SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Virus
Defining and ratifying the classification structure of information assets
Proficiency testing
Control effectiveness
2. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Overall organizational structure
Is willing to accept
Impractical and is often cost-prohibitive
Countermeasure cost-benefit analysis
3. Programs that act without a user's knowledge and deliberately alter a computer's operations
Information security manager
Aligned with organizational goals
MAL wear
What happened and how the breach was resolved
4. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Virus
Encryption
Gain unauthorized access to applications
Trusted source
5. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Platform security - intrusion detection and antivirus controls
Phishing
Fault-tolerant computer
Spoofing attacks
6. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Countermeasure cost-benefit analysis
Process of introducing changes to systems
Defining high-level business security requirements
Key risk indicator (KRI) setup
7. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Data isolation
Threat assessment
Do with the information it collects
Developing an information security baseline
8. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Compliance with the organization's information security requirements
The data custodian
Developing an information security baseline
9. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Deeper level of analysis
Calculating the value of the information or asset
Logon banners
Patch management process
10. Someone who accesses a computer or network illegally
Cyber extortionist
Annual loss expectancy (ALE)calculations
Examples of containment defenses
Hacker
11. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Fault-tolerant computer
Defining high-level business security requirements
Increase business value and confidence
Vulnerability assessment
12. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment - evaluation and impact analysis
Patch management
Security risk
Personal firewall
13. Most effective for evaluating the degree to which information security objectives are being met.
Encryption of the hard disks
All personnel
Identify the relevant systems and processes
The balanced scorecard
14. Only valid if assets have first been identified and appropriately valued.
Security code reviews for the entire software application
Script kiddie
Requirements of the data owners
Annual loss expectancy (ALE)calculations
15. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Tie security risks to key business objectives
Protective switch covers
Residual risk
Conduct a risk assessment
16. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Risk management and the requirements of the organization
Process of introducing changes to systems
Equal error rate (EER)
17. A notice that guarantees a user or a web site is legitimate
Digital certificate
Examples of containment defenses
Script kiddie
Background checks of prospective employees
18. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Encryption
Deeper level of analysis
Overall organizational structure
Tailgating
19. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Certificate authority (CA)
Trusted source
Patch management
Internal risk assessment
20. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Patch management process
Cross-site scripting attacks
Alignment with business strategy
21. A Successful risk management should lead to a ________________.
The board of directors and senior management
Information security manager
Breakeven point of risk reduction and cost
Script kiddie
22. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Encryption key management
Classification of assets needs
IP address packet filtering
Consensus on risks and controls
23. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Role-based access control
Overall organizational structure
Consensus on risks and controls
Control risk
24. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Encryption of the hard disks
The database administrator
Hacker
25. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
The data owner
Return on security investment (ROSI)
Logon banners
Its ability to reduce or eliminate business risks
26. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
include security responsibilities in a job description
Threat assessment
Data classification
27. Whenever personal data are transferred across national boundaries; ________________________ are required.
Multinational organization
The awareness and agreement of the data subjects
Methodology used in the assessment
IP address packet filtering
28. Has to be integrated into the requirements of every software application's design.
Data owners
Encryption key management
Process of introducing changes to systems
Its ability to reduce or eliminate business risks
29. When the ________________ is more than the cost of the risk - the risk should be accepted.
Stress testing
Cost of control
Properly aligned with business goals and objectives
Script kiddie
30. Needs to define the access rules - which is troublesome and error prone in large organizations.
Audit objectives
Rule-based access control
Trojan horse
Methodology used in the assessment
31. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Service level agreements (SLAs)
Script kiddie
Conduct a risk assessment
Security baselines
32. Should PRIMARILY be based on regulatory and legal requirements.
Annual loss expectancy (ALE)calculations
Risk appetite
SWOT analysis
Retention of business records
33. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Script kiddie
Spoofing attacks
Annually or whenever there is a significant change
OBusiness case development
34. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Role-based access control
Data mart
Owner of the information asset
Certificate authority (CA)
35. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
Warning
: Invalid argument supplied for foreach() in
/var/www/html/basicversity.com/show_quiz.php
on line
183
36. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Consensus on risks and controls
Threat assessment
IP address packet filtering
People
37. Utility program that detects and protects a personal computer from unauthorized intrusions
BIA (Business Impact Assessment
Encryption key management
The balanced scorecard
Personal firewall
38. Identification and _______________ of business risk enables project managers to address areas with most significance.
Transmit e-mail messages
Prioritization
Aligned with organizational goals
Cryptographic secure sockets layer (SSL) implementations and short key lengths
39. Would protect against spoofing an internal address but would not provide strong authentication.
IP address packet filtering
SWOT analysis
Assess the risks to the business operation
Residual risk
40. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
All personnel
Two-factor authentication
Owner of the information asset
Assess the risks to the business operation
41. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
Residual risk
Conduct a risk assessment
Decentralization
42. ecurity design flaws require a ____________________.
Information contained on the equipment
Deeper level of analysis
Data owners
Impractical and is often cost-prohibitive
43. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Classification of assets needs
Risk appetite
Continuous monitoring control initiatives
Hacker
44. Uses security metrics to measure the performance of the information security program.
Information security manager
Monitoring processes
Total cost of ownership (TCO)
Baseline standard and then develop additional standards
45. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Process of introducing changes to systems
Trusted source
Continuous analysis - monitoring and feedback
Identify the vulnerable systems and apply compensating controls
46. Reducing risk to a level too small to measure is _______________.
Nondisclosure agreement (NDA)
Total cost of ownership (TCO)
Identify the relevant systems and processes
Impractical and is often cost-prohibitive
47. Awareness - training and physical security defenses.
A network vulnerability assessment
Gap analysis
Examples of containment defenses
Retention of business records
48. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy
Support the business objectives of the organization
Defining and ratifying the classification structure of information assets
Nondisclosure agreement (NDA)
49. The primary role of the information security manager in the process of information classification within the organization.
Virus detection
Defining and ratifying the classification structure of information assets
Increase business value and confidence
Comparison of cost of achievement
50. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Worm
Centralization of information security management
Aligned with organizational goals
Penetration testing