Test your basic knowledge: CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Access control matrix
Identify the vulnerable systems and apply compensating controls
Patch management
Key risk indicator (KRI) setup
2. Occurs when the incoming level
Defining and ratifying the classification structure of information assets
Power surge/over voltage (spike)
Cyber extortionist
include security responsibilities in a job description
3. Has full responsibility over data.
Process of introducing changes to systems
Baseline standard and then develop additional standards
The data owner
Public key infrastructure (PKI)
4. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Certificate authority (CA)
Risk assessment - evaluation and impact analysis
Knowledge management
Asset classification
5. Ensures that there are no scalability problems.
Stress testing
Worm
Conduct a risk assessment
Is willing to accept
6. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Regulatory compliance
Information contained on the equipment
Cryptographic secure sockets layer (SSL) implementations and short key lengths
7. The information security manager needs to prioritize the controls based on ________________________.
Risk management and the requirements of the organization
Malware
Consensus on risks and controls
The authentication process is broken
8. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Requirements of the data owners
Acceptable use policies
Intrusion detection system (IDS)
Skills inventory
9. Applications cannot access data associated with other apps
Patch management
Classification of assets needs
Data isolation
Applying the proper classification to the data
10. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures - but not in the prioritization.
Creation of a business continuity plan
People
Asset classification
Properly aligned with business goals and objectives
11. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Access control matrix
Tailgating
Power surge/over voltage (spike)
Gap analysis
12. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Rule-based access control
Key controls
Safeguards over keys
13. BEST option to improve accountability for a system administrator is to _____________________.
include security responsibilities in a job description
Decentralization
Applying the proper classification to the data
Increase business value and confidence
14. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Role-based access control
Certificate authority (CA)
Lack of change management
Risk appetite
15. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Identify the vulnerable systems and apply compensating controls
Power surge/over voltage (spike)
Classification of assets needs
Platform security - intrusion detection and antivirus controls
16. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Digital signatures
Classification of assets needs
Protective switch covers
Assess the risks to the business operation
17. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Annually or whenever there is a significant change
Key risk indicator (KRI) setup
Rule-based access control
The authentication process is broken
18. Useful but only with regard to specific technical skills.
Process of introducing changes to systems
Platform security - intrusion detection and antivirus controls
Proficiency testing
Hacker
19. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Lack of change management
Requirements of the data owners
Public key infrastructure (PKI)
Monitoring processes
20. Reducing risk to a level too small to measure is _______________.
Patch management process
Power surge/over voltage (spike)
Information contained on the equipment
Impractical and is often cost-prohibitive
21. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Reduce risk to an acceptable level
Knowledge management
Data owners
Identify the relevant systems and processes
22. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Residual risk
Encryption of the hard disks
Is willing to accept
Data owners
23. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Methodology used in the assessment
Overall organizational structure
Equal error rate (EER)
Waterfall chart
24. The _____________________ is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Lack of change management
Two-factor authentication
Rule-based access control
Protective switch covers
25. A method for analyzing and reducing a relational database to its most streamlined form
The information security officer
Normalization
Deeper level of analysis
Internal risk assessment
26. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Regulatory compliance
Two-factor authentication
Security risk
People
27. Identification and _______________ of business risk enables project managers to address areas with most significance.
Baseline standard and then develop additional standards
Prioritization
Use of security metrics
Cyber extortionist
28. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Access control matrix
Biometric access control systems
Tie security risks to key business objectives
Virus detection
29. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Centralized structure
Threat assessment
All personnel
Equal error rate (EER)
30. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
IP address packet filtering
Control effectiveness
Cracker
31. When defining the information classification policy - the ___________________ need to be identified.
Gain unauthorized access to applications
Requirements of the data owners
Internal risk assessment
Cyber terrorist
32. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
The information security officer
Virus
Defining high-level business security requirements
33. Provide metrics to which outsourcing firms can be held accountable.
Service level agreements (SLAs)
Security code reviews for the entire software application
Support the business objectives of the organization
All personnel
34. Effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Security awareness training for all employees
Role-based access control
Malicious software and spyware
Gap analysis
35. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Breakeven point of risk reduction and cost
Logon banners
Nondisclosure agreement (NDA)
Trojan horse
36. Someone who uses email as a vehicle for extortion; sends the company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Owner of the information asset
Access control matrix
Attributes and characteristics of the 'desired state'
Cyber extortionist
37. The MOST important element of an information security strategy.
Digital certificate
Defined objectives
Comparison of cost of achievement
Compliance with the organization's information security requirements
38. Security design flaws require a ____________________.
Deeper level of analysis
Virus detection
Safeguards over keys
Security awareness training for all employees
39. The PRIMARY goal in developing an information security strategy is to: _________________________.
Penetration testing
Data isolation
Support the business objectives of the organization
Data warehouse
40. Focuses on identifying vulnerabilities.
Its ability to reduce or eliminate business risks
The data owner
Support the business objectives of the organization
Penetration testing
41. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Acceptable use policies
Detection defenses
Developing an information security baseline
Audit objectives
42. A notice that guarantees a user or a web site is legitimate
The data custodian
Digital certificate
Comparison of cost of achievement
Key controls
43. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Owner of the information asset
Properly aligned with business goals and objectives
Increase business value and confidence
Role-based policy
44. The data owner is responsible for _______________________.
Properly aligned with business goals and objectives
Applying the proper classification to the data
Monitoring processes
Penetration testing
45. A successful risk management should lead to a ________________.
Calculating the value of the information or asset
Resource dependency assessment
Asset classification
Breakeven point of risk reduction and cost
46. Provides strong online authentication.
Public key infrastructure (PKI)
Biometric access control systems
Assess the risks to the business operation
Use of security metrics
47. Inject malformed input.
Data classification
Penetration testing
Cross-site scripting attacks
Encryption
48. Someone who accesses a computer or network illegally
Encryption of the hard disks
Inherent risk
Hacker
Equal error rate (EER)
49. Programs that act without a user's knowledge and deliberately alter a computer's operations
Two-factor authentication
Residual risk
Protective switch covers
Malware
50. Without _____________________ - there cannot be accountability.
Do with the information it collects
Annually or whenever there is a significant change
Well-defined roles and responsibilities
Risk assessment - evaluation and impact analysis