SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Awareness - training and physical security defenses.
Risk appetite
Overall organizational structure
Examples of containment defenses
Fault-tolerant computer
2. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Monitoring processes
Deeper level of analysis
Access control matrix
3. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Encryption key management
Process of introducing changes to systems
Personal firewall
4. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Asset classification
Breakeven point of risk reduction and cost
Worm
Do with the information it collects
5. Provide metrics to which outsourcing firms can be held accountable.
Support the business objectives of the organization
Performing a risk assessment
Regular review of access control lists
Service level agreements (SLAs)
6. It is easier to manage and control a _________________.
Centralized structure
Power surge/over voltage (spike)
Decentralization
Security risk
7. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Threat assessment
Background checks of prospective employees
Protective switch covers
8. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Its ability to reduce or eliminate business risks
Regular review of access control lists
0-day vulnerabilities
9. Uses security metrics to measure the performance of the information security program.
Monitoring processes
Information security manager
Audit objectives
All personnel
10. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Data classification
Process of introducing changes to systems
Gain unauthorized access to applications
Protective switch covers
11. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Baseline standard and then develop additional standards
Strategic alignment of security with business objectives
Tailgating
Security risk
12. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Alignment with business strategy
Data isolation
The data owner
13. Normally addressed through antivirus and antispyware policies.
Developing an information security baseline
Defining high-level business security requirements
Malicious software and spyware
Role-based access control
14. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Owner of the information asset
Control effectiveness
Conduct a risk assessment
Overall organizational structure
15. Only valid if assets have first been identified and appropriately valued.
The data custodian
Annual loss expectancy (ALE)calculations
Resource dependency assessment
Is willing to accept
16. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Safeguards over keys
All personnel
The information security officer
Comparison of cost of achievement
17. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Countermeasure cost-benefit analysis
Data owners
IP address packet filtering
Do with the information it collects
18. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Role-based access control
Control effectiveness
The data custodian
Digital signatures
19. All within the responsibility of the information security manager.
Process of introducing changes to systems
Security awareness training for all employees
Platform security - intrusion detection and antivirus controls
The authentication process is broken
20. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Cost of control
Tailgating
Calculating the value of the information or asset
All personnel
21. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Baseline standard and then develop additional standards
Single sign-on (SSO) product
Risk management and the requirements of the organization
Data warehouse
22. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Calculating the value of the information or asset
Knowledge management
Well-defined roles and responsibilities
23. Applications cannot access data associated with other apps
Data isolation
OBusiness case development
Script kiddie
Risk assessment - evaluation and impact analysis
24. Should be a standard requirement for the service provider.
Cost of control
Methodology used in the assessment
Background check
Safeguards over keys
25. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Performing a risk assessment
Aligned with organizational goals
Threat assessment
Key risk indicator (KRI) setup
26. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Spoofing attacks
The authentication process is broken
Gap analysis
include security responsibilities in a job description
27. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Baseline standard and then develop additional standards
Annually or whenever there is a significant change
Risk appetite
28. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Centralization of information security management
Risk management and the requirements of the organization
Continuous monitoring control initiatives
Lack of change management
29. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Baseline standard and then develop additional standards
Continuous analysis - monitoring and feedback
Data mart
Data isolation
30. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Malicious software and spyware
Properly aligned with business goals and objectives
Information security manager
Equal error rate (EER)
31. Occurs when the incoming level
Annually or whenever there is a significant change
Power surge/over voltage (spike)
Rule-based access control
Detection defenses
32. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Centralization of information security management
Defining and ratifying the classification structure of information assets
Control risk
BIA (Business Impact Assessment
33. By definition are not previously known and therefore are undetectable.
Negotiating a local version of the organization standards
0-day vulnerabilities
Gap analysis
Data owners
34. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Defined objectives
Tie security risks to key business objectives
The information security officer
Continuous analysis - monitoring and feedback
35. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Transmit e-mail messages
Identify the vulnerable systems and apply compensating controls
Nondisclosure agreement (NDA)
Audit objectives
36. Involves the correction of software weaknesses and would necessarily follow change management procedures.
OBusiness case development
Continuous monitoring control initiatives
Patch management
Role-based access control
37. Without _____________________ - there cannot be accountability.
Annually or whenever there is a significant change
Well-defined roles and responsibilities
Trusted source
Knowledge management
38. Most effective for evaluating the degree to which information security objectives are being met.
Access control matrix
Role-based access control
Prioritization
The balanced scorecard
39. Has full responsibility over data.
What happened and how the breach was resolved
The data owner
BIA (Business Impact Assessment
include security responsibilities in a job description
40. Programs that act without a user's knowledge and deliberately alter a computer's operations
Continuous monitoring control initiatives
MAL wear
include security responsibilities in a job description
Control risk
41. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Classification of assets needs
Get senior management onboard
Trojan horse
Spoofing attacks
42. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Resource dependency assessment
Risk appetite
Well-defined roles and responsibilities
43. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control effectiveness
Information contained on the equipment
Control risk
Total cost of ownership (TCO)
44. The job of the information security officer on a management team is to ___________________.
Assess the risks to the business operation
A network vulnerability assessment
Continuous monitoring control initiatives
Is willing to accept
45. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Support the business objectives of the organization
Gap analysis
Use of security metrics
46. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Information contained on the equipment
Annually or whenever there is a significant change
Prioritization
47. Useful but only with regard to specific technical skills.
The data owner
Normalization
Detection defenses
Proficiency testing
48. Utility program that detects and protects a personal computer from unauthorized intrusions
Malicious software and spyware
Personal firewall
Encryption key management
The awareness and agreement of the data subjects
49. Should be determined from the risk assessment results.
Intrusion detection system (IDS)
Equal error rate (EER)
Audit objectives
Notifications and opt-out provisions
50. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Classification of assets needs
Equal error rate (EER)
Confidentiality
Lack of change management