
CISM practice questions to prep for the exam


Risk management is at the core of being a security manager. Practice
your risk management knowledge with these CISM practice
questions.






By Sharon Shea, Executive Editor

McGraw Hill Education

Defining risk management is easy -- it's the process of identifying, assessing and controlling threats. Putting a risk management strategy into practice, however, is another story.

To be successful in security management, it's critical to understand not only what risk management is, but also how to create and implement a plan that will help your organization counter risks and prepare to expect the unexpected.

ISACA's Certified Information Security Manager (CISM) certification was created to help security pros validate they have what it takes to handle risk management.

"The certification is really a demonstration that you have the knowledge and experience already and that you're serious about career growth in the field and want to go further with it," said Peter Gregory, author of CISM: Certified Information Security Manager Practice Exams, published by McGraw-Hill.

Ready to go for your CISM to become a security or risk manager? Gregory readily admits it's a difficult exam -- even for a security pro. But, with some hard work and a lot of studying, test-takers can master the topics and prove their skills.


The following excerpt from Gregory's book offers CISM practice exam
questions from Chapter 3, "Information Risk Management." This area
constitutes 30% of the CISM exam, with questions on developing a risk
management strategy, integrating risk management into an organization's
practices and culture, and monitoring and reporting risk.

Before taking the exam, test your CISM knowledge here. Download
an excerpt of the book for even more questions.


Question 1 of 15
What should be the primary objective of a risk management strategy?

A. Determine the organization's risk appetite.
B. Identify credible risks and transfer them to an external party.
C. Identify credible risks and reduce them to an acceptable level.
D. Eliminate credible risks.

Question 2 of 15
Marie, a CISO at a manufacturing company, is building a new cyber-risk
governance process. For this process to be successful, what is the best
first step for Marie to take?

A. Develop a RACI matrix that defines executive roles and responsibilities.
B. Charter a security steering committee consisting of IT and
cybersecurity leaders.
C. Develop a risk management process similar to what is found in
ISO/IEC 27001.
D. Charter a security steering committee consisting of IT, security, and
business leaders.

Question 3 of 15
What steps must be completed prior to the start of a risk assessment in an
organization?

A. Determine the qualifications of the firm that will perform the audit.
B. Determine scope, purpose, and criteria for the audit.
C. Determine the qualifications of the person(s) who will perform the
audit.
D. Determine scope, applicability, and purpose for the audit.

Question 4 of 15
A risk manager recently completed a risk assessment in an organization.
Executive management asked the risk manager to remove one of the
findings from the final report. This removal is an example of what?

A. Gerrymandering
B. Internal politics
C. Risk avoidance
D. Risk acceptance

Question 5 of 15
A new CISO in a financial service organization is working to get asset
inventory processes under control. The organization uses on-premises and
IaaS-based virtualization services. What approach will most effectively
identify all assets in use?

A. Perform discovery scans on all networks.
B. Obtain a list of all assets from the patch management platform.
C. Obtain a list of all assets from the security event and information
management (SIEM) system.
D. Count all of the servers in each data center.

Question 6 of 15
An internal audit examination of the employee termination process
determined that in 20 percent of employee terminations, one or more
terminated employee user accounts were not locked or removed. The
internal audit department also found that routine monthly user access
reviews identified 100 percent of missed account closures, resulting in
those user accounts being closed no more than 60 days after users were
terminated. What corrective actions, if any, are warranted?

A. Increase user access review process frequency to twice per week.
B. Increase user access review process frequency to weekly.
C. No action is necessary since monthly user access review process is
effective.
D. Improve the user termination process to reduce the number of missed
account closures.

Question 7 of 15
What is typically the greatest challenge when implementing a data
classification program?

A. Difficulty with industry regulators
B. Understanding the types of data in use
C. Training end users on data handling procedures
D. Implementing and tuning DLP agents on servers and endpoints

Question 8 of 15
Randi, a security architect, is seeking ways to improve a defense-in-depth
to defend against ransomware. Randi's organization employs advanced
antimalware on all endpoints and antivirus software on its e-mail servers.
Endpoints also have an IPS capability that functions while endpoints are
onsite or remote. What other solutions should Randi consider to improve
defenses against ransomware?

A. Data replication
B. Spam and phishing e-mail filtering
C. File integrity monitoring
D. Firewalls

Question 9 of 15
A SaaS provider performs penetration tests on its services once per year,
and many findings are identified each time. The organization's CISO wants
to make changes so that penetration test results will improve. The CISO
should recommend all of the following changes except which one?

A. Add a security review of all proposed software changes into the SDLC.
B. Introduce safe coding training for all software developers.
C. Increase the frequency of penetration tests from annually to quarterly.
D. Add the inclusion of security and privacy requirements into the SDLC.

Question 10 of 15
An end user in an organization opened an attachment in e-mail, which
resulted in ransomware running on the end user's workstation. This is an
example of what?

A. Incident
B. Vulnerability
C. Threat
D. Insider threat

Question 11 of 15
What is the correct sequence of events when onboarding a third-party
service provider?

A. Contract negotiation, examine services, identify risks, risk treatment
B. Examine services, identify risks, risk treatment, contract negotiation
C. Examine services, contract negotiation, identify risks, risk treatment
D. Examine services, identify risks, risk treatment

Question 12 of 15
The primary advantage of automatic controls versus manual controls
includes all of the following except which one?

A. Automatic controls are generally more reliable than manual controls.
B. Automatic controls are less expensive than manual controls.
C. Automatic controls are generally more consistent than manual
controls.
D. Automatic controls generally perform better in audits than manual
controls.

Question 13 of 15
Which of the following statements about PCI-DSS compliance is true?

A. Only organizations that store, transfer, or process more than 6 million credit card numbers are required to undergo an annual PCI audit.
B. Service providers are not required to submit an attestation of
compliance (AOC) annually.
C. Merchants that process fewer than 15,000 credit card transactions are
not required to submit an attestation of compliance (AOC).
D. All organizations that store, transfer, or process credit card data are
required to submit an attestation of compliance (AOC) annually.

Question 14 of 15
An organization recently suffered a significant security incident. The
organization was surprised by the incident and believed that this kind of an
event would not occur. To avoid a similar event in the future, what should
the organization do next?

A. Commission an enterprise-wide risk assessment.
B. Commission a controls maturity assessment.
C. Commission an internal and external penetration test.
D. Commission a controls gap assessment.

Question 15 of 15
Security analysts in the SOC have noticed that the organization's firewall is
being scanned by a port scanner in a hostile country. Security analysts
have notified the security manager. How should the security manager
respond to this matter?

A. Declare a high-severity security event.
B. Declare a low-severity security event.
C. Take no action.
D. Direct the SOC to blackhole the scan's originating IP address.
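
Question 15 describes a routine SOC triage decision. As an added worked example (not from the article and not from Gregory's book), the following Python turns that scenario into detection logic: it parses firewall deny logs, flags any source that touches many distinct ports within a short window, and applies a severity policy. The log format, the thresholds, the IP addresses in the constructed sample, and the severity policy itself are all assumptions made for illustration, not the book's answer key.

```python
"""Port-scan triage over firewall deny logs.

Added example, not part of the article or of Gregory's book. The key=value
log format, field names, thresholds and the severity policy are assumptions
made for illustration; adapt them to your own firewall's syslog format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed key=value syslog style, one denied (or allowed) connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def build_sample_log():
    """Constructed sample data (synthetic, not a real capture): one external
    host sweeps TCP ports 20-59 of the firewall's public address within ten
    seconds, while a second host makes two ordinary denied HTTPS attempts."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, port in enumerate(range(20, 60)):
        ts = (base + timedelta(milliseconds=250 * i)).isoformat()
        lines.append(f"{ts} action=deny src=203.0.113.7 dst=198.51.100.10 "
                     f"dport={port} proto=tcp")
    for i in range(2):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} action=deny src=192.0.2.44 dst=198.51.100.10 "
                     f"dport=443 proto=tcp")
    return lines


def parse_events(lines):
    """Return {src: [(timestamp, dport), ...]} for denied connections only."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or m["action"] != "deny":
            continue
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
    return events


def detect_scans(lines, window=timedelta(seconds=60), min_ports=20):
    """Flag each source that touched at least `min_ports` distinct destination
    ports inside some `window`-long interval. A sliding window over the
    time-ordered hits bounds the work per source; the distinct-port set is
    rebuilt per window, which is fine at this scale."""
    scans = {}
    for src, hits in parse_events(lines).items():
        hits.sort()
        best = 0
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= min_ports:
            scans[src] = {"distinct_ports": best, "events": len(hits)}
    return scans


def triage(scan, any_allowed=False):
    """One defensible severity policy (an assumption, not the book's answer
    key): a sweep the firewall denied in full is routine Internet background
    noise, worth logging and correlating but not escalating. The same sweep
    becomes high severity only if something from that source was allowed
    through, because then the probing found an open door."""
    return "high" if any_allowed else "low"


if __name__ == "__main__":
    for src, scan in detect_scans(build_sample_log()).items():
        print(src, scan, "severity:", triage(scan))
```

The `min_ports` and `window` values are where most of the tuning happens in practice: too low and ordinary retries from a misconfigured client trip the rule, too high and a slow scan spread over hours never does.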

Cyber Security MCQ questions and answers

Q. 1 _______ is the practice and precautions taken to protect valuable information
from unauthorized access, recording, disclosure or destruction.
A : Network Security
B : Database Security
C : Information Security
D : Physical Security

Q. 2 _______ platforms are used for safety and protection of information in the
cloud.
A : Cloud workload protection platforms
B : Cloud security protocols
C : AWS
D : One Drive

Q. 3 Compromising confidential information comes under _________
A : Bug
B : Threat
C : Vulnerability
D : Attack

Q. 4 An attempt to harm, damage or cause threat to a system or network is broadly termed as ______
A : Cyber-crime
B : Cyber Attack
C : System hijacking
D : Digital crime

Q. 5 The CIA triad is often represented by which of the following?
A : Triangle
B : Diagonal
C : Ellipse
D : Circle

Q. 6 Related to information security, confidentiality is the opposite of which of the following?
A : Closure
B : Disclosure
C : Disaster
D : Disposal

Q. 8 _______ means the protection of data from modification by unknown users.
A : Confidentiality
B : Integrity
C : Authentication
D : Non-repudiation

Q. 9 _______ of information means only authorized users are capable of accessing the information.
A : Confidentiality
B : Integrity
C : Non-repudiation
D : Availability

Q. 10 This helps in identifying the origin of information and the authentic user. This is referred to here as __________
A : Confidentiality
B : Integrity
C : Authenticity
D : Availability

Information and Cyber Security MCQ with answers

Q. 11 Data ___________ is used to ensure confidentiality.
A : Encryption
B : Locking
C : Decryption
D : Backup

Q. 12 What does OSI stand for in the OSI Security Architecture?
A : Open System Interface
B : Open Systems Interconnections
C : Open Source Initiative
D : Open Standard Interconnections

Q. 13 A company requires its users to change passwords every month. This improves the ________ of the network.
A : Performance
B : Reliability
C : Security
D : None of the above

Q. 14 Release of message contents and Traffic analysis are two types of _________
attacks.
A : Active Attack
B : Modification of Attack
C : Passive attack
D : DoS Attack

Q. 15 The ________ is encrypted text.
A : Cipher script
B : Cipher text
C : Secret text
D : Secret script

Q. 17 Which of the following algorithms does not belong to symmetric encryption?
A : 3DES (TripleDES)
B : RSA
C : RC5
D : IDEA

Q. 18 Which is the largest disadvantage of symmetric encryption?
A : More complex and therefore more time-consuming calculations.
B : Problem of the secure transmission of the Secret Key.
C : Less secure encryption function.
D : Isn’t used any more.

Q. 19 In cryptography, what is a cipher?
A : algorithm for performing encryption and decryption
B : encrypted message
C : both algorithm for performing encryption and decryption and encrypted message
D : decrypted message

Q. 21 Which one of the following algorithms is not used in asymmetric-key cryptography?
A : rsa algorithm
B : diffie-hellman algorithm
C : electronic code book algorithm
D : dsa algorithm

Q. 23 What is the data encryption standard (DES)?
A : block cipher
B : stream cipher
C : bit cipher
D : byte cipher

Q. 24 An asymmetric-key (or public-key) cipher uses
A : 1 key
B : 2 key
C : 3 key
D : 4 key

Q. 26 _________________ is the process or mechanism used for converting ordinary plain text into garbled non-human-readable text & vice versa.
A : Malware Analysis
B : Exploit writing
C : Reverse engineering
D : Cryptography

Q. 27 ______________ is a means of storing & transmitting information in a specific format so that only those for whom it is intended can understand or process it.
A : Malware Analysis
B : Cryptography
C : Reverse engineering
D : Exploit writing

Q. 28 Cryptographic algorithms are based on mathematical algorithms where these algorithms use ___________ for a secure transformation of data.
A : secret key
B : external programs
C : add-ons
D : secondary key

Q. 29 Conventional cryptography is also known as _____________ or symmetric-key encryption.
A : secret-key
B : public key
C : protected key
D : primary key

Q. 30 The procedure to add bits to the last block is termed as _________________
A : decryption
B : hashing
C : tuning
D : padding
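
Questions 23 and 30 together touch the mechanics a block cipher needs: fixed-size blocks and a rule for filling the last one. As an added example (not from the quiz source), the following Python implements PKCS#7 padding as it is applied ahead of DES/3DES's 64-bit blocks, together with the validation a decryptor has to perform and the padding-oracle caveat; the block size, messages and function names are illustrative choices.

```python
"""PKCS#7 padding for a block cipher (added example, not from the quiz source).

DES and 3DES operate on 64-bit blocks, so a message is padded to a multiple
of 8 bytes before encryption and the padding is stripped after decryption.
The block size and sample messages are chosen for illustration; AES uses
16-byte blocks with exactly the same scheme.
"""
BLOCK_SIZE = 8  # DES block size in bytes


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append n bytes each of value n, where 1 <= n <= block_size.
    A message that already fills its last block still gets a whole block of
    padding; otherwise the receiver could not tell padding from data."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be between 1 and 255 bytes")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip and validate padding. Every failure raises the same error on
    purpose: a decryptor that reports *why* the padding is bad (or behaves
    measurably differently) hands the attacker the padding oracle that
    Vaudenay's 2002 attack on CBC mode exploits."""
    if not padded or len(padded) % block_size:
        raise ValueError("bad padding")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def padding_is_valid(padded: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """Boolean form of the check above, for callers that prefer not to catch."""
    try:
        pkcs7_unpad(padded, block_size)
        return True
    except ValueError:
        return False


def split_blocks(padded: bytes, block_size: int = BLOCK_SIZE) -> list:
    """The unit a block cipher actually sees: fixed-size blocks of input."""
    if len(padded) % block_size:
        raise ValueError("input is not block-aligned")
    return [padded[i:i + block_size] for i in range(0, len(padded), block_size)]


if __name__ == "__main__":
    msg = b"hello, world"                      # 12 bytes, needs 4 bytes of padding
    padded = pkcs7_pad(msg)
    print(split_blocks(padded))                # two 8-byte blocks
    print(pkcs7_unpad(padded) == msg)          # round trip
    print(padding_is_valid(padded[:-1] + b"\x09"))  # corrupted final byte
```

Note that the validity check is the step attackers aim at: in CBC mode, flipping bytes of the previous ciphertext block changes the decrypted padding bytes, and any observable difference between "bad padding" and "good padding" is enough to decrypt the whole message one byte at a time. That is why modern protocols authenticate the ciphertext (for example with a MAC or an AEAD mode) and check the tag before they ever look at the padding.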

ICS MCQ questions and answers

Q. 32 ECC encryption system is __________
A : symmetric key encryption algorithm
B : asymmetric key encryption algorithm
C : not an encryption algorithm
D : block cipher method

Q. 33 ________ function creates a message digest out of a message.
A : encryption
B : decryption
C : hash
D : none of the above

Q. 34 Extensions to the X.509 certificates were added in version ____
A : 1
B : 2
C : 3
D : 4

Q. 35 A digital signature needs ____ system
A : symmetric-key
B : asymmetric-key
C : either (a) or (b)
D : neither (a) nor (b)

Q. 36 Elliptic curve cryptography follows the associative property.
A : TRUE
B : FALSE

Q. 37 ECC stands for
A : Elliptic curve cryptography
B : Enhanced curve cryptography
C : Elliptic cone cryptography
D : Eclipse curve cryptography

Q. 38 When a hash function is used to provide message authentication, the hash function value is referred to as
A : Message Field
B : Message Digest
C : Message Score
D : Message Leap

Q. 39 Message authentication code is also known as
A : key code
B : hash code
C : keyed hash function
D : message key hash function


Q. 40 The main difference in MACs and digital signatures is that, in digital signatures the hash value of the message is encrypted with a user's public key.
A : TRUE
B : FALSE
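
Questions 33 and 38 to 40 draw the line between a message digest, a MAC and a digital signature. As an added example (not from the quiz source), the following Python shows why that line matters: the same tampering attack is run against a message protected by a bare SHA-256 digest and against one protected by an HMAC tag. The payment message, the keys and the function names are constructed for illustration.

```python
"""Message digest versus message authentication code (added example, not
from the quiz source; the payment message and keys are constructed).

A hash alone (Q. 33, Q. 38) protects only against accidental change, because
anyone can recompute it. A MAC (Q. 39) mixes in a secret key, so only a key
holder can produce a valid tag. A digital signature instead uses the
signer's private key to sign and the public key to verify (the statement in
Q. 40 reverses this); that needs an asymmetric library and is not shown here.
"""
import hashlib
import hmac
import secrets

# Constructed sample message: a payment instruction an attacker would love to edit.
ORDER = b"payee=ACME;amount=100;currency=EUR"


def message_digest(msg: bytes) -> bytes:
    """Unkeyed SHA-256 digest: an integrity check, not authentication."""
    return hashlib.sha256(msg).digest()


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256, i.e. a keyed hash function (Q. 39)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so an attacker cannot learn a
    # valid tag byte by byte from timing differences in the comparison.
    return hmac.compare_digest(mac_tag(key, msg), tag)


def tamper(msg: bytes) -> bytes:
    """Constructed attacker edit on the wire: inflate the amount."""
    return msg.replace(b"amount=100", b"amount=9100")


def attack_digest_channel() -> bool:
    """Sender transmits (msg, sha256(msg)). The attacker rewrites the message
    and simply recomputes the digest. Returns whether the receiver accepts."""
    msg, digest = ORDER, message_digest(ORDER)               # on the wire
    msg, digest = tamper(msg), message_digest(tamper(msg))   # attacker's rewrite
    return message_digest(msg) == digest                     # True: forgery accepted


def attack_mac_channel(key: bytes) -> bool:
    """Sender transmits (msg, HMAC(key, msg)). The attacker can change the
    message but cannot compute a new tag without the key, so the old tag no
    longer matches. Returns whether the receiver accepts."""
    msg, tag = ORDER, mac_tag(key, ORDER)                    # on the wire
    msg = tamper(msg)                                        # attacker's rewrite
    return verify_mac(key, msg, tag)                         # False: forgery rejected


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # shared between sender and receiver out of band (assumption)
    print("digest channel accepts forgery:", attack_digest_channel())
    print("MAC channel accepts forgery:   ", attack_mac_channel(key))
```

The MAC still has one limitation that motivates digital signatures: because both ends hold the same key, the receiver could have produced the tag itself, so a MAC proves nothing to a third party. A signature made with a private key does, which is the non-repudiation property.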

Q. 41 The DSS signature uses which hash algorithm?
A : MD5
B : SHA-2
C : SHA-1
D : Does not use hash algorithm

Q. 42 What is the size of the RSA signature hash after the MD5 and SHA-1
processing?
A : 42 bytes
B : 32 bytes
C : 36 bytes
D : 48 bytes

Q. 43 In the handshake protocol which is the message type first sent between client
and server ?
A : server_hello
B : client_hello
C : hello_request
D : certificate_request

Q. 44 One commonly used public-key cryptography method is the ______ algorithm.
A : RSS
B : RAS
C : RSA
D : RAA

Q. 45 The ________ method provides a one-time session key for two parties.
A : Diffie-Hellman
B : RSA
C : DES
D : AES

Q. 46 The _________ attack can endanger the security of the Diffie-Hellman method
if two parties are not authenticated to each other.
A : man-in-the-middle
B : ciphertext attack
C : plaintext attack
D : none of the above
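
Questions 45 and 46 describe Diffie-Hellman and the attack that unauthenticated Diffie-Hellman is open to. As an added example (not from the quiz source), the following Python runs the honest exchange, then the man-in-the-middle version in which Mallory substitutes her own public value in both directions, and finally one way to close the hole by binding the exchanged values to a pre-shared key. The group parameters are the 1024-bit MODP group from RFC 2409 section 6.2 with generator 2, reproduced here from memory, so verify the constant against the RFC before reusing it; that size is also below today's minimum and is used only to keep the example short, with a 2048-bit or larger group from RFC 3526/7919 or an elliptic-curve group being the norm. The party names, the pre-shared key and the function names are assumptions.

```python
"""Diffie-Hellman, the man-in-the-middle attack on the unauthenticated
exchange, and one way to authenticate it (added example, not from the quiz
source). Group constant reproduced from RFC 2409 section 6.2 from memory,
so verify it against the RFC before reuse; 1024 bits is too small for
production, which should use RFC 3526/7919 groups or elliptic curves.
"""
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2          # P is a safe prime, so 2 generates the order-Q subgroup
NBYTES = 128              # 1024-bit values


def keypair():
    """Private exponent in [1, Q-1] and the matching public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def shared_secret(private, peer_public):
    """Reject degenerate peer values (0, 1, p-1) that would force the secret
    into a tiny subgroup; with a safe prime this check is sufficient."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_key(secret):
    """Never use the raw group element as a key; hash it into a fixed-size key."""
    return hashlib.sha256(secret.to_bytes(NBYTES, "big")).digest()


def honest_exchange():
    """Alice and Bob exchange public values directly: both derive the same key."""
    a, A = keypair()
    b, B = keypair()
    return derive_key(shared_secret(a, B)), derive_key(shared_secret(b, A))


def mitm_exchange():
    """Mallory replaces each public value in flight with her own. Alice and
    Bob each end up sharing a key with Mallory rather than with each other,
    and nothing in the arithmetic reveals it (the Q. 46 attack)."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    alice_key = derive_key(shared_secret(a, M))      # Alice received M, believes it is B
    bob_key = derive_key(shared_secret(b, M))        # Bob received M, believes it is A
    mallory_alice = derive_key(shared_secret(m, A))
    mallory_bob = derive_key(shared_secret(m, B))
    return alice_key, bob_key, mallory_alice, mallory_bob


def auth_tag(psk, own_public, peer_public):
    """Bind the exchanged values to a pre-shared key. This is one option;
    TLS and IKE bind them with signatures and certificates instead."""
    data = own_public.to_bytes(NBYTES, "big") + peer_public.to_bytes(NBYTES, "big")
    return hmac.new(psk, data, hashlib.sha256).digest()


def authenticated_exchange(psk, mitm=False):
    """Return True if Bob accepts Alice's key confirmation, i.e. the values
    Bob received are the ones Alice actually sent and received."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    A_seen_by_bob = M if mitm else A
    B_seen_by_alice = M if mitm else B
    tag = auth_tag(psk, A, B_seen_by_alice)                    # Alice's view
    return hmac.compare_digest(tag, auth_tag(psk, A_seen_by_bob, B))  # Bob's view


if __name__ == "__main__":
    k1, k2 = honest_exchange()
    print("honest exchange agrees:", k1 == k2)
    ak, bk, ma, mb = mitm_exchange()
    print("under MITM Alice==Bob:", ak == bk, "Alice==Mallory:", ak == ma, "Bob==Mallory:", bk == mb)
    print("PSK check, honest:", authenticated_exchange(b"shared secret"))
    print("PSK check, MITM:  ", authenticated_exchange(b"shared secret", mitm=True))
```

The authenticated variant works because Mallory can forward Alice's tag but cannot compute one over the substituted values without the pre-shared key, so Bob's recomputation fails the moment either public value was altered in transit.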

Q. 48 VPN is abbreviated as __________
A : Visual Private Network
B : Virtual Protocol Network
C : Virtual Private Network
D : Virtual Protocol Networking

Q. 49 __________ provides an isolated tunnel across a public network for sending and
receiving data privately as if the computing devices were directly connected to the
private network.
A : Visual Private Network
B : Virtual Protocol Network
C : Virtual Protocol Networking
D : Virtual Private Network

Q. 50 Which of the following is not a criterion used to classify VPN systems?
A : Protocols used for tunnelling the traffic
B : Whether VPNs are providing site-to-site or remote access connection
C : Securing the network from bots and malwares
D : Levels of security provided for sending and receiving data privately

Q. 51 What types of protocols are used in VPNs?
A : Application level protocols
B : Tunnelling protocols
C : Network protocols
D : Mailing protocols

Q. 52 VPNs use encryption techniques to maintain security and privacy while communicating remotely via a public network.
A : TRUE
B : False

Q. 53 There are _________ types of VPNs.
A : 3
B : 2
C : 5
D : 4

Q. 54 _________ type of VPNs are used for home private and secure connectivity.
A : Remote access VPNs
B : Site-to-site VPNs
C : Peer-to-Peer VPNs
D : Router-to-router VPNs

Q. 55 Which types of VPNs are used for corporate connectivity across companies
residing in different geographical location?
A : Remote access VPNs
B : Site-to-site VPNs
C : Peer-to-Peer VPNs
D : Country-to-country VPNs

Q. 56 Site-to-Site VPN architecture is also known as _________
A : Remote connection based VPNs
B : Peer-to-Peer VPNs
C : Extranet based VPN
D : Country-to-country VPNs

Q. 57 There are ________ types of VPN protocols.
A : 3
B : 4
C : 5
D : 6

Q. 58 IPSec is designed to provide security at the _________
A : Transport layer
B : Network layer
C : Application layer
D : Session layer

Q. 59 In tunnel mode, IPSec protects the ______
A : Entire IP packet
B : IP header
C : IP payload
D : IP trailer

Q. 60 Pretty good privacy (PGP) is used in ______
A : Browser security
B : Email security
C : FTP security
D : WiFi security

Q. 61 PGP encrypts data by using a block cipher called ______
A : International data encryption algorithm
B : Private data encryption algorithm
C : Internet data encryption algorithm
D : Local data encryption algorithm

Q. 62 IKE creates SAs for _____.
A : SSL
B : PGP
C : IPSec
D : VP

Q. 63 ______ provides either authentication or encryption, or both, for packets at the IP level.
A : AH
B : ESP
C : PGP
D : SSL

Q. 64 A _______ network is used inside an organization.
A : private
B : public
C : semi-private
D : semi-public

Q. 65 SSL provides _________.
A : message integrity
B : confidentiality
C : compression
D : all of the above

Q. 66 IKE uses _______
A : Oakley
B : SKEME
C : ISAKMP
D : all of the above

Q. 67 In ______, there is a single path from the fully trusted authority to any
certificate.
A : X509
B : PGP
C : KDC
D : none of the above

Q. 68 A ______ provides privacy for LANs that must communicate through the global
Internet.
A : VPP
B : VNP
C : VNN
D : VPN

Q. 69 _______ uses the idea of certificate trust levels.
A : X509
B : PGP
C : KDC
D : none of the above

Q. 70 ________ provides privacy, integrity, and authentication in e-mail.
A : IPSec
B : SSL
C : PGP
D : none of the above

Cyber Security Questions and Answers – Cyber Security Privacy – Anonymity & Pseudonymity

This set of Cyber Security written test Questions & Answers focuses on "Cyber Security Privacy – Anonymity & Pseudonymity".


1. The term _____________ means keeping a user's name as well as identity hidden or veiled using a variety of applications.
a) pseudonymous
b) anonymous
c) eponymous
d) homonymous
2. Sometimes __________________ anonymize themselves to perform criminal activities.
a) virus
b) incident handlers
c) cyber-criminals
d) ethical hackers
3. An _______________ allows users to access the web while blocking the trackers or agents that keep tracing their identity online.
a) intranet
b) extranet
c) complex network
d) anonymity network
4. _________ services are examples of anonymity services that conceal the location and
usage of any user.
a) Tor
b) Encrypted router
c) Firewall
d) HTTPS
5. Another anonymity network is I2P, an identity-sensitive network that is distributed and dynamic in nature because it routes traffic through other peers.
a) True
b) False
6. Which of the following is not an example of approaches for maintaining anonymity?
a) Use of VPNs
b) Use of Tor Browser
c) Use of Proxy servers
d) Use of Antivirus
7. Which of the following is not an example of approaches for maintaining anonymity?
a) Using encrypted search engines that don’t share your search data
b) Use firewalls
c) Fake email services
d) Use file shielders
8. Big multinational companies provide us with search engines to search for data easily and for free, but they also collect our search data, browsing habits and preferences.
a) True
b) False
9. Which of the following is not a VPN used for preserving our anonymity?
a) Nord VPN
b) Express VPN
c) Microsoft Security Essential
d) CyberGhost
10. __________________ are those search engines that are intended and designed not to collect our search data or browsing habits and hence do not hamper our online privacy.
a) Paid search engines
b) Incognito mode
c) In-private mode
d) Private search engines
11. Which of the following is a private search engine?
a) Bing
b) Google
c) Duckduckgo
d) Yahoo
12. Which of the following is not a private search engine?
a) StartPage
b) Baidu
c) SearX.me
d) Qwant
13. Which of the following search engines can provide you with anonymity while searching?
a) Privatelee
b) Baidu
c) Google
d) Bing

Cyber Security Questions and Answers – Attack Vectors – Digital Privacy

This set of Cyber Security Multiple Choice Questions & Answers (MCQs) focuses on "Attack Vectors – Digital Privacy".


1. _______________ deals with the protection of an individual's information which is implemented while using the Internet on any computer or personal device.
a) Digital agony
b) Digital privacy
c) Digital secrecy
d) Digital protection
2. _______________ is a combined term which encompasses 3 sub-pillars; information
privacy, individual privacy, and communication privacy.
a) Digital Integrity
b) Digital privacy
c) Digital secrecy
d) Digital protection
3. Which of the following does not come under the three pillars of digital privacy?
a) Information privacy
b) Individual privacy
c) Communication privacy
d) Family privacy
4. Which of the following is not an appropriate solution for preserving privacy?
a) Use a privacy-focused search engine
b) Use private Browser-window
c) Disable cookies
d) Uninstall Antivirus
5. Which of the following is not an appropriate solution for preserving privacy?
a) Use a privacy-focused search engine
b) Close all logical ports
c) Do not use malicious sites and torrent sites
d) Use VPN
6. Which of the following is not a private search engine?
a) Yahoo
b) DuckDuckGo
c) StartPage
d) Wolfram Alpha
7. Which of the following is a private search engine that does not track our search data?
a) Google
b) Search Encrypt
c) Bing
d) Yahoo
8. It is necessary to use ________________ for maintaining searched data privacy.
a) Private email services
b) Private search engines
c) Tor Browser
d) Private Browser window
9. Which of the following browsers is used for privacy purposes?
a) Chrome
b) Firefox
c) Opera
d) Tor
10. The Tor browser protects your privacy by bouncing your connection and links around
a distributed network over the globe run by volunteers. It gives three layers of anonymity.
a) True
b) False
11. The __________________ protects your privacy by bouncing your connection and
links around a distributed network over the globe run by volunteers. It gives three layers
of anonymity.
a) Cookie removers
b) Private Search Engines
c) Tor browser
d) VPNs
12. Which of the following is not an example of a privacy browser?
a) Tor
b) Brave
c) Epic
d) Opera
13. ____________ allow their users to connect to the internet via a remote or virtual server, which preserves privacy.
a) Cookie removers
b) VPNs
c) Tor browser
d) Private Search Engines
14. The ____________ transferred between your device & the server is securely
encrypted if you are using VPNs.
a) data
b) virus
c) music files
d) document files
15. The data transferred between your device & the server is securely _____________ if
you’re using VPNs.
a) locked
b) sealed
c) packed
d) encrypted
