Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
All personnel
Defining high-level business security requirements
Public key infrastructure (PKI)
Residual risk would be reduced by a greater amount
2. Primarily reduce risk and are most effective for the protection of information assets.
Security code reviews for the entire software application
The balanced scorecard
Key controls
Power surge/over voltage (spike)
3. Provide metrics to which outsourcing firms can be held accountable.
IP address packet filtering
Stress testing
Classification of assets needs
Service level agreements (SLAs)
4. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Equal error rate (EER)
Is willing to accept
Protective switch covers
Residual risk
5. Useful but only with regard to specific technical skills.
Proficiency testing
Deeper level of analysis
Residual risk would be reduced by a greater amount
Owner of the information asset
6. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Access control matrix
Examples of containment defenses
Data classification
BIA (Business Impact Assessment)
7. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Cost of control
Malicious software and spyware
Nondisclosure agreement (NDA)
8. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Annual loss expectancy (ALE) calculations
Public key infrastructure (PKI)
Notifications and opt-out provisions
All personnel
9. Inject malformed input.
Centralization of information security management
Cross-site scripting attacks
Performing a risk assessment
Logon banners
10. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Nondisclosure agreement (NDA)
Do with the information it collects
Requirements of the data owners
Risk assessment - evaluation and impact analysis
11. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Gap analysis
Reduce risk to an acceptable level
Regulatory compliance
Owner of the information asset
12. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Spoofing attacks
Well-defined roles and responsibilities
Two-factor authentication
Skills inventory
13. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Total cost of ownership (TCO)
Detection defenses
Trusted source
Acceptable use policies
14. The information security manager needs to prioritize the controls based on ________________________.
Defined objectives
Risk management and the requirements of the organization
Business case development
Cyber extortionist
15. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Comparison of cost of achievement
Trojan horse
Control effectiveness
Inherent risk
16. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Trusted source
Process of introducing changes to systems
Role-based access control
Tie security risks to key business objectives
17. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Encryption key management
The board of directors and senior management
Identify the vulnerable systems and apply compensating controls
Is willing to accept
18. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Protective switch covers
Virus
Malicious software and spyware
19. Utility program that detects and protects a personal computer from unauthorized intrusions
Process of introducing changes to systems
Calculating the value of the information or asset
Centralized structure
Personal firewall
20. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Get senior management onboard
Gap analysis
Cyber terrorist
Prioritization
21. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Centralization of information security management
Countermeasure cost-benefit analysis
Background check
Impractical and is often cost-prohibitive
22. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Well-defined roles and responsibilities
Security awareness training for all employees
Performing a risk assessment
Methodology used in the assessment
23. Has full responsibility over data.
Security awareness training for all employees
Performing a risk assessment
The data owner
Multinational organization
24. Carries out the technical administration.
Spoofing attacks
Personal firewall
The database administrator
Security awareness training for all employees
25. Someone who uses email as a vehicle for extortion; sends the company threatening emails indicating they will expose confidential information - exploit a security launch - etc.
Proficiency testing
Cyber extortionist
Lack of change management
Control risk
26. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Cost of control
Script kiddie
The authentication process is broken
27. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Control risk
Risk assessment - evaluation and impact analysis
Intrusion detection system (IDS)
The awareness and agreement of the data subjects
28. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Detection defenses
Patch management process
Do with the information it collects
Skills inventory
29. Accesses a computer or network illegally
Risk management and the requirements of the organization
Resource dependency assessment
Cracker
Examples of containment defenses
30. A repository of historical data organized by subject to support decision makers in the organization
Data warehouse
Lack of change management
Use of security metrics
Tie security risks to key business objectives
31. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Confidentiality
Regulatory compliance
Decentralization
Tie security risks to key business objectives
32. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
What happened and how the breach was resolved
Cross-site scripting attacks
Compliance with the organization's information security requirements
Acceptable use policies
33. By definition are not previously known and therefore are undetectable.
Transferred risk
Total cost of ownership (TCO)
0-day vulnerabilities
Use of security metrics
34. Would protect against spoofing an internal address but would not provide strong authentication.
BIA (Business Impact Assessment)
Role-based access control
IP address packet filtering
The database administrator
35. A key indicator of performance measurement.
What happened and how the breach was resolved
Strategic alignment of security with business objectives
Certificate authority (CA)
Digital certificate
36. Needs to define the access rules - which is troublesome and error prone in large organizations.
Annual loss expectancy (ALE) calculations
Rule-based access control
Exceptions to policy
Malware
37. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Methodology used in the assessment
Fault-tolerant computer
Script kiddie
Key risk indicator (KRI) setup
38. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Include security responsibilities in a job description
Role-based policy
Spoofing attacks
Key risk indicator (KRI) setup
39. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Knowledge management
The database administrator
Applying the proper classification to the data
Safeguards over keys
40. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
0-day vulnerabilities
Identify the vulnerable systems and apply compensating controls
Biometric access control systems
Undervoltage (brownout)
41. Should PRIMARILY be based on regulatory and legal requirements.
Monitoring processes
Script kiddie
Retention of business records
Process of introducing changes to systems
42. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
IP address packet filtering
Data isolation
Continuous analysis - monitoring and feedback
43. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gain unauthorized access to applications
Public key infrastructure (PKI)
The authentication process is broken
Power surge/over voltage (spike)
44. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Asset classification
Safeguards over keys
Prioritization
Virus
45. Ensures that there are no scalability problems.
Stress testing
Audit objectives
Platform security - intrusion detection and antivirus controls
Detection defenses
46. The PRIMARY goal in developing an information security strategy is to: _________________________.
The board of directors and senior management
Intrusion detection system (IDS)
Risk management and the requirements of the organization
Support the business objectives of the organization
47. The MOST important element of an information security strategy.
Is willing to accept
Rule-based access control
Defined objectives
The balanced scorecard
48. Occurs after the risk assessment process - it does not measure it.
Power surge/over voltage (spike)
Security risk
Use of security metrics
People
49. Provides strong online authentication.
Patch management
The data owner
Public key infrastructure (PKI)
The awareness and agreement of the data subjects
50. Applications cannot access data associated with other apps
Data isolation
Centralized structure
People
Transmit e-mail messages