SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Phishing
Reduce risk to an acceptable level
People
Certificate authority (CA)
2. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
include security responsibilities in a job description
BIA (Business Impact Assessment
Logon banners
Risk appetite
3. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Do with the information it collects
Equal error rate (EER)
Safeguards over keys
Return on security investment (ROSI)
4. The information security manager needs to prioritize the controls based on ________________________.
Get senior management onboard
Risk management and the requirements of the organization
Gap analysis
OBusiness case development
5. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Background check
Assess the risks to the business operation
Resource dependency assessment
6. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Examples of containment defenses
The information security officer
Use of security metrics
7. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Proficiency testing
Notifications and opt-out provisions
Personal firewall
Is willing to accept
8. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Methodology used in the assessment
Tie security risks to key business objectives
The database administrator
Return on security investment (ROSI)
9. Someone who accesses a computer or network illegally
Impractical and is often cost-prohibitive
Hacker
Skills inventory
Security code reviews for the entire software application
10. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Encryption
Digital certificate
SWOT analysis
Acceptable use policies
11. By definition are not previously known and therefore are undetectable.
Malicious software and spyware
0-day vulnerabilities
Alignment with business strategy
Platform security - intrusion detection and antivirus controls
12. All within the responsibility of the information security manager.
Cross-site scripting attacks
Platform security - intrusion detection and antivirus controls
Strategic alignment of security with business objectives
Support the business objectives of the organization
13. The primary role of the information security manager in the process of information classification within the organization.
Residual risk
Personal firewall
Defining and ratifying the classification structure of information assets
Intrusion detection system (IDS)
14. Should be determined from the risk assessment results.
Use of security metrics
Continuous analysis - monitoring and feedback
Key risk indicator (KRI) setup
Audit objectives
15. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
Well-defined roles and responsibilities
Trojan horse
Use of security metrics
16. provides the most effective protection of data on mobile devices.
Consensus on risks and controls
Encryption
Normalization
Cost of control
17. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Exceptions to policy
Annually or whenever there is a significant change
include security responsibilities in a job description
18. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Annually or whenever there is a significant change
Information contained on the equipment
Threat assessment
Impractical and is often cost-prohibitive
19. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Vulnerability assessment
The awareness and agreement of the data subjects
Key controls
Phishing
20. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Exceptions to policy
Patch management process
Identify the relevant systems and processes
Comparison of cost of achievement
21. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Defining and ratifying the classification structure of information assets
Residual risk would be reduced by a greater amount
Role-based policy
Transferred risk
22. Needs to define the access rules - which is troublesome and error prone in large organizations.
Conduct a risk assessment
Continuous analysis - monitoring and feedback
Rule-based access control
Examples of containment defenses
23. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Intrusion detection system (IDS)
Skills inventory
Conduct a risk assessment
Encryption key management
24. Provides process needs but not impact.
Power surge/over voltage (spike)
Resource dependency assessment
Patch management process
Regulatory compliance
25. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Detection defenses
Stress testing
Exceptions to policy
Data classification
26. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
27. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Data warehouse
Risk assessment - evaluation and impact analysis
OBusiness case development
Assess the risks to the business operation
28. A repository of historical data organized by subject to support decision makers in the org
Service level agreements (SLAs)
Information security manager
Data warehouse
Multinational organization
29. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Regular review of access control lists
Risk management and the requirements of the organization
The authentication process is broken
Continuous analysis - monitoring and feedback
30. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Creation of a business continuity plan
Encryption of the hard disks
Risk appetite
Digital certificate
31. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Risk appetite
The awareness and agreement of the data subjects
Gain unauthorized access to applications
All personnel
32. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Protective switch covers
The data owner
Detection defenses
Examples of containment defenses
33. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Applying the proper classification to the data
Tie security risks to key business objectives
Virus
34. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Logon banners
Control effectiveness
Alignment with business strategy
Lack of change management
35. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Encryption of the hard disks
Deeper level of analysis
The database administrator
Tailgating
36. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
The board of directors and senior management
Overall organizational structure
Centralization of information security management
Malicious software and spyware
37. Someone who uses the internet or network to destroy or damage computers for political reasons
Defined objectives
Cyber terrorist
Proficiency testing
Transmit e-mail messages
38. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Nondisclosure agreement (NDA)
Control risk
Rule-based access control
39. Occurs when the incoming level
Power surge/over voltage (spike)
Risk appetite
Proficiency testing
Cracker
40. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Aligned with organizational goals
Defined objectives
The data custodian
41. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Nondisclosure agreement (NDA)
Access control matrix
Cracker
Patch management process
42. BEST option to improve accountability for a system administrator is to _____________________.
Retention of business records
Inherent risk
Do with the information it collects
include security responsibilities in a job description
43. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Key risk indicator (KRI) setup
Defined objectives
Assess the risks to the business operation
People
44. An information security manager has to impress upon the human resources department the need for _____________________.
Get senior management onboard
A network vulnerability assessment
Security awareness training for all employees
Key risk indicator (KRI) setup
45. Uses security metrics to measure the performance of the information security program.
Consensus on risks and controls
Information security manager
Logon banners
Residual risk would be reduced by a greater amount
46. Provides strong online authentication.
Single sign-on (SSO) product
Return on security investment (ROSI)
Public key infrastructure (PKI)
Platform security - intrusion detection and antivirus controls
47. Awareness - training and physical security defenses.
Examples of containment defenses
Inherent risk
Retention of business records
Risk management and the requirements of the organization
48. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
49. Normally addressed through antivirus and antispyware policies.
Acceptable use policies
Malicious software and spyware
Skills inventory
Notifications and opt-out provisions
50. The PRIMARY goal in developing an information security strategy is to: _________________________.
Nondisclosure agreement (NDA)
Support the business objectives of the organization
Inherent risk
Assess the risks to the business operation