Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might find at times the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Acceptable use policies
Defining and ratifying the classification structure of information assets
The balanced scorecard
2. Risk should be reduced to a level that an organization _____________.
Malware
Stress testing
People
Is willing to accept
3. Identification and _______________ of business risk enables project managers to address areas with most significance.
Defining and ratifying the classification structure of information assets
The data custodian
Prioritization
Aligned with organizational goals
4. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Protective switch covers
Cyber extortionist
Examples of containment defenses
Get senior management onboard
5. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Calculating the value of the information or asset
The balanced scorecard
Data mart
Requirements of the data owners
6. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Internal risk assessment
Monitoring processes
Comparison of cost of achievement
Prioritization
7. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
All personnel
Information contained on the equipment
Baseline standard and then develop additional standards
IP address packet filtering
8. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Public key infrastructure (PKI)
Transmit e-mail messages
Its ability to reduce or eliminate business risks
Asset classification
9. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
Trusted source
Intrusion detection system (IDS)
Centralization of information security management
10. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Business case development
Multinational organization
Cross-site scripting attacks
11. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
Creation of a business continuity plan
Data mart
The database administrator
12. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Data mart
Continuous monitoring control initiatives
Cracker
Biometric access control systems
13. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Total cost of ownership (TCO)
Cost of control
Properly aligned with business goals and objectives
Threat assessment
14. Without _____________________ - there cannot be accountability.
Well-defined roles and responsibilities
Biometric access control systems
Classification of assets needs
Acceptable use policies
15. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Lack of change management
The board of directors and senior management
The database administrator
Protective switch covers
16. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Detection defenses
Patch management
Security risk
Information contained on the equipment
17. Cannot be minimized.
Trusted source
Inherent risk
Properly aligned with business goals and objectives
Single sign-on (SSO) product
18. The most important characteristic of good security policies is that they be ____________________.
Virus
Aligned with organizational goals
Include security responsibilities in a job description
Increase business value and confidence
19. Inject malformed input.
Safeguards over keys
Performing a risk assessment
Cross-site scripting attacks
The data custodian
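As an added example (not part of the original quiz) of what "inject malformed input" means for cross-site scripting: the same attacker-controlled string is rendered once through Go's text/template, which passes markup straight through to the browser, and once through html/template, which escapes it according to HTML context. The page template and the hostile input are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	texttpl "text/template"
)

// Constructed attacker-controlled input, e.g. the value of a "name" query
// parameter reflected back into the page.
const hostileInput = `<script>alert(document.cookie)</script>`

// Constructed page fragment: user input is interpolated into HTML text.
const page = `<p>Hello, {{.}}!</p>`

// RenderUnsafe interpolates the input with no HTML-aware escaping, so the
// injected <script> element reaches the browser as live script. This is the
// vulnerable form.
func RenderUnsafe(input string) (string, error) {
	t, err := texttpl.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, input); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe uses html/template, whose contextual auto-escaper rewrites
// < and > (and &, quotes, +) so the payload is shown as inert text.
// This is the hardened form.
func RenderSafe(input string) (string, error) {
	t, err := htmltpl.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, input); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	raw, err := RenderUnsafe(hostileInput)
	if err != nil {
		panic(err)
	}
	escaped, err := RenderSafe(hostileInput)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable:", raw)
	fmt.Println("hardened:  ", escaped)
}
```

Escaping on output is only one layer; input validation and a Content-Security-Policy header reduce the impact of the cases the template engine cannot see.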
20. Ensure that transmitted information can be attributed to the named sender.
Digital signatures
Virus
Multinational organization
Spoofing attacks
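Added example (not from the original quiz) of how a digital signature attributes a message to a named sender: Alice signs with her Ed25519 private key, and verification under her public key succeeds only for the exact message she signed. The same signature fails if the message is altered or if it is checked against another party's key, so it cannot be reattributed to Mallory. The names and the message are constructed for this illustration; in practice the public key would be distributed inside a certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is a named sender holding an Ed25519 key pair (constructed roles).
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for the named sender.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

// Sign produces a signature over msg with the sender's private key.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// PublicKey is what the sender publishes; verifiers use it, never the private key.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// Verify reports whether sig was produced over msg by the holder of the
// private key matching pub. Success attributes msg to that key holder and
// shows it was not modified after signing.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Outcome records the three verification results the demo produces.
type Outcome struct {
	Genuine     bool // Alice's signature, Alice's key, original message
	Tampered    bool // Alice's signature, Alice's key, altered message
	WrongSender bool // Alice's signature checked against Mallory's key
}

// Demo runs the three checks with a constructed message.
func Demo() (Outcome, error) {
	alice, err := NewSigner("alice")
	if err != nil {
		return Outcome{}, err
	}
	mallory, err := NewSigner("mallory")
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("transfer 100 to account 42")     // constructed message
	altered := []byte("transfer 900 to account 42") // one character changed in transit
	sig := alice.Sign(msg)
	return Outcome{
		Genuine:     Verify(alice.PublicKey(), msg, sig),
		Tampered:    Verify(alice.PublicKey(), altered, sig),
		WrongSender: Verify(mallory.PublicKey(), msg, sig),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongSender=%v\n", out.Genuine, out.Tampered, out.WrongSender)
}
```

Attribution holds only as long as the private key stays with its named owner; key protection and binding the public key to an identity (a certificate) are what make the signature evidence rather than just math.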
21. Has full responsibility for the data.
Control effectiveness
The data owner
Virus
Information contained on the equipment
22. When defining the information classification policy - the ___________________ need to be identified.
Trojan horse
Requirements of the data owners
Return on security investment (ROSI)
Use of security metrics
23. Ensures that there are no scalability problems.
Stress testing
Get senior management onboard
Digital certificate
Internal risk assessment
24. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Return on security investment (ROSI)
Rule-based access control
Audit objectives
Data classification
25. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
Monitoring processes
Gap analysis
Information contained on the equipment
26. The best strategy for risk management is to ___________________ - as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Is willing to accept
Reduce risk to an acceptable level
Do with the information it collects
Stress testing
27. Should be determined from the risk assessment results.
Audit objectives
Countermeasure cost-benefit analysis
Digital signatures
Cyber terrorist
28. Normally addressed through antivirus and antispyware policies.
Reduce risk to an acceptable level
Consensus on risks and controls
Nondisclosure agreement (NDA)
Malicious software and spyware
29. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Data mart
Continuous analysis - monitoring and feedback
Equal error rate (EER)
30. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Annually or whenever there is a significant change
Alignment with business strategy
Audit objectives
Intrusion detection system (IDS)
31. The BEST option to improve accountability for a system administrator is to _____________________.
Do with the information it collects
Control effectiveness
Worm
Include security responsibilities in a job description
32. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Aligned with organizational goals
Detection defenses
Equal error rate (EER)
All personnel
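Added worked example (not part of the original quiz) of the false-reject / false-accept trade-off behind the equal error rate: from a constructed set of genuine and impostor match scores it computes FRR (genuine samples rejected) and FAR (impostor samples accepted) at each decision threshold, shows that lowering the threshold cuts false rejects while raising false accepts, and sweeps thresholds to find the operating point where the two rates are equal. The scores are made up for this illustration and stand in for whatever a real matcher would output.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed match scores in [0,1] from a toy biometric matcher.
// Genuine: enrolled users compared against their own template.
// Impostor: other people's samples compared against that template.
var genuineScores = []float64{0.95, 0.91, 0.88, 0.86, 0.82, 0.79, 0.75, 0.71, 0.66, 0.58}
var impostorScores = []float64{0.12, 0.20, 0.27, 0.33, 0.41, 0.48, 0.55, 0.61, 0.69, 0.74}

// rates returns FAR and FRR when a sample is accepted iff score >= threshold.
// FRR = rejected genuine / all genuine; FAR = accepted impostor / all impostor.
func rates(threshold float64) (far, frr float64) {
	rejectedGenuine := 0
	for _, s := range genuineScores {
		if s < threshold {
			rejectedGenuine++
		}
	}
	acceptedImpostor := 0
	for _, s := range impostorScores {
		if s >= threshold {
			acceptedImpostor++
		}
	}
	frr = float64(rejectedGenuine) / float64(len(genuineScores))
	far = float64(acceptedImpostor) / float64(len(impostorScores))
	return far, frr
}

// equalErrorRate sweeps thresholds 0.00..1.00 in steps of 0.01 and returns
// the first threshold at which |FAR - FRR| is smallest, with the rate there.
// Integer stepping avoids accumulating floating-point error in the threshold.
func equalErrorRate() (threshold, eer float64) {
	best := math.Inf(1)
	for i := 0; i <= 100; i++ {
		t := float64(i) / 100
		far, frr := rates(t)
		if d := math.Abs(far - frr); d < best {
			best = d
			threshold = t
			eer = (far + frr) / 2
		}
	}
	return threshold, eer
}

func main() {
	// A high threshold (sensitive system) rejects many genuine users;
	// lowering it reduces false rejects but lets more impostors through.
	for _, t := range []float64{0.80, 0.67, 0.60} {
		far, frr := rates(t)
		fmt.Printf("threshold %.2f: FAR=%.2f FRR=%.2f\n", t, far, frr)
	}
	t, eer := equalErrorRate()
	fmt.Printf("EER %.2f at threshold %.2f\n", eer, t)
}
```

The EER is a single-number way to compare matchers, but the threshold actually deployed should sit wherever the business tolerates the costlier error: a lower threshold for convenience, a higher one for a data-centre door.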
33. A function of the session keys distributed by the PKI.
Properly aligned with business goals and objectives
Multinational organization
Confidentiality
The board of directors and senior management
34. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Personal firewall
Control effectiveness
Reduce risk to an acceptable level
Encryption of the hard disks
35. Should be performed to identify the risk and determine needed controls.
Assess the risks to the business operation
Developing an information security baseline
Internal risk assessment
Annually or whenever there is a significant change
36. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Information contained on the equipment
Regulatory compliance
Transferred risk
Conduct a risk assessment
37. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
0-day vulnerabilities
Role-based policy
Spoofing attacks
Platform security - intrusion detection and antivirus controls
38. Should PRIMARILY be based on regulatory and legal requirements.
Malware
The authentication process is broken
Conduct a risk assessment
Retention of business records
39. Needs to define the access rules - which is troublesome and error prone in large organizations.
Information security manager
Skills inventory
Rule-based access control
Key controls
40. A repository of historical data organized by subject to support decision makers in the organization.
Data warehouse
Digital signatures
Control risk
Platform security - intrusion detection and antivirus controls
41. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment - evaluation and impact analysis
Stress testing
Detection defenses
Encryption
42. Same intent as a cracker but does not have the technical skills and knowledge.
Script kiddie
The data custodian
Total cost of ownership (TCO)
Malicious software and spyware
43. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Gain unauthorized access to applications
Well-defined roles and responsibilities
Logon banners
Performing a risk assessment
44. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures - but not in the prioritization.
Resource dependency assessment
Encryption
Creation of a business continuity plan
Single sign-on (SSO) product
45. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Include security responsibilities in a job description
Transmit e-mail messages
Support the business objectives of the organization
46. Carries out the technical administration.
Power surge/over voltage (spike)
The database administrator
Tie security risks to key business objectives
Role-based access control
47. An electronic credential that attests that a user or a web site is legitimate.
Digital certificate
Security baselines
Performing a risk assessment
Cryptographic secure sockets layer (SSL) implementations and short key lengths
48. Provides process needs but not impact.
Resource dependency assessment
Conduct a risk assessment
0-day vulnerabilities
Methodology used in the assessment
49. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Monitoring processes
Decentralization
Comparison of cost of achievement
Owner of the information asset
50. Successful risk management should lead to a ________________.
Cross-site scripting attacks
Notifications and opt-out provisions
Breakeven point of risk reduction and cost
Phishing