Test your basic knowledge |
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Return on security investment (ROSI)
Its ability to reduce or eliminate business risks
Impractical and is often cost-prohibitive
Regulatory compliance
2. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Identify the vulnerable systems and apply compensating controls
Applying the proper classification to the data
Performing a risk assessment
Background checks of prospective employees
3. The most relevant piece of information to include in a cost-benefit analysis of a two-factor authentication system - it would establish a cost baseline and it must be considered for the full life cycle of the control.
Total cost of ownership (TCO)
Data owners
Assess the risks to the business operation
Normalization
4. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
Risk management and the requirements of the organization
Annually or whenever there is a significant change
Transferred risk
The authentication process is broken
5. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Countermeasure cost-benefit analysis
Applying the proper classification to the data
Owner of the information asset
Biometric access control systems
6. _______________ of the organization have the responsibility of ensuring information systems security; this can include indirect personnel such as physical security personnel.
Risk management and the requirements of the organization
Script kiddie
Information security manager
All personnel
7. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures - but not in the prioritization.
Undervoltage (brownout)
Data warehouse
Digital signatures
Creation of a business continuity plan
8. Occurs when the electrical supply drops
Undervoltage (brownout)
Aligned with organizational goals
Requirements of the data owners
Conduct a risk assessment
9. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Security code reviews for the entire software application
Developing an information security baseline
Information security manager
Centralization of information security management
10. Provides the most effective protection of data on mobile devices.
Attributes and characteristics of the 'desired state'
Encryption
Tailgating
Malware
11. Inject malformed input.
Data classification
Waterfall chart
Cross-site scripting attacks
Script kiddie
12. Accesses a computer or network illegally
Patch management process
Cracker
Hacker
Transmit e-mail messages
13. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Use of security metrics
The authentication process is broken
Logon banners
Classification of assets needs
14. All within the responsibility of the information security manager.
Developing an information security baseline
Use of security metrics
Platform security - intrusion detection and antivirus controls
Internal risk assessment
15. The data owner is responsible for _______________________.
Decentralization
Applying the proper classification to the data
Public key infrastructure (PKI)
Internal risk assessment
16. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Skills inventory
IP address packet filtering
Countermeasure cost-benefit analysis
Logon banners
17. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Public key infrastructure (PKI)
Aligned with organizational goals
Use of security metrics
Safeguards over keys
18. By definition are not previously known and therefore are undetectable.
0-day vulnerabilities
Overall organizational structure
Creation of a business continuity plan
Undervoltage (brownout)
19. Responsible for securing the information.
The authentication process is broken
The data custodian
Attributes and characteristics of the 'desired state'
Biometric access control systems
20. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Monitoring processes
Proficiency testing
Continuous monitoring control initiatives
Regular review of access control lists
21. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Normalization
Worm
Calculating the value of the information or asset
Performing a risk assessment
22. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
The authentication process is broken
Negotiating a local version of the organization standards
Background checks of prospective employees
23. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Support the business objectives of the organization
Information contained on the equipment
Include security responsibilities in a job description
Information security manager
24. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Safeguards over keys
Encryption key management
Negotiating a local version of the organization standards
People
25. Should be determined from the risk assessment results.
Its ability to reduce or eliminate business risks
Trojan horse
Business case development
Audit objectives
26. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results - such as impact from a security incident and required response times.
Safeguards over keys
BIA (Business Impact Assessment)
Tailgating
Transmit e-mail messages
27. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Intrusion detection system (IDS)
Information contained on the equipment
Script kiddie
Background check
28. Someone who uses the internet or network to destroy or damage computers for political reasons
Conduct a risk assessment
Examples of containment defenses
Use of security metrics
Cyber terrorist
29. The primary role of the information security manager in the process of information classification within the organization.
Safeguards over keys
Impractical and is often cost-prohibitive
Increase business value and confidence
Defining and ratifying the classification structure of information assets
30. Someone who accesses a computer or network illegally
Penetration testing
Data mart
Resource dependency assessment
Hacker
31. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Transmit e-mail messages
Risk assessment - evaluation and impact analysis
Annually or whenever there is a significant change
Key risk indicator (KRI) setup
32. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Deeper level of analysis
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Internal risk assessment
Spoofing attacks
33. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Gap analysis
Retention of business records
Countermeasure cost-benefit analysis
Penetration testing
34. The risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Gap analysis
Control risk
Well-defined roles and responsibilities
Audit objectives
35. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.
36. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Equal error rate (EER)
Annual loss expectancy (ALE) calculations
Proficiency testing
Residual risk would be reduced by a greater amount
37. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Examples of containment defenses
Developing an information security baseline
Risk assessment - evaluation and impact analysis
Equal error rate (EER)
38. New security vulnerabilities should be managed through a ________________.
Background checks of prospective employees
Cost of control
Patch management process
Identify the vulnerable systems and apply compensating controls
39. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Intrusion detection system (IDS)
Performing a risk assessment
Decentralization
Certificate authority (CA)
40. Cannot be minimized
Inherent risk
SWOT analysis
Data isolation
Security baselines
41. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Protective switch covers
Tie security risks to key business objectives
Developing an information security baseline
Centralized structure
42. A successful risk management should lead to a ________________.
Cyber terrorist
Breakeven point of risk reduction and cost
Equal error rate (EER)
Overall organizational structure
43. Legal document to be signed by all employees - suppliers etc. before they 'touch' the organization - to protect the organization's intellectual property.
What happened and how the breach was resolved
Annually or whenever there is a significant change
Nondisclosure agreement (NDA)
Intrusion detection system (IDS)
44. Used to understand the flow of one process into another.
Rule-based access control
Waterfall chart
Normalization
Strategic alignment of security with business objectives
45. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Cyber terrorist
Gain unauthorized access to applications
All personnel
Phishing
46. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Requirements of the data owners
Trojan horse
Risk management and the requirements of the organization
Transmit e-mail messages
47. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Transferred risk
Nondisclosure agreement (NDA)
Acceptable use policies
Return on security investment (ROSI)
48. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Spoofing attacks
Total cost of ownership (TCO)
Cyber terrorist
49. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Patch management process
Security code reviews for the entire software application
Return on security investment (ROSI)
50. Provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Regular review of access control lists
Data warehouse
Trojan horse
Two-factor authentication