CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The three wrong answers for each question are randomly chosen from the answers to other questions, so at times the correct answer may look obvious, but retaking the test reinforces your understanding.
1. The level of risk that exists before any controls are applied; it cannot itself be reduced, only the exposure to it.
Inherent risk
Defined objectives
Methodology used in the assessment
Personal firewall
2. Primarily reduce risk and are most effective for the protection of information assets.
Include security responsibilities in a job description
Key controls
Do with the information it collects
Script kiddie
3. Should be determined from the risk assessment results.
Power surge/over voltage (spike)
Audit objectives
Rule-based access control
SWOT analysis
4. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Support the business objectives of the organization
Vulnerability assessment
Digital signatures
Malware
5. Has the same intent as a cracker but lacks the technical skills and knowledge.
Return on security investment (ROSI)
Script kiddie
Reduce risk to an acceptable level
Deeper level of analysis
6. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Identify the relevant systems and processes
Data warehouse
Use of security metrics
Comparison of cost of achievement
7. Provides the most effective protection of data on mobile devices.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Encryption
Business impact analysis (BIA)
Notifications and opt-out provisions
8. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability.
Calculating the value of the information or asset
Security risk
Multinational organization
The data custodian
9. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Protective switch covers
Centralization of information security management
Control effectiveness
Get senior management onboard
10. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Nondisclosure agreement (NDA)
Encryption key management
Conduct a risk assessment
Key risk indicator (KRI) setup
11. Should be a standard requirement for the service provider.
Is willing to accept
Conduct a risk assessment
Background check
Continuous analysis - monitoring and feedback
12. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information.
Rule-based access control
Phishing
Return on security investment (ROSI)
Retention of business records
13. The most critical process for deciding which part of the information system or business process should be given priority in case of a security incident. It provides results such as the impact of a security incident and the required response times.
Lack of change management
Process of introducing changes to systems
Detection defenses
Business impact analysis (BIA)
14. A repository of historical data organized by subject to support decision makers in the organization.
Control effectiveness
Waterfall chart
Data warehouse
Methodology used in the assessment
15. Ensure that transmitted information can be attributed to the named sender.
Strategic alignment of security with business objectives
Nondisclosure agreement (NDA)
Impractical and is often cost-prohibitive
Digital signatures
16. Has to be integrated into the requirements of every software application's design.
Defined objectives
Get senior management onboard
Encryption key management
The board of directors and senior management
17. Residual risk is the risk that remains after controls have been applied. The amount of residual risk a business is willing to live with defines the organization's _____________; exceeding that amount affects its viability.
Risk appetite
Get senior management onboard
Digital certificate
Data warehouse
18. Uses security metrics to measure the performance of the information security program.
Residual risk would be reduced by a greater amount
Information security manager
Logon banners
The data custodian
19. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
Compliance with the organization's information security requirements
Data classification
Classification of assets needs
20. The weakest link in security implementation, and awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and sensitized on various security policies and other security topics, thus e
The data custodian
People
Overall organizational structure
Encryption
21. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Public key infrastructure (PKI)
Process of introducing changes to systems
Aligned with organizational goals
22. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
What happened and how the breach was resolved
Properly aligned with business goals and objectives
Baseline standard and then develop additional standards
Two-factor authentication
23. A small data warehouse designed for the end-user needs of a strategic business unit.
Data mart
Phishing
Attributes and characteristics of the 'desired state'
Use of security metrics
24. By definition are not previously known and therefore cannot be detected by signature-based controls.
0-day vulnerabilities
Trojan horse
Public key infrastructure (PKI)
Cross-site scripting attacks
25. Without _____________________ - there cannot be accountability.
Well-defined roles and responsibilities
Process of introducing changes to systems
Detection defenses
Overall organizational structure
26. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Transmit e-mail messages
Return on security investment (ROSI)
Assess the risks to the business operation
Data classification
27. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
The data custodian
Negotiating a local version of the organization standards
Conduct a risk assessment
Equal error rate (EER)
28. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Performing a risk assessment
Owner of the information asset
Role-based access control
Control effectiveness
29. Focuses on identifying exploitable vulnerabilities by attempting to circumvent controls.
Risk assessment - evaluation and impact analysis
Its ability to reduce or eliminate business risks
Risk appetite
Penetration testing
30. Carries out the technical administration.
Defining high-level business security requirements
Classification of assets needs
Encryption key management
The database administrator
31. Someone who accesses a computer or network illegally
Malicious software and spyware
Hacker
Two-factor authentication
Phishing
32. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Support the business objectives of the organization
Cyber extortionist
Lack of change management
Calculating the value of the information or asset
33. Provide minimum recommended settings and do not prevent the introduction of control weaknesses.
0-day vulnerabilities
Security baselines
Resource dependency assessment
Encryption key management
34. The risk that remains after an effective risk management program has been put in place; acceptable risk is achieved when this amount is within the organization's risk appetite.
Residual risk
Comparison of cost of achievement
Creation of a business continuity plan
Its ability to reduce or eliminate business risks
35. The best measure for preventing the unauthorized disclosure of confidential information.
Conduct a risk assessment
Access control matrix
Identify the relevant systems and processes
Acceptable use policies
36. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Threat assessment
Safeguards over keys
Proficiency testing
Examples of containment defenses
37. To identify known vulnerabilities based on common misconfigurations and missing updates.
Security awareness training for all employees
A network vulnerability assessment
All personnel
Role-based policy
38. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Security risk
Data classification
Stress testing
39. Provide metrics to which outsourcing firms can be held accountable.
Creation of a business continuity plan
Cracker
Confidentiality
Service level agreements (SLAs)
40. Used to understand the flow of one process into another.
The board of directors and senior management
Intrusion detection system (IDS)
Waterfall chart
Calculating the value of the information or asset
41. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
0-day vulnerabilities
Audit objectives
Exceptions to policy
Vulnerability assessment
42. Company or person you believe will not knowingly send a virus-infected file.
Skills inventory
Patch management process
Trusted source
Data classification
43. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Centralized structure
Well-defined roles and responsibilities
Negotiating a local version of the organization standards
Information contained on the equipment
44. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Return on security investment (ROSI)
Residual risk
Continuous monitoring control initiatives
Alignment with business strategy
45. In biometric systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Include security responsibilities in a job description
Equal error rate (EER)
Increase business value and confidence
Baseline standard and then develop additional standards
46. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is ______________, which would appear every time the user logs on, and the user would be required to read and agree
Examples of containment defenses
Transferred risk
Compliance with the organization's information security requirements
Logon banners
47. Inject malformed input.
Business case development
Defined objectives
Attributes and characteristics of the 'desired state'
Cross-site scripting attacks
48. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Knowledge management
Digital signatures
Baseline standard and then develop additional standards
Notifications and opt-out provisions
49. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Process of introducing changes to systems
Role-based access control
Reduce risk to an acceptable level
Two-factor authentication
50. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Calculating the value of the information or asset
Malware
Intrusion detection system (IDS)
Public key infrastructure (PKI)
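Question 45 above describes the trade-off behind the equal error rate (EER): turning a biometric's sensitivity down reduces false rejects but raises false accepts. The following Python is an added example, not part of the original quiz: it sweeps a decision threshold over constructed (not real) match scores, reports the false accept rate (FAR) and false reject rate (FRR) at each setting, and finds the crossover point that defines the EER. The score lists, function names and thresholds are assumptions of this example.

```python
from typing import Sequence, Tuple

# Constructed similarity scores (0.0 = no match, 1.0 = identical), not real biometric data.
# GENUINE: enrolled users compared with their own template.
# IMPOSTOR: other people compared with that template.
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.78, 0.70, 0.62, 0.55]
IMPOSTOR = [0.10, 0.20, 0.30, 0.35, 0.40, 0.50, 0.58, 0.65, 0.72, 0.82]


def error_rates(threshold: float,
                genuine: Sequence[float] = GENUINE,
                impostor: Sequence[float] = IMPOSTOR) -> Tuple[float, float]:
    """Return (FAR, FRR) when a sample is accepted iff its score >= threshold.
    FAR = share of impostors wrongly accepted; FRR = share of genuine users wrongly rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine: Sequence[float] = GENUINE,
                     impostor: Sequence[float] = IMPOSTOR) -> Tuple[float, float]:
    """Try every observed score as a threshold and return (threshold, EER), where the EER
    is the error level at the point where FAR and FRR are closest. Lower EER means the
    biometric separates genuine users from impostors better."""
    best = None  # (gap, threshold, far, frr)
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, (far + frr) / 2


def tuning_table(thresholds: Sequence[float] = (0.80, 0.70, 0.60)):
    """Walk the threshold down, as the quiz item describes: FRR falls while FAR rises.
    Returns a list of (threshold, FAR, FRR) rows."""
    return [(t, *error_rates(t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in tuning_table():
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("EER threshold and EER:", equal_error_rate())
```

Any threshold between two adjacent observed scores gives the same error rates, so sweeping only the observed scores is enough; a real evaluation would use thousands of scores per class and report the EER with a confidence interval.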
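Question 49 above describes two-factor authentication as a second mechanism on top of the password, the pattern used by mobile users connecting to a corporate network. The Python below is an added example, not part of the original quiz: a time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP) implemented with the standard library, combined with a password check so that a login succeeds only when both factors verify. The shared secret is the RFC 6238 SHA-1 test key so the codes can be checked against the RFC's published vectors; the user record, salt and function names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed demo data, not from the original page: the shared secret is the
# RFC 6238 SHA-1 test key, so the codes match the RFC's test vectors.
KEY = b"12345678901234567890"
STEP = 30      # seconds per TOTP time step
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock drift).
    compare_digest keeps the comparison constant-time so partial matches do not leak."""
    return any(
        hmac.compare_digest(totp(key, unix_time + drift * STEP).encode(), code.encode())
        for drift in range(-window, window + 1)
    )


def password_hash(password: str, salt: bytes = b"constructed-salt") -> bytes:
    """PBKDF2 password hash. The fixed salt only keeps the demo record reproducible;
    use a random per-user salt in practice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical user record for the demo (not a real account).
USER = {"name": "alice", "pw_hash": password_hash("correct horse"), "totp_key": KEY}


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Two-factor check: something you know (password) AND something you have (TOTP device).
    Both checks always run, so a wrong password does not short-circuit and reveal itself by timing."""
    pw_ok = hmac.compare_digest(password_hash(password), user["pw_hash"])
    code_ok = verify_totp(user["totp_key"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    print(totp(KEY, 59))   # RFC 6238 vector at T=59: the last 6 digits of 94287082
    print(login(USER, "correct horse", totp(KEY, 59), 59))
```

The window of one step either side is what lets a phone whose clock drifted a few seconds still log in; widening it beyond that trades away the replay protection the time step provides, and a real deployment also rate-limits attempts and rejects a code that has already been used.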
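Question 47 above pairs "inject malformed input" with cross-site scripting. The Python below is an added example, not part of the original quiz: the same page template rendered three ways, with untrusted input pasted in raw, with a naive blocklist that strips script tags, and with proper output encoding, and a small HTML parser that reports where injected JavaScript would actually execute. The payloads, template and function names are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker inputs for the demo (not from the original page).
PAYLOADS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",           # no script tag at all
    '" autofocus onfocus="alert(1)',          # attribute break-out, no < needed
    "<scr<script>ipt>alert(1)</script>",      # defeats a single-pass tag filter
]

TEMPLATE = '<p>Hello, {name}</p><input value="{name}">'


def render_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into the HTML."""
    return TEMPLATE.format(name=name)


def render_blocklist(name: str) -> str:
    """Still vulnerable: deleting '<script>' tags misses event handlers,
    attribute break-outs and nested-tag tricks that rebuild the tag after the filter runs."""
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", name)
    return TEMPLATE.format(name=cleaned)


def render_escaped(name: str) -> str:
    """Fixed: output encoding for the HTML context. quote=True also encodes the quote
    characters, so the input cannot close the value attribute and start a new one."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, roughly as a browser would tokenize them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def dangerous_elements(markup: str):
    """Return the tag names of every <script> element and every element that ended up
    with an on* event-handler attribute, i.e. the places where injected JavaScript runs."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return [tag for tag, attrs in parser.tags
            if tag == "script" or any(a.startswith("on") for a in attrs)]


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p))
        print("  raw      :", dangerous_elements(render_unsafe(p)))
        print("  blocklist:", dangerous_elements(render_blocklist(p)))
        print("  escaped  :", dangerous_elements(render_escaped(p)))
```

The blocklist stops the textbook payload and nothing else, which is why the control that works is encoding the output for the context it lands in (HTML body, attribute, URL, JavaScript) rather than trying to recognise bad input.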