Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security baselines
Personal firewall
Security code reviews for the entire software application
Data isolation

2. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
A network vulnerability assessment
Compliance with the organization's information security requirements
Transferred risk

3. When the ________________ is more than the cost of the risk - the risk should be accepted.
Reduce risk to an acceptable level
Cost of control
Data mart
Exceptions to policy

4. Used to understand the flow of one process into another.
Virus detection
Two-factor authentication
Regular review of access control lists
Waterfall chart

5. Uses security metrics to measure the performance of the information security program.
Information security manager
Certificate authority (CA)
Its ability to reduce or eliminate business risks
Multinational organization

6. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.

7. Carries out the technical administration.
Vulnerability assessment
The database administrator
0-day vulnerabilities
Biometric access control systems

8. The best measure for preventing the unauthorized disclosure of confidential information.
Methodology used in the assessment
Overall organizational structure
Gap analysis
Acceptable use policies

9. Culture has a significant impact on how information security will be implemented in a ______________________.
The board of directors and senior management
Multinational organization
Worm
The information security officer

10. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Reduce risk to an acceptable level
Certificate authority (CA)
Applying the proper classification to the data
Undervoltage (brownout)

11. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Encryption key management
Continuous monitoring control initiatives
Background checks of prospective employees
Audit objectives

12. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Continuous analysis - monitoring and feedback
Data classification
Personal firewall

13. Ensure that transmitted information can be attributed to the named sender.
Worm
Alignment with business strategy
Is willing to accept
Digital signatures

14. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Calculating the value of the information or asset
Skills inventory
Conduct a risk assessment
Tie security risks to key business objectives

15. A key indicator of performance measurement.
Logon banners
Risk assessment - evaluation and impact analysis
Prioritization
Strategic alignment of security with business objectives

16. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Well-defined roles and responsibilities
Nondisclosure agreement (NDA)
Intrusion detection system (IDS)
Transferred risk

17. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Control risk
What happened and how the breach was resolved
Classification of assets needs
Single sign-on (SSO) product

18. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
All personnel
Regulatory compliance
Attributes and characteristics of the 'desired state'

19. A method for analyzing and reducing a relational database to its most streamlined form
Nondisclosure agreement (NDA)
Normalization
Penetration testing
Applying the proper classification to the data

20. Program that hides within or looks like a legit program
Cost of control
Trojan horse
Key controls
Return on security investment (ROSI)

21. Focuses on identifying vulnerabilities.
Stress testing
Penetration testing
Background checks of prospective employees
Personal firewall

22. The primary role of the information security manager in the process of information classification within the organization.
Defining and ratifying the classification structure of information assets
Waterfall chart
Security baselines
Power surge/over voltage (spike)

23. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Personal firewall
Encryption of the hard disks
Virus
Proficiency testing

24. Occurs when the incoming level
Power surge/over voltage (spike)
Methodology used in the assessment
Identify the vulnerable systems and apply compensating controls
Background check

25. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
Internal risk assessment
Spoofing attacks
Tie security risks to key business objectives

26. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Return on security investment (ROSI)
Digital certificate
Data mart
Defining high-level business security requirements

27. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Impractical and is often cost-prohibitive
Information security manager
Assess the risks to the business operation
Residual risk would be reduced by a greater amount

28. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Exceptions to policy
Data classification
SWOT analysis
Trojan horse

29. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Baseline standard and then develop additional standards
Knowledge management
Comparison of cost of achievement
IP address packet filtering

30. Awareness - training and physical security defenses.
Centralization of information security management
Transferred risk
Examples of containment defenses
Data mart

31. Inject malformed input.
Digital signatures
MAL wear
Malicious software and spyware
Cross-site scripting attacks

32. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Developing an information security baseline
Calculating the value of the information or asset
Process of introducing changes to systems
Applying the proper classification to the data

33. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Identify the relevant systems and processes
Control risk
Requirements of the data owners
BIA (Business Impact Assessment

34. Oversees the overall classification management of the information.
Platform security - intrusion detection and antivirus controls
Security risk
The information security officer
Tailgating

35. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Role-based access control
Prioritization
Cyber terrorist

36. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Do with the information it collects
What happened and how the breach was resolved
Is willing to accept
Increase business value and confidence

37. provides the most effective protection of data on mobile devices.
Encryption
Tie security risks to key business objectives
Public key infrastructure (PKI)
Digital certificate

38. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Baseline standard and then develop additional standards
Examples of containment defenses
Prioritization
Control effectiveness

39. A repository of historical data organized by subject to support decision makers in the org
Data warehouse
Risk management and the requirements of the organization
Transmit e-mail messages
Defined objectives

40. Accesses a computer or network illegally
Cracker
Fault-tolerant computer
Risk assessment - evaluation and impact analysis
Use of security metrics

41. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Role-based access control
Platform security - intrusion detection and antivirus controls
Phishing
The database administrator

42. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
Exceptions to policy
Digital signatures
Centralization of information security management

43. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Gain unauthorized access to applications
Role-based access control
Continuous analysis - monitoring and feedback
Owner of the information asset

44. BEST option to improve accountability for a system administrator is to _____________________.
Risk assessment - evaluation and impact analysis
include security responsibilities in a job description
Aligned with organizational goals
Two-factor authentication

45. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Assess the risks to the business operation
Security awareness training for all employees
Key controls
Increase business value and confidence

46. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
People
Prioritization
Data mart
Service level agreements (SLAs)

47. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Overall organizational structure
Security baselines
Continuous analysis - monitoring and feedback
Residual risk would be reduced by a greater amount

48. Normally addressed through antivirus and antispyware policies.
Data owners
Malicious software and spyware
Transmit e-mail messages
Asset classification

49. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Negotiating a local version of the organization standards
Power surge/over voltage (spike)
Skills inventory
Cyber terrorist

50. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Virus
Data isolation
Inherent risk
Patch management