Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Virus detection
Total cost of ownership (TCO)
Asset classification
2. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
The awareness and agreement of the data subjects
Process of introducing changes to systems
Security risk
Encryption of the hard disks
3. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Residual risk
Encryption key management
Well-defined roles and responsibilities
4. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Encryption
Normalization
Classification of assets needs
Exceptions to policy
5. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Skills inventory
Encryption of the hard disks
Tailgating
All personnel
6. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
Exceptions to policy
Stress testing
Risk management and the requirements of the organization
7. Primarily reduce risk and are most effective for the protection of information assets.
Risk appetite
Logon banners
Key controls
Normalization
8. Has full responsibility over data.
The data owner
Data classification
Its ability to reduce or eliminate business risks
Continuous analysis - monitoring and feedback
9. Company or person you believe will not knowingly send a virus-infected file
Trusted source
Acceptable use policies
Encryption of the hard disks
What happened and how the breach was resolved
10. Security design flaws require a ____________________.
Cracker
Deeper level of analysis
Identify the vulnerable systems and apply compensating controls
Decentralization
11. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Cost of control
Virus
Confidentiality
Skills inventory
12. Useful but only with regard to specific technical skills.
Biometric access control systems
Script kiddie
Proficiency testing
Regulatory compliance
13. Should PRIMARILY be based on regulatory and legal requirements.
Security risk
Reduce risk to an acceptable level
Impractical and is often cost-prohibitive
Retention of business records
14. Applications cannot access data associated with other apps
The data owner
Data isolation
Aligned with organizational goals
Defining high-level business security requirements
15. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Negotiating a local version of the organization standards
Lack of change management
Gain unauthorized access to applications
A network vulnerability assessment
16. Responsible for securing the information.
Certificate authority (CA)
The data custodian
Data owners
Cross-site scripting attacks
17. The information security manager needs to prioritize the controls based on ________________________.
Confidentiality
The board of directors and senior management
Risk management and the requirements of the organization
Negotiating a local version of the organization standards
18. The most important characteristic of good security policies is that they be ____________________.
Conduct a risk assessment
Aligned with organizational goals
SWOT analysis
Is willing to accept
19. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Transmit e-mail messages
Classification of assets needs
Fault-tolerant computer
Data isolation
20. Ensures that there are no scalability problems.
Breakeven point of risk reduction and cost
Stress testing
Normalization
Residual risk would be reduced by a greater amount
21. Provides strong online authentication.
Total cost of ownership (TCO)
Encryption
0-day vulnerabilities
Public key infrastructure (PKI)
22. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Do with the information it collects
Detection defenses
Power surge/over voltage (spike)
Encryption of the hard disks
23. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Multinational organization
Script kiddie
The data custodian
24. The MOST important component of a privacy policy is: Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Information security manager
Notifications and opt-out provisions
Regular review of access control lists
Increase business value and confidence
25. It is easier to manage and control a _________________.
Centralized structure
Risk assessment - evaluation and impact analysis
Residual risk would be reduced by a greater amount
Exceptions to policy
26. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
People
Process of introducing changes to systems
Defined objectives
Total cost of ownership (TCO)
27. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
The data custodian
Continuous analysis - monitoring and feedback
Security baselines
Tailgating
28. Should be a standard requirement for the service provider.
Background check
Risk assessment - evaluation and impact analysis
The data custodian
Asset classification
29. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Tailgating
Examples of containment defenses
Performing a risk assessment
IP address packet filtering
30. Someone who uses the internet or network to destroy or damage computers for political reasons
Cyber terrorist
Creation of a business continuity plan
Defining high-level business security requirements
Knowledge management
31. Occurs when the incoming level
Examples of containment defenses
Control risk
Power surge/over voltage (spike)
Transferred risk
32. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Identify the relevant systems and processes
Security code reviews for the entire software application
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Its ability to reduce or eliminate business risks
33. When the ________________ is more than the cost of the risk - the risk should be accepted.
Methodology used in the assessment
Cost of control
Is willing to accept
The information security officer
34. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Hacker
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Well-defined roles and responsibilities
Residual risk would be reduced by a greater amount
35. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Tie security risks to key business objectives
Nondisclosure agreement (NDA)
Stress testing
Knowledge management
36. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Patch management process
Security risk
Consensus on risks and controls
Annually or whenever there is a significant change
37. Computer that has duplicate components so it can continue to operate when one of its main components fails
Spoofing attacks
Fault-tolerant computer
Detection defenses
Lack of change management
38. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Tailgating
Spoofing attacks
Cyber extortionist
Get senior management onboard
39. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Include security responsibilities in a job description
Creation of a business continuity plan
Control effectiveness
40. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Calculating the value of the information or asset
The data custodian
Role-based access control
Residual risk
41. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Business case development
Deeper level of analysis
Consensus on risks and controls
Comparison of cost of achievement
42. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Retention of business records
Rule-based access control
Alignment with business strategy
The data owner
43. Normally addressed through antivirus and antispyware policies.
Get senior management onboard
Malicious software and spyware
The data owner
Normalization
44. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Resource dependency assessment
Security baselines
Decentralization
Transferred risk
45. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Impractical and is often cost-prohibitive
Normalization
Conduct a risk assessment
Notifications and opt-out provisions
46. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Identify the vulnerable systems and apply compensating controls
Gap analysis
Notifications and opt-out provisions
Safeguards over keys
47. BEST option to improve accountability for a system administrator is to _____________________.
Deeper level of analysis
Include security responsibilities in a job description
Skills inventory
Notifications and opt-out provisions
48. Occurs when the electrical supply drops
Undervoltage (brownout)
Cyber terrorist
Fault-tolerant computer
Do with the information it collects
49. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Applying the proper classification to the data
Patch management
Nondisclosure agreement (NDA)
Continuous analysis - monitoring and feedback
50. Risk should be reduced to a level that an organization _____________.
Patch management process
Is willing to accept
Return on security investment (ROSI)
Methodology used in the assessment