SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Tie security risks to key business objectives
Data owners
Attributes and characteristics of the 'desired state'
Risk assessment - evaluation and impact analysis
2. Risk should be reduced to a level that an organization _____________.
Single sign-on (SSO) product
Is willing to accept
Strategic alignment of security with business objectives
Risk assessment - evaluation and impact analysis
3. provides the most effective protection of data on mobile devices.
Get senior management onboard
Power surge/over voltage (spike)
Encryption
Threat assessment
4. Ensures that there are no scalability problems.
Monitoring processes
Defined objectives
Classification of assets needs
Stress testing
5. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Control risk
The data custodian
Applying the proper classification to the data
6. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Consensus on risks and controls
Access control matrix
Patch management
7. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
All personnel
Centralization of information security management
Data isolation
8. Provides process needs but not impact.
Baseline standard and then develop additional standards
Vulnerability assessment
Resource dependency assessment
Patch management process
9. Normally addressed through antivirus and antispyware policies.
Undervoltage (brownout)
Malicious software and spyware
Continuous monitoring control initiatives
Safeguards over keys
10. Occurs when the electrical supply drops
Background check
Centralization of information security management
Undervoltage (brownout)
Spoofing attacks
11. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Skills inventory
Gain unauthorized access to applications
Annual loss expectancy (ALE)calculations
Cryptographic secure sockets layer (SSL) implementations and short key lengths
12. Identification and _______________ of business risk enables project managers to address areas with most significance.
Consensus on risks and controls
Stress testing
Reduce risk to an acceptable level
Prioritization
13. Focuses on identifying vulnerabilities.
Service level agreements (SLAs)
Threat assessment
Breakeven point of risk reduction and cost
Penetration testing
14. To identify known vulnerabilities based on common misconfigurations and missing updates.
OBusiness case development
A network vulnerability assessment
Impractical and is often cost-prohibitive
Properly aligned with business goals and objectives
15. Culture has a significant impact on how information security will be implemented in a ______________________.
Creation of a business continuity plan
Use of security metrics
Background checks of prospective employees
Multinational organization
16. Programs that act without a user's knowledge and deliberately alter a computer's operations
Comparison of cost of achievement
MAL wear
Examples of containment defenses
Digital signatures
17. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
Security code reviews for the entire software application
0-day vulnerabilities
Strategic alignment of security with business objectives
18. BEST option to improve accountability for a system administrator is to _____________________.
Tie security risks to key business objectives
Annual loss expectancy (ALE)calculations
Nondisclosure agreement (NDA)
include security responsibilities in a job description
19. Needs to define the access rules - which is troublesome and error prone in large organizations.
The data owner
Role-based policy
Biometric access control systems
Rule-based access control
20. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Rule-based access control
The board of directors and senior management
Encryption of the hard disks
Knowledge management
21. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Risk management and the requirements of the organization
Patch management process
The data owner
Virus
22. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Safeguards over keys
Comparison of cost of achievement
Security code reviews for the entire software application
Cyber terrorist
23. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
OBusiness case development
Calculating the value of the information or asset
Alignment with business strategy
Detection defenses
24. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Data owners
Nondisclosure agreement (NDA)
Centralized structure
25. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Encryption key management
Comparison of cost of achievement
Cyber extortionist
26. Occurs after the risk assessment process - it does not measure it.
Security risk
Cyber extortionist
Use of security metrics
Negotiating a local version of the organization standards
27. S small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Intrusion detection system (IDS)
Identify the relevant systems and processes
Data warehouse
28. It is easier to manage and control a _________________.
Role-based policy
Internal risk assessment
Defined objectives
Centralized structure
29. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Digital certificate
Role-based policy
Get senior management onboard
Support the business objectives of the organization
30. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
BIA (Business Impact Assessment
Classification of assets needs
Get senior management onboard
Digital certificate
31. The MOST important element of an information security strategy.
Safeguards over keys
What happened and how the breach was resolved
Data owners
Defined objectives
32. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
The awareness and agreement of the data subjects
Digital signatures
Phishing
33. Primarily reduce risk and are most effective for the protection of information assets.
Waterfall chart
Risk appetite
Virus
Key controls
34. Should be a standard requirement for the service provider.
Background check
Two-factor authentication
Penetration testing
Acceptable use policies
35. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Virus detection
Negotiating a local version of the organization standards
Nondisclosure agreement (NDA)
Its ability to reduce or eliminate business risks
36. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Do with the information it collects
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Detection defenses
Process of introducing changes to systems
37. The information security manager needs to prioritize the controls based on ________________________.
Patch management process
Decentralization
Risk management and the requirements of the organization
Confidentiality
38. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Patch management process
Multinational organization
Trusted source
Defining high-level business security requirements
39. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Key risk indicator (KRI) setup
Spoofing attacks
Rule-based access control
40. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Skills inventory
Breakeven point of risk reduction and cost
Intrusion detection system (IDS)
Transmit e-mail messages
41. Should be performed to identify the risk and determine needed controls.
Aligned with organizational goals
Negotiating a local version of the organization standards
SWOT analysis
Internal risk assessment
42. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Defined objectives
Decentralization
Key risk indicator (KRI) setup
Security awareness training for all employees
43. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
The database administrator
SWOT analysis
A network vulnerability assessment
Key risk indicator (KRI) setup
44. Someone who accesses a computer or network illegally
Data owners
Encryption
Encryption key management
Hacker
45. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
Undervoltage (brownout)
Owner of the information asset
Script kiddie
46. Utility program that detects and protects a personal computer from unauthorized intrusions
Risk management and the requirements of the organization
Reduce risk to an acceptable level
Personal firewall
Assess the risks to the business operation
47. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Cost of control
Platform security - intrusion detection and antivirus controls
Reduce risk to an acceptable level
Gap analysis
48. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Transmit e-mail messages
Security risk
Protective switch covers
Examples of containment defenses
49. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Biometric access control systems
Tailgating
Safeguards over keys
Control effectiveness
50. Should be determined from the risk assessment results.
The data owner
Encryption
Audit objectives
Risk management and the requirements of the organization
