SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. It is easier to manage and control a _________________.
Centralized structure
A network vulnerability assessment
Role-based policy
Exceptions to policy
2. Someone who uses the internet or network to destroy or damage computers for political reasons
Cyber terrorist
Residual risk would be reduced by a greater amount
Assess the risks to the business operation
Cryptographic secure sockets layer (SSL) implementations and short key lengths
3. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Prioritization
Cost of control
BIA (Business Impact Assessment
4. All within the responsibility of the information security manager.
Defining high-level business security requirements
Platform security - intrusion detection and antivirus controls
Cross-site scripting attacks
Increase business value and confidence
5. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Power surge/over voltage (spike)
Countermeasure cost-benefit analysis
Methodology used in the assessment
Data mart
6. Reducing risk to a level too small to measure is _______________.
Do with the information it collects
Prioritization
Impractical and is often cost-prohibitive
Increase business value and confidence
7. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Information contained on the equipment
Performing a risk assessment
Security baselines
Phishing
8. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Single sign-on (SSO) product
Centralization of information security management
Multinational organization
Detection defenses
9. Program that hides within or looks like a legit program
Strategic alignment of security with business objectives
Compliance with the organization's information security requirements
Trojan horse
The board of directors and senior management
10. Has full responsibility over data.
The data owner
Consensus on risks and controls
Digital signatures
Trusted source
11. Applications cannot access data associated with other apps
Data isolation
Tailgating
Internal risk assessment
Worm
12. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Background check
Comparison of cost of achievement
Two-factor authentication
13. Oversees the overall classification management of the information.
The information security officer
Lack of change management
Annually or whenever there is a significant change
Waterfall chart
14. Inject malformed input.
Malicious software and spyware
Background checks of prospective employees
Cross-site scripting attacks
Centralization of information security management
15. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Increase business value and confidence
Continuous monitoring control initiatives
Control effectiveness
Continuous analysis - monitoring and feedback
16. The most important characteristic of good security policies is that they be ____________________.
Trojan horse
Aligned with organizational goals
Residual risk would be reduced by a greater amount
Notifications and opt-out provisions
17. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Residual risk would be reduced by a greater amount
Increase business value and confidence
Protective switch covers
Nondisclosure agreement (NDA)
18. Carries out the technical administration.
The database administrator
Performing a risk assessment
A network vulnerability assessment
Proficiency testing
19. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Patch management
Identify the relevant systems and processes
Defining and ratifying the classification structure of information assets
Process of introducing changes to systems
20. Awareness - training and physical security defenses.
Data warehouse
Two-factor authentication
Cyber extortionist
Examples of containment defenses
21. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Key controls
Lack of change management
Digital signatures
Multinational organization
22. Company or person you believe will not send a virus-infect file knowingly
Exceptions to policy
Trusted source
Impractical and is often cost-prohibitive
Support the business objectives of the organization
23. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Threat assessment
Aligned with organizational goals
Script kiddie
Identify the vulnerable systems and apply compensating controls
24. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
All personnel
Virus
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Continuous monitoring control initiatives
25. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Monitoring processes
Identify the vulnerable systems and apply compensating controls
A network vulnerability assessment
26. Occurs after the risk assessment process - it does not measure it.
The data owner
Well-defined roles and responsibilities
Properly aligned with business goals and objectives
Use of security metrics
27. Normally addressed through antivirus and antispyware policies.
Data isolation
Total cost of ownership (TCO)
Annual loss expectancy (ALE)calculations
Malicious software and spyware
28. Provides strong online authentication.
Cyber extortionist
Regular review of access control lists
Public key infrastructure (PKI)
include security responsibilities in a job description
29. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Cyber terrorist
Security baselines
Background checks of prospective employees
Prioritization
30. An information security manager has to impress upon the human resources department the need for _____________________.
Breakeven point of risk reduction and cost
Residual risk
Encryption key management
Security awareness training for all employees
31. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Creation of a business continuity plan
Nondisclosure agreement (NDA)
Data classification
Properly aligned with business goals and objectives
32. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Impractical and is often cost-prohibitive
Cost of control
Developing an information security baseline
33. The information security manager needs to prioritize the controls based on ________________________.
Countermeasure cost-benefit analysis
Waterfall chart
Risk management and the requirements of the organization
Residual risk would be reduced by a greater amount
34. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Normalization
Owner of the information asset
Data owners
The data custodian
35. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Risk management and the requirements of the organization
Knowledge management
0-day vulnerabilities
Return on security investment (ROSI)
36. Information security governance models are highly dependent on the _____________________.
Key controls
Overall organizational structure
Defined objectives
Internal risk assessment
37. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
Impractical and is often cost-prohibitive
include security responsibilities in a job description
The data owner
38. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Increase business value and confidence
Get senior management onboard
Lack of change management
Risk management and the requirements of the organization
39. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Lack of change management
Certificate authority (CA)
Centralization of information security management
Acceptable use policies
40. A function of the session keys distributed by the PKI.
Data owners
Confidentiality
Reduce risk to an acceptable level
Alignment with business strategy
41. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Regulatory compliance
Control risk
Gain unauthorized access to applications
Compliance with the organization's information security requirements
42. Without _____________________ - there cannot be accountability.
Well-defined roles and responsibilities
Multinational organization
Internal risk assessment
Increase business value and confidence
43. Used to understand the flow of one process into another.
Certificate authority (CA)
Defining high-level business security requirements
Waterfall chart
Aligned with organizational goals
44. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
MAL wear
Data warehouse
Decentralization
Examples of containment defenses
45. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Security awareness training for all employees
Impractical and is often cost-prohibitive
Fault-tolerant computer
46. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Requirements of the data owners
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Penetration testing
Worm
47. Culture has a significant impact on how information security will be implemented in a ______________________.
Assess the risks to the business operation
Multinational organization
Risk appetite
Control effectiveness
48. Should be determined from the risk assessment results.
Cyber terrorist
Baseline standard and then develop additional standards
Service level agreements (SLAs)
Audit objectives
49. Would protect against spoofing an internal address but would not provide strong authentication.
A network vulnerability assessment
MAL wear
Its ability to reduce or eliminate business risks
IP address packet filtering
50. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Breakeven point of risk reduction and cost
People
Access control matrix
Encryption