Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Company or person you believe will not send a virus-infect file knowingly
Baseline standard and then develop additional standards
Spoofing attacks
Single sign-on (SSO) product
Trusted source

2. A risk assessment should be conducted _________________.
Rule-based access control
Annually or whenever there is a significant change
Alignment with business strategy
Properly aligned with business goals and objectives

3. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Encryption of the hard disks
Transmit e-mail messages
Background checks of prospective employees
Impractical and is often cost-prohibitive

4. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Defined objectives
Virus detection
Access control matrix
The awareness and agreement of the data subjects

5. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Access control matrix
Impractical and is often cost-prohibitive
Cyber terrorist
Spoofing attacks

6. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Assess the risks to the business operation
Alignment with business strategy
Encryption key management
Tailgating

7. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Access control matrix
Data classification
Script kiddie
Role-based policy

8. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Proficiency testing
Gap analysis
Cost of control
Annually or whenever there is a significant change

9. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Residual risk would be reduced by a greater amount
Monitoring processes

10. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Key controls
Identify the vulnerable systems and apply compensating controls
Role-based access control
Prioritization

11. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
The database administrator
Virus detection
Lack of change management
Defining high-level business security requirements

12. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Access control matrix
What happened and how the breach was resolved
Negotiating a local version of the organization standards
Use of security metrics

13. The job of the information security officer on a management team is to ___________________.
Assess the risks to the business operation
Acceptable use policies
The balanced scorecard
Deeper level of analysis

14. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Audit objectives
Information security manager
Do with the information it collects
Data isolation

15. Would protect against spoofing an internal address but would not provide strong authentication.
IP address packet filtering
Confidentiality
Encryption of the hard disks
Phishing

16. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Security awareness training for all employees
Service level agreements (SLAs)
Single sign-on (SSO) product

17. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Transmit e-mail messages
Classification of assets needs
Virus
Platform security - intrusion detection and antivirus controls

18. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Digital signatures
Spoofing attacks
Asset classification
The data owner

19. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Normalization
Security risk
SWOT analysis
Security awareness training for all employees

20. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Skills inventory
Monitoring processes
Logon banners
Owner of the information asset

21. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Transferred risk
Risk assessment - evaluation and impact analysis
Personal firewall

22. Provides process needs but not impact.
Exceptions to policy
Resource dependency assessment
Access control matrix
Attributes and characteristics of the 'desired state'

23. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Strategic alignment of security with business objectives
Support the business objectives of the organization
Trusted source
Classification of assets needs

24. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Annually or whenever there is a significant change
Owner of the information asset
Control risk
Cross-site scripting attacks

25. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Defining and ratifying the classification structure of information assets
Threat assessment
Compliance with the organization's information security requirements
Identify the relevant systems and processes

26. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Calculating the value of the information or asset
Audit objectives
Baseline standard and then develop additional standards
Virus detection

27. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Hacker
Virus
Security code reviews for the entire software application

28. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
People
Return on security investment (ROSI)
Waterfall chart
Biometric access control systems

29. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Access control matrix
Defining high-level business security requirements
Nondisclosure agreement (NDA)
Security code reviews for the entire software application

30. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Waterfall chart
Calculating the value of the information or asset
Biometric access control systems
Logon banners

31. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Aligned with organizational goals
Risk assessment - evaluation and impact analysis
Continuous analysis - monitoring and feedback
Cost of control

32. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Data isolation
The information security officer
Skills inventory
Calculating the value of the information or asset

33. Occurs when the electrical supply drops
Overall organizational structure
Proficiency testing
Skills inventory
Undervoltage (brownout)

34. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
0-day vulnerabilities
SWOT analysis
Encryption of the hard disks
Properly aligned with business goals and objectives

35. The primary role of the information security manager in the process of information classification within the organization.
Malicious software and spyware
Annually or whenever there is a significant change
Defining and ratifying the classification structure of information assets
Centralized structure

36. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Use of security metrics
Calculating the value of the information or asset
include security responsibilities in a job description

37. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Personal firewall
Tie security risks to key business objectives
Data isolation
Identify the vulnerable systems and apply compensating controls

38. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
The awareness and agreement of the data subjects
Security baselines
Applying the proper classification to the data

39. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Negotiating a local version of the organization standards
Worm
Two-factor authentication
Risk management and the requirements of the organization

40. By definition are not previously known and therefore are undetectable.
Return on security investment (ROSI)
Continuous monitoring control initiatives
Phishing
0-day vulnerabilities

41. Programs that act without a user's knowledge and deliberately alter a computer's operations
MAL wear
Equal error rate (EER)
Continuous monitoring control initiatives
Cracker

42. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Transmit e-mail messages
Breakeven point of risk reduction and cost
Creation of a business continuity plan
Proficiency testing

43. An information security manager has to impress upon the human resources department the need for _____________________.
Reduce risk to an acceptable level
Information security manager
Calculating the value of the information or asset
Security awareness training for all employees

44. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
Control effectiveness
Decentralization
Aligned with organizational goals

45. Cannot be minimized
Inherent risk
Performing a risk assessment
Virus detection
Equal error rate (EER)

46. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Cost of control
IP address packet filtering
Undervoltage (brownout)

47. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Role-based policy
Comparison of cost of achievement
Do with the information it collects
Countermeasure cost-benefit analysis

48. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Consensus on risks and controls
Nondisclosure agreement (NDA)
Residual risk
Methodology used in the assessment

49. Carries out the technical administration.
Properly aligned with business goals and objectives
Control effectiveness
Compliance with the organization's information security requirements
The database administrator

50. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Logon banners
Encryption key management
Get senior management onboard
Access control matrix