CIST 1602 Module 1 Chapter 1&2, CIST 1602 Mod2 Chapter3&4, 1602 Module 3 Chapter 5&6, 1602 Module 4 Chapters 7&8, 1602 Module 5 Chapter 9&10, CIST 1602 Chapter 11 & 12
There are six key elements that the CP team must build into the DR Plan. What are three of them?
- Clear delegation of roles and responsibilities - Execution of the alert roster and notification of key personnel - Clear establishment of priorities - Procedures for documentation of the disaster - Action steps to mitigate the impact of the disaster on the operations of the organization - Alternative implementations for the various systems components, should primary versions be unavailable
Briefly describe five different types of laws.
1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. 2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. 3. Tort law is a subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury. 4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law. 5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.
There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed.
6 of the 12 general categories of threat to an organization are: Human error. This can be someone deleting important resources accidental Information extortion: This would be hacker blackmailing organizations of there resources Software attacks: Include several such as malware and DoS attacks Theft. Can include someone taking organizations property with out authority Forces of nature. When earthquakes, fire, floods, or event that humans can not control. Hardware failure. Sometimes when equipment are to old there can be equipment failure.
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
(ISC)2
timing channels
A TCSEC-defined covert channel, which transmit information by managing the relative timing of events.
task-based controls
A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.
blueprint
A framework or security model customized to an organization, including implementation details.
asset valuation
A process of assigning financial value or worth to each information asset.
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
defense
Application of training and education is a common method of which risk control strategy?
Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?
Are the user accounts of former employees immediately removed on termination?
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
Board Risk Committee
Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk Transference—Shifting risks to other areas or to outside entities Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control Termination—Removing or discontinuing the information asset from the organization's operating environment
Briefly describe the five basic strategies to control risk that result from vulnerabilities.
Which of the following is NOT a step in the problem-solving process?
Build support among management for the candidate solution
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
Bull's-eye model
In the event of an incident or disaster, which planning element is used to guide off-site operations?
Business continuity
single loss expectancy
By multiplying the asset value by the exposure factor, you can calculate which of the following?
Typically considered the top information security officer in an organization.
CISO
According to NIST SP 800-37, which of the following is the first step in the security controls selection process?
Categorize the information system and the information processed
Which document must be changed when evidence changes hands or is stored?
Chain of custody
In which type of site are no computer hardware or peripherals provided?
Cold site
Classification categories must be mutually exclusive and which of the following?
Comprehensive
one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
Computer Security Act (CSA)
After an incident, but before returning to its normal duties, the CSIRT must do which of the following?
Conduct an after-action review
Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event?
Contingency planning
content-dependent access controls
Controls access to a specific set of information based on its content.
Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
Cost of prevention
What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain that standard?
Due care and due diligence
Which policy is the highest level of policy and is usually created first?
EISP
a collection of statutes that regulates the interception of wire, electronic, and oral communications
Electronic Communications Privacy Act
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
Establishing
Which of the following is not among the 'deadly sins of software security'?
Extortion sins
A company striving for 'best security practices' makes every effort to establish security program elements that meet every minimum standard in their industry.
False
A comprehensive assessment of a system's technical and nontechnical protection strategies, as specified by a particular set of requirements is known as accreditation. ____________
False
A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________
False
Corruption of information can occur only while information is being stored.
False
Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization are known as program measurements. ____________
False
DoS attacks cannot be launched against routers.
False
Ethics carry the sanction of a governing authority.
False
In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.
False
In most organizations, the COO is responsible for creating the IR plan.
False
In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
False
Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________
False
MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
False
Most information security projects require a trained project developer. _________________________
False
Performance measurements are seldom required in today's regulated InfoSec environment.
False
Technology is the essential foundation of an effective information security program. _____________
False
The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
False
The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
False
The authorization by an oversight authority of an IT system to process, store, or transmit information is known as certification . ____________
False
The authorization process takes place before the authentication process.
False
The biggest barrier to baselining in InfoSec is the fact that many organizations do not share warnings with other organizations. ____________
False
The macro virus infects the key operating system files located in a computer's start up sector. _________________________
False
The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.
False
The secretarial community often takes on the leadership role in addressing risk. ____________
False
Threats from insiders are more likely in a small organization than in a large one.
False
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False
Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster.
False
Using standard digital forensics methodology, the first step is to analyze the EM data without risking modification or unauthorized access.
False
When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
False
Examples of actions that illustrate compliance with policies are known as laws.
False
Values statements should therefore be ambitous; after all, they are meant to express the aspirations of the organization.
False
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
False
Deterrence is the best method for preventing an illegal or unethical activity. ____________
False
Which of the following is the best example of a rapid-onset disaster?
Flood
In which contingency plan testing strategy do individuals follow each and every IR/DR/BC procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals?
Full-interruption
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPAA
Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
Health Information Technology for Economic and Clinical Health Act
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
IP address
Which of the following is the first step in the process of implementing training?
Identify program scope, goals, and objectives
Is a set of strategies for managing the processes, tools, and policies necessary to prevent, detect, document and counter threats to digital and non-digital information.Many large enterprises employ a dedicated security group to implement and maintain.
infosec program
Any court can impose its authority over an individual or organization if it can establish which of the following?
jurisdiction
In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
man-in-the-middle
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
penetration tester
Which of the following is NOT a primary function of Information Security Management?
performance
The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization.
performance measurements
GGG security is commonly used to describe which aspect of security?
physical
Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
planning
Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?
planning
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
policy
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
policy administrator
Step-by-step instructions designed to assist employees in following policies, standards and guidelines.
procedures
Occurs when a project manager spends more time working in the project management software than accomplishing meaningful project work.
projectitis
Those procedures that provide a superior level of security for an organization's information.
recommended business practices
What is the SETA program designed to do?
reduce the occurence of accidental security breaches
The quantity and nature of risk that organizations are willing to accept.
risk appetite
The recognition, enumeration, and documentation of risks to an organization's information assets.
risk identification
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
risk management
The expansion of the quantity or quality of project deliverable from the original project plan.
scope creep
These individuals oversee the day to day operations of plans put forth by CISO and CSO. Typically a person going into Cybersecurity would apply for this as a first job.
security technicians
Entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology.
seucirty watchstander
"4-1-9" fraud is an example of a ____________________ attack.
social engineering
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
standard
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
system testing
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
tactical
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
team leader
Which of the following are the two general groups into which SysSPs can be separated?
technical specifications and managerial guidance
On-the-job training can result in substandard work performance while the trainee gets up to speed.
true
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
Which of the following is NOT an aspect of access regulated by ACLs?
where the system is located
False
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
False
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy . ___________
False
The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
true
A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________
False
A security monitor is a conceptual piece of the system w ithin the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. ____________
True
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________
False
Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. ____________
A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
penetration testing
The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
vulnerability assessment
Defense risk control strategy
A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards
mitigation risk control strategy
A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
termination risk control strategy
A risk control strategy that eliminates all risk associated with an information asset by removing it from service.
Acceptance Risk Control Strategy
A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
True
A security blueprint is the outline of the more thorough security framework.
Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
A security technician
rule based access controls
Access is granted based on a set of rules specified by the central authority.
In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality?
Accreditation
Compare and contrast accreditation and certification.
Accreditation is a form of security management. Where managers assure that systems that are being used are adequate quality and a method to assure that security is obtained through technical constraints, operational constraints, and mission requirements. Although certification is in relation to accreditation, it typically requires that systems are in accordance to particular sets of requirements.
organizational feasibility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.
false
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________
Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
Confidentiality
List and explain the critical characteristics of information as defined by the C.I.A. triad.
Confidentiality of information ensures that only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached. Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Availability is the characteristic of information that enables user access to information without interference or obstruction and in a useable format.
DAC
Controls implemented at the discretion or option of the data user.
corrective
Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?
Which of the following is an advantage of the one-on-one method of training?
Customized
focuses on enhancing the security of the critical infrastructure in the United States
Cybersecurity Act
Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures
DMCA
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
Descriptive ethics
True
Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________
The actions that demonstrate that an organization has made a valid effort to protect others a requirement and that the implemented standards continue to provide the required level of protection.
Due diligence
Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received?.
Electronic vaulting
Which of the following InfoSec measurement specifications makes it possible to define success in the security program?
Establishing targets
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________
False
A performance measure is an an assessment of the performance of some action or process against which future performance is assessed. _____________
False
A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
False
A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances. ____________
False
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False
A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery. ____________
False
An alert digest is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. ____________
False
An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection. ___________
False
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
False
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________
False
Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.
False
Because it sets out general business intentions, a mission statement does not need to be concise.
False
Non mandatory recommendations that the employee may use as a reference in complying with a policy. are known as regulations. ____________
False
One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________
False
Rule-based policies are less specific to the operation of a system than access control lists.
False
Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.
False
Standardization is an an attempt to improve information security practices by comparing an organization's efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. ____________
False
The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________
False
The first step in solving problems is to gather facts and make assumptions.
False
The information technology management community of interest often takes on the leadership role in addressing risk. ____________
False
The security education, training, and awareness (SETA) program is designed to reduce the occurence of external security attacks.
False
The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
False
False
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence. ____________
False
In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). ____________
False
In information security, a framework or security model customized to an organization, including implementation details is known as a floorplan . _____________
content-dependent access controls
In which form of access control is access to a specific set of information contingent on its subject matter?
List the measures that are commonly used to protect the confidentiality of information.
Information classification Secure document (and data) storage Application of general security policies Education of information custodians and end users Cryptography (encryption)
Blackmail threat of informational disclosure is an example of which threat category?
Information extortion
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
Which of the following is an advantage of the formal class method of training?
Interaction with trainer is possible
Which of the following is true about a hot site?
It duplicates computing resources, peripherals, phone systems, applications, and workstations.
Which of the following is a responsibility of the crisis management team?
Keeping the public informed about the event and the actions being taken
True
Lattice-based access control specifies the level of access each subject has to each object, if any.
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
Legal liability
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
Legal management must develop corporate-wide standards
List the major components of the ISSP.
Limitations of liability Prohibited uses Systems management Statement of purpose Authorized users Policy Review and modification Violations of policy
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
Manufacturer's model or part number
A common approach to a Risk Management Framework (RMF) for InfoSec practice.
NIST SP 800-37
InfoSec measurements collected from production statistics depend greatly on which of the following factors?
Number of systems and users of those systems
monitoring and measurement
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
storage channels
One of the TCSEC's covert channels, which communicate by modifying a stored object.
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
Which of the following variables is the most influential in determining how to structure an information security program?
Organizational culture
Which of the following is an example of a technological obsolescence threat?
Outdated servers
Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
Field change order
Which of the following allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental?
Forensics
A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution?
Policies must be: Distributed to all individuals who are expected to comply with them Read by all employees Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees Acknowledged by the employee, usually by means of a signed consent form Uniformly enforced, with no special treatment for any group (e.g., executives)
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
Policy Review and Modification
Which of the following is the first phase in the NIST process for performance measurement implementation?
Prepare for data collection
Which of the following attributes does NOT apply to software information assets?
Product dimensions
What should you be armed with to adequately assess potential weaknesses in each information asset?
Properly classified inventory
Which of the following is an approach available to an organization as an overall philosophy for contingency planning reactions?
Protect and forget
sensitivity levels
Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme.
Which of the following is the first step in the problem-solving process?
Recognize and define the problem
A program designed to improve the security of information assets by providing targeted information, skills, and guidance for organizational employees.
SETA
Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
SLA
Which type of document grants formal permission for an investigation to occur?
Search Warrent
In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred?
Simulation
A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances.
Standard of due care
Which of the following is true about planning?
Strategic plans are used to create tactical plans
incident response plan
Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.
SysSP
InforSec Governance
The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
The Electronic Communications Privacy Act of 1986
True
The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
Risk Determination
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
The Telecommunications Deregulation and Competition Act
single loss expectancy
The calculated value associated with the most likely loss from a single attack.
True
The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
Which of the following is NOT a factor critical to the success of an information security performance program?
High level of employee buy-in
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
ISSP
In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation?
Identify relevant items of evidentiary value (EM)
Which of the following is a part of the incident recovery process?
Identifying the vulnerabilities that allowed the incident to occur and spread
Discuss the three general categories of unethical behavior that organizations should try to control.
Ignorance: Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention, and one hopes, compliance. Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data. Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether or not the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.
cost avoidance
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
cost benefit analysis
The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
The basic outcomes of InfoSec governance should include all but which of the following?
Time management by aligning resources with personnel schedules and organizational objectives
Delphi
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident?
Incident classification
The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts
InfoSec policy
____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan horses
A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True
An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official.
True
Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster. ____________
True
Each organization has to determine its own project management methodology for IT and information security projects.
True
One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. ____________
True
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.
True
Planners need to estimate the effort required to complete each task, subtask, or action step.
True
Policies must specify penalties for unacceptable behavior and define an appeals process.
True
Small organizations spend more per user on security than medium- and large-sized organizations.
True
Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True
The InfoSec community often takes on the leadership role in addressing risk.
True
The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
True
When performing simlation testing, normal operations of the business are not impacted.
True
Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
True
Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True
The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
True
Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright Law
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
Uncertainty
Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
Uncertainty percentage
access control list
Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?
Which of the following is a definite indicator of an actual incident?
Use of dormant accounts
At what point in the incident lifecycle is the IR plan initiated?
When an incident is detected that affects it
need to know
Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
deterrent
Which control category discourages an incipient incident?
mitigating
Which of the following is NOT a category of access control?
No changes by authorized subjects without external validation
Which of the following is NOT a change control principle of the Clark-Wilson model?
What are the two general methods for implementing technical controls?
access control lists and configuration rules
A risk assessment is performed during which phase of the SecSDLC?
analysis
In which phase of the SecSDLC does the risk management task occur?
analysis
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
back door
An assessment of the performance of some action or process against which future performance is assessed.
baseline
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
champion
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
chief information security officer
Labels that must be comprehensive and mutually exclusive.
classification categories
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
common good
Which of the following are instructional codes that guide the execution of the system when information is passing through it?
configuration rules
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
data owners
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
data users
Which type of attack involves sending a large number of connection or information requests to a target?
denial-of-service (DoS)
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
deterrence
A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
distributed denial-of-service
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
due diligence
Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________ .
education
defines socially acceptable behaviors
ethics
Having an established risk management program means that an organization's assets are completely protected.
false
Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
false
Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________
false
The recognition, enumeration, and documentation of risks to an organization's information assets. is known as risk control. ____________
false
Which of the following is NOT a step in the process of implementing training?
hire expert consultants
In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
implementation
What is the first phase of the SecSDLC?
investigation
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
issue-specific
Which of the following is true about a company's InfoSec awareness Web site?
it should be tested with multiple browsers
Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
joint application design
Communications security involves the protection of which of the following?.
media, technology, and content
the study of what makes actions right or wrong, also known as moral theory
normative ethics
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
organization
Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
policy should be agreed upon by all employees and management
regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments
public law
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
qualitative assessment
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
ranked vulnerability risk worksheet
Remains even after current control has been applied.
residual risk
Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
restitution
An approach to combining risk identification, risk assessment, and risk appetite into a single strategy.
risk analysis
A SETA program consists of three elements: security education, security training, and which of the following?.
security awareness
Formal process educating employees about computer security.
security awareness program
In larger organizations, responsible for some aspect of information security; in smaller organizations, this title may be assigned to the only or senior security administrator.
security manager
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
security manager
Which of the following is the most cost-effective method for disseminating security information and news to employees?
security newsletter
A clear declaration that outlines the scope and applicability of a policy.
statement of purpose
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
strategic
A section of policy that should specify users' and systems administrators' responsibilities.
systems management
An example of a stakeholder of a company includes all of the following except :
the general public
Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
they have larger information security needs than a small organization
An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.
threat assessment
Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
traditional waterfall
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
trespass
Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information. ____________
true
According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?
Inquiring reports from different levels of management for effectiveness and adequacy. Verification of managements investment is properly aligned with organizational strategies and the risk environment the organization faces. Creating and promoting a culture that recognizes the criticality of information and InfoSec to the organization Assuring that a comprehensive program is developed and implemented
Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?
Performance managment
List the stages in the risk identification process in order of occurrence.
Plan and Organize Process Create System Component Categories Develop Inventory of Assets Identify Threats Specify Vulnerable Assets Assign Value or Impact Rating to Assets Assess Likelihood for Vulnerabilities Calculate Relative Risk Factor for Assets Preliminary Review of Possible Controls Document Findings
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
Relative value
Which of the following is the transfer of live transactions to an off-site facility?
Remote journaling
separation of duties
Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.
Which of the following is a disadvantage of the one-on-one training method?
Resource intensive, to the point of being inefficient
The identification and assessment of levels of risk in an organization describes which of the following?
Risk analysis
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Risk assessment
The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
Risk assessment estimate factors
True
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
When undertaking the BIA, what should the organization consider?
Scope Plan Balance Objective Follow-up
Data classification schemes should categorize information assets based on which of the following?
Sensitivity and security needs
False
Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
Which of the following is an information security governance responsibility of the Chief Security Officer?
Set security policy, procedures, programs and training
False
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________
False
The defense risk control strategy may be accomplished by outsourcing to other organizations.
What is the key difference between law an ethics?
The difference between law and ethics is that ethics is behavior that is socially acceptable. Having the sense of knowing whats right from wrong. While law are regulations that are govern by higher authority in which everyone is to abid by.
False
The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. ____________
Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
True
The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________
risk appetite
The quantity and nature of risk that organizations are willing to accept.
True
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
True
The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
List the steps of the seven-step methodology for implementing training.
The seven-step methodology for implementing training is as follows: Step 1: Identify program scope, goals, and objectives. Step 2: Identify training staff. Step 3: Identify target audiences. Step 4: Motivate management and employees. Step 5: Administer the program. Step 6: Maintain the program. Step 7: Evaluate the program
Describe the use of an IP address when deciding which attributes to track for each information asset.
This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
Threats-vulnerabilities-assets worksheet
A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
A slow-onset disaster is a disaster that occurs over time and gradually degrade the capacity of an organization to withstand their effects. ____________
True
A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
True
A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.
True
Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True
One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"
True
Patch and proceed is an organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker's identification and prosecution. ____________
True
False
Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world.
Protection Profile (PP)
Under the Common Criteria, which term describes the user-generated specifications for security requirements?
True
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
Which of the following is a possible indicator of an actual incident?
Unusual consumption of computing resources
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
User-specific security policies
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
Violations of Policy
What is defined as specific avenues that threat agents can exploit to attack an information asset?
Vulnerabilities
__________ is a simple project management planning tool.
WBS
Which of the following is a mathematical tool that can be useful in assessing relative importance while resolving the issue of what business function is the most critical?
Weighted analysis
Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?
What affect will measurement collection have on efficiency?
qualitative assessment of many risk components
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
CBA is the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization. The formula for CBA is CBA=SLA(precontrol)-SLA(postcontrol)-ACS.
What does the result of a CBA determine? What is the formula for the CBA?
cost-benefit analysis
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
documented control strategy
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly, usually after double signature verification. Documents should be destroyed by means of shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure that no classified information is inappropriately disposed of in trash or recycling areas. Otherwise, people who engage in dumpster diving, the retrieval of information from refuse or recycling bins, may compromise the security of the organization's information assets.
When copies of classified information are no longer valuable or too many copies exist, what steps should be taken to destroy them properly? Why?
least privilege
Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?
maintenance
Which of the following affects the cost of a control?
risk appetite
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
mitigation
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
cost avoidance
Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
political feasibility
Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
Which of the following is NOT a valid rule of thumb on risk control strategy selection?
selective risk avoidance
Which of the following is NOT an alternative to using CBA to justify risk controls?
for official use only
Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?
framework & Security model
Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?
COBIT
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?
security clearances
Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?
reference monitor
Which piece of the Trusted Computing Base's security system manages access controls?
Biba
Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones.
TCSEC
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
nondiscretionary
Which type of access controls can be role-based or task-based?
TCB
Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
Specifications of authorization that govern the rights and privileges of users to a particular information asset.
access control lists
What do audit logs that track user activity on an information system provide?
accountability
The authorization of an IT system to process, store, or transmit information.
accreditation
an approach that applies moral codes to actions drawn from realistic situations
applied ethics
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
authentication
According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
availability
An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.
benchmarking
Those security efforts that are considered among the best in the industry.
best security practices
The purpose of SETA is to enhance security in all but which of the following ways?
by adding barriers
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
can suffer from poor policy dissemintation, enforcement, and review
Specifies which subjects and objects that users or groups can access
capability table
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
centralized authentication
A comprehensive assessment of a system's technical and nontechnical protection strategies, as specified by a particular set of requirements.
certification
addresses violations harmful to society and is actively enforced and prosecuted by the state
criminal law
A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.
critical path method
A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
enterprise risk management.
One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
hacktivist
Which of the following is an element of the enterprise information security policy?
information on the structure of the InfoSec organization
Which of the following is the last phase in the NIST process for performance measures implementation?
Apply corrective actions
Information security governance yields significant benefits. List five.
Assurance that the decisions are not based off of false/fake information. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved Increase in share values for the organization. Optimization of the allocation of limited security resources. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
When issues are addressed by moving from the general to the specific, always starting with policy.
Bull's eye model
When a disaster renders the current business location unusable, which plan is put into action?
Business continuity
Which is the first step in the contingency planning process among the options listed here?
Business impact analysis
What is the final step in the risk identification process?
Listing assets in order of importance
Which of the following is an attribute of a network device is physically tied to the network interface?
Mac address