Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes. If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from the answers to other questions, so at times the correct answer may be obvious, but taking the test repeatedly reinforces your understanding.
1. The MOST important element of an information security strategy.
Defined objectives
Support the business objectives of the organization
Regular review of access control lists
The information security officer
2. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Penetration testing
Classification of assets needs
Tailgating
3. In order to highlight to management the importance of network security, the security manager should FIRST _______________.
Conduct a risk assessment
Cracker
Defining and ratifying the classification structure of information assets
Power surge/over voltage (spike)
4. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
What happened and how the breach was resolved
Control risk
Risk appetite
Countermeasure cost-benefit analysis
5. Provide minimum recommended settings and do not prevent the introduction of control weaknesses.
A network vulnerability assessment
Transmit e-mail messages
Security baselines
Threat assessment
6. If the firewall allows source routing, an outsider can carry out _________________ by using the organization's internal (private) IP addresses as forged source addresses.
Attributes and characteristics of the 'desired state'
Spoofing attacks
Continuous analysis - monitoring and feedback
Data isolation
7. The MAIN reason why _______________ is important to a successful information security program is that classification determines the appropriate level of protection for each asset.
Asset classification
Role-based access control
IP address packet filtering
Business case development
8. The data owner is responsible for _______________________.
Applying the proper classification to the data
The data custodian
Intrusion detection system (IDS)
Return on security investment (ROSI)
9. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Regular review of access control lists
Encryption key management
Alignment with business strategy
Stress testing
10. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Return on security investment (ROSI)
Security awareness training for all employees
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Malware
11. Applications cannot access data associated with other apps
Support the business objectives of the organization
Overall organizational structure
Data isolation
Its ability to reduce or eliminate business risks
12. The risk that remains after an effective risk management program has been put in place; acceptable risk is achieved when this amount is reduced to a level the organization is willing to accept.
Alignment with business strategy
Creation of a business continuity plan
Residual risk
Malware
13. The amount of residual risk (the risk that remains after controls are applied) that a business is willing to live with; it is key to the organization's _____________ and directly affects its viability.
Residual risk
Security code reviews for the entire software application
Cracker
Risk appetite
14. A risk assessment should be conducted _________________.
Comparison of cost of achievement
Key controls
Is willing to accept
Annually or whenever there is a significant change
15. A successful risk management program should lead to a ________________.
Do with the information it collects
Defined objectives
Prioritization
Breakeven point of risk reduction and cost
16. Occurs after the risk assessment process - it does not measure it.
Tie security risks to key business objectives
Detection defenses
Use of security metrics
All personnel
17. Only valid if assets have first been identified and appropriately valued.
Impractical and is often cost-prohibitive
Trusted source
Annual loss expectancy (ALE) calculations
Certificate authority (CA)
18. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Performing a risk assessment
Process of introducing changes to systems
Transferred risk
Intrusion detection system (IDS)
19. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Key controls
Annually or whenever there is a significant change
Risk assessment - evaluation and impact analysis
The board of directors and senior management
20. Cannot be minimized
Requirements of the data owners
The database administrator
Inherent risk
Countermeasure cost-benefit analysis
21. Responsible for securing the information.
Use of security metrics
Role-based policy
The data custodian
Its ability to reduce or eliminate business risks
22. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Cost of control
Total cost of ownership (TCO)
Exceptions to policy
Skills inventory
23. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Continuous monitoring control initiatives
Centralized structure
Two-factor authentication
Safeguards over keys
24. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it establishes a cost baseline and must be considered for the full life cycle of the control.
Platform security - intrusion detection and antivirus controls
Total cost of ownership (TCO)
Business case development
Encryption of the hard disks
25. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Alignment with business strategy
Threat assessment
Return on security investment (ROSI)
Prioritization
26. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Nondisclosure agreement (NDA)
Transmit e-mail messages
Threat assessment
Gain unauthorized access to applications
27. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
The authentication process is broken
The balanced scorecard
Negotiating a local version of the organization standards
28. A process that helps organizations capture and manage important knowledge that forms part of the organization's memory.
Security code reviews for the entire software application
Continuous analysis - monitoring and feedback
Overall organizational structure
Knowledge management
29. _____________________ is a severe omission that greatly increases information security risk; it presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations.
Confidentiality
Undervoltage (brownout)
Digital certificate
Lack of change management
30. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to economies of scale; however, turnaround can be slower due to weaker alignment with business units.
Get senior management onboard
Virus detection
Centralization of information security management
Worm
31. Occurs when the incoming level
Transferred risk
Security baselines
Prioritization
Power surge/over voltage (spike)
32. Awareness, training and physical security defenses.
Script kiddie
Examples of containment defenses
Protective switch covers
Compliance with the organization's information security requirements
33. Focuses on identifying vulnerabilities.
Penetration testing
Aligned with organizational goals
Proficiency testing
Service level agreements (SLAs)
34. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements: ______________ would appear every time the user logs on, and the user would be required to read and agree to them.
The board of directors and senior management
Logon banners
Overall organizational structure
Encryption
35. Oversees the overall classification management of the information.
A network vulnerability assessment
The information security officer
Gain unauthorized access to applications
Regulatory compliance
36. An information security manager has to impress upon the human resources department the need for _____________________.
Continuous analysis - monitoring and feedback
Security awareness training for all employees
Service level agreements (SLAs)
Defined objectives
37. Reducing risk to a level too small to measure is _______________.
Transferred risk
Risk management and the requirements of the organization
Encryption
Impractical and is often cost-prohibitive
38. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Properly aligned with business goals and objectives
Residual risk would be reduced by a greater amount
Prioritization
Background checks of prospective employees
39. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Centralized structure
SWOT analysis
Vulnerability assessment
All personnel
40. Security design flaws require a ____________________.
Owner of the information asset
Retention of business records
Its ability to reduce or eliminate business risks
Deeper level of analysis
41. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Support the business objectives of the organization
Patch management
The database administrator
Deeper level of analysis
42. The information security manager needs to prioritize the controls based on ________________________.
Defining and ratifying the classification structure of information assets
Cyber extortionist
Risk management and the requirements of the organization
SWOT analysis
43. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Protective switch covers
Service level agreements (SLAs)
Control effectiveness
Countermeasure cost-benefit analysis
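Questions 17 and 43 above both rest on the same arithmetic: annual loss expectancy (ALE) is the single loss expectancy (asset value times exposure factor) multiplied by the annualized rate of occurrence, and a countermeasure is justified when the ALE reduction it buys exceeds its annualized cost. The following is an added example, not material from the quiz or from ISACA; the asset, its value, the exposure factors, occurrence rates and control costs are all constructed sample figures. It also enforces the point of question 17: ALE cannot be computed for an asset that has not been valued.

```python
"""Worked countermeasure cost-benefit analysis (added example).

ALE = SLE * ARO, where SLE = asset value * exposure factor (EF).
A control is cost-justified when (ALE_before - ALE_after) exceeds its
annualized cost, and candidate controls are prioritized by net annual benefit.
Every figure below is a constructed sample value, not data from the quiz.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # monetary value; ALE is meaningless without it


@dataclass(frozen=True)
class Control:
    name: str
    tco: float        # total cost of ownership over the control's service life
    years: int        # service life used to annualize the TCO
    ef_after: float   # exposure factor once the control is in place
    aro_after: float  # annualized rate of occurrence once the control is in place


def single_loss_expectancy(asset: Asset, exposure_factor: float) -> float:
    """SLE: the fraction of the asset's value lost in a single incident."""
    if asset.value <= 0:
        raise ValueError(f"asset {asset.name!r} must be valued before computing ALE")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.value * exposure_factor


def annual_loss_expectancy(asset: Asset, exposure_factor: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(asset, exposure_factor) * aro


def annualized_cost(control: Control) -> float:
    """Spread the control's life-cycle cost (TCO) over its service life."""
    if control.years <= 0:
        raise ValueError("service life must be at least one year")
    return control.tco / control.years


def net_annual_benefit(asset: Asset, ef_before: float, aro_before: float,
                       control: Control) -> float:
    """Annual ALE reduction delivered by the control minus its annualized cost."""
    ale_before = annual_loss_expectancy(asset, ef_before, aro_before)
    ale_after = annual_loss_expectancy(asset, control.ef_after, control.aro_after)
    return (ale_before - ale_after) - annualized_cost(control)


def prioritize_controls(asset: Asset, ef_before: float, aro_before: float,
                        controls: list) -> list:
    """Rank controls by net annual benefit, best first.

    Returns (name, net benefit) pairs; a negative value means the control
    costs more per year than the loss it prevents and is not justified.
    """
    scored = [(c.name, net_annual_benefit(asset, ef_before, aro_before, c))
              for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a customer database valued at 2,000,000. Without further
# controls a breach exposes 25% of its value and is expected once every 4 years,
# so ALE before controls = 2,000,000 * 0.25 * 0.25 = 125,000 per year.
CUSTOMER_DB = Asset("customer database", 2_000_000.0)
EF_BEFORE, ARO_BEFORE = 0.25, 0.25

CANDIDATE_CONTROLS = [
    Control("database encryption with key management", tco=150_000, years=5,
            ef_after=0.05, aro_after=0.25),
    Control("two-factor authentication for DBAs", tco=90_000, years=3,
            ef_after=0.25, aro_after=0.10),
    Control("enterprise DLP suite", tco=1_200_000, years=5,
            ef_after=0.02, aro_after=0.20),
]

if __name__ == "__main__":
    print(f"ALE before controls: {annual_loss_expectancy(CUSTOMER_DB, EF_BEFORE, ARO_BEFORE):,.0f}")
    for name, benefit in prioritize_controls(CUSTOMER_DB, EF_BEFORE, ARO_BEFORE, CANDIDATE_CONTROLS):
        verdict = "justified" if benefit > 0 else "NOT justified"
        print(f"{name:45s} net annual benefit {benefit:>12,.0f}  ({verdict})")
```

With the sample figures, encryption reduces ALE from 125,000 to 25,000 for 30,000 a year (net 70,000), two-factor authentication reduces it to 50,000 for 30,000 a year (net 45,000), and the DLP suite reduces it to 8,000 but costs 240,000 a year, so it fails the comparison in question 43 despite being the strongest control technically. Note that the ranking is only as good as the asset valuation feeding it, which is exactly the caveat in question 17.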
44. Program that copies itself repeatedly, using up resources and possibly shutting down the computer or network.
Worm
Calculating the value of the information or asset
Undervoltage (brownout)
Impractical and is often cost-prohibitive
45. The best measure for preventing the unauthorized disclosure of confidential information.
The board of directors and senior management
Gain unauthorized access to applications
Background check
Acceptable use policies
46. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Knowledge management
Script kiddie
Regular review of access control lists
Monitoring processes
47. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Centralized structure
Tie security risks to key business objectives
Centralization of information security management
Public key infrastructure (PKI)
48. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Fault-tolerant computer
Key controls
Safeguards over keys
49. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Detection defenses
The information security officer
Encryption of the hard disks
Control effectiveness
50. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Alignment with business strategy
Information contained on the equipment
Hacker