Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Has to be integrated into the requirements of every software application's design.
Encryption key management
Applying the proper classification to the data
Encryption of the hard disks
Consensus on risks and controls
2. Responsible for securing the information.
Risk management and the requirements of the organization
The data custodian
Protective switch covers
Cracker
3. Occurs when the electrical supply drops.
Patch management process
Cyber terrorist
Business case development
Undervoltage (brownout)
4. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Biometric access control systems
The board of directors and senior management
Aligned with organizational goals
Cracker
5. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Examples of containment defenses
Platform security - intrusion detection and antivirus controls
Trusted source
Countermeasure cost-benefit analysis
6. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Cyber extortionist
Confidentiality
People
Information security manager
7. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
The information security officer
Role-based policy
Risk appetite
Overall organizational structure
8. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
SWOT analysis
Phishing
Countermeasure cost-benefit analysis
Single sign-on (SSO) product
9. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Owner of the information asset
Retention of business records
Defining and ratifying the classification structure of information assets
Consensus on risks and controls
10. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Security risk
A network vulnerability assessment
The authentication process is broken
11. All within the responsibility of the information security manager.
Platform security - intrusion detection and antivirus controls
Safeguards over keys
Residual risk would be reduced by a greater amount
0-day vulnerabilities
12. Provides strong online authentication.
Public key infrastructure (PKI)
Calculating the value of the information or asset
Conduct a risk assessment
Protective switch covers
13. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Skills inventory
Inherent risk
Data classification
14. The best measure for preventing the unauthorized disclosure of confidential information.
Regular review of access control lists
Continuous analysis - monitoring and feedback
Tailgating
Acceptable use policies
15. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Is willing to accept
Countermeasure cost-benefit analysis
Data classification
The data owner
16. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Malware
Consensus on risks and controls
Cross-site scripting attacks
Applying the proper classification to the data
17. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Information contained on the equipment
Worm
All personnel
Asset classification
18. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Alignment with business strategy
SWOT analysis
Normalization
19. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Trusted source
Encryption
Tailgating
Tie security risks to key business objectives
20. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and must be considered for the full life cycle of the control.
Total cost of ownership (TCO)
Defining and ratifying the classification structure of information assets
Protective switch covers
Return on security investment (ROSI)
21. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Properly aligned with business goals and objectives
Retention of business records
Knowledge management
22. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Strategic alignment of security with business objectives
Logon banners
Key risk indicator (KRI) setup
Cracker
23. Programs that act without a user's knowledge and deliberately alter a computer's operations
Malware
Process of introducing changes to systems
Detection defenses
Trusted source
24. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Risk assessment - evaluation and impact analysis
Include security responsibilities in a job description
Virus
Requirements of the data owners
25. To identify known vulnerabilities based on common misconfigurations and missing updates.
Worm
Role-based access control
Applying the proper classification to the data
A network vulnerability assessment
26. Occurs when the incoming level
Residual risk
Process of introducing changes to systems
Power surge/overvoltage (spike)
Transferred risk
27. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Comparison of cost of achievement
Transmit e-mail messages
SWOT analysis
28. Uses security metrics to measure the performance of the information security program.
Transmit e-mail messages
Information security manager
Risk management and the requirements of the organization
Risk assessment - evaluation and impact analysis
29. Occurs after the risk assessment process - it does not measure it.
Regular review of access control lists
Use of security metrics
Malware
Developing an information security baseline
30. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Cyber extortionist
Developing an information security baseline
Decentralization
Stress testing
31. Utility program that detects and protects a personal computer from unauthorized intrusions
Classification of assets needs
Annually or whenever there is a significant change
Undervoltage (brownout)
Personal firewall
32. The MOST important component of a privacy policy is: Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Virus
Key risk indicator (KRI) setup
Notifications and opt-out provisions
Compliance with the organization's information security requirements
33. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Regulatory compliance
The balanced scorecard
Cyber extortionist
Trusted source
34. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
What happened and how the breach was resolved
Defining high-level business security requirements
Residual risk would be reduced by a greater amount
Encryption
35. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Malicious software and spyware
Tie security risks to key business objectives
Its ability to reduce or eliminate business risks
Notifications and opt-out provisions
36. The MOST important element of an information security strategy.
Total cost of ownership (TCO)
Defined objectives
Role-based policy
Resource dependency assessment
37. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Countermeasure cost-benefit analysis
Security awareness training for all employees
Two-factor authentication
Requirements of the data owners
38. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment - evaluation and impact analysis
The database administrator
Risk management and the requirements of the organization
SWOT analysis
39. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Internal risk assessment
Fault-tolerant computer
Return on security investment (ROSI)
Regulatory compliance
40. Carries out the technical administration.
Regulatory compliance
The database administrator
The awareness and agreement of the data subjects
Properly aligned with business goals and objectives
41. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Audit objectives
Reduce risk to an acceptable level
Background check
Certificate authority (CA)
42. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Background checks of prospective employees
Cracker
Control risk
Certificate authority (CA)
43. A notice that guarantees a user or a web site is legitimate
Applying the proper classification to the data
Digital certificate
Worm
Tailgating
44. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Worm
Patch management process
Increase business value and confidence
Centralized structure
45. Ensures that there are no scalability problems.
Intrusion detection system (IDS)
Centralization of information security management
Encryption of the hard disks
Stress testing
46. A risk assessment should be conducted _________________.
Annually or whenever there is a significant change
Residual risk
Regulatory compliance
Return on security investment (ROSI)
47. A small warehouse - designed for the end-user needs in a strategic business unit
Security awareness training for all employees
Data mart
Encryption key management
Continuous analysis - monitoring and feedback
48. A repository of historical data organized by subject to support decision makers in the organization
Examples of containment defenses
Data warehouse
Negotiating a local version of the organization standards
Calculating the value of the information or asset
49. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
Patch management
Negotiating a local version of the organization standards
Information security manager
50. Ensure that transmitted information can be attributed to the named sender.
Fault-tolerant computer
SWOT analysis
Continuous monitoring control initiatives
Digital signatures