Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. When defining the information classification policy - the ___________________ need to be identified.
Tailgating
Requirements of the data owners
Gain unauthorized access to applications
Decentralization
2. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Public key infrastructure (PKI)
Centralization of information security management
Total cost of ownership (TCO)
Annual loss expectancy (ALE) calculations
3. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy
Data warehouse
Penetration testing
Resource dependency assessment
4. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
include security responsibilities in a job description
Reduce risk to an acceptable level
Script kiddie
Compliance with the organization's information security requirements
5. Computer that has duplicate components so it can continue to operate when one of its main components fails
Conduct a risk assessment
Encryption of the hard disks
Personal firewall
Fault-tolerant computer
6. The MOST important component of a privacy policy is: Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Aligned with organizational goals
Skills inventory
Notifications and opt-out provisions
Undervoltage (brownout)
7. All within the responsibility of the information security manager.
Gap analysis
Properly aligned with business goals and objectives
Platform security - intrusion detection and antivirus controls
SWOT analysis
8. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
What happened and how the breach was resolved
Centralization of information security management
Deeper level of analysis
Security code reviews for the entire software application
9. A key indicator of performance measurement.
Power surge/over voltage (spike)
Properly aligned with business goals and objectives
Strategic alignment of security with business objectives
Safeguards over keys
10. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Hacker
Worm
Equal error rate (EER)
Assess the risks to the business operation
11. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Tailgating
Threat assessment
Platform security - intrusion detection and antivirus controls
Role-based access control
12. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Regular review of access control lists
Conduct a risk assessment
Control effectiveness
Requirements of the data owners
13. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Data owners
Tailgating
Examples of containment defenses
Cracker
14. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Cost of control
Business case development
Prioritization
All personnel
15. Utility program that detects and protects a personal computer from unauthorized intrusions
Knowledge management
Personal firewall
Encryption of the hard disks
Creation of a business continuity plan
16. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Security risk
Transmit e-mail messages
Equal error rate (EER)
Skills inventory
17. Should be a standard requirement for the service provider.
Background check
Get senior management onboard
Data isolation
Worm
18. Should PRIMARILY be based on regulatory and legal requirements.
Annually or whenever there is a significant change
Increase business value and confidence
Process of introducing changes to systems
Retention of business records
19. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
What happened and how the breach was resolved
Background check
Skills inventory
Do with the information it collects
20. Primarily reduce risk and are most effective for the protection of information assets.
Key controls
The database administrator
Impractical and is often cost-prohibitive
Attributes and characteristics of the 'desired state'
21. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Continuous analysis - monitoring and feedback
The board of directors and senior management
Conduct a risk assessment
22. Company or person you believe will not knowingly send a virus-infected file
Developing an information security baseline
Data mart
Tailgating
Trusted source
23. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Intrusion detection system (IDS)
Spoofing attacks
Deeper level of analysis
Transferred risk
24. Program that hides within or looks like a legitimate program
Inherent risk
Trojan horse
Cracker
Classification of assets needs
25. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Security baselines
Logon banners
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Is willing to accept
26. Ensure that transmitted information can be attributed to the named sender.
Waterfall chart
Patch management
Knowledge management
Digital signatures
27. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Use of security metrics
Malware
Methodology used in the assessment
Malicious software and spyware
28. A notice that guarantees a user or a web site is legitimate
Attributes and characteristics of the 'desired state'
Digital certificate
Requirements of the data owners
Defining high-level business security requirements
29. Reducing risk to a level too small to measure is _______________.
Cracker
Single sign-on (SSO) product
Impractical and is often cost-prohibitive
Monitoring processes
30. Awareness - training and physical security defenses.
Examples of containment defenses
Increase business value and confidence
Cross-site scripting attacks
The authentication process is broken
31. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Script kiddie
Business case development
Process of introducing changes to systems
Security risk
32. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
IP address packet filtering
Cross-site scripting attacks
Centralized structure
Background checks of prospective employees
33. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Cracker
Calculating the value of the information or asset
Developing an information security baseline
Proficiency testing
34. Cannot be minimized
Increase business value and confidence
Inherent risk
Centralized structure
Two-factor authentication
35. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Its ability to reduce or eliminate business risks
Continuous monitoring control initiatives
Safeguards over keys
Access control matrix
36. Should be performed to identify the risk and determine needed controls.
Internal risk assessment
Consensus on risks and controls
include security responsibilities in a job description
Increase business value and confidence
37. The job of the information security officer on a management team is to ___________________.
Control risk
Strategic alignment of security with business objectives
Assess the risks to the business operation
Lack of change management
38. To identify known vulnerabilities based on common misconfigurations and missing updates.
Applying the proper classification to the data
Classification of assets needs
Internal risk assessment
A network vulnerability assessment
39. Someone who uses the internet or network to destroy or damage computers for political reasons
The database administrator
Public key infrastructure (PKI)
Data mart
Cyber terrorist
40. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Residual risk would be reduced by a greater amount
Virus detection
Classification of assets needs
Requirements of the data owners
41. The MOST important element of an information security strategy.
Security awareness training for all employees
Encryption of the hard disks
The authentication process is broken
Defined objectives
42. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Public key infrastructure (PKI)
Knowledge management
Exceptions to policy
Regular review of access control lists
43. Normally addressed through antivirus and antispyware policies.
Virus detection
Malicious software and spyware
Rule-based access control
Multinational organization
44. Provides process needs but not impact.
Defining high-level business security requirements
Resource dependency assessment
Waterfall chart
Support the business objectives of the organization
45. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Prioritization
Risk assessment - evaluation and impact analysis
Security awareness training for all employees
Lack of change management
46. Needs to define the access rules - which is troublesome and error prone in large organizations.
Stress testing
Process of introducing changes to systems
Access control matrix
Rule-based access control
47. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Stress testing
The balanced scorecard
Equal error rate (EER)
Risk appetite
48. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Internal risk assessment
Confidentiality
Negotiating a local version of the organization standards
Residual risk
49. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Return on security investment (ROSI)
Access control matrix
include security responsibilities in a job description
Certificate authority (CA)
50. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Audit objectives
Baseline standard and then develop additional standards
Virus detection
Role-based access control