SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Calculating the value of the information or asset
Control risk
Virus detection
Gain unauthorized access to applications
2. Should be a standard requirement for the service provider.
Classification of assets needs
Undervoltage (brownout)
Key controls
Background check
3. Primarily reduce risk and are most effective for the protection of information assets.
Owner of the information asset
Control risk
Key controls
Breakeven point of risk reduction and cost
4. Without _____________________ - there cannot be accountability.
Identify the relevant systems and processes
Cyber extortionist
Well-defined roles and responsibilities
Resource dependency assessment
5. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Threat assessment
Data isolation
MAL wear
6. Program that hides within or looks like a legit program
Trojan horse
Performing a risk assessment
Security risk
Encryption of the hard disks
7. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Regular review of access control lists
Breakeven point of risk reduction and cost
Cracker
Properly aligned with business goals and objectives
8. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Exceptions to policy
Defining and ratifying the classification structure of information assets
Risk assessment - evaluation and impact analysis
Regular review of access control lists
9. Inject malformed input.
Aligned with organizational goals
Cross-site scripting attacks
Skills inventory
Continuous analysis - monitoring and feedback
10. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
SWOT analysis
Creation of a business continuity plan
Service level agreements (SLAs)
11. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Gap analysis
Key controls
Digital certificate
Residual risk would be reduced by a greater amount
12. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Normalization
Risk appetite
Its ability to reduce or eliminate business risks
Classification of assets needs
13. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Knowledge management
Data isolation
Countermeasure cost-benefit analysis
Applying the proper classification to the data
14. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Service level agreements (SLAs)
Decentralization
Well-defined roles and responsibilities
15. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Platform security - intrusion detection and antivirus controls
Cyber extortionist
Hacker
Equal error rate (EER)
16. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Baseline standard and then develop additional standards
Asset classification
Use of security metrics
What happened and how the breach was resolved
17. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE)calculations
Monitoring processes
Data owners
Digital signatures
18. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Encryption of the hard disks
Risk appetite
Waterfall chart
19. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Encryption of the hard disks
Asset classification
Digital certificate
20. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Exceptions to policy
Annual loss expectancy (ALE)calculations
Audit objectives
21. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
Regulatory compliance
Detection defenses
The data custodian
22. Risk should be reduced to a level that an organization _____________.
Intrusion detection system (IDS)
Internal risk assessment
Is willing to accept
Countermeasure cost-benefit analysis
23. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Digital certificate
Negotiating a local version of the organization standards
Access control matrix
Identify the vulnerable systems and apply compensating controls
24. A key indicator of performance measurement.
Use of security metrics
Strategic alignment of security with business objectives
Transmit e-mail messages
Security code reviews for the entire software application
25. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Tailgating
Lack of change management
Continuous monitoring control initiatives
Asset classification
26. The MOST important element of an information security strategy.
Gap analysis
The board of directors and senior management
Defined objectives
Knowledge management
27. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Inherent risk
Biometric access control systems
Deeper level of analysis
Identify the vulnerable systems and apply compensating controls
28. Uses security metrics to measure the performance of the information security program.
Biometric access control systems
Data isolation
Information security manager
Intrusion detection system (IDS)
29. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Key risk indicator (KRI) setup
OBusiness case development
include security responsibilities in a job description
Transferred risk
30. The best measure for preventing the unauthorized disclosure of confidential information.
Spoofing attacks
Risk appetite
Detection defenses
Acceptable use policies
31. Information security governance models are highly dependent on the _____________________.
BIA (Business Impact Assessment
Annual loss expectancy (ALE)calculations
Overall organizational structure
SWOT analysis
32. Identification and _______________ of business risk enables project managers to address areas with most significance.
Cost of control
Acceptable use policies
Multinational organization
Prioritization
33. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Continuous monitoring control initiatives
SWOT analysis
Retention of business records
Security baselines
34. The data owner is responsible for _______________________.
Process of introducing changes to systems
Applying the proper classification to the data
Examples of containment defenses
MAL wear
35. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
MAL wear
Process of introducing changes to systems
Digital signatures
36. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
Applying the proper classification to the data
Assess the risks to the business operation
Asset classification
37. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Detection defenses
Get senior management onboard
Fault-tolerant computer
Residual risk
38. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Increase business value and confidence
Deeper level of analysis
The awareness and agreement of the data subjects
39. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Spoofing attacks
Stress testing
Consensus on risks and controls
Get senior management onboard
40. Most effective for evaluating the degree to which information security objectives are being met.
Process of introducing changes to systems
The balanced scorecard
People
MAL wear
41. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Attributes and characteristics of the 'desired state'
BIA (Business Impact Assessment
Gain unauthorized access to applications
Virus
42. The information security manager needs to prioritize the controls based on ________________________.
Audit objectives
Cross-site scripting attacks
Two-factor authentication
Risk management and the requirements of the organization
43. When the ________________ is more than the cost of the risk - the risk should be accepted.
Data mart
Cost of control
The data owner
Risk assessment - evaluation and impact analysis
44. Would protect against spoofing an internal address but would not provide strong authentication.
Worm
Assess the risks to the business operation
IP address packet filtering
Continuous analysis - monitoring and feedback
45. A Successful risk management should lead to a ________________.
Use of security metrics
Service level agreements (SLAs)
Regular review of access control lists
Breakeven point of risk reduction and cost
46. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
Internal risk assessment
Role-based access control
Tie security risks to key business objectives
47. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Creation of a business continuity plan
Waterfall chart
Cyber extortionist
Single sign-on (SSO) product
48. Awareness - training and physical security defenses.
Patch management process
Countermeasure cost-benefit analysis
Examples of containment defenses
Information security manager
49. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Digital signatures
The database administrator
The information security officer
Vulnerability assessment
50. Provide metrics to which outsourcing firms can be held accountable.
Logon banners
Consensus on risks and controls
Process of introducing changes to systems
Service level agreements (SLAs)