Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Uses security metrics to measure the performance of the information security program.
Security awareness training for all employees
Undervoltage (brownout)
MAL wear
Information security manager

2. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Platform security - intrusion detection and antivirus controls
Notifications and opt-out provisions
Script kiddie
Retention of business records

3. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Prioritization
Data warehouse
Classification of assets needs

4. Someone who uses the internet or network to destroy or damage computers for political reasons
Attributes and characteristics of the 'desired state'
Transferred risk
Cyber terrorist
Encryption

5. The best measure for preventing the unauthorized disclosure of confidential information.
Continuous analysis - monitoring and feedback
Detection defenses
Acceptable use policies
Control risk

6. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Trojan horse
Continuous monitoring control initiatives
Nondisclosure agreement (NDA)
Risk appetite

7. Responsible for securing the information.
The data custodian
The awareness and agreement of the data subjects
Risk management and the requirements of the organization
Aligned with organizational goals

8. Program that hides within or looks like a legit program
Continuous analysis - monitoring and feedback
Total cost of ownership (TCO)
Background checks of prospective employees
Trojan horse

9. Used to understand the flow of one process into another.
Access control matrix
Virus detection
Lack of change management
Waterfall chart

10. When the ________________ is more than the cost of the risk - the risk should be accepted.
Annually or whenever there is a significant change
Cost of control
Public key infrastructure (PKI)
Detection defenses

11. Ensures that there are no scalability problems.
Data classification
Risk appetite
Stress testing
Threat assessment

12. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Comparison of cost of achievement
Alignment with business strategy
Encryption key management
Identify the relevant systems and processes

13. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
OBusiness case development
Identify the relevant systems and processes
Key risk indicator (KRI) setup
Lack of change management

14. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Get senior management onboard
Lack of change management
Role-based policy
Defining high-level business security requirements

15. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Lack of change management
Security code reviews for the entire software application
Increase business value and confidence
Tie security risks to key business objectives

16. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Biometric access control systems
Annual loss expectancy (ALE)calculations
Reduce risk to an acceptable level
Deeper level of analysis

17. By definition are not previously known and therefore are undetectable.
Platform security - intrusion detection and antivirus controls
Countermeasure cost-benefit analysis
0-day vulnerabilities
Gap analysis

18. _______________ of the organization have the responsibility of ensuring information systems security this can include indirect personnel such as physical security personnel.
Identify the vulnerable systems and apply compensating controls
All personnel
The board of directors and senior management
Undervoltage (brownout)

19. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Control risk
Data classification
Defining high-level business security requirements
Lack of change management

20. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Inherent risk
Examples of containment defenses
Strategic alignment of security with business objectives

21. All within the responsibility of the information security manager.
Hacker
Platform security - intrusion detection and antivirus controls
Audit objectives
Lack of change management

22. A function of the session keys distributed by the PKI.
Notifications and opt-out provisions
Confidentiality
The data owner
Control effectiveness

23. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
All personnel
Worm
Background checks of prospective employees
Information security manager

24. Same intent as a cracker but does not have the technical skills and knowledge
Compliance with the organization's information security requirements
Residual risk would be reduced by a greater amount
Script kiddie
Access control matrix

25. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Information contained on the equipment
Increase business value and confidence
The information security officer
Data owners

26. New security ulnerabilities should be managed through a ________________.
The data owner
Security awareness training for all employees
Inherent risk
Patch management process

27. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Threat assessment
Data classification
Key risk indicator (KRI) setup
Nondisclosure agreement (NDA)

28. S small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Stress testing
Information security manager
Worm

29. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Spoofing attacks
Performing a risk assessment
Data owners
Process of introducing changes to systems

30. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Stress testing
Cyber extortionist
Aligned with organizational goals
Intrusion detection system (IDS)

31. Someone who accesses a computer or network illegally
Return on security investment (ROSI)
Penetration testing
Single sign-on (SSO) product
Hacker

32. A key indicator of performance measurement.
Lack of change management
Decentralization
Strategic alignment of security with business objectives
Hacker

33. A repository of historical data organized by subject to support decision makers in the org
Multinational organization
Data warehouse
Identify the vulnerable systems and apply compensating controls
Cost of control

34. Has full responsibility over data.
BIA (Business Impact Assessment
Virus detection
Patch management process
The data owner

35. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Cyber terrorist
Its ability to reduce or eliminate business risks
Return on security investment (ROSI)
Centralization of information security management

36. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Increase business value and confidence
OBusiness case development
Transmit e-mail messages
Control risk

37. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Biometric access control systems
Control effectiveness
Multinational organization
Risk appetite

38. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Cracker
Equal error rate (EER)
SWOT analysis
Return on security investment (ROSI)

39. The data owner is responsible for _______________________.
Applying the proper classification to the data
Total cost of ownership (TCO)
Impractical and is often cost-prohibitive
Security baselines

40. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Virus detection
Data classification
Inherent risk
Residual risk

41. Reducing risk to a level too small to measure is _______________.
Nondisclosure agreement (NDA)
Impractical and is often cost-prohibitive
Virus
Resource dependency assessment

42. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Calculating the value of the information or asset
Audit objectives
Decentralization
Monitoring processes

43. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Gap analysis
Spoofing attacks
Multinational organization
Security baselines

44. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Information security manager
Residual risk
Attributes and characteristics of the 'desired state'
Consensus on risks and controls

45. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Aligned with organizational goals
Impractical and is often cost-prohibitive
Spoofing attacks
Certificate authority (CA)

46. Whenever personal data are transferred across national boundaries; ________________________ are required.
Data isolation
The awareness and agreement of the data subjects
All personnel
Residual risk would be reduced by a greater amount

47. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Creation of a business continuity plan
Undervoltage (brownout)
Safeguards over keys

48. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Access control matrix
Risk appetite
Developing an information security baseline
Identify the vulnerable systems and apply compensating controls

49. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Patch management process
Skills inventory
Risk appetite
Exceptions to policy

50. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Script kiddie
Spoofing attacks
Continuous analysis - monitoring and feedback
Hacker