Ball State CIS 410 Hua Exam 1, Test 1 ch 1-4 cis 410

¡Supera tus tareas y exámenes ahora con Quizwiz!

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. SANS (ISC)2 ACM ISACA

(ISC)2

There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed.

1. Compromises to Intellectual Property (Ex. Piracy) 2. Deviations in Quality of Service (Ex. WAN Service Problems) 3. Espionage (Ex. Unauthorized Access or Data Collection) 4. Forces of Nature (Ex. Fire) 5. Human Error (Ex. Employee Mistakes) 6. Information Extortion (Ex. Blackmail)

What are the three distinct groups of decision makers or communities of interest on an information security team?

1. Those in the field of information security 2. Those in the field of IT 3. Those from the rest of the organization

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons? A. For political advantage B. For private financial gain C. For purposes of commercial advantage D. In furtherance of a criminal act

A. For political advantage

Which of the following is true about planning? A. Strategic plans are used to create tactical plans. B. Tactical plans are used to create strategic plans. C. Operational plans are used to create strategic plans. D. Operational plans are used to create tactical plans.

A. Strategic plans are used to create tactical plans.

Which statement defines the differences between a computer virus and a computer worm? A. Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate. B. Worms can copy themselves to computers and viruses can copy themselves to smartphones. C. Worms can make copies all by themselves on one kind of computer but viruses can make copies all by themselves on any kind of computer. D. Worms and viruses are the same.

A. Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.

A risk assessment is performed during which phase of the SDLC? A. analysis B. design C. investigation D. implementation

A. analysis

​The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. A. chief information security officer B. security technician C. ​chief technology officer D. security manager

A. chief information security officer

A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________. A. e-discovery B. indexing C. root cause analysis D. forensics

A. e-discovery

Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? A. fear of humiliation B. probability of being penalized C. probability of being caught D. fear of penalty

A. fear of humiliation

One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. A. hacktivism B. red teaming C. phreaking D. cyberhacking

A. hacktivism

In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________. A. identifying relevant items of evidentiary value B. acquiring (seizing) the evidence without alteration or damage C. investigating allegations of digital malfeasance D. analyzing the data without risking modification or unauthorized access

A. identifying relevant items of evidentiary value

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? A. malice B. accident C. ignorance D. intent

A. malice

The EISP must directly support the organization's __________. A. mission statement B. financial statement C. values statement D. public announcements

A. mission statement

IT's focus is the efficient and effective delivery of information and administration of information resources, while InfoSec's primary focus is the __________ of all information assets. A. protection B. valuation C. operation D. availability

A. protection

Which type of planning is the primary tool in determining the long-term direction taken by an organization? A. strategic B. tactical C. managerial D. operational

A. strategic

When creating a __________, each level of each division translates its goals into more specific goals for the level below it. A. strategic plan B. maintenance program C. security policy D. security program

A. strategic plan

The final component of the design and implementation of effective policies is __________. A. uniform and impartial enforcement B. universal distribution C. complete distribution D. full comprehension

A. uniform and impartial enforcement

Which of the following is a key advantage of the bottom-up approach to security implementation? A. utilizing the technical expertise of the individual administrators B. strong upper-management support C. a clear planning and implementation process D. coordinated planning from upper management

A. utilizing the technical expertise of the individual administrators

Which of the following should be included in an InfoSec governance program? 1)An InfoSec risk management methodology 2)An InfoSec maintenance methodology 3)An InfoSec project management assessment 4)All of these are components of the InfoSec governance program.

An InfoSec risk management methodology

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? A. Systems Management B. Policy Review and Modification C. Limitations of Liability D. Statement of Purpose

B. Policy Review and Modification

Which law extends protection to intellectual property, which includes words published in electronic formats? A. Security and Freedom through Encryption Act B. U.S. Copyright Law C. Sarbanes-Oxley Act D. Freedom of Information Act

B. U.S. Copyright Law

In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution. A. justification B. analysis C. implementation D. investigation

B. analysis

A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs. A. disaster recovery planning B. business mission C. joint application design D. security policy review

B. business mission

Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________. A. data custodians B. data users C. data owners D. data generators

B. data users

With policy, the most common distribution methods are hard copy and __________. A. final B. electronic C. draft D. published

B. electronic

In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies? A. design B. implementation C. investigation D. analysis

B. implementation

Which phase of the SDLC should see clear articulation of goals? A. analysis B. investigation C. implementation D. design

B. investigation

Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. A. management guidance, technical directive B. management guidance, technical specifications C. management directive, technical specifications D. management specification, technical directive

B. management guidance, technical specifications

A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________. A. formula B. methodology C. model D. approach

B. methodology

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. A. chief technology officer B. security manager C. chief information security officer D. security technician

B. security manager

When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, and so that it selects key stakeholders as well as the ____________. Chairman of the Board Board Finance Committee Board Risk Committee Board Ethics Committee

Board Risk Committee

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past? A. Deontological ethics B. Normative ethics C. Descriptive ethics D. Applied ethics

C. Descriptive ethics

__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. A. Leading B. Controlling C. Governance D. Strategy

C. Governance

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system? A. Computer Fraud and Abuse Act B. The Telecommunications Deregulation and Competition Act C. The Computer Security Act D. National Information Infrastructure Protection Act

C. The Computer Security Act

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________. A. forensic finding B. search warrant C. affidavit D. subpoena

C. affidavit

A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a(n) __________. A. phreaker B. expert hacker C. cracker D. penetration tester

C. cracker

A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. A. denial of service B. spam C. distributed denial of service D. virus

C. distributed denial of service

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. A. data imaging B. crime scene investigation C. forensics D. evidentiary material

C. forensics

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________. A. cracker B. expert hacker C. penetration tester D. phreaker

C. penetration tester

Which of the following is NOT one of the basic rules that must be followed when developing a policy? A. policy must be able to stand up in court if challenged B. policy should never conflict with law C. policy should be focused on protecting the organization from public embarrassment D. policy must be properly supported and administered

C. policy should be focused on protecting the organization from public embarrassment

To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology. A. size B. level of formatting C. reading level D. cost

C. reading level

Which of the following is compensation for a wrong committed by an individual or organization? A. due diligence B. liability C. restitution D. jurisdiction

C. restitution

The first priority of the CISO and the InfoSec management team should be the __________. A. adoption of an incident response plan B. development of a security policy C. structure of a strategic plan D. implementation of a risk management program

C. structure of a strategic plan

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________. A. exploit B. vulnerability C. threat D. attack

C. threat

Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. A. theft B. security C. trespass D. bypass

C. trespass

A potential weakness in an asset or its defensive control system(s) is known as a(n) __________. A. attack B. threat C. vulnerability D. exploit

C. vulnerability

One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

Computer security act

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)? A. Applied ethics B. Meta-ethics C. Normative ethics D. Deontological ethics

D. Deontological ethics

Technology services are usually arranged with an agreement defining minimum service levels known as a(n) __________. A. MIN B. SSL C. MSL D. SLA

D. SLA

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? A. Wood's model B. on-target model C. Bergeron and Berube model D. bull's-eye model

D. bull's-eye model

A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________. A. auditor B. sponsor C. overseer D. champion

D. champion

Which of the following is not among the "deadly sins of software security"? A. Web application sins B. implementation sins C. networking sins D. extortion sins

D. extortion sins

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? A. acting B. learning C. establishing D. initiating

D. initiating

Which of the following is a C.I.A. triad characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state? A. accountability B. authentication C. availability D. integrity

D. integrity

Access control list user privileges include all but which of these? A. write B. execute C. read D. operate

D. operate

Which type of planning is used to organize the ongoing, day-to-day performance of tasks? A. tactical B. organizational C. strategic D. operational

D. operational

Human error or failure often can be prevented with training and awareness programs, policy, and __________. A. hugs B. outsourcing C. ISO 27000 D. technical controls

D. technical controls

Which of the following are the two general groups into which SysSPs can be separated? A. business guidance and network guidance B. user specifications and managerial guidance C. technical specifications and business guidance D. technical specifications and managerial guidance

D. technical specifications and managerial guidance

Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? A. espionage or trespass B. sabotage or vandalism C. information extortion D. theft

D. theft

What should an effective ISSP accomplish?

Describes the organization's expectations about how its technology-based system should be used. Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control. Indemnifies the organization against liability for an employee's inappropriate or illegal use of the system.

Which policy is the highest level of policy and is usually created first? EISP USSP ISSP SysSP

EISP

ESD is the acronym for __________.

Electrostatic Discharge

T/F: "Technology" is the essential foundation of an effective information security program​

False

T/F: "Values" statements should be ambitious; after all, they are meant to express the aspirations of an organization.

False

T/F: Access control lists regulate who, what, when, where, and "why" authorized users can access a system.

False

T/F: Because it sets out general business intentions, a mission statement does not need to be concise.

False

T/F: Examples of actions that illustrate compliance with policies are known as "laws".

False

T/F: ISACA is a professional association with a focus on "authorization", control, and security. ___________

False

T/F: It is the responsibility of InfoSec professionals to understand state laws and "bills". ____________

False

T/F: The ISO 27014:2013 standard promotes five governance processes, which should be adopted by the organization's executive management and its "consultant".

False

T/F: The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and "decentralization".

False

T/F: To protect intellectual property and competitive advantage, Congress passed the "Entrepreneur" Espionage Act (EEA) in 1996.​

False

The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.

False

__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. Controlling Strategy Governance Leading

Governance

Discuss the three general categories of unethical behavior that organizations should try to control.

Ignorance Accident Intent Ignorance of the law is not a defense, but a lack of intent can be. Individuals within a business have the highest chance of causing harm or damage by accident.

__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them. Dumpster diving Competitive advantage Packet sniffing Industrial espionage

Industrial espionage

What is a key difference between law and ethics?

Laws bear the sanction of a governing authority and ethics do not.

_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present. Portable Desktop computer Satellite transceiver Expansion

Portable

Which of the following is an information security governance responsibility of the chief information security officer? 1)Implement incident response programs to detect security vulnerabilities and breaches. 2)Set security policy, procedures, programs, and training. 3)Develop policies and the program. 4)Brief the board, customers, and the public.

Set security policy, procedures, programs, and training.

Which of the following is true about planning? 1)Tactical plans are used to create strategic plans. 2)Operational plans are used to create strategic plans. 3)Strategic plans are used to create tactical plans. 4)Operational plans are used to create tactical plans.

Strategic plans are used to create tactical plans.

Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?

The Freedom of Information Act (FOIA) allows for the disclosure of previously undisclosed information and documents controlled by the US government. The FOIA applies only to federal agencies and does not affect local state agencies.

Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?

The Freedom of Information act requires all federal agencies to disclose records requested in writing by any person. FOIA only applies to federal agencies. Each state has its own public access laws that should be consulted for access to state and local records.

What should an effective ISSP accomplish?

The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource.

Discuss the planning element of information security.

The planning element of information security is the integration of strategies such as IT strategies to develop information security strategies. The goal is to make plans that support long term achievement of the overall organizational strategy. Information security plans include incident response planning, risk management planning, and security program planning.

What are the three distinct groups of decision makers or communities of interest on an information security team?

Those in the field of information security. Those in the field of IT. Those from the rest of the organization.

Describe the foundations and frameworks of ethics.

Traditional foundations and frameworks of ethics include: 1. Normative ethics- what makes actions right or wrong 2. Meta-ethics- the meaning of ethical judgements and properties 3. Descriptive ethics- the choices that have been made by individuals in the past 4. Applied ethics- applies moral codes to actions drawn from realistic situations 5. Deontological ethics- the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences

T/F: According to the CGTF, the organization should treat InfoSec as an "integral" part of the system life cycle.

True

T/F: Enterprise "risk management" is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.

True

T/F: The Gramm-Leach-Bliley (GLB) Act, also known as the "Financial" Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies.

True

T/F: ​Information security policies are designed to provide structure in the workplace and explain the "will" of the organization's management.

True

Which law extends protection to intellectual property, which includes words published in electronic formats? Freedom of Information Act Security and Freedom through Encryption Act Sarbanes-Oxley Act U.S. Copyright Law

U.S. Copyright Law

Which statement defines the differences between a computer virus and a computer worm? 1)Worms can make copies all by themselves on one kind of computer but viruses can make copies all by themselves on any kind of computer. 2)Worms and viruses are the same. 3)Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate. 4)Worms can copy themselves to computers and viruses can copy themselves to smartphones.

Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.

What do audit logs that track user activity on an information system provide? authentication authorization accountability identification

accountability

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.

affidavit

In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution. implementation justification investigation analysis

analysis

The most complex part of an investigation is usually __________. analysis for potential EM preventing the destruction of potential EM protecting potential EM requesting potential EM

analysis for potential EM

An approach that applies moral codes to actions drawn from realistic situations.

applied ethics

A(n) __________ is an act against an asset that could result in a loss.

attack

A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. breach compromise notification spill

breach

Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? 1)can suffer from poor policy dissemination, enforcement, and review 2)may skip vulnerabilities otherwise reported 3)implementation can be less difficult to manage 4)may be more expensive than necessary

can suffer from poor policy dissemination, enforcement, and review

​The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. security technician ​chief technology officer chief information security officer security manager

chief information security officer

Some information gathering techniques are quite legal—for example, using a Web browser to perform market research. These legal techniques are called, collectively, __________.

competitive intelligence

Which of the following are instructional codes that guide the execution of the system when information is passing through it? capability tables access control lists configuration rules user profiles

configuration rules

The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. convergence combination optimization intimation

convergence

Addresses violations harmful to society and is actively enforced and prosecuted by the state.

criminal law

Focuses on enhancing the security of the critical infrastructure in the United States.

cybersecurity act

Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________. data owners data custodians data generators data users

data users

The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. analysis design implementation investigation

design

An organization increases its liability if it refuses to take the measures a prudent organization should; this is known as the standard of _____________.

due care

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? policy administration due diligence certification and accreditation adequate security measures

due diligence

A collection of statutes that regulates the interception of wire, electronic, and oral communications.

electronic communication privacy act

According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? initiating learning establishing acting

establishing

Defines socially acceptable behaviors.

ethics

The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.

ethics

"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. __________

false

A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of systems.

false

Access control lists regulate who, what, when, where, and why authorized users can access a system.

false

ISACA is a professional association with a focus on authorization, control, and security. ___________

false

Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. _________________________

false

It is the responsibility of InfoSec professionals to understand state laws and bills. ____________

false

Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________

false

The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________

false

The authorization process takes place before the authentication process.

false

The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. ____________

false

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.​ ___________

false

Values statements should be ambitious; after all, they are meant to express the aspirations of an organization. ____________

false

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. forensics evidentiary material data imaging crime scene investigation

forensics

The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective. The letters stand for __________, __________, and __________. 1)governance, risk management, compliance 2)governance, risk control, confidentiality 3)government, regulation, classification 4)generalization, risk assessment, cryptography

governance, risk management, compliance

One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. phreaking hacktivism cyberhacking red teaming

hacktivism

In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies? design investigation implementation analysis

implementation

The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security. operational cyber information network

information

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? establishing acting initiating learning

initiating

A detailed outline of the scope of the policy development project is created during which phase of the SDLC? implementation investigation design analysis

investigation

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? user-specific enterprise information issue-specific system-specific

issue-specific

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? ignorance malice intent accident

malice

Communications security involves the protection of which of the following? media, technology, content radio handsets the IT department people, physical assets

media, technology, content

Which of the following explicitly declares the business of the organization and its intended areas of operations? values statement vision statement business statement mission statement

mission statement

The protection of voice and data components, connections, and content is known as __________ security. national network cyber operational

network

The study of what makes actions right or wrong, also known as moral theory.

normative ethics

The three levels of planning are strategic planning, tactical planning, and __________ planning.

operational

Which type of planning is used to organize the ongoing, day-to-day performance of tasks? operational strategic tactical organizational

operational

resources to support the accomplishment of objectives? planning controlling leading organization

organization

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy? policy developer policy enforcer policy reviewer policy administrator

policy administrator

Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected? accountability availability confidentiality privacy

privacy

Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________. proper development proper conception proper implementation proper design

proper conception

Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

public law

Which of the following is NOT an approach to password cracking? social engineering attacks dictionary attacks brute force ransomware

ransomware

To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology. level of formatting cost reading level size

reading level

A momentary low voltage is called a(n) __________.

sag

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________. search warrant subpoena affidavit forensic clue

search warrant

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. chief information security officer security manager security technician chief technology officer

security manager

A qualified individual who is tasked with configuring security technologies and operating other technical control systems is known as a(n) ____________. security manager chief information security officer security technician chief technology officer

security technician

"4-1-9" fraud is an example of a __________ attack. worm spam virus social engineering

social engineering

Which type of document is a more detailed statement of what must be done to comply with a policy? procedure standard practice guideline

standard

Human error or failure often can be prevented with training and awareness programs, policy, and __________. ISO 27000 technical controls outsourcing hugs

technical controls

Which of the following are the two general groups into which SysSPs can be separated? 1)business guidance and network guidance 2)technical specifications and business guidance 3)user specifications and managerial guidance 4)technical specifications and managerial guidance

technical specifications and managerial guidance

An example of a company stakeholder includes all of the following EXCEPT: the general public employees management stockholders

the general public

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? 1)legal recourse 2)the penalties for violation of the policy 3)appeals process 4)individual responsible for approval

the penalties for violation of the policy

Digital forensics can be used for two 1)key purposes: ________ or _________. to investigate allegations of digital malfeasance; to perform root cause analysis 2)to solicit testimony; to perform root cause analysis 3)to investigate allegations of digital malfeasance; to solicit testimony 4)e-discovery; to perform root cause analysis

to investigate allegations of digital malfeasance; to perform root cause analysis

A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.

true

A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. __________

true

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

true

Policies must specify penalties for unacceptable behavior and define an appeals process.

true

​Deterrence is the best method for preventing an illegal or unethical activity. ____________

true

​Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________

true

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? issue-specific security policies user-specific security policies enterprise information security policy system-specific security policies

user-specific security policies


Conjuntos de estudio relacionados

PSY 100- Exam 3 Study Guide- Chap. 7, 9, 10

View Set

Prejudice, Discrimination, Stereotyping 1

View Set

Ch. 32 The Challenges of the Twenty-First Century

View Set

Chapter 17: Information Security: Barbarians at the Gateway (and Just About Everywhere Else)

View Set

General Psychology Test 2 Ch.8 Learning Notes

View Set