Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from the answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. By definition, these are not previously known and therefore cannot be detected in advance by signature-based controls.
0-day vulnerabilities
Patch management process
Classification of assets needs
Cracker
2. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Logon banners
Safeguards over keys
Information contained on the equipment
Comparison of cost of achievement
3. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
The balanced scorecard
Intrusion detection system (IDS)
Asset classification
Is willing to accept
4. Responsible for securing the information.
Digital certificate
The data custodian
Encryption
Safeguards over keys
5. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Regulatory compliance
Assess the risks to the business operation
Continuous analysis - monitoring and feedback
Background checks of prospective employees
6. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Security code reviews for the entire software application
Internal risk assessment
Residual risk would be reduced by a greater amount
Deeper level of analysis
7. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Developing an information security baseline
Properly aligned with business goals and objectives
Fault-tolerant computer
Tailgating
8. The best measure for preventing the unauthorized disclosure of confidential information.
Requirements of the data owners
Public key infrastructure (PKI)
Normalization
Acceptable use policies
9. The MOST important component of a privacy policy is _______________. Privacy policies are a high-level management statement of direction; they do not necessarily address warranties, liabilities or geographic coverage, which are
Tie security risks to key business objectives
Notifications and opt-out provisions
Vulnerability assessment
Methodology used in the assessment
10. Occurs after the risk assessment process - it does not measure it.
Centralized structure
Use of security metrics
The authentication process is broken
Assess the risks to the business operation
11. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Security code reviews for the entire software application
Developing an information security baseline
Background checks of prospective employees
12. In a _________________________, the annual cost of safeguards is compared with the expected annual cost of loss. This can then be used to justify a specific control measure.
The data owner
Digital certificate
Countermeasure cost-benefit analysis
Calculating the value of the information or asset
13. Primarily reduce risk and are most effective for the protection of information assets.
Owner of the information asset
Classification of assets needs
Inherent risk
Key controls
14. Only valid if assets have first been identified and appropriately valued.
Biometric access control systems
Aligned with organizational goals
Annual loss expectancy (ALE) calculations
Notifications and opt-out provisions
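Questions 6, 12 and 14 above all turn on the same quantitative reasoning: value the asset first, derive single and annual loss expectancy, and compare the reduction in residual risk a control buys with what the control costs each year. The following is an added worked example, not code from the quiz page; every asset value, exposure factor, occurrence rate and control cost in it is a constructed figure used only to show the arithmetic, and the function and field names are this example's own.

```python
"""Countermeasure cost-benefit analysis built on annual loss expectancy (ALE).

Added example, not part of the original quiz page. All numbers below are
constructed for illustration (hypothetical asset, threat and control figures).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # asset value (AV), in currency units (Q14: value first)


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0..1
    annual_rate: float       # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # annualised cost of running the control
    ef_after: float          # exposure factor once the control is in place
    aro_after: float         # annual rate once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value: float, exposure_factor: float,
                           annual_rate: float) -> float:
    """ALE = SLE x ARO; only meaningful once the asset has been valued."""
    if annual_rate < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * annual_rate


def evaluate(asset: Asset, threat: Threat, safeguard: Safeguard) -> dict:
    """Compare annual risk reduction against annual control cost (Q12)."""
    ale_before = annual_loss_expectancy(asset.value, threat.exposure_factor,
                                        threat.annual_rate)
    ale_after = annual_loss_expectancy(asset.value, safeguard.ef_after,
                                       safeguard.aro_after)
    risk_reduction = ale_before - ale_after     # how much residual risk drops
    net_benefit = risk_reduction - safeguard.annual_cost
    return {
        "safeguard": safeguard.name,
        "ale_before": ale_before,
        "ale_after": ale_after,                 # residual ALE with the control
        "risk_reduction": risk_reduction,
        "annual_cost": safeguard.annual_cost,
        "breakeven_cost": risk_reduction,       # spend above this is unjustified
        "net_benefit": net_benefit,
        "justified": net_benefit > 0,
    }


def best_safeguard(asset: Asset, threat: Threat,
                   candidates: list) -> Optional[dict]:
    """Pick the control whose residual-risk reduction most exceeds its cost (Q6).

    Returns None when no candidate pays for itself; a control that removes
    almost all risk is still rejected if it costs more than the risk it removes.
    """
    results = [evaluate(asset, threat, s) for s in candidates]
    justified = [r for r in results if r["justified"]]
    if not justified:
        return None
    return max(justified, key=lambda r: r["net_benefit"])


# Constructed sample input (hypothetical figures, not from any real assessment).
ASSET = Asset("customer database", value=2_000_000.0)
THREAT = Threat("ransomware", exposure_factor=0.25, annual_rate=0.2)
SAFEGUARDS = [
    Safeguard("Offline backups", annual_cost=30_000.0, ef_after=0.05, aro_after=0.2),
    Safeguard("EDR rollout", annual_cost=60_000.0, ef_after=0.25, aro_after=0.05),
    Safeguard("Hardened appliance", annual_cost=150_000.0, ef_after=0.02, aro_after=0.02),
]


def run_example() -> Optional[dict]:
    """Evaluate every candidate and return the one that is best justified."""
    for s in SAFEGUARDS:
        r = evaluate(ASSET, THREAT, s)
        print(f"{r['safeguard']:<20} ALE {r['ale_before']:>10,.0f} -> {r['ale_after']:>9,.0f}"
              f"  cost {r['annual_cost']:>9,.0f}  net {r['net_benefit']:>+10,.0f}"
              f"  {'justified' if r['justified'] else 'rejected'}")
    return best_safeguard(ASSET, THREAT, SAFEGUARDS)


if __name__ == "__main__":
    print("Best choice:", run_example())
```

With these constructed figures the unmitigated ALE is 100,000 per year (SLE 500,000 at 0.2 occurrences per year). Offline backups cut it to 20,000 for 30,000 a year, a net benefit of 50,000; the EDR rollout nets 15,000; the appliance removes almost all risk but costs more than the 99,200 it saves, so the breakeven check rejects it. That is the point of Q6: the manager asks whether residual risk falls by more than the control costs, not whether the control is the strongest available.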
15. Oversees the overall classification management of the information.
Risk appetite
Creation of a business continuity plan
The information security officer
Digital signatures
16. A risk assessment should be conducted _________________.
People
Annually or whenever there is a significant change
Applying the proper classification to the data
Cross-site scripting attacks
17. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Hacker
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Countermeasure cost-benefit analysis
18. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Tailgating
Continuous monitoring control initiatives
Vulnerability assessment
Cracker
19. Provides strong online authentication.
Data isolation
Phishing
Applying the proper classification to the data
Public key infrastructure (PKI)
20. Useful but only with regard to specific technical skills.
Transmit e-mail messages
Proficiency testing
Asset classification
Virus
21. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Acceptable use policies
Encryption key management
Negotiating a local version of the organization standards
The balanced scorecard
22. Someone who uses e-mail as a vehicle for extortion, for example by sending a company threatening e-mails indicating they will expose confidential information, launch an exploit against a security flaw, etc.
Is willing to accept
Risk appetite
Calculating the value of the information or asset
Cyber extortionist
23. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Get senior management onboard
Penetration testing
Regular review of access control lists
Cryptographic secure sockets layer (SSL) implementations and short key lengths
24. The primary role of the information security manager in the process of information classification within the organization.
Patch management process
Equal error rate (EER)
Defining and ratifying the classification structure of information assets
Rule-based access control
25. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Owner of the information asset
The information security officer
What happened and how the breach was resolved
26. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Worm
Methodology used in the assessment
Use of security metrics
Annually or whenever there is a significant change
27. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Regulatory compliance
Logon banners
Its ability to reduce or eliminate business risks
Exceptions to policy
28. Accesses a computer or network illegally
Conduct a risk assessment
Cracker
Encryption of the hard disks
Gap analysis
29. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Detection defenses
Phishing
Intrusion detection system (IDS)
Increase business value and confidence
30. A method for analyzing and reducing a relational database to its most streamlined form
The data owner
Normalization
Notifications and opt-out provisions
Equal error rate (EER)
31. Has to be integrated into the requirements of every software application's design.
Is willing to accept
The information security officer
People
Encryption key management
32. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Information security manager
Gap analysis
Developing an information security baseline
33. Most effective for evaluating the degree to which information security objectives are being met.
Examples of containment defenses
Alignment with business strategy
Detection defenses
The balanced scorecard
34. Programs that act without a user's knowledge and deliberately alter a computer's operations
Malware
Phishing
Control risk
Annually or whenever there is a significant change
35. Cannot be minimized
Encryption of the hard disks
Reduce risk to an acceptable level
Inherent risk
Negotiating a local version of the organization standards
36. An information security manager has to impress upon the human resources department the need for _____________________.
Script kiddie
Normalization
Security awareness training for all employees
Phishing
37. Whenever personal data are transferred across national boundaries; ________________________ are required.
People
Cyber terrorist
Breakeven point of risk reduction and cost
The awareness and agreement of the data subjects
38. Security design flaws require a ____________________.
Rule-based access control
Internal risk assessment
Deeper level of analysis
Identify the relevant systems and processes
39. Information security governance models are highly dependent on the _____________________.
Role-based policy
Overall organizational structure
Centralized structure
Assess the risks to the business operation
40. Normally addressed through antivirus and antispyware policies.
Process of introducing changes to systems
The balanced scorecard
Malicious software and spyware
Nondisclosure agreement (NDA)
41. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Audit objectives
Alignment with business strategy
Trojan horse
Protective switch covers
42. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Two-factor authentication
Access control matrix
Well-defined roles and responsibilities
Acceptable use policies
43. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Risk assessment - evaluation and impact analysis
A network vulnerability assessment
Trojan horse
44. Also required to ensure the organization fulfils applicable laws and regulations; the information security manager is therefore obligated to comply with the law.
Role-based policy
Include security responsibilities in a job description
Monitoring processes
Attributes and characteristics of the 'desired state'
45. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Identify the relevant systems and processes
Digital signatures
Defining high-level business security requirements
SWOT analysis
46. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Data classification
Annually or whenever there is a significant change
Negotiating a local version of the organization standards
Security risk
47. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Security awareness training for all employees
Rule-based access control
Certificate authority (CA)
48. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Background checks of prospective employees
Gain unauthorized access to applications
What happened and how the breach was resolved
Knowledge management
49. Someone who accesses a computer or network illegally
Nondisclosure agreement (NDA)
Regulatory compliance
Information contained on the equipment
Hacker
50. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Impractical and is often cost-prohibitive
Owner of the information asset
Single sign-on (SSO) product
Applying the proper classification to the data