Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The risk that remains after an effective risk management program has been put in place; acceptable risk is achieved when this remaining amount is reduced to a level the organization is willing to accept.






2. Provide metrics to which outsourcing firms can be held accountable.






3. Should PRIMARILY be based on regulatory and legal requirements.






4. A key indicator of performance measurement.






5. A risk assessment should be conducted _________________.






6. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process






7. Program that copies itself repeatedly, using up resources and possibly shutting down the computer or network.






8. It is important to achieve ____________________ and obtain inputs from various organizational entities, since security needs to be aligned to the needs of the organization.






9. Should be performed to identify the risk and determine needed controls.






10. The MOST important component of a privacy policy is _______________. Privacy policies are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are






11. Provides process needs but not impact.






12. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.






13. The best measure for preventing the unauthorized disclosure of confidential information.






14. Provide minimum recommended settings and do not prevent introduction of control weaknesses.






15. The most important characteristic of good security policies is that they be ____________________.






16. Involves the correction of software weaknesses and would necessarily follow change management procedures.






17. Requires a process to verify that the control process worked as intended. Examples such as dual control or double-entry bookkeeping provide verification and assurance that the process operated as intended.






18. Identification and _______________ of business risk enables project managers to address areas with most significance.






19. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.






20. Should be a standard requirement for the service provider.






21. An effective tool, but primarily focuses on malicious code from external sources, and only for those applications that are online.






22. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information.






23. An information security manager has to impress upon the human resources department the need for _____________________.






24. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.






25. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.






26. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.






27. The MAIN reason why _______________ is important to a successful information security program is that classification determines the appropriate level of protection for the asset.






28. It is easier to manage and control a _________________.






29. Are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.






30. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.






31. Utility program that detects and protects a personal computer from unauthorized intrusions.






32. All within the responsibility of the information security manager.






33. The MOST important element of an information security strategy.






34. When defining the information classification policy - the ___________________ need to be identified.






35. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.






36. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.






37. Will associate data access with the role performed by an individual, thus restricting access to the data required to perform the individual's tasks.






38. Carries out the technical administration.






39. Successful risk management should lead to a ________________.






40. The best measure and will involve reviewing the entire source code to detect all instances of back doors.






41. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.






42. Primarily reduce risk and are most effective for the protection of information assets.






43. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.






44. The BEST justification to convince management to invest in an information security program is that doing so would _________________.






45. Computer that has duplicate components so it can continue to operate when one of its main components fails.






46. Only valid if assets have first been identified and appropriately valued.






47. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works.






48. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.






49. While useful for identifying the difference between the current state and the desired future state (e.g., the organization has to comply with recently published industry regulatory requirements that potentially have high implementation costs),






50. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.