ISACA CISM Certification Practice Exams

ISACA CISM Certification Logo & Badge
All questions come from my CISM Udemy course and certificationexams.pro

Free ISACA CISM Practice Test and Exam Questions

Over the past few months, I have been helping information security professionals, compliance officers, and IT managers prepare for ISACA certifications. ISACA credentials are among the most respected in cybersecurity and risk management.

The goal is to help you understand and implement effective information security governance, risk management, and incident response practices that align with business objectives and regulatory expectations.

A key milestone in that journey is earning the Certified Information Security Manager (CISM) credential.

This certification validates your ability to design and manage an enterprise information security program. It proves your expertise in governance, risk management, security program development, and incident management. These four critical CISM domains are recognized globally by employers and auditors.

Whether you are a cybersecurity consultant, IT auditor, or security manager, ISACA certification demonstrates that you can translate business goals into effective information security strategies and lead teams that protect organizational assets.

The ISACA CISM Exam measures your ability to align security programs with business priorities, manage risk effectively, and ensure continuous improvement through governance and performance measurement.

ISACA CISM Exam Simulator

Through my Udemy courses on ISACA certifications and the free CISM Practice Questions available at certificationexams.pro, I have identified the areas where most learners need deeper understanding. That insight helped shape a full set of CISM Questions and Answers that closely match the tone, structure, and complexity of the real ISACA exam.

You can also find CISM Sample Questions and CISM Practice Tests to measure your readiness. Each question includes a detailed explanation that reinforces key CISM concepts such as governance frameworks, control objectives, and risk analysis.

These materials are not about memorization. They focus on mastering the reasoning and judgment ISACA expects from certified information security managers.

Real ISACA CISM Exam Questions

If you are looking for Real CISM Exam Questions, this resource provides authentic, instructor-created items that reflect the tone and difficulty of the actual exam. These are not CISM Exam Dumps or copied content. Each scenario challenges your understanding of governance, risk, and incident management in real-world contexts.

The CISM Exam Simulator recreates the pacing and environment of the real ISACA testing experience so you can practice under realistic conditions. For topic-focused learning, explore CISM Braindump style study sets that group questions by domain. These study sets help reinforce your knowledge through applied examples and repetition.

Each CISM Exam Question and CISM Practice Test is designed to help you think like a manager. They prepare you to bridge the gap between governance and operations in your organization.

The CISM Certification is more than a credential. It is proof of your ability to lead, govern, and protect information systems in a complex compliance-driven world. Study with focus, practice consistently, and approach the exam with integrity. With the right preparation and mindset, you will join the ranks of trusted information security managers worldwide.


CISM Practice Exam Questions

Question 1

A regional online retailer hosts an externally reachable FTP server and is concerned about attackers attempting to brute force the root account password. What control most effectively lowers the chance of a successful brute force attack against the root account?

  • ❏ A. Enforce a longer and more complex root password

  • ❏ B. Migrate to a secure file transfer protocol such as SFTP or FTPS

  • ❏ C. Apply an account lockout or login rate limiting policy on failed authentication attempts

  • ❏ D. Require multi factor authentication for FTP logins

Question 2

What is the best way for an organization to ensure contractor and temporary staff accounts are removed when those accounts are no longer needed?

  • ❏ A. Require supervisors to e-mail the security team

  • ❏ B. Set contractor accounts to expire automatically on preset dates

  • ❏ C. Use IAM time-bound access

Question 3

After an internal audit uncovers major deficiencies in IT processing at a mid sized financial firm, how can the information security manager most effectively communicate the urgency to senior leadership so remediation is prioritized?

  • ❏ A. Cloud Security Command Center summary

  • ❏ B. Business impact analysis

  • ❏ C. Prioritized risk assessment report

  • ❏ D. Return on security investment analysis

Question 4

During a network intrusion what immediate containment action should an incident response team take to limit the scope of the attack while preserving business continuity?

  • ❏ A. Deploy Google Cloud Armor

  • ❏ B. Isolate the compromised network segment

  • ❏ C. Collect forensic logs to secure external storage

Question 5

Which wireless encryption protocol offers the strongest protection for an enterprise WiFi network?

  • ❏ A. SSL

  • ❏ B. WPA

  • ❏ C. WEP

  • ❏ D. WPA2

Question 6

How can an organization most effectively align its security initiatives with its strategic objectives?

  • ❏ A. Embed security into project and product governance

  • ❏ B. Run regular security awareness and training programs

  • ❏ C. Include business units in security decision making

  • ❏ D. Mandate strict policy enforcement across business units

Question 7

You are the information security manager at Meridian Postal Services and the company will engage a fulfillment partner to manage customer mailings. What is the single most important action the information security manager should take before sharing customer data with the new partner?

  • ❏ A. Confirm the vendor maintains a proven disaster recovery and business continuity program

  • ❏ B. Perform background checks on the vendor’s personnel

  • ❏ C. Implement end to end encryption for customer records prior to transfer

  • ❏ D. Obtain a signed contract that binds the vendor to required security controls

Question 8

When an incident response manager receives a report of a suspected security breach what should they do first?

  • ❏ A. Collect and preserve system and application logs for analysis

  • ❏ B. Confirm that the reported event is a legitimate security incident

  • ❏ C. Isolate the affected virtual machine instance

Question 9

When Acorn Insurance is confronted with a newly introduced regulatory mandate what should the information security manager undertake first?

  • ❏ A. Perform a gap analysis against the new mandate

  • ❏ B. Prepare and present a compliance business case to secure funding and authority

  • ❏ C. Update the enterprise risk register to reflect the new regulatory exposure

  • ❏ D. Escalate the matter to the executive compliance committee for direction

Question 10

Which approach most effectively maintains compliance as contract obligations evolve over time?

  • ❏ A. Conduct recurring external compliance audits

  • ❏ B. Adopt flexible contract lifecycle management with iterative reviews

  • ❏ C. Organization Policy and Config Validator

Question 11

Within a corporate risk framework what is the main purpose of the risk evaluation stage?

  • ❏ A. Cloud Identity and Access Management

  • ❏ B. To carry out agreed risk treatment measures

  • ❏ C. To decide if assessed risks fall within the organization’s acceptable thresholds

  • ❏ D. To catalog potential risk scenarios

Question 12

Which resource is most critical for identifying threats and weaknesses in a new payments application?

  • ❏ A. Vendor security certifications and compliance reports

  • ❏ B. Automated cloud security platforms such as Google Cloud Security Command Center

  • ❏ C. Internal security analysts with application security and cloud configuration expertise

Question 13

A multinational technology firm called Arcadia Systems keeps a separate backup appliance at each regional office for local snapshots and copies, and the company is concerned about its ability to restore data after a large scale incident. Which element of this distributed backup design would likely be the most serious weakness?

  • ❏ A. Backup resources are distributed or allocated based on the timing of individual requests

  • ❏ B. Google Cloud Storage multi region

  • ❏ C. Daily backup operations are confined to a narrow window

  • ❏ D. The possibility that several regional sites will require backup services at the same time

Question 14

Which action would most strengthen an organization’s information security governance framework?

  • ❏ A. Define clear roles and responsibilities for security governance

  • ❏ B. Empower internal auditors to assess and report on governance activities

  • ❏ C. Embed risk management in daily operations and strategic planning

Question 15

A regional insurance firm is adopting a bring your own device policy that permits employees to use personal phones and laptops for company work. As the head of information security what would be your primary concern?

  • ❏ A. Higher demand for helpdesk support for a wide variety of devices

  • ❏ B. Complexity of integrating Cloud Identity for centralized access control

  • ❏ C. Employees not using the latest phone and laptop models

  • ❏ D. Potential for inconsistent device configurations and loss of control over security settings

Question 16

What is the first action to take to enable secure data sharing with an overseas partner?

  • ❏ A. Implement Google Cloud VPC Service Controls

  • ❏ B. Perform a legal and regulatory review of the host country’s data protection requirements

  • ❏ C. Use mutual encryption with managed keys

  • ❏ D. Establish a data processing agreement with the partner

Question 17

When updating a Business Impact Analysis for a regional healthcare provider to reflect current continuity requirements what step should be taken first?

  • ❏ A. Cloud Monitoring

  • ❏ B. Audit existing continuity plans for alignment with strategic goals

  • ❏ C. Perform a risk assessment to identify new threats to critical functions

  • ❏ D. Engage senior leadership to confirm business priorities

Question 18

Which method most effectively isolates corporate data on employee owned mobile devices?

  • ❏ A. Use Google Endpoint Management

  • ❏ B. Deploy a containerized work profile

  • ❏ C. Apply device level encryption

Question 19

An information security team at Meridian Health Systems has been asked to create an asset classification policy and locate confidential records across departments. Which stakeholders would provide the most relevant input to identify sensitive business data?

  • ❏ A. End users

  • ❏ B. IT administrators

  • ❏ C. Owners of business functions

  • ❏ D. Data stewards

Question 20

Before approving a platform initiative that could introduce new vulnerabilities, what should be evaluated first?

  • ❏ A. Cloud services intended for use

  • ❏ B. If project risks exceed the organization’s risk appetite

  • ❏ C. Planned security controls and mitigation plans

CISM Practice Exam Answers


Question 1

A regional online retailer hosts an externally reachable FTP server and is concerned about attackers attempting to brute force the root account password. What control most effectively lowers the chance of a successful brute force attack against the root account?

  • ✓ C. Apply an account lockout or login rate limiting policy on failed authentication attempts

Apply an account lockout or login rate limiting policy on failed authentication attempts is the correct option.

Apply an account lockout or login rate limiting policy on failed authentication attempts directly limits how many guesses an attacker can make against the root account in a given period. By blocking or throttling further attempts from the same account or source it removes the high guess rate that automated tools depend on, and it therefore most effectively reduces the chance of a successful online brute force attack. In practice the throttle should act on the source address or apply a temporary back-off rather than hard-locking root, because an attacker who can lock the root account out at will has an easy denial of service.

Enforce a longer and more complex root password can increase the work required to guess a password but it does not prevent repeated online attempts and it is less effective at stopping live brute force activity without throttling.

Migrate to a secure file transfer protocol such as SFTP or FTPS improves encryption and protects credentials in transit but it does not inherently limit repeated login attempts. Migration may enable stronger authentication options but it is not by itself the primary control to stop brute force against the root account.

Require multi factor authentication for FTP logins would be a strong control when supported but many traditional FTP services do not support MFA and it may not be practical to deploy. The question asks for the control that most directly and immediately lowers the chance of a successful brute force attack.

Focus on controls that limit or block repeated authentication attempts such as account lockout or rate limiting when a question asks about preventing brute force attacks.
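As an added example (not part of the original question set or course material), the following Python script implements the sliding-window policy the answer describes and runs it over a constructed, vsftpd-style authentication log. It blocks a source address after five failures inside sixty seconds instead of locking the root account, and it separately alerts when one account is being guessed from several sources, which per-source throttling alone would never see. The log lines, thresholds, addresses and account names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a vsftpd-style format; not captured from a real system.
SAMPLE_LOG = """\
Thu Mar 14 10:00:01 2024 [pid 4101] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Mar 14 10:00:03 2024 [pid 4102] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Mar 14 10:00:05 2024 [pid 4103] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Mar 14 10:00:07 2024 [pid 4104] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Mar 14 10:00:09 2024 [pid 4105] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Mar 14 10:00:11 2024 [pid 4106] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Mar 14 10:00:20 2024 [pid 4107] [alice] FAIL LOGIN: Client "198.51.100.20"
Thu Mar 14 10:00:25 2024 [pid 4108] [alice] OK LOGIN: Client "198.51.100.20"
Thu Mar 14 10:02:00 2024 [pid 4109] [root] FAIL LOGIN: Client "198.51.100.31"
Thu Mar 14 10:02:02 2024 [pid 4110] [root] FAIL LOGIN: Client "198.51.100.32"
Thu Mar 14 10:02:04 2024 [pid 4111] [root] FAIL LOGIN: Client "198.51.100.33"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse(line):
    """Return (timestamp, user, result, source_ip), or None for lines we do not recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def _prune(q, now, window):
    # Entries arrive in time order, so dropping from the left removes everything older than the window.
    while q and (now - q[0][0]).total_seconds() > window:
        q.popleft()


def evaluate(lines, max_fails=5, distinct_sources=3, window=60):
    """Sliding-window policy over a log stream.

    - A source IP with max_fails failures inside `window` seconds is blocked and its later
      attempts are dropped. Blocking the source rather than locking the account means an
      attacker cannot lock root out of its own server just by guessing.
    - An account that sees failures from distinct_sources different IPs inside the window
      raises an alert: per-source throttling alone is blind to a distributed attack.
    """
    fails_by_ip = defaultdict(deque)    # ip   -> deque of (ts, user)
    fails_by_user = defaultdict(deque)  # user -> deque of (ts, ip)
    blocked, alerts, dropped = {}, [], 0
    alerted = set()

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, result, ip = rec
        if ip in blocked:
            dropped += 1          # already blocked: the attempt never reaches the daemon
            continue
        if result != "FAIL":
            continue              # successes are not counted against anyone

        q_ip = fails_by_ip[ip]
        q_ip.append((ts, user))
        _prune(q_ip, ts, window)
        if len(q_ip) >= max_fails:
            blocked[ip] = ts

        q_user = fails_by_user[user]
        q_user.append((ts, ip))
        _prune(q_user, ts, window)
        sources = {src for _, src in q_user}
        if len(sources) >= distinct_sources and user not in alerted:
            alerted.add(user)
            alerts.append((ts, user, len(sources)))

    return {"blocked": blocked, "alerts": alerts, "dropped": dropped}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG.splitlines())
    for ip, ts in result["blocked"].items():
        print(f"block {ip} from {ts:%H:%M:%S}")
    for ts, user, n in result["alerts"]:
        print(f"alert {ts:%H:%M:%S}: {user} guessed from {n} sources inside the window")
    print("dropped attempts:", result["dropped"])
```

On the sample data the single noisy source is blocked at its fifth failure and its sixth attempt is dropped, the legitimate user who mistyped once is untouched, and the three low-and-slow sources guessing root two minutes later trip the per-account alert without any of them reaching the per-source threshold. A real deployment would feed the block decision to a host firewall and, better still, not expose root to the FTP service at all.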

Question 2

What is the best way for an organization to ensure contractor and temporary staff accounts are removed when those accounts are no longer needed?

  • ✓ B. Set contractor accounts to expire automatically on preset dates

Set contractor accounts to expire automatically on preset dates is correct.

Automatically expiring contractor accounts ensures that access ends on a known date without relying on manual steps and it reduces the risk of orphaned or lingering accounts. This approach can be implemented through your identity management system so that account disablement or deletion is enforced and logged for audit purposes.

Require supervisors to e-mail the security team is wrong because it relies on manual human action which is error prone and hard to scale. Manual e-mail requests often lead to delays and they are difficult to track consistently in an auditable way.

Use IAM time-bound access is wrong in this context because time bound role grants typically provide temporary permissions rather than automatically removing or disabling the user account itself. Temporary role bindings do not guarantee the account is deleted or fully deprovisioned when a contract ends.

Choose answers that emphasize automation and auditable lifecycle management when the question is about removing access at the end of a contract.
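As an added illustration of the automated, auditable lifecycle this answer calls for (example code written for this page, not taken from the course or from any identity product), the script below walks a constructed contractor directory through the three states a deprovisioning job has to handle: disable on the expiry date, delete once a retention period has elapsed, and flag the gap reviewers find most often, a contractor account with no end date at all. Account names, dates and the 30-day retention value are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    kind: str                 # "employee" or "contractor"
    expires: Optional[date]   # agreed contract end date; None means no end date recorded
    disabled: bool = False


# Constructed sample directory; names and dates are illustrative only.
DIRECTORY = [
    Account("bob.perm", "employee", None),
    Account("c-anna", "contractor", date(2024, 6, 30)),                # expired, still enabled
    Account("c-raj", "contractor", date(2024, 7, 1), disabled=True),  # disabled, inside retention
    Account("c-lee", "contractor", date(2024, 4, 1), disabled=True),  # disabled, retention elapsed
    Account("c-mia", "contractor", None),                              # policy gap: no end date
    Account("c-omar", "contractor", date(2024, 9, 30)),               # still under contract
]


def plan_actions(accounts, today, retention_days=30):
    """Decide what the nightly job should do, without doing it yet.

    Lifecycle: active -> DISABLE on the expiry date -> DELETE once the account has been
    disabled for retention_days (kept that long so investigations and re-hires can be handled).
    Contractor accounts with no expiry date are FLAGged: nothing would ever remove them.
    """
    actions = []
    for acct in accounts:
        if acct.kind != "contractor":
            continue
        if acct.expires is None:
            actions.append((acct.name, "FLAG", "contractor account has no expiry date"))
        elif today < acct.expires:
            continue
        elif not acct.disabled:
            actions.append((acct.name, "DISABLE", f"contract ended {acct.expires.isoformat()}"))
        elif today >= acct.expires + timedelta(days=retention_days):
            actions.append((acct.name, "DELETE",
                            f"disabled since {acct.expires.isoformat()}, "
                            f"{retention_days}-day retention elapsed"))
    return actions


def apply_actions(accounts, actions, today):
    """Enforce the plan and return (remaining accounts, audit lines).

    Every decision, including FLAG entries that change nothing, is written to the audit
    list so the removal (or the missing expiry date) can be evidenced later.
    """
    by_name = {a.name: a for a in accounts}
    audit = []
    for name, action, reason in actions:
        if action == "DISABLE":
            by_name[name].disabled = True
        elif action == "DELETE":
            del by_name[name]
        audit.append(f"{today.isoformat()} {action} {name}: {reason}")
    return list(by_name.values()), audit


def run_demo(today=date(2024, 7, 15)):
    """Run one nightly cycle against copies of the sample directory."""
    accounts = [replace(a) for a in DIRECTORY]   # copies, so the sample data stays pristine
    plan = plan_actions(accounts, today)
    remaining, audit = apply_actions(accounts, plan, today)
    return plan, remaining, audit


if __name__ == "__main__":
    plan, remaining, audit = run_demo()
    print("\n".join(audit))
    print("remaining:", [f"{a.name}{' (disabled)' if a.disabled else ''}" for a in remaining])
```

In a real directory the DISABLE and DELETE steps would call the identity provider's API or the OS equivalent, and the audit lines would go to the SIEM; the decision logic, and in particular the refusal to let an account without an end date slip through silently, stays the same.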

Question 3

After an internal audit uncovers major deficiencies in IT processing at a mid sized financial firm, how can the information security manager most effectively communicate the urgency to senior leadership so remediation is prioritized?

  • ✓ C. Prioritized risk assessment report

The correct answer is Prioritized risk assessment report.

A Prioritized risk assessment report summarizes the audit findings and ranks the weaknesses by likelihood and business impact while assigning owners and suggested remediation timelines so senior leaders can see which issues present the greatest risk and which actions will most quickly reduce exposure. It translates technical deficiencies into business risk language and a clear set of prioritized, time bound recommendations so leadership can allocate budget and mandate remediation promptly.

Cloud Security Command Center summary is more of an operational security dashboard and it typically presents cloud findings in technical detail rather than a business prioritized remediation plan so it is less effective for forcing executive prioritization.

Business impact analysis focuses on recovery priorities and the consequences of service interruptions rather than mapping vulnerabilities to threat likelihood and immediate remediation priorities so it does not directly drive security remediation decisions.

Return on security investment analysis attempts to quantify financial benefits of security projects but it can be speculative and slow to produce and it does not by itself present a prioritized list of risks and short term remediation steps that compel urgent action.

When you need to convince senior leaders to act present risks in business terms and include prioritized remediation with owners and timelines so executives can see the immediate exposure and the cost and effort to reduce it.

Question 4

During a network intrusion what immediate containment action should an incident response team take to limit the scope of the attack while preserving business continuity?

  • ✓ B. Isolate the compromised network segment

Isolate the compromised network segment is the correct immediate containment step to limit the attack while maintaining business continuity.

Isolating the affected segment reduces the attacker's ability to move laterally and it confines the blast radius so critical services can continue to operate. It allows the incident response team to perform targeted remediation and to collect forensic evidence from the isolated systems without risking further spread to other parts of the network.

Deploy Google Cloud Armor is not the best immediate containment action because Cloud Armor focuses on protecting edge HTTP(S) traffic and mitigating certain external threats and it will not stop internal lateral movement within a compromised segment. It is useful for perimeter defenses but it does not replace isolating an affected internal network.

Collect forensic logs to secure external storage is an important preservation step and should be done as soon as practical but it does not by itself contain an ongoing intrusion. Log collection can and should occur in parallel when safe to do so but isolating the compromised segment must come first to limit damage.

Choose actions that immediately stop spread and allow business services to continue. Think whether the option contains the attack right away or whether it is an investigative or long term control.

Question 5

Which wireless encryption protocol offers the strongest protection for an enterprise WiFi network?

  • ✓ D. WPA2

The correct answer is WPA2.

WPA2 is the strongest choice among the options because it implements the IEEE 802.11i security framework and uses AES with CCMP for robust encryption. When deployed in an enterprise configuration with 802.1X and EAP it provides strong authentication and per-user keying which is suitable for corporate WiFi networks. WPA3 has since superseded WPA2 in the Wi-Fi Alliance certification programme, but it is not among the options offered here.

SSL is incorrect because it secures individual web and application connections above the transport layer and it does not provide link layer WiFi encryption.

WPA is incorrect because it was an interim improvement over WEP and typically uses TKIP which is weaker than the AES/CCMP used by WPA2.

WEP is incorrect because it is deprecated and has well known vulnerabilities that allow it to be cracked quickly, so it is not suitable for enterprise protection.

On exam questions about wireless security pick the option that mentions WPA2 Enterprise or AES based protection when available and remember that WEP is deprecated and insecure.
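As an added example that is not part of the original question set, the script below places a weak access point configuration beside a WPA2-Enterprise one and checks both for the settings this answer warns about: WEP keys, WPA version 1, the TKIP cipher, pre-shared keys and 802.1X without a RADIUS server. Both fragments are constructed hostapd-style key=value configurations, the RADIUS address and shared secret are placeholders, and the verdict categories are the editor's own.

```python
# Constructed hostapd-style configurations; neither is taken from a real deployment.
WEAK_CONF = """\
interface=wlan0
ssid=CorpWiFi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Summer2024!
wpa_pairwise=TKIP
"""

HARDENED_CONF = """\
interface=wlan0
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=EXAMPLE_RADIUS_SECRET
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and comments, into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess(conf):
    """Return (verdict, findings) for one access point configuration.

    `wpa` is a bit field in hostapd: 1 = WPA (version 1), 2 = WPA2/RSN, 3 = both.
    Any finding in the list means the network should not carry enterprise traffic.
    """
    findings = []
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP keys configured: deprecated, recoverable in minutes")
    wpa = int(conf.get("wpa", "0") or 0)
    if wpa == 0:
        findings.append("no WPA/RSN enabled: open or WEP-only network")
    if wpa & 1:
        findings.append("WPA version 1 enabled: TKIP-era protocol, disable it")
    ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: restrict pairwise ciphers to CCMP (AES)")
    if wpa & 2 and not ciphers & {"CCMP", "GCMP"}:
        findings.append("RSN cipher not explicitly set: set rsn_pairwise=CCMP")
    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    enterprise = "WPA-EAP" in mgmt and conf.get("ieee8021x") == "1"
    if enterprise and "auth_server_addr" not in conf:
        findings.append("802.1X enabled but no RADIUS server (auth_server_addr) configured")

    if findings:
        return "FAIL", findings
    if wpa & 2 and enterprise:
        return "PASS (WPA2-Enterprise: 802.1X/EAP, per-user keys, CCMP)", findings
    if "SAE" in mgmt:
        return "PASS (WPA3-Personal/SAE)", findings
    if "WPA-PSK" in mgmt:
        return "WARN (WPA2-Personal: one shared secret, no per-user revocation)", findings
    return "WARN (key management unclear)", findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        verdict, findings = assess(parse_conf(text))
        print(f"{label}: {verdict}")
        for f in findings:
            print(f"  - {f}")
```

The weak fragment fails on two counts (WPA version 1 and TKIP) and also uses a shared passphrase; the hardened one passes because it combines WPA2/RSN, CCMP and 802.1X against a RADIUS server, which is exactly the WPA2-Enterprise profile the answer describes.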

Question 6

How can an organization most effectively align its security initiatives with its strategic objectives?

  • ✓ C. Include business units in security decision making

The correct answer is Include business units in security decision making.

Include business units in security decision making aligns security priorities with strategic objectives by ensuring that risk decisions reflect business goals and acceptable risk levels. Involving business stakeholders creates shared ownership so security controls are prioritized by impact and are more likely to be adopted and sustained.

Embed security into project and product governance is useful for integrating controls into development and delivery processes but it can focus narrowly on execution and miss wider strategic trade offs. It does not by itself ensure that security choices are aligned with overall business strategy.

Run regular security awareness and training programs improves staff behavior and reduces human risk but training alone does not set priorities or resolve conflicts between security objectives and business goals. Awareness supports alignment but it is not the primary mechanism for it.

Mandate strict policy enforcement across business units can produce rigid rules that hinder innovation and generate resistance. Strict enforcement without business input often leads to poor adoption and misaligned controls which weakens the effectiveness of security initiatives.

When a question asks about aligning security with strategy favor answers that emphasize stakeholder involvement and business context rather than only technical controls or blanket enforcement.

Question 7

You are the information security manager at Meridian Postal Services and the company will engage a fulfillment partner to manage customer mailings. What is the single most important action the information security manager should take before sharing customer data with the new partner?

  • ✓ D. Obtain a signed contract that binds the vendor to required security controls

The correct action is Obtain a signed contract that binds the vendor to required security controls.

A signed contract creates enforceable obligations that specify which security controls the vendor must implement and maintain. It defines responsibilities for data handling, breach notification, audit rights, liability and retention so the company has legal recourse if customer data is mishandled.

Securing a contract is the single most important step before sharing customer data because technical and personnel measures are valuable but do not establish legal requirements or enforcement mechanisms. The contract lets you require encryption, background checks and disaster recovery and it lets you verify and enforce those requirements.

Confirm the vendor maintains a proven disaster recovery and business continuity program is a useful verification of resilience but it is not sufficient on its own. Disaster recovery plans do not by themselves create legal obligations, define data handling rules or guarantee notification and remediation processes.

Perform background checks on the vendor’s personnel can reduce insider risk but it does not establish the vendor’s contractual responsibilities or provide rights to audit and enforce security controls if something goes wrong.

Implement end to end encryption for customer records prior to transfer is an important technical control but it does not replace the need for contractual terms that govern permitted use, retention, breach notification and liability. Encryption may also not address all processing needs.

Always verify a signed contract with clear security, audit and breach notification clauses before you hand over sensitive data.

Question 8

When an incident response manager receives a report of a suspected security breach what should they do first?

  • ✓ B. Confirm that the reported event is a legitimate security incident

The correct answer is Confirm that the reported event is a legitimate security incident.

Before starting containment or evidence collection the incident response manager should verify and triage the report to determine whether it is an actual security incident and to assess its scope and severity. This confirmation step prevents unnecessary disruption and ensures that resources are focused on real threats while enabling a proper investigation plan.

Collect and preserve system and application logs for analysis is essential for investigation and forensics but it normally follows initial confirmation and a coordinated preservation plan. Gathering logs without first confirming the incident can waste resources and may risk improper handling that affects evidence integrity.

Isolate the affected virtual machine instance is a containment action that is appropriate after the incident is confirmed and after you have considered preservation and business impact. Isolating too early can disrupt services or destroy volatile evidence that investigators need.

Verify and triage suspected incidents quickly using a checklist before taking containment or collection actions so you can protect evidence and avoid unnecessary disruption.

Question 9

When Acorn Insurance is confronted with a newly introduced regulatory mandate what should the information security manager undertake first?

  • ✓ B. Prepare and present a compliance business case to secure funding and authority

Prepare and present a compliance business case to secure funding and authority is the correct first action when Acorn Insurance faces a newly introduced regulatory mandate.

Preparing and presenting a business case secures the executive sponsorship, funding and formal authority needed to scope and implement the compliance response. With approval and resources in place the information security team can define priorities, obtain tools, hire or assign staff, and integrate the mandate into existing programs. The business case also frames the expected costs, benefits and timelines so leaders can make an informed decision quickly.

Perform a gap analysis against the new mandate is not the initial step because a gap analysis requires defined scope resources and authority to be meaningful. Running assessments before securing sponsorship risks producing findings that cannot be actioned or funded.

Update the enterprise risk register to reflect the new regulatory exposure is premature as a first action because the risk register entry should be based on an agreed assessment and remediation plan. The register is important but it follows once the mandate has been scoped and funding and roles have been established.

Escalate the matter to the executive compliance committee for direction is not ideal as the very first step because escalation without a recommended plan and a funding request may delay decisions. A concise business case allows the committee or executives to approve authority and resources and to direct implementation effectively.

Build a short business case first that highlights the need for authority and funding and the expected timeline so decision makers can act quickly and allocate resources before you start detailed assessments.

Question 10

Which approach most effectively maintains compliance as contract obligations evolve over time?

  • ✓ B. Adopt flexible contract lifecycle management with iterative reviews

Adopt flexible contract lifecycle management with iterative reviews is the best approach to maintain contractual compliance as obligations evolve over time.

This approach creates a central process for versioning agreements and tracking obligations while enabling scheduled and ad hoc reviews as circumstances change. It supports mapping contractual terms to operational controls and maintaining an audit trail for changes so that compliance can be demonstrated continuously rather than only at discrete points in time.

Conduct recurring external compliance audits is not the best choice because audits are periodic and reactive. External audits provide important validation but they do not by themselves ensure that evolving obligations are captured and acted on between audit cycles.

Organization Policy and Config Validator focus on enforcing technical and resource configuration policies within Google Cloud and Kubernetes. Those tools help with technical compliance and guardrails, but they do not manage contract language, stakeholder responsibilities, or the business processes needed to iterate contractual obligations over time.

Choose answers that emphasize continuous or iterative processes and built in governance when the question is about evolving obligations rather than one off checks or purely technical controls.


Question 11

Within a corporate risk framework what is the main purpose of the risk evaluation stage?

  • ✓ C. To decide if assessed risks fall within the organization’s acceptable thresholds

To decide if assessed risks fall within the organization’s acceptable thresholds is the correct option.

The risk evaluation stage compares the outputs of risk assessment against the organization’s risk criteria and appetite and determines whether risks are acceptable or require further action.

This stage helps decide which risks can be accepted, which must be treated, and how to prioritize limited resources to reduce residual risk to an acceptable level.

Cloud Identity and Access Management is incorrect because Identity and Access Management is a set of controls and services rather than the purpose of evaluating risk.

To carry out agreed risk treatment measures is incorrect because implementing treatments belongs to the risk treatment stage and not to evaluation.

To catalog potential risk scenarios is incorrect because cataloging is part of risk identification and assessment and occurs before evaluation.

Focus on the verb in the option. If it says decide or evaluate think about comparing to risk criteria and appetite. If it says implement or catalog then it is likely another stage.

Question 12

Which resource is most critical for identifying threats and weaknesses in a new payments application?

  • ✓ C. Internal security analysts with application security and cloud configuration expertise

The correct option is Internal security analysts with application security and cloud configuration expertise.

Internal security analysts with application security and cloud configuration expertise are most critical because they can perform threat modeling, review code, run targeted penetration tests, and examine cloud configurations in the context of the payments application. They can prioritize findings based on business risk and verify that remediation actually fixes the underlying issues. Automated tools and vendor reports provide inputs but those inputs must be interpreted and validated by skilled analysts who understand the application logic and the cloud environment.

Vendor security certifications and compliance reports are not the best answer because they describe implemented controls and historical compliance but they do not reveal application specific vulnerabilities or real time misconfigurations. They are useful for baseline assurance but they cannot replace active analysis and testing.

Automated cloud security platforms such as Google Cloud Security Command Center are valuable for detection and monitoring and they help surface misconfigurations and known vulnerabilities. They are not sufficient on their own because they require tuning and expert interpretation and they often miss business logic flaws and complex attack paths that experienced analysts can identify.

On scenario questions focus on which resource can both find issues and interpret them in context. Prefer answers that emphasize human expertise combined with tooling when asked about identifying threats and weaknesses.

Question 13

A multinational technology firm called Arcadia Systems keeps a separate backup appliance at each regional office for local snapshots and copies and the company is concerned about its ability to restore data after a large scale incident. Which element of this distributed backup design would likely be the most serious weakness?

  • ✓ D. The possibility that several regional sites will require backup services at the same time

The possibility that several regional sites will require backup services at the same time is the correct answer because concurrent demand across regions is the most likely factor to overwhelm a distributed set of local backup appliances and stop timely recovery.

Local appliances give fast restores for individual site failures but they assume that not many sites will need full restores at once. If a large scale incident drives simultaneous restores then network bandwidth, spare hardware, and operations capacity can be exhausted and recovery time objectives will be missed. Planning for concurrent restore capacity and offsite redundancy is essential to handle this risk.

Backup resources are distributed or allocated based on the timing of individual requests is incorrect because this describes a scheduling or allocation detail and it does not by itself create the systemic concurrency risk that simultaneous restores cause.

Google Cloud Storage multi region is incorrect because a multi region cloud storage service is an example of offsite redundancy that reduces dependence on regional appliances rather than creating the weakness. This option would normally help with mitigation unless the design specifically omits offsite copies.

Daily backup operations are confined to a narrow window is incorrect because a narrow backup window affects when backups complete and may complicate operations but it is less likely to be the single most serious weakness for recovery after a large scale incident compared with the risk of simultaneous regional restore demand.

When a question describes a large scale incident, focus on concurrent demand and shared resource limits rather than routine operational details.
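The concurrency risk in Question 13 can be made concrete with a small restore-capacity planner. This is an added example and not part of the original question set; the capacity figures (shared WAN bandwidth, spare appliances, restore engineers) and the per-site data volume are constructed assumptions. It shows why a design that meets its recovery time objective for a single site failure can miss it badly when many regions restore at once.

```python
"""Restore-capacity planner for a distributed backup design (added example).

Models three shared limits the explanation names: WAN bandwidth, spare
hardware, and operations staff.  All numbers are constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass
class RestoreCapacity:
    shared_wan_gbps: float      # WAN bandwidth shared by every regional restore
    spare_appliances: int       # spare appliances that can host a rebuild at once
    restore_engineers: int      # staff available to run restores concurrently
    sites_per_engineer: int = 2  # concurrent restores one engineer can supervise


@dataclass
class RestoreDemand:
    sites_restoring: int        # regional sites needing a full restore at once
    data_tb_per_site: float     # data volume to restore per site
    rto_hours: float            # recovery time objective for the whole event


def plan_restore(demand: RestoreDemand, capacity: RestoreCapacity) -> dict:
    """Estimate hours to restore every affected site and whether the RTO holds.

    Restores run in waves: each wave is limited by spare hardware and staff,
    and every wave shares the same WAN link, so time grows with total data.
    """
    staff_limit = capacity.restore_engineers * capacity.sites_per_engineer
    parallel_limit = min(capacity.spare_appliances, staff_limit)
    waves = math.ceil(demand.sites_restoring / parallel_limit)

    remaining = demand.sites_restoring
    hours = 0.0
    for _ in range(waves):
        in_wave = min(parallel_limit, remaining)
        remaining -= in_wave
        gigabits = in_wave * demand.data_tb_per_site * 8000  # 1 TB = 8000 Gb
        hours += gigabits / capacity.shared_wan_gbps / 3600

    if waves == 1:
        bottleneck = "bandwidth"
    elif capacity.spare_appliances <= staff_limit:
        bottleneck = "spare hardware"
    else:
        bottleneck = "operations staff"

    return {
        "hours": round(hours, 1),
        "waves": waves,
        "bottleneck": bottleneck,
        "meets_rto": hours <= demand.rto_hours,
    }


# Constructed capacity: 10 Gbps shared WAN, 4 spare appliances, 3 engineers.
CAPACITY = RestoreCapacity(shared_wan_gbps=10, spare_appliances=4,
                           restore_engineers=3)

if __name__ == "__main__":
    # A single regional failure: 20 TB, 8 hour RTO.
    print(plan_restore(RestoreDemand(1, 20, 8), CAPACITY))
    # A large scale incident: twelve regions restoring at the same time.
    print(plan_restore(RestoreDemand(12, 20, 8), CAPACITY))
```

The single-site case completes in under five hours, well inside the RTO; the twelve-site case needs three waves of restores over the shared link and takes more than two days. Changing the constants lets a planner see which limit (bandwidth, hardware or staff) to invest in.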

Question 14

Which action would most strengthen an organization’s information security governance framework?

  • ✓ C. Embed risk management in daily operations and strategic planning

The correct choice is Embed risk management in daily operations and strategic planning.

This option strengthens governance because it makes risk awareness and treatment part of routine decision making and business strategy. Embedding risk processes ensures that security considerations influence priorities and resource allocation across the organization and that governance is proactive rather than reactive.

When risk management is integrated into operations there is continuous identification and mitigation of threats and management can measure and report on risk against defined appetite. That alignment between operations and strategic planning supports consistent oversight and long term resilience.

Define clear roles and responsibilities for security governance is necessary as a foundation because people need to know who is accountable and who is responsible. However clear roles alone do not ensure that risk is managed continuously or that security is integrated into every business decision.

Empower internal auditors to assess and report on governance activities provides valuable assurance and transparency and it helps verify that controls are working. Auditing is typically retrospective and it does not by itself embed risk management into daily operations or strategic planning.

Focus on answers that describe ongoing, organization wide practices that change how decisions are made. Prioritize options that embed or integrate risk into processes rather than options that only add structure or periodic review.

Question 15

A regional insurance firm is adopting a bring your own device policy that permits employees to use personal phones and laptops for company work. As the head of information security what would be your primary concern?

  • ✓ D. Potential for inconsistent device configurations and loss of control over security settings

The correct answer is Potential for inconsistent device configurations and loss of control over security settings.

A bring your own device program increases the variety of operating system versions and vendor defaults that the company must interact with, and this makes it easy for devices to drift into insecure states. Unmanaged or inconsistently configured endpoints can lack required encryption or patching and they can have settings that permit data exfiltration or malware persistence, which makes Potential for inconsistent device configurations and loss of control over security settings the primary concern from an information security perspective.

Addressing this concern requires a combination of device inventory controls, mobile device management or endpoint management, and conditional access so that the firm can enforce baseline security settings and remove or quarantine noncompliant devices before they access corporate data.

Higher demand for helpdesk support for a wide variety of devices is an operational impact and it will increase costs and complexity, but it is not the primary security risk. The question asks for the information security head's primary concern, and helpdesk load is secondary to security posture.

Complexity of integrating Cloud Identity for centralized access control may be a technical challenge and it can be mitigated by planning and using vendor guidance, but it is an implementation detail rather than the core security risk that arises from uncontrolled device configurations.

Employees not using the latest phone and laptop models can increase vulnerability exposure, but the main issue is not the device age by itself. The central problem is inconsistent configuration and lack of enforcement of security controls rather than whether each device is the latest model.

When you see BYOD questions focus on control of device security posture and enforcement mechanisms rather than on operational annoyances or implementation details.
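The enforcement side of the Question 15 explanation (inventory, a security baseline, and a conditional access decision that quarantines or blocks noncompliant devices) looks like this when written out. This is an added example rather than anything from the course material; the baseline thresholds, the device records, and the allow/quarantine/block policy are all constructed assumptions.

```python
"""Device posture check feeding a conditional access decision (added example).

Each inventory record is compared with a security baseline.  Enrolled devices
that drift from the baseline are quarantined until remediated; devices that
are not under management at all are blocked, because no setting can be
enforced on them.  Baseline values and records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    device_id: str
    owner: str
    os_name: str
    os_version: tuple        # e.g. (17, 2) for 17.2
    mdm_enrolled: bool
    disk_encrypted: bool
    screen_lock: bool
    last_patch: date


# Constructed baseline: minimum OS versions and maximum patch age.
MIN_OS_VERSION = {"ios": (17, 0), "android": (14, 0),
                  "windows": (10, 0), "macos": (14, 0)}
MAX_PATCH_AGE_DAYS = 30


def evaluate_device(device: Device, today: date) -> tuple[str, list[str]]:
    """Return (decision, findings) where decision is allow, quarantine or block."""
    findings = []
    if not device.mdm_enrolled:
        findings.append("not enrolled in device management")
    if not device.disk_encrypted:
        findings.append("storage not encrypted")
    if not device.screen_lock:
        findings.append("screen lock disabled")
    minimum = MIN_OS_VERSION.get(device.os_name)
    if minimum is None:
        findings.append(f"unsupported operating system {device.os_name}")
    elif device.os_version < minimum:
        findings.append("operating system below minimum version")
    if (today - device.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")

    if not findings:
        return "allow", findings
    if not device.mdm_enrolled:
        return "block", findings        # cannot enforce or remediate remotely
    return "quarantine", findings       # enrolled: hold until settings are fixed


def conditional_access(devices: list[Device], today: date) -> dict[str, str]:
    """Map every device id to its access decision."""
    return {d.device_id: evaluate_device(d, today)[0] for d in devices}


# Constructed inventory snapshot.
TODAY = date(2024, 6, 1)
FLEET = [
    Device("phone-01", "alice", "ios", (17, 4), True, True, True, date(2024, 5, 20)),
    Device("laptop-02", "bob", "windows", (10, 0), True, False, True, date(2024, 3, 1)),
    Device("phone-03", "carol", "android", (12, 0), False, True, False, date(2024, 5, 28)),
    Device("laptop-04", "dave", "linux", (6, 8), True, True, True, date(2024, 5, 30)),
]

if __name__ == "__main__":
    for device in FLEET:
        print(device.device_id, evaluate_device(device, TODAY))
```

The findings list is what an endpoint team would hand back to the user or the helpdesk; the decision is what the identity provider or access gateway acts on. Keeping the two separate makes the policy auditable against the baseline.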

Question 16

What is the first action to take to enable secure data sharing with an overseas partner?

  • ✓ B. Perform a legal and regulatory review of the host country’s data protection requirements

The correct answer is Perform a legal and regulatory review of the host country’s data protection requirements.

That review must come first because laws and regulations determine whether personal or sensitive data can be transferred overseas and what specific safeguards are required. Understanding the legal landscape tells you if transfers are permitted, whether you need additional contractual mechanisms or transfer instruments, and what technical controls are mandatory to meet compliance.

Implement Google Cloud VPC Service Controls is a useful technical control to limit service access and reduce exfiltration risk, but it does not address whether a cross border transfer is legally allowed or what regulatory obligations apply.

Use mutual encryption with managed keys provides strong protection for data in transit and at rest, but encryption alone does not satisfy legal or regulatory requirements when a jurisdiction forbids transfers or requires specific contractual or procedural steps.

Establish a data processing agreement with the partner is an important contractual step and it is often required, but you should perform the legal and regulatory review first so the agreement can be drafted to meet the specific obligations and permitted transfer mechanisms identified by that review.

When questions involve cross border data sharing focus first on legal and regulatory constraints because they determine which technical and contractual controls are required.

Question 17

When updating a Business Impact Analysis for a regional healthcare provider to reflect current continuity requirements what step should be taken first?

  • ✓ C. Perform a risk assessment to identify new threats to critical functions

The correct answer is Perform a risk assessment to identify new threats to critical functions.

A risk assessment is the right first step because a Business Impact Analysis must be informed by the current threat landscape and by how those threats affect people, processes, and technology. The risk assessment identifies new threats and vulnerabilities and helps quantify likelihood and impact so recovery priorities and resource needs in the BIA can be updated accurately. Without completing the risk assessment you cannot reliably determine which functions have changed criticality or which dependencies require different continuity measures.

Cloud Monitoring is not correct because it is an operational telemetry and alerting tool and it does not perform the strategic analysis needed to identify new threats to business functions. Monitoring data can support an assessment later but it does not replace a formal risk assessment.

Audit existing continuity plans for alignment with strategic goals is an important follow up activity but it is not the first step. You should first identify new threats and impacts so that the audit can verify whether plans still meet the updated risks and recovery objectives.

Engage senior leadership to confirm business priorities is a necessary activity for validation and sponsorship but it is not the initial action. Leadership engagement is best informed by initial risk findings so that priorities can be confirmed against concrete changes in risk and impact.

When deciding the first step in continuity or BIA questions focus on actions that discover current threats and impacts before actions that only validate or document existing plans.

Question 18

Which method most effectively isolates corporate data on employee owned mobile devices?

  • ✓ B. Deploy a containerized work profile

The correct option is Deploy a containerized work profile.

A containerized work profile creates a clear separation between corporate apps and data and personal apps and data on employee owned devices. IT can manage apps and policies inside the work profile and perform a selective wipe to remove only corporate data while leaving personal content intact. This makes the work profile the most effective choice for BYOD scenarios where isolation and selective management are required.

Use Google Endpoint Management is not the best answer on its own because endpoint management is a broader toolset for enforcing policies and managing devices. It can work together with a work profile but it does not by itself provide the same built in isolation and selective wipe capability that a containerized work profile provides.

Apply device level encryption is not sufficient because encryption protects data at rest but it does not separate corporate data from personal data and it does not enable selective wiping of only corporate content. Device encryption is useful for security but it does not meet the isolation requirements for BYOD environments.

When a question asks about isolating corporate data on employee owned devices look for answers that mention work profile or containerization because these provide separation and selective wipe without impacting personal data.

Question 19

An information security team at Meridian Health Systems has been asked to create an asset classification policy and locate confidential records across departments. Which stakeholders would provide the most relevant input to identify sensitive business data?

  • ✓ C. Owners of business functions

The correct option is Owners of business functions.

Owners of business functions are accountable for the business processes and for the data those processes generate and maintain. They understand the legal, regulatory, and business requirements for confidentiality and they can identify which records are sensitive across departments. Their decisions determine classification labels and retention requirements and their input is essential when locating confidential records.

Owners of business functions also coordinate with technical teams and with data stewards to implement controls and to operationalize classification. Business owners have the authority to declare data as confidential and to prioritize protections based on business impact.

End users can provide useful details about how data is used and where it is kept but they typically lack the authority and the enterprise-wide visibility to set classification policy or to decide what is business sensitive.

IT administrators are responsible for implementing technical controls and for managing systems but they do not normally define the business sensitivity of information. They act on requirements set by owners and stewards rather than making the classification decisions themselves.

Data stewards are important for data quality, metadata, and operational handling and they provide valuable contextual knowledge. They usually support and enforce classification work but they are not the primary decision makers who accept business accountability for classifying and protecting data.

When answering stakeholder questions look for the roles that hold accountability and authority for data. Those roles are the best source for classification decisions and for locating confidential records.

Question 20

Before approving a platform initiative that could introduce new vulnerabilities, what should be evaluated first?

  • ✓ B. If project risks exceed the organization’s risk appetite

If project risks exceed the organization’s risk appetite is correct. You must first determine whether the risks the platform initiative introduces are acceptable to the organization before you approve the work.

This check is the primary gate because an initiative that pushes risks beyond the organization’s tolerance should be paused or redesigned even if it offers strong benefits. Assessing whether project risks exceed the organization’s risk appetite ensures leadership can make an informed go or no go decision and it frames what level of mitigation is required if the project proceeds.

Cloud services intended for use is not the first thing to evaluate because identifying which services are planned is useful only after you know whether the overall risk posture is acceptable. Service selection matters for implementation details, but it does not replace the initial assessment of risk appetite.

Planned security controls and mitigation plans are important, but they come after you determine whether the project risks sit within the organization’s appetite. Controls may reduce risk, but you first need to know if the residual risk after those controls would still exceed the organization’s limits.

On risk questions pick the option that refers to the organization’s risk appetite first, and then evaluate controls and specific services if the risk can be brought within acceptable limits.
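The ordering argued in Question 20 (check the inherent risk against appetite first, and only then ask whether planned controls bring the residual risk within limits) can be written as a small approval gate. This is an added example, not part of the course material; the five-point likelihood and impact scale, the per-category appetite thresholds, and the sample risks and controls are constructed assumptions.

```python
"""Project approval gate driven by risk appetite (added example).

Step 1 compares each inherent risk (likelihood x impact on a constructed
1-5 scale) with the appetite for its category.  Only if something is over
appetite does step 2 look at planned controls to see whether the residual
risk fits.  Thresholds, risks and controls are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    applies_to: str            # name of the risk the control treats
    likelihood_reduction: int = 0
    impact_reduction: int = 0


# Constructed appetite: maximum tolerated likelihood x impact per category.
RISK_APPETITE = {"data_breach": 6, "availability": 9, "compliance": 4}


def inherent_score(risk: Risk) -> int:
    return risk.likelihood * risk.impact


def residual_score(risk: Risk, controls: list[Control]) -> int:
    """Apply every control that treats this risk; scores never drop below 1."""
    likelihood, impact = risk.likelihood, risk.impact
    for control in controls:
        if control.applies_to == risk.name:
            likelihood = max(1, likelihood - control.likelihood_reduction)
            impact = max(1, impact - control.impact_reduction)
    return likelihood * impact


def approval_gate(risks: list[Risk], planned_controls: list[Control]) -> tuple[str, list[str]]:
    """Return (decision, risks_needing_attention).

    approve                  -> every inherent risk is already within appetite
    approve_with_conditions  -> over-appetite risks fall within it once the
                                planned controls are in place (controls become
                                conditions of approval)
    redesign                 -> at least one risk stays over appetite even with
                                the planned controls
    """
    over_appetite = [r for r in risks
                     if inherent_score(r) > RISK_APPETITE[r.category]]
    if not over_appetite:
        return "approve", []
    still_over = [r.name for r in over_appetite
                  if residual_score(r, planned_controls) > RISK_APPETITE[r.category]]
    if still_over:
        return "redesign", still_over
    return "approve_with_conditions", [r.name for r in over_appetite]


# Constructed risks for a hypothetical platform initiative.
RISKS = [
    Risk("public API exposes customer records", "data_breach", 4, 4),
    Risk("new region outage", "availability", 2, 3),
]
# Constructed planned controls: authentication and field-level encryption on the API.
CONTROLS = [Control("public API exposes customer records",
                    likelihood_reduction=3, impact_reduction=1)]

if __name__ == "__main__":
    print(approval_gate(RISKS, []))         # no controls planned yet
    print(approval_gate(RISKS, CONTROLS))   # controls bring residual within appetite
```

Without controls the API risk scores 16 against an appetite of 6, so the gate returns redesign; with the planned controls the residual score is 3 and the initiative is approved with those controls as conditions. The cloud services chosen for the build never enter the decision, which is the point the explanation makes.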


Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.