Business case - ANSWER- Documentation of the rationale for making a business
investment, used both to support a business decision on whether to proceed with the
investment and as an operational tool to support management of the investment
through its full economic life cycle
Business continuity plan (BCP) - ANSWER- A plan used by an organization to respond
to disruption of critical business processes. Depends on the contingency plan for
restoration of critical systems
Business dependency assessment - ANSWER- A process of identifying resources
critical to the operation of a business process
Business impact - ANSWER- The net effect, positive or negative, on the achievement of
business objectives
Business impact analysis/assessment (BIA) - ANSWER- Evaluating the criticality and
sensitivity of information assets. An exercise that determines the impact of losing the
support of any resource to an organization, establishes the escalation of that loss over
time, identifies the minimum resources needed to recover, and prioritizes the recovery
of processes and supporting systems. This process also includes addressing: income
loss, unexpected expense, legal issues (regulatory compliance or contractual),
interdependent processes, and loss of public reputation or public confidence.
Business Model for Information Security (BMIS) - ANSWER- A holistic and business-
oriented model that supports enterprise governance and management of information
security, and provides a common language for information security professionals and
business management
Capability Maturity Model (CMM) - ANSWER- Contains the essential elements of
effective processes for one or more disciplines. It also describes an evolutionary
improvement path from ad hoc, immature processes, to disciplined, mature processes,
with improved quality and effectiveness.
Certificate (certification) authority (CA) - ANSWER- A trusted third party that serves
authentication infrastructures or enterprises and registers entities and issues them
certificates
Certificate revocation list (CRL) - ANSWER- An instrument for checking the continued
validity of the certificates for which the certification authority (CA) has responsibility. The
CRL details digital certificates that are no longer valid. The time gap between two
updates is very critical and is also a risk in digital certificates verification.
Certification practice statement (1 of 2) - ANSWER- A detailed set of rules governing
the certificate authority's operations. It provides an understanding of the value and
trustworthiness of certificates issued by a given certificate authority (CA).
Certification practice statement (2 of 2) - ANSWER- Stated in terms of the controls that
an organization observes, the method it uses to validate the authenticity of certificate
applicants and the CA's expectations of how its certificates may be used
Chain of custody - ANSWER- A legal principle regarding the validity and integrity of
evidence. It requires accountability for anything that will be used as evidence in a legal
proceeding to ensure that it can be accounted for from the time it was collected until the
time it is presented in a court of law. This includes documentation as to who had access
to the evidence and when, as well as the ability to identify evidence as being the exact
item that was recovered or tested. Lack of control over evidence can lead to it being
discredited. Chain of custody depends on the ability to verify that evidence could not
have been tampered with. This is accomplished by sealing off the evidence, so it cannot
be changed, and providing a documentary record of custody to prove that the evidence
was, at all times, under strict control and not subject to tampering.
Chain of evidence - ANSWER- A process and record that shows who obtained the
evidence, where and when the evidence was obtained, who secured the evidence and
who had control or possession of the evidence. The "sequencing" of the chain of
evidence follows this order: collection and identification, analysis, storage, preservation,
presentation in court, return to owner.
Challenge/response token - ANSWER- A method of user authentication that is carried
out through use of the Challenge Handshake Authentication Protocol (CHAP). When a
user tries to log onto the server using CHAP, the server sends the user a "challenge,"
which is a random value. The user enters a password, which is used as an encryption
key to encrypt the "challenge" and return it to the server. The server is aware of the
password. It, therefore, encrypts the "challenge" value and compares it with the value
received from the user. If the values match, the user is authenticated. The
challenge/response activity continues throughout the session and this protects the
session from password sniffing attacks. In addition, CHAP is not vulnerable to "man-in-
the-middle" attacks because the challenge value is a random value that changes on
each access attempt.
Change management - ANSWER- A holistic and proactive approach to managing the
transition from a current to a desired organizational state
Checksum (1 of 2) - ANSWER- A mathematical value that is assigned to a file and used
to "test" the file at a later date to verify that the data contained in the file have not been
maliciously changed.
Checksum (2 of 2) - ANSWER- A cryptographic checksum is created by performing a
complicated series of mathematical operations (known as a cryptographic algorithm)
that translates the data in the file into a fixed string of digits called a hash value, which is
then used as the checksum. Without knowing which cryptographic algorithm was used
to create the hash value, it is highly unlikely that an unauthorized person would be able
to change data without inadvertently changing the corresponding checksum.
Cryptographic checksums are used in data transmission and data storage.
Cryptographic checksums are also known as message authentication codes, integrity
check values, modification detection codes or message integrity codes.
Chief information officer (CIO) - ANSWER- The most senior official of the enterprise
who is accountable for IT advocacy, aligning IT and business strategies, and planning,
resourcing and managing the delivery of IT services, information and the deployment of
associated human resources. In some cases, the CIO role has been expanded to
become the chief knowledge officer (CKO) who deals in knowledge, not just information.
Also see chief technology officer.
Chief information security officer (CISO) - ANSWER- Responsible for managing
information risk, the information security program, and ensuring appropriate
confidentiality, integrity and availability of information assets
Chief security officer (CSO) - ANSWER- Typically responsible for physical security in
the organization although increasingly the CISO and CSO roles are merged
Chief technology officer (CTO) - ANSWER- The individual who focuses on technical
issues in an organization
Cloud computing - ANSWER- An approach using external services for convenient
on-demand IT operations using a shared pool of configurable computing capability.
Typical capabilities include infrastructure as a service (IaaS), platform as a service
(PaaS) and software as a service (SaaS), e.g., networks, servers, storage, applications
and services, that can be rapidly provisioned and released with minimal management
effort or service provider interaction. This cloud model is composed of five essential
characteristics (on-demand self service, ubiquitous network access, location
independent resource pooling, rapid elasticity, and measured service). It allows users to
access technology-based services from the network cloud without knowledge of,
expertise with, or control over, the technology infrastructure that supports them and
provides four models for enterprise access (Private cloud, Community cloud, Public
cloud, and Hybrid cloud).
COBIT 5 - ANSWER- Formerly known as Control Objectives for Information and related
Technology (COBIT); now used only as the acronym in its fifth iteration. A complete,
internationally accepted framework for governing and managing enterprise information
and technology (IT) that supports enterprise executives and management in their
definition and achievement of business goals and related IT goals. COBIT describes five
principles and seven enablers that support enterprises in the development,
implementation, and continuous improvement and monitoring of good IT-related
governance and management practices.
... - ANSWER- Earlier versions of COBIT focused on control objectives related to IT
processes, management and control of IT processes and IT governance aspects.
Adoption and use of the COBIT framework are supported by guidance from a growing
family of supporting products. (See www.isaca.org/cobit for more information.)
COBIT 4.1 and earlier - ANSWER- Formerly known as Control Objectives for
Information and related Technology (COBIT). A complete, internationally accepted
process framework for IT that supports business and IT executives and management in
their definition and achievement of business goals and related IT goals by providing a
comprehensive IT governance, management, control and assurance model. COBIT
describes IT processes and associated control objectives, management guidelines
(activities, accountabilities, responsibilities and performance metrics) and maturity
models. COBIT supports enterprise management in the development, implementation,
continuous improvement and monitoring of good IT-related practices.
Common vulnerabilities and exposures (CVE) - ANSWER- A system that provides a
reference method for publicly known information-security vulnerabilities and exposures.
MITRE Corporation maintains the system, with funding from the National Cyber Security
Division of the United States Department of Homeland Security.
Compensating control - ANSWER- An internal control that reduces the risk of an
existing or potential control weakness resulting in errors and omissions
Computer forensics - ANSWER- The application of the scientific method to digital media
to establish factual information for judicial review. This process often involves
investigating computer systems to determine whether they are or have been used for
illegal or unauthorized activities. As a discipline, it combines elements of law and
computer science to collect and analyze data from information systems (e.g., personal
computers, networks, wireless communication and digital storage devices) in a way that
is admissible as evidence in a court of law.