SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
Warning
: Invalid argument supplied for foreach() in
/var/www/html/basicversity.com/show_quiz.php
on line
183
2. When defining the information classification policy - the ___________________ need to be identified.
Stress testing
Requirements of the data owners
Asset classification
Get senior management onboard
3. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
OBusiness case development
Continuous analysis - monitoring and feedback
Countermeasure cost-benefit analysis
Two-factor authentication
4. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Requirements of the data owners
The information security officer
Gap analysis
The awareness and agreement of the data subjects
5. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Personal firewall
Rule-based access control
Service level agreements (SLAs)
6. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
Use of security metrics
Retention of business records
Intrusion detection system (IDS)
7. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Script kiddie
Malicious software and spyware
OBusiness case development
Knowledge management
8. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Tailgating
Do with the information it collects
Defining and ratifying the classification structure of information assets
Owner of the information asset
9. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Cyber terrorist
Inherent risk
Regulatory compliance
Consensus on risks and controls
10. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Role-based policy
Stress testing
Exceptions to policy
11. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
BIA (Business Impact Assessment
Patch management
Examples of containment defenses
Regular review of access control lists
12. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Properly aligned with business goals and objectives
Penetration testing
Digital signatures
Well-defined roles and responsibilities
13. The most important characteristic of good security policies is that they be ____________________.
Use of security metrics
BIA (Business Impact Assessment
Inherent risk
Aligned with organizational goals
14. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Risk assessment - evaluation and impact analysis
Virus detection
Performing a risk assessment
Well-defined roles and responsibilities
15. Useful but only with regard to specific technical skills.
Malicious software and spyware
Proficiency testing
Certificate authority (CA)
The authentication process is broken
16. To identify known vulnerabilities based on common misconfigurations and missing updates.
Aligned with organizational goals
Control risk
A network vulnerability assessment
Multinational organization
17. Occurs when the incoming level
Identify the relevant systems and processes
Power surge/over voltage (spike)
Consensus on risks and controls
Data isolation
18. New security ulnerabilities should be managed through a ________________.
Knowledge management
Assess the risks to the business operation
Residual risk would be reduced by a greater amount
Patch management process
19. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
include security responsibilities in a job description
Stress testing
Spoofing attacks
Its ability to reduce or eliminate business risks
20. A notice that guarantees a user or a web site is legitimate
Hacker
Security baselines
Requirements of the data owners
Digital certificate
21. Occurs after the risk assessment process - it does not measure it.
Use of security metrics
Identify the vulnerable systems and apply compensating controls
Performing a risk assessment
Skills inventory
22. Occurs when the electrical supply drops
Aligned with organizational goals
Control effectiveness
The authentication process is broken
Undervoltage (brownout)
23. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Is willing to accept
Patch management process
SWOT analysis
Tailgating
24. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Impractical and is often cost-prohibitive
Developing an information security baseline
Security baselines
Data owners
25. A method for analyzing and reducing a relational database to its most streamlined form
Monitoring processes
Defined objectives
Multinational organization
Normalization
26. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Key controls
Attributes and characteristics of the 'desired state'
Stress testing
27. Company or person you believe will not send a virus-infect file knowingly
Identify the relevant systems and processes
Trusted source
Control risk
Centralized structure
28. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Confidentiality
Normalization
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Access control matrix
29. The MOST important element of an information security strategy.
Attributes and characteristics of the 'desired state'
Defined objectives
Penetration testing
Risk management and the requirements of the organization
30. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Classification of assets needs
Breakeven point of risk reduction and cost
Continuous analysis - monitoring and feedback
31. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Trojan horse
The database administrator
Data warehouse
Cryptographic secure sockets layer (SSL) implementations and short key lengths
32. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
What happened and how the breach was resolved
Regulatory compliance
Information contained on the equipment
Total cost of ownership (TCO)
33. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Information contained on the equipment
Countermeasure cost-benefit analysis
Residual risk
Cyber extortionist
34. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Residual risk would be reduced by a greater amount
Negotiating a local version of the organization standards
Trusted source
0-day vulnerabilities
35. The data owner is responsible for _______________________.
The authentication process is broken
Notifications and opt-out provisions
Patch management
Applying the proper classification to the data
36. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Cyber terrorist
Annually or whenever there is a significant change
Gain unauthorized access to applications
Well-defined roles and responsibilities
37. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Intrusion detection system (IDS)
Role-based access control
Increase business value and confidence
Residual risk would be reduced by a greater amount
38. It is easier to manage and control a _________________.
Requirements of the data owners
Centralized structure
Residual risk would be reduced by a greater amount
Alignment with business strategy
39. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Resource dependency assessment
Annual loss expectancy (ALE)calculations
Gap analysis
40. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cyber extortionist
Asset classification
Residual risk would be reduced by a greater amount
Data mart
41. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Security awareness training for all employees
Gain unauthorized access to applications
Encryption of the hard disks
Decentralization
42. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Impractical and is often cost-prohibitive
Cracker
Intrusion detection system (IDS)
Background check
43. Would protect against spoofing an internal address but would not provide strong authentication.
Tailgating
Breakeven point of risk reduction and cost
Support the business objectives of the organization
IP address packet filtering
44. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Worm
Proficiency testing
What happened and how the breach was resolved
Tailgating
45. Provides process needs but not impact.
Personal firewall
Resource dependency assessment
Equal error rate (EER)
Aligned with organizational goals
46. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Encryption of the hard disks
Decentralization
Detection defenses
Control effectiveness
47. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Skills inventory
Applying the proper classification to the data
Exceptions to policy
Process of introducing changes to systems
48. BEST option to improve accountability for a system administrator is to _____________________.
The awareness and agreement of the data subjects
include security responsibilities in a job description
The information security officer
Data owners
49. Cannot be minimized
Stress testing
Do with the information it collects
Support the business objectives of the organization
Inherent risk
50. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Consensus on risks and controls
Security awareness training for all employees
Continuous analysis - monitoring and feedback
Countermeasure cost-benefit analysis