Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Cross-site scripting attacks
Audit objectives
Risk appetite
Breakeven point of risk reduction and cost
2. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Business case development
Cross-site scripting attacks
Its ability to reduce or eliminate business risks
Fault-tolerant computer
3. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Digital certificate
Conduct a risk assessment
Vulnerability assessment
Calculating the value of the information or asset
4. Without _____________________ - there cannot be accountability.
Transferred risk
Well-defined roles and responsibilities
Key risk indicator (KRI) setup
Audit objectives
5. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Role-based access control
Attributes and characteristics of the 'desired state'
Equal error rate (EER)
Key risk indicator (KRI) setup
6. Uses security metrics to measure the performance of the information security program.
Patch management
Cost of control
Power surge/over voltage (spike)
Information security manager
7. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
The authentication process is broken
Script kiddie
Transmit e-mail messages
Phishing
8. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Regulatory compliance
Data owners
Return on security investment (ROSI)
Biometric access control systems
9. When considering the value of assets, ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance.
Virus
Notifications and opt-out provisions
Comparison of cost of achievement
Applying the proper classification to the data
10. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Process of introducing changes to systems
Owner of the information asset
Risk management and the requirements of the organization
Tie security risks to key business objectives
11. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Alignment with business strategy
Single sign-on (SSO) product
Certificate authority (CA)
Key controls
12. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Knowledge management
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Gap analysis
Trojan horse
13. Should be a standard requirement for the service provider.
Inherent risk
Its ability to reduce or eliminate business risks
Background check
Penetration testing
14. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Encryption of the hard disks
Developing an information security baseline
Use of security metrics
Continuous analysis - monitoring and feedback
15. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
A network vulnerability assessment
Defining high-level business security requirements
Alignment with business strategy
Cyber terrorist
16. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Personal firewall
Role-based access control
The board of directors and senior management
SWOT analysis
17. By definition are not previously known and therefore are undetectable.
Encryption key management
Key controls
The data owner
0-day vulnerabilities
18. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Assess the risks to the business operation
Personal firewall
Retention of business records
Patch management
19. A key indicator of performance measurement.
Strategic alignment of security with business objectives
Intrusion detection system (IDS)
Normalization
Power surge/over voltage (spike)
20. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Negotiating a local version of the organization standards
Data isolation
The information security officer
Lack of change management
21. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Safeguards over keys
Consensus on risks and controls
Return on security investment (ROSI)
Owner of the information asset
22. The MOST important element of an information security strategy.
Calculating the value of the information or asset
Its ability to reduce or eliminate business risks
Countermeasure cost-benefit analysis
Defined objectives
23. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Risk assessment - evaluation and impact analysis
What happened and how the breach was resolved
Background check
24. Information security governance models are highly dependent on the _____________________.
Conduct a risk assessment
Get senior management onboard
Overall organizational structure
Monitoring processes
25. All within the responsibility of the information security manager.
Get senior management onboard
Its ability to reduce or eliminate business risks
Platform security - intrusion detection and antivirus controls
Retention of business records
26. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Annual loss expectancy (ALE) calculations
Conduct a risk assessment
Data classification
Trojan horse
27. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Role-based policy
Tailgating
Risk assessment - evaluation and impact analysis
Include security responsibilities in a job description
28. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Negotiating a local version of the organization standards
Do with the information it collects
Retention of business records
Patch management process
29. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Normalization
Malicious software and spyware
Transferred risk
Defined objectives
30. Should PRIMARILY be based on regulatory and legal requirements.
Cyber extortionist
Conduct a risk assessment
Retention of business records
Confidentiality
31. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Conduct a risk assessment
Return on security investment (ROSI)
Exceptions to policy
Safeguards over keys
32. Same intent as a cracker but does not have the technical skills and knowledge
Monitoring processes
Knowledge management
Logon banners
Script kiddie
33. When defining the information classification policy - the ___________________ need to be identified.
Two-factor authentication
Control effectiveness
Requirements of the data owners
Centralization of information security management
34. Has to be integrated into the requirements of every software application's design.
Risk appetite
Gain unauthorized access to applications
Countermeasure cost-benefit analysis
Encryption key management
35. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Spoofing attacks
Increase business value and confidence
Examples of containment defenses
36. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Data warehouse
Cracker
Worm
BIA (Business Impact Assessment)
37. Occurs when the electrical supply drops
Get senior management onboard
Calculating the value of the information or asset
A network vulnerability assessment
Undervoltage (brownout)
38. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Deeper level of analysis
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Consensus on risks and controls
Data mart
39. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Logon banners
What happened and how the breach was resolved
Risk appetite
Detection defenses
40. Only valid if assets have first been identified and appropriately valued.
Transmit e-mail messages
Cyber extortionist
Rule-based access control
Annual loss expectancy (ALE) calculations
41. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Personal firewall
Confidentiality
Calculating the value of the information or asset
Waterfall chart
42. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Examples of containment defenses
People
Control effectiveness
Patch management process
43. Occurs after the risk assessment process - it does not measure it.
Use of security metrics
Vulnerability assessment
Baseline standard and then develop additional standards
Malicious software and spyware
44. A risk assessment should be conducted _________________.
Cost of control
Transferred risk
Negotiating a local version of the organization standards
Annually or whenever there is a significant change
45. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Defining high-level business security requirements
Risk assessment - evaluation and impact analysis
Vulnerability assessment
46. The information security manager needs to prioritize the controls based on ________________________.
Baseline standard and then develop additional standards
Spoofing attacks
The database administrator
Risk management and the requirements of the organization
47. Accesses a computer or network illegally
Tie security risks to key business objectives
Detection defenses
Cyber terrorist
Cracker
48. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Breakeven point of risk reduction and cost
Knowledge management
Support the business objectives of the organization
Biometric access control systems
49. A successful risk management should lead to a ________________.
Confidentiality
Centralization of information security management
Rule-based access control
Breakeven point of risk reduction and cost
50. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Countermeasure cost-benefit analysis
Cost of control
Defined objectives