Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Lack of change management
Stress testing
All personnel
Classification of assets needs
2. Should be a standard requirement for the service provider.
Tie security risks to key business objectives
Background check
Breakeven point of risk reduction and cost
Hacker
3. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Use of security metrics
Rule-based access control
Notifications and opt-out provisions
4. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
0-day vulnerabilities
Data mart
Do with the information it collects
Strategic alignment of security with business objectives
5. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
The data custodian
Role-based policy
Data isolation
Cost of control
6. Focuses on identifying vulnerabilities.
Virus detection
Worm
Penetration testing
Certificate authority (CA)
7. A repository of historical data organized by subject to support decision makers in the organization.
Background check
Proficiency testing
Single sign-on (SSO) product
Data warehouse
8. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
Cross-site scripting attacks
Is willing to accept
Cost of control
9. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
Transferred risk
0-day vulnerabilities
Tailgating
10. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
The board of directors and senior management
Owner of the information asset
Process of introducing changes to systems
Personal firewall
11. Programs that act without a user's knowledge and deliberately alter a computer's operations
Malware
Methodology used in the assessment
All personnel
Is willing to accept
12. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Audit objectives
Requirements of the data owners
Its ability to reduce or eliminate business risks
13. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
All personnel
Encryption of the hard disks
Key controls
Control effectiveness
14. Program that hides within or looks like a legitimate program.
Penetration testing
Trojan horse
Its ability to reduce or eliminate business risks
Transferred risk
15. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Centralized structure
Control risk
Developing an information security baseline
Business case development
16. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Increase business value and confidence
Consensus on risks and controls
Residual risk would be reduced by a greater amount
Regulatory compliance
17. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Background checks of prospective employees
Developing an information security baseline
Conduct a risk assessment
All personnel
18. Useful but only with regard to specific technical skills.
Creation of a business continuity plan
Defining high-level business security requirements
Proficiency testing
Encryption of the hard disks
19. Carries out the technical administration.
Cost of control
Nondisclosure agreement (NDA)
Inherent risk
The database administrator
20. Accesses a computer or network illegally
Classification of assets needs
Cracker
People
Properly aligned with business goals and objectives
21. Company or person you believe will not knowingly send a virus-infected file.
Well-defined roles and responsibilities
Defined objectives
Inherent risk
Trusted source
22. When the ________________ is more than the cost of the risk - the risk should be accepted.
Data owners
Waterfall chart
Exceptions to policy
Cost of control
23. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Include security responsibilities in a job description
Patch management
Virus
Platform security - intrusion detection and antivirus controls
24. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Residual risk would be reduced by a greater amount
Examples of containment defenses
Cracker
25. Oversees the overall classification management of the information.
Strategic alignment of security with business objectives
Cyber extortionist
Malicious software and spyware
The information security officer
26. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Requirements of the data owners
Power surge/over voltage (spike)
Business case development
27. Computer that has duplicate components so it can continue to operate when one of its main components fails.
Platform security - intrusion detection and antivirus controls
Fault-tolerant computer
Acceptable use policies
Support the business objectives of the organization
28. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Two-factor authentication
Monitoring processes
Inherent risk
Consensus on risks and controls
29. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Patch management
Identify the vulnerable systems and apply compensating controls
Encryption
Regular review of access control lists
30. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Encryption key management
Cyber terrorist
Centralization of information security management
Virus
31. Occurs when the electrical supply drops
Script kiddie
Undervoltage (brownout)
Defining and ratifying the classification structure of information assets
Background checks of prospective employees
32. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Is willing to accept
Multinational organization
Phishing
Security risk
33. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Negotiating a local version of the organization standards
Script kiddie
Safeguards over keys
Monitoring processes
34. Provides the most effective protection of data on mobile devices.
Applying the proper classification to the data
Background check
Security baselines
Encryption
35. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Gain unauthorized access to applications
The board of directors and senior management
Compliance with the organization's information security requirements
Requirements of the data owners
36. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Centralization of information security management
Public key infrastructure (PKI)
Performing a risk assessment
37. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Security baselines
Knowledge management
Audit objectives
People
38. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
Penetration testing
Classification of assets needs
Data isolation
39. Successful risk management should lead to a ________________.
Defining high-level business security requirements
Impractical and is often cost-prohibitive
Security code reviews for the entire software application
Breakeven point of risk reduction and cost
40. New security vulnerabilities should be managed through a ________________.
Phishing
Patch management process
Virus
Return on security investment (ROSI)
41. BEST option to improve accountability for a system administrator is to _____________________.
Vulnerability assessment
Acceptable use policies
Asset classification
Include security responsibilities in a job description
42. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Vulnerability assessment
Rule-based access control
Audit objectives
43. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Risk management and the requirements of the organization
Key risk indicator (KRI) setup
Baseline standard and then develop additional standards
Stress testing
44. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Applying the proper classification to the data
Protective switch covers
Total cost of ownership (TCO)
45. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Business case development
Stress testing
Background check
46. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Do with the information it collects
Alignment with business strategy
Properly aligned with business goals and objectives
Information contained on the equipment
47. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Penetration testing
People
Stress testing
Owner of the information asset
48. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
The data owner
Alignment with business strategy
Residual risk
Vulnerability assessment
49. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Key risk indicator (KRI) setup
Continuous analysis - monitoring and feedback
0-day vulnerabilities
Audit objectives
50. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Return on security investment (ROSI)
Risk appetite
Annual loss expectancy (ALE) calculations
What happened and how the breach was resolved