SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Needs to define the access rules - which is troublesome and error prone in large organizations.
Worm
Tailgating
Rule-based access control
Inherent risk
2. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Protective switch covers
Threat assessment
Annually or whenever there is a significant change
3. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Hacker
Worm
The authentication process is broken
Biometric access control systems
4. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Security code reviews for the entire software application
include security responsibilities in a job description
Negotiating a local version of the organization standards
Tailgating
5. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Logon banners
Decentralization
Acceptable use policies
Classification of assets needs
6. Useful but only with regard to specific technical skills.
Its ability to reduce or eliminate business risks
Retention of business records
Proficiency testing
Hacker
7. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Annual loss expectancy (ALE)calculations
Power surge/over voltage (spike)
Consensus on risks and controls
Detection defenses
8. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Is willing to accept
Encryption
Access control matrix
Calculating the value of the information or asset
9. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Continuous monitoring control initiatives
Encryption
BIA (Business Impact Assessment
Owner of the information asset
10. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Audit objectives
Process of introducing changes to systems
Aligned with organizational goals
Residual risk
11. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Vulnerability assessment
Phishing
Skills inventory
Encryption of the hard disks
12. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Cross-site scripting attacks
Transferred risk
The awareness and agreement of the data subjects
BIA (Business Impact Assessment
13. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Stress testing
Proficiency testing
Acceptable use policies
Access control matrix
14. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Defining high-level business security requirements
Regular review of access control lists
Continuous monitoring control initiatives
Control risk
15. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Waterfall chart
The data owner
Centralization of information security management
Properly aligned with business goals and objectives
16. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Digital certificate
Annual loss expectancy (ALE)calculations
Is willing to accept
Increase business value and confidence
17. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Lack of change management
Strategic alignment of security with business objectives
Gap analysis
Continuous monitoring control initiatives
18. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Nondisclosure agreement (NDA)
Is willing to accept
Intrusion detection system (IDS)
Protective switch covers
19. Uses security metrics to measure the performance of the information security program.
Stress testing
Cracker
Defined objectives
Information security manager
20. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Worm
Intrusion detection system (IDS)
Continuous monitoring control initiatives
Spoofing attacks
21. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Transferred risk
Asset classification
Patch management
Defined objectives
22. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Control risk
Information security manager
Assess the risks to the business operation
Platform security - intrusion detection and antivirus controls
23. The best measure for preventing the unauthorized disclosure of confidential information.
Do with the information it collects
Virus detection
Trojan horse
Acceptable use policies
24. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Digital certificate
Normalization
Risk appetite
Risk assessment - evaluation and impact analysis
25. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Comparison of cost of achievement
Reduce risk to an acceptable level
The balanced scorecard
Waterfall chart
26. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Do with the information it collects
Fault-tolerant computer
Residual risk would be reduced by a greater amount
27. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Protective switch covers
Baseline standard and then develop additional standards
Logon banners
Data warehouse
28. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Classification of assets needs
Virus
Background checks of prospective employees
Risk management and the requirements of the organization
29. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
Control effectiveness
Centralization of information security management
Exceptions to policy
30. Has to be integrated into the requirements of every software application's design.
Regular review of access control lists
Service level agreements (SLAs)
Encryption key management
Baseline standard and then develop additional standards
31. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Encryption
Digital signatures
Negotiating a local version of the organization standards
Control effectiveness
32. Most effective for evaluating the degree to which information security objectives are being met.
The balanced scorecard
Notifications and opt-out provisions
All personnel
Certificate authority (CA)
33. Someone who uses the internet or network to destroy or damage computers for political reasons
Cyber terrorist
Methodology used in the assessment
Support the business objectives of the organization
Spoofing attacks
34. Occurs after the risk assessment process - it does not measure it.
Role-based access control
Attributes and characteristics of the 'desired state'
Use of security metrics
Digital certificate
35. Utility program that detects and protects a personal computer from unauthorized intrusions
Virus detection
Patch management
Undervoltage (brownout)
Personal firewall
36. Risk should be reduced to a level that an organization _____________.
Key risk indicator (KRI) setup
Developing an information security baseline
Is willing to accept
Continuous analysis - monitoring and feedback
37. BEST option to improve accountability for a system administrator is to _____________________.
Script kiddie
Impractical and is often cost-prohibitive
Confidentiality
include security responsibilities in a job description
38. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Security risk
SWOT analysis
Skills inventory
Malicious software and spyware
39. When the ________________ is more than the cost of the risk - the risk should be accepted.
Biometric access control systems
Two-factor authentication
Risk assessment - evaluation and impact analysis
Cost of control
40. Programs that act without a user's knowledge and deliberately alter a computer's operations
Exceptions to policy
Alignment with business strategy
MAL wear
Identify the relevant systems and processes
41. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Aligned with organizational goals
Owner of the information asset
Security risk
Is willing to accept
42. Used to understand the flow of one process into another.
The awareness and agreement of the data subjects
Waterfall chart
Phishing
Normalization
43. A risk assessment should be conducted _________________.
Annually or whenever there is a significant change
Service level agreements (SLAs)
Threat assessment
Multinational organization
44. The primary role of the information security manager in the process of information classification within the organization.
Tailgating
Virus
Defining and ratifying the classification structure of information assets
Consensus on risks and controls
45. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
All personnel
Developing an information security baseline
The data owner
Risk appetite
46. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Safeguards over keys
Certificate authority (CA)
Background check
All personnel
47. Occurs when the electrical supply drops
Stress testing
Gain unauthorized access to applications
Security awareness training for all employees
Undervoltage (brownout)
48. Provide metrics to which outsourcing firms can be held accountable.
Identify the relevant systems and processes
Gap analysis
Service level agreements (SLAs)
Protective switch covers
49. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Background checks of prospective employees
Penetration testing
Knowledge management
50. The information security manager needs to prioritize the controls based on ________________________.
Penetration testing
Cross-site scripting attacks
Is willing to accept
Risk management and the requirements of the organization