Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Cannot be minimized
Impractical and is often cost-prohibitive
Penetration testing
Baseline standard and then develop additional standards
Inherent risk
2. Responsible for securing the information.
Waterfall chart
The information security officer
People
The data custodian
3. The data owner is responsible for _______________________.
Encryption of the hard disks
Intrusion detection system (IDS)
Applying the proper classification to the data
Defining and ratifying the classification structure of information assets
4. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
Encryption of the hard disks
Data owners
Defining high-level business security requirements
5. A repository of historical data organized by subject to support decision makers in the org
Logon banners
The authentication process is broken
Patch management
Data warehouse
6. The PRIMARY goal in developing an information security strategy is to: _________________________.
Information contained on the equipment
Identify the relevant systems and processes
Regulatory compliance
Support the business objectives of the organization
7. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
8. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Reduce risk to an acceptable level
Rule-based access control
SWOT analysis
Proficiency testing
9. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Use of security metrics
Cracker
Alignment with business strategy
Do with the information it collects
10. New security vulnerabilities should be managed through a ________________.
The balanced scorecard
Spoofing attacks
Stress testing
Patch management process
11. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Support the business objectives of the organization
Developing an information security baseline
include security responsibilities in a job description
BIA (Business Impact Assessment)
12. Useful but only with regard to specific technical skills.
Annually or whenever there is a significant change
Regulatory compliance
Risk appetite
Proficiency testing
13. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Regulatory compliance
Comparison of cost of achievement
Gain unauthorized access to applications
Confidentiality
14. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Internal risk assessment
Breakeven point of risk reduction and cost
Single sign-on (SSO) product
Vulnerability assessment
15. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
The authentication process is broken
Increase business value and confidence
Audit objectives
Security awareness training for all employees
16. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Intrusion detection system (IDS)
A network vulnerability assessment
Security risk
Tie security risks to key business objectives
17. Oversees the overall classification management of the information.
Methodology used in the assessment
Control effectiveness
Normalization
The information security officer
18. Accesses a computer or network illegally
Alignment with business strategy
Cracker
Equal error rate (EER)
Cryptographic secure sockets layer (SSL) implementations and short key lengths
19. Primarily reduce risk and are most effective for the protection of information assets.
The authentication process is broken
Malicious software and spyware
Certificate authority (CA)
Key controls
20. Same intent as a cracker but does not have the technical skills and knowledge
Return on security investment (ROSI)
Retention of business records
Script kiddie
Data classification
21. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Audit objectives
Tie security risks to key business objectives
Role-based access control
22. Someone who uses email as a vehicle for extortion; sends the company threatening emails indicating they will expose confidential information - exploit a security launch - etc.
Cyber extortionist
Notifications and opt-out provisions
Public key infrastructure (PKI)
Performing a risk assessment
23. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Encryption of the hard disks
Two-factor authentication
0-day vulnerabilities
24. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Process of introducing changes to systems
Service level agreements (SLAs)
Patch management
Monitoring processes
25. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Proficiency testing
Security risk
Residual risk
Gap analysis
26. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Equal error rate (EER)
Fault-tolerant computer
Role-based policy
Public key infrastructure (PKI)
27. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Centralization of information security management
Risk appetite
Worm
Security code reviews for the entire software application
28. Occurs when the electrical supply drops
Access control matrix
Monitoring processes
Undervoltage (brownout)
Skills inventory
29. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Threat assessment
Applying the proper classification to the data
Well-defined roles and responsibilities
30. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Acceptable use policies
Risk appetite
Two-factor authentication
31. Has full responsibility over data.
Trojan horse
The data owner
Residual risk would be reduced by a greater amount
Multinational organization
32. The information security manager needs to prioritize the controls based on ________________________.
Encryption of the hard disks
Risk management and the requirements of the organization
Normalization
Tie security risks to key business objectives
33. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Centralization of information security management
Exceptions to policy
Owner of the information asset
Annual loss expectancy (ALE) calculations
34. Only valid if assets have first been identified and appropriately valued.
Comparison of cost of achievement
Detection defenses
Normalization
Annual loss expectancy (ALE) calculations
35. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Waterfall chart
Knowledge management
Get senior management onboard
Return on security investment (ROSI)
36. Occurs when the incoming level
Baseline standard and then develop additional standards
Power surge/over voltage (spike)
Platform security - intrusion detection and antivirus controls
Encryption key management
37. Whenever personal data are transferred across national boundaries; ________________________ are required.
The awareness and agreement of the data subjects
Baseline standard and then develop additional standards
Is willing to accept
Role-based policy
38. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Consensus on risks and controls
Do with the information it collects
Reduce risk to an acceptable level
Power surge/over voltage (spike)
39. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Consensus on risks and controls
Centralization of information security management
Cost of control
Cryptographic secure sockets layer (SSL) implementations and short key lengths
40. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Detection defenses
Creation of a business continuity plan
Logon banners
Background checks of prospective employees
41. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Data classification
Digital certificate
Certificate authority (CA)
42. Should be a standard requirement for the service provider.
Defining high-level business security requirements
The information security officer
Background check
Encryption key management
43. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Comparison of cost of achievement
Risk appetite
Requirements of the data owners
Cryptographic secure sockets layer (SSL) implementations and short key lengths
44. The primary role of the information security manager in the process of information classification within the organization.
Regulatory compliance
Defining and ratifying the classification structure of information assets
Background check
Patch management
45. A small warehouse - designed for the end-user needs in a strategic business unit
Stress testing
Data mart
Conduct a risk assessment
Annual loss expectancy (ALE) calculations
46. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
Normalization
Logon banners
Comparison of cost of achievement
47. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Phishing
Business case development
Retention of business records
Patch management
48. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Retention of business records
Skills inventory
Virus detection
Spoofing attacks
49. Should be performed to identify the risk and determine needed controls.
A network vulnerability assessment
Tie security risks to key business objectives
Cracker
Internal risk assessment
50. Risk should be reduced to a level that an organization _____________.
Is willing to accept
Nondisclosure agreement (NDA)
The database administrator
Negotiating a local version of the organization standards