SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Encryption key management
Continuous monitoring control initiatives
Normalization
Impractical and is often cost-prohibitive
2. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Patch management process
Properly aligned with business goals and objectives
Conduct a risk assessment
Get senior management onboard
3. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Exceptions to policy
Notifications and opt-out provisions
IP address packet filtering
Defining high-level business security requirements
4. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Residual risk would be reduced by a greater amount
Centralization of information security management
Patch management process
Security risk
5. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Gain unauthorized access to applications
Impractical and is often cost-prohibitive
Worm
Regulatory compliance
6. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Cracker
Properly aligned with business goals and objectives
Audit objectives
0-day vulnerabilities
7. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
Control effectiveness
Centralization of information security management
Cyber terrorist
8. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Comparison of cost of achievement
Centralization of information security management
The data owner
Intrusion detection system (IDS)
9. Ensures that there are no scalability problems.
Stress testing
Undervoltage (brownout)
Key risk indicator (KRI) setup
Performing a risk assessment
10. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Comparison of cost of achievement
Vulnerability assessment
Background check
Rule-based access control
11. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
Warning
: Invalid argument supplied for foreach() in
/var/www/html/basicversity.com/show_quiz.php
on line
183
12. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Its ability to reduce or eliminate business risks
Examples of containment defenses
Virus
Applying the proper classification to the data
13. To identify known vulnerabilities based on common misconfigurations and missing updates.
Lack of change management
A network vulnerability assessment
Breakeven point of risk reduction and cost
Continuous analysis - monitoring and feedback
14. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Equal error rate (EER)
Patch management process
Total cost of ownership (TCO)
Vulnerability assessment
15. Occurs when the incoming level
Power surge/over voltage (spike)
Examples of containment defenses
Its ability to reduce or eliminate business risks
Resource dependency assessment
16. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Breakeven point of risk reduction and cost
Personal firewall
Do with the information it collects
Stress testing
17. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Get senior management onboard
0-day vulnerabilities
Consensus on risks and controls
18. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Notifications and opt-out provisions
The database administrator
Alignment with business strategy
MAL wear
19. Occurs after the risk assessment process - it does not measure it.
The information security officer
Protective switch covers
Countermeasure cost-benefit analysis
Use of security metrics
20. Awareness - training and physical security defenses.
Examples of containment defenses
Role-based access control
Cracker
Annual loss expectancy (ALE)calculations
21. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Access control matrix
Security baselines
Risk assessment - evaluation and impact analysis
Annually or whenever there is a significant change
22. A repository of historical data organized by subject to support decision makers in the org
Security awareness training for all employees
include security responsibilities in a job description
Properly aligned with business goals and objectives
Data warehouse
23. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Gain unauthorized access to applications
Exceptions to policy
Risk assessment - evaluation and impact analysis
Data owners
24. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Identify the vulnerable systems and apply compensating controls
include security responsibilities in a job description
Its ability to reduce or eliminate business risks
Security awareness training for all employees
25. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Transferred risk
Properly aligned with business goals and objectives
Classification of assets needs
Risk appetite
26. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Security awareness training for all employees
Decentralization
Power surge/over voltage (spike)
Defining and ratifying the classification structure of information assets
27. A risk assessment should be conducted _________________.
Risk management and the requirements of the organization
Knowledge management
Annually or whenever there is a significant change
The authentication process is broken
28. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Information contained on the equipment
Audit objectives
Increase business value and confidence
Process of introducing changes to systems
29. A method for analyzing and reducing a relational database to its most streamlined form
Alignment with business strategy
Prioritization
Personal firewall
Normalization
30. Accesses a computer or network illegally
Hacker
Continuous monitoring control initiatives
Cracker
Comparison of cost of achievement
31. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Information security manager
Methodology used in the assessment
Total cost of ownership (TCO)
Aligned with organizational goals
32. Uses security metrics to measure the performance of the information security program.
Worm
Information security manager
Penetration testing
Prioritization
33. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Reduce risk to an acceptable level
Public key infrastructure (PKI)
Inherent risk
34. A notice that guarantees a user or a web site is legitimate
Inherent risk
Digital certificate
Malicious software and spyware
Compliance with the organization's information security requirements
35. Carries out the technical administration.
The board of directors and senior management
The database administrator
Malicious software and spyware
Knowledge management
36. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Knowledge management
Spoofing attacks
Biometric access control systems
Equal error rate (EER)
37. S small warehouse - designed for the end-user needs in a strategic business unit
Virus
Data mart
Data isolation
Attributes and characteristics of the 'desired state'
38. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Identify the vulnerable systems and apply compensating controls
Residual risk
Calculating the value of the information or asset
Patch management
39. Involves the correction of software weaknesses and would necessarily follow change management procedures.
The balanced scorecard
Patch management
Tailgating
The information security officer
40. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Risk assessment - evaluation and impact analysis
Creation of a business continuity plan
Aligned with organizational goals
Properly aligned with business goals and objectives
41. Risk should be reduced to a level that an organization _____________.
Cyber terrorist
Is willing to accept
Negotiating a local version of the organization standards
Continuous analysis - monitoring and feedback
42. The PRIMARY goal in developing an information security strategy is to: _________________________.
Assess the risks to the business operation
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Encryption
Support the business objectives of the organization
43. Someone who accesses a computer or network illegally
Worm
Prioritization
Exceptions to policy
Hacker
44. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Security baselines
Control effectiveness
Regulatory compliance
Its ability to reduce or eliminate business risks
45. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
BIA (Business Impact Assessment
Certificate authority (CA)
Nondisclosure agreement (NDA)
Strategic alignment of security with business objectives
46. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Certificate authority (CA)
Gain unauthorized access to applications
Data isolation
47. Should be a standard requirement for the service provider.
Confidentiality
Spoofing attacks
What happened and how the breach was resolved
Background check
48. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Encryption key management
Rule-based access control
Increase business value and confidence
49. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Audit objectives
Stress testing
Countermeasure cost-benefit analysis
Safeguards over keys
50. Company or person you believe will not send a virus-infect file knowingly
Regulatory compliance
Defined objectives
Trusted source
Normalization
