CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study the material first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding each time you retake the test.
1. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Centralization of information security management
Tie security risks to key business objectives
Its ability to reduce or eliminate business risks
Transmit e-mail messages
2. The data owner is responsible for _______________________.
Exceptions to policy
Applying the proper classification to the data
Access control matrix
Gain unauthorized access to applications
3. Without _____________________ - there cannot be accountability.
Well-defined roles and responsibilities
Lack of change management
Stress testing
Increase business value and confidence
4. Requires the access rules to be defined, which is troublesome and error-prone in large organizations.
Security code reviews for the entire software application
Support the business objectives of the organization
Cyber extortionist
Rule-based access control
5. Risk should be reduced to a level that an organization _____________.
Baseline standard and then develop additional standards
Is willing to accept
Centralization of information security management
Asset classification
6. Most effective for evaluating the degree to which information security objectives are being met.
Its ability to reduce or eliminate business risks
The balanced scorecard
Rule-based access control
Spoofing attacks
7. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
include security responsibilities in a job description
Prioritization
Defining high-level business security requirements
8. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Methodology used in the assessment
Background check
Identify the relevant systems and processes
Regular review of access control lists
9. Can be a standalone driver for an information security governance measure. No further analysis or justification is required, since the entity has no choice in the regulatory requirements.
Consensus on risks and controls
Regulatory compliance
Trusted source
Encryption key management
10. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee.
Cross-site scripting attacks
Annually or whenever there is a significant change
Tailgating
Trusted source
11. Responsible for securing the information.
Calculating the value of the information or asset
Get senior management onboard
Trusted source
The data custodian
12. Primarily reduce risk and are most effective for the protection of information assets.
Key controls
The data owner
Risk appetite
Lack of change management
13. Ensure that transmitted information can be attributed to the named sender.
Increase business value and confidence
Digital signatures
include security responsibilities in a job description
Performing a risk assessment
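The term behind question 13 is digital signatures: a signature verifies only if it was produced over exactly the received body by the private key matching the named sender's public key, so a genuine message can be attributed to that sender while an altered body or a different signer fails. The following Go program is an added example (not part of the original quiz page) using the standard library's Ed25519; the sender "alice", the impostor key and the transfer-approval message are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage carries a message body together with the sender's signature over it.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// Sign signs body with the sender's private key. Only the holder of that key
// can produce a signature that verifies under the matching public key.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify returns true only if msg.Signature was produced over exactly msg.Body
// by the private key matching pub. A changed body or a different signer both fail.
func Verify(pub ed25519.PublicKey, msg SignedMessage) bool {
	return ed25519.Verify(pub, msg.Body, msg.Signature)
}

// SignatureScenario runs the three cases that matter for attribution and returns
// their verification results: the genuine message, a tampered copy, and a message
// signed by someone other than the named sender.
func SignatureScenario() (genuine, tampered, impostor bool, err error) {
	// Hypothetical sender "alice" and an impostor; keys are generated fresh each run.
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// Constructed sample message (not from the original page).
	body := []byte("Approve wire transfer #4471 for 25,000 EUR")
	msg := Sign(alicePriv, body)
	genuine = Verify(alicePub, msg)

	// Tampering: the recipient is handed alice's signature over an altered body.
	altered := SignedMessage{
		Body:      []byte("Approve wire transfer #4471 for 250,000 EUR"),
		Signature: msg.Signature,
	}
	tampered = Verify(alicePub, altered)

	// Impersonation: someone else signs the same body and claims it came from alice.
	forged := Sign(impostorPriv, body)
	impostor = Verify(alicePub, forged)
	return
}

func main() {
	genuine, tampered, impostor, err := SignatureScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", genuine, tampered, impostor)
}
```

The attribution holds only as far as the recipient trusts that the public key really belongs to alice; binding the key to an identity is the job of a certificate or PKI, not of the signature itself.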
14. The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Acceptable use policies
Get senior management onboard
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Return on security investment (ROSI)
15. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
Cyber terrorist
Security baselines
Data owners
16. Information security governance models are highly dependent on the _____________________.
Well-defined roles and responsibilities
Regulatory compliance
Overall organizational structure
Role-based access control
17. When the ________________ is more than the cost of the risk, the risk should be accepted.
Security risk
Cost of control
Business case development
Annual loss expectancy (ALE) calculations
18. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Increase business value and confidence
Power surge/over voltage (spike)
Baseline standard and then develop additional standards
Control effectiveness
19. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures, but not in the prioritization.
Alignment with business strategy
Creation of a business continuity plan
Defining high-level business security requirements
Multinational organization
20. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
Identify the relevant systems and processes
Proficiency testing
Defined objectives
IP address packet filtering
21. By definition are not previously known and therefore are undetectable.
Methodology used in the assessment
Normalization
0-day vulnerabilities
Gain unauthorized access to applications
22. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Prioritization
Process of introducing changes to systems
Risk appetite
Biometric access control systems
23. Has to be integrated into the requirements of every software application's design.
Malicious software and spyware
Business case development
Encryption key management
Protective switch covers
24. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
All personnel
Risk management and the requirements of the organization
Lack of change management
Worm
25. Occurs when the incoming level
Digital certificate
Power surge/over voltage (spike)
Residual risk would be reduced by a greater amount
Identify the relevant systems and processes
26. Whenever personal data are transferred across national boundaries; ________________________ are required.
Defining and ratifying the classification structure of information assets
The awareness and agreement of the data subjects
Proficiency testing
Properly aligned with business goals and objectives
27. Someone who accesses a computer or network illegally
Digital certificate
Control effectiveness
Risk appetite
Hacker
28. While useful for identifying the difference between the current state and the desired future state, e.g. when an organization has to comply with recently published industry regulatory requirements whose implementation potentially has high costs -
Gap analysis
Security code reviews for the entire software application
Business case development
Methodology used in the assessment
29. Identification and _______________ of business risk enables project managers to address areas with most significance.
Cross-site scripting attacks
Hacker
Data owners
Prioritization
30. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gap analysis
Waterfall chart
Attributes and characteristics of the 'desired state'
Gain unauthorized access to applications
31. The MOST important component of a privacy policy: privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are
The database administrator
Return on security investment (ROSI)
Examples of containment defenses
Notifications and opt-out provisions
32. Provide metrics to which outsourcing firms can be held accountable.
The information security officer
Trojan horse
Resource dependency assessment
Service level agreements (SLAs)
33. The best measure for preventing the unauthorized disclosure of confidential information.
Data owners
Well-defined roles and responsibilities
Lack of change management
Acceptable use policies
34. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Certificate authority (CA)
Centralization of information security management
Alignment with business strategy
0-day vulnerabilities
35. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
IP address packet filtering
Virus detection
Examples of containment defenses
Encryption of the hard disks
36. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Knowledge management
Breakeven point of risk reduction and cost
Defined objectives
Vulnerability assessment
37. When defining the information classification policy - the ___________________ need to be identified.
Resource dependency assessment
Requirements of the data owners
Proficiency testing
Attributes and characteristics of the 'desired state'
38. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Cost of control
The balanced scorecard
Do with the information it collects
BIA (Business Impact Assessment)
39. Legal document to be signed by all employees, suppliers, etc. before they 'touch' the organization, to protect the organization's intellectual property.
Logon banners
Nondisclosure agreement (NDA)
Data isolation
Transferred risk
40. Computer that has duplicate components so it can continue to operate when one of its main components fails.
SWOT analysis
Attributes and characteristics of the 'desired state'
Equal error rate (EER)
Fault-tolerant computer
41. A repository of historical data organized by subject to support decision makers in the organization.
Return on security investment (ROSI)
Equal error rate (EER)
Virus
Data warehouse
42. Awareness, training and physical security defenses.
Role-based access control
Lack of change management
Regular review of access control lists
Examples of containment defenses
43. Would protect against spoofing an internal address but would not provide strong authentication.
IP address packet filtering
Well-defined roles and responsibilities
Detection defenses
Public key infrastructure (PKI)
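Question 43 describes IP address packet filtering: a rule that drops datagrams arriving on the untrusted interface while claiming a source inside the internal network stops that form of address spoofing, but it inspects only a header field and so says nothing about who actually sent a packet. The Go program below is an added example (not code from the original page) of such an ingress filter; the interface names eth0/eth1, the internal ranges and the sample packets are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is all a stateless address filter sees: the interface the datagram
// arrived on and the source address written in its IP header.
type Packet struct {
	Iface string
	Src   net.IP
}

// AntiSpoofFilter drops datagrams that arrive on the untrusted interface while
// claiming a source inside one of the internal networks (ingress filtering).
type AntiSpoofFilter struct {
	Untrusted string
	Internal  []*net.IPNet
}

// NewAntiSpoofFilter parses the internal CIDR ranges the filter protects.
func NewAntiSpoofFilter(untrusted string, internalCIDRs ...string) (*AntiSpoofFilter, error) {
	f := &AntiSpoofFilter{Untrusted: untrusted}
	for _, c := range internalCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad internal CIDR %q: %w", c, err)
		}
		f.Internal = append(f.Internal, n)
	}
	return f, nil
}

func (f *AntiSpoofFilter) claimsInternal(ip net.IP) bool {
	for _, n := range f.Internal {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allow returns false for a packet on the untrusted interface whose source
// claims to be internal. It checks only the header field: a packet with an
// external source is let through whoever actually sent it, which is why this
// control provides no authentication of the sender.
func (f *AntiSpoofFilter) Allow(p Packet) bool {
	if p.Iface == f.Untrusted && f.claimsInternal(p.Src) {
		return false
	}
	return true
}

// FilterScenario runs constructed sample traffic (not from the page): eth0 faces
// the internet, eth1 is the LAN, and 10.0.0.0/8 plus 192.168.0.0/16 are internal.
func FilterScenario() (spoofedDropped, externalAllowed, lanAllowed bool, err error) {
	f, err := NewAntiSpoofFilter("eth0", "10.0.0.0/8", "192.168.0.0/16")
	if err != nil {
		return
	}
	// Internal source arriving from outside: spoofed, dropped.
	spoofedDropped = !f.Allow(Packet{Iface: "eth0", Src: net.ParseIP("10.1.2.3")})
	// External source arriving from outside: allowed, identity unknown.
	externalAllowed = f.Allow(Packet{Iface: "eth0", Src: net.ParseIP("203.0.113.5")})
	// Internal source arriving on the LAN side: allowed.
	lanAllowed = f.Allow(Packet{Iface: "eth1", Src: net.ParseIP("10.1.2.3")})
	return
}

func main() {
	fmt.Println(FilterScenario())
}
```

The second case is the point of the question: the filter accepts the external packet because its source is plausible for that interface, not because the sender has proved anything, so strong authentication has to come from a separate control such as a PKI-backed credential.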
44. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Multinational organization
Reduce risk to an acceptable level
Cracker
Performing a risk assessment
45. A notice that guarantees a user or a web site is legitimate
Digital signatures
Digital certificate
Data mart
Nondisclosure agreement (NDA)
46. Uses security metrics to measure the performance of the information security program.
Information security manager
Baseline standard and then develop additional standards
Return on security investment (ROSI)
Reduce risk to an acceptable level
47. When mobile equipment is lost or stolen, the ______________________ matters most in determining the impact of the loss.
Strategic alignment of security with business objectives
0-day vulnerabilities
Spoofing attacks
Information contained on the equipment
48. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Vulnerability assessment
Notifications and opt-out provisions
Role-based access control
Deeper level of analysis
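Questions 4 and 48 contrast rule-based access control, where access rules have to be spelled out per user and per resource, with role-based access control, where permissions attach to roles and users are assigned to roles. The Go program below is an added example (not part of the original page) of a minimal RBAC decision function; the roles, permissions and the user "bob" are constructed for illustration. It shows the maintenance property that makes RBAC effective in large user communities: a job change is one revoke and one assign, not an edit of every rule that named the user.

```go
package main

import "fmt"

type Role string
type Permission string

// RBAC maps roles to permissions and users to roles. Access decisions never
// reference an individual user directly; they go through the user's roles.
type RBAC struct {
	rolePerms map[Role]map[Permission]bool
	userRoles map[string]map[Role]bool
}

func NewRBAC() *RBAC {
	return &RBAC{
		rolePerms: map[Role]map[Permission]bool{},
		userRoles: map[string]map[Role]bool{},
	}
}

// Grant attaches permissions to a role (defined once, when the role is designed).
func (r *RBAC) Grant(role Role, perms ...Permission) {
	if r.rolePerms[role] == nil {
		r.rolePerms[role] = map[Permission]bool{}
	}
	for _, p := range perms {
		r.rolePerms[role][p] = true
	}
}

// Assign puts a user in one or more roles (per user, e.g. at hire or job change).
func (r *RBAC) Assign(user string, roles ...Role) {
	if r.userRoles[user] == nil {
		r.userRoles[user] = map[Role]bool{}
	}
	for _, role := range roles {
		r.userRoles[user][role] = true
	}
}

// Revoke removes a user from a role; every permission that came only from that role goes with it.
func (r *RBAC) Revoke(user string, role Role) {
	delete(r.userRoles[user], role)
}

// Can reports whether any of the user's roles carries the permission.
func (r *RBAC) Can(user string, p Permission) bool {
	for role := range r.userRoles[user] {
		if r.rolePerms[role][p] {
			return true
		}
	}
	return false
}

// JobChange moves the hypothetical user bob from the helpdesk to finance and
// returns his access to one permission from each role before and after the move.
func JobChange() (beforeReset, beforePostJournal, afterReset, afterPostJournal bool) {
	r := NewRBAC()
	r.Grant("helpdesk", "ticket:read", "account:reset-password")
	r.Grant("finance", "ledger:read", "ledger:post-journal")

	r.Assign("bob", "helpdesk")
	beforeReset = r.Can("bob", "account:reset-password")
	beforePostJournal = r.Can("bob", "ledger:post-journal")

	// The job change: two operations, regardless of how many permissions each role holds.
	r.Revoke("bob", "helpdesk")
	r.Assign("bob", "finance")
	afterReset = r.Can("bob", "account:reset-password")
	afterPostJournal = r.Can("bob", "ledger:post-journal")
	return
}

func main() {
	fmt.Println(JobChange())
}
```

Under a rule-based scheme the same move would mean locating and rewriting each of bob's individual rules, and any rule missed leaves him with helpdesk rights he no longer needs; that accumulation of stale per-user rules is the error-proneness question 4 refers to.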
49. Reducing risk to a level too small to measure is _______________.
The awareness and agreement of the data subjects
Impractical and is often cost-prohibitive
Confidentiality
Intrusion detection system (IDS)
50. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Undervoltage (brownout)
Personal firewall
Countermeasure cost-benefit analysis
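Questions 17, 49 and 50 are the same calculation seen from three sides: annual loss expectancy is single loss expectancy times annualized rate of occurrence, a countermeasure cost-benefit analysis compares the annual cost of a safeguard with the ALE it removes, and when the cost of control exceeds the cost of the risk the risk is accepted rather than driven toward zero. The Go program below is an added example (not part of the original page) that carries this through for several candidate controls; the laptop-theft scenario and all monetary figures are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Exposure is one risk scenario expressed in annual loss expectancy terms.
type Exposure struct {
	SLE float64 // single loss expectancy: cost of one occurrence
	ARO float64 // annualized rate of occurrence: expected occurrences per year
}

// ALE is the expected annual cost of the risk: SLE x ARO.
func (e Exposure) ALE() float64 { return e.SLE * e.ARO }

// Safeguard is a candidate control with its annual cost and the exposure that
// remains (residual risk) once it is in place.
type Safeguard struct {
	Name       string
	AnnualCost float64
	Residual   Exposure
}

// Decision records the comparison for one safeguard.
type Decision struct {
	Name          string
	ALEBefore     float64
	ALEAfter      float64
	RiskReduction float64 // ALE before minus ALE after
	NetBenefit    float64 // risk reduction minus the annual cost of the control
	Implement     bool    // false means accept the risk: the control costs more than it saves
}

// Evaluate compares the annual cost of the safeguard with the annual loss it prevents.
func Evaluate(current Exposure, s Safeguard) Decision {
	before := current.ALE()
	after := s.Residual.ALE()
	reduction := before - after
	net := reduction - s.AnnualCost
	return Decision{
		Name: s.Name, ALEBefore: before, ALEAfter: after,
		RiskReduction: reduction, NetBenefit: net, Implement: net > 0,
	}
}

// Rank evaluates every candidate and orders them by net benefit, highest first.
func Rank(current Exposure, candidates []Safeguard) []Decision {
	out := make([]Decision, 0, len(candidates))
	for _, s := range candidates {
		out = append(out, Evaluate(current, s))
	}
	sort.Slice(out, func(i, j int) bool { return out[i].NetBenefit > out[j].NetBenefit })
	return out
}

// LaptopTheft is a constructed scenario (figures are illustrative, not from the page):
// five laptops a year are lost, each costing 8,000 in hardware, re-imaging and data exposure.
func LaptopTheft() []Decision {
	current := Exposure{SLE: 8000, ARO: 5}
	candidates := []Safeguard{
		// Full-disk encryption: the data exposure goes away, only the hardware cost remains.
		{Name: "full-disk encryption", AnnualCost: 6000, Residual: Exposure{SLE: 1500, ARO: 5}},
		// Gold plating: residual risk of zero, but the control costs more than the whole risk.
		{Name: "no laptops leave the building", AnnualCost: 90000, Residual: Exposure{}},
		// Cheap but weak: asset tags recover a few machines and barely move the ALE.
		{Name: "asset tags only", AnnualCost: 500, Residual: Exposure{SLE: 8000, ARO: 4.75}},
	}
	return Rank(current, candidates)
}

func main() {
	for _, d := range LaptopTheft() {
		fmt.Printf("%-30s ALE %6.0f -> %6.0f  net %7.0f  implement=%v\n",
			d.Name, d.ALEBefore, d.ALEAfter, d.NetBenefit, d.Implement)
	}
}
```

The second candidate is question 49 in numbers: it is the only option that reduces the risk to nothing, and it is rejected because its cost exceeds the entire 40,000 ALE it removes. The ranking also reflects the organization's risk appetite only implicitly; in practice the residual ALE of the chosen control is compared against the level management has said it is willing to accept (questions 5 and 44).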