Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Risk assessment - evaluation and impact analysis
The data owner
Information contained on the equipment
Two-factor authentication

2. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Service level agreements (SLAs)
The balanced scorecard
Malicious software and spyware

3. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Fault-tolerant computer
Virus
Classification of assets needs
Monitoring processes

4. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
Information contained on the equipment
Security awareness training for all employees
Centralization of information security management

5. provides the most effective protection of data on mobile devices.
The information security officer
Encryption
Exceptions to policy
Knowledge management

6. Same intent as a cracker but does not have the technical skills and knowledge
Acceptable use policies
Key controls
Data classification
Script kiddie

7. Awareness - training and physical security defenses.
Consensus on risks and controls
Examples of containment defenses
Fault-tolerant computer
Encryption of the hard disks

8. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Data warehouse
Gain unauthorized access to applications
Defined objectives

9. An information security manager has to impress upon the human resources department the need for _____________________.
The board of directors and senior management
Two-factor authentication
Security awareness training for all employees
Cross-site scripting attacks

10. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Nondisclosure agreement (NDA)
Worm
Total cost of ownership (TCO)
Alignment with business strategy

11. Focuses on identifying vulnerabilities.
Methodology used in the assessment
The information security officer
Data warehouse
Penetration testing

12. Provide metrics to which outsourcing firms can be held accountable.
Developing an information security baseline
The data custodian
SWOT analysis
Service level agreements (SLAs)

13. Someone who accesses a computer or network illegally
Transmit e-mail messages
Compliance with the organization's information security requirements
Hacker
Notifications and opt-out provisions

14. A function of the session keys distributed by the PKI.
Safeguards over keys
Confidentiality
Penetration testing
Equal error rate (EER)

15. A key indicator of performance measurement.
Strategic alignment of security with business objectives
Regulatory compliance
Defined objectives
Information contained on the equipment

16. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Residual risk would be reduced by a greater amount
Cross-site scripting attacks
Decentralization
Data warehouse

17. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Encryption key management
Vulnerability assessment
Residual risk
Security baselines

18. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Data owners
Total cost of ownership (TCO)
Access control matrix
Gain unauthorized access to applications

19. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Annually or whenever there is a significant change
0-day vulnerabilities
Consensus on risks and controls
Notifications and opt-out provisions

20. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
OBusiness case development
Spoofing attacks
Worm

21. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Control effectiveness
Power surge/over voltage (spike)
Developing an information security baseline
Biometric access control systems

22. Ensure that transmitted information can be attributed to the named sender.
Countermeasure cost-benefit analysis
The data owner
Internal risk assessment
Digital signatures

23. Someone who uses the internet or network to destroy or damage computers for political reasons
SWOT analysis
Cross-site scripting attacks
Cyber terrorist
Total cost of ownership (TCO)

24. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
The data owner
Annual loss expectancy (ALE)calculations
Internal risk assessment

25. Culture has a significant impact on how information security will be implemented in a ______________________.
Threat assessment
Multinational organization
MAL wear
Risk management and the requirements of the organization

26. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Overall organizational structure
Detection defenses
Power surge/over voltage (spike)
Risk assessment - evaluation and impact analysis

27. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis - monitoring and feedback
Patch management process
Gain unauthorized access to applications
BIA (Business Impact Assessment

28. Should be performed to identify the risk and determine needed controls.
Nondisclosure agreement (NDA)
Internal risk assessment
Comparison of cost of achievement
Its ability to reduce or eliminate business risks

29. Should PRIMARILY be based on regulatory and legal requirements.
Hacker
Virus detection
Data isolation
Retention of business records

30. By definition are not previously known and therefore are undetectable.
Virus
0-day vulnerabilities
Intrusion detection system (IDS)
Multinational organization

31. The best measure for preventing the unauthorized disclosure of confidential information.
Annually or whenever there is a significant change
Encryption of the hard disks
Phishing
Acceptable use policies

32. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Countermeasure cost-benefit analysis
Control risk
Skills inventory
Digital certificate

33. A notice that guarantees a user or a web site is legitimate
Digital signatures
Skills inventory
Digital certificate
Continuous monitoring control initiatives

34. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment - evaluation and impact analysis
Cyber extortionist
Well-defined roles and responsibilities
Patch management

35. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Continuous monitoring control initiatives
Comparison of cost of achievement
Negotiating a local version of the organization standards
Security baselines

36. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Identify the vulnerable systems and apply compensating controls
Patch management
Encryption
Role-based policy

37. To identify known vulnerabilities based on common misconfigurations and missing updates.
Get senior management onboard
Encryption of the hard disks
Assess the risks to the business operation
A network vulnerability assessment

38. Risk should be reduced to a level that an organization _____________.
Background checks of prospective employees
Audit objectives
Is willing to accept
What happened and how the breach was resolved

39. A Successful risk management should lead to a ________________.
Process of introducing changes to systems
Exceptions to policy
Background checks of prospective employees
Breakeven point of risk reduction and cost

40. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
The information security officer
Tailgating
Fault-tolerant computer
Conduct a risk assessment

41. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Cross-site scripting attacks
Baseline standard and then develop additional standards
Exceptions to policy

42. Useful but only with regard to specific technical skills.
Phishing
Identify the relevant systems and processes
Proficiency testing
Tie security risks to key business objectives

43. Normally addressed through antivirus and antispyware policies.
Power surge/over voltage (spike)
Malicious software and spyware
The authentication process is broken
Total cost of ownership (TCO)

44. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Penetration testing
Defining and ratifying the classification structure of information assets
Single sign-on (SSO) product
Regular review of access control lists

45. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Notifications and opt-out provisions
Worm
Continuous monitoring control initiatives
Data mart

46. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Virus
Get senior management onboard
Nondisclosure agreement (NDA)
Biometric access control systems

47. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
People
Data isolation
Lack of change management
Security baselines

48. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
Owner of the information asset
Tailgating
Audit objectives

49. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Support the business objectives of the organization
Examples of containment defenses
The data owner
Process of introducing changes to systems

50. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Reduce risk to an acceptable level
Access control matrix
Residual risk would be reduced by a greater amount
Data owners