Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Programs that act without a user's knowledge and deliberately alter a computer's operations
Aligned with organizational goals
Equal error rate (EER)
Compliance with the organization's information security requirements
Malware
2. Has full responsibility over data.
Threat assessment
Fault-tolerant computer
Return on security investment (ROSI)
The data owner
3. Focuses on identifying vulnerabilities.
Patch management
Penetration testing
Digital signatures
Centralized structure
4. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Threat assessment
Security baselines
Malicious software and spyware
Developing an information security baseline
5. Has to be integrated into the requirements of every software application's design.
Encryption key management
Deeper level of analysis
Safeguards over keys
People
6. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Information security manager
Single sign-on (SSO) product
What happened and how the breach was resolved
Decentralization
7. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
include security responsibilities in a job description
Trojan horse
Protective switch covers
Spoofing attacks
8. The primary role of the information security manager in the process of information classification within the organization.
Exceptions to policy
Defining and ratifying the classification structure of information assets
Rule-based access control
Centralization of information security management
9. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Regulatory compliance
Data warehouse
The database administrator
Control risk
10. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Calculating the value of the information or asset
The awareness and agreement of the data subjects
Threat assessment
Strategic alignment of security with business objectives
11. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Worm
Regular review of access control lists
Calculating the value of the information or asset
Developing an information security baseline
12. Utility program that detects and protects a personal computer from unauthorized intrusions
Patch management
Personal firewall
Risk appetite
Reduce risk to an acceptable level
13. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Performing a risk assessment
Continuous analysis - monitoring and feedback
Safeguards over keys
Script kiddie
14. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
Worm
Biometric access control systems
Negotiating a local version of the organization standards
15. A key indicator of performance measurement.
Encryption
Gain unauthorized access to applications
Strategic alignment of security with business objectives
Properly aligned with business goals and objectives
16. When defining the information classification policy - the ___________________ need to be identified.
Exceptions to policy
Requirements of the data owners
Defined objectives
Trusted source
17. Risk should be reduced to a level that an organization _____________.
IP address packet filtering
Is willing to accept
Phishing
Overall organizational structure
18. Provides process needs but not impact.
Methodology used in the assessment
Resource dependency assessment
Encryption of the hard disks
Penetration testing
19. Successful risk management should lead to a ________________.
Classification of assets needs
Safeguards over keys
Breakeven point of risk reduction and cost
The balanced scorecard
20. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
Data warehouse
Multinational organization
Gain unauthorized access to applications
21. A process that helps organizations manipulate important knowledge that is part of the organization's memory.
Biometric access control systems
Audit objectives
Fault-tolerant computer
Knowledge management
22. Useful but only with regard to specific technical skills.
Annual loss expectancy (ALE) calculations
Proficiency testing
Patch management
Threat assessment
23. Occurs when the incoming level
Single sign-on (SSO) product
Power surge/over voltage (spike)
Role-based policy
Applying the proper classification to the data
24. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Cross-site scripting attacks
Comparison of cost of achievement
Conduct a risk assessment
Certificate authority (CA)
25. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Defining high-level business security requirements
Business case development
The information security officer
Alignment with business strategy
26. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Business case development
Return on security investment (ROSI)
Alignment with business strategy
Consensus on risks and controls
27. Provides the most effective protection of data on mobile devices.
Defining high-level business security requirements
Single sign-on (SSO) product
Gap analysis
Encryption
28. The best strategy for risk management is to ___________________ as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Asset classification
Certificate authority (CA)
Reduce risk to an acceptable level
Rule-based access control
29. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
30. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
Compliance with the organization's information security requirements
Role-based policy
Knowledge management
31. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Breakeven point of risk reduction and cost
Cryptographic secure sockets layer (SSL) implementations and short key lengths
The board of directors and senior management
Tie security risks to key business objectives
32. A risk assessment should be conducted _________________.
Prioritization
Protective switch covers
Annually or whenever there is a significant change
Inherent risk
33. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Power surge/over voltage (spike)
Regulatory compliance
Acceptable use policies
Residual risk
34. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Defining high-level business security requirements
Resource dependency assessment
Defined objectives
Process of introducing changes to systems
35. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Inherent risk
Tailgating
Information contained on the equipment
People
36. Only valid if assets have first been identified and appropriately valued.
Patch management
Overall organizational structure
Information contained on the equipment
Annual loss expectancy (ALE) calculations
37. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Background checks of prospective employees
Biometric access control systems
Compliance with the organization's information security requirements
38. When the ________________ is more than the cost of the risk - the risk should be accepted.
Skills inventory
Script kiddie
Cost of control
Information contained on the equipment
39. To identify known vulnerabilities based on common misconfigurations and missing updates.
What happened and how the breach was resolved
SWOT analysis
A network vulnerability assessment
Vulnerability assessment
40. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Examples of containment defenses
Identify the relevant systems and processes
Worm
Protective switch covers
41. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Spoofing attacks
Identify the relevant systems and processes
Transferred risk
Its ability to reduce or eliminate business risks
42. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
SWOT analysis
Role-based policy
Threat assessment
Requirements of the data owners
43. Should be determined from the risk assessment results.
Audit objectives
Breakeven point of risk reduction and cost
Virus
Its ability to reduce or eliminate business risks
44. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Personal firewall
Notifications and opt-out provisions
Role-based access control
People
45. A function of the session keys distributed by the PKI.
Confidentiality
Protective switch covers
The balanced scorecard
Power surge/over voltage (spike)
46. Most effective for evaluating the degree to which information security objectives are being met.
Internal risk assessment
Centralized structure
Protective switch covers
The balanced scorecard
47. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Access control matrix
Lack of change management
Creation of a business continuity plan
Waterfall chart
48. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Waterfall chart
Process of introducing changes to systems
All personnel
Data mart
49. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results, such as impact from a security incident and required response times.
BIA (Business Impact Assessment)
Overall organizational structure
Spoofing attacks
Certificate authority (CA)
50. Would protect against spoofing an internal address but would not provide strong authentication.
IP address packet filtering
Normalization
Use of security metrics
Encryption of the hard disks