SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Accesses a computer or network illegally
Role-based access control
Cyber terrorist
Lack of change management
Cracker
2. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Key risk indicator (KRI) setup
Annually or whenever there is a significant change
Knowledge management
The balanced scorecard
3. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Data isolation
Creation of a business continuity plan
Risk assessment - evaluation and impact analysis
Monitoring processes
4. Uses security metrics to measure the performance of the information security program.
Encryption key management
Encryption of the hard disks
Information security manager
Cracker
5. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Gap analysis
Detection defenses
Lack of change management
Exceptions to policy
6. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Certificate authority (CA)
IP address packet filtering
All personnel
Use of security metrics
7. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
SWOT analysis
Patch management
Control risk
Performing a risk assessment
8. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Cyber extortionist
Applying the proper classification to the data
Strategic alignment of security with business objectives
Vulnerability assessment
9. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Regular review of access control lists
Risk appetite
Return on security investment (ROSI)
Skills inventory
10. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
Impractical and is often cost-prohibitive
Methodology used in the assessment
0-day vulnerabilities
11. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Control risk
include security responsibilities in a job description
Countermeasure cost-benefit analysis
12. Program that hides within or looks like a legit program
Trojan horse
Waterfall chart
Notifications and opt-out provisions
Cracker
13. Programs that act without a user's knowledge and deliberately alter a computer's operations
MAL wear
Control risk
Transferred risk
Continuous analysis - monitoring and feedback
14. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Trojan horse
Lack of change management
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Tailgating
15. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Key risk indicator (KRI) setup
Cost of control
Single sign-on (SSO) product
16. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Regulatory compliance
Cost of control
Two-factor authentication
Encryption key management
17. ecurity design flaws require a ____________________.
Resource dependency assessment
Do with the information it collects
Deeper level of analysis
Risk assessment - evaluation and impact analysis
18. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
Prioritization
Negotiating a local version of the organization standards
People
19. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
The data custodian
The information security officer
Data owners
Alignment with business strategy
20. Should be determined from the risk assessment results.
Normalization
Regulatory compliance
Audit objectives
Is willing to accept
21. The MOST important element of an information security strategy.
Phishing
Identify the relevant systems and processes
Patch management
Defined objectives
22. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
The board of directors and senior management
Total cost of ownership (TCO)
Risk appetite
Get senior management onboard
23. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Transferred risk
Gain unauthorized access to applications
Public key infrastructure (PKI)
Encryption
24. Company or person you believe will not send a virus-infect file knowingly
Trusted source
Service level agreements (SLAs)
Phishing
0-day vulnerabilities
25. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Decentralization
MAL wear
Monitoring processes
Examples of containment defenses
26. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Owner of the information asset
Is willing to accept
Annual loss expectancy (ALE)calculations
Background checks of prospective employees
27. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Support the business objectives of the organization
Data isolation
The balanced scorecard
What happened and how the breach was resolved
28. Someone who accesses a computer or network illegally
Hacker
Skills inventory
Regular review of access control lists
Its ability to reduce or eliminate business risks
29. Same intent as a cracker but does not have the technical skills and knowledge
Annually or whenever there is a significant change
Defining high-level business security requirements
Script kiddie
Continuous monitoring control initiatives
30. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Cyber extortionist
Detection defenses
The authentication process is broken
31. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Worm
Information security manager
Consensus on risks and controls
Identify the relevant systems and processes
32. Occurs when the incoming level
Requirements of the data owners
The balanced scorecard
Power surge/over voltage (spike)
A network vulnerability assessment
33. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Developing an information security baseline
BIA (Business Impact Assessment
Support the business objectives of the organization
Return on security investment (ROSI)
34. It is easier to manage and control a _________________.
Aligned with organizational goals
Alignment with business strategy
Single sign-on (SSO) product
Centralized structure
35. Identification and _______________ of business risk enables project managers to address areas with most significance.
Support the business objectives of the organization
Defined objectives
Prioritization
Tailgating
36. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
OBusiness case development
Protective switch covers
Transmit e-mail messages
Security awareness training for all employees
37. Responsible for securing the information.
SWOT analysis
The data custodian
Security code reviews for the entire software application
Aligned with organizational goals
38. Primarily reduce risk and are most effective for the protection of information assets.
Applying the proper classification to the data
Key controls
Examples of containment defenses
Intrusion detection system (IDS)
39. The best measure for preventing the unauthorized disclosure of confidential information.
Security baselines
Virus
Conduct a risk assessment
Acceptable use policies
40. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Overall organizational structure
Role-based policy
Cyber terrorist
Prioritization
41. Awareness - training and physical security defenses.
Trusted source
Examples of containment defenses
Audit objectives
The data custodian
42. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Role-based access control
Rule-based access control
Knowledge management
Centralization of information security management
43. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cyber extortionist
Increase business value and confidence
Encryption
Reduce risk to an acceptable level
44. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Regular review of access control lists
MAL wear
Assess the risks to the business operation
45. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
Knowledge management
Cyber extortionist
Impractical and is often cost-prohibitive
46. Normally addressed through antivirus and antispyware policies.
Information contained on the equipment
Data classification
Monitoring processes
Malicious software and spyware
47. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Risk appetite
Spoofing attacks
Key risk indicator (KRI) setup
Information security manager
48. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
The database administrator
Prioritization
Background checks of prospective employees
49. A method for analyzing and reducing a relational database to its most streamlined form
A network vulnerability assessment
Normalization
Logon banners
Worm
50. Has to be integrated into the requirements of every software application's design.
OBusiness case development
Security code reviews for the entire software application
Centralization of information security management
Encryption key management
