CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Accesses a computer or network illegally
Cracker
Continuous monitoring control initiatives
Risk appetite
Multinational organization
2. By definition are not previously known and therefore are undetectable.
Applying the proper classification to the data
Centralized structure
Normalization
0-day vulnerabilities
3. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Logon banners
Breakeven point of risk reduction and cost
Alignment with business strategy
4. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Identify the vulnerable systems and apply compensating controls
Conduct a risk assessment
The data owner
Nondisclosure agreement (NDA)
5. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Encryption of the hard disks
Intrusion detection system (IDS)
Is willing to accept
Single sign-on (SSO) product
6. Security design flaws require a ____________________.
Access control matrix
Annual loss expectancy (ALE) calculations
Deeper level of analysis
Knowledge management
7. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Access control matrix
Annual loss expectancy (ALE) calculations
Proficiency testing
Normalization
8. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Applying the proper classification to the data
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Worm
9. Information security governance models are highly dependent on the _____________________.
Fault-tolerant computer
Safeguards over keys
Single sign-on (SSO) product
Overall organizational structure
10. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
The awareness and agreement of the data subjects
Background check
Spoofing attacks
Threat assessment
11. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Centralization of information security management
Stress testing
Protective switch covers
Key controls
12. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Role-based policy
Is willing to accept
Detection defenses
Encryption of the hard disks
13. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Virus
Asset classification
What happened and how the breach was resolved
Requirements of the data owners
14. The primary role of the information security manager in the process of information classification within the organization.
Regular review of access control lists
Patch management process
Comparison of cost of achievement
Defining and ratifying the classification structure of information assets
15. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Use of security metrics
Defining and ratifying the classification structure of information assets
Classification of assets needs
Regular review of access control lists
16. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Decentralization
Role-based policy
Security baselines
Creation of a business continuity plan
17. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Monitoring processes
Role-based policy
The data custodian
Encryption key management
18. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Phishing
Cracker
Deeper level of analysis
Security baselines
19. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Encryption of the hard disks
Conduct a risk assessment
Patch management
Inherent risk
20. A notice that guarantees a user or a web site is legitimate
Negotiating a local version of the organization standards
Two-factor authentication
Key controls
Digital certificate
21. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
Overall organizational structure
Increase business value and confidence
Threat assessment
22. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Transferred risk
Data warehouse
Rule-based access control
Its ability to reduce or eliminate business risks
23. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Compliance with the organization's information security requirements
Monitoring processes
Defined objectives
Security risk
24. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
Exceptions to policy
Increase business value and confidence
Stress testing
25. Program that hides within or looks like a legit program
Detection defenses
Nondisclosure agreement (NDA)
Regular review of access control lists
Trojan horse
26. Programs that act without a user's knowledge and deliberately alter a computer's operations
Malware
Patch management process
Multinational organization
Annual loss expectancy (ALE) calculations
27. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Audit objectives
Safeguards over keys
Encryption key management
28. Ensure that transmitted information can be attributed to the named sender.
Digital signatures
Centralized structure
Performing a risk assessment
Access control matrix
29. Has full responsibility over data.
The data owner
Two-factor authentication
Residual risk
Encryption of the hard disks
30. Needs to define the access rules - which is troublesome and error prone in large organizations.
Encryption
Rule-based access control
Consensus on risks and controls
Gap analysis
31. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Identify the vulnerable systems and apply compensating controls
Encryption
Stress testing
Script kiddie
32. Responsible for securing the information.
The data custodian
Patch management process
Breakeven point of risk reduction and cost
Cost of control
33. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Data isolation
Fault-tolerant computer
Phishing
Notifications and opt-out provisions
34. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Attributes and characteristics of the 'desired state'
Calculating the value of the information or asset
Data owners
Encryption
35. A function of the session keys distributed by the PKI.
Confidentiality
A network vulnerability assessment
Alignment with business strategy
Continuous analysis - monitoring and feedback
36. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Detection defenses
Risk appetite
Security code reviews for the entire software application
Identify the relevant systems and processes
37. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Prioritization
SWOT analysis
Digital certificate
Control risk
38. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Access control matrix
Consensus on risks and controls
Virus detection
Include security responsibilities in a job description
39. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Regulatory compliance
Decentralization
Residual risk
40. The best measure for preventing the unauthorized disclosure of confidential information.
Methodology used in the assessment
Acceptable use policies
Resource dependency assessment
IP address packet filtering
41. Should be a standard requirement for the service provider.
Deeper level of analysis
A network vulnerability assessment
Transferred risk
Background check
42. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Compliance with the organization's information security requirements
Tie security risks to key business objectives
Encryption key management
Rule-based access control
43. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Audit objectives
SWOT analysis
Tailgating
Protective switch covers
44. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Key controls
Methodology used in the assessment
IP address packet filtering
45. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Total cost of ownership (TCO)
Do with the information it collects
Process of introducing changes to systems
Resource dependency assessment
46. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
SWOT analysis
Centralized structure
Transmit e-mail messages
Regular review of access control lists
47. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Include security responsibilities in a job description
Information contained on the equipment
Malware
Performing a risk assessment
48. Provides process needs but not impact.
Use of security metrics
Resource dependency assessment
Requirements of the data owners
Public key infrastructure (PKI)
49. The data owner is responsible for _______________________.
Applying the proper classification to the data
Risk assessment - evaluation and impact analysis
Creation of a business continuity plan
Process of introducing changes to systems
50. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Residual risk
Audit objectives
Worm
Background checks of prospective employees