Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The data owner is responsible for _______________________.
Control risk
Data owners
Countermeasure cost-benefit analysis
Applying the proper classification to the data
2. A repository of historical data organized by subject to support decision makers in the org
Role-based policy
Data warehouse
BIA (Business Impact Assessment)
Vulnerability assessment
3. Information security governance models are highly dependent on the _____________________.
Data isolation
Intrusion detection system (IDS)
Defined objectives
Overall organizational structure
4. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Normalization
Business case development
Platform security - intrusion detection and antivirus controls
Centralization of information security management
5. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Identify the relevant systems and processes
include security responsibilities in a job description
Security baselines
Residual risk would be reduced by a greater amount
6. Risk should be reduced to a level that an organization _____________.
Security baselines
Support the business objectives of the organization
Impractical and is often cost-prohibitive
Is willing to accept
7. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Consensus on risks and controls
Virus detection
Two-factor authentication
8. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Encryption key management
Do with the information it collects
Tailgating
Data classification
9. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Tailgating
Equal error rate (EER)
Safeguards over keys
Public key infrastructure (PKI)
10. Focuses on identifying vulnerabilities.
Penetration testing
Control risk
Encryption key management
Trusted source
11. Should be determined from the risk assessment results.
Annually or whenever there is a significant change
Audit objectives
Baseline standard and then develop additional standards
Data mart
12. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
Platform security - intrusion detection and antivirus controls
Well-defined roles and responsibilities
Waterfall chart
13. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Developing an information security baseline
Increase business value and confidence
Reduce risk to an acceptable level
Continuous analysis - monitoring and feedback
14. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Two-factor authentication
Role-based policy
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Trojan horse
15. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Residual risk would be reduced by a greater amount
Gain unauthorized access to applications
Patch management
Risk appetite
16. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
The data custodian
Applying the proper classification to the data
Role-based access control
Virus
17. A method for analyzing and reducing a relational database to its most streamlined form
Normalization
Two-factor authentication
Increase business value and confidence
Spoofing attacks
18. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Compliance with the organization's information security requirements
Vulnerability assessment
Virus detection
Safeguards over keys
19. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Threat assessment
The board of directors and senior management
Fault-tolerant computer
Alignment with business strategy
20. Needs to define the access rules - which is troublesome and error prone in large organizations.
Security code reviews for the entire software application
Data mart
Rule-based access control
Data isolation
21. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Notifications and opt-out provisions
Access control matrix
Well-defined roles and responsibilities
22. Security design flaws require a ____________________.
Lack of change management
The data custodian
Deeper level of analysis
Consensus on risks and controls
23. Company or person you believe will not send a virus-infected file knowingly
The board of directors and senior management
Trusted source
Cost of control
Notifications and opt-out provisions
24. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Transmit e-mail messages
Normalization
Data warehouse
25. The primary role of the information security manager in the process of information classification within the organization.
Trusted source
Defining and ratifying the classification structure of information assets
Rule-based access control
Malware
26. A risk assessment should be conducted _________________.
Continuous analysis - monitoring and feedback
The board of directors and senior management
Patch management
Annually or whenever there is a significant change
27. Primarily reduce risk and are most effective for the protection of information assets.
Classification of assets needs
Logon banners
Inherent risk
Key controls
28. Ensures that there are no scalability problems.
Exceptions to policy
Virus detection
Hacker
Stress testing
29. An information security manager has to impress upon the human resources department the need for _____________________.
Encryption
Security awareness training for all employees
Multinational organization
Security risk
30. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Methodology used in the assessment
Worm
Data classification
Overall organizational structure
31. Computer that has duplicate components so it can continue to operate when one of its main components fails
Examples of containment defenses
Get senior management onboard
Security risk
Fault-tolerant computer
32. A notice that guarantees a user or a web site is legitimate
Security risk
Phishing
The balanced scorecard
Digital certificate
33. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Key controls
Countermeasure cost-benefit analysis
Return on security investment (ROSI)
Digital signatures
34. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Phishing
Encryption key management
Key risk indicator (KRI) setup
Role-based access control
35. The most important characteristic of good security policies is that they be ____________________.
Information security manager
Aligned with organizational goals
Centralization of information security management
Total cost of ownership (TCO)
36. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Deeper level of analysis
Strategic alignment of security with business objectives
Baseline standard and then develop additional standards
Requirements of the data owners
37. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
The board of directors and senior management
Use of security metrics
Deeper level of analysis
38. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
The data custodian
Nondisclosure agreement (NDA)
Gap analysis
Skills inventory
39. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Conduct a risk assessment
Control risk
Well-defined roles and responsibilities
The balanced scorecard
40. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Information contained on the equipment
Control effectiveness
Internal risk assessment
Owner of the information asset
41. Cannot be minimized
Exceptions to policy
Inherent risk
Audit objectives
Cyber terrorist
42. Would protect against spoofing an internal address but would not provide strong authentication.
Detection defenses
IP address packet filtering
Proficiency testing
Safeguards over keys
43. Carries out the technical administration.
The database administrator
Malware
The data custodian
Logon banners
44. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Encryption
Negotiating a local version of the organization standards
Worm
Access control matrix
45. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Cross-site scripting attacks
Transferred risk
Continuous analysis - monitoring and feedback
Equal error rate (EER)
46. Culture has a significant impact on how information security will be implemented in a ______________________.
The balanced scorecard
Developing an information security baseline
Hacker
Multinational organization
47. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Knowledge management
Continuous analysis - monitoring and feedback
Continuous monitoring control initiatives
48. Uses security metrics to measure the performance of the information security program.
Security risk
Methodology used in the assessment
Information security manager
Key controls
49. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Developing an information security baseline
Information contained on the equipment
Annually or whenever there is a significant change
Digital signatures
50. Has full responsibility over data.
The data owner
Support the business objectives of the organization
Intrusion detection system (IDS)
Data mart