Test your basic knowledge |

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.






2. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.






3. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.






4. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.






5. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.






6. Without _____________________ - there cannot be accountability.






7. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.






8. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.






9. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but






10. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.






11. Program that hides within or looks like a legit program






12. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.






13. S small warehouse - designed for the end-user needs in a strategic business unit






14. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.






15. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.






16. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.






17. Should be performed to identify the risk and determine needed controls.






18. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.






19. Primarily reduce risk and are most effective for the protection of information assets.






20. Change management controls the _____________________. This is often the point at which a weakness will be introduced.






21. BEST option to improve accountability for a system administrator is to _____________________.






22. Involves the correction of software weaknesses and would necessarily follow change management procedures.






23. Someone who accesses a computer or network illegally






24. An information security manager has to impress upon the human resources department the need for _____________________.






25. It is easier to manage and control a _________________.






26. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.






27. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.






28. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.






29. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.






30. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.






31. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.






32. Accesses a computer or network illegally






33. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.






34. A function of the session keys distributed by the PKI.






35. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.






36. Should be a standard requirement for the service provider.






37. A process that helps organizations manipulate important knowledge that is part of the orgs. memory






38. The data owner is responsible for _______________________.






39. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i






40. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.






41. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.






42. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.






43. Useful but only with regard to specific technical skills.






44. Used to understand the flow of one process into another.






45. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.






46. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.






47. Ensure that transmitted information can be attributed to the named sender.






48. Occurs when the incoming level






49. Provides strong online authentication.






50. Carries out the technical administration.