Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Annually or whenever there is a significant change
Fault-tolerant computer
Classification of assets needs
2. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Performing a risk assessment
Identify the vulnerable systems and apply compensating controls
Patch management process
Regular review of access control lists
3. All within the responsibility of the information security manager.
Deeper level of analysis
Platform security - intrusion detection and antivirus controls
Return on security investment (ROSI)
Public key infrastructure (PKI)
4. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Compliance with the organization's information security requirements
Gap analysis
Its ability to reduce or eliminate business risks
Nondisclosure agreement (NDA)
5. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
Data warehouse
Data classification
Breakeven point of risk reduction and cost
6. Also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law.
Transferred risk
IP address packet filtering
Monitoring processes
People
7. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Normalization
Exceptions to policy
Risk appetite
8. Oversees the overall classification management of the information.
Digital certificate
The information security officer
Methodology used in the assessment
Control effectiveness
9. Focuses on identifying vulnerabilities.
Penetration testing
The data custodian
Get senior management onboard
Resource dependency assessment
10. A key indicator of performance measurement.
Strategic alignment of security with business objectives
Certificate authority (CA)
Trusted source
Trojan horse
11. Determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the
Identify the relevant systems and processes
IP address packet filtering
Data classification
Impractical and is often cost-prohibitive
12. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is ______________, which would appear every time the user logs on, and the user would be required to read and agree
Logon banners
Proficiency testing
Information contained on the equipment
Public key infrastructure (PKI)
13. Provide metrics to which outsourcing firms can be held accountable.
Trusted source
Centralized structure
Service level agreements (SLAs)
Continuous analysis - monitoring and feedback
14. Ensures that there are no scalability problems.
Continuous monitoring control initiatives
Baseline standard and then develop additional standards
Stress testing
Calculating the value of the information or asset
15. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Requirements of the data owners
Malware
Script kiddie
16. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results such as impact from a security incident and required response times.
Power surge/over voltage (spike)
Information security manager
BIA (Business Impact Assessment)
Background checks of prospective employees
17. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Use of security metrics
Virus
Gap analysis
Phishing
18. Normally addressed through antivirus and antispyware policies.
Risk appetite
Intrusion detection system (IDS)
Malicious software and spyware
Threat assessment
19. New security vulnerabilities should be managed through a ________________.
Requirements of the data owners
Well-defined roles and responsibilities
Cyber terrorist
Patch management process
20. Someone who uses the internet or network to destroy or damage computers for political reasons
The information security officer
Cyber terrorist
Knowledge management
Role-based access control
21. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
The balanced scorecard
Data owners
Knowledge management
Security baselines
22. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Vulnerability assessment
Stress testing
Comparison of cost of achievement
Normalization
23. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Notifications and opt-out provisions
Defining and ratifying the classification structure of information assets
Deeper level of analysis
24. Should be performed to identify the risk and determine needed controls.
Undervoltage (brownout)
Internal risk assessment
Intrusion detection system (IDS)
Retention of business records
25. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
SWOT analysis
Data owners
Increase business value and confidence
Get senior management onboard
26. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Defining and ratifying the classification structure of information assets
The data owner
Consensus on risks and controls
Developing an information security baseline
27. When mobile equipment is lost or stolen, the ______________________ matters most in determining the impact of the loss.
Key risk indicator (KRI) setup
Information contained on the equipment
Continuous monitoring control initiatives
Cross-site scripting attacks
28. A notice that guarantees a user or a web site is legitimate
Regulatory compliance
Digital certificate
The balanced scorecard
Equal error rate (EER)
29. Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Normalization
Risk appetite
Key controls
Role-based access control
30. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Background check
Business case development
Spoofing attacks
Performing a risk assessment
31. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Security code reviews for the entire software application
Patch management
Control risk
Data owners
32. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works
Key risk indicator (KRI) setup
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Virus
Information contained on the equipment
33. Carries out the technical administration.
The database administrator
Centralization of information security management
Confidentiality
Total cost of ownership (TCO)
34. Program that copies itself repeatedly, using up resources and possibly shutting down the computer or network
Use of security metrics
The balanced scorecard
Worm
Skills inventory
35. When defining the information classification policy, the ___________________ need to be identified.
Cyber extortionist
Aligned with organizational goals
A network vulnerability assessment
Requirements of the data owners
36. In biometric systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Risk assessment - evaluation and impact analysis
Encryption
Equal error rate (EER)
Service level agreements (SLAs)
37. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Comparison of cost of achievement
Defining high-level business security requirements
Use of security metrics
Control effectiveness
38. Only valid if assets have first been identified and appropriately valued.
Trusted source
Well-defined roles and responsibilities
Annual loss expectancy (ALE) calculations
Data classification
39. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Regular review of access control lists
The board of directors and senior management
The database administrator
Continuous analysis - monitoring and feedback
40. Security design flaws require a ____________________.
Deeper level of analysis
The balanced scorecard
Acceptable use policies
Creation of a business continuity plan
41. Cannot be minimized
Inherent risk
Total cost of ownership (TCO)
Assess the risks to the business operation
Digital signatures
42. The PRIMARY goal in developing an information security strategy is to: _________________________.
Security baselines
Support the business objectives of the organization
Properly aligned with business goals and objectives
Audit objectives
43. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Notifications and opt-out provisions
Two-factor authentication
Data owners
Increase business value and confidence
44. Whenever personal data are transferred across national boundaries, ________________________ are required.
The information security officer
The awareness and agreement of the data subjects
Baseline standard and then develop additional standards
Gap analysis
45. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________, including a cost-benefit analysis, which will be most persuasive to management. A risk assessment may be included in the business case, but
Properly aligned with business goals and objectives
Data classification
Decentralization
Business case development
46. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations
Key controls
Lack of change management
Acceptable use policies
Nondisclosure agreement (NDA)
47. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
What happened and how the breach was resolved
Residual risk would be reduced by a greater amount
Total cost of ownership (TCO)
Regulatory compliance
48. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Data warehouse
Comparison of cost of achievement
BIA (Business Impact Assessment)
Encryption of the hard disks
49. To identify known vulnerabilities based on common misconfigurations and missing updates.
Role-based access control
Alignment with business strategy
A network vulnerability assessment
Assess the risks to the business operation
50. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Tailgating
Security code reviews for the entire software application
Applying the proper classification to the data
Cyber extortionist