ISACA Exam Questions CISM (v.3) – CISM Review Notes

CISM Review Notes

Exam Guide

Domain 1 – Information Security Governance (17%)
Domain 2 – Information Security Risk Management (20%)
Domain 3 – Information Security Program (33%)
Domain 4 – Incident Management (30%)

Exam Questions

  • 4 hours (240 minutes), 150 multiple choice questions
  • Scored on a scale of 200 to 800; 450 is a pass
  • About 1.6 minutes per question
  • Every question has a stem (question) and four options (answer choices).
  • Choose the correct or best answer from the options.
  • The stem may be in the form of a question or an incomplete statement.
  • A question may require you to choose the appropriate answer based on a qualifier, such as FIRST, MOST likely or BEST, so two options may both be right; pick the BEST one.
  • Read the question carefully, eliminate known incorrect answers and then make the best choice.
  • Answer questions from a business risk perspective, rather than from the perspective of a technical solution or control.

Domain 1: Information Security Governance

CIA Triad

The three main goals of information security are:

  • Confidentiality prevents unauthorized disclosure
  • Integrity prevents unauthorized alteration
  • Availability ensures authorized access

Security Strategy and SWOT Analysis

Security activities must be aligned with business strategy, mission, goals, and objectives. This requires strategic, tactical, and operational planning.

SWOT analysis identifies the strengths, weaknesses, opportunities, and threats facing an organization, typically laid out in a grid.

Gap Analysis

A gap analysis compares the current state of security controls to a benchmark and identifies any areas of deviation.

Security Frameworks

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.

Due Care and Due Diligence

Due care is taking reasonable steps to protect the interest of the organisation. Due diligence ensures those steps are carried out.

Security Governance

Security governance is carried out through

  • Policies which state high-level objectives (mandatory compliance).
  • Standards which state detailed technical requirements (mandatory compliance).
  • Procedures which provide step-by-step processes (mandatory compliance).
  • Guidelines which offer advice and best practices (optional compliance).

For the security policy framework to be successful, it must have the support of senior leadership and other stakeholders.

Security Strategy

Security is a constant balancing act between usability and control. Managers must constantly make trade-offs to allow the organization to achieve both security and business objectives.

Every organization has a risk tolerance (or risk appetite) that describes how much risk the organization is willing to accept. Understanding this tolerance, whether it is explicit or implicit, is crucial to finding the correct balance for security activities.

Key influences on security strategy include:

  • Business environment
  • Emerging technologies
  • Social media
  • Regulatory requirements
  • Threat landscape

Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark.

Typically, organizations don’t adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements.

Information should be classified based upon its sensitivity to the organization.

Common classes of sensitive information include:

  • Personally identifiable information (PII) which uniquely identifies individuals.
  • Protected health information (PHI) which includes individual health records.
  • Proprietary information which contains trade

Data Classification

  • Data at Rest – Data stored on a system or media device
  • Data in Motion – Data in transit over a network
  • Data in Use – Data being actively processed in memory

Information Classification

Information should be labeled with its classification and security controls should be defined and appropriate for each classification level.

Collect only data that is necessary for legitimate business purposes. This is known as data minimization.

  • Data Owner – Senior-level executive who establishes rules and determines controls
  • Data Steward – Individual who handles day-to-day data governance activity. Designated by the data owner.
  • Data Custodian – IT staff members responsible for the storage and processing of information.
  • Key Performance Indicator (KPI) – Measures the success of the security program.
  • Key Goal Indicator (KGI) – Measures progress toward defined goals
  • Key Risk Indicator (KRI) – Measures risk on a forward-looking basis.

Budgets are forward-looking financial plans. As budgets are revised each year, they may be approached in two ways:

  • Incremental budgeting starts with the prior year’s budget and adjusts upward or downward
  • Zero-based budgeting starts with a blank slate each year

Fiscal years are the 12-month periods used for financial reporting and may differ from the standard calendar year for any organization.

Expenses come in two primary forms:

  • Capital expenses involve fixed-cost investments in major assets
  • Operational expenses cover the day-to-day costs of running the organization

Authentication, authorization, and accounting.

Authorization and Authentication are two distinct concepts in the realm of security and access control. While they are related, they serve different purposes.

Authentication: Authentication is the process of verifying the identity of a user or entity. It ensures that the user is whom they claim to be before granting them access to a system, application, or resource. Authentication typically involves the use of credentials, such as usernames and passwords, biometric information, security tokens, or digital certificates. The goal of authentication is to establish trust and validate the identity of the user or entity requesting access.

Authorization: Authorization, on the other hand, occurs after authentication and involves granting or denying access rights and permissions to authenticated users or entities. Once a user’s identity is verified, authorization determines what actions, resources, or information they are allowed to access. It involves defining and enforcing access controls based on roles, privileges, and permissions assigned to individual users or groups. Authorization ensures that users have appropriate privileges to perform specific actions or access certain resources within the system or application.

Domain 2: Information Risk Management

Assets should be classified according to their own criticality and sensitivity as well as the classification of the information that they store, process, and transmit. These asset classifications ensure that measures taken to protect assets are proportional to their business value.

Risks are the combination of a threat and a corresponding vulnerability.

Quantitative risk assessment uses the following formulas:

  • Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF)
  • Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence (ARO) × SLE

Responses to a risk include:

  • Avoid risk by changing business practices
  • Mitigate risk by implementing controls
  • Accept risk and continue operations
  • Transfer risk through insurance or contract
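
A worked example of the two quantitative formulas and of using them to choose between the risk responses listed above. This is an added illustration, not part of the review notes or of any ISACA material; the asset value, exposure factor, rates of occurrence, control cost and risk appetite are constructed, and the decision rule in recommend() is a simplified assumption of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat/vulnerability pair against one asset (values are constructed for illustration)."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = ARO * SLE."""
        return self.aro * self.sle()


def control_value(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Annual value of a mitigating control: the ALE it removes minus what it costs per year.
    Positive means the control is cheaper than the loss it prevents."""
    return before.ale() - after.ale() - annual_control_cost


def recommend(before: RiskScenario, after: RiskScenario, annual_control_cost: float, risk_appetite: float) -> str:
    """Simplified decision rule (an assumption of this example, not an ISACA method):
    mitigate when the control pays for itself; otherwise accept if the untreated ALE is
    within the organization's risk appetite; otherwise transfer or avoid."""
    if control_value(before, after, annual_control_cost) > 0:
        return "mitigate"
    if before.ale() <= risk_appetite:
        return "accept"
    return "transfer or avoid"


# Constructed scenario: a public web server, before and after adding a web application firewall (WAF).
WEB_SERVER = RiskScenario("web server compromise", asset_value=200_000, exposure_factor=0.25, aro=0.5)
WEB_SERVER_WITH_WAF = RiskScenario("web server compromise (with WAF)", 200_000, 0.25, 0.1)
WAF_ANNUAL_COST = 8_000
RISK_APPETITE = 10_000  # assumed maximum ALE the organization will carry for one scenario

if __name__ == "__main__":
    print(f"SLE        = {WEB_SERVER.sle():,.0f}")
    print(f"ALE before = {WEB_SERVER.ale():,.0f}")
    print(f"ALE after  = {WEB_SERVER_WITH_WAF.ale():,.0f}")
    print("control value per year =", control_value(WEB_SERVER, WEB_SERVER_WITH_WAF, WAF_ANNUAL_COST))
    print("decision:", recommend(WEB_SERVER, WEB_SERVER_WITH_WAF, WAF_ANNUAL_COST, RISK_APPETITE))
```

With the constructed numbers the SLE is 50,000, the ALE falls from 25,000 to 5,000 and the control costs 8,000 a year, so mitigation is worth 12,000 a year; raising the control cost above the ALE reduction flips the answer to accepting or transferring the risk, which is the trade-off an exam question on risk response is usually probing.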

Security tests verify that a control is functioning properly.

Security assessments are comprehensive reviews of the security of a system, application, or other tested environment.

Security audits use testing and assessment techniques but are performed by independent auditors. There are three types of security audits:

  • Internal audits are performed by an organization’s internal audit staff, normally led by a Chief Audit Executive who reports directly to the CEO.
  • External audits are performed by an outside auditing firm.
  • Third-party audits are conducted by, or on behalf of, another organization, such as a regulator.

Organizations that provide services to other organizations may conduct audits under SSAE 16. These engagements produce two different types of reports:

  • Type I reports provide a description of the controls in place, as described by the audited organization, and the auditor’s opinion whether the controls described are sufficient. The auditor does not test the controls.
  • Type II reports result when the auditor actually tests the controls and provides an opinion on their effectiveness.

COBIT, ISO 27001, and ISO 27002 are commonly used standards for cybersecurity audits.

Vulnerability assessments seek to identify known deficiencies in systems and applications.

Network discovery scanning uses tools like nmap to check for active systems and open ports. Common scanning techniques include:

  • TCP SYN scans send a single packet with the SYN flag set.
  • TCP Connect scans attempt to complete the three-way handshake.
  • TCP ACK scans seek to impersonate an established connection.
  • Xmas scans set the FIN, PSH, and URG flags.
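
From the defender's side, the scan techniques above each leave a recognisable flag pattern. The script below is added here and is not part of the notes: it classifies packets from a constructed sensor log by their TCP flag set and alerts when one source probes many distinct ports with the same pattern. The log format, addresses and alert thresholds are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sensor log (not captured from a real network): source -> destination:port and the
# TCP flags seen on the packet (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST).
SAMPLE_LOG = """\
10.0.0.5 -> 10.0.0.20:21 flags=S
10.0.0.5 -> 10.0.0.20:22 flags=S
10.0.0.5 -> 10.0.0.20:23 flags=S
10.0.0.5 -> 10.0.0.20:25 flags=S
10.0.0.5 -> 10.0.0.20:80 flags=S
10.0.0.5 -> 10.0.0.20:443 flags=S
10.0.0.9 -> 10.0.0.20:443 flags=S
10.0.0.9 -> 10.0.0.20:443 flags=A
10.0.0.9 -> 10.0.0.20:443 flags=PA
10.0.0.7 -> 10.0.0.20:22 flags=FPU
10.0.0.7 -> 10.0.0.20:80 flags=FPU
10.0.0.11 -> 10.0.0.20:22 flags=A
10.0.0.11 -> 10.0.0.20:80 flags=A
10.0.0.11 -> 10.0.0.20:135 flags=A
"""

LINE_RE = re.compile(r"^(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) flags=(?P<flags>[SAFPUR]+)$")

# Distinct ports one source must touch with a given probe type before an alert is raised.
# These thresholds are assumptions for the example; tune them to the network's normal traffic.
THRESHOLDS = {"syn": 5, "ack": 5, "xmas": 1}


def parse_line(line):
    """Return (src, dst, port, flagset) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["port"]), frozenset(m["flags"])


def classify_flags(flags):
    """Map a packet's flag set to the probe type described in the notes, or 'other'."""
    if flags == frozenset("FPU"):
        return "xmas"   # FIN+PSH+URG together never occurs in a normal TCP exchange
    if flags == frozenset("S"):
        return "syn"    # bare SYN: first packet of a handshake, or a half-open probe
    if flags == frozenset("A"):
        return "ack"    # bare ACK: handshake completion, or an ACK-scan probe
    return "other"


def detect_scans(log_text, thresholds=THRESHOLDS):
    """Return {(source, probe_type): distinct_port_count} for sources at or above the threshold."""
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, port, flags = parsed
        kind = classify_flags(flags)
        if kind in thresholds:
            ports_seen[(src, kind)].add(port)
    return {key: len(ports) for key, ports in ports_seen.items() if len(ports) >= thresholds[key[1]]}


if __name__ == "__main__":
    for (src, kind), count in sorted(detect_scans(SAMPLE_LOG).items()):
        print(f"{src}: {kind} probes against {count} distinct ports")
```

The bare-ACK threshold matters because the third packet of every legitimate handshake is also a bare ACK (10.0.0.9 above), so a single one proves nothing; the Xmas pattern has no legitimate use, so a single packet is enough. Connect scans complete the handshake and are indistinguishable from ordinary connections at the packet level; they show up instead as many short-lived sessions across ports, which this example does not attempt to detect.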

Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability scans use tools that specialize in probing for web application weaknesses.

The vulnerability management workflow includes three basic steps: detection, remediation, and validation.

Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps:

Business continuity planning conducts a business impact assessment and then implements controls designed to keep the business running during adverse

Backups provide an important disaster recovery control. Remember that there are three major categories of backup:

  • Full backup: copies all files on a system.
  • Differential backup: copies all files on a system that have changed since the most recent full backup.
  • Incremental backup: copies all files on a system that have changed since the most recent full or incremental backup.
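
The following simulation makes the three backup categories concrete by running the differential and incremental schemes over a constructed week of file changes and showing what each run copies and which backup sets a restore needs. It is an added example, not code from the notes; the file names and change log are invented.

```python
def plan_backups(all_files, changes, scheme):
    """Simulate a full backup on day 0 followed by one differential or incremental backup per day.
    `changes` maps day -> set of files modified that day. Returns [(day, frozenset(copied files))]."""
    if scheme not in ("differential", "incremental"):
        raise ValueError("scheme must be 'differential' or 'incremental'")
    unknown = set().union(*changes.values()) - set(all_files)
    if unknown:
        raise ValueError(f"changes reference files not on the system: {sorted(unknown)}")
    mtime = {f: 0 for f in all_files}       # last modification day of each file
    plan = [(0, frozenset(all_files))]      # day 0: the full backup copies everything
    last_full, last_backup = 0, 0
    for day in sorted(changes):
        for f in changes[day]:
            mtime[f] = day
        # differential: changed since the last full backup; incremental: since the last backup of any kind
        baseline = last_full if scheme == "differential" else last_backup
        plan.append((day, frozenset(f for f in all_files if mtime[f] > baseline)))
        last_backup = day
    return plan


def restore_chain(plan, scheme, target_day):
    """Days whose backup sets must be applied, in order, to rebuild the system as of target_day."""
    later_sets = [day for day, _ in plan if 0 < day <= target_day]
    if scheme == "differential":
        return [0] + later_sets[-1:]        # the full backup plus only the most recent differential
    return [0] + later_sets                 # the full backup plus every incremental since


def total_copied(plan):
    """Number of file copies made across the whole plan (a proxy for backup storage and time)."""
    return sum(len(files) for _, files in plan)


# Constructed system and change log: five files, three days of changes after the day-0 full backup.
ALL_FILES = {"a", "b", "c", "d", "e"}
CHANGES = {1: {"a"}, 2: {"b"}, 3: {"a", "c"}}

if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        plan = plan_backups(ALL_FILES, CHANGES, scheme)
        print(scheme)
        for day, files in plan:
            print(f"  day {day}: copies {sorted(files)}")
        print(f"  restore to day 3 needs sets from days {restore_chain(plan, scheme, 3)}")
        print(f"  total file copies: {total_copied(plan)}")
```

The output shows the trade-off behind the exam question: differential backups copy more each day (day 3 copies a, b and c again) but restore from just two sets, while incremental backups copy the least but must be replayed in order, so a missing or corrupt incremental set breaks every restore after it.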

Disaster recovery sites fit into three major categories:

Disaster recovery plans require testing. There are five major test types:

Domain 3: Information Security Program Development and Management

Security Controls Categorization

Security controls are categorized by their purpose as preventive, detective, or corrective controls. They are also categorized by their mechanism of action as technical, physical, or administrative controls. Controls may overlap these categories.

  • Purpose-Based Categorization: Preventive, Detective, Corrective Controls
  • Mechanism-Based Categorization: Technical, Physical, Administrative Controls
  • Overlapping Categories of Controls

Purpose-Based Categorization: Preventive, Detective, Corrective Controls

  • Preventive Controls: These controls are designed to prevent security incidents from occurring. They include measures such as access controls, security awareness training, and security policies.
  • Detective Controls: These controls are focused on detecting security incidents or breaches that have occurred. Examples include intrusion detection systems, security monitoring tools, and log analysis.
  • Corrective Controls: These controls are implemented to correct or mitigate the effects of a security incident. They include activities such as incident response, disaster recovery planning, and system restoration.

Mechanism-Based Categorization: Technical, Physical, Administrative Controls

  • Technical Controls: These controls involve the use of technology to enforce security policies and protect information assets. Examples include firewalls, encryption, antivirus software, and intrusion prevention systems.
  • Physical Controls: These controls are physical measures put in place to secure physical assets and facilities. Examples include locks, access control systems, surveillance cameras, and biometric authentication systems.
  • Administrative Controls: These controls involve policies, procedures, and organizational practices to manage security risks. Examples include security awareness training, security governance frameworks, risk assessments, and incident response plans.


Cryptography is one of the primary controls used to achieve security objectives. Encryption transforms plaintext data into ciphertext, while decryption reverses the process, turning ciphertext back into plaintext.

The two basic cryptographic operations are substitution which modifies characters and transposition, which moves them around.

Cryptography is the practice of securing data through encryption and decryption techniques. It plays a crucial role in achieving security objectives. Here are some key aspects of cryptography:

  • Encryption and Decryption: Encryption transforms plaintext data into ciphertext using an encryption algorithm, while decryption reverses the process, converting ciphertext back into plaintext using a decryption algorithm.
  • Basic Cryptographic Operations: Cryptographic operations involve substitution and transposition. Substitution modifies characters, while transposition moves them around, providing additional security.
  • Symmetric Encryption: Symmetric encryption uses the same shared secret key for both encryption and decryption processes. It is efficient for bulk data encryption but requires secure key management.
  • Asymmetric Encryption: Asymmetric encryption, also known as public-key cryptography, involves the use of public and private key pairs. Each user has their own key pair. Anything encrypted with one key from the pair can only be decrypted using the other key from that same pair. It provides secure key exchange and enables digital signatures.
  • Secure Symmetric Algorithms: Some commonly used secure symmetric encryption algorithms include 3DES, AES (Advanced Encryption Standard), IDEA, and Blowfish. DES (Data Encryption Standard) is considered insecure due to its key length.
  • Secure Asymmetric Algorithms: Secure asymmetric encryption algorithms include RSA, El Gamal, and elliptic curve cryptography (ECC). These algorithms provide strong security for key exchange, digital signatures, and encryption.
  • Diffie-Hellman Algorithm: The Diffie-Hellman algorithm is a key exchange protocol used to securely exchange symmetric keys over an insecure channel. It enables secure communication between parties without prior shared secrets.
  • Hash Functions: Hash functions are one-way functions that produce a unique fixed-size hash value (digest) for each input. They are used for data integrity, password storage, and digital signatures. Hash functions cannot be reversed to obtain the original data.
  • Digital Certificates: Digital certificates use the X.509 standard and contain a copy of an entity’s public key. They are digitally signed by a certificate authority (CA) to establish trust. Digital certificates are widely used in secure communication protocols such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL).

Encryption and Decryption

Symmetric encryption uses the same shared secret key for encryption and decryption.

In asymmetric encryption, users each have their own public/private keypair. Keys are used as follows:

Anything encrypted with one key from a pair may only be decrypted with the other key from that same pair.

Secure symmetric algorithms include 3DES, AES, IDEA, and Blowfish. DES is not secure.

Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve (ECC).

The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.

Hashes are one-way functions that produce a unique value for every input and cannot be reversed.

Digital certificates use the X.509 standard and contain a copy of an entity’s public key. They are digitally signed by a certificate authority (CA).

Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.

Two serious issues can occur when users are granted limited access to information in databases or other repositories. Aggregation attacks occur when a user is able to summarize individual records to detect trends that are confidential. Inference attacks occur when a user is able to use several innocuous facts in combination to determine, or infer, more sensitive information.

DNS converts between IP addresses and domain names. ARP converts between MAC addresses and IP addresses. NAT converts between public and private IP addresses.

Wireless networks should be secured using WPA or WPA2 encryption, not WEP.

Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2. Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels.

When deploying services in the cloud, organizations may choose from three major cloud strategies:

  • Software-as-a-Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
  • Infrastructure-as-a-Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
  • Platform-as-a-Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware.

Most Virtual Private Networks (VPN) use either TLS or IPsec. IPsec uses Authentication Headers (AH) to provide authentication, integrity and nonrepudiation and Encapsulating Security Payload (ESP) to provide confidentiality.

Cloud services may be built and/or purchased in several forms:

  • Public cloud providers sell services to many different customers and many customers may share the same physical hardware.
  • Private cloud environments dedicate hardware to a single user.
  • Hybrid cloud environments combine elements of public and private cloud in a single organization.
  • Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.

Access Control and Attacks

Access control refers to the mechanisms and techniques used to limit and control access to information resources and systems. Here are key aspects related to access control and attacks:

  • Aggregation Attacks: Aggregation attacks occur when a user can summarize individual records to detect trends that should remain confidential. These

The core activities of identity and access management are:

  • Identification, where a user makes a claim of identity.
  • Authentication, where the user proves the claim of identity.
  • Authorization, where the system confirms that the user is permitted to perform the requested action.

In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems).

Access controls work in three different fashions:

  • Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
  • Physical controls, such as locks and keys, limit physical access to controlled spaces.
  • Administrative controls, such as account reviews, provide management of personnel and business

Multifactor authentication systems combine authentication technologies from two or more of the following categories:

  • Something you know (Type 1 factors) rely upon secret information, such as a password.
  • Something you have (Type 2 factors) rely upon physical possession of an object, such as a smartphone.
  • Something you are (Type 3 factors) rely upon biometric characteristics of a person, such as a face scan or fingerprint.

Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as correct; they are measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user; they are measured using the false rejection rate (FRR). We evaluate the effectiveness of an authentication technology using the crossover error rate (CER).
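
FAR, FRR and the crossover point can be computed from a matcher's scores. The example below is added here (it is not from the notes) and uses constructed similarity scores for genuine users and impostors; it sweeps the acceptance threshold and reports the threshold at which FAR and FRR are equal, which is the CER.

```python
# Constructed similarity scores from a hypothetical biometric matcher (0.0 = no match, 1.0 = perfect).
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.70, 0.81, 0.60, 0.77, 0.90]   # enrolled users matching themselves
IMPOSTOR_SCORES = [0.20, 0.35, 0.55, 0.65, 0.30, 0.45, 0.72, 0.25]  # people claiming someone else's identity


def rates_at(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept a score >= threshold. FAR: share of impostors accepted (false positives).
    FRR: share of genuine users rejected (false negatives)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=20):
    """Sweep thresholds 0, 1/steps, ..., 1 and return (threshold, FAR, FRR) where FAR and FRR are
    closest to equal. The error rate at that point is the CER; lower is a more accurate system."""
    best = None
    for i in range(steps + 1):
        threshold = i / steps
        far, frr = rates_at(threshold, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (threshold, far, frr)
    return best


if __name__ == "__main__":
    for i in range(0, 21, 2):
        t = i / 20
        far, frr = rates_at(t)
        print(f"threshold {t:.2f}: FAR {far:.3f}  FRR {frr:.3f}")
    t, far, frr = crossover_error_rate()
    print(f"crossover at threshold {t:.2f}: CER = {far:.3f}")
```

Raising the threshold above the crossover lowers FAR at the cost of FRR (more security, less usability) and lowering it does the reverse, which is the balancing act described under Security Strategy; the CER is used to compare technologies precisely because it does not depend on where a particular deployment sets that threshold.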

RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.

The implicit deny principle says that any action that is not explicitly authorized for a subject should be denied.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.

Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.
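
The following added example (not the notes' own code) implements the access control ideas above in one small system: object ACLs whose subjects may be users or roles (RBAC), ACL changes permitted only to the object's owner (DAC), an explicit deny that overrides any allow, and implicit deny as the default answer. The users, roles and objects are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    subject: str      # a user name, or "role:<name>" for a role-based entry
    permission: str   # e.g. "read", "write"
    effect: str       # "allow" or "deny"


class AccessControlSystem:
    """Object ACLs with role subjects (RBAC), owner-managed grants (DAC) and implicit deny."""

    def __init__(self, user_roles, owners):
        self.user_roles = user_roles   # user -> set of role names
        self.owners = owners           # object -> owning user (DAC: the owner controls the ACL)
        self.acls = {}                 # object -> list[AclEntry]

    def grant(self, actor, obj, entry):
        """Discretionary access control: only the object's owner may change its ACL."""
        if self.owners.get(obj) != actor:
            raise PermissionError(f"{actor} does not own {obj}")
        self.acls.setdefault(obj, []).append(entry)

    def _subjects_for(self, user):
        """The user itself plus every role it holds; unknown users hold no roles."""
        return {user} | {f"role:{r}" for r in self.user_roles.get(user, set())}

    def is_authorized(self, user, permission, obj):
        subjects = self._subjects_for(user)
        matching = [e for e in self.acls.get(obj, [])
                    if e.subject in subjects and e.permission == permission]
        if any(e.effect == "deny" for e in matching):
            return False   # an explicit deny overrides any allow
        if any(e.effect == "allow" for e in matching):
            return True
        return False       # implicit deny: nothing said yes, so the answer is no


def try_grant(acs, actor, obj, entry):
    """Return True if the grant was accepted, False if DAC rejected it."""
    try:
        acs.grant(actor, obj, entry)
        return True
    except PermissionError:
        return False


def build_example():
    """Constructed users, roles and objects mirroring the backup administrator / sales rep example."""
    acs = AccessControlSystem(
        user_roles={"alice": {"backup_admin"}, "bob": {"sales_rep"}, "carol": set()},
        owners={"backup-vault": "alice", "crm-db": "dave"},
    )
    acs.grant("alice", "backup-vault", AclEntry("role:backup_admin", "read", "allow"))
    acs.grant("alice", "backup-vault", AclEntry("role:backup_admin", "write", "allow"))
    acs.grant("dave", "crm-db", AclEntry("role:sales_rep", "read", "allow"))
    acs.grant("dave", "crm-db", AclEntry("role:sales_rep", "write", "allow"))
    acs.grant("dave", "crm-db", AclEntry("bob", "write", "deny"))   # user-level deny beats the role allow
    return acs


if __name__ == "__main__":
    acs = build_example()
    for user, perm, obj in [("alice", "write", "backup-vault"), ("bob", "read", "backup-vault"),
                            ("bob", "read", "crm-db"), ("bob", "write", "crm-db"), ("carol", "read", "crm-db")]:
        print(f"{user} {perm} {obj}: {'allowed' if acs.is_authorized(user, perm, obj) else 'denied'}")
```

In a mandatory access control system the grant() step would not exist for ordinary users: the ACL (or label policy) is set centrally and object owners cannot loosen it, which is the DAC/MAC distinction the notes draw.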

Brute force attacks against password systems try to guess all possible passwords. Dictionary attacks refine this approach by testing combinations and permutations of dictionary words. Rainbow table attacks precompute hash values for use in comparison. Salting passwords with a random value prior to hashing them reduces the effectiveness of rainbow table attacks.
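
Here is an added example, not taken from the notes, that ties together the one-way property of hash functions described earlier and the salting defence described above. It stores a password as a salted PBKDF2 digest, verifies a login against it, and shows that a precomputed table of unsalted hashes over a small word list finds an unsalted digest but not a salted one. The word list, salts and iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000   # PBKDF2 work factor; an assumption for the example, raise it as hardware allows


@dataclass(frozen=True)
class PasswordRecord:
    """What the credential store keeps: never the password, only salt, digest and work factor."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a salted digest. A fresh random salt per user means equal passwords give unequal digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return PasswordRecord(salt, digest, iterations)


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time; the digest itself is never reversed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)


# Why salting matters: a precomputed table of unsalted hashes over a word list (constructed, tiny)
WORDLIST = ["password", "letmein", "qwerty", "correct horse"]


def unsalted_digest(word):
    """Plain SHA-256 of the word, as a store without salt would keep it."""
    return hashlib.sha256(word.encode("utf-8")).digest()


def precomputed_table(wordlist):
    """digest -> word, computed once and reusable against every unsalted store."""
    return {unsalted_digest(w): w for w in wordlist}


def lookup(digest, table):
    """Return the word whose precomputed digest matches, or None."""
    return table.get(digest)


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted digest found in table:", lookup(unsalted_digest("letmein"), table))
    record = hash_password("letmein")
    print("salted digest found in table:  ", lookup(record.digest, table))
    print("login with correct password:   ", verify_password("letmein", record))
    print("login with wrong password:     ", verify_password("letmeout", record))
```

The table would have to be rebuilt for every distinct salt (and every iteration count) to be useful, which removes the precomputation advantage the notes describe; the slow key-derivation function additionally limits how fast the brute force and dictionary attacks above can test guesses.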

Man-in-the-middle attacks intercept a client’s initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.

When managing the physical environment, you should be familiar with common power issues:

Fires require the combination of heat, oxygen, and fuel. They may be fought with fire extinguishers:

  • Class A: common combustible fires
  • Class B: liquid fires
  • Class C: electrical fires
  • Class D: metal fires

Organizations may use wet pipe fire suppression systems that always contain water, dry pipe systems that only fill with water when activated, or preaction systems that fill the pipes at the first sign of fire detection.

Mantraps use a set of double doors to restrict physical access to a facility.

The top ten security vulnerabilities in web applications, according to OWASP, are:

  1. Injection attacks
  2. Broken authentication
  3. Sensitive data exposure
  4. XML external entities
  5. Broken access control
  6. Security misconfiguration
  7. Cross-site scripting
  8. Insecure deserialization
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring

In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation which ensures that user input matches the expected pattern before using it in code.
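
An added example of allow-list input validation, not code from the notes or from OWASP: each field is accepted only if it fully matches the pattern the application expects, and unexpected or missing fields are reported rather than silently passed along. The field names and patterns are constructed.

```python
import re

# Allow-list patterns per field: accept only what the application expects and reject everything else.
# The patterns are constructed for the example; a real application derives them from its own data model.
FIELD_RULES = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),     # 3 to 32 chars, starts with a letter
    "email":    re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}"),
    "quantity": re.compile(r"[1-9][0-9]{0,3}"),          # 1 to 9999, no leading zeros
    "order_id": re.compile(r"ORD-[0-9]{8}"),
}


def validate(form, rules=FIELD_RULES):
    """Return {field: error}; an empty dict means every field matched its expected pattern."""
    errors = {}
    for field, pattern in rules.items():
        value = form.get(field)
        if value is None:
            errors[field] = "missing"
        elif not isinstance(value, str):
            errors[field] = "wrong type"
        elif not pattern.fullmatch(value):        # fullmatch anchors both ends, so no stray prefix or suffix
            errors[field] = "does not match expected pattern"
    for field in form:
        if field not in rules:
            errors[field] = "unexpected field"    # anything not in the allow-list is rejected, not ignored
    return errors


def is_valid(form, rules=FIELD_RULES):
    return not validate(form, rules)


# Constructed submissions: one well-formed, one that would fail several checks.
GOOD_FORM = {"username": "alice_01", "email": "alice@example.com", "quantity": "12", "order_id": "ORD-20240115"}
BAD_FORM = {"username": "bob; --", "email": "not-an-email", "quantity": "0",
            "order_id": "ORD-20240115", "debug": "1"}

if __name__ == "__main__":
    print("good form:", validate(GOOD_FORM) or "accepted")
    print("bad form: ", validate(BAD_FORM))
```

Because validation happens before the values are used, a rejected field never reaches a query, a template or a shell, which is the point of the technique; note that `fullmatch` is used rather than `match`, since `match` only anchors the start and a trailing `$` still tolerates a final newline.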

Domain 4: Information Security Incident Management

Cyber Investigations

Security professionals are often called upon to participate in a variety of investigations:

  • Criminal investigations look into the violation of a criminal law and use the beyond a reasonable doubt standard of proof.
  • Civil investigations examine potential violations of civil law and use the preponderance of the evidence standard.
  • Regulatory investigations examine the violation of a private or public regulatory standard.
  • Administrative investigations are internal to an organization, supporting administrative activities.


Investigations may use several different types of evidence:

  • Real evidence consists of tangible objects that may be brought into court.
  • Documentary evidence consists of records and other written items and must be authenticated by testimony.
  • Testimonial evidence is evidence given by a witness, either verbally or in writing.

The best evidence rule states that, when using a document as evidence, the original document must be used unless there are exceptional circumstances. The parol evidence rule states that a written agreement is assumed to be the complete agreement.

Chain of Custody and Evidence Handling

Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.
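
The following added example (not from the notes) shows one way to make chain-of-custody handling checkable in code: the evidence is hashed at collection, every hand-off is appended to an ordered log that refuses a transfer from anyone but the holder of record, and the hash can be re-verified before the item is used. The item identifiers, holders and evidence bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class CustodyEvent:
    timestamp: str
    holder: str   # who holds the item after this event
    action: str   # "collected" or "transferred"
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str                                   # digest taken at collection time
    custody: list = field(default_factory=list)   # ordered CustodyEvent log, append-only by convention


def _timestamp(when=None):
    return (when or datetime.now(timezone.utc)).isoformat()


def collect(item_id, description, data, collector, when=None):
    """Hash the evidence as soon as it is collected and open its custody log."""
    item = EvidenceItem(item_id, description, hashlib.sha256(data).hexdigest())
    item.custody.append(CustodyEvent(_timestamp(when), collector, "collected"))
    return item


def current_holder(item):
    return item.custody[-1].holder


def transfer(item, from_holder, to_holder, note="", when=None):
    """Record a hand-off. Refuses if from_holder is not the holder of record, so the log cannot skip a link."""
    if current_holder(item) != from_holder:
        raise ValueError(f"{from_holder} is not the current holder of {item.item_id}")
    item.custody.append(CustodyEvent(_timestamp(when), to_holder, "transferred", note))


def try_transfer(item, from_holder, to_holder, note=""):
    """Same as transfer() but reports success as a boolean instead of raising."""
    try:
        transfer(item, from_holder, to_holder, note)
        return True
    except ValueError:
        return False


def verify_integrity(item, data):
    """True if the bytes presented now still hash to the digest recorded at collection."""
    return hashlib.sha256(data).hexdigest() == item.sha256


# Constructed evidence: not a real disk image.
DISK_IMAGE = b"constructed disk image bytes for the example"

if __name__ == "__main__":
    item = collect("EV-0001", "laptop disk image (constructed)", DISK_IMAGE, "investigator_a")
    transfer(item, "investigator_a", "evidence_locker", note="sealed bag #12")
    print("holder:", current_holder(item), "| integrity intact:", verify_integrity(item, DISK_IMAGE))
    for event in item.custody:
        print(event)
```

Working copies are verified the same way: examine a copy, then show that both the copy and the original still produce the collection-time digest, so any question of tampering can be answered from the log and the hashes rather than from memory.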

Business Continuity Planning (BCP)

Business continuity planning (BCP) attempts to design systems and controls in a manner that minimizes the risk that business activity will be disrupted.

Disaster Recovery Process

The disaster recovery process begins when operations are disrupted at the primary site and shifted to an alternate capability. The process only concludes when normal operations are restored.


Exam Questions

Which of the following should be the FIRST step in developing an information security plan?

A. Perform a technical vulnerabilities assessment

B. Analyze the current business strategy

C. Perform a business impact analysis

D. Assess the current levels of security awareness


Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.