Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Regular review of access control lists
Exceptions to policy
Calculating the value of the information or asset
IP address packet filtering

2. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
The database administrator
Penetration testing
Reduce risk to an acceptable level
Information security manager

3. The information security manager needs to prioritize the controls based on ________________________.
Digital signatures
Phishing
Risk management and the requirements of the organization
OBusiness case development

4. Risk should be reduced to a level that an organization _____________.
Proficiency testing
Is willing to accept
Strategic alignment of security with business objectives
Lack of change management

5. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Skills inventory
Cost of control
Acceptable use policies

6. A repository of historical data organized by subject to support decision makers in the org
Lack of change management
Patch management process
Cyber terrorist
Data warehouse

7. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Gain unauthorized access to applications
Information contained on the equipment
include security responsibilities in a job description
Alignment with business strategy

8. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
What happened and how the breach was resolved
Regulatory compliance
Personal firewall
The information security officer

9. Company or person you believe will not send a virus-infect file knowingly
Alignment with business strategy
Calculating the value of the information or asset
The board of directors and senior management
Trusted source

10. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Audit objectives
Vulnerability assessment
Conduct a risk assessment
Personal firewall

11. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Internal risk assessment
Data warehouse
Public key infrastructure (PKI)
Detection defenses

12. provides the most effective protection of data on mobile devices.
MAL wear
Encryption
Annually or whenever there is a significant change
Control effectiveness

13. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Security code reviews for the entire software application
People
Certificate authority (CA)
Return on security investment (ROSI)

14. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Detection defenses
Two-factor authentication
Negotiating a local version of the organization standards
Cracker

15. The most important characteristic of good security policies is that they be ____________________.
Script kiddie
Aligned with organizational goals
Worm
Data owners

16. Occurs after the risk assessment process - it does not measure it.
Personal firewall
Use of security metrics
Asset classification
Data owners

17. A key indicator of performance measurement.
Breakeven point of risk reduction and cost
Security risk
Baseline standard and then develop additional standards
Strategic alignment of security with business objectives

18. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Role-based access control
The data owner
Monitoring processes
Worm

19. Inject malformed input.
Cross-site scripting attacks
Fault-tolerant computer
Data isolation
The authentication process is broken

20. The primary role of the information security manager in the process of information classification within the organization.
Prioritization
Defining and ratifying the classification structure of information assets
Annual loss expectancy (ALE)calculations
Baseline standard and then develop additional standards

21. Whenever personal data are transferred across national boundaries; ________________________ are required.
Residual risk would be reduced by a greater amount
The awareness and agreement of the data subjects
Security risk
Requirements of the data owners

22. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Inherent risk
Multinational organization
Risk management and the requirements of the organization

23. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
Control risk
Risk assessment - evaluation and impact analysis
Creation of a business continuity plan

24. Should be determined from the risk assessment results.
Transmit e-mail messages
Audit objectives
Digital signatures
Regular review of access control lists

25. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Deeper level of analysis
Decentralization
Residual risk
Defining and ratifying the classification structure of information assets

26. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Waterfall chart
Key risk indicator (KRI) setup
Trojan horse

27. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
The board of directors and senior management
Protective switch covers
Consensus on risks and controls

28. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Asset classification
Biometric access control systems
Annually or whenever there is a significant change
Exceptions to policy

29. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Conduct a risk assessment
Control risk
Digital signatures
Assess the risks to the business operation

30. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Regulatory compliance
Notifications and opt-out provisions
Conduct a risk assessment
Comparison of cost of achievement

31. Focuses on identifying vulnerabilities.
Developing an information security baseline
Comparison of cost of achievement
Power surge/over voltage (spike)
Penetration testing

32. Most effective for evaluating the degree to which information security objectives are being met.
Notifications and opt-out provisions
Personal firewall
Skills inventory
The balanced scorecard

33. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
All personnel
What happened and how the breach was resolved
The data custodian

34. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Defining high-level business security requirements
Threat assessment
Countermeasure cost-benefit analysis
Centralized structure

35. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Developing an information security baseline
Deeper level of analysis
Get senior management onboard
Cryptographic secure sockets layer (SSL) implementations and short key lengths

36. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Aligned with organizational goals
Return on security investment (ROSI)
Digital signatures
SWOT analysis

37. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Data warehouse
Aligned with organizational goals
Intrusion detection system (IDS)
Cost of control

38. It is easier to manage and control a _________________.
Personal firewall
Inherent risk
Virus detection
Centralized structure

39. Provides strong online authentication.
Lack of change management
People
Public key infrastructure (PKI)
Control risk

40. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Baseline standard and then develop additional standards
Key controls
Encryption key management

41. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Digital signatures
Defining and ratifying the classification structure of information assets
Fault-tolerant computer
Two-factor authentication

42. A Successful risk management should lead to a ________________.
Breakeven point of risk reduction and cost
Total cost of ownership (TCO)
Vulnerability assessment
Developing an information security baseline

43. Utility program that detects and protects a personal computer from unauthorized intrusions
Spoofing attacks
include security responsibilities in a job description
Personal firewall
Patch management process

44. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Residual risk would be reduced by a greater amount
Compliance with the organization's information security requirements
Security code reviews for the entire software application
Platform security - intrusion detection and antivirus controls

45. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Performing a risk assessment
What happened and how the breach was resolved
Security baselines
The authentication process is broken

46. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Two-factor authentication
Key risk indicator (KRI) setup
Exceptions to policy
Knowledge management

47. A notice that guarantees a user or a web site is legitimate
Performing a risk assessment
The data owner
Background checks of prospective employees
Digital certificate

48. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
Defining high-level business security requirements
Monitoring processes
Use of security metrics

49. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Equal error rate (EER)
Encryption key management
Calculating the value of the information or asset
Transferred risk

50. Occurs when the electrical supply drops
Undervoltage (brownout)
Information security manager
include security responsibilities in a job description
Access control matrix