Information Security Program
Drill 20 practice questions focused entirely on Information Security Program for the ISACA CISM exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
An information security manager is developing the security program for a large enterprise and must ensure that protection levels applied to data are appropriate and cost-effective. Before selecting and applying baseline controls to the organization's information assets, which activity provides the MOST essential foundation for these decisions?
An information security manager is developing handling requirements for a newly classified dataset that feeds an automated financial trading algorithm. Business owners emphasize that the data is not confidential (it is derived from public market feeds) but that corrupted or altered values could trigger erroneous multimillion-dollar trades. When defining the protection baseline for this asset, which control emphasis should the manager prioritize?
An information security manager finds that an organization has a documented data classification policy with four sensitivity levels, but a recent review reveals that employees frequently store confidential files in shared repositories accessible to all staff. Investigation shows the classification levels are well understood, but there is no consistent way to identify how sensitive a given file is once it leaves its original system. What is the MOST likely root cause the security manager should address?
During the rollout of a new information security program, the security manager discovers that many critical data assets have been classified inconsistently, with IT staff making classification decisions based on technical storage requirements rather than business value. Which action should the security manager take FIRST to correct this?
An information security manager discovers that customer datasets originally classified as 'Confidential' three years ago are now aggregated into analytics reports and used broadly across marketing, finance, and operations. The datasets still carry the original classification labels, but their sensitivity and regulatory exposure have grown significantly since the initial classification. What should the security manager do FIRST to address this situation?
A newly appointed information security manager discovers that the organization's security program applies controls inconsistently, and several recent incidents involved systems that no one in IT was aware of. Before proposing new technical controls, which action will provide the MOST foundational basis for building an effective information security program?
An information security manager is establishing a security control baseline for a new application being deployed on a third-party PaaS provider. The provider publishes a SOC 2 Type II report and a shared responsibility matrix indicating it manages physical, network, and hypervisor controls. What should the manager do FIRST when tailoring the organization's control baseline for this application?
Following a ransomware incident that encrypted several file servers, an organization successfully restored operations from backups within its recovery objectives. The information security manager is now reviewing the control set to reduce the impact of any future occurrence. Which type of control was MOST directly responsible for limiting the business impact in this case, and should be prioritized for continued investment?
An information security manager is establishing a new data classification scheme for an organization that currently stores all data at a single sensitivity level. After defining the classification categories (public, internal, confidential, restricted), what should the manager do NEXT to make the scheme operationally effective?
An organization has deployed a data loss prevention (DLP) technology to prevent exfiltration of confidential customer data through email and web channels. Six months later, the DLP tool generates thousands of alerts, but employees continue to inadvertently send sensitive files externally, and staff are unaware which data is considered confidential. Which action would MOST effectively improve the DLP program's outcomes?
A retail organization has strong preventive controls at its network perimeter, but a recent tabletop exercise revealed that if an attacker bypasses these controls, the security team would have no reliable way to identify malicious activity occurring on internal servers. The information security manager wants to close this gap most effectively. Which control should be prioritized?
A development team has adopted a DevOps model that releases code to production multiple times per day through an automated CI/CD pipeline. The information security manager finds that the existing manual security review, which occurred once per release cycle, can no longer keep pace and is being bypassed to meet delivery deadlines. Which approach BEST enables security to remain effective in this environment?
An information security manager discovers that several business units have independently purchased SaaS applications that store customer data, with no security review performed before contracts were signed. To prevent this from recurring, what is the MOST effective action?
A development team at a financial services firm follows an agile methodology and releases new features every two weeks. The information security manager discovers that security requirements are only reviewed during a penetration test conducted just before production deployment, frequently causing last-minute delays and costly rework. Which action would MOST effectively address the root cause of this problem?
A SaaS provider contract is ending, and the business unit is migrating to a new vendor. The information security manager is asked to ensure the transition does not introduce risk. Which action is MOST important to complete during the offboarding of the outgoing vendor?
An organization is finalizing a contract with a SaaS provider that will process sensitive customer data. During review, the information security manager notices the agreement contains no provision allowing the organization to validate the vendor's ongoing security posture. Which contractual element is MOST important to add before signing?
An organization has outsourced its 24/7 security monitoring to a managed security service provider (MSSP). Six months into the engagement, the information security manager notices that although the MSSP delivers monthly reports, several confirmed incidents were escalated hours later than the contract's stated response times, and internal teams were unsure who owned remediation. Which action should the information security manager take FIRST to strengthen oversight of this external service?
An information security manager plans to commission an annual penetration test of a customer-facing application. The application is hosted in a third-party cloud provider's environment under a shared responsibility model. Before the test begins, what is the MOST important action the security manager should take?
A newly built data center houses systems processing highly sensitive customer data. The information security manager must recommend controls to prevent unauthorized physical entry to the server floor while ensuring that access events can be attributed to specific individuals for later investigation. Which combination of physical controls BEST meets both objectives?
A financial services company runs a legacy transaction system that cannot support multifactor authentication due to vendor limitations. The application processes high-value payments and must remain in service for 18 months until replacement. The information security manager needs to reduce the risk of unauthorized access during this period without modifying the application. Which control approach is MOST appropriate?
More CISM practice
Keep going with the other ISACA CISM — Certified Information Security Manager domains, or take a full timed mock exam.
← Back to CISM overview