Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Cannot be minimized
Examples of containment defenses
The balanced scorecard
Inherent risk
Centralized structure

2. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Lack of change management
Malicious software and spyware
Identify the relevant systems and processes

3. Computer that has duplicate components so it can continue to operate when one of its main components fail
Calculating the value of the information or asset
Audit objectives
Fault-tolerant computer
Process of introducing changes to systems

4. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Two-factor authentication
Rule-based access control
Properly aligned with business goals and objectives
Risk appetite

5. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Skills inventory
Knowledge management
Security baselines
Gap analysis

6. Provides strong online authentication.
Service level agreements (SLAs)
Public key infrastructure (PKI)
Regular review of access control lists
Two-factor authentication

7. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Annual loss expectancy (ALE)calculations
Transferred risk
The balanced scorecard
Decentralization

8. Carries out the technical administration.
The database administrator
The data custodian
Access control matrix
Intrusion detection system (IDS)

9. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Logon banners
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Information security manager
Single sign-on (SSO) product

10. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Threat assessment
Methodology used in the assessment
Knowledge management
Cyber terrorist

11. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Requirements of the data owners
Impractical and is often cost-prohibitive
The authentication process is broken
Classification of assets needs

12. A risk assessment should be conducted _________________.
Annually or whenever there is a significant change
Defined objectives
The information security officer
Risk assessment - evaluation and impact analysis

13. A Successful risk management should lead to a ________________.
Alignment with business strategy
Breakeven point of risk reduction and cost
Risk assessment - evaluation and impact analysis
Negotiating a local version of the organization standards

14. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
The balanced scorecard
Alignment with business strategy
Well-defined roles and responsibilities
Intrusion detection system (IDS)

15. Applications cannot access data associated with other apps
Cyber extortionist
Well-defined roles and responsibilities
Data isolation
Proficiency testing

16. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
The database administrator
Baseline standard and then develop additional standards
Control effectiveness

17. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Detection defenses
Compliance with the organization's information security requirements
Tie security risks to key business objectives
Intrusion detection system (IDS)

18. The primary role of the information security manager in the process of information classification within the organization.
Inherent risk
Consensus on risks and controls
Defining and ratifying the classification structure of information assets
Power surge/over voltage (spike)

19. Uses security metrics to measure the performance of the information security program.
The awareness and agreement of the data subjects
Gain unauthorized access to applications
Information security manager
Information contained on the equipment

20. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Background check
Two-factor authentication
Identify the relevant systems and processes
Examples of containment defenses

21. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Risk appetite
SWOT analysis
Safeguards over keys
Regulatory compliance

22. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Trojan horse
Security baselines
Lack of change management
Security risk

23. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
A network vulnerability assessment
Annually or whenever there is a significant change
Trojan horse

24. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Data owners
Defining high-level business security requirements
Penetration testing
Breakeven point of risk reduction and cost

25. The most important characteristic of good security policies is that they be ____________________.
Increase business value and confidence
Spoofing attacks
Key risk indicator (KRI) setup
Aligned with organizational goals

26. S small warehouse - designed for the end-user needs in a strategic business unit
Continuous monitoring control initiatives
Digital certificate
Knowledge management
Data mart

27. New security ulnerabilities should be managed through a ________________.
Inherent risk
Patch management process
Cryptographic secure sockets layer (SSL) implementations and short key lengths
A network vulnerability assessment

28. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
What happened and how the breach was resolved
Well-defined roles and responsibilities
Negotiating a local version of the organization standards
Cyber extortionist

29. Inject malformed input.
Encryption
Safeguards over keys
Cross-site scripting attacks
Data mart

30. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Patch management process
Applying the proper classification to the data
Data mart
Consensus on risks and controls

31. Oversees the overall classification management of the information.
BIA (Business Impact Assessment
Access control matrix
Background check
The information security officer

32. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Support the business objectives of the organization
People
Cyber terrorist
Data classification

33. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Public key infrastructure (PKI)
All personnel
Malicious software and spyware
Identify the vulnerable systems and apply compensating controls

34. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Gap analysis
Certificate authority (CA)
BIA (Business Impact Assessment
Stress testing

35. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Tie security risks to key business objectives
Identify the vulnerable systems and apply compensating controls
Biometric access control systems
Power surge/over voltage (spike)

36. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Certificate authority (CA)
Threat assessment
Intrusion detection system (IDS)
Stress testing

37. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Data warehouse
0-day vulnerabilities
The data owner

38. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Patch management
Support the business objectives of the organization
Inherent risk
Risk appetite

39. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Role-based policy
Total cost of ownership (TCO)
Encryption
Hacker

40. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Creation of a business continuity plan
Lack of change management
Deeper level of analysis
Virus detection

41. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Security risk
Gain unauthorized access to applications
Properly aligned with business goals and objectives
Security code reviews for the entire software application

42. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Transmit e-mail messages
Key risk indicator (KRI) setup
Role-based access control
Identify the relevant systems and processes

43. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Public key infrastructure (PKI)
Defining high-level business security requirements
Transmit e-mail messages
Impractical and is often cost-prohibitive

44. Occurs when the electrical supply drops
Information contained on the equipment
Undervoltage (brownout)
Return on security investment (ROSI)
Tie security risks to key business objectives

45. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Overall organizational structure
Personal firewall
Annual loss expectancy (ALE)calculations

46. Should be performed to identify the risk and determine needed controls.
IP address packet filtering
Knowledge management
Defining high-level business security requirements
Internal risk assessment

47. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Role-based access control
Transmit e-mail messages
The authentication process is broken

48. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Security awareness training for all employees
Baseline standard and then develop additional standards
Penetration testing
Resource dependency assessment

49. The job of the information security officer on a management team is to ___________________.
Vulnerability assessment
Knowledge management
Defined objectives
Assess the risks to the business operation

50. Provide metrics to which outsourcing firms can be held accountable.
Risk management and the requirements of the organization
Inherent risk
Centralized structure
Service level agreements (SLAs)