CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, study the material first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions, so you may sometimes find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Decentralization
Use of security metrics
The board of directors and senior management
Baseline standard and then develop additional standards
2. Occurs after the risk assessment process; it does not measure it.
Control risk
Deeper level of analysis
The authentication process is broken
Use of security metrics
3. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Notifications and opt-out provisions
Transmit e-mail messages
Tie security risks to key business objectives
Normalization
4. The primary role of the information security manager in the process of information classification within the organization.
Protective switch covers
Personal firewall
Security baselines
Defining and ratifying the classification structure of information assets
5. Would protect against spoofing an internal address but would not provide strong authentication.
Cyber terrorist
Rule-based access control
IP address packet filtering
Lack of change management
6. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Continuous monitoring control initiatives
Annual loss expectancy (ALE) calculations
Performing a risk assessment
Data mart
7. All within the responsibility of the information security manager.
Platform security, intrusion detection and antivirus controls
Penetration testing
Audit objectives
Continuous monitoring control initiatives
8. The information security manager needs to prioritize the controls based on ________________________.
Assess the risks to the business operation
Risk management and the requirements of the organization
Monitoring processes
Prioritization
9. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Normalization
People
Biometric access control systems
10. Occurs when the incoming level
Trusted source
Power surge/over voltage (spike)
The authentication process is broken
Consensus on risks and controls
11. In order to highlight to management the importance of network security, the security manager should FIRST _______________.
Access control matrix
Phishing
Conduct a risk assessment
Risk management and the requirements of the organization
12. There is a time lag between when a security vulnerability is first published and when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Certificate authority (CA)
Data classification
Security code reviews for the entire software application
Identify the vulnerable systems and apply compensating controls
13. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Assess the risks to the business operation
Attributes and characteristics of the 'desired state'
The database administrator
Properly aligned with business goals and objectives
14. Because past performance is a strong predictor of future performance, _______________________ best prevents attacks from originating within an organization.
Classification of assets needs
Negotiating a local version of the organization standards
Monitoring processes
Background checks of prospective employees
15. Ensure that transmitted information can be attributed to the named sender.
Tailgating
Digital signatures
Identify the vulnerable systems and apply compensating controls
Risk assessment, evaluation and impact analysis
16. When mobile equipment is lost or stolen, the ______________________ matters most in determining the impact of the loss.
Assess the risks to the business operation
Centralized structure
Information contained on the equipment
Security awareness training for all employees
17. The _____________________ is a severe omission and will greatly increase information security risk. It presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations.
Lack of change management
Key risk indicator (KRI) setup
The information security officer
Trusted source
18. A trusted third party that attests to the identity of the signatory; reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Risk assessment, evaluation and impact analysis
Lack of change management
Cryptographic secure sockets layer (SSL) implementations and short key lengths
19. A small data warehouse designed for the end-user needs of a strategic business unit.
Impractical and is often cost-prohibitive
Data mart
Cyber terrorist
Assess the risks to the business operation
20. Identification and _______________ of business risk enables project managers to address areas with most significance.
Prioritization
Virus detection
Security awareness training for all employees
The information security officer
21. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Detection defenses
The authentication process is broken
The information security officer
22. Only valid if assets have first been identified and appropriately valued.
Phishing
Business impact assessment (BIA)
Annual loss expectancy (ALE) calculations
Cyber terrorist
23. Awareness, training and physical security defenses.
Security awareness training for all employees
Examples of containment defenses
Risk management and the requirements of the organization
People
24. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Security baselines
Methodology used in the assessment
Exceptions to policy
Centralized structure
25. Successful risk management should lead to a ________________.
Breakeven point of risk reduction and cost
Retention of business records
Encryption
Patch management
26. When developing an information security program, _________________ would help identify the available resources, any gaps and the training requirements for developing resources.
Virus
Do with the information it collects
Skills inventory
The database administrator
27. Should PRIMARILY be based on regulatory and legal requirements.
Internal risk assessment
Retention of business records
Digital signatures
Cryptographic secure sockets layer (SSL) implementations and short key lengths
28. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Two-factor authentication
Consensus on risks and controls
Intrusion detection system (IDS)
Information security manager
29. A function of the session keys distributed by the PKI.
Fault-tolerant computer
Confidentiality
Do with the information it collects
Skills inventory
30. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Countermeasure cost-benefit analysis
Residual risk
Exceptions to policy
Cyber terrorist
31. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Tie security risks to key business objectives
Public key infrastructure (PKI)
Identify the vulnerable systems and apply compensating controls
32. The data owner is responsible for _______________________.
Use of security metrics
Applying the proper classification to the data
Asset classification
Background checks of prospective employees
33. Useful for identifying the difference between the current state and the desired future state, e.g. when the organization has to comply with recently published industry regulatory requirements that potentially have high implementation costs.
Tailgating
Gap analysis
Continuous analysis, monitoring and feedback
Methodology used in the assessment
34. The most fundamental evaluation criterion for the appropriate selection of any security technology is ________________________.
Tie security risks to key business objectives
Is willing to accept
Normalization
Its ability to reduce or eliminate business risks
35. A program that copies itself repeatedly, using up resources and possibly shutting down the computer or network.
A network vulnerability assessment
Worm
Assess the risks to the business operation
Information security manager
36. By definition, these are not previously known and therefore are undetectable by signature-based controls.
Audit objectives
0-day vulnerabilities
Trusted source
Patch management
37. Accesses a computer or network illegally
IP address packet filtering
Defined objectives
A network vulnerability assessment
Cracker
38. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Continuous monitoring control initiatives
Confidentiality
Countermeasure cost-benefit analysis
Vulnerability assessment
39. A repository of historical data organized by subject to support decision makers in the organization.
Data warehouse
Annually or whenever there is a significant change
Single sign-on (SSO) product
Classification of assets needs
40. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
Classification of assets needs
Single sign-on (SSO) product
Identify the relevant systems and processes
Cyber extortionist
41. The best measure for preventing the unauthorized disclosure of confidential information.
Personal firewall
Acceptable use policies
Defined objectives
Monitoring processes
42. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy
Spoofing attacks
Do with the information it collects
Security awareness training for all employees
43. The PRIMARY goal in developing an information security strategy is to: _________________________.
Identify the vulnerable systems and apply compensating controls
Prioritization
Support the business objectives of the organization
Exceptions to policy
44. In biometric systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Alignment with business strategy
Consensus on risks and controls
Transferred risk
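The trade-off behind question 44, as an added worked example that is not part of this quiz: a matcher produces a score per attempt, the system accepts when the score is at or above a threshold, and lowering that threshold (reducing sensitivity) cuts the false reject rate while raising the false accept rate. The equal error rate (EER) is the threshold where the two rates meet. The scores below are constructed for illustration, not real biometric data, and the 0-100 scale and the accept-at-or-above rule are assumptions of the example.

```python
from typing import List, Tuple

# Constructed matcher scores for the example (not real biometric data).
# Higher score = stronger claimed match. A sample is ACCEPTED when score >= threshold.
GENUINE_SCORES = [95, 90, 88, 85, 80, 78, 75, 70, 60, 55]   # legitimate users
IMPOSTOR_SCORES = [65, 60, 50, 45, 40, 35, 30, 25, 20, 10]  # other people


def rates_at(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Return (FAR, FRR) at a given acceptance threshold.

    FAR = impostors accepted / impostors tried   (score >= threshold)
    FRR = genuine users rejected / genuine tried (score <  threshold)
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def tradeoff_table(genuine: List[int], impostor: List[int], thresholds: List[int]):
    """FAR/FRR at each threshold: lowering the threshold (less sensitive)
    cuts FRR but raises FAR, which is the trade-off described in question 44."""
    return [(t, *rates_at(t, genuine, impostor)) for t in thresholds]


def equal_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, EER) where FAR and FRR are closest. The EER is reported as
    the mean of the two rates at that threshold."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates_at(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [40, 60, 80]):
        print(f"threshold={t:3d}  FAR={far:.2f}  FRR={frr:.2f}")
    thr, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER ~ {eer:.2f} at threshold {thr}")
```

With these scores a threshold of 80 rejects half the genuine users but no impostors, a threshold of 40 does the reverse, and the curves cross near 60, where both rates sit around 15%. Which side of the EER to operate on is a business decision: a door to a data centre tolerates false rejects, a high-traffic login page usually does not.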
45. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
Certificate authority (CA)
Centralization of information security management
Negotiating a local version of the organization standards
Classification of assets needs
46. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning it off.
Malware
Data owners
Protective switch covers
Encryption
47. If the firewall allows source routing, any outsider can carry out _________________ by using the organization's internal (private) IP addresses as the source.
Increase business value and confidence
Spoofing attacks
Nondisclosure agreement (NDA)
Business case development
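Questions 5 and 47 both turn on the same filtering logic, shown here as an added example that is not part of this quiz: a border filter drops packets that carry a source-route option and drops packets whose claimed source address is impossible for the interface they arrived on. The address ranges, interface names and sample packets are constructed for the example; the code models the decision a packet filter makes rather than driving a real firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed "inside" address space for the example (assumption).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Packet:
    iface: str                   # interface the packet arrived on: "ext" (Internet side) or "int"
    src: str                     # source IP as written in the header (may be forged)
    dst: str
    source_routed: bool = False  # IPv4 loose/strict source-route option present


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> str:
    """Return the firewall verdict for one packet."""
    # 1. Never honour source routing. With it, an outsider can forge an internal
    #    source address and still have the replies routed back to itself, which
    #    is the spoofing scenario in question 47.
    if pkt.source_routed:
        return "DROP source-routed"
    # 2. Ingress anti-spoofing (question 5): a packet arriving on the external
    #    interface cannot legitimately carry an internal source address.
    if pkt.iface == "ext" and is_internal(pkt.src):
        return "DROP spoofed-internal-source"
    # 3. Egress anti-spoofing: packets leaving from the inside must carry an
    #    internal source, so a compromised host cannot spoof other networks.
    if pkt.iface == "int" and not is_internal(pkt.src):
        return "DROP spoofed-egress-source"
    return "ACCEPT"


def filter_batch(pkts: List[Packet]) -> List[str]:
    return [filter_packet(p) for p in pkts]


if __name__ == "__main__":
    # Constructed traffic sample.
    sample = [
        Packet("ext", "203.0.113.9", "10.0.0.5"),
        Packet("ext", "10.1.2.3", "10.0.0.5"),                         # forged internal source
        Packet("ext", "203.0.113.9", "10.0.0.5", source_routed=True),
        Packet("int", "10.0.0.5", "203.0.113.9"),
        Packet("int", "198.51.100.7", "203.0.113.9"),                  # inside host spoofing outward
    ]
    for p, verdict in zip(sample, filter_batch(sample)):
        print(f"{p.iface:3s} {p.src:>14s} -> {p.dst:<14s} {verdict}")
```

This is also why question 5 says the control provides no strong authentication: the filter only checks that the header's source address is plausible for the interface. It cannot tell which host or person actually sent a packet that passes, so proving identity still needs a mechanism such as the digital signatures of question 15 or the two-factor authentication of question 28.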
48. A program that hides within or looks like a legitimate program.
Trojan horse
Get senior management onboard
Acceptable use policies
Service level agreements (SLAs)
49. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
50. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
Calculating the value of the information or asset
Centralized structure
Requirements of the data owners