SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Focuses on identifying vulnerabilities.
Attributes and characteristics of the 'desired state'
Penetration testing
Normalization
Centralized structure
2. Ensure that transmitted information can be attributed to the named sender.
Cyber terrorist
Compliance with the organization's information security requirements
What happened and how the breach was resolved
Digital signatures
3. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Residual risk
Continuous analysis - monitoring and feedback
Internal risk assessment
Encryption of the hard disks
4. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
Notifications and opt-out provisions
Gain unauthorized access to applications
Trusted source
5. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Tailgating
Skills inventory
Role-based access control
Security baselines
6. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Service level agreements (SLAs)
Data owners
Increase business value and confidence
Safeguards over keys
7. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Trusted source
Classification of assets needs
Methodology used in the assessment
Cyber extortionist
8. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Reduce risk to an acceptable level
Intrusion detection system (IDS)
Phishing
Decentralization
9. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Detection defenses
Defining high-level business security requirements
Virus
All personnel
10. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
MAL wear
Owner of the information asset
Biometric access control systems
Conduct a risk assessment
11. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Threat assessment
Safeguards over keys
Role-based access control
12. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Audit objectives
Exceptions to policy
Properly aligned with business goals and objectives
Notifications and opt-out provisions
13. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Consensus on risks and controls
Examples of containment defenses
Virus
Impractical and is often cost-prohibitive
14. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
SWOT analysis
Role-based access control
Countermeasure cost-benefit analysis
Virus detection
15. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Do with the information it collects
Lack of change management
Safeguards over keys
Performing a risk assessment
16. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Knowledge management
Virus detection
Calculating the value of the information or asset
BIA (Business Impact Assessment
17. Provides process needs but not impact.
Resource dependency assessment
Is willing to accept
Access control matrix
Data owners
18. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
SWOT analysis
Performing a risk assessment
Data owners
Alignment with business strategy
19. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
MAL wear
Comparison of cost of achievement
Equal error rate (EER)
Control risk
20. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Consensus on risks and controls
Defining high-level business security requirements
Key risk indicator (KRI) setup
Gain unauthorized access to applications
21. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Proficiency testing
Conduct a risk assessment
Breakeven point of risk reduction and cost
Trojan horse
22. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Consensus on risks and controls
Data classification
Cyber terrorist
Safeguards over keys
23. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Resource dependency assessment
Return on security investment (ROSI)
Fault-tolerant computer
Malicious software and spyware
24. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Phishing
Tailgating
Performing a risk assessment
Lack of change management
25. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Key controls
Regular review of access control lists
Encryption key management
26. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Use of security metrics
Public key infrastructure (PKI)
Role-based access control
The board of directors and senior management
27. Responsible for securing the information.
Worm
Logon banners
Identify the relevant systems and processes
The data custodian
28. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
People
Regular review of access control lists
Prioritization
Encryption of the hard disks
29. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Cyber terrorist
Well-defined roles and responsibilities
OBusiness case development
Attributes and characteristics of the 'desired state'
30. Culture has a significant impact on how information security will be implemented in a ______________________.
Fault-tolerant computer
Multinational organization
Rule-based access control
Process of introducing changes to systems
31. Provide metrics to which outsourcing firms can be held accountable.
Impractical and is often cost-prohibitive
Service level agreements (SLAs)
Gain unauthorized access to applications
Risk management and the requirements of the organization
32. Only valid if assets have first been identified and appropriately valued.
Residual risk would be reduced by a greater amount
Annual loss expectancy (ALE)calculations
Encryption
Developing an information security baseline
33. New security ulnerabilities should be managed through a ________________.
Security code reviews for the entire software application
Virus
Patch management process
Cyber extortionist
34. Programs that act without a user's knowledge and deliberately alter a computer's operations
Residual risk
Retention of business records
Conduct a risk assessment
MAL wear
35. The PRIMARY goal in developing an information security strategy is to: _________________________.
Detection defenses
Gain unauthorized access to applications
Support the business objectives of the organization
Cost of control
36. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Role-based policy
Patch management
Classification of assets needs
Encryption key management
37. An information security manager has to impress upon the human resources department the need for _____________________.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Is willing to accept
Regular review of access control lists
Security awareness training for all employees
38. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Examples of containment defenses
Centralized structure
Regular review of access control lists
Information security manager
39. Should be performed to identify the risk and determine needed controls.
Decentralization
Internal risk assessment
Risk assessment - evaluation and impact analysis
Proficiency testing
40. Company or person you believe will not send a virus-infect file knowingly
Trusted source
Cross-site scripting attacks
Alignment with business strategy
Compliance with the organization's information security requirements
41. provides the most effective protection of data on mobile devices.
The authentication process is broken
Encryption
The information security officer
Increase business value and confidence
42. A risk assessment should be conducted _________________.
Service level agreements (SLAs)
Breakeven point of risk reduction and cost
Annually or whenever there is a significant change
Proficiency testing
43. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
People
Public key infrastructure (PKI)
Baseline standard and then develop additional standards
44. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Assess the risks to the business operation
Increase business value and confidence
BIA (Business Impact Assessment
Security risk
45. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Regulatory compliance
Safeguards over keys
Key risk indicator (KRI) setup
Total cost of ownership (TCO)
46. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Developing an information security baseline
Rule-based access control
Tailgating
Assess the risks to the business operation
47. The primary role of the information security manager in the process of information classification within the organization.
Defining and ratifying the classification structure of information assets
Centralized structure
Information security manager
Breakeven point of risk reduction and cost
48. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Continuous monitoring control initiatives
Equal error rate (EER)
Requirements of the data owners
Exceptions to policy
49. BEST option to improve accountability for a system administrator is to _____________________.
0-day vulnerabilities
Threat assessment
Regulatory compliance
include security responsibilities in a job description
50. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Fault-tolerant computer
Increase business value and confidence
Its ability to reduce or eliminate business risks
The database administrator