Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Provides the most effective protection of data on mobile devices.
Encryption
Audit objectives
Applying the proper classification to the data
Virus detection
2. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Role-based policy
Phishing
Detection defenses
Trojan horse
3. A key indicator of performance measurement.
Strategic alignment of security with business objectives
Equal error rate (EER)
Vulnerability assessment
SWOT analysis
4. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Malware
Regular review of access control lists
SWOT analysis
Normalization
5. The primary role of the information security manager in the process of information classification within the organization.
Consensus on risks and controls
Defining and ratifying the classification structure of information assets
Control effectiveness
Cracker
6. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Classification of assets needs
0-day vulnerabilities
Trojan horse
Continuous monitoring control initiatives
7. Occurs after the risk assessment process - it does not measure it.
Developing an information security baseline
Script kiddie
The data owner
Use of security metrics
8. Utility program that detects and protects a personal computer from unauthorized intrusions
Power surge/over voltage (spike)
Skills inventory
Control risk
Personal firewall
9. Computer that has duplicate components so it can continue to operate when one of its main components fails
Total cost of ownership (TCO)
Encryption
Information security manager
Fault-tolerant computer
10. Oversees the overall classification management of the information.
Identify the relevant systems and processes
A network vulnerability assessment
Residual risk would be reduced by a greater amount
The information security officer
11. A function of the session keys distributed by the PKI.
Digital certificate
Decentralization
Confidentiality
The authentication process is broken
12. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Control risk
Consensus on risks and controls
Negotiating a local version of the organization standards
Background check
13. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Patch management process
Process of introducing changes to systems
Stress testing
Service level agreements (SLAs)
14. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Continuous monitoring control initiatives
Control effectiveness
Control risk
Centralization of information security management
15. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Tailgating
The data custodian
Use of security metrics
Safeguards over keys
16. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Public key infrastructure (PKI)
Well-defined roles and responsibilities
Normalization
Key risk indicator (KRI) setup
17. Provide metrics to which outsourcing firms can be held accountable.
Hacker
Service level agreements (SLAs)
Exceptions to policy
Identify the relevant systems and processes
18. Risk should be reduced to a level that an organization _____________.
Is willing to accept
Acceptable use policies
Spoofing attacks
Risk management and the requirements of the organization
19. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Cross-site scripting attacks
Owner of the information asset
Use of security metrics
Security risk
20. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Spoofing attacks
BIA (Business Impact Assessment)
Centralization of information security management
Data classification
21. A repository of historical data organized by subject to support decision makers in the organization
The data custodian
Resource dependency assessment
Data warehouse
Assess the risks to the business operation
22. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Regulatory compliance
Patch management
Background checks of prospective employees
Role-based access control
23. The most important characteristic of good security policies is that they be ____________________.
Multinational organization
Aligned with organizational goals
Alignment with business strategy
Tie security risks to key business objectives
24. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Examples of containment defenses
Properly aligned with business goals and objectives
Knowledge management
Get senior management onboard
25. Same intent as a cracker but does not have the technical skills and knowledge
Digital certificate
Background check
Script kiddie
Applying the proper classification to the data
26. Whenever personal data are transferred across national boundaries; ________________________ are required.
Audit objectives
Trusted source
The awareness and agreement of the data subjects
Do with the information it collects
27. The PRIMARY goal in developing an information security strategy is to: _________________________.
The authentication process is broken
Notifications and opt-out provisions
Support the business objectives of the organization
Single sign-on (SSO) product
28. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Creation of a business continuity plan
Regular review of access control lists
Key controls
Monitoring processes
29. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Biometric access control systems
Skills inventory
All personnel
30. Without _____________________ - there cannot be accountability.
Audit objectives
Well-defined roles and responsibilities
Security awareness training for all employees
Security baselines
31. Focuses on identifying vulnerabilities.
Virus detection
Penetration testing
Control effectiveness
Data mart
32. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Skills inventory
Security awareness training for all employees
Attributes and characteristics of the 'desired state'
Knowledge management
33. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Risk assessment - evaluation and impact analysis
Detection defenses
What happened and how the breach was resolved
34. The best measure for preventing the unauthorized disclosure of confidential information.
Properly aligned with business goals and objectives
Cyber terrorist
Acceptable use policies
Deeper level of analysis
35. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Logon banners
Multinational organization
Annually or whenever there is a significant change
36. The MOST important element of an information security strategy.
Increase business value and confidence
Trusted source
Defined objectives
Key controls
37. Accesses a computer or network illegally
Control risk
Regulatory compliance
Cracker
The authentication process is broken
38. Normally addressed through antivirus and antispyware policies.
Owner of the information asset
Malicious software and spyware
Countermeasure cost-benefit analysis
Attributes and characteristics of the 'desired state'
39. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Virus
Platform security - intrusion detection and antivirus controls
Multinational organization
The data custodian
40. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Safeguards over keys
Single sign-on (SSO) product
Control risk
Business case development
41. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
The database administrator
Equal error rate (EER)
Residual risk would be reduced by a greater amount
Protective switch covers
42. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Centralized structure
Security baselines
Calculating the value of the information or asset
What happened and how the breach was resolved
43. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Information security manager
Lack of change management
Detection defenses
Skills inventory
44. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________. A summary of security logs would be too technical to report to senior management. An analysis of the i
Centralization of information security management
What happened and how the breach was resolved
Countermeasure cost-benefit analysis
Comparison of cost of achievement
45. Needs to define the access rules - which is troublesome and error prone in large organizations.
Properly aligned with business goals and objectives
Stress testing
Encryption key management
Rule-based access control
46. Should be performed to identify the risk and determine needed controls.
Confidentiality
Asset classification
Cyber terrorist
Internal risk assessment
47. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Cross-site scripting attacks
The database administrator
Regular review of access control lists
Knowledge management
48. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Detection defenses
Phishing
Consensus on risks and controls
Threat assessment
49. Useful but only with regard to specific technical skills.
Virus
Proficiency testing
Service level agreements (SLAs)
Detection defenses
50. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Data warehouse
Penetration testing
Decentralization
Return on security investment (ROSI)