quantitative risk assessment for a legacy inventory system shows an annualized loss expectancy (ALE) of $40,000. The information security manager evaluates a proposed control that would reduce the ALE to $5,000 but costs $90,000 per year to operate. The system is scheduled for decommissioning in 18 months. Which risk response is the MOST appropriate for the security manager to recommend?
An information security manager must recommend which of two risk scenarios to address first. Scenario 1 has a single loss expectancy (SLE) of $50,000 and an annual rate of occurrence (ARO) of 3. Scenario 2 has an SLE of $250,000 and an ARO of 0.5. Mitigation for each costs approximately $80,000 per year. Which scenario should be prioritized for treatment based on cost-effectiveness?
A security manager identifies a critical vulnerability in a customer-facing application. The permanent fix requires a vendor patch that will not be available for four months, and the residual risk during that period exceeds the organization's risk appetite. Which action should the security manager take FIRST?
A newly appointed information security manager has completed an approved security strategy that includes defined objectives and initiatives with allocated budget. Six months into execution, the executive sponsor asks how the manager will demonstrate that the strategy is actually moving the organization toward its intended security posture over time. Which of the following is the MOST effective way to provide this assurance?
A newly approved information security strategy contains 14 initiatives spanning three years. The information security manager must convert the strategy into an actionable roadmap. Several initiatives are interdependent: a data classification program must precede a data loss prevention deployment, and an identity governance rollout depends on completing an HR system integration owned by another department. When developing the roadmap, what should the information security manager do FIRST?