SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Power surge/over voltage (spike)
Conduct a risk assessment
Risk assessment - evaluation and impact analysis
2. Occurs after the risk assessment process - it does not measure it.
Penetration testing
Use of security metrics
Audit objectives
Virus
3. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Total cost of ownership (TCO)
Owner of the information asset
Consensus on risks and controls
Internal risk assessment
4. Identification and _______________ of business risk enables project managers to address areas with most significance.
Assess the risks to the business operation
Prioritization
Information security manager
All personnel
5. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Assess the risks to the business operation
Digital certificate
Information security manager
6. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Data owners
Normalization
Performing a risk assessment
Internal risk assessment
7. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Virus detection
What happened and how the breach was resolved
Single sign-on (SSO) product
Retention of business records
8. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Key controls
Continuous analysis - monitoring and feedback
Information contained on the equipment
Aligned with organizational goals
9. The primary role of the information security manager in the process of information classification within the organization.
Data mart
Trusted source
Residual risk
Defining and ratifying the classification structure of information assets
10. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Owner of the information asset
Applying the proper classification to the data
Protective switch covers
Defining high-level business security requirements
11. Program that hides within or looks like a legit program
Trojan horse
Patch management
Equal error rate (EER)
Negotiating a local version of the organization standards
12. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Nondisclosure agreement (NDA)
Internal risk assessment
People
Transmit e-mail messages
13. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
BIA (Business Impact Assessment
Safeguards over keys
Internal risk assessment
Annual loss expectancy (ALE)calculations
14. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Transmit e-mail messages
Regulatory compliance
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Fault-tolerant computer
15. Occurs when the incoming level
Power surge/over voltage (spike)
Rule-based access control
Increase business value and confidence
Cracker
16. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Monitoring processes
Information contained on the equipment
Methodology used in the assessment
The balanced scorecard
17. Whenever personal data are transferred across national boundaries; ________________________ are required.
The awareness and agreement of the data subjects
The database administrator
Centralization of information security management
Access control matrix
18. Applications cannot access data associated with other apps
Hacker
Is willing to accept
Security awareness training for all employees
Data isolation
19. Cannot be minimized
Security risk
Developing an information security baseline
Inherent risk
Confidentiality
20. Culture has a significant impact on how information security will be implemented in a ______________________.
include security responsibilities in a job description
Logon banners
What happened and how the breach was resolved
Multinational organization
21. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Hacker
Identify the vulnerable systems and apply compensating controls
Patch management process
The database administrator
22. Only valid if assets have first been identified and appropriately valued.
Process of introducing changes to systems
Defining high-level business security requirements
Annual loss expectancy (ALE)calculations
Vulnerability assessment
23. All within the responsibility of the information security manager.
Biometric access control systems
Breakeven point of risk reduction and cost
Logon banners
Platform security - intrusion detection and antivirus controls
24. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Malicious software and spyware
Data mart
Virus
25. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Digital signatures
Continuous analysis - monitoring and feedback
Compliance with the organization's information security requirements
Tie security risks to key business objectives
26. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Patch management
Is willing to accept
Retention of business records
Security baselines
27. Has to be integrated into the requirements of every software application's design.
Encryption key management
The information security officer
Undervoltage (brownout)
Conduct a risk assessment
28. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Public key infrastructure (PKI)
Get senior management onboard
Security risk
Methodology used in the assessment
29. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Detection defenses
include security responsibilities in a job description
Information contained on the equipment
Data warehouse
30. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Conduct a risk assessment
Public key infrastructure (PKI)
Residual risk
31. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
SWOT analysis
Reduce risk to an acceptable level
Security code reviews for the entire software application
32. Should be determined from the risk assessment results.
Exceptions to policy
Continuous monitoring control initiatives
Background checks of prospective employees
Audit objectives
33. Responsible for securing the information.
Public key infrastructure (PKI)
The authentication process is broken
The data custodian
Defining high-level business security requirements
34. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Decentralization
Applying the proper classification to the data
Normalization
35. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Do with the information it collects
Key risk indicator (KRI) setup
Proficiency testing
Countermeasure cost-benefit analysis
36. Provide metrics to which outsourcing firms can be held accountable.
Script kiddie
Service level agreements (SLAs)
BIA (Business Impact Assessment
include security responsibilities in a job description
37. Company or person you believe will not send a virus-infect file knowingly
The balanced scorecard
Two-factor authentication
Detection defenses
Trusted source
38. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
The board of directors and senior management
Information security manager
Regular review of access control lists
Tie security risks to key business objectives
39. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Centralized structure
Public key infrastructure (PKI)
Two-factor authentication
40. Most effective for evaluating the degree to which information security objectives are being met.
Is willing to accept
Compliance with the organization's information security requirements
Impractical and is often cost-prohibitive
The balanced scorecard
41. When defining the information classification policy - the ___________________ need to be identified.
Security baselines
Role-based policy
Requirements of the data owners
Total cost of ownership (TCO)
42. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Role-based policy
Spoofing attacks
Developing an information security baseline
Negotiating a local version of the organization standards
43. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Consensus on risks and controls
MAL wear
Notifications and opt-out provisions
Transferred risk
44. Someone who accesses a computer or network illegally
Key controls
Continuous analysis - monitoring and feedback
Asset classification
Hacker
45. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
OBusiness case development
The awareness and agreement of the data subjects
Prioritization
SWOT analysis
46. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
include security responsibilities in a job description
Baseline standard and then develop additional standards
The data owner
47. Inject malformed input.
Cross-site scripting attacks
Asset classification
Role-based policy
Well-defined roles and responsibilities
48. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Control risk
Security code reviews for the entire software application
Acceptable use policies
49. The MOST important element of an information security strategy.
People
Defined objectives
The data owner
Security baselines
50. Uses security metrics to measure the performance of the information security program.
Access control matrix
Information security manager
Attributes and characteristics of the 'desired state'
Countermeasure cost-benefit analysis
