Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Computer that has duplicate components so it can continue to operate when one of its main components fail
Baseline standard and then develop additional standards
Information contained on the equipment
Fault-tolerant computer
Well-defined roles and responsibilities

2. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Two-factor authentication
Process of introducing changes to systems
Detection defenses
The data owner

3. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Data mart
OBusiness case development
Use of security metrics
All personnel

4. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Developing an information security baseline
Impractical and is often cost-prohibitive
Data isolation
Do with the information it collects

5. A Successful risk management should lead to a ________________.
Phishing
Breakeven point of risk reduction and cost
Single sign-on (SSO) product
Classification of assets needs

6. Has full responsibility over data.
All personnel
The data owner
Cyber extortionist
Well-defined roles and responsibilities

7. Has to be integrated into the requirements of every software application's design.
BIA (Business Impact Assessment
Public key infrastructure (PKI)
Waterfall chart
Encryption key management

8. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Centralization of information security management
SWOT analysis
Negotiating a local version of the organization standards
Cryptographic secure sockets layer (SSL) implementations and short key lengths

9. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Performing a risk assessment
Lack of change management
Vulnerability assessment
Examples of containment defenses

10. Would protect against spoofing an internal address but would not provide strong authentication.
Penetration testing
IP address packet filtering
Tie security risks to key business objectives
Do with the information it collects

11. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
Methodology used in the assessment
Security baselines
Encryption of the hard disks

12. Program that hides within or looks like a legit program
Total cost of ownership (TCO)
Data warehouse
Trojan horse
Patch management

13. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Gap analysis
Information contained on the equipment
The awareness and agreement of the data subjects

14. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Platform security - intrusion detection and antivirus controls
Overall organizational structure
Classification of assets needs
Support the business objectives of the organization

15. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Multinational organization
Centralization of information security management
Encryption key management
Countermeasure cost-benefit analysis

16. New security ulnerabilities should be managed through a ________________.
Encryption
Patch management process
Proficiency testing
Centralized structure

17. Someone who accesses a computer or network illegally
Data warehouse
Multinational organization
The data owner
Hacker

18. Responsible for securing the information.
Defining high-level business security requirements
The data custodian
Fault-tolerant computer
Normalization

19. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Security awareness training for all employees
All personnel
Vulnerability assessment
Exceptions to policy

20. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Acceptable use policies
Reduce risk to an acceptable level
Asset classification
Lack of change management

21. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Virus detection
Properly aligned with business goals and objectives
Key risk indicator (KRI) setup
Resource dependency assessment

22. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Monitoring processes
Its ability to reduce or eliminate business risks
All personnel
Resource dependency assessment

23. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Defined objectives
Its ability to reduce or eliminate business risks
Decentralization
Increase business value and confidence

24. A method for analyzing and reducing a relational database to its most streamlined form
Identify the vulnerable systems and apply compensating controls
Normalization
Encryption
Breakeven point of risk reduction and cost

25. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
0-day vulnerabilities
Well-defined roles and responsibilities
Compliance with the organization's information security requirements
Risk appetite

26. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Return on security investment (ROSI)
Developing an information security baseline
People
Cyber terrorist

27. Whenever personal data are transferred across national boundaries; ________________________ are required.
Retention of business records
Assess the risks to the business operation
Support the business objectives of the organization
The awareness and agreement of the data subjects

28. Focuses on identifying vulnerabilities.
Penetration testing
Undervoltage (brownout)
Developing an information security baseline
Two-factor authentication

29. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Data isolation
Cyber extortionist
Monitoring processes
Consensus on risks and controls

30. Utility program that detects and protects a personal computer from unauthorized intrusions
Personal firewall
Gain unauthorized access to applications
Risk appetite
Annual loss expectancy (ALE)calculations

31. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Security baselines
Transmit e-mail messages
Waterfall chart
Service level agreements (SLAs)

32. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Attributes and characteristics of the 'desired state'
Do with the information it collects
Safeguards over keys
Performing a risk assessment

33. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Countermeasure cost-benefit analysis
Consensus on risks and controls
Support the business objectives of the organization
Get senior management onboard

34. Cannot be minimized
The balanced scorecard
Vulnerability assessment
Inherent risk
Prioritization

35. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Risk appetite
Threat assessment
Its ability to reduce or eliminate business risks
Proficiency testing

36. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Consensus on risks and controls
Prioritization
Performing a risk assessment
Information contained on the equipment

37. Inject malformed input.
Retention of business records
Conduct a risk assessment
Cross-site scripting attacks
Data isolation

38. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Return on security investment (ROSI)
Data owners
Two-factor authentication
Worm

39. Used to understand the flow of one process into another.
Continuous analysis - monitoring and feedback
Waterfall chart
Security baselines
Spoofing attacks

40. S small warehouse - designed for the end-user needs in a strategic business unit
Transferred risk
Biometric access control systems
Monitoring processes
Data mart

41. Occurs when the electrical supply drops
Continuous analysis - monitoring and feedback
Undervoltage (brownout)
Notifications and opt-out provisions
Data isolation

42. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Get senior management onboard
Security awareness training for all employees
Encryption of the hard disks
IP address packet filtering

43. Accesses a computer or network illegally
Cracker
Biometric access control systems
Encryption
The board of directors and senior management

44. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Service level agreements (SLAs)
Data classification
Skills inventory
Owner of the information asset

45. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Undervoltage (brownout)
0-day vulnerabilities
Its ability to reduce or eliminate business risks
Equal error rate (EER)

46. A function of the session keys distributed by the PKI.
Risk appetite
Confidentiality
Centralized structure
Deeper level of analysis

47. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Digital signatures
Role-based access control
Audit objectives
Threat assessment

48. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Encryption
Centralization of information security management
Requirements of the data owners
Gain unauthorized access to applications

49. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Assess the risks to the business operation
Process of introducing changes to systems
Reduce risk to an acceptable level
Attributes and characteristics of the 'desired state'

50. Useful but only with regard to specific technical skills.
Proficiency testing
Tailgating
Role-based policy
Information contained on the equipment