SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
OBusiness case development
Security risk
Overall organizational structure
Countermeasure cost-benefit analysis
2. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Baseline standard and then develop additional standards
Waterfall chart
Internal risk assessment
Power surge/over voltage (spike)
3. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
All personnel
Countermeasure cost-benefit analysis
Strategic alignment of security with business objectives
Attributes and characteristics of the 'desired state'
4. Most effective for evaluating the degree to which information security objectives are being met.
Prioritization
Power surge/over voltage (spike)
Patch management process
The balanced scorecard
5. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Centralization of information security management
Defining and ratifying the classification structure of information assets
Confidentiality
Role-based policy
6. Has to be integrated into the requirements of every software application's design.
Prioritization
Cracker
Encryption key management
Creation of a business continuity plan
7. The job of the information security officer on a management team is to ___________________.
Multinational organization
Assess the risks to the business operation
Decentralization
Safeguards over keys
8. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
What happened and how the breach was resolved
Safeguards over keys
Trusted source
9. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Biometric access control systems
Use of security metrics
Access control matrix
Stress testing
10. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
People
Identify the vulnerable systems and apply compensating controls
Total cost of ownership (TCO)
Malicious software and spyware
11. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Lack of change management
Identify the relevant systems and processes
Cost of control
Fault-tolerant computer
12. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Trusted source
Decentralization
People
Cross-site scripting attacks
13. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Personal firewall
Detection defenses
Encryption of the hard disks
14. Useful but only with regard to specific technical skills.
Safeguards over keys
Normalization
Proficiency testing
Reduce risk to an acceptable level
15. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Phishing
Multinational organization
Comparison of cost of achievement
Data owners
16. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Transmit e-mail messages
Risk assessment - evaluation and impact analysis
Notifications and opt-out provisions
BIA (Business Impact Assessment
17. Provides process needs but not impact.
Equal error rate (EER)
Resource dependency assessment
Classification of assets needs
Tie security risks to key business objectives
18. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Conduct a risk assessment
Performing a risk assessment
Cracker
Data owners
19. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Safeguards over keys
Security code reviews for the entire software application
Negotiating a local version of the organization standards
Regular review of access control lists
20. Accesses a computer or network illegally
Regulatory compliance
Certificate authority (CA)
Return on security investment (ROSI)
Cracker
21. The MOST important element of an information security strategy.
Cost of control
People
include security responsibilities in a job description
Defined objectives
22. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Security code reviews for the entire software application
Security baselines
Assess the risks to the business operation
Properly aligned with business goals and objectives
23. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Encryption of the hard disks
Penetration testing
Cyber terrorist
Inherent risk
24. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Equal error rate (EER)
Detection defenses
Knowledge management
Intrusion detection system (IDS)
25. Programs that act without a user's knowledge and deliberately alter a computer's operations
MAL wear
Retention of business records
Cracker
Biometric access control systems
26. Ensures that there are no scalability problems.
Public key infrastructure (PKI)
Stress testing
Gap analysis
Security risk
27. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
Access control matrix
Support the business objectives of the organization
Key risk indicator (KRI) setup
28. When defining the information classification policy - the ___________________ need to be identified.
Hacker
Encryption
Requirements of the data owners
Defining high-level business security requirements
29. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Encryption of the hard disks
Strategic alignment of security with business objectives
SWOT analysis
Role-based access control
30. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
All personnel
Normalization
Data owners
31. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Control risk
Stress testing
Internal risk assessment
All personnel
32. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Security risk
Alignment with business strategy
Residual risk
Tie security risks to key business objectives
33. Focuses on identifying vulnerabilities.
Conduct a risk assessment
MAL wear
Penetration testing
Deeper level of analysis
34. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Knowledge management
Virus detection
Gap analysis
Well-defined roles and responsibilities
35. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Penetration testing
Intrusion detection system (IDS)
Centralization of information security management
Owner of the information asset
36. Without _____________________ - there cannot be accountability.
Trojan horse
Well-defined roles and responsibilities
Acceptable use policies
Support the business objectives of the organization
37. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
Control effectiveness
Get senior management onboard
Continuous monitoring control initiatives
38. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Risk assessment - evaluation and impact analysis
Equal error rate (EER)
Malicious software and spyware
Phishing
39. The best measure for preventing the unauthorized disclosure of confidential information.
Monitoring processes
Is willing to accept
Acceptable use policies
Spoofing attacks
40. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Malicious software and spyware
The database administrator
Continuous monitoring control initiatives
Creation of a business continuity plan
41. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Creation of a business continuity plan
Security code reviews for the entire software application
Classification of assets needs
42. Should PRIMARILY be based on regulatory and legal requirements.
Residual risk would be reduced by a greater amount
Audit objectives
Retention of business records
The awareness and agreement of the data subjects
43. By definition are not previously known and therefore are undetectable.
Certificate authority (CA)
0-day vulnerabilities
Risk appetite
Normalization
44. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Background check
Risk management and the requirements of the organization
Properly aligned with business goals and objectives
Control effectiveness
45. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Its ability to reduce or eliminate business risks
OBusiness case development
The data owner
Creation of a business continuity plan
46. A method for analyzing and reducing a relational database to its most streamlined form
Trusted source
Control effectiveness
Normalization
Security baselines
47. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Asset classification
Security code reviews for the entire software application
Waterfall chart
48. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
0-day vulnerabilities
Centralization of information security management
SWOT analysis
Centralized structure
49. Whenever personal data are transferred across national boundaries; ________________________ are required.
Stress testing
Hacker
The awareness and agreement of the data subjects
Undervoltage (brownout)
50. A repository of historical data organized by subject to support decision makers in the org
Decentralization
Data warehouse
Residual risk
Cracker