Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might find at times that the answers are obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Provide metrics to which outsourcing firms can be held accountable.
Residual risk would be reduced by a greater amount
Service level agreements (SLAs)
Normalization
Control effectiveness
2. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Inherent risk
Data owners
Service level agreements (SLAs)
Baseline standard and then develop additional standards
3. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Digital certificate
The data custodian
Defining high-level business security requirements
Notifications and opt-out provisions
4. New security vulnerabilities should be managed through a ________________.
Patch management process
Breakeven point of risk reduction and cost
Lack of change management
Monitoring processes
5. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Identify the relevant systems and processes
Phishing
Decentralization
Applying the proper classification to the data
6. Legal document to be signed by all employees, suppliers, etc. before they 'touch' the organization, to protect the organization's intellectual property.
Control effectiveness
Resource dependency assessment
Nondisclosure agreement (NDA)
Decentralization
7. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Penetration testing
Countermeasure cost-benefit analysis
Encryption of the hard disks
Two-factor authentication
8. Awareness, training and physical security defenses.
The awareness and agreement of the data subjects
Examples of containment defenses
A network vulnerability assessment
Personal firewall
9. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Is willing to accept
Include security responsibilities in a job description
Gain unauthorized access to applications
Properly aligned with business goals and objectives
10. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Cyber terrorist
Return on security investment (ROSI)
Calculating the value of the information or asset
Key risk indicator (KRI) setup
11. A process that helps organizations manipulate important knowledge that is part of the organization's memory.
Process of introducing changes to systems
Notifications and opt-out provisions
Knowledge management
Inherent risk
12. A function of the session keys distributed by the PKI.
Identify the relevant systems and processes
Regular review of access control lists
Defining and ratifying the classification structure of information assets
Confidentiality
13. Only valid if assets have first been identified and appropriately valued.
Proficiency testing
Security awareness training for all employees
Regular review of access control lists
Annual loss expectancy (ALE) calculations
14. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Monitoring processes
Digital certificate
Personal firewall
15. When defining the information classification policy, the ___________________ need to be identified.
Strategic alignment of security with business objectives
Residual risk
Breakeven point of risk reduction and cost
Requirements of the data owners
16. Will associate data access with the role performed by an individual, thus restricting access to the data required to perform the individual's tasks.
Encryption
Role-based policy
Power surge/over voltage (spike)
Breakeven point of risk reduction and cost
17. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Retention of business records
Certificate authority (CA)
Residual risk would be reduced by a greater amount
Encryption
18. Occurs when the electrical supply drops
Countermeasure cost-benefit analysis
Undervoltage (brownout)
Defining high-level business security requirements
Stress testing
19. Computer that has duplicate components so it can continue to operate when one of its main components fails.
Cost of control
Fault-tolerant computer
Background checks of prospective employees
Hacker
20. The PRIMARY goal in developing an information security strategy is to: _________________________.
Get senior management onboard
Return on security investment (ROSI)
Support the business objectives of the organization
Audit objectives
21. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Security baselines
Prioritization
Audit objectives
Support the business objectives of the organization
22. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Encryption of the hard disks
Applying the proper classification to the data
Defined objectives
Examples of containment defenses
23. Someone who uses email as a vehicle for extortion; sends the company threatening emails indicating they will expose confidential information, exploit a security flaw or launch an attack, etc.
Stress testing
Cyber extortionist
Identify the relevant systems and processes
Business case development
24. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
The awareness and agreement of the data subjects
Control effectiveness
The board of directors and senior management
Key controls
25. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures, but not in the prioritization.
Creation of a business continuity plan
Impractical and is often cost-prohibitive
Is willing to accept
Requirements of the data owners
26. Occurs when the incoming level
Its ability to reduce or eliminate business risks
Baseline standard and then develop additional standards
Security awareness training for all employees
Power surge/over voltage (spike)
27. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Data classification
Tie security risks to key business objectives
Continuous analysis, monitoring and feedback
Control effectiveness
28. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Security risk
IP address packet filtering
Baseline standard and then develop additional standards
29. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Well-defined roles and responsibilities
Power surge/over voltage (spike)
Transmit e-mail messages
Exceptions to policy
30. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID in the URL used for accessing the account. It means _____________.
The authentication process is broken
Breakeven point of risk reduction and cost
Decentralization
Deeper level of analysis
31. Would protect against spoofing an internal address but would not provide strong authentication.
Continuous analysis, monitoring and feedback
IP address packet filtering
Countermeasure cost-benefit analysis
Developing an information security baseline
32. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Requirements of the data owners
Risk assessment, evaluation and impact analysis
Skills inventory
Owner of the information asset
33. Without _____________________, there cannot be accountability.
0-day vulnerabilities
Key controls
Use of security metrics
Well-defined roles and responsibilities
34. Normally addressed through antivirus and antispyware policies.
Strategic alignment of security with business objectives
Risk assessment, evaluation and impact analysis
Two-factor authentication
Malicious software and spyware
35. Security design flaws require a ____________________.
Stress testing
Knowledge management
Deeper level of analysis
Security code reviews for the entire software application
36. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is ______________, which would appear every time the user logs on, and the user would be required to read and agree
Cross-site scripting attacks
Logon banners
Classification of assets needs
Identify the relevant systems and processes
37. Program that hides within or looks like a legitimate program.
Examples of containment defenses
Strategic alignment of security with business objectives
Trojan horse
Gain unauthorized access to applications
38. A key indicator of performance measurement.
Stress testing
Use of security metrics
Strategic alignment of security with business objectives
Two-factor authentication
39. Provides the most effective protection of data on mobile devices.
Defining high-level business security requirements
Tie security risks to key business objectives
Inherent risk
Encryption
40. Applications cannot access data associated with other apps
Classification of assets needs
Undervoltage (brownout)
Security code reviews for the entire software application
Data isolation
41. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Total cost of ownership (TCO)
Comparison of cost of achievement
Data classification
Gain unauthorized access to applications
42. Has to be integrated into the requirements of every software application's design.
Encryption key management
Trojan horse
The information security officer
Notifications and opt-out provisions
43. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
Include security responsibilities in a job description
Patch management process
Acceptable use policies
44. It is more efficient to establish a ___________________ for locations that must meet specific requirements.
Baseline standard and then develop additional standards
Intrusion detection system (IDS)
Examples of containment defenses
Malware
45. Provides process needs but not impact.
Resource dependency assessment
Conduct a risk assessment
Owner of the information asset
Intrusion detection system (IDS)
46. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy
Inherent risk
Identify the vulnerable systems and apply compensating controls
Certificate authority (CA)
47. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i
Cyber extortionist
The information security officer
Patch management process
What happened and how the breach was resolved
48. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Cyber extortionist
Defining high-level business security requirements
Platform security, intrusion detection and antivirus controls
Regular review of access control lists
49. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Requirements of the data owners
Continuous analysis, monitoring and feedback
Detection defenses
50. A method for analyzing and reducing a relational database to its most streamlined form
Normalization
Worm
Threat assessment
Cost of control