Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. The data owner is responsible for _______________________.
Vulnerability assessment
SWOT analysis
Defining high-level business security requirements
Applying the proper classification to the data
2. In biometric systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Personal firewall
Equal error rate (EER)
Annual loss expectancy (ALE) calculations
Key risk indicator (KRI) setup
3. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Its ability to reduce or eliminate business risks
Service level agreements (SLAs)
Cyber extortionist
Encryption of the hard disks
4. Because past performance is a strong predictor of future performance, _______________________ best prevents attacks from originating within an organization.
Is willing to accept
Security baselines
Background checks of prospective employees
Developing an information security baseline
5. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Data warehouse
Consensus on risks and controls
Its ability to reduce or eliminate business risks
0-day vulnerabilities
6. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
The data custodian
Two-factor authentication
Data classification
Role-based policy
7. Someone who accesses a computer or network illegally
Process of introducing changes to systems
Patch management process
Trusted source
Hacker
8. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Process of introducing changes to systems
Spoofing attacks
Cyber terrorist
Key risk indicator (KRI) setup
9. To identify known vulnerabilities based on common misconfigurations and missing updates.
Security baselines
Identify the relevant systems and processes
Residual risk would be reduced by a greater amount
A network vulnerability assessment
10. A function of the session keys distributed by the PKI.
Threat assessment
Confidentiality
Comparison of cost of achievement
Internal risk assessment
11. Programs that act without a user's knowledge and deliberately alter a computer's operations
Risk assessment - evaluation and impact analysis
Data mart
Malware
Calculating the value of the information or asset
12. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Access control matrix
Data owners
Prioritization
Do with the information it collects
13. Used to understand the flow of one process into another.
Waterfall chart
Annual loss expectancy (ALE) calculations
Examples of containment defenses
Defining and ratifying the classification structure of information assets
14. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Tie security risks to key business objectives
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Patch management process
15. Are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (type I error rate), where the system will be more prone to err by denying access to a valid user, or to erring and allowing
Biometric access control systems
Fault-tolerant computer
Well-defined roles and responsibilities
Negotiating a local version of the organization standards
16. New security vulnerabilities should be managed through a ________________.
Data owners
What happened and how the breach was resolved
Patch management process
Resource dependency assessment
17. Program that copies itself repeatedly, using up resources and possibly shutting down the computer or network
Waterfall chart
Worm
Power surge/over voltage (spike)
Data owners
18. When the ________________ is more than the cost of the risk, the risk should be accepted.
The data custodian
Cost of control
Transferred risk
Encryption of the hard disks
19. Needs to define the access rules, which is troublesome and error prone in large organizations.
Get senior management onboard
Developing an information security baseline
Rule-based access control
Security risk
20. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Requirements of the data owners
Transferred risk
All personnel
21. Provides process needs but not impact.
Resource dependency assessment
Identify the vulnerable systems and apply compensating controls
Virus detection
Threat assessment
22. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Alignment with business strategy
Role-based access control
Assess the risks to the business operation
Single sign-on (SSO) product
23. May show the performance result of the security related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Creation of a business continuity plan
Deeper level of analysis
Internal risk assessment
Return on security investment (ROSI)
24. Has full responsibility over data.
Nondisclosure agreement (NDA)
The data owner
Support the business objectives of the organization
Centralized structure
25. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability
Security risk
0-day vulnerabilities
Nondisclosure agreement (NDA)
Consensus on risks and controls
26. While useful for identifying the difference between the current state and the desired future state, e.g. an organization has to comply with recently published industry regulatory requirements that potentially have high implementation costs,
Risk assessment - evaluation and impact analysis
The data custodian
Background checks of prospective employees
Gap analysis
27. Occurs after the risk assessment process - it does not measure it.
Phishing
Monitoring processes
The database administrator
Use of security metrics
28. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Consensus on risks and controls
Normalization
Access control matrix
Digital certificate
29. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information, launch a security exploit, etc.
Return on security investment (ROSI)
Role-based policy
Data classification
Cyber extortionist
30. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Information contained on the equipment
Alignment with business strategy
Annual loss expectancy (ALE) calculations
Deeper level of analysis
31. Primarily reduce risk and are most effective for the protection of information assets.
Key controls
Intrusion detection system (IDS)
Transmit e-mail messages
Cost of control
32. Inject malformed input.
Key controls
Defined objectives
Cross-site scripting attacks
Comparison of cost of achievement
33. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
Notifications and opt-out provisions
Rule-based access control
Phishing
34. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
Decentralization
Script kiddie
Strategic alignment of security with business objectives
35. Successful risk management should lead to a ________________.
Threat assessment
Single sign-on (SSO) product
Encryption of the hard disks
Breakeven point of risk reduction and cost
36. The information security manager needs to prioritize the controls based on ________________________.
Transmit e-mail messages
Risk management and the requirements of the organization
The information security officer
Service level agreements (SLAs)
37. The weakest link in security implementation, and awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and sensitized on various security policies and other security topics, thus e
Defining high-level business security requirements
The authentication process is broken
People
Intrusion detection system (IDS)
38. The primary role of the information security manager in the process of information classification within the organization.
Encryption key management
Multinational organization
Defining and ratifying the classification structure of information assets
Centralized structure
39. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Residual risk
Retention of business records
Examples of containment defenses
40. Reducing risk to a level too small to measure is _______________.
Classification of assets needs
Biometric access control systems
Control effectiveness
Impractical and is often cost-prohibitive
41. The MOST important element of an information security strategy.
Platform security, intrusion detection and antivirus controls
Trusted source
Defined objectives
Nondisclosure agreement (NDA)
42. Only valid if assets have first been identified and appropriately valued.
Get senior management onboard
Annual loss expectancy (ALE) calculations
Key risk indicator (KRI) setup
Vulnerability assessment
43. A risk assessment should be conducted _________________.
Annually or whenever there is a significant change
A network vulnerability assessment
Normalization
Penetration testing
44. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
Centralization of information security management
Examples of containment defenses
Tailgating
Classification of assets needs
45. Legal document to be signed by all employees, suppliers, etc. before they 'touch' the organization, to protect the organization's intellectual property.
A network vulnerability assessment
Threat assessment
Nondisclosure agreement (NDA)
Data warehouse
46. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
A network vulnerability assessment
include security responsibilities in a job description
Encryption of the hard disks
Reduce risk to an acceptable level
47. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Waterfall chart
Gap analysis
Digital signatures
48. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results such as impact from a security incident and required response times.
BIA (Business Impact Assessment)
Personal firewall
Worm
Owner of the information asset
49. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Certificate authority (CA)
Compliance with the organization's information security requirements
Negotiating a local version of the organization standards
Classification of assets needs
50. It is more efficient to establish a ___________________for locations that must meet specific requirements.
The data owner
Acceptable use policies
Properly aligned with business goals and objectives
Baseline standard and then develop additional standards