Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Applications cannot access data associated with other apps
Data isolation
Annually or whenever there is a significant change
Identify the vulnerable systems and apply compensating controls
What happened and how the breach was resolved

2. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Properly aligned with business goals and objectives
A network vulnerability assessment
Access control matrix
Its ability to reduce or eliminate business risks

3. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Detection defenses
Monitoring processes
Assess the risks to the business operation
Exceptions to policy

4. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Control effectiveness
Proficiency testing
Encryption of the hard disks
Patch management

5. The job of the information security officer on a management team is to ___________________.
The database administrator
Data warehouse
The balanced scorecard
Assess the risks to the business operation

6. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
IP address packet filtering
Defined objectives
A network vulnerability assessment

7. Responsible for securing the information.
Examples of containment defenses
Transferred risk
Comparison of cost of achievement
The data custodian

8. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Residual risk
Risk assessment - evaluation and impact analysis
Access control matrix
Annual loss expectancy (ALE)calculations

9. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Total cost of ownership (TCO)
Performing a risk assessment
The awareness and agreement of the data subjects
Public key infrastructure (PKI)

10. provides the most effective protection of data on mobile devices.
Trojan horse
Consensus on risks and controls
Encryption
The data owner

11. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
The information security officer
IP address packet filtering
Strategic alignment of security with business objectives

12. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Risk appetite
What happened and how the breach was resolved
Personal firewall
Alignment with business strategy

13. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
BIA (Business Impact Assessment
Overall organizational structure
Conduct a risk assessment
Gain unauthorized access to applications

14. Should be performed to identify the risk and determine needed controls.
Alignment with business strategy
Background check
Internal risk assessment
Reduce risk to an acceptable level

15. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Background check
Hacker
Detection defenses

16. Needs to define the access rules - which is troublesome and error prone in large organizations.
Safeguards over keys
Data warehouse
Centralization of information security management
Rule-based access control

17. A method for analyzing and reducing a relational database to its most streamlined form
Alignment with business strategy
Acceptable use policies
Normalization
Regulatory compliance

18. Accesses a computer or network illegally
Penetration testing
Single sign-on (SSO) product
Hacker
Cracker

19. Programs that act without a user's knowledge and deliberately alter a computer's operations
MAL wear
Continuous monitoring control initiatives
Monitoring processes
Key risk indicator (KRI) setup

20. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Compliance with the organization's information security requirements
Properly aligned with business goals and objectives
Background check
The awareness and agreement of the data subjects

21. S small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Knowledge management
Is willing to accept

22. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Trojan horse
All personnel
Alignment with business strategy
Baseline standard and then develop additional standards

23. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Knowledge management
Applying the proper classification to the data
Encryption of the hard disks
Support the business objectives of the organization

24. Someone who accesses a computer or network illegally
Performing a risk assessment
Asset classification
Cyber terrorist
Hacker

25. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Risk management and the requirements of the organization
The board of directors and senior management
Biometric access control systems
Identify the relevant systems and processes

26. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Information security manager
Acceptable use policies
Resource dependency assessment
Reduce risk to an acceptable level

27. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
Negotiating a local version of the organization standards
Script kiddie
Control risk

28. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Encryption
Transferred risk
Script kiddie
Key risk indicator (KRI) setup

29. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Service level agreements (SLAs)
Worm
Virus
Proficiency testing

30. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Logon banners
Methodology used in the assessment
Risk appetite
Data classification

31. Whenever personal data are transferred across national boundaries; ________________________ are required.
Service level agreements (SLAs)
Single sign-on (SSO) product
The awareness and agreement of the data subjects
Key controls

32. Provides strong online authentication.
Monitoring processes
Internal risk assessment
Public key infrastructure (PKI)
Service level agreements (SLAs)

33. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Conduct a risk assessment
Residual risk would be reduced by a greater amount
Defined objectives
Stress testing

34. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Residual risk would be reduced by a greater amount
Key controls
Spoofing attacks
Strategic alignment of security with business objectives

35. Provides process needs but not impact.
Total cost of ownership (TCO)
Tailgating
Prioritization
Resource dependency assessment

36. Should be a standard requirement for the service provider.
Background check
Role-based policy
Proficiency testing
Do with the information it collects

37. Awareness - training and physical security defenses.
Annual loss expectancy (ALE)calculations
Examples of containment defenses
Script kiddie
Role-based policy

38. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
What happened and how the breach was resolved
Retention of business records
Calculating the value of the information or asset
Control effectiveness

39. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
The data custodian
Consensus on risks and controls
Encryption key management
Skills inventory

40. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Consensus on risks and controls
Cyber terrorist
Patch management
Developing an information security baseline

41. Used to understand the flow of one process into another.
Waterfall chart
Certificate authority (CA)
Strategic alignment of security with business objectives
Script kiddie

42. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Asset classification
Overall organizational structure
Personal firewall

43. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key controls
Transmit e-mail messages
Risk appetite
Key risk indicator (KRI) setup

44. ecurity design flaws require a ____________________.
Spoofing attacks
Security baselines
Deeper level of analysis
Penetration testing

45. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Acceptable use policies
Normalization
Threat assessment

46. When defining the information classification policy - the ___________________ need to be identified.
Compliance with the organization's information security requirements
Gap analysis
Requirements of the data owners
Phishing

47. Reducing risk to a level too small to measure is _______________.
Background checks of prospective employees
Malicious software and spyware
Impractical and is often cost-prohibitive
Assess the risks to the business operation

48. Oversees the overall classification management of the information.
Centralized structure
The information security officer
Exceptions to policy
Defining high-level business security requirements

49. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Role-based policy
Malicious software and spyware
Security baselines
Information contained on the equipment

50. A Successful risk management should lead to a ________________.
The balanced scorecard
Power surge/over voltage (spike)
Fault-tolerant computer
Breakeven point of risk reduction and cost