Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Total cost of ownership (TCO)
Retention of business records
Waterfall chart
2. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Regulatory compliance
Is willing to accept
Business case development
Access control matrix
3. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Script kiddie
IP address packet filtering
Information security manager
Tailgating
4. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Virus
Identify the vulnerable systems and apply compensating controls
Applying the proper classification to the data
Defining and ratifying the classification structure of information assets
5. The data owner is responsible for _______________________.
Continuous monitoring control initiatives
Cost of control
Applying the proper classification to the data
Background check
6. Accesses a computer or network illegally
All personnel
Confidentiality
Cracker
A network vulnerability assessment
7. Provide metrics to which outsourcing firms can be held accountable.
include security responsibilities in a job description
BIA (Business Impact Assessment)
Undervoltage (brownout)
Service level agreements (SLAs)
8. Applications cannot access data associated with other apps
Data isolation
Two-factor authentication
Protective switch covers
Risk management and the requirements of the organization
9. All within the responsibility of the information security manager.
Platform security - intrusion detection and antivirus controls
Two-factor authentication
Notifications and opt-out provisions
Patch management process
10. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Audit objectives
Phishing
Threat assessment
Classification of assets needs
11. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Encryption
Do with the information it collects
Nondisclosure agreement (NDA)
Comparison of cost of achievement
12. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Do with the information it collects
Cyber terrorist
Prioritization
13. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Get senior management onboard
Equal error rate (EER)
Threat assessment
Is willing to accept
14. Used to understand the flow of one process into another.
Protective switch covers
Total cost of ownership (TCO)
Waterfall chart
Transmit e-mail messages
15. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Well-defined roles and responsibilities
The authentication process is broken
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Attributes and characteristics of the 'desired state'
16. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Virus detection
Security baselines
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Requirements of the data owners
17. The primary role of the information security manager in the process of information classification within the organization.
Increase business value and confidence
Defining and ratifying the classification structure of information assets
Cyber terrorist
Get senior management onboard
18. Oversees the overall classification management of the information.
Information security manager
Identify the vulnerable systems and apply compensating controls
Notifications and opt-out provisions
The information security officer
19. Most effective for evaluating the degree to which information security objectives are being met.
Logon banners
The balanced scorecard
Defined objectives
Developing an information security baseline
20. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
Asset classification
Defining high-level business security requirements
Use of security metrics
21. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Security baselines
BIA (Business Impact Assessment)
Digital signatures
22. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
People
Internal risk assessment
Risk appetite
Examples of containment defenses
23. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Reduce risk to an acceptable level
Monitoring processes
Gain unauthorized access to applications
Safeguards over keys
24. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Negotiating a local version of the organization standards
Threat assessment
Transmit e-mail messages
The authentication process is broken
25. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Exceptions to policy
Key risk indicator (KRI) setup
Performing a risk assessment
Encryption key management
26. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Overall organizational structure
Data classification
Security code reviews for the entire software application
Two-factor authentication
27. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Background checks of prospective employees
Transferred risk
Consensus on risks and controls
IP address packet filtering
28. Needs to define the access rules - which is troublesome and error prone in large organizations.
Deeper level of analysis
Asset classification
Resource dependency assessment
Rule-based access control
29. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Business case development
Data classification
Logon banners
Vulnerability assessment
30. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Strategic alignment of security with business objectives
Tailgating
Certificate authority (CA)
Control effectiveness
31. Someone who uses the internet or network to destroy or damage computers for political reasons
Do with the information it collects
Total cost of ownership (TCO)
Cyber terrorist
Monitoring processes
32. Has to be integrated into the requirements of every software application's design.
People
Overall organizational structure
Encryption key management
Single sign-on (SSO) product
33. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Identify the vulnerable systems and apply compensating controls
Use of security metrics
Transferred risk
Continuous analysis - monitoring and feedback
34. A small warehouse - designed for the end-user needs in a strategic business unit
Data isolation
Exceptions to policy
Cracker
Data mart
35. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Calculating the value of the information or asset
Information contained on the equipment
Classification of assets needs
Service level agreements (SLAs)
36. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
37. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Residual risk
Attributes and characteristics of the 'desired state'
Regular review of access control lists
Increase business value and confidence
38. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Comparison of cost of achievement
Patch management
Background check
Conduct a risk assessment
39. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
The authentication process is broken
Fault-tolerant computer
Developing an information security baseline
Knowledge management
40. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Power surge/over voltage (spike)
Defining high-level business security requirements
Data owners
41. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results - such as impact from a security incident and required response times.
BIA (Business Impact Assessment)
Tie security risks to key business objectives
Certificate authority (CA)
Role-based access control
42. Uses security metrics to measure the performance of the information security program.
Threat assessment
Information security manager
Security baselines
Examples of containment defenses
43. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Tie security risks to key business objectives
What happened and how the breach was resolved
Role-based access control
Patch management process
44. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Defining high-level business security requirements
Comparison of cost of achievement
Exceptions to policy
Single sign-on (SSO) product
45. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Get senior management onboard
Identify the relevant systems and processes
What happened and how the breach was resolved
Regular review of access control lists
46. The information security manager needs to prioritize the controls based on ________________________.
Encryption key management
Risk management and the requirements of the organization
Data warehouse
Nondisclosure agreement (NDA)
47. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Script kiddie
Virus detection
Control risk
Access control matrix
48. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Total cost of ownership (TCO)
Digital signatures
Safeguards over keys
What happened and how the breach was resolved
49. By definition are not previously known and therefore are undetectable.
Properly aligned with business goals and objectives
Performing a risk assessment
Biometric access control systems
0-day vulnerabilities
50. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Vulnerability assessment
Risk management and the requirements of the organization
Encryption