CSS 1006 Midterm
a. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________. a. Board Risk Committee b. Board Finance Committee c. Board Ethics Committee d. Chairman of the Board
a. Board Risk Committee
A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs. a. business mission b. joint application design c. security policy review d. disaster recovery planning
a. business mission
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? a. can suffer from poor policy dissemination, enforcement, and review b. may skip vulnerabilities otherwise reported c. may be more expensive than necessary d. implementation can be less difficult to manage
a. can suffer from poor policy dissemination, enforcement, and review
Which of the following is NOT one of the three general causes of unethical and illegal behavior? a. carelessness b. ignorance c. accident d. intent
a. carelessness
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) _________ on a development team. a. champion b. project manager c. team leader d. auditor
a. champion
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as _______. a. data owners b. data custodians c. data users d. data generators
a. data owners
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________. a. digital forensics b. criminal investigation c. crime scene investigation d. e-discovery
a. digital forensics
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________. a. evidentiary material b. digital forensics c. evidence d. e-discovery
a. evidentiary material
Laws, policies, and their associated penalties only provide deterrence if 3 conditions are present. Which of these is NOT one of them? a. frequency of review b. probability of being apprehended c. fear of the penalty d. probability of penalty being applied
a. frequency of review
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. a. governance b. controlling c. leading d. strategy
a. governance
ISO 27014:2013 is the ISO 27000 series standard for ________. a. governance of information security b. information security management c. risk management d. policy management
a. governance of information security
The National Association of Corporate Directors (NACD) recommends 4 essential practices for boards of directors. Which of the following is NOT one of these recommended practices? a. hold regular meetings with CIO to discuss tactical InfoSec planning b. assign InfoSec to a key committee and ensure adequate support for that committee c. ensure the effectiveness of the corporation's InfoSec policy through review and approval d. identify InfoSec leaders, hold them accountable, and ensure support for them
a. hold regular meetings with CIO to discuss tactical InfoSec planning
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________. a. identifying relevant items of evidentiary value b. acquiring (seizing) the evidence without alteration or damage c. analyzing the data without risking modification or unauthorized access d. investigating allegations of digital malfeasance
a. identifying relevant items of evidentiary value
The ______ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. a. investigation b. analysis c. implementation d. justification
a. investigation
According to Wood, which of the following is a reason the InfoSec department should report directly to top management? a. it fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole b. it allows independence in the InfoSec department, especially if it is needed to audit the IT division c. it prevents InfoSec from becoming a drain on the IT budget d. it allows the InfoSec executive to dictate security requirements with greater authority to the other business divisions
a. it fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a wholeWhich of the following describes the primary reason the InfoSec department should NOT fall under the IT function?
The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined. a. rainbow table b. unicorn table c. rainbow matrix d. poison box
a. rainbow table
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness? a. systems testing b. risk assessment c. incident response d. risk treatment
a. systems testing
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________. a. the type of crime committed b. how many perpetrators were involved c. the network provider the hacker used d. the kind of computer the hacker used
a. the type of crime committed
As noted by Kosutic, options for placing the CISO (and his or her security group) in the organization are generally driven by organizational size and include all of the following EXCEPT: a. within a division/department with a conflict of interest b. in a separate group reporting directly to the CEO / president c. under a division/department with no conflict of interest d. as an additional duty for an existing manager/executive
a. within a division/department with a conflict of interest
The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge b. by adding barriers c. by developing skills d. by improving awareness
b. by adding barriers
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation? a. policy b. centralized authentication c. compliance/audit d. risk management
b. centralized authentication
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past? a. applied ethics b. descriptive ethics c. normative ethics d. deontological ethics
b. descriptive ethics
Which of the following is the best method for preventing an illegal or unethical activity? (ex: laws, policies, technical controls) a. remediation b. deterrence c. persecution d. rehabilitation
b. deterrence
A _______ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. a. denial of service b. distributed denial of service c. virus d. spam
b. distributed denial of service
Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization. a. legal opinions b. examples c. strategic plans d. purchasable policies
b. examples
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. a. evidentiary material b. forensics c. crime scene investigation d. data imaging
b. forensics
Which of the following is NOT a step in the process of implementing training? a. administer the program b. hire expert consultants c. motivate management and employees d. identify target audiences
b. hire expert consultants
Which of the following is a common element of the enterprise information security policy? a. access control lists b. information on the structure of the InfoSec organization c. articulation of the organization's SDLC methodology d. indemnification of the organization against liability
b. information on the structure of the InfoSec organization
What is the first phase of the SecSDLC? a. analysis b. investigation c. logical design d. physical design
b. investigation
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? a. enterprise information b. issue-specific c. systems specific d. user-specific
b. issue-specific
Which of the following is an information security governance responsibility of the chief information security officer? a. develop policies and the program b. set security policy, procedures, programs, and training c. brief the board, customers, and the public d. implement incident response programs to detect security vulnerabilities and breaches
b. set security policy, procedures, programs, and training
Human error or failure often can be prevented with training and awareness programs, policy, and ____. a. outsourcing b. technical controls c. hugs d. ISO 27000
b. technical controls
Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function? a. the average salary of the top security executive typically exceeds that of the typical IT executive, creating professional rivalries between the two b. there is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information c. there is a fundamental difference in the mission of the InfoSec department, which seeks to minimize access to information, and the IT function, which seeks to increase accessibility of information d. None of the above are reasons the InfoSec department should NOT fall under the IT function
b. there is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information
Digital forensics can be used for 2 key purposes: a. e-discovery & to perform root cause analysis b. to investigate allegations of digital malfeasance & to perform root cause analysis c. to solicit testimony & to perform root cause analysis d. to investigate allegations of digital malfeasance & to solicit testimony
b. to investigate allegations of digital malfeasance & to perform root cause analysis
The final component of the design and implementation of effective policies is _____. a. full comprehension b. uniform and impartial enforcement c. complete distribution d. universal distribution
b. uniform and impartial enforcement
Which of the following is NOT among the 3 types of InfoSec policies based on NIST's Special Publication 800-14? a. enterprise information security policy b. user-specific security policies c. issue-specific security policies d. system-specific security policies
b. user-specific security policies
Which of the following is NOT an aspect of access regulated by ACLs? a. what authorized users can access b. where the system is located c. how authorized users can access the system d. when authorized users can access the system
b. where the system is located
Which of the following is NOT a step in the problem-solving process? a. select, implement, and evaluate a solution b. analyze and compare possible solutions c. build support among management for the candidate solution d. gather facts and make assumptions
c. build support among management for the candidate solution
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons? a. for purposes of commercial advantage b. for private financial gain c. for political advantage d. in furtherance of a criminal act
c. for political advantage
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____. a. false alarms b. polymorphisms c. hoaxes d. urban legends
c. hoaxes
Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected? a. accountability b. availability c. privacy d. confidentiality
c. privacy
Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process c. utilizing the technical expertise of the individual administrators d. coordinated planning from upper management
c. utilizing the technical expertise of the individual administrators
Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infraction? a. Authorized Access and Usage of Equipment b. Systems Management c. Prohibited Usage of Equipment d. Violations of Policy
d. Violations of Policy
Which of the following is NOT a part of an information security program? a. technologies used by an organization to manage the risks to its information assets b. activities used by an organization to manage the risks to its information assets c. personnel used by an organization to manage the risks to its information assets d. all of these are part of an information security program
d. all of these are part of an information security program
Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information? a. integrity b. availability c. authentication d. confidentiality
d. confidentiality
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness of wrongness of the consequences (AKA duty based ethics) a. applied ethics b. meta-ethics c. normative ethics d. deontological ethics
d. deontological ethics
Which of the following variables is the most influential in determining how to structure an information security program? a. security capital budget b. competitive environment c. online exposure of organization d. organizational culture
d. organizational culture
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy? a. policy developer b. policy reviewer c. policy enforcer d. policy administrator
d. policy administrator
This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator . a. security technician b. security analyst c. security consultant d. security manager
d. security manager
In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it? a. spiral b. evolutionary prototyping c. agile d. waterfall
d. waterfall
A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as ______ a. e-discovery b. forensics c. indexing d. root cause analysis
a. e-discovery
The protection of voice and data components, connections, and content is known as __________ security. a. network b. national c. cyber d. operational
a. network
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT ______. a. proper conception b. proper design c. proper development d. proper implementation
a. proper conception
Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? a. theft b. espionage/trespass c. sabotage/vandalism d. information extortion
a. theft
Which of the following is an advantage of the user support group form of training? a. usually conducted in an informal social setting b. formal training plan c. can be live, or can be archived and viewed at the trainee's convenience d. can be customized to the needs of the trainee
a. usually conducted in an informal social setting
Larger organizations tend to spend approximately ___ percent of the total IT budget on security. a. 2 b. 5 c. 11 d. 20
b. 5
Which of the following should be included in an InfoSec governance program? a. an InfoSec maintenance methodology b. an InfoSec risk management methodology c. an InfoSec project management assessment d. all of these are components of InfoSec governance program
b. an InfoSec risk management methodology
Force majeure includes all of the following EXCEPT: a. acts of war b. armed robbery c. civil disorder d. forces of nature
b. armed robbery
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. ignorance b. malice c. accident d. intent
b. malice
Which function of InfoSec management encompasses security personnel as well as aspects of the SETA program? a. protection b. people c. projects d. policy
b. people
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called __________. a. copyright infringement b. software piracy c. trademark violation d. data hijacking
b. software piracy
What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication
c. accountability
Which of the following is a policy implemetnation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? a. on-target model b. Wood's model c. bulls-eye model d. Bergen and Berube model
c. bulls-eye model
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. a. management directive & technical specifications b. management guidance & technical directive c. management guidance & technical specifications d. management specification & technical directive
c. management guidance & technical specifications
Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. tort b. criminal c. private d. public
c. private
Which of the following is NOT a primary function of information security management? a. planning b. protection c. projects d. performance
c. projects
What is the SETA program designed to do? a. rescue the occurrence of external attacks b. improve operations c. reduce the occurrence of accidental security breaches d. increase the efficiency of InfoSec staff
c. reduce the occurrence of accidental security breaches
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________. a. subpoena b. forensic finding c. search warrant d. affidavit
c. search warrant
The basic outcomes of InfoSec governance should include all but which of the following? a. value delivery by optimizing InfoSec investments in support of organizational objectives b. performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved c. time management by aligning resources with personal schedules and organizational objectives d. resource management by utilizing information security knowledge and infrastructure efficiently and effectively
c. time management by aligning resources with personnel schedules and organizational objectives
Smaller organizations tend to spend approximately ___ percent of the total IT budget on security. a. 2 b. 5 c. 11 d. 20
d. 20
What are the 2 general approaches for controlling user authorization for the use of a technology? a. profile lists and configuration tables b. firewall rules and access filters c. user profiles and filters d. access control lists and capability tables
d. access control lists and capability tables
In which phase of the SecSDLC does the risk management task occur? a. physical design b. implementation c. investigation d. analysis
d. analysis
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community ? a. utilitarian b. virtue c. fairness / justice d. common good
d. common good
The ______ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. a. investigation b. analysis c. implementation d. design
d. design
Which of the following is the most cost-effective method for disseminating security information and news to employees? a. employee seminars b. security-themed Web site c. conference calls d. e-mailed security newsletter
d. e-mailed security newsletter
