SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. To identify known vulnerabilities based on common misconfigurations and missing updates.
Attributes and characteristics of the 'desired state'
A network vulnerability assessment
Cost of control
Defining and ratifying the classification structure of information assets
2. Ensure that transmitted information can be attributed to the named sender.
Compliance with the organization's information security requirements
Data mart
Digital signatures
Cyber extortionist
3. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Owner of the information asset
Performing a risk assessment
Encryption of the hard disks
Classification of assets needs
4. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Threat assessment
Monitoring processes
Overall organizational structure
Risk appetite
5. Someone who uses the internet or network to destroy or damage computers for political reasons
Residual risk
MAL wear
Key controls
Cyber terrorist
6. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis - monitoring and feedback
Negotiating a local version of the organization standards
Virus detection
Notifications and opt-out provisions
7. Useful but only with regard to specific technical skills.
Proficiency testing
Residual risk would be reduced by a greater amount
Is willing to accept
Defined objectives
8. Culture has a significant impact on how information security will be implemented in a ______________________.
MAL wear
Multinational organization
Data isolation
Identify the relevant systems and processes
9. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Virus
Transmit e-mail messages
Undervoltage (brownout)
Stress testing
10. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Countermeasure cost-benefit analysis
Role-based policy
Hacker
Notifications and opt-out provisions
11. provides the most effective protection of data on mobile devices.
Malicious software and spyware
The awareness and agreement of the data subjects
Impractical and is often cost-prohibitive
Encryption
12. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Owner of the information asset
Two-factor authentication
Cost of control
Regulatory compliance
13. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Developing an information security baseline
Role-based access control
Classification of assets needs
14. Same intent as a cracker but does not have the technical skills and knowledge
BIA (Business Impact Assessment
Access control matrix
Support the business objectives of the organization
Script kiddie
15. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Nondisclosure agreement (NDA)
Data classification
Control risk
Transferred risk
16. Company or person you believe will not send a virus-infect file knowingly
Trusted source
Increase business value and confidence
Malicious software and spyware
Impractical and is often cost-prohibitive
17. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Virus detection
Security awareness training for all employees
Lack of change management
Knowledge management
18. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The information security officer
Data mart
The board of directors and senior management
Data isolation
19. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Performing a risk assessment
Virus detection
Gap analysis
20. Ensures that there are no scalability problems.
Stress testing
Deeper level of analysis
Data warehouse
Identify the relevant systems and processes
21. Provide metrics to which outsourcing firms can be held accountable.
Security risk
SWOT analysis
Certificate authority (CA)
Service level agreements (SLAs)
22. A Successful risk management should lead to a ________________.
Breakeven point of risk reduction and cost
Audit objectives
Reduce risk to an acceptable level
Phishing
23. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Data mart
Centralization of information security management
Information contained on the equipment
Confidentiality
24. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Tie security risks to key business objectives
Gap analysis
Negotiating a local version of the organization standards
Encryption of the hard disks
25. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Two-factor authentication
Public key infrastructure (PKI)
Process of introducing changes to systems
Classification of assets needs
26. Provides process needs but not impact.
Resource dependency assessment
Cost of control
Confidentiality
Access control matrix
27. Should be determined from the risk assessment results.
Audit objectives
Detection defenses
What happened and how the breach was resolved
Support the business objectives of the organization
28. Program that hides within or looks like a legit program
Regulatory compliance
Trojan horse
Public key infrastructure (PKI)
Access control matrix
29. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Patch management process
Comparison of cost of achievement
Data owners
Asset classification
30. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Owner of the information asset
Consensus on risks and controls
Malicious software and spyware
Encryption of the hard disks
31. Information security governance models are highly dependent on the _____________________.
Conduct a risk assessment
Overall organizational structure
Power surge/over voltage (spike)
Inherent risk
32. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Background checks of prospective employees
Decentralization
What happened and how the breach was resolved
Malicious software and spyware
33. Primarily reduce risk and are most effective for the protection of information assets.
OBusiness case development
Key controls
Service level agreements (SLAs)
Risk appetite
34. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
OBusiness case development
Residual risk would be reduced by a greater amount
include security responsibilities in a job description
Biometric access control systems
35. Provides strong online authentication.
Acceptable use policies
Public key infrastructure (PKI)
Identify the relevant systems and processes
Increase business value and confidence
36. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
The data custodian
Security awareness training for all employees
Cyber extortionist
Confidentiality
37. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Nondisclosure agreement (NDA)
Protective switch covers
Reduce risk to an acceptable level
Defined objectives
38. Occurs when the electrical supply drops
Support the business objectives of the organization
Undervoltage (brownout)
Classification of assets needs
Threat assessment
39. BEST option to improve accountability for a system administrator is to _____________________.
Gain unauthorized access to applications
Virus detection
Biometric access control systems
include security responsibilities in a job description
40. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Digital certificate
Defining high-level business security requirements
Public key infrastructure (PKI)
Logon banners
41. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Data classification
Encryption key management
Script kiddie
42. Should be a standard requirement for the service provider.
Background check
Gap analysis
Defining high-level business security requirements
Fault-tolerant computer
43. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Compliance with the organization's information security requirements
Risk appetite
Regular review of access control lists
Trojan horse
44. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Knowledge management
Defining high-level business security requirements
Owner of the information asset
45. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Penetration testing
Cross-site scripting attacks
Alignment with business strategy
MAL wear
46. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Background checks of prospective employees
Gap analysis
Audit objectives
47. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Continuous analysis - monitoring and feedback
Classification of assets needs
Patch management
Aligned with organizational goals
48. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE)calculations
Certificate authority (CA)
Cyber terrorist
Compliance with the organization's information security requirements
49. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Certificate authority (CA)
Vulnerability assessment
Defining high-level business security requirements
Data classification
50. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Information security manager
Encryption key management
Worm