Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from the answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. A repository of historical data organized by subject to support decision makers in the organization.






2. Are expensive, so they have to be applied where the risk is greatest: the areas with both high impact and high frequency of occurrence.






3. When developing an information security program, _________________ would help identify the available resources, any gaps, and the training requirements for developing those resources.






4. Information security governance models are highly dependent on the _____________________.






5. Residual risk is the risk that remains after controls have been applied; it is the part of the inherent risk that is not being controlled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with and that affects its viability.






6. Provide metrics against which outsourcing firms can be held accountable.






7. Requires a process to verify that the control worked as intended. Dual control and double-entry bookkeeping are examples that provide this verification and assurance.






8. By definition are not previously known, and therefore cannot be recognized by controls that rely on known signatures.






9. The best measure; it involves reviewing the entire source code to detect all instances of back doors.






10. Provides the process needs, but not the impact.






11. Someone who uses email as a vehicle for extortion; sends the company threatening emails indicating that they will expose confidential information, launch an attack against a security flaw, etc.






12. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is ______________, which would appear every time the user logs on, and the user would be required to read and agree






13. To determine the sensitivity of assets in terms of risk to business operations, so that proportional countermeasures can be implemented effectively.






14. The most critical process for deciding which part of the information system or business process should be prioritized in the event of a security incident. It provides results such as the impact of a security incident and the required response times.






15. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of security incidents and assists in the selection of countermeasures, but not in their prioritization.






16. Information security architecture should always be _______________________. Alignment with IT plans or with industry and security best practices is secondary by comparison.






17. Provides strong online authentication.






18. Most effective for evaluating the degree to which information security objectives are being met.






19. Determined by the business risk, i.e. the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the






20. It is easier to manage and control a _________________.






21. A program that hides within, or masquerades as, a legitimate program.






22. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.






23. Are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (type I error rate), where the system will be more prone to erroneously deny access to a valid user, or to erring and allowing






24. Allows field security personnel to be used as security missionaries or ambassadors who spread the security awareness message. It also allows security administrators to be more responsive.






25. Addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool.






26. Requires the access rules to be defined explicitly, which is troublesome and error-prone in large organizations.






27. Ensures that there are no scalability problems.






28. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.






29. Any event or action that could cause a loss of, or damage to, computer hardware, software, data, information, or processing capability.






30. A key indicator of performance measurement.






31. Whenever personal data are transferred across national boundaries, ________________________ are required.






32. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.






33. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it establishes a cost baseline and must be considered for the full life cycle of the control.






34. A method for analyzing and reducing a relational database to its most streamlined form.






35. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.






36. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.






37. A process that helps organizations capture and manipulate important knowledge that forms part of the organization's memory.






38. The risk that controls may not prevent or detect an incident, expressed together with a measure of control effectiveness.






39. Carries out the technical administration.






40. Ensure that transmitted information can be attributed to the named sender.






41. Responsible for securing the information.






42. Identification and _______________ of business risk enables project managers to address areas with most significance.






43. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.






44. Will prevent unauthorized access to the information on a laptop even when the laptop is lost or stolen.






45. Has to be integrated into the requirements of every software application's design.






46. In biometric systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
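Questions 23 and 46 describe the same tuning trade-off from two sides. The following Python is an added worked example, not part of the original quiz: it sweeps the acceptance threshold of a toy biometric matcher over constructed genuine and impostor score lists (all values are invented, not measurements from any real product), reports the false reject rate (FRR) and false accept rate (FAR) at each setting, locates the equal-error operating point, and shows what a "keep false rejects under X" target costs in false accepts.

```python
"""Added example (not from the CISM quiz page): how tuning a biometric
matcher's acceptance threshold trades the false reject rate (FRR, type I
error) against the false accept rate (FAR, type II error).

All scores below are constructed toy data, not measurements of any real
system; they are chosen so the trade-off is easy to read off by hand.
"""
from typing import Dict, List, Tuple

# Constructed similarity scores in [0, 1]; higher means the presented
# sample looks more like the enrolled template.
# Genuine = the legitimate user, impostor = anyone else.
GENUINE_SCORES: List[float] = [
    0.91, 0.88, 0.85, 0.82, 0.79, 0.76, 0.74, 0.71, 0.68, 0.65,
    0.62, 0.60, 0.58, 0.55, 0.52, 0.49, 0.46, 0.43, 0.40, 0.37,
]
IMPOSTOR_SCORES: List[float] = [
    0.12, 0.15, 0.18, 0.21, 0.24, 0.27, 0.30, 0.33, 0.36, 0.39,
    0.42, 0.45, 0.48, 0.51, 0.54, 0.57, 0.60, 0.63, 0.66, 0.69,
]


def error_rates(threshold: float,
                genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FRR, FAR) when a sample is accepted iff score >= threshold.

    FRR: fraction of genuine samples rejected (type I error, valid user denied).
    FAR: fraction of impostor samples accepted (type II error, intruder let in).
    Raising the threshold makes the system more "sensitive": FRR up, FAR down.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def sweep(steps: int = 100,
          genuine: List[float] = GENUINE_SCORES,
          impostor: List[float] = IMPOSTOR_SCORES) -> Dict[float, Tuple[float, float]]:
    """FRR/FAR at every threshold i/steps, i = 0..steps (a small DET table)."""
    return {i / steps: error_rates(i / steps, genuine, impostor)
            for i in range(steps + 1)}


def equal_error_point(steps: int = 100,
                      genuine: List[float] = GENUINE_SCORES,
                      impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float, float]:
    """(threshold, FRR, FAR) where FRR and FAR are closest: the EER point.

    Ties resolve to the lowest threshold. Treat this only as a starting
    point; the right operating point depends on whether a false accept or a
    false reject costs the business more.
    """
    table = sweep(steps, genuine, impostor)
    t = min(table, key=lambda th: abs(table[th][0] - table[th][1]))
    return (t,) + table[t]


def tune_for_max_frr(max_frr: float, steps: int = 100,
                     genuine: List[float] = GENUINE_SCORES,
                     impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float, float]:
    """Strictest (highest) threshold that keeps FRR <= max_frr, with its FAR.

    This is the trade question 46 describes: to stop rejecting valid users
    you lower sensitivity, and the returned FAR is the price paid for it.
    """
    table = sweep(steps, genuine, impostor)
    t = max(th for th, (frr, _) in table.items() if frr <= max_frr)
    return (t,) + table[t]


if __name__ == "__main__":
    for th in (0.40, 0.53, 0.70):
        frr, far = error_rates(th)
        print(f"threshold {th:.2f}: FRR {frr:.2f}  FAR {far:.2f}")
    eer_t, eer_frr, eer_far = equal_error_point()
    print(f"equal-error point: threshold {eer_t:.2f} (FRR {eer_frr:.2f}, FAR {eer_far:.2f})")
    t, frr, far = tune_for_max_frr(0.10)
    print(f"to hold FRR <= 0.10 the threshold drops to {t:.2f}, costing FAR {far:.2f}")
```

Running the script prints the three spot checks, then the equal-error point at threshold 0.53 (FRR and FAR both 0.30 on this toy data), and finally that capping false rejects at 10% forces the threshold down to 0.43 while false accepts climb to 45%. The direction of the trade, not the exact numbers, is what carries over to a real matcher: on a real system the two curves come from enrolment testing, and the operating point is a business decision about which error is more expensive.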






47. The BEST justification to convince management to invest in an information security program is that doing so would _________________.






48. All within the responsibility of the information security manager.






49. Normally addressed through antivirus and antispyware policies.






50. The most important characteristic of good security policies is that they be ____________________.