CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Data mart
Classification of assets needs
Identify the relevant systems and processes
Transmit e-mail messages
2. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Certificate authority (CA)
Patch management
The information security officer
Risk assessment - evaluation and impact analysis
3. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
SWOT analysis
Exceptions to policy
Single sign-on (SSO) product
4. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Transferred risk
The information security officer
Control effectiveness
Skills inventory
5. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Regulatory compliance
Digital certificate
Transmit e-mail messages
Calculating the value of the information or asset
6. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Digital signatures
Information security manager
Regulatory compliance
Identify the relevant systems and processes
7. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Conduct a risk assessment
People
Single sign-on (SSO) product
Control effectiveness
8. Provides strong online authentication.
Public key infrastructure (PKI)
SWOT analysis
Malicious software and spyware
The data custodian
9. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Encryption
Risk management and the requirements of the organization
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Identify the vulnerable systems and apply compensating controls
10. A function of the session keys distributed by the PKI.
Confidentiality
Applying the proper classification to the data
Virus detection
Negotiating a local version of the organization standards
11. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Logon banners
Overall organizational structure
Conduct a risk assessment
Cross-site scripting attacks
12. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Deeper level of analysis
Certificate authority (CA)
Audit objectives
Background check
13. Responsible for securing the information.
Comparison of cost of achievement
The data custodian
Security code reviews for the entire software application
Data owners
14. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Process of introducing changes to systems
Monitoring processes
Identify the relevant systems and processes
Tailgating
15. Program that hides within or looks like a legit program
Decentralization
Methodology used in the assessment
Acceptable use policies
Trojan horse
16. Occurs when the incoming level
Role-based access control
Hacker
Methodology used in the assessment
Power surge/over voltage (spike)
17. All within the responsibility of the information security manager.
Malicious software and spyware
Security awareness training for all employees
Defining high-level business security requirements
Platform security - intrusion detection and antivirus controls
18. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Digital signatures
Return on security investment (ROSI)
Virus
The balanced scorecard
19. A notice that guarantees a user or a web site is legitimate
Digital certificate
Waterfall chart
Performing a risk assessment
Power surge/over voltage (spike)
20. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Alignment with business strategy
Asset classification
Properly aligned with business goals and objectives
The data custodian
21. When the ________________ is more than the cost of the risk - the risk should be accepted.
Creation of a business continuity plan
Cost of control
Continuous analysis - monitoring and feedback
Use of security metrics
22. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Hacker
Data isolation
Penetration testing
Tailgating
23. Company or person you believe will not knowingly send a virus-infected file
Trusted source
Risk appetite
Process of introducing changes to systems
Examples of containment defenses
24. Focuses on identifying vulnerabilities.
Is willing to accept
Virus
Tie security risks to key business objectives
Penetration testing
25. Accesses a computer or network illegally
Internal risk assessment
Worm
The information security officer
Cracker
26. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Reduce risk to an acceptable level
Encryption key management
Security baselines
The data custodian
27. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Asset classification
Get senior management onboard
Continuous analysis - monitoring and feedback
Methodology used in the assessment
28. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Trusted source
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Requirements of the data owners
Control risk
29. Cannot be minimized
Inherent risk
Decentralization
Waterfall chart
Equal error rate (EER)
30. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Tie security risks to key business objectives
Creation of a business continuity plan
Access control matrix
Residual risk would be reduced by a greater amount
31. Occurs when the electrical supply drops
Aligned with organizational goals
Undervoltage (brownout)
Data warehouse
The data owner
32. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Retention of business records
Information security manager
Lack of change management
Negotiating a local version of the organization standards
33. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
A network vulnerability assessment
Role-based policy
Overall organizational structure
Safeguards over keys
34. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
The information security officer
Deeper level of analysis
Classification of assets needs
Reduce risk to an acceptable level
35. A method for analyzing and reducing a relational database to its most streamlined form
Decentralization
Vulnerability assessment
Normalization
Internal risk assessment
36. Computer that has duplicate components so it can continue to operate when one of its main components fails
Cyber terrorist
Equal error rate (EER)
Fault-tolerant computer
Retention of business records
37. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
The board of directors and senior management
Virus
Multinational organization
Normalization
38. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Two-factor authentication
include security responsibilities in a job description
Trusted source
Undervoltage (brownout)
39. Someone who uses the internet or network to destroy or damage computers for political reasons
Cyber terrorist
Waterfall chart
Gap analysis
People
40. Applications cannot access data associated with other apps
Internal risk assessment
Applying the proper classification to the data
Data isolation
Cyber extortionist
41. Someone who accesses a computer or network illegally
Monitoring processes
0-day vulnerabilities
Malware
Hacker
42. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Total cost of ownership (TCO)
Overall organizational structure
Vulnerability assessment
Notifications and opt-out provisions
43. Identification and _______________ of business risk enables project managers to address areas with most significance.
All personnel
Prioritization
Deeper level of analysis
Internal risk assessment
44. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
include security responsibilities in a job description
Owner of the information asset
Detection defenses
Encryption
45. Uses security metrics to measure the performance of the information security program.
Information security manager
Decentralization
Process of introducing changes to systems
Access control matrix
46. The MOST important element of an information security strategy.
Resource dependency assessment
The database administrator
Waterfall chart
Defined objectives
47. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Public key infrastructure (PKI)
Requirements of the data owners
Script kiddie
Role-based access control
48. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Key risk indicator (KRI) setup
What happened and how the breach was resolved
Monitoring processes
Strategic alignment of security with business objectives
49. Should PRIMARILY be based on regulatory and legal requirements.
Increase business value and confidence
Residual risk would be reduced by a greater amount
Overall organizational structure
Retention of business records
50. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Undervoltage (brownout)
Control effectiveness
Annually or whenever there is a significant change