CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. When the ________________ is more than the cost of the risk, the risk should be accepted.
Breakeven point of risk reduction and cost
Residual risk
Cost of control
Attributes and characteristics of the 'desired state'
2. Occurs when the incoming level
Skills inventory
Power surge/over voltage (spike)
Risk appetite
Malicious software and spyware
3. It is important to achieve ____________________, and to obtain input from the various organizational entities, since security needs to be aligned with the needs of the organization.
Get senior management onboard
Defining high-level business security requirements
Deeper level of analysis
Consensus on risks and controls
4. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Methodology used in the assessment
Background check
Nondisclosure agreement (NDA)
Inherent risk
5. Responsible for securing the information.
Risk appetite
The data custodian
Phishing
All personnel
6. The PRIMARY goal in developing an information security strategy is to: _________________________.
All personnel
Transferred risk
Script kiddie
Support the business objectives of the organization
7. Primarily reduce risk and are most effective for the protection of information assets.
Malware
Residual risk
Key controls
Risk appetite
8. The MOST important component of a privacy policy: privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are
Notifications and opt-out provisions
Data mart
Digital signatures
Residual risk
9. Has full responsibility over data.
The data owner
Fault-tolerant computer
Retention of business records
Defining and ratifying the classification structure of information assets
10. Programs that act without a user's knowledge and deliberately alter a computer's operations
Tailgating
Encryption key management
Comparison of cost of achievement
Malware
11. Without _____________________, there cannot be accountability.
Well-defined roles and responsibilities
Role-based policy
Encryption
Identify the vulnerable systems and apply compensating controls
12. Provide minimum recommended settings and do not prevent the introduction of control weaknesses.
Impractical and is often cost-prohibitive
Performing a risk assessment
Tie security risks to key business objectives
Security baselines
13. Most effective for evaluating the degree to which information security objectives are being met.
Defining and ratifying the classification structure of information assets
The balanced scorecard
Risk appetite
Fault-tolerant computer
14. An information security manager has to impress upon the human resources department the need for _____________________.
Return on security investment (ROSI)
Data mart
Single sign-on (SSO) product
Security awareness training for all employees
15. Applications cannot access data associated with other applications.
Return on security investment (ROSI)
Breakeven point of risk reduction and cost
Residual risk would be reduced by a greater amount
Data isolation
16. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Centralization of information security management
Script kiddie
Aligned with organizational goals
Data owners
17. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Tie security risks to key business objectives
Owner of the information asset
Key controls
Cross-site scripting attacks
18. Senior management commitment and support for information security can BEST be obtained through presentations that ____________________.
Cost of control
Tie security risks to key business objectives
SWOT analysis
Its ability to reduce or eliminate business risks
19. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Digital signatures
Strategic alignment of security with business objectives
Script kiddie
Exceptions to policy
20. The weakest link in security implementation, and awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and sensitized to the various security policies and other security topics, thus e
Creation of a business continuity plan
Patch management process
People
Cost of control
21. The primary role of the information security manager in the process of information classification within the organization.
Risk management and the requirements of the organization
SWOT analysis
Defining and ratifying the classification structure of information assets
Its ability to reduce or eliminate business risks
22. Because past performance is a strong predictor of future performance, _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Its ability to reduce or eliminate business risks
Encryption
Certificate authority (CA)
23. The most critical process for deciding which part of the information system/business process should be given priority in case of a security incident. It provides results such as the impact of a security incident and the required response times.
Worm
Business impact analysis (BIA)
Centralized structure
Single sign-on (SSO) product
24. Provides strong online authentication.
Role-based policy
Public key infrastructure (PKI)
Gain unauthorized access to applications
Use of security metrics
25. The best measure for preventing the unauthorized disclosure of confidential information.
Acceptable use policies
Applying the proper classification to the data
Its ability to reduce or eliminate business risks
Intrusion detection system (IDS)
26. The data owner is responsible for _______________________.
Data owners
Applying the proper classification to the data
Knowledge management
Defined objectives
27. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Conduct a risk assessment
What happened and how the breach was resolved
The database administrator
28. Are expensive, so they have to be used in the areas where the risk is at its greatest level. These areas are the ones with high impact and a high frequency of occurrence.
Continuous monitoring control initiatives
Get senior management onboard
The authentication process is broken
Residual risk would be reduced by a greater amount
29. A function of the session keys distributed by the PKI.
Audit objectives
Residual risk would be reduced by a greater amount
The data custodian
Confidentiality
30. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process
Centralization of information security management
Logon banners
Single sign-on (SSO) product
Fault-tolerant computer
31. An internal review of a web-based application system finds that any employee's account can be accessed by changing the employee ID in the URL used to access the account. This means that _____________.
Increase business value and confidence
Security code reviews for the entire software application
Encryption of the hard disks
The authentication process is broken
32. Identification and _______________ of business risk enables project managers to address areas with most significance.
Prioritization
Internal risk assessment
Virus detection
Identify the relevant systems and processes
33. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Residual risk would be reduced by a greater amount
Patch management
Centralized structure
Residual risk
34. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Use of security metrics
Malicious software and spyware
Residual risk would be reduced by a greater amount
Methodology used in the assessment
35. Has to be integrated into the requirements of every software application's design.
Performing a risk assessment
Negotiating a local version of the organization standards
Centralization of information security management
Encryption key management
36. Whenever personal data are transferred across national boundaries, ________________________ are required.
Centralization of information security management
Negotiating a local version of the organization standards
Role-based policy
The awareness and agreement of the data subjects
37. When developing an information security program, _________________ would help identify the available resources, any gaps, and the training requirements for developing resources.
Defining and ratifying the classification structure of information assets
Prioritization
Skills inventory
Reduce risk to an acceptable level
38. Program that copies itself repeatedly, using up resources and possibly shutting down the computer or network.
Public key infrastructure (PKI)
Vulnerability assessment
Data mart
Worm
39. Provides process needs but not impact.
Cracker
Key controls
Resource dependency assessment
Applying the proper classification to the data
40. Should PRIMARILY be based on regulatory and legal requirements.
Retention of business records
Biometric access control systems
Vulnerability assessment
Multinational organization
41. May show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Tailgating
Residual risk
Virus
Return on security investment (ROSI)
42. Addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool.
Breakeven point of risk reduction and cost
SWOT analysis
The balanced scorecard
Gain unauthorized access to applications
43. Someone who uses the internet or network to destroy or damage computers for political reasons
Cyber terrorist
Cross-site scripting attacks
0-day vulnerabilities
Transferred risk
44. It is easier to manage and control a _________________.
Tailgating
Multinational organization
Centralized structure
Control effectiveness
45. Will associate data access with the role performed by an individual, thus restricting access to the data required to perform the individual's tasks.
Skills inventory
Role-based policy
Attributes and characteristics of the 'desired state'
Data owners
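Questions 31 and 45 together describe a single pattern worth seeing in code: a web handler that lets the client-supplied ID in the URL select the record (question 31), beside a version that decides access from the authenticated session and a role-based policy (question 45). The following is an added example written for this page, not code from the quiz or from ISACA; the employee records, the role names, the Forbidden exception and the /account?emp=... URL shape are all constructed for the illustration.

```python
# Added example, not from the quiz page or from ISACA: the flaw in question 31
# (any employee's account is reachable by editing the ID in the URL) beside a
# fix that ties access to the authenticated session and to a role-based policy
# of the kind question 45 describes. Record data, role names and the
# /account?emp=... URL shape are all constructed for this illustration.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed employee records keyed by employee ID.
ACCOUNTS = {
    "1001": {"name": "A. Rivera", "salary": 71000},
    "1002": {"name": "B. Chen", "salary": 83000},
}

# Role-based policy (assumed roles): the fields a role may read and whether
# it may read records other than its own.
ROLE_POLICY = {
    "employee": {"fields": {"name", "salary"}, "any_record": False},
    "manager":  {"fields": {"name"},           "any_record": True},
    "payroll":  {"fields": {"name", "salary"}, "any_record": True},
}


@dataclass(frozen=True)
class Session:
    """Identity established at login; the only trustworthy source of 'who'."""
    employee_id: str
    role: str


class Forbidden(Exception):
    pass


def employee_id_from_url(url: str) -> str:
    """Extract the client-controlled emp parameter, e.g. /account?emp=1002."""
    return parse_qs(urlparse(url).query).get("emp", [""])[0]


def get_account_vulnerable(url: str, session: Session) -> dict:
    """Before: the URL parameter alone selects the record; the session is never
    consulted, so any logged-in user can read any account by editing the ID."""
    emp_id = employee_id_from_url(url)
    return dict(ACCOUNTS[emp_id])


def get_account_secure(url: str, session: Session) -> dict:
    """After: the URL only names the record; the session and the role policy
    decide whether, and which fields of, that record may be returned."""
    emp_id = employee_id_from_url(url)
    if emp_id not in ACCOUNTS:
        raise KeyError(emp_id)
    policy = ROLE_POLICY.get(session.role)
    if policy is None:
        raise Forbidden(f"role {session.role!r} has no access")
    if not policy["any_record"] and emp_id != session.employee_id:
        # Object-level check: an employee may read only their own record.
        raise Forbidden(f"{session.employee_id} may not read account {emp_id}")
    record = ACCOUNTS[emp_id]
    return {k: v for k, v in record.items() if k in policy["fields"]}


def demo() -> dict:
    """Run both handlers as employee 1001 asking for employee 1002's account."""
    tampered = "https://intranet.example/account?emp=1002"
    user = Session(employee_id="1001", role="employee")
    out = {"vulnerable": get_account_vulnerable(tampered, user)}
    try:
        get_account_secure(tampered, user)
        out["secure"] = "allowed"
    except Forbidden as exc:
        out["secure"] = f"denied: {exc}"
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:10s} {result}")
```

The vulnerable handler hands back B. Chen's salary to employee 1001; the secure handler refuses the same request, still serves 1001 their own record, and serves a manager only the name field of any record. The key point for the quiz item is that the fix is not a stronger login but a check, on every request, that the authenticated identity is entitled to the object and fields it names.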
46. To identify known vulnerabilities based on common misconfigurations and missing updates.
A network vulnerability assessment
Transferred risk
Background check
The information security officer
47. Uses security metrics to measure the performance of the information security program.
Protective switch covers
What happened and how the breach was resolved
Asset classification
Information security manager
48. Same intent as a cracker but does not have the technical skills and knowledge
Script kiddie
Attributes and characteristics of the 'desired state'
Breakeven point of risk reduction and cost
Control risk
49. The information security manager needs to prioritize the controls based on ________________________.
Undervoltage (brownout)
Prioritization
Risk management and the requirements of the organization
Safeguards over keys
50. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Decentralization
Residual risk
The data owner
Risk assessment, evaluation and impact analysis