Test your basic knowledge | CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
SWOT analysis
Single sign-on (SSO) product
Identify the relevant systems and processes
Certificate authority (CA)
2. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Encryption key management
Control effectiveness
Biometric access control systems
Classification of assets needs
3. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Residual risk
Compliance with the organization's information security requirements
Inherent risk
Defining high-level business security requirements
4. Most effective for evaluating the degree to which information security objectives are being met.
Defining and ratifying the classification structure of information assets
Virus
Confidentiality
The balanced scorecard
5. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Defined objectives
Risk assessment - evaluation and impact analysis
Single sign-on (SSO) product
Continuous analysis - monitoring and feedback
6. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Data isolation
Patch management process
Regulatory compliance
Continuous monitoring control initiatives
7. It is easier to manage and control a _________________.
Prioritization
Information security manager
Alignment with business strategy
Centralized structure
8. Should PRIMARILY be based on regulatory and legal requirements.
Acceptable use policies
Risk appetite
Continuous analysis - monitoring and feedback
Retention of business records
9. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
10. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Notifications and opt-out provisions
Exceptions to policy
Do with the information it collects
Its ability to reduce or eliminate business risks
11. When defining the information classification policy - the ___________________ need to be identified.
The database administrator
Applying the proper classification to the data
Requirements of the data owners
Strategic alignment of security with business objectives
12. Carries out the technical administration.
Security risk
The database administrator
Single sign-on (SSO) product
Equal error rate (EER)
13. Should be a standard requirement for the service provider.
Two-factor authentication
Reduce risk to an acceptable level
Virus
Background check
14. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Cyber extortionist
Centralization of information security management
Encryption key management
15. Reducing risk to a level too small to measure is _______________.
Impractical and is often cost-prohibitive
Residual risk would be reduced by a greater amount
Cyber extortionist
Regular review of access control lists
16. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Acceptable use policies
Applying the proper classification to the data
Data owners
Creation of a business continuity plan
17. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Background check
Owner of the information asset
Countermeasure cost-benefit analysis
Comparison of cost of achievement
18. A notice that guarantees a user or a web site is legitimate.
Residual risk would be reduced by a greater amount
Reduce risk to an acceptable level
Digital certificate
Trojan horse
19. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Risk management and the requirements of the organization
Security baselines
Deeper level of analysis
Virus detection
20. The best measure for preventing the unauthorized disclosure of confidential information.
Countermeasure cost-benefit analysis
Acceptable use policies
Undervoltage (brownout)
Gain unauthorized access to applications
21. A repository of historical data organized by subject to support decision makers in the organization.
Rule-based access control
Data warehouse
The authentication process is broken
Encryption of the hard disks
22. Provides the most effective protection of data on mobile devices.
Equal error rate (EER)
Certificate authority (CA)
Encryption
0-day vulnerabilities
23. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Waterfall chart
Impractical and is often cost-prohibitive
Identify the relevant systems and processes
Exceptions to policy
24. In order to highlight to management the importance of network security - the security manager should FIRST _______________.
Conduct a risk assessment
Trusted source
Data isolation
Continuous analysis - monitoring and feedback
25. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Aligned with organizational goals
Developing an information security baseline
Identify the vulnerable systems and apply compensating controls
Alignment with business strategy
26. Occurs after the risk assessment process - it does not measure it.
Use of security metrics
Patch management process
Single sign-on (SSO) product
Centralized structure
27. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Undervoltage (brownout)
Properly aligned with business goals and objectives
Countermeasure cost-benefit analysis
The board of directors and senior management
28. The weakest link in security implementation - and awareness would reduce this risk. Through security awareness and training programs - individual employees can be informed and sensitized on various security policies and other security topics - thus e
Role-based access control
Vulnerability assessment
People
Tie security risks to key business objectives
29. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Public key infrastructure (PKI)
Breakeven point of risk reduction and cost
Tailgating
Identify the vulnerable systems and apply compensating controls
30. By definition are not previously known and therefore are undetectable.
Patch management process
The data custodian
Transferred risk
0-day vulnerabilities
31. Only valid if assets have first been identified and appropriately valued.
Process of introducing changes to systems
Digital certificate
Annual loss expectancy (ALE) calculations
Information security manager
32. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Role-based policy
Owner of the information asset
Control risk
Intrusion detection system (IDS)
33. Uses security metrics to measure the performance of the information security program.
Logon banners
Information security manager
Impractical and is often cost-prohibitive
Internal risk assessment
34. The data owner is responsible for _______________________.
Residual risk
Applying the proper classification to the data
Aligned with organizational goals
The board of directors and senior management
35. Whenever personal data are transferred across national boundaries, ________________________ are required.
Classification of assets needs
Return on security investment (ROSI)
Exceptions to policy
The awareness and agreement of the data subjects
36. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Developing an information security baseline
Defined objectives
Risk assessment - evaluation and impact analysis
Consensus on risks and controls
37. When the ________________ is more than the cost of the risk - the risk should be accepted.
Residual risk would be reduced by a greater amount
Cost of control
Lack of change management
Spoofing attacks
38. Legal document to be signed by all employees - suppliers etc before they 'touch' the organization - to protect the organization's intellectual property.
Nondisclosure agreement (NDA)
Gain unauthorized access to applications
Support the business objectives of the organization
Owner of the information asset
39. Provides strong online authentication.
Requirements of the data owners
Public key infrastructure (PKI)
Centralization of information security management
Annually or whenever there is a significant change
40. Should be determined from the risk assessment results.
Transferred risk
Audit objectives
Background check
Proficiency testing
41. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Spoofing attacks
The data owner
Background check
Phishing
42. Culture has a significant impact on how information security will be implemented in a ______________________.
Detection defenses
Script kiddie
Multinational organization
Virus
43. Ensure that transmitted information can be attributed to the named sender.
Digital signatures
Data isolation
Two-factor authentication
Its ability to reduce or eliminate business risks
44. Provide metrics to which outsourcing firms can be held accountable.
Skills inventory
Service level agreements (SLAs)
Tailgating
Deeper level of analysis
45. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Decentralization
Risk assessment - evaluation and impact analysis
Get senior management onboard
Impractical and is often cost-prohibitive
46. When considering the value of assets, ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance.
Centralized structure
Security code reviews for the entire software application
Comparison of cost of achievement
Its ability to reduce or eliminate business risks
47. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Logon banners
Threat assessment
Acceptable use policies
48. Program that hides within or looks like a legitimate program.
The authentication process is broken
Consensus on risks and controls
Trojan horse
Cost of control
49. Potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works.
Virus
Residual risk
Classification of assets needs
Examples of containment defenses
50. Any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability.
Security risk
Comparison of cost of achievement
Retention of business records
Data isolation