Chapter 6
The term "data owner" refers to the person or group that manages an IT infrastructure. A. True B. False
B. False The term "system owner" refers to the person or group that manages the infrastructure. The data owner is the person who owns the data or of someone the owner assigns.
With proactive change management, management initiates the change to achieve a desired goal. A. True B. False
A. True
Procedures do NOT reduce mistakes in a crisis. A. True B. False
B. False Procedures reduce mistakes in a crisis, ensure you don't miss important steps, provide for places within the process to conduct assurance checks, and are mandatory requirements.
Policies that cover data management should cover transitions throughout the data life cycle. A. True B. False
A. True
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions? A. Value B. Sensitivity C. Criticality D. Threat
D. Threat The three characteristics normally used to make classification decisions are value, sensitivity, and criticality.
A remediation liaison makes sure all personnel are aware of and comply with an organization's policies. A. True B. False
B. False A compliance liaison makes sure all personnel are aware of and comply with an organization's policies. Remediation involves fixing something that is broken or defective.
One advantage of using a security management firm for security monitoring and is that it has a high level of expertise. A. True B. False
A. True
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? A. Baseline B. Policy C. Guideline D. Procedure
A. Baseline Baselines provide basic configurations for specific types of computers or devices. Baselines are the benchmarks that help make sure a minimum level of security exists across multiple systems and across different products.
A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing. A. True B. False
A. True
Which agreement type is typically less formal than other agreements and expresses areas of common interest? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
C. Memorandum of understanding (MOU) An MOU, also called a letter of intent, is an agreement between two or more parties that expresses areas of common interest that result in shared actions. MOUs are generally less enforceable than a formal agreement.
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of? A. Intimidation B. Name dropping C. Appeal for help D. Phishing
D. Phishing Phishing attacks use email messages and/or webpages that resemble the work of a reputable organization. They attempt to deceive users into revealing sensitive information, such as passwords.
Which activity manages the baseline settings for a system or device? A. Configuration control B. Reactive change management C. Proactive change management D. Change control
A. Configuration control Configuration control is the management of the baseline settings for a system device. The baseline settings are designed to meet security requirements.
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data? A. Formatting B. Degaussing C. Physical destruction D. Overwriting
A. Formatting Formatting a disk does not remove the data stored on it and is not a reliable data destruction technique. Physically destroying the media, overwriting the data multiple times, and degaussing with a magnetic field are all acceptable means for data destruction.
Which of the following would NOT be considered in the scope of organizational compliance efforts? A. Laws B. Company policy C. Internal audit D. Corporate culture
A. Laws Organizational compliance efforts include compliance with an organization's own policies, audits, culture, and standards. Legal compliance falls under the realm of regulatory compliance, not organizational compliance.
Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking? A. Project initiation and planning B. Functional requirements and definition C. System design specification D. Operations and maintenance
A. Project initiation and planning The project initiation and planning phase includes developing project budgets, system design, maintenance, and the project timeline.
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
A. Service level agreement (SLA) SLAs are formal contracts that detail the specific services a vendor will provide. Notification of security breaches is a common requirement found in SLAs.
A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans. A. True B. False
A. True
Classification scope determines what data you should classify; classification process determines how you handle classified data. A. True B. False
A. True
Company-related classifications are not standard, therefore, there may be some differences between the terms "private" and "confidential" in different companies. A. True B. False
A. True
Social engineering is deceiving or using people to get around security controls. A. True B. False
A. True
Standards are used when an organization has selected a solution to fulfill a policy goal. A. True B. False
A. True
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege. A. True B. False
A. True
Written security policies document management's goals and objectives. A. True B. False
A. True
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? A. Reduced operating costs B. Access to a high level of expertise C. Developing in-house talent D. Building internal knowledge
B. Access to a high level of expertise In this scenario, Mark is most likely to achieve access to a high level of expertise because security vendors focus exclusively on providing advanced security services. Mark's costs are likely to increase rather than decrease with outsourcing, and this decision will inhibit developing internal knowledge and talent.
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? A. An organization should collect only what it needs. B. An organization should share its information. C. An organization should keep its information up to date. D. An organization should properly destroy its information when it is no longer needed.
B. An organization should share its information. The OECD guidelines state that an organization should NOT share its information. Other principles in those guidelines state that organizations should collect only what they need, keep information up-to-date, properly destroy information, and use information only for the purpose for which it was collected.
In an accreditation process, who has the authority to approve a system for implementation? A. Certifier B. Authorizing official (AO) C. System owner D. System administrator
B. Authorizing official (AO) The authorizing official (AO) is a senior manager who reviews the certification report and makes the decision to approve a system for implementation. The AO officially acknowledges and accepts the risk that the system may pose to agency mission, assets, or individuals.
A hardware configuration chart should NOT include copies of software configurations. A. True B. False
B. False A hardware configuration chart should include copies of all software configurations so that you can examine changes and updates planned for one device in terms of their impact on other devices.
Certification is the formal agreement by an authorizing official to accept the risk of implementing a system. A. True B. False
B. False Accreditation is the formal agreement by an authorizing official to accept the risk of implementing a system. Certification is the process of reviewing a system throughout its life cycle to ensure that it meets its specified security requirements.
Change doesn't create risk for a business. A. True B. False
B. False Change creates risk for a business. It might circumvent established security features and it could result in outage or system failure. It might require extensive retraining for employees to learn how to use the new systems.
Configuration changes can be made at any time during a system life cycle and no process is required. A. True B. False
B. False It's important that all configuration changes occur only within a controlled process. Uncontrolled configuration changes often result in conflicts and even new security vulnerabilities.
Mandatory vacations minimize risk by rotating employees among various systems or duties. A. True B. False
B. False Job rotation minimizes risk by rotating employees among various systems or duties. Mandatory vacations give you the opportunity to detect fraud. When users are on vacation, you should suspend their access to your environment.
Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets. A. True B. False
B. False The interconnection service agreement (ISA) serves as an agreement that documents the technical requirements of interconnected assets, and is often an extension of a MOU. A BPA creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services.
What is the correct order of steps in the change control process? A. Request, approval, impact assessment, build/test, monitor, implement B. Request, impact assessment, approval, build/test, implement, monitor C. Request, approval, impact assessment, build/test, implement, monitor D. Request, impact assessment, approval, build/test, monitor, implement
B. Request, impact assessment, approval, build/test, implement, monitor The sequence of events during the change control process is request, impact assessment, approval, build/test, implement, and monitor.
In what type of attack does the attacker send unauthorized commands directly to a database? A. Cross-site scripting B. SQL injection C. Cross-site request forgery D. Database dumping
B. SQL injection In an SQL injection attack, the attacker executes malicious SQL statements against a database that provide unauthorized access to data or allow other unauthorized database activities.
What is NOT a good practice for developing strong professional ethics? A. Set the example by demonstrating ethics in daily activities B. Encourage adopting ethical guidelines and standards C. Assume that information should be free D. Inform users through security awareness training
C. Assume that information should be free Users should not assume that information is free and respect intellectual property rights. Assuming that information should be free is one of the common fallacies about ethics.
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? A. Seeking to gain unauthorized access to resources B. Disrupting intended use of the Internet C. Enforcing the integrity of computer-based information D. Compromising the privacy of users
C. Enforcing the integrity of computer-based information RFC 1087 outlines six categories of unethical activity. IAB considers unethical and unacceptable any activity that purposely (1) seeks to gain unauthorized access to the resources of the Internet, (2) disrupts the intended use of the Internet, (3) wastes resources (people, capacity, computer) through such actions, (4) destroys the integrity of computer-based information, (5) compromises the privacy of users, or (6) involves negligence in the conduct of Internet-wide experiments.
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? A. Identification B. Authentication C. Accountability D. Authorization
D. Authorization Authorization determines the permissions that a user or process has in an access control scheme. In this case, Janet is determining those permissions, so she is performing an authorization function.
What is NOT a goal of information security awareness programs? A. Teach users about security objectives B. Inform users about trends and threats in security C. Motivate users to comply with security policy D. Punish users who violate policy
D. Punish users who violate policy : Security awareness programs should teach, inform, and motivate users. Although users who intentionally violate policies may be punished for their actions, this is a disciplinary issue that should be handled outside of the awareness program.
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? A. Job rotation B. Least privilege C. Need-to-know D. Separation of duties
D. Separation of duties The principles of separation of duties breaks a task into subtasks that different users must carry out. This means that a single user cannot carry out a critical task without the help or approval of another user.
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? A. Spiral B. Agile C. Lean D. Waterfall
D. Waterfall The waterfall model is a sequential process for developing software. The essence of the waterfall model is that no phase begins until the previous phase is complete.