SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Well-defined roles and responsibilities
OBusiness case development
Protective switch covers
Examples of containment defenses
2. By definition are not previously known and therefore are undetectable.
0-day vulnerabilities
Creation of a business continuity plan
Cost of control
Baseline standard and then develop additional standards
3. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Equal error rate (EER)
Performing a risk assessment
Biometric access control systems
Centralization of information security management
4. Ensures that there are no scalability problems.
Security risk
Strategic alignment of security with business objectives
Stress testing
Overall organizational structure
5. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Role-based access control
Well-defined roles and responsibilities
Reduce risk to an acceptable level
Digital certificate
6. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
All personnel
Developing an information security baseline
OBusiness case development
Data warehouse
7. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Use of security metrics
Comparison of cost of achievement
Examples of containment defenses
Exceptions to policy
8. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
9. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
BIA (Business Impact Assessment
The awareness and agreement of the data subjects
Total cost of ownership (TCO)
Knowledge management
10. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
include security responsibilities in a job description
Background checks of prospective employees
Two-factor authentication
Patch management process
11. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Stress testing
Script kiddie
Knowledge management
Detection defenses
12. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Phishing
Single sign-on (SSO) product
Breakeven point of risk reduction and cost
Strategic alignment of security with business objectives
13. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
OBusiness case development
Hacker
Negotiating a local version of the organization standards
Information contained on the equipment
14. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Use of security metrics
The board of directors and senior management
Risk appetite
Identify the relevant systems and processes
15. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
What happened and how the breach was resolved
Encryption of the hard disks
The data owner
Residual risk
16. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Transmit e-mail messages
Consensus on risks and controls
Impractical and is often cost-prohibitive
Support the business objectives of the organization
17. Risk should be reduced to a level that an organization _____________.
Attributes and characteristics of the 'desired state'
Is willing to accept
Background checks of prospective employees
Inherent risk
18. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Prioritization
Process of introducing changes to systems
Skills inventory
Baseline standard and then develop additional standards
19. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Encryption key management
Compliance with the organization's information security requirements
Virus
Return on security investment (ROSI)
20. The data owner is responsible for _______________________.
Data classification
Return on security investment (ROSI)
Applying the proper classification to the data
0-day vulnerabilities
21. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Worm
Trusted source
Key controls
22. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Increase business value and confidence
Baseline standard and then develop additional standards
Calculating the value of the information or asset
23. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Detection defenses
Internal risk assessment
Annually or whenever there is a significant change
Security risk
24. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Penetration testing
The data custodian
Developing an information security baseline
Spoofing attacks
25. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Continuous analysis - monitoring and feedback
Encryption of the hard disks
Get senior management onboard
26. A notice that guarantees a user or a web site is legitimate
Safeguards over keys
Conduct a risk assessment
Aligned with organizational goals
Digital certificate
27. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
What happened and how the breach was resolved
Calculating the value of the information or asset
Use of security metrics
Security baselines
28. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Data owners
Information contained on the equipment
Consensus on risks and controls
Information security manager
29. The job of the information security officer on a management team is to ___________________.
Logon banners
Platform security - intrusion detection and antivirus controls
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Assess the risks to the business operation
30. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
Overall organizational structure
OBusiness case development
Data owners
31. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Protective switch covers
Threat assessment
Deeper level of analysis
Information contained on the equipment
32. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Lack of change management
Data warehouse
The board of directors and senior management
33. Has full responsibility over data.
Performing a risk assessment
Cross-site scripting attacks
The data owner
Audit objectives
34. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Key risk indicator (KRI) setup
Impractical and is often cost-prohibitive
Control effectiveness
Biometric access control systems
35. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Annual loss expectancy (ALE)calculations
The board of directors and senior management
Platform security - intrusion detection and antivirus controls
Examples of containment defenses
36. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Regulatory compliance
Overall organizational structure
Detection defenses
Role-based policy
37. Same intent as a cracker but does not have the technical skills and knowledge
include security responsibilities in a job description
Tailgating
Defining and ratifying the classification structure of information assets
Script kiddie
38. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
39. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Hacker
Applying the proper classification to the data
Process of introducing changes to systems
Internal risk assessment
40. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Background check
Transferred risk
Baseline standard and then develop additional standards
Knowledge management
41. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Strategic alignment of security with business objectives
The information security officer
IP address packet filtering
42. Identification and _______________ of business risk enables project managers to address areas with most significance.
Prioritization
Trojan horse
Multinational organization
Waterfall chart
43. Has to be integrated into the requirements of every software application's design.
Encryption key management
Key risk indicator (KRI) setup
Risk appetite
Acceptable use policies
44. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Prioritization
Safeguards over keys
Tailgating
Methodology used in the assessment
45. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Residual risk
Defined objectives
Single sign-on (SSO) product
46. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Calculating the value of the information or asset
Malicious software and spyware
Decentralization
SWOT analysis
47. Utility program that detects and protects a personal computer from unauthorized intrusions
Well-defined roles and responsibilities
Key risk indicator (KRI) setup
Personal firewall
Data isolation
48. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
A network vulnerability assessment
Risk assessment - evaluation and impact analysis
Overall organizational structure
Cracker
49. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy
Attributes and characteristics of the 'desired state'
BIA (Business Impact Assessment
People
50. Occurs when the electrical supply drops
Undervoltage (brownout)
Logon banners
Patch management
Rule-based access control