SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Without _____________________ - there cannot be accountability.
Well-defined roles and responsibilities
BIA (Business Impact Assessment
Confidentiality
Examples of containment defenses
2. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Creation of a business continuity plan
A network vulnerability assessment
Platform security - intrusion detection and antivirus controls
Worm
3. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
The awareness and agreement of the data subjects
Cost of control
Well-defined roles and responsibilities
4. Inject malformed input.
The database administrator
Cross-site scripting attacks
Multinational organization
Return on security investment (ROSI)
5. Reducing risk to a level too small to measure is _______________.
Lack of change management
Normalization
Examples of containment defenses
Impractical and is often cost-prohibitive
6. S small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Malicious software and spyware
BIA (Business Impact Assessment
Cost of control
7. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Identify the vulnerable systems and apply compensating controls
Access control matrix
Rule-based access control
Threat assessment
8. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Defining high-level business security requirements
Retention of business records
Patch management
9. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Protective switch covers
Background check
Decentralization
Control effectiveness
10. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis - monitoring and feedback
Countermeasure cost-benefit analysis
Annually or whenever there is a significant change
Compliance with the organization's information security requirements
11. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Transferred risk
Retention of business records
Alignment with business strategy
Data mart
12. By definition are not previously known and therefore are undetectable.
Continuous monitoring control initiatives
0-day vulnerabilities
Platform security - intrusion detection and antivirus controls
Total cost of ownership (TCO)
13. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
Trusted source
Negotiating a local version of the organization standards
Conduct a risk assessment
14. Focuses on identifying vulnerabilities.
People
Penetration testing
Annual loss expectancy (ALE)calculations
Trusted source
15. The best measure for preventing the unauthorized disclosure of confidential information.
Waterfall chart
Return on security investment (ROSI)
Acceptable use policies
Certificate authority (CA)
16. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Information contained on the equipment
Worm
Properly aligned with business goals and objectives
Cracker
17. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Gap analysis
Proficiency testing
Skills inventory
The board of directors and senior management
18. Provides process needs but not impact.
Regulatory compliance
Resource dependency assessment
Security baselines
Certificate authority (CA)
19. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
IP address packet filtering
Residual risk
Conduct a risk assessment
The authentication process is broken
20. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
21. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
Defining and ratifying the classification structure of information assets
Security baselines
Identify the vulnerable systems and apply compensating controls
22. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Threat assessment
Tie security risks to key business objectives
Do with the information it collects
Residual risk
23. Same intent as a cracker but does not have the technical skills and knowledge
All personnel
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Information contained on the equipment
Script kiddie
24. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Public key infrastructure (PKI)
Risk assessment - evaluation and impact analysis
Conduct a risk assessment
Cost of control
25. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
BIA (Business Impact Assessment
Regular review of access control lists
The data custodian
Spoofing attacks
26. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
All personnel
Decentralization
Intrusion detection system (IDS)
Safeguards over keys
27. provides the most effective protection of data on mobile devices.
Methodology used in the assessment
Encryption
Examples of containment defenses
Normalization
28. A key indicator of performance measurement.
Power surge/over voltage (spike)
Strategic alignment of security with business objectives
Performing a risk assessment
Continuous analysis - monitoring and feedback
29. Should be performed to identify the risk and determine needed controls.
Defining high-level business security requirements
The information security officer
Internal risk assessment
Process of introducing changes to systems
30. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Audit objectives
Strategic alignment of security with business objectives
Public key infrastructure (PKI)
31. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Penetration testing
Biometric access control systems
Calculating the value of the information or asset
Malicious software and spyware
32. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Risk appetite
include security responsibilities in a job description
Total cost of ownership (TCO)
Overall organizational structure
33. Should be determined from the risk assessment results.
Audit objectives
The information security officer
Encryption key management
The data owner
34. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Patch management process
Spoofing attacks
Data owners
The awareness and agreement of the data subjects
35. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Digital certificate
Negotiating a local version of the organization standards
Personal firewall
36. A repository of historical data organized by subject to support decision makers in the org
MAL wear
Power surge/over voltage (spike)
Methodology used in the assessment
Data warehouse
37. Company or person you believe will not send a virus-infect file knowingly
Tie security risks to key business objectives
Transferred risk
Process of introducing changes to systems
Trusted source
38. Primarily reduce risk and are most effective for the protection of information assets.
Key controls
Virus detection
Process of introducing changes to systems
Information security manager
39. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Security baselines
Confidentiality
Skills inventory
Data owners
40. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Role-based policy
Return on security investment (ROSI)
Rule-based access control
Properly aligned with business goals and objectives
41. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Lack of change management
Equal error rate (EER)
Support the business objectives of the organization
Asset classification
42. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
IP address packet filtering
Retention of business records
Gain unauthorized access to applications
The balanced scorecard
43. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
The awareness and agreement of the data subjects
Get senior management onboard
Do with the information it collects
Residual risk
44. Occurs when the incoming level
The information security officer
Alignment with business strategy
Threat assessment
Power surge/over voltage (spike)
45. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Key controls
Negotiating a local version of the organization standards
Countermeasure cost-benefit analysis
Encryption key management
46. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Prioritization
Comparison of cost of achievement
Security baselines
Cyber terrorist
47. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Residual risk
Alignment with business strategy
Asset classification
Exceptions to policy
48. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Confidentiality
Patch management process
Risk appetite
49. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Centralized structure
Fault-tolerant computer
Gap analysis
50. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
A network vulnerability assessment
Patch management process
Increase business value and confidence