Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Virus
Monitoring processes
Fault-tolerant computer
Worm

2. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Penetration testing
Knowledge management
Notifications and opt-out provisions
Alignment with business strategy

3. Should be a standard requirement for the service provider.
Penetration testing
Baseline standard and then develop additional standards
Background check
Information contained on the equipment

4. Occurs when the incoming level
Is willing to accept
Power surge/over voltage (spike)
Multinational organization
Negotiating a local version of the organization standards

5. Normally addressed through antivirus and antispyware policies.
Transferred risk
Monitoring processes
Malicious software and spyware
Methodology used in the assessment

6. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Intrusion detection system (IDS)
Cost of control
Return on security investment (ROSI)
Internal risk assessment

7. Responsible for securing the information.
Vulnerability assessment
The data custodian
Lack of change management
Role-based access control

8. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Countermeasure cost-benefit analysis
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Worm
BIA (Business Impact Assessment

9. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Is willing to accept
OBusiness case development
Cross-site scripting attacks

10. Someone who accesses a computer or network illegally
Hacker
Inherent risk
Risk appetite
Rule-based access control

11. Oversees the overall classification management of the information.
Information security manager
Breakeven point of risk reduction and cost
The information security officer
Security code reviews for the entire software application

12. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Service level agreements (SLAs)
Platform security - intrusion detection and antivirus controls
Virus detection
Data mart

13. Should be determined from the risk assessment results.
Transmit e-mail messages
Residual risk would be reduced by a greater amount
Virus detection
Audit objectives

14. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Support the business objectives of the organization
Retention of business records
Get senior management onboard
Regulatory compliance

15. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Intrusion detection system (IDS)
Normalization
The balanced scorecard

16. Cannot be minimized
Applying the proper classification to the data
Inherent risk
Data mart
Patch management

17. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Logon banners
Continuous monitoring control initiatives
Virus detection
Consensus on risks and controls

18. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Encryption key management
Overall organizational structure
Methodology used in the assessment

19. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.

Warning: Invalid argument supplied for foreach() in /var/www/html/basicversity.com/show_quiz.php on line 183

20. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Classification of assets needs
Confidentiality
Encryption
Performing a risk assessment

21. All within the responsibility of the information security manager.
Prioritization
Platform security - intrusion detection and antivirus controls
0-day vulnerabilities
Identify the relevant systems and processes

22. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
People
Encryption
Consensus on risks and controls
Safeguards over keys

23. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Identify the relevant systems and processes
Certificate authority (CA)
Vulnerability assessment
Resource dependency assessment

24. Without _____________________ - there cannot be accountability.
Annually or whenever there is a significant change
Developing an information security baseline
The database administrator
Well-defined roles and responsibilities

25. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Security awareness training for all employees
Negotiating a local version of the organization standards
Skills inventory

26. Inject malformed input.
Cross-site scripting attacks
Consensus on risks and controls
Role-based access control
Regulatory compliance

27. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Gap analysis
Use of security metrics
Process of introducing changes to systems

28. The MOST useful way to describe the objectives in the information security strategy is through ______________________.

Warning: Invalid argument supplied for foreach() in /var/www/html/basicversity.com/show_quiz.php on line 183

29. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Logon banners
Lack of change management
Cost of control
SWOT analysis

30. S small warehouse - designed for the end-user needs in a strategic business unit
Continuous monitoring control initiatives
Data mart
What happened and how the breach was resolved
Certificate authority (CA)

31. A repository of historical data organized by subject to support decision makers in the org
Decentralization
Data warehouse
Tailgating
Power surge/over voltage (spike)

32. Same intent as a cracker but does not have the technical skills and knowledge
Defining high-level business security requirements
Regulatory compliance
A network vulnerability assessment
Script kiddie

33. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Defined objectives
Regular review of access control lists
Data owners
Transferred risk

34. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Security code reviews for the entire software application
Increase business value and confidence
The authentication process is broken
Digital signatures

35. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Certificate authority (CA)
Identify the vulnerable systems and apply compensating controls
All personnel
Vulnerability assessment

36. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Virus detection
Annual loss expectancy (ALE)calculations
Logon banners
Transferred risk

37. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Malicious software and spyware
Return on security investment (ROSI)
Security baselines
Power surge/over voltage (spike)

38. Applications cannot access data associated with other apps
Data isolation
Trusted source
Defining high-level business security requirements
Use of security metrics

39. Focuses on identifying vulnerabilities.
A network vulnerability assessment
Penetration testing
People
Data classification

40. Carries out the technical administration.
Lack of change management
The database administrator
Total cost of ownership (TCO)
Monitoring processes

41. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Residual risk
Decentralization
Conduct a risk assessment
Security risk

42. The MOST important element of an information security strategy.
Process of introducing changes to systems
Defined objectives
Tailgating
Defining high-level business security requirements

43. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Process of introducing changes to systems
Support the business objectives of the organization
Protective switch covers
Calculating the value of the information or asset

44. Needs to define the access rules - which is troublesome and error prone in large organizations.
Logon banners
Rule-based access control
Trojan horse
Control risk

45. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Encryption of the hard disks
Role-based policy
Two-factor authentication
Personal firewall

46. Occurs when the electrical supply drops
Internal risk assessment
Comparison of cost of achievement
Undervoltage (brownout)
Threat assessment

47. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Performing a risk assessment
Methodology used in the assessment
Data warehouse
Baseline standard and then develop additional standards

48. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Information contained on the equipment
Retention of business records
Attributes and characteristics of the 'desired state'
Consensus on risks and controls

49. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
The board of directors and senior management
Public key infrastructure (PKI)
0-day vulnerabilities

50. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Nondisclosure agreement (NDA)
Confidentiality
0-day vulnerabilities
Data classification