Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
The board of directors and senior management
Continuous monitoring control initiatives
Owner of the information asset
Performing a risk assessment

2. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Trusted source
Do with the information it collects
Classification of assets needs
What happened and how the breach was resolved

3. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Decentralization
Fault-tolerant computer
Monitoring processes

4. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Service level agreements (SLAs)
Examples of containment defenses
Notifications and opt-out provisions
Vulnerability assessment

5. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Owner of the information asset
Performing a risk assessment
What happened and how the breach was resolved
Consensus on risks and controls

6. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Baseline standard and then develop additional standards
Fault-tolerant computer
Risk assessment - evaluation and impact analysis
Detection defenses

7. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Creation of a business continuity plan
Personal firewall
Logon banners

8. BEST option to improve accountability for a system administrator is to _____________________.
Breakeven point of risk reduction and cost
Encryption
Inherent risk
include security responsibilities in a job description

9. Culture has a significant impact on how information security will be implemented in a ______________________.
Support the business objectives of the organization
Nondisclosure agreement (NDA)
Multinational organization
Comparison of cost of achievement

10. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Knowledge management
Calculating the value of the information or asset
Cyber terrorist
Asset classification

11. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Undervoltage (brownout)
Acceptable use policies
Reduce risk to an acceptable level
Baseline standard and then develop additional standards

12. A method for analyzing and reducing a relational database to its most streamlined form
Normalization
Risk assessment - evaluation and impact analysis
Identify the vulnerable systems and apply compensating controls
Fault-tolerant computer

13. Responsible for securing the information.
Aligned with organizational goals
The data custodian
What happened and how the breach was resolved
Identify the vulnerable systems and apply compensating controls

14. Whenever personal data are transferred across national boundaries; ________________________ are required.
The database administrator
Threat assessment
The awareness and agreement of the data subjects
Regulatory compliance

15. Needs to define the access rules - which is troublesome and error prone in large organizations.
Spoofing attacks
BIA (Business Impact Assessment
Retention of business records
Rule-based access control

16. Programs that act without a user's knowledge and deliberately alter a computer's operations
Threat assessment
MAL wear
OBusiness case development
Use of security metrics

17. Program that hides within or looks like a legit program
A network vulnerability assessment
Security baselines
Compliance with the organization's information security requirements
Trojan horse

18. Useful but only with regard to specific technical skills.
Its ability to reduce or eliminate business risks
Data classification
Annually or whenever there is a significant change
Proficiency testing

19. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Centralization of information security management
Multinational organization
include security responsibilities in a job description

20. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
IP address packet filtering
Security risk
Biometric access control systems

21. Someone who uses the internet or network to destroy or damage computers for political reasons
Power surge/over voltage (spike)
Overall organizational structure
Lack of change management
Cyber terrorist

22. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Properly aligned with business goals and objectives
Cross-site scripting attacks
Key controls

23. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
0-day vulnerabilities
Digital signatures
Phishing
Baseline standard and then develop additional standards

24. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Return on security investment (ROSI)
Protective switch covers
Information contained on the equipment
Cost of control

25. Company or person you believe will not send a virus-infect file knowingly
Trusted source
Undervoltage (brownout)
Retention of business records
Internal risk assessment

26. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Increase business value and confidence
Conduct a risk assessment
Data isolation
MAL wear

27. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Stress testing
Data warehouse
Two-factor authentication
Security risk

28. Accesses a computer or network illegally
Confidentiality
Identify the vulnerable systems and apply compensating controls
Cracker
People

29. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Personal firewall
Asset classification
BIA (Business Impact Assessment
Malicious software and spyware

30. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Get senior management onboard
Transmit e-mail messages
Information security manager
Encryption

31. Occurs when the electrical supply drops
Undervoltage (brownout)
Impractical and is often cost-prohibitive
Data warehouse
Security risk

32. Inject malformed input.
Vulnerability assessment
Strategic alignment of security with business objectives
Cross-site scripting attacks
Support the business objectives of the organization

33. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Comparison of cost of achievement
Cracker
Patch management
Knowledge management

34. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Reduce risk to an acceptable level
Lack of change management
Control effectiveness
0-day vulnerabilities

35. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Virus
Threat assessment
Knowledge management
Monitoring processes

36. Ensure that transmitted information can be attributed to the named sender.
Fault-tolerant computer
Stress testing
Digital signatures
BIA (Business Impact Assessment

37. Focuses on identifying vulnerabilities.
Overall organizational structure
BIA (Business Impact Assessment
Cross-site scripting attacks
Penetration testing

38. Utility program that detects and protects a personal computer from unauthorized intrusions
Personal firewall
Countermeasure cost-benefit analysis
Certificate authority (CA)
OBusiness case development

39. A Successful risk management should lead to a ________________.
Methodology used in the assessment
The data custodian
Breakeven point of risk reduction and cost
Do with the information it collects

40. By definition are not previously known and therefore are undetectable.
Identify the relevant systems and processes
Confidentiality
0-day vulnerabilities
MAL wear

41. Normally addressed through antivirus and antispyware policies.
Biometric access control systems
Malicious software and spyware
Impractical and is often cost-prohibitive
Developing an information security baseline

42. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
The board of directors and senior management
Platform security - intrusion detection and antivirus controls
Defining and ratifying the classification structure of information assets

43. Oversees the overall classification management of the information.
Support the business objectives of the organization
People
The information security officer
Get senior management onboard

44. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Worm
Regular review of access control lists
Control risk
Decentralization

45. Same intent as a cracker but does not have the technical skills and knowledge
Security risk
Skills inventory
Is willing to accept
Script kiddie

46. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Properly aligned with business goals and objectives
Gain unauthorized access to applications
Residual risk would be reduced by a greater amount
Assess the risks to the business operation

47. Has full responsibility over data.
Vulnerability assessment
Two-factor authentication
Regular review of access control lists
The data owner

48. An information security manager has to impress upon the human resources department the need for _____________________.
Owner of the information asset
Security awareness training for all employees
Do with the information it collects
Intrusion detection system (IDS)

49. Uses security metrics to measure the performance of the information security program.
Malicious software and spyware
SWOT analysis
What happened and how the breach was resolved
Information security manager

50. New security ulnerabilities should be managed through a ________________.
The awareness and agreement of the data subjects
Patch management process
Personal firewall
Continuous analysis - monitoring and feedback