Test your basic knowledge |

CISM: Certified Information Security Manager

Instructions:
  • Answer 50 questions in 15 minutes.
  • If you are not ready to take this test, you can study here.
  • Match each statement with the correct term.
  • Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.






2. Ensures that there are no scalability problems.






3. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing






4. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.






5. Whenever personal data are transferred across national boundaries; ________________________ are required.






6. The PRIMARY goal in developing an information security strategy is to: _________________________.






7. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.






8. A key indicator of performance measurement.






9. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.






10. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network






11. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.






12. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.






13. Utility program that detects and protects a personal computer from unauthorized intrusions






14. Occurs when the incoming level






15. Only valid if assets have first been identified and appropriately valued.






16. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.






17. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are






18. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.


19. Most effective for evaluating the degree to which information security objectives are being met.






20. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.






21. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.






22. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.






23. To identify known vulnerabilities based on common misconfigurations and missing updates.






24. Useful but only with regard to specific technical skills.






25. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.






26. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.






27. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.






28. Should PRIMARILY be based on regulatory and legal requirements.






29. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.






30. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.






31. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works






32. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.






33. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.






34. Provide metrics to which outsourcing firms can be held accountable.






35. Uses security metrics to measure the performance of the information security program.






36. The best measure for preventing the unauthorized disclosure of confidential information.






37. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.






38. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.






39. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.






40. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -






41. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but






42. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.






43. New security ulnerabilities should be managed through a ________________.






44. Occurs after the risk assessment process - it does not measure it.






45. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.






46. The primary role of the information security manager in the process of information classification within the organization.






47. An information security manager has to impress upon the human resources department the need for _____________________.






48. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.






49. ecurity design flaws require a ____________________.






50. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.