Test your basic knowledge |

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Responsible for securing the information.






2. Provide metrics to which outsourcing firms can be held accountable.






3. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.






4. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.






5. Uses security metrics to measure the performance of the information security program.






6. Company or person you believe will not send a virus-infect file knowingly






7. Computer that has duplicate components so it can continue to operate when one of its main components fail






8. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.






9. Used to understand the flow of one process into another.






10. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but






11. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.






12. Provides strong online authentication.






13. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process






14. Accesses a computer or network illegally






15. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.






16. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.






17. Inject malformed input.






18. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.






19. Provides process needs but not impact.






20. New security ulnerabilities should be managed through a ________________.






21. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.






22. Culture has a significant impact on how information security will be implemented in a ______________________.






23. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.






24. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.






25. When defining the information classification policy - the ___________________ need to be identified.






26. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.






27. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.






28. It is easier to manage and control a _________________.






29. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree






30. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.






31. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.






32. The information security manager needs to prioritize the controls based on ________________________.






33. Normally addressed through antivirus and antispyware policies.






34. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.






35. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.






36. The MOST important element of an information security strategy.






37. By definition are not previously known and therefore are undetectable.






38. The data owner is responsible for _______________________.






39. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.






40. Program that hides within or looks like a legit program






41. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.






42. Information security governance models are highly dependent on the _____________________.






43. Has full responsibility over data.






44. The most important characteristic of good security policies is that they be ____________________.






45. S small warehouse - designed for the end-user needs in a strategic business unit






46. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.






47. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.






48. BEST option to improve accountability for a system administrator is to _____________________.






49. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.






50. Carries out the technical administration.