SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. New security ulnerabilities should be managed through a ________________.
Intrusion detection system (IDS)
Patch management process
Risk assessment - evaluation and impact analysis
Tie security risks to key business objectives
2. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Phishing
Identify the vulnerable systems and apply compensating controls
Key controls
Data owners
3. Awareness - training and physical security defenses.
Cost of control
Methodology used in the assessment
Examples of containment defenses
Transmit e-mail messages
4. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Residual risk would be reduced by a greater amount
Access control matrix
Platform security - intrusion detection and antivirus controls
Control risk
5. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
People
Logon banners
Public key infrastructure (PKI)
6. Carries out the technical administration.
Audit objectives
Examples of containment defenses
Total cost of ownership (TCO)
The database administrator
7. Inject malformed input.
Cross-site scripting attacks
Centralization of information security management
Exceptions to policy
Identify the vulnerable systems and apply compensating controls
8. Only valid if assets have first been identified and appropriately valued.
The information security officer
Role-based policy
Cross-site scripting attacks
Annual loss expectancy (ALE)calculations
9. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Key controls
Strategic alignment of security with business objectives
Deeper level of analysis
Control effectiveness
10. The most important characteristic of good security policies is that they be ____________________.
Tie security risks to key business objectives
Virus detection
Aligned with organizational goals
Script kiddie
11. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Access control matrix
Control risk
What happened and how the breach was resolved
The board of directors and senior management
12. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Requirements of the data owners
Multinational organization
Proficiency testing
Worm
13. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Information contained on the equipment
Negotiating a local version of the organization standards
Power surge/over voltage (spike)
Creation of a business continuity plan
14. Focuses on identifying vulnerabilities.
Reduce risk to an acceptable level
Penetration testing
Risk assessment - evaluation and impact analysis
Decentralization
15. Accesses a computer or network illegally
Data classification
People
Public key infrastructure (PKI)
Cracker
16. Occurs after the risk assessment process - it does not measure it.
Defined objectives
Use of security metrics
Increase business value and confidence
Creation of a business continuity plan
17. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Power surge/over voltage (spike)
Annually or whenever there is a significant change
Single sign-on (SSO) product
OBusiness case development
18. All within the responsibility of the information security manager.
Strategic alignment of security with business objectives
Regular review of access control lists
Examples of containment defenses
Platform security - intrusion detection and antivirus controls
19. provides the most effective protection of data on mobile devices.
Skills inventory
The balanced scorecard
Encryption
Confidentiality
20. A notice that guarantees a user or a web site is legitimate
The information security officer
Creation of a business continuity plan
Digital certificate
Waterfall chart
21. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Breakeven point of risk reduction and cost
Internal risk assessment
Resource dependency assessment
22. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Key controls
Power surge/over voltage (spike)
The data custodian
Tailgating
23. Culture has a significant impact on how information security will be implemented in a ______________________.
Virus detection
Spoofing attacks
Inherent risk
Multinational organization
24. ecurity design flaws require a ____________________.
Virus detection
Exceptions to policy
Resource dependency assessment
Deeper level of analysis
25. Should be performed to identify the risk and determine needed controls.
Information contained on the equipment
Detection defenses
Internal risk assessment
Defined objectives
26. BEST option to improve accountability for a system administrator is to _____________________.
Virus
include security responsibilities in a job description
Defining and ratifying the classification structure of information assets
Aligned with organizational goals
27. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Consensus on risks and controls
Information contained on the equipment
Detection defenses
Logon banners
28. Computer that has duplicate components so it can continue to operate when one of its main components fail
Waterfall chart
Risk management and the requirements of the organization
Fault-tolerant computer
The data custodian
29. Utility program that detects and protects a personal computer from unauthorized intrusions
Patch management
Proficiency testing
Personal firewall
Inherent risk
30. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Well-defined roles and responsibilities
MAL wear
The authentication process is broken
31. Occurs when the electrical supply drops
Undervoltage (brownout)
Control effectiveness
Platform security - intrusion detection and antivirus controls
Identify the relevant systems and processes
32. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Assess the risks to the business operation
Confidentiality
Prioritization
33. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Applying the proper classification to the data
Patch management process
Examples of containment defenses
34. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Key risk indicator (KRI) setup
Increase business value and confidence
Cracker
Service level agreements (SLAs)
35. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Control effectiveness
Hacker
SWOT analysis
Baseline standard and then develop additional standards
36. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
The board of directors and senior management
Skills inventory
Certificate authority (CA)
Countermeasure cost-benefit analysis
37. Oversees the overall classification management of the information.
Cyber extortionist
The information security officer
Hacker
Risk assessment - evaluation and impact analysis
38. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Assess the risks to the business operation
Continuous analysis - monitoring and feedback
IP address packet filtering
Virus detection
39. The primary role of the information security manager in the process of information classification within the organization.
include security responsibilities in a job description
Proficiency testing
IP address packet filtering
Defining and ratifying the classification structure of information assets
40. The data owner is responsible for _______________________.
IP address packet filtering
The awareness and agreement of the data subjects
Decentralization
Applying the proper classification to the data
41. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
BIA (Business Impact Assessment
Creation of a business continuity plan
Compliance with the organization's information security requirements
42. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
A network vulnerability assessment
All personnel
Exceptions to policy
Gap analysis
43. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Logon banners
Safeguards over keys
Data isolation
44. The information security manager needs to prioritize the controls based on ________________________.
Requirements of the data owners
Compliance with the organization's information security requirements
Risk management and the requirements of the organization
Digital signatures
45. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Use of security metrics
Risk assessment - evaluation and impact analysis
Well-defined roles and responsibilities
Virus
46. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Protective switch covers
Defining high-level business security requirements
include security responsibilities in a job description
Decentralization
47. S small warehouse - designed for the end-user needs in a strategic business unit
Comparison of cost of achievement
Data mart
Compliance with the organization's information security requirements
Two-factor authentication
48. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Role-based policy
Key risk indicator (KRI) setup
Alignment with business strategy
Virus
49. Needs to define the access rules - which is troublesome and error prone in large organizations.
Rule-based access control
Information contained on the equipment
Classification of assets needs
IP address packet filtering
50. An information security manager has to impress upon the human resources department the need for _____________________.
Use of security metrics
Penetration testing
Baseline standard and then develop additional standards
Security awareness training for all employees