Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The risk that controls may not prevent or detect an incident; it is a measure of control effectiveness.
Support the business objectives of the organization
Control risk
Encryption
Prioritization
2. Should be performed to identify the risk and determine needed controls.
Negotiating a local version of the organization standards
Is willing to accept
Internal risk assessment
Security code reviews for the entire software application
3. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Continuous monitoring control initiatives
Penetration testing
Tie security risks to key business objectives
Virus detection
4. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
Threat assessment
Spoofing attacks
Tailgating
Identify the relevant systems and processes
5. Responsible for securing the information.
Use of security metrics
Public key infrastructure (PKI)
The data custodian
Encryption of the hard disks
6. Are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (type I error rate), where the system will be more prone to err by denying access to a valid user, or to erring and allowing
Data classification
People
Biometric access control systems
Public key infrastructure (PKI)
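The tuning trade-off in question 6 is easier to see with numbers. The following is an added example, not part of the quiz page: it sweeps a biometric matcher's decision threshold, computes the false reject rate (FRR, type I) and false accept rate (FAR, type II) at each setting, finds the equal error rate (EER) where the two meet, and shows what a security-first or convenience-first setting costs. The match scores are constructed for the example, not measured from any real system.

```python
"""
Added example (not part of the quiz page): tuning a biometric matcher.
Raising the threshold lowers FAR (fewer impostors admitted) but raises FRR
(more valid users denied); lowering it does the opposite. The EER is the
threshold at which the two error rates are equal.
"""

# Constructed similarity scores in [0, 1]; higher means a closer match to the
# enrolled template. GENUINE are valid users, IMPOSTOR are other people.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.75, 0.71, 0.66, 0.63, 0.58, 0.52]
IMPOSTOR_SCORES = [0.61, 0.57, 0.49, 0.44, 0.41, 0.37, 0.33, 0.28, 0.22, 0.15]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) when access is granted iff score >= threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)    # type I
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # type II
    return frr, far


def candidate_thresholds(genuine, impostor):
    """Only the observed scores can change a decision, so sweep exactly those."""
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, eer): the threshold where |FRR - FAR| is smallest."""
    best_t, best_eer, best_gap = None, None, None
    for t in candidate_thresholds(genuine, impostor):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_eer, best_gap = t, (frr + far) / 2, gap
    return best_t, best_eer


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Security-first tuning: lowest threshold with FAR <= max_far, and the FRR it costs.
    Returns None if no observed threshold satisfies the FAR limit."""
    for t in candidate_thresholds(genuine, impostor):
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return None


def threshold_for_max_frr(max_frr, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Convenience-first tuning: highest threshold with FRR <= max_frr, and the FAR it costs."""
    for t in reversed(candidate_thresholds(genuine, impostor)):
        frr, far = error_rates(t, genuine, impostor)
        if frr <= max_frr:
            return t, far
    return None


if __name__ == "__main__":
    print("threshold  FRR   FAR")
    for t in candidate_thresholds(GENUINE_SCORES, IMPOSTOR_SCORES):
        frr, far = error_rates(t)
        print(f"{t:8.2f}  {frr:.2f}  {far:.2f}")
    print("EER (threshold, rate):", equal_error_rate())
    print("no false accepts costs FRR of:", threshold_for_max_far(0.0))
    print("no false rejects costs FAR of:", threshold_for_max_frr(0.0))
```

With these constructed scores the EER sits at threshold 0.58 with both rates at 10 percent; demanding zero false accepts pushes the threshold to 0.63 and rejects 20 percent of valid users, while demanding zero false rejects drops it to 0.52 and admits 20 percent of impostors. Which side to favour is the risk decision the question is about, not a property of the sensor.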
7. Successful risk management should lead to a ________________.
Data warehouse
Breakeven point of risk reduction and cost
Lack of change management
Skills inventory
8. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Audit objectives
Return on security investment (ROSI)
Use of security metrics
Identify the vulnerable systems and apply compensating controls
9. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process
Stress testing
Identify the relevant systems and processes
Risk appetite
Single sign-on (SSO) product
10. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works.
Audit objectives
Requirements of the data owners
Virus
Undervoltage (brownout)
11. A tool used in internal control assessment. It presents a threshold that alerts management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Safeguards over keys
Risk assessment - evaluation and impact analysis
Encryption
Key risk indicator (KRI) setup
12. A small data warehouse designed for the end-user needs of a strategic business unit.
Skills inventory
Gap analysis
Centralization of information security management
Data mart
13. Residual risk is the risk that remains after controls have been applied, i.e., the portion of inherent risk that stays uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Monitoring processes
What happened and how the breach was resolved
Risk appetite
Phishing
14. Ensures that there are no scalability problems.
The database administrator
Protective switch covers
Stress testing
Confidentiality
15. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
Continuous monitoring control initiatives
Classification of assets needs
Malware
Centralization of information security management
16. It is important to achieve ____________________ and obtain inputs from various organizational entities, since security needs to be aligned to the needs of the organization.
Intrusion detection system (IDS)
Security baselines
Patch management
Consensus on risks and controls
17. Same intent as a cracker but does not have the technical skills and knowledge.
Centralized structure
Script kiddie
Gain unauthorized access to applications
Security baselines
18. Only valid if assets have first been identified and appropriately valued.
Control risk
Reduce risk to an acceptable level
Certificate authority (CA)
Annual loss expectancy (ALE) calculations
19. Computer that has duplicate components so it can continue to operate when one of its main components fails.
Requirements of the data owners
Script kiddie
Fault-tolerant computer
Negotiating a local version of the organization standards
20. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information.
Cracker
Phishing
Key controls
Classification of assets needs
21. When mobile equipment is lost or stolen, the ______________________ matters most in determining the impact of the loss.
Creation of a business continuity plan
Information contained on the equipment
Access control matrix
Owner of the information asset
22. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Aligned with organizational goals
Background checks of prospective employees
Reduce risk to an acceptable level
23. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
Examples of containment defenses
People
Requirements of the data owners
24. Culture has a significant impact on how information security will be implemented in a ______________________.
Equal error rate (EER)
Multinational organization
Phishing
Tie security risks to key business objectives
25. Are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Consensus on risks and controls
Do with the information it collects
Continuous monitoring control initiatives
Defining and ratifying the classification structure of information assets
26. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Residual risk
Transmit e-mail messages
Continuous analysis - monitoring and feedback
Decentralization
27. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Defined objectives
Owner of the information asset
The information security officer
Breakeven point of risk reduction and cost
28. The job of the information security officer on a management team is to ___________________.
Defined objectives
Applying the proper classification to the data
Well-defined roles and responsibilities
Assess the risks to the business operation
29. Program that hides within, or looks like, a legitimate program.
Trojan horse
Two-factor authentication
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Patch management process
30. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
Gap analysis
SWOT analysis
Safeguards over keys
31. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Malicious software and spyware
Data owners
Logon banners
Undervoltage (brownout)
32. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Security risk
Retention of business records
Data owners
Process of introducing changes to systems
33. Would protect against spoofing an internal address but would not provide strong authentication.
Encryption
Prioritization
IP address packet filtering
Residual risk
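Question 33 makes a distinction that is easy to blur: an ingress filter stops an outsider from claiming an inside address, but it never establishes who the sender is. The following is an added example, not part of the quiz page, written to make that concrete. The interface names, address ranges and packets are constructed for the example.

```python
"""
Added example (not part of the quiz page): anti-spoofing ingress/egress
filtering on source address, and why it is not authentication.
"""
import ipaddress

# Address space the organization uses internally (constructed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def ingress_filter(ingress_iface, src, dst):
    """
    Decide ACCEPT/DROP for a packet arriving on ingress_iface ('outside' or 'inside').
    Rule 1 (anti-spoofing): a packet entering from the outside may not carry an inside source.
    Rule 2 (egress counterpart): a packet entering from the inside must carry an inside source.
    Nothing here checks who actually sent the packet; only the address field is inspected.
    """
    src_internal = is_internal(src)
    if ingress_iface == "outside" and src_internal:
        return "DROP"   # outsider spoofing one of our addresses
    if ingress_iface == "inside" and not src_internal:
        return "DROP"   # our host spoofing an external address outbound
    return "ACCEPT"     # dst is not consulted by these two rules


# Constructed packets: (interface, source, destination, description)
PACKETS = [
    ("outside", "10.0.5.7", "10.0.0.10", "external attacker spoofing an internal host"),
    ("outside", "203.0.113.5", "10.0.0.10", "external host with a legitimate routable source"),
    ("inside", "10.0.5.7", "198.51.100.9", "internal host to the internet"),
    ("inside", "203.0.113.9", "198.51.100.9", "internal host spoofing an external source"),
]


def run_filter(packets=PACKETS):
    """Apply the filter to each packet; returns [(description, verdict), ...]."""
    return [(desc, ingress_filter(iface, src, dst)) for iface, src, dst, desc in packets]


if __name__ == "__main__":
    for desc, verdict in run_filter():
        print(f"{verdict:6} {desc}")
```

The second packet is accepted even though the filter has no idea whether 203.0.113.5 is a partner, a customer or an attacker: any sender who can put a routable source address on the wire passes. That is the gap the question points at, and it is why address filtering must be paired with a real authentication mechanism rather than treated as one. On a Linux perimeter host the first rule is the familiar `iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP` (interface name assumed).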
34. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________. This, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but
Business case development
Cost of control
Background check
Total cost of ownership (TCO)
35. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee.
Applying the proper classification to the data
Tailgating
Key controls
Get senior management onboard
36. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security staff.
Risk management and the requirements of the organization
Classification of assets needs
All personnel
Security code reviews for the entire software application
37. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Knowledge management
Creation of a business continuity plan
Classification of assets needs
Centralization of information security management
38. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Equal error rate (EER)
Residual risk would be reduced by a greater amount
Prioritization
Exceptions to policy
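Questions 7, 18 and 38 describe the same calculation from three angles: annual loss expectancy (ALE) is only meaningful once an asset has been identified and valued, and a control is justified when the residual risk it removes is worth more than it costs. The following is an added example, not part of the quiz page, that carries the arithmetic through for a set of candidate controls and applies that breakeven test. All asset values, rates and costs are constructed figures.

```python
"""
Added example (not part of the quiz page): ALE, return on security
investment (ROSI) and the cost-versus-risk-reduction screen a security
manager applies to candidate controls.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: Optional[float]  # None: asset identified but not yet valued
    exposure_factor: float        # fraction of asset value lost per incident (0..1)
    aro: float                    # annualized rate of occurrence (incidents/year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_after: float    # exposure factor once the control is in place
    aro_after: float   # annualized rate once the control is in place


def ale(asset_value, exposure_factor, aro):
    """ALE = SLE * ARO, where SLE (single loss expectancy) = asset value * EF."""
    return asset_value * exposure_factor * aro


def evaluate(exposure, control):
    """Risk reduction, ROSI and the breakeven test for one control on one exposure."""
    if exposure.asset_value is None:
        # ALE calculations are only valid once the asset is identified and valued.
        raise ValueError(f"{exposure.asset}: cannot compute ALE without an asset valuation")
    before = ale(exposure.asset_value, exposure.exposure_factor, exposure.aro)
    after = ale(exposure.asset_value, control.ef_after, control.aro_after)
    reduction = before - after
    rosi = (reduction - control.annual_cost) / control.annual_cost  # net benefit per unit spent
    return {
        "control": control.name,
        "ale_before": before,
        "ale_after": after,     # residual ALE with the control in place
        "reduction": reduction,
        "rosi": rosi,
        # The manager's question: is residual risk reduced by more than the control costs?
        "worthwhile": reduction > control.annual_cost,
    }


def rank_controls(exposure, controls):
    """Controls that pass the breakeven test, best ROSI first."""
    results = [evaluate(exposure, c) for c in controls]
    passing = [r for r in results if r["worthwhile"]]
    return sorted(passing, key=lambda r: r["rosi"], reverse=True)


# Constructed scenario (not real figures).
CUSTOMER_DB = Exposure("customer database", 2_000_000, 0.25, 0.2)   # ALE 100,000 per year
UNVALUED = Exposure("legacy file share", None, 0.5, 1.0)            # not yet valued
CANDIDATES = [
    Control("database encryption + DLP", 40_000, 0.05, 0.2),   # residual ALE 20,000
    Control("additional SOC shift", 150_000, 0.25, 0.1),       # residual ALE 50,000
    Control("annual tabletop exercise", 5_000, 0.25, 0.2),     # no measurable reduction
]

if __name__ == "__main__":
    for r in rank_controls(CUSTOMER_DB, CANDIDATES):
        print(f"{r['control']}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"ROSI {r['rosi']:.2f}")
    try:
        evaluate(UNVALUED, CANDIDATES[0])
    except ValueError as err:
        print("rejected:", err)
```

In the constructed scenario only the first control survives: it cuts ALE by 80,000 for 40,000 a year (ROSI 1.0), while the SOC shift removes 50,000 of risk at a cost of 150,000 and the tabletop exercise changes neither factor. The unvalued file share is rejected outright, which is the point of question 18: the numbers for an asset nobody has valued are not an estimate, they are a guess.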
39. Determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the
Nondisclosure agreement (NDA)
Strategic alignment of security with business objectives
Control risk
Data classification
40. Someone who accesses a computer or network illegally.
Security awareness training for all employees
Hacker
Continuous monitoring control initiatives
Audit objectives
41. BEST option to improve accountability for a system administrator is to _____________________.
Include security responsibilities in a job description
Knowledge management
Certificate authority (CA)
The balanced scorecard
42. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Control risk
Skills inventory
Role-based policy
Virus detection
43. Should be determined from the risk assessment results.
Cyber extortionist
Identify the vulnerable systems and apply compensating controls
Audit objectives
Business impact analysis (BIA)
44. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Single sign-on (SSO) product
Hacker
Is willing to accept
45. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Tie security risks to key business objectives
People
Access control matrix
Business case development
46. A trusted third party that attests to the identity of the signatory; reliance will be a function of the level of trust afforded the CA.
Worm
Certificate authority (CA)
Impractical and is often cost-prohibitive
The authentication process is broken
47. Primarily reduce risk and are most effective for the protection of information assets.
Assess the risks to the business operation
Prioritization
Power surge/over voltage (spike)
Key controls
48. Ensure that transmitted information can be attributed to the named sender.
Data classification
Background check
Information contained on the equipment
Digital signatures
49. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Negotiating a local version of the organization standards
Prioritization
Annual loss expectancy (ALE) calculations
Methodology used in the assessment
50. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Knowledge management
Internal risk assessment
Identify the relevant systems and processes