SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Has full responsibility over data.
Control risk
The data owner
Assess the risks to the business operation
What happened and how the breach was resolved
2. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Annually or whenever there is a significant change
Tie security risks to key business objectives
Normalization
Regular review of access control lists
3. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Skills inventory
Performing a risk assessment
Data classification
Alignment with business strategy
4. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Single sign-on (SSO) product
Data owners
Increase business value and confidence
The balanced scorecard
5. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Assess the risks to the business operation
0-day vulnerabilities
Developing an information security baseline
Its ability to reduce or eliminate business risks
6. ecurity design flaws require a ____________________.
Nondisclosure agreement (NDA)
Trusted source
Deeper level of analysis
The data custodian
7. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Process of introducing changes to systems
Continuous monitoring control initiatives
What happened and how the breach was resolved
Support the business objectives of the organization
8. provides the most effective protection of data on mobile devices.
IP address packet filtering
Encryption
The board of directors and senior management
Risk assessment - evaluation and impact analysis
9. Program that hides within or looks like a legit program
Control effectiveness
Monitoring processes
Virus
Trojan horse
10. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Creation of a business continuity plan
Encryption of the hard disks
Regulatory compliance
Attributes and characteristics of the 'desired state'
11. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Conduct a risk assessment
Examples of containment defenses
Encryption of the hard disks
Background checks of prospective employees
12. Whenever personal data are transferred across national boundaries; ________________________ are required.
Defining and ratifying the classification structure of information assets
Deeper level of analysis
Defined objectives
The awareness and agreement of the data subjects
13. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Annually or whenever there is a significant change
Virus
Examples of containment defenses
14. An information security manager has to impress upon the human resources department the need for _____________________.
Impractical and is often cost-prohibitive
Encryption of the hard disks
Continuous monitoring control initiatives
Security awareness training for all employees
15. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Encryption
What happened and how the breach was resolved
Control risk
Get senior management onboard
16. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Strategic alignment of security with business objectives
Spoofing attacks
Role-based policy
Background checks of prospective employees
17. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Lack of change management
Control risk
The board of directors and senior management
18. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
BIA (Business Impact Assessment
SWOT analysis
The board of directors and senior management
Waterfall chart
19. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Security risk
Cost of control
Centralization of information security management
Properly aligned with business goals and objectives
20. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment - evaluation and impact analysis
Return on security investment (ROSI)
Get senior management onboard
Support the business objectives of the organization
21. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Personal firewall
Regulatory compliance
Assess the risks to the business operation
SWOT analysis
22. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Inherent risk
Intrusion detection system (IDS)
Skills inventory
Digital signatures
23. To identify known vulnerabilities based on common misconfigurations and missing updates.
Access control matrix
A network vulnerability assessment
Platform security - intrusion detection and antivirus controls
Asset classification
24. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Rule-based access control
Methodology used in the assessment
Cyber terrorist
Information contained on the equipment
25. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
The authentication process is broken
The board of directors and senior management
All personnel
Countermeasure cost-benefit analysis
26. Normally addressed through antivirus and antispyware policies.
Cracker
The board of directors and senior management
Get senior management onboard
Malicious software and spyware
27. Oversees the overall classification management of the information.
Nondisclosure agreement (NDA)
Vulnerability assessment
Risk appetite
The information security officer
28. A method for analyzing and reducing a relational database to its most streamlined form
Use of security metrics
Normalization
Examples of containment defenses
The database administrator
29. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Encryption of the hard disks
Centralized structure
Well-defined roles and responsibilities
30. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Performing a risk assessment
Tailgating
Patch management process
OBusiness case development
31. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Knowledge management
Lack of change management
Examples of containment defenses
Cryptographic secure sockets layer (SSL) implementations and short key lengths
32. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Risk management and the requirements of the organization
Asset classification
Role-based access control
Information security manager
33. Needs to define the access rules - which is troublesome and error prone in large organizations.
OBusiness case development
Service level agreements (SLAs)
Rule-based access control
MAL wear
34. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Phishing
Worm
Return on security investment (ROSI)
35. Occurs when the electrical supply drops
Retention of business records
Undervoltage (brownout)
Information contained on the equipment
The information security officer
36. When the ________________ is more than the cost of the risk - the risk should be accepted.
Aligned with organizational goals
Cost of control
Detection defenses
Compliance with the organization's information security requirements
37. Accesses a computer or network illegally
Cracker
SWOT analysis
Multinational organization
Resource dependency assessment
38. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Centralization of information security management
Key risk indicator (KRI) setup
Undervoltage (brownout)
Overall organizational structure
39. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control risk
Waterfall chart
Protective switch covers
Control effectiveness
40. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Total cost of ownership (TCO)
Overall organizational structure
Negotiating a local version of the organization standards
Is willing to accept
41. Used to understand the flow of one process into another.
Tie security risks to key business objectives
Certificate authority (CA)
Requirements of the data owners
Waterfall chart
42. Without _____________________ - there cannot be accountability.
MAL wear
Well-defined roles and responsibilities
OBusiness case development
Continuous analysis - monitoring and feedback
43. Someone who uses the internet or network to destroy or damage computers for political reasons
Fault-tolerant computer
Intrusion detection system (IDS)
Negotiating a local version of the organization standards
Cyber terrorist
44. The information security manager needs to prioritize the controls based on ________________________.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Encryption of the hard disks
Patch management process
Risk management and the requirements of the organization
45. All within the responsibility of the information security manager.
Multinational organization
Security baselines
Regular review of access control lists
Platform security - intrusion detection and antivirus controls
46. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Risk management and the requirements of the organization
Continuous monitoring control initiatives
OBusiness case development
Two-factor authentication
47. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
The awareness and agreement of the data subjects
Strategic alignment of security with business objectives
Phishing
48. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Key risk indicator (KRI) setup
Virus
Lack of change management
Control risk
49. New security ulnerabilities should be managed through a ________________.
Patch management process
Consensus on risks and controls
Security risk
Retention of business records
50. A function of the session keys distributed by the PKI.
Conduct a risk assessment
The information security officer
Spoofing attacks
Confidentiality
