Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Residual risk would be reduced by a greater amount
Do with the information it collects
Asset classification
Encryption of the hard disks
2. New security vulnerabilities should be managed through a ________________.
Knowledge management
Security risk
Patch management process
Security awareness training for all employees
3. Provides strong online authentication.
Defining and ratifying the classification structure of information assets
Script kiddie
Process of introducing changes to systems
Public key infrastructure (PKI)
4. Provides the most effective protection of data on mobile devices.
Encryption
Acceptable use policies
Deeper level of analysis
The information security officer
5. The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Key controls
Stress testing
All personnel
Get senior management onboard
6. Useful but only with regard to specific technical skills.
Support the business objectives of the organization
Security code reviews for the entire software application
Proficiency testing
People
7. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Skills inventory
Centralization of information security management
Performing a risk assessment
Notifications and opt-out provisions
8. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Access control matrix
Encryption of the hard disks
Proficiency testing
Regulatory compliance
9. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Defining high-level business security requirements
Business case development
Patch management
Residual risk would be reduced by a greater amount
10. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but
Control effectiveness
Business case development
The information security officer
Penetration testing
11. May show the performance result of the security related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
Retention of business records
Strategic alignment of security with business objectives
Control risk
12. Occurs when the electrical supply drops
Script kiddie
Developing an information security baseline
Protective switch covers
Undervoltage (brownout)
13. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Use of security metrics
Properly aligned with business goals and objectives
Stress testing
Script kiddie
14. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Process of introducing changes to systems
Defining high-level business security requirements
Role-based access control
Audit objectives
15. The most important characteristic of good security policies is that they be ____________________.
Aligned with organizational goals
Negotiating a local version of the organization standards
Fault-tolerant computer
Overall organizational structure
16. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Strategic alignment of security with business objectives
Get senior management onboard
Calculating the value of the information or asset
Phishing
17. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Information contained on the equipment
Breakeven point of risk reduction and cost
Role-based access control
The board of directors and senior management
18. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Spoofing attacks
Transferred risk
Tie security risks to key business objectives
Performing a risk assessment
19. Risk should be reduced to a level that an organization _____________.
Attributes and characteristics of the 'desired state'
Encryption of the hard disks
Audit objectives
Is willing to accept
20. Would protect against spoofing an internal address but would not provide strong authentication.
Centralized structure
IP address packet filtering
Increase business value and confidence
Exceptions to policy
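The distinction in item 20 is the one most often blurred, so here is a worked example added by the editor; it is not part of the original quiz. It models a stateless ingress filter on a firewall's external interface and assumes constructed address ranges (10.0.0.0/8 as the internal network, 203.0.113.0/24 as a permitted external partner range) and constructed packets. The filter stops a packet that claims an internal source address from entering from outside, but it accepts any packet whose source field carries a permitted address, including one forged by an attacker, because nothing in the decision proves who actually sent the packet. That is the gap only an authentication mechanism closes.

```python
"""Stateless ingress filtering versus authentication (added example).

Assumptions (constructed for this example, not from the quiz):
  - 10.0.0.0/8 is the organisation's internal network.
  - 203.0.113.0/24 is an external partner range the firewall permits.
  - Packets are dicts; 'true_origin' is demo metadata a real filter never sees.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PERMITTED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]


def ingress_decision(packet):
    """Decide ACCEPT/DROP for a packet seen on the external interface.

    Rule 1 (anti-spoofing): an internal source address cannot legitimately
    arrive from outside, so drop it.
    Rule 2 (allow-list): accept sources inside a permitted external range.
    Default: drop.
    The decision uses only the source address field: nothing here verifies
    that the claimed sender really sent the packet.
    """
    src = ipaddress.ip_address(packet["src"])
    if src in INTERNAL_NET:
        return "DROP", "internal source on external interface (spoofed)"
    if any(src in net for net in PERMITTED_EXTERNAL):
        return "ACCEPT", "source in permitted external range"
    return "DROP", "default deny"


# Constructed sample traffic. 'true_origin' is only here so the reader can see
# which packets are forged; the filter above deliberately ignores it.
SAMPLE_PACKETS = [
    {"id": "p1", "src": "10.1.2.3",     "dst": "10.0.0.5", "true_origin": "attacker"},
    {"id": "p2", "src": "203.0.113.10", "dst": "10.0.0.5", "true_origin": "partner"},
    {"id": "p3", "src": "203.0.113.10", "dst": "10.0.0.5", "true_origin": "attacker"},
    {"id": "p4", "src": "198.51.100.7", "dst": "10.0.0.5", "true_origin": "attacker"},
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return {packet id: verdict} for a batch of packets."""
    return {p["id"]: ingress_decision(p)[0] for p in packets}


def forged_but_accepted(packets=SAMPLE_PACKETS):
    """Packets the filter accepted even though they were forged: the gap that
    only authentication (e.g. a mutually authenticated session) closes."""
    return [p["id"] for p in packets
            if p["true_origin"] != "partner" and ingress_decision(p)[0] == "ACCEPT"]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = ingress_decision(p)
        print(f"{p['id']} src={p['src']:<14} {verdict:<6} ({why})")
    print("forged but accepted:", forged_but_accepted())
```

Packet p1 shows the protection the item credits to address filtering (an outsider claiming an internal address is dropped); p3 shows its limit (an outsider claiming a permitted partner address is waved through exactly like the real partner's p2).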
21. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Security baselines
Knowledge management
Developing an information security baseline
Continuous monitoring control initiatives
22. Should be performed to identify the risk and determine needed controls.
Internal risk assessment
Cost of control
Protective switch covers
Centralized structure
23. Has full responsibility over data.
Gap analysis
The data owner
Data isolation
Risk management and the requirements of the organization
24. Provide metrics to which outsourcing firms can be held accountable.
Security risk
Service level agreements (SLAs)
Key controls
Exceptions to policy
25. It is easier to manage and control a _________________.
Service level agreements (SLAs)
Defined objectives
Centralized structure
Protective switch covers
26. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Encryption
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Data warehouse
Transferred risk
27. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Applying the proper classification to the data
Gain unauthorized access to applications
Transferred risk
28. Carries out the technical administration.
The database administrator
Public key infrastructure (PKI)
Classification of assets needs
Worm
29. Utility program that detects and protects a personal computer from unauthorized intrusions
Assess the risks to the business operation
Residual risk
Personal firewall
Proficiency testing
30. Will prevent unauthorized access to the data on the laptop even when the laptop is lost or stolen.
Encryption of the hard disks
Residual risk would be reduced by a greater amount
Reduce risk to an acceptable level
Protective switch covers
31. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Creation of a business continuity plan
Access control matrix
32. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Key controls
The data custodian
Threat assessment
Two-factor authentication
33. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Negotiating a local version of the organization standards
Decentralization
Continuous monitoring control initiatives
Two-factor authentication
34. By definition are not previously known and therefore cannot be detected by signature-based tools until a signature exists.
Script kiddie
Equal error rate (EER)
0-day vulnerabilities
Data warehouse
35. Needs to define the access rules, which is troublesome and error prone in large organizations.
Resource dependency assessment
Regular review of access control lists
Equal error rate (EER)
Rule-based access control
36. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Increase business value and confidence
Platform security, intrusion detection and antivirus controls
Virus
Exceptions to policy
37. Are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (type I error rate), where the system will be more prone to err by denying access to a valid user, or to erring and allowing
Residual risk
Biometric access control systems
Data mart
Risk assessment, evaluation and impact analysis
38. Focuses on identifying vulnerabilities.
Penetration testing
Background checks of prospective employees
Logon banners
Get senior management onboard
39. In biometric systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Asset classification
Data warehouse
Process of introducing changes to systems
Equal error rate (EER)
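Items 37 and 39 describe the sensitivity trade-off in words; the following worked example, added by the editor and not part of the original quiz, computes it. It assumes a matcher that returns a score in [0, 1] where higher means a closer match, and uses two small constructed score samples (one from genuine users, one from impostors). It reports the false reject rate (FRR, type I) and false accept rate (FAR, type II) at a threshold, finds the threshold where the two are equal (the EER), and then shows what happens to FAR when the threshold is lowered so that no genuine user is rejected, which is the situation item 39 describes.

```python
"""Biometric threshold tuning: FRR/FAR trade-off and equal error rate (added example).

Assumptions (constructed, not from the quiz):
  - A matcher returns a score in [0, 1]; higher means a closer match.
  - An attempt is accepted when score >= threshold.
  - The two lists below are small constructed samples of matcher output.
"""

# Scores from enrolled users matching against their own template.
GENUINE_SCORES = [0.58, 0.64, 0.70, 0.73, 0.76, 0.79, 0.82, 0.85, 0.88, 0.91, 0.94, 0.97]
# Scores from other people matching against that template.
IMPOSTOR_SCORES = [0.08, 0.15, 0.22, 0.29, 0.35, 0.41, 0.47, 0.52, 0.57, 0.61, 0.66, 0.72]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) at an acceptance threshold.

    FRR (type I error): genuine attempts rejected because score < threshold.
    FAR (type II error): impostor attempts accepted because score >= threshold.
    Raising the threshold (more sensitive) lowers FAR and raises FRR; lowering
    it does the opposite.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return
    (threshold, eer) at the point where FRR and FAR are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


def threshold_for_max_frr(max_frr, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Item 39's situation: false rejects are the problem, so find the highest
    threshold that keeps FRR <= max_frr and report the FAR that results.
    Returns (threshold, frr, far)."""
    for t in sorted(set(genuine) | set(impostor), reverse=True):
        frr, far = error_rates(t, genuine, impostor)
        if frr <= max_frr:
            return t, frr, far
    raise ValueError("no candidate threshold satisfies the FRR limit")


if __name__ == "__main__":
    t_eer, eer = equal_error_rate()
    print(f"EER threshold {t_eer:.2f}: FRR = FAR = {eer:.3f}")
    t_usable, frr, far = threshold_for_max_frr(0.0)
    print(f"Lowered to {t_usable:.2f} for zero false rejects: FRR {frr:.3f}, FAR {far:.3f}")
```

With these samples the EER sits at a threshold of 0.66, where one genuine user in six is rejected and one impostor in six is accepted. Dropping the threshold to 0.58 removes every false reject but accepts a quarter of impostor attempts, which is the cost item 39 warns about; in a deployment the acceptable point on that curve is a risk decision, not a tuning default.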
40. Primarily reduce risk and are most effective for the protection of information assets.
Defined objectives
Key controls
Protective switch covers
Virus detection
41. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process
The board of directors and senior management
Alignment with business strategy
Single sign-on (SSO) product
Key risk indicator (KRI) setup
42. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Platform security, intrusion detection and antivirus controls
SWOT analysis
Tailgating
Alignment with business strategy
43. While useful for identifying the difference between the current state and the desired future state, e.g. where an organization has to comply with recently published industry regulatory requirements that potentially have high implementation costs,
Digital signatures
Gap analysis
Inherent risk
Calculating the value of the information or asset
44. Whenever personal data are transferred across national boundaries; ________________________ are required.
Inherent risk
Centralization of information security management
The awareness and agreement of the data subjects
What happened and how the breach was resolved
45. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and must be considered for the full life cycle of the control.
Is willing to accept
Performing a risk assessment
Total cost of ownership (TCO)
SWOT analysis
46. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
Owner of the information asset
What happened and how the breach was resolved
Cryptographic secure sockets layer (SSL) implementations and short key lengths
47. When the ________________ is more than the cost of the risk - the risk should be accepted.
Hacker
Cost of control
Resource dependency assessment
Creation of a business continuity plan
48. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Key controls
Is willing to accept
Methodology used in the assessment
Negotiating a local version of the organization standards
49. Responsible for securing the information.
Encryption of the hard disks
The data custodian
Virus detection
Public key infrastructure (PKI)
50. A method for analyzing and reducing a relational database to its most streamlined form
Its ability to reduce or eliminate business risks
Normalization
The data owner
Continuous analysis, monitoring and feedback