CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Focuses on identifying vulnerabilities.
Penetration testing
Gain unauthorized access to applications
Strategic alignment of security with business objectives
Cost of control
2. Responsible for securing the information.
The data custodian
Centralized structure
Requirements of the data owners
Control risk
3. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Strategic alignment of security with business objectives
Transferred risk
Key risk indicator (KRI) setup
Cryptographic secure sockets layer (SSL) implementations and short key lengths
4. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Spoofing attacks
Asset classification
Increase business value and confidence
5. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Security baselines
Equal error rate (EER)
What happened and how the breach was resolved
Alignment with business strategy
6. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Key risk indicator (KRI) setup
Process of introducing changes to systems
Reduce risk to an acceptable level
7. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Audit objectives
Countermeasure cost-benefit analysis
Tailgating
Certificate authority (CA)
8. Used to understand the flow of one process into another.
Detection defenses
Control risk
The board of directors and senior management
Waterfall chart
9. Carries out the technical administration.
Strategic alignment of security with business objectives
Undervoltage (brownout)
The database administrator
Examples of containment defenses
10. Identification and _______________ of business risk enables project managers to address areas with most significance.
Information contained on the equipment
Prioritization
Power surge/over voltage (spike)
Patch management process
11. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Deeper level of analysis
Its ability to reduce or eliminate business risks
Penetration testing
Residual risk would be reduced by a greater amount
12. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Business case development
Do with the information it collects
Residual risk
Internal risk assessment
13. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Spoofing attacks
Worm
Prioritization
Vulnerability assessment
14. A successful risk management should lead to a ________________.
Breakeven point of risk reduction and cost
Aligned with organizational goals
Undervoltage (brownout)
Methodology used in the assessment
15. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Role-based policy
Control risk
Hacker
Consensus on risks and controls
16. The best measure for preventing the unauthorized disclosure of confidential information.
Continuous monitoring control initiatives
Two-factor authentication
A network vulnerability assessment
Acceptable use policies
17. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Worm
Countermeasure cost-benefit analysis
Detection defenses
Inherent risk
18. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Acceptable use policies
Fault-tolerant computer
0-day vulnerabilities
What happened and how the breach was resolved
19. Needs to define the access rules - which is troublesome and error prone in large organizations.
Continuous monitoring control initiatives
Rule-based access control
Annual loss expectancy (ALE) calculations
Applying the proper classification to the data
20. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
The data custodian
Biometric access control systems
Worm
21. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
Is willing to accept
Applying the proper classification to the data
Attributes and characteristics of the 'desired state'
22. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Impractical and is often cost-prohibitive
Tie security risks to key business objectives
Single sign-on (SSO) product
Process of introducing changes to systems
23. Whenever personal data are transferred across national boundaries; ________________________ are required.
Is willing to accept
Hacker
The awareness and agreement of the data subjects
Continuous analysis - monitoring and feedback
24. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Cracker
Trojan horse
Digital certificate
25. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Monitoring processes
Identify the relevant systems and processes
Role-based policy
26. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Examples of containment defenses
Owner of the information asset
Power surge/over voltage (spike)
Access control matrix
27. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Impractical and is often cost-prohibitive
Single sign-on (SSO) product
Gap analysis
Applying the proper classification to the data
28. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Requirements of the data owners
Negotiating a local version of the organization standards
Safeguards over keys
Business case development
29. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gain unauthorized access to applications
Patch management
Fault-tolerant computer
Hacker
30. Computer that has duplicate components so it can continue to operate when one of its main components fails
Intrusion detection system (IDS)
Background checks of prospective employees
The authentication process is broken
Fault-tolerant computer
31. Applications cannot access data associated with other apps
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Encryption
Data isolation
Malicious software and spyware
32. Ensure that transmitted information can be attributed to the named sender.
The database administrator
Residual risk would be reduced by a greater amount
Transferred risk
Digital signatures
33. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Requirements of the data owners
Identify the relevant systems and processes
Overall organizational structure
Phishing
34. Company or person you believe will not send a virus-infected file knowingly
Malware
Data isolation
Role-based access control
Trusted source
35. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Role-based policy
Defining high-level business security requirements
Nondisclosure agreement (NDA)
Transmit e-mail messages
36. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Asset classification
Return on security investment (ROSI)
Access control matrix
Impractical and is often cost-prohibitive
37. When defining the information classification policy - the ___________________ need to be identified.
Internal risk assessment
Requirements of the data owners
Performing a risk assessment
The authentication process is broken
38. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Properly aligned with business goals and objectives
Biometric access control systems
Background checks of prospective employees
Stress testing
39. A repository of historical data organized by subject to support decision makers in the organization
Aligned with organizational goals
Patch management process
Cyber extortionist
Data warehouse
40. Occurs after the risk assessment process - it does not measure it.
Information contained on the equipment
Use of security metrics
Power surge/over voltage (spike)
Multinational organization
41. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Do with the information it collects
Annual loss expectancy (ALE) calculations
Protective switch covers
Baseline standard and then develop additional standards
42. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Stress testing
Role-based policy
Regular review of access control lists
Do with the information it collects
43. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Role-based access control
Knowledge management
Properly aligned with business goals and objectives
Digital certificate
44. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
The balanced scorecard
Encryption
Two-factor authentication
Methodology used in the assessment
45. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Spoofing attacks
Information contained on the equipment
Asset classification
Residual risk would be reduced by a greater amount
46. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Security code reviews for the entire software application
Reduce risk to an acceptable level
Continuous analysis - monitoring and feedback
Intrusion detection system (IDS)
47. Uses security metrics to measure the performance of the information security program.
Performing a risk assessment
Reduce risk to an acceptable level
Information security manager
Data isolation
48. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
The data custodian
Overall organizational structure
Acceptable use policies
Risk appetite
49. Provides the most effective protection of data on mobile devices.
Control effectiveness
Single sign-on (SSO) product
Encryption
Tie security risks to key business objectives
50. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Methodology used in the assessment
Virus
Asset classification
Include security responsibilities in a job description