Free CISM Exam Sample Questions

Credly ISACA CISM Certification Badge
All questions and answers come from my ISACA CISM Udemy course and certificationexams.pro

ISACA Certified Information Security Manager (CISM) Exam Topics Test

The ISACA Certified Information Security Manager (CISM) exam validates your ability to design, manage, and govern enterprise information security programs that align with business goals and regulatory requirements.

It focuses on information security governance, risk management, security program development, and incident management. These domains are essential for professionals responsible for safeguarding organizational assets and maintaining compliance with global standards.

To prepare effectively, explore these CISM Practice Questions that reflect the format, logic, and depth of the real certification exam.

You will find Real CISM Exam Questions that simulate practical information security management challenges, along with CISM Sample Questions covering governance frameworks, risk response strategies, and incident response processes.

ISACA CISM Exam Simulator

Each section includes CISM Questions and Answers created to teach as well as test.

These scenario-based exercises strengthen your understanding of how to design, implement, and manage effective information security programs. Explanations show not only which answer is correct but also why, helping you reason through governance, compliance, and risk management decisions.

For further preparation, use the CISM Exam Simulator and take full-length CISM Practice Tests that measure your progress. These tests reproduce the pacing and difficulty level of the actual ISACA exam, helping you gain confidence with time management and scenario-based analysis.

If you prefer focused study sessions, the CISM Exam Dump, CISM Braindump, and CISM Questions and Answers collections group authentic practice items by topic such as risk identification, policy design, and incident response coordination. These help you review specific areas where deeper understanding is needed.

Mastering these CISM Exam Questions gives you the skills and confidence to pass the certification and apply your knowledge in real enterprise environments. You will be ready to lead, govern, and protect information systems while aligning security programs with organizational objectives.

Start your journey today with the CISM Practice Questions, train using the CISM Exam Simulator, and measure your readiness with comprehensive CISM Practice Tests. Prepare to earn your certification and advance your career as a trusted information security manager.


ISACA Sample Questions

Question 1

When consolidating a large Wi-Fi deployment into an existing wired infrastructure at a regional college, which approach most effectively enforces device level access so that only preapproved devices with known hardware identifiers are allowed to connect?

  • ❏ A. Implementing 802.1X authentication with per device certificates

  • ❏ B. Requiring all wireless users to connect through a client VPN

  • ❏ C. Enforcing device registration using MAC address allow lists

  • ❏ D. Placing a stateful perimeter firewall to filter wireless traffic

Question 2

Which role is accountable for classifying corporate data and ensuring that the required safeguards are applied?

  • ❏ A. Data Steward

  • ❏ B. Chief Information Officer

  • ❏ C. Data Owner

Question 3

After completing a security review of an operational application the information security lead uncovers residual vulnerabilities and risks. Who should the lead notify and what should they propose?

  • ❏ A. Inform the engineering team about residual risks and work with them to implement fixes

  • ❏ B. Notify the application owner of remaining vulnerabilities and recommend remediation steps

  • ❏ C. Escalate the residual risks to the risk and compliance committee for formal risk acceptance

  • ❏ D. Incorporate the assessment findings into the enterprise security program and adjust organizational controls

Question 4

What is the primary advantage of implementing robust configuration management in an enterprise IT environment?

  • ❏ A. Cloud Identity

  • ❏ B. Faster and more reliable deployments

  • ❏ C. Reduced operational and security risk

Question 5

You are the Information Security Manager at Meridian Tech and you must ensure that corporate data stays protected when an employee departs the company. Which action will most effectively protect the data?

  • ❏ A. Conduct a structured exit interview with the departing employee

  • ❏ B. Immediately disable the departing employee’s logical accounts and revoke their credentials

  • ❏ C. Cloud Identity and Access Management

  • ❏ D. Encrypt all sensitive repositories so the information is unreadable after the employee leaves

Question 6

Which perspective is most useful for evaluating a cloud platform’s security readiness for adoption?

  • ❏ A. Internal IT assessment

  • ❏ B. Independent third party audit

  • ❏ C. Platform vendor CTO

Question 7

NimbusSoft is preparing to deploy a new platform that will store confidential customer records and its board has asked which approach would most effectively prevent unauthorized access to that data?

  • ❏ A. Apply Data Loss Prevention and tokenization

  • ❏ B. Enforce Identity and Access Management with least privilege

  • ❏ C. Conduct mandatory user security awareness training

  • ❏ D. Encrypt sensitive data at rest and during transit

Question 8

When integrating information security into the enterprise strategic planning cycle what should the Chief Information Security Officer emphasize?

  • ❏ A. Establishing operational security metrics and dashboards

  • ❏ B. Aligning security objectives with the organization’s strategic business goals

  • ❏ C. Adopting an enterprise security framework such as ISO 27001

Question 9

Which system provides a unified time reference so investigators can align logs from many devices when examining a security incident?

  • ❏ A. Cloud Audit Logs

  • ❏ B. Domain Name System

  • ❏ C. Network time server

  • ❏ D. Proxy server

Question 10

What method most reliably confirms that firewall rules and router settings are configured correctly to enforce policy?

  • ❏ A. Continuously monitor live network traffic for anomalies

  • ❏ B. Rely solely on automated vulnerability scanners

  • ❏ C. Perform scheduled configuration audits of firewalls and routers

Question 11

Cedar Street Financial plans to partner with a rapid development studio named SwiftForge and the two organizations follow different cybersecurity controls. When creating shared security procedures for the collaboration what should be the primary concern?

  • ❏ A. Evaluate the financial and operational cost of implementing joint controls

  • ❏ B. Use GCP Organization Policy and Cloud IAM roles as a common technical baseline

  • ❏ C. Give precedence to the policies of the partner with the most mature cybersecurity program

  • ❏ D. Harmonize both parties’ security controls to ensure combined security is not degraded

Question 12

When conducting a business continuity exercise what is the most important consideration to account for?

  • ❏ A. Validate recovery time and recovery point objectives

  • ❏ B. Include mission critical systems in the test

  • ❏ C. Test backup generator capacity and fuel reserves

Question 13

You serve as the Information Security Lead for a multinational online retailer and a security event has impacted one of your Frankfurt data centers. What should be the primary concern when establishing the order of response actions?

  • ❏ A. Assessing the likely reputation and media fallout across European news outlets

  • ❏ B. Identifying the specific systems, databases, and categories of data that were affected

  • ❏ C. Mapping the geographic distribution of impacted customers and endpoints

  • ❏ D. Engaging the local operations team to understand their containment steps

Question 14

In a biometric access system what does the Equal Error Rate indicate about the false acceptance and false rejection rates?

  • ❏ A. The threshold that minimizes the combined False Acceptance and False Rejection rates

  • ❏ B. The point where False Acceptance Rate equals False Rejection Rate

  • ❏ C. The rate at which unauthorized users are incorrectly granted access

Question 15

How does a security manager gain an immediate advantage when job duties and responsibilities are explicitly assigned throughout the organization?

  • ❏ A. Segregation of duties

  • ❏ B. Cloud Identity and Access Management

  • ❏ C. Clear accountability for actions

  • ❏ D. Improved compliance with policies

Question 16

What is the first action an organization should take to start an organization wide business continuity planning program?

  • ❏ A. Provision secondary resources in Google Cloud

  • ❏ B. Conduct a business impact analysis

  • ❏ C. Identify critical business functions

Question 17

In which situation should a regional bank prioritize continuous monitoring of security controls instead of periodic spot checks?

  • ❏ A. Online sales drive most of the company revenue

  • ❏ B. Regulatory requirements mandate ongoing security surveillance

  • ❏ C. Incidents occur frequently and they result in substantial operational impact

  • ❏ D. Events are rare but would cause severe disruption if they happen

Question 18

What should be the primary purpose of a security playbook within an organization?

  • ❏ A. Providing reusable templates and operational checklists for technical teams

  • ❏ B. Communicating the organization’s approved security practices and standards

  • ❏ C. Serving as documentary evidence for audits or regulatory reviews

Question 19

A rapid intrusion has impacted Aquila Tech’s hybrid server estate and created an urgent incident. While the incident response team works to contain the intrusion you are the Chief Information Security Officer and must determine who initiated the attack and what their intent was. What immediate action will yield the most useful evidence about the origin and purpose of the intrusion?

  • ❏ A. Capture forensic disk and memory images from the affected hosts

  • ❏ B. Quarantine the compromised network segment

  • ❏ C. Collect and analyze server and firewall logs immediately

  • ❏ D. Enable VPC Flow Logs for the impacted virtual networks

Question 20

When handling customer payments online which area should receive the greatest emphasis on security?

  • ❏ A. Google Cloud Armor

  • ❏ B. PCI DSS compliance

  • ❏ C. Encrypted payment handling and fraud prevention

  • ❏ D. User experience design

Question 1

When consolidating a large Wi-Fi deployment into an existing wired infrastructure at a regional college, which approach most effectively enforces device level access so that only preapproved devices with known hardware identifiers are allowed to connect?

  • ✓ C. Enforcing device registration using MAC address allow lists

Enforcing device registration using MAC address allow lists is correct because it enforces device level access by allowing only preapproved hardware identifiers to associate with the wireless network.

MAC address allow lists work by registering each device’s hardware MAC address in the access point or switch and permitting association only for those registered addresses. This directly implements the requirement to restrict connectivity to known hardware identifiers and it is applied at the network access layer so unauthorized devices cannot join the wireless LAN.

MAC allow lists have real operational and security limitations. MAC addresses travel unencrypted in 802.11 frame headers even on WPA protected networks, so anyone within radio range can observe a registered address and spoof it. Modern client operating systems also randomize MAC addresses per network by default, so registered devices can silently stop matching the list, and maintaining large lists is administratively costly. For stronger assurance of device identity you would normally use certificate based methods, but the question specifically targets enforcement based on hardware identifiers.

Implementing 802.1X authentication with per device certificates is not the best match for this question because it relies on cryptographic certificates and identity based authentication rather than admitting devices strictly by their hardware MAC addresses. It is a more robust security control in general but it does not satisfy the stated requirement to enforce access by known hardware identifiers.

Requiring all wireless users to connect through a client VPN is incorrect because a VPN authenticates and protects user traffic after the device has already connected to the wireless network. A VPN does not prevent an unauthorized device from associating to the wireless SSID based on its hardware identifier.

Placing a stateful perimeter firewall to filter wireless traffic is incorrect because a firewall controls traffic flows between network segments and does not enforce per device admission at the Wi Fi association layer. It cannot by itself restrict which hardware devices are allowed to join the wireless LAN.

Look carefully for wording such as hardware identifiers or device registration in the question and match that to options that operate at the network access layer, while also noting practical security trade offs.
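To make the mechanism and its weak points concrete, here is an added example that is not part of the original question bank: a minimal allow list check that canonicalizes the notations administrators actually type (colon, hyphen, Cisco dotted), admits only registered addresses, and flags locally administered addresses, the form that client MAC randomization produces. The addresses and the allow list are constructed for illustration.

```python
# Added example (not from the original question bank): a MAC address allow
# list check that also surfaces why such lists are weak. Every address below
# is constructed for illustration.
import re
from typing import List, Set, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize colon, hyphen or Cisco dotted notation to 'aa:bb:cc:dd:ee:ff'."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(hex_only):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomized MAC addresses generated by current client operating systems
    set this bit, so a device using randomization presents an address that
    was never registered and will not match the allow list.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def build_allow_list(registered: List[str]) -> Set[str]:
    """Registered hardware identifiers in canonical form."""
    return {normalize_mac(m) for m in registered}


def admit(mac: str, allow_list: Set[str]) -> Tuple[bool, str]:
    """Decide an association request purely on the presented hardware identifier.

    Note the limitation this makes visible: the function cannot tell a
    registered device from another device presenting the same address, so a
    spoofed registered MAC is admitted exactly like the real one.
    """
    try:
        canon = normalize_mac(mac)
    except ValueError as exc:
        return False, str(exc)
    if canon in allow_list:
        return True, "registered hardware identifier"
    if is_locally_administered(canon):
        return False, "locally administered (randomized?) address; not a registrable identifier"
    return False, "unknown hardware identifier"


# Constructed registry, deliberately mixing the notations admins paste in.
REGISTERED = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5f", "00-1A-2B-3C-4D-60"]
ALLOW = build_allow_list(REGISTERED)

if __name__ == "__main__":
    for probe in ["00:1a:2b:3c:4d:5e", "001A.2B3C.4D5F", "02:11:22:33:44:55",
                  "00:1a:2b:3c:4d:99", "bogus"]:
        print(f"{probe:20} -> {admit(probe, ALLOW)}")
```

The registered address is admitted regardless of which radio sends it, which is the spoofing weakness the explanation describes; the `02:` address is rejected as locally administered, which is what a phone with per-network MAC randomization looks like to the controller.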

Question 2

Which role is accountable for classifying corporate data and ensuring that the required safeguards are applied?

  • ✓ C. Data Owner

The correct option is Data Owner.

Data Owner is the person or role that is ultimately accountable for classifying corporate data and for ensuring that required safeguards are applied. The data owner defines classification levels, approves access and handling rules, and authorizes protective controls and retention decisions. Being accountable means the data owner makes risk acceptance decisions and ensures compliance with legal and regulatory obligations for the data they own.

Data Steward is incorrect because stewards typically implement and maintain data policies and processes rather than hold final accountability. A steward supports the data owner by managing quality and enforcement but does not usually make ownership or risk acceptance decisions.

Chief Information Officer is incorrect because the CIO provides executive oversight and strategy for information management across the organization rather than owning and classifying specific data assets. The CIO may sponsor governance and allocate resources but the responsibility for classifying particular data sets rests with the data owner.

Focus on the word accountable when reading role questions. The role with owner in its name is usually the one with final responsibility for classification and safeguards, while stewards and executives typically support or govern.

Question 3

After completing a security review of an operational application the information security lead uncovers residual vulnerabilities and risks. Who should the lead notify and what should they propose?

  • ✓ B. Notify the application owner of remaining vulnerabilities and recommend remediation steps

Notify the application owner of remaining vulnerabilities and recommend remediation steps is correct.

This is correct because the application owner remains accountable for the application and for accepting or rejecting residual risk. The information security lead should document the vulnerabilities, propose concrete remediation steps and timelines, and work with the owner and engineering to validate the fixes once they are implemented.

Inform the engineering team about residual risks and work with them to implement fixes is not the best answer because telling only engineering skips the accountability that rests with the application owner and it does not formally capture risk acceptance or prioritization.

Escalate the residual risks to the risk and compliance committee for formal risk acceptance is incorrect as the immediate step because committees are for formal acceptance when the owner cannot remediate. The owner should be notified first and given remediation options before routine escalation.

Incorporate the assessment findings into the enterprise security program and adjust organizational controls is a valid long term action but it does not address the urgent need to notify the application owner and propose remediation for an operational application.

When answering look for the party that owns the application and the answer that proposes practical remediation rather than only governance actions.

Question 4

What is the primary advantage of implementing robust configuration management in an enterprise IT environment?

  • ✓ C. Reduced operational and security risk

The correct option is Reduced operational and security risk.

Reduced operational and security risk is the primary benefit because robust configuration management enforces consistent system state across environments and prevents configuration drift that often causes outages and security exposures.

Using declarative configurations and automated policy enforcement makes changes auditable and repeatable. This lets teams detect and remediate misconfigurations quickly, reduce human error, and apply security patches uniformly, all of which contribute to lower operational and security risk.

Cloud Identity is incorrect because it is an identity and access management service and not a configuration management practice that directly provides the enterprise level consistency and risk reduction described in the question.

Faster and more reliable deployments is not the best choice because while configuration management can enable faster and more consistent deployments this is a secondary benefit. The question asks for the primary enterprise benefit which is the reduction of operational and security risk.

Focus on the word primary when reading options and choose the benefit that most directly addresses enterprise stability and compliance rather than secondary advantages.

Question 5

You are the Information Security Manager at Meridian Tech and you must ensure that corporate data stays protected when an employee departs the company. Which action will most effectively protect the data?

  • ✓ B. Immediately disable the departing employee’s logical accounts and revoke their credentials

Immediately disable the departing employee’s logical accounts and revoke their credentials is the most effective action to protect corporate data when an employee leaves the company.

Disabling accounts and revoking credentials severs access at the source and prevents a former employee from using existing passwords, tokens, or active sessions to reach systems or sensitive data.

This should be done promptly and followed by recovering company devices, rotating any shared credentials or keys the person had access to, and reviewing audit logs for signs of unauthorized activity.

Conduct a structured exit interview with the departing employee is a useful HR step for understanding reasons for departure and retrieving property, but it does not by itself remove technical access and so it will not prevent immediate misuse of accounts.

Cloud Identity and Access Management describes a set of tools and controls rather than a discrete action. It is relevant to access control, but selecting the product name alone does not satisfy the requirement to immediately revoke access unless you explicitly disable accounts and revoke credentials.

Encrypt all sensitive repositories so the information is unreadable after the employee leaves is a sound long term control but it does not stop someone who already held decryption access or cached credentials. Encryption also may be impractical to apply retroactively compared with the immediate protection gained by revoking access.

For offboarding questions choose the option that immediately removes access and then follow up with audit and credential rotation to fully secure systems.

Question 6

Which perspective is most useful for evaluating a cloud platform’s security readiness for adoption?

  • ✓ B. Independent third party audit

Independent third party audit is the most useful perspective to evaluate a cloud platform’s security readiness for adoption.

Independent third party audit provides an objective assessment against established security standards and frameworks and it delivers documented evidence of controls and their effectiveness. Audit reports and certifications are produced by qualified assessors who operate independently from the platform vendor and they allow organizations to compare providers on a consistent basis. Relying on this external validation helps reduce bias and supports regulatory and risk decisions in ways that internal or vendor perspectives cannot.

Internal IT assessment reflects the organization’s own viewpoint and may lack independence and the external rigor needed to fully evaluate a cloud provider’s controls. It can be a useful complement but it does not substitute for a formal independent audit when assessing a new platform for adoption.

Platform vendor CTO can explain architecture and design intent and they are useful for clarifying implementation details. Their perspective is not independent though and it may emphasize strengths while downplaying limitations, so vendor statements should be supported by independent audit evidence.

Prefer independent sources such as audit reports and certifications when judging a cloud platform and use vendor or internal views only to provide additional context.

Question 7

NimbusSoft is preparing to deploy a new platform that will store confidential customer records and its board has asked which approach would most effectively prevent unauthorized access to that data?

  • ✓ D. Encrypt sensitive data at rest and during transit

The correct option is Encrypt sensitive data at rest and during transit.

Encrypting sensitive data at rest and in transit is the most direct technical control because encryption renders the data unreadable to anyone who does not hold the cryptographic keys. Strong encryption of stored data and of data moving across networks preserves confidentiality even if storage media are stolen or traffic is intercepted. Key management, key rotation, and strict control over who may use the keys are what keep that protection effective: encryption at rest is transparent to any principal already authorized to read the data, so it must be paired with access control rather than replace it.

The option Apply Data Loss Prevention and tokenization is not the best single answer because data loss prevention and tokenization help reduce exposure and assist with classification. These methods are valuable but they do not by themselves guarantee that data is unreadable if storage or transport are compromised.

The option Enforce Identity and Access Management with least privilege is important for controlling who can access data but it does not protect the data if credentials are stolen or if the underlying storage is exfiltrated. Access controls are complementary and work best when combined with encryption.

The option Conduct mandatory user security awareness training helps reduce human risk and is a necessary part of a security program. Training alone cannot technically prevent unauthorized access to data that is exposed through lost media or intercepted in transit.

Prioritize the control that directly protects data confidentiality when a question asks about preventing unauthorized access. Encryption is the primary technical safeguard and other measures serve as important complements.

Question 8

When integrating information security into the enterprise strategic planning cycle what should the Chief Information Security Officer emphasize?

  • ✓ B. Aligning security objectives with the organization’s strategic business goals

The correct option is Aligning security objectives with the organization’s strategic business goals.

Aligning security objectives with the organization’s strategic business goals ensures that security efforts directly support business value and decision making. Integrating security into the strategic planning cycle means defining security priorities in terms of business risk, resource allocation, and measurable outcomes so that security enables and protects business initiatives.

Establishing operational security metrics and dashboards is important for monitoring and reporting but it is a tactical activity. Metrics and dashboards track performance after strategic priorities are set and they do not by themselves establish alignment with business strategy.

Adopting an enterprise security framework such as ISO 27001 can provide useful structure and controls but it is an implementation choice. Selecting and implementing a framework should follow from a clear alignment between security objectives and business goals so that the framework maps to what the organization needs to protect and enable.

Choose the answer that ties security to business outcomes and governance rather than to operational controls or specific frameworks. Think about what drives strategic planning and which option affects decisions at the executive level.

Question 9

Which system provides a unified time reference so investigators can align logs from many devices when examining a security incident?

  • ✓ C. Network time server

The correct answer is Network time server.

Network time server provides a single authoritative clock to many devices by distributing time using protocols such as NTP. When every device is synchronized to that reference and records timestamps in UTC or with an explicit offset, investigators can align logs from different systems so timestamps match and the ordering of events is accurate across the environment.

Cloud Audit Logs records actions and includes timestamps but it is a logging service rather than a time authority. It cannot synchronize clocks across devices and so it does not provide the unified time reference investigators need.

Domain Name System resolves hostnames to IP addresses and it does not provide time synchronization. DNS helps locate services but it does not act as an authoritative clock for aligning timestamps.

Proxy server forwards or mediates network traffic and it may record timestamps for requests but it is not intended to synchronize system clocks across multiple devices. A proxy cannot replace a network time server as the unified time reference.

When a question asks about aligning logs across systems look for an answer that provides an authoritative clock such as a network time server because consistent timestamps are required to correlate events.
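The following is an added example, not part of the original question bank, showing what the "unified time reference" buys an investigator in practice. It normalizes constructed log lines from three hosts (one logging UTC, one logging local time with an offset, and one legacy host that is not NTP synced and writes naive local timestamps) to UTC, applies a clock skew measured against the time server, and shows that the event order only makes sense once the skew is corrected. Hostnames, log lines, the +02:00 local offset and the 94 second skew are all assumptions made for the example.

```python
# Added example (not from the original question bank): normalizing log
# timestamps from several devices to UTC and correcting a measured clock
# skew so events can be ordered. Hosts, log lines, offsets and skew values
# are constructed for illustration.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

UTC = timezone.utc
CEST = timezone(timedelta(hours=2))  # assumed local offset of the Frankfurt hosts

# Per source: timestamp format, assumed zone for naive timestamps, and the
# clock skew in seconds (how far the device clock is *behind* the NTP
# reference; negative means it runs fast). The skew is something you
# measure against the time server while collecting evidence.
SOURCES: Dict[str, dict] = {
    "fw01":     {"fmt": "%Y-%m-%dT%H:%M:%SZ",   "tz": UTC,  "skew_s": 0},   # NTP synced, logs UTC
    "app02":    {"fmt": "%Y-%m-%d %H:%M:%S %z", "tz": None, "skew_s": 0},   # NTP synced, logs local with offset
    "legacy03": {"fmt": "%Y-%m-%d %H:%M:%S",    "tz": CEST, "skew_s": 94},  # not synced, naive local time
}


def to_utc(source: str, stamp: str, correct_skew: bool = True) -> datetime:
    """Parse a device timestamp and return a timezone aware UTC datetime."""
    cfg = SOURCES[source]
    ts = datetime.strptime(stamp, cfg["fmt"])
    if ts.tzinfo is None:                      # naive: apply the source's documented zone
        ts = ts.replace(tzinfo=cfg["tz"])
    ts = ts.astimezone(UTC)
    if correct_skew:
        ts += timedelta(seconds=cfg["skew_s"])  # move the device clock onto the reference
    return ts


def parse_line(line: str) -> Tuple[str, str, str]:
    """Split 'host|timestamp|message' (a delimiter chosen for this example)."""
    host, stamp, msg = line.split("|", 2)
    return host, stamp, msg


def timeline(lines: List[str], correct_skew: bool = True) -> List[Tuple[datetime, str, str]]:
    """Events as (utc_time, host, message), sorted by UTC time."""
    events = [(to_utc(h, s, correct_skew), h, m) for h, s, m in map(parse_line, lines)]
    return sorted(events, key=lambda e: e[0])


# Constructed incident fragment: an SSH login on app02, a firewall accept for
# app02 reaching legacy03 over SFTP, and legacy03 receiving the archive.
RAW_LOGS = [
    "legacy03|2024-05-02 11:13:30|sftp: received archive.tgz from 10.0.5.7",
    "fw01|2024-05-02T09:15:02Z|ACCEPT tcp 10.0.5.7 -> 10.0.9.3:22",
    "app02|2024-05-02 11:15:00 +0200|sshd: accepted publickey for svc_backup from 198.51.100.4",
]

if __name__ == "__main__":
    for label, fix in (("raw clocks", False), ("skew corrected", True)):
        print(f"--- {label} ---")
        for t, host, msg in timeline(RAW_LOGS, fix):
            print(t.strftime("%H:%M:%SZ"), host, msg)
```

With raw clocks the archive appears on legacy03 about ninety seconds before the login that produced it, which is impossible; after the 94 second correction the sequence reads login, firewall accept, file received. The same logic generalizes to any number of sources: the per-source table is the only thing that changes.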

Question 10

What method most reliably confirms that firewall rules and router settings are configured correctly to enforce policy?

  • ✓ C. Perform scheduled configuration audits of firewalls and routers

The correct option is Perform scheduled configuration audits of firewalls and routers.

Regular configuration audits provide a reliable way to confirm that firewall rules and router settings match the intended security policy and to detect configuration drift or unintended changes.

Configuration audits let you compare running configurations against baselines, inspect rule order and priorities, verify access control lists and routing, and ensure logging and state are enabled for enforcement and investigation.

Continuously monitor live network traffic for anomalies is useful for detecting suspicious activity and for incident response but it does not by itself confirm that firewall rules and router configurations are correctly set to enforce policy because monitoring observes traffic outcomes and may miss silent misconfigurations or rules that are present but misordered.

Rely solely on automated vulnerability scanners is not reliable for confirming policy enforcement because scanners focus on known vulnerabilities and missing patches and they often do not validate rule order, priorities, or business policy intent.

When the exam asks which method most reliably confirms enforcement choose answers that describe direct verification like scheduled configuration audits rather than passive monitoring or a single automated tool.
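As an added example (not part of the original question bank), here is the core of a configuration audit of the kind the explanation describes: compare the running rule set against the approved baseline, report rules that are missing, unauthorized or reordered, and detect shadowed rules, meaning a later rule that can never match because an earlier, broader rule with a different action already covers its traffic. The rule sets are constructed for illustration; a real audit would parse the device's exported configuration into the same structure.

```python
# Added example (not from the original question bank): audit a running
# firewall rule set against an approved baseline and detect shadowed rules.
# Rule sets are constructed for illustration; first-match semantics assumed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None means any destination port

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        port_ok = self.dport is None or self.dport == other.dport
        src_ok = ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
        dst_ok = ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
        return proto_ok and port_ok and src_ok and dst_ok


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (later_index, earlier_index, kind) for unreachable rules.

    kind is "shadowed" when the covering rule has a different action (policy
    is silently changed) and "redundant" when the action is the same.
    """
    findings = []
    for i, later in enumerate(rules):
        for j in range(i):
            if rules[j].covers(later):
                kind = "redundant" if rules[j].action == later.action else "shadowed"
                findings.append((i, j, kind))
                break
    return findings


def audit(baseline: List[Rule], running: List[Rule]) -> dict:
    """Compare running configuration to the approved baseline."""
    base_set, run_set = set(baseline), set(running)
    common_base = [r for r in baseline if r in run_set]
    common_run = [r for r in running if r in base_set]
    report = {
        "missing": [r for r in baseline if r not in run_set],       # approved rule dropped
        "unauthorized": [r for r in running if r not in base_set],  # rule nobody approved
        "reordered": common_base != common_run,                     # same rules, different order
        "shadowed": find_shadowed(running),
    }
    report["compliant"] = not (report["missing"] or report["unauthorized"]
                               or report["reordered"] or report["shadowed"])
    return report


# Approved baseline: block a quarantined subnet, allow the rest of 10/8 to the
# web tier on 443, deny everything else into the tier.
BASELINE = [
    Rule("deny",  "tcp", "10.0.5.0/24", "10.20.0.10/32", 443),
    Rule("allow", "tcp", "10.0.0.0/8",  "10.20.0.10/32", 443),
    Rule("deny",  "any", "0.0.0.0/0",   "10.20.0.0/24",  None),
]

# Running configuration after undocumented changes: the quarantine deny was
# moved below the allow (now shadowed) and an SSH-from-anywhere rule appeared.
RUNNING = [
    Rule("allow", "tcp", "10.0.0.0/8",  "10.20.0.10/32", 443),
    Rule("deny",  "tcp", "10.0.5.0/24", "10.20.0.10/32", 443),
    Rule("allow", "tcp", "0.0.0.0/0",   "10.20.0.10/32", 22),
    Rule("deny",  "any", "0.0.0.0/0",   "10.20.0.0/24",  None),
]

if __name__ == "__main__":
    for key, value in audit(BASELINE, RUNNING).items():
        print(f"{key:12}: {value}")
```

Traffic monitoring would never reveal the shadowed quarantine rule, because the quarantined hosts simply succeed on 443 like everyone else; only a comparison of the configuration against the intended policy exposes it, which is the point the explanation makes about silent misconfigurations and misordered rules.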

Question 11

Cedar Street Financial plans to partner with a rapid development studio named SwiftForge and the two organizations follow different cybersecurity controls. When creating shared security procedures for the collaboration what should be the primary concern?

  • ✓ D. Harmonize both parties’ security controls to ensure combined security is not degraded

The correct option is Harmonize both parties’ security controls to ensure combined security is not degraded.

Harmonizing controls focuses on maintaining a consistent and complete security posture across both organizations. It requires mapping each party’s controls to a common set of objectives, resolving gaps and overlaps, and agreeing on shared responsibilities for detection, response, and monitoring. This approach directly addresses the primary risk which is that mismatched controls can introduce vulnerabilities during collaboration.

Evaluate the financial and operational cost of implementing joint controls is a valid planning concern but it is secondary. Cost and operational effort matter for implementation decisions, but the primary priority is ensuring security is not weakened by the partnership.

Use GCP Organization Policy and Cloud IAM roles as a common technical baseline points to useful tools for enforcing policies on Google Cloud. This option is limited because it assumes both parties operate on the same platform and it does not cover procedural, contractual, and cross-platform controls that must also be harmonized.

Give precedence to the policies of the partner with the most mature cybersecurity program risks overlooking unique risks and constraints of the other partner. Simply adopting one partner’s policies can create incompatibilities and blind spots that reduce the overall security of the collaboration.

When you see collaboration or partnership scenarios look for answers that focus on preserving the combined security posture and eliminating gaps. Give extra weight to choices that mention harmonizing, mapping, or shared responsibilities.

Question 12

When conducting a business continuity exercise what is the most important consideration to account for?

  • ✓ B. Include mission critical systems in the test

The correct option is Include mission critical systems in the test.

Including mission critical systems in the test ensures the exercise validates real world dependencies and verifies that the organization can continue essential functions under disruption. It reveals gaps in recovery procedures, communication, and third party integrations that matter most to customers and the business.

Focusing on mission critical systems in the test also helps prioritize effort and resources so that recovery time and recovery point objectives are measured against the services that have the highest impact if they fail.

Validate recovery time and recovery point objectives is important but it is narrower than including the actual mission critical systems in an exercise. Validating RTOs and RPOs is typically done as part of tests that include the mission critical systems and it is not the single most important consideration for a full business continuity exercise.

Test backup generator capacity and fuel reserves is a useful operational check for infrastructure availability but it addresses only one dimension of resilience. A generator test does not by itself confirm that applications, data, and dependent services will recover correctly during a disruptive event.

When asked for the most important consideration pick the option that preserves core business operations and customer impact rather than a narrow technical or infrastructure detail.

Question 13

You serve as the Information Security Lead for a multinational online retailer and a security event has impacted one of your Frankfurt data centers. What should be the primary concern when establishing the order of response actions?

  • ✓ B. Identifying the specific systems, databases, and categories of data that were affected

Identifying the specific systems, databases, and categories of data that were affected is the primary concern when establishing the order of response actions.

Determining which systems and which types of data are impacted lets you prioritize actions by business impact and legal obligation. Data sensitivity and system criticality drive decisions about containment methods, preservation for forensics, and notification timelines.

Assessing the likely reputation and media fallout across European news outlets is important for communications and stakeholder management but it should follow the immediate technical assessment. Media planning does not determine the technical order of containment and recovery.

Mapping the geographic distribution of impacted customers and endpoints helps with jurisdictional notification and localized response but it is secondary to identifying which data and systems are affected. You usually map geography after you know the scope so you can target notifications correctly.

Engaging the local operations team to understand their containment steps is necessary for coordination and execution but it is not the primary factor in sequencing response actions. You must first know what is affected so you can direct operations to the right containment and remediation steps.

Confirm the scope and sensitivity of affected systems and data first because that information drives containment priorities, notification requirements, and recovery order.

Question 14

In a biometric access system what does the Equal Error Rate indicate about the false acceptance and false rejection rates?

  • ✓ B. The point where False Acceptance Rate equals False Rejection Rate

The point where False Acceptance Rate equals False Rejection Rate is correct.

Equal Error Rate denotes the operating point on a system’s performance curve where the False Acceptance Rate and the False Rejection Rate are the same. This gives a single summary measure that reflects the trade off between allowing unauthorized access and denying authorized users, and a lower Equal Error Rate indicates better overall biometric accuracy.

The threshold that minimizes the combined False Acceptance and False Rejection rates is incorrect because the minimum of the sum of the two error rates is a different criterion and does not necessarily occur where the rates are equal. The EER is specifically the equality point rather than a global minimization of their sum.

The rate at which unauthorized users are incorrectly granted access is incorrect because that phrase describes the False Acceptance Rate alone. The EER compares both false acceptances and false rejections rather than describing only one of those rates.

When a question asks about Equal Error Rate look for wording that the two error rates are equal and avoid choices that describe only one error type or a different optimization objective.
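As an added example (not part of the original question set), the Python below computes the False Acceptance Rate and False Rejection Rate across candidate thresholds for a constructed set of match scores and locates the Equal Error Rate as the crossing point. It also reports the threshold that minimizes FAR + FRR, to show concretely why the explanation above treats that as a different criterion. The score values and the accept-if-score-at-or-above-threshold rule are assumptions for illustration, not data from any real biometric system.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample match scores (assumption, not from a real system):
# higher score = stronger claimed match. Genuine = enrolled user against own
# template, impostor = someone else's sample against that template.
GENUINE_SCORES = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.40, 0.30]
IMPOSTOR_SCORES = [0.05, 0.10, 0.15, 0.20, 0.50, 0.55, 0.60, 0.65]


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float
    far: float  # False Acceptance Rate: impostors accepted / all impostors
    frr: float  # False Rejection Rate: genuine users rejected / all genuine


def operating_point(threshold: float, genuine: list[float], impostor: list[float]) -> OperatingPoint:
    """Accept a sample when its score >= threshold (assumed decision rule)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return OperatingPoint(threshold, far, frr)


def roc_points(genuine: list[float], impostor: list[float]) -> list[OperatingPoint]:
    """Evaluate FAR/FRR at every observed score, i.e. every decision boundary."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [operating_point(t, genuine, impostor) for t in thresholds]


def equal_error_rate(genuine: list[float], impostor: list[float]) -> tuple[float, OperatingPoint]:
    """EER: the operating point where FAR == FRR (closest point on a discrete curve).
    Returns (eer, point); eer is the mean of the two rates at that point."""
    best = min(roc_points(genuine, impostor), key=lambda p: abs(p.far - p.frr))
    return (best.far + best.frr) / 2, best


def min_total_error_point(genuine: list[float], impostor: list[float]) -> OperatingPoint:
    """A different criterion: the threshold that minimizes FAR + FRR."""
    return min(roc_points(genuine, impostor), key=lambda p: p.far + p.frr)


if __name__ == "__main__":
    eer, eer_point = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    min_sum = min_total_error_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER = {eer:.3f} at threshold {eer_point.threshold} (FAR {eer_point.far}, FRR {eer_point.frr})")
    print(f"min FAR+FRR at threshold {min_sum.threshold} (FAR {min_sum.far}, FRR {min_sum.frr})")
```

With these scores the EER sits at threshold 0.60 with FAR = FRR = 0.25, while the lowest combined error is at threshold 0.70 (FAR 0, FRR 0.25); which of the two an organization actually deploys is a risk decision about whether false acceptances or false rejections are more costly.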

Question 15

How does a security manager gain an immediate advantage when job duties and responsibilities are explicitly assigned throughout the organization?

  • ✓ C. Clear accountability for actions

The correct option is Clear accountability for actions.

When job duties and responsibilities are explicitly assigned across the organization, Clear accountability for actions gives an immediate advantage because it defines who is responsible for specific tasks and decisions. This clarity speeds incident response and root cause assignment, reduces ambiguity during escalations, and creates a clear trail for follow up and corrective actions.

Segregation of duties is related to good control design because it splits responsibilities to reduce fraud and error, but it is not the immediate outcome of simply assigning duties. Segregation is a structural control that prevents conflicts over time rather than the instant clarity that accountability provides.

Cloud Identity and Access Management is a useful technology for enforcing who can access resources, but it is a tool rather than the organizational advantage achieved by assigning responsibilities. IAM supports enforcement of roles and permissions, but it does not by itself create the clear personal ownership that accountability does.

Improved compliance with policies can be a beneficial result of explicit assignments, but it is usually an indirect or longer term effect. Compliance improves as responsibilities are acted upon and monitored, whereas accountability produces an immediate clarity about who must act.

When a question asks about an immediate advantage pick the answer that points to clear, direct outcomes such as who is responsible rather than tools or long term benefits.

Question 16

What is the first action an organization should take to start an organization wide business continuity planning program?

  • ✓ B. Conduct a business impact analysis

The correct answer is Conduct a business impact analysis.

Starting with a business impact analysis is the proper first step because the analysis identifies critical functions and dependencies and it defines acceptable downtime and recovery objectives. This information lets you prioritize efforts and choose the right recovery strategies before investing in infrastructure or specific mitigation actions.

Provision secondary resources in Google Cloud is incorrect because provisioning infrastructure is an implementation step that should follow the analysis and planning. You should not allocate or configure secondary resources until you know what needs to be recovered and what recovery objectives are required.

Identify critical business functions is incorrect as a standalone first action because identifying functions is part of the broader business impact analysis. The BIA formally documents priorities, impacts, and dependencies so it is the comprehensive starting point rather than a separate initial task.

When a question asks for the first action in continuity planning think about doing an impact analysis first to set priorities before moving on to design or provisioning.

Question 17

In which situation should a regional bank prioritize continuous monitoring of security controls instead of periodic spot checks?

  • ✓ C. Incidents occur frequently and they result in substantial operational impact

The correct option is Incidents occur frequently and they result in substantial operational impact.

This situation calls for continuous monitoring because when incidents happen often and they cause significant operational harm you need near real time detection and response to reduce dwell time and limit business impact. Continuous controls give automated alerts and faster remediation which is essential when problems are recurring and disruptive.

Continuous monitoring also enables correlation and trend analysis across logs and events so patterns that spot checks would miss become visible. That capability helps the bank identify root causes and recurring attack vectors and it improves the effectiveness of incident response and recovery.

Online sales drive most of the company revenue is not correct because having important online revenue does not by itself mean incidents are frequent or that continuous surveillance is required. Business importance is a factor but the monitoring cadence should be driven by observed risk and incident frequency.

Regulatory requirements mandate ongoing security surveillance is not correct because many regulations require logging, retention, and periodic reviews rather than continuous active surveillance. The question asks when continuous monitoring should be prioritized and the better indicator is recurring, high impact incidents rather than a generic regulatory statement.

Events are rare but would cause severe disruption if they happen is not correct because rare high impact risks often call for strong contingency planning and targeted controls rather than 24x7 continuous monitoring. Continuous monitoring is most clearly justified when events are frequent and already producing operational impact.

Frequency and impact determine monitoring cadence. Choose continuous monitoring when incidents are common and cause real operational harm.

Question 18

What should be the primary purpose of a security playbook within an organization?

  • ✓ B. Communicating the organization’s approved security practices and standards

Communicating the organization’s approved security practices and standards is the correct primary purpose of a security playbook.

A security playbook exists to set out the organization’s approved approaches, roles, escalation paths, and decision criteria so that teams respond consistently and in line with policy and governance. It is a guidance and communication document that helps align people and processes with organizational security expectations.

Providing reusable templates and operational checklists for technical teams is not the primary purpose because templates and checklists are typically part of runbooks or standard operating procedures that support execution. Those artifacts help with tactical execution but they do not replace the playbook’s role in communicating approved practices and standards.

Serving as documentary evidence for audits or regulatory reviews is also not the primary purpose. A playbook can support an audit by showing intended processes but audit evidence usually comes from logs, records of actions taken, and formal compliance artifacts rather than the playbook itself.

Focus on the word primary when answering. The playbook is about organization level guidance and approved practices, while templates and evidence serve supporting or secondary roles.

Question 19

A rapid intrusion has impacted Aquila Tech’s hybrid server estate and created an urgent incident. While the incident response team works to contain the intrusion you are the Chief Information Security Officer and must determine who initiated the attack and what their intent was. What immediate action will yield the most useful evidence about the origin and purpose of the intrusion?

  • ✓ C. Collect and analyze server and firewall logs immediately

The correct option is Collect and analyze server and firewall logs immediately.

Collect and analyze server and firewall logs immediately gives the fastest and most actionable evidence about who contacted which hosts and when. Firewall logs and server logs already record source IPs, timestamps, user accounts, commands and transferred files and they allow investigators to reconstruct an attacker timeline and infer intent without taking systems offline.

Capture forensic disk and memory images from the affected hosts is useful for deep artifact and malware analysis but it is time consuming and often requires specialized tooling. Memory capture can be valuable but it may not be the fastest path to determine origin and intent and an incorrect procedure can alter or destroy evidence.

Quarantine the compromised network segment is important for containment but isolating systems too early can sever active connections and stop collection of live logs and network artifacts. Containment should follow rapid collection of ephemeral evidence so investigators can attribute and understand attacker actions.

Enable VPC Flow Logs for the impacted virtual networks can record network flows but turning on flow logs after an incident will not recover past traffic. Flow logs are most useful if they were already enabled and collecting data before the intrusion.

Focus first on collecting existing sources that record activity. Enabling new logs after an incident may be too late so preserve and gather server and firewall logs immediately before performing containment that could destroy evidence.
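As an added example, not from the original question set, the Python below reconstructs the kind of attacker timeline described above from logs that already exist: it parses constructed firewall and server records into one time ordered list, then groups events by external source address so an analyst can see first and last contact, internal hosts reached, accounts used, what those sessions ran, and any outbound flows back to the same address. It also illustrates the cross source correlation that Question 17 credits continuous monitoring with. The log lines and their formats are constructed for the example and are simplified stand-ins for real firewall and sshd/sudo output, not records from any real incident.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log lines (assumption: simplified formats, not a real incident).
FIREWALL_LOG = """\
2024-05-02T03:16:02Z fw01 DENY TCP 198.51.100.7:40000 -> 10.0.5.21:3389
2024-05-02T03:14:07Z fw01 ALLOW TCP 203.0.113.45:51234 -> 10.0.5.21:22
2024-05-02T03:14:09Z fw01 ALLOW TCP 203.0.113.45:51240 -> 10.0.5.21:22
2024-05-02T03:15:30Z fw01 ALLOW TCP 203.0.113.45:51300 -> 10.0.5.22:445
2024-05-02T03:20:11Z fw01 ALLOW TCP 10.0.5.21:44010 -> 203.0.113.45:443
"""
SERVER_LOG = """\
2024-05-02T03:14:08Z srv-db-01 sshd: Failed password for svc_backup from 203.0.113.45 port 51234
2024-05-02T03:14:10Z srv-db-01 sshd: Accepted password for svc_backup from 203.0.113.45 port 51240
2024-05-02T03:14:55Z srv-db-01 sudo: svc_backup : COMMAND=/usr/bin/tar -czf /tmp/exports.tgz /var/lib/db/exports
"""

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) \S+ "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
                     r"for (?P<user>\S+) from (?P<src>[\d.]+) port \d+$")
SUDO_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.+)$")


@dataclass(order=True)
class Event:
    ts: datetime
    kind: str            # "flow", "login" or "command"
    src_ip: str = ""     # connecting address (flows and logins)
    dst_ip: str = ""     # destination address (flows only)
    dport: int = 0
    host: str = ""       # server that wrote the record (logins and commands)
    user: str = ""
    outcome: str = ""    # ALLOW / DENY / Accepted / Failed
    detail: str = ""     # command line for sudo records


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(firewall_text: str, server_text: str) -> list[Event]:
    """Parse both sources into one list of events ordered by timestamp."""
    events: list[Event] = []
    for line in firewall_text.splitlines():
        if m := FW_RE.match(line):
            events.append(Event(parse_ts(m["ts"]), "flow", src_ip=m["src"], dst_ip=m["dst"],
                                dport=int(m["dport"]), outcome=m["action"]))
    for line in server_text.splitlines():
        if m := AUTH_RE.match(line):
            events.append(Event(parse_ts(m["ts"]), "login", src_ip=m["src"], host=m["host"],
                                user=m["user"], outcome=m["result"]))
        elif m := SUDO_RE.match(line):
            events.append(Event(parse_ts(m["ts"]), "command", host=m["host"],
                                user=m["user"], detail=m["cmd"]))
    return sorted(events)  # dataclass order=True sorts by ts first


def attribution_summary(events: list[Event], internal_prefix: str = "10.") -> dict:
    """Group the timeline by external source IP: first/last seen, internal targets
    reached, accounts used, commands run in those sessions, and outbound flows
    back to the same IP (data leaving the estate is a strong hint about intent)."""
    summary: dict = {}
    session_owner: dict = {}  # (host, user) -> external IP that last logged in as that user
    for e in events:
        external = e.src_ip and not e.src_ip.startswith(internal_prefix)
        if external:
            s = summary.setdefault(e.src_ip, {"first_seen": e.ts, "last_seen": e.ts,
                                              "targets": set(), "logins": set(),
                                              "failed_logins": 0, "commands": [],
                                              "outbound_from": set()})
            s["last_seen"] = e.ts  # events arrive in ascending time order
            if e.kind == "flow" and e.outcome == "ALLOW":
                s["targets"].add(f"{e.dst_ip}:{e.dport}")
            elif e.kind == "login" and e.outcome == "Accepted":
                s["logins"].add((e.host, e.user))
                session_owner[(e.host, e.user)] = e.src_ip
            elif e.kind == "login":
                s["failed_logins"] += 1
        elif e.kind == "command":
            owner = session_owner.get((e.host, e.user))
            if owner in summary:
                summary[owner]["commands"].append(e.detail)
        elif e.kind == "flow" and e.outcome == "ALLOW" and e.dst_ip in summary:
            summary[e.dst_ip]["outbound_from"].add(e.src_ip)
            summary[e.dst_ip]["last_seen"] = e.ts
    return summary


if __name__ == "__main__":
    timeline = build_timeline(FIREWALL_LOG, SERVER_LOG)
    for ev in timeline:
        print(ev.ts.isoformat(), ev.kind, ev.src_ip or ev.host, ev.outcome or ev.detail)
    for ip, info in attribution_summary(timeline).items():
        print(ip, info)
```

The value of this kind of reconstruction is that it needs nothing beyond records the firewall and servers were already writing, which is the point the explanation makes about existing sources versus logs enabled after the fact; a real deployment would parse the vendor's actual formats and read from the preserved copies rather than the live hosts.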

Question 20

When handling customer payments online which area should receive the greatest emphasis on security?

  • ✓ C. Encrypted payment handling and fraud prevention

The correct option is Encrypted payment handling and fraud prevention.

Encrypted payment handling and fraud prevention should receive the greatest security emphasis because it directly protects cardholder data during collection, transmission, processing, and storage. Strong encryption, tokenization, and key management reduce the chance that sensitive payment data can be exposed, and integrated fraud detection can stop unauthorized transactions before they impact customers.

Encrypted payment handling and fraud prevention also encompasses real time monitoring, anomaly detection, and adaptive authentication which together reduce financial loss and reputational risk more effectively than controls that do not focus on the data and transactions themselves.

Google Cloud Armor is a network and application layer protection service that helps mitigate distributed attacks and block malicious traffic. It is useful as a perimeter control but it does not by itself encrypt payment data or provide comprehensive fraud detection for transactions.

PCI DSS compliance is an important regulatory framework that defines required controls for cardholder data protection. It represents compliance and verification requirements rather than the specific operational emphasis on encryption and active fraud prevention that most directly reduces payment risk.

User experience design improves usability and conversion and can indirectly support secure behavior through clearer flows. It is not the primary security focus when the question asks about the greatest emphasis for protecting online payments.

When a question asks about securing payments concentrate on the controls that directly protect cardholder data and stop fraudulent transactions and prioritize encryption and fraud prevention.


Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.