1602 Module 3 Chapter 5&6


Determining the cost of recovery from an attack is one calculation that must be made to identify risk; what is another?

Cost of prevention

Which of the following is an advantage of the one-on-one method of training?

Customized

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________

False

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________

False

In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________

False

Which of the following is an advantage of the formal class method of training?

Interaction with trainer is possible

What is the final step in the risk identification process?

Listing assets in order of importance

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

IP address

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

centralized authentication

Labels that must be comprehensive and mutually exclusive.

classification categories

A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.

critical path method

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

they have larger information security needs than a small organization

An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.

threat assessment

On-the-job training can result in substandard work performance while the trainee gets up to speed.

true

Typically considered the top information security officer in an organization.

CISO

__________ is a simple project management planning tool.

WBS

Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

A security technician

Classification categories must be mutually exclusive and which of the following?

Comprehensive

Prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________

False

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection. ___________

False

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________

False

MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.

False

Most information security projects require a trained project developer. _________________________

False

The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.

False

The information technology management community of interest often takes on the leadership role in addressing risk. ____________

False

The secretarial community often takes on the leadership role in addressing risk. ____________

False

The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks.

False

The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.

False

Threats from insiders are more likely in a small organization than in a large one.

False

Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.

Field change order

Which of the following is the first step in the process of implementing training?

Identify program scope, goals, and objectives

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

Legal management must develop corporate-wide standards

Which of the following attributes of a network device is physically tied to the network interface?

MAC address

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Manufacturer's model or part number

Which of the following variables is the most influential in determining how to structure an information security program?

Organizational culture

Which of the following is an example of a technological obsolescence threat?

Outdated servers

List the stages in the risk identification process in order of occurrence.

1. Plan and organize the process
2. Create system component categories
3. Develop an inventory of assets
4. Identify threats
5. Specify vulnerable assets
6. Assign a value or impact rating to assets
7. Assess likelihood for vulnerabilities
8. Calculate the relative risk factor for assets
9. Conduct a preliminary review of possible controls
10. Document findings

Which of the following attributes does NOT apply to software information assets?

Product dimensions

What should you be armed with to adequately assess potential weaknesses in each information asset?

Properly classified inventory

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

Relative value

Which of the following is a disadvantage of the one-on-one training method?

Resource intensive, to the point of being inefficient

The identification and assessment of levels of risk in an organization describes which of the following?

Risk analysis

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

Risk assessment

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.

Risk assessment estimate factors

A program designed to improve the security of information assets by providing targeted information, skills, and guidance for organizational employees.

SETA

Data classification schemes should categorize information assets based on which of the following?

Sensitivity and security needs

List the steps of the seven-step methodology for implementing training.

The seven-step methodology for implementing training is as follows: Step 1: Identify program scope, goals, and objectives. Step 2: Identify training staff. Step 3: Identify target audiences. Step 4: Motivate management and employees. Step 5: Administer the program. Step 6: Maintain the program. Step 7: Evaluate the program

Describe the use of an IP address when deciding which attributes to track for each information asset.

This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Threats-vulnerabilities-assets worksheet

A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________

True

Each organization has to determine its own project management methodology for IT and information security projects.

True

Planners need to estimate the effort required to complete each task, subtask, or action step.

True

Small organizations spend more per user on security than medium- and large-sized organizations.

True

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

True

The InfoSec community often takes on the leadership role in addressing risk.

True

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

Uncertainty

Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?

Uncertainty percentage

What is defined as specific avenues that threat agents can exploit to attack an information asset?

Vulnerabilities

Having an established risk management program means that an organization's assets are completely protected.

false

Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

false

Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________

false

The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. ____________

false

Which of the following is NOT a step in the process of implementing training?

hire expert consultants

A set of strategies for managing the processes, tools, and policies necessary to prevent, detect, document, and counter threats to digital and non-digital information. Many large enterprises employ a dedicated security group to implement and maintain it.

infosec program

Which of the following is true about a company's InfoSec awareness Web site?

it should be tested with multiple browsers

GGG (guards, gates, and guns) security is commonly used to describe which aspect of security?

physical

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

planning

Occurs when a project manager spends more time working in the project management software than accomplishing meaningful project work.

projectitis

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.

qualitative assessment

Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.

ranked vulnerability risk worksheet
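The risk-rating formula in the "risk assessment estimate factors" card above (likelihood of the vulnerability times the asset's value, minus the percentage of risk mitigated by current controls, plus the uncertainty of current knowledge) is what produces the risk-rating ranked values in the ranked vulnerability risk worksheet. The following is an added example, not code from the textbook or from this study set: it applies that formula to a handful of asset-vulnerability pairs and sorts them highest-risk first. The asset names, values, likelihoods and control-coverage figures are constructed for illustration; mitigation and uncertainty are treated as percentages of the base likelihood-times-value figure, which is an assumption about how the formula is applied.

```python
"""Ranked vulnerability risk worksheet from the textbook risk-estimate factors.

Added example; the inventory below is constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetVulnerability:
    asset: str
    asset_value: float     # relative value / impact score assigned to the asset
    vulnerability: str
    likelihood: float      # probability the vulnerability is exploited, 0.0-1.0
    mitigated: float       # fraction of the risk already removed by current controls, 0.0-1.0
    uncertainty: float     # fraction by which the estimate may be wrong, 0.0-1.0


def risk_rating(pair: AssetVulnerability) -> float:
    """Risk = (likelihood x asset value)
              - percentage of that risk mitigated by current controls
              + percentage reflecting uncertainty of current knowledge.

    Mitigation and uncertainty are applied as fractions of the base
    (likelihood x value) figure; this is an assumption about the formula.
    """
    for name in ("likelihood", "mitigated", "uncertainty"):
        v = getattr(pair, name)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {v}")
    base = pair.likelihood * pair.asset_value
    rating = base - base * pair.mitigated + base * pair.uncertainty
    return round(rating, 2)


def ranked_worksheet(pairs):
    """Return (asset, vulnerability, rating) rows, highest rating first,
    i.e. the order in which control selection should consider them."""
    rows = [(p.asset, p.vulnerability, risk_rating(p)) for p in pairs]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample inventory (values chosen for illustration only).
SAMPLE_PAIRS = [
    AssetVulnerability("web server", 50, "unpatched HTTP service", 1.0, 0.0, 0.10),
    AssetVulnerability("customer DB", 100, "weak DBA password", 0.5, 0.5, 0.20),
    AssetVulnerability("customer DB", 100, "unencrypted backup tape", 0.1, 0.0, 0.20),
]

if __name__ == "__main__":
    print(f"{'rating':>6}  {'asset':<12} vulnerability")
    for asset, vuln, rating in ranked_worksheet(SAMPLE_PAIRS):
        print(f"{rating:6.1f}  {asset:<12} {vuln}")
```

Note that the worksheet rows carry only the asset, its impact value, the vulnerability, the likelihood and the resulting risk-rating factor; the uncertainty percentage feeds the calculation but is not itself a worksheet column, which is why the "NOT among the typical columns" card above singles it out.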

What is the SETA program designed to do?

reduce the occurrence of accidental security breaches

Remains even after current control has been applied.

residual risk

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy.

risk analysis

The quantity and nature of risk that organizations are willing to accept.

risk appetite

The recognition, enumeration, and documentation of risks to an organization's information assets.

risk identification

The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

risk management

The expansion of the quantity or quality of project deliverables from the original project plan.

scope creep

A SETA program consists of three elements: security education, security training, and which of the following?

security awareness

Formal process for educating employees about computer security.

security awareness program

In larger organizations, responsible for some aspect of information security; in smaller organizations, this title may be assigned to the only or senior security administrator.

security manager

Which of the following is the most cost-effective method for disseminating security information and news to employees?

security newsletter

These individuals oversee the day-to-day operation of the plans put forth by the CISO and CSO. Typically, a person entering cybersecurity would apply for this as a first job.

security technicians

Entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology.

security watchstander

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

system testing

