CIST 1602 Module 1 Chapter 1&2, CIST 1602 Mod2 Chapter3&4, 1602 Module 3 Chapter 5&6, 1602 Module 4 Chapters 7&8, 1602 Module 5 Chapter 9&10, CIST 1602 Chapter 11 & 12

¡Supera tus tareas y exámenes ahora con Quizwiz!

There are six key elements that the CP team must build into the DR Plan. What are three of them?

- Clear delegation of roles and responsibilities - Execution of the alert roster and notification of key personnel - Clear establishment of priorities - Procedures for documentation of the disaster - Action steps to mitigate the impact of the disaster on the operations of the organization - Alternative implementations for the various systems components, should primary versions be unavailable

Briefly describe five different types of laws.

1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. 2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. 3. Tort law is a subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury. 4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law. 5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed.

6 of the 12 general categories of threat to an organization are: Human error. This can be someone deleting important resources accidental Information extortion: This would be hacker blackmailing organizations of there resources Software attacks: Include several such as malware and DoS attacks Theft. Can include someone taking organizations property with out authority Forces of nature. When earthquakes, fire, floods, or event that humans can not control. Hardware failure. Sometimes when equipment are to old there can be equipment failure.

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

(ISC)2

timing channels

A TCSEC-defined covert channel, which transmit information by managing the relative timing of events.

task-based controls

A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.

blueprint

A framework or security model customized to an organization, including implementation details.

asset valuation

A process of assigning financial value or worth to each information asset.

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

defense

Application of training and education is a common method of which risk control strategy?

Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?

Are the user accounts of former employees immediately removed on termination?

​When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.

Board Risk Committee

​ Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk Transference—Shifting risks to other areas or to outside entities Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control Termination—Removing or discontinuing the information asset from the organization's operating environment

Briefly describe the five basic strategies to control risk that result from vulnerabilities.

Which of the following is NOT a step in the problem-solving process?

Build support among management for the candidate solution

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

Bull's-eye model

In the event of an incident or disaster, which planning element is used to guide off-site operations?

Business continuity

single loss expectancy

By multiplying the asset value by the exposure factor, you can calculate which of the following?

Typically considered the top information security officer in an organization.

CISO

According to NIST SP 800-37, which of the following is the first step in the security controls selection process?

Categorize the information system and the information processed

Which document must be changed when evidence changes hands or is stored?

Chain of custody

In which type of site are no computer hardware or peripherals provided?

Cold site

Classification categories must be mutually exclusive and which of the following?

Comprehensive

one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Computer Security Act (CSA)

After an incident, but before returning to its normal duties, the CSIRT must do which of the following?

Conduct an after-action review

Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event?

Contingency planning

content-dependent access controls

Controls access to a specific set of information based on its content.

Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?

Cost of prevention

What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain that standard?

Due care and due diligence

Which policy is the highest level of policy and is usually created first?

EISP

a collection of statutes that regulates the interception of wire, electronic, and oral communications

Electronic Communications Privacy Act

According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?

Establishing

​Which of the following is not among the 'deadly sins of software security'?

Extortion sins

A company striving for 'best security practices' makes every effort to establish security program elements that meet every minimum standard in their industry.

False

A comprehensive assessment of a system's technical and nontechnical protection strategies, as specified by a particular set of requirements is known as accreditation. ____________

False

A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________

False

Corruption of information can occur only while information is being stored.

False

Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization are known as program measurements. ____________

False

DoS attacks cannot be launched against routers.

False

Ethics carry the sanction of a governing authority.

False

In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.

False

In most organizations, the COO is responsible for creating the IR plan.

False

In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________

False

Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________

False

MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.

False

Most information security projects require a trained project developer. _________________________

False

Performance measurements are seldom required in today's regulated InfoSec environment.

False

Technology is the essential foundation of an effective information security program​. _____________

False

The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.

False

The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.

False

The authorization by an oversight authority of an IT system to process, store, or transmit information is known as certification . ____________

False

The authorization process takes place before the authentication process.

False

The biggest barrier to baselining in InfoSec is the fact that many organizations do not share warnings with other organizations. ____________

False

The macro virus infects the key operating system files located in a computer's start up sector. _________________________

False

The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.​

False

The secretarial community often takes on the leadership role in addressing risk. ____________

False

Threats from insiders are more likely in a small organization than in a large one.

False

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.​ ___________

False

Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster.

False

Using standard digital forensics methodology, the first step is to analyze the EM data without risking modification or unauthorized access.

False

When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.

False

​ Examples of actions that illustrate compliance with policies are known as laws.

False

​ Values statements should therefore be ambitous; after all, they are meant to express the aspirations of the organization.

False

​A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.

False

​Deterrence is the best method for preventing an illegal or unethical activity. ____________

False

Which of the following is the best example of a rapid-onset disaster?

Flood

In which contingency plan testing strategy do individuals follow each and every IR/DR/BC procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals?

Full-interruption

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

HIPAA

Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

Health Information Technology for Economic and Clinical Health Act

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

IP address

Which of the following is the first step in the process of implementing training?

Identify program scope, goals, and objectives

Is a set of strategies for managing the processes, tools, and policies necessary to prevent, detect, document and counter threats to digital and non-digital information.Many large enterprises employ a dedicated security group to implement and maintain.

infosec program

Any court can impose its authority over an individual or organization if it can establish which of the following?

jurisdiction

In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

man-in-the-middle

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.

penetration tester

Which of the following is NOT a primary function of Information Security Management?

performance

The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization.

performance measurements

GGG security is commonly used to describe which aspect of security?

physical

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

planning

Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?

planning

Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

policy

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?

policy administrator

Step-by-step instructions designed to assist employees in following policies, standards and guidelines.

procedures

Occurs when a project manager spends more time working in the project management software than accomplishing meaningful project work.

projectitis

Those procedures that provide a superior level of security for an organization's information.

recommended business practices

What is the SETA program designed to do?

reduce the occurence of accidental security breaches

The quantity and nature of risk that organizations are willing to accept.

risk appetite

The recognition, enumeration, and documentation of risks to an organization's information assets.

risk identification

The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

risk management

The expansion of the quantity or quality of project deliverable from the original project plan.

scope creep

These individuals oversee the day to day operations of plans put forth by CISO and CSO. Typically a person going into Cybersecurity would apply for this as a first job.

security technicians

Entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology.

seucirty watchstander

"4-1-9" fraud is an example of a ____________________ attack.

social engineering

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.

standard

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

system testing

Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?

tactical

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.

team leader

Which of the following are the two general groups into which SysSPs can be separated?

technical specifications and managerial guidance

On-the-job training can result in substandard work performance while the trainee gets up to speed.

true

Which of the following is a key advantage of the bottom-up approach to security implementation?

utilizes the technical expertise of the individual administrators

Which of the following is NOT an aspect of access regulated by ACLs?

where the system is located

False

​ The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________

False

​ The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy . ___________

False

​ The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.

true

​A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________

False

​A security ​ monitor is a conceptual piece of the system w ithin the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. ____________

True

​Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________

False

​Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. ____________

A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.

​penetration testing

​ The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.

​vulnerability assessment

Defense risk control strategy

A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards

mitigation risk control strategy

A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.

termination risk control strategy

A risk control strategy that eliminates all risk associated with an information asset by removing it from service.

Acceptance Risk Control Strategy

A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.

True

A security blueprint is the outline of the more thorough security framework.

Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

A security technician

rule based access controls

Access is granted based on a set of rules specified by the central authority.

In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality?

Accreditation

Compare and contrast accreditation and certification.

Accreditation is a form of security management. Where managers assure that systems that are being used are adequate quality and a method to assure that security is obtained through technical constraints, operational constraints, and mission requirements. Although certification is in relation to accreditation, it typically requires that systems are in accordance to particular sets of requirements.

organizational feasibility

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.

false

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?

Confidentiality

List and explain the critical characteristics of information as defined by the C.I.A. triad.

Confidentiality of information ensures that only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached. Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Availability is the characteristic of information that enables user access to information without interference or obstruction and in a useable format.

DAC

Controls implemented at the discretion or option of the data user.

corrective

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

Which of the following is an advantage of the one-on-one method of training?

Customized

focuses on enhancing the security of the critical infrastructure in the United States

Cybersecurity Act

Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures

DMCA

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?

Descriptive ethics

True

Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________

The actions that demonstrate that an organization has made a valid effort to protect others a requirement and that the implemented standards continue to provide the required level of protection.

Due diligence

Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received?.

Electronic vaulting

Which of the following InfoSec measurement specifications makes it possible to define success in the security program?

Establishing targets

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________

False

A performance measure is an an assessment of the performance of some action or process against which future performance is assessed. _____________

False

A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________

False

A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances. ____________

False

A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.

False

A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery. ____________

False

An alert digest is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. ____________

False

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection. ___________

False

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________

False

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________

False

Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.

False

Because it sets out general business intentions, a mission statement does not need to be concise.

False

Non mandatory recommendations that the employee may use as a reference in complying with a policy. are known as regulations. ____________

False

One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________

False

Rule-based policies are less specific to the operation of a system than access control lists.

False

Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.

False

Standardization is an an attempt to improve information security practices by comparing an organization's efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. ____________

False

The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________

False

The first step in solving problems is to gather facts and make assumptions.

False

The information technology management community of interest often takes on the leadership role in addressing risk. ____________

False

The security education, training, and awareness (SETA) program is designed to reduce the occurence of external security attacks.

False

The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.

False

False

In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as ​the annualized risk of occurrence. ____________

False

In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user).​ ____________

False

In information security, a framework or security model customized to an organization, including implementation details is known as a floorplan . _____________

content-dependent access controls

In which form of access control is access to a specific set of information contingent on its subject matter?

List the measures that are commonly used to protect the confidentiality of information.

Information classification Secure document (and data) storage Application of general security policies Education of information custodians and end users Cryptography (encryption)

Blackmail threat of informational disclosure is an example of which threat category?

Information extortion

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?

Initiating

Which of the following is an advantage of the formal class method of training?

Interaction with trainer is possible

Which of the following is true about a hot site?

It duplicates computing resources, peripherals, phone systems, applications, and workstations.

Which of the following is a responsibility of the crisis management team?

Keeping the public informed about the event and the actions being taken

True

Lattice-based access control specifies the level of access each subject has to each object, if any.

Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?

Legal liability

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

Legal management must develop corporate-wide standards

List the major components of the ISSP.

Limitations of liability Prohibited uses Systems management Statement of purpose Authorized users Policy Review and modification Violations of policy

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Manufacturer's model or part number

A common approach to a Risk Management Framework (RMF) for InfoSec practice.

NIST SP 800-37

InfoSec measurements collected from production statistics depend greatly on which of the following factors?

Number of systems and users of those systems

monitoring and measurement

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

storage channels

One of the TCSEC's covert channels, which communicate by modifying a stored object.

Which type of planning is used to organize the ongoing, day-to-day performance of tasks?

Operational

Which of the following variables is the most influential in determining how to structure an information security program?

Organizational culture

Which of the following is an example of a technological obsolescence threat?

Outdated servers

Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.

Field change order

Which of the following allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental?

Forensics

A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution?

Policies must be: ​ Distributed to all individuals who are expected to comply with them Read by all employees Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees Acknowledged by the employee, usually by means of a signed consent form Uniformly enforced, with no special treatment for any group (e.g., executives)

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

Policy Review and Modification

Which of the following is the first phase in the NIST process for performance measurement implementation?

Prepare for data collection

Which of the following attributes does NOT apply to software information assets?

Product dimensions

What should you be armed with to adequately assess potential weaknesses in each information asset?

Properly classified inventory

Which of the following is an approach available to an organization as an overall philosophy for contingency planning reactions?

Protect and forget

sensitivity levels

Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme.

Which of the following is the first step in the problem-solving process?

Recognize and define the problem

A program designed to improve the security of information assets by providing targeted information, skills, and guidance for organizational employees.

SETA

Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.

SLA

Which type of document grants formal permission for an investigation to occur?

Search Warrent

In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred?

Simulation

A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances.

Standard of due care

Which of the following is true about planning?

Strategic plans are used to create tactical plans

incident response plan

Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.

SysSP

InforSec Governance

The COSO framework is built on five interrelated components. Which of the following is NOT one of them?

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

The Electronic Communications Privacy Act of 1986

True

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.

Risk Determination

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?

The Telecommunications Deregulation and Competition Act

single loss expectancy

The calculated value associated with the most likely loss from a single attack.

True

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

Which of the following is NOT a factor critical to the success of an information security performance program?

High level of employee buy-in

An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

ISSP

In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation?

Identify relevant items of evidentiary value (EM)

Which of the following is a part of the incident recovery process?

Identifying the vulnerabilities that allowed the incident to occur and spread

Discuss the three general categories of unethical behavior that organizations should try to control.

Ignorance: Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention, and one hopes, compliance. Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data. Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether or not the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.

cost avoidance

The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.

cost benefit analysis

The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.

The basic outcomes of InfoSec governance should include all but which of the following?

Time management by aligning resources with personnel schedules and organizational objectives

Delphi

In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?

Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident?

Incident classification

The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts

InfoSec policy

____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.

Trojan horses

A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________

True

An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official.

True

Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster. ____________

True

Each organization has to determine its own project management methodology for IT and information security projects.

True

One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. ____________

True

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

True

Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.

True

Planners need to estimate the effort required to complete each task, subtask, or action step.

True

Policies must specify penalties for unacceptable behavior and define an appeals process.

True

Small organizations spend more per user on security than medium- and large-sized organizations.

True

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

True

The InfoSec community often takes on the leadership role in addressing risk.

True

The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.

True

The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________

True

When performing simlation testing, normal operations of the business are not impacted.

True

​ Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________

True

​ Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________

True

​ The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________

True

Which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. Copyright Law

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

Uncertainty

Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?

Uncertainty percentage

access control list

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

Which of the following is a definite indicator of an actual incident?

Use of dormant accounts

At what point in the incident lifecycle is the IR plan initiated?

When an incident is detected that affects it

need to know

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

deterrent

Which control category discourages an incipient incident?

mitigating

Which of the following is NOT a category of access control?

No changes by authorized subjects without external validation

Which of the following is NOT a change control principle of the Clark-Wilson model?

What are the two general methods for implementing technical controls?

access control lists and configuration rules

A risk assessment is performed during which phase of the SecSDLC?

analysis

In which phase of the SecSDLC does the risk management task occur?

analysis

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

back door

An assessment of the performance of some action or process against which future performance is assessed.

baseline

​A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.

champion

​The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.

chief information security officer

Labels that must be comprehensive and mutually exclusive.

classification categories

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

common good

Which of the following are instructional codes that guide the execution of the system when information is passing through it?

configuration rules

​Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.

data owners

Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.

data users

Which type of attack involves sending a large number of connection or information requests to a target?

denial-of-service (DoS)

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.

deterrence

A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial-of-service

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

due diligence

Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________ .

education

defines socially acceptable behaviors

ethics

Having an established risk management program means that an organization's assets are completely protected.

false

Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

false

Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________

false

The recognition, enumeration, and documentation of risks to an organization's information assets. is known as risk control. ____________

false

Which of the following is NOT a step in the process of implementing training?

hire expert consultants

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

implementation

What is the first phase of the SecSDLC?

investigation

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

issue-specific

Which of the following is true about a company's InfoSec awareness Web site?

it should be tested with multiple browsers

Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?

joint application design

Communications security involves the protection of which of the following?.

media, technology, and content

the study of what makes actions right or wrong, also known as moral theory

normative ethics

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organization

Which of the following is NOT one of the basic rules that must be followed when shaping a policy?

policy should be agreed upon by all employees and management

regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments

public law

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.

qualitative assessment

Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.

ranked vulnerability risk worksheet

Remains even after current control has been applied.

residual risk

Which of the following is compensation for a wrong committed by an employee acting with or without authorization?

restitution

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy.

risk analysis

A SETA program consists of three elements: security education, security training, and which of the following?.

security awareness

​Formal process educating employees about computer security.

security awareness program

In larger organizations, responsible for some aspect of information security; in smaller organizations, this title may be assigned to the only or senior security administrator.

security manager

​The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.

security manager

Which of the following is the most cost-effective method for disseminating security information and news to employees?

security newsletter

A clear declaration that outlines the scope and applicability of a policy.

statement of purpose

Which type of planning is the primary tool in determining the long-term direction taken by an organization?

strategic

A section of policy that should specify users' and systems administrators' responsibilities.

systems management

​An example of a stakeholder of a company includes all of the following except :​

the general public

Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

they have larger information security needs than a small organization

An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.

threat assessment

Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?

traditional waterfall

Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

trespass

Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information. ____________

true

According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?

Inquiring reports from different levels of management for effectiveness and adequacy. Verification of managements investment is properly aligned with organizational strategies and the risk environment the organization faces. Creating and promoting a culture that recognizes the criticality of information and InfoSec to the organization Assuring that a comprehensive program is developed and implemented

Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?

Performance managment

List the stages in the risk identification process in order of occurrence.

Plan and Organize Process Create System Component Categories Develop Inventory of Assets Identify Threats Specify Vulnerable Assets Assign Value or Impact Rating to Assets Assess Likelihood for Vulnerabilities Calculate Relative Risk Factor for Assets Preliminary Review of Possible Controls Document Findings

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

Relative value

Which of the following is the transfer of live transactions to an off-site facility?

Remote journaling

separation of duties

Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.

Which of the following is a disadvantage of the one-on-one training method?

Resource intensive, to the point of being inefficient

The identification and assessment of levels of risk in an organization describes which of the following?

Risk analysis

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

Risk assessment

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.

Risk assessment estimate factors

True

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.

When undertaking the BIA, what should the organization consider?

Scope Plan Balance Objective Follow-up

Data classification schemes should categorize information assets based on which of the following?

Sensitivity and security needs

False

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

Which of the following is an information security governance responsibility of the Chief Security Officer?

Set security policy, procedures, programs and training

False

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________

False

The defense risk control strategy may be accomplished by outsourcing to other organizations.

What is the key difference between law an ethics?

The difference between law and ethics is that ethics is behavior that is socially acceptable. Having the sense of knowing whats right from wrong. While law are regulations that are govern by higher authority in which everyone is to abid by.

False

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. ____________

Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset

The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?

True

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________

risk appetite

The quantity and nature of risk that organizations are willing to accept.

True

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________

True

The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the ​termination risk control strategy.

List the steps of the seven-step methodology for implementing training.

The seven-step methodology for implementing training is as follows: Step 1: Identify program scope, goals, and objectives. Step 2: Identify training staff. Step 3: Identify target audiences. Step 4: Motivate management and employees. Step 5: Administer the program. Step 6: Maintain the program. Step 7: Evaluate the program

Describe the use of an IP address when deciding which attributes to track for each information asset.

This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Threats-vulnerabilities-assets worksheet

A clearly directed strategy flows from top to bottom rather than from bottom to top.

True

A slow-onset disaster is a disaster that occurs over time and gradually degrade the capacity of an organization to withstand their effects. ____________

True

A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________

True

A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.

True

Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.

True

One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"

True

Patch and proceed is an organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker's identification and prosecution. ____________

True

False

Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world.

Protection Profile (PP)

Under the Common Criteria, which term describes the user-generated specifications for security requirements?

True

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

Which of the following is a possible indicator of an actual incident?

Unusual consumption of computing resources

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?

User-specific security policies

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?

Violations of Policy

What is defined as specific avenues that threat agents can exploit to attack an information asset?

Vulnerabilities

__________ is a simple project management planning tool.

WBS

Which of the following is a mathematical tool that can be useful in assessing relative importance while resolving the issue of what business function is the most critical?

Weighted analysis

Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?

What affect will measurement collection have on efficiency?

qualitative assessment of many risk components

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

CBA is the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization. The formula for CBA is CBA=SLA(precontrol)-SLA(postcontrol)-ACS.

What does the result of a CBA determine? What is the formula for the CBA?

cost-benefit analysis

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

documented control strategy

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly, usually after double signature verification. Documents should be destroyed by means of shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure that no classified information is inappropriately disposed of in trash or recycling areas. Otherwise, people who engage in dumpster diving, the retrieval of information from refuse or recycling bins, may compromise the security of the organization's information assets.

When copies of classified information are no longer valuable or too many copies exist, what steps should be taken to destroy them properly? Why?

least privilege

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?

maintenance

Which of the following affects the cost of a control?

risk appetite

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

mitigation

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

cost avoidance

Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?

political feasibility

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

Which of the following is NOT a valid rule of thumb on risk control strategy selection?

selective risk avoidance

Which of the following is NOT an alternative to using CBA to justify risk controls?

for official use only

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?

framework & Security model

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

COBIT

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

security clearances

Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?

reference monitor

Which piece of the Trusted Computing Base's security system manages access controls?

Biba

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones.

TCSEC

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

nondiscretionary

Which type of access controls can be role-based or task-based?

TCB

Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.

Specifications of authorization that govern the rights and privileges of users to a particular information asset.

access control lists

What do audit logs that track user activity on an information system provide?

accountability

The authorization of an IT system to process, store, or transmit information.

accreditation

an approach that applies moral codes to actions drawn from realistic situations

applied ethics

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

authentication

According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?

availability

An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.

benchmarking

Those security efforts that are considered among the best in the industry.

best security practices

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?

can suffer from poor policy dissemintation, enforcement, and review

Specifies which subjects and objects that users or groups can access

capability table

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

centralized authentication

A comprehensive assessment of a system's technical and nontechnical protection strategies, as specified by a particular set of requirements.

certification

addresses violations harmful to society and is actively enforced and prosecuted by the state

criminal law

A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.

critical path method

A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.

enterprise risk management.

One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

hacktivist

Which of the following is an element of the enterprise information security policy?

information on the structure of the InfoSec organization

Which of the following is the last phase in the NIST process for performance measures implementation?

Apply corrective actions

Information security governance yields significant benefits. List five.

Assurance that the decisions are not based off of false/fake information. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved Increase in share values for the organization. Optimization of the allocation of limited security resources. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively

When issues are addressed by moving from the general to the specific, always starting with policy.

Bull's eye model

When a disaster renders the current business location unusable, which plan is put into action?

Business continuity

Which is the first step in the contingency planning process among the options listed here?

Business impact analysis

What is the final step in the risk identification process?

Listing assets in order of importance

Which of the following is an attribute of a network device is physically tied to the network interface?

Mac address


Conjuntos de estudio relacionados

Pharm Ch. 46 Antineoplastic Drugs Part 2

View Set

Allied Real Estate - Escrow - Unit 1

View Set

Quiz: Module 12 Performance and Recovery

View Set

ECON 201- Ch.12 Section 3 Questions

View Set