Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Applications cannot access data associated with other apps
Data isolation
Overall organizational structure
Digital certificate
Cryptographic secure sockets layer (SSL) implementations and short key lengths

2. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
BIA (Business Impact Assessment
Role-based access control
Data isolation
Monitoring processes

3. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Acceptable use policies
Transferred risk
Virus detection
Continuous analysis - monitoring and feedback

4. Occurs when the incoming level
Overall organizational structure
Negotiating a local version of the organization standards
Conduct a risk assessment
Power surge/over voltage (spike)

5. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Gain unauthorized access to applications
A network vulnerability assessment
Security risk

6. Identification and _______________ of business risk enables project managers to address areas with most significance.
Power surge/over voltage (spike)
Transferred risk
Risk management and the requirements of the organization
Prioritization

7. Someone who accesses a computer or network illegally
Hacker
Security awareness training for all employees
Waterfall chart
The balanced scorecard

8. Occurs after the risk assessment process - it does not measure it.
OBusiness case development
Use of security metrics
Owner of the information asset
Public key infrastructure (PKI)

9. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Transmit e-mail messages
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Applying the proper classification to the data

10. Has full responsibility over data.
Attributes and characteristics of the 'desired state'
Developing an information security baseline
The data owner
Deeper level of analysis

11. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
All personnel
Control risk
The information security officer
Data mart

12. S small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Inherent risk
Confidentiality
Service level agreements (SLAs)

13. Programs that act without a user's knowledge and deliberately alter a computer's operations
MAL wear
Annual loss expectancy (ALE)calculations
Inherent risk
Trusted source

14. It is easier to manage and control a _________________.
Creation of a business continuity plan
Centralized structure
Regular review of access control lists
Methodology used in the assessment

15. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Tailgating
MAL wear
Methodology used in the assessment
Support the business objectives of the organization

16. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Background check
People
Transferred risk
Biometric access control systems

17. A Successful risk management should lead to a ________________.
IP address packet filtering
Methodology used in the assessment
Annually or whenever there is a significant change
Breakeven point of risk reduction and cost

18. The PRIMARY goal in developing an information security strategy is to: _________________________.
The board of directors and senior management
People
Support the business objectives of the organization
Security awareness training for all employees

19. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Safeguards over keys
0-day vulnerabilities
Examples of containment defenses

20. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Annual loss expectancy (ALE)calculations
Risk appetite
Tailgating
Fault-tolerant computer

21. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Virus
Stress testing
Risk assessment - evaluation and impact analysis
Personal firewall

22. When defining the information classification policy - the ___________________ need to be identified.
Nondisclosure agreement (NDA)
Calculating the value of the information or asset
Impractical and is often cost-prohibitive
Requirements of the data owners

23. A function of the session keys distributed by the PKI.
Waterfall chart
Encryption key management
Confidentiality
Role-based policy

24. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Data owners
Conduct a risk assessment
Breakeven point of risk reduction and cost
Cross-site scripting attacks

25. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
Control risk
Methodology used in the assessment
Two-factor authentication

26. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Stress testing
Retention of business records
Encryption
OBusiness case development

27. A notice that guarantees a user or a web site is legitimate
Patch management
Lack of change management
Digital certificate
Hacker

28. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Data classification
Countermeasure cost-benefit analysis
Virus detection
Role-based policy

29. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Breakeven point of risk reduction and cost
The board of directors and senior management
Security code reviews for the entire software application

30. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
The authentication process is broken
Virus
Intrusion detection system (IDS)

31. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
Regulatory compliance
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Regular review of access control lists

32. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Control effectiveness
Asset classification
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Exceptions to policy

33. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Malicious software and spyware
Countermeasure cost-benefit analysis
Virus
Spoofing attacks

34. Provides process needs but not impact.
Proficiency testing
Encryption
Knowledge management
Resource dependency assessment

35. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Encryption of the hard disks
Methodology used in the assessment
Phishing
The authentication process is broken

36. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Service level agreements (SLAs)
Security risk
Audit objectives
Role-based policy

37. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Background checks of prospective employees
Virus
Control effectiveness
Detection defenses

38. A method for analyzing and reducing a relational database to its most streamlined form
Normalization
The board of directors and senior management
Public key infrastructure (PKI)
The authentication process is broken

39. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Fault-tolerant computer
Gain unauthorized access to applications
Countermeasure cost-benefit analysis
Knowledge management

40. Company or person you believe will not send a virus-infect file knowingly
Transmit e-mail messages
Reduce risk to an acceptable level
Trusted source
Prioritization

41. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Security awareness training for all employees
include security responsibilities in a job description
Intrusion detection system (IDS)

42. Uses security metrics to measure the performance of the information security program.
Proficiency testing
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Background check
Information security manager

43. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Rule-based access control
OBusiness case development
Continuous analysis - monitoring and feedback
Security code reviews for the entire software application

44. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Creation of a business continuity plan
The awareness and agreement of the data subjects
All personnel

45. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Two-factor authentication
Negotiating a local version of the organization standards
Identify the vulnerable systems and apply compensating controls
Normalization

46. The data owner is responsible for _______________________.
Personal firewall
Applying the proper classification to the data
Overall organizational structure
Data warehouse

47. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Tie security risks to key business objectives
A network vulnerability assessment
Comparison of cost of achievement
The data owner

48. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Cyber terrorist
Information contained on the equipment
Its ability to reduce or eliminate business risks
Certificate authority (CA)

49. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
Equal error rate (EER)
Identify the vulnerable systems and apply compensating controls
Security risk

50. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Background check
Encryption of the hard disks
Aligned with organizational goals
A network vulnerability assessment