CPSC 253
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes _____. a) controls have been bypassed b) controls have proven ineffective c) controls have failed d) All of the above
All of the above
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization. a) ISO b) CIO c) CISO d) CTO
CISO
__________ law comprises a wide variety of laws that govern a nation or state. a) criminal b) civil c) public d) private
Civil
A business influence analysis (BIA) is an investigation and assessment of adverse events that can affect the organization. T/F
False
A(n) DR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs. _____ T/F
False
According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement. T/F
False
Baselining is the comparison of past security activities and events against the organization's current performance. T/F
False
Computer assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information. ____________ T/F
False
Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. _________________________ T/F
False
E-mail spoofing involves sending an e-mail message with a harmful attachment. T/F
False
In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their information from unauthorized access. T/F
False
Information security can be an absolute. T/F
False
Information security's primary mission is to ensure that systems and their contents retain their confidentiality at any cost. T/F
False
Knowing yourself means identifying, examining, and understanding the threats facing the organization. T/F
False
Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved. T/F
False
Risk mitigation is the process of assigning a risk rating or score to each information asset. _________________________ T/F
False
Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting. T/F
False
The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _________________________ T/F
False
The Security Development Life Cycle (SDLC) is a general methodology for the design and implementation of an information system. _________________________ T/F
False
The U.S. Secret Service is currently within the Department of the Treasury. _________________________ T/F
False
The bottom-up approach to information security has a higher probability of success than the top-down approach. T/F
False
The continuity planning management team (CPMT) is the group of senior managers and project members organized to conduct and lead all contingency planning efforts. T/F
False
The first phase of risk management is _________. T/F
False
Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms. T/F
False
__________ was the first operating system to integrate security as one of its core functions. a) UNIX b) DOS c) MULTICS d) ARPANET
MULTICS
A breach of possession may not always result in a breach of confidentiality. T/F
True
A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information. T/F
True
A mail bomb is a form of DoS attack. T/F
True
Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective. T/F
True
During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage. T/F
True
Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with very little warning and are beyond the control of people. T/F
True
Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught. T/F
True
Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. T/F
True
Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. T/F
True
Privacy is the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality. T/F
True
Risk control is the application of controls that reduce the risks to an organization's information assets to an acceptable level. T/F
True
The Department of Homeland Security works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research. T/F
True
To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited. T/F
True
An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) ___________. a) access method b) asset c) exploit d) risk
asset
Ideally, the _____, systems administrators, the chief information security officer (CISO), and key IT and business managers should be actively involved during the creation and development of all CP components. a) chief information officer (CIO) b) chief executive officer (CEO) c) chief financial officer (CFO) d) senior auditor
chief information officer (CIO)
Incident _____ is the process of examining a potential incident, or incident candidate, and determining whether the candidate constitutes an actual incident. a) classification b) category c) response d) strategy
classification
____________________ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data that result in violence against noncombatant targets by subnational groups or clandestine agents. a) infoterrorism b) cyberterrorism c) hacking d) cracking
cyberterrorism
In a ____________________ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources. a) denial-of-service b) distributed denial-of-service c) virus d) spam
denial-of-service
Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________. a) threats b) education c) hugs d) paperwork
education
A technique used to compromise a system is known as a(n) ___________. a) access method b) asset c) exploit d) risk
exploit
The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts. a) Violence b) Fraud c) Theft d) Usage
fraud
The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________. a) communications security b) network security c) physical security d) information security
information security
Criminal or unethical __________ goes to the state of mind of the individual performing the act. a) attitude b) intent c) accident d) all the above
intent
In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. a) zombie-in-the-middle b) sniff-in-the-middle c) server-in-the-middle d) man-in-the-middle
man-in-the-middle
Digital forensics involves the _____, identification, extraction, documentation, and interpretation of digital media. a) investigation b) determination c) confiscation d) preservation
preservation
Incident _____ is the set of activities taken to plan for, detect, and correct the impact of an incident on information assets. a) response b) readiness c) mitigation d) recovery
response
Data backup should be based on a(n) ____ policy that specifies how long log data should be maintained. a) replication b) business resumption c) incident response d) retention
retention
"4-1-9" fraud is an example of a ____________________ attack. a) social engineering b) virus c) worm d) spam
social engineering
According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except __________. a) for purposes of commercial advantage b) for private financial gain c) to harass d) in furtherance of a criminal act
to harass
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. a) bypass b) theft c) trespass d) security
trespass