SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Utility program that detects and protects a personal computer from unauthorized intrusions
Notifications and opt-out provisions
Proficiency testing
Personal firewall
Data warehouse
2. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
Biometric access control systems
Identify the vulnerable systems and apply compensating controls
Equal error rate (EER)
3. Program that hides within or looks like a legit program
Transmit e-mail messages
Trojan horse
Consensus on risks and controls
Digital certificate
4. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Power surge/over voltage (spike)
Undervoltage (brownout)
Protective switch covers
Data mart
5. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Defining high-level business security requirements
Consensus on risks and controls
Alignment with business strategy
Protective switch covers
6. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Residual risk would be reduced by a greater amount
Rule-based access control
Return on security investment (ROSI)
Use of security metrics
7. The best measure for preventing the unauthorized disclosure of confidential information.
Continuous analysis - monitoring and feedback
Comparison of cost of achievement
Support the business objectives of the organization
Acceptable use policies
8. Provides process needs but not impact.
Resource dependency assessment
Confidentiality
Get senior management onboard
Patch management process
9. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Annually or whenever there is a significant change
Attributes and characteristics of the 'desired state'
Virus
Decentralization
10. Accesses a computer or network illegally
Platform security - intrusion detection and antivirus controls
Cracker
Applying the proper classification to the data
Residual risk would be reduced by a greater amount
11. Reducing risk to a level too small to measure is _______________.
BIA (Business Impact Assessment
Inherent risk
Impractical and is often cost-prohibitive
Waterfall chart
12. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Its ability to reduce or eliminate business risks
Use of security metrics
Annually or whenever there is a significant change
13. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Intrusion detection system (IDS)
Baseline standard and then develop additional standards
SWOT analysis
Two-factor authentication
14. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
IP address packet filtering
The data custodian
Service level agreements (SLAs)
Total cost of ownership (TCO)
15. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Examples of containment defenses
Continuous analysis - monitoring and feedback
Control risk
What happened and how the breach was resolved
16. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Background checks of prospective employees
Defining high-level business security requirements
Control effectiveness
Threat assessment
17. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Defining and ratifying the classification structure of information assets
Return on security investment (ROSI)
Power surge/over voltage (spike)
18. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Well-defined roles and responsibilities
The information security officer
Aligned with organizational goals
19. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Total cost of ownership (TCO)
Logon banners
Asset classification
Support the business objectives of the organization
20. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Virus
BIA (Business Impact Assessment
Owner of the information asset
21. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Role-based access control
IP address packet filtering
Is willing to accept
Methodology used in the assessment
22. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Annually or whenever there is a significant change
Classification of assets needs
Notifications and opt-out provisions
Role-based access control
23. Oversees the overall classification management of the information.
Its ability to reduce or eliminate business risks
The information security officer
Background check
Audit objectives
24. An information security manager has to impress upon the human resources department the need for _____________________.
The data custodian
Negotiating a local version of the organization standards
Logon banners
Security awareness training for all employees
25. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Security awareness training for all employees
0-day vulnerabilities
Aligned with organizational goals
People
26. Applications cannot access data associated with other apps
Data isolation
Equal error rate (EER)
Is willing to accept
Malicious software and spyware
27. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Exceptions to policy
Conduct a risk assessment
BIA (Business Impact Assessment
28. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Regular review of access control lists
Risk assessment - evaluation and impact analysis
Continuous monitoring control initiatives
29. When defining the information classification policy - the ___________________ need to be identified.
Normalization
Requirements of the data owners
Background check
SWOT analysis
30. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Its ability to reduce or eliminate business risks
Creation of a business continuity plan
Performing a risk assessment
31. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Alignment with business strategy
Residual risk
Background checks of prospective employees
Centralization of information security management
32. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Breakeven point of risk reduction and cost
Asset classification
Properly aligned with business goals and objectives
Alignment with business strategy
33. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Countermeasure cost-benefit analysis
Regular review of access control lists
Reduce risk to an acceptable level
The authentication process is broken
34. To identify known vulnerabilities based on common misconfigurations and missing updates.
Proficiency testing
Overall organizational structure
A network vulnerability assessment
Worm
35. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Lack of change management
Requirements of the data owners
Compliance with the organization's information security requirements
MAL wear
36. Occurs when the electrical supply drops
Is willing to accept
Retention of business records
Undervoltage (brownout)
Waterfall chart
37. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
Encryption
Gap analysis
Encryption key management
38. Someone who accesses a computer or network illegally
Hacker
Security code reviews for the entire software application
Transmit e-mail messages
The data owner
39. Occurs when the incoming level
Intrusion detection system (IDS)
Tailgating
Power surge/over voltage (spike)
Lack of change management
40. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Equal error rate (EER)
Digital signatures
Regulatory compliance
41. Should be a standard requirement for the service provider.
Transmit e-mail messages
Service level agreements (SLAs)
Deeper level of analysis
Background check
42. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Security baselines
Background checks of prospective employees
Threat assessment
Process of introducing changes to systems
43. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Security baselines
Penetration testing
Risk assessment - evaluation and impact analysis
Security risk
44. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Consensus on risks and controls
Classification of assets needs
Equal error rate (EER)
Biometric access control systems
45. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Use of security metrics
All personnel
Security risk
Exceptions to policy
46. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
The information security officer
Creation of a business continuity plan
Digital signatures
Annually or whenever there is a significant change
47. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
The data custodian
Monitoring processes
Intrusion detection system (IDS)
Security awareness training for all employees
48. The most important characteristic of good security policies is that they be ____________________.
Defined objectives
Multinational organization
Inherent risk
Aligned with organizational goals
49. Useful but only with regard to specific technical skills.
Proficiency testing
Undervoltage (brownout)
Hacker
Compliance with the organization's information security requirements
50. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Protective switch covers
Exceptions to policy
Phishing
Defining and ratifying the classification structure of information assets