Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. A risk assessment should be conducted _________________.
Penetration testing
Safeguards over keys
Cross-site scripting attacks
Annually or whenever there is a significant change
2. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
Key risk indicator (KRI) setup
Identify the vulnerable systems and apply compensating controls
Well-defined roles and responsibilities
3. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
What happened and how the breach was resolved
Aligned with organizational goals
Alignment with business strategy
Include security responsibilities in a job description
4. Accesses a computer or network illegally
Methodology used in the assessment
Virus detection
Multinational organization
Cracker
5. Occurs when the incoming level
Security baselines
Detection defenses
Certificate authority (CA)
Power surge/over voltage (spike)
6. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Security risk
Transferred risk
Annually or whenever there is a significant change
Penetration testing
7. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Regular review of access control lists
Do with the information it collects
The data owner
Trojan horse
8. The most important characteristic of good security policies is that they be ____________________.
Return on security investment (ROSI)
Aligned with organizational goals
Support the business objectives of the organization
Defined objectives
9. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Monitoring processes
Annually or whenever there is a significant change
Malicious software and spyware
10. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Risk management and the requirements of the organization
Creation of a business continuity plan
Defined objectives
Service level agreements (SLAs)
11. Needs to define the access rules - which is troublesome and error prone in large organizations.
Annually or whenever there is a significant change
Data mart
Overall organizational structure
Rule-based access control
12. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Spoofing attacks
Key controls
Virus
Identify the vulnerable systems and apply compensating controls
13. Provides strong online authentication.
Rule-based access control
Cyber extortionist
Trojan horse
Public key infrastructure (PKI)
14. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Cracker
Get senior management onboard
Cryptographic secure sockets layer (SSL) implementations and short key lengths
15. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Get senior management onboard
Conduct a risk assessment
Equal error rate (EER)
Retention of business records
16. Used to understand the flow of one process into another.
Waterfall chart
Support the business objectives of the organization
Equal error rate (EER)
Encryption key management
17. Awareness - training and physical security defenses.
Regulatory compliance
Undervoltage (brownout)
Virus
Examples of containment defenses
18. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Acceptable use policies
Tailgating
Consensus on risks and controls
19. Provide metrics to which outsourcing firms can be held accountable.
Examples of containment defenses
Waterfall chart
Service level agreements (SLAs)
Virus detection
20. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
The awareness and agreement of the data subjects
Consensus on risks and controls
Intrusion detection system (IDS)
Transmit e-mail messages
21. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Normalization
Performing a risk assessment
Virus detection
Rule-based access control
22. By definition are not previously known and therefore are undetectable.
Annual loss expectancy (ALE) calculations
Public key infrastructure (PKI)
0-day vulnerabilities
Conduct a risk assessment
23. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Attributes and characteristics of the 'desired state'
Exceptions to policy
Spoofing attacks
Continuous analysis - monitoring and feedback
24. Would protect against spoofing an internal address but would not provide strong authentication.
Residual risk would be reduced by a greater amount
Overall organizational structure
IP address packet filtering
Public key infrastructure (PKI)
25. A small warehouse - designed for the end-user needs in a strategic business unit
Data mart
Power surge/over voltage (spike)
Transmit e-mail messages
Certificate authority (CA)
26. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Creation of a business continuity plan
Owner of the information asset
Residual risk would be reduced by a greater amount
Service level agreements (SLAs)
27. A method for analyzing and reducing a relational database to its most streamlined form
Intrusion detection system (IDS)
Spoofing attacks
Normalization
Attributes and characteristics of the 'desired state'
28. Occurs when the electrical supply drops
Comparison of cost of achievement
Undervoltage (brownout)
Key risk indicator (KRI) setup
Reduce risk to an acceptable level
29. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Resource dependency assessment
Multinational organization
Performing a risk assessment
Residual risk
30. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Total cost of ownership (TCO)
Assess the risks to the business operation
Business case development
Intrusion detection system (IDS)
31. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Undervoltage (brownout)
Decentralization
Developing an information security baseline
Malicious software and spyware
32. Normally addressed through antivirus and antispyware policies.
Performing a risk assessment
People
Malicious software and spyware
BIA (Business Impact Assessment)
33. Most effective for evaluating the degree to which information security objectives are being met.
Monitoring processes
Transferred risk
The balanced scorecard
Two-factor authentication
34. Occurs after the risk assessment process - it does not measure it.
Use of security metrics
Patch management
Resource dependency assessment
People
35. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Stress testing
Trusted source
Biometric access control systems
Background checks of prospective employees
36. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Encryption of the hard disks
Control risk
Process of introducing changes to systems
Gain unauthorized access to applications
37. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Access control matrix
Internal risk assessment
People
IP address packet filtering
38. Primarily reduce risk and are most effective for the protection of information assets.
Defined objectives
Control risk
Biometric access control systems
Key controls
39. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Data mart
Consensus on risks and controls
Residual risk would be reduced by a greater amount
Digital certificate
40. Should PRIMARILY be based on regulatory and legal requirements.
Aligned with organizational goals
Retention of business records
SWOT analysis
Proficiency testing
41. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
42. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Security risk
Gap analysis
Stress testing
Support the business objectives of the organization
43. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Skills inventory
Reduce risk to an acceptable level
Total cost of ownership (TCO)
Countermeasure cost-benefit analysis
44. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Undervoltage (brownout)
Safeguards over keys
The information security officer
The board of directors and senior management
45. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Detection defenses
Hacker
Safeguards over keys
The awareness and agreement of the data subjects
46. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Security risk
Defined objectives
Residual risk would be reduced by a greater amount
Risk appetite
47. Provides process needs but not impact.
Owner of the information asset
Methodology used in the assessment
Resource dependency assessment
Skills inventory
48. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Skills inventory
Virus detection
Two-factor authentication
49. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
Detection defenses
Identify the relevant systems and processes
Certificate authority (CA)
The authentication process is broken
50. The data owner is responsible for _______________________.
Centralization of information security management
Hacker
Internal risk assessment
Applying the proper classification to the data