Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Someone who accesses a computer or network illegally
Is willing to accept
Control risk
Skills inventory
Hacker
2. Requires every access rule to be defined explicitly, which is troublesome and error-prone in large organizations.
Cross-site scripting attacks
Cyber terrorist
Digital signatures
Rule-based access control
3. An effective tool, but it primarily focuses on malicious code from external sources, and only for those applications that are online.
Virus detection
Asset classification
Defining and ratifying the classification structure of information assets
Role-based access control
4. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Encryption of the hard disks
Risk appetite
Requirements of the data owners
5. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Annual loss expectancy (ALE) calculations
Intrusion detection system (IDS)
Information contained on the equipment
The balanced scorecard
6. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information, launch a security exploit, etc.
Script kiddie
The data owner
Cyber extortionist
Use of security metrics
7. All within the responsibility of the information security manager.
Public key infrastructure (PKI)
The board of directors and senior management
Inherent risk
Platform security - intrusion detection and antivirus controls
8. Residual risk is the risk that remains after controls have been applied, i.e. the portion of inherent risk that is not mitigated. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
The data owner
Owner of the information asset
Script kiddie
9. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Resource dependency assessment
Risk assessment - evaluation and impact analysis
The information security officer
Identify the relevant systems and processes
10. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures, but not in their prioritization.
Creation of a business continuity plan
include security responsibilities in a job description
Conduct a risk assessment
Tailgating
11. Carries out the technical administration.
The database administrator
Access control matrix
Control effectiveness
Requirements of the data owners
12. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Malicious software and spyware
Undervoltage (brownout)
Cyber terrorist
13. Most effective in providing reasonable assurance that physical access controls are being complied with for an unmanned server room protected by biometric devices.
Regular review of access control lists
Confidentiality
Breakeven point of risk reduction and cost
Alignment with business strategy
14. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Residual risk
People
Alignment with business strategy
Applying the proper classification to the data
15. Information security governance models are highly dependent on the _____________________.
Overall organizational structure
A network vulnerability assessment
Security risk
Exceptions to policy
16. The data owner is responsible for _______________________.
BIA (Business Impact Analysis)
All personnel
Use of security metrics
Applying the proper classification to the data
17. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Classification of assets needs
Role-based policy
Two-factor authentication
18. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it establishes a cost baseline and must be considered for the full life cycle of the control.
Gain unauthorized access to applications
Total cost of ownership (TCO)
Intrusion detection system (IDS)
Retention of business records
19. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Identify the vulnerable systems and apply compensating controls
Certificate authority (CA)
Baseline standard and then develop additional standards
20. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Regulatory compliance
Do with the information it collects
Trojan horse
21. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Identify the vulnerable systems and apply compensating controls
Alignment with business strategy
Security risk
Breakeven point of risk reduction and cost
22. Useful but only with regard to specific technical skills.
Security awareness training for all employees
Proficiency testing
Well-defined roles and responsibilities
Security risk
23. Only valid if assets have first been identified and appropriately valued.
Transferred risk
Annual loss expectancy (ALE) calculations
Digital signatures
Logon banners
24. Can be a standalone driver for an information security governance measure. No further analysis or justification is required, since the entity has no choice in the regulatory requirements.
Tailgating
People
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Regulatory compliance
25. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Resource dependency assessment
Gain unauthorized access to applications
Patch management
26. A repository of historical data organized by subject to support decision makers in the organization.
Residual risk would be reduced by a greater amount
Encryption of the hard disks
Support the business objectives of the organization
Data warehouse
27. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Regulatory compliance
Gap analysis
The data custodian
28. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID in the URL used for accessing the account. It means _____________.
Stress testing
Risk appetite
Get senior management onboard
The authentication process is broken
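The flaw in question 28 is easier to recognise in code than in prose. The following is an added example written for this page, not code from the original quiz or from any real application: a toy account handler that reproduces the flaw (the record served is whichever `emp_id` the client names in the URL) beside a hardened version that binds the URL parameter to the authenticated session. The employee records, the `Session` class, the `emp_id` parameter name and the `employee`/`hr` role names are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample employee records; IDs and fields are invented for this example.
EMPLOYEES = {
    101: {"name": "A. Lovelace", "salary": 91000},
    102: {"name": "G. Hopper", "salary": 98000},
}


@dataclass(frozen=True)
class Session:
    """Authenticated identity as established at login, never taken from the URL."""
    user_id: int
    role: str  # hypothetical role names: "employee" or "hr"


def employee_id_from_url(url: str) -> int:
    """Extract the (untrusted) employee ID from a URL such as /account?emp_id=102."""
    query = parse_qs(urlparse(url).query)
    try:
        return int(query["emp_id"][0])
    except (KeyError, IndexError, ValueError):
        raise ValueError("missing or malformed emp_id")


def get_account_vulnerable(session: Optional[Session], url: str) -> dict:
    """The flaw from the question: login is checked, but the record returned is
    whichever one the client names in the URL, so any logged-in user can read
    every employee's account simply by changing emp_id."""
    if session is None:
        raise PermissionError("login required")
    return EMPLOYEES[employee_id_from_url(url)]


def is_authorized(session: Session, requested_id: int) -> bool:
    """Authorization decision: an employee may read only their own record;
    the hypothetical 'hr' role may read any record."""
    return session.role == "hr" or session.user_id == requested_id


def get_account_fixed(session: Optional[Session], url: str) -> dict:
    """Hardened handler: the identifier in the URL is treated as untrusted input
    and checked against the authenticated identity before any data is read."""
    if session is None:
        raise PermissionError("login required")
    requested_id = employee_id_from_url(url)
    record = EMPLOYEES.get(requested_id)
    # Same response for "not yours" and "does not exist" so that valid IDs
    # cannot be enumerated by probing the error messages.
    if record is None or not is_authorized(session, requested_id):
        raise PermissionError("account not found")
    return record
```

The hardened version makes the point of the question concrete: the authentication step was never missing, but the handler trusted a client-controlled identifier to decide whose data to return. The fix is an explicit authorization check tied to the session, and a response that does not reveal whether the requested ID exists.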
29. Security design flaws require a ____________________.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Aligned with organizational goals
Cross-site scripting attacks
Deeper level of analysis
30. Identification and _______________ of business risk enables project managers to address areas with most significance.
Prioritization
Strategic alignment of security with business objectives
Methodology used in the assessment
Single sign-on (SSO) product
31. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Reduce risk to an acceptable level
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Worm
Resource dependency assessment
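Question 31 describes the consequence (sniffed traffic, cracked keys) but not what a practitioner actually checks for. The following is an added example written for this page, not code from the quiz or from any product: a small audit of a Python `ssl.SSLContext` that reports the conditions behind the question (a minimum protocol version below TLS 1.2, cipher suites with short keys or deprecated algorithms, and hostname verification switched off), next to a hardened client context that passes the audit. The list of weak-algorithm markers, the 128-bit key floor and the `LEGACY_CIPHERS` sample (shaped like `SSLContext.get_ciphers()` output) are assumptions constructed for the example, not a complete policy.

```python
import ssl

# Assumed baseline: substrings of cipher names a practitioner would reject today.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "EXP-", "ANON")
MIN_KEY_BITS = 128  # assumed floor for symmetric key strength


def cipher_findings(ciphers):
    """Flag weak entries in a list shaped like SSLContext.get_ciphers():
    dicts with at least 'name' and 'strength_bits'."""
    findings = []
    for cipher in ciphers:
        name = cipher["name"]
        bits = cipher.get("strength_bits", 0)
        if bits < MIN_KEY_BITS:
            findings.append(f"{name}: {bits}-bit key is too short")
        if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{name}: deprecated algorithm")
    return findings


def audit_context(ctx: ssl.SSLContext):
    """Audit a live SSLContext for the flaws in the question: old protocol
    versions, short keys and broken ciphers, plus disabled certificate checks."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    findings.extend(cipher_findings(ctx.get_ciphers()))
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that passes the audit: TLS 1.2+, forward-secret AEAD
    suites only, certificate and hostname verification left on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


# Constructed sample imitating get_ciphers() output from an old, permissive server.
LEGACY_CIPHERS = [
    {"name": "RC4-SHA", "protocol": "TLSv1.0", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "TLSv1.0", "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
]


if __name__ == "__main__":
    for finding in cipher_findings(LEGACY_CIPHERS):
        print("legacy:", finding)
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
```

The audit only looks at what the context is willing to negotiate; whether a given peer actually offers something weak is a separate, live check. The point for the question is that "flawed SSL implementations and short key lengths" is a configuration state that can be inspected and failed programmatically, not just a risk to be described.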
32. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Trojan horse
Internal risk assessment
Centralization of information security management
Business case development
33. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results, such as impact from a security incident and required response times.
Baseline standard and then develop additional standards
BIA (Business Impact Analysis)
Compliance with the organization's information security requirements
Lack of change management
34. Should be determined from the risk assessment results.
Audit objectives
IP address packet filtering
The authentication process is broken
Regulatory compliance
35. Program that hides within or looks like a legit program
Total cost of ownership (TCO)
Developing an information security baseline
Trojan horse
Risk appetite
36. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Breakeven point of risk reduction and cost
Classification of assets needs
Nondisclosure agreement (NDA)
Risk management and the requirements of the organization
37. Provides process needs but not impact.
Resource dependency assessment
Cross-site scripting attacks
Do with the information it collects
Background checks of prospective employees
38. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Risk assessment - evaluation and impact analysis
Properly aligned with business goals and objectives
Security awareness training for all employees
Classification of assets needs
39. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Nondisclosure agreement (NDA)
Data owners
Breakeven point of risk reduction and cost
Two-factor authentication
40. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Role-based policy
Data classification
Security baselines
Skills inventory
41. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Spoofing attacks
Biometric access control systems
Tailgating
Patch management
42. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Encryption of the hard disks
Information contained on the equipment
Confidentiality
Cyber terrorist
43. BEST option to improve accountability for a system administrator is to _____________________.
Key risk indicator (KRI) setup
include security responsibilities in a job description
The data owner
The information security officer
44. A Successful risk management should lead to a ________________.
Breakeven point of risk reduction and cost
Worm
Centralization of information security management
Overall organizational structure
45. Focuses on identifying vulnerabilities.
Reduce risk to an acceptable level
Lack of change management
Waterfall chart
Penetration testing
46. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Asset classification
Annual loss expectancy (ALE) calculations
Defining and ratifying the classification structure of information assets
Single sign-on (SSO) product
47. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Retention of business records
Logon banners
Methodology used in the assessment
Acceptable use policies
48. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
IP address packet filtering
Virus
Role-based policy
Virus detection
49. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Centralization of information security management
include security responsibilities in a job description
Skills inventory
The board of directors and senior management
50. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Increase business value and confidence
Gain unauthorized access to applications
Patch management process
Business case development