CISM: Certified Information Security Manager
Subjects: certifications, cism, it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it reinforces your understanding as you take the test each time.
1. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Security baselines
Gap analysis
Retention of business records
Service level agreements (SLAs)
2. All within the responsibility of the information security manager.
Platform security - intrusion detection and antivirus controls
Encryption of the hard disks
Asset classification
Intrusion detection system (IDS)
3. Should be determined from the risk assessment results.
Business case development
Audit objectives
Examples of containment defenses
0-day vulnerabilities
4. The best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
Identify the relevant systems and processes
Access control matrix
Annually or whenever there is a significant change
Vulnerability assessment
5. A key indicator of performance measurement.
Logon banners
Strategic alignment of security with business objectives
Cyber extortionist
Consensus on risks and controls
6. Would reduce the possibility of an individual accidentally pressing the power button on a device - thereby turning off the device.
Control effectiveness
Detection defenses
Deeper level of analysis
Protective switch covers
7. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures - but not in the prioritization.
Notifications and opt-out provisions
What happened and how the breach was resolved
Data warehouse
Creation of a business continuity plan
8. Has full responsibility over data.
The data owner
Security risk
Its ability to reduce or eliminate business risks
The awareness and agreement of the data subjects
9. When the ________________ is more than the cost of the risk - the risk should be accepted.
Breakeven point of risk reduction and cost
Cost of control
Notifications and opt-out provisions
Do with the information it collects
10. Inject malformed input.
Risk management and the requirements of the organization
Cross-site scripting attacks
Risk appetite
Residual risk
11. The most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. It provides results - such as impact from a security incident and required response times.
Fault-tolerant computer
BIA (Business Impact Assessment)
Risk management and the requirements of the organization
Regular review of access control lists
12. Applications cannot access data associated with other apps
Biometric access control systems
Data isolation
Compliance with the organization's information security requirements
Cracker
13. A notice that guarantees a user or a web site is legitimate
Defining and ratifying the classification structure of information assets
Digital certificate
Key controls
Digital signatures
14. Program that hides within or looks like a legit program
Trojan horse
Centralization of information security management
The information security officer
Cross-site scripting attacks
15. Same intent as a cracker but does not have the technical skills and knowledge
include security responsibilities in a job description
Risk appetite
Retention of business records
Script kiddie
16. __________________________ is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
SWOT analysis
Defined objectives
Alignment with business strategy
Penetration testing
17. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Annual loss expectancy (ALE) calculations
People
Classification of assets needs
Encryption
18. The MOST important component of a privacy policy is: Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Personal firewall
Key controls
Notifications and opt-out provisions
Access control matrix
19. Successful risk management should lead to a ________________.
Is willing to accept
Breakeven point of risk reduction and cost
Lack of change management
The balanced scorecard
20. Are expensive - so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Strategic alignment of security with business objectives
Owner of the information asset
Continuous monitoring control initiatives
People
21. The MOST important element of an information security strategy.
Use of security metrics
Two-factor authentication
Defined objectives
Patch management process
22. Occurs when the incoming level
Information contained on the equipment
Overall organizational structure
Inherent risk
Power surge/over voltage (spike)
23. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. The best protection is to _____________________ until a patch is installed.
Control risk
Decentralization
Continuous monitoring control initiatives
Identify the vulnerable systems and apply compensating controls
24. Results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However - turnaround can be slower due to the lack of alignment with business units.
Centralization of information security management
Rule-based access control
Trojan horse
Get senior management onboard
25. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Script kiddie
Reduce risk to an acceptable level
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Data owners
26. The risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk.
Risk management and the requirements of the organization
Owner of the information asset
Service level agreements (SLAs)
Transferred risk
27. It is important to achieve ____________________ - and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.
Support the business objectives of the organization
Consensus on risks and controls
Malware
Tie security risks to key business objectives
28. Needs to define the access rules - which is troublesome and error prone in large organizations.
Key controls
Rule-based access control
Undervoltage (brownout)
Tailgating
29. The information security manager needs to prioritize the controls based on ________________________.
Digital certificate
Safeguards over keys
Information contained on the equipment
Risk management and the requirements of the organization
30. Awareness - training and physical security defenses.
Power surge/over voltage (spike)
Examples of containment defenses
Regulatory compliance
Rule-based access control
31. A small warehouse - designed for the end-user needs in a strategic business unit
Developing an information security baseline
Baseline standard and then develop additional standards
Data mart
The balanced scorecard
32. Reducing risk to a level too small to measure is _______________.
Protective switch covers
Normalization
What happened and how the breach was resolved
Impractical and is often cost-prohibitive
33. An effective tool but primarily focuses on malicious code from external sources - and only for those applications that are online.
Support the business objectives of the organization
Baseline standard and then develop additional standards
Virus detection
Monitoring processes
34. Carries out the technical administration.
Two-factor authentication
Multinational organization
Patch management
The database administrator
35. Provides strong online authentication.
The information security officer
Countermeasure cost-benefit analysis
Background checks of prospective employees
Public key infrastructure (PKI)
36. A risk assessment should be conducted _________________.
Annually or whenever there is a significant change
Tie security risks to key business objectives
Return on security investment (ROSI)
Impractical and is often cost-prohibitive
37. The security manager would be most concerned with whether _____________________ than the cost of adding additional controls.
Defining and ratifying the classification structure of information assets
Attributes and characteristics of the 'desired state'
A network vulnerability assessment
Residual risk would be reduced by a greater amount
38. Whenever personal data are transferred across national boundaries; ________________________ are required.
Developing an information security baseline
Continuous monitoring control initiatives
Risk appetite
The awareness and agreement of the data subjects
39. Focuses on identifying vulnerabilities.
Nondisclosure agreement (NDA)
Penetration testing
Its ability to reduce or eliminate business risks
Regular review of access control lists
40. Computer that has duplicate components so it can continue to operate when one of its main components fails
Fault-tolerant computer
Data owners
Security code reviews for the entire software application
Transmit e-mail messages
41. Primarily reduce risk and are most effective for the protection of information assets.
Cross-site scripting attacks
Tie security risks to key business objectives
Key controls
Encryption
42. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Safeguards over keys
Methodology used in the assessment
Detection defenses
Equal error rate (EER)
43. Because past performance is a strong predictor of future performance - _______________________ best prevents attacks from originating within an organization.
Security awareness training for all employees
Role-based access control
Background checks of prospective employees
Personal firewall
44. When defining the information classification policy - the ___________________ need to be identified.
Risk assessment - evaluation and impact analysis
Examples of containment defenses
Requirements of the data owners
Equal error rate (EER)
45. Logging as well as monitoring - measuring - auditing - detecting viruses and intrusion.
Detection defenses
A network vulnerability assessment
0-day vulnerabilities
Penetration testing
46. The most important characteristic of good security policies is that they be ____________________.
Equal error rate (EER)
Aligned with organizational goals
Internal risk assessment
Data owners
47. The PRIMARY goal in developing an information security strategy is to: _________________________.
Stress testing
Identify the relevant systems and processes
Support the business objectives of the organization
Risk assessment - evaluation and impact analysis
48. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Encryption
Regular review of access control lists
Well-defined roles and responsibilities
Patch management process
49. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Encryption key management
Exceptions to policy
Vulnerability assessment
Performing a risk assessment
50. The primary role of the information security manager in the process of information classification within the organization.
Multinational organization
Defining and ratifying the classification structure of information assets
Logon banners
Gap analysis