Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
Gain unauthorized access to applications
Centralization of information security management
Script kiddie
2. A risk assessment should be conducted _________________.
Business case development
Penetration testing
Gap analysis
Annually or whenever there is a significant change
3. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Internal risk assessment
Performing a risk assessment
Data warehouse
Security code reviews for the entire software application
4. Security design flaws require a ____________________.
A network vulnerability assessment
Security risk
Encryption of the hard disks
Deeper level of analysis
5. Ensures that there are no scalability problems.
Transferred risk
Monitoring processes
Intrusion detection system (IDS)
Stress testing
6. Program that hides within or looks like a legit program
Trojan horse
The authentication process is broken
Security code reviews for the entire software application
Defining and ratifying the classification structure of information assets
7. By definition are not previously known and therefore are undetectable.
Is willing to accept
0-day vulnerabilities
Background check
Stress testing
8. It is easier to manage and control a _________________.
Breakeven point of risk reduction and cost
Its ability to reduce or eliminate business risks
Knowledge management
Centralized structure
9. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Role-based policy
Exceptions to policy
Script kiddie
10. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Digital certificate
Control effectiveness
Its ability to reduce or eliminate business risks
Cross-site scripting attacks
11. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
Business case development
Risk management and the requirements of the organization
Gap analysis
12. Responsible for securing the information.
Lack of change management
The data custodian
Power surge/over voltage (spike)
IP address packet filtering
13. New security vulnerabilities should be managed through a ________________.
Identify the vulnerable systems and apply compensating controls
Cyber extortionist
Patch management process
Spoofing attacks
14. Focuses on identifying vulnerabilities.
Penetration testing
Role-based policy
Safeguards over keys
Malicious software and spyware
15. BEST option to improve accountability for a system administrator is to _____________________.
Examples of containment defenses
include security responsibilities in a job description
Methodology used in the assessment
Increase business value and confidence
16. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Personal firewall
Consensus on risks and controls
Annually or whenever there is a significant change
Continuous analysis - monitoring and feedback
17. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Information contained on the equipment
Control risk
Security risk
Service level agreements (SLAs)
18. Risk should be reduced to a level that an organization _____________.
Is willing to accept
Encryption key management
Applying the proper classification to the data
Transferred risk
19. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Classification of assets needs
Penetration testing
Role-based access control
Encryption of the hard disks
20. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Countermeasure cost-benefit analysis
Security code reviews for the entire software application
Role-based access control
All personnel
21. Uses security metrics to measure the performance of the information security program.
Requirements of the data owners
Data isolation
Information security manager
Control effectiveness
22. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Cost of control
Decentralization
Retention of business records
Owner of the information asset
23. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Rule-based access control
Cost of control
Background checks of prospective employees
Two-factor authentication
24. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Security code reviews for the entire software application
Well-defined roles and responsibilities
Knowledge management
Creation of a business continuity plan
25. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Annually or whenever there is a significant change
Calculating the value of the information or asset
Two-factor authentication
Tie security risks to key business objectives
26. Useful but only with regard to specific technical skills.
Proficiency testing
Audit objectives
Cyber extortionist
Developing an information security baseline
27. A process that helps organizations manipulate important knowledge that is part of the organization's memory.
Continuous analysis - monitoring and feedback
Knowledge management
BIA (Business Impact Assessment)
Identify the relevant systems and processes
28. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Data warehouse
Deeper level of analysis
Identify the vulnerable systems and apply compensating controls
Monitoring processes
29. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Well-defined roles and responsibilities
Transferred risk
Tie security risks to key business objectives
Classification of assets needs
30. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Breakeven point of risk reduction and cost
Get senior management onboard
Detection defenses
Return on security investment (ROSI)
31. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Patch management
Its ability to reduce or eliminate business risks
Centralization of information security management
Intrusion detection system (IDS)
32. A notice that guarantees a user or a web site is legitimate
Undervoltage (brownout)
Digital certificate
Malware
Regular review of access control lists
33. Company or person you believe will not knowingly send a virus-infected file.
Single sign-on (SSO) product
Trusted source
The board of directors and senior management
Continuous analysis - monitoring and feedback
34. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
Spoofing attacks
Proficiency testing
Virus detection
35. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Centralization of information security management
Developing an information security baseline
Data warehouse
Process of introducing changes to systems
36. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Penetration testing
Background check
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Skills inventory
37. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Knowledge management
Acceptable use policies
Baseline standard and then develop additional standards
Defining high-level business security requirements
38. Has to be integrated into the requirements of every software application's design.
Use of security metrics
Encryption key management
Threat assessment
Continuous analysis - monitoring and feedback
39. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Key risk indicator (KRI) setup
The balanced scorecard
Residual risk
Tailgating
40. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Centralized structure
Classification of assets needs
Spoofing attacks
Key controls
41. A key indicator of performance measurement.
All personnel
Strategic alignment of security with business objectives
Phishing
BIA (Business Impact Assessment)
42. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
Calculating the value of the information or asset
Patch management
Transferred risk
43. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Gap analysis
Assess the risks to the business operation
Impractical and is often cost-prohibitive
44. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
What happened and how the breach was resolved
Public key infrastructure (PKI)
Identify the vulnerable systems and apply compensating controls
Gap analysis
45. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Annual loss expectancy (ALE) calculations
Data warehouse
Properly aligned with business goals and objectives
Key risk indicator (KRI) setup
46. Should be determined from the risk assessment results.
Internal risk assessment
BIA (Business Impact Assessment)
Its ability to reduce or eliminate business risks
Audit objectives
47. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Get senior management onboard
Attributes and characteristics of the 'desired state'
Aligned with organizational goals
Comparison of cost of achievement
48. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and it must be considered for the full life cycle of the control.
Total cost of ownership (TCO)
Service level agreements (SLAs)
Logon banners
Background checks of prospective employees
49. Oversees the overall classification management of the information.
Patch management
The information security officer
Consensus on risks and controls
The data custodian
50. Are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Stress testing
Continuous monitoring control initiatives
Notifications and opt-out provisions
Role-based policy