Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study first.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. A process that helps organizations manipulate important knowledge that is part of the organization's memory.
Cost of control
Assess the risks to the business operation
Spoofing attacks
Knowledge management
2. Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Developing an information security baseline
Risk appetite
Prioritization
Data isolation
3. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system; it would establish a cost baseline and it must be considered for the full life cycle of the control.
Trojan horse
Virus detection
Total cost of ownership (TCO)
Strategic alignment of security with business objectives
4. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Increase business value and confidence
Alignment with business strategy
Resource dependency assessment
Threat assessment
5. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee.
Tailgating
Get senior management onboard
Prioritization
Identify the relevant systems and processes
6. The best measure for preventing the unauthorized disclosure of confidential information.
Attributes and characteristics of the 'desired state'
Acceptable use policies
Overall organizational structure
Equal error rate (EER)
7. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
include security responsibilities in a job description
Data warehouse
Continuous analysis - monitoring and feedback
Detection defenses
8. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
9. When the ________________ is more than the cost of the risk - the risk should be accepted.
Data classification
Certificate authority (CA)
Methodology used in the assessment
Cost of control
10. Provides strong online authentication.
Public key infrastructure (PKI)
The board of directors and senior management
Digital certificate
Residual risk
11. Needs to define the access rules - which is troublesome and error prone in large organizations.
Encryption of the hard disks
Rule-based access control
Total cost of ownership (TCO)
Key risk indicator (KRI) setup
12. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Security code reviews for the entire software application
Classification of assets needs
Role-based policy
Detection defenses
13. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Reduce risk to an acceptable level
Alignment with business strategy
Security baselines
Asset classification
14. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Prioritization
The board of directors and senior management
Centralized structure
Cost of control
15. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Increase business value and confidence
Safeguards over keys
Tie security risks to key business objectives
Prioritization
16. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
The database administrator
Safeguards over keys
Security code reviews for the entire software application
SWOT analysis
17. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Tie security risks to key business objectives
Worm
Properly aligned with business goals and objectives
Regular review of access control lists
18. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Performing a risk assessment
Nondisclosure agreement (NDA)
Digital certificate
Equal error rate (EER)
19. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Total cost of ownership (TCO)
Risk appetite
IP address packet filtering
Asset classification
20. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
BIA (Business Impact Assessment)
Security code reviews for the entire software application
Access control matrix
Information security manager
21. Only valid if assets have first been identified and appropriately valued.
SWOT analysis
Annual loss expectancy (ALE) calculations
Asset classification
Spoofing attacks
22. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Increase business value and confidence
Risk assessment - evaluation and impact analysis
Examples of containment defenses
Regulatory compliance
23. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
24. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Owner of the information asset
Security code reviews for the entire software application
Overall organizational structure
Notifications and opt-out provisions
25. Has to be integrated into the requirements of every software application's design.
Tailgating
Owner of the information asset
Consensus on risks and controls
Encryption key management
26. Computer that has duplicate components so it can continue to operate when one of its main components fails.
Consensus on risks and controls
Fault-tolerant computer
Security code reviews for the entire software application
Security risk
27. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Developing an information security baseline
Undervoltage (brownout)
People
Continuous monitoring control initiatives
28. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Protective switch covers
Security baselines
Calculating the value of the information or asset
Methodology used in the assessment
29. Programs that act without a user's knowledge and deliberately alter a computer's operations.
Malware
Detection defenses
The database administrator
Residual risk would be reduced by a greater amount
30. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Risk assessment - evaluation and impact analysis
Information contained on the equipment
0-day vulnerabilities
People
31. A notice that guarantees a user or a web site is legitimate.
Exceptions to policy
Centralization of information security management
Identify the relevant systems and processes
Digital certificate
32. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Total cost of ownership (TCO)
Residual risk would be reduced by a greater amount
Gap analysis
The authentication process is broken
33. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Penetration testing
Encryption
Audit objectives
Properly aligned with business goals and objectives
34. Without _____________________ - there cannot be accountability.
The board of directors and senior management
Alignment with business strategy
Well-defined roles and responsibilities
Countermeasure cost-benefit analysis
35. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Power surge/over voltage (spike)
Stress testing
Threat assessment
Use of security metrics
36. Focuses on identifying vulnerabilities.
Penetration testing
Data warehouse
The authentication process is broken
Decentralization
37. All within the responsibility of the information security manager.
Acceptable use policies
Platform security - intrusion detection and antivirus controls
Hacker
Identify the relevant systems and processes
38. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Undervoltage (brownout)
Regular review of access control lists
Prioritization
39. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Confidentiality
Negotiating a local version of the organization standards
Exceptions to policy
All personnel
40. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Access control matrix
Retention of business records
Total cost of ownership (TCO)
Power surge/over voltage (spike)
41. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Identify the vulnerable systems and apply compensating controls
Creation of a business continuity plan
The balanced scorecard
Normalization
42. Normally addressed through antivirus and antispyware policies.
Lack of change management
Malicious software and spyware
Continuous analysis - monitoring and feedback
Audit objectives
43. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability.
Data owners
Security risk
All personnel
People
44. The risk that remains after putting into place an effective risk management program; therefore - acceptable risk is achieved when this amount is minimized.
Gain unauthorized access to applications
Asset classification
Acceptable use policies
Residual risk
45. In a _________________________, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Exceptions to policy
Equal error rate (EER)
Transferred risk
46. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Residual risk would be reduced by a greater amount
Acceptable use policies
Regular review of access control lists
Penetration testing
47. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Gap analysis
Total cost of ownership (TCO)
Patch management process
48. Carries out the technical administration.
Information security manager
Countermeasure cost-benefit analysis
Baseline standard and then develop additional standards
The database administrator
49. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Defining and ratifying the classification structure of information assets
Security baselines
Process of introducing changes to systems
Properly aligned with business goals and objectives
50. Will associate data access with the role performed by an individual, thus restricting access to the data required to perform the individual's tasks.
Do with the information it collects
Protective switch covers
Normalization
Role-based policy