Test your basic knowledge
CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might at times find the answers obvious, but you will see that it reinforces your understanding as you take the test each time.
1. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Virus
Asset classification
Examples of containment defenses
Proficiency testing
2. Provides process needs but not impact.
include security responsibilities in a job description
Risk appetite
Resource dependency assessment
Calculating the value of the information or asset
3. Cannot be minimized
Performing a risk assessment
Information security manager
Inherent risk
Information contained on the equipment
4. Identification and _______________ of business risk enables project managers to address areas with most significance.
Cyber terrorist
Increase business value and confidence
Prioritization
Negotiating a local version of the organization standards
5. Successful risk management should lead to a ________________.
Transferred risk
Breakeven point of risk reduction and cost
The information security officer
Logon banners
6. New security vulnerabilities should be managed through a ________________.
0-day vulnerabilities
Alignment with business strategy
Patch management process
Trojan horse
7. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Gap analysis
Control effectiveness
Skills inventory
Digital certificate
8. The information security manager needs to prioritize the controls based on ________________________.
The authentication process is broken
Information contained on the equipment
Risk management and the requirements of the organization
Acceptable use policies
9. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Negotiating a local version of the organization standards
Patch management
Continuous monitoring control initiatives
The board of directors and senior management
10. To identify known vulnerabilities based on common misconfigurations and missing updates.
Tie security risks to key business objectives
Regulatory compliance
A network vulnerability assessment
The data custodian
11. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
The information security officer
Control effectiveness
Its ability to reduce or eliminate business risks
People
12. Company or person you believe will not knowingly send a virus-infected file
The balanced scorecard
Worm
Patch management process
Trusted source
13. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Risk appetite
Retention of business records
Penetration testing
Worm
14. Scam in which a perpetrator sends an official-looking email message that attempts to obtain your personal and financial information
Role-based access control
Phishing
Negotiating a local version of the organization standards
Cyber extortionist
15. Provide minimum recommended settings and do not prevent introduction of control weaknesses.
Conduct a risk assessment
Security baselines
The data owner
Defined objectives
16. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures - but not in the prioritization.
Negotiating a local version of the organization standards
Creation of a business continuity plan
Reduce risk to an acceptable level
Consensus on risks and controls
17. The MOST important element of the request for proposal (RFP) to assess the maturity level of the organization's information security management is _______________________.
Information security manager
Overall organizational structure
Identify the vulnerable systems and apply compensating controls
Methodology used in the assessment
18. Accesses a computer or network illegally
Methodology used in the assessment
Attributes and characteristics of the 'desired state'
Overall organizational structure
Cracker
19. The best measure for preventing the unauthorized disclosure of confidential information.
Inherent risk
Acceptable use policies
Information security manager
Control effectiveness
20. A risk assessment should be conducted _________________.
Use of security metrics
Access control matrix
Annually or whenever there is a significant change
Creation of a business continuity plan
21. Provides the most effective protection of data on mobile devices.
Encryption
Regulatory compliance
Security baselines
Access control matrix
22. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Increase business value and confidence
Patch management
Developing an information security baseline
Cost of control
23. By definition are not previously known and therefore are undetectable.
0-day vulnerabilities
Resource dependency assessment
Patch management
What happened and how the breach was resolved
24. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Security risk
Logon banners
Increase business value and confidence
25. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Consensus on risks and controls
Public key infrastructure (PKI)
Protective switch covers
Defining and ratifying the classification structure of information assets
26. The MOST effective approach to address issues that arise between IT management - business units and security management when implementing a new security strategy is for the information security manager to ____________________ with any security recomm
Get senior management onboard
Proficiency testing
Cyber extortionist
Security baselines
27. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Process of introducing changes to systems
Asset classification
Biometric access control systems
Spoofing attacks
28. Warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
Role-based policy
Two-factor authentication
The awareness and agreement of the data subjects
Exceptions to policy
29. In a _________________________ - the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure.
Countermeasure cost-benefit analysis
Performing a risk assessment
Normalization
Deeper level of analysis
30. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Asset classification
Certificate authority (CA)
The data owner
Transferred risk
31. Addresses strengths - weaknesses - opportunities and threats. Although useful - a SWOT analysis is not as effective a tool.
Data classification
SWOT analysis
Examples of containment defenses
Tie security risks to key business objectives
32. Should be performed to identify the risk and determine needed controls.
Applying the proper classification to the data
Identify the vulnerable systems and apply compensating controls
Security baselines
Internal risk assessment
33. A function of the session keys distributed by the PKI.
Encryption
Confidentiality
Phishing
Spoofing attacks
34. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
Digital signatures
Risk appetite
Transmit e-mail messages
Attributes and characteristics of the 'desired state'
35. BEST option to improve accountability for a system administrator is to _____________________.
Compliance with the organization's information security requirements
The data owner
Examples of containment defenses
include security responsibilities in a job description
36. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Logon banners
Cracker
Transmit e-mail messages
Control effectiveness
37. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Personal firewall
Skills inventory
Cross-site scripting attacks
Asset classification
38. The best measure and will involve reviewing the entire source code to detect all instances of back doors.
Security code reviews for the entire software application
Residual risk would be reduced by a greater amount
The data custodian
Cryptographic secure sockets layer (SSL) implementations and short key lengths
39. There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Identify the vulnerable systems and apply compensating controls
Continuous monitoring control initiatives
Calculating the value of the information or asset
A network vulnerability assessment
40. When considering the value of assets, ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance.
Decentralization
Gap analysis
Two-factor authentication
Comparison of cost of achievement
41. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Safeguards over keys
Resource dependency assessment
Patch management process
Access control matrix
42. Should be determined from the risk assessment results.
Stress testing
Calculating the value of the information or asset
Compliance with the organization's information security requirements
Audit objectives
43. Someone who accesses a computer or network illegally
Security baselines
Intrusion detection system (IDS)
Prioritization
Hacker
44. A method for analyzing and reducing a relational database to its most streamlined form
Identify the relevant systems and processes
Normalization
Control risk
Increase business value and confidence
45. Security design flaws require a ____________________.
Acceptable use policies
Worm
Tie security risks to key business objectives
Deeper level of analysis
46. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Two-factor authentication
Data warehouse
Security code reviews for the entire software application
47. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. It means _____________.
The authentication process is broken
Acceptable use policies
Hacker
Residual risk
48. The BEST justification to convince management to invest in an information security program is that doing so would _________________.
Virus
Compliance with the organization's information security requirements
Regulatory compliance
Increase business value and confidence
49. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Proficiency testing
Continuous monitoring control initiatives
Compliance with the organization's information security requirements
Exceptions to policy
50. The best strategy for risk management is to ___________________, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Reduce risk to an acceptable level
The balanced scorecard
The data custodian
Control risk