Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The job of the information security officer on a management team is to ___________________.
Continuous analysis - monitoring and feedback
Assess the risks to the business operation
Fault-tolerant computer
Lack of change management
2. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Classification of assets needs
Attributes and characteristics of the 'desired state'
Personal firewall
Identify the vulnerable systems and apply compensating controls
3. Program that hides within or looks like a legit program
Conduct a risk assessment
Trojan horse
Countermeasure cost-benefit analysis
A network vulnerability assessment
4. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
The authentication process is broken
Increase business value and confidence
Background checks of prospective employees
Cyber extortionist
5. Normally addressed through antivirus and antispyware policies.
Malicious software and spyware
Safeguards over keys
Annual loss expectancy (ALE) calculations
Equal error rate (EER)
6. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Cost of control
Identify the relevant systems and processes
Cross-site scripting attacks
7. New security vulnerabilities should be managed through a ________________.
Patch management process
Strategic alignment of security with business objectives
Intrusion detection system (IDS)
Residual risk
8. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Penetration testing
Retention of business records
Data owners
Consensus on risks and controls
9. Accesses a computer or network illegally
The authentication process is broken
Spoofing attacks
Cracker
Data owners
10. Someone who uses the internet or network to destroy or damage computers for political reasons
Compliance with the organization's information security requirements
Cyber terrorist
Virus detection
Control risk
11. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Patch management process
Security baselines
Trojan horse
Reduce risk to an acceptable level
12. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Platform security - intrusion detection and antivirus controls
Confidentiality
Vulnerability assessment
Identify the relevant systems and processes
13. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Internal risk assessment
Personal firewall
Lack of change management
Transmit e-mail messages
14. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
The data custodian
Hacker
Security baselines
15. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Residual risk would be reduced by a greater amount
SWOT analysis
Centralized structure
Developing an information security baseline
16. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
BIA (Business Impact Assessment)
Monitoring processes
Its ability to reduce or eliminate business risks
Waterfall chart
17. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Trusted source
Exceptions to policy
Two-factor authentication
18. Provides process needs but not impact.
Cost of control
Monitoring processes
Encryption
Resource dependency assessment
19. Ensures that there are no scalability problems.
Tailgating
Stress testing
Baseline standard and then develop additional standards
Single sign-on (SSO) product
20. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Information security manager
Gap analysis
Centralized structure
Intrusion detection system (IDS)
21. Computer that has duplicate components so it can continue to operate when one of its main components fail
The awareness and agreement of the data subjects
Skills inventory
Service level agreements (SLAs)
Fault-tolerant computer
22. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Inherent risk
Worm
Retention of business records
Two-factor authentication
23. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Public key infrastructure (PKI)
Residual risk
Cyber extortionist
Undervoltage (brownout)
24. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Proficiency testing
Monitoring processes
Confidentiality
Script kiddie
25. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gain unauthorized access to applications
Security code reviews for the entire software application
Virus detection
Personal firewall
26. A risk assessment should be conducted _________________.
Support the business objectives of the organization
IP address packet filtering
Encryption key management
Annually or whenever there is a significant change
27. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Encryption of the hard disks
The authentication process is broken
Increase business value and confidence
Get senior management onboard
28. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Platform security - intrusion detection and antivirus controls
Role-based access control
Tailgating
Transferred risk
29. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Personal firewall
Information security manager
Phishing
30. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Tie security risks to key business objectives
Reduce risk to an acceptable level
Centralization of information security management
The data custodian
31. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Two-factor authentication
Protective switch covers
Centralized structure
32. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Detection defenses
Identify the vulnerable systems and apply compensating controls
Baseline standard and then develop additional standards
The authentication process is broken
33. Has to be integrated into the requirements of every software application's design.
Calculating the value of the information or asset
All personnel
Defining and ratifying the classification structure of information assets
Encryption key management
34. Should be a standard requirement for the service provider.
Equal error rate (EER)
Background check
Malware
Data warehouse
35. Ensure that transmitted information can be attributed to the named sender.
Total cost of ownership (TCO)
Digital signatures
Inherent risk
Retention of business records
36. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Power surge/over voltage (spike)
Deeper level of analysis
Business case development
Include security responsibilities in a job description
37. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Transmit e-mail messages
Personal firewall
Exceptions to policy
Intrusion detection system (IDS)
38. All within the responsibility of the information security manager.
Include security responsibilities in a job description
Platform security - intrusion detection and antivirus controls
Deeper level of analysis
Countermeasure cost-benefit analysis
39. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Two-factor authentication
Classification of assets needs
Continuous analysis - monitoring and feedback
Worm
40. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Security baselines
Total cost of ownership (TCO)
Digital certificate
Consensus on risks and controls
41. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Role-based policy
Virus detection
Data warehouse
Personal firewall
42. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Intrusion detection system (IDS)
Notifications and opt-out provisions
Access control matrix
Vulnerability assessment
43. Should be determined from the risk assessment results.
Audit objectives
Include security responsibilities in a job description
Total cost of ownership (TCO)
The database administrator
44. A small warehouse - designed for the end-user needs in a strategic business unit
Attributes and characteristics of the 'desired state'
Retention of business records
Data mart
People
45. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Calculating the value of the information or asset
Residual risk
The data custodian
Data classification
46. Awareness - training and physical security defenses.
Examples of containment defenses
Total cost of ownership (TCO)
Security code reviews for the entire software application
Alignment with business strategy
47. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Tie security risks to key business objectives
Protective switch covers
Continuous monitoring control initiatives
Return on security investment (ROSI)
48. Primarily reduce risk and are most effective for the protection of information assets.
Spoofing attacks
Defining and ratifying the classification structure of information assets
Key controls
Security code reviews for the entire software application
49. The MOST important element of an information security strategy.
Defined objectives
Retention of business records
What happened and how the breach was resolved
Impractical and is often cost-prohibitive
50. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Risk management and the requirements of the organization
Intrusion detection system (IDS)
Notifications and opt-out provisions
Risk assessment - evaluation and impact analysis