Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Occurs when the incoming level
People
Undervoltage (brownout)
Power surge/over voltage (spike)
Data classification

2. When defining the information classification policy - the ___________________ need to be identified.
Threat assessment
Tailgating
Patch management process
Requirements of the data owners

3. Should be performed to identify the risk and determine needed controls.
Internal risk assessment
Well-defined roles and responsibilities
Support the business objectives of the organization
Data classification

4. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Developing an information security baseline
Undervoltage (brownout)
The data custodian
Asset classification

5. The most important characteristic of good security policies is that they be ____________________.
Aligned with organizational goals
Trojan horse
Detection defenses
MAL wear

6. A method for analyzing and reducing a relational database to its most streamlined form
SWOT analysis
The data custodian
Normalization
Lack of change management

7. Without _____________________ - there cannot be accountability.
Proficiency testing
Annually or whenever there is a significant change
Well-defined roles and responsibilities
Consensus on risks and controls

8. Has full responsibility over data.
Fault-tolerant computer
Return on security investment (ROSI)
The data owner
Confidentiality

9. Provide metrics to which outsourcing firms can be held accountable.
Penetration testing
Conduct a risk assessment
Service level agreements (SLAs)
Properly aligned with business goals and objectives

10. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Continuous analysis - monitoring and feedback
Two-factor authentication
Alignment with business strategy
Control risk

11. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Resource dependency assessment
Cyber terrorist
Is willing to accept

12. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Methodology used in the assessment
Tie security risks to key business objectives
0-day vulnerabilities
Data owners

13. Cannot be minimized
Inherent risk
Cryptographic secure sockets layer (SSL) implementations and short key lengths
0-day vulnerabilities
Exceptions to policy

14. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Security baselines
Information contained on the equipment
Aligned with organizational goals
Logon banners

15. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Defining high-level business security requirements
Penetration testing
Confidentiality

16. Needs to define the access rules - which is troublesome and error prone in large organizations.
Proficiency testing
Worm
Rule-based access control
Data owners

17. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Cracker
Continuous monitoring control initiatives
Malicious software and spyware
Patch management

18. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Cracker
Identify the vulnerable systems and apply compensating controls
Virus detection
Countermeasure cost-benefit analysis

19. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Comparison of cost of achievement
Developing an information security baseline
Lack of change management

20. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Service level agreements (SLAs)
Certificate authority (CA)
Normalization
Return on security investment (ROSI)

21. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Script kiddie
The board of directors and senior management
Its ability to reduce or eliminate business risks
Residual risk

22. S small warehouse - designed for the end-user needs in a strategic business unit
Virus
Data mart
Consensus on risks and controls
Background checks of prospective employees

23. Oversees the overall classification management of the information.
The information security officer
Role-based policy
Exceptions to policy
Certificate authority (CA)

24. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Trusted source
Control effectiveness
Creation of a business continuity plan
Virus

25. The PRIMARY goal in developing an information security strategy is to: _________________________.
Its ability to reduce or eliminate business risks
The information security officer
Requirements of the data owners
Support the business objectives of the organization

26. Used to understand the flow of one process into another.
Methodology used in the assessment
Key controls
Use of security metrics
Waterfall chart

27. A notice that guarantees a user or a web site is legitimate
Prioritization
Multinational organization
Digital certificate
Process of introducing changes to systems

28. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Owner of the information asset
Data classification
Penetration testing
Total cost of ownership (TCO)

29. Useful but only with regard to specific technical skills.
IP address packet filtering
Personal firewall
Proficiency testing
Attributes and characteristics of the 'desired state'

30. A function of the session keys distributed by the PKI.
Residual risk would be reduced by a greater amount
Detection defenses
Confidentiality
IP address packet filtering

31. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Cost of control
Monitoring processes
The awareness and agreement of the data subjects
Inherent risk

32. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Control effectiveness
Comparison of cost of achievement
Detection defenses
Negotiating a local version of the organization standards

33. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Stress testing
Safeguards over keys
Biometric access control systems

34. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Use of security metrics
Lack of change management
Annually or whenever there is a significant change

35. provides the most effective protection of data on mobile devices.
Internal risk assessment
Encryption
Gap analysis
Annual loss expectancy (ALE)calculations

36. Primarily reduce risk and are most effective for the protection of information assets.
Normalization
Transferred risk
Regular review of access control lists
Key controls

37. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Lack of change management
Risk management and the requirements of the organization
Vulnerability assessment
Data mart

38. A repository of historical data organized by subject to support decision makers in the org
Annual loss expectancy (ALE)calculations
Digital certificate
Data warehouse
Access control matrix

39. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
People
Patch management
Internal risk assessment
Comparison of cost of achievement

40. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Digital signatures
Gap analysis
Residual risk would be reduced by a greater amount
Confidentiality

41. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Control risk
Applying the proper classification to the data
Exceptions to policy
Security risk

42. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Protective switch covers
All personnel
Owner of the information asset

43. Company or person you believe will not send a virus-infect file knowingly
Trusted source
The board of directors and senior management
Creation of a business continuity plan
Its ability to reduce or eliminate business risks

44. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Negotiating a local version of the organization standards
Penetration testing
What happened and how the breach was resolved

45. Same intent as a cracker but does not have the technical skills and knowledge
Patch management
Return on security investment (ROSI)
Tie security risks to key business objectives
Script kiddie

46. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
Digital certificate
Deeper level of analysis
Encryption key management

47. Utility program that detects and protects a personal computer from unauthorized intrusions
Risk assessment - evaluation and impact analysis
Personal firewall
Knowledge management
Performing a risk assessment

48. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Information contained on the equipment
Exceptions to policy
Support the business objectives of the organization
Do with the information it collects

49. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Defining high-level business security requirements
Detection defenses
Control risk
Encryption

50. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Encryption key management
All personnel
Residual risk would be reduced by a greater amount
Two-factor authentication