CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. A risk assessment should be conducted _________________.
The authentication process is broken
Prioritization
Waterfall chart
Annually or whenever there is a significant change
2. Only valid if assets have first been identified and appropriately valued.
Platform security - intrusion detection and antivirus controls
Annual loss expectancy (ALE) calculations
Breakeven point of risk reduction and cost
Calculating the value of the information or asset
3. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
What happened and how the breach was resolved
Comparison of cost of achievement
Process of introducing changes to systems
Cost of control
4. New security vulnerabilities should be managed through a ________________.
Patch management process
Trusted source
Gain unauthorized access to applications
Defined objectives
5. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Total cost of ownership (TCO)
Data classification
Penetration testing
Asset classification
6. Occurs when the incoming level
Power surge/over voltage (spike)
Resource dependency assessment
Nondisclosure agreement (NDA)
Internal risk assessment
7. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Background checks of prospective employees
Encryption key management
Service level agreements (SLAs)
Do with the information it collects
8. Has full responsibility over data.
Digital signatures
Performing a risk assessment
Annually or whenever there is a significant change
The data owner
9. Someone who uses the internet or network to destroy or damage computers for political reasons
Cyber terrorist
The information security officer
Do with the information it collects
Conduct a risk assessment
10. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
The balanced scorecard
Audit objectives
Calculating the value of the information or asset
Monitoring processes
11. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Consensus on risks and controls
Two-factor authentication
Tailgating
Undervoltage (brownout)
12. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Undervoltage (brownout)
Safeguards over keys
Gap analysis
Continuous monitoring control initiatives
13. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Patch management process
Impractical and is often cost-prohibitive
Residual risk would be reduced by a greater amount
Baseline standard and then develop additional standards
14. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Support the business objectives of the organization
Security awareness training for all employees
Background check
15. To identify known vulnerabilities based on common misconfigurations and missing updates.
The data owner
A network vulnerability assessment
Retention of business records
Tie security risks to key business objectives
16. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Certificate authority (CA)
Retention of business records
Lack of change management
People
17. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Impractical and is often cost-prohibitive
Trusted source
Cross-site scripting attacks
18. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Security risk
The data owner
Stress testing
Methodology used in the assessment
19. The data owner is responsible for _______________________.
Continuous monitoring control initiatives
Applying the proper classification to the data
Defining high-level business security requirements
Methodology used in the assessment
20. Occurs after the risk assessment process - it does not measure it.
Use of security metrics
Digital signatures
Asset classification
Data owners
21. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Security risk
Public key infrastructure (PKI)
Certificate authority (CA)
22. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Service level agreements (SLAs)
Certificate authority (CA)
Safeguards over keys
Increase business value and confidence
23. When defining the information classification policy - the ___________________ need to be identified.
Transferred risk
Requirements of the data owners
Digital certificate
Performing a risk assessment
24. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
The data custodian
Centralization of information security management
Requirements of the data owners
BIA (Business Impact Assessment)
25. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Business case development
The data custodian
The board of directors and senior management
Power surge/over voltage (spike)
26. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
The data owner
Is willing to accept
Detection defenses
27. The job of the information security officer on a management team is to ___________________.
Asset classification
Regular review of access control lists
Lack of change management
Assess the risks to the business operation
28. Occurs when the electrical supply drops
Conduct a risk assessment
Undervoltage (brownout)
Identify the relevant systems and processes
Calculating the value of the information or asset
29. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Risk management and the requirements of the organization
Cross-site scripting attacks
The authentication process is broken
30. Should be a standard requirement for the service provider.
Gain unauthorized access to applications
Acceptable use policies
Background check
BIA (Business Impact Assessment)
31. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Assess the risks to the business operation
The balanced scorecard
People
32. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Security awareness training for all employees
Undervoltage (brownout)
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Proficiency testing
33. Has to be integrated into the requirements of every software application's design.
Countermeasure cost-benefit analysis
Equal error rate (EER)
Encryption key management
Its ability to reduce or eliminate business risks
34. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Its ability to reduce or eliminate business risks
Background checks of prospective employees
Multinational organization
35. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
Service level agreements (SLAs)
BIA (Business Impact Assessment)
Data classification
36. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
All personnel
Fault-tolerant computer
What happened and how the breach was resolved
Encryption
37. The primary role of the information security manager in the process of information classification within the organization.
Script kiddie
Skills inventory
Defining and ratifying the classification structure of information assets
Risk assessment - evaluation and impact analysis
38. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Annually or whenever there is a significant change
Data warehouse
Trusted source
39. A small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Encryption of the hard disks
Get senior management onboard
Include security responsibilities in a job description
40. A repository of historical data organized by subject to support decision makers in the org
Data warehouse
Access control matrix
Retention of business records
Two-factor authentication
41. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
The information security officer
Prioritization
Public key infrastructure (PKI)
42. Ensure that transmitted information can be attributed to the named sender.
Digital signatures
Script kiddie
Penetration testing
Intrusion detection system (IDS)
43. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Service level agreements (SLAs)
Classification of assets needs
Properly aligned with business goals and objectives
Vulnerability assessment
44. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Encryption of the hard disks
Script kiddie
Intrusion detection system (IDS)
Strategic alignment of security with business objectives
45. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis - monitoring and feedback
Baseline standard and then develop additional standards
People
Deeper level of analysis
46. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Lack of change management
Residual risk
Creation of a business continuity plan
Cross-site scripting attacks
47. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Background check
Public key infrastructure (PKI)
Information contained on the equipment
Certificate authority (CA)
48. Obtaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Return on security investment (ROSI)
Key controls
Business case development
Security risk
49. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Alignment with business strategy
Equal error rate (EER)
Cross-site scripting attacks
BIA (Business Impact Assessment)
50. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Encryption of the hard disks
Overall organizational structure
Tailgating
Breakeven point of risk reduction and cost