SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
The authentication process is broken
Annual loss expectancy (ALE)calculations
Impractical and is often cost-prohibitive
Two-factor authentication
2. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Methodology used in the assessment
Identify the vulnerable systems and apply compensating controls
Knowledge management
Continuous analysis - monitoring and feedback
3. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Encryption of the hard disks
Tailgating
Information contained on the equipment
The authentication process is broken
4. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
The awareness and agreement of the data subjects
Continuous monitoring control initiatives
Digital signatures
5. New security ulnerabilities should be managed through a ________________.
Background check
Power surge/over voltage (spike)
Patch management process
Applying the proper classification to the data
6. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Threat assessment
Process of introducing changes to systems
Gain unauthorized access to applications
Encryption key management
7. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Annual loss expectancy (ALE)calculations
Skills inventory
Digital signatures
Multinational organization
8. ecurity design flaws require a ____________________.
Continuous monitoring control initiatives
BIA (Business Impact Assessment
Trojan horse
Deeper level of analysis
9. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Residual risk would be reduced by a greater amount
Data mart
Aligned with organizational goals
10. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Certificate authority (CA)
BIA (Business Impact Assessment
What happened and how the breach was resolved
Role-based policy
11. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Control risk
Security baselines
Key risk indicator (KRI) setup
Biometric access control systems
12. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Skills inventory
Centralized structure
Do with the information it collects
13. Has full responsibility over data.
Intrusion detection system (IDS)
The data owner
Transferred risk
Defining high-level business security requirements
14. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Identify the relevant systems and processes
Cyber terrorist
Threat assessment
Compliance with the organization's information security requirements
15. By definition are not previously known and therefore are undetectable.
The data owner
0-day vulnerabilities
Nondisclosure agreement (NDA)
Reduce risk to an acceptable level
16. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Key controls
Spoofing attacks
Risk appetite
Cryptographic secure sockets layer (SSL) implementations and short key lengths
17. It is easier to manage and control a _________________.
Centralized structure
Use of security metrics
Transmit e-mail messages
Confidentiality
18. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Multinational organization
include security responsibilities in a job description
Virus detection
Calculating the value of the information or asset
19. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Virus detection
IP address packet filtering
Equal error rate (EER)
Data warehouse
20. Should PRIMARILY be based on regulatory and legal requirements.
SWOT analysis
Retention of business records
Get senior management onboard
Countermeasure cost-benefit analysis
21. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Patch management
Worm
Classification of assets needs
SWOT analysis
22. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Personal firewall
Get senior management onboard
Control effectiveness
Owner of the information asset
23. Culture has a significant impact on how information security will be implemented in a ______________________.
Trojan horse
Multinational organization
The balanced scorecard
Audit objectives
24. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cyber extortionist
Reduce risk to an acceptable level
Cost of control
Encryption of the hard disks
25. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Requirements of the data owners
Nondisclosure agreement (NDA)
The balanced scorecard
Spoofing attacks
26. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Power surge/over voltage (spike)
Support the business objectives of the organization
Access control matrix
27. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Exceptions to policy
Patch management process
Well-defined roles and responsibilities
28. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Impractical and is often cost-prohibitive
Defining high-level business security requirements
The awareness and agreement of the data subjects
Increase business value and confidence
29. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Return on security investment (ROSI)
Annually or whenever there is a significant change
Risk assessment - evaluation and impact analysis
Compliance with the organization's information security requirements
30. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
Identify the relevant systems and processes
Transferred risk
Continuous monitoring control initiatives
31. S small warehouse - designed for the end-user needs in a strategic business unit
Digital certificate
Malicious software and spyware
Tie security risks to key business objectives
Data mart
32. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE)calculations
Return on security investment (ROSI)
Cost of control
Virus
33. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Security code reviews for the entire software application
Get senior management onboard
The balanced scorecard
34. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Spoofing attacks
Monitoring processes
Transmit e-mail messages
Well-defined roles and responsibilities
35. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Resource dependency assessment
Encryption key management
Deeper level of analysis
All personnel
36. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Alignment with business strategy
Logon banners
The awareness and agreement of the data subjects
Comparison of cost of achievement
37. Occurs after the risk assessment process - it does not measure it.
Encryption of the hard disks
Virus detection
Support the business objectives of the organization
Use of security metrics
38. Normally addressed through antivirus and antispyware policies.
Malicious software and spyware
Comparison of cost of achievement
Creation of a business continuity plan
Data mart
39. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Access control matrix
A network vulnerability assessment
The board of directors and senior management
Cost of control
40. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
Regulatory compliance
Exceptions to policy
Role-based access control
41. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Waterfall chart
Its ability to reduce or eliminate business risks
Patch management process
Strategic alignment of security with business objectives
42. Useful but only with regard to specific technical skills.
Confidentiality
Proficiency testing
Digital certificate
Residual risk
43. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Compliance with the organization's information security requirements
OBusiness case development
Centralized structure
44. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Methodology used in the assessment
Reduce risk to an acceptable level
Increase business value and confidence
Tie security risks to key business objectives
45. Focuses on identifying vulnerabilities.
Get senior management onboard
Risk appetite
Penetration testing
Background checks of prospective employees
46. The MOST important element of an information security strategy.
Defined objectives
Key controls
Access control matrix
SWOT analysis
47. Uses security metrics to measure the performance of the information security program.
Annual loss expectancy (ALE)calculations
Information security manager
Inherent risk
Multinational organization
48. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Asset classification
Cross-site scripting attacks
Tie security risks to key business objectives
Audit objectives
49. Cannot be minimized
Inherent risk
Rule-based access control
Stress testing
Control effectiveness
50. A Successful risk management should lead to a ________________.
Power surge/over voltage (spike)
Breakeven point of risk reduction and cost
Security code reviews for the entire software application
Transferred risk
