Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times that the answers are obvious, but you will see that it reinforces your understanding as you take the test each time.
1. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Script kiddie
Virus detection
The information security officer
Gap analysis
2. Awareness - training and physical security defenses.
Examples of containment defenses
Hacker
Threat assessment
Exceptions to policy
3. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Certificate authority (CA)
Nondisclosure agreement (NDA)
Inherent risk
Patch management
4. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Countermeasure cost-benefit analysis
Equal error rate (EER)
Stress testing
Tie security risks to key business objectives
5. The data owner is responsible for _______________________.
Deeper level of analysis
Breakeven point of risk reduction and cost
Return on security investment (ROSI)
Applying the proper classification to the data
6. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
7. A Successful risk management should lead to a ________________.
Negotiating a local version of the organization standards
Conduct a risk assessment
The awareness and agreement of the data subjects
Breakeven point of risk reduction and cost
8. Accesses a computer or network illegally
Residual risk
Cracker
Cost of control
Exceptions to policy
9. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Tailgating
Baseline standard and then develop additional standards
Developing an information security baseline
Process of introducing changes to systems
10. A key indicator of performance measurement.
Gain unauthorized access to applications
Script kiddie
Strategic alignment of security with business objectives
Owner of the information asset
11. Risk should be reduced to a level that an organization _____________.
Resource dependency assessment
Biometric access control systems
Threat assessment
Is willing to accept
12. Should PRIMARILY be based on regulatory and legal requirements.
Breakeven point of risk reduction and cost
Single sign-on (SSO) product
Retention of business records
Well-defined roles and responsibilities
13. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Role-based access control
Safeguards over keys
Encryption of the hard disks
include security responsibilities in a job description
14. All within the responsibility of the information security manager.
Key risk indicator (KRI) setup
Spoofing attacks
Continuous monitoring control initiatives
Platform security - intrusion detection and antivirus controls
15. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures - but not in the prioritization.
Spoofing attacks
Residual risk
Creation of a business continuity plan
Process of introducing changes to systems
16. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Monitoring processes
Return on security investment (ROSI)
Detection defenses
Continuous monitoring control initiatives
17. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
18. Programs that act without a user's knowledge and deliberately alter a computer's operations
Requirements of the data owners
Total cost of ownership (TCO)
Malware
Undervoltage (brownout)
19. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Lack of change management
Performing a risk assessment
Get senior management onboard
Cyber extortionist
20. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
Breakeven point of risk reduction and cost
Fault-tolerant computer
A network vulnerability assessment
21. Oversees the overall classification management of the information.
Malicious software and spyware
Defined objectives
The information security officer
Decentralization
22. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Business case development
Consensus on risks and controls
Prioritization
Lack of change management
23. Should be performed to identify the risk and determine needed controls.
Attributes and characteristics of the 'desired state'
Platform security - intrusion detection and antivirus controls
Internal risk assessment
Identify the relevant systems and processes
24. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Data isolation
Continuous monitoring control initiatives
Baseline standard and then develop additional standards
25. Has full responsibility over data.
The data owner
Threat assessment
Centralization of information security management
Undervoltage (brownout)
26. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Identify the vulnerable systems and apply compensating controls
Countermeasure cost-benefit analysis
Control effectiveness
Information security manager
27. Someone who uses the internet or network to destroy or damage computers for political reasons
Exceptions to policy
Security awareness training for all employees
Cyber terrorist
Examples of containment defenses
28. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Encryption key management
Platform security - intrusion detection and antivirus controls
Malicious software and spyware
Regulatory compliance
29. The best measure for preventing the unauthorized disclosure of confidential information.
Intrusion detection system (IDS)
Tie security risks to key business objectives
Acceptable use policies
Performing a risk assessment
30. Identification and _______________ of business risk enables project managers to address areas with most significance.
Service level agreements (SLAs)
Annual loss expectancy (ALE) calculations
include security responsibilities in a job description
Prioritization
31. Normally addressed through antivirus and antispyware policies.
Malicious software and spyware
Proficiency testing
Attributes and characteristics of the 'desired state'
Control risk
32. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
SWOT analysis
Intrusion detection system (IDS)
Data classification
Tailgating
33. When the ________________ is more than the cost of the risk - the risk should be accepted.
Requirements of the data owners
Cost of control
All personnel
Data warehouse
34. Company or person you believe will not knowingly send a virus-infected file
Aligned with organizational goals
The data custodian
Trusted source
Personal firewall
35. By definition are not previously known and therefore are undetectable.
Public key infrastructure (PKI)
Do with the information it collects
Cost of control
0-day vulnerabilities
36. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Security baselines
Data mart
Countermeasure cost-benefit analysis
Data classification
37. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Risk assessment - evaluation and impact analysis
Worm
Comparison of cost of achievement
Examples of containment defenses
38. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Control risk
Data isolation
Tie security risks to key business objectives
Regular review of access control lists
39. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Confidentiality
Impractical and is often cost-prohibitive
Methodology used in the assessment
40. The primary role of the information security manager in the process of information classification within the organization.
Risk assessment - evaluation and impact analysis
The data custodian
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Defining and ratifying the classification structure of information assets
41. Applications cannot access data associated with other apps
Defining and ratifying the classification structure of information assets
Data isolation
The board of directors and senior management
Annually or whenever there is a significant change
42. A repository of historical data organized by subject to support decision makers in the org
Data warehouse
Breakeven point of risk reduction and cost
Reduce risk to an acceptable level
0-day vulnerabilities
43. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Phishing
A network vulnerability assessment
Malicious software and spyware
Centralized structure
44. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Defining high-level business security requirements
include security responsibilities in a job description
Performing a risk assessment
45. To identify known vulnerabilities based on common misconfigurations and missing updates.
Data mart
Waterfall chart
The database administrator
A network vulnerability assessment
46. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Cyber terrorist
Its ability to reduce or eliminate business risks
BIA (Business Impact Assessment)
Countermeasure cost-benefit analysis
47. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Owner of the information asset
Nondisclosure agreement (NDA)
Knowledge management
The data owner
48. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Methodology used in the assessment
Is willing to accept
Skills inventory
Identify the relevant systems and processes
49. Needs to define the access rules - which is troublesome and error prone in large organizations.
0-day vulnerabilities
Patch management process
Rule-based access control
SWOT analysis
50. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Encryption
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Control risk
Use of security metrics