Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Trusted source
Rule-based access control
Control effectiveness

2. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Decentralization
Risk appetite
Patch management
Defining and ratifying the classification structure of information assets

3. The MOST useful way to describe the objectives in the information security strategy is through ______________________.

4. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Spoofing attacks
Calculating the value of the information or asset
Continuous analysis - monitoring and feedback
Deeper level of analysis

5. Only valid if assets have first been identified and appropriately valued.
Methodology used in the assessment
Role-based policy
Annual loss expectancy (ALE)calculations
Power surge/over voltage (spike)

6. Provides strong online authentication.
Methodology used in the assessment
Public key infrastructure (PKI)
Centralized structure
Patch management

7. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Key controls
Logon banners
Transmit e-mail messages
Risk appetite

8. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Gap analysis
Cross-site scripting attacks
Regulatory compliance

9. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Performing a risk assessment
BIA (Business Impact Assessment
Stress testing
Requirements of the data owners

10. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Developing an information security baseline
Vulnerability assessment
Personal firewall
Breakeven point of risk reduction and cost

11. Identification and _______________ of business risk enables project managers to address areas with most significance.
Monitoring processes
Role-based policy
Malicious software and spyware
Prioritization

12. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Assess the risks to the business operation
Penetration testing
A network vulnerability assessment
Data classification

13. Someone who accesses a computer or network illegally
Normalization
Platform security - intrusion detection and antivirus controls
Hacker
Worm

14. The data owner is responsible for _______________________.
Script kiddie
Compliance with the organization's information security requirements
Two-factor authentication
Applying the proper classification to the data

15. Has to be integrated into the requirements of every software application's design.
Encryption key management
Its ability to reduce or eliminate business risks
Resource dependency assessment
Identify the vulnerable systems and apply compensating controls

16. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Risk management and the requirements of the organization
Digital signatures
Spoofing attacks

17. Cannot be minimized
Decentralization
Malicious software and spyware
Inherent risk
Owner of the information asset

18. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Identify the vulnerable systems and apply compensating controls
Process of introducing changes to systems
IP address packet filtering
People

19. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Monitoring processes
Use of security metrics
Waterfall chart
Alignment with business strategy

20. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
Decentralization
Virus detection
Background checks of prospective employees

21. Program that hides within or looks like a legit program
Continuous analysis - monitoring and feedback
Resource dependency assessment
Data warehouse
Trojan horse

22. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
0-day vulnerabilities
OBusiness case development
Conduct a risk assessment
Spoofing attacks

23. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Residual risk
Centralization of information security management
Creation of a business continuity plan
Cyber extortionist

24. Awareness - training and physical security defenses.
Data warehouse
Examples of containment defenses
Attributes and characteristics of the 'desired state'
Notifications and opt-out provisions

25. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Control risk
include security responsibilities in a job description
Regular review of access control lists
Security code reviews for the entire software application

26. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Residual risk
Transmit e-mail messages
Continuous monitoring control initiatives
Impractical and is often cost-prohibitive

27. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Detection defenses
Biometric access control systems
Transmit e-mail messages
Creation of a business continuity plan

28. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
Creation of a business continuity plan
Assess the risks to the business operation
Security awareness training for all employees

29. Provides process needs but not impact.
Resource dependency assessment
Negotiating a local version of the organization standards
The database administrator
Process of introducing changes to systems

30. Most effective for evaluating the degree to which information security objectives are being met.
Get senior management onboard
Transferred risk
The balanced scorecard
Normalization

31. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Inherent risk
Phishing
Equal error rate (EER)
Aligned with organizational goals

32. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Penetration testing
Impractical and is often cost-prohibitive
Reduce risk to an acceptable level

33. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Performing a risk assessment
Detection defenses
0-day vulnerabilities
Equal error rate (EER)

34. A method for analyzing and reducing a relational database to its most streamlined form
Aligned with organizational goals
Reduce risk to an acceptable level
Virus
Normalization

35. Has full responsibility over data.
Notifications and opt-out provisions
The data owner
Role-based policy
The information security officer

36. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Platform security - intrusion detection and antivirus controls
BIA (Business Impact Assessment
Encryption of the hard disks

37. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Multinational organization
Personal firewall
Get senior management onboard
Alignment with business strategy

38. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Undervoltage (brownout)
Key risk indicator (KRI) setup
Rule-based access control
Trusted source

39. Whenever personal data are transferred across national boundaries; ________________________ are required.
The awareness and agreement of the data subjects
Do with the information it collects
Comparison of cost of achievement
Return on security investment (ROSI)

40. Utility program that detects and protects a personal computer from unauthorized intrusions
Negotiating a local version of the organization standards
Key risk indicator (KRI) setup
Multinational organization
Personal firewall

41. Computer that has duplicate components so it can continue to operate when one of its main components fail
include security responsibilities in a job description
Fault-tolerant computer
Data classification
Information contained on the equipment

42. Risk should be reduced to a level that an organization _____________.
Detection defenses
Is willing to accept
Tailgating
Transferred risk

43. The most important characteristic of good security policies is that they be ____________________.
Calculating the value of the information or asset
Audit objectives
Applying the proper classification to the data
Aligned with organizational goals

44. An information security manager has to impress upon the human resources department the need for _____________________.
Security risk
Service level agreements (SLAs)
Security awareness training for all employees
Developing an information security baseline

45. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Tailgating
Virus
Creation of a business continuity plan

46. Someone who uses the internet or network to destroy or damage computers for political reasons
Cyber terrorist
Transferred risk
Requirements of the data owners
Hacker

47. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Total cost of ownership (TCO)
Internal risk assessment
The information security officer

48. Should be a standard requirement for the service provider.
Background check
Baseline standard and then develop additional standards
Defining high-level business security requirements
Alignment with business strategy

49. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Security awareness training for all employees
Cross-site scripting attacks
Regulatory compliance

50. A Successful risk management should lead to a ________________.
Overall organizational structure
Breakeven point of risk reduction and cost
Compliance with the organization's information security requirements
Defining high-level business security requirements