Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The three wrong answers for each question are randomly chosen from answers to other questions, so you may sometimes find the answer obvious, but retaking the test reinforces your understanding.
1. All within the responsibility of the information security manager.
Requirements of the data owners
Platform security - intrusion detection and antivirus controls
Fault-tolerant computer
Data classification
2. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Defining and ratifying the classification structure of information assets
Spoofing attacks
Owner of the information asset
Comparison of cost of achievement
3. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Background check
Acceptable use policies
Information security manager
4. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Data classification
Stress testing
Conduct a risk assessment
Performing a risk assessment
5. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Waterfall chart
Role-based access control
Audit objectives
Continuous analysis - monitoring and feedback
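Added example, not part of the quiz: question 3 describes an application that returns any employee's account when the ID in the URL is changed, and question 5 (and question 39) describe role-based access control. The code below shows the flawed handler next to a hardened one that decides access from the authenticated session and the caller's role rather than from the URL. Everything here is hypothetical: the account data, the role names "employee" and "hr_admin", the permission names, and the handler functions are assumptions made for this illustration.

```python
"""Role-based access control plus an ownership check on a URL-supplied
employee ID (added example; the data, roles and permission names are
constructed for illustration and are not from the quiz)."""
from dataclasses import dataclass, field

# Constructed sample data: employee accounts keyed by employee ID.
ACCOUNTS = {
    1001: {"name": "A. Lee", "salary": 82000},
    1002: {"name": "B. Khan", "salary": 91000},
    2000: {"name": "C. Ruiz", "salary": 97000},
}

# RBAC: permissions hang off roles, never off individual users.
ROLE_PERMISSIONS = {
    "employee": {"view_own_account"},
    "hr_admin": {"view_own_account", "view_any_account"},
}


@dataclass
class Session:
    """The authenticated principal as established at login.
    Nothing in here comes from the request URL."""
    employee_id: int
    roles: set = field(default_factory=set)

    def has_permission(self, perm: str) -> bool:
        # A role the policy does not know about grants nothing.
        return any(perm in ROLE_PERMISSIONS.get(r, set()) for r in self.roles)


class Forbidden(Exception):
    pass


def vulnerable_view_account(session: Session, url_employee_id: int) -> dict:
    """The flaw from question 3: the handler trusts the ID in the URL and
    never asks whether the logged-in user may see that account."""
    return ACCOUNTS[url_employee_id]


def hardened_view_account(session: Session, url_employee_id: int) -> dict:
    """Authorization is decided from the session and the role policy.
    A user may view their own account; viewing anyone else's requires a
    role that grants view_any_account."""
    if url_employee_id == session.employee_id:
        if session.has_permission("view_own_account"):
            return ACCOUNTS[url_employee_id]
    elif session.has_permission("view_any_account"):
        return ACCOUNTS[url_employee_id]
    raise Forbidden(
        f"employee {session.employee_id} may not view account {url_employee_id}"
    )


def main() -> None:
    alice = Session(employee_id=1001, roles={"employee"})
    hr = Session(employee_id=2000, roles={"hr_admin"})
    # Alice edits the URL from ?employee_id=1001 to ?employee_id=1002.
    print("vulnerable:", vulnerable_view_account(alice, 1002))  # leaks B. Khan
    try:
        hardened_view_account(alice, 1002)
    except Forbidden as err:
        print("hardened:", err)
    print("hr_admin:", hardened_view_account(hr, 1002)["name"])


if __name__ == "__main__":
    main()
```

The important design point is that the hardened handler never reads identity from the URL; the URL only names the resource, and the decision about that resource is made from the session and the role-to-permission table.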
6. Utility program that detects and protects a personal computer from unauthorized intrusions
Regular review of access control lists
Patch management
Personal firewall
Control effectiveness
7. A trusted third party that attests to the identity of the signatory, and reliance will be a function of the level of trust afforded the CA.
Process of introducing changes to systems
Certificate authority (CA)
Transmit e-mail messages
Platform security - intrusion detection and antivirus controls
8. Normally addressed through antivirus and antispyware policies.
Malicious software and spyware
Fault-tolerant computer
Audit objectives
Exceptions to policy
9. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Knowledge management
Lack of change management
Residual risk would be reduced by a greater amount
Business case development
10. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Its ability to reduce or eliminate business risks
Certificate authority (CA)
Patch management
Get senior management onboard
11. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Strategic alignment of security with business objectives
Malicious software and spyware
Data isolation
12. Provides the most effective protection of data on mobile devices.
Total cost of ownership (TCO)
A network vulnerability assessment
Its ability to reduce or eliminate business risks
Encryption
13. Computer that has duplicate components so it can continue to operate when one of its main components fails
Safeguards over keys
Alignment with business strategy
Risk assessment - evaluation and impact analysis
Fault-tolerant computer
14. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Increase business value and confidence
Digital certificate
Security awareness training for all employees
15. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
Detection defenses
Logon banners
Is willing to accept
Centralization of information security management
16. Cannot be minimized
Negotiating a local version of the organization standards
Data classification
Increase business value and confidence
Inherent risk
17. Reducing risk to a level too small to measure is _______________.
Digital certificate
Role-based access control
Impractical and is often cost-prohibitive
Key controls
18. Successful risk management should lead to a ________________.
Impractical and is often cost-prohibitive
Breakeven point of risk reduction and cost
Encryption of the hard disks
The authentication process is broken
19. Identification and _______________ of business risk enables project managers to address areas with most significance.
Prioritization
Gain unauthorized access to applications
SWOT analysis
Script kiddie
20. The first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal.
Alignment with business strategy
Calculating the value of the information or asset
Identify the relevant systems and processes
Multinational organization
21. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Regular review of access control lists
Compliance with the organization's information security requirements
Reduce risk to an acceptable level
Logon banners
22. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results, such as impact from a security incident and required response times.
Examples of containment defenses
Business impact assessment (BIA)
Patch management
Control risk
23. Focuses on identifying vulnerabilities.
0-day vulnerabilities
Notifications and opt-out provisions
Safeguards over keys
Penetration testing
24. Are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (type I error rate), where the system will be more prone to err by denying access to a valid user, or erring and allowing
Biometric access control systems
Residual risk
Residual risk would be reduced by a greater amount
Resource dependency assessment
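Added example, not part of the quiz: question 24 says a biometric system is tuned by moving its sensitivity threshold, trading the false reject rate (type I error) against the false accept rate (type II error). The code below makes that trade-off concrete. The match scores are constructed for illustration; in practice they would be collected from enrolled users (genuine attempts) and from other people presenting to the sensor (impostor attempts). The function names and the "score >= threshold means accept" convention are assumptions of this example.

```python
"""Threshold tuning for a biometric matcher: FRR (type I) versus FAR
(type II). Added example; the scores below are constructed, not measured."""

# Constructed similarity scores in [0, 1]. Higher means a closer match.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.41, 0.46, 0.52, 0.58, 0.63, 0.71]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) when an attempt is accepted iff score >= threshold.

    FRR (type I):  fraction of genuine users wrongly rejected.
    FAR (type II): fraction of impostors wrongly accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep thresholds 0.00 .. 1.00 and return (threshold, FRR, FAR) at the
    point where the two rates are closest: the equal error rate (EER)."""
    best = None
    for i in range(101):               # integer steps avoid float drift
        t = i / 100
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1], best[2], best[3]


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES,
                          impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR
    paid for it. This is the tuning a server room would use: give
    preference to rejecting valid users over admitting impostors."""
    for i in range(101):
        t = i / 100
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


def main() -> None:
    print("threshold  FRR   FAR")
    for t in (0.45, 0.59, 0.75):
        frr, far = error_rates(t)
        print(f"{t:9.2f}  {frr:.2f}  {far:.2f}")
    print("EER operating point:", equal_error_threshold())
    print("no impostor accepted:", threshold_for_max_far(0.0))


if __name__ == "__main__":
    main()
```

Lowering the threshold lets every genuine user in but admits half the impostors; raising it shuts impostors out at the price of rejecting half the genuine users. The EER point is only a reference; the operating point is chosen by which error the asset can tolerate.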
25. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Retention of business records
Encryption of the hard disks
Trusted source
26. Occurs after the risk assessment process - it does not measure it.
Use of security metrics
Risk appetite
Return on security investment (ROSI)
SWOT analysis
27. Because past performance is a strong predictor of future performance, _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Its ability to reduce or eliminate business risks
Fault-tolerant computer
Monitoring processes
28. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Annually or whenever there is a significant change
Increase business value and confidence
Centralization of information security management
Digital certificate
29. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Regular review of access control lists
Identify the vulnerable systems and apply compensating controls
Security baselines
Conduct a risk assessment
30. Awareness, training and physical security defenses.
Spoofing attacks
Examples of containment defenses
Malicious software and spyware
Decentralization
31. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Centralization of information security management
Consensus on risks and controls
Is willing to accept
Conduct a risk assessment
32. Legal document to be signed by all employees, suppliers, etc., before they 'touch' the organization, to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Creation of a business continuity plan
Certificate authority (CA)
Fault-tolerant computer
33. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Increase business value and confidence
Negotiating a local version of the organization standards
Regulatory compliance
A network vulnerability assessment
34. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Asset classification
The board of directors and senior management
Cross-site scripting attacks
What happened and how the breach was resolved
35. The best measure for preventing the unauthorized disclosure of confidential information.
Logon banners
Annual loss expectancy (ALE) calculations
Acceptable use policies
Penetration testing
36. The weakest link in security implementation, and awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and sensitized on various security policies and other security topics, thus e
Background checks of prospective employees
People
Spoofing attacks
The data custodian
37. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability
Security risk
Identify the vulnerable systems and apply compensating controls
Calculating the value of the information or asset
Encryption key management
38. Should be determined from the risk assessment results.
SWOT analysis
Trojan horse
The information security officer
Audit objectives
39. Will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual's tasks.
Business case development
Personal firewall
Role-based policy
Risk appetite
40. When defining the information classification policy - the ___________________ need to be identified.
Owner of the information asset
Overall organizational structure
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Requirements of the data owners
41. Someone who accesses a computer or network illegally
Centralized structure
Attributes and characteristics of the 'desired state'
Transmit e-mail messages
Hacker
42. Someone who uses email as a vehicle for extortion, sending a company threatening emails indicating they will expose confidential information, exploit a security flaw, launch an attack, etc.
Use of security metrics
Safeguards over keys
Patch management process
Cyber extortionist
43. There is a time lag between when a security vulnerability is first published and when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Multinational organization
Waterfall chart
SWOT analysis
Identify the vulnerable systems and apply compensating controls
44. Programs that act without a user's knowledge and deliberately alter a computer's operations
Malware
Inherent risk
All personnel
Penetration testing
45. It is easier to manage and control a _________________.
Single sign-on (SSO) product
Transmit e-mail messages
Continuous analysis - monitoring and feedback
Centralized structure
46. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Cracker
Confidentiality
Control effectiveness
Access control matrix
47. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Exceptions to policy
Defining high-level business security requirements
Reduce risk to an acceptable level
Residual risk would be reduced by a greater amount
48. The job of the information security officer on a management team is to ___________________.
Is willing to accept
Transmit e-mail messages
Assess the risks to the business operation
Multinational organization
49. BEST option to improve accountability for a system administrator is to _____________________.
Personal firewall
Background check
include security responsibilities in a job description
Role-based access control
50. The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Skills inventory
Business case development
Proficiency testing
Get senior management onboard