CINS 3044 Test 1

¡Supera tus tareas y exámenes ahora con Quizwiz!

Policy vs Law

Ignorance of a policy is an acceptable defense, whereas ignorance of law is not

•In digital forensics, all investigations follow the same basic methodology:

1.Identify relevant items of evidentiary value (EM) 2.Acquire (seize) the evidence without alteration or damage 3.Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized 4.Analyze the data without risking modification or unauthorized access 5.Report the findings to the proper authority

guidelines

nonmandatory recommendations the employee may use as a reference in complying with a policy

Accountability

the access control mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability

Digital Forensics

the preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root cause analysis

3 categories of unethical behavior:

•Ignorance •Accident •Intent

5 foundations and frameworks of ethics:

•Normative ethics •Meta-ethics •Descriptive ethics •Applied ethics •Deontological ethics

Unique functions of Info Sec (The 6 P's)

•Planning •Policy •Programs •Protection •People •Project management

5 ethical standards:

•Utilitarian approach •Rights approach •Fairness or justice approach •Common good approach •Virtue approach

5 Areas of Security

1. Physical Security 2. Operations Security 3. Communications security 4. Cyber Security 5. Network Security

IDEAL model

Initiating - lay the groundwork for a succesful imporvement enviroment, Diagnosing - determine where you are relative to where you want to be, Establishing - plan the specifics of how you will reach your destination, Acting - do the work according to the plan, Learning - learn from the experience

availability

an attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction

Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization.

examples

practices

examples of actions that illustrate compliance with policies

It is the responsibility of InfoSec professionals to understand state laws and bills. ____________

false

The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.

false

When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. __________

false

A model of InfoSec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model.

CNSS

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past?

Descriptive ethics

Tactical Planning

Has a short term focus of 1-3 years. breaks applicable strategic goals into a series of incremental objectives.

Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

Health Information Technology for Economic and Clinical Health Act

This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.

InfraGard

5 Steps to Solving Problems

Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare Possible Solutions (Feasibility Analyses) Step 5: Select, Implement, and Evaluate a Solution

Force of Nature

Things such as power outages from weather or acts of war.

The basic outcomes of InfoSec governance should include all but which of the following?

Time management by aligning resources with personnel schedules and organizational objectives

What is security?

To be free from danger. To be protected from the risk of loss, damage, unwanted modification, etc.

Espionage

When an unauthorized person gains access to protected information. Inlcudes: brute force attack, dictionary password attack, rainbow tables, social engineering.

standard

a detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance

policy

a set of organizational guidelines that dictate certain behavior within the organization

What are the two general approaches for controlling user authorization for the use of a technology?

access control lists and capability tables

Confidentiality

an attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems

Integrity

an attribute of information that describes how data is whole, complete, and uncorrupted

Vision Statement

an idealistic expression of what the organization wants to become, whereas the mission statement describes how it wants to get there

issue-specific security policy

an organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies

A risk assessment is performed during which phase of the SDLC?

analysis

The most complex part of an investigation is usually __________.

analysis for potential EM

Force majeure includes all of the following EXCEPT:

armed robbery

ethics

as the organized study of how humans ought to act or a set of rules we should live by

Intellectual Property

can be trade secrets, copyrights, trademarks, and patents. Includes 2 primary areas: software piracy and copyright protection.

Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information?

confidentiality

Information Security focuses on these 3 characteristics (CIA Triad):

confidentiality, integrity, availability

The process of integrating the governance of the physical security and information security efforts is known in the industry as __________.

convergence

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls.

deterrence

A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial of service

Ransomware

encrypt the user's data and offer to unlock it for a price

Access control lists regulate who, what, when, where, and why authorized users can access a system.

false

Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. _________________________

false

The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________

false

The first step in solving problems is to gather facts and make assumptions.

false

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.​ ___________

false

Values statements should be ambitious; after all, they are meant to express the aspirations of an organization. ____________

false

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?

frequency of review

One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

hacktivism

Quality of Service

includes powers grids, data networks, parts suppliers, etc. 3 primary areas: Internet issues, communications service, power irregularities

Configuration rules

instructional codes that guide the execution of the system when information is passing through it

Which of the following is a C.I.A. triad characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state?

integrity

A detailed outline of the scope of the policy development project is created during which phase of the SDLC?

investigation

Which phase of the SDLC should get support from senior management?

investigation

Enterprise information security policy

is high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts

Policy

organizational guidelines that dictate certain behavior within the organization, quality info sec program begins and ends with policy.

System-Specific Security Policies

organizational policies that often function as standards or procedures to be used when configuring or maintaining systems

IT's focus is the efficient and effective delivery of information and administration of information resources, while InfoSec's primary focus is the __________ of all information assets.

protection

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________.

security manager

procedures

step-by-step instructions designed to assist employees in following policies, standards, and guidelines

Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?

tactical

Authorization

the access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels

Authentication

the access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity

Identification

the access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system

Strategic planning

the process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort

Privacy

the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality

Governance

the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly

Digital forensics can be used for two key purposes: ________ or _________.

to investigate allegations of digital malfeasance; to perform root cause analysis

A clearly directed strategy flows from top to bottom rather than from bottom to top.

true

A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.

true

Policies must specify penalties for unacceptable behavior and define an appeals process.

true

The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.

true

Today's InfoSec systems need constant monitoring, testing, modifying, updating, and repairing.

true

​Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________

true

​Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________

true

Operational planning

used by managers and employees to organize the ongoing, day-to-day performance of tasks

In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?

waterfall


Conjuntos de estudio relacionados

Nursing Health Alterations: Practice test

View Set

Gray's Anatomy Review Questions: Head and Neck

View Set

chapter 1: welcome to economics homework

View Set

Quadratic Transformations and Word Problems

View Set

Infection Control Chapters 25-28

View Set

ISTQB Foundation Extension Agile Tester Chapter 1: Agile Software Development

View Set

AD Banker life and health comp exam pt. 1

View Set

Learning Study Guide- AP Psychology

View Set

Georgia Real Estate Exam Review Part B

View Set