Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Ensure that transmitted information can be attributed to the named sender.
Power surge/over voltage (spike)
Equal error rate (EER)
Digital signatures
Encryption

2. All within the responsibility of the information security manager.
Platform security - intrusion detection and antivirus controls
All personnel
Skills inventory
Role-based policy

3. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Risk management and the requirements of the organization
Transferred risk
Breakeven point of risk reduction and cost

4. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Knowledge management
Data owners
Residual risk
Multinational organization

5. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
The data owner
The awareness and agreement of the data subjects
Total cost of ownership (TCO)
SWOT analysis

6. Only valid if assets have first been identified and appropriately valued.
Platform security - intrusion detection and antivirus controls
Control risk
Annual loss expectancy (ALE)calculations
Identify the relevant systems and processes

7. Useful but only with regard to specific technical skills.
Cross-site scripting attacks
Proficiency testing
Penetration testing
Requirements of the data owners

8. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Creation of a business continuity plan
Detection defenses
Worm
Audit objectives

9. A risk assessment should be conducted _________________.
Data owners
Do with the information it collects
Applying the proper classification to the data
Annually or whenever there is a significant change

10. Applications cannot access data associated with other apps
The information security officer
Notifications and opt-out provisions
Data isolation
Creation of a business continuity plan

11. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Data classification
Risk management and the requirements of the organization
Consensus on risks and controls
Virus detection

12. It is easier to manage and control a _________________.
Data classification
Centralized structure
Transmit e-mail messages
Methodology used in the assessment

13. Without _____________________ - there cannot be accountability.
Monitoring processes
Well-defined roles and responsibilities
Asset classification
Control risk

14. Someone who uses the internet or network to destroy or damage computers for political reasons
Stress testing
Audit objectives
Waterfall chart
Cyber terrorist

15. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
The awareness and agreement of the data subjects
Lack of change management
Continuous analysis - monitoring and feedback
Return on security investment (ROSI)

16. Primarily reduce risk and are most effective for the protection of information assets.
Key controls
Spoofing attacks
Impractical and is often cost-prohibitive
Increase business value and confidence

17. S small warehouse - designed for the end-user needs in a strategic business unit
Audit objectives
The database administrator
Data mart
Key risk indicator (KRI) setup

18. Utility program that detects and protects a personal computer from unauthorized intrusions
Applying the proper classification to the data
Personal firewall
Security awareness training for all employees
Cryptographic secure sockets layer (SSL) implementations and short key lengths

19. Risk should be reduced to a level that an organization _____________.
Encryption of the hard disks
Certificate authority (CA)
Is willing to accept
Conduct a risk assessment

20. provides the most effective protection of data on mobile devices.
Role-based access control
Encryption key management
Encryption
Protective switch covers

21. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Access control matrix
Assess the risks to the business operation
Acceptable use policies
Undervoltage (brownout)

22. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
The board of directors and senior management
Its ability to reduce or eliminate business risks
Methodology used in the assessment

23. A function of the session keys distributed by the PKI.
0-day vulnerabilities
Asset classification
Confidentiality
Negotiating a local version of the organization standards

24. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Deeper level of analysis
Key risk indicator (KRI) setup
Patch management
Residual risk would be reduced by a greater amount

25. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
Key controls
include security responsibilities in a job description
Role-based access control

26. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Service level agreements (SLAs)
Continuous monitoring control initiatives
Centralization of information security management
Undervoltage (brownout)

27. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Protective switch covers
Key controls
Data classification
Tailgating

28. Normally addressed through antivirus and antispyware policies.
Continuous analysis - monitoring and feedback
MAL wear
Malicious software and spyware
People

29. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Compliance with the organization's information security requirements
Data mart
Certificate authority (CA)
Inherent risk

30. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Patch management
Attributes and characteristics of the 'desired state'
Defining high-level business security requirements
Continuous analysis - monitoring and feedback

31. Occurs when the electrical supply drops
A network vulnerability assessment
Undervoltage (brownout)
The authentication process is broken
Well-defined roles and responsibilities

32. Provides process needs but not impact.
Audit objectives
Patch management process
Resource dependency assessment
Security risk

33. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Strategic alignment of security with business objectives
Digital signatures
Patch management process
Information contained on the equipment

34. Provides strong online authentication.
Public key infrastructure (PKI)
Digital certificate
Asset classification
Breakeven point of risk reduction and cost

35. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Use of security metrics
Patch management
The authentication process is broken
Control effectiveness

36. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Security baselines
Continuous analysis - monitoring and feedback
Penetration testing
Protective switch covers

37. The PRIMARY goal in developing an information security strategy is to: _________________________.
Tailgating
Support the business objectives of the organization
Attributes and characteristics of the 'desired state'
Stress testing

38. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Conduct a risk assessment
Use of security metrics
Retention of business records
All personnel

39. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Aligned with organizational goals
The board of directors and senior management
Penetration testing
Classification of assets needs

40. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Annual loss expectancy (ALE)calculations
Malicious software and spyware
Platform security - intrusion detection and antivirus controls
Increase business value and confidence

41. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Fault-tolerant computer
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Defined objectives
Decentralization

42. Awareness - training and physical security defenses.
Performing a risk assessment
Logon banners
Annually or whenever there is a significant change
Examples of containment defenses

43. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Identify the relevant systems and processes
Increase business value and confidence
Digital certificate
Asset classification

44. Culture has a significant impact on how information security will be implemented in a ______________________.
Information security manager
The information security officer
Control effectiveness
Multinational organization

45. BEST option to improve accountability for a system administrator is to _____________________.
Breakeven point of risk reduction and cost
Rule-based access control
include security responsibilities in a job description
Cross-site scripting attacks

46. Has full responsibility over data.
Role-based policy
Confidentiality
Centralized structure
The data owner

47. The MOST useful way to describe the objectives in the information security strategy is through ______________________.

Warning: Invalid argument supplied for foreach() in /var/www/html/basicversity.com/show_quiz.php on line 183

48. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
People
Security risk
Deeper level of analysis
Biometric access control systems

49. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
The board of directors and senior management
Gain unauthorized access to applications
Creation of a business continuity plan
Owner of the information asset

50. A notice that guarantees a user or a web site is legitimate
Digital certificate
Internal risk assessment
OBusiness case development
Negotiating a local version of the organization standards