SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Normalization
Methodology used in the assessment
Monitoring processes
Classification of assets needs
2. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Use of security metrics
Identify the relevant systems and processes
Cyber terrorist
Tailgating
3. Should be performed to identify the risk and determine needed controls.
Its ability to reduce or eliminate business risks
Internal risk assessment
Classification of assets needs
Identify the relevant systems and processes
4. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
0-day vulnerabilities
Negotiating a local version of the organization standards
Prioritization
Classification of assets needs
5. Occurs after the risk assessment process - it does not measure it.
Gap analysis
The balanced scorecard
Use of security metrics
Creation of a business continuity plan
6. Only valid if assets have first been identified and appropriately valued.
Script kiddie
Trojan horse
Annual loss expectancy (ALE)calculations
Normalization
7. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Continuous analysis - monitoring and feedback
Confidentiality
Calculating the value of the information or asset
Tie security risks to key business objectives
8. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Examples of containment defenses
All personnel
The balanced scorecard
Continuous analysis - monitoring and feedback
9. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Cost of control
Trusted source
Biometric access control systems
Tie security risks to key business objectives
10. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Identify the relevant systems and processes
Platform security - intrusion detection and antivirus controls
The data owner
Security risk
11. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
Centralized structure
Consensus on risks and controls
Negotiating a local version of the organization standards
12. The data owner is responsible for _______________________.
Residual risk
Phishing
Logon banners
Applying the proper classification to the data
13. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transmit e-mail messages
Transferred risk
Strategic alignment of security with business objectives
Cracker
14. A method for analyzing and reducing a relational database to its most streamlined form
A network vulnerability assessment
Normalization
Role-based access control
Certificate authority (CA)
15. The best measure for preventing the unauthorized disclosure of confidential information.
Developing an information security baseline
Digital certificate
Acceptable use policies
Total cost of ownership (TCO)
16. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Certificate authority (CA)
The data custodian
Cost of control
17. Utility program that detects and protects a personal computer from unauthorized intrusions
Tailgating
Risk management and the requirements of the organization
Continuous monitoring control initiatives
Personal firewall
18. Provides strong online authentication.
Patch management process
Public key infrastructure (PKI)
The data owner
Personal firewall
19. An information security manager has to impress upon the human resources department the need for _____________________.
Acceptable use policies
Undervoltage (brownout)
Penetration testing
Security awareness training for all employees
20. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Malicious software and spyware
Alignment with business strategy
include security responsibilities in a job description
Use of security metrics
21. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Assess the risks to the business operation
Gap analysis
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Notifications and opt-out provisions
22. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Transmit e-mail messages
Background checks of prospective employees
The awareness and agreement of the data subjects
23. A function of the session keys distributed by the PKI.
Penetration testing
Confidentiality
Virus detection
Breakeven point of risk reduction and cost
24. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Safeguards over keys
Lack of change management
SWOT analysis
Risk appetite
25. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Calculating the value of the information or asset
Risk assessment - evaluation and impact analysis
Security code reviews for the entire software application
Residual risk
26. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Lack of change management
All personnel
Knowledge management
Fault-tolerant computer
27. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Data mart
Encryption key management
Worm
Patch management process
28. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
The information security officer
Creation of a business continuity plan
Equal error rate (EER)
Safeguards over keys
29. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The data custodian
Personal firewall
Calculating the value of the information or asset
The authentication process is broken
30. Inject malformed input.
Safeguards over keys
Alignment with business strategy
Its ability to reduce or eliminate business risks
Cross-site scripting attacks
31. Used to understand the flow of one process into another.
Methodology used in the assessment
Proficiency testing
Waterfall chart
Vulnerability assessment
32. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Cross-site scripting attacks
Nondisclosure agreement (NDA)
Inherent risk
Process of introducing changes to systems
33. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Baseline standard and then develop additional standards
Background check
Asset classification
Examples of containment defenses
34. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Phishing
Comparison of cost of achievement
Biometric access control systems
Security baselines
35. Accesses a computer or network illegally
Strategic alignment of security with business objectives
The information security officer
Data classification
Cracker
36. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Alignment with business strategy
What happened and how the breach was resolved
Centralization of information security management
Safeguards over keys
37. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Requirements of the data owners
Regulatory compliance
Background check
Biometric access control systems
38. Primarily reduce risk and are most effective for the protection of information assets.
Key controls
The database administrator
Platform security - intrusion detection and antivirus controls
Monitoring processes
39. Carries out the technical administration.
Centralized structure
Countermeasure cost-benefit analysis
The awareness and agreement of the data subjects
The database administrator
40. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
41. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Total cost of ownership (TCO)
Virus detection
Prioritization
Penetration testing
42. Involves the correction of software weaknesses and would necessarily follow change management procedures.
The authentication process is broken
Patch management
Process of introducing changes to systems
Background checks of prospective employees
43. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Security baselines
Skills inventory
Identify the vulnerable systems and apply compensating controls
SWOT analysis
44. Applications cannot access data associated with other apps
Total cost of ownership (TCO)
Background check
Risk appetite
Data isolation
45. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Digital signatures
OBusiness case development
Acceptable use policies
Security baselines
46. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Breakeven point of risk reduction and cost
Internal risk assessment
Background checks of prospective employees
Do with the information it collects
47. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Public key infrastructure (PKI)
Classification of assets needs
Calculating the value of the information or asset
Its ability to reduce or eliminate business risks
48. Programs that act without a user's knowledge and deliberately alter a computer's operations
Monitoring processes
MAL wear
Control risk
Well-defined roles and responsibilities
49. It is easier to manage and control a _________________.
Hacker
Centralized structure
Phishing
Nondisclosure agreement (NDA)
50. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Residual risk would be reduced by a greater amount
Platform security - intrusion detection and antivirus controls
Biometric access control systems
Key risk indicator (KRI) setup