Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
Its ability to reduce or eliminate business risks
The balanced scorecard
Attributes and characteristics of the 'desired state'
2. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
Return on security investment (ROSI)
Patch management
Do with the information it collects
3. A function of the session keys distributed by the PKI.
Countermeasure cost-benefit analysis
Equal error rate (EER)
Confidentiality
Cryptographic secure sockets layer (SSL) implementations and short key lengths
4. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results - such as impact from a security incident and required response times.
Annual loss expectancy (ALE) calculations
Get senior management onboard
Control effectiveness
BIA (Business Impact Assessment)
5. A process that helps organizations manipulate important knowledge that is part of the organization's memory
Breakeven point of risk reduction and cost
Knowledge management
Risk management and the requirements of the organization
Defining and ratifying the classification structure of information assets
6. A method for analyzing and reducing a relational database to its most streamlined form
Threat assessment
Conduct a risk assessment
Applying the proper classification to the data
Normalization
7. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Cracker
Internal risk assessment
Two-factor authentication
Security risk
8. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
The authentication process is broken
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Creation of a business continuity plan
Risk appetite
9. Oversees the overall classification management of the information.
The awareness and agreement of the data subjects
The information security officer
Breakeven point of risk reduction and cost
0-day vulnerabilities
10. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Malicious software and spyware
Role-based access control
Applying the proper classification to the data
Defined objectives
11. Focuses on identifying vulnerabilities.
Data mart
Deeper level of analysis
Penetration testing
Well-defined roles and responsibilities
12. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Threat assessment
Two-factor authentication
People
Multinational organization
13. Company or person you believe will not send a virus-infected file knowingly
Stress testing
Data owners
Trusted source
0-day vulnerabilities
14. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Increase business value and confidence
Overall organizational structure
Prioritization
15. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Continuous analysis - monitoring and feedback
Data classification
Exceptions to policy
Asset classification
16. The data owner is responsible for _______________________.
Breakeven point of risk reduction and cost
Personal firewall
Continuous analysis - monitoring and feedback
Applying the proper classification to the data
17. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Vulnerability assessment
Impractical and is often cost-prohibitive
Monitoring processes
Tie security risks to key business objectives
18. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Increase business value and confidence
The board of directors and senior management
Cryptographic secure sockets layer (SSL) implementations and short key lengths
19. Most effective for evaluating the degree to which information security objectives are being met.
Deeper level of analysis
Script kiddie
The balanced scorecard
Compliance with the organization's information security requirements
20. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Assess the risks to the business operation
Public key infrastructure (PKI)
Rule-based access control
21. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
The board of directors and senior management
Regular review of access control lists
Risk management and the requirements of the organization
Security risk
22. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Impractical and is often cost-prohibitive
Reduce risk to an acceptable level
Countermeasure cost-benefit analysis
Business case development
23. Risk should be reduced to a level that an organization _____________.
Security baselines
Attributes and characteristics of the 'desired state'
Gain unauthorized access to applications
Is willing to accept
24. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Get senior management onboard
Annually or whenever there is a significant change
Security baselines
25. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Single sign-on (SSO) product
Security risk
Continuous analysis - monitoring and feedback
26. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Security baselines
Information security manager
Creation of a business continuity plan
Biometric access control systems
27. Carries out the technical administration.
Certificate authority (CA)
The database administrator
Malicious software and spyware
Methodology used in the assessment
28. Normally addressed through antivirus and antispyware policies.
Equal error rate (EER)
Single sign-on (SSO) product
Transmit e-mail messages
Malicious software and spyware
29. New security vulnerabilities should be managed through a ________________.
People
Access control matrix
Patch management process
Countermeasure cost-benefit analysis
30. The MOST important component of a privacy policy is: Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Stress testing
Audit objectives
Information security manager
Notifications and opt-out provisions
31. Utility program that detects and protects a personal computer from unauthorized intrusions
Residual risk
Consensus on risks and controls
Strategic alignment of security with business objectives
Personal firewall
32. Reducing risk to a level too small to measure is _______________.
Multinational organization
Nondisclosure agreement (NDA)
Impractical and is often cost-prohibitive
What happened and how the breach was resolved
33. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Regulatory compliance
Impractical and is often cost-prohibitive
Assess the risks to the business operation
Control risk
34. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Developing an information security baseline
Classification of assets needs
Role-based policy
Return on security investment (ROSI)
35. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Malicious software and spyware
Do with the information it collects
The authentication process is broken
0-day vulnerabilities
36. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
The balanced scorecard
Equal error rate (EER)
Countermeasure cost-benefit analysis
Total cost of ownership (TCO)
37. A key indicator of performance measurement.
Malicious software and spyware
Data warehouse
Protective switch covers
Strategic alignment of security with business objectives
38. The job of the information security officer on a management team is to ___________________.
Platform security - intrusion detection and antivirus controls
Assess the risks to the business operation
Performing a risk assessment
Penetration testing
39. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Security awareness training for all employees
SWOT analysis
Trojan horse
Lack of change management
40. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Alignment with business strategy
Background checks of prospective employees
Virus
Include security responsibilities in a job description
41. Has to be integrated into the requirements of every software application's design.
Spoofing attacks
Encryption key management
Examples of containment defenses
Cost of control
42. Provides the most effective protection of data on mobile devices.
Detection defenses
Encryption
BIA (Business Impact Assessment)
Acceptable use policies
43. Responsible for securing the information.
Equal error rate (EER)
Knowledge management
Overall organizational structure
The data custodian
44. Should be performed to identify the risk and determine needed controls.
Internal risk assessment
Encryption key management
Notifications and opt-out provisions
Gap analysis
45. BEST option to improve accountability for a system administrator is to _____________________.
Residual risk would be reduced by a greater amount
Include security responsibilities in a job description
Background check
Digital certificate
46. The MOST important element of an information security strategy.
All personnel
Overall organizational structure
SWOT analysis
Defined objectives
47. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Tailgating
Creation of a business continuity plan
Confidentiality
Asset classification
48. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Security baselines
Threat assessment
Get senior management onboard
Logon banners
49. Identification and _______________ of business risk enables project managers to address areas with most significance.
The data owner
Prioritization
Centralization of information security management
Waterfall chart
50. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Transferred risk
Security code reviews for the entire software application
Rule-based access control
Nondisclosure agreement (NDA)