The CSPM exam assesses the knowledge and skills required to manage security projects effectively. It focuses on risk management, project planning, budgeting, and security solutions implementation. Candidates will demonstrate their ability to manage resources, security systems, and project teams while ensuring compliance with industry standards.
Typology: Exams
Question 1. In the security project charter, which element most directly ties the project to regulatory compliance requirements?
A) Scope statement
B) Business case
C) Stakeholder register
D) Risk register
Answer: A
Explanation: The scope statement defines the boundaries of the project and specifically includes compliance objectives (e.g., GDPR, HIPAA), linking the work to regulatory requirements.

Question 2. A Security Project Manager is performing stakeholder analysis. Which stakeholder is most likely to influence the technical design of an access‑control system?
A) Facilities Manager
B) Chief Security Officer (CSO)
C) Legal Counsel
D) Procurement Officer
Answer: B
Explanation: The CSO has authority over security policies and technical standards, thus directly influencing the design of security systems.

Question 3. When calculating Return on Security Investment (ROSI), which of the following is NOT a typical input?
A) Cost of a data breach
B) Annual maintenance expense of the security system
C) Projected increase in sales revenue
D) Savings from avoided regulatory fines
Answer: C
Explanation: ROSI focuses on cost avoidance and risk reduction, not on revenue generation. Sales revenue is unrelated to security investment calculations.

Question 4. Which technique is most effective for eliciting security requirements that address confidentiality, integrity, and availability (CIA)?
A) Brainstorming with end users
B) Interviewing the IT network team
C) Conducting a threat‑modeling workshop
D) Reviewing the organization’s budget spreadsheet
Answer: C
Explanation: Threat modeling explicitly maps threats to CIA objectives, ensuring requirements address all three security pillars.

Question 5. In system specification development for a video surveillance solution, the term “minimum resolvable detail” primarily relates to:
A) Storage capacity planning
B) Camera lens focal length
C) Image quality needed for identification
D) Network bandwidth allocation
Answer: C
Explanation: Minimum resolvable detail defines the smallest facial feature that must be discernible, guiding camera resolution specifications.
Answer: C
Explanation: Segregating ACS traffic on a dedicated VLAN improves security and performance by isolating control traffic from other network traffic.

Question 9. When planning storage for a VMS that records at 1080p/30 fps using H. compression, which factor most heavily influences the required capacity?
A) Number of camera lenses
B) Frame rate (fps)
C) Size of the server rack
D) Type of hard‑drive interface (SATA vs. SAS)
Answer: B
Explanation: Higher frame rates generate more video data per second, directly increasing storage requirements.

Question 10. A motion sensor in an intrusion detection system (IDS) is placed near a high‑traffic hallway. Which configuration reduces false alarms?
A) Set the sensor to “continuous” mode
B) Increase the sensitivity threshold
C) Reduce the detection zone angle to 90°
D) Disable the sensor during business hours
Answer: C
Explanation: Narrowing the detection zone limits the area monitored, reducing triggers from unrelated movement.

Question 11. Which principle of CPTED focuses on designing spaces that increase natural surveillance?
A) Territorial reinforcement
B) Natural surveillance
C) Access control
D) Maintenance
Answer: B
Explanation: Natural surveillance uses sightlines, lighting, and placement to make illicit activity more observable.

Question 12. In a security risk assessment, the “likelihood” component is best expressed as:
A) Monetary loss estimate
B) Number of affected records
C) Probability of occurrence (e.g., 0.1 %)
D) Duration of system downtime
Answer: C
Explanation: Likelihood quantifies how probable a threat event is, typically expressed as a probability or frequency.

Question 13. When drafting an RFP for a biometric access‑control system, which specification is essential to ensure data privacy compliance?
A) Minimum finger‑print resolution of 500 dpi
B) Encryption of biometric templates at rest and in transit
C) Use of a proprietary operating system
D) Integration with legacy RFID readers
Answer: B
B) Social engineering phone call
C) Red‑team physical intrusion attempt
D) Application source‑code review
Answer: C
Explanation: A red‑team physical intrusion test simulates an attacker attempting to breach the facility’s physical defenses.

Question 17. In the installation phase, which PPE is mandatory when working with high‑voltage power supplies for door locks?
A) Safety glasses only
B) Insulated gloves and safety boots
C) Hard hat and hearing protection
D) Respirator mask
Answer: B
Explanation: Insulated gloves and safety boots protect against electric shock when handling high‑voltage components.

Question 18. Which practice ensures that configuration files for IP cameras are not exposed during project handover?
A) Storing them on a public SharePoint site
B) Encrypting the files and transferring via a secure file‑transfer protocol (SFTP)
C) Printing hard copies for the client
D) Embedding passwords in the camera firmware
Answer: B
Explanation: Encrypting and using SFTP protects sensitive configuration data during transfer.

Question 19. After a security project is completed, which artifact captures lessons related to vendor performance and regulatory hurdles?
A) Project charter
B) Risk register
Answer: C
Explanation: The lessons‑learned document records insights on vendor performance, compliance challenges, and other project experiences.

Question 20. A security system’s expected useful life is 7 years. Which maintenance approach aligns with this lifecycle?
A) Reactive maintenance only after failure
B) Scheduled preventive maintenance every 12 months
C) Replacing all components every 3 years
D) No maintenance; rely on warranties
Answer: B
Explanation: Preventive maintenance on an annual basis helps ensure the system remains functional throughout its 7‑year lifespan.

Question 21. Which convergence scenario requires coordination between physical access control and logical network access?
A) Installing a new fire alarm panel
B) Deploying a badge‑reader that also triggers VPN authentication
C) Adding more CCTV cameras
D) Upgrading the building’s HVAC system
Answer: B
B) Configuring a tiered alert system that requires human verification before escalation
C) Increasing camera resolution to 4K
D) Using analog cameras instead of IP
Answer: B
Explanation: A tiered alert system ensures that only verified events trigger response actions, reducing unnecessary alarms.

Question 25. Redundant power for a critical CCTV server is best provided by:
A) A single UPS with a 30‑minute runtime
B) Dual UPS units in an N+1 configuration with generator backup
C) Additional battery packs placed on the floor
D) Relying on the building’s main power only
Answer: B
Explanation: Dual UPS units with N+1 redundancy and generator backup ensure continuous power even if one component fails.

Question 26. In a disaster‑recovery (DR) plan for a security system, which component should be replicated off‑site?
A) Door hardware locks
B) Video footage archives
C) Physical badge cards
D) Security guard schedules
Answer: B
Explanation: Off‑site replication of video archives protects critical evidence from site‑specific disasters.

Question 27. Which project integration process ensures that the security project aligns with the organization’s overall risk‑management framework?
A) Scope definition
B) Stakeholder communication plan
C) Change control management
D) Integration of the security risk register into the enterprise risk register
Answer: D
Explanation: Merging the project’s risk register with the enterprise register guarantees alignment with overall risk‑management strategies.

Question 28. During requirements elicitation, a “use case” diagram is most useful for:
A) Defining network topology
B) Illustrating interactions between users and the ACS
C) Calculating storage requirements
D) Selecting camera lenses
Answer: B
Explanation: Use case diagrams capture functional interactions between actors (e.g., employees) and the system, aiding requirement definition.

Question 29. Which standard provides guidelines for fire‑rated enclosures used to protect security equipment?
A) UL 94
B) NFPA 70
C) IEC 60601
D) ISO 27001
Answer: A
B) Color of the badge cards
C) Length of the Ethernet cable runs
D) Height of the building
Answer: A
Explanation: The number of badge holders determines the size of the database tables and indexing requirements.

Question 33. In a video‑surveillance system, the term “bit‑rate” directly affects:
A) Camera mounting height
B) Required storage capacity and network bandwidth
C) Lens focal length
D) Motion‑sensor sensitivity
Answer: B
Explanation: Bit‑rate is the amount of data transmitted per second; higher bit‑rates increase storage and bandwidth needs.

Question 34. Which of the following is a key consideration when selecting a lock for a high‑security door that must meet UL 437 standards?
A) Color of the lock housing
B) Use of a magnetic latch instead of a mechanical lock
C) Compatibility with both electric strike and magnetic lock actuation
D) Availability of a keypad for PIN entry only
Answer: C
Explanation: UL 437 certification requires that the lock function correctly with approved actuators, such as electric strikes or mag‑locks.

Question 35. During a physical‑security audit, a “tailgating” observation is recorded. Which mitigation aligns with CPTED principles?
A) Installing more CCTV cameras
B) Adding a turnstile with anti‑tailgating sensors
C) Increasing the number of security guards
D) Re‑keying all doors annually
Answer: B
Explanation: Anti‑tailgating turnstiles physically prevent unauthorized individuals from following authorized users, enhancing natural surveillance.

Question 36. A project manager must choose between two video‑analytics vendors. Vendor A offers on‑premises AI processing; Vendor B offers cloud‑based analytics. Which factor is most critical when the organization has strict data‑residency requirements?
A) License cost per camera
B) Ability to process video locally without sending data off‑site
C) Number of supported camera models
D) Availability of a mobile app
Answer: B
Explanation: On‑premises processing keeps video data within the organization’s jurisdiction, satisfying data‑residency constraints.

Question 37. Which procurement clause most directly protects the organization if a security device is found to have a critical vulnerability after installation?
A) “Force‑majeure” clause
B) “Warranty of merchantability” clause
C) “Security patch and update obligation” clause
B) Ability to tolerate two simultaneous disk failures
C) Lower cost per terabyte compared to single‑disk storage
D) Simplified backup procedures
Answer: B
Explanation: RAID 6 provides dual parity, allowing the array to survive two concurrent disk failures, enhancing data availability.

Question 41. When integrating a biometric reader with an existing ACS, which data‑privacy principle must be documented in the system’s privacy impact assessment?
A) Data minimization – storing only the template, not raw biometric images
B) Data duplication across multiple servers
C) Unlimited retention of raw biometric images
D) Sharing templates with third‑party marketing firms
Answer: A
Explanation: Data minimization reduces privacy risk by retaining only the necessary biometric template.

Question 42. Which of the following is the most appropriate KPI to monitor the effectiveness of an intrusion‑detection system?
A) Number of cameras installed per floor
B) Mean time to acknowledge (MTTA) an alarm event
C) Total length of cable runs
D) Average badge‑holder enrollment time
Answer: B
Explanation: MTTA measures how quickly the security team responds to an IDS alarm, reflecting system effectiveness.

Question 43. During project closure, which document formally transfers ownership of the security system to the operations team?
A) Project charter
B) Acceptance certificate (or “punch‑list” sign‑off)
C) Risk register
D) Stakeholder register
Answer: B
Explanation: The acceptance certificate confirms that the deliverables meet requirements and transfers responsibility to operations.

Question 44. Which emerging technology enables a security manager to remotely audit door‑access logs using blockchain for tamper‑evidence?
A) Distributed ledger‑based access‑log system
B) Traditional SQL database with audit trails
C) RFID tags with local storage only
D) Analog key‑card logbooks
Answer: A
Explanation: Blockchain’s immutable ledger provides tamper‑evident logging for remote auditability.

Question 45. A security project requires integration with an existing Identity‑and‑Access‑Management (IAM) platform. Which protocol is most commonly used for this purpose?
A) SMTP
B) SAML (Security Assertion Markup Language)
Question 48. Which clause in a security‑system SLA specifies the maximum allowable downtime per month?
A) Service availability guarantee
B) Data retention clause
C) Change‑management procedure
D) Termination for convenience
Answer: A
Explanation: The availability guarantee defines uptime percentages and permissible downtime.

Question 49. When performing a security‑system “walk‑through” inspection, the presence of “tamper‑evident seals” on camera enclosures primarily addresses which security objective?
A) Confidentiality
B) Integrity
C) Availability
D) Non‑repudiation
Answer: B
Explanation: Tamper‑evident seals help ensure that hardware has not been altered, protecting system integrity.

Question 50. Which of the following best describes “defense‑in‑depth” in the context of a security project?
A) Using a single, highly robust firewall
B) Layering multiple security controls across physical, technical, and administrative domains
C) Relying solely on encryption for data protection
D) Outsourcing all security functions to a third‑party vendor
Answer: B
Explanation: Defense‑in‑depth employs overlapping controls at different layers to reduce the chance of a single point of failure.

Question 51. A project manager must decide on a video‑compression codec. Which codec generally offers the best storage efficiency while maintaining acceptable image quality for forensic review?
A) MJPEG
B) H.264 (AVC)
C) MPEG‑2
D) H.265 (HEVC)
Answer: D
Explanation: H.265 provides roughly 50 % better compression than H.264 at comparable quality, reducing storage needs.

Question 52. Which security standard defines requirements for the physical protection of information processing facilities?
A) ISO 27001
B) IEC 62443
C) NIST SP 800‑53 (Physical and Environmental Protection)
D) PCI‑DSS
Answer: C
Explanation: NIST SP 800‑53 includes a dedicated family for Physical and Environmental Protection controls.