SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Worm
Exceptions to policy
Data isolation
Defining and ratifying the classification structure of information assets
2. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE)calculations
Methodology used in the assessment
Penetration testing
Nondisclosure agreement (NDA)
3. Has to be integrated into the requirements of every software application's design.
Creation of a business continuity plan
Encryption key management
People
Cyber extortionist
4. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Residual risk
Security baselines
Two-factor authentication
Fault-tolerant computer
5. Someone who accesses a computer or network illegally
Fault-tolerant computer
Cyber terrorist
Encryption of the hard disks
Hacker
6. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Defining and ratifying the classification structure of information assets
Do with the information it collects
Detection defenses
Safeguards over keys
7. Provide metrics to which outsourcing firms can be held accountable.
Key risk indicator (KRI) setup
Service level agreements (SLAs)
Decentralization
The balanced scorecard
8. Ensures that there are no scalability problems.
Audit objectives
Stress testing
Biometric access control systems
Key risk indicator (KRI) setup
9. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Undervoltage (brownout)
All personnel
Properly aligned with business goals and objectives
Return on security investment (ROSI)
10. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Risk management and the requirements of the organization
Background checks of prospective employees
Detection defenses
Virus
11. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Service level agreements (SLAs)
People
Defining high-level business security requirements
Acceptable use policies
12. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Data owners
Protective switch covers
Increase business value and confidence
Cross-site scripting attacks
13. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
SWOT analysis
Cyber terrorist
Encryption of the hard disks
Two-factor authentication
14. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Digital certificate
Classification of assets needs
Centralization of information security management
People
15. All within the responsibility of the information security manager.
Attributes and characteristics of the 'desired state'
Multinational organization
Platform security - intrusion detection and antivirus controls
include security responsibilities in a job description
16. When defining the information classification policy - the ___________________ need to be identified.
Intrusion detection system (IDS)
Requirements of the data owners
MAL wear
Is willing to accept
17. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Encryption key management
Monitoring processes
Worm
Role-based policy
18. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Aligned with organizational goals
All personnel
Proficiency testing
19. Culture has a significant impact on how information security will be implemented in a ______________________.
Personal firewall
Multinational organization
Worm
The awareness and agreement of the data subjects
20. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Resource dependency assessment
Notifications and opt-out provisions
Key controls
Regular review of access control lists
21. Company or person you believe will not send a virus-infect file knowingly
Trusted source
Script kiddie
Return on security investment (ROSI)
Control risk
22. Used to understand the flow of one process into another.
SWOT analysis
Waterfall chart
Defining high-level business security requirements
Patch management process
23. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Calculating the value of the information or asset
Well-defined roles and responsibilities
Nondisclosure agreement (NDA)
Penetration testing
24. Uses security metrics to measure the performance of the information security program.
Regular review of access control lists
Risk assessment - evaluation and impact analysis
Information security manager
Nondisclosure agreement (NDA)
25. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Cross-site scripting attacks
Centralized structure
The board of directors and senior management
Spoofing attacks
26. Most effective for evaluating the degree to which information security objectives are being met.
Key risk indicator (KRI) setup
Digital certificate
Transferred risk
The balanced scorecard
27. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Resource dependency assessment
Get senior management onboard
Single sign-on (SSO) product
Centralized structure
28. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cyber extortionist
Return on security investment (ROSI)
Tailgating
Malicious software and spyware
29. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Normalization
Information contained on the equipment
Properly aligned with business goals and objectives
Transferred risk
30. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Virus
Information contained on the equipment
Do with the information it collects
Strategic alignment of security with business objectives
31. provides the most effective protection of data on mobile devices.
Strategic alignment of security with business objectives
Encryption
Cross-site scripting attacks
Control effectiveness
32. Carries out the technical administration.
People
Strategic alignment of security with business objectives
The database administrator
Encryption key management
33. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Cyber extortionist
Residual risk
Get senior management onboard
Worm
34. When the ________________ is more than the cost of the risk - the risk should be accepted.
Defined objectives
Risk management and the requirements of the organization
Cost of control
Background checks of prospective employees
35. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Use of security metrics
Rule-based access control
SWOT analysis
Data owners
36. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Data owners
Nondisclosure agreement (NDA)
Gain unauthorized access to applications
Countermeasure cost-benefit analysis
37. Should be a standard requirement for the service provider.
Background check
Total cost of ownership (TCO)
Information contained on the equipment
Power surge/over voltage (spike)
38. New security ulnerabilities should be managed through a ________________.
Patch management process
The data custodian
Its ability to reduce or eliminate business risks
Process of introducing changes to systems
39. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Well-defined roles and responsibilities
Control risk
Stress testing
0-day vulnerabilities
40. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Inherent risk
Classification of assets needs
Rule-based access control
41. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Normalization
Conduct a risk assessment
Annual loss expectancy (ALE)calculations
Key risk indicator (KRI) setup
42. The MOST important element of an information security strategy.
OBusiness case development
Return on security investment (ROSI)
The information security officer
Defined objectives
43. A method for analyzing and reducing a relational database to its most streamlined form
Patch management
Normalization
Applying the proper classification to the data
Security code reviews for the entire software application
44. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Resource dependency assessment
Identify the vulnerable systems and apply compensating controls
What happened and how the breach was resolved
Lack of change management
45. Normally addressed through antivirus and antispyware policies.
Malicious software and spyware
Digital signatures
Nondisclosure agreement (NDA)
Data owners
46. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Regular review of access control lists
Performing a risk assessment
Strategic alignment of security with business objectives
Audit objectives
47. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Strategic alignment of security with business objectives
Tie security risks to key business objectives
Patch management process
Control effectiveness
48. The job of the information security officer on a management team is to ___________________.
Cracker
Assess the risks to the business operation
Acceptable use policies
Examples of containment defenses
49. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Role-based access control
Two-factor authentication
Penetration testing
Exceptions to policy
50. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
The board of directors and senior management
Its ability to reduce or eliminate business risks
Internal risk assessment