Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times that the answers are obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
2. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and it must be considered for the full life cycle of the control.
3. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
4. Reducing risk to a level too small to measure is _______________.
5. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
6. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
7. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and the impact of the threat on that value.
8. The PRIMARY goal in developing an information security strategy is to: _________________________.
9. The MOST important component of a privacy policy is: Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are
10. Most effective for evaluating the degree to which information security objectives are being met.
11. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
12. The risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized.
13. Are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
14. Occurs when the electrical supply drops.
15. Utility program that detects and protects a personal computer from unauthorized intrusions.
16. When considering the value of assets, ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance.
17. Awareness, training and physical security defenses.
18. Culture has a significant impact on how information security will be implemented in a ______________________.
19. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information, exploit security launch, etc.
20. Because past performance is a strong predictor of future performance, _______________________ best prevents attacks from originating within an organization.
21. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures, but not in the prioritization.
22. Requires a process to verify that the control process worked as intended. Examples such as dual control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
23. When developing an information security program, _________________ would help identify the available resources, any gaps and the training requirements for developing resources.
24. Has to be integrated into the requirements of every software application's design.
25. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
26. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
27. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
28. The weakest link in security implementation, and awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and sensitized on various security policies and other security topics, thus e
29. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection for the asset.
30. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
31. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
32. By definition are not previously known and therefore are undetectable.
33. Cannot be minimized.
34. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee.
35. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process
36. Legal document to be signed by all employees, suppliers etc. before they 'touch' the organization, to protect the organization's intellectual property.
37. Programs that act without a user's knowledge and deliberately alter a computer's operations.
38. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
39. Carries out the technical administration.
40. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability.
41. A method for analyzing and reducing a relational database to its most streamlined form.
42. A trusted third party that attests to the identity of the signatory, and reliance will be a function of the level of trust afforded the CA.
43. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
44. Only valid if assets have first been identified and appropriately valued.
45. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
46. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
47. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations.
48. Uses security metrics to measure the performance of the information security program.
49. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
50. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.