SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Security code reviews for the entire software application
Return on security investment (ROSI)
Service level agreements (SLAs)
Cyber extortionist
2. An information security manager has to impress upon the human resources department the need for _____________________.
Multinational organization
Applying the proper classification to the data
Security awareness training for all employees
Regulatory compliance
3. Should be a standard requirement for the service provider.
Inherent risk
The data custodian
Background check
Defined objectives
4. ecurity design flaws require a ____________________.
Deeper level of analysis
Attributes and characteristics of the 'desired state'
Cost of control
SWOT analysis
5. To identify known vulnerabilities based on common misconfigurations and missing updates.
Security code reviews for the entire software application
Inherent risk
A network vulnerability assessment
Comparison of cost of achievement
6. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cyber extortionist
Certificate authority (CA)
Biometric access control systems
Acceptable use policies
7. Occurs when the electrical supply drops
Undervoltage (brownout)
Well-defined roles and responsibilities
Performing a risk assessment
Defining and ratifying the classification structure of information assets
8. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Normalization
Threat assessment
Cracker
SWOT analysis
9. Useful but only with regard to specific technical skills.
Proficiency testing
Certificate authority (CA)
Creation of a business continuity plan
Stress testing
10. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Service level agreements (SLAs)
Continuous analysis - monitoring and feedback
Waterfall chart
Impractical and is often cost-prohibitive
11. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Proficiency testing
Digital signatures
Centralization of information security management
12. Company or person you believe will not send a virus-infect file knowingly
The board of directors and senior management
Do with the information it collects
Trusted source
Single sign-on (SSO) product
13. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Continuous monitoring control initiatives
Do with the information it collects
Virus
Trusted source
14. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Hacker
Proficiency testing
Skills inventory
Tie security risks to key business objectives
15. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Centralized structure
Access control matrix
Examples of containment defenses
16. Reducing risk to a level too small to measure is _______________.
Cyber extortionist
Threat assessment
Get senior management onboard
Impractical and is often cost-prohibitive
17. Someone who accesses a computer or network illegally
Annually or whenever there is a significant change
Hacker
Calculating the value of the information or asset
Risk management and the requirements of the organization
18. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Is willing to accept
Gap analysis
Vulnerability assessment
Transmit e-mail messages
19. S small warehouse - designed for the end-user needs in a strategic business unit
Use of security metrics
SWOT analysis
The authentication process is broken
Data mart
20. The information security manager needs to prioritize the controls based on ________________________.
Annual loss expectancy (ALE)calculations
Lack of change management
Risk management and the requirements of the organization
Spoofing attacks
21. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Identify the relevant systems and processes
Countermeasure cost-benefit analysis
Background check
Continuous monitoring control initiatives
22. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Exceptions to policy
Public key infrastructure (PKI)
Properly aligned with business goals and objectives
Data warehouse
23. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Overall organizational structure
The data owner
Control risk
Lack of change management
24. A key indicator of performance measurement.
Baseline standard and then develop additional standards
Strategic alignment of security with business objectives
Gain unauthorized access to applications
Increase business value and confidence
25. Information security governance models are highly dependent on the _____________________.
Assess the risks to the business operation
Trojan horse
Overall organizational structure
Information security manager
26. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Phishing
Proficiency testing
Countermeasure cost-benefit analysis
BIA (Business Impact Assessment
27. Same intent as a cracker but does not have the technical skills and knowledge
Key controls
Inherent risk
Script kiddie
Information security manager
28. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Public key infrastructure (PKI)
Worm
Stress testing
Fault-tolerant computer
29. Should be performed to identify the risk and determine needed controls.
Public key infrastructure (PKI)
Gain unauthorized access to applications
Internal risk assessment
Monitoring processes
30. Uses security metrics to measure the performance of the information security program.
BIA (Business Impact Assessment
Data mart
Exceptions to policy
Information security manager
31. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Owner of the information asset
Get senior management onboard
Patch management process
Continuous monitoring control initiatives
32. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Strategic alignment of security with business objectives
Access control matrix
Requirements of the data owners
33. Without _____________________ - there cannot be accountability.
Strategic alignment of security with business objectives
Well-defined roles and responsibilities
Alignment with business strategy
Acceptable use policies
34. A Successful risk management should lead to a ________________.
Alignment with business strategy
Breakeven point of risk reduction and cost
The data custodian
Vulnerability assessment
35. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Risk appetite
Regulatory compliance
The database administrator
Role-based access control
36. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Access control matrix
Performing a risk assessment
Worm
IP address packet filtering
37. The PRIMARY goal in developing an information security strategy is to: _________________________.
Role-based access control
Phishing
Support the business objectives of the organization
Access control matrix
38. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Threat assessment
Asset classification
Access control matrix
Well-defined roles and responsibilities
39. Awareness - training and physical security defenses.
Logon banners
Examples of containment defenses
Virus detection
BIA (Business Impact Assessment
40. All within the responsibility of the information security manager.
IP address packet filtering
Proficiency testing
Platform security - intrusion detection and antivirus controls
Tailgating
41. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Equal error rate (EER)
Role-based access control
Resource dependency assessment
Digital signatures
42. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Risk management and the requirements of the organization
Conduct a risk assessment
Security risk
Inherent risk
43. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Data isolation
Breakeven point of risk reduction and cost
Defining high-level business security requirements
Spoofing attacks
44. Occurs after the risk assessment process - it does not measure it.
Control effectiveness
Use of security metrics
Biometric access control systems
Security risk
45. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Lack of change management
Knowledge management
include security responsibilities in a job description
46. A function of the session keys distributed by the PKI.
Lack of change management
Encryption key management
Examples of containment defenses
Confidentiality
47. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment - evaluation and impact analysis
Stress testing
Digital certificate
Negotiating a local version of the organization standards
48. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Applying the proper classification to the data
Process of introducing changes to systems
MAL wear
Reduce risk to an acceptable level
49. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Resource dependency assessment
Security awareness training for all employees
Control effectiveness
Encryption
50. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
The data owner
Trusted source
Decentralization