SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Safeguards over keys
Assess the risks to the business operation
The board of directors and senior management
2. Program that hides within or looks like a legit program
Spoofing attacks
Trojan horse
Background check
Data warehouse
3. The best measure for preventing the unauthorized disclosure of confidential information.
Aligned with organizational goals
Acceptable use policies
Undervoltage (brownout)
Compliance with the organization's information security requirements
4. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Undervoltage (brownout)
Total cost of ownership (TCO)
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Identify the vulnerable systems and apply compensating controls
5. Only valid if assets have first been identified and appropriately valued.
What happened and how the breach was resolved
0-day vulnerabilities
Annual loss expectancy (ALE)calculations
Retention of business records
6. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gain unauthorized access to applications
Information security manager
SWOT analysis
Data mart
7. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk assessment - evaluation and impact analysis
Risk appetite
Data mart
SWOT analysis
8. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
All personnel
Owner of the information asset
Compliance with the organization's information security requirements
Threat assessment
9. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Acceptable use policies
Safeguards over keys
Nondisclosure agreement (NDA)
Alignment with business strategy
10. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Identify the vulnerable systems and apply compensating controls
Performing a risk assessment
Well-defined roles and responsibilities
Asset classification
11. A repository of historical data organized by subject to support decision makers in the org
Annually or whenever there is a significant change
Data warehouse
Threat assessment
Support the business objectives of the organization
12. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Transferred risk
Stress testing
Vulnerability assessment
13. Should be a standard requirement for the service provider.
Monitoring processes
Risk appetite
Background check
Retention of business records
14. Programs that act without a user's knowledge and deliberately alter a computer's operations
People
Centralization of information security management
Nondisclosure agreement (NDA)
MAL wear
15. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Script kiddie
The authentication process is broken
Aligned with organizational goals
Get senior management onboard
16. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Owner of the information asset
Internal risk assessment
Single sign-on (SSO) product
17. Applications cannot access data associated with other apps
Equal error rate (EER)
Data isolation
Notifications and opt-out provisions
Total cost of ownership (TCO)
18. Information security governance models are highly dependent on the _____________________.
Annual loss expectancy (ALE)calculations
Overall organizational structure
Attributes and characteristics of the 'desired state'
The database administrator
19. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Security baselines
Data isolation
Key risk indicator (KRI) setup
Worm
20. Identification and _______________ of business risk enables project managers to address areas with most significance.
Detection defenses
Encryption
Prioritization
Continuous monitoring control initiatives
21. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Tie security risks to key business objectives
Vulnerability assessment
Calculating the value of the information or asset
Proficiency testing
22. Responsible for securing the information.
The data custodian
Inherent risk
A network vulnerability assessment
Stress testing
23. New security ulnerabilities should be managed through a ________________.
Public key infrastructure (PKI)
Its ability to reduce or eliminate business risks
Increase business value and confidence
Patch management process
24. An information security manager has to impress upon the human resources department the need for _____________________.
Increase business value and confidence
Security awareness training for all employees
Is willing to accept
Retention of business records
25. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Risk management and the requirements of the organization
Logon banners
Decentralization
The authentication process is broken
26. Someone who accesses a computer or network illegally
Conduct a risk assessment
Hacker
Patch management process
Cryptographic secure sockets layer (SSL) implementations and short key lengths
27. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
Background check
Fault-tolerant computer
BIA (Business Impact Assessment
28. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Multinational organization
Residual risk would be reduced by a greater amount
Consensus on risks and controls
Increase business value and confidence
29. Should be determined from the risk assessment results.
Undervoltage (brownout)
Risk assessment - evaluation and impact analysis
Audit objectives
Key risk indicator (KRI) setup
30. Accesses a computer or network illegally
Equal error rate (EER)
The information security officer
Cracker
Cyber extortionist
31. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
OBusiness case development
Safeguards over keys
Script kiddie
Patch management process
32. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Intrusion detection system (IDS)
Nondisclosure agreement (NDA)
Developing an information security baseline
Risk assessment - evaluation and impact analysis
33. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Encryption key management
Retention of business records
Data isolation
Total cost of ownership (TCO)
34. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Information contained on the equipment
Background checks of prospective employees
Spoofing attacks
Security code reviews for the entire software application
35. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Inherent risk
Assess the risks to the business operation
Fault-tolerant computer
36. Ensures that there are no scalability problems.
Protective switch covers
Stress testing
Data isolation
Two-factor authentication
37. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Waterfall chart
Classification of assets needs
Fault-tolerant computer
Certificate authority (CA)
38. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Multinational organization
Residual risk would be reduced by a greater amount
The board of directors and senior management
Classification of assets needs
39. The job of the information security officer on a management team is to ___________________.
The data custodian
Inherent risk
Security baselines
Assess the risks to the business operation
40. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Platform security - intrusion detection and antivirus controls
Access control matrix
Equal error rate (EER)
Cost of control
41. Uses security metrics to measure the performance of the information security program.
The authentication process is broken
Information security manager
Waterfall chart
Detection defenses
42. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Cyber terrorist
Control effectiveness
Baseline standard and then develop additional standards
43. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Retention of business records
Gain unauthorized access to applications
Patch management
44. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Risk management and the requirements of the organization
Control risk
Data warehouse
Defining high-level business security requirements
45. A function of the session keys distributed by the PKI.
Notifications and opt-out provisions
Data classification
The balanced scorecard
Confidentiality
46. Provide metrics to which outsourcing firms can be held accountable.
Identify the vulnerable systems and apply compensating controls
Is willing to accept
Service level agreements (SLAs)
Continuous monitoring control initiatives
47. All within the responsibility of the information security manager.
The awareness and agreement of the data subjects
Trojan horse
Digital signatures
Platform security - intrusion detection and antivirus controls
48. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Nondisclosure agreement (NDA)
Security baselines
Well-defined roles and responsibilities
Encryption of the hard disks
49. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Its ability to reduce or eliminate business risks
Applying the proper classification to the data
Penetration testing
Gap analysis
50. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Knowledge management
Patch management
Proficiency testing
Owner of the information asset