- (Topic 3)
The PRIMARY objective of timely declaration of a disaster is to:

1. A. ensure the continuity of the organization's essential services.
2. B. protect critical physical assets from further loss.
3. C. assess and correct disaster recovery process deficiencies.
4. D. ensure engagement of business management in the recovery process.

Correct Answer: A
The primary objective of timely declaration of a disaster is to ensure the continuity of the organization’s essential services, as it enables the activation of the business continuity plan (BCP) and the disaster recovery plan (DRP) that outline the processes and procedures to maintain or resume the critical business functions and minimize the impact of the disruption. A timely declaration of a disaster also helps to communicate the situation to the stakeholders, mobilize the resources, and request external assistance if needed.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.3.1, page 2271; FEMA, How a Disaster Gets Declared2; CISM Online Review Course, Module 4, Lesson 3, Topic 13

- (Topic 3)
Which of the following BEST facilitates the effectiveness of cybersecurity incident response?

1. A. Utilizing a security information and event management (SIEM) tool.
2. B. Utilizing industry-leading network penetration testing tools.
3. C. Increasing communication with all incident response stakeholders.
4. D. Continuously updating signatures of the anti-malware solution.

Correct Answer: C
Communication is a key factor for the effectiveness of cybersecurity incident response, as it ensures that all relevant parties are informed, coordinated, and aligned on the incident status, impact, actions, and responsibilities. Communication also helps to maintain trust, confidence, and transparency among the stakeholders, such as senior management, business units, customers, regulators, law enforcement, and media. References = CISM Review Manual, 16th Edition, Chapter 5, Section 5.4.2.11

- (Topic 3)
Which of the following is the MOST important constraint to be considered when developing an information security strategy?

1. A. Legal and regulatory requirements
2. B. Established security policies and standards
3. C. Compliance with an international security standard
4. D. Information security architecture

Correct Answer: A
Legal and regulatory requirements are the most important constraint to be considered when developing an information security strategy, as they define the minimum level of security that the organization must comply with to avoid legal sanctions, fines, or reputational damage. Legal and regulatory requirements may vary depending on the jurisdiction, industry, and type of data that the organization handles, and they may impose specific security controls, standards, or frameworks that the organization must follow. References = CISM Review Manual, 16th Edition, Chapter 1, Section 1.2.1.11

- (Topic 1)
Which of the following is MOST important when conducting a forensic investigation?

1. A. Analyzing system memory
2. B. Documenting analysis steps
3. C. Capturing full system images
4. D. Maintaining a chain of custody

Correct Answer: D
Maintaining a chain of custody is the most important step when conducting a forensic investigation, as this ensures that the evidence is preserved, protected, and documented from the time of collection to the time of presentation in court. A chain of custody provides a record of who handled the evidence, when, where, why, and how, and prevents any tampering, alteration, or loss of the evidence. A chain of custody also establishes the authenticity, reliability, and admissibility of the evidence in legal
proceedings. Analyzing system memory, documenting analysis steps, and capturing full system images are also important, but not as important as maintaining a chain of custody, as they do not guarantee the integrity and validity of the evidence. References = CISM Review Manual 2023, page 1701; CISM Review Questions, Answers & Explanations Manual 2023, page 332; ISACA CISM - iSecPrep, page 183

- (Topic 3)
An organization is experiencing a sharp increase in incidents related to phishing messages. The root cause is an outdated email filtering system that is no longer supported by the vendor. Which of the following should be the information security manager's FIRST course of action?

1. A. Reinforce security awareness practices for end users.
2. B. Temporarily outsource the email system to a cloud provider.
3. C. Develop a business case to replace the system.
4. D. Monitor outgoing traffic on the firewall.

Correct Answer: C
Developing a business case to replace the system is the FIRST course of action that the information security manager should take, because it helps to justify the need for a new and effective email filtering system that can prevent or reduce phishing incidents. A business case should include the problem statement, the proposed solution, the costs and benefits, the risks and assumptions, and the expected outcomes and metrics.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 42: “A business case is a document that provides the rationale and justification for an information security investment. It should include the problem statement, the proposed solution, the costs and benefits, the risks and assumptions, and the expected outcomes and metrics.”
Email Filtering Explained: What Is It and How Does It Work: “Email filtering is a process used to sort emails and identify unwanted messages such as spam, malware, and phishing attempts. The goal is to ensure that they don’t reach the recipient’s primary inbox. It is an essential security measure that helps protect users from unwanted or malicious messages.”
Cloud-based email phishing attack using machine and deep learning …: “This attack is used to attack your email account and hack sensitive data easily.”