SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy
Increase business value and confidence
Cryptographic secure sockets layer (SSL) implementations and short key lengths
What happened and how the breach was resolved
2. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Stress testing
Identify the vulnerable systems and apply compensating controls
Public key infrastructure (PKI)
IP address packet filtering
3. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Public key infrastructure (PKI)
Transferred risk
Hacker
Background check
4. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Continuous monitoring control initiatives
Risk assessment - evaluation and impact analysis
All personnel
Continuous analysis - monitoring and feedback
5. The information security manager needs to prioritize the controls based on ________________________.
Background check
Risk management and the requirements of the organization
Countermeasure cost-benefit analysis
0-day vulnerabilities
6. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Data mart
Encryption
Audit objectives
Developing an information security baseline
7. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
BIA (Business Impact Assessment
Background checks of prospective employees
Platform security - intrusion detection and antivirus controls
Baseline standard and then develop additional standards
8. Utility program that detects and protects a personal computer from unauthorized intrusions
Personal firewall
Data warehouse
Control risk
Classification of assets needs
9. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Skills inventory
Identify the vulnerable systems and apply compensating controls
Identify the relevant systems and processes
10. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Support the business objectives of the organization
Rule-based access control
Comparison of cost of achievement
Spoofing attacks
11. Should PRIMARILY be based on regulatory and legal requirements.
Methodology used in the assessment
MAL wear
Consensus on risks and controls
Retention of business records
12. A notice that guarantees a user or a web site is legitimate
Exceptions to policy
Negotiating a local version of the organization standards
Digital certificate
Safeguards over keys
13. New security ulnerabilities should be managed through a ________________.
Multinational organization
Patch management process
People
0-day vulnerabilities
14. Needs to define the access rules - which is troublesome and error prone in large organizations.
Control risk
Virus
Transmit e-mail messages
Rule-based access control
15. To identify known vulnerabilities based on common misconfigurations and missing updates.
Applying the proper classification to the data
Fault-tolerant computer
Multinational organization
A network vulnerability assessment
16. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
A network vulnerability assessment
All personnel
Data classification
Impractical and is often cost-prohibitive
17. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Access control matrix
Return on security investment (ROSI)
0-day vulnerabilities
Encryption
18. Without _____________________ - there cannot be accountability.
Well-defined roles and responsibilities
Increase business value and confidence
Gain unauthorized access to applications
Defined objectives
19. A Successful risk management should lead to a ________________.
OBusiness case development
Reduce risk to an acceptable level
Breakeven point of risk reduction and cost
The balanced scorecard
20. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Biometric access control systems
Breakeven point of risk reduction and cost
Intrusion detection system (IDS)
Increase business value and confidence
21. Normally addressed through antivirus and antispyware policies.
People
Countermeasure cost-benefit analysis
Strategic alignment of security with business objectives
Malicious software and spyware
22. Oversees the overall classification management of the information.
Access control matrix
Risk management and the requirements of the organization
The information security officer
Equal error rate (EER)
23. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Prioritization
Power surge/over voltage (spike)
Identify the relevant systems and processes
Identify the vulnerable systems and apply compensating controls
24. The job of the information security officer on a management team is to ___________________.
Increase business value and confidence
Centralization of information security management
Assess the risks to the business operation
Defining high-level business security requirements
25. Should be determined from the risk assessment results.
Audit objectives
Overall organizational structure
Baseline standard and then develop additional standards
Inherent risk
26. Awareness - training and physical security defenses.
Vulnerability assessment
Assess the risks to the business operation
Examples of containment defenses
Centralization of information security management
27. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Cost of control
Gap analysis
The information security officer
Patch management process
28. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Countermeasure cost-benefit analysis
Stress testing
Increase business value and confidence
Reduce risk to an acceptable level
29. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Waterfall chart
All personnel
Stress testing
30. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Knowledge management
Proficiency testing
Patch management
Continuous monitoring control initiatives
31. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Centralized structure
Patch management
Residual risk would be reduced by a greater amount
Safeguards over keys
32. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
The board of directors and senior management
Data warehouse
Continuous analysis - monitoring and feedback
33. A method for analyzing and reducing a relational database to its most streamlined form
The data custodian
Normalization
Continuous monitoring control initiatives
Stress testing
34. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Certificate authority (CA)
Spoofing attacks
Monitoring processes
Compliance with the organization's information security requirements
35. Company or person you believe will not send a virus-infect file knowingly
Regulatory compliance
Data isolation
Trusted source
Platform security - intrusion detection and antivirus controls
36. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Protective switch covers
Centralization of information security management
Conduct a risk assessment
Owner of the information asset
37. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
The data custodian
Data owners
Assess the risks to the business operation
Reduce risk to an acceptable level
38. Should be a standard requirement for the service provider.
Cyber extortionist
The balanced scorecard
Background check
Creation of a business continuity plan
39. A repository of historical data organized by subject to support decision makers in the org
Platform security - intrusion detection and antivirus controls
Transferred risk
Data warehouse
Identify the relevant systems and processes
40. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Exceptions to policy
Security awareness training for all employees
Classification of assets needs
Assess the risks to the business operation
41. Carries out the technical administration.
Methodology used in the assessment
Spoofing attacks
Resource dependency assessment
The database administrator
42. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Defining high-level business security requirements
The balanced scorecard
Gain unauthorized access to applications
Continuous monitoring control initiatives
43. The PRIMARY goal in developing an information security strategy is to: _________________________.
Conduct a risk assessment
Continuous monitoring control initiatives
Annual loss expectancy (ALE)calculations
Support the business objectives of the organization
44. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Penetration testing
Background checks of prospective employees
Residual risk would be reduced by a greater amount
Worm
45. Would protect against spoofing an internal address but would not provide strong authentication.
Cyber terrorist
IP address packet filtering
Skills inventory
Single sign-on (SSO) product
46. Applications cannot access data associated with other apps
Internal risk assessment
Requirements of the data owners
Penetration testing
Data isolation
47. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
All personnel
Lack of change management
Resource dependency assessment
48. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Skills inventory
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Patch management process
Transmit e-mail messages
49. Occurs after the risk assessment process - it does not measure it.
Continuous analysis - monitoring and feedback
Negotiating a local version of the organization standards
Use of security metrics
People
50. Cannot be minimized
Digital certificate
The authentication process is broken
Inherent risk
Conduct a risk assessment
