Test your basic knowledge | CISM: Certified Information Security Manager

Subjects: certifications, cism, it-skills

Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Focuses on identifying vulnerabilities.
Equal error rate (EER)
Internal risk assessment
Nondisclosure agreement (NDA)
Penetration testing
2. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Performing a risk assessment
Intrusion detection system (IDS)
Asset classification
Rule-based access control
3. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
The information security officer
The data custodian
The database administrator
Lack of change management
4. Uses security metrics to measure the performance of the information security program.
Return on security investment (ROSI)
Information security manager
Examples of containment defenses
Inherent risk
5. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Centralized structure
Waterfall chart
Asset classification
6. A notice that guarantees a user or a web site is legitimate
Digital certificate
Digital signatures
Encryption of the hard disks
Intrusion detection system (IDS)
7. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
Deeper level of analysis
BIA (Business Impact Assessment)
Inherent risk
8. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Gain unauthorized access to applications
Access control matrix
Vulnerability assessment
0-day vulnerabilities
9. Most effective for evaluating the degree to which information security objectives are being met.
Tailgating
Requirements of the data owners
The balanced scorecard
Return on security investment (ROSI)
10. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Intrusion detection system (IDS)
Continuous analysis - monitoring and feedback
Spoofing attacks
Digital certificate
11. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Properly aligned with business goals and objectives
Annually or whenever there is a significant change
Virus
SWOT analysis
12. Computer that has duplicate components so it can continue to operate when one of its main components fail
Overall organizational structure
Fault-tolerant computer
Normalization
Trusted source
13. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Total cost of ownership (TCO)
Cross-site scripting attacks
Is willing to accept
14. A Successful risk management should lead to a ________________.
Breakeven point of risk reduction and cost
Proficiency testing
Penetration testing
Risk management and the requirements of the organization
15. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Multinational organization
Audit objectives
Logon banners
16. Responsible for securing the information.
Defining high-level business security requirements
SWOT analysis
Creation of a business continuity plan
The data custodian
17. provides the most effective protection of data on mobile devices.
Overall organizational structure
Properly aligned with business goals and objectives
Encryption
Reduce risk to an acceptable level
18. A method for analyzing and reducing a relational database to its most streamlined form
Normalization
Breakeven point of risk reduction and cost
Two-factor authentication
Business case development
19. A function of the session keys distributed by the PKI.
Information contained on the equipment
The information security officer
Confidentiality
The authentication process is broken
20. Occurs when the electrical supply drops
Undervoltage (brownout)
Prioritization
Reduce risk to an acceptable level
Comparison of cost of achievement
21. Culture has a significant impact on how information security will be implemented in a ______________________.
Intrusion detection system (IDS)
Multinational organization
Key risk indicator (KRI) setup
Tailgating
22. The information security manager needs to prioritize the controls based on ________________________.
Get senior management onboard
Defined objectives
Risk management and the requirements of the organization
Equal error rate (EER)
23. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Increase business value and confidence
Control risk
Skills inventory
Tailgating
24. Occurs after the risk assessment process - it does not measure it.
Data warehouse
Data isolation
Use of security metrics
Residual risk
25. Primarily reduce risk and are most effective for the protection of information assets.
Key controls
Digital certificate
The database administrator
Acceptable use policies
26. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Virus
Transmit e-mail messages
Security baselines
27. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Total cost of ownership (TCO)
Data isolation
Access control matrix
What happened and how the breach was resolved
28. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Properly aligned with business goals and objectives
Intrusion detection system (IDS)
Monitoring processes
Owner of the information asset
29. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Certificate authority (CA)
Proficiency testing
Transferred risk
The board of directors and senior management
30. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
The information security officer
Gap analysis
Methodology used in the assessment
Digital certificate
31. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Patch management
Residual risk would be reduced by a greater amount
Penetration testing
Process of introducing changes to systems
32. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Total cost of ownership (TCO)
The balanced scorecard
Performing a risk assessment
Gap analysis
33. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Patch management
Gain unauthorized access to applications
Reduce risk to an acceptable level
Is willing to accept
34. A small warehouse - designed for the end-user needs in a strategic business unit
Worm
Data mart
Asset classification
Security risk
35. When defining the information classification policy - the ___________________ need to be identified.
Breakeven point of risk reduction and cost
Stress testing
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Requirements of the data owners
36. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Patch management
Business case development
Proficiency testing
Breakeven point of risk reduction and cost
37. The PRIMARY goal in developing an information security strategy is to: _________________________.
Waterfall chart
The board of directors and senior management
Support the business objectives of the organization
Confidentiality
38. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Malware
Malicious software and spyware
Transmit e-mail messages
Threat assessment
39. Only valid if assets have first been identified and appropriately valued.
Normalization
Do with the information it collects
Annual loss expectancy (ALE) calculations
Centralization of information security management
40. Should be performed to identify the risk and determine needed controls.
Classification of assets needs
Proficiency testing
Get senior management onboard
Internal risk assessment
41. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Decentralization
Trusted source
Virus
Exceptions to policy
42. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
The data owner
Tailgating
Threat assessment
What happened and how the breach was resolved
43. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Cyber extortionist
Knowledge management
Transferred risk
The database administrator
44. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Comparison of cost of achievement
Background checks of prospective employees
Hacker
The information security officer
45. New security vulnerabilities should be managed through a ________________.
Protective switch covers
Patch management process
Malicious software and spyware
Include security responsibilities in a job description
46. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Continuous analysis - monitoring and feedback
Regular review of access control lists
Hacker
Virus detection
47. A repository of historical data organized by subject to support decision makers in the organization
Data warehouse
The information security officer
Risk appetite
Trojan horse
48. Reducing risk to a level too small to measure is _______________.
Rule-based access control
Impractical and is often cost-prohibitive
Get senior management onboard
Knowledge management
49. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results - such as impact from a security incident and required response times.
Tie security risks to key business objectives
Well-defined roles and responsibilities
Rule-based access control
BIA (Business Impact Assessment)
50. Inject malformed input.
Support the business objectives of the organization
Virus detection
Normalization
Cross-site scripting attacks