Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Do with the information it collects
Gain unauthorized access to applications
Key controls
2. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Key risk indicator (KRI) setup
Background check
Well-defined roles and responsibilities
Role-based access control
3. Occurs when the incoming level
Power surge/over voltage (spike)
Biometric access control systems
Spoofing attacks
Data classification
4. Needs to define the access rules - which is troublesome and error prone in large organizations.
Service level agreements (SLAs)
Rule-based access control
Gap analysis
Certificate authority (CA)
5. Occurs when the electrical supply drops
Risk appetite
Centralization of information security management
Undervoltage (brownout)
Breakeven point of risk reduction and cost
6. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Protective switch covers
Resource dependency assessment
Worm
Continuous monitoring control initiatives
7. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Virus detection
Malware
Data owners
8. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Virus detection
Its ability to reduce or eliminate business risks
Threat assessment
Prioritization
9. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Cross-site scripting attacks
Regular review of access control lists
Gain unauthorized access to applications
The balanced scorecard
10. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Requirements of the data owners
Breakeven point of risk reduction and cost
Data owners
Detection defenses
11. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Get senior management onboard
A network vulnerability assessment
Detection defenses
12. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Well-defined roles and responsibilities
Calculating the value of the information or asset
Retention of business records
Platform security - intrusion detection and antivirus controls
13. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Negotiating a local version of the organization standards
Strategic alignment of security with business objectives
Developing an information security baseline
Key risk indicator (KRI) setup
14. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Do with the information it collects
Phishing
Intrusion detection system (IDS)
Fault-tolerant computer
15. Program that hides within or looks like a legit program
Audit objectives
Trojan horse
Cyber extortionist
Encryption
16. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Deeper level of analysis
Normalization
Nondisclosure agreement (NDA)
Security risk
17. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Strategic alignment of security with business objectives
Cracker
Phishing
18. Useful but only with regard to specific technical skills.
Information security manager
Service level agreements (SLAs)
Proficiency testing
Virus detection
19. Risk should be reduced to a level that an organization _____________.
Is willing to accept
Security risk
Personal firewall
BIA (Business Impact Assessment)
20. The data owner is responsible for _______________________.
Worm
Threat assessment
Comparison of cost of achievement
Applying the proper classification to the data
21. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
The data owner
Intrusion detection system (IDS)
Countermeasure cost-benefit analysis
Defined objectives
22. Cannot be minimized
Transmit e-mail messages
Inherent risk
Information contained on the equipment
Classification of assets needs
23. Normally addressed through antivirus and antispyware policies.
Identify the vulnerable systems and apply compensating controls
Assess the risks to the business operation
Digital certificate
Malicious software and spyware
24. Culture has a significant impact on how information security will be implemented in a ______________________.
Patch management
Encryption key management
Multinational organization
Certificate authority (CA)
25. Used to understand the flow of one process into another.
Waterfall chart
Gap analysis
Increase business value and confidence
Information security manager
26. Should be determined from the risk assessment results.
Encryption
Waterfall chart
Biometric access control systems
Audit objectives
27. The MOST important component of a privacy policy is: Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Stress testing
Cyber terrorist
Applying the proper classification to the data
28. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Compliance with the organization's information security requirements
Classification of assets needs
Virus
Malware
29. A successful risk management should lead to a ________________.
Properly aligned with business goals and objectives
Patch management process
Defined objectives
Breakeven point of risk reduction and cost
30. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Retention of business records
Penetration testing
Security code reviews for the entire software application
Two-factor authentication
31. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Methodology used in the assessment
Malicious software and spyware
Security code reviews for the entire software application
Background checks of prospective employees
32. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
People
The awareness and agreement of the data subjects
Baseline standard and then develop additional standards
Asset classification
33. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Creation of a business continuity plan
Total cost of ownership (TCO)
The data custodian
Trusted source
34. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Skills inventory
Logon banners
Properly aligned with business goals and objectives
Two-factor authentication
35. Reducing risk to a level too small to measure is _______________.
Risk appetite
Negotiating a local version of the organization standards
Impractical and is often cost-prohibitive
Two-factor authentication
36. The information security manager needs to prioritize the controls based on ________________________.
Applying the proper classification to the data
Encryption
Risk management and the requirements of the organization
People
37. Accesses a computer or network illegally
Creation of a business continuity plan
Cracker
Use of security metrics
Defining and ratifying the classification structure of information assets
38. Same intent as a cracker but does not have the technical skills and knowledge
Strategic alignment of security with business objectives
Script kiddie
Encryption of the hard disks
Owner of the information asset
39. Provides the most effective protection of data on mobile devices.
Penetration testing
Risk assessment - evaluation and impact analysis
Encryption
Include security responsibilities in a job description
40. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Baseline standard and then develop additional standards
Calculating the value of the information or asset
Worm
41. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis - monitoring and feedback
Patch management process
Comparison of cost of achievement
Identify the relevant systems and processes
42. Most effective for evaluating the degree to which information security objectives are being met.
Single sign-on (SSO) product
Encryption key management
The balanced scorecard
A network vulnerability assessment
43. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Properly aligned with business goals and objectives
Data warehouse
Logon banners
Asset classification
44. Company or person you believe will not knowingly send a virus-infected file
Performing a risk assessment
Compliance with the organization's information security requirements
Trusted source
The board of directors and senior management
45. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Is willing to accept
Continuous analysis - monitoring and feedback
Increase business value and confidence
46. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Data warehouse
Cyber terrorist
Consensus on risks and controls
Certificate authority (CA)
47. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Intrusion detection system (IDS)
Virus detection
Residual risk
48. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cyber extortionist
Patch management process
Conduct a risk assessment
What happened and how the breach was resolved
49. Computer that has duplicate components so it can continue to operate when one of its main components fails
Control effectiveness
Fault-tolerant computer
Confidentiality
Gap analysis
50. Ensure that transmitted information can be attributed to the named sender.
What happened and how the breach was resolved
Data owners
Role-based access control
Digital signatures