Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Transmit e-mail messages
Annual loss expectancy (ALE)calculations
Threat assessment

2. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Encryption
Logon banners
Lack of change management
Virus detection

3. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Patch management process
Data mart
Role-based policy
Cyber extortionist

4. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Return on security investment (ROSI)
Two-factor authentication
Logon banners
Undervoltage (brownout)

5. Would protect against spoofing an internal address but would not provide strong authentication.
Conduct a risk assessment
Encryption
The board of directors and senior management
IP address packet filtering

6. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Aligned with organizational goals
Reduce risk to an acceptable level
Get senior management onboard

7. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Virus detection
Single sign-on (SSO) product
Tie security risks to key business objectives
Countermeasure cost-benefit analysis

8. Inject malformed input.
Cross-site scripting attacks
Undervoltage (brownout)
Cost of control
A network vulnerability assessment

9. Has full responsibility over data.
Data owners
The data owner
Knowledge management
Aligned with organizational goals

10. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Certificate authority (CA)
Assess the risks to the business operation
Transferred risk
The authentication process is broken

11. Ensures that there are no scalability problems.
Process of introducing changes to systems
Owner of the information asset
Role-based policy
Stress testing

12. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Cyber terrorist
Tailgating
Countermeasure cost-benefit analysis

13. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Public key infrastructure (PKI)
Equal error rate (EER)
Control risk
Strategic alignment of security with business objectives

14. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Calculating the value of the information or asset
Proficiency testing
Strategic alignment of security with business objectives
Access control matrix

15. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
The board of directors and senior management
Identify the vulnerable systems and apply compensating controls
Conduct a risk assessment
Intrusion detection system (IDS)

16. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis - monitoring and feedback
Centralization of information security management
Lack of change management
The database administrator

17. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Decentralization
Audit objectives
Defining high-level business security requirements
Performing a risk assessment

18. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
Asset classification
Key risk indicator (KRI) setup
Annually or whenever there is a significant change

19. BEST option to improve accountability for a system administrator is to _____________________.
Methodology used in the assessment
Breakeven point of risk reduction and cost
include security responsibilities in a job description
Strategic alignment of security with business objectives

20. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Certificate authority (CA)
Impractical and is often cost-prohibitive
Owner of the information asset
A network vulnerability assessment

21. Accesses a computer or network illegally
MAL wear
Do with the information it collects
Security baselines
Cracker

22. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Annually or whenever there is a significant change
Monitoring processes
Retention of business records
What happened and how the breach was resolved

23. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
All personnel
Data isolation
Spoofing attacks
Security awareness training for all employees

24. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Rule-based access control
Creation of a business continuity plan
Skills inventory
Information security manager

25. Computer that has duplicate components so it can continue to operate when one of its main components fail
Phishing
Information security manager
Breakeven point of risk reduction and cost
Fault-tolerant computer

26. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Encryption key management
Deeper level of analysis
Information security manager

27. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Get senior management onboard
Negotiating a local version of the organization standards
Prioritization
Information security manager

28. Reducing risk to a level too small to measure is _______________.
Methodology used in the assessment
Do with the information it collects
Impractical and is often cost-prohibitive
Requirements of the data owners

29. Cannot be minimized
Platform security - intrusion detection and antivirus controls
Inherent risk
Fault-tolerant computer
Logon banners

30. A risk assessment should be conducted _________________.
Gain unauthorized access to applications
Detection defenses
Continuous analysis - monitoring and feedback
Annually or whenever there is a significant change

31. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Defining and ratifying the classification structure of information assets
Decentralization
Trusted source

32. Should be a standard requirement for the service provider.
Background check
People
Creation of a business continuity plan
Logon banners

33. S small warehouse - designed for the end-user needs in a strategic business unit
Properly aligned with business goals and objectives
Data mart
Calculating the value of the information or asset
Data classification

34. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
Notifications and opt-out provisions
The data owner
Personal firewall

35. Oversees the overall classification management of the information.
The information security officer
Protective switch covers
Return on security investment (ROSI)
Risk management and the requirements of the organization

36. Uses security metrics to measure the performance of the information security program.
Normalization
Undervoltage (brownout)
Equal error rate (EER)
Information security manager

37. The MOST useful way to describe the objectives in the information security strategy is through ______________________.

38. A Successful risk management should lead to a ________________.
Defined objectives
The board of directors and senior management
Breakeven point of risk reduction and cost
Total cost of ownership (TCO)

39. Someone who accesses a computer or network illegally
Confidentiality
Hacker
Rule-based access control
Countermeasure cost-benefit analysis

40. By definition are not previously known and therefore are undetectable.
0-day vulnerabilities
Lack of change management
Strategic alignment of security with business objectives
Data owners

41. provides the most effective protection of data on mobile devices.
Malicious software and spyware
Risk appetite
Encryption
OBusiness case development

42. Focuses on identifying vulnerabilities.
Control effectiveness
Penetration testing
Properly aligned with business goals and objectives
Worm

43. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Use of security metrics
Conduct a risk assessment
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Retention of business records

44. Ensure that transmitted information can be attributed to the named sender.
Role-based policy
Digital signatures
Use of security metrics
Knowledge management

45. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Security baselines
Is willing to accept
Spoofing attacks
Normalization

46. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gain unauthorized access to applications
Defining and ratifying the classification structure of information assets
0-day vulnerabilities
Classification of assets needs

47. The MOST important element of an information security strategy.
Data owners
Patch management
Defined objectives
Fault-tolerant computer

48. Provides process needs but not impact.
Negotiating a local version of the organization standards
Support the business objectives of the organization
Script kiddie
Resource dependency assessment

49. Identification and _______________ of business risk enables project managers to address areas with most significance.
Classification of assets needs
Prioritization
A network vulnerability assessment
Role-based policy

50. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Attributes and characteristics of the 'desired state'
The database administrator
Biometric access control systems