Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions: Answer 50 questions in 15 minutes. If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Defined objectives
Information security manager
Impractical and is often cost-prohibitive
Owner of the information asset
2. Ensure that transmitted information can be attributed to the named sender.
Prioritization
Role-based access control
Digital signatures
Well-defined roles and responsibilities
3. The _____________________ is a severe omission and will greatly increase information security risk. It presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations.
Increase business value and confidence
Risk management and the requirements of the organization
Lack of change management
Data isolation
4. The most important characteristic of good security policies is that they be ____________________.
Cost of control
Centralization of information security management
Asset classification
Aligned with organizational goals
5. Whenever personal data are transferred across national boundaries, ________________________ are required.
Virus
Access control matrix
Key controls
The awareness and agreement of the data subjects
6. Risk should be reduced to a level that an organization _____________.
Is willing to accept
Key controls
Lack of change management
Patch management process
7. Used to understand the flow of one process into another.
Waterfall chart
Properly aligned with business goals and objectives
Intrusion detection system (IDS)
Knowledge management
8. Has to be integrated into the requirements of every software application's design.
Encryption
Encryption key management
Process of introducing changes to systems
Data warehouse
9. A method for analyzing and reducing a relational database to its most streamlined form
Normalization
Centralized structure
Platform security - intrusion detection and antivirus controls
Continuous analysis - monitoring and feedback
10. A notice that guarantees a user or a web site is legitimate
Digital certificate
Is willing to accept
The data custodian
Virus detection
11. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Security risk
Background checks of prospective employees
Annual loss expectancy (ALE) calculations
Conduct a risk assessment
12. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Waterfall chart
Residual risk
0-day vulnerabilities
Risk appetite
13. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Certificate authority (CA)
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Vulnerability assessment
The board of directors and senior management
14. The primary role of the information security manager in the process of information classification within the organization.
Defining and ratifying the classification structure of information assets
Undervoltage (brownout)
The board of directors and senior management
Reduce risk to an acceptable level
15. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures - but not in the prioritization.
Residual risk
Two-factor authentication
Creation of a business continuity plan
Cyber extortionist
16. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
IP address packet filtering
What happened and how the breach was resolved
BIA (Business Impact Assessment)
17. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
IP address packet filtering
Exceptions to policy
Single sign-on (SSO) product
Monitoring processes
18. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Certificate authority (CA)
The database administrator
People
Impractical and is often cost-prohibitive
19. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Data owners
Identify the relevant systems and processes
Detection defenses
Rule-based access control
20. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Examples of containment defenses
A network vulnerability assessment
Logon banners
21. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Patch management process
Control effectiveness
Developing an information security baseline
22. Most effective for evaluating the degree to which information security objectives are being met.
Gain unauthorized access to applications
Support the business objectives of the organization
The balanced scorecard
Data warehouse
23. Provides process needs but not impact.
Resource dependency assessment
Consensus on risks and controls
Stress testing
Identify the vulnerable systems and apply compensating controls
24. Cannot be minimized
Conduct a risk assessment
Power surge/overvoltage (spike)
Cost of control
Inherent risk
25. Occurs after the risk assessment process - it does not measure it.
Properly aligned with business goals and objectives
Key controls
Use of security metrics
Support the business objectives of the organization
26. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Residual risk would be reduced by a greater amount
Acceptable use policies
Access control matrix
27. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Protective switch covers
Process of introducing changes to systems
Information contained on the equipment
Creation of a business continuity plan
28. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
Detection defenses
Annually or whenever there is a significant change
Continuous monitoring control initiatives
29. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Cost of control
Data warehouse
Countermeasure cost-benefit analysis
Public key infrastructure (PKI)
30. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Consensus on risks and controls
Risk appetite
Security baselines
Methodology used in the assessment
31. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Annually or whenever there is a significant change
Tie security risks to key business objectives
Confidentiality
People
32. Should PRIMARILY be based on regulatory and legal requirements.
Creation of a business continuity plan
Consensus on risks and controls
Retention of business records
Risk assessment - evaluation and impact analysis
33. When defining the information classification policy - the ___________________ need to be identified.
Key risk indicator (KRI) setup
Requirements of the data owners
Control effectiveness
Patch management
34. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Role-based access control
Its ability to reduce or eliminate business risks
Gain unauthorized access to applications
Consensus on risks and controls
35. A function of the session keys distributed by the PKI.
Confidentiality
Role-based access control
Regulatory compliance
Reduce risk to an acceptable level
36. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Get senior management onboard
Monitoring processes
Identify the vulnerable systems and apply compensating controls
Patch management process
37. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Is willing to accept
Decentralization
Risk assessment - evaluation and impact analysis
38. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
39. A key indicator of performance measurement.
Trojan horse
Strategic alignment of security with business objectives
BIA (Business Impact Assessment)
Get senior management onboard
40. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Security risk
Data mart
Calculating the value of the information or asset
Centralized structure
41. Has full responsibility over data.
Decentralization
The data owner
Normalization
Safeguards over keys
42. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Vulnerability assessment
Safeguards over keys
Risk assessment - evaluation and impact analysis
Power surge/overvoltage (spike)
43. All within the responsibility of the information security manager.
Attributes and characteristics of the 'desired state'
Impractical and is often cost-prohibitive
Platform security - intrusion detection and antivirus controls
Nondisclosure agreement (NDA)
44. Should be a standard requirement for the service provider.
Background check
Continuous analysis - monitoring and feedback
Information contained on the equipment
Support the business objectives of the organization
45. Identification and _______________ of business risk enables project managers to address areas with most significance.
Prioritization
Notifications and opt-out provisions
Asset classification
IP address packet filtering
46. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Multinational organization
Script kiddie
Tie security risks to key business objectives
47. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Business case development
Role-based access control
Assess the risks to the business operation
The data custodian
48. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Security baselines
Virus
Identify the vulnerable systems and apply compensating controls
Annual loss expectancy (ALE) calculations
49. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
SWOT analysis
Security code reviews for the entire software application
Residual risk
50. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Overall organizational structure
Audit objectives
Internal risk assessment
The board of directors and senior management