Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Uses security metrics to measure the performance of the information security program.
Exceptions to policy
Information security manager
The board of directors and senior management
People
2. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Developing an information security baseline
Control effectiveness
Exceptions to policy
Compliance with the organization's information security requirements
3. Provides process needs but not impact.
Information security manager
Resource dependency assessment
Calculating the value of the information or asset
Inherent risk
4. Culture has a significant impact on how information security will be implemented in a ______________________.
Service level agreements (SLAs)
Patch management
Multinational organization
The board of directors and senior management
5. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Malicious software and spyware
Key controls
Multinational organization
Increase business value and confidence
6. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
7. It is easier to manage and control a _________________.
Monitoring processes
Confidentiality
Centralized structure
Baseline standard and then develop additional standards
8. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Resource dependency assessment
Confidentiality
Risk appetite
The awareness and agreement of the data subjects
9. The most important characteristic of good security policies is that they be ____________________.
Biometric access control systems
Aligned with organizational goals
Service level agreements (SLAs)
Notifications and opt-out provisions
10. Security design flaws require a ____________________.
Identify the vulnerable systems and apply compensating controls
Encryption
Deeper level of analysis
Continuous analysis - monitoring and feedback
11. All within the responsibility of the information security manager.
Platform security - intrusion detection and antivirus controls
Resource dependency assessment
Background checks of prospective employees
Personal firewall
12. Occurs after the risk assessment process - it does not measure it.
Use of security metrics
Resource dependency assessment
Data warehouse
Identify the relevant systems and processes
13. Most effective for evaluating the degree to which information security objectives are being met.
Knowledge management
The balanced scorecard
Encryption key management
Cyber extortionist
14. The data owner is responsible for _______________________.
The information security officer
Residual risk would be reduced by a greater amount
Applying the proper classification to the data
Owner of the information asset
15. Without _____________________ - there cannot be accountability.
Performing a risk assessment
Key risk indicator (KRI) setup
Well-defined roles and responsibilities
Internal risk assessment
16. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Penetration testing
Its ability to reduce or eliminate business risks
Encryption of the hard disks
Performing a risk assessment
17. Has to be integrated into the requirements of every software application's design.
Encryption key management
Security awareness training for all employees
Prioritization
Knowledge management
18. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Conduct a risk assessment
Business case development
Script kiddie
Creation of a business continuity plan
19. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Business case development
Risk appetite
Hacker
Intrusion detection system (IDS)
20. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Certificate authority (CA)
Skills inventory
Encryption key management
Threat assessment
21. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Continuous analysis - monitoring and feedback
Knowledge management
Support the business objectives of the organization
Key risk indicator (KRI) setup
22. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Notifications and opt-out provisions
Methodology used in the assessment
Information contained on the equipment
Defining high-level business security requirements
23. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
The data owner
Negotiating a local version of the organization standards
Logon banners
24. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE) calculations
Trojan horse
Digital signatures
The data owner
25. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Owner of the information asset
Virus
All personnel
Gain unauthorized access to applications
26. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Key risk indicator (KRI) setup
Data mart
Hacker
Continuous analysis - monitoring and feedback
27. A notice that guarantees a user or a web site is legitimate
Continuous analysis - monitoring and feedback
Digital certificate
Strategic alignment of security with business objectives
Identify the relevant systems and processes
28. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Defined objectives
Digital certificate
Support the business objectives of the organization
What happened and how the breach was resolved
29. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Virus detection
IP address packet filtering
Notifications and opt-out provisions
Annually or whenever there is a significant change
30. Risk should be reduced to a level that an organization _____________.
Encryption
Overall organizational structure
Rule-based access control
Is willing to accept
31. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Get senior management onboard
Exceptions to policy
Regulatory compliance
Encryption of the hard disks
32. The job of the information security officer on a management team is to ___________________.
Assess the risks to the business operation
Support the business objectives of the organization
Platform security - intrusion detection and antivirus controls
Trojan horse
33. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Equal error rate (EER)
Public key infrastructure (PKI)
Cost of control
34. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Confidentiality
Cost of control
A network vulnerability assessment
35. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Encryption key management
Notifications and opt-out provisions
Patch management process
36. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Worm
Data classification
Lack of change management
37. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Notifications and opt-out provisions
Applying the proper classification to the data
Security risk
Residual risk would be reduced by a greater amount
38. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Monitoring processes
Examples of containment defenses
Cracker
The board of directors and senior management
39. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Risk assessment - evaluation and impact analysis
The balanced scorecard
Get senior management onboard
Data owners
40. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
People
Detection defenses
Single sign-on (SSO) product
Identify the relevant systems and processes
41. A risk assessment should be conducted _________________.
Annually or whenever there is a significant change
Data isolation
Internal risk assessment
Security awareness training for all employees
42. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gain unauthorized access to applications
Information security manager
Tailgating
Resource dependency assessment
43. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Get senior management onboard
Fault-tolerant computer
Two-factor authentication
All personnel
44. Programs that act without a user's knowledge and deliberately alter a computer's operations
Malware
Notifications and opt-out provisions
Tie security risks to key business objectives
Stress testing
45. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Internal risk assessment
Cryptographic secure sockets layer (SSL) implementations and short key lengths
IP address packet filtering
Service level agreements (SLAs)
46. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Reduce risk to an acceptable level
Background checks of prospective employees
Phishing
Spoofing attacks
47. A repository of historical data organized by subject to support decision makers in the organization
Defining high-level business security requirements
Data warehouse
Spoofing attacks
Annual loss expectancy (ALE) calculations
48. When the ________________ is more than the cost of the risk - the risk should be accepted.
A network vulnerability assessment
Service level agreements (SLAs)
Cost of control
Encryption key management
49. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Strategic alignment of security with business objectives
Decentralization
Data classification
All personnel
50. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Security awareness training for all employees
Defining and ratifying the classification structure of information assets
Skills inventory
Patch management