Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Baseline standard and then develop additional standards
Well-defined roles and responsibilities
Creation of a business continuity plan
2. Primarily reduce risk and are most effective for the protection of information assets.
Cyber extortionist
Personal firewall
BIA (Business Impact Assessment)
Key controls
3. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Threat assessment
Risk management and the requirements of the organization
Inherent risk
Methodology used in the assessment
4. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Developing an information security baseline
Examples of containment defenses
The authentication process is broken
5. Someone who uses the internet or network to destroy or damage computers for political reasons
A network vulnerability assessment
Alignment with business strategy
Cyber terrorist
Its ability to reduce or eliminate business risks
6. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
People
Breakeven point of risk reduction and cost
Protective switch covers
Single sign-on (SSO) product
7. A repository of historical data organized by subject to support decision makers in the organization
Monitoring processes
Data warehouse
The database administrator
Centralized structure
8. Cannot be minimized
Cyber terrorist
Hacker
Inherent risk
Support the business objectives of the organization
9. Utility program that detects and protects a personal computer from unauthorized intrusions
Personal firewall
Spoofing attacks
Stress testing
Normalization
10. A risk assessment should be conducted _________________.
Strategic alignment of security with business objectives
The board of directors and senior management
Defined objectives
Annually or whenever there is a significant change
11. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Data classification
Nondisclosure agreement (NDA)
Classification of assets needs
Transferred risk
12. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
13. Needs to define the access rules - which is troublesome and error prone in large organizations.
Alignment with business strategy
The data custodian
Rule-based access control
A network vulnerability assessment
14. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Access control matrix
Performing a risk assessment
Continuous analysis - monitoring and feedback
BIA (Business Impact Assessment)
15. When the ________________ is more than the cost of the risk, the risk should be accepted.
Prioritization
Applying the proper classification to the data
Cost of control
Deeper level of analysis
16. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Virus
SWOT analysis
Defining high-level business security requirements
Regulatory compliance
17. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works
Retention of business records
Trojan horse
Virus
Centralization of information security management
18. The risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized.
Residual risk
The balanced scorecard
Digital certificate
What happened and how the breach was resolved
19. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Data isolation
Two-factor authentication
Exceptions to policy
Waterfall chart
20. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information, exploit security launch, etc.
Baseline standard and then develop additional standards
Information contained on the equipment
Fault-tolerant computer
Cyber extortionist
21. Reducing risk to a level too small to measure is _______________.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Owner of the information asset
Return on security investment (ROSI)
Impractical and is often cost-prohibitive
22. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Examples of containment defenses
Identify the vulnerable systems and apply compensating controls
Owner of the information asset
Malicious software and spyware
23. Without _____________________, there cannot be accountability.
The data owner
Defining high-level business security requirements
Fault-tolerant computer
Well-defined roles and responsibilities
24. Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Prioritization
Risk appetite
Impractical and is often cost-prohibitive
Safeguards over keys
25. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Undervoltage (brownout)
Logon banners
Strategic alignment of security with business objectives
The authentication process is broken
26. Normally addressed through antivirus and antispyware policies.
Malicious software and spyware
Residual risk would be reduced by a greater amount
Centralization of information security management
Owner of the information asset
27. In order to highlight to management the importance of network security, the security manager should FIRST _______________.
Conduct a risk assessment
Confidentiality
Fault-tolerant computer
Digital signatures
28. The MOST important element of an information security strategy.
Skills inventory
Cyber extortionist
Patch management
Defined objectives
29. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations
Lack of change management
The data custodian
Background check
Compliance with the organization's information security requirements
30. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Audit objectives
Its ability to reduce or eliminate business risks
Platform security - intrusion detection and antivirus controls
Skills inventory
31. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Identify the relevant systems and processes
Return on security investment (ROSI)
Stress testing
Developing an information security baseline
32. Provides the most effective protection of data on mobile devices.
Encryption
Safeguards over keys
Detection defenses
Personal firewall
33. The best measure for preventing the unauthorized disclosure of confidential information.
Information contained on the equipment
Penetration testing
Get senior management onboard
Acceptable use policies
34. New security vulnerabilities should be managed through a ________________.
Deeper level of analysis
Security risk
Alignment with business strategy
Patch management process
35. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Skills inventory
Identify the vulnerable systems and apply compensating controls
Knowledge management
Total cost of ownership (TCO)
36. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Gap analysis
Identify the relevant systems and processes
Breakeven point of risk reduction and cost
Asset classification
37. The PRIMARY goal in developing an information security strategy is to: _________________________.
Risk appetite
Support the business objectives of the organization
Business case development
Creation of a business continuity plan
38. A successful risk management should lead to a ________________.
Continuous analysis - monitoring and feedback
Trusted source
Breakeven point of risk reduction and cost
Deeper level of analysis
39. Legal document to be signed by all employees, suppliers, etc. before they 'touch' the organization, to protect the organization's intellectual property.
Security awareness training for all employees
Script kiddie
Conduct a risk assessment
Nondisclosure agreement (NDA)
40. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Power surge/over voltage (spike)
Encryption key management
Information security manager
Data classification
41. The information security manager needs to prioritize the controls based on ________________________.
Tie security risks to key business objectives
Proficiency testing
Deeper level of analysis
Risk management and the requirements of the organization
42. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Equal error rate (EER)
Residual risk would be reduced by a greater amount
Examples of containment defenses
Biometric access control systems
43. Logging as well as monitoring, measuring, auditing, detecting viruses and intrusion.
Detection defenses
Aligned with organizational goals
Centralized structure
Public key infrastructure (PKI)
44. Most effective for evaluating the degree to which information security objectives are being met.
Stress testing
Data mart
The balanced scorecard
Business case development
45. It is easier to manage and control a _________________.
Centralized structure
Transferred risk
The balanced scorecard
Encryption
46. Would protect against spoofing an internal address but would not provide strong authentication.
Retention of business records
IP address packet filtering
Trojan horse
Centralization of information security management
47. The data owner is responsible for _______________________.
Applying the proper classification to the data
Virus detection
Continuous monitoring control initiatives
Cracker
48. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Spoofing attacks
Support the business objectives of the organization
Transmit e-mail messages
Audit objectives
49. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Malicious software and spyware
Reduce risk to an acceptable level
Impractical and is often cost-prohibitive
Centralized structure
50. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Malicious software and spyware
Certificate authority (CA)
The information security officer