Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes. If you are not ready to take this test, you can study here first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from the answers to other questions, so you may at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. When considering the value of assets, ______________________ would give the information security manager the MOST objective basis for measuring value delivery in information security governance.
Performing a risk assessment
Background checks of prospective employees
Comparison of cost of achievement
Certificate authority (CA)
2. A function of the session keys distributed by the PKI.
Logon banners
Confidentiality
Assess the risks to the business operation
Threat assessment
3. Normally addressed through antivirus and antispyware policies.
Malware
Get senior management onboard
Malicious software and spyware
Use of security metrics
4. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy
Reduce risk to an acceptable level
Breakeven point of risk reduction and cost
Exceptions to policy
5. The information security manager needs to prioritize the controls based on ________________________.
Data warehouse
Safeguards over keys
Total cost of ownership (TCO)
Risk management and the requirements of the organization
6. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________. A business case, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but
The information security officer
Do with the information it collects
Business case development
Defining high-level business security requirements
7. It is easier to manage and control a _________________.
Asset classification
Key controls
Regulatory compliance
Centralized structure
8. Used to understand the flow of one process into another.
Control effectiveness
Monitoring processes
Transmit e-mail messages
Waterfall chart
9. The first step in a risk analysis process, needed to determine the impact to the organization, which is the ultimate goal.
Identify the vulnerable systems and apply compensating controls
Calculating the value of the information or asset
Platform security, intrusion detection and antivirus controls
Nondisclosure agreement (NDA)
10. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
0-day vulnerabilities
Conduct a risk assessment
Penetration testing
Data warehouse
11. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
The awareness and agreement of the data subjects
Defining high-level business security requirements
Logon banners
Overall organizational structure
12. __________________ provides the most effective protection of data on mobile devices.
Encryption
Single sign-on (SSO) product
Platform security, intrusion detection and antivirus controls
Security baselines
13. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Identify the vulnerable systems and apply compensating controls
The authentication process is broken
Equal error rate (EER)
Tie security risks to key business objectives
14. Has the same intent as a cracker but lacks the technical skills and knowledge.
Encryption of the hard disks
Deeper level of analysis
Defining and ratifying the classification structure of information assets
Script kiddie
15. Legal document to be signed by all employees, suppliers, etc. before they 'touch' the organization, to protect the organization's intellectual property.
The balanced scorecard
Nondisclosure agreement (NDA)
Data warehouse
Control effectiveness
16. An internal review of a web-based application finds that any employee's account can be accessed by changing the employee ID in the URL used to reach the account. This means _____________.
The database administrator
Notifications and opt-out provisions
Conduct a risk assessment
The authentication process is broken
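The flaw in question 16 is what practitioners now file under broken access control (an insecure direct object reference): the login step works, but the handler then trusts the employee ID carried in the URL instead of the identity established by the session. The following added example (not code from the original page; the account store, session object and query-string format are constructed for illustration) shows the vulnerable lookup beside a hardened one that authorizes the requested object against the session:

```python
"""Insecure direct object reference: the ID in the URL is trusted (vulnerable)
versus checked against the authenticated session (hardened).
All data below is constructed for this example; it is not from the original page."""
from dataclasses import dataclass

# Constructed in-memory employee store standing in for the application's database.
ACCOUNTS = {
    1001: {"name": "A. Rivera", "salary": 82000},
    1002: {"name": "B. Chen", "salary": 91000},
}


@dataclass(frozen=True)
class Session:
    """What the login step established: who the caller is and what role they hold."""
    user_id: int
    role: str = "employee"


def parse_employee_id(query_string: str) -> int:
    """Extract id=... from a query string such as 'id=1002&tab=pay'."""
    for part in query_string.split("&"):
        key, _, value = part.partition("=")
        if key == "id":
            return int(value)
    raise ValueError("missing id parameter")


def account_vulnerable(session: Session, query_string: str) -> dict:
    """Authentication succeeded, so the handler trusts whatever id the URL carries.
    Any logged-in employee can read any other employee's record."""
    return ACCOUNTS[parse_employee_id(query_string)]


def account_hardened(session: Session, query_string: str) -> dict:
    """Authorize the object reference against the session, not the URL:
    a user may read their own record; only the (hypothetical) hr_admin role may read others'."""
    requested = parse_employee_id(query_string)
    if requested != session.user_id and session.role != "hr_admin":
        raise PermissionError(f"user {session.user_id} may not view account {requested}")
    if requested not in ACCOUNTS:
        raise KeyError(f"no such account {requested}")
    return ACCOUNTS[requested]


if __name__ == "__main__":
    alice = Session(user_id=1001)
    print("vulnerable:", account_vulnerable(alice, "id=1002"))   # leaks B. Chen's record
    print("hardened, own record:", account_hardened(alice, "id=1001"))
    try:
        account_hardened(alice, "id=1002")
    except PermissionError as exc:
        print("hardened, other record:", exc)
```

The fix is a server-side check at the point of use; hiding the ID, obfuscating it, or validating it only on the client does not close the hole, because the attacker controls the URL.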
17. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer because of economies of scale. However, turnaround can be slower because of weaker alignment with business units.
Data classification
Centralization of information security management
Annually or whenever there is a significant change
Breakeven point of risk reduction and cost
18. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Developing an information security baseline
Increase business value and confidence
Monitoring processes
Risk assessment, evaluation and impact analysis
19. A risk assessment should be conducted _________________.
Fault-tolerant computer
A network vulnerability assessment
Threat assessment
Annually or whenever there is a significant change
20. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Assess the risks to the business operation
Security baselines
Intrusion detection system (IDS)
Breakeven point of risk reduction and cost
21. Residual risk is the risk that remains after controls have been applied; it is unmanaged in the sense that no further control reduces it. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
The authentication process is broken
Stress testing
The database administrator
Risk appetite
22. In biometric systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Cross-site scripting attacks
Risk management and the requirements of the organization
Digital certificate
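Question 22 and the equal error rate (EER) term are the same trade-off seen from two sides: lowering the acceptance threshold cuts the false reject rate (FRR) but raises the false accept rate (FAR), and the EER is the operating point where the two are equal. The following added example (not from the original page; the matcher scores are constructed for illustration) computes FAR and FRR for a few thresholds over sample genuine and impostor scores and locates the EER by sweeping every observed score as a candidate threshold:

```python
"""Trade-off between false rejects and false accepts in a biometric matcher,
and the threshold at which the two rates are equal (EER).
The score samples are constructed for this example; they are not from the original page."""
from typing import List, Tuple

# Constructed matcher scores in [0, 1]: higher means a closer biometric match.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.78, 0.74, 0.69, 0.66, 0.60, 0.55]   # legitimate users
IMPOSTOR = [0.20, 0.28, 0.33, 0.41, 0.47, 0.52, 0.58, 0.63, 0.68, 0.72]  # attackers


def error_rates(threshold: float,
                genuine: List[float] = GENUINE,
                impostor: List[float] = IMPOSTOR) -> Tuple[float, float]:
    """Return (FAR, FRR) for an accept-if-score>=threshold decision rule."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)      # legitimate users rejected
    return far, frr


def equal_error_rate(genuine: List[float] = GENUINE,
                     impostor: List[float] = IMPOSTOR) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, eer) at the point where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, eer = best
    return threshold, eer


if __name__ == "__main__":
    # A strict threshold rejects many legitimate users; relaxing it admits impostors.
    for t in (0.80, 0.66, 0.60):
        far, frr = error_rates(t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    threshold, eer = equal_error_rate()
    print(f"EER threshold={threshold:.2f}  EER={eer:.2f}")
```

A lower EER means the matcher separates genuine users from impostors better; which side of the EER to operate on is a risk decision, since a door to a data centre tolerates false rejects far more readily than false accepts.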
23. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Security risk
Gain unauthorized access to applications
Tie security risks to key business objectives
24. The best strategy for risk management is to ___________________, as this takes into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Security code reviews for the entire software application
Decentralization
Is willing to accept
Reduce risk to an acceptable level
25. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Overall organizational structure
Skills inventory
Alignment with business strategy
Key controls
26. The MOST important element of a request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Confidentiality
Script kiddie
Methodology used in the assessment
Protective switch covers
27. Culture has a significant impact on how information security will be implemented in a ______________________.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Deeper level of analysis
Inherent risk
Multinational organization
28. Occurs when the incoming level
Audit objectives
Resource dependency assessment
Power surge/over voltage (spike)
Examples of containment defenses
29. Ensures that there are no scalability problems.
Data owners
Centralization of information security management
Support the business objectives of the organization
Stress testing
30. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Spoofing attacks
Centralization of information security management
Conduct a risk assessment
Protective switch covers
31. When the ________________ is more than the cost of the risk - the risk should be accepted.
Return on security investment (ROSI)
Protective switch covers
Cost of control
Risk management and the requirements of the organization
32. By definition are not previously known, and therefore cannot be detected by signature-based controls.
The data owner
0-day vulnerabilities
Examples of containment defenses
Breakeven point of risk reduction and cost
33. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Biometric access control systems
Transferred risk
Countermeasure cost-benefit analysis
Key controls
34. The primary role of the information security manager in the process of information classification within the organization.
The board of directors and senior management
Defining and ratifying the classification structure of information assets
Developing an information security baseline
Lack of change management
35. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Data isolation
Centralization of information security management
Penetration testing
36. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Breakeven point of risk reduction and cost
Impractical and is often cost-prohibitive
Attributes and characteristics of the 'desired state'
Threat assessment
37. The MOST important component of a privacy policy is _______________. Privacy policies must contain these; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are
Breakeven point of risk reduction and cost
Acceptable use policies
Access control matrix
Notifications and opt-out provisions
38. A method for analyzing and reducing a relational database to its most streamlined form.
Normalization
Identify the vulnerable systems and apply compensating controls
Residual risk would be reduced by a greater amount
Reduce risk to an acceptable level
39. Useful but only with regard to specific technical skills.
Proficiency testing
Virus
Trusted source
Key risk indicator (KRI) setup
40. Reducing risk to a level too small to measure is _______________.
Internal risk assessment
Increase business value and confidence
Owner of the information asset
Impractical and is often cost-prohibitive
41. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i
Assess the risks to the business operation
What happened and how the breach was resolved
Process of introducing changes to systems
The balanced scorecard
42. Without _____________________ - there cannot be accountability.
Owner of the information asset
Its ability to reduce or eliminate business risks
Lack of change management
Well-defined roles and responsibilities
43. A trusted third party that attests to the identity of the signatory; reliance will be a function of the level of trust afforded to the CA.
Lack of change management
Certificate authority (CA)
Risk assessment, evaluation and impact analysis
Power surge/over voltage (spike)
44. Provides strong online authentication.
Role-based policy
Public key infrastructure (PKI)
Methodology used in the assessment
Hacker
45. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Deeper level of analysis
Access control matrix
Public key infrastructure (PKI)
Malicious software and spyware
46. Whenever personal data are transferred across national boundaries; ________________________ are required.
Risk management and the requirements of the organization
Process of introducing changes to systems
The awareness and agreement of the data subjects
Information security manager
47. Should be determined from the risk assessment results.
Consensus on risks and controls
Owner of the information asset
Audit objectives
Control risk
48. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Performing a risk assessment
Acceptable use policies
Detection defenses
Service level agreements (SLAs)
49. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
A network vulnerability assessment
Cracker
Cyber extortionist
Continuous monitoring control initiatives
50. Addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool.
Continuous analysis, monitoring and feedback
Threat assessment
SWOT analysis
The data custodian