Domain 3 Capstone Review: Information Security Program

CISM Domain 3, Information Security Program Capstone Review (32 of 47). Estimated time: 30–40 min

This capstone integrates:

  • Program Development
  • Control Design & Implementation
  • Control Testing & Evaluation
  • Awareness & Training
  • External Service Management
  • Program Communications

Think governance. Think sustainability. Think proportionality.


Question 1

A security program invests heavily in advanced monitoring tools but lacks documented procedures.

What is the PRIMARY weakness?

  A. Process immaturity
  B. Encryption gap
  C. Vendor inefficiency
  D. Reduced automation
Answer & Explanation

Correct Answer: A

Advanced monitoring only produces alerts. Without documented procedures, nobody is accountable for triaging, escalating and closing them consistently, so the tooling investment does not translate into program maturity. Encryption, vendors and automation are not what the scenario describes.

Question 2

Sensitive data is stored across multiple platforms without classification.

What should occur FIRST?

  A. Encrypt all data
  B. Conduct formal asset identification and classification
  C. Increase monitoring
  D. Replace storage vendors
Answer & Explanation

Correct Answer: B

Classification must precede protection. Until the data is identified and classified, the organization cannot tell which data warrants encryption, closer monitoring or a change of platform, so any of the other options would be applied blindly. Classification drives proportional protection.

Question 3

A complex framework is adopted despite limited staff capacity.

What is the MOST significant risk?

  A. Over-compliance
  B. Encryption downgrade
  C. Vendor inefficiency
  D. Implementation failure due to resource mismatch
Answer & Explanation

Correct Answer: D

A framework the organization cannot staff will be implemented partially or on paper only. Framework adoption must align with organizational maturity and available resources.

Question 4

A preventive control disrupts operations significantly while mitigating moderate risk within tolerance.

What is the MOST appropriate response?

  A. Maintain the control regardless
  B. Eliminate the business function
  C. Reevaluate proportionality and alternative control options
  D. Accept the risk automatically
Answer & Explanation

Correct Answer: C

The residual risk is already within tolerance, so a control that significantly disrupts operations is disproportionate to what it achieves. The manager should weigh the control's operational cost against the risk it addresses and consider less disruptive alternatives. Eliminating the business function or accepting the risk without analysis are both extremes. Controls must align with risk appetite and operational feasibility.

Question 5

A control is implemented without change management approval.

What governance issue arises?

  A. Breakdown in structured implementation discipline
  B. Encryption gap
  C. Vendor inefficiency
  D. Monitoring delay
Answer & Explanation

Correct Answer: A

Bypassing change management removes the review, approval, testing and rollback steps that make implementation predictable; even a well-intended control becomes an unmanaged change. Control implementation must follow the organization's formal governance process.

Question 6

High-risk controls are not tested regularly.

What is the PRIMARY concern?

  A. Over-monitoring
  B. Unvalidated operating effectiveness
  C. Vendor inefficiency
  D. Reduced automation
Answer & Explanation

Correct Answer: B

A control that exists on paper but is never tested may have stopped operating as designed, through configuration drift or process decay, without anyone noticing. High-risk controls require periodic validation of operating effectiveness.

Question 7

Training completion rates are high, but policy violations continue.

What is the MOST appropriate improvement?

  A. Increase training frequency
  B. Eliminate training requirement
  C. Replace IT systems
  D. Implement role-based training and measure behavior outcomes
Answer & Explanation

Correct Answer: D

High completion rates show attendance, not changed behavior. Repeating generic training more often will not fix violations driven by role-specific gaps; content should be tailored to roles, and effectiveness measured by outcomes such as the violation rate itself rather than by completion.

Question 8

A vendor processes critical data but lacks contractual incident notification timelines.

What is the PRIMARY weakness?

  A. Encryption gap
  B. Monitoring deficiency
  C. Inadequate contractual governance
  D. Vendor inefficiency
Answer & Explanation

Correct Answer: C

Without contractual notification timelines, the organization has no enforceable right to learn of a vendor incident in time to respond. Contracts are the mechanism by which security expectations are enforced on third parties.

Question 9

Board reporting includes detailed firewall configurations.

What is the PRIMARY issue?

  A. Lack of business-aligned communication
  B. Excess transparency
  C. Encryption weakness
  D. Vendor oversight
Answer & Explanation

Correct Answer: A

Firewall configurations are operational detail. The board needs to understand enterprise risk posture, so reporting should translate technical state into business impact and risk language.

Question 10

Repeated audit findings show access review failures.

What should occur FIRST?

  A. Replace access system
  B. Conduct root cause analysis and remediation tracking
  C. Increase monitoring tools
  D. Ignore minor issues
Answer & Explanation

Correct Answer: B

Repeated findings on the same control indicate a systemic weakness that earlier fixes did not address. Root cause analysis identifies why the reviews keep failing, and remediation tracking ensures the fix is completed and verified rather than rediscovered at the next audit.

Question 11

Security roles overlap with unclear accountability.

What is the PRIMARY program risk?

  A. Encryption gap
  B. Vendor inefficiency
  C. Reduced automation
  D. Governance breakdown due to undefined responsibilities
Answer & Explanation

Correct Answer: D

When responsibilities are undefined, tasks either fall between roles or are duplicated, and no one can be held accountable when a control fails. Clearly defined roles and accountability are foundational to program effectiveness.

Question 12

A security metric tracks vulnerability volume but not business impact.

What is missing?

  A. Increased scanning
  B. Encryption controls
  C. Outcome-based risk alignment
  D. Vendor reporting
Answer & Explanation

Correct Answer: C

A raw count of vulnerabilities says nothing about which of them threaten critical business processes. Metrics must be tied to business impact so that they demonstrate enterprise risk posture rather than activity.

Question 13

A control conflicts with existing architecture after deployment.

What should have occurred FIRST?

  A. Conduct integration and compatibility assessment
  B. Increase automation
  C. Replace infrastructure
  D. Ignore conflict
Answer & Explanation

Correct Answer: A

A conflict discovered after deployment means integration and compatibility were not assessed during design. Integration planning before implementation prevents operational disruption and rework.

Question 14

Asset classification is outdated after major digital expansion.

What is the PRIMARY risk?

  A. Reduced automation
  B. Misaligned control protection
  C. Vendor inefficiency
  D. Monitoring delay
Answer & Explanation

Correct Answer: B

If classification no longer reflects the current environment, newly added assets may be under-protected and legacy assets over-protected. Classification must be revisited whenever the business changes materially.

Question 15

A third-party vendor uses subcontractors without visibility.

What is the MOST appropriate action?

  A. Ignore subcontractors
  B. Replace vendor immediately
  C. Increase internal encryption
  D. Assess fourth-party exposure and enforce contractual safeguards
Answer & Explanation

Correct Answer: D

Subcontractors (fourth parties) extend the organization's exposure beyond the vendor it actually contracted with. The appropriate response is to assess that exposure and require contractual safeguards such as disclosure of subcontractors and flow-down of security obligations. Ignoring subcontractors or replacing the vendor outright are not proportionate first steps. Fourth-party oversight is part of vendor governance.

Question 16

Security reports show declining incident detection rates but no analysis.

What is the PRIMARY gap?

  A. Reduced automation
  B. Encryption weakness
  C. Lack of trend interpretation and governance insight
  D. Vendor inefficiency
Answer & Explanation

Correct Answer: C

A declining detection rate could mean fewer attacks, degraded detection capability, or a change in what is being measured; without analysis, leadership cannot tell which. Metrics require interpretation and context to support governance decisions.

Question 17

A high-risk control is tested less frequently than low-risk controls.

What is the PRIMARY issue?

  A. Misaligned testing frequency relative to risk
  B. Over-testing
  C. Encryption gap
  D. Vendor inefficiency
Answer & Explanation

Correct Answer: A

Testing effort should be allocated according to risk exposure. Testing a high-risk control less often than low-risk ones leaves the greatest exposure the least validated.

Question 18

A security policy exists but lacks enforcement mechanisms.

What is the PRIMARY weakness?

  A. Encryption gap
  B. Governance authority without operational support
  C. Monitoring delay
  D. Vendor inefficiency
Answer & Explanation

Correct Answer: B

A policy states intent, but without enforcement mechanisms (technical controls, monitoring, sanctions) it provides governance authority with no operational support. Policies must be enforceable to be effective.

Question 19

An awareness program is not updated despite new AI-based phishing techniques.

What is the PRIMARY risk?

  A. Reduced automation
  B. Encryption deficiency
  C. Vendor oversight
  D. Misalignment between training and threat landscape
Answer & Explanation

Correct Answer: D

Awareness content that does not reflect current attack techniques trains staff against threats they are less and less likely to face. Training must evolve with the threat landscape.

Question 20

A control reduces risk significantly but has no assigned owner.

What is the MOST significant risk?

  A. Encryption failure
  B. Vendor delay
  C. Lack of accountability for ongoing effectiveness
  D. Increased automation
Answer & Explanation

Correct Answer: C

Without an owner, no one is accountable for maintaining, monitoring and updating the control, so its effectiveness will erode over time. Control ownership is what makes a control sustainable.

Question 21

The security function expands its tooling without increasing staff capacity.

What is the PRIMARY long-term risk?

  A. Unsustainable program maturity
  B. Encryption gap
  C. Vendor inefficiency
  D. Monitoring delay
Answer & Explanation

Correct Answer: A

Tools require people to operate, tune and respond to them; adding tools without adding capacity produces unused tooling and alert backlogs. Program growth must align with resource capacity.

Question 22

Executive leadership is unaware of rising vendor risk exposure.

What is the PRIMARY governance failure?

  A. Encryption weakness
  B. Inadequate reporting and escalation
  C. Vendor inefficiency
  D. Reduced automation
Answer & Explanation

Correct Answer: B

Rising vendor risk that leadership does not know about cannot be governed. Reporting and escalation paths are what give governance its visibility.

Question 23

A mitigation control was selected without evaluating cost-benefit impact.

What principle was violated?

  A. Automation requirement
  B. Vendor governance
  C. Monitoring frequency
  D. Proportional control design
Answer & Explanation

Correct Answer: D

Selecting a control without weighing its cost against the risk reduction it delivers violates proportional control design. Controls must be economically and operationally rational.

Question 24

Repeated control failures are identified but not tracked for remediation.

What is the PRIMARY issue?

  A. Encryption gap
  B. Vendor oversight
  C. Lack of remediation governance process
  D. Monitoring delay
Answer & Explanation

Correct Answer: C

Identifying failures without tracking them to closure means the same failures recur. A remediation governance process assigns ownership, deadlines and verification so that findings are formally resolved.

Question 25

A mature security program must demonstrate sustainability. What is MOST critical?

  A. Balanced alignment of people, process, and technology
  B. Advanced tools
  C. Increased vulnerability scanning
  D. Vendor certification
Answer & Explanation

Correct Answer: A

Tools, scanning and certifications each address a single dimension. Long-term maturity requires people, process and technology to be balanced and aligned with the organization's risk appetite and capacity.


Domain 3 Executive Pattern Summary

In Domain 3:

  • Design controls proportionally.
  • Implement through governance.
  • Test regularly.
  • Train strategically.
  • Monitor vendors continuously.
  • Communicate in business language.
  • Balance people, process, and technology.

CISM rewards sustainable program leadership — not technical intensity.

Up next: CISM Domain 4: Incident Management