Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Security design flaws require a ____________________.
Transferred risk
Get senior management onboard
Conduct a risk assessment
Deeper level of analysis
2. Carries out the technical administration.
The database administrator
Identify the vulnerable systems and apply compensating controls
Malware
Virus detection
3. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Detection defenses
People
0-day vulnerabilities
include security responsibilities in a job description
4. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Transferred risk
Phishing
Centralized structure
Certificate authority (CA)
5. Has to be integrated into the requirements of every software application's design.
Annual loss expectancy (ALE) calculations
Classification of assets needs
Encryption key management
Inherent risk
6. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Owner of the information asset
Gap analysis
Conduct a risk assessment
What happened and how the breach was resolved
7. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Access control matrix
Patch management
Reduce risk to an acceptable level
8. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Normalization
Security risk
Security baselines
Decentralization
9. Program that hides within or looks like a legit program
Trojan horse
What happened and how the breach was resolved
All personnel
Breakeven point of risk reduction and cost
10. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Negotiating a local version of the organization standards
Security code reviews for the entire software application
Service level agreements (SLAs)
11. The job of the information security officer on a management team is to ___________________.
Digital certificate
Cross-site scripting attacks
Detection defenses
Assess the risks to the business operation
12. Provide metrics to which outsourcing firms can be held accountable.
Virus
Service level agreements (SLAs)
Defining and ratifying the classification structure of information assets
Decentralization
13. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Data classification
Detection defenses
Properly aligned with business goals and objectives
Information contained on the equipment
14. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Trusted source
Fault-tolerant computer
Alignment with business strategy
Public key infrastructure (PKI)
15. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Notifications and opt-out provisions
Gap analysis
Certificate authority (CA)
16. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
The board of directors and senior management
Proficiency testing
Threat assessment
Nondisclosure agreement (NDA)
17. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Annually or whenever there is a significant change
Support the business objectives of the organization
Skills inventory
The data custodian
18. The most important characteristic of good security policies is that they be ____________________.
Equal error rate (EER)
Aligned with organizational goals
Support the business objectives of the organization
Phishing
19. The data owner is responsible for _______________________.
Service level agreements (SLAs)
Applying the proper classification to the data
Retention of business records
Impractical and is often cost-prohibitive
20. Only valid if assets have first been identified and appropriately valued.
Digital certificate
Safeguards over keys
Annual loss expectancy (ALE) calculations
Virus detection
21. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Security risk
Public key infrastructure (PKI)
The board of directors and senior management
Information security manager
22. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Attributes and characteristics of the 'desired state'
Biometric access control systems
Encryption of the hard disks
Transferred risk
23. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Access control matrix
Regular review of access control lists
Baseline standard and then develop additional standards
Trusted source
24. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Single sign-on (SSO) product
Performing a risk assessment
Threat assessment
Trojan horse
25. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Tie security risks to key business objectives
Security baselines
Security risk
26. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Continuous analysis - monitoring and feedback
Rule-based access control
Strategic alignment of security with business objectives
27. Should be performed to identify the risk and determine needed controls.
Continuous analysis - monitoring and feedback
Patch management
Regulatory compliance
Internal risk assessment
28. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Retention of business records
Trusted source
Detection defenses
Creation of a business continuity plan
29. Used to understand the flow of one process into another.
Notifications and opt-out provisions
Logon banners
Resource dependency assessment
Waterfall chart
30. Ensure that transmitted information can be attributed to the named sender.
Digital signatures
Breakeven point of risk reduction and cost
Methodology used in the assessment
Compliance with the organization's information security requirements
31. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Is willing to accept
Two-factor authentication
Rule-based access control
Key risk indicator (KRI) setup
32. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Exceptions to policy
Classification of assets needs
Transferred risk
Baseline standard and then develop additional standards
33. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Service level agreements (SLAs)
Control risk
Key controls
Conduct a risk assessment
34. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Information contained on the equipment
Strategic alignment of security with business objectives
Defining and ratifying the classification structure of information assets
35. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Examples of containment defenses
Aligned with organizational goals
Cross-site scripting attacks
Worm
36. When defining the information classification policy - the ___________________ need to be identified.
Reduce risk to an acceptable level
Trojan horse
Requirements of the data owners
Power surge/over voltage (spike)
37. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Control effectiveness
Residual risk
Access control matrix
Logon banners
38. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Comparison of cost of achievement
Script kiddie
Spoofing attacks
Encryption key management
39. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Properly aligned with business goals and objectives
Stress testing
Cracker
Gain unauthorized access to applications
40. An information security manager has to impress upon the human resources department the need for _____________________.
Digital signatures
Security awareness training for all employees
Cyber extortionist
Countermeasure cost-benefit analysis
41. A function of the session keys distributed by the PKI.
Confidentiality
Notifications and opt-out provisions
Knowledge management
Calculating the value of the information or asset
42. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Is willing to accept
Control effectiveness
Safeguards over keys
Comparison of cost of achievement
43. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Personal firewall
Alignment with business strategy
Monitoring processes
44. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Virus
Multinational organization
Knowledge management
Data owners
45. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Data isolation
Data mart
Continuous analysis - monitoring and feedback
Breakeven point of risk reduction and cost
46. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Biometric access control systems
Key controls
Cryptographic secure sockets layer (SSL) implementations and short key lengths
All personnel
47. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Baseline standard and then develop additional standards
Background checks of prospective employees
Stress testing
Conduct a risk assessment
48. Should be determined from the risk assessment results.
Audit objectives
Undervoltage (brownout)
Residual risk would be reduced by a greater amount
What happened and how the breach was resolved
49. Provides strong online authentication.
The database administrator
Public key infrastructure (PKI)
Single sign-on (SSO) product
Attributes and characteristics of the 'desired state'
50. A notice that guarantees a user or a web site is legitimate
Business case development
Undervoltage (brownout)
Digital certificate
Single sign-on (SSO) product