CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from the answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Provides the most effective protection of data on mobile devices.
Use of security metrics
Data mart
Support the business objectives of the organization
Encryption
2. The BEST option to improve accountability for a system administrator is to _____________________.
Include security responsibilities in a job description
Worm
Well-defined roles and responsibilities
Get senior management onboard
3. Information security governance models are highly dependent on the _____________________.
Fault-tolerant computer
Continuous monitoring control initiatives
Decentralization
Overall organizational structure
4. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Role-based access control
The data custodian
Penetration testing
Nondisclosure agreement (NDA)
5. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is ______________, which would appear every time the user logs on; the user would be required to read and agree to them.
Include security responsibilities in a job description
Logon banners
Do with the information it collects
Hacker
6. Accesses a computer or network illegally
Cracker
Inherent risk
Virus
Defining and ratifying the classification structure of information assets
7. The MOST important element of an information security strategy.
Business case development
Performing a risk assessment
Defined objectives
Normalization
8. Should be performed to identify the risk and determine needed controls.
Prioritization
Internal risk assessment
Creation of a business continuity plan
Malware
9. The data owner is responsible for _______________________.
Consensus on risks and controls
Normalization
Role-based policy
Applying the proper classification to the data
10. It is more efficient to establish a ___________________ for locations that must meet specific requirements.
Cross-site scripting attacks
Baseline standard and then develop additional standards
BIA (Business impact analysis)
Centralized structure
11. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Equal error rate (EER)
IP address packet filtering
All personnel
Is willing to accept
12. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information.
A network vulnerability assessment
Strategic alignment of security with business objectives
Data warehouse
Phishing
13. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Patch management process
Calculating the value of the information or asset
Vulnerability assessment
14. The best measure, since it involves reviewing the entire source code to detect all instances of back doors.
Defined objectives
Attributes and characteristics of the 'desired state'
Centralization of information security management
Security code reviews for the entire software application
15. Has to be integrated into the requirements of every software application's design.
Encryption key management
Safeguards over keys
Calculating the value of the information or asset
Equal error rate (EER)
16. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Data classification
Negotiating a local version of the organization standards
Alignment with business strategy
A network vulnerability assessment
17. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Virus
The board of directors and senior management
Data mart
Exceptions to policy
18. Provides strong online authentication.
Cross-site scripting attacks
Protective switch covers
Public key infrastructure (PKI)
The balanced scorecard
19. Security design flaws require a ____________________.
Breakeven point of risk reduction and cost
0-day vulnerabilities
Deeper level of analysis
Normalization
20. Computer that has duplicate components so it can continue to operate when one of its main components fails.
Fault-tolerant computer
Script kiddie
Developing an information security baseline
Patch management
21. The risk that controls may not prevent or detect an incident; a measure of control effectiveness.
Do with the information it collects
Security code reviews for the entire software application
Control risk
Performing a risk assessment
22. To improve the security governance framework and achieve a higher level of maturity, _____________________ is most important.
Do with the information it collects
Continuous analysis, monitoring and feedback
Undervoltage (brownout)
Multinational organization
23. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i
Intrusion detection system (IDS)
Internal risk assessment
What happened and how the breach was resolved
The information security officer
24. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Tie security risks to key business objectives
Risk appetite
Encryption of the hard disks
Increase business value and confidence
25. Residual risk is the risk that remains after controls have been applied. The amount of residual risk a business is prepared to live with is its _____________; it is key to the organization and affects its viability.
Conduct a risk assessment
Stress testing
Risk appetite
Properly aligned with business goals and objectives
26. When considering the value of assets, ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance.
Comparison of cost of achievement
Risk assessment, evaluation and impact analysis
Biometric access control systems
Fault-tolerant computer
27. Occurs when the electrical supply drops below its normal level.
Internal risk assessment
Key risk indicator (KRI) setup
Undervoltage (brownout)
Penetration testing
28. When defining the information classification policy, the ___________________ need to be identified.
Gain unauthorized access to applications
Increase business value and confidence
Requirements of the data owners
Transmit e-mail messages
29. Awareness, training and physical security defenses.
Owner of the information asset
Malicious software and spyware
Examples of containment defenses
Cross-site scripting attacks
30. Identification and _______________ of business risk enables project managers to address the areas of most significance.
Background checks of prospective employees
Cross-site scripting attacks
Prioritization
Security baselines
31. A small data warehouse designed for the end-user needs of a strategic business unit.
Logon banners
Data mart
Safeguards over keys
Patch management
32. Ensure that transmitted information can be attributed to the named sender.
Breakeven point of risk reduction and cost
Digital signatures
Certificate authority (CA)
Encryption
33. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Developing an information security baseline
Transmit e-mail messages
Information security manager
Malware
34. A function of the session keys distributed by the PKI.
Confidentiality
Proficiency testing
Decentralization
Control effectiveness
35. Should be a standard requirement for the service provider.
Background check
Its ability to reduce or eliminate business risks
Creation of a business continuity plan
Well-defined roles and responsibilities
36. A process that helps organizations manage important knowledge that is part of the organization's memory.
Knowledge management
Centralized structure
Countermeasure cost-benefit analysis
Residual risk would be reduced by a greater amount
37. Occurs when the incoming electrical level rises above its normal level.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
People
Power surge/over voltage (spike)
Transferred risk
38. While useful for identifying the difference between the current state and the desired future state, e.g. an organization has to comply with recently published industry regulatory requirements, compliance that potentially has high implementation costs -
Its ability to reduce or eliminate business risks
Cracker
Gap analysis
Confidentiality
39. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Role-based policy
Patch management
Properly aligned with business goals and objectives
Access control matrix
40. Would protect against spoofing an internal address but would not provide strong authentication.
BIA (Business impact analysis)
IP address packet filtering
Breakeven point of risk reduction and cost
A network vulnerability assessment
41. Oversees the overall classification management of the information.
Risk appetite
The information security officer
Monitoring processes
Attributes and characteristics of the 'desired state'
42. Programs that act without a user's knowledge and deliberately alter a computer's operations
Intrusion detection system (IDS)
Requirements of the data owners
Malware
What happened and how the breach was resolved
43. New security vulnerabilities should be managed through a ________________.
Virus
Patch management process
Tie security risks to key business objectives
Vulnerability assessment
44. Legal document to be signed by all employees, suppliers, etc. before they 'touch' the organization, to protect the organization's intellectual property.
The awareness and agreement of the data subjects
Data owners
Nondisclosure agreement (NDA)
Identify the vulnerable systems and apply compensating controls
45. Used to understand the flow of one process into another.
Increase business value and confidence
Waterfall chart
Consensus on risks and controls
Requirements of the data owners
46. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
Include security responsibilities in a job description
The data owner
The awareness and agreement of the data subjects
47. Requires the access rules to be defined individually, which is troublesome and error-prone in large organizations.
Negotiating a local version of the organization standards
Rule-based access control
Baseline standard and then develop additional standards
Phishing
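The contrast between role-based access control (question 4) and rule-based access control (question 47), as an added example that is not part of the original quiz. Users are assigned to roles, roles carry permissions and may inherit from parent roles, and the access decision only ever consults roles; the final helper shows why that scales better than one explicit rule per user and resource. All roles, permissions, users and the numbers in the size comparison are constructed sample data, not taken from any real system.

```python
"""Role-based access control (RBAC) with a small role hierarchy.

Added example, not part of the original quiz.  The roles, permissions and
users below are constructed for illustration.  Permissions hang off roles;
users are only ever assigned to roles, so adding a user means one role
assignment rather than one rule per user per resource.
"""

# Permissions granted directly by each role (constructed sample data).
ROLE_PERMISSIONS = {
    "reader":  {"report:read"},
    "analyst": {"report:export"},
    "admin":   {"report:delete", "user:manage"},
}

# Role hierarchy: a role inherits everything its parent roles grant.
ROLE_PARENTS = {
    "analyst": {"reader"},
    "admin":   {"analyst"},
}

# Users are assigned to roles, never to permissions directly.
USER_ROLES = {
    "alice": {"analyst"},
    "bob":   {"reader"},
    "carol": {"admin"},
}


def effective_permissions(role):
    """Return every permission a role has, including inherited ones.

    Walks the parent graph iteratively with a visited set, so a misconfigured
    hierarchy that contains a cycle terminates instead of recursing forever.
    An unknown role resolves to no permissions (fail closed).
    """
    granted = set()
    to_visit = [role]
    seen = set()
    while to_visit:
        current = to_visit.pop()
        if current in seen:
            continue
        seen.add(current)
        granted |= ROLE_PERMISSIONS.get(current, set())
        to_visit.extend(ROLE_PARENTS.get(current, set()))
    return granted


def is_authorized(user, permission):
    """Access decision: True only if some role of the user grants the permission.

    A user that is not in the assignment table has no roles and is denied.
    """
    return any(permission in effective_permissions(r)
               for r in USER_ROLES.get(user, set()))


def assignments_to_administer(n_users, n_resources, n_roles):
    """Administrative burden of rule-based versus role-based control.

    Rule-based: one explicit rule per (user, resource) pair.
    Role-based: one role assignment per user plus one grant per (role, resource).
    Returns (rule_based_count, role_based_count).
    """
    return n_users * n_resources, n_users + n_roles * n_resources


if __name__ == "__main__":
    checks = [("alice", "report:read"), ("alice", "report:delete"),
              ("carol", "report:read"), ("mallory", "report:read")]
    for user, perm in checks:
        verdict = "ALLOW" if is_authorized(user, perm) else "DENY"
        print(f"{user:8} {perm:15} -> {verdict}")
    print("10,000 users x 200 resources, 12 roles (rule-based, role-based):",
          assignments_to_administer(10_000, 200, 12))
```

Alice is allowed `report:read` only because `analyst` inherits from `reader`; a user not in `USER_ROLES` is denied everything, which is the fail-closed behaviour a practitioner should check for when reviewing any access-control code.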
48. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Process of introducing changes to systems
Asset classification
Platform security, intrusion detection and antivirus controls
0-day vulnerabilities
49. Because past performance is a strong predictor of future performance, _______________________ best prevent attacks from originating within an organization.
Defining high-level business security requirements
Background checks of prospective employees
Examples of containment defenses
Confidentiality
50. The first step in a risk analysis process, whose ultimate goal is to determine the impact to the organization.
Patch management
All personnel
Calculating the value of the information or asset
Safeguards over keys