SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Virus detection
Cyber terrorist
Penetration testing
Malicious software and spyware
2. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Transmit e-mail messages
Role-based policy
Calculating the value of the information or asset
Owner of the information asset
3. ecurity design flaws require a ____________________.
Detection defenses
Worm
Deeper level of analysis
Acceptable use policies
4. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Properly aligned with business goals and objectives
Baseline standard and then develop additional standards
Return on security investment (ROSI)
Information security manager
5. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Certificate authority (CA)
Inherent risk
Calculating the value of the information or asset
The board of directors and senior management
6. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Two-factor authentication
Detection defenses
Risk assessment - evaluation and impact analysis
Encryption key management
7. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Reduce risk to an acceptable level
Equal error rate (EER)
Increase business value and confidence
Defining and ratifying the classification structure of information assets
8. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Service level agreements (SLAs)
Gain unauthorized access to applications
Proficiency testing
A network vulnerability assessment
9. All within the responsibility of the information security manager.
Biometric access control systems
Platform security - intrusion detection and antivirus controls
Equal error rate (EER)
Compliance with the organization's information security requirements
10. A key indicator of performance measurement.
Identify the relevant systems and processes
Defining high-level business security requirements
Strategic alignment of security with business objectives
BIA (Business Impact Assessment
11. Most effective for evaluating the degree to which information security objectives are being met.
Annually or whenever there is a significant change
The balanced scorecard
The board of directors and senior management
Strategic alignment of security with business objectives
12. Company or person you believe will not send a virus-infect file knowingly
Trusted source
Transmit e-mail messages
Defined objectives
Well-defined roles and responsibilities
13. Occurs after the risk assessment process - it does not measure it.
Continuous monitoring control initiatives
Personal firewall
Use of security metrics
What happened and how the breach was resolved
14. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Control risk
Calculating the value of the information or asset
Security risk
Single sign-on (SSO) product
15. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Alignment with business strategy
Defined objectives
Deeper level of analysis
16. S small warehouse - designed for the end-user needs in a strategic business unit
Background check
Performing a risk assessment
Patch management process
Data mart
17. A risk assessment should be conducted _________________.
Trojan horse
Retention of business records
Annually or whenever there is a significant change
Role-based access control
18. A function of the session keys distributed by the PKI.
Cracker
Impractical and is often cost-prohibitive
Confidentiality
Rule-based access control
19. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Monitoring processes
Logon banners
Applying the proper classification to the data
Exceptions to policy
20. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Transmit e-mail messages
Calculating the value of the information or asset
Process of introducing changes to systems
Overall organizational structure
21. Risk should be reduced to a level that an organization _____________.
Data owners
Is willing to accept
Encryption key management
Internal risk assessment
22. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Trusted source
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Control risk
Attributes and characteristics of the 'desired state'
23. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Notifications and opt-out provisions
Properly aligned with business goals and objectives
Skills inventory
Residual risk
24. Has to be integrated into the requirements of every software application's design.
Annual loss expectancy (ALE)calculations
Information contained on the equipment
Increase business value and confidence
Encryption key management
25. A method for analyzing and reducing a relational database to its most streamlined form
Compliance with the organization's information security requirements
Normalization
Increase business value and confidence
Data mart
26. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Encryption of the hard disks
Negotiating a local version of the organization standards
Gap analysis
27. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Access control matrix
Public key infrastructure (PKI)
Data owners
People
28. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
The board of directors and senior management
Data mart
Skills inventory
29. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Background check
BIA (Business Impact Assessment
The authentication process is broken
Comparison of cost of achievement
30. Would protect against spoofing an internal address but would not provide strong authentication.
IP address packet filtering
Information security manager
Monitoring processes
Data classification
31. Someone who accesses a computer or network illegally
Defining and ratifying the classification structure of information assets
Negotiating a local version of the organization standards
Baseline standard and then develop additional standards
Hacker
32. The best measure for preventing the unauthorized disclosure of confidential information.
Script kiddie
Power surge/over voltage (spike)
Inherent risk
Acceptable use policies
33. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Proficiency testing
Total cost of ownership (TCO)
Public key infrastructure (PKI)
Background check
34. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Script kiddie
include security responsibilities in a job description
Background checks of prospective employees
Well-defined roles and responsibilities
35. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Background check
Protective switch covers
The information security officer
Intrusion detection system (IDS)
36. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Return on security investment (ROSI)
Power surge/over voltage (spike)
Role-based access control
37. Provide metrics to which outsourcing firms can be held accountable.
Logon banners
Lack of change management
Power surge/over voltage (spike)
Service level agreements (SLAs)
38. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Attributes and characteristics of the 'desired state'
Worm
Control effectiveness
Owner of the information asset
39. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Certificate authority (CA)
Total cost of ownership (TCO)
Safeguards over keys
Two-factor authentication
40. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Annual loss expectancy (ALE)calculations
The authentication process is broken
Information contained on the equipment
Identify the relevant systems and processes
41. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
Exceptions to policy
Fault-tolerant computer
Reduce risk to an acceptable level
42. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
Warning
: Invalid argument supplied for foreach() in
/var/www/html/basicversity.com/show_quiz.php
on line
183
43. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Properly aligned with business goals and objectives
Data owners
Assess the risks to the business operation
Fault-tolerant computer
44. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Well-defined roles and responsibilities
Malicious software and spyware
Transmit e-mail messages
Regulatory compliance
45. Applications cannot access data associated with other apps
Data isolation
Security awareness training for all employees
Reduce risk to an acceptable level
Risk assessment - evaluation and impact analysis
46. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Skills inventory
Applying the proper classification to the data
Virus
47. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Its ability to reduce or eliminate business risks
Security risk
Consensus on risks and controls
Trojan horse
48. The data owner is responsible for _______________________.
Applying the proper classification to the data
Rule-based access control
Vulnerability assessment
Security awareness training for all employees
49. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Cyber extortionist
The data custodian
Prioritization
50. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Virus
The balanced scorecard
People
Spoofing attacks