Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Responsible for securing the information.
Acceptable use policies
The data custodian
Lack of change management
Do with the information it collects
2. The data owner is responsible for _______________________.
Its ability to reduce or eliminate business risks
Applying the proper classification to the data
Role-based policy
Alignment with business strategy
3. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE) calculations
Security baselines
Security risk
Well-defined roles and responsibilities
4. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Its ability to reduce or eliminate business risks
Virus detection
Logon banners
Public key infrastructure (PKI)
5. Applications cannot access data associated with other apps
Data owners
What happened and how the breach was resolved
Data isolation
Transmit e-mail messages
6. A small warehouse - designed for the end-user needs in a strategic business unit
The data custodian
All personnel
Conduct a risk assessment
Data mart
7. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Confidentiality
Process of introducing changes to systems
Single sign-on (SSO) product
Return on security investment (ROSI)
8. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Lack of change management
Cross-site scripting attacks
Biometric access control systems
Virus
9. Cannot be minimized
Digital certificate
Role-based policy
Inherent risk
Cross-site scripting attacks
10. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Malware
Virus detection
Digital signatures
11. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Data warehouse
Security code reviews for the entire software application
Continuous analysis - monitoring and feedback
Role-based policy
12. Someone who uses the Internet or a network to destroy or damage computers for political reasons
Data owners
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Security awareness training for all employees
Cyber terrorist
13. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Power surge/over voltage (spike)
Continuous monitoring control initiatives
Cyber terrorist
Residual risk would be reduced by a greater amount
14. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Requirements of the data owners
Transferred risk
Overall organizational structure
Consensus on risks and controls
15. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Consensus on risks and controls
Multinational organization
Information contained on the equipment
Examples of containment defenses
16. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
All personnel
Regulatory compliance
Classification of assets needs
Alignment with business strategy
17. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Risk appetite
Regulatory compliance
Notifications and opt-out provisions
Trojan horse
18. A method for analyzing and reducing a relational database to its most streamlined form
The board of directors and senior management
Tie security risks to key business objectives
Normalization
Attributes and characteristics of the 'desired state'
19. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Detection defenses
Cross-site scripting attacks
Methodology used in the assessment
Calculating the value of the information or asset
20. Needs to define the access rules - which is troublesome and error prone in large organizations.
Risk assessment - evaluation and impact analysis
Trusted source
The database administrator
Rule-based access control
21. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Logon banners
Transmit e-mail messages
Strategic alignment of security with business objectives
Threat assessment
22. A function of the session keys distributed by the PKI.
Knowledge management
Impractical and is often cost-prohibitive
Confidentiality
Centralization of information security management
23. Provides strong online authentication.
Baseline standard and then develop additional standards
Internal risk assessment
Control risk
Public key infrastructure (PKI)
24. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Data isolation
Nondisclosure agreement (NDA)
IP address packet filtering
Asset classification
25. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Acceptable use policies
Threat assessment
Confidentiality
26. Focuses on identifying vulnerabilities.
The balanced scorecard
Information security manager
Information contained on the equipment
Penetration testing
27. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Consensus on risks and controls
Threat assessment
Retention of business records
28. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
0-day vulnerabilities
The awareness and agreement of the data subjects
include security responsibilities in a job description
Data classification
29. Computer that has duplicate components so it can continue to operate when one of its main components fails
Total cost of ownership (TCO)
Encryption of the hard disks
People
Fault-tolerant computer
30. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Retention of business records
Security baselines
Digital signatures
Decentralization
31. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Cracker
Encryption of the hard disks
The authentication process is broken
SWOT analysis
32. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Security baselines
Exceptions to policy
Defining high-level business security requirements
Negotiating a local version of the organization standards
33. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Information security manager
Its ability to reduce or eliminate business risks
Control risk
Script kiddie
34. Has full responsibility over data.
The data owner
Certificate authority (CA)
Gain unauthorized access to applications
Tie security risks to key business objectives
35. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Baseline standard and then develop additional standards
Platform security - intrusion detection and antivirus controls
Alignment with business strategy
Undervoltage (brownout)
36. Reducing risk to a level too small to measure is _______________.
A network vulnerability assessment
Aligned with organizational goals
Impractical and is often cost-prohibitive
Security awareness training for all employees
37. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
Stress testing
Control effectiveness
Personal firewall
38. Without _____________________ - there cannot be accountability.
Owner of the information asset
Well-defined roles and responsibilities
Logon banners
Spoofing attacks
39. Carries out the technical administration.
Centralization of information security management
Baseline standard and then develop additional standards
The database administrator
Data mart
40. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Access control matrix
Process of introducing changes to systems
Normalization
Spoofing attacks
41. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Performing a risk assessment
Well-defined roles and responsibilities
Risk appetite
Information security manager
42. Should be determined from the risk assessment results.
Inherent risk
SWOT analysis
Audit objectives
Increase business value and confidence
43. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Data owners
Data isolation
Data classification
Risk management and the requirements of the organization
44. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Control effectiveness
Penetration testing
Its ability to reduce or eliminate business risks
Cryptographic secure sockets layer (SSL) implementations and short key lengths
45. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
People
Risk assessment - evaluation and impact analysis
Reduce risk to an acceptable level
46. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Comparison of cost of achievement
Background check
Control effectiveness
Overall organizational structure
47. Occurs when the incoming level
Gap analysis
Skills inventory
Asset classification
Power surge/over voltage (spike)
48. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Identify the vulnerable systems and apply compensating controls
SWOT analysis
Owner of the information asset
Nondisclosure agreement (NDA)
49. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Normalization
Cyber extortionist
Total cost of ownership (TCO)
Is willing to accept
50. Someone who accesses a computer or network illegally
Security risk
Trojan horse
Use of security metrics
Hacker