- (Topic 3)
Which of the following trends would be of GREATEST concern when reviewing the performance of an organization's intrusion detection systems (IDSs)?

1. A. Decrease in false positives
2. B. Increase in false positives
3. C. Increase in false negatives
4. D. Decrease in false negatives

Correct Answer: C
An increase in false negatives would be of greatest concern when reviewing the performance of an organization’s IDSs, because it means that the IDSs are failing to detect and alert on actual attacks that are occurring on the network. False negatives can lead to serious security breaches, data loss, reputational damage, and legal liabilities for the organization. False positives, on the other hand, are alerts that are triggered by benign or normal activities that are mistaken for attacks. False positives can cause annoyance, inefficiency, and desensitization, but they do not pose a direct threat to the security of the network. Therefore, a decrease in false positives would be desirable, and an increase in false positives would be less concerning than an increase in false negatives.
References = CISM Review Manual, 16th Edition, page 2231; Intrusion Detection Systems | NIST

- (Topic 3)
A PRIMARY benefit of adopting an information security framework is that it provides:

1. A. credible emerging threat intelligence.
2. B. security and vulnerability reporting guidelines.
3. C. common exploitability indices.
4. D. standardized security controls.

Correct Answer: D
A standardized security control is a set of rules, guidelines, or best practices that are designed to protect the confidentiality, integrity, and availability of information assets and systems. An information security framework is a collection of standardized security controls that are aligned with the organization’s objectives, strategy, and risk appetite. Adopting an information security framework provides a primary benefit of ensuring consistency, efficiency, and effectiveness in the implementation and management of information security across the organization.
References = CISM Review Manual 2022, page 321; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.22; What is an Information Security Framework?; Information Security Frameworks: What Are They and Why Do You Need One?

- (Topic 1)
Which of the following provides an information security manager with the MOST accurate indication of the organization's ability to respond to a cyber attack?

1. A. Walk-through of the incident response plan
2. B. Black box penetration test
3. C. Simulated phishing exercise
4. D. Red team exercise

Correct Answer: D
A red team exercise is a simulated cyber attack conducted by a group of ethical hackers or security experts (the red team) against an organization’s network, systems, and staff (the blue team) to test the organization’s ability to detect, respond, and recover from a real cyber attack. A red team exercise provides an information security manager with the most accurate indication of the organization’s ability to respond to a cyber attack, because it mimics the tactics, techniques, and procedures of real threat actors, and challenges the organization’s security posture, incident response plan, and security awareness in a realistic and adversarial scenario12. A red team exercise can measure the following aspects of the organization’s cyber attack response capability3:
✑ The effectiveness and efficiency of the security controls and processes in preventing, detecting, and mitigating cyber attacks
✑ The readiness and performance of the incident response team and other stakeholders in following the incident response plan and procedures
✑ The communication and coordination among the internal and external parties involved in the incident response process
✑ The resilience and recovery of the critical assets and functions affected by the cyber attack
✑ The lessons learned and improvement opportunities identified from the cyber attack simulation
The other options, such as a walk-through of the incident response plan, a black box penetration test, or a simulated phishing exercise, are not as accurate as a red team exercise in indicating the organization’s ability to respond to a cyber attack, because they have the following limitations4 :
✑ A walk-through of the incident response plan is a theoretical and hypothetical exercise that involves reviewing and discussing the incident response plan and procedures with the relevant stakeholders, without actually testing them in a live environment. A walk-through can help to familiarize the participants with the incident response roles and responsibilities, and to identify any gaps or inconsistencies in the plan, but it cannot measure the actual performance and effectiveness of the incident response process under a real cyber attack scenario.
✑ A black box penetration test is a technical and targeted exercise that involves testing the security of a specific system or application, without any prior knowledge or access to its internal details or configuration. A black box penetration test can help to identify the vulnerabilities and weaknesses of the system or application, and to simulate the perspective and behavior of an external attacker, but it cannot test the security of the entire network or organization, or the response of the incident response team and other stakeholders to a cyber attack.
✑ A simulated phishing exercise is a social engineering and awareness exercise that involves sending fake emails or messages to the organization’s staff, to test their ability to recognize and report phishing attempts. A simulated phishing exercise can help to measure the level of security awareness and training of the staff, and to simulate one of the most common cyber attack vectors, but it cannot test the security of the network or systems, or the response of the incident response team and other stakeholders to a cyber attack.
References = 1: What is a Red Team Exercise? | Redscan 2: Red Team vs Blue Team: How They Differ and Why You Need Both | CISA 3: Red Team Exercises: What They Are and How to Run Them | Rapid7 4: What is a Walkthrough Test? | Definition and Examples | ISACA : Penetration Testing Types: Black Box, White Box, and Gray Box | CISA

- (Topic 2)
A balanced scorecard MOST effectively enables information security:

1. A. risk management
2. B. project management
3. C. governance
4. D. performance

Correct Answer: C
A balanced scorecard enables information security governance by providing a framework for aligning security objectives with business goals and measuring performance against them. The other choices are not directly related to governance but may be supported by it.
A balanced scorecard is a strategic management tool that describes the cause-and-effect linkages between four high-level perspectives of strategy and execution: financial, customer, internal process, and learning and growth2. It helps organizations communicate and monitor their vision and strategy across different levels and functions2.

- (Topic 3)
To prepare for a third-party forensics investigation following an incident involving malware, the incident response team should:

1. A. isolate the infected systems.
2. B. preserve the evidence.
3. C. image the infected systems.
4. D. clean the malware.

Correct Answer: B
According to the CISM Review Manual, the incident response team should preserve the evidence as the first step to prepare for a third-party forensics investigation, as it helps to maintain the integrity and admissibility of the evidence in a court of law. Preserving the evidence may include isolating and imaging the infected systems, but these are not the only actions required. Cleaning the malware may destroy or alter the evidence and should be avoided until the investigation is completed.
References = CISM Review Manual, 27th Edition, Chapter 3, Section 3.6.2, page 165