Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times that the answers are obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
What happened and how the breach was resolved
Risk management and the requirements of the organization
Proficiency testing
2. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
The awareness and agreement of the data subjects
Data owners
Total cost of ownership (TCO)
A network vulnerability assessment
3. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Waterfall chart
Countermeasure cost-benefit analysis
The authentication process is broken
4. Reducing risk to a level too small to measure is _______________.
Service level agreements (SLAs)
Impractical and is often cost-prohibitive
The information security officer
People
5. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Encryption key management
Countermeasure cost-benefit analysis
Annual loss expectancy (ALE) calculations
Data classification
6. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Security risk
Regular review of access control lists
Patch management
Hacker
7. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Annual loss expectancy (ALE) calculations
Digital signatures
Monitoring processes
8. The PRIMARY goal in developing an information security strategy is to: _________________________.
A network vulnerability assessment
Impractical and is often cost-prohibitive
Alignment with business strategy
Support the business objectives of the organization
9. The MOST important component of a privacy policy. Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Identify the relevant systems and processes
Notifications and opt-out provisions
Virus detection
Performing a risk assessment
10. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
Power surge/over voltage (spike)
The board of directors and senior management
Single sign-on (SSO) product
11. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Cyber extortionist
Overall organizational structure
Developing an information security baseline
Tailgating
12. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Process of introducing changes to systems
Security code reviews for the entire software application
Residual risk
Detection defenses
13. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
People
Overall organizational structure
Continuous monitoring control initiatives
Gap analysis
14. Occurs when the electrical supply drops
Detection defenses
Undervoltage (brownout)
Penetration testing
Logon banners
15. Utility program that detects and protects a personal computer from unauthorized intrusions
Annual loss expectancy (ALE) calculations
Background check
Personal firewall
Get senior management onboard
16. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Retention of business records
Comparison of cost of achievement
Transmit e-mail messages
Requirements of the data owners
17. Awareness - training and physical security defenses.
Examples of containment defenses
Risk management and the requirements of the organization
Impractical and is often cost-prohibitive
The database administrator
18. Culture has a significant impact on how information security will be implemented in a ______________________.
Virus
Multinational organization
Data classification
Single sign-on (SSO) product
19. Someone who uses email as a vehicle for extortion; sends the company threatening emails indicating they will expose confidential information - launch a security exploit - etc.
Cyber extortionist
Transferred risk
Assess the risks to the business operation
What happened and how the breach was resolved
20. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
The authentication process is broken
Background checks of prospective employees
Background check
Breakeven point of risk reduction and cost
21. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures - but not in their prioritization.
Creation of a business continuity plan
Gain unauthorized access to applications
Normalization
Fault-tolerant computer
22. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
Include security responsibilities in a job description
Examples of containment defenses
Calculating the value of the information or asset
23. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Breakeven point of risk reduction and cost
Transferred risk
Service level agreements (SLAs)
Skills inventory
24. Has to be integrated into the requirements of every software application's design.
Digital certificate
Knowledge management
Encryption key management
Risk management and the requirements of the organization
25. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Properly aligned with business goals and objectives
Overall organizational structure
Key risk indicator (KRI) setup
Support the business objectives of the organization
26. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Risk assessment - evaluation and impact analysis
Hacker
Alignment with business strategy
27. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Security baselines
Annually or whenever there is a significant change
Trusted source
People
28. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
IP address packet filtering
People
Cross-site scripting attacks
Aligned with organizational goals
29. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
Monitoring processes
Notifications and opt-out provisions
Breakeven point of risk reduction and cost
30. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Encryption of the hard disks
Methodology used in the assessment
Centralization of information security management
31. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Virus detection
Comparison of cost of achievement
Safeguards over keys
Defining and ratifying the classification structure of information assets
32. By definition are not previously known and therefore are undetectable.
The balanced scorecard
0-day vulnerabilities
Consensus on risks and controls
Deeper level of analysis
33. Cannot be minimized
Inherent risk
Is willing to accept
Spoofing attacks
Risk assessment - evaluation and impact analysis
34. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Data warehouse
Retention of business records
Deeper level of analysis
Tailgating
35. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
The balanced scorecard
Single sign-on (SSO) product
Role-based policy
Identify the vulnerable systems and apply compensating controls
36. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Return on security investment (ROSI)
Business case development
Defined objectives
37. Programs that act without a user's knowledge and deliberately alter a computer's operations
Malware
Breakeven point of risk reduction and cost
Encryption key management
Encryption
38. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Increase business value and confidence
Calculating the value of the information or asset
Regular review of access control lists
39. Carries out the technical administration.
Do with the information it collects
Tailgating
The database administrator
Data isolation
40. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
IP address packet filtering
Encryption of the hard disks
Security risk
Worm
41. A method for analyzing and reducing a relational database to its most streamlined form
Penetration testing
Trojan horse
Normalization
Process of introducing changes to systems
42. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Proficiency testing
Cyber terrorist
Certificate authority (CA)
BIA (Business Impact Assessment)
43. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Classification of assets needs
BIA (Business Impact Assessment)
The information security officer
Defining and ratifying the classification structure of information assets
44. Only valid if assets have first been identified and appropriately valued.
Information contained on the equipment
Annual loss expectancy (ALE) calculations
Baseline standard and then develop additional standards
Normalization
45. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Confidentiality
Do with the information it collects
Breakeven point of risk reduction and cost
Certificate authority (CA)
46. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Waterfall chart
Notifications and opt-out provisions
Encryption of the hard disks
Two-factor authentication
47. The _____________________ is a severe omission and will greatly increase information security risk. It presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations.
The database administrator
Lack of change management
Security awareness training for all employees
Notifications and opt-out provisions
48. Uses security metrics to measure the performance of the information security program.
Assess the risks to the business operation
Increase business value and confidence
Information security manager
Virus detection
49. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Consensus on risks and controls
Data classification
All personnel
Retention of business records
50. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Hacker
Negotiating a local version of the organization standards
Stress testing
Alignment with business strategy