Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Applications cannot access data associated with other apps
Data owners
Audit objectives
Data isolation
Is willing to accept
2. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
The balanced scorecard
Spoofing attacks
Comparison of cost of achievement
Power surge/over voltage (spike)
3. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Use of security metrics
Security baselines
Do with the information it collects
Get senior management onboard
4. New security vulnerabilities should be managed through a ________________.
Patch management process
Safeguards over keys
Annually or whenever there is a significant change
Digital signatures
5. Accesses a computer or network illegally
Cracker
Key controls
Increase business value and confidence
Digital signatures
6. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
Defined objectives
BIA (Business Impact Assessment)
Patch management
7. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
Total cost of ownership (TCO)
Lack of change management
Retention of business records
8. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
What happened and how the breach was resolved
Vulnerability assessment
A network vulnerability assessment
9. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Requirements of the data owners
Residual risk would be reduced by a greater amount
Defining high-level business security requirements
Normalization
10. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
SWOT analysis
Exceptions to policy
The awareness and agreement of the data subjects
Cryptographic secure sockets layer (SSL) implementations and short key lengths
11. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Calculating the value of the information or asset
Identify the vulnerable systems and apply compensating controls
Worm
Alignment with business strategy
12. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Vulnerability assessment
Key risk indicator (KRI) setup
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Centralized structure
13. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Use of security metrics
Security risk
Role-based access control
Requirements of the data owners
14. Information security governance models are highly dependent on the _____________________.
The information security officer
Overall organizational structure
Countermeasure cost-benefit analysis
Properly aligned with business goals and objectives
15. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Patch management process
Cracker
Encryption of the hard disks
Tailgating
16. A function of the session keys distributed by the PKI.
Confidentiality
Role-based policy
Information contained on the equipment
BIA (Business Impact Assessment)
17. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Calculating the value of the information or asset
Monitoring processes
Biometric access control systems
Threat assessment
18. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
The awareness and agreement of the data subjects
Well-defined roles and responsibilities
Resource dependency assessment
19. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Resource dependency assessment
Control risk
Residual risk
20. Responsible for securing the information.
Well-defined roles and responsibilities
The data custodian
Owner of the information asset
Threat assessment
21. BEST option to improve accountability for a system administrator is to _____________________.
Include security responsibilities in a job description
The balanced scorecard
Biometric access control systems
Patch management process
22. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Creation of a business continuity plan
Public key infrastructure (PKI)
Regular review of access control lists
Asset classification
23. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Phishing
Centralization of information security management
Negotiating a local version of the organization standards
Data owners
24. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Return on security investment (ROSI)
Requirements of the data owners
Alignment with business strategy
Worm
25. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Examples of containment defenses
Gain unauthorized access to applications
Waterfall chart
Overall organizational structure
26. Should be a standard requirement for the service provider.
Background check
Calculating the value of the information or asset
Process of introducing changes to systems
Biometric access control systems
27. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Two-factor authentication
Security risk
0-day vulnerabilities
28. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Attributes and characteristics of the 'desired state'
Control risk
Stress testing
Security risk
29. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
The balanced scorecard
Patch management process
Stress testing
Developing an information security baseline
30. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Compliance with the organization's information security requirements
Patch management
Intrusion detection system (IDS)
Data mart
31. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Key risk indicator (KRI) setup
Impractical and is often cost-prohibitive
Intrusion detection system (IDS)
Regulatory compliance
32. Awareness - training and physical security defenses.
Security awareness training for all employees
Examples of containment defenses
Script kiddie
Malicious software and spyware
33. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Centralization of information security management
Identify the relevant systems and processes
Worm
Virus
34. The PRIMARY goal in developing an information security strategy is to: _________________________.
Confidentiality
Support the business objectives of the organization
Regular review of access control lists
Identify the vulnerable systems and apply compensating controls
35. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
Consensus on risks and controls
The board of directors and senior management
Is willing to accept
36. Useful but only with regard to specific technical skills.
Resource dependency assessment
Confidentiality
Proficiency testing
Residual risk
37. Ensures that there are no scalability problems.
Patch management
Platform security - intrusion detection and antivirus controls
Malware
Stress testing
38. Programs that act without a user's knowledge and deliberately alter a computer's operations
Power surge/over voltage (spike)
Resource dependency assessment
Malware
Baseline standard and then develop additional standards
39. A repository of historical data organized by subject to support decision makers in the org
The data custodian
Data warehouse
Include security responsibilities in a job description
Data owners
40. Should PRIMARILY be based on regulatory and legal requirements.
Identify the relevant systems and processes
Retention of business records
Control risk
Negotiating a local version of the organization standards
41. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Acceptable use policies
Single sign-on (SSO) product
What happened and how the breach was resolved
Breakeven point of risk reduction and cost
42. A key indicator of performance measurement.
Personal firewall
Strategic alignment of security with business objectives
Public key infrastructure (PKI)
Baseline standard and then develop additional standards
43. Without _____________________ - there cannot be accountability.
Control risk
Well-defined roles and responsibilities
Data mart
Breakeven point of risk reduction and cost
44. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Phishing
Threat assessment
Methodology used in the assessment
45. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
SWOT analysis
Threat assessment
Comparison of cost of achievement
Equal error rate (EER)
46. Occurs when the incoming level
Tie security risks to key business objectives
Continuous monitoring control initiatives
Power surge/over voltage (spike)
Methodology used in the assessment
47. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
The information security officer
Cyber extortionist
Risk management and the requirements of the organization
Background checks of prospective employees
48. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Data owners
Control risk
Normalization
49. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Comparison of cost of achievement
Safeguards over keys
Key controls
Acceptable use policies
50. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Access control matrix
Regular review of access control lists
Data isolation
Continuous analysis - monitoring and feedback