Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Centralization of information security management
Developing an information security baseline
Reduce risk to an acceptable level
Examples of containment defenses
2. The risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized.
Continuous monitoring control initiatives
Residual risk
All personnel
Applying the proper classification to the data
3. Only valid if assets have first been identified and appropriately valued.
Rule-based access control
Calculating the value of the information or asset
Annual loss expectancy (ALE) calculations
Stress testing
4. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Classification of assets needs
Tie security risks to key business objectives
0-day vulnerabilities
Annual loss expectancy (ALE) calculations
5. Company or person you believe will not knowingly send a virus-infected file
Trusted source
Overall organizational structure
Centralization of information security management
Gain unauthorized access to applications
6. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Data mart
Retention of business records
Increase business value and confidence
Cyber extortionist
7. By definition are not previously known and therefore are undetectable.
Worm
Assess the risks to the business operation
0-day vulnerabilities
Cracker
8. The PRIMARY goal in developing an information security strategy is to: _________________________.
Security risk
Spoofing attacks
Attributes and characteristics of the 'desired state'
Support the business objectives of the organization
9. Whenever personal data are transferred across national boundaries; ________________________ are required.
Methodology used in the assessment
The awareness and agreement of the data subjects
Performing a risk assessment
Skills inventory
10. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Classification of assets needs
Detection defenses
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Acceptable use policies
11. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and it must be considered for the full life cycle of the control.
Key risk indicator (KRI) setup
Platform security - intrusion detection and antivirus controls
Total cost of ownership (TCO)
The balanced scorecard
12. A notice that guarantees a user or a web site is legitimate
Biometric access control systems
Data owners
Lack of change management
Digital certificate
13. Without _____________________, there cannot be accountability.
All personnel
Well-defined roles and responsibilities
Compliance with the organization's information security requirements
Role-based policy
14. Someone who accesses a computer or network illegally
Malicious software and spyware
Role-based policy
Hacker
Compliance with the organization's information security requirements
15. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Defined objectives
Continuous analysis, monitoring and feedback
Resource dependency assessment
16. Security design flaws require a ____________________.
Deeper level of analysis
Is willing to accept
Use of security metrics
Decentralization
17. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
The database administrator
Normalization
Security code reviews for the entire software application
Data owners
18. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Knowledge management
Skills inventory
Tailgating
19. New security vulnerabilities should be managed through a ________________.
Process of introducing changes to systems
Risk management and the requirements of the organization
Patch management process
Baseline standard and then develop additional standards
20. An effective tool, but primarily focuses on malicious code from external sources, and only for those applications that are online.
Undervoltage (brownout)
Digital signatures
Virus detection
Key risk indicator (KRI) setup
21. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.
The data custodian
Countermeasure cost-benefit analysis
Protective switch covers
Transmit e-mail messages
22. Primarily reduce risk and are most effective for the protection of information assets.
Script kiddie
Key controls
Spoofing attacks
Data owners
23. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
Inherent risk
Role-based policy
SWOT analysis
Centralization of information security management
24. Applications cannot access data associated with other apps
Logon banners
Data isolation
A network vulnerability assessment
Its ability to reduce or eliminate business risks
25. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Virus
Do with the information it collects
Creation of a business continuity plan
Centralization of information security management
26. A function of the session keys distributed by the PKI.
All personnel
Confidentiality
Fault-tolerant computer
Impractical and is often cost-prohibitive
27. Has full responsibility over data.
Aligned with organizational goals
Breakeven point of risk reduction and cost
The data owner
Phishing
28. Are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Background check
Residual risk
Continuous monitoring control initiatives
Well-defined roles and responsibilities
29. The information security manager needs to prioritize the controls based on ________________________.
Hacker
Risk management and the requirements of the organization
Digital signatures
Key risk indicator (KRI) setup
30. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Defining high-level business security requirements
Service level agreements (SLAs)
Negotiating a local version of the organization standards
Inherent risk
31. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Return on security investment (ROSI)
Annually or whenever there is a significant change
Platform security - intrusion detection and antivirus controls
Properly aligned with business goals and objectives
32. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Encryption of the hard disks
Fault-tolerant computer
Skills inventory
Identify the relevant systems and processes
33. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Knowledge management
Attributes and characteristics of the 'desired state'
Residual risk would be reduced by a greater amount
Personal firewall
34. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Digital certificate
Certificate authority (CA)
Prioritization
35. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Annual loss expectancy (ALE) calculations
Developing an information security baseline
Data mart
Phishing
36. Should be determined from the risk assessment results.
Use of security metrics
Regulatory compliance
Requirements of the data owners
Audit objectives
37. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations.
Lack of change management
Applying the proper classification to the data
Transferred risk
Residual risk
38. Occurs when the electrical supply drops
IP address packet filtering
Deeper level of analysis
Undervoltage (brownout)
Its ability to reduce or eliminate business risks
39. Because past performance is a strong predictor of future performance, _______________________ best prevents attacks from originating within an organization.
Deeper level of analysis
The board of directors and senior management
Properly aligned with business goals and objectives
Background checks of prospective employees
40. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability
Security code reviews for the entire software application
Centralized structure
Security risk
The balanced scorecard
41. When mobile equipment is lost or stolen, the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Data isolation
The board of directors and senior management
Return on security investment (ROSI)
42. The best measure for preventing the unauthorized disclosure of confidential information.
Examples of containment defenses
Alignment with business strategy
Acceptable use policies
Detection defenses
43. The BEST option to improve accountability for a system administrator is to _____________________.
Residual risk would be reduced by a greater amount
Include security responsibilities in a job description
Encryption
Its ability to reduce or eliminate business risks
44. Cannot be minimized
Patch management process
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Inherent risk
Control risk
45. It is more efficient to establish a ___________________ for locations that must meet specific requirements.
Methodology used in the assessment
Baseline standard and then develop additional standards
Examples of containment defenses
Acceptable use policies
46. Someone who uses the internet or network to destroy or damage computers for political reasons
Cyber terrorist
Consensus on risks and controls
Resource dependency assessment
Encryption
47. Also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law.
Requirements of the data owners
Decentralization
Monitoring processes
Normalization
48. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
Cyber extortionist
Confidentiality
Identify the relevant systems and processes
Baseline standard and then develop additional standards
49. Occurs after the risk assessment process; it does not measure it.
Cross-site scripting attacks
Use of security metrics
Penetration testing
Data classification
50. When defining the information classification policy - the ___________________ need to be identified.
Virus detection
Get senior management onboard
Requirements of the data owners
Deeper level of analysis