Information Security Risk Management
Drill 20 practice questions focused entirely on Information Security Risk Management for the ISACA CISM exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
An information security manager compiles monthly KRI data showing that failed patch-deployment rates have steadily risen over three consecutive reporting cycles, though no individual threshold has yet been breached. Before the next executive risk committee meeting, what is the MOST important action the manager should take?
An information security manager notices that several individually low-rated risks across different business units all stem from the same unpatched legacy authentication service. Each business unit has independently accepted its portion of the risk as within its local tolerance. What should the security manager do FIRST?
During a security review, an information security manager identifies that the organization has deployed strong perimeter firewalls but has no monitoring of lateral movement within the internal network. Recent threat intelligence indicates attackers in the industry increasingly use credential theft to move laterally after gaining an initial foothold. Which of the following BEST describes what the manager has identified?
Employees across several business units have rapidly begun using a third-party generative AI service to accelerate their work. The information security manager becomes aware of this trend but has no formal record of the tool in the risk register or any assessment of its data handling. Which action should the information security manager take FIRST to address this emerging risk?
During a risk assessment for a new customer-facing payment portal, a business unit leader argues that the risk should be rated as 'low' because the organization already has strong web application firewalls, encryption, and multifactor authentication in place. The information security manager wants the assessment to first establish an accurate baseline before comparing it against these safeguards. Which risk value should the information security manager insist on documenting first?
An information security manager established a key risk indicator (KRI) that tracks the percentage of privileged accounts without multifactor authentication. The KRI was set with a threshold of 5%. Over the last three monthly reporting cycles the value has climbed from 4% to 6% to 9%, breaching the threshold. What is the security manager's BEST first action?
An information security manager is designing key risk indicators (KRIs) for a program that has repeatedly been surprised by ransomware incidents. The manager wants indicators that give the business advance warning so preventive action can be taken before losses occur. Which of the following would be the MOST useful KRI to add for this purpose?
During a qualitative risk assessment, an information security manager notices that different business unit leaders rate the same shared risk scenario very differently — one calls the impact 'high' while another calls it 'low' — because each interprets the rating scales based on their own judgment. What should the security manager do FIRST to improve the reliability of the assessment?
An information security manager is preparing a quantitative risk analysis to justify investing in a database encryption solution. The organization's customer database is valued at $2,000,000. A successful breach would compromise approximately 40% of the records' value, and threat intelligence indicates such a breach is likely to occur about once every four years. Which figure represents the annualized loss expectancy (ALE) the manager should present to support the decision?
After implementing agreed mitigating controls for a critical customer-facing application, the information security manager reassesses the risk and finds the residual risk still exceeds the organization's documented risk appetite. The business unit insists the application must remain in production to meet revenue targets. What should the information security manager do NEXT?
A business unit manager wants to continue using a legacy application that cannot support multi-factor authentication. The information security manager has documented that this creates a risk exceeding the organization's defined risk appetite. The manager insists the application is critical to revenue and asks the security team to simply accept the risk. What is the MOST appropriate action for the information security manager?
A financial services firm operates a legacy peer-to-peer file-sharing feature that generates minimal revenue but has been repeatedly implicated in data leakage incidents. The residual risk far exceeds the organization's risk appetite even after multiple control enhancements, and no cost-effective mitigation exists. The business owner confirms the feature is not strategically important. Which risk response is MOST appropriate for the information security manager to recommend?
A financial services firm has identified that a single perimeter firewall is the only control protecting a customer database containing sensitive PII. A risk assessment rates the residual risk as high, and management has decided to mitigate rather than accept it. The information security manager is asked to recommend the mitigation approach. Which recommendation BEST reduces the residual risk?
A manufacturing company deploys new IT and operational technology systems on a near-monthly basis, but risk assessments are only performed during the annual enterprise risk review. As a result, several recently deployed systems introduced significant exposures that were not identified until an incident occurred. Which action would BEST address the root cause of this problem?
An information security manager maintains a risk register that was last fully assessed nine months ago. A newly disclosed critical vulnerability is now being actively exploited in the wild against a technology stack the organization uses heavily in a revenue-generating application. What should the information security manager do FIRST?
A quantitative risk assessment for a legacy inventory system shows an annualized loss expectancy (ALE) of $40,000. The information security manager evaluates a proposed control that would reduce the ALE to $5,000 but costs $90,000 per year to operate. The system is scheduled for decommissioning in 18 months. Which risk response is the MOST appropriate for the security manager to recommend?
A financial services firm outsources credit card payment processing to a third-party provider. The contract shifts operational responsibility to the provider, but recent breach headlines have made the firm's leadership nervous about reputational and regulatory consequences if the provider is compromised. The information security manager is asked to characterize the firm's residual exposure after this outsourcing arrangement. Which statement should the security manager convey to leadership?
An information security manager is developing risk scenarios for a newly deployed customer-facing e-commerce platform. The team has documented several threat sources and vulnerabilities but is struggling to prioritize which scenarios warrant deeper analysis. Which input would MOST improve the relevance and prioritization of the risk scenarios?
An information security manager is building risk scenarios for a quantitative analysis and needs to estimate how often a ransomware event is likely to affect the organization each year. Which source would provide the MOST reliable basis for estimating the annualized rate of occurrence?
An information security manager must recommend which of two risk scenarios to address first. Scenario 1 has a single loss expectancy (SLE) of $50,000 and an annual rate of occurrence (ARO) of 3. Scenario 2 has an SLE of $250,000 and an ARO of 0.5. Mitigation for each costs approximately $80,000 per year. Which scenario should be prioritized for treatment based on cost-effectiveness?
More CISM practice
Keep going with the other ISACA CISM — Certified Information Security Manager domains, or take a full timed mock exam.
← Back to CISM overview