Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. The data owner is responsible for _______________________.
Applying the proper classification to the data
IP address packet filtering
Continuous analysis - monitoring and feedback
Owner of the information asset

2. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Assess the risks to the business operation
Two-factor authentication
Tailgating
include security responsibilities in a job description

3. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
OBusiness case development
Deeper level of analysis
SWOT analysis
Equal error rate (EER)

4. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Developing an information security baseline
Phishing
Spoofing attacks
Identify the relevant systems and processes

5. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Single sign-on (SSO) product
Creation of a business continuity plan
Encryption of the hard disks
Biometric access control systems

6. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Performing a risk assessment
Personal firewall
Prioritization
Return on security investment (ROSI)

7. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Patch management process
Access control matrix
Data owners

8. Reducing risk to a level too small to measure is _______________.
Defining and ratifying the classification structure of information assets
Safeguards over keys
Calculating the value of the information or asset
Impractical and is often cost-prohibitive

9. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Cost of control
Attributes and characteristics of the 'desired state'
OBusiness case development

10. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Impractical and is often cost-prohibitive
Protective switch covers
Requirements of the data owners
Certificate authority (CA)

11. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
People
Power surge/over voltage (spike)
Examples of containment defenses
Phishing

12. Oversees the overall classification management of the information.
Total cost of ownership (TCO)
What happened and how the breach was resolved
Safeguards over keys
The information security officer

13. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
A network vulnerability assessment
Residual risk
Centralization of information security management

14. Ensure that transmitted information can be attributed to the named sender.
Safeguards over keys
Information contained on the equipment
Trojan horse
Digital signatures

15. Someone who accesses a computer or network illegally
Intrusion detection system (IDS)
Continuous monitoring control initiatives
Developing an information security baseline
Hacker

16. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Data warehouse
Baseline standard and then develop additional standards
Total cost of ownership (TCO)
The balanced scorecard

17. Inject malformed input.
Cross-site scripting attacks
Encryption of the hard disks
Regulatory compliance
Rule-based access control

18. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Notifications and opt-out provisions
Developing an information security baseline
Trojan horse
Risk assessment - evaluation and impact analysis

19. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Penetration testing
Defining high-level business security requirements
Exceptions to policy
Virus detection

20. Utility program that detects and protects a personal computer from unauthorized intrusions
Nondisclosure agreement (NDA)
Normalization
Defining high-level business security requirements
Personal firewall

21. Computer that has duplicate components so it can continue to operate when one of its main components fail
Fault-tolerant computer
Service level agreements (SLAs)
Centralization of information security management
Multinational organization

22. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
Detection defenses
Performing a risk assessment
Increase business value and confidence

23. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Information security manager
Developing an information security baseline
Nondisclosure agreement (NDA)
Is willing to accept

24. Cannot be minimized
Inherent risk
Exceptions to policy
Digital certificate
Decentralization

25. Useful but only with regard to specific technical skills.
Audit objectives
Owner of the information asset
Virus detection
Proficiency testing

26. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Proficiency testing
Safeguards over keys
Information contained on the equipment
Resource dependency assessment

27. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Skills inventory
Identify the relevant systems and processes
Rule-based access control
Biometric access control systems

28. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
All personnel
The balanced scorecard
Threat assessment
Data owners

29. Provide metrics to which outsourcing firms can be held accountable.
Safeguards over keys
Knowledge management
Tailgating
Service level agreements (SLAs)

30. A function of the session keys distributed by the PKI.
Tie security risks to key business objectives
Consensus on risks and controls
Confidentiality
Security baselines

31. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Creation of a business continuity plan
The information security officer
Intrusion detection system (IDS)
Deeper level of analysis

32. Program that hides within or looks like a legit program
Certificate authority (CA)
Audit objectives
Notifications and opt-out provisions
Trojan horse

33. Has to be integrated into the requirements of every software application's design.
All personnel
Properly aligned with business goals and objectives
Encryption key management
A network vulnerability assessment

34. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Consensus on risks and controls
Skills inventory
0-day vulnerabilities

35. A Successful risk management should lead to a ________________.
Inherent risk
Transmit e-mail messages
Encryption of the hard disks
Breakeven point of risk reduction and cost

36. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Spoofing attacks
Acceptable use policies
Notifications and opt-out provisions
Exceptions to policy

37. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Undervoltage (brownout)
Monitoring processes
Equal error rate (EER)
Encryption key management

38. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Virus
Worm
Return on security investment (ROSI)
Do with the information it collects

39. Focuses on identifying vulnerabilities.
The board of directors and senior management
Annually or whenever there is a significant change
Fault-tolerant computer
Penetration testing

40. Normally addressed through antivirus and antispyware policies.
Decentralization
Owner of the information asset
Malicious software and spyware
Platform security - intrusion detection and antivirus controls

41. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Exceptions to policy
Gain unauthorized access to applications
Notifications and opt-out provisions
Calculating the value of the information or asset

42. Occurs when the incoming level
Equal error rate (EER)
Power surge/over voltage (spike)
Data warehouse
Continuous monitoring control initiatives

43. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
include security responsibilities in a job description
Calculating the value of the information or asset
Continuous analysis - monitoring and feedback
Key risk indicator (KRI) setup

44. It is easier to manage and control a _________________.
Centralized structure
Examples of containment defenses
The balanced scorecard
Control effectiveness

45. The job of the information security officer on a management team is to ___________________.
Assess the risks to the business operation
Owner of the information asset
Residual risk
Certificate authority (CA)

46. Needs to define the access rules - which is troublesome and error prone in large organizations.
Role-based access control
Rule-based access control
Data isolation
Background check

47. Would protect against spoofing an internal address but would not provide strong authentication.
IP address packet filtering
Control effectiveness
Tailgating
Creation of a business continuity plan

48. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Threat assessment
Phishing
Trusted source

49. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Comparison of cost of achievement
Virus
Creation of a business continuity plan
Encryption

50. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Trusted source
Its ability to reduce or eliminate business risks
Confidentiality
Regulatory compliance