Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
Security awareness training for all employees
Gain unauthorized access to applications
Defining high-level business security requirements
2. The data owner is responsible for _______________________.
Applying the proper classification to the data
Creation of a business continuity plan
Deeper level of analysis
Centralization of information security management
3. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
The data custodian
Owner of the information asset
Classification of assets needs
Cyber extortionist
4. The first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal.
Role-based access control
Vulnerability assessment
Calculating the value of the information or asset
Defining and ratifying the classification structure of information assets
5. Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Negotiating a local version of the organization standards
Risk appetite
Annually or whenever there is a significant change
Transferred risk
6. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Acceptable use policies
Transmit e-mail messages
Prioritization
7. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Encryption of the hard disks
Asset classification
Transferred risk
Its ability to reduce or eliminate business risks
8. Legal document to be signed by all employees, suppliers, etc. before they 'touch' the organization, to protect the organization's intellectual property.
Attributes and characteristics of the 'desired state'
Nondisclosure agreement (NDA)
The information security officer
Performing a risk assessment
9. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Attributes and characteristics of the 'desired state'
Cyber extortionist
Residual risk would be reduced by a greater amount
Power surge/over voltage (spike)
10. Occurs when the incoming level
Power surge/over voltage (spike)
Worm
Calculating the value of the information or asset
Information contained on the equipment
11. Ensure that transmitted information can be attributed to the named sender.
Digital signatures
Performing a risk assessment
Data owners
Encryption key management
12. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Security risk
Data owners
Single sign-on (SSO) product
Annually or whenever there is a significant change
13. Needs to define the access rules, which is troublesome and error prone in large organizations.
Rule-based access control
Two-factor authentication
SWOT analysis
Examples of containment defenses
14. Programs that act without a user's knowledge and deliberately alter a computer's operations
Retention of business records
Data mart
Requirements of the data owners
Malware
15. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Compliance with the organization's information security requirements
Control risk
Annual loss expectancy (ALE) calculations
Gap analysis
16. Logging as well as monitoring, measuring, auditing, detecting viruses and intrusion.
IP address packet filtering
Detection defenses
Power surge/over voltage (spike)
Support the business objectives of the organization
17. Would protect against spoofing an internal address but would not provide strong authentication.
Cross-site scripting attacks
IP address packet filtering
Consensus on risks and controls
Decentralization
18. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Risk management and the requirements of the organization
Cross-site scripting attacks
Countermeasure cost-benefit analysis
Security baselines
19. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
IP address packet filtering
Role-based access control
Background check
People
20. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Countermeasure cost-benefit analysis
Cyber terrorist
Patch management
Knowledge management
21. Culture has a significant impact on how information security will be implemented in a ______________________.
Retention of business records
Malicious software and spyware
Multinational organization
Regulatory compliance
22. An effective tool but primarily focuses on malicious code from external sources, and only for those applications that are online.
The board of directors and senior management
Virus detection
Malicious software and spyware
Baseline standard and then develop additional standards
23. By definition are not previously known and therefore are undetectable.
Encryption key management
0-day vulnerabilities
Risk appetite
Undervoltage (brownout)
24. Program that hides within or looks like a legit program
Proficiency testing
Trojan horse
The information security officer
Aligned with organizational goals
25. Are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Control effectiveness
Hacker
Include security responsibilities in a job description
26. A small warehouse, designed for the end-user needs in a strategic business unit
Safeguards over keys
Patch management
Return on security investment (ROSI)
Data mart
27. Inject malformed input.
Total cost of ownership (TCO)
Cross-site scripting attacks
Cracker
Security risk
28. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Developing an information security baseline
Identify the relevant systems and processes
Get senior management onboard
29. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Public key infrastructure (PKI)
Strategic alignment of security with business objectives
Is willing to accept
30. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Process of introducing changes to systems
Total cost of ownership (TCO)
The board of directors and senior management
Data owners
31. Addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool.
Normalization
Prioritization
The awareness and agreement of the data subjects
SWOT analysis
32. Should be performed to identify the risk and determine needed controls.
Two-factor authentication
Internal risk assessment
Public key infrastructure (PKI)
Detection defenses
33. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Single sign-on (SSO) product
Patch management process
Identify the vulnerable systems and apply compensating controls
Intrusion detection system (IDS)
34. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
Centralization of information security management
Service level agreements (SLAs)
Owner of the information asset
Attributes and characteristics of the 'desired state'
35. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability
Exceptions to policy
IP address packet filtering
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Security risk
36. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Resource dependency assessment
Applying the proper classification to the data
Vulnerability assessment
Virus
37. Should be a standard requirement for the service provider.
Well-defined roles and responsibilities
Background check
Regulatory compliance
Negotiating a local version of the organization standards
38. Awareness, training and physical security defenses.
Cost of control
Requirements of the data owners
Examples of containment defenses
Strategic alignment of security with business objectives
39. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Total cost of ownership (TCO)
Breakeven point of risk reduction and cost
Access control matrix
Patch management process
40. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Script kiddie
Impractical and is often cost-prohibitive
Security code reviews for the entire software application
Continuous monitoring control initiatives
41. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
IP address packet filtering
Encryption of the hard disks
Vulnerability assessment
42. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
Proficiency testing
All personnel
Continuous monitoring control initiatives
Identify the relevant systems and processes
43. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Hacker
The data custodian
Background checks of prospective employees
Countermeasure cost-benefit analysis
44. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Resource dependency assessment
Examples of containment defenses
Threat assessment
Developing an information security baseline
45. Security design flaws require a ____________________.
Malicious software and spyware
Phishing
Deeper level of analysis
Undervoltage (brownout)
46. When developing an information security program _________________ would help identify the available resources, any gaps and the training requirements for developing resources.
Attributes and characteristics of the 'desired state'
Skills inventory
Its ability to reduce or eliminate business risks
Virus detection
47. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance.
Increase business value and confidence
BIA (Business Impact Assessment)
Comparison of cost of achievement
Encryption
48. Whenever personal data are transferred across national boundaries; ________________________ are required.
The awareness and agreement of the data subjects
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Countermeasure cost-benefit analysis
Patch management
49. May show the performance result of the security related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Background check
Digital signatures
Assess the risks to the business operation
Return on security investment (ROSI)
50. Also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law.
Monitoring processes
Centralized structure
People
Overall organizational structure