SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
CISM: Certified Information Security Manager
Start Test
Study First
Subjects
:
certifications
,
cism
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. Responsible for securing the information.
Biometric access control systems
Defining high-level business security requirements
Compliance with the organization's information security requirements
The data custodian
2. Most effective for evaluating the degree to which information security objectives are being met.
BIA (Business Impact Assessment
IP address packet filtering
Trusted source
The balanced scorecard
3. Provide metrics to which outsourcing firms can be held accountable.
Risk appetite
Service level agreements (SLAs)
Data isolation
BIA (Business Impact Assessment
4. A repository of historical data organized by subject to support decision makers in the org
Get senior management onboard
Security awareness training for all employees
Data warehouse
Asset classification
5. Only valid if assets have first been identified and appropriately valued.
Annual loss expectancy (ALE)calculations
Residual risk would be reduced by a greater amount
Developing an information security baseline
Defining and ratifying the classification structure of information assets
6. Program that hides within or looks like a legit program
Centralization of information security management
Trojan horse
Transmit e-mail messages
Centralized structure
7. Useful but only with regard to specific technical skills.
Encryption
Proficiency testing
Safeguards over keys
include security responsibilities in a job description
8. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
OBusiness case development
Owner of the information asset
The board of directors and senior management
Breakeven point of risk reduction and cost
9. The PRIMARY goal in developing an information security strategy is to: _________________________.
Defining and ratifying the classification structure of information assets
Support the business objectives of the organization
Data owners
Security risk
10. Provides strong online authentication.
Background checks of prospective employees
Trojan horse
Public key infrastructure (PKI)
Use of security metrics
11. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Vulnerability assessment
Logon banners
Comparison of cost of achievement
Regulatory compliance
12. A trusted third party that attests to the identity of the signatory - and reliance will be a function of the level of trust afforded the CA.
Certificate authority (CA)
Confidentiality
Attributes and characteristics of the 'desired state'
Security code reviews for the entire software application
13. Applications cannot access data associated with other apps
Attributes and characteristics of the 'desired state'
Retention of business records
Information security manager
Data isolation
14. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Tailgating
Negotiating a local version of the organization standards
Safeguards over keys
Penetration testing
15. Occurs when the electrical supply drops
Residual risk
Undervoltage (brownout)
Properly aligned with business goals and objectives
Transmit e-mail messages
16. To improve the security governance framework and achieve a higher level of maturity _____________________ is most important.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Continuous analysis - monitoring and feedback
Power surge/over voltage (spike)
Continuous monitoring control initiatives
17. The primary role of the information security manager in the process of information classification within the organization.
Examples of containment defenses
Centralization of information security management
Security risk
Defining and ratifying the classification structure of information assets
18. Provide minimum recommended settings and do not prevent introduction of control weaknesses.'
Consensus on risks and controls
Background checks of prospective employees
Role-based policy
Security baselines
19. A process that helps organizations manipulate important knowledge that is part of the orgs. memory
Impractical and is often cost-prohibitive
Cyber terrorist
Encryption key management
Knowledge management
20. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is - ______________ would appear every time the user logs on - and the user would be required to read and agree
Continuous analysis - monitoring and feedback
Logon banners
Transferred risk
Resource dependency assessment
21. Carries out the technical administration.
Attributes and characteristics of the 'desired state'
The database administrator
Threat assessment
Well-defined roles and responsibilities
22. Same intent as a cracker but does not have the technical skills and knowledge
Vulnerability assessment
Cyber terrorist
Role-based access control
Script kiddie
23. An information security manager has to impress upon the human resources department the need for _____________________.
Security awareness training for all employees
Detection defenses
Prioritization
Hacker
24. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Threat assessment
Performing a risk assessment
Skills inventory
Identify the vulnerable systems and apply compensating controls
25. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
Identify the relevant systems and processes
People
Annually or whenever there is a significant change
26. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Data owners
Cyber extortionist
Access control matrix
27. When considering the value of assets ______________________ would give the information security manager the MOST objective basis for measurement of value delivery in information security governance
Use of security metrics
Internal risk assessment
Overall organizational structure
Comparison of cost of achievement
28. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Regulatory compliance
Single sign-on (SSO) product
Tailgating
Undervoltage (brownout)
29. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Acceptable use policies
Trusted source
Audit objectives
Intrusion detection system (IDS)
30. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Confidentiality
Resource dependency assessment
Residual risk would be reduced by a greater amount
Equal error rate (EER)
31. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Biometric access control systems
Role-based policy
Notifications and opt-out provisions
Use of security metrics
32. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Strategic alignment of security with business objectives
Skills inventory
Performing a risk assessment
Worm
33. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Threat assessment
Waterfall chart
Cyber extortionist
Risk appetite
34. Occurs when the incoming level
Gain unauthorized access to applications
Regulatory compliance
Centralization of information security management
Power surge/over voltage (spike)
35. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Role-based policy
Risk assessment - evaluation and impact analysis
Logon banners
Developing an information security baseline
36. Change management controls the _____________________. This is often the point at which a weakness will be introduced.
Nondisclosure agreement (NDA)
Process of introducing changes to systems
Fault-tolerant computer
Owner of the information asset
37. May show the performance result of the security related activities; however - the result is interpreted in terms of money and extends to multiple facets of security initiatives.
Rule-based access control
Continuous analysis - monitoring and feedback
Return on security investment (ROSI)
Gain unauthorized access to applications
38. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Regular review of access control lists
Monitoring processes
What happened and how the breach was resolved
Audit objectives
39. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Consensus on risks and controls
Confidentiality
Phishing
Defining high-level business security requirements
40. Most effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network.
Continuous monitoring control initiatives
OBusiness case development
Safeguards over keys
Hacker
41. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
The balanced scorecard
Aligned with organizational goals
Classification of assets needs
Intrusion detection system (IDS)
42. Should be a standard requirement for the service provider.
Continuous analysis - monitoring and feedback
Transmit e-mail messages
Background check
Intrusion detection system (IDS)
43. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Data mart
Background checks of prospective employees
Lack of change management
Support the business objectives of the organization
44. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Cyber terrorist
Spoofing attacks
Single sign-on (SSO) product
Role-based access control
45. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
Cost of control
Do with the information it collects
Hacker
46. Computer that has duplicate components so it can continue to operate when one of its main components fail
Baseline standard and then develop additional standards
Fault-tolerant computer
Worm
BIA (Business Impact Assessment
47. The MAIN reason why _______________ is important to a successful information security program is because classification determines the appropriate level of protection to the asset.
Asset classification
People
Process of introducing changes to systems
Centralized structure
48. Uses security metrics to measure the performance of the information security program.
Information security manager
Data isolation
Do with the information it collects
The data custodian
49. Has to be integrated into the requirements of every software application's design.
Tie security risks to key business objectives
Encryption key management
Intrusion detection system (IDS)
Get senior management onboard
50. A notice that guarantees a user or a web site is legitimate
Regulatory compliance
Penetration testing
Aligned with organizational goals
Digital certificate