Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Regular review of access control lists
Consensus on risks and controls
Asset classification
The database administrator

2. Ensures that there are no scalability problems.
Residual risk
Patch management process
Cyber extortionist
Stress testing

3. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Single sign-on (SSO) product
Security code reviews for the entire software application
Exceptions to policy
Monitoring processes

4. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Monitoring processes
Information contained on the equipment
Comparison of cost of achievement
Process of introducing changes to systems

5. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
Asset classification
Key controls
0-day vulnerabilities

6. A Successful risk management should lead to a ________________.
Breakeven point of risk reduction and cost
Rule-based access control
Single sign-on (SSO) product
Support the business objectives of the organization

7. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Detection defenses
Calculating the value of the information or asset
Cost of control
Gap analysis

8. Accesses a computer or network illegally
IP address packet filtering
Certificate authority (CA)
Cracker
Retention of business records

9. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Cost of control
Background checks of prospective employees
Security risk
Control effectiveness

10. Ensure that transmitted information can be attributed to the named sender.
Its ability to reduce or eliminate business risks
The data owner
Public key infrastructure (PKI)
Digital signatures

11. A notice that guarantees a user or a web site is legitimate
Increase business value and confidence
Data mart
The data owner
Digital certificate

12. Normally addressed through antivirus and antispyware policies.
Key controls
0-day vulnerabilities
Trojan horse
Malicious software and spyware

13. A risk assessment should be conducted _________________.
Access control matrix
Audit objectives
Annually or whenever there is a significant change
Residual risk

14. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Performing a risk assessment
Vulnerability assessment
Trojan horse
Annually or whenever there is a significant change

15. Risk should be reduced to a level that an organization _____________.
Security awareness training for all employees
Security baselines
Is willing to accept
Access control matrix

16. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
The data owner
Prioritization
BIA (Business Impact Assessment
Defining and ratifying the classification structure of information assets

17. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Attributes and characteristics of the 'desired state'
Worm
Classification of assets needs
Annual loss expectancy (ALE)calculations

18. Carries out the technical administration.
Rule-based access control
Risk management and the requirements of the organization
The database administrator
Undervoltage (brownout)

19. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Data isolation
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Spoofing attacks
0-day vulnerabilities

20. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Developing an information security baseline
The database administrator
Worm
The balanced scorecard

21. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Residual risk
Data owners
Reduce risk to an acceptable level
SWOT analysis

22. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Personal firewall
Identify the relevant systems and processes
Strategic alignment of security with business objectives
Do with the information it collects

23. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Key controls
Developing an information security baseline
Encryption key management
Acceptable use policies

24. Whenever personal data are transferred across national boundaries; ________________________ are required.
The awareness and agreement of the data subjects
Nondisclosure agreement (NDA)
Biometric access control systems
Patch management process

25. Provide metrics to which outsourcing firms can be held accountable.
Requirements of the data owners
Service level agreements (SLAs)
Threat assessment
Security baselines

26. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Key controls
Increase business value and confidence
Centralization of information security management
The database administrator

27. The PRIMARY goal in developing an information security strategy is to: _________________________.
Patch management
Safeguards over keys
Well-defined roles and responsibilities
Support the business objectives of the organization

28. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Encryption
Classification of assets needs
Consensus on risks and controls
Virus

29. An information security manager has to impress upon the human resources department the need for _____________________.
Exceptions to policy
The authentication process is broken
Security awareness training for all employees
Audit objectives

30. The best measure for preventing the unauthorized disclosure of confidential information.
Annually or whenever there is a significant change
The awareness and agreement of the data subjects
Acceptable use policies
Certificate authority (CA)

31. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Key controls
Hacker
Breakeven point of risk reduction and cost

32. Useful but only with regard to specific technical skills.
Knowledge management
Proficiency testing
Is willing to accept
Regulatory compliance

33. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Creation of a business continuity plan
Well-defined roles and responsibilities
Service level agreements (SLAs)

34. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Requirements of the data owners
Do with the information it collects
Control effectiveness

35. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cyber extortionist
Equal error rate (EER)
A network vulnerability assessment
Fault-tolerant computer

36. Has full responsibility over data.
Phishing
The data owner
Aligned with organizational goals
Information contained on the equipment

37. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
SWOT analysis
Patch management
Normalization
Regular review of access control lists

38. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Access control matrix
SWOT analysis
Data mart
Defined objectives

39. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Service level agreements (SLAs)
Decentralization
Single sign-on (SSO) product
Threat assessment

40. Applications cannot access data associated with other apps
Virus
Overall organizational structure
Data isolation
Penetration testing

41. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Patch management
Do with the information it collects
MAL wear

42. Only valid if assets have first been identified and appropriately valued.
Equal error rate (EER)
Protective switch covers
The authentication process is broken
Annual loss expectancy (ALE)calculations

43. Uses security metrics to measure the performance of the information security program.
Information security manager
Classification of assets needs
Encryption key management
Vulnerability assessment

44. Would protect against spoofing an internal address but would not provide strong authentication.
Asset classification
Trusted source
The awareness and agreement of the data subjects
IP address packet filtering

45. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
Control effectiveness
Monitoring processes
Creation of a business continuity plan

46. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Transferred risk
People
A network vulnerability assessment
Script kiddie

47. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Nondisclosure agreement (NDA)
Cyber terrorist
Control risk
Risk assessment - evaluation and impact analysis

48. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Monitoring processes
SWOT analysis
Background checks of prospective employees
Identify the relevant systems and processes

49. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Access control matrix
Examples of containment defenses
Return on security investment (ROSI)
MAL wear

50. S small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Get senior management onboard
MAL wear
Power surge/over voltage (spike)