Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.

1. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
2. Information security governance models are highly dependent on the _____________________.
3. Also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law.

4. Useful but only with regard to specific technical skills.
5. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
6. The primary role of the information security manager in the process of information classification within the organization.
7. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i

8. Programs that act without a user's knowledge and deliberately alter a computer's operations
9. Ensure that transmitted information can be attributed to the named sender.
10. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information, exploit security launch, etc.

11. Whenever personal data are transferred across national boundaries, ________________________ are required.

12. A repository of historical data organized by subject to support decision makers in the organization.

13. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
14. A key indicator of performance measurement.
15. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
16. Should be determined from the risk assessment results.
17. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
18. Primarily reduce risk and are most effective for the protection of information assets.
19. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
20. A function of the session keys distributed by the PKI.
21. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
22. Provides strong online authentication.
23. Has full responsibility over data.
24. By definition are not previously known and therefore are undetectable.
25. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.

26. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
27. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.

28. When the ________________ is more than the cost of the risk, the risk should be accepted.

29. Culture has a significant impact on how information security will be implemented in a ______________________.
30. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information.

31. Are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (type I error rate), where the system will be more prone to err by denying access to a valid user, or erring and allowing

32. Occurs after the risk assessment process; it does not measure it.

33. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
34. Someone who uses the internet or network to destroy or damage computers for political reasons
35. Utility program that detects and protects a personal computer from unauthorized intrusions
36. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.

37. The PRIMARY goal in developing an information security strategy is to: _________________________.
38. BEST option to improve accountability for a system administrator is to _____________________.
39. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
40. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
41. Occurs when the electrical supply drops
42. It is easier to manage and control a _________________.
43. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
44. Provide metrics to which outsourcing firms can be held accountable.
45. Should PRIMARILY be based on regulatory and legal requirements.
46. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
47. Without _____________________, there cannot be accountability.

48. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.

49. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.

50. The weakest link in security implementation, and awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and sensitized on various security policies and other security topics, thus e