CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions, so you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Assess the risks to the business operation
Skills inventory
Phishing
2. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Digital signatures
Service level agreements (SLAs)
Identify the vulnerable systems and apply compensating controls
Get senior management onboard
3. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Multinational organization
The awareness and agreement of the data subjects
Well-defined roles and responsibilities
Gain unauthorized access to applications
4. Should be a standard requirement for the service provider.
Regulatory compliance
Risk assessment - evaluation and impact analysis
Background check
Centralization of information security management
5. A function of the session keys distributed by the PKI.
Confidentiality
Information security manager
Background checks of prospective employees
Its ability to reduce or eliminate business risks
6. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Certificate authority (CA)
Skills inventory
Service level agreements (SLAs)
Tie security risks to key business objectives
7. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Information contained on the equipment
Properly aligned with business goals and objectives
Data isolation
Creation of a business continuity plan
8. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Negotiating a local version of the organization standards
IP address packet filtering
Certificate authority (CA)
Cryptographic secure sockets layer (SSL) implementations and short key lengths
9. The job of the information security officer on a management team is to ___________________.
Assess the risks to the business operation
Lack of change management
Continuous analysis - monitoring and feedback
Encryption
10. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Alignment with business strategy
Negotiating a local version of the organization standards
Exceptions to policy
Acceptable use policies
11. A process that helps organizations manage important knowledge that is part of the organization's memory
Rule-based access control
Consensus on risks and controls
Knowledge management
Tie security risks to key business objectives
12. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Properly aligned with business goals and objectives
Platform security - intrusion detection and antivirus controls
Use of security metrics
13. The MOST important component of a privacy policy is: privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Decentralization
Performing a risk assessment
Knowledge management
Notifications and opt-out provisions
14. A repository of historical data organized by subject to support decision makers in the org
Gap analysis
Use of security metrics
Data warehouse
Total cost of ownership (TCO)
15. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Role-based policy
Business case development
Performing a risk assessment
Malware
16. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Role-based policy
BIA (Business Impact Assessment)
What happened and how the breach was resolved
Asset classification
17. All within the responsibility of the information security manager.
Information contained on the equipment
Platform security - intrusion detection and antivirus controls
Two-factor authentication
Trojan horse
18. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Virus detection
Worm
Tailgating
Audit objectives
19. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Gap analysis
Identify the vulnerable systems and apply compensating controls
Aligned with organizational goals
Personal firewall
20. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Increase business value and confidence
Stress testing
Regulatory compliance
Its ability to reduce or eliminate business risks
21. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Include security responsibilities in a job description
Calculating the value of the information or asset
Tailgating
22. By definition are not previously known and therefore are undetectable.
0-day vulnerabilities
Data owners
Safeguards over keys
Knowledge management
23. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
The balanced scorecard
Decentralization
Certificate authority (CA)
Security risk
24. Programs that act without a user's knowledge and deliberately alter a computer's operations
Continuous monitoring control initiatives
The balanced scorecard
Malware
Audit objectives
25. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
Certificate authority (CA)
Penetration testing
Platform security - intrusion detection and antivirus controls
26. It is easier to manage and control a _________________.
Inherent risk
Centralized structure
Total cost of ownership (TCO)
Reduce risk to an acceptable level
27. Successful risk management should lead to a ________________.
Performing a risk assessment
Fault-tolerant computer
Breakeven point of risk reduction and cost
Service level agreements (SLAs)
28. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Security awareness training for all employees
Intrusion detection system (IDS)
Information contained on the equipment
Asset classification
29. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE) calculations
Conduct a risk assessment
Gain unauthorized access to applications
Information contained on the equipment
30. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Key controls
Patch management process
0-day vulnerabilities
Biometric access control systems
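As an added worked illustration of the tuning trade-off in question 30 (this is not part of the quiz and not any vendor's matcher code): the genuine and impostor scores below are constructed, and the convention that a higher score means a closer match, with a presentation accepted when score >= threshold, is an assumption. Sweeping the threshold gives the false reject rate (type I) and false accept rate (type II) at each setting, the equal error rate (EER) point where the two cross, and the FRR cost you pay if you tune for a strict FAR target instead.

```python
"""Biometric threshold tuning: FRR (type I) vs FAR (type II) and the EER.

Added illustration. Scores are constructed, not from any real sensor.
Assumed convention: higher score = closer match; accept when score >= threshold.
"""
from typing import Iterable, List, Tuple

# Constructed matcher scores (0-100). Genuine = enrolled user presenting,
# impostor = someone else presenting. The ranges overlap on purpose: no single
# threshold separates them perfectly, which is why tuning is a trade-off.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 76, 74, 71, 69, 66, 63, 60, 57, 54, 50]
IMPOSTOR_SCORES: List[int] = [20, 25, 30, 34, 38, 42, 46, 49, 52, 55, 58, 61, 64, 68, 72]


def error_rates(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Return (FRR, FAR) at a given accept threshold.

    FRR (type I): fraction of genuine presentations rejected (score < threshold).
    FAR (type II): fraction of impostor presentations accepted (score >= threshold).
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def equal_error_rate(genuine: List[int], impostor: List[int],
                     thresholds: Iterable[int] = range(0, 101)) -> Tuple[int, float, float]:
    """Sweep thresholds; return (threshold, FRR, FAR) where |FRR - FAR| is smallest.

    That operating point is the equal error rate (EER). Raising the threshold
    above it favours rejecting valid users (security over convenience); lowering
    it favours letting impostors in (convenience over security).
    """
    best = None
    for t in thresholds:
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, frr, far


def threshold_for_max_far(max_far: float, genuine: List[int], impostor: List[int],
                          thresholds: Iterable[int] = range(0, 101)) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR does not exceed max_far; returns (threshold, FRR, FAR).

    Tuning for a strict FAR (e.g. 0.0) is the "prefer false rejects" setting from
    the question: the returned FRR is the usability price of that choice.
    """
    for t in thresholds:
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t, frr, far = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER point: threshold={t} FRR={frr:.3f} FAR={far:.3f}")
    t, frr, far = threshold_for_max_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"Zero-FAR tuning: threshold={t} FRR={frr:.3f} FAR={far:.3f}")
    for t in (40, 61, 80):
        frr, far = error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold={t:3d} FRR={frr:.3f} FAR={far:.3f}")
```

With these constructed scores the EER sits at threshold 61 (FRR = FAR = 4/15). Tuning for zero false accepts pushes the threshold to 73 and rejects 8 of 15 genuine attempts, which is the concrete form of "erring on the side of denying a valid user".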
31. Responsible for securing the information.
Platform security - intrusion detection and antivirus controls
Its ability to reduce or eliminate business risks
The data custodian
Trojan horse
Provides the most effective protection of data on mobile devices.
Encryption
Transferred risk
Defining high-level business security requirements
Information security manager
33. Inject malformed input.
Cross-site scripting attacks
Continuous monitoring control initiatives
Power surge/over voltage (spike)
Defining high-level business security requirements
34. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Defined objectives
Residual risk would be reduced by a greater amount
BIA (Business Impact Assessment)
Gap analysis
35. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Examples of containment defenses
Single sign-on (SSO) product
The data owner
36. The data owner is responsible for _______________________.
Risk assessment - evaluation and impact analysis
Applying the proper classification to the data
Identify the relevant systems and processes
The authentication process is broken
37. New security vulnerabilities should be managed through a ________________.
Resource dependency assessment
The data owner
OBusiness case development
Patch management process
38. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Cracker
Role-based access control
Regulatory compliance
Single sign-on (SSO) product
39. Carries out the technical administration.
The database administrator
Continuous monitoring control initiatives
Script kiddie
Equal error rate (EER)
40. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
All personnel
Resource dependency assessment
Security code reviews for the entire software application
Trusted source
41. Normally addressed through antivirus and antispyware policies.
Negotiating a local version of the organization standards
Malicious software and spyware
Breakeven point of risk reduction and cost
The information security officer
42. Would protect against spoofing an internal address but would not provide strong authentication.
IP address packet filtering
Background checks of prospective employees
Identify the relevant systems and processes
Hacker
43. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Cross-site scripting attacks
Residual risk would be reduced by a greater amount
Owner of the information asset
Monitoring processes
44. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Assess the risks to the business operation
Increase business value and confidence
Nondisclosure agreement (NDA)
Asset classification
45. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Asset classification
Alignment with business strategy
Identify the relevant systems and processes
46. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Increase business value and confidence
Asset classification
Data mart
Calculating the value of the information or asset
47. The most important characteristic of good security policies is that they be ____________________.
Stress testing
Security awareness training for all employees
Data warehouse
Aligned with organizational goals
48. Occurs when the incoming level
Monitoring processes
Security risk
Knowledge management
Power surge/over voltage (spike)
49. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Process of introducing changes to systems
Platform security - intrusion detection and antivirus controls
Detection defenses
Cyber terrorist
50. The PRIMARY goal in developing an information security strategy is to: _________________________.
Continuous analysis - monitoring and feedback
Support the business objectives of the organization
Service level agreements (SLAs)
Baseline standard and then develop additional standards