Chapter 1-9 Quizzes
Fill in the blank: _____________________ is a system by which an organization directs and controls its overall security, thereby meeting all strategic needs of the organization. A. Security Management. B. Security Governance. C. Security Classfication. D. Security Detection.
B
An action to stop a potential threat from causing damage and is specific to the threat and thus needs to be chosen judiciously because this choice has major impacts on cost, functionality, and continuity of the system is known as: A. Threat management. B. Risk management. C. Control D. None of the above.
A
Define the level of a cybersecurity learning continuum that has a set of activities that explains and promotes security, establishes, accountability, and informed the workforce of security news. A. Awareness. B. Education. C. Training. D. None of the above.
A
Fill in the blank: Any trapdoor or unintended weak point of a system is a ________________________. A. Vulnerability. B. Exposure. C. Weakness. D. Susceptibility.
A
Fill in the blank: Anything that has a monetary value is a (an) ____________________ of an organization. A. Asset. B. Property. C. Resource. D. Benefit.
A
Fill in the blank: ________________________ holds overall responsibility for the management of all aspects of information security. A. Information Custodians. B. Information Security Manager. C. Business Owners. D. Chief Information Security Officer.
B
In the ______________________ and ___________________ phase the practices of continuous monitoring, customer feedback, and optimization to monitor how applications are performing, allowing business to adapt their requirements as needed. A. Interrogation; testing B. Monitoring; optimization C. Developing; testing D. Releasing; optimization
B
In which best practice for managing SDLC do you ensure that management discuss and agree on a set of performance metrics that can be defined, tracked, and analyzed to assess progress in the system development? A. Data centralization B. Metrics C. Terminology D. Ownership
B
The development and the appropriation of activities needed for the maintenance of plans for resilience and for restoration of capabilities or service impaired due to cybersecurity event is known as: A. Response. B. Recovery. C. Detection. D. Identification.
B
The weakest link in an information security chain is (are) the _______________________________ by or associated with the organization. A. System used. B. People employed. C. Neither of the above. D. Both the above.
B
Under the RACI acronym: the stakeholder that has the decision-making authority and is expected to ensure that successful completion of the activity is __________________. A. Responsible. B. Accountable. C. Consulted. D. Informed.
B
When individuals at an organization are given separate tasks so that there will be no inappropriate use or penetration of such inappropriate use it is known as: A. Separation of responsibilities. B. Separation of duties. C. Separation of tasks. D. None of the above.
B
Which of the following is NOT a possible type of threat in the information collection process? A. Surveillance. B. Investigation. C. Interrogation. D. None of the above.
B
Fill in the blank: The last stage of the information risk management involves continues ____________ and ______________ of all risk information obtained from risk management activities. A. Monitoring; review. B. Assessment; motoring. C. Review; evaluation. D. None of the above.
A
Fill in the blank: ___________________ includes intangible assets, such as the reputation of the organization. A. Business Assets. B. Software Assets. C. Information Assets. D. None of the above.
A
Fill in the blank: _______________________ is the most crucial component for the success of any cybersecurity program. A. Information Protection. B. Executive Management Support. C. Business and Information Relationship. D. None of the above.
A
Fill in the blank: ______________________________ is concerned with making decisions to mitigate risks by using the information as input and then applying it in the risk management processes. A. Security Management. B. Security Governance. C. Security Classification. D. Security Detection.
A
In which best practice for managing SDLC do you strive to make any and all system development management data clear to all other appropriate stakeholders? A. Transparency B. Terminology C. Metrics D. None of the above
A
One of the challenges with BYOD is personal devices are vulnerable to malware app. Further, an organization needs to be concerned about unauthorized access to corporate data via mobile apps. This challenge is known as: A. Malicious applications. B. Hacking issues. C. Virus risk. D. None of the above.
A
Personal data collected for one purpose should not be used for a new, incompatible purpose. This is known as: A. Purpose limitation. B. Limited use. C. Limited purpose. D. None of the above.
A
The development of implementation of appropriate activities for taking action regarding a detected cybersecurity event is also known as: A. Response. B. Detection. C. Identification. D. Protection.
A
The use of a person's identity or personality for the purpose of another is known as: A. Identity theft B. Appropriation C. Exposure D. None of the above.
A
This stage of obtaining the hardware includes contract negotiations and contract execution. A. Acquisition B. Vendor relationships C. Contract negotiations D. None of the above
A
Watching, listening to, or recording of an individual's activities without his or her consent or knowledge is one of the threats in the information collection process. It is also known as: A. Surveillance. B. Observation. C. Stalking. D. Inspection.
A
What is a threat classification system developed by Microsoft to categorize deliberately planned attacks? A. STRIDE. B. TRIDE. C. None of the above. D. All of the above.
A
When the applications is tested to ensure that it works with existing applications and systems, is known as: A. System integration testing. B. System modification testing. C. System recognition testing. D. None of the above.
A
Which of the following is NOT a role or structure of COBIT? A. Executive Management Support. B. Information Security Manager. C. Business Owners. D. Information Custodians.
A
Which of the following is a best practice for managing SDLC according to the International Foundation for Information Technology? A. Sanitation B. Inventory C. Research D. Integration
A
Which of the following is a key principles of the EU's GDPR? A. Purpose limitation. B. Data maximization. C. Data maintenance. D. All of the above.
A
Which of the is NOT a key challenge in developing an effective cybersecurity system? A. Assessment of security. B. Nature of threat. C. Scale of complexity of cyber security. D. All of the above are key challenges in developing an effective cybersecurity.
A
Who actively runs the management of the company? A. Primary stakeholders. B. Board of directors. C. Executive officers. D. None of the above.
A
Who acts as intermediaries between the business and IS functions? A. Information custodians and business owners. B. Enterprise risk management committee. C. Information Security Officer. D. Information Security Manager.
A
___________________ gives each person the minimum access necessary to do his or her job. A. Limited privilege. B. Limited access. C. Limited resources. D. None of the above.
A
Fill in the blanks: ___________________ specifies the accontability framework and provides oversight; meanwhile ____________________ ensures that controls are implemented to mitigate risks. A. Governance; users. B. Management; governance. C. Governance; management. D. Management; user.
C
If sensitive information is to be sent by a 3rd party, such as a courier or shipping service, policies, and procedures must be in place to ensure that this is done securely. This is known as: A. Identify and document B. Label C. Secure transport D. Storage
C
In the _________________ and _______________ phase the focus is on the collaborative development continuous integration of new code, and continues testing of the system. A. Developing; testing B. Interrogation; testing C. Interrogation; developing D. Developing; implementing
C
Limited reliance on key employees means: A. No more than 3 irreplaceable employees. B. Limited number of irreplaceable employees. C. No one in an organization is irreplaceable. D. None of the above.
C
The RACI acronyn stands for: A. Reasonable, Attainable, Consulted, Informed. B. Responsible, Attainable, Consulted, Informed. C. Responsible, Accountable, Consulted, Informed. D. Responsible, Accountable, Consulted, Informational.
C
The main decision-making body of the COBIT is: A. CISO B. ISO C. ISM D. None of the above
C
What is a focused reference guide for enterprises to identify and manage information security risks in their operations and supply chains? A. ISF B. ISMS C. NIST D. CISO
C
What is a strategy adopted by an organization that allows employees, business partners, and other users to utilize a personally selected and purchased client devices? A. Clients device management. B. Personal device management. C. Bring your own device. D. None of the above.
C
When the application is made available to users and feedback is captured by monitoring the application's availability and functionality is known as: A. User acceptance testing. B. Production. C. System integration testing. D. None of the above.
C
When the application is tested to ensure that it provides the required features for end users, it is known as ____________________. A. User recognition testing B. User friendliness testing C. User acceptance testing D. User approval testing
C
Which of the following is NOT one of the steps used to acquire any hardware assets? A. Request and approval B. Vendor relationships C. Manufacture D. Receipt
C
Which of the following is not a goal for a security awareness program? A. Help minimize the number and extent of information security branches. B. Communicate key recommended guidelines. C. Data management issues. D. Help enhance the consistency and effectiveness of existing IS.
C
______________________ includes planning, assurance, and control of keys to ensuring minimal defects in and proper execution of the information system. A. Security testing B. Secure environment C. Quality management D. Standards and processes
C
According to SP 800-14, major security concerns include the which of the following? A. Lack of physical security controls. B. Use of untrusted mobile devices. C. Interactions with other systems. D. All of the above.
D
All of the following are levels of cybersecurity learning continuum EXCEPT: A. Aware. B. Certification. C. Education. D. All of the above.
D
All of the following are major stages in the life cycle of an application/system EXCEPT: A. Development B. Production C. Implementation D. All of the above
D
All of the following are phases of the DevOps reference architecture EXCEPT for: A. Plan and measure B. Develop and test C. Implement and improve D. All of the above.
D
An ideal cybersecurity program should include which of the following points? A. Online video tutorials. B. A separate security website. C. Role-based training. D. Intrusion, types of intruders, techniques and motivation.
D
A (an) _______________________ receives an electronic signal from a controller and responds by interacting with its environment to induce a change in behavior of a physical, chemical, or biological entity. A. Sensor B. Actuator C. Radar D. Detector
B
A (an) ______________________________ is a set of policies and procedures for systematically managing an organization's sensitive data. A. Information systems. B. Information security management system. C. Cybersecurity management. D. None of the above.
B
All of the following are key security considerations that exist throughout the SDLC except: A. Secure environment B. Quality management C. Standards and processes D. Security testing
B
Any risk that has the potential to damage an asset is know as: A. Risk. B. Weakness. C. Threat. D. None of the above.
B
Fill in the blank: The 2 key pillars on which IT strategy planning should be based are mission ____________ and _________________________. A. Purpose and enterprise maturity. B. Necessity and enterprise maturity. C. None of the above. D. All of the above.
B
Fill in the blank: The most significant activity of the ISF is the ongoing development of the ________________________________. A. Assessment of security. B. Standard of Good Practice for Information Security. C. Planning for cybersecurity. D. Managing of trade-off between user needs and implementation.
B
Fill in the blank: _______________ refers to the public release of authentic personal information about an individuals. A. Blackmail. B. Disclosure. C. Expose. D. Release.
B
Fill in the blank: _____________________ implies development of organizational understanding of management of cybersecurity risk to systems, assets, data, and capabilities. A. Protection. B. Identification. C. Detection. D. Response.
B
Which of the following is a goal for a security awareness program? A. Motivate individuals to adopt recommended guidelines. B. Create a stronger culture of security with individual commitment to information security. C. Help enhance the consistency and effectiveness of existing information security controls. D. All of the above.
D
Which of the following is a key activity for information security according to the SGP? A. Planning for cybersecurity. B. Managing the cybersecurity. C. Assessment of security. D. All of the above.
D
Which of the following is a supporting technology that can be used to protect sensitive physical information? A. Access control. B. Vaulting. C. Time locks. D. All of the above.
D
Which of the following is not a major security concern for mobile devices according to SP 800-14? A. Use of location services. B. Use of untrusted mobile devices. C. Interaction with other systems. D. Mobile OS
D
__________________ holds overall responsibility for the management of all aspects of information security. A. Information custodians. B. Information Security Manager. C. Business Owners. D. Chief Information Security Officer.
B
All of the following are best practices for managing SDLC according to the International Foundation for Information Technology EXCEPT? A. Ownership B. Simplicity C. Transparency D. Terminology
C
All of the following are privacy threats EXCEPT: A. Disclosure. B. Breach of confidentiality. C. Information mismanagement. D. Blackmail.
C
All of the following are supported technologies that can be used to protect sensitive physical information EXCEPT: A. Locks B. Alarms C. Inactive D. Intelligence reports
C
Define the level of cybersecurity learning continuum that is intended to provide knowledge and skill-specfic to an individual's roles and responsibilities relative to the information systems. A. Education B. Role-based training. C. Training D. Cybersecurity essentials
C
FAIR defines the which key terms as follows: Any data, device, or other components of the environment that involves information and that can be illicitly accessed used, disclosed, altered, destroyed, and/or stolen, resulting in loss. A. Risk. B. Threat. C. Asset. D. Vulnerability.
C
Fill in the blank: A (an) ________________ assessment prioritizes the identified risks using a predefined rating scale. A. Risk Identification. B. Vulnerability Risk. C. Qualitative Risk. D. Control Risk.
C
Fill in the blank: _________________ is concerned with the perverseness and strength of IS mechanisms. A. Executive Management Support. B. Business and Information Relationship. C. Information Protection. D. None of the above.
C
Fill in the blank: _____________________ is the remaining portion of a threat after all efforts to identify and eliminate risk has been made. A. Fair Risk. B. Accurate Risk. C. Residual Risk. D. None of the above.
C
Fill in the blank: _________________________ is where you set the basic criteria necessary for information security risk management, define the scope and boundaries, and established an appropriate organization operating the information security risk management. A. Identifying Scope. B. Risk Analysis. C. Risk Establishment. D. Risk Assessment.
C
Any organization should adopt a well-drafted hardware life cycle management policy, considering the following reasons: A. Organizations not following any hardware asset management are often frustrated by the communication gaps that allow assets to be lost, acquisitions to be made when spares are in the warehouse, or upgrades failing due to incomplete information. B. Every hardware asset its own set of threats. An organization can reduce risk by having and using the tools to properly track and manage its hardware. C. Hardware life cycles are vendor dependent. D. All of the above.
D
Big organization employ a mix of many technologies such as: A. Cryptography. B. Network security protocols. C. Firewalls. D. All of the above.
D
Fill in the blank: During the risk treatment stage of information security management where is where you mitigate risk by either stopping/removing the source of risk or, _________________. A. Change the probability of happening. B. Change its possible impact. C. Hedge the risk with a 3rd party. D. All of the above.
D
Fill in the blank: _______________________ committee ensures constant monitoring and review to ensure the good practices in information security are applied effectively and consistently. A. Information Security Officer. B. Information Security Management. C. Information Custodian. D. Information Security Steering.
D
Fill in the blank: _______________________ is assessed according to a matrix. A. Impact. B. Risk tolerance. C. Control priorities. D. Risk level.
D
In which control gate do you determine if there have been changes in the planned level of effort and evaluate costs and benefits? A. Financial tests B. Cost-benefits analysis C. Performance review D. None of the above
D
Regarding risk assessment, all of the following are types of assets EXCEPT: A. Hardware Assets. B. Information Assets. C. Business Assets. D. All of the above.
D
The key challenges in developing an effective cybersecurity system are: A. Scale and complexity of cyberspace. B. Nature of threat. C. Trade-off between user needs and security implementation. D. All of the above.
D
The manipulation of the way a person is perceived and judged by others and involves the victim being inaccurately exposed to the public is known as: A. Blackmail B. Exposure C. Appropriation D. Distortion
D
What are some challenges in implementing a BYOD strategy? A. Data management issues. B. Data compliance issues. C. Lost or stolen devices. D. All of the above.
D
What are the 3 supplemental factors that are all part of the success of any security management system? A. Internal incident and global vulnerability reports. B. Standards and best practices. C. User feedback. D. All of the above.
D
Which of the following is NOT a common security threat to an ICS? A. Disrupting of service due to blocked or delayed flow of information through ICS networks. B. Financial losses due to interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment. C. Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment. D. Initiating payment of invoices and creating an incident to configure and deliver to the correct individual/location.
D
Which of the following is NOT a control gate at development/acquisition phase? A. Risk management review B. Performance review C. Functional test review D. All of the above
D
Which of the following is NOT a key ingredient of a sample risk analysis worksheet? A. Risk level. B. Control priorities. C. Impact. D. Risk tolerance.
D
Which of the following is NOT a key principle of the EU's GDPR? A. Fair, lawful, and transparent processing. B. Accuracy C. Accountability D. All of the above.
D
Which of the following is NOT a supporting technology that can be used to protect sensitive physical information? A. Identify and document B. Use limitation C. None are supporting technologies D. Fist responder interfaces
D
Which of the following is NOT one of the four risk-related standard documents that are published by Open Group? A. The Open Group Standard; Risk Taxonomy (2013). B. The Open Group Technical Guide; Requirements for Risk Assessment Methodologies (2009). C. The Open Group Technical Guide; FAIR-ISO/IEC 27005 Cookbook (2010). D. All of the above.
D
Which of the following is a common cybersecurity threat form? A. Malware. B. Virus. C. Worm. D. All of the above.
D
Which of the following is a common security threat to ICS? A. Disruption of service due to blocked or delay flow of information through ICS networks. B. Inaccurate information sent to system operators. C. ICS software or configuration settings modified. D. All of the above.
D
Which of the following is not a point for an ideal cybersecurity program? A. Social engineering and its implications to cybersecurity. B. Fundamental security design principles and their role in limiting points of vulnerability. C. Common cyber attack mechanisms, their consequences, and motivations behind them. D. Email advisories issued by industry-hosted news groups, academic institutions, or the organization's IT security office.
D
Which of the following is not a principle used to ensure personal security? A. Least privilege. B. Separation of duties. C. Limited reliance on key employees. D. All of the above.
D
_________________ includes workstations, servers, network device, and code repositories. A. Secure concept B. Standards and processes C. Secure code D. Secure environment
D
Which of the following are elements of an ICS? A. Sensor B. Actuator C. Controller D. Human-machine interface E. All of the above
E
T or F: Some key issues that can help secure physical information throughout its life cycle are time locks, inactive and transparency.
F
T or F: One of the reasons that must be considered for any organization to adopt a well-drafted hardware life include hardware life cycles are vendor dependent.
T
T or F: Some challenges in implementing a BYOD strategy include: data management issues, data compliance issues, malicious applications and lost or stolen devices.
T
T or F: Some supporting technologies that can be used to protect sensitive physical information are physical access solutions, time locks, fire protection systems and vaulting.
T