Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Someone who accesses a computer or network illegally
Transferred risk
Nondisclosure agreement (NDA)
Hacker
The awareness and agreement of the data subjects
2. All within the responsibility of the information security manager.
Platform security - intrusion detection and antivirus controls
Compliance with the organization's information security requirements
Calculating the value of the information or asset
Vulnerability assessment
3. Utility program that detects and protects a personal computer from unauthorized intrusions
Key controls
Properly aligned with business goals and objectives
Personal firewall
Creation of a business continuity plan
4. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Get senior management onboard
Gain unauthorized access to applications
Deeper level of analysis
Data mart
5. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Transferred risk
Penetration testing
Consensus on risks and controls
Security risk
6. Cannot be minimized
Digital signatures
Annual loss expectancy (ALE) calculations
Deeper level of analysis
Inherent risk
7. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Notifications and opt-out provisions
Role-based policy
Digital signatures
Encryption key management
8. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Is willing to accept
Calculating the value of the information or asset
All personnel
Inherent risk
9. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Data warehouse
Business case development
Assess the risks to the business operation
Undervoltage (brownout)
10. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Cyber extortionist
Key risk indicator (KRI) setup
Aligned with organizational goals
Defining high-level business security requirements
11. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Role-based access control
Alignment with business strategy
Digital signatures
The authentication process is broken
12. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Personal firewall
Data mart
The board of directors and senior management
Security awareness training for all employees
13. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Conduct a risk assessment
Normalization
Regulatory compliance
Data classification
14. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Malicious software and spyware
Aligned with organizational goals
Patch management
Asset classification
15. Culture has a significant impact on how information security will be implemented in a ______________________.
Gap analysis
Logon banners
Multinational organization
Biometric access control systems
16. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Its ability to reduce or eliminate business risks
Virus
Get senior management onboard
Owner of the information asset
17. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Audit objectives
The data custodian
The authentication process is broken
Phishing
18. The primary role of the information security manager in the process of information classification within the organization.
Breakeven point of risk reduction and cost
Compliance with the organization's information security requirements
Consensus on risks and controls
Defining and ratifying the classification structure of information assets
19. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Overall organizational structure
Countermeasure cost-benefit analysis
Regular review of access control lists
20. Provides strong online authentication.
Risk management and the requirements of the organization
Public key infrastructure (PKI)
Detection defenses
Control effectiveness
21. The MOST important element of an information security strategy.
The balanced scorecard
Creation of a business continuity plan
Defined objectives
Trusted source
22. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Decentralization
Defined objectives
Access control matrix
Transferred risk
23. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Resource dependency assessment
Defining high-level business security requirements
Conduct a risk assessment
Exceptions to policy
24. Focuses on identifying vulnerabilities.
Single sign-on (SSO) product
All personnel
Normalization
Penetration testing
25. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
Tailgating
Power surge/over voltage (spike)
Knowledge management
26. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Comparison of cost of achievement
Continuous monitoring control initiatives
Knowledge management
27. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Prioritization
Security code reviews for the entire software application
Certificate authority (CA)
Gain unauthorized access to applications
28. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results - such as impact from a security incident and required response times.
Requirements of the data owners
BIA (Business Impact Assessment)
The data custodian
Internal risk assessment
29. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
include security responsibilities in a job description
Certificate authority (CA)
Hacker
Malware
30. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Monitoring processes
Regular review of access control lists
Risk assessment - evaluation and impact analysis
Proficiency testing
31. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Role-based access control
Aligned with organizational goals
Certificate authority (CA)
32. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Continuous analysis - monitoring and feedback
Platform security - intrusion detection and antivirus controls
Process of introducing changes to systems
Trojan horse
33. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Control risk
Methodology used in the assessment
The data owner
Data classification
34. When considering the value of assets - ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance.
Comparison of cost of achievement
Personal firewall
Normalization
Platform security - intrusion detection and antivirus controls
35. A small warehouse - designed for the end-user needs in a strategic business unit
Requirements of the data owners
Personal firewall
Data mart
Security code reviews for the entire software application
36. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Return on security investment (ROSI)
The balanced scorecard
Nondisclosure agreement (NDA)
Owner of the information asset
37. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Classification of assets needs
Well-defined roles and responsibilities
Spoofing attacks
SWOT analysis
38. Accesses a computer or network illegally
The information security officer
Negotiating a local version of the organization standards
Cracker
Intrusion detection system (IDS)
39. Security design flaws require a ____________________.
Information contained on the equipment
Protective switch covers
Trojan horse
Deeper level of analysis
40. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Internal risk assessment
Developing an information security baseline
Key risk indicator (KRI) setup
41. Should PRIMARILY be based on regulatory and legal requirements.
Encryption of the hard disks
Virus
Nondisclosure agreement (NDA)
Retention of business records
42. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Creation of a business continuity plan
Cyber terrorist
Annual loss expectancy (ALE) calculations
Data classification
43. Used to understand the flow of one process into another.
Transferred risk
Waterfall chart
Deeper level of analysis
Equal error rate (EER)
44. Needs to define the access rules - which is troublesome and error prone in large organizations.
Properly aligned with business goals and objectives
Rule-based access control
The balanced scorecard
Encryption
45. Has to be integrated into the requirements of every software application's design.
Exceptions to policy
Identify the relevant systems and processes
Data warehouse
Encryption key management
46. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Is willing to accept
Power surge/over voltage (spike)
Cross-site scripting attacks
Skills inventory
47. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Centralized structure
Continuous monitoring control initiatives
Requirements of the data owners
Equal error rate (EER)
48. New security vulnerabilities should be managed through a ________________.
Tie security risks to key business objectives
Control risk
Security risk
Patch management process
49. Same intent as a cracker but does not have the technical skills and knowledge
A network vulnerability assessment
Security awareness training for all employees
Script kiddie
Phishing
50. A notice that guarantees a user or a web site is legitimate
Background checks of prospective employees
Transmit e-mail messages
Digital certificate
Deeper level of analysis