Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Total cost of ownership (TCO)
Undervoltage (brownout)
Its ability to reduce or eliminate business risks
Acceptable use policies
2. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Residual risk
Decentralization
Information contained on the equipment
0-day vulnerabilities
3. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
People
Power surge/over voltage (spike)
Virus
Virus detection
4. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Information security manager
Cost of control
Access control matrix
Gain unauthorized access to applications
5. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Encryption of the hard disks
Baseline standard and then develop additional standards
Key risk indicator (KRI) setup
Transmit e-mail messages
6. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis - monitoring and feedback
Cracker
Strategic alignment of security with business objectives
Conduct a risk assessment
7. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Attributes and characteristics of the 'desired state'
Applying the proper classification to the data
Worm
Two-factor authentication
8. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
9. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
Intrusion detection system (IDS)
Data warehouse
IP address packet filtering
10. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Malware
Regulatory compliance
Return on security investment (ROSI)
The information security officer
11. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Personal firewall
Digital signatures
Negotiating a local version of the organization standards
Two-factor authentication
12. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Role-based policy
Power surge/over voltage (spike)
Biometric access control systems
Key risk indicator (KRI) setup
13. Has to be integrated into the requirements of every software application's design.
Encryption key management
Background check
Trojan horse
Spoofing attacks
14. A function of the session keys distributed by the PKI.
Cost of control
The data custodian
Confidentiality
Regular review of access control lists
15. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Exceptions to policy
Confidentiality
Key risk indicator (KRI) setup
Centralized structure
16. Successful risk management should lead to a ________________.
Skills inventory
Breakeven point of risk reduction and cost
Assess the risks to the business operation
Acceptable use policies
17. Identification and _______________ of business risk enables project managers to address areas with most significance.
Exceptions to policy
Prioritization
Continuous analysis - monitoring and feedback
Inherent risk
18. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Two-factor authentication
Proficiency testing
Role-based access control
Regular review of access control lists
19. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Creation of a business continuity plan
The awareness and agreement of the data subjects
Cost of control
20. New security vulnerabilities should be managed through a ________________.
The authentication process is broken
Security baselines
Intrusion detection system (IDS)
Patch management process
21. Should be performed to identify the risk and determine needed controls.
Cross-site scripting attacks
Internal risk assessment
Skills inventory
Vulnerability assessment
22. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Power surge/over voltage (spike)
Safeguards over keys
Process of introducing changes to systems
23. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Encryption
Continuous analysis - monitoring and feedback
Gap analysis
24. Only valid if assets have first been identified and appropriately valued.
Phishing
Data owners
Annual loss expectancy (ALE) calculations
People
25. Occurs when the incoming level
Impractical and is often cost-prohibitive
Owner of the information asset
Deeper level of analysis
Power surge/over voltage (spike)
26. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Access control matrix
Consensus on risks and controls
Normalization
Reduce risk to an acceptable level
27. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Strategic alignment of security with business objectives
Equal error rate (EER)
Residual risk would be reduced by a greater amount
BIA (Business Impact Assessment)
28. Program that hides within or looks like a legit program
Well-defined roles and responsibilities
Knowledge management
Cyber extortionist
Trojan horse
29. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Well-defined roles and responsibilities
Negotiating a local version of the organization standards
Undervoltage (brownout)
Creation of a business continuity plan
30. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Defining and ratifying the classification structure of information assets
Multinational organization
Worm
31. Ensures that there are no scalability problems.
Monitoring processes
Stress testing
Vulnerability assessment
Annually or whenever there is a significant change
32. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Developing an information security baseline
Tailgating
Personal firewall
Alignment with business strategy
33. Carries out the technical administration.
Deeper level of analysis
Support the business objectives of the organization
Return on security investment (ROSI)
The database administrator
34. By definition are not previously known and therefore are undetectable.
Public key infrastructure (PKI)
0-day vulnerabilities
Threat assessment
Background check
35. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Audit objectives
What happened and how the breach was resolved
Rule-based access control
36. Focuses on identifying vulnerabilities.
Penetration testing
Strategic alignment of security with business objectives
Control risk
Properly aligned with business goals and objectives
37. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Centralization of information security management
Process of introducing changes to systems
Properly aligned with business goals and objectives
Threat assessment
38. It is easier to manage and control a _________________.
Classification of assets needs
Reduce risk to an acceptable level
Centralized structure
Get senior management onboard
39. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results - such as impact from a security incident and required response times.
Information security manager
Risk assessment - evaluation and impact analysis
BIA (Business Impact Assessment)
Undervoltage (brownout)
40. A process that helps organizations manipulate important knowledge that is part of the organization's memory
What happened and how the breach was resolved
Fault-tolerant computer
Knowledge management
Breakeven point of risk reduction and cost
41. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Spoofing attacks
SWOT analysis
The data owner
Transferred risk
42. Reducing risk to a level too small to measure is _______________.
Worm
Impractical and is often cost-prohibitive
Return on security investment (ROSI)
Virus
43. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Malicious software and spyware
Regular review of access control lists
The board of directors and senior management
Monitoring processes
44. An information security manager has to impress upon the human resources department the need for _____________________.
Platform security - intrusion detection and antivirus controls
Breakeven point of risk reduction and cost
Security awareness training for all employees
Annual loss expectancy (ALE) calculations
45. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
Is willing to accept
Skills inventory
Nondisclosure agreement (NDA)
46. Should be determined from the risk assessment results.
Audit objectives
Total cost of ownership (TCO)
Deeper level of analysis
Is willing to accept
47. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
Aligned with organizational goals
Data warehouse
Security baselines
48. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Detection defenses
Transferred risk
Deeper level of analysis
Creation of a business continuity plan
49. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Annual loss expectancy (ALE) calculations
Vulnerability assessment
The database administrator
50. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Fault-tolerant computer
Single sign-on (SSO) product
The data custodian
Phishing