SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
People
SWOT analysis
The awareness and agreement of the data subjects
2. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Encryption
Annual loss expectancy (ALE)calculations
Acceptable use policies
Spoofing attacks
3. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Conduct a risk assessment
Negotiating a local version of the organization standards
Waterfall chart
Total cost of ownership (TCO)
4. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Patch management process
Return on security investment (ROSI)
Confidentiality
5. A key indicator of performance measurement.
Knowledge management
Centralization of information security management
Strategic alignment of security with business objectives
Transmit e-mail messages
6. Provide metrics to which outsourcing firms can be held accountable.
Requirements of the data owners
Service level agreements (SLAs)
Annual loss expectancy (ALE)calculations
include security responsibilities in a job description
7. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Decentralization
Overall organizational structure
Script kiddie
8. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Breakeven point of risk reduction and cost
Penetration testing
Proficiency testing
9. Occurs when the incoming level
Regulatory compliance
Applying the proper classification to the data
Power surge/over voltage (spike)
Waterfall chart
10. An information security manager has to impress upon the human resources department the need for _____________________.
Proficiency testing
Audit objectives
Strategic alignment of security with business objectives
Security awareness training for all employees
11. Risk should be reduced to a level that an organization _____________.
Is willing to accept
Do with the information it collects
The information security officer
Personal firewall
12. The job of the information security officer on a management team is to ___________________.
Monitoring processes
Assess the risks to the business operation
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Exceptions to policy
13. The primary role of the information security manager in the process of information classification within the organization.
Decentralization
Data mart
Defining and ratifying the classification structure of information assets
Asset classification
14. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Virus detection
BIA (Business Impact Assessment
Tailgating
15. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Multinational organization
Return on security investment (ROSI)
Consensus on risks and controls
MAL wear
16. A method for analyzing and reducing a relational database to its most streamlined form
The awareness and agreement of the data subjects
Skills inventory
Normalization
Consensus on risks and controls
17. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Data isolation
The information security officer
Comparison of cost of achievement
18. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
The balanced scorecard
Process of introducing changes to systems
Cost of control
Intrusion detection system (IDS)
19. The MOST important element of an information security strategy.
The awareness and agreement of the data subjects
Skills inventory
Virus
Defined objectives
20. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Knowledge management
Regular review of access control lists
Platform security - intrusion detection and antivirus controls
Skills inventory
21. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Comparison of cost of achievement
OBusiness case development
Protective switch covers
Identify the relevant systems and processes
22. Company or person you believe will not send a virus-infect file knowingly
Safeguards over keys
The board of directors and senior management
Trusted source
Use of security metrics
23. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Consensus on risks and controls
Reduce risk to an acceptable level
Impractical and is often cost-prohibitive
Skills inventory
24. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Security code reviews for the entire software application
Transferred risk
Prioritization
Baseline standard and then develop additional standards
25. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Encryption of the hard disks
Platform security - intrusion detection and antivirus controls
Phishing
Compliance with the organization's information security requirements
26. Whenever personal data are transferred across national boundaries; ________________________ are required.
Notifications and opt-out provisions
Is willing to accept
Data classification
The awareness and agreement of the data subjects
27. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Security risk
Key risk indicator (KRI) setup
Annually or whenever there is a significant change
28. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Increase business value and confidence
Safeguards over keys
Logon banners
Creation of a business continuity plan
29. Only valid if assets have first been identified and appropriately valued.
Service level agreements (SLAs)
Annual loss expectancy (ALE)calculations
All personnel
Virus detection
30. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Defining and ratifying the classification structure of information assets
Script kiddie
Countermeasure cost-benefit analysis
Cyber extortionist
31. Applications cannot access data associated with other apps
The database administrator
Residual risk would be reduced by a greater amount
Encryption
Data isolation
32. A risk assessment should be conducted _________________.
Gap analysis
Annually or whenever there is a significant change
Background check
Detection defenses
33. Someone who uses the internet or network to destroy or damage computers for political reasons
Public key infrastructure (PKI)
Security baselines
Cyber terrorist
Hacker
34. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
Defining high-level business security requirements
Control effectiveness
Data mart
35. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Encryption of the hard disks
Process of introducing changes to systems
Annually or whenever there is a significant change
Background check
36. Used to understand the flow of one process into another.
Patch management process
Worm
Waterfall chart
Breakeven point of risk reduction and cost
37. Should be determined from the risk assessment results.
Digital signatures
Audit objectives
Notifications and opt-out provisions
All personnel
38. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Do with the information it collects
SWOT analysis
Strategic alignment of security with business objectives
Information contained on the equipment
39. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Process of introducing changes to systems
A network vulnerability assessment
Stress testing
40. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Public key infrastructure (PKI)
OBusiness case development
Consensus on risks and controls
Use of security metrics
41. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
The database administrator
Negotiating a local version of the organization standards
Return on security investment (ROSI)
Tailgating
42. Carries out the technical administration.
Data warehouse
Is willing to accept
The database administrator
Digital certificate
43. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
Warning
: Invalid argument supplied for foreach() in
/var/www/html/basicversity.com/show_quiz.php
on line
183
44. Identification and _______________ of business risk enables project managers to address areas with most significance.
Control effectiveness
Prioritization
Residual risk would be reduced by a greater amount
Acceptable use policies
45. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Encryption
Role-based access control
Risk management and the requirements of the organization
Calculating the value of the information or asset
46. Ensures that there are no scalability problems.
Support the business objectives of the organization
Stress testing
Digital signatures
The awareness and agreement of the data subjects
47. Someone who accesses a computer or network illegally
Transferred risk
0-day vulnerabilities
Hacker
Biometric access control systems
48. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Requirements of the data owners
Increase business value and confidence
Resource dependency assessment
Baseline standard and then develop additional standards
49. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Defined objectives
Cryptographic secure sockets layer (SSL) implementations and short key lengths
What happened and how the breach was resolved
Risk appetite
50. Occurs when the electrical supply drops
Undervoltage (brownout)
Data isolation
Regulatory compliance
Worm