SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
Exceptions to policy
The data custodian
Countermeasure cost-benefit analysis
2. Oversees the overall classification management of the information.
Defining and ratifying the classification structure of information assets
Transmit e-mail messages
Countermeasure cost-benefit analysis
The information security officer
3. Information security governance models are highly dependent on the _____________________.
Baseline standard and then develop additional standards
Cyber terrorist
Trojan horse
Overall organizational structure
4. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Virus
Asset classification
Two-factor authentication
Conduct a risk assessment
5. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
Multinational organization
Classification of assets needs
Digital signatures
6. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Cyber terrorist
Role-based policy
Breakeven point of risk reduction and cost
Get senior management onboard
7. Provide metrics to which outsourcing firms can be held accountable.
Classification of assets needs
Protective switch covers
Impractical and is often cost-prohibitive
Service level agreements (SLAs)
8. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Security risk
Well-defined roles and responsibilities
Total cost of ownership (TCO)
Calculating the value of the information or asset
9. Used to understand the flow of one process into another.
Annual loss expectancy (ALE)calculations
Single sign-on (SSO) product
Waterfall chart
Security code reviews for the entire software application
10. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Power surge/over voltage (spike)
Phishing
Vulnerability assessment
Baseline standard and then develop additional standards
11. Same intent as a cracker but does not have the technical skills and knowledge
Power surge/over voltage (spike)
Security awareness training for all employees
Script kiddie
Identify the vulnerable systems and apply compensating controls
12. Ensure that transmitted information can be attributed to the named sender.
Notifications and opt-out provisions
Inherent risk
Data warehouse
Digital signatures
13. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Virus
Information contained on the equipment
Owner of the information asset
Continuous analysis - monitoring and feedback
14. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Defining and ratifying the classification structure of information assets
Normalization
Defined objectives
What happened and how the breach was resolved
15. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Security awareness training for all employees
Resource dependency assessment
Baseline standard and then develop additional standards
Control risk
16. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Digital signatures
A network vulnerability assessment
Attributes and characteristics of the 'desired state'
People
17. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Notifications and opt-out provisions
Detection defenses
Countermeasure cost-benefit analysis
18. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
BIA (Business Impact Assessment
Data mart
Script kiddie
Properly aligned with business goals and objectives
19. Has full responsibility over data.
Security awareness training for all employees
Reduce risk to an acceptable level
The data owner
Residual risk would be reduced by a greater amount
20. The most important characteristic of good security policies is that they be ____________________.
Retention of business records
Deeper level of analysis
Aligned with organizational goals
What happened and how the breach was resolved
21. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Patch management process
Breakeven point of risk reduction and cost
Continuous analysis - monitoring and feedback
22. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Script kiddie
Power surge/over voltage (spike)
Gap analysis
23. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Centralization of information security management
Two-factor authentication
Biometric access control systems
Risk appetite
24. Program that hides within or looks like a legit program
Patch management process
Trojan horse
Cross-site scripting attacks
Calculating the value of the information or asset
25. A risk assessment should be conducted _________________.
Annually or whenever there is a significant change
Certificate authority (CA)
Role-based access control
Identify the vulnerable systems and apply compensating controls
26. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Intrusion detection system (IDS)
Regular review of access control lists
Public key infrastructure (PKI)
27. BEST option to improve accountability for a system administrator is to _____________________.
Gain unauthorized access to applications
include security responsibilities in a job description
Penetration testing
Nondisclosure agreement (NDA)
28. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Comparison of cost of achievement
Normalization
Total cost of ownership (TCO)
Worm
29. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Background checks of prospective employees
Risk management and the requirements of the organization
Decentralization
Single sign-on (SSO) product
30. All within the responsibility of the information security manager.
Platform security - intrusion detection and antivirus controls
Consensus on risks and controls
Biometric access control systems
Fault-tolerant computer
31. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Detection defenses
include security responsibilities in a job description
Methodology used in the assessment
Its ability to reduce or eliminate business risks
32. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Examples of containment defenses
Virus
Overall organizational structure
include security responsibilities in a job description
33. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
SWOT analysis
Trojan horse
Confidentiality
34. A key indicator of performance measurement.
Strategic alignment of security with business objectives
Role-based policy
Resource dependency assessment
Virus
35. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Do with the information it collects
Rule-based access control
Digital signatures
Comparison of cost of achievement
36. Awareness - training and physical security defenses.
Examples of containment defenses
SWOT analysis
Regular review of access control lists
Breakeven point of risk reduction and cost
37. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Notifications and opt-out provisions
Data owners
Annual loss expectancy (ALE)calculations
Platform security - intrusion detection and antivirus controls
38. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Classification of assets needs
The data custodian
Role-based access control
Prioritization
39. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Multinational organization
Nondisclosure agreement (NDA)
Virus detection
Centralization of information security management
40. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Lack of change management
Trojan horse
The data custodian
Nondisclosure agreement (NDA)
41. Someone who accesses a computer or network illegally
Regular review of access control lists
Assess the risks to the business operation
The balanced scorecard
Hacker
42. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Overall organizational structure
Intrusion detection system (IDS)
Strategic alignment of security with business objectives
Data classification
43. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Security awareness training for all employees
Creation of a business continuity plan
Acceptable use policies
44. Risk should be reduced to a level that an organization _____________.
Vulnerability assessment
Is willing to accept
Properly aligned with business goals and objectives
Owner of the information asset
45. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Requirements of the data owners
Do with the information it collects
A network vulnerability assessment
Reduce risk to an acceptable level
46. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Monitoring processes
Personal firewall
Nondisclosure agreement (NDA)
Malicious software and spyware
47. An information security manager has to impress upon the human resources department the need for _____________________.
Do with the information it collects
Security awareness training for all employees
Waterfall chart
Negotiating a local version of the organization standards
48. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Classification of assets needs
Overall organizational structure
Lack of change management
Power surge/over voltage (spike)
49. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Encryption
Transferred risk
Multinational organization
All personnel
50. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Calculating the value of the information or asset
The data owner
Countermeasure cost-benefit analysis