SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Background checks of prospective employees
Cyber terrorist
Continuous analysis - monitoring and feedback
Attributes and characteristics of the 'desired state'
2. By definition are not previously known and therefore are undetectable.
Security code reviews for the entire software application
Equal error rate (EER)
Virus
0-day vulnerabilities
3. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
The authentication process is broken
Tailgating
Security awareness training for all employees
Return on security investment (ROSI)
4. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Centralization of information security management
Data classification
Classification of assets needs
SWOT analysis
5. Occurs after the risk assessment process - it does not measure it.
Decentralization
Use of security metrics
include security responsibilities in a job description
Intrusion detection system (IDS)
6. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Virus detection
Nondisclosure agreement (NDA)
Gap analysis
Tailgating
7. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Get senior management onboard
Identify the vulnerable systems and apply compensating controls
Risk appetite
Consensus on risks and controls
8. Company or person you believe will not send a virus-infect file knowingly
Access control matrix
The database administrator
Trusted source
Inherent risk
9. It is more efficient to establish a ___________________for locations that must meet specific requirements.
Intrusion detection system (IDS)
Transmit e-mail messages
Developing an information security baseline
Baseline standard and then develop additional standards
10. Reducing risk to a level too small to measure is _______________.
Skills inventory
Reduce risk to an acceptable level
Control risk
Impractical and is often cost-prohibitive
11. Has to be integrated into the requirements of every software application's design.
Overall organizational structure
Transferred risk
Encryption key management
Security risk
12. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Security baselines
MAL wear
Its ability to reduce or eliminate business risks
Residual risk
13. Occurs when the electrical supply drops
Undervoltage (brownout)
include security responsibilities in a job description
A network vulnerability assessment
Data isolation
14. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Defined objectives
Monitoring processes
Tailgating
Risk appetite
15. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Notifications and opt-out provisions
Gain unauthorized access to applications
Developing an information security baseline
Compliance with the organization's information security requirements
16. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.It provides results - such as impact from a security incident and required response times.
Key risk indicator (KRI) setup
BIA (Business Impact Assessment
The data custodian
Process of introducing changes to systems
17. The _____________________is a severe omission and will greatly increase information security risk. Presents the GREATEST information security risk for an organization with multiple - but small - domestic processing locations
Lack of change management
Identify the vulnerable systems and apply compensating controls
Nondisclosure agreement (NDA)
Use of security metrics
18. Attackers who exploit flawed ___________________________________ can sniff network traffic and crack keys to gain unauthorized access to information.
Tailgating
Intrusion detection system (IDS)
Spoofing attacks
Cryptographic secure sockets layer (SSL) implementations and short key lengths
19. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Resource dependency assessment
Logon banners
Role-based policy
Process of introducing changes to systems
20. New security ulnerabilities should be managed through a ________________.
Virus detection
Patch management process
Transferred risk
Alignment with business strategy
21. Program that hides within or looks like a legit program
Annually or whenever there is a significant change
Owner of the information asset
Trojan horse
Cyber terrorist
22. The MOST useful way to describe the objectives in the information security strategy is through ______________________.
23. Involves the correction of software weaknesses and would necessarily follow change management procedures.
Patch management
Creation of a business continuity plan
Logon banners
Key controls
24. Should be a standard requirement for the service provider.
Continuous monitoring control initiatives
Support the business objectives of the organization
Compliance with the organization's information security requirements
Background check
25. The first step in a risk analysis process to determine the impact to the organization - which is the ultimate goal.
Single sign-on (SSO) product
Calculating the value of the information or asset
Resource dependency assessment
Cryptographic secure sockets layer (SSL) implementations and short key lengths
26. On a company's e-commerce web site - a good legal statement regarding data privacy should include a statement regarding what the company will ___________________.
Do with the information it collects
Intrusion detection system (IDS)
Malicious software and spyware
The database administrator
27. Inject malformed input.
Process of introducing changes to systems
Role-based policy
Stress testing
Cross-site scripting attacks
28. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Single sign-on (SSO) product
Detection defenses
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Access control matrix
29. A notice that guarantees a user or a web site is legitimate
Countermeasure cost-benefit analysis
Digital certificate
Undervoltage (brownout)
Threat assessment
30. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Continuous analysis - monitoring and feedback
Virus
Data owners
Breakeven point of risk reduction and cost
31. A risk assessment should be conducted _________________.
Rule-based access control
Applying the proper classification to the data
Annually or whenever there is a significant change
Power surge/over voltage (spike)
32. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Retention of business records
Negotiating a local version of the organization standards
Examples of containment defenses
Audit objectives
33. In assessing the degree to which an organization may be affected by new privacy legislation - information security management should first _____________________.
The awareness and agreement of the data subjects
Detection defenses
Assess the risks to the business operation
Identify the relevant systems and processes
34. Scam in which a perpetrator sends an official looking email message that attempts to obtain your personal and financial information
Residual risk would be reduced by a greater amount
Phishing
Impractical and is often cost-prohibitive
Audit objectives
35. Primarily reduce risk and are most effective for the protection of information assets.
Attributes and characteristics of the 'desired state'
Aligned with organizational goals
Key controls
Increase business value and confidence
36. Uses security metrics to measure the performance of the information security program.
Data mart
Waterfall chart
Public key infrastructure (PKI)
Information security manager
37. The most important characteristic of good security policies is that they be ____________________.
Aligned with organizational goals
Annual loss expectancy (ALE)calculations
Data warehouse
Retention of business records
38. ecurity design flaws require a ____________________.
Deeper level of analysis
Transferred risk
Risk appetite
Regular review of access control lists
39. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Is willing to accept
Creation of a business continuity plan
Service level agreements (SLAs)
Continuous analysis - monitoring and feedback
40. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Nondisclosure agreement (NDA)
A network vulnerability assessment
Process of introducing changes to systems
Worm
41. Should be determined from the risk assessment results.
Regular review of access control lists
Audit objectives
Overall organizational structure
0-day vulnerabilities
42. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Virus
Identify the vulnerable systems and apply compensating controls
Conduct a risk assessment
Centralization of information security management
43. Normally addressed through antivirus and antispyware policies.
Defining high-level business security requirements
Malicious software and spyware
Support the business objectives of the organization
Patch management
44. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Phishing
Do with the information it collects
Cyber extortionist
Well-defined roles and responsibilities
45. Cannot be minimized
Two-factor authentication
Inherent risk
Data warehouse
Undervoltage (brownout)
46. An information security manager has to impress upon the human resources department the need for _____________________.
Information contained on the equipment
Security awareness training for all employees
Data owners
Residual risk
47. Will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Impractical and is often cost-prohibitive
Owner of the information asset
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Encryption of the hard disks
48. Only valid if assets have first been identified and appropriately valued.
Data mart
Data owners
Role-based access control
Annual loss expectancy (ALE)calculations
49. A Successful risk management should lead to a ________________.
Examples of containment defenses
Acceptable use policies
Trojan horse
Breakeven point of risk reduction and cost
50. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Its ability to reduce or eliminate business risks
Worm
Data classification
Examples of containment defenses
