Information Security Incident Management for CISM
This page covers the Information Security Incident Management domain of the CISM certification. Master Cybersecurity offers 230 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which of the following is the MOST important security consideration when developing an incident response strategy with a cloud provider?
- A. Security audit reports
- B. Recovery time objective (RTO)
- C. Technological capabilities
- D. Escalation processes
Explanation
The correct answer is: D. Escalation processes.
The most important security consideration when developing an incident response strategy with a cloud provider is the escalation processes because cloud incident response depends on coordinated handoffs between customer and provider, and the escalation processes specify how and when those handoffs occur. CISM emphasizes escalation as the central operational concern in cloud IR because the customer has limited direct control over the underlying infrastructure. Security audit reports provide evidence of the provider's control posture but do not govern the operational response. The recovery time objective sets continuity targets but is not the IR-specific consideration the question asks about. Technological capabilities of the provider matter but are meaningful only when activated by the escalation process that initiates the joint response.
Question 2
Which of the following is the MOST important incident management consideration for an organization subscribing to a cloud service?
- A. Decision on the classification of cloud-hosted data
- B. Expertise of personnel providing incident response
- C. Implementation of a SIEM in the organization
- D. An agreement on the definition of a security incident
Explanation
The correct answer is: D. An agreement on the definition of a security incident.
The most important incident management consideration for an organization subscribing to a cloud service is having an agreement on the definition of a security incident because both parties must classify and respond to events using the same vocabulary for any joint response to function. CISM treats definitional alignment as the prerequisite for cloud IR integration. The classification of cloud-hosted data is an important data governance decision but is upstream of incident handling itself. The expertise of personnel providing incident response affects execution quality but is meaningful only within the framework of agreed definitions. Implementation of a SIEM provides telemetry but does not address the joint-handling agreement; an agreed incident definition is the operational foundation that the rest of the cloud incident management rests on.
Question 3
What is the PRIMARY purpose of an unannounced disaster recovery exercise?
- A. To provide metrics to senior management
- B. To evaluate how personnel react to the situation
- C. To assess service level agreements (SLAs)
- D. To estimate the recovery time objective (RTO)
Explanation
The correct answer is: B. To evaluate how personnel react to the situation.
The primary purpose of an unannounced disaster recovery exercise is to evaluate how personnel react to the situation, because the surprise element reveals actual readiness rather than rehearsed performance. CISM positions unannounced exercises as the validation tool for behavioral readiness, which announced exercises cannot reliably measure. Providing metrics to senior management is a possible reporting output of any exercise but does not require the exercise to be unannounced. Assessing service level agreements addresses contractual measurement and likewise does not require an unannounced format. Estimating the recovery time objective is the work of the BIA rather than an exercise output, and the RTO is set in advance rather than measured by an exercise; personnel reaction under realistic surprise conditions is the distinctive purpose of an unannounced exercise.
Question 4
Which of the following BEST prepares a computer incident response team for a variety of information security scenarios?
- A. Tabletop exercises
- B. Forensics certification
- C. Penetration tests
- D. Disaster recovery drills
Explanation
The correct answer is: A. Tabletop exercises.
Tabletop exercises best prepare a computer incident response team for a variety of information security scenarios because the tabletop format efficiently walks the team through many different scenario types in low-disruption discussion sessions, producing broad familiarity with response patterns. CISM treats tabletop exercises as the principal training format for scenario breadth because the cost per scenario is low and many can be covered. Forensics certification develops one specialized skill but does not produce scenario breadth. Penetration tests stress defensive controls rather than train the response team across scenarios. Disaster recovery drills exercise one specific scenario type at a time and are more resource-intensive than tabletop exercises; for variety of scenarios, the tabletop format is the most cost-effective and comprehensive preparation method.
Question 5
When designing security controls, it is MOST important to:
- A. focus on preventive controls.
- B. apply controls to confidential information.
- C. evaluate the costs associated with the controls.
- D. apply a risk-based approach.
Explanation
The correct answer is: D. apply a risk-based approach.
When designing security controls, it is most important to apply a risk-based approach because risk is the basis on which control selection, layering, and prioritization can be made defensibly. CISM treats risk-based control design as the canonical method because it aligns investment with what the organization is actually exposed to. Focusing on preventive controls overemphasizes one control category and ignores the layered defense that risk-based design produces. Applying controls to confidential information addresses one classification tier but ignores the broader risk landscape, which includes integrity and availability concerns. Evaluating the costs associated with controls is an essential component of risk-based design, but it is one input within the broader framework; the risk-based approach is the overarching design methodology that integrates cost with impact and likelihood to produce justified control selections.
Other CISM domains
- Information Risk Management (252 questions)
- Information Security Governance (290 questions)
- Information Security Program Development and Management (478 questions)