Test your basic knowledge |

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Without _____________________ - there cannot be accountability.






2. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.






3. The best measure and will involve reviewing the entire source code to detect all instances of back doors.






4. Inject malformed input.






5. Reducing risk to a level too small to measure is _______________.






6. S small warehouse - designed for the end-user needs in a strategic business unit






7. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.






8. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.






9. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.






10. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.






11. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.






12. By definition are not previously known and therefore are undetectable.






13. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.






14. Focuses on identifying vulnerabilities.






15. The best measure for preventing the unauthorized disclosure of confidential information.






16. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.






17. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.






18. Provides process needs but not impact.






19. In order to highlight to management the importance of network security - the security manager should FIRST _______________.






20. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.


21. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.






22. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.






23. Same intent as a cracker but does not have the technical skills and knowledge






24. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.






25. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.






26. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.






27. provides the most effective protection of data on mobile devices.






28. A key indicator of performance measurement.






29. Should be performed to identify the risk and determine needed controls.






30. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are






31. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing






32. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .






33. Should be determined from the risk assessment results.






34. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.






35. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.






36. A repository of historical data organized by subject to support decision makers in the org






37. Company or person you believe will not send a virus-infect file knowingly






38. Primarily reduce risk and are most effective for the protection of information assets.






39. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'






40. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.






41. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.






42. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.






43. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.






44. Occurs when the incoming level






45. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.






46. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance






47. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.






48. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.






49. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information






50. When the ________________ is more than the cost of the risk - the risk should be accepted.