SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Increase business value and confidence
Spoofing attacks
Digital signatures
2. An information security manager has to impress upon the human resources department the need for _____________________.
Defined objectives
Security awareness training for all employees
Digital certificate
Key controls
3. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Penetration testing
Alignment with business strategy
Patch management
Detection defenses
4. A risk assessment should be conducted _________________.
Risk management and the requirements of the organization
Spoofing attacks
Annually or whenever there is a significant change
Nondisclosure agreement (NDA)
5. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Spoofing attacks
All personnel
Performing a risk assessment
Exceptions to policy
6. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
People
Compliance with the organization's information security requirements
The authentication process is broken
Information security manager
7. The most important characteristic of good security policies is that they be ____________________.
Nondisclosure agreement (NDA)
Comparison of cost of achievement
Aligned with organizational goals
Normalization
8. It is easier to manage and control a _________________.
Encryption of the hard disks
Control effectiveness
Centralized structure
Exceptions to policy
9. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Centralized structure
Control effectiveness
OBusiness case development
Regular review of access control lists
10. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Background checks of prospective employees
Nondisclosure agreement (NDA)
Detection defenses
Patch management
11. When the ________________ is more than the cost of the risk - the risk should be accepted.
Rule-based access control
What happened and how the breach was resolved
Cost of control
Single sign-on (SSO) product
12. Needs to define the access rules - which is troublesome and error prone in large organizations.
Key controls
Gap analysis
Reduce risk to an acceptable level
Rule-based access control
13. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Conduct a risk assessment
The board of directors and senior management
Notifications and opt-out provisions
Vulnerability assessment
14. New security ulnerabilities should be managed through a ________________.
Alignment with business strategy
Strategic alignment of security with business objectives
Prioritization
Patch management process
15. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Defined objectives
Transmit e-mail messages
Protective switch covers
Control effectiveness
16. Provide metrics to which outsourcing firms can be held accountable.
Safeguards over keys
Intrusion detection system (IDS)
Patch management process
Service level agreements (SLAs)
17. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Malicious software and spyware
Reduce risk to an acceptable level
Overall organizational structure
SWOT analysis
18. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Requirements of the data owners
Virus
MAL wear
Process of introducing changes to systems
19. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Annual loss expectancy (ALE)calculations
Logon banners
Two-factor authentication
20. Only valid if assets have first been identified and appropriately valued.
Gain unauthorized access to applications
Annual loss expectancy (ALE)calculations
Protective switch covers
Waterfall chart
21. The MOST important element of an information security strategy.
Defined objectives
Internal risk assessment
Tie security risks to key business objectives
Aligned with organizational goals
22. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Lack of change management
Regulatory compliance
Audit objectives
23. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Is willing to accept
Logon banners
Classification of assets needs
Well-defined roles and responsibilities
24. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Security baselines
Cracker
Data warehouse
Decentralization
25. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Overall organizational structure
Residual risk
Do with the information it collects
Data owners
26. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Cyber extortionist
Inherent risk
Spoofing attacks
27. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Monitoring processes
Security baselines
Script kiddie
Defining and ratifying the classification structure of information assets
28. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
People
Monitoring processes
Developing an information security baseline
Prioritization
29. Reducing risk to a level too small to measure is _______________.
Regular review of access control lists
The awareness and agreement of the data subjects
Impractical and is often cost-prohibitive
Digital certificate
30. Program that hides within or looks like a legit program
Transmit e-mail messages
Risk appetite
Single sign-on (SSO) product
Trojan horse
31. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Reduce risk to an acceptable level
Properly aligned with business goals and objectives
Retention of business records
The board of directors and senior management
32. A Successful risk management should lead to a ________________.
Breakeven point of risk reduction and cost
Consensus on risks and controls
Security risk
Trusted source
33. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Logon banners
Background checks of prospective employees
Centralization of information security management
Patch management process
34. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Inherent risk
Transferred risk
Proficiency testing
Baseline standard and then develop additional standards
35. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Reduce risk to an acceptable level
Retention of business records
Protective switch covers
36. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Examples of containment defenses
Gap analysis
Properly aligned with business goals and objectives
Role-based access control
37. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Baseline standard and then develop additional standards
Detection defenses
Information security manager
Notifications and opt-out provisions
38. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Patch management
Fault-tolerant computer
Process of introducing changes to systems
Its ability to reduce or eliminate business risks
39. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Deeper level of analysis
Protective switch covers
Risk management and the requirements of the organization
What happened and how the breach was resolved
40. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Role-based access control
Tailgating
The balanced scorecard
Knowledge management
41. Programs that act without a user's knowledge and deliberately alter a computer's operations
Negotiating a local version of the organization standards
MAL wear
Applying the proper classification to the data
Total cost of ownership (TCO)
42. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Properly aligned with business goals and objectives
Background checks of prospective employees
Attributes and characteristics of the 'desired state'
Continuous monitoring control initiatives
43. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Nondisclosure agreement (NDA)
Risk appetite
Public key infrastructure (PKI)
Developing an information security baseline
44. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Properly aligned with business goals and objectives
Residual risk would be reduced by a greater amount
Countermeasure cost-benefit analysis
Digital signatures
45. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Single sign-on (SSO) product
Creation of a business continuity plan
Process of introducing changes to systems
Spoofing attacks
46. A function of the session keys distributed by the PKI.
Transferred risk
Confidentiality
Classification of assets needs
Creation of a business continuity plan
47. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Transmit e-mail messages
Continuous analysis - monitoring and feedback
Impractical and is often cost-prohibitive
48. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Data isolation
Tie security risks to key business objectives
Information contained on the equipment
Continuous monitoring control initiatives
49. Awareness - training and physical security defenses.
Identify the vulnerable systems and apply compensating controls
Prioritization
Examples of containment defenses
BIA (Business Impact Assessment
50. Cannot be minimized
Identify the relevant systems and processes
Lack of change management
Inherent risk
Certificate authority (CA)
