Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. S small warehouse - designed for the end-user needs in a strategic business unit
Undervoltage (brownout)
Digital certificate
Power surge/over voltage (spike)
Data mart

2. Carries out the technical administration.
Residual risk would be reduced by a greater amount
Use of security metrics
Malicious software and spyware
The database administrator

3. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Examples of containment defenses
Baseline standard and then develop additional standards
Owner of the information asset
Negotiating a local version of the organization standards

4. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Comparison of cost of achievement
Equal error rate (EER)
Script kiddie
Aligned with organizational goals

5. Should be performed to identify the risk and determine needed controls.
Key controls
Internal risk assessment
Patch management process
Worm

6. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
What happened and how the breach was resolved
Platform security - intrusion detection and antivirus controls
Continuous monitoring control initiatives
Virus

7. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Virus detection
Role-based access control
A network vulnerability assessment
Its ability to reduce or eliminate business risks

8. Occurs when the electrical supply drops
Certificate authority (CA)
Exceptions to policy
Undervoltage (brownout)
Applying the proper classification to the data

9. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Process of introducing changes to systems
Virus detection
Creation of a business continuity plan
Intrusion detection system (IDS)

10. Normally addressed through antivirus and antispyware policies.
Access control matrix
Malicious software and spyware
BIA (Business Impact Assessment
Equal error rate (EER)

11. Same intent as a cracker but does not have the technical skills and knowledge
Trojan horse
BIA (Business Impact Assessment
Exceptions to policy
Script kiddie

12. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Examples of containment defenses
Cracker
Information contained on the equipment
Background check

13. Provide metrics to which outsourcing firms can be held accountable.
Monitoring processes
OBusiness case development
Service level agreements (SLAs)
Alignment with business strategy

14. Computer that has duplicate components so it can continue to operate when one of its main components fail
The information security officer
Fault-tolerant computer
Worm
Undervoltage (brownout)

15. n a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Is willing to accept
Personal firewall
Applying the proper classification to the data
Countermeasure cost-benefit analysis

16. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Role-based policy
Power surge/over voltage (spike)
Risk assessment - evaluation and impact analysis
Residual risk would be reduced by a greater amount

17. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Information contained on the equipment
Alignment with business strategy
Examples of containment defenses

18. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
Logon banners
Hacker
OBusiness case development
Decentralization

19. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Encryption key management
Total cost of ownership (TCO)
Control effectiveness
Identify the relevant systems and processes

20. provides the most effective protection of data on mobile devices.
Protective switch covers
Is willing to accept
Encryption
The balanced scorecard

21. The primary role of the information security manager in the process of information classification within the organization.
Reduce risk to an acceptable level
Cracker
Defining and ratifying the classification structure of information assets
Conduct a risk assessment

22. Would protect against spoofing an internal address but would not provide strong authentication.
Defining high-level business security requirements
Defining and ratifying the classification structure of information assets
IP address packet filtering
SWOT analysis

23. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Public key infrastructure (PKI)
Internal risk assessment
Safeguards over keys
Personal firewall

24. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Internal risk assessment
Key controls
The board of directors and senior management
Support the business objectives of the organization

25. Identification and _______________ of business risk enables project managers to address areas with most significance.
Defining and ratifying the classification structure of information assets
Reduce risk to an acceptable level
Prioritization
Trojan horse

26. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Countermeasure cost-benefit analysis
Malicious software and spyware
Methodology used in the assessment
People

27. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Identify the vulnerable systems and apply compensating controls
Continuous monitoring control initiatives
Audit objectives
Background checks of prospective employees

28. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Regular review of access control lists
People
Notifications and opt-out provisions
Defined objectives

29. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Platform security - intrusion detection and antivirus controls
Certificate authority (CA)
Background check

30. New security ulnerabilities should be managed through a ________________.
IP address packet filtering
The board of directors and senior management
Vulnerability assessment
Patch management process

31. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Platform security - intrusion detection and antivirus controls
Negotiating a local version of the organization standards
Nondisclosure agreement (NDA)
Aligned with organizational goals

32. When the ________________ is more than the cost of the risk - the risk should be accepted.
Countermeasure cost-benefit analysis
Cost of control
include security responsibilities in a job description
Skills inventory

33. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Information contained on the equipment
Residual risk
Virus
BIA (Business Impact Assessment

34. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Inherent risk
Protective switch covers
Support the business objectives of the organization
Continuous analysis - monitoring and feedback

35. Company or person you believe will not send a virus-infect file knowingly
Safeguards over keys
Detection defenses
Alignment with business strategy
Trusted source

36. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
BIA (Business Impact Assessment
Defined objectives
Role-based policy
Conduct a risk assessment

37. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Data mart
Background checks of prospective employees
Identify the relevant systems and processes

38. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Lack of change management
Creation of a business continuity plan
Waterfall chart
Cross-site scripting attacks

39. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Cyber extortionist
Knowledge management
Inherent risk
Alignment with business strategy

40. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Inherent risk
Tailgating
Skills inventory
Continuous monitoring control initiatives

41. The PRIMARY goal in developing an information security strategy is to: _________________________.
0-day vulnerabilities
Support the business objectives of the organization
Worm
Identify the vulnerable systems and apply compensating controls

42. By definition are not previously known and therefore are undetectable.
Data isolation
0-day vulnerabilities
Background checks of prospective employees
Strategic alignment of security with business objectives

43. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Compliance with the organization's information security requirements
Return on security investment (ROSI)
Countermeasure cost-benefit analysis

44. Accesses a computer or network illegally
Encryption of the hard disks
Cracker
Security baselines
Owner of the information asset

45. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Tailgating
Role-based policy
Spoofing attacks
Asset classification

46. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Process of introducing changes to systems
SWOT analysis
Data owners
Nondisclosure agreement (NDA)

47. Programs that act without a user's knowledge and deliberately alter a computer's operations
Requirements of the data owners
Cross-site scripting attacks
The board of directors and senior management
MAL wear

48. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Role-based policy
Developing an information security baseline
Control effectiveness
Security risk

49. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Total cost of ownership (TCO)
The balanced scorecard
Phishing
Data warehouse

50. A notice that guarantees a user or a web site is legitimate
Digital certificate
Data owners
Virus
The balanced scorecard