Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Two-factor authentication
Single sign-on (SSO) product
Role-based access control
Risk appetite

2. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Digital signatures
Attributes and characteristics of the 'desired state'
Monitoring processes
Virus detection

3. Programs that act without a user's knowledge and deliberately alter a computer's operations
Process of introducing changes to systems
MAL wear
Regulatory compliance
Penetration testing

4. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Risk management and the requirements of the organization
The balanced scorecard
Trojan horse
Do with the information it collects

5. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Compliance with the organization's information security requirements
Well-defined roles and responsibilities
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Phishing

6. Has to be integrated into the requirements of every software application's design.
Encryption key management
Creation of a business continuity plan
Prioritization
Examples of containment defenses

7. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
Centralization of information security management
Cyber terrorist
Identify the vulnerable systems and apply compensating controls

8. A method for analyzing and reducing a relational database to its most streamlined form
Normalization
Centralized structure
Digital signatures
Baseline standard and then develop additional standards

9. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Logon banners
Its ability to reduce or eliminate business risks
OBusiness case development
Role-based access control

10. Used to understand the flow of one process into another.
Creation of a business continuity plan
Waterfall chart
Proficiency testing
Platform security - intrusion detection and antivirus controls

11. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Logon banners
Continuous monitoring control initiatives
Security code reviews for the entire software application
Data warehouse

12. Carries out the technical administration.
The database administrator
Retention of business records
Resource dependency assessment
Requirements of the data owners

13. Normally addressed through antivirus and antispyware policies.
Cost of control
Get senior management onboard
Overall organizational structure
Malicious software and spyware

14. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Security awareness training for all employees
Transmit e-mail messages
Process of introducing changes to systems

15. Provides process needs but not impact.
Resource dependency assessment
Tie security risks to key business objectives
The data custodian
Conduct a risk assessment

16. Provide metrics to which outsourcing firms can be held accountable.
Residual risk
Regular review of access control lists
Increase business value and confidence
Service level agreements (SLAs)

17. By definition are not previously known and therefore are undetectable.
Annually or whenever there is a significant change
Skills inventory
0-day vulnerabilities
Control effectiveness

18. ecurity design flaws require a ____________________.
Decentralization
Defining high-level business security requirements
Background check
Deeper level of analysis

19. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Data isolation
Impractical and is often cost-prohibitive
Asset classification

20. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
A network vulnerability assessment
Multinational organization
Two-factor authentication

21. Ensure that transmitted information can be attributed to the named sender.
Equal error rate (EER)
Digital signatures
A network vulnerability assessment
Background checks of prospective employees

22. The most important characteristic of good security policies is that they be ____________________.
Continuous analysis - monitoring and feedback
Data mart
Aligned with organizational goals
Tie security risks to key business objectives

23. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Conduct a risk assessment
Defining high-level business security requirements
Fault-tolerant computer
Trojan horse

24. Someone who accesses a computer or network illegally
Security code reviews for the entire software application
Platform security - intrusion detection and antivirus controls
Hacker
Applying the proper classification to the data

25. Same intent as a cracker but does not have the technical skills and knowledge
Worm
People
Script kiddie
Centralized structure

26. Risk should be reduced to a level that an organization _____________.
Inherent risk
A network vulnerability assessment
Background check
Is willing to accept

27. Occurs when the electrical supply drops
Role-based policy
Lack of change management
Undervoltage (brownout)
The information security officer

28. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Undervoltage (brownout)
Lack of change management
Stress testing
Residual risk

29. Cannot be minimized
Digital certificate
Defined objectives
Waterfall chart
Inherent risk

30. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
The awareness and agreement of the data subjects
Consensus on risks and controls
Control risk
Assess the risks to the business operation

31. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Encryption
Protective switch covers
Encryption of the hard disks
Tailgating

32. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Platform security - intrusion detection and antivirus controls
Gap analysis
Decentralization
Single sign-on (SSO) product

33. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Hacker
Risk management and the requirements of the organization
MAL wear

34. Company or person you believe will not send a virus-infect file knowingly
Script kiddie
Trusted source
Lack of change management
Encryption of the hard disks

35. BEST option to improve accountability for a system administrator is to _____________________.
Alignment with business strategy
Malicious software and spyware
include security responsibilities in a job description
Risk assessment - evaluation and impact analysis

36. Uses security metrics to measure the performance of the information security program.
Resource dependency assessment
Information security manager
Residual risk
Audit objectives

37. Reducing risk to a level too small to measure is _______________.
BIA (Business Impact Assessment
Impractical and is often cost-prohibitive
Background checks of prospective employees
Continuous analysis - monitoring and feedback

38. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Waterfall chart
Breakeven point of risk reduction and cost
Data owners

39. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Certificate authority (CA)
Requirements of the data owners
Identify the relevant systems and processes
Data classification

40. S small warehouse - designed for the end-user needs in a strategic business unit
Trusted source
Data mart
Countermeasure cost-benefit analysis
Inherent risk

41. Needs to define the access rules - which is troublesome and error prone in large organizations.
Nondisclosure agreement (NDA)
Asset classification
Rule-based access control
Digital signatures

42. The MOST useful way to describe the objectives in the information security strategy is through ______________________.

Warning: Invalid argument supplied for foreach() in /var/www/html/basicversity.com/show_quiz.php on line 183

43. The data owner is responsible for _______________________.
Virus detection
The data owner
Applying the proper classification to the data
Acceptable use policies

44. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Annually or whenever there is a significant change
Power surge/over voltage (spike)
Notifications and opt-out provisions
The database administrator

45. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Encryption key management
Notifications and opt-out provisions
Data mart

46. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Defined objectives
Encryption of the hard disks
Data warehouse

47. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Annually or whenever there is a significant change
Centralization of information security management
Stress testing
Audit objectives

48. Information security governance models are highly dependent on the _____________________.
Audit objectives
Increase business value and confidence
Residual risk would be reduced by a greater amount
Overall organizational structure

49. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Overall organizational structure
Intrusion detection system (IDS)
Data owners
Impractical and is often cost-prohibitive

50. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Conduct a risk assessment
Internal risk assessment
Certificate authority (CA)
Single sign-on (SSO) product