Test your basic knowledge |

CISM: Certified Information Security Manager

Subjects : certifications, cism, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Risk assessment is a very important process for the ___________________. Risk assessment provides information on the likelihood of occurrence of security incidence and assists in the selection of countermeasures - but not in the prioritization.
Creation of a business continuity plan
0-day vulnerabilities
What happened and how the breach was resolved
Spoofing attacks

2. The _____________________ should be the person with the decision-making power in the department deriving the most benefit from the asset.
Internal risk assessment
Penetration testing
What happened and how the breach was resolved
Owner of the information asset

3. ecurity design flaws require a ____________________.
Breakeven point of risk reduction and cost
Encryption of the hard disks
Regulatory compliance
Deeper level of analysis

4. Program that hides within or looks like a legit program
Security awareness training for all employees
Annual loss expectancy (ALE)calculations
Protective switch covers
Trojan horse

5. Whenever personal data are transferred across national boundaries; ________________________ are required.
Detection defenses
The awareness and agreement of the data subjects
Compliance with the organization's information security requirements
Performing a risk assessment

6. An organization without any formal information security program should start with _______________________ because the implementation should be based on those security requirements.
Defining high-level business security requirements
Role-based policy
Asset classification
Applying the proper classification to the data

7. The MOST important component of a privacy policy is: A Privacy policies must contain _______________; they are a high-level management statement of direction. They do not necessarily address warranties - liabilities or geographic coverage - which are
Two-factor authentication
Trusted source
OBusiness case development
Notifications and opt-out provisions

8. When mobile equipment is lost or stolen - the ______________________ matters most in determining the impact of the loss.
Classification of assets needs
Information contained on the equipment
Public key infrastructure (PKI)
Two-factor authentication

9. Ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management
Encryption
Use of security metrics
Cross-site scripting attacks

10. The MOST important element of the request for proposal (RFP) ro assess the maturity level of the organization's information security management is _______________________.
Data warehouse
Certificate authority (CA)
Lack of change management
Methodology used in the assessment

11. A function of the session keys distributed by the PKI.
Do with the information it collects
Tie security risks to key business objectives
Confidentiality
Consensus on risks and controls

12. Ensure that transmitted information can be attributed to the named sender.
A network vulnerability assessment
Support the business objectives of the organization
Is willing to accept
Digital signatures

13. Requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Control effectiveness
All personnel
Safeguards over keys
Information security manager

14. The most fundamental evaluation criteria for the appropriate selection of any security technology is ________________________.
Strategic alignment of security with business objectives
Assess the risks to the business operation
Its ability to reduce or eliminate business risks
Breakeven point of risk reduction and cost

15. Awareness training would most likely result in any attempted ____________ being challenged by the authorized employee
Tailgating
Reduce risk to an acceptable level
Script kiddie
Security code reviews for the entire software application

16. Occurs when the incoming level
Developing an information security baseline
Defined objectives
Overall organizational structure
Power surge/over voltage (spike)

17. Responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Data owners
Patch management
Audit objectives
Undervoltage (brownout)

18. There is a time lag between the time when a security vulnerability is first published - and the time when a patch is delivered. - The best protection is to _____________________ until a patch is installed.
Encryption key management
Assess the risks to the business operation
Identify the vulnerable systems and apply compensating controls
Equal error rate (EER)

19. Lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Worm
Normalization
Security code reviews for the entire software application
Vulnerability assessment

20. New security ulnerabilities should be managed through a ________________.
Use of security metrics
Patch management process
Tailgating
include security responsibilities in a job description

21. All within the responsibility of the information security manager.
Internal risk assessment
Platform security - intrusion detection and antivirus controls
Knowledge management
Defining high-level business security requirements

22. Lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
include security responsibilities in a job description
Threat assessment
Data warehouse
Identify the vulnerable systems and apply compensating controls

23. The best indicator of the level of compliance with the service level agreement ( SLA ) data confidentiality clauses.
Confidentiality
Transferred risk
Intrusion detection system (IDS)
Access control matrix

24. Will associate data access with the role performed by an individual - thus restricting access to data required to perform the individual's tasks.
Tie security risks to key business objectives
Role-based policy
Encryption of the hard disks
Data classification

25. The BEST way to justify the implementation of a _____________________ is to use a business case. Return on investment (ROI) would only provide the costs needed to preclude specific risks - and would not provide other indirect benefits such as process
Single sign-on (SSO) product
Requirements of the data owners
All personnel
Personal firewall

26. Also required to guarantee fulfillment of laws and regulations of the organization and - therefore - the information security manager will be obligated to comply with the law.
Support the business objectives of the organization
Total cost of ownership (TCO)
Monitoring processes
Personal firewall

27. Primarily reduce risk and are most effective for the protection of information assets.
Continuous monitoring control initiatives
The authentication process is broken
Developing an information security baseline
Key controls

28. While useful for identifying the difference between the current state and the desired future state - e.g. organization has to comply with recently published industry regulatory requirements compliance that potentially has high implementation costs -
Countermeasure cost-benefit analysis
BIA (Business Impact Assessment
Patch management process
Gap analysis

29. The best strategy for risk management is to ___________________- as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.
Negotiating a local version of the organization standards
Reduce risk to an acceptable level
Role-based policy
Properly aligned with business goals and objectives

30. Adherence to local regulations must always be the priority. _______________________ is the most effective compromise in this situation.
Patch management process
Phishing
Negotiating a local version of the organization standards
Conduct a risk assessment

31. Ensures that there are no scalability problems.
Stress testing
Cross-site scripting attacks
Nondisclosure agreement (NDA)
Data classification

32. Awareness - training and physical security defenses.
Detection defenses
Continuous monitoring control initiatives
Developing an information security baseline
Examples of containment defenses

33. Provides process needs but not impact.
Regular review of access control lists
Encryption of the hard disks
Resource dependency assessment
Decentralization

34. Uses security metrics to measure the performance of the information security program.
Information security manager
Classification of assets needs
Cyber extortionist
Gap analysis

35. Residual risk is unmanaged - i.e. - inherent risk which remains uncontrolled. This is key to the organization's _____________ and is the amount of residual risk that a business is living with that affects its viability.
Risk appetite
Role-based policy
Methodology used in the assessment
Alignment with business strategy

36. Helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.
Developing an information security baseline
Data mart
Data warehouse
Tie security risks to key business objectives

37. Information security architecture should always be _______________________. Alignment with IT plans or industry and security best practices is secondary by comparison.
The authentication process is broken
Residual risk
Negotiating a local version of the organization standards
Properly aligned with business goals and objectives

38. A notice that guarantees a user or a web site is legitimate
Cross-site scripting attacks
Digital certificate
Transmit e-mail messages
Script kiddie

39. _________________________ will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management.
Logon banners
Performing a risk assessment
Acceptable use policies
Countermeasure cost-benefit analysis

40. The starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment - evaluation and impact analysis
Do with the information it collects
Security awareness training for all employees
Security code reviews for the entire software application

41. By definition are not previously known and therefore are undetectable.
Conduct a risk assessment
Control risk
0-day vulnerabilities
Owner of the information asset

42. A repository of historical data organized by subject to support decision makers in the org
Data warehouse
Data owners
include security responsibilities in a job description
Threat assessment

43. Determined by the business risk - i.e. - the potential impact on the business of the loss - corruption or disclosure of information. It must be applied to information in all forms - both electronic and physical (paper) - and should be applied by the
Data classification
Single sign-on (SSO) product
Undervoltage (brownout)
Attributes and characteristics of the 'desired state'

44. Someone who uses email as a vehicle for extortion; send company threatening emails indicating they will expose confidential information - exploit security launch - etc.
Cost of control
Calculating the value of the information or asset
Cyber extortionist
Owner of the information asset

45. Most effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices.
Multinational organization
Power surge/over voltage (spike)
Regular review of access control lists
Key controls

46. In biometric systems where the possibility of false rejects is a problem - it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
Equal error rate (EER)
Malicious software and spyware
Access control matrix
The balanced scorecard

47. Potentially damaging computer program that affects - or infects a computer negatively by altering the way the computer works
Undervoltage (brownout)
Virus
Decentralization
Certificate authority (CA)

48. Attackers who exploit weak application authentication controls can ___________________ and this has little to do with cross-site scripting vulnerabilities.
Internal risk assessment
Cross-site scripting attacks
A network vulnerability assessment
Gain unauthorized access to applications

49. Any event or action that could cause a loss of or damage to computer hardware - software - data - information - or processing capability
Regular review of access control lists
Security risk
Single sign-on (SSO) product
Key risk indicator (KRI) setup

50. Are not infallible. When tuning the solution - one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing
Biometric access control systems
Patch management
Spoofing attacks
OBusiness case development