Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Program that hides within or looks like a legitimate program
Applying the proper classification to the data
Regulatory compliance
Trojan horse
Gain unauthorized access to applications
2. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Comparison of cost of achievement
Encryption of the hard disks
Identify the vulnerable systems and apply compensating controls
Patch management process
3. The most important characteristic of good security policies is that they be ____________________.
Malicious software and spyware
Aligned with organizational goals
Nondisclosure agreement (NDA)
The data custodian
4. Would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.
Protective switch covers
Support the business objectives of the organization
Cyber extortionist
Centralized structure
5. The first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal.
Public key infrastructure (PKI)
Performing a risk assessment
Virus detection
Calculating the value of the information or asset
6. Provides the most effective protection of data on mobile devices.
Encryption
Access control matrix
Script kiddie
All personnel
7. Has to be integrated into the requirements of every software application's design.
Encryption key management
Residual risk
Trusted source
Continuous analysis, monitoring and feedback
8. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Consensus on risks and controls
Calculating the value of the information or asset
Public key infrastructure (PKI)
Regular review of access control lists
9. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability
Security risk
A network vulnerability assessment
Data warehouse
Transmit e-mail messages
10. Programs that act without a user's knowledge and deliberately alter a computer's operations
Control effectiveness
Malware
The awareness and agreement of the data subjects
Role-based access control
11. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but
Cracker
Classification of assets needs
Business case development
Multinational organization
12. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Cracker
Trusted source
Conduct a risk assessment
Intrusion detection system (IDS)
13. It is important to achieve ____________________, and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Intrusion detection system (IDS)
Requirements of the data owners
Data mart
14. All within the responsibility of the information security manager.
Information security manager
Platform security, intrusion detection and antivirus controls
Transmit e-mail messages
Methodology used in the assessment
15. Computer that has duplicate components so it can continue to operate when one of its main components fails
Trojan horse
The data custodian
Fault-tolerant computer
Information security manager
16. Cannot be minimized
Continuous analysis, monitoring and feedback
Tie security risks to key business objectives
Inherent risk
Equal error rate (EER)
17. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Risk appetite
The database administrator
Residual risk would be reduced by a greater amount
All personnel
18. Because past performance is a strong predictor of future performance, _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Logon banners
Classification of assets needs
Malware
19. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Decentralization
Security baselines
The data custodian
Annual loss expectancy (ALE) calculations
20. It is easier to manage and control a _________________.
Public key infrastructure (PKI)
Centralized structure
Risk assessment, evaluation and impact analysis
Worm
21. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Knowledge management
Calculating the value of the information or asset
Continuous analysis, monitoring and feedback
Data isolation
22. Logging as well as monitoring, measuring, auditing, detecting viruses and intrusion.
Detection defenses
Applying the proper classification to the data
Cross-site scripting attacks
Control effectiveness
23. Used to understand the flow of one process into another.
Stress testing
Residual risk would be reduced by a greater amount
Public key infrastructure (PKI)
Waterfall chart
24. Someone who uses the internet or network to destroy or damage computers for political reasons
Virus
The board of directors and senior management
Cyber terrorist
Methodology used in the assessment
25. Should be performed to identify the risk and determine needed controls.
Trusted source
Internal risk assessment
Regulatory compliance
Digital certificate
26. Successful risk management should lead to a ________________.
Background check
Breakeven point of risk reduction and cost
Regulatory compliance
Risk management and the requirements of the organization
27. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
Retention of business records
Centralization of information security management
Spoofing attacks
Calculating the value of the information or asset
28. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Use of security metrics
Encryption
Performing a risk assessment
Skills inventory
29. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Applying the proper classification to the data
Performing a risk assessment
Classification of assets needs
Its ability to reduce or eliminate business risks
30. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Trusted source
Personal firewall
Gain unauthorized access to applications
31. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Skills inventory
Platform security, intrusion detection and antivirus controls
Two-factor authentication
Data warehouse
32. Without _____________________, there cannot be accountability.
Background checks of prospective employees
Patch management
Well-defined roles and responsibilities
Consensus on risks and controls
33. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Hacker
Tailgating
Return on security investment (ROSI)
Examples of containment defenses
34. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
0-day vulnerabilities
Key risk indicator (KRI) setup
A network vulnerability assessment
Regulatory compliance
35. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Worm
The data custodian
Phishing
Defining and ratifying the classification structure of information assets
36. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Attributes and characteristics of the 'desired state'
Centralized structure
Cost of control
37. Security design flaws require a ____________________.
Stress testing
Deeper level of analysis
The board of directors and senior management
Defining high-level business security requirements
38. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Compliance with the organization's information security requirements
Normalization
Gap analysis
Countermeasure cost-benefit analysis
39. The primary role of the information security manager in the process of information classification within the organization.
Consensus on risks and controls
Defining and ratifying the classification structure of information assets
Patch management process
Equal error rate (EER)
40. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and it must be considered for the full life cycle of the control.
Total cost of ownership (TCO)
Malware
Digital signatures
Cryptographic secure sockets layer (SSL) implementations and short key lengths
41. Residual risk is unmanaged, i.e., inherent risk that remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Data classification
Protective switch covers
Risk appetite
Breakeven point of risk reduction and cost
42. Whenever personal data are transferred across national boundaries, ________________________ are required.
SWOT analysis
Retention of business records
Protective switch covers
The awareness and agreement of the data subjects
43. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is: ______________ would appear every time the user logs on, and the user would be required to read and agree
Security awareness training for all employees
Use of security metrics
Get senior management onboard
Logon banners
44. A repository of historical data organized by subject to support decision makers in the organization
Data warehouse
The awareness and agreement of the data subjects
Properly aligned with business goals and objectives
Cross-site scripting attacks
45. It is more efficient to establish a ___________________ for locations that must meet specific requirements.
Malicious software and spyware
Methodology used in the assessment
Baseline standard and then develop additional standards
Key controls
46. Normally addressed through antivirus and antispyware policies.
Access control matrix
Reduce risk to an acceptable level
Confidentiality
Malicious software and spyware
47. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Confidentiality
The board of directors and senior management
Vulnerability assessment
Trojan horse
48. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Resource dependency assessment
Data warehouse
Power surge/over voltage (spike)
Cryptographic secure sockets layer (SSL) implementations and short key lengths
49. A trusted third party that attests to the identity of the signatory, and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Alignment with business strategy
Monitoring processes
Properly aligned with business goals and objectives
50. Useful but only with regard to specific technical skills.
Security risk
Proficiency testing
Attributes and characteristics of the 'desired state'
Two-factor authentication