Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Patch management
Tie security risks to key business objectives
Decentralization
Data mart

2. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Cyber extortionist
Identify the vulnerable systems and apply compensating controls
Cost of control
Vulnerability assessment

3. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Information contained on the equipment
Resource dependency assessment
Impractical and is often cost-prohibitive

4. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Creation of a business continuity plan
BIA (Business Impact Assessment
Certificate authority (CA)
Role-based access control

5. Uses security metrics to measure the performance of the information security program.
Strategic alignment of security with business objectives
Information security manager
Waterfall chart
Is willing to accept

6. Program that hides within or looks like a legit program
Stress testing
Security risk
Public key infrastructure (PKI)
Trojan horse

7. The data owner is responsible for _______________________.
Digital certificate
Conduct a risk assessment
Increase business value and confidence
Applying the proper classification to the data

8. Occurs when the electrical supply drops
Two-factor authentication
Defined objectives
The balanced scorecard
Undervoltage (brownout)

9. Identification and _______________ of business risk enables project managers to address areas with most significance.
Role-based access control
Personal firewall
Aligned with organizational goals
Prioritization

10. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Encryption key management
Protective switch covers
Performing a risk assessment
Total cost of ownership (TCO)

11. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Identify the vulnerable systems and apply compensating controls
Inherent risk
The authentication process is broken
Risk assessment - evaluation and impact analysis

12. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Assess the risks to the business operation
Residual risk
Risk appetite
Identify the vulnerable systems and apply compensating controls

13. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Breakeven point of risk reduction and cost
Service level agreements (SLAs)
Spoofing attacks
Exceptions to policy

14. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
OBusiness case development
Risk assessment - evaluation and impact analysis
People
Proficiency testing

15. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Owner of the information asset
Phishing
The board of directors and senior management
Security baselines

16. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE)calculations
Malicious software and spyware
Data warehouse
Conduct a risk assessment

17. Cannot be minimized
Overall organizational structure
Decentralization
Inherent risk
Undervoltage (brownout)

18. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Knowledge management
Exceptions to policy
Centralized structure
The authentication process is broken

19. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Comparison of cost of achievement
Security code reviews for the entire software application
Performing a risk assessment
Notifications and opt-out provisions

20. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.

Warning: Invalid argument supplied for foreach() in /var/www/html/basicversity.com/show_quiz.php on line 183

21. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Exceptions to policy
Tailgating
Key risk indicator (KRI) setup
Undervoltage (brownout)

22. Focuses on identifying vulnerabilities.
Performing a risk assessment
Worm
Penetration testing
Fault-tolerant computer

23. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
Conduct a risk assessment
Data mart
All personnel

24. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Centralization of information security management
Knowledge management
Defining high-level business security requirements
Properly aligned with business goals and objectives

25. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Deeper level of analysis
Data warehouse
Biometric access control systems
Centralized structure

26. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Malicious software and spyware
Threat assessment
Defined objectives
Data isolation

27. The information security manager needs to prioritize the controls based on ________________________.
Data mart
Process of introducing changes to systems
Risk management and the requirements of the organization
Tailgating

28. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Phishing
Audit objectives
Access control matrix
Virus

29. Carries out the technical administration.
Key risk indicator (KRI) setup
The database administrator
Public key infrastructure (PKI)
Platform security - intrusion detection and antivirus controls

30. Risk should be reduced to a level that an organization _____________.
Increase business value and confidence
Identify the relevant systems and processes
Transferred risk
Is willing to accept

31. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Multinational organization
Intrusion detection system (IDS)
Safeguards over keys
Security risk

32. A Successful risk management should lead to a ________________.
Alignment with business strategy
Control effectiveness
Breakeven point of risk reduction and cost
Patch management process

33. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Owner of the information asset
The database administrator
Hacker
Data warehouse

34. Responsible for securing the information.
The balanced scorecard
Two-factor authentication
The data custodian
Malicious software and spyware

35. Inject malformed input.
Patch management
Control risk
Cross-site scripting attacks
Internal risk assessment

36. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Malicious software and spyware
Residual risk would be reduced by a greater amount
Deeper level of analysis

37. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Deeper level of analysis
Creation of a business continuity plan
Biometric access control systems
Data warehouse

38. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Fault-tolerant computer
Platform security - intrusion detection and antivirus controls
Knowledge management
Gain unauthorized access to applications

39. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Virus detection
Intrusion detection system (IDS)
Information security manager
Protective switch covers

40. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Lack of change management
Equal error rate (EER)
Decentralization
Virus

41. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
MAL wear
Security risk
Aligned with organizational goals
Resource dependency assessment

42. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Tie security risks to key business objectives
Audit objectives
Residual risk would be reduced by a greater amount
MAL wear

43. Occurs when the incoming level
Threat assessment
Power surge/over voltage (spike)
Key risk indicator (KRI) setup
Deeper level of analysis

44. Oversees the overall classification management of the information.
The information security officer
Its ability to reduce or eliminate business risks
Identify the vulnerable systems and apply compensating controls
Support the business objectives of the organization

45. All within the responsibility of the information security manager.
Power surge/over voltage (spike)
Resource dependency assessment
Platform security - intrusion detection and antivirus controls
Waterfall chart

46. Used to understand the flow of one process into another.
Security awareness training for all employees
Audit objectives
Identify the vulnerable systems and apply compensating controls
Waterfall chart

47. Has full responsibility over data.
Resource dependency assessment
The data owner
Threat assessment
Platform security - intrusion detection and antivirus controls

48. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Residual risk would be reduced by a greater amount
Security baselines
Equal error rate (EER)
Protective switch covers

49. Someone who accesses a computer or network illegally
Hacker
The data custodian
Lack of change management
Digital certificate

50. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Threat assessment
Nondisclosure agreement (NDA)
Deeper level of analysis