Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes. If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might find at times that the answers are obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Useful but only with regard to specific technical skills.
Consensus on risks and controls
Biometric access control systems
Transferred risk
Proficiency testing
2. Utility program that detects and protects a personal computer from unauthorized intrusions
Personal firewall
The awareness and agreement of the data subjects
Biometric access control systems
Role-based policy
3. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Calculating the value of the information or asset
Breakeven point of risk reduction and cost
Data classification
4. Normally addressed through antivirus and antispyware policies.
Baseline standard and then develop additional standards
Residual risk
Residual risk would be reduced by a greater amount
Malicious software and spyware
5. A key indicator of performance measurement.
Its ability to reduce or eliminate business risks
Strategic alignment of security with business objectives
What happened and how the breach was resolved
SWOT analysis
6. Reducing risk to a level too small to measure is _______________.
Encryption key management
Impractical and is often cost-prohibitive
The information security officer
Encryption
7. Without _____________________, there cannot be accountability.
Platform security, intrusion detection and antivirus controls
Well-defined roles and responsibilities
Multinational organization
Digital certificate
8. Are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Malicious software and spyware
Continuous monitoring control initiatives
Virus detection
Confidentiality
9. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Phishing
Overall organizational structure
Classification of assets needs
Gap analysis
10. A repository of historical data organized by subject to support decision makers in the organization
Do with the information it collects
Data warehouse
Regulatory compliance
Deeper level of analysis
11. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
Role-based access control
Patch management
Identify the relevant systems and processes
Methodology used in the assessment
12. All within the responsibility of the information security manager.
Biometric access control systems
Cost of control
Platform security, intrusion detection and antivirus controls
Breakeven point of risk reduction and cost
13. Computer that has duplicate components so it can continue to operate when one of its main components fails
Fault-tolerant computer
Tie security risks to key business objectives
Prioritization
Total cost of ownership (TCO)
14. When developing an information security program, _________________ would help identify the available resources, any gaps, and the training requirements for developing resources.
Tie security risks to key business objectives
Skills inventory
Normalization
Data classification
15. The data owner is responsible for _______________________.
Applying the proper classification to the data
Data classification
Public key infrastructure (PKI)
Consensus on risks and controls
16. Awareness, training and physical security defenses.
Proficiency testing
Countermeasure cost-benefit analysis
Examples of containment defenses
Data warehouse
17. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Notifications and opt-out provisions
Assess the risks to the business operation
Knowledge management
18. Should be performed to identify the risk and determine needed controls.
Internal risk assessment
Requirements of the data owners
Regular review of access control lists
Do with the information it collects
19. Has full responsibility over data.
Trusted source
The data owner
Include security responsibilities in a job description
Monitoring processes
20. Provides the most effective protection of data on mobile devices.
Security code reviews for the entire software application
Centralization of information security management
Encryption
Single sign-on (SSO) product
21. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Confidentiality
Role-based access control
Worm
Regular review of access control lists
22. Whenever personal data are transferred across national boundaries, ________________________ are required.
The awareness and agreement of the data subjects
Logon banners
Prioritization
Virus
23. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Logon banners
Decentralization
Examples of containment defenses
Patch management
24. Should be a standard requirement for the service provider.
Background check
Negotiating a local version of the organization standards
Proficiency testing
Asset classification
25. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
The information security officer
Role-based access control
Encryption
26. The risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized.
Residual risk
What happened and how the breach was resolved
Key risk indicator (KRI) setup
Consensus on risks and controls
27. Should PRIMARILY be based on regulatory and legal requirements.
Patch management process
Retention of business records
Reduce risk to an acceptable level
Key controls
28. It is more efficient to establish a ___________________ for locations that must meet specific requirements.
Baseline standard and then develop additional standards
Defined objectives
Data owners
Requirements of the data owners
29. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Calculating the value of the information or asset
Confidentiality
0-day vulnerabilities
30. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________. This, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but
Business case development
The data owner
The data custodian
The balanced scorecard
31. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
The data owner
Compliance with the organization's information security requirements
Is willing to accept
32. A function of the session keys distributed by the PKI.
All personnel
Assess the risks to the business operation
Confidentiality
Equal error rate (EER)
33. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Well-defined roles and responsibilities
Stress testing
Aligned with organizational goals
Properly aligned with business goals and objectives
34. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Negotiating a local version of the organization standards
Risk assessment, evaluation and impact analysis
Tie security risks to key business objectives
Monitoring processes
35. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations.
Waterfall chart
Worm
Do with the information it collects
Lack of change management
36. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Developing an information security baseline
Two-factor authentication
Retention of business records
Malicious software and spyware
37. Security design flaws require a ____________________.
Deeper level of analysis
Process of introducing changes to systems
Internal risk assessment
Role-based policy
38. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is ______________, which would appear every time the user logs on, and the user would be required to read and agree
Annually or whenever there is a significant change
Tie security risks to key business objectives
Logon banners
Phishing
39. Ensure that transmitted information can be attributed to the named sender.
Digital signatures
Data mart
Regulatory compliance
Data isolation
40. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Undervoltage (brownout)
Residual risk
Comparison of cost of achievement
Risk appetite
41. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Transferred risk
Continuous analysis, monitoring and feedback
Personal firewall
Proficiency testing
42. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Calculating the value of the information or asset
Risk appetite
Role-based access control
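Question 42 describes role-based access control, and question 21 points at the regular review of access lists that keeps it honest. The following added example (not from the original page) is a minimal RBAC engine in Python: users are assigned roles, roles carry permissions and may inherit from parent roles, every decision is deny-by-default, and a `review` method answers the question an access review actually asks, namely who can currently perform a given action. The role names, permissions and users in `build_demo` are constructed for illustration and do not describe any real organization.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)  # "resource:action" strings
    parents: set = field(default_factory=set)      # roles whose permissions this role inherits


class RBAC:
    """Minimal role-based access control: users get roles, roles get permissions.

    Access is decided purely from the user's roles, so adding someone to the
    analyst team is one assignment instead of editing per-user ACL entries.
    Everything is deny-by-default: an unknown user, role or permission fails.
    """

    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # user -> set of role names

    def add_role(self, name, permissions=(), parents=()):
        for parent in parents:
            if parent not in self.roles:
                raise KeyError(f"parent role {parent!r} must be defined first")
        self.roles[name] = Role(name, set(permissions), set(parents))

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.assignments.get(user, set()).discard(role)

    def effective_roles(self, user):
        """All roles held directly or through inheritance (iterative DFS, cycle-safe)."""
        seen, stack = set(), list(self.assignments.get(user, ()))
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            stack.extend(self.roles[name].parents)
        return seen

    def effective_permissions(self, user):
        perms = set()
        for name in self.effective_roles(user):
            perms |= self.roles[name].permissions
        return perms

    def check(self, user, permission):
        """The access decision: True only if some held role grants the permission."""
        return permission in self.effective_permissions(user)

    def review(self, permission):
        """Who can currently do this? This is the list an access review inspects."""
        return sorted(u for u in self.assignments if self.check(u, permission))


def build_demo():
    """Constructed example hierarchy; names are hypothetical."""
    rbac = RBAC()
    rbac.add_role("employee", {"email:read", "wiki:read"})
    rbac.add_role("analyst", {"ticket:read", "ticket:update"}, parents={"employee"})
    rbac.add_role("soc_manager", {"ticket:close", "report:approve"}, parents={"analyst"})
    rbac.assign("alice", "analyst")
    rbac.assign("bob", "soc_manager")
    rbac.assign("carol", "employee")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    for user, perm in [("alice", "ticket:update"), ("alice", "report:approve"),
                       ("bob", "email:read"), ("dave", "wiki:read")]:
        decision = "ALLOW" if rbac.check(user, perm) else "DENY"
        print(f"{user:6} {perm:16} -> {decision}")
    print("can approve reports:", rbac.review("report:approve"))
```

Because permissions flow only from roles, revoking a role removes every permission it carried in one step, which is the property that makes periodic reviews tractable for large user populations.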
43. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Digital signatures
Malicious software and spyware
Increase business value and confidence
Patch management
44. Only valid if assets have first been identified and appropriately valued.
Identify the vulnerable systems and apply compensating controls
Performing a risk assessment
Annual loss expectancy (ALE) calculations
Resource dependency assessment
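Several items on this test (the annual loss expectancy of question 44, the breakeven point of risk reduction and cost in question 12, the residual risk of question 26 and the observation in question 6 that driving risk to zero is cost-prohibitive) are facets of one calculation. The following added example, not taken from the page, carries it through in Python: SLE = AV x EF, ALE = SLE x ARO, residual ALE after a control, and the net benefit of each control against its annual cost. The asset value, exposure factors, rates and control costs are constructed figures, not results from any real assessment. The `Scenario` class refuses an unvalued asset, which is the point question 44 makes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One threat against one valued asset.

    asset_value:     AV, in currency units; must already be established
    exposure_factor: EF, fraction of AV lost per occurrence (0..1)
    aro:             annualized rate of occurrence, events per year
    """
    asset_value: float
    exposure_factor: float
    aro: float

    def __post_init__(self):
        if self.asset_value <= 0:
            raise ValueError("asset must be identified and valued before ALE is meaningful")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor is a fraction of the asset value")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A countermeasure: what it costs per year and which inputs it changes."""
    name: str
    annual_cost: float
    exposure_factor_after: Optional[float] = None  # None = unchanged
    aro_after: Optional[float] = None


def residual(scenario: Scenario, control: Control) -> Scenario:
    """The scenario as it stands once the control is in place (residual risk)."""
    ef = scenario.exposure_factor if control.exposure_factor_after is None else control.exposure_factor_after
    aro = scenario.aro if control.aro_after is None else control.aro_after
    return Scenario(scenario.asset_value, ef, aro)


def evaluate(scenario: Scenario, control: Control) -> dict:
    """Cost-benefit figures for one control: risk removed versus what it costs."""
    before, after = scenario.ale(), residual(scenario, control).ale()
    reduction = before - after
    return {
        "control": control.name,
        "ale_before": before,
        "residual_ale": after,
        "risk_reduction": reduction,  # breakeven: the most it is worth paying per year
        "annual_cost": control.annual_cost,
        "net_benefit": reduction - control.annual_cost,
    }


def select(scenario: Scenario, controls, risk_appetite_ale: float):
    """Best net benefit among controls whose residual ALE fits the risk appetite;
    None if no control gets the risk low enough."""
    acceptable = [e for e in (evaluate(scenario, c) for c in controls)
                  if e["residual_ale"] <= risk_appetite_ale]
    if not acceptable:
        return None
    return max(acceptable, key=lambda e: e["net_benefit"])


# Constructed figures for a hypothetical customer database; not from any real assessment.
DEMO_SCENARIO = Scenario(asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
DEMO_CONTROLS = [
    Control("encryption at rest + key management", annual_cost=30_000, exposure_factor_after=0.05),
    Control("attempt to eliminate the risk entirely", annual_cost=150_000, exposure_factor_after=0.0),
    Control("quarterly access review", annual_cost=10_000, aro_after=0.1),
]

if __name__ == "__main__":
    print(f"baseline ALE: {DEMO_SCENARIO.ale():,.0f}")
    for c in DEMO_CONTROLS:
        e = evaluate(DEMO_SCENARIO, c)
        print(f"{e['control']:42} residual {e['residual_ale']:>9,.0f}  net {e['net_benefit']:>+10,.0f}")
    best = select(DEMO_SCENARIO, DEMO_CONTROLS, risk_appetite_ale=25_000)
    print("chosen:", best["control"] if best else "none meets the risk appetite")
```

With these inputs the "eliminate entirely" option removes all of the 100,000 of annual expected loss but costs 150,000 a year, a negative net benefit, while the encryption control leaves 20,000 of residual risk and still nets 50,000; that gap is the practical content of questions 6 and 17.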
45. A risk assessment should be conducted _________________.
Role-based access control
Annually or whenever there is a significant change
Trusted source
Well-defined roles and responsibilities
46. It is important to achieve ____________________, and obtain inputs from various organizational entities, since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Performing a risk assessment
Malicious software and spyware
Platform security, intrusion detection and antivirus controls
47. Occurs when the incoming level
0-day vulnerabilities
Power surge/over voltage (spike)
Phishing
Confidentiality
48. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works
Waterfall chart
People
Virus
Attributes and characteristics of the 'desired state'
49. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Identify the relevant systems and processes
Logon banners
Transferred risk
Safeguards over keys
50. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability
Certificate authority (CA)
Role-based policy
Security risk
Retention of business records