Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Uses security metrics to measure the performance of the information security program.
Normalization
All personnel
Spoofing attacks
Information security manager
2. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Defining high-level business security requirements
Encryption key management
Data mart
3. Identification and _______________ of business risk enables project managers to address areas with most significance.
Data isolation
Prioritization
Role-based policy
People
4. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Support the business objectives of the organization
Control risk
Encryption
Centralization of information security management
5. Should be performed to identify the risk and determine needed controls.
Its ability to reduce or eliminate business risks
Stress testing
Virus
Internal risk assessment
6. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Skills inventory
Service level agreements (SLAs)
Alignment with business strategy
Patch management process
7. Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Key risk indicator (KRI) setup
Risk appetite
Classification of assets needs
8. Company or person you believe will not knowingly send a virus-infected file
Trusted source
Notifications and opt-out provisions
Data classification
Deeper level of analysis
9. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
Normalization
Exceptions to policy
Centralization of information security management
Continuous monitoring control initiatives
10. Should PRIMARILY be based on regulatory and legal requirements.
Monitoring processes
Decentralization
Retention of business records
Biometric access control systems
11. The risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized.
Assess the risks to the business operation
Annually or whenever there is a significant change
Residual risk
Gap analysis
12. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Trusted source
Encryption key management
Compliance with the organization's information security requirements
13. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Hacker
The board of directors and senior management
Safeguards over keys
Control risk
14. When developing an information security program, _________________ would help identify the available resources, any gaps and the training requirements for developing resources.
Identify the vulnerable systems and apply compensating controls
Skills inventory
Audit objectives
IP address packet filtering
15. Applications cannot access data associated with other apps
Data isolation
Threat assessment
Spoofing attacks
Data classification
16. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Conduct a risk assessment
Applying the proper classification to the data
Role-based access control
17. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works
Power surge/over voltage (spike)
Cyber extortionist
Virus
Attributes and characteristics of the 'desired state'
18. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Inherent risk
Well-defined roles and responsibilities
Centralization of information security management
Threat assessment
19. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Background check
Residual risk would be reduced by a greater amount
Two-factor authentication
Power surge/over voltage (spike)
20. The best measure for preventing the unauthorized disclosure of confidential information.
Support the business objectives of the organization
Data classification
Threat assessment
Acceptable use policies
21. Used to understand the flow of one process into another.
Annual loss expectancy (ALE) calculations
Security risk
Waterfall chart
Encryption of the hard disks
22. The primary role of the information security manager in the process of information classification within the organization.
Defining and ratifying the classification structure of information assets
Lack of change management
Data warehouse
Tie security risks to key business objectives
23. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Threat assessment
Increase business value and confidence
Alignment with business strategy
Internal risk assessment
24. Normally addressed through antivirus and antispyware policies.
The authentication process is broken
Two-factor authentication
Malicious software and spyware
Alignment with business strategy
25. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Role-based access control
Worm
Audit objectives
Assess the risks to the business operation
26. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and it must be considered for the full life cycle of the control.
Trusted source
Total cost of ownership (TCO)
Aligned with organizational goals
Certificate authority (CA)
27. Without _____________________, there cannot be accountability.
Risk management and the requirements of the organization
Spoofing attacks
Well-defined roles and responsibilities
Personal firewall
28. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Tie security risks to key business objectives
Increase business value and confidence
Tailgating
Cryptographic secure sockets layer (SSL) implementations and short key lengths
29. Provide metrics to which outsourcing firms can be held accountable.
The awareness and agreement of the data subjects
Identify the relevant systems and processes
Aligned with organizational goals
Service level agreements (SLAs)
30. May show the performance result of the security related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Centralized structure
Return on security investment (ROSI)
A network vulnerability assessment
Countermeasure cost-benefit analysis
31. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Is willing to accept
Key risk indicator (KRI) setup
Skills inventory
Classification of assets needs
32. A method for analyzing and reducing a relational database to its most streamlined form
A network vulnerability assessment
Cyber terrorist
Conduct a risk assessment
Normalization
33. Culture has a significant impact on how information security will be implemented in a ______________________.
Tailgating
Multinational organization
Nondisclosure agreement (NDA)
Cryptographic secure sockets layer (SSL) implementations and short key lengths
34. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Impractical and is often cost-prohibitive
Deeper level of analysis
Digital certificate
What happened and how the breach was resolved
35. To identify known vulnerabilities based on common misconfigurations and missing updates.
Encryption of the hard disks
A network vulnerability assessment
Identify the vulnerable systems and apply compensating controls
Identify the relevant systems and processes
36. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results, such as impact from a security incident and required response times.
BIA (Business Impact Assessment)
Detection defenses
Malware
The data custodian
37. Program that copies itself repeatedly, using up resources and possibly shutting down the computer or network
Negotiating a local version of the organization standards
Conduct a risk assessment
Reduce risk to an acceptable level
Worm
38. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Business case development
Encryption key management
Patch management
Is willing to accept
39. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Gain unauthorized access to applications
Strategic alignment of security with business objectives
Patch management process
40. Successful risk management should lead to a ________________.
Data classification
Inherent risk
Breakeven point of risk reduction and cost
Classification of assets needs
41. When the ________________ is more than the cost of the risk, the risk should be accepted.
Spoofing attacks
The data owner
Cost of control
Return on security investment (ROSI)
42. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Lack of change management
Resource dependency assessment
Background checks of prospective employees
Regular review of access control lists
43. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Get senior management onboard
Access control matrix
Consensus on risks and controls
44. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Return on security investment (ROSI)
Assess the risks to the business operation
Continuous analysis, monitoring and feedback
Cyber extortionist
45. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.
Protective switch covers
Baseline standard and then develop additional standards
Hacker
Background check
46. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Undervoltage (brownout)
Vulnerability assessment
Patch management
47. Ensures that there are no scalability problems.
Stress testing
Access control matrix
Well-defined roles and responsibilities
Cyber extortionist
48. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
The authentication process is broken
All personnel
What happened and how the breach was resolved
Trojan horse
49. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Knowledge management
Fault-tolerant computer
Information security manager
Key risk indicator (KRI) setup
50. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Normalization
Encryption of the hard disks
What happened and how the breach was resolved
Include security responsibilities in a job description