Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Creation of a business continuity plan
Countermeasure cost-benefit analysis
Retention of business records
The awareness and agreement of the data subjects

2. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
The balanced scorecard
Fault-tolerant computer
Process of introducing changes to systems
Rule-based access control

3. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Service level agreements (SLAs)
The board of directors and senior management
Decentralization
Regulatory compliance

4. Program that hides within or looks like a legit program
Process of introducing changes to systems
Trojan horse
Background check
Defining high-level business security requirements

5. The MOST important element of an information security strategy.
Security risk
Defined objectives
Hacker
Vulnerability assessment

6. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Transmit e-mail messages
Information security manager
Deeper level of analysis
Security baselines

7. Needs to define the access rules - which is troublesome and error prone in large organizations.
Transferred risk
Rule-based access control
Identify the relevant systems and processes
Equal error rate (EER)

8. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Baseline standard and then develop additional standards
Digital certificate
Two-factor authentication
Consensus on risks and controls

9. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Phishing
Skills inventory
Defining and ratifying the classification structure of information assets
Applying the proper classification to the data

10. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Identify the vulnerable systems and apply compensating controls
Use of security metrics
Do with the information it collects
Regulatory compliance

11. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.

Warning: Invalid argument supplied for foreach() in /var/www/html/basicversity.com/show_quiz.php on line 183

12. Occurs when the incoming level
Regulatory compliance
Power surge/over voltage (spike)
Public key infrastructure (PKI)
Impractical and is often cost-prohibitive

13. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Threat assessment
Detection defenses
Trusted source
Do with the information it collects

14. The data owner is responsible for _______________________.
Two-factor authentication
Confidentiality
Applying the proper classification to the data
Phishing

15. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Continuous analysis - monitoring and feedback
Tie security risks to key business objectives
Personal firewall
Requirements of the data owners

16. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Control risk
Classification of assets needs
Information security manager
BIA (Business Impact Assessment

17. Normally addressed through antivirus and antispyware policies.
Malicious software and spyware
Get senior management onboard
Safeguards over keys
Digital certificate

18. Identification and _______________ of business risk enables project managers to address areas with most significance.
Control risk
Digital certificate
Security risk
Prioritization

19. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Role-based access control
Protective switch covers
Access control matrix
Equal error rate (EER)

20. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Residual risk would be reduced by a greater amount
Threat assessment
Control risk
Data owners

21. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
The board of directors and senior management
Security risk
Use of security metrics
Intrusion detection system (IDS)

22. btaining senior management support for establishing a warm site can BEST be accomplished by ____________________ - including a cost-benefit analysis - will be most persuasive to management. A risk assessment may be included in the business case - but
OBusiness case development
Alignment with business strategy
Inherent risk
Public key infrastructure (PKI)

23. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Waterfall chart
Conduct a risk assessment
Exceptions to policy
Biometric access control systems

24. The best measure for preventing the unauthorized disclosure of confidential information.
Data classification
Acceptable use policies
Nondisclosure agreement (NDA)
Single sign-on (SSO) product

25. provides the most effective protection of data on mobile devices.
Patch management
Encryption
All personnel
Patch management process

26. Provides process needs but not impact.
Resource dependency assessment
Requirements of the data owners
Undervoltage (brownout)
Prioritization

27. Has to be integrated into the requirements of every software application's design.
Encryption key management
Biometric access control systems
Do with the information it collects
Defining and ratifying the classification structure of information assets

28. Without _____________________ - there cannot be accountability.
Gain unauthorized access to applications
Platform security - intrusion detection and antivirus controls
Comparison of cost of achievement
Well-defined roles and responsibilities

29. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Two-factor authentication
Virus detection
Continuous monitoring control initiatives
SWOT analysis

30. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Penetration testing
The data owner
Data mart

31. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Risk management and the requirements of the organization
Identify the vulnerable systems and apply compensating controls
Increase business value and confidence
Residual risk

32. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy
Acceptable use policies
Do with the information it collects
Security awareness training for all employees

33. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control. .
Gap analysis
Audit objectives
Total cost of ownership (TCO)
Negotiating a local version of the organization standards

34. Cannot be minimized
Inherent risk
Overall organizational structure
People
The data owner

35. Useful but only with regard to specific technical skills.
Identify the vulnerable systems and apply compensating controls
Proficiency testing
Cost of control
Cross-site scripting attacks

36. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Data owners
Get senior management onboard
Identify the vulnerable systems and apply compensating controls
Virus

37. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Identify the vulnerable systems and apply compensating controls
Information contained on the equipment
Transferred risk
Information security manager

38. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Monitoring processes
Defining high-level business security requirements
Owner of the information asset
Skills inventory

39. Uses security metrics to measure the performance of the information security program.
Is willing to accept
Information security manager
Identify the vulnerable systems and apply compensating controls
include security responsibilities in a job description

40. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Gap analysis
Trusted source
Information contained on the equipment
Exceptions to policy

41. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Transferred risk
Two-factor authentication
Patch management
Trusted source

42. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gain unauthorized access to applications
Digital certificate
Risk appetite
Skills inventory

43. Has full responsibility over data.
Access control matrix
Role-based policy
The data owner
The information security officer

44. Responsible for securing the information.
What happened and how the breach was resolved
Resource dependency assessment
The data custodian
Fault-tolerant computer

45. The PRIMARY goal in developing an information security strategy is to: _________________________.
Support the business objectives of the organization
Get senior management onboard
The database administrator
include security responsibilities in a job description

46. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Classification of assets needs
Single sign-on (SSO) product
Acceptable use policies
Waterfall chart

47. Used to understand the flow of one process into another.
Security risk
Platform security - intrusion detection and antivirus controls
Waterfall chart
Asset classification

48. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Encryption of the hard disks
Worm
Malicious software and spyware
Tailgating

49. Awareness - training and physical security defenses.
Digital signatures
Examples of containment defenses
Continuous monitoring control initiatives
Attributes and characteristics of the 'desired state'

50. Ensures that there are no scalability problems.
Logon banners
Tailgating
Data warehouse
Stress testing