Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times that the answers are obvious, but you will see that it reinforces your understanding as you take the test each time.
1. New security vulnerabilities should be managed through a ________________.
Single sign-on (SSO) product
Certificate authority (CA)
Total cost of ownership (TCO)
Patch management process
2. Whenever personal data are transferred across national boundaries, ________________________ are required.
Transferred risk
The awareness and agreement of the data subjects
Developing an information security baseline
Information contained on the equipment
3. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Data isolation
Residual risk
Defined objectives
Phishing
4. Has to be integrated into the requirements of every software application's design.
Baseline standard and then develop additional standards
Encryption key management
Role-based policy
Trusted source
5. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Single sign-on (SSO) product
Countermeasure cost-benefit analysis
Resource dependency assessment
IP address packet filtering
6. Occurs when the electrical supply drops
The information security officer
Undervoltage (brownout)
Risk assessment - evaluation and impact analysis
Role-based access control
7. Inject malformed input.
Worm
Notifications and opt-out provisions
Cross-site scripting attacks
The database administrator
8. Utility program that detects and protects a personal computer from unauthorized intrusions
Personal firewall
Key risk indicator (KRI) setup
Data owners
Transmit e-mail messages
9. Successful risk management should lead to a ________________.
Fault-tolerant computer
Virus
Rule-based access control
Breakeven point of risk reduction and cost
10. It is more efficient to establish a ___________________ for locations that must meet specific requirements.
Single sign-on (SSO) product
Vulnerability assessment
Security baselines
Baseline standard and then develop additional standards
11. The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Classification of assets needs
Get senior management onboard
Cyber extortionist
Total cost of ownership (TCO)
12. Program that copies itself repeatedly, using up resources and possibly shutting down the computer or network
Worm
The data custodian
Centralization of information security management
Compliance with the organization's information security requirements
13. Uses security metrics to measure the performance of the information security program.
Information security manager
Defining high-level business security requirements
Knowledge management
Tailgating
14. In biometric systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Inherent risk
Business case development
Safeguards over keys
15. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Platform security - intrusion detection and antivirus controls
Return on security investment (ROSI)
Business case development
Identify the vulnerable systems and apply compensating controls
16. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but
Control effectiveness
Key controls
Business case development
Gain unauthorized access to applications
17. Provide metrics to which outsourcing firms can be held accountable.
Requirements of the data owners
Service level agreements (SLAs)
Confidentiality
Owner of the information asset
18. Focuses on identifying vulnerabilities.
Penetration testing
Trusted source
Platform security - intrusion detection and antivirus controls
Power surge/over voltage (spike)
19. Applications cannot access data associated with other apps
Role-based access control
Defined objectives
Data isolation
Virus
20. It is important to achieve ____________________ and obtain inputs from various organizational entities, since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Continuous analysis - monitoring and feedback
Logon banners
Penetration testing
21. The data owner is responsible for _______________________.
The authentication process is broken
Annual loss expectancy (ALE) calculations
Applying the proper classification to the data
Its ability to reduce or eliminate business risks
22. The primary role of the information security manager in the process of information classification within the organization.
Worm
Defining and ratifying the classification structure of information assets
Support the business objectives of the organization
Creation of a business continuity plan
23. Should be determined from the risk assessment results.
Stress testing
Personal firewall
Audit objectives
Power surge/over voltage (spike)
24. Ensures that there are no scalability problems.
Trojan horse
Control effectiveness
Stress testing
The balanced scorecard
25. Has full responsibility over data.
Information security manager
Single sign-on (SSO) product
The data owner
Key risk indicator (KRI) setup
26. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Reduce risk to an acceptable level
Continuous analysis - monitoring and feedback
Multinational organization
Detection defenses
27. Company or person you believe will not knowingly send a virus-infected file
Do with the information it collects
Gap analysis
Trusted source
Total cost of ownership (TCO)
28. The first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal.
Patch management process
Get senior management onboard
Calculating the value of the information or asset
Consensus on risks and controls
29. When mobile equipment is lost or stolen, the ______________________ matters most in determining the impact of the loss.
Tailgating
Defining high-level business security requirements
Information contained on the equipment
Deeper level of analysis
30. The BEST option to improve accountability for a system administrator is to _____________________.
Conduct a risk assessment
Role-based access control
Encryption
Include security responsibilities in a job description
31. The PRIMARY goal in developing an information security strategy is to _________________________.
Personal firewall
People
Lack of change management
Support the business objectives of the organization
32. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
A network vulnerability assessment
Public key infrastructure (PKI)
Vulnerability assessment
33. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Centralization of information security management
Tie security risks to key business objectives
Logon banners
Information contained on the equipment
34. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Breakeven point of risk reduction and cost
Virus detection
Exceptions to policy
35. The best measure, which will involve reviewing the entire source code to detect all instances of back doors.
Patch management
Is willing to accept
Security code reviews for the entire software application
Properly aligned with business goals and objectives
36. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Single sign-on (SSO) product
The board of directors and senior management
Centralization of information security management
Identify the vulnerable systems and apply compensating controls
37. When considering the value of assets, ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance.
Impractical and is often cost-prohibitive
Comparison of cost of achievement
Inherent risk
The database administrator
38. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Resource dependency assessment
Data owners
Confidentiality
39. Needs to define the access rules, which is troublesome and error-prone in large organizations.
Return on security investment (ROSI)
The balanced scorecard
Rule-based access control
Knowledge management
40. Computer that has duplicate components so it can continue to operate when one of its main components fails
Residual risk
Fault-tolerant computer
The database administrator
Use of security metrics
41. The best measure for preventing the unauthorized disclosure of confidential information.
Phishing
Acceptable use policies
Internal risk assessment
Penetration testing
42. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
Total cost of ownership (TCO)
Script kiddie
Biometric access control systems
43. Provides process needs but not impact.
Use of security metrics
Resource dependency assessment
Tie security risks to key business objectives
Normalization
44. A method for analyzing and reducing a relational database to its most streamlined form
Examples of containment defenses
Normalization
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Risk management and the requirements of the organization
45. Accesses a computer or network illegally
Tailgating
Cracker
Continuous analysis - monitoring and feedback
Defined objectives
46. Will associate data access with the role performed by an individual, thus restricting access to the data required to perform the individual's tasks.
Continuous monitoring control initiatives
Role-based policy
Digital signatures
Performing a risk assessment
47. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Owner of the information asset
Deeper level of analysis
Spoofing attacks
Data warehouse
48. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Classification of assets needs
Retention of business records
Information contained on the equipment
Identify the vulnerable systems and apply compensating controls
49. Someone who uses email as a vehicle for extortion; sends companies threatening emails indicating they will expose confidential information, exploit security launch, etc.
Data isolation
The authentication process is broken
Cyber extortionist
Hacker
50. Without _____________________, there cannot be accountability.
Well-defined roles and responsibilities
Retention of business records
Patch management
Identify the vulnerable systems and apply compensating controls