Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. The job of the information security officer on a management team is to ___________________.






2. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.






3. Program that hides within, or looks like, a legitimate program






4. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.






5. Normally addressed through antivirus and antispyware policies.






6. The BEST justification to convince management to invest in an information security program is that doing so would _________________.






7. New security vulnerabilities should be managed through a ________________.






8. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.






9. Accesses a computer or network illegally






10. Someone who uses the internet or a network to destroy or damage computers for political reasons






11. Provide minimum recommended settings and do not prevent the introduction of control weaknesses.






12. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.






13. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.






14. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.






15. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.






16. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.






17. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.






18. Provides process needs but not impact.






19. Ensures that there are no scalability problems.






20. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -






21. Computer that has duplicate components so it can continue to operate when one of its main components fails






22. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.






23. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information, launch a security exploit, etc.






24. Also required to guarantee that the organization fulfills applicable laws and regulations, and therefore the information security manager will be obligated to comply with the law.






25. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.






26. A risk assessment should be conducted _________________.






27. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.






28. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.






29. When defining the information classification policy - the ___________________ need to be identified.






30. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.






31. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information






32. It is more efficient to establish a ___________________ for locations that must meet specific requirements.






33. Has to be integrated into the requirements of every software application's design.






34. Should be a standard requirement for the service provider.






35. Ensure that transmitted information can be attributed to the named sender.
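Items 13 and 35 both rest on the same property of public key cryptography: a signature that verifies under a public key can only have been produced by the holder of the matching private key, which is what lets transmitted information be attributed to the named sender. The following is an added example, not part of the quiz. It uses a toy RSA key built from two well-known Mersenne primes (chosen here for illustration only; the modulus is far too small and no padding scheme is applied, so it must not be reused), signs the SHA-256 digest of a message, and shows that verification fails when the message is altered or the signature is tampered with.

```python
"""Toy RSA digital signature illustrating non-repudiation: only the private
exponent D can produce a signature that verifies under (N, E). Key material
here is constructed for the example and is not secure for real use."""
import hashlib

P = 2**31 - 1                       # 2147483647, a Mersenne prime (example value)
Q = 2**61 - 1                       # 2305843009213693951, a Mersenne prime (example value)
N = P * Q                           # public modulus, roughly 2**92
E = 65537                           # public exponent; coprime to (P-1)*(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse, Python 3.8+)


def _digest_int(message: bytes) -> int:
    """SHA-256 of the message, truncated to 88 bits so it fits below the toy modulus.
    A real scheme would use a padding standard instead of truncation."""
    return int.from_bytes(hashlib.sha256(message).digest()[:11], "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Signer's side: raise the digest to the private exponent."""
    return pow(_digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient's side: recover the digest with the public key and compare."""
    return pow(signature, e, n) == _digest_int(message)


if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"          # constructed sample message
    sig = sign(msg)
    print("original verifies:", verify(msg, sig))
    print("altered message verifies:", verify(b"Transfer 900 to account 42", sig))
    print("altered signature verifies:", verify(msg, (sig + 1) % N))
```

Because RSA is a permutation on the residues modulo N, exactly one signature value maps back to a given digest, so any change to the signature breaks verification; any change to the message changes the digest with overwhelming probability. Non-repudiation in practice additionally depends on the private key never leaving the signer's control and on the public key being bound to the sender's identity by a certificate, which is the part PKI supplies.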






36. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but






37. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.






38. All within the responsibility of the information security manager.






39. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.






40. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.






41. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
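The statement above describes role-based access control: permissions attach to roles, users are granted roles, and an access decision consults only the permissions of the roles the user holds. The example below is added here and is not part of the quiz; the roles, permissions, users and conflicting role pair are constructed for illustration. It shows the default-deny decision, and also the separation-of-duties check that keeps a single person from accumulating roles that together exceed what their job requires.

```python
"""Role-based access control (RBAC) with a separation-of-duties check.
All roles, permissions and user assignments are constructed sample data."""

# Role -> set of (resource, action) permissions.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "payroll_auditor": {("payroll", "read"), ("audit_log", "read")},
    "helpdesk": {("user_directory", "read"), ("user_directory", "reset_password")},
}

# Role pairs that one person must never hold together (separation of duties).
CONFLICTING_ROLES = {frozenset({"payroll_clerk", "payroll_auditor"})}

# User -> roles granted.
USER_ROLES = {
    "alice": {"payroll_clerk"},
    "bob": {"payroll_auditor"},
    "carol": {"helpdesk"},
}


def effective_permissions(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, resource, action):
    """Default deny: unknown users, unknown roles and missing permissions all fail."""
    return (resource, action) in effective_permissions(user)


def assign_role(user, role):
    """Grant a role, refusing any grant that would violate separation of duties.
    Returns the user's resulting role set."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    current = USER_ROLES.setdefault(user, set())
    for pair in CONFLICTING_ROLES:
        if role in pair and (pair - {role}) & current:
            raise ValueError(f"{user}: {role} conflicts with {sorted(current)}")
    current.add(role)
    return set(current)


def sod_violations():
    """Users who currently hold a conflicting role pair (for periodic review)."""
    return sorted(u for u, roles in USER_ROLES.items()
                  if any(pair <= roles for pair in CONFLICTING_ROLES))


if __name__ == "__main__":
    print("alice may write payroll:", is_allowed("alice", "payroll", "write"))
    print("alice may read audit log:", is_allowed("alice", "audit_log", "read"))
    print("mallory may read payroll:", is_allowed("mallory", "payroll", "read"))
    try:
        assign_role("alice", "payroll_auditor")
    except ValueError as exc:
        print("refused:", exc)
```

Access is decided from the role set, never from the individual, so adding or removing a person from a role changes their entitlements everywhere at once; the conflict check is the control that item 41's "only the data required for the task" implies when a user moves between jobs.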






42. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.






43. Should be determined from the risk assessment results.






44. A small warehouse, designed for the end-user needs in a strategic business unit






45. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the






46. Awareness - training and physical security defenses.






47. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.






48. Primarily reduce risk and are most effective for the protection of information assets.






49. The MOST important element of an information security strategy.






50. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
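The statement above distinguishes detection from authentication: an intrusion detection system can recognise the pattern of an attack, such as a burst of failed logins from one source, but says nothing about whether any particular login is legitimate. The example below, added here and not part of the quiz, implements that detection over a handful of constructed sshd-style log lines using a sliding time window; the threshold and window are illustrative parameters.

```python
"""Threshold-based detection of login brute forcing in auth logs.
The log lines are constructed for this example; the detector only flags
sources, it never decides whether a login should succeed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_LINES = """\
2024-03-01T10:00:01 bastion sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:04 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:06 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:07 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:09 bastion sshd[812]: Accepted publickey for deploy from 198.51.100.20 port 40212 ssh2
2024-03-01T10:05:00 bastion sshd[812]: Failed password for alice from 198.51.100.21 port 40300 ssh2
2024-03-01T10:15:00 bastion sshd[812]: Failed password for alice from 198.51.100.21 port 40301 ssh2
"""

# timestamp, host, then the sshd failure message; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(text):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), user, src))
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Map source_ip -> total failures for each source that produced at least
    `threshold` failures inside any `window_seconds` interval."""
    by_src = defaultdict(list)
    for ts, _user, src in parse_failures(text):
        by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within the interval.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = len(times)
                break
    return alerts


if __name__ == "__main__":
    for src, count in detect_bruteforce(LOG_LINES).items():
        print(f"ALERT: {count} failed logins from {src}")
```

With the defaults, 203.0.113.7 is flagged (five failures in eight seconds) while alice's two mistyped passwords ten minutes apart are not; widening the window to fifteen minutes with a threshold of two would flag both, which is the tuning trade-off between catching slow attacks and drowning analysts in false positives. Whether the deploy login on 198.51.100.20 should have been accepted is a question the detector cannot answer; that is the authentication system's job.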