Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times that the answers are obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Residual risk would be reduced by a greater amount
Attributes and characteristics of the 'desired state'
Developing an information security baseline
Threat assessment
2. Someone who uses the internet or network to destroy or damage computers for political reasons
Do with the information it collects
Cyber terrorist
The awareness and agreement of the data subjects
Creation of a business continuity plan
3. Provide metrics to which outsourcing firms can be held accountable.
Annual loss expectancy (ALE) calculations
Strategic alignment of security with business objectives
Penetration testing
Service level agreements (SLAs)
4. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
All personnel
A network vulnerability assessment
Transmit e-mail messages
Identify the relevant systems and processes
5. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Worm
People
Key controls
6. Successful risk management should lead to a ________________.
Process of introducing changes to systems
Key risk indicator (KRI) setup
Methodology used in the assessment
Breakeven point of risk reduction and cost
7. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Security awareness training for all employees
Access control matrix
Undervoltage (brownout)
8. New security vulnerabilities should be managed through a ________________.
Background checks of prospective employees
Risk appetite
Patch management process
Patch management
9. The most important characteristic of good security policies is that they be ____________________.
Aligned with organizational goals
Cyber extortionist
Encryption key management
Script kiddie
10. It is easier to manage and control a _________________.
What happened and how the breach was resolved
Worm
Asset classification
Centralized structure
11. Has to be integrated into the requirements of every software application's design.
Breakeven point of risk reduction and cost
BIA (Business Impact Assessment)
Security code reviews for the entire software application
Encryption key management
12. Computer that has duplicate components so it can continue to operate when one of its main components fails
Fault-tolerant computer
Risk management and the requirements of the organization
Role-based access control
Exceptions to policy
13. Program that hides within, or looks like, a legitimate program
Tailgating
Trojan horse
Service level agreements (SLAs)
BIA (Business Impact Assessment)
14. The primary role of the information security manager in the process of information classification within the organization.
Get senior management onboard
Defining high-level business security requirements
Defining and ratifying the classification structure of information assets
Properly aligned with business goals and objectives
15. Will associate data access with the role performed by an individual, thus restricting access to the data required to perform the individual's tasks.
Requirements of the data owners
Role-based policy
Conduct a risk assessment
Fault-tolerant computer
16. Responsible for securing the information.
Inherent risk
The data custodian
Is willing to accept
The balanced scorecard
17. From a security standpoint, _______________________ is one of the most important topics that should be included in the contract with a third-party service provider.
18. Oversees the overall classification management of the information.
The information security officer
The balanced scorecard
Regular review of access control lists
Proficiency testing
19. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Cyber extortionist
Reduce risk to an acceptable level
Negotiating a local version of the organization standards
Decentralization
20. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Gap analysis
Security baselines
Baseline standard and then develop additional standards
21. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Identify the vulnerable systems and apply compensating controls
Resource dependency assessment
Control effectiveness
Impractical and is often cost-prohibitive
22. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information, launch a security exploit, etc.
Skills inventory
Risk management and the requirements of the organization
Defining and ratifying the classification structure of information assets
Cyber extortionist
23. By definition are not previously known and therefore are undetectable.
Aligned with organizational goals
0-day vulnerabilities
Patch management process
Retention of business records
24. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works
Virus
Strategic alignment of security with business objectives
Intrusion detection system (IDS)
Cyber terrorist
25. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations
Asset classification
Encryption of the hard disks
Lack of change management
Security baselines
26. Applications cannot access data associated with other apps
Transmit e-mail messages
Data warehouse
Patch management process
Data isolation
27. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis, monitoring and feedback
Identify the vulnerable systems and apply compensating controls
Annual loss expectancy (ALE) calculations
Spoofing attacks
28. A trusted third party that attests to the identity of the signatory, and reliance will be a function of the level of trust afforded the CA.
Penetration testing
Certificate authority (CA)
Background checks of prospective employees
Cyber terrorist
29. While useful for identifying the difference between the current state and the desired future state, e.g. an organization has to comply with recently published industry regulatory requirements that potentially have high implementation costs -
Requirements of the data owners
The database administrator
Comparison of cost of achievement
Gap analysis
30. Determined by the business risk, i.e. the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the
Two-factor authentication
Residual risk
Data classification
Assess the risks to the business operation
31. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Aligned with organizational goals
Total cost of ownership (TCO)
Properly aligned with business goals and objectives
Transmit e-mail messages
32. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.
Protective switch covers
The database administrator
Is willing to accept
Monitoring processes
33. Occurs after the risk assessment process; it does not measure it.
Process of introducing changes to systems
Background checks of prospective employees
Inherent risk
Use of security metrics
34. The risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized.
Key controls
Residual risk
Detection defenses
Internal risk assessment
35. Has full responsibility over data.
Monitoring processes
Developing an information security baseline
Retention of business records
The data owner
36. The best measure for preventing the unauthorized disclosure of confidential information.
Trusted source
Impractical and is often cost-prohibitive
A network vulnerability assessment
Acceptable use policies
37. When developing an information security program, _________________ would help identify the available resources, any gaps, and the training requirements for developing resources.
Information contained on the equipment
Skills inventory
Owner of the information asset
The balanced scorecard
38. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Protective switch covers
Transferred risk
Do with the information it collects
Audit objectives
39. Provides the most effective protection of data on mobile devices.
Properly aligned with business goals and objectives
Rule-based access control
Encryption
Acceptable use policies
40. A risk assessment should be conducted _________________.
Conduct a risk assessment
Annually or whenever there is a significant change
Background check
Business case development
41. A notice that guarantees a user or a web site is legitimate
Control effectiveness
Digital certificate
Malware
Defined objectives
42. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i
Hacker
What happened and how the breach was resolved
Stress testing
Centralization of information security management
43. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is ______________, which would appear every time the user logs on, and the user would be required to read and agree
People
Logon banners
Is willing to accept
A network vulnerability assessment
44. Should be a standard requirement for the service provider.
Reduce risk to an acceptable level
Exceptions to policy
Control risk
Background check
45. Awareness, training and physical security defenses.
Examples of containment defenses
Annually or whenever there is a significant change
Centralized structure
Data classification
46. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Regulatory compliance
Properly aligned with business goals and objectives
Defined objectives
Two-factor authentication
47. A function of the session keys distributed by the PKI.
Gap analysis
All personnel
A network vulnerability assessment
Confidentiality
48. Culture has a significant impact on how information security will be implemented in a ______________________.
Public key infrastructure (PKI)
Detection defenses
Multinational organization
Waterfall chart
49. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________, which, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but
SWOT analysis
Patch management process
Monitoring processes
Business case development
50. Also required to guarantee fulfillment of the laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law.
Spoofing attacks
The awareness and agreement of the data subjects
Tie security risks to key business objectives
Monitoring processes