CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Should be a standard requirement for the service provider.
Security awareness training for all employees
Impractical and is often cost-prohibitive
Background check
The awareness and agreement of the data subjects
2. Utility program that detects and protects a personal computer from unauthorized intrusions
Get senior management onboard
Encryption key management
Data classification
Personal firewall
3. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Patch management
Security code reviews for the entire software application
The balanced scorecard
4. A small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Retention of business records
Do with the information it collects
Rule-based access control
5. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Requirements of the data owners
Normalization
Data isolation
Virus
6. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results - such as impact from a security incident and required response times.
Increase business value and confidence
BIA (Business Impact Assessment)
0-day vulnerabilities
Breakeven point of risk reduction and cost
7. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Cracker
Business case development
Performing a risk assessment
Malicious software and spyware
8. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Knowledge management
Resource dependency assessment
Cracker
Calculating the value of the information or asset
9. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Access control matrix
Exceptions to policy
Malware
Personal firewall
10. Has full responsibility over data.
Risk management and the requirements of the organization
The data owner
The balanced scorecard
Tie security risks to key business objectives
11. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Impractical and is often cost-prohibitive
Its ability to reduce or eliminate business risks
Security code reviews for the entire software application
Data mart
12. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Security awareness training for all employees
Audit objectives
Logon banners
The board of directors and senior management
13. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Resource dependency assessment
Methodology used in the assessment
Requirements of the data owners
Alignment with business strategy
14. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Regulatory compliance
Centralized structure
Public key infrastructure (PKI)
Performing a risk assessment
15. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Classification of assets needs
Tailgating
Examples of containment defenses
Defining high-level business security requirements
16. Culture has a significant impact on how information security will be implemented in a ______________________.
Background checks of prospective employees
Multinational organization
The data owner
Annual loss expectancy (ALE) calculations
17. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
The board of directors and senior management
Risk management and the requirements of the organization
Regulatory compliance
People
18. Uses security metrics to measure the performance of the information security program.
Information security manager
Role-based access control
Resource dependency assessment
Nondisclosure agreement (NDA)
19. Responsible for securing the information.
Safeguards over keys
The data custodian
Cracker
The authentication process is broken
20. Same intent as a cracker but does not have the technical skills and knowledge
Skills inventory
Risk assessment - evaluation and impact analysis
Script kiddie
Penetration testing
21. Someone who accesses a computer or network illegally
Hacker
0-day vulnerabilities
Owner of the information asset
Personal firewall
22. Useful but only with regard to specific technical skills.
Digital signatures
Proficiency testing
Data warehouse
Tie security risks to key business objectives
23. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Well-defined roles and responsibilities
Background checks of prospective employees
Inherent risk
Vulnerability assessment
24. Has to be integrated into the requirements of every software application's design.
Risk management and the requirements of the organization
Encryption key management
Consensus on risks and controls
Security risk
25. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Transferred risk
Identify the relevant systems and processes
The board of directors and senior management
Acceptable use policies
26. Information security governance models are highly dependent on the _____________________.
Impractical and is often cost-prohibitive
Overall organizational structure
Cracker
Virus detection
27. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Role-based policy
Audit objectives
Conduct a risk assessment
Identify the relevant systems and processes
28. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Security awareness training for all employees
A network vulnerability assessment
The data custodian
Role-based access control
29. By definition are not previously known and therefore are undetectable.
Defined objectives
Acceptable use policies
Script kiddie
0-day vulnerabilities
30. Would protect against spoofing an internal address but would not provide strong authentication.
Annual loss expectancy (ALE) calculations
Creation of a business continuity plan
IP address packet filtering
Risk appetite
31. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Access control matrix
Security code reviews for the entire software application
Intrusion detection system (IDS)
Waterfall chart
32. Security design flaws require a ____________________.
Malicious software and spyware
Decentralization
Notifications and opt-out provisions
Deeper level of analysis
33. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Lack of change management
The awareness and agreement of the data subjects
Spoofing attacks
Platform security - intrusion detection and antivirus controls
34. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Centralization of information security management
Normalization
All personnel
Residual risk
35. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Aligned with organizational goals
Continuous analysis - monitoring and feedback
Deeper level of analysis
Stress testing
36. Provides strong online authentication.
Developing an information security baseline
Do with the information it collects
Public key infrastructure (PKI)
Return on security investment (ROSI)
37. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Data warehouse
Deeper level of analysis
Risk appetite
People
38. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Trojan horse
Impractical and is often cost-prohibitive
Threat assessment
Centralization of information security management
39. Occurs after the risk assessment process - it does not measure it.
Strategic alignment of security with business objectives
Use of security metrics
Breakeven point of risk reduction and cost
Include security responsibilities in a job description
40. The most important characteristic of good security policies is that they be ____________________.
Fault-tolerant computer
Information security manager
Aligned with organizational goals
Role-based access control
41. The best strategy for risk management is to ___________________ - as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Security risk
Reduce risk to an acceptable level
Consensus on risks and controls
People
42. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Requirements of the data owners
Public key infrastructure (PKI)
Calculating the value of the information or asset
Key risk indicator (KRI) setup
43. Focuses on identifying vulnerabilities.
Hacker
Exceptions to policy
Control effectiveness
Penetration testing
44. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Is willing to accept
Encryption
Asset classification
Equal error rate (EER)
45. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Background check
Encryption
Phishing
Continuous monitoring control initiatives
46. Ensures that there are no scalability problems.
Stress testing
The authentication process is broken
Equal error rate (EER)
Calculating the value of the information or asset
47. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
Internal risk assessment
0-day vulnerabilities
Do with the information it collects
48. Ensure that transmitted information can be attributed to the named sender.
Acceptable use policies
The balanced scorecard
Control effectiveness
Digital signatures
49. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Worm
Control risk
Annually or whenever there is a significant change
Cyber terrorist
50. Should be determined from the risk assessment results.
Audit objectives
Properly aligned with business goals and objectives
Lack of change management
Cracker