Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The three wrong answers for each question are randomly chosen from the answers to other questions, so at times the answers may seem obvious, but the repetition reinforces your understanding each time you take the test.
1. In order to highlight to management the importance of network security, the security manager should FIRST _______________.

2. Legal document to be signed by all employees, suppliers, etc. before they "touch" the organization, to protect the organization's intellectual property.

3. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.

4. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures, but not in their prioritization.

5. The first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal.

6. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information.

7. Whenever personal data are transferred across national boundaries, ________________________ are required.

8. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee.

9. A successful risk management program should lead to a ________________.

10. The risk that remains after an effective risk management program has been put in place; acceptable risk is achieved when this amount is minimized.

11. A process that helps organizations manipulate important knowledge that is part of the organization's memory.

12. The MAIN reason why _______________ is important to a successful information security program is that classification determines the appropriate level of protection for the asset.

13. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.

14. Provide minimum recommended settings and do not prevent the introduction of control weaknesses.

15. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.

16. The MOST important component of a privacy policy. Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are

17. Uses security metrics to measure the performance of the information security program.

18. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.

19. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.

20. Most effective for evaluating the degree to which information security objectives are being met.

21. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.

22. A risk assessment should be conducted _________________.

23. Used to understand the flow of one process into another.

24. Provides strong online authentication.

25. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements: a ______________ would appear every time the user logs on, and the user would be required to read and agree

26. To determine the sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.

27. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.

28. Useful, but only with regard to specific technical skills.

29. The weakest link in security implementation; awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and sensitized on various security policies and other security topics, thus e

30. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls access based on those roles.

31. The most important characteristic of good security policies is that they be ____________________.

32. Awareness, training and physical security defenses.

33. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.

34. Cannot be minimized.

35. Should PRIMARILY be based on regulatory and legal requirements.

36. Can be a standalone driver for an information security governance measure. No further analysis or justification is required, since the entity has no choice in the regulatory requirements.

37. While useful for identifying the difference between the current state and the desired future state, e.g. an organization has to comply with recently published industry regulatory requirements, compliance that potentially has high implementation costs,

38. New security vulnerabilities should be managed through a ________________.

39. A method for analyzing and reducing a relational database to its most streamlined form.

40. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.

41. Applications cannot access data associated with other apps.

42. The risk that controls may not prevent/detect an incident, with a measure of control effectiveness.

43. The best measure for preventing the unauthorized disclosure of confidential information.

44. When the ________________ is more than the cost of the risk, the risk should be accepted.

45. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset or the impact of perceived threats on that value.

46. It is more efficient to establish a ___________________ for locations that must meet specific requirements.

47. Risk should be reduced to a level that an organization _____________.

48. The primary role of the information security manager in the process of information classification within the organization.

49. All within the responsibility of the information security manager.

50. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
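As an added illustration of item 30 (access controlled by the roles assigned to groups of users) and item 13 (an owner approving entitlements for a system), the following Python model shows how a role-based access control decision is made from roles rather than per-user grants, including role inheritance and a static separation-of-duties rule that blocks conflicting role assignments. This is example code written for this page, not part of the study tool or of any real product; the role names, permissions, users and the separation-of-duties conflict are constructed sample data and an assumed policy.

```python
"""Minimal role-based access control (RBAC) model.

Users are assigned roles, roles carry permissions (and may inherit from
parent roles), and every access decision is derived from roles only.
The roles, permissions and users below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rbac:
    # role -> permissions granted directly to that role
    role_perms: dict[str, set[str]] = field(default_factory=dict)
    # role -> parent roles whose permissions this role inherits
    role_parents: dict[str, set[str]] = field(default_factory=dict)
    # user -> roles assigned to that user (never per-user permissions)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # pairs of roles a single user may never hold at the same time
    sod_conflicts: set[frozenset[str]] = field(default_factory=set)

    def add_role(self, role: str, perms=(), parents=()) -> None:
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(parents)

    def add_sod_conflict(self, role_a: str, role_b: str) -> None:
        """Static separation of duties: declare two roles mutually exclusive."""
        self.sod_conflicts.add(frozenset({role_a, role_b}))

    def assign(self, user: str, role: str) -> None:
        """Assign a role to a user, refusing assignments that violate SoD."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        for held in self.user_roles.get(user, set()):
            if frozenset({role, held}) in self.sod_conflicts:
                raise ValueError(
                    f"{user}: role {role!r} conflicts with held role {held!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def effective_perms(self, user: str) -> set[str]:
        """Union of permissions over the user's roles and all ancestor roles.

        Walks the hierarchy iteratively with a visited set, so a misconfigured
        cycle in role_parents cannot loop forever.
        """
        perms: set[str] = set()
        seen: set[str] = set()
        stack = list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            perms |= self.role_perms.get(role, set())
            stack.extend(self.role_parents.get(role, ()))
        return perms

    def check(self, user: str, perm: str) -> bool:
        """The access decision: allowed only if some role grants the permission."""
        return perm in self.effective_perms(user)


def build_demo() -> Rbac:
    """Constructed sample: a small engineering organisation's roles."""
    rbac = Rbac()
    rbac.add_role("employee", {"wiki:read"})
    rbac.add_role("engineer", {"repo:read", "repo:write"}, parents={"employee"})
    rbac.add_role("deployer", {"prod:deploy"}, parents={"engineer"})
    rbac.add_role("release_approver", {"release:approve"}, parents={"employee"})
    # Assumed policy: whoever approves a release must not also deploy it.
    rbac.add_sod_conflict("deployer", "release_approver")
    rbac.assign("alice", "deployer")
    rbac.assign("bob", "release_approver")
    return rbac


if __name__ == "__main__":
    demo = build_demo()
    for user, perm in [("alice", "prod:deploy"), ("alice", "wiki:read"),
                       ("bob", "repo:write"), ("carol", "wiki:read")]:
        print(f"{user:6} {perm:16} -> {'allow' if demo.check(user, perm) else 'deny'}")
```

The point of the model is the one item 30 makes: an owner approves "alice is a deployer" once, and every permission alice has (including wiki:read inherited through engineer and employee) follows from that role; revoking the role removes all of it in one step, which is why RBAC scales to large user communities. The separation-of-duties check is enforced at assignment time, where it is cheapest, rather than at each access decision.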