Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.

1. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.

2. The risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized.

3. Only valid if assets have first been identified and appropriately valued.

4. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.

5. Company or person you believe will not send a virus-infected file knowingly

6. The BEST justification to convince management to invest in an information security program is that doing so would _________________.

7. By definition are not previously known and therefore are undetectable.

8. The PRIMARY goal in developing an information security strategy is to _________________________.

9. Whenever personal data are transferred across national boundaries, ________________________ are required.

10. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.

11. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and it must be considered for the full life cycle of the control.

12. A notice that guarantees a user or a web site is legitimate

13. Without _____________________, there cannot be accountability.

14. Someone who accesses a computer or network illegally

15. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.

16. Security design flaws require a ____________________.

17. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.

18. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.

19. New security vulnerabilities should be managed through a ________________.

20. An effective tool but primarily focuses on malicious code from external sources, and only for those applications that are online.

21. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.

22. Primarily reduce risk and are most effective for the protection of information assets.

23. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.

24. Applications cannot access data associated with other apps

25. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.

26. A function of the session keys distributed by the PKI.

27. Has full responsibility over data.

28. Are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.

29. The information security manager needs to prioritize the controls based on ________________________.

30. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.

31. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.

32. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.

33. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.

34. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.

35. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information

36. Should be determined from the risk assessment results.

37. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations.

38. Occurs when the electrical supply drops

39. Because past performance is a strong predictor of future performance, _______________________ best prevents attacks from originating within an organization.

40. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability

41. When mobile equipment is lost or stolen, the ______________________ matters most in determining the impact of the loss.

42. The best measure for preventing the unauthorized disclosure of confidential information.

43. BEST option to improve accountability for a system administrator is to _____________________.

44. Cannot be minimized

45. It is more efficient to establish a ___________________ for locations that must meet specific requirements.

46. Someone who uses the internet or network to destroy or damage computers for political reasons

47. Also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law.

48. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.

49. Occurs after the risk assessment process; it does not measure it.

50. When defining the information classification policy, the ___________________ need to be identified.