Test your basic knowledge |

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. A risk assessment should be conducted _________________.






2. Only valid if assets have first been identified and appropriately valued.






3. Change management controls the _____________________. This is often the point at which a weakness will be introduced.






4. New security ulnerabilities should be managed through a ________________.






5. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.






6. Occurs when the incoming level






7. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.






8. Has full responsibility over data.






9. Someone who uses the internet or network to destroy or damage computers for political reasons






10. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.






11. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee






12. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -






13. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.






14. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.






15. To identify known vulnerabilities based on common misconfigurations and missing updates.






16. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations






17. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.






18. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability






19. The data owner is responsible for _______________________.






20. Occurs after the risk assessment process - it does not measure it.






21. The PRIMARY goal in developing an information security strategy is to: _________________________.






22. The BEST justification to convince management to invest in an information security program is that doing so would _________________.






23. When defining the information classification policy - the ___________________ need to be identified.






24. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.






25. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.






26. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.






27. The job of the information security officer on a management team is to ___________________.






28. Occurs when the electrical supply drops






29. The best measure and will involve reviewing the entire source code to detect all instances of back doors.






30. Should be a standard requirement for the service provider.






31. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.






32. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.






33. Has to be integrated into the requirements of every software application's design.






34. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.






35. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i






36. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.






37. The primary role of the information security manager in the process of information classification within the organization.






38. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.






39. S small warehouse - designed for the end-user needs in a strategic business unit






40. A repository of historical data organized by subject to support decision makers in the org






41. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree






42. Ensure that transmitted information can be attributed to the named sender.






43. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.






44. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.






45. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.






46. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.






47. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.






48. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but






49. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.






50. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.