SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. The most important characteristic of good security policies is that they be ____________________.
Breakeven point of risk reduction and cost
Vulnerability assessment
Defining and ratifying the classification structure of information assets
Aligned with organizational goals
2. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Continuous monitoring control initiatives
Creation of a business continuity plan
Assess the risks to the business operation
3. Program that hides within or looks like a legit program
Trojan horse
Encryption
Vulnerability assessment
Cross-site scripting attacks
4. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Skills inventory
Knowledge management
Two-factor authentication
5. Occurs after the risk assessment process - it does not measure it.
Defining and ratifying the classification structure of information assets
Cyber terrorist
Use of security metrics
Residual risk
6. The data owner is responsible for _______________________.
Power surge/over voltage (spike)
Single sign-on (SSO) product
Applying the proper classification to the data
Acceptable use policies
7. Should be a standard requirement for the service provider.
Residual risk would be reduced by a greater amount
Nondisclosure agreement (NDA)
Equal error rate (EER)
Background check
8. Provides strong online authentication.
Public key infrastructure (PKI)
Patch management process
Tailgating
Defining high-level business security requirements
9. A notice that guarantees a user or a web site is legitimate
include security responsibilities in a job description
Hacker
Digital certificate
Security awareness training for all employees
10. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Threat assessment
Impractical and is often cost-prohibitive
Data classification
Security awareness training for all employees
11. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
IP address packet filtering
Nondisclosure agreement (NDA)
Properly aligned with business goals and objectives
Compliance with the organization's information security requirements
12. The PRIMARY goal in developing an information security strategy is to: _________________________.
Worm
Proficiency testing
Support the business objectives of the organization
Defining and ratifying the classification structure of information assets
13. A repository of historical data organized by subject to support decision makers in the org
Virus detection
Annually or whenever there is a significant change
Data warehouse
All personnel
14. Provide metrics to which outsourcing firms can be held accountable.
Intrusion detection system (IDS)
Information security manager
Residual risk would be reduced by a greater amount
Service level agreements (SLAs)
15. Primarily reduce risk and are most effective for the protection of information assets.
The data owner
Background checks of prospective employees
Control effectiveness
Key controls
16. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Proficiency testing
Identify the relevant systems and processes
Certificate authority (CA)
Transmit e-mail messages
17. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Decentralization
Inherent risk
Asset classification
Detection defenses
18. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Acceptable use policies
Regulatory compliance
The board of directors and senior management
Two-factor authentication
19. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Vulnerability assessment
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Tie security risks to key business objectives
Performing a risk assessment
20. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Compliance with the organization's information security requirements
Identify the vulnerable systems and apply compensating controls
Retention of business records
What happened and how the breach was resolved
21. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Data isolation
Cyber terrorist
What happened and how the breach was resolved
Virus detection
22. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Classification of assets needs
Gain unauthorized access to applications
Data owners
Total cost of ownership (TCO)
23. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Properly aligned with business goals and objectives
Calculating the value of the information or asset
Prioritization
Risk management and the requirements of the organization
24. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
include security responsibilities in a job description
Asset classification
Key risk indicator (KRI) setup
Transmit e-mail messages
25. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Cost of control
Biometric access control systems
Monitoring processes
Worm
26. Ensure that transmitted information can be attributed to the named sender.
Control effectiveness
Data classification
Monitoring processes
Digital signatures
27. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Audit objectives
What happened and how the breach was resolved
Annually or whenever there is a significant change
Comparison of cost of achievement
28. Without _____________________ - there cannot be accountability.
Encryption key management
Well-defined roles and responsibilities
Key controls
The information security officer
29. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Monitoring processes
Risk assessment - evaluation and impact analysis
Residual risk
Centralized structure
30. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Support the business objectives of the organization
Access control matrix
Deeper level of analysis
The data owner
31. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Digital certificate
Breakeven point of risk reduction and cost
Impractical and is often cost-prohibitive
32. Someone who uses the internet or network to destroy or damage computers for political reasons
Countermeasure cost-benefit analysis
Owner of the information asset
Audit objectives
Cyber terrorist
33. Risk should be reduced to a level that an organization _____________.
Is willing to accept
The data owner
Return on security investment (ROSI)
The board of directors and senior management
34. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Monitoring processes
Do with the information it collects
The data owner
The board of directors and senior management
35. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Rule-based access control
Nondisclosure agreement (NDA)
Equal error rate (EER)
Threat assessment
36. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Baseline standard and then develop additional standards
Annual loss expectancy (ALE)calculations
Overall organizational structure
include security responsibilities in a job description
37. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Data owners
The authentication process is broken
Regulatory compliance
Properly aligned with business goals and objectives
38. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Cyber terrorist
Data mart
Detection defenses
39. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Defined objectives
Defining and ratifying the classification structure of information assets
Certificate authority (CA)
Monitoring processes
40. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Control effectiveness
Developing an information security baseline
Information contained on the equipment
41. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Two-factor authentication
Examples of containment defenses
Acceptable use policies
42. A Successful risk management should lead to a ________________.
Risk appetite
Encryption key management
Breakeven point of risk reduction and cost
Creation of a business continuity plan
43. A method for analyzing and reducing a relational database to its most streamlined form
Residual risk would be reduced by a greater amount
Consensus on risks and controls
Tailgating
Normalization
44. Someone who accesses a computer or network illegally
Transmit e-mail messages
Hacker
Gap analysis
Classification of assets needs
45. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Residual risk would be reduced by a greater amount
Do with the information it collects
Gap analysis
Access control matrix
46. Company or person you believe will not send a virus-infect file knowingly
Baseline standard and then develop additional standards
Trusted source
Defined objectives
MAL wear
47. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
What happened and how the breach was resolved
The balanced scorecard
Performing a risk assessment
Continuous analysis - monitoring and feedback
48. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Aligned with organizational goals
Assess the risks to the business operation
Data isolation
Identify the relevant systems and processes
49. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Data owners
Prioritization
Safeguards over keys
Identify the vulnerable systems and apply compensating controls
50. The best measure for preventing the unauthorized disclosure of confidential information.
Fault-tolerant computer
Identify the vulnerable systems and apply compensating controls
Acceptable use policies
Residual risk