Test your basic knowledge

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.

1. Provides the most effective protection of data on mobile devices.

2. Will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual's tasks.

3. A key indicator of performance measurement.

4. Addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool.

5. The primary role of the information security manager in the process of information classification within the organization.

6. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.

7. Occurs after the risk assessment process; it does not measure it.

8. Utility program that detects and protects a personal computer from unauthorized intrusions.

9. Computer that has duplicate components so it can continue to operate when one of its main components fails.

10. Oversees the overall classification management of the information.

11. A function of the session keys distributed by the PKI.

12. It is important to achieve ____________________ and obtain inputs from various organizational entities, since security needs to be aligned to the needs of the organization.

13. Change management controls the _____________________. This is often the point at which a weakness will be introduced.

14. Requires a process to verify that the control process worked as intended. Examples such as dual control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.

15. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.

16. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.

17. Provide metrics to which outsourcing firms can be held accountable.

18. Risk should be reduced to a level that an organization _____________.

19. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.

20. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.

21. A repository of historical data organized by subject to support decision makers in the organization.

22. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.

23. The most important characteristic of good security policies is that they be ____________________.

24. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.

25. Same intent as a cracker but does not have the technical skills and knowledge.

26. Whenever personal data are transferred across national boundaries, ________________________ are required.

27. The PRIMARY goal in developing an information security strategy is to _________________________.

28. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.

29. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.

30. Without _____________________, there cannot be accountability.

31. Focuses on identifying vulnerabilities.

32. When developing an information security program, _________________ would help identify the available resources, any gaps and the training requirements for developing resources.

33. Residual risk is unmanaged, i.e. inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.

34. The best measure for preventing the unauthorized disclosure of confidential information.

35. A trusted third party that attests to the identity of the signatory, and reliance will be a function of the level of trust afforded the CA.

36. The MOST important element of an information security strategy.

37. Accesses a computer or network illegally.

38. Normally addressed through antivirus and antispyware policies.

39. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works.

40. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but

41. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.

42. The first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal.

43. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations.

44. When reporting an incident to senior management, the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i

45. Needs to define the access rules, which is troublesome and error prone in large organizations.

46. Should be performed to identify the risk and determine needed controls.

47. A process that helps organizations manipulate important knowledge that is part of the organization's memory.

48. Logging as well as monitoring, measuring, auditing, detecting viruses and intrusion.

49. Useful but only with regard to specific technical skills.

50. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.