Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Risk management and the requirements of the organization
Digital certificate
Control risk
Cost of control
2. It is more efficient to establish a ___________________ for locations that must meet specific requirements.
Continuous monitoring control initiatives
Service level agreements (SLAs)
Support the business objectives of the organization
Baseline standard and then develop additional standards
3. Identification and _______________ of business risk enables project managers to address areas with most significance.
Digital signatures
Hacker
Prioritization
People
4. Security design flaws require a ____________________.
Decentralization
Digital certificate
Deeper level of analysis
Penetration testing
5. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Exceptions to policy
The data custodian
Impractical and is often cost-prohibitive
Total cost of ownership (TCO)
6. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Baseline standard and then develop additional standards
Knowledge management
Centralization of information security management
Access control matrix
7. Provide metrics to which outsourcing firms can be held accountable.
Risk assessment - evaluation and impact analysis
Use of security metrics
Transferred risk
Service level agreements (SLAs)
8. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Cyber extortionist
Applying the proper classification to the data
Data classification
9. Someone who accesses a computer or network illegally
The board of directors and senior management
Hacker
Prioritization
Data owners
10. Responsible for securing the information.
The data custodian
Logon banners
Access control matrix
Identify the relevant systems and processes
11. Inject malformed input.
Centralization of information security management
Information security manager
Cross-site scripting attacks
Impractical and is often cost-prohibitive
12. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Performing a risk assessment
Patch management
Cryptographic secure sockets layer (SSL) implementations and short key lengths
The data custodian
13. To identify known vulnerabilities based on common misconfigurations and missing updates.
Knowledge management
A network vulnerability assessment
The awareness and agreement of the data subjects
Transferred risk
14. It is easier to manage and control a _________________.
Centralized structure
The balanced scorecard
Acceptable use policies
Deeper level of analysis
15. When the ________________ is more than the cost of the risk - the risk should be accepted.
Risk assessment - evaluation and impact analysis
Protective switch covers
Cost of control
The authentication process is broken
16. Should be a standard requirement for the service provider.
Support the business objectives of the organization
Waterfall chart
Background check
Threat assessment
17. An information security manager has to impress upon the human resources department the need for _____________________.
Data mart
Script kiddie
Security awareness training for all employees
Data classification
18. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Identify the relevant systems and processes
Its ability to reduce or eliminate business risks
Countermeasure cost-benefit analysis
Resource dependency assessment
19. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Detection defenses
Calculating the value of the information or asset
Proficiency testing
Reduce risk to an acceptable level
20. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Worm
Role-based policy
Confidentiality
Process of introducing changes to systems
21. A notice that guarantees a user or a web site is legitimate
Digital certificate
Worm
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Reduce risk to an acceptable level
22. The job of the information security officer on a management team is to ___________________.
Worm
Role-based access control
Total cost of ownership (TCO)
Assess the risks to the business operation
23. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Return on security investment (ROSI)
Transmit e-mail messages
Properly aligned with business goals and objectives
Spoofing attacks
24. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Data owners
Countermeasure cost-benefit analysis
Vulnerability assessment
People
25. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Security code reviews for the entire software application
Gap analysis
Cost of control
Risk appetite
26. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Breakeven point of risk reduction and cost
Residual risk would be reduced by a greater amount
Centralization of information security management
Comparison of cost of achievement
27. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Retention of business records
Regular review of access control lists
Hacker
The data owner
28. By definition are not previously known and therefore are undetectable.
Increase business value and confidence
Requirements of the data owners
0-day vulnerabilities
Security code reviews for the entire software application
29. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Owner of the information asset
Is willing to accept
Confidentiality
30. Occurs when the incoming level
Encryption
Access control matrix
Transmit e-mail messages
Power surge/over voltage (spike)
31. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Phishing
Applying the proper classification to the data
Skills inventory
Gap analysis
32. Information security governance models are highly dependent on the _____________________.
The awareness and agreement of the data subjects
Deeper level of analysis
Overall organizational structure
All personnel
33. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Comparison of cost of achievement
Background checks of prospective employees
Identify the relevant systems and processes
The data custodian
34. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
Power surge/over voltage (spike)
Control effectiveness
Encryption
35. Awareness - training and physical security defenses.
Include security responsibilities in a job description
Deeper level of analysis
Examples of containment defenses
Comparison of cost of achievement
36. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Encryption
Transmit e-mail messages
Encryption key management
Nondisclosure agreement (NDA)
37. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Service level agreements (SLAs)
Business case development
Conduct a risk assessment
Safeguards over keys
38. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Multinational organization
Patch management process
The data custodian
Classification of assets needs
39. When defining the information classification policy - the ___________________ need to be identified.
A network vulnerability assessment
Platform security - intrusion detection and antivirus controls
Requirements of the data owners
Lack of change management
40. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Security code reviews for the entire software application
Aligned with organizational goals
Patch management
Information contained on the equipment
41. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Baseline standard and then develop additional standards
Cost of control
Centralized structure
42. Applications cannot access data associated with other apps
Data warehouse
Methodology used in the assessment
Data isolation
Malicious software and spyware
43. A repository of historical data organized by subject to support decision makers in the organization
Biometric access control systems
Logon banners
Data warehouse
Notifications and opt-out provisions
44. A small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Classification of assets needs
A network vulnerability assessment
Security awareness training for all employees
45. BEST option to improve accountability for a system administrator is to _____________________.
Include security responsibilities in a job description
Cost of control
Spoofing attacks
Malware
46. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Service level agreements (SLAs)
Risk assessment - evaluation and impact analysis
Protective switch covers
Defining high-level business security requirements
47. Should PRIMARILY be based on regulatory and legal requirements.
Properly aligned with business goals and objectives
Data isolation
Retention of business records
Information security manager
48. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
People
Residual risk
Risk management and the requirements of the organization
Platform security - intrusion detection and antivirus controls
49. Reducing risk to a level too small to measure is _______________.
Compliance with the organization's information security requirements
Audit objectives
Acceptable use policies
Impractical and is often cost-prohibitive
50. Needs to define the access rules - which is troublesome and error prone in large organizations.
SWOT analysis
Service level agreements (SLAs)
Rule-based access control
Security awareness training for all employees