Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. If the firewall allows source routing - any outsider can carry out _________________ by stealing the internal (private) IP addresses of the organization.
Creation of a business continuity plan
Spoofing attacks
Cyber terrorist
Lack of change management

2. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Data isolation
Role-based policy
Access control matrix
Data owners

3. Utility program that detects and protects a personal computer from unauthorized intrusions
Personal firewall
Single sign-on (SSO) product
Security code reviews for the entire software application
Exceptions to policy

4. When the ________________ is more than the cost of the risk - the risk should be accepted.
Cost of control
Platform security - intrusion detection and antivirus controls
Residual risk would be reduced by a greater amount
Stress testing

5. A Successful risk management should lead to a ________________.
Exceptions to policy
Breakeven point of risk reduction and cost
Identify the relevant systems and processes
Retention of business records

6. Using public key infrastructure (PKI) is currently accepted as the most secure method to _____________.
BIA (Business Impact Assessment
Transmit e-mail messages
Confidentiality
Audit objectives

7. Uses security metrics to measure the performance of the information security program.
Risk management and the requirements of the organization
Cyber terrorist
Breakeven point of risk reduction and cost
Information security manager

8. Only valid if assets have first been identified and appropriately valued.
Trusted source
Annual loss expectancy (ALE)calculations
Confidentiality
Lack of change management

9. Can be used to detect an external attack but would not help in authenticating a user attempting to connect.
Trusted source
Vulnerability assessment
Intrusion detection system (IDS)
Background check

10. Should be performed to identify the risk and determine needed controls.
Access control matrix
Audit objectives
Exceptions to policy
Internal risk assessment

11. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Residual risk would be reduced by a greater amount
Virus detection
Alignment with business strategy
Risk appetite

12. Oversees the overall classification management of the information.
Continuous monitoring control initiatives
Continuous analysis - monitoring and feedback
The information security officer
Power surge/over voltage (spike)

13. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Negotiating a local version of the organization standards
Protective switch covers
Consensus on risks and controls
Stress testing

14. When defining the information classification policy - the ___________________ need to be identified.
Encryption key management
Resource dependency assessment
Requirements of the data owners
Rule-based access control

15. By definition are not previously known and therefore are undetectable.
Two-factor authentication
include security responsibilities in a job description
0-day vulnerabilities
Waterfall chart

16. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Power surge/over voltage (spike)
Access control matrix
Trojan horse
Multinational organization

17. Information security governance models are highly dependent on the _____________________.
Data mart
Inherent risk
Overall organizational structure
Use of security metrics

18. Program that hides within or looks like a legit program
Cryptographic secure sockets layer (SSL) implementations and short key lengths
Normalization
Trojan horse
Role-based policy

19. Allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. It allows security administrators to be more responsive.
Encryption
Decentralization
Trojan horse
Regular review of access control lists

20. To identify known vulnerabilities based on common misconfigurations and missing updates.
Skills inventory
Aligned with organizational goals
A network vulnerability assessment
Risk management and the requirements of the organization

21. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
Audit objectives
The database administrator
Properly aligned with business goals and objectives
Transmit e-mail messages

22. Can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements.
Return on security investment (ROSI)
Regulatory compliance
Continuous analysis - monitoring and feedback
Properly aligned with business goals and objectives

23. Culture has a significant impact on how information security will be implemented in a ______________________.
Multinational organization
Safeguards over keys
Waterfall chart
Defined objectives

24. A risk assessment should be conducted _________________.
Hacker
Annually or whenever there is a significant change
Do with the information it collects
Background check

25. To determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented.
Alignment with business strategy
Breakeven point of risk reduction and cost
Classification of assets needs
Encryption

26. Used to understand the flow of one process into another.
Waterfall chart
Phishing
Security baselines
Continuous analysis - monitoring and feedback

27. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
Risk appetite
Decentralization
Do with the information it collects

28. Someone who uses the internet or network to destroy or damage computers for political reasons
Single sign-on (SSO) product
Rule-based access control
Security baselines
Cyber terrorist

29. When reporting an incident to senior management - the initial information to be communicated should include an explanation of _____________________ A summary of security logs would be too technical to report to senior management. An analysis of the i
Knowledge management
Data warehouse
Fault-tolerant computer
What happened and how the breach was resolved

30. Normally addressed through antivirus and antispyware policies.
Exceptions to policy
Confidentiality
Role-based policy
Malicious software and spyware

31. The job of the information security officer on a management team is to ___________________.
Transferred risk
Assess the risks to the business operation
Skills inventory
Resource dependency assessment

32. provides the most effective protection of data on mobile devices.
The awareness and agreement of the data subjects
Two-factor authentication
0-day vulnerabilities
Encryption

33. Ensure that transmitted information can be attributed to the named sender.
Cryptographic secure sockets layer (SSL) implementations and short key lengths
include security responsibilities in a job description
Virus detection
Digital signatures

34. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Identify the vulnerable systems and apply compensating controls
Information contained on the equipment
Risk assessment - evaluation and impact analysis
Negotiating a local version of the organization standards

35. An information security manager has to impress upon the human resources department the need for _____________________.
Platform security - intrusion detection and antivirus controls
Access control matrix
Annually or whenever there is a significant change
Security awareness training for all employees

36. The MOST useful way to describe the objectives in the information security strategy is through ______________________.

37. A notice that guarantees a user or a web site is legitimate
Logon banners
0-day vulnerabilities
Breakeven point of risk reduction and cost
Digital certificate

38. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Properly aligned with business goals and objectives
Virus detection
Defining high-level business security requirements
Its ability to reduce or eliminate business risks

39. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Gain unauthorized access to applications
Internal risk assessment
Developing an information security baseline
Centralized structure

40. Accesses a computer or network illegally
Personal firewall
Cracker
Centralization of information security management
Support the business objectives of the organization

41. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Conduct a risk assessment
Developing an information security baseline
Inherent risk
Cyber terrorist

42. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Aligned with organizational goals
Worm
Continuous monitoring control initiatives
Biometric access control systems

43. Provides process needs but not impact.
Creation of a business continuity plan
Resource dependency assessment
Single sign-on (SSO) product
Residual risk would be reduced by a greater amount

44. Risk should be reduced to a level that an organization _____________.
The board of directors and senior management
Is willing to accept
Regulatory compliance
Key risk indicator (KRI) setup

45. When developing an information security program _________________ would help identify the available resources - any gaps and the training requirements for developing resources.
Process of introducing changes to systems
Negotiating a local version of the organization standards
Cross-site scripting attacks
Skills inventory

46. Someone who accesses a computer or network illegally
Role-based policy
Impractical and is often cost-prohibitive
Hacker
Identify the vulnerable systems and apply compensating controls

47. Program that copies itself repeatedly - using up resources and possibly shutting down the computer or network
Threat assessment
Worm
Public key infrastructure (PKI)
Risk assessment - evaluation and impact analysis

48. From a security standpoint - _______________________ is one of the most important topics that should be included in the contract with third-party service provider.

49. Inject malformed input.
Aligned with organizational goals
Defining high-level business security requirements
Logon banners
Cross-site scripting attacks

50. A tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Key risk indicator (KRI) setup
Identify the relevant systems and processes
Two-factor authentication
Increase business value and confidence