Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. It is easier to manage and control a _________________.
Centralized structure
Compliance with the organization's information security requirements
Data classification
Service level agreements (SLAs)

2. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Data mart
Certificate authority (CA)
Cyber extortionist
All personnel

3. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Applying the proper classification to the data
Decentralization
Developing an information security baseline
Inherent risk

4. A function of the session keys distributed by the PKI.
Consensus on risks and controls
Acceptable use policies
Key risk indicator (KRI) setup
Confidentiality

5. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Security risk
Lack of change management
Continuous analysis - monitoring and feedback
Threat assessment

6. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
The database administrator
Script kiddie
Tailgating

7. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Key risk indicator (KRI) setup
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Performing a risk assessment
Personal firewall

8. Culture has a significant impact on how information security will be implemented in a ______________________.
Gap analysis
Virus detection
Multinational organization
Safeguards over keys

9. The job of the information security officer on a management team is to ___________________.
Comparison of cost of achievement
Assess the risks to the business operation
Requirements of the data owners
Two-factor authentication

10. Occurs when the incoming level
Power surge/over voltage (spike)
Owner of the information asset
Attributes and characteristics of the 'desired state'
Tie security risks to key business objectives

11. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
Alignment with business strategy
Phishing
Centralized structure

12. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Continuous analysis - monitoring and feedback
Gain unauthorized access to applications
Centralization of information security management
Undervoltage (brownout)

13. Identification and _______________ of business risk enables project managers to address areas with most significance.
Prioritization
Audit objectives
Vulnerability assessment
Key controls

14. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Platform security - intrusion detection and antivirus controls
Compliance with the organization's information security requirements
Two-factor authentication
Creation of a business continuity plan

15. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Identify the relevant systems and processes
Penetration testing
Intrusion detection system (IDS)
Data warehouse

16. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
A network vulnerability assessment
Asset classification
Notifications and opt-out provisions
Transmit e-mail messages

17. Same intent as a cracker but does not have the technical skills and knowledge
Resource dependency assessment
Retention of business records
Script kiddie
Single sign-on (SSO) product

18. Oversees the overall classification management of the information.
The information security officer
Service level agreements (SLAs)
Digital certificate
Logon banners

19. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Defined objectives
Methodology used in the assessment
Support the business objectives of the organization
Performing a risk assessment

20. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Identify the vulnerable systems and apply compensating controls
Examples of containment defenses
Protective switch covers
Comparison of cost of achievement

21. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Deeper level of analysis
The board of directors and senior management
Get senior management onboard
Service level agreements (SLAs)

22. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Identify the vulnerable systems and apply compensating controls
Key controls
Compliance with the organization's information security requirements

23. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Control risk
Negotiating a local version of the organization standards
Identify the relevant systems and processes

24. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Security baselines
Single sign-on (SSO) product
Classification of assets needs

25. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Classification of assets needs
Security risk
Risk management and the requirements of the organization
Its ability to reduce or eliminate business risks

26. The most important characteristic of good security policies is that they be ____________________.
Aligned with organizational goals
Centralization of information security management
Prioritization
All personnel

27. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Owner of the information asset
Assess the risks to the business operation
The balanced scorecard

28. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Control risk
Gain unauthorized access to applications
Baseline standard and then develop additional standards
Equal error rate (EER)

29. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Encryption
Asset classification
Overall organizational structure
Breakeven point of risk reduction and cost

30. Provides process needs but not impact.
The board of directors and senior management
Worm
Trojan horse
Resource dependency assessment

31. Should be a standard requirement for the service provider.
The data custodian
Security code reviews for the entire software application
Background check
Defined objectives

32. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Two-factor authentication
Total cost of ownership (TCO)
The data owner
Internal risk assessment

33. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Methodology used in the assessment
Total cost of ownership (TCO)
Detection defenses

34. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
0-day vulnerabilities
MAL wear
Transferred risk

35. Useful but only with regard to specific technical skills.
Penetration testing
Proficiency testing
Assess the risks to the business operation
Audit objectives

36. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Platform security - intrusion detection and antivirus controls
Transferred risk
Virus detection

37. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Control effectiveness
SWOT analysis
Risk assessment - evaluation and impact analysis
Reduce risk to an acceptable level

38. Someone who uses the internet or network to destroy or damage computers for political reasons
The database administrator
Residual risk would be reduced by a greater amount
Cyber terrorist
Prioritization

39. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Overall organizational structure
Data owners
Data mart
Lack of change management

40. Most effective for evaluating the degree to which information security objectives are being met.
Tie security risks to key business objectives
BIA (Business Impact Assessment
The balanced scorecard
IP address packet filtering

41. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Increase business value and confidence
Consensus on risks and controls
Inherent risk

42. Program that hides within or looks like a legit program
Overall organizational structure
Trojan horse
Threat assessment
A network vulnerability assessment

43. provides the most effective protection of data on mobile devices.
Negotiating a local version of the organization standards
Encryption
Owner of the information asset
Acceptable use policies

44. The primary role of the information security manager in the process of information classification within the organization.
Reduce risk to an acceptable level
Use of security metrics
The data custodian
Defining and ratifying the classification structure of information assets

45. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Two-factor authentication
Defining high-level business security requirements
Tailgating
Key controls

46. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Inherent risk
Regulatory compliance
Data classification
Countermeasure cost-benefit analysis

47. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
The authentication process is broken
Performing a risk assessment
Virus
Background checks of prospective employees

48. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Information contained on the equipment
Calculating the value of the information or asset
Properly aligned with business goals and objectives
OBusiness case development

49. Would protect against spoofing an internal address but would not provide strong authentication.
Tailgating
The data owner
IP address packet filtering
Data owners

50. Should PRIMARILY be based on regulatory and legal requirements.
Annual loss expectancy (ALE)calculations
Retention of business records
Risk assessment - evaluation and impact analysis
Support the business objectives of the organization