Test your basic knowledge |

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.






2. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but






3. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee






4. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.






5. The data owner is responsible for _______________________.






6. Accesses a computer or network illegally






7. Provide metrics to which outsourcing firms can be held accountable.






8. Applications cannot access data associated with other apps






9. All within the responsibility of the information security manager.






10. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information






11. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.






12. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.






13. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.






14. Used to understand the flow of one process into another.






15. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.






16. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'






17. The primary role of the information security manager in the process of information classification within the organization.






18. Oversees the overall classification management of the information.






19. Most effective for evaluating the degree to which information security objectives are being met.






20. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.






21. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.






22. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e






23. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.






24. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.






25. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.






26. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the






27. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.






28. Needs to define the access rules - which is troublesome and error prone in large organizations.






29. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.






30. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.






31. Someone who uses the internet or network to destroy or damage computers for political reasons






32. Has to be integrated into the requirements of every software application's design.






33. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.






34. S small warehouse - designed for the end-user needs in a strategic business unit






35. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.






36. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.

Warning: Invalid argument supplied for foreach() in /var/www/html/basicversity.com/show_quiz.php on line 183


37. The BEST justification to convince management to invest in an information security program is that doing so would _________________.






38. In order to highlight to management the importance of network security - the security manager should FIRST _______________.






39. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.






40. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.






41. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.






42. Uses security metrics to measure the performance of the information security program.






43. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.






44. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance






45. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.






46. The information security manager needs to prioritize the controls based on ________________________.






47. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.






48. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .






49. By definition are not previously known and therefore are undetectable.






50. When defining the information classification policy - the ___________________ need to be identified.