Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Applying the proper classification to the data
Identify the relevant systems and processes
Examples of containment defenses
Return on security investment (ROSI)

2. Someone who accesses a computer or network illegally
Reduce risk to an acceptable level
Hacker
Key risk indicator (KRI) setup
Data warehouse

3. The data owner is responsible for _______________________.
Applying the proper classification to the data
Developing an information security baseline
Support the business objectives of the organization
Baseline standard and then develop additional standards

4. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Waterfall chart
All personnel
Centralization of information security management
Breakeven point of risk reduction and cost

5. The most important characteristic of good security policies is that they be ____________________.
Acceptable use policies
Security code reviews for the entire software application
Centralization of information security management
Aligned with organizational goals

6. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Total cost of ownership (TCO)
Normalization
Gap analysis
Certificate authority (CA)

7. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Multinational organization
Transmit e-mail messages
Key controls
All personnel

8. ecurity design flaws require a ____________________.
Deeper level of analysis
Certificate authority (CA)
Total cost of ownership (TCO)
Patch management process

9. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Monitoring processes
Transmit e-mail messages
Waterfall chart

10. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Conduct a risk assessment
A network vulnerability assessment
Attributes and characteristics of the 'desired state'

11. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Owner of the information asset
Cost of control
Encryption of the hard disks

12. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Requirements of the data owners
Role-based access control
Normalization
Undervoltage (brownout)

13. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
BIA (Business Impact Assessment
The data owner
Trojan horse
Continuous monitoring control initiatives

14. Cannot be minimized
Inherent risk
Monitoring processes
Two-factor authentication
Identify the vulnerable systems and apply compensating controls

15. Focuses on identifying vulnerabilities.
Vulnerability assessment
Deeper level of analysis
Is willing to accept
Penetration testing

16. Uses security metrics to measure the performance of the information security program.
Encryption key management
Do with the information it collects
Annual loss expectancy (ALE)calculations
Information security manager

17. Responsible for securing the information.
The data custodian
Security code reviews for the entire software application
include security responsibilities in a job description
Control risk

18. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Support the business objectives of the organization
Information security manager
include security responsibilities in a job description
OBusiness case development

19. The MOST useful way to describe the objectives in the information security strategy is through ______________________.

20. Should PRIMARILY be based on regulatory and legal requirements.
Access control matrix
Total cost of ownership (TCO)
Role-based policy
Retention of business records

21. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Examples of containment defenses
Retention of business records
Lack of change management

22. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Conduct a risk assessment
Regular review of access control lists
Patch management
Detection defenses

23. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
Continuous analysis - monitoring and feedback
Alignment with business strategy
Risk appetite

24. Awareness - training and physical security defenses.
Examples of containment defenses
Rule-based access control
Attributes and characteristics of the 'desired state'
Resource dependency assessment

25. Same intent as a cracker but does not have the technical skills and knowledge
Well-defined roles and responsibilities
Risk management and the requirements of the organization
Properly aligned with business goals and objectives
Script kiddie

26. Carries out the technical administration.
The database administrator
Do with the information it collects
Script kiddie
include security responsibilities in a job description

27. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Negotiating a local version of the organization standards
Cyber extortionist
Data classification
Patch management

28. Information security governance models are highly dependent on the _____________________.
Conduct a risk assessment
Intrusion detection system (IDS)
Overall organizational structure
Acceptable use policies

29. A key indicator of performance measurement.
Acceptable use policies
The data custodian
Strategic alignment of security with business objectives
Defining high-level business security requirements

30. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
People
The authentication process is broken
The data owner
Vulnerability assessment

31. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Attributes and characteristics of the 'desired state'
Annually or whenever there is a significant change
Classification of assets needs

32. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Confidentiality
Cracker
Developing an information security baseline
Public key infrastructure (PKI)

33. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Creation of a business continuity plan
Phishing
Continuous monitoring control initiatives
Aligned with organizational goals

34. A risk assessment should be conducted _________________.
Alignment with business strategy
Annually or whenever there is a significant change
Data classification
Centralization of information security management

35. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Background checks of prospective employees
The balanced scorecard
Defining high-level business security requirements
Conduct a risk assessment

36. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Centralization of information security management
Examples of containment defenses
Residual risk
Owner of the information asset

37. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Total cost of ownership (TCO)
All personnel
Background check

38. Without _____________________ - there cannot be accountability.
Well-defined roles and responsibilities
People
Information contained on the equipment
Multinational organization

39. Ensures that there are no scalability problems.
Inherent risk
OBusiness case development
Knowledge management
Stress testing

40. Company or person you believe will not send a virus-infect file knowingly
Identify the vulnerable systems and apply compensating controls
Audit objectives
Service level agreements (SLAs)
Trusted source

41. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Gap analysis
Properly aligned with business goals and objectives
Consensus on risks and controls
Defining and ratifying the classification structure of information assets

42. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Acceptable use policies
Cracker
Key risk indicator (KRI) setup
Normalization

43. Computer that has duplicate components so it can continue to operate when one of its main components fail
Personal firewall
Fault-tolerant computer
Exceptions to policy
Data owners

44. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Fault-tolerant computer
Virus detection
Key risk indicator (KRI) setup

45. Ensure that transmitted information can be attributed to the named sender.
Trusted source
Continuous analysis - monitoring and feedback
Worm
Digital signatures

46. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Inherent risk
Gain unauthorized access to applications
Security code reviews for the entire software application
People

47. Someone who uses the internet or network to destroy or damage computers for political reasons
Worm
Control risk
Prioritization
Cyber terrorist

48. Utility program that detects and protects a personal computer from unauthorized intrusions
Performing a risk assessment
Personal firewall
Fault-tolerant computer
Logon banners

49. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Annual loss expectancy (ALE)calculations
Patch management
Classification of assets needs
Background checks of prospective employees

50. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Key risk indicator (KRI) setup
Use of security metrics
Patch management process
Data classification