Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Ensures that there are no scalability problems.
Examples of containment defenses
The board of directors and senior management
Annually or whenever there is a significant change
Stress testing

2. provides the most effective protection of data on mobile devices.
Encryption
SWOT analysis
Breakeven point of risk reduction and cost
Consensus on risks and controls

3. The most important characteristic of good security policies is that they be ____________________.
Power surge/over voltage (spike)
Aligned with organizational goals
Two-factor authentication
Data isolation

4. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Encryption of the hard disks
Phishing
Cross-site scripting attacks

5. A notice that guarantees a user or a web site is legitimate
Power surge/over voltage (spike)
Digital certificate
Cost of control
Regulatory compliance

6. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Biometric access control systems
Control risk
Assess the risks to the business operation
Tie security risks to key business objectives

7. The primary role of the information security manager in the process of information classification within the organization.
Information contained on the equipment
Annually or whenever there is a significant change
Defining and ratifying the classification structure of information assets
Security baselines

8. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Security code reviews for the entire software application
Detection defenses
Security baselines
The balanced scorecard

9. Inject malformed input.
Monitoring processes
Risk appetite
Cross-site scripting attacks
Trojan horse

10. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Decentralization
Security risk
All personnel
Encryption of the hard disks

11. Should be determined from the risk assessment results.
Classification of assets needs
The data owner
Breakeven point of risk reduction and cost
Audit objectives

12. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Control risk
Developing an information security baseline
Do with the information it collects
Defined objectives

13. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Negotiating a local version of the organization standards
Inherent risk
Monitoring processes

14. Focuses on identifying vulnerabilities.
Developing an information security baseline
Penetration testing
Data classification
Safeguards over keys

15. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Get senior management onboard
Skills inventory
Identify the vulnerable systems and apply compensating controls
Role-based access control

16. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Information contained on the equipment
Aligned with organizational goals
BIA (Business Impact Assessment
Its ability to reduce or eliminate business risks

17. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Skills inventory
Overall organizational structure
Regulatory compliance
Hacker

18. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Personal firewall
Properly aligned with business goals and objectives
The authentication process is broken
Knowledge management

19. Would protect against spoofing an internal address but would not provide strong authentication.
OBusiness case development
Biometric access control systems
IP address packet filtering
The authentication process is broken

20. Whenever personal data are transferred across national boundaries; ________________________ are required.
Security baselines
The awareness and agreement of the data subjects
MAL wear
A network vulnerability assessment

21. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Regular review of access control lists
Reduce risk to an acceptable level
Vulnerability assessment
Well-defined roles and responsibilities

22. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
OBusiness case development
Personal firewall
Alignment with business strategy
Skills inventory

23. Carries out the technical administration.
Assess the risks to the business operation
The database administrator
Examples of containment defenses
Requirements of the data owners

24. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Consensus on risks and controls
Is willing to accept
Identify the relevant systems and processes
Information contained on the equipment

25. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Defining and ratifying the classification structure of information assets
Patch management
Trojan horse
Virus detection

26. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Compliance with the organization's information security requirements
Script kiddie
Virus
Tailgating

27. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Requirements of the data owners
Lack of change management
Gap analysis
Cross-site scripting attacks

28. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Reduce risk to an acceptable level
Waterfall chart
Increase business value and confidence
Calculating the value of the information or asset

29. Cannot be minimized
Power surge/over voltage (spike)
Consensus on risks and controls
Key risk indicator (KRI) setup
Inherent risk

30. Accesses a computer or network illegally
What happened and how the breach was resolved
Cracker
Cost of control
MAL wear

31. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment - evaluation and impact analysis
Safeguards over keys
Security awareness training for all employees
Defined objectives

32. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Control risk
Alignment with business strategy
OBusiness case development

33. Utility program that detects and protects a personal computer from unauthorized intrusions
Countermeasure cost-benefit analysis
Personal firewall
Performing a risk assessment
Nondisclosure agreement (NDA)

34. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Fault-tolerant computer
Examples of containment defenses
Identify the vulnerable systems and apply compensating controls
Get senior management onboard

35. Should be performed to identify the risk and determine needed controls.
Internal risk assessment
Acceptable use policies
All personnel
Hacker

36. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Knowledge management
Personal firewall
Owner of the information asset
The awareness and agreement of the data subjects

37. Has full responsibility over data.
Identify the vulnerable systems and apply compensating controls
Comparison of cost of achievement
Threat assessment
The data owner

38. Reducing risk to a level too small to measure is _______________.
Properly aligned with business goals and objectives
Impractical and is often cost-prohibitive
Assess the risks to the business operation
Creation of a business continuity plan

39. Computer that has duplicate components so it can continue to operate when one of its main components fail
Inherent risk
Tailgating
Service level agreements (SLAs)
Fault-tolerant computer

40. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Penetration testing
Equal error rate (EER)
The balanced scorecard
Breakeven point of risk reduction and cost

41. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Support the business objectives of the organization
Breakeven point of risk reduction and cost
Examples of containment defenses

42. Same intent as a cracker but does not have the technical skills and knowledge
Knowledge management
Service level agreements (SLAs)
Script kiddie
Cyber terrorist

43. A risk assessment should be conducted _________________.
Its ability to reduce or eliminate business risks
Penetration testing
Transmit e-mail messages
Annually or whenever there is a significant change

44. S small warehouse - designed for the end-user needs in a strategic business unit
Skills inventory
Data mart
Compliance with the organization's information security requirements
Lack of change management

45. It is easier to manage and control a _________________.
Data isolation
Transferred risk
Centralized structure
Public key infrastructure (PKI)

46. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Spoofing attacks
Control effectiveness
Cyber extortionist
Hacker

47. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Risk management and the requirements of the organization
Penetration testing
Data classification
Comparison of cost of achievement

48. Only valid if assets have first been identified and appropriately valued.
0-day vulnerabilities
Security baselines
Annual loss expectancy (ALE)calculations
Two-factor authentication

49. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Key controls
Baseline standard and then develop additional standards
Trojan horse
Lack of change management

50. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Multinational organization
Asset classification
Support the business objectives of the organization