Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
What happened and how the breach was resolved
Encryption of the hard disks
Confidentiality
2. The best strategy for risk management is to ___________________ - as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Digital certificate
Reduce risk to an acceptable level
Examples of containment defenses
SWOT analysis
3. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Annual loss expectancy (ALE) calculations
Methodology used in the assessment
Encryption of the hard disks
Data isolation
4. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Spoofing attacks
Threat assessment
Business case development
What happened and how the breach was resolved
5. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Defining high-level business security requirements
Malware
Centralization of information security management
Information contained on the equipment
6. Should be a standard requirement for the service provider.
Strategic alignment of security with business objectives
Access control matrix
Background check
Risk assessment - evaluation and impact analysis
7. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Malicious software and spyware
Detection defenses
Creation of a business continuity plan
8. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Security baselines
Threat assessment
0-day vulnerabilities
Continuous analysis - monitoring and feedback
9. A key indicator of performance measurement.
Cracker
Strategic alignment of security with business objectives
Public key infrastructure (PKI)
0-day vulnerabilities
10. A method for analyzing and reducing a relational database to its most streamlined form
Deeper level of analysis
Spoofing attacks
Normalization
Audit objectives
11. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Requirements of the data owners
Decentralization
Protective switch covers
Centralization of information security management
12. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Alignment with business strategy
Developing an information security baseline
Data isolation
Get senior management onboard
13. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Threat assessment
Certificate authority (CA)
Regulatory compliance
Alignment with business strategy
14. The data owner is responsible for _______________________.
Equal error rate (EER)
Inherent risk
Applying the proper classification to the data
Properly aligned with business goals and objectives
15. All within the responsibility of the information security manager.
Public key infrastructure (PKI)
Security code reviews for the entire software application
The data custodian
Platform security - intrusion detection and antivirus controls
16. Ensure that transmitted information can be attributed to the named sender.
Digital signatures
Compliance with the organization's information security requirements
Continuous analysis - monitoring and feedback
Background check
17. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Risk appetite
Identify the relevant systems and processes
Total cost of ownership (TCO)
Patch management
18. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Exceptions to policy
Fault-tolerant computer
Consensus on risks and controls
Is willing to accept
19. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Baseline standard and then develop additional standards
Residual risk
Attributes and characteristics of the 'desired state'
Logon banners
20. Identification and _______________ of business risk enables project managers to address areas with most significance.
Prioritization
Background checks of prospective employees
Power surge/over voltage (spike)
Patch management
21. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Aligned with organizational goals
Spoofing attacks
Control risk
Annually or whenever there is a significant change
22. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Knowledge management
Well-defined roles and responsibilities
Data classification
Residual risk would be reduced by a greater amount
23. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
SWOT analysis
Threat assessment
Annual loss expectancy (ALE) calculations
24. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Requirements of the data owners
Owner of the information asset
Equal error rate (EER)
Cyber terrorist
25. Awareness - training and physical security defenses.
Personal firewall
Risk management and the requirements of the organization
Methodology used in the assessment
Examples of containment defenses
26. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Control risk
Spoofing attacks
Certificate authority (CA)
Background checks of prospective employees
27. The PRIMARY goal in developing an information security strategy is to: _________________________.
Cyber terrorist
Support the business objectives of the organization
Centralized structure
Residual risk
28. The job of the information security officer on a management team is to ___________________.
Access control matrix
Resource dependency assessment
Assess the risks to the business operation
Encryption
29. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Notifications and opt-out provisions
BIA (Business Impact Assessment)
Developing an information security baseline
Key risk indicator (KRI) setup
30. Oversees the overall classification management of the information.
The information security officer
Certificate authority (CA)
Multinational organization
Data classification
31. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Audit objectives
Virus
Increase business value and confidence
Centralization of information security management
32. New security vulnerabilities should be managed through a ________________.
Overall organizational structure
Examples of containment defenses
Do with the information it collects
Patch management process
33. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Control risk
Knowledge management
Notifications and opt-out provisions
34. Accesses a computer or network illegally
Virus
Logon banners
Cracker
Information security manager
35. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Methodology used in the assessment
0-day vulnerabilities
Continuous monitoring control initiatives
36. A notice that guarantees a user or a web site is legitimate
Digital certificate
Virus
Prioritization
Regular review of access control lists
37. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Strategic alignment of security with business objectives
Process of introducing changes to systems
Protective switch covers
Exceptions to policy
38. The primary role of the information security manager in the process of information classification within the organization.
Defining and ratifying the classification structure of information assets
Security risk
Breakeven point of risk reduction and cost
Digital signatures
39. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Alignment with business strategy
Gain unauthorized access to applications
Security risk
Data isolation
40. Occurs when the incoming level
Public key infrastructure (PKI)
Detection defenses
Power surge/over voltage (spike)
Encryption of the hard disks
41. Culture has a significant impact on how information security will be implemented in a ______________________.
Logon banners
Multinational organization
Tailgating
Risk management and the requirements of the organization
42. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Applying the proper classification to the data
Regular review of access control lists
Virus
Two-factor authentication
43. Provides strong online authentication.
Public key infrastructure (PKI)
Platform security - intrusion detection and antivirus controls
Equal error rate (EER)
Consensus on risks and controls
44. The most important characteristic of good security policies is that they be ____________________.
Data classification
Comparison of cost of achievement
Aligned with organizational goals
Penetration testing
45. Utility program that detects and protects a personal computer from unauthorized intrusions
Consensus on risks and controls
Personal firewall
Access control matrix
Spoofing attacks
46. Should be performed to identify the risk and determine needed controls.
Internal risk assessment
Increase business value and confidence
Do with the information it collects
Data isolation
47. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Cross-site scripting attacks
Use of security metrics
Tie security risks to key business objectives
Safeguards over keys
48. Risk should be reduced to a level that an organization _____________.
Is willing to accept
Aligned with organizational goals
Normalization
Business case development
49. Uses security metrics to measure the performance of the information security program.
Detection defenses
Information security manager
Virus
Business case development
50. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Trojan horse
The authentication process is broken
Multinational organization
Decentralization