Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Gain unauthorized access to applications
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Identify the vulnerable systems and apply compensating controls
Detection defenses

2. Reducing risk to a level too small to measure is _______________.
Deeper level of analysis
Lack of change management
Risk management and the requirements of the organization
Impractical and is often cost-prohibitive

3. Normally addressed through antivirus and antispyware policies.
Encryption
Penetration testing
Cross-site scripting attacks
Malicious software and spyware

4. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
Risk management and the requirements of the organization
Alignment with business strategy
Knowledge management

5. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
A network vulnerability assessment
Power surge/over voltage (spike)
Security baselines
Monitoring processes

6. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Consensus on risks and controls
Control effectiveness
Support the business objectives of the organization
Comparison of cost of achievement

7. Primarily reduce risk and are most effective for the protection of information assets.
The information security officer
The data owner
Security awareness training for all employees
Key controls

8. Occurs when the incoming level
Power surge/over voltage (spike)
A network vulnerability assessment
Cross-site scripting attacks
Reduce risk to an acceptable level

9. Identification and _______________ of business risk enables project managers to address areas with most significance.
Data warehouse
Proficiency testing
Prioritization
The data owner

10. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Properly aligned with business goals and objectives
Two-factor authentication
Acceptable use policies
Key risk indicator (KRI) setup

11. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Its ability to reduce or eliminate business risks
Security risk
Key controls
Role-based access control

12. Should be determined from the risk assessment results.
Risk management and the requirements of the organization
Waterfall chart
Audit objectives
Baseline standard and then develop additional standards

13. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Impractical and is often cost-prohibitive
Virus
Key controls
Decentralization

14. Computer that has duplicate components so it can continue to operate when one of its main components fail
Fault-tolerant computer
Developing an information security baseline
Return on security investment (ROSI)
Key controls

15. The information security manager needs to prioritize the controls based on ________________________.
Encryption key management
Information security manager
Risk management and the requirements of the organization
The authentication process is broken

16. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Background check
Stress testing
Increase business value and confidence
Hacker

17. Awareness - training and physical security defenses.
Properly aligned with business goals and objectives
Examples of containment defenses
What happened and how the breach was resolved
Decentralization

18. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
The database administrator
Fault-tolerant computer
Defining high-level business security requirements
Transferred risk

19. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cyber extortionist
Confidentiality
Do with the information it collects
Acceptable use policies

20. To identify known vulnerabilities based on common misconfigurations and missing updates.
What happened and how the breach was resolved
Data isolation
Annual loss expectancy (ALE)calculations
A network vulnerability assessment

21. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Internal risk assessment
Data mart
Access control matrix
Threat assessment

22. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Access control matrix
BIA (Business Impact Assessment
Developing an information security baseline

23. Programs that act without a user's knowledge and deliberately alter a computer's operations
Virus detection
MAL wear
Cracker
Negotiating a local version of the organization standards

24. Responsible for securing the information.
Key risk indicator (KRI) setup
Waterfall chart
The data owner
The data custodian

25. A method for analyzing and reducing a relational database to its most streamlined form
Normalization
Digital signatures
Role-based policy
Threat assessment

26. It is easier to manage and control a _________________.
Information security manager
Detection defenses
Centralized structure
Residual risk would be reduced by a greater amount

27. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Control effectiveness
Risk appetite
Residual risk
Comparison of cost of achievement

28. Occurs when the electrical supply drops
Undervoltage (brownout)
Threat assessment
Malicious software and spyware
Data owners

29. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Internal risk assessment
Reduce risk to an acceptable level
Tailgating
Owner of the information asset

30. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Equal error rate (EER)
Centralization of information security management
The data owner
Access control matrix

31. Occurs after the risk assessment process - it does not measure it.
Aligned with organizational goals
Use of security metrics
Cross-site scripting attacks
Well-defined roles and responsibilities

32. All within the responsibility of the information security manager.
The balanced scorecard
Platform security - intrusion detection and antivirus controls
Risk appetite
Audit objectives

33. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Calculating the value of the information or asset
Deeper level of analysis
Control effectiveness
The data custodian

34. A risk assessment should be conducted _________________.
Inherent risk
Annually or whenever there is a significant change
Patch management
Stress testing

35. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Consensus on risks and controls
The awareness and agreement of the data subjects
Cost of control
Baseline standard and then develop additional standards

36. The primary role of the information security manager in the process of information classification within the organization.
Return on security investment (ROSI)
Defining and ratifying the classification structure of information assets
Key controls
Cracker

37. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Data owners
Classification of assets needs
The data owner

38. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.

Warning: Invalid argument supplied for foreach() in /var/www/html/basicversity.com/show_quiz.php on line 183

39. Provide metrics to which outsourcing firms can be held accountable.
A network vulnerability assessment
Service level agreements (SLAs)
Its ability to reduce or eliminate business risks
The database administrator

40. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Inherent risk
Key controls
Equal error rate (EER)
Alignment with business strategy

41. Utility program that detects and protects a personal computer from unauthorized intrusions
OBusiness case development
Virus detection
Safeguards over keys
Personal firewall

42. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Security risk
Residual risk would be reduced by a greater amount
Data owners
Encryption of the hard disks

43. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Return on security investment (ROSI)
Virus detection
Multinational organization
Do with the information it collects

44. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Logon banners
Stress testing
Process of introducing changes to systems
Patch management process

45. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Cyber terrorist
BIA (Business Impact Assessment
Gain unauthorized access to applications
Transferred risk

46. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Script kiddie
Its ability to reduce or eliminate business risks
Cracker
Data classification

47. Same intent as a cracker but does not have the technical skills and knowledge
Encryption
Regular review of access control lists
Script kiddie
Stress testing

48. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Examples of containment defenses
Key controls
Decentralization

49. Ensure that transmitted information can be attributed to the named sender.
Resource dependency assessment
Digital signatures
Residual risk would be reduced by a greater amount
Is willing to accept

50. Needs to define the access rules - which is troublesome and error prone in large organizations.
Tie security risks to key business objectives
Confidentiality
Rule-based access control
Well-defined roles and responsibilities