Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Continuous analysis - monitoring and feedback
Cracker
Conduct a risk assessment
Skills inventory

2. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Do with the information it collects
Confidentiality
Service level agreements (SLAs)
Identify the vulnerable systems and apply compensating controls

3. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Proficiency testing
Logon banners
Risk management and the requirements of the organization
People

4. The information security manager needs to prioritize the controls based on ________________________.
Defining and ratifying the classification structure of information assets
The balanced scorecard
Residual risk would be reduced by a greater amount
Risk management and the requirements of the organization

5. Responsible for securing the information.
Cyber terrorist
Requirements of the data owners
Skills inventory
The data custodian

6. The most important characteristic of good security policies is that they be ____________________.
Risk management and the requirements of the organization
Virus
Aligned with organizational goals
What happened and how the breach was resolved

7. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Comparison of cost of achievement
Cracker
Intrusion detection system (IDS)
Gain unauthorized access to applications

8. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Public key infrastructure (PKI)
Data owners
Do with the information it collects

9. A key indicator of performance measurement.
Strategic alignment of security with business objectives
Defined objectives
Conduct a risk assessment
Centralization of information security management

10. Primarily reduce risk and are most effective for the protection of information assets.
Attributes and characteristics of the 'desired state'
Key controls
Resource dependency assessment
Regulatory compliance

11. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Conduct a risk assessment
Control risk
Residual risk
Assess the risks to the business operation

12. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Encryption key management
Identify the relevant systems and processes
Multinational organization
Aligned with organizational goals

13. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Lack of change management
Equal error rate (EER)
Deeper level of analysis
Role-based access control

14. By definition are not previously known and therefore are undetectable.
Protective switch covers
Properly aligned with business goals and objectives
Continuous monitoring control initiatives
0-day vulnerabilities

15. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Negotiating a local version of the organization standards
Tailgating
Well-defined roles and responsibilities

16. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Cyber terrorist
Classification of assets needs
SWOT analysis
Waterfall chart

17. A risk assessment should be conducted _________________.
Security code reviews for the entire software application
Gap analysis
Performing a risk assessment
Annually or whenever there is a significant change

18. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
Assess the risks to the business operation
People
Return on security investment (ROSI)

19. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Data isolation
Applying the proper classification to the data
Deeper level of analysis
Gain unauthorized access to applications

20. A notice that guarantees a user or a web site is legitimate
All personnel
Digital certificate
Alignment with business strategy
Rule-based access control

21. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Baseline standard and then develop additional standards
Malicious software and spyware
Data isolation
Lack of change management

22. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Multinational organization
Safeguards over keys
0-day vulnerabilities
IP address packet filtering

23. Should be determined from the risk assessment results.
The board of directors and senior management
Audit objectives
Stress testing
Information contained on the equipment

24. A repository of historical data organized by subject to support decision makers in the org
Residual risk
Gap analysis
Role-based access control
Data warehouse

25. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Security baselines
Virus detection
BIA (Business Impact Assessment
Personal firewall

26. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Virus
Conduct a risk assessment
Well-defined roles and responsibilities
Skills inventory

27. A Successful risk management should lead to a ________________.
The information security officer
Breakeven point of risk reduction and cost
Negotiating a local version of the organization standards
Data mart

28. The best measure for preventing the unauthorized disclosure of confidential information.
Personal firewall
Acceptable use policies
Annual loss expectancy (ALE)calculations
A network vulnerability assessment

29. All within the responsibility of the information security manager.
Encryption key management
Trojan horse
Data isolation
Platform security - intrusion detection and antivirus controls

30. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Encryption key management
Cross-site scripting attacks
Patch management
MAL wear

31. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
BIA (Business Impact Assessment
Compliance with the organization's information security requirements
Increase business value and confidence
Key controls

32. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Baseline standard and then develop additional standards
Impractical and is often cost-prohibitive
Comparison of cost of achievement

33. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
BIA (Business Impact Assessment
Methodology used in the assessment
Performing a risk assessment
Return on security investment (ROSI)

34. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Comparison of cost of achievement
Security baselines
Calculating the value of the information or asset
Virus

35. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Public key infrastructure (PKI)
Threat assessment
Cross-site scripting attacks
Protective switch covers

36. The PRIMARY goal in developing an information security strategy is to: _________________________.
Centralized structure
Support the business objectives of the organization
Undervoltage (brownout)
Worm

37. The MOST important element of an information security strategy.
Defined objectives
OBusiness case development
The balanced scorecard
Two-factor authentication

38. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Tailgating
Background checks of prospective employees
Virus
Is willing to accept

39. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Get senior management onboard
IP address packet filtering
Security risk
Transmit e-mail messages

40. Occurs when the electrical supply drops
Comparison of cost of achievement
Regular review of access control lists
Background checks of prospective employees
Undervoltage (brownout)

41. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
Spoofing attacks
Nondisclosure agreement (NDA)
Power surge/over voltage (spike)

42. Program that hides within or looks like a legit program
Well-defined roles and responsibilities
Trojan horse
Retention of business records
Key controls

43. Most effective for evaluating the degree to which information security objectives are being met.
Data warehouse
Methodology used in the assessment
Residual risk would be reduced by a greater amount
The balanced scorecard

44. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Vulnerability assessment
Information contained on the equipment
Proficiency testing
Countermeasure cost-benefit analysis

45. Provides process needs but not impact.
Resource dependency assessment
Logon banners
All personnel
Proficiency testing

46. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Skills inventory
Reduce risk to an acceptable level
Tailgating
A network vulnerability assessment

47. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Virus detection
Encryption key management
Key controls

48. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Defining and ratifying the classification structure of information assets
Access control matrix
Identify the relevant systems and processes
Platform security - intrusion detection and antivirus controls

49. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
What happened and how the breach was resolved
Security baselines
Safeguards over keys
Data warehouse

50. Oversees the overall classification management of the information.
Residual risk would be reduced by a greater amount
The information security officer
Get senior management onboard
Continuous monitoring control initiatives