SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Encryption
Cyber extortionist
Detection defenses
Creation of a business continuity plan
2. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Retention of business records
Is willing to accept
Continuous analysis - monitoring and feedback
Logon banners
3. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Fault-tolerant computer
Risk appetite
Undervoltage (brownout)
Encryption
4. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Well-defined roles and responsibilities
Cracker
Confidentiality
Role-based policy
5. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Defining and ratifying the classification structure of information assets
Attributes and characteristics of the 'desired state'
Digital certificate
Cryptographic secure sockets layer (SSL) implementations and short key lengths
6. Primarily reduce risk and are most effective for the protection of information assets.
Transferred risk
Patch management process
Key controls
Single sign-on (SSO) product
7. It is easier to manage and control a _________________.
Return on security investment (ROSI)
Risk management and the requirements of the organization
Centralized structure
Assess the risks to the business operation
8. The most important characteristic of good security policies is that they be ____________________.
Phishing
Aligned with organizational goals
Annual loss expectancy (ALE)calculations
BIA (Business Impact Assessment
9. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Decentralization
Breakeven point of risk reduction and cost
Residual risk
Centralization of information security management
10. The information security manager needs to prioritize the controls based on ________________________.
Service level agreements (SLAs)
Encryption
All personnel
Risk management and the requirements of the organization
11. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Cyber extortionist
Breakeven point of risk reduction and cost
Centralized structure
12. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Transferred risk
SWOT analysis
Performing a risk assessment
13. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Process of introducing changes to systems
Classification of assets needs
Conduct a risk assessment
Skills inventory
14. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Cyber extortionist
Information contained on the equipment
Proficiency testing
15. When defining the information classification policy - the ___________________ need to be identified.
Deeper level of analysis
Requirements of the data owners
Countermeasure cost-benefit analysis
Reduce risk to an acceptable level
16. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Role-based access control
Encryption
Cyber terrorist
Logon banners
17. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Background check
Security baselines
Single sign-on (SSO) product
Defining high-level business security requirements
18. Risk should be reduced to a level that an organization _____________.
Proficiency testing
Is willing to accept
Vulnerability assessment
The data owner
19. A notice that guarantees a user or a web site is legitimate
Digital certificate
Countermeasure cost-benefit analysis
Background checks of prospective employees
Control effectiveness
20. The PRIMARY goal in developing an information security strategy is to: _________________________.
Well-defined roles and responsibilities
Support the business objectives of the organization
Tailgating
People
21. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Key controls
Gain unauthorized access to applications
Developing an information security baseline
Digital certificate
22. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Its ability to reduce or eliminate business risks
SWOT analysis
Residual risk would be reduced by a greater amount
Data warehouse
23. Provide metrics to which outsourcing firms can be held accountable.
Identify the relevant systems and processes
Cross-site scripting attacks
Deeper level of analysis
Service level agreements (SLAs)
24. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Well-defined roles and responsibilities
Risk management and the requirements of the organization
Lack of change management
Return on security investment (ROSI)
25. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Data warehouse
Risk management and the requirements of the organization
All personnel
Key risk indicator (KRI) setup
26. Has to be integrated into the requirements of every software application's design.
Personal firewall
The board of directors and senior management
Encryption key management
Process of introducing changes to systems
27. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Countermeasure cost-benefit analysis
Information contained on the equipment
Stress testing
Monitoring processes
28. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Conduct a risk assessment
BIA (Business Impact Assessment
A network vulnerability assessment
Undervoltage (brownout)
29. A key indicator of performance measurement.
Strategic alignment of security with business objectives
Access control matrix
Safeguards over keys
Increase business value and confidence
30. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
People
Residual risk would be reduced by a greater amount
Applying the proper classification to the data
Control risk
31. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Power surge/over voltage (spike)
The database administrator
Phishing
BIA (Business Impact Assessment
32. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Asset classification
Compliance with the organization's information security requirements
Identify the relevant systems and processes
33. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
The data owner
Use of security metrics
Role-based policy
Identify the relevant systems and processes
34. S small warehouse - designed for the end-user needs in a strategic business unit
Two-factor authentication
Performing a risk assessment
Attributes and characteristics of the 'desired state'
Data mart
35. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
OBusiness case development
Comparison of cost of achievement
Information contained on the equipment
Data classification
36. Should be determined from the risk assessment results.
Audit objectives
Multinational organization
Attributes and characteristics of the 'desired state'
Prioritization
37. ecurity design flaws require a ____________________.
Identify the vulnerable systems and apply compensating controls
Intrusion detection system (IDS)
Patch management process
Deeper level of analysis
38. Occurs when the electrical supply drops
Undervoltage (brownout)
Hacker
Data owners
Tie security risks to key business objectives
39. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Risk management and the requirements of the organization
Intrusion detection system (IDS)
Defined objectives
40. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Security risk
Do with the information it collects
Stress testing
Conduct a risk assessment
41. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
Applying the proper classification to the data
Defining high-level business security requirements
Monitoring processes
42. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Cross-site scripting attacks
SWOT analysis
Defined objectives
Increase business value and confidence
43. Provides process needs but not impact.
Trojan horse
Undervoltage (brownout)
Resource dependency assessment
Information security manager
44. Needs to define the access rules - which is troublesome and error prone in large organizations.
The authentication process is broken
Rule-based access control
The balanced scorecard
Skills inventory
45. Information security governance models are highly dependent on the _____________________.
A network vulnerability assessment
Penetration testing
Power surge/over voltage (spike)
Overall organizational structure
46. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Background check
Identify the vulnerable systems and apply compensating controls
The balanced scorecard
Get senior management onboard
47. Utility program that detects and protects a personal computer from unauthorized intrusions
Multinational organization
All personnel
The balanced scorecard
Personal firewall
48. When the ________________ is more than the cost of the risk - the risk should be accepted.
Process of introducing changes to systems
Resource dependency assessment
Cost of control
Properly aligned with business goals and objectives
49. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Safeguards over keys
Negotiating a local version of the organization standards
Retention of business records
Asset classification
50. Useful but only with regard to specific technical skills.
Monitoring processes
Role-based policy
Proficiency testing
Examples of containment defenses