Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.

1. Legal document to be signed by all employees, suppliers, etc. before they 'touch' the organization, to protect the organization's intellectual property.
2. Should be a standard requirement for the service provider.
3. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________; including a cost-benefit analysis, it will be most persuasive to management. A risk assessment may be included in the business case, but
4. Will associate data access with the role performed by an individual, thus restricting access to the data required to perform the individual's tasks.
5. May show the performance result of security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
6. Occurs when the incoming level
7. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
8. When developing an information security program, _________________ would help identify the available resources, any gaps, and the training requirements for developing resources.
9. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
10. Inject malformed input.
11. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and must be considered for the full life cycle of the control.
12. When mobile equipment is lost or stolen, the ______________________ matters most in determining the impact of the loss.
13. Addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool.
14. A function of the session keys distributed by the PKI.
15. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
16. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations.
17. Requires a process to verify that the control process worked as intended. Examples such as dual control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
18. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls access based on those roles.
19. In assessing the degree to which an organization may be affected by new privacy legislation, information security management should first _____________________.
20. Security design flaws require a ____________________.
21. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
22. Attackers who exploit weak application authentication controls can ___________________, and this has little to do with cross-site scripting vulnerabilities.
23. An effective tool, but primarily focuses on malicious code from external sources, and only for those applications that are online.
24. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
25. Information security governance models are highly dependent on the _____________________.
26. If the firewall allows source routing, any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
27. The information security manager needs to prioritize the controls based on ________________________.
28. Normally addressed through antivirus and antispyware policies.
29. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID in the URL used for accessing the account. It means _____________.
30. To determine the sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
31. The job of the information security officer on a management team is to ___________________.
32. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
33. Oversees the overall classification management of the information.
34. Successful risk management should lead to a ________________.
35. A small warehouse, designed for the end-user needs in a strategic business unit.
36. The data owner is responsible for _______________________.
37. Used to understand the flow of one process into another.
38. By definition are not previously known and therefore are undetectable.
39. A trusted third party that attests to the identity of the signatory, and reliance will be a function of the level of trust afforded the CA.
40. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.
41. Someone who accesses a computer or network illegally.
42. On a company's e-commerce web site, a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
43. The MOST important element of an information security strategy.
44. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
45. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee.
46. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
47. Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
48. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
49. Needs to define the access rules, which is troublesome and error prone in large organizations.
50. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.