Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Process of introducing changes to systems
Overall organizational structure
Is willing to accept
Spoofing attacks
2. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
0-day vulnerabilities
Virus
Service level agreements (SLAs)
Encryption key management
3. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Key controls
Negotiating a local version of the organization standards
Reduce risk to an acceptable level
Resource dependency assessment
4. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
The awareness and agreement of the data subjects
Continuous analysis - monitoring and feedback
Assess the risks to the business operation
Continuous monitoring control initiatives
5. Provide metrics to which outsourcing firms can be held accountable.
Regulatory compliance
Service level agreements (SLAs)
Baseline standard and then develop additional standards
Cyber terrorist
6. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
All personnel
Key controls
The information security officer
Information contained on the equipment
7. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Trusted source
Classification of assets needs
Security code reviews for the entire software application
BIA (Business Impact Assessment)
8. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Protective switch covers
Return on security investment (ROSI)
Methodology used in the assessment
Malware
9. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Gap analysis
Residual risk
Cracker
Owner of the information asset
10. Someone who uses email as a vehicle for extortion; sends a company threatening emails indicating they will expose confidential information, exploit a security flaw, launch an attack, etc.
Patch management
The balanced scorecard
Undervoltage (brownout)
Cyber extortionist
11. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Detection defenses
All personnel
Phishing
Single sign-on (SSO) product
12. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Retention of business records
Identify the vulnerable systems and apply compensating controls
People
Data mart
13. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Compliance with the organization's information security requirements
Requirements of the data owners
Centralization of information security management
Cracker
14. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Annually or whenever there is a significant change
Regular review of access control lists
Continuous monitoring control initiatives
Script kiddie
15. Carries out the technical administration.
The database administrator
Data classification
Is willing to accept
Biometric access control systems
16. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
A network vulnerability assessment
Security baselines
Patch management process
Safeguards over keys
17. Programs that act without a user's knowledge and deliberately alter a computer's operations
Malware
Data isolation
Decentralization
Include security responsibilities in a job description
18. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Return on security investment (ROSI)
Equal error rate (EER)
Regulatory compliance
Classification of assets needs
19. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Use of security metrics
SWOT analysis
Risk management and the requirements of the organization
Increase business value and confidence
20. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Alignment with business strategy
Resource dependency assessment
Data classification
Security baselines
21. Primarily reduce risk and are most effective for the protection of information assets.
Multinational organization
Key controls
Negotiating a local version of the organization standards
Worm
22. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Include security responsibilities in a job description
Certificate authority (CA)
Encryption key management
Threat assessment
23. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Reduce risk to an acceptable level
Detection defenses
Tie security risks to key business objectives
Alignment with business strategy
24. New security vulnerabilities should be managed through a ________________.
Vulnerability assessment
Patch management process
A network vulnerability assessment
Continuous monitoring control initiatives
25. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Baseline standard and then develop additional standards
BIA (Business Impact Assessment)
Gap analysis
Total cost of ownership (TCO)
26. When the ________________ is more than the cost of the risk - the risk should be accepted.
Identify the vulnerable systems and apply compensating controls
Cost of control
Transmit e-mail messages
Intrusion detection system (IDS)
27. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Consensus on risks and controls
The board of directors and senior management
Encryption
28. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Its ability to reduce or eliminate business risks
Well-defined roles and responsibilities
IP address packet filtering
Examples of containment defenses
29. The job of the information security officer on a management team is to ___________________.
Detection defenses
Assess the risks to the business operation
Patch management
Consensus on risks and controls
30. Focuses on identifying vulnerabilities.
Risk assessment - evaluation and impact analysis
Trusted source
Penetration testing
Deeper level of analysis
31. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Patch management
Logon banners
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Detection defenses
32. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Encryption of the hard disks
The data owner
A network vulnerability assessment
Tailgating
33. Should PRIMARILY be based on regulatory and legal requirements.
What happened and how the breach was resolved
Residual risk
Do with the information it collects
Retention of business records
34. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Exceptions to policy
Virus
Aligned with organizational goals
Properly aligned with business goals and objectives
35. By definition are not previously known and therefore are undetectable.
0-day vulnerabilities
Patch management
Phishing
Proficiency testing
36. Provides process needs but not impact.
Control risk
IP address packet filtering
Properly aligned with business goals and objectives
Resource dependency assessment
37. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Risk assessment - evaluation and impact analysis
Trusted source
Requirements of the data owners
38. Utility program that detects and protects a personal computer from unauthorized intrusions
Personal firewall
Hacker
Applying the proper classification to the data
Intrusion detection system (IDS)
39. Someone who uses the internet or network to destroy or damage computers for political reasons
Vulnerability assessment
Cyber terrorist
Digital certificate
Virus detection
40. Responsible for securing the information.
Multinational organization
Script kiddie
Biometric access control systems
The data custodian
41. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Digital signatures
Impractical and is often cost-prohibitive
All personnel
42. Security design flaws require a ____________________.
Transmit e-mail messages
Its ability to reduce or eliminate business risks
Virus
Deeper level of analysis
43. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Cost of control
Negotiating a local version of the organization standards
Residual risk would be reduced by a greater amount
Intrusion detection system (IDS)
44. A method for analyzing and reducing a relational database to its most streamlined form
Retention of business records
Increase business value and confidence
Knowledge management
Normalization
45. A notice that guarantees a user or a web site is legitimate
Digital certificate
Monitoring processes
BIA (Business Impact Assessment)
Properly aligned with business goals and objectives
46. Should be performed to identify the risk and determine needed controls.
Internal risk assessment
Two-factor authentication
Skills inventory
Include security responsibilities in a job description
47. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Key controls
Impractical and is often cost-prohibitive
Vulnerability assessment
Detection defenses
48. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Inherent risk
Annually or whenever there is a significant change
Equal error rate (EER)
Identify the relevant systems and processes
49. When defining the information classification policy - the ___________________ need to be identified.
Requirements of the data owners
Regulatory compliance
Assess the risks to the business operation
The board of directors and senior management
50. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Monitoring processes
Compliance with the organization's information security requirements
Transferred risk