DEVELOPING AND IMPLEMENTING SECURITY POLICIES
True or False? An organization can set up a sound policy framework that can prevent any issues from occurring in information systems security (ISS).
False
True or False? As leaders across the organization, security committee members review business processes and determines possible risks and threats. The team works closely with the business to understand any existing threats of fraud.
False
True or False? As part of an incident response team (IRT), the information security representative has intimate knowledge of the systems and configurations.
False
True or False? Bandwidth within a local area network (LAN) increases as new services such as voice over Internet Protocol (VoIP) and video are offered.
False
True or False? Basic security awareness training is sufficient for chief information officers (CIOs).
False
True or False? Beyond computer workstation usage, email usage is the only employee action subject to monitoring.
False
True or False? COSO is an international governance and controls framework and a widely accepted standard for assessing, governing, and managing IT security and risks.
False
True or False? Change management logs should be maintained off-system.
False
True or False? Control partner network access should be highly prohibiting, allowing access to specific functions.
False
True or False? Created by NIST, the Security Content Automation Protocol (SCAP) is a commercial vulnerability scanner.
False
True or False? Data classification sensitivity refers to how important the information is to achieving the organization's mission, where criticality refers to the impact associated with unauthorized disclosure of information.
False
True or False? Discovery management systems extract logs from a device and typically move logs to a central repository.
False
True or False? Encryption ensures integrity as well as availability.
False
True or False? Executive management offers its support of information security policy solely in the form of mandates and budgets.
False
True or False? Hacking is attractive because of the ease with which data can be obtained compared with social engineering.
False
True or False? The dollars spent for security measures to control or contain losses should never be less than the estimated dollar loss if something goes wrong.
False
True or False? The incident response team (IRT) is activated for all incidents.
False
True or False? The main difference between a policy or standard revision and an update is that the former consists of minor edits, whereas the latter may require changes of major or minor significance.
False
True or False? The primary goal of the General Data Protection Regulation (GDPR) is to outline goals, activities, tasks, inputs, and outputs for service management.
False
True or False? The process of authentication, in which an identity is verified, explicitly applies to human users.
False
True or False? The public sector and private sector share the same definition of data privacy.
False
True or False? The purpose of a consequence model is to track policy violations in employee records.
False
True or False? The recovery point objective (RPO) is the length of time within which a business process should be recovered after an outage or downtime.
False
True or False? The term "digital asset" is interchangeable with "intellectual property."
False
True or False? Though security awareness is widely recommended, the only federal mandate that requires an organization to have a security awareness programs is the Gramm-Leach-Bliley Act.
False
True or False? A privileged-level access agreement (PAA) is designed to heighten the awareness and accountability of users who have administrative rights.
True
True or False? A procedure is a written instruction on how to comply with a standard.
True
True or False? A project committee is a type of gateway committee that approves project funding, phases, and base requirements.
True
True or False? A risk assessment defines threats and vulnerabilities and determines control recommendations.
True
True or False? A risk exposure is the impact to the organization when an event occurs.
True
True or False? A risk-aware culture means the people in an organization share a common set of values, beliefs, and knowledge about the importance of managing risks.
True
True or False? A router is a network device that connects LANs, or a LAN and a WAN.
True
True or False? A security awareness policy should inform workers of how to deal with unexpected risk.
True
True or False? A security awareness program should teach an employee where to go for help.
True
True or False? A security token is either a software code or hardware device that produces a "token" during the logon stage, which is usually represented as a series of numbers.
True
True or False? A significant objective in telecommunication standards is the need to identify the devices and protocols to be used and then determine how to handle data on those devices.
True
True or False? A stateful firewall watches the traffic for a given connection and inspects the packets containing the data, looking for patterns and sequences that do not make sense.
True
True or False? A system account that is noninteractive is one to which a person cannot log on.
True
True or False? A town hall meeting is a community-building effort comprised of different teams for the purpose of sharing new developments and discussing topics of concern in an open setting.
True
True or False? A trusted timestamp is a LAN control standard that explains the need for trusted timestamps and timeservers for audit record production.
True
True or False? A well-defined governance and compliance framework provides a structured approach to governance and compliance.
True
True or False? An acceptable use policy (AUP) is a formal written policy describing employee behavior when using company computer and network systems.
True
True or False? An audit record retention procedure is a LAN Domain control procedure for preserving audit records.
True
True or False? An enterprise view allows senior leaders to understand how risk affects the entire organization.
True
True or False? An operating model can help you understand how security controls are to be implemented.
True
True or False? An organization should prioritize the inventory of assets, starting with the most sensitive.
True
True or False? An organization should put in place both disciplinary actions for not following policies and recognition for adhering to policies.
True
True or False? An over classification of data might indicate an unnecessarily costly means of securing data that is not as vital, whereas under classification suggests that the most vital data may not be sufficiently secured.
True
True or False? Antivirus software is an example of a technical control.
True
True or False? As the people responsible for ensuring data quality within the business unit, data stewards are the owners of the data.
True
True or False? Automated controls can validate that an access request is complete and does not violate any policy requirements such as segregation of duties.
True
True or False? Automated controls should be used in the enforcement of policies whenever possible.
True
True or False? Availability ensures information is available to authorized users and devices.
True
True or False? Because incidents can eventually become court cases, it is necessary that the actions of the incident response team (IRT) demonstrate due care, which requires that steps or actions are taken to mitigate harm to another party.
True
True or False? Because some security work is heavily reliant on human judgment, not all controls are subjected to automation.
True
True or False? Best practices are typically the common practices and the professional care expected for an industry.
True
True or False? Business liability insurance lowers the financial loss to an organization in the event of an incident.
True
True or False? Business process reengineering (BPR) should include information systems security concerns and updated those policies and procedures as needed.
True
True or False? Business requirements lead to controls, which lead to reduced risk.
True
True or False? Business risks, compliance, and threat vectors are considered when developing security policies.
True
True or False? C-level executives, such as CIOs and CEOs, are often the target of social engineering.
True
True or False? Change management reviews must consider regulatory and compliance matters because a change could result in compliance violations.
True
True or False? Changes made to a network are recorded in change management logs that create an audit trail.
True
True or False? Charters are formal documents that outline the committee's goals and mission.
True
True or False? Companies seek to monitor employee email usage to safeguard against malware, viruses, sensitive information, and data leakage protection (DLP).
True
True or False? Compliance can be defined as the ability to reasonably ensure conformity and adherence to both internal and external policies, standards, procedures, laws, and regulations.
True
True or False? Components, such as a database server, are defined during the business impact analysis (BIA) as well as their impact on the business.
True
True or False? Control Objectives for Information and related Technology (COBIT) is a widely accepted international best practices framework.
True
True or False? Data exists generally in one of two states: data at rest, such as on a backup tape, or data in transit, such as when traveling across a network.
True
True or False? Data owners ensure that only the access needed to perform day-to-day operations is granted and that duties are separated adequately to mitigate the risk of errors and fraud.
True
True or False? The main intent of a business impact analysis (BIA) is to identify which assets are required for the business to recover and continue doing business.
True
True or False? The majority of U.S. states have privacy laws that include encryption requirements.
True
True or False? The phrase "tone at the top" refers to the ways that a company's leaders express their commitment to security policies and make sure every employee knows the priorities.
True
True or False? The process known as "lessons learned" seeks to guarantee that mistakes are only made once and not repeated.
True
True or False? The reliability of a virtual private network (VPN) depends on the Internet service provider (ISP).
True
True or False? The risk and control self-assessment (RCSA) is utilized to construct plans for risk management, which can include the location of where to implement the procedures for quality assurance and quality control.
True
True or False? The speed and reliability with which mobile devices access and exchange data depend on location and carrier.
True
True or False? The term "compliance" refers to how well an individual or business adheres to a set of rules.
True
True or False? The term "entitlement" is related to restricting the type of access a user has.
True
True or False? The use of user IDs and passwords as authentication methods remains a minimum standard for many organizations.
True
True or False? There are two reasons that an industry prefers self-regulation to government regulation: cost and flexibility.
True
True or False? Three common ways to organize collections of security policies are by functional area, layers of security, or domain.
True
Which of the following is most commonly found in the WAN Domain and the Remote Access Domain of a typical IT infrastructure? - Router - Switch - Firewall - Virtual private network
Virtual private network
Security controls define __________you protect information. Security policies should define __________you set the goal. - how, why - why, how - whether, if - where, when
how, why
True or False? An important policy in the System/Application Domain is how to filter traffic between the Internet and the internal network.
False
True or False? A person with vendor status directly reports to the vendor company, and that company often manages their access.
True
True or False? An acceptable use policy provides guidance to employees on posting the organization's information online.
False
True or False? An agent of change in an organization should be a leader who follows the pack.
False
True or False? An auditor acts as an advocate for information security and helps its specific departments or groups answer questions related to their obligations for compliance.
False
True or False? An automated control is best described as a common control that is used across a significant population of systems, applications, and operations.
False
True or False? A physical control refers to some physical device that prevents or deters access.
True
Which of the following is an example of "limited use of personal data"? - A bank that just approved your credit card purchase of a surfboard cannot share that information with a company that sells beach vacations. - A form you must sign states "I have read and I understand the provided information and have had the opportunity to ask questions." - A written document from a company describes how it plans to use your personal information. - A real estate company that, after selling your home, asks permission to share your information with a moving company.
A bank that just approved your credit card purchase of a surfboard cannot share that information with a company that sells beach vacations.
An important principle in information security is the concept of layered security, which is also called defense in depth. Which of the following is not an example of a layer of security? - Secure code in an application - A baseline standard - Storage security - A firewall
A baseline standard
Which of the following statement states the difference between business liability and a business's legal obligation? - A business liability emerges when an organization fails to meet its obligation or duty. A business's legal obligation is an action that it is required to take in compliance with the law. - Business obligation occurs when an organization cannot meet its business liability. - A business's liability is an action the business is required to take in compliance with the law, whereas a business obligation occurs when a company fails to meet the standards established by its employees and community. - Business liability is a legal commitment, whereas business obligation is a subset of an organization's overall risk exposure.
A business liability emerges when an organization fails to meet its obligation or duty. A business's legal obligation is an action that it is required to take in compliance with the law.
The struggle between how to manage a business versus how to "grow" has significant implications for security policies that must reflect the core values of the business. Which of the following statements reflects one of the security policy approaches often taken by entrepreneurs growing a business? - A company in its startup stages often hires professional managers and defers to their judgment about how to create the business culture. - A company in its early startup stages focuses on stability and seeks to avoid risk. - A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk. - A company starts growing its bureaucracy as early in its development as possible.
A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk.
Depending on the organization, the control procedure of the Domain Name System (DNS) might be built into the WAN standard. This standard identifies the criteria securing a domain name. Which of the following is not one of the types of approvals that is typically used to track domains? - An explanation of how the domain will be used - A description of when and how web services may be used - The server name and Internet Protocol (IP) address where the DNS will be registered - A justification for using a new domain name
A description of when and how web services may be used
Which of the following scenarios demonstrates consideration of building consensus on policy intent? - A manager seeks the expertise of technical staff with specific technical knowledge in the area about a particular policy area. - A manager calls a meeting with employees to discuss the drivers for the change in terms of the architecture operating model and principles. - A manager shares policy documents with employees to gain feedback for revision before implementation. - A manager calls a meeting with employees to announce when new security policies will be implemented in the organization.
A manager calls a meeting with employees to discuss the drivers for the change in terms of the architecture operating model and principles.
Which of the following situations best illustrates the process of authentication?
A website that requires use of a strong password
_________are formal written policies describing employee behavior when using company computer and network systems. - Waiver requests - Nondisclosure agreements - Confidentiality agreements - Acceptable use policies
Acceptable use policies
There are many different types of automated controls that are configured into devices for the purpose of enforcing a security policy. Which of the following is not an automated control?
Access rights review
If a security policy clearly distinguishes the responsibilities of computer services providers from those of the managers of applications who use the computer services, which of the following goals is served? - Availability - Accountability - Compliance - Confidentiality
Accountability
Principles for Policy and Standard Development
Accountability principle - The personal responsibility of information systems security should be explicit. Some roles in the organization are accountable only for the work they perform daily. Other roles are accountable for their own work, plus all the work performed by their team of employees. Accountability helps to ensure that people understand they are solely responsible for actions they take while using organization resources. You can think of accountability as a deterrent control. Awareness principle - Owners, providers, and users of information systems, as well as other parties, should be informed of the existence and general context of policies, responsibilities, practices, procedures, and organization for security of information systems. Put more simply, it is unlikely that stakeholders will comply with policies they are not aware of. Ethics principle - The way information systems are designed, and the level of access to data reflected in the security controls, should operate in accordance with the organization's ethical standards. This includes the level of disclosure and access to customer data. This also needs to be entrenched in the organizational culture in order to be effective. Multidisciplinary principle - Policy and standards library documents should be written to consider everyone affected ncluding technical, administrative, organizational, operational, commercial, educational, and legal personnel. Proportionality principle -Security levels, costs, practices, and procedures should be appropriate and proportionate to the value of the data and the degree of reliance on the system. They should also be proportional to the potential severity, probability, and extent of harm to the system or loss of the data. In other words, don't spend $1000 to protect $500 worth of assets
Which of the following is a security control classification that relies on a human to take some action? - Detective - Physical - Administrative - Corrective
Administrative
Which of the following outcomes is one of the benefits of a risk management approach to security policies?
Alternative courses of action are offered that might not be obvious to leaders.
Assume your organization has 200 computers. You could configure a tool to run every Saturday night. It would query each of the systems to determine their configuration and verify compliance. When the scans are complete, the tool would provide a report listing all systems that are out of compliance, including specific issues. What type of tool is being described?
An automated configuration scanner with scheduling abilities
An efficient organization requires the proper alignment of people, processes, and technology. One of the ways good security policies can mitigate this risk is through enforcement. Which of the following situations is an example of enforcement? - An employee is required to submit weekly project updates to a manager. - An employee is given a commendation for a successfully complying with polices in an annual review. - An employee is given the authority to request a wire transfer, and a manager is required to approve the transfer. - An employee completes a one-day orientation on security policies.
An employee is given the authority to request a wire transfer, and a manager is required to approve the transfer.
A class of software that supports policy management and publication is called Governance, Risk, and Compliance (GRC). Which of the following explanations fits the "governance" category of the software? - Tracking exceptions to security regulations and policies - Supporting quantification, analysis, and mitigation of risk within the organization - Authoring, distribution, and policy and controls mapping to the governing regulation - Assessing the proper technical and non-technical operation of controls and mitigating/remediating areas where controls are lacking or not operating properly
Assessing the proper technical and non-technical operation of controls and mitigating/remediating areas where controls are lacking or not operating properly
Which of the following is not one of the five pillars of the information assurance (IA) model?
Assurance
_______________ is a measurement that quantifies how much information can be transmitted over the network. - DMZ - Cloud storage - Memory - Bandwidth
Bandwidth
Which of the following standards focuses on the secure configuration of a specific system, device, operating system, or application? - Baseline standard - Industry-specific standard - Statement of an issue standard - Issue-specific standard
Baseline standard
A procedure document should accompany every baseline standard document. Which of the following is a true statement about the circumstances for when a procedure document needs to be created? - Because many configuration processes reuse the same procedure, there does not need to be a new procedure document for every configuration. - Every device configuration requires a specific procedure, so there needs to be a related procedure document. - Because monitoring software detects when devices are not compliant with the baseline, a procedure document is needed for every configuration. - Because the tools and methods for all configurations are unique, a new procedure document always needs to be generated.
Because many configuration processes reuse the same procedure, there does not need to be a new procedure document for every configuration.
Bill is promoted to a position that has an elevated level of trust. He started with the organization in an entry-level position, and then moved to a supervisory position and finally to a managerial role. This role entails that the employee trains other employees and has a deep understanding of how the department functions. Which of the following actions should be taken that provide adequate access for Bill without making him a target of suspicious activity? - Bill should be granted access based on his current and past roles. - Bill should have prior access removed to ensure separation of duties and avoid future instances of security risk. - Because Bill needs to train other employees, he should have the access granted in his previous roles. - Bill should request that his access be downgraded.
Bill should have prior access removed to ensure separation of duties and avoid future instances of security risk.
Although it is impossible to eliminate all business risks, a good policy can reduce the likelihood of risk occurring or reduce its impact. A business must find a way to balance a number of competing drivers. Which of the following is not one of these drivers? - Cost - Customer satisfaction - Compliance - Breaches
Breaches
During the COBIT __________domain phase, the service level agreement (SLA) plays a significant role because it determines the type of solutions that will be selected. Additionally, change management is critical to this phase.
Build, Acquire, and Implement
Policy and standards often change as a result of business drivers. Which of the following drivers is most closely associated with shifts in business and the introduction of new systems or processes? - Strategic change - Regulatory change - Business exception - Legal change
Business exception
Business Drivers for Policy and Standard Changes
Business exceptions- As the business changes, new systems or processes are introduced. They may vary from what a policy or standard requires. Business innovations- New opportunities for revenue growth or cost reduction can lead to innovative changes that were previously not considered. Standards may need to adapt to these innovations or be adjusted to permit innovations. Business technology innovations- New technology often comes with unknowable risks until you gain experience using it. Standards may need revisions to allow for the use of the new technology or for use in new ways that were not envisioned when the standards were developed. Strategic changes- An organization may change its business model and come under new regulatory requirements. For example, an organization might purchase a bank to reduce the costs of credit card processing. In this case, changes to an existing standard are far-reaching and may affect every standard in place. Legal changes- There can be new laws or changes to existing laws that require business policy to change. The most obvious recent example of this is the GDPR in Europe. Any organization that does business in Europe must implement policies to adhere to GDPR. Regulatory changes— If an organization's operations require compliance with some regulation, then any change in that regulation will likely lead to an update or change to organizational policies. Payment Card Industry Data Security Standard (PCI-DSS) is a good example. If an organization processes credit card data, then when PCI-DSS is updated or changed, the organization must make relevant changes to its own policies.
While these two approaches have similarities in terms of the topics they address, __________ covers broad IT management topics and specifies which security controls and management need to be in place, while __________ goes into more detail on how to implement controls but is less specific about the broader IT management over the controls. - COSO, ITIL - ITIL, COSO - ISO, COBIT - COBIT, ISO
COBIT, ISO
Which of the following is an approach to handheld device use that presents users with a list of approved devices, and if the user purchases one of those, they can connect it to the company network? - CYOD - VoIP - COPE - BYOD
CYOD
In order for an IT security framework to meet information assurance needs, the framework needs to include policies for several areas. Which of the following is not one of the areas? - Implementation of appropriate accounting and other integrity controls - Assurance of a level of uptime of all systems - Automation of security controls, where possible - Calculations for risk appetite and risk tolerance
Calculations for risk appetite and risk tolerance
The __________ is a law that tells schools and libraries that receive federal funding that they must block pornographic and explicit sexual material on their computers. - Family Educational Rights and Privacy Act (FERPA) - Children's Internet Protection Act (CIPA) - Federal Communications Commission (FCC) - Health Insurance Portability and Accountability Act (HIPAA)
Children's Internet Protection Act (CIPA)
Classifying all data in an organization may be impossible. There has been an explosion in the amount of unstructured data, logs, and other data retained in recent years. Trying to individually inspect and label terabytes of data is expensive, time consuming, and not productive. Different approaches can be employed to reduce this challenge. Which of the following is not one these approaches?
Classify all forms of data no matter the risk to the organization.
One of the six specifications for entities that implement Security Content Automation Protocol (SCAP) calls for providing specific names for security software configurations. This specification provides a standard naming convention used by different SCAP products. Which of the following specifications fits this description?
Common Configuration Enumeration (CCE)
In most organizations, it is impractical to forbid personal devices. However, these devices pose substantial security risks. Which of the following approaches gives the organization a high degree of control over the device's security, but parsing the employee's personal data from organization's data can be problematic when the employee leaves? - Network access control (NAC) - Bring your own device (BYOD) - Choose your own device (CYOD) - Company-owned and personally enabled (COPE)
Company-owned and personally enabled (COPE)
No mandatory data classification scheme exists for private industry. However, there are four classifications used most frequently. Which of the following is not one of the four?
Competitive
Composed of the Federal Information Processing Standards (FIPS), the NIST framework is a shared set of security standards required by: - ISO. - FISMA. - COBIT. - PCI DSS.
FISMA.
__________ controls the processes associated with monitoring and changing configuration throughout the life of a system. This includes the original baseline configuration.
Configuration management
Isabelle is a network engineer. Her organization recently experienced a security breach due to a wrongly configured system. She is looking for a solution that stores information about hardware and software assets throughout their life cycle. Her goal is to be able to identify the accurate configuration of any system at any moment. The solution should store security settings as well. Which of the following is the best solution?
Configuration management database
__________ in e-commerce broadly deal with creating rules on how to handle a consumer's transaction and other information. - Security controls - Shareholder rights - Personal privacy - Consumer rights
Consumer rights
Which of the following user groups consists of temporary workers that can be assigned to any role and are directly managed by the organization in the same manner as employees? - Control partners - Contractors - Vendors - Guests and general public
Contractors
Which of the following policy frameworks is a widely accepted set of documents that is commonly used as the basis for an information security program and is an ISACA initiative? - NIST SP 800-53 - Control Objectives for Information and related Technology (COBIT) - ISO/IEC 30105 - ISO/IEC 27002
Control Objectives for Information and related Technology (COBIT)
__________is a widely accepted international best practices framework for implementing information systems security.
Control Objectives for Information and related Technology (COBIT)
Of the following user types, which is responsible for evaluating an organization's controls for design and effectiveness? - Security personnel - Control partner - System administrator - Vendor
Control partner
Aditya is a security professional. He is beginning the process of implementing a new security policy. He has gathered information on business risks, compliance, and threat vectors. What is the next thing he should address?
Control target state
Security controls are measures taken to protect systems from attacks on the integrity, confidentiality, and availability of the system. Closing a firewall port is an example of which of the following? - Preventive security control - Recovery security control - Corrective control - Physical security control
Corrective control
Carl is a security professional. He needs to ensure the confidentiality of his company's emails. Which of the following would be least helpful in ensuring confidentiality? - Require that all emails containing sensitive information be encrypted. - Create an objective of ensuring that all sensitive information be protected against eavesdropping. - Ensure that only authorized individuals have access to the decryption key for encrypted emails. - Create a procedure that describes how to back up stored emails.
Create a procedure that describes how to back up stored emails.
When publishing a policy and standards library, it is necessary to evaluate the communications tools that are available in your organization. Which of the following statements is a best practice for publishing documents? - Documents should only be made available on drives that are accessible to one user at a time. - Create a separate webpage for each document and provide a link to the document itself on that webpage. - Word processing documents should always be used because they are convenient and user-friendly. - After a document is published, it should not be revised in order to maintain consistency.
Create a separate webpage for each document and provide a link to the document itself on that webpage.
__________ refers to an attempt to cause fear or major disruptions in a society through hacking computers. Such attacks target government computers, major companies, or key areas of the economy. - Globalization - Sovereign war - Cyberterrorism - Nation-state policy
Cyberterrorism
Which of the following is not one of the consequences of an unmotivated employee?
Fails to report a control weakness
There are many barriers to policy acceptance and enforcement. Which of the following is not one the challenges to policy acceptance?
Failure to report infractions
In order to build a coalition, it's the responsibility of the information security officer (ISO) to reach out to stakeholders, explain the policy change, and listen to concerns. Many organizations have what are called control partners, who give input before a policy change can be made. Which of the following is not an example of control partners found in many large organizations? - Internal auditors - Legal professionals - Data custodians - Operational risk managers
Data custodians
During the COBIT __________domain phase, you analyze data from the prior phase and compare it with day-to-day operations, and then apply lessons learned to improve operations.
Deliver, Service, and Support
Which of the following is a security incident for which the incident response team (IRT) must be activated?
Duplicating customer information derived from a database
Security policies that clarify and explain how rights are assigned and approved among employees can ensure that people have only the access needed for their jobs. Which of the following is not accomplished when prior access is removed? - Reduction of overall security risk to the organization - Maintenance of separation of duties - Elimination of future instances of human error - Simplification of incident investigation
Elimination of future instances of human error
The goal of employee awareness and training is to ensure that individuals are equipped with the tools necessary for the implementation of security policies. Which of the following is one of the other benefits of a successfully enacted training and awareness program?
Employees will have more opportunities to acquire new skills.
A security baseline is deployed in your organization. You discover that one system is regularly being reconfigured. The security tool fixes it, and then the next scan shows it has changed again. You want to know who or what is making this change. Which is the best first step to resolve the issue?
Enable auditing and then view the audit trail.
There must be security policies in place to set core standards and requirements when it comes to encrypted data. Which of the following is not one of these standards or requirements?
Encryption keys must be located on the same server as the encrypted data.
Which of the following is not one of the four domains that collectively represents a conceptual information systems security management life cycle?
Evaluate, Assess, and Recover
The Family Educational Rights and Privacy Act (FERPA) requires several key elements in a security policy for compliance. Which of the following is a key element that states that schools can share information without permission for legitimate education evaluation reasons as well as for health and safety reasons? - Awareness - Exclusions - Unblocking - Permission
Exclusions
The Family Educational Rights and Privacy Act (FERPA) requires several key elements in a security policy for compliance. Which of the following is a key element that states that schools can share information without permission for legitimate education evaluation reasons as well as for health and safety reasons? - Awareness - Unblocking - Permission - Exclusions
Exclusions
The information security program charter is the capstone document for the information security program. This required document establishes the information security program and its framework. Which of the following components is not defined by this high-level policy? - Explanation of penalties and disciplinary actions for specific infractions - The program's scope within the organization - The program's purpose and mission - Assignment of responsibilities for program implementation
Explanation of penalties and disciplinary actions for specific infractions
Which of the following gateway committees defines how data is transmitted outside the organization? This includes how and what data is sent and received.
External connection committee
True or False? A "gold set" refers to the original computer image that is duplicated for deployment.
False
True or False? A benefit to giving system administrators enhanced access rights is that it significantly increases security to the organization.
False
True or False? A best practice for creating a data classification scheme is to classify data in the most effective manner that classifies the lowest-risk data first.
False
True or False? A best practice for policies and standards maintenance is to establish a one-time review process for documents in draft form.
False
True or False? A confidentiality agreement (CA) is a non-legal agreement between human resources and employees.
False
True or False? A digital signature is a value that identifies a file's destination.
False
True or False? A firecall system is a tool that automatically shuts down a system when a threat is detected.
False
True or False? A flat network limits what and how computers are able to talk to each other.
False
True or False? A lack of standardization within an infrastructure is a significant technical challenge that is directly caused by inconsistent configurations.
False
True or False? A mitigating control achieves the desired outcome and policy intent.
False
True or False? A policy is a process or a method for implementing a solution.
False
True or False? A procedure document is a policy document that explains core security control requirements.
False
True or False? A procedure is a high-level statement, belief, goal, or objective.
False
True or False? A security expert, such as a chief information security officer (CISO), would be a good security awareness trainer because of their depth of knowledge.
False
True or False? A threat vector is an item of code on a distributed device that reports the condition of the device to a central server.
False
True or False? A vulnerability is a human-caused or natural event that could impact a system.
False
True or False? All members of the core incident response team (IRT) are activated for every security event.
False
True or False? Although automated controls can eliminate human error in many cases, the controls cannot be configured to log and track activity.
False
True or False? Among the ways that one's privilege status can be raised for the sake of solving a security access problem is to provide a trouble ticket, which issues non-permanent, enhanced access to previously unprivileged users.
False
True or False? In Information Technology Infrastructure Library (ITIL), service strategy relates to ongoing support of a service, and service operation relates to how to define the governance and portfolio of services.
False
True or False? In U.S. compliance laws, the intended objective of the concept of "limited use of personal data" is the practice of asking permission for how personal information can be used beyond its original purpose.
False
True or False? In an attribute-based access control (ABAC) model, roles assigned are static, whereas in a role-based access control (RBAC), roles are built more dynamically.
False
True or False? In an organizational structure, the stakeholders in the line of business are focused on effective comprehensive assurance policies.
False
True or False? In many cases, vulnerability scanning involves a group of people posing as hackers who deploy social engineering and other techniques to try to hack the systems or network.
False
True or False? In the three-lines-of-defense model of risk management, the enterprise risk management program is responsible for controlling risk on a daily basis.
False
True or False? Integrity broadly means limiting disclosure of information to authorized individuals.
False
True or False? Integrity ensures that only authorized individuals are able to access information.
False
True or False? It is generally recommended that security policies focus on specific products rather than broader capabilities.
False
True or False? It is possible to discover a potential threat in the Risk Governance domain of the ISACA Risk IT framework and quickly assess its impact using theRisk Evaluation domain.
False
True or False? It is rare that technology outages occur apart from a security breach.
False
True or False? Leasing private lines for wide area networks (WANs) is typically less expensive than using virtual private network (VPN) tunnels.
False
True or False? Motivated employees are more likely to embrace the implementation of security policies, but this does not correlate to more risks being identified and mitigated for the organization.
False
True or False? Network access control (NAC) is an approach to mobile device management that allows devices to connect to only a guest network, not the corporate network.
False
True or False? No circumstances should allow for operational deviation from security policies.
False
True or False? Of the different risks that can occur in an IT security framework, events that transpire outside an organization's domain of control and impact IT operations fall under the category of operational risks.
False
True or False? Of the people working in concert with security teams to ensure data quality and protection, the head of information management is responsible for executing policies and procedures, such as backup, versioning, uploading, and downloading.
False
True or False? Organizations should retain information forever to satisfy the purposes of legal obligations and business operations.
False
True or False? Policies and standards are a collection of comprehensive definitions and should contain a significant level of detail and description.
False
True or False? Preemployment screening of personnel is an example of a corrective security control.
False
True or False? President Theodore Roosevelt's "speak softly and carry a big stick" is considered to be a poor approach to implementing security policies.
False
True or False? Public interest is the practice of telling individuals how their personal information will be protected.
False
True or False? RADIUS is an organizational model that focuses on the design, integration, security, distribution, and management of data across the enterprise.
False
True or False? Random audits negatively impact an organization's overall security posture.
False
True or False? Regarding policy framework documents, a policy is optional.
False
True or False? Regarding policy violations, a consequence model is intended to be punitive for individuals.
False
True or False? Regarding security policies, the term "granularity" indicates how specific the policy is regarding resources or rules. The less granular the policy, the easier it is to enforce and to detect violations.
False
True or False? Risk tolerance is often expressed in terms of a dollar amount.
False
True or False? System administrators are typically responsible for audit coordination and response, physical security and building operations, and disaster recovery and contingency planning.
False
True or False? The Committee of Sponsoring Organizations (COSO) is an endorsed framework that companies commonly use to meet SOX 404 requirements.
False
True or False? The MITRE Corporation Framework was created to ensure a company's financial reports were free from fraud and accurately represented.
False
True or False? The Sarbanes-Oxley (SOX) Act was meant to repeal existing laws so that banks, investment companies, and other financial services companies could merge.
False
True or False? The acceptable use policy (AUP) is a document dedicated to the safeguarding of passwords.
False
True or False? The central role of the security compliance committee is to approve risk tolerance and oversee risk appetite to the business.
False
True or False? Under the adversary principle, a common core security principle, security increases when it is implemented as a series of overlapping layers of controls and countermeasures that provide prevention, detection, and response to secure assets.
False
True or False? Users are ultimately accountable for protecting information.
False
True or False? When creating a company's security policy, it is not necessary that the scope align with the company's annual information security budget.
False
True or False? When handling data, the process of data creation must ensure that data is encrypted, protected, and tracked upon arrival at its destination.
False
True or False? When writing policies, it is best practice to be intentionally vague regarding the accountability of roles.
False
True or False? Where governance, risk management, and compliance (GRC) takes a broad look at risk, enterprise risk management (ERM) is technology-focused.
False
True or False? Whereas a governance committee deals with the details for maintaining daily business operations, a management committee establishes strategic direction.
False
True or False? Whereas a guideline is a required control, a standard is a recommendation.
False
True or False? Whereas service standardization generally refers to how much shared data is used across a business, service integration refers to how much control the business has in setting up its solutions and processes.
False
True or False? While incident response procedures should be tested, incident response policies cannot be tested.
False
True or False? Within IT, a protocol provides a standard focused on a specific technology used within an organization.
False
Successful security policy implementation in the workplace depends on people understanding key concepts and embracing the material. Thus, people need to be motivated to succeed if they are going to implement such policies. Which of the following sources of motivation is generally not recommended? - Desire - Fear - Self-interest - Pride
Fear
The ultimate goal of the review and approval processes is to gain senior executive approval of the policy or standard by the chief information security officer (CISO). To gain this approval, the CISO requires all parties to sign off on the document. Which of the following is not among the suggested list of people who should become a second or third layer of review? - Technical personnel - Legal - Audit and compliance - Finance
Finance
Which of the following provides temporary elevated access to unprivileged users? - Firecall-ID - Whaling - Trouble ticket - Best fit access
Firecall-ID
Many factors must be considered to ensure security policies and controls align with regulations. Which of the following is not one of the common factors? - Business requirements - Flexibility of controls - Security framework - Inventory
Flexibility of controls
Which of the following is not one of the similarities shared by an enterprise risk management (ERM) framework and a governance, risk management, and compliance (GRC) framework? - Proactively enforce policy - Eliminate redundant controls, policies, and efforts - Focus on value delivery - Define risks in terms of business threats
Focus on value delivery
True or False? A policy is a means of implementing a control, such as a way to prevent or detect a specific type of security breach.
True
Implementing security policies is easier if you manage it from a change model perspective. Which of the following change model steps requires leadership to back you and to establish a tone at the top for the need for the security policy? - Create urgency. - Form a powerful coalition. - Remove obstacles. - Create a vision for change.
Form a powerful coalition.
Multiple layers in an organization enforce security policies. Everyone has a role to play in identifying and managing risks. Which of the following enforces security policies at the employee level?
Front-line managers/supervisors
Privacy regulations involve two important principles. __________ gives the consumer an understanding of what and how data is collected and used. __________ provides a standard for handling consumer information. - Business liability, Legal obligation - Acceptable use policies, Data encryption - Full disclosure, Legal obligation - Full disclosure, Data encryption
Full disclosure, Data encryption
Many IT security policy frameworks can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks? - COBIT for IT controls, governance, and risk management - ITIL for IT services management - COSO for financial controls and enterprise risk management structure - GRC for IT operations, governance, risk management, and compliance
GRC for IT operations, governance, risk management, and compliance
Which of the following is instituted by executive management, is responsible for enforcing policies by reviewing technology activity, and greenlights new projects and activities? This committee is the basis of the other committees.
Gateway committee
__________ are more likely to monitor security policy activity after the fact and in the aggregate to assess whether goals are being achieved, whereas __________ are likely to monitor activities before, during, and after as part of running the operations.
Governance committees, management committees
Which of the following statements best describes the function of guidelines in an IT security framework? - Guidelines provide those who implement standards or baselines more detailed information such as hints, tips, and processes to ensure compliance. - Guidelines are generally mandatory; failing to follow them explicitly can lead to compliance issues. - Guidelines may present conventional thinking on a specific topic and seldom require revision. - Guidelines assist people in creating unique and distinct procedures or processes that are specific to the needs of a particular company's IT security needs.
Guidelines provide those who implement standards or baselines more detailed information such as hints, tips, and processes to ensure compliance.
Hajar is an IT auditor. She needs to perform a regulatory compliance audit of an IT infrastructure. Which of the following is the least useful resource for this situation? - Internal security policies - ISO 27007 - Control Objectives for Information and related Technology (COBIT) - HR policies
HR policies
The term "intellectual property" (IP) is applied broadly to any company information that is thought to bring an advantage. Protecting IP through security policies starts with human resources. Which of the following is a challenge concerning human resources (HR) policies about IP? - HR policies are not legally permitted to establish a code of conduct regarding IP; they can only recommend best practices. - Due to confidentiality, HR policies are prohibited from giving employees clear direction as to what the organization owns with respect to IP. - HR policies and employment agreements about IP may or may not be enforceable, depending on current law and location. - HR employment agreements never enforce the confidentiality of IP after an employee leaves the organization.
HR policies and employment agreements about IP may or may not be enforceable, depending on current law and location.
All of the following are true of human resources (HR) policies, except: - HR policies must be applied consistently across individuals. - HR policies can be used against an organization in a lawsuit. - HR policies state core business values and what is expected. - HR policy language must be precise.
HR policy language must be precise.
__________ is designed to eliminate as many security risks as possible. It limits access credentials to the minimum required to conduct any activity and ensures that access is authenticated to particular individuals. - An integrated audit - Escalating - Hardening - Social engineering
Hardening
True or False? A preventive control limits the impact to the business by correcting a vulnerability.
True
Arturo is working with intellectual property (IP) documents. One document is labeled as "Sensitive IP." He cuts and pastes portions of that document into two new documents, and then merges nonsensitive information into those documents. Using a generally accepted approach, how should Arturo treat the two new documents? - He does not need to label any content in the new documents as "Sensitive IP" nor ensure access to them is restricted. - He should treat the new documents containing portions of the original IP with the same restrictions placed on the original material. - He should label the new documents as "Sensitive IP" but does not need to ensure the documents have restricted access. - He does not need to label any content in the new documents as "Sensitive IP" but he does need to ensure the documented have restricted access.
He should treat the new documents containing portions of the original IP with the same restrictions placed on the original material.
Which of the following is a network security device that acts as a decoy for hackers?
Honeypot
Which of the following types of baseline documents is most likely created to serve the demands of the Workstation Domain? - Proxy server configuration standard - Intrusion detection and prevention tools configuration standard - Host hardening standards - Content-blocking tools configuration standard
Host hardening standards
An organization mandates that all attempts by traders to use the Internet should be logged, and that each trader's log should be reviewed by a manager at least monthly to ensure compliance. Which of the following questions concerning security is being addressed? - How will information be protected? - Why is the security goal being set? - What type of protection will be achieved? - How do you measure whether both the policy and the right processes were followed?
How do you measure whether both the policy and the right processes were followed?
Most organizations add security awareness training to the list of items the __________ provides to new employees.
Human Resources department
Which of the following is least likely to protect digital assets? - Human resources policies - Security policies - Inventory tools - Data labeling and classification
Human resources policies
Of the many tools that can be used in training to connect with an audience of employees, which of the following can best capture an individual's attention and elicit cooperation?
Humor
All of the following are true of intellectual property (IP), except:
IP is limited to patents, copyrights, and trademarks.
Incident response teams (IRTs) have various roles. The __________ role is the team lead, whereas the __________ role keeps track of all activity during an incident.
IRT manager, IRT coordinator
In order to form an incident response team (IRT), an organization is required to create a charter. This document identifies the mission, goals, and authority of a committee or team. The first step in writing a charter is to determine the type of IRT model to adopt. There are several different types of IRT models. Which of the following is an IRT model that provides technical assistance to local teams on how to contain the breach?
IRT that acts in a support role
Which of the following is a popular industry standard for establishing and managing an IT security program, and which outlines 15 main areas that compose the framework? - ISO/IEC 27002 - Control Objectives for Information and related Technology (COBIT) - NIST SP 800-53 - ISO/IEC 30105
ISO/IEC 27002
Which of the following helps you disseminate security policy messages and can help you rationalize a policy implementation strategy?
IT security plan
At Stanford University, data is labeled according to a classification scheme that identifies information in the following way: prohibited, restricted, confidential, and unrestricted. Which of the following schemes has Stanford adopted?
Legal classification
Two methods of authorization are role-based access control (RBAC) and attribute-based access control (ABAC). Although RBAC and ABAC can provide the same access, which of the following is an advantage of ABAC? - In an ABAC model, the roles are static and thus more sustainable. - In ABAC, roles are expressed more in business terms and thus may be more understandable. - An organization can implement ABAC much faster than RBAC. - ABAC requires an application to use a central rules engineer at run time.
In ABAC, roles are expressed more in business terms and thus may be more understandable.
Which of the following has the responsibilities of directing policies and procedures designed to protect information resources, identifying vulnerabilities, and developing a security awareness program? - Information resources security officer - Control partner - Information resources manager - Chief information security officer (CISO)
Information resources security officer
Which of the following statements best captures the role of information security teams in ensuring compliance with laws and regulations? - Information security personnel work with their organizations' compliance and legal teams to determine whether an organization is violating a law. - Information security personnel create the process for reporting major violations to compliance and/or legal departments. - Some information security personnel must be trained lawyers, and as such they must work with their organizations' compliance and legal teams to gain an understanding of legal requirements. - Information security personnel work with their organizations' compliance and legal teams to determine violations of an organization's security policy.
Information security personnel work with their organizations' compliance and legal teams to determine violations of an organization's security policy.
__________is the act of protecting information and the systems that store and process it.
Information systems security
Multiple layers in an organization enforce security policies. Everyone has a role to play in identifying and managing risks. Which of the following enforces security policies at the program level?
Information systems security organization
In a business impact analysis (BIA), the phase of defining the business's components and the component priorities has several objectives. Which of the following is not one of the objectives?
Institute recovery time frames for the components with the highest priority only.
A major government agency experiences a data breach, exposing more than 100,000 personal records. The chief information security officer (CISO) announced a few prior warnings that the system was at risk, but no actions were taken to locate the system vulnerability. Which of the following is most likely the root cause of the breach?
Insufficient management or governance processes
A company recently purchased a sizeable amount of equipment for its manufacturing process. It needs to properly report these expenditures so the financial statements are accurate. It calls upon the services of financial auditors. While financial auditors might consider the completeness of the data, the company might also involve IT auditors to examine the underlying technology that captures, records, and calculates the financial results. What process is this company using to address its concerns? - Contingent accounting - Controls design - Access management - Integrated audit
Integrated audit
Principles for Policy and Standard Development
Integration principle - Your documents should be coordinated and integrated with each other. They should also integrate with other relevant measures, practices, and procedures for a coherent system of security. Defense-in-depth principle - Security increases when it is implemented as a series of overlapping layers of controls and countermeasures that provide three elements to secure assets: prevention, detection, and response. This is referred to as defense in depth. It is both a military concept and an information security concept. Defense in depth dictates that security mechanisms be layered so that the weaknesses of one mechanism are countered by the strengths of two or more other mechanisms. This is a core security concept. Timeliness principle - All personnel, assigned agents, and third-party providers should act in a timely and coordinated manner to prevent and to respond to breaches of the security. Reassessment principle - The security of information systems should be periodically reassessed. Risks to technology change daily, and periodic reassessments are needed to ensure that security requirements and practices are kept current with these changes. Standards also need reassessments, at least annually, to ensure they represent the current state of affairs Privacy principle - The security of an information system should include secure private information of users of the system. In other words, consider your users or partners when requiring information that could place their privacy rights at risk. Least privilege principle - People should be granted only enough privilege to accomplish assigned tasks and no more.This is another core principle of security.
An acceptable use policy (AUP) defines the intended uses of computers and networks. This policy delimits unacceptable uses and the consequences for policy violation. Which of the following is not likely to be found in an AUP? - Level of privacy an individual should expect - Managing intellectual property - Managing passwords - Level of upward mobility an individual should expect
Level of upward mobility an individual should expect
Principles for Policy and Standard Development
Internal control principle - Information security forms the core of an organization's information internal control systems. Regulations mandate that internal control systems be in place and operating correctly. Organizations rely on technology to maintain business records. It's essential that such technology include internal control mechanisms. These maintain the integrity of the information and represent a true picture of the organization's activities Adversary principle - Controls, security strategies, architectures, and policy library documents should be developed and implemented in anticipation of attack from intelligent, rational, and irrational adversaries who may intend harm. This is also the case with threat assessment. Separation of duty principle - Responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss. For example, in an accounting department, the person preparing invoices for payment should not be the same person writing the checks for payment. Continuity principle - Identify your organization's needs for disaster recovery and continuity of operations. Prepare the organization and its information systems accordingly
Which of the following is a type of baseline standard that is often created to serve the demands of the LAN-to-WAN Domain? - Intrusion detection and prevention tools configuration standard - VPN gateway options and requirements standard - Developer coding standard - Virus scanner configuration standards
Intrusion detection and prevention tools configuration standard
Which of the following is not commonly part of the System/Application Domain of a typical IT infrastructure? - Inventory management - Workstations - Application software - Server
Inventory management
After management has created and agreed upon its policies, it must then determine how these policies will be implemented. Which of the following is not one the processes that front-line management follows to make new policies operational?
It ensures that users with the most sensitive security access adhere to policies.
Which of the following is the most useful reason to solicit feedback from people who have completed security awareness training?
It helps discern that attendees can demonstrate knowledge gained through training.
Which of the following best describes inventory management? - It tracks devices as they connect to the local area network (LAN), which devices are on the network, and how often they connect to the LAN. - It ensures that current patches are installed on devices. - It provides support to end users through a help desk. - It extracts logs from a device.
It tracks devices as they connect to the local area network (LAN), which devices are on the network, and how often they connect to the LAN.
A switch, router, and firewall are most commonly part of which domain of a typical IT infrastructure? - Workstation - WAN - Remote Access - LAN
LAN
Susan is a corporate trainer. She is teaching IT employees about techniques for safely connecting computers to the Internet. Which domain of a typical IT infrastructure is she most likely referring to? - User - LAN-to-WAN - WAN - System/Application
LAN-to-WAN
Regarding the Target breach in 2013, significant weaknesses in the information security framework and its related controls were present. Which of the following likely did not play a role in the Target breach? - Lack of a dedicated chief security officer - Lack of vendor access management - Lack of network point-of-sale (POS) controls - Lack of complete inventory of IT assets and their configurations
Lack of complete inventory of IT assets and their configurations
It is important to create an IT security program structure that aligns with program and organizational goals and describes the operating and risk environment. Which of the following is one of the important issues for the structure of the information security program? - Human resources security - Asset management - Access control - Management and coordination of security-related resources
Management and coordination of security-related resources
__________ allows an administrator to configure a setting once, and it will automatically apply to multiple systems or users.
Microsoft Group Policy
Internal and external audits are most likely to take place during the COBIT __________domain phase.
Monitor, Evaluate, and Assess
Organizations can use common core security principles recommended as industry best practices when developing policies, standards, baselines, procedures, and guidelines. Which principle states that policy and standards library documents should be written to consider everyone affected, including technical, administrative, organizational, operational, commercial, educational, and legal personnel? - Least privilege principle - Multidisciplinary principle - Proportionality principle - Separation of duty principle
Multidisciplinary principle
Devaki is a human resources (HR) professional. She is revising a document her company requires all new hires to sign and abide by. The document states that the employee promises not to divulge any information described in the document to a third party. What kind of document is Devaki revising? - Waiver request - Nondisclosure agreement - Security policy - Acceptable use policy
Nondisclosure agreement
To assess policy compliance, many organizations use a report card. Report cards can be generated from multiple sources, such as a quality assurance program. Which of the following is not one the elements that would typically appear on a report card?
Number of random audits performed
You can implement a security awareness program in many ways. Which of the following is a generally accepted principle of security awareness that is most often associated with new hires? - Repetition - Onboarding - Relevance - Metrics
Onboarding
Which of the following is not true of acceptance of security awareness?
Organizational culture must change in order for wide acceptance of security policies to occur.
Organizations seek to create a coherent set of documents that are stable and immune to the need for regular adjustments. However, the types of policy documents can differ, depending on the organization. Which of the following is not one the reasons why these documents might vary from one organization to the next? - Organizations use distinctive sets of hardware and technical tools. - Risk management practices are often created specifically for the organization. - IT department size differs based on the needs of the business. - Organizations seldom have both baseline standards and control standards; it is more common to have or one the other.
Organizations seldom have both baseline standards and control standards; it is more common to have or one the other.
Policies related to the handling and use of customer data should include the concept of transparency. Organizations should be transparent regarding the distribution, use, collection, and maintenance of personally identifiable information (PII). Which of the following does not help to achieve transparency? - Organizations should specifically describe the authority that permits the collection of PII and articulate the purpose or purposes for which they intend to use data. - Organizations should use PII solely for the purpose(s) specified. - Organizations should not involve the individual in the process of using PII and assume consent. - Organizations should collect only PII that is directly relevant and necessary to accomplish the specified purpose(s).
Organizations should not involve the individual in the process of using PII and assume consent.
__________ is a security framework for any organization that accepts, stores, or processes credit cards. - COSO - COBIT - ISO - PCI DSS
PCI DSS
A baseline is a point of departure that guarantees that systems comply with security requirements when they are enacted. However, it is not an uncommon occurrence that systems are changed in a way that means they are no longer in compliance. Thus, it is necessary to use an accepted method to verify that settings have not changed. Which of the following is not one of these methods?
Patch management
Aditya is a security professional. He needs to inform employees of recent changes to the organization's security policy, but is short on time, so Alice is helping him temporarily. Alice is a trainer but is not familiar with messaging. Which of the following would be bad advice for Alice?
People tend to learn in different ways, and you can't address all of those ways, so select one method of messaging that is easiest for you.
During which phase of business process reengineering (BPR) are new policies written or current ones are updated?
Phase 4: Develop the future process
ISO/IEC 27002, "Information Technology - Physical and environmental security - Asset management - Access control - Operations security
Physical and environmental security
Which of the following types of control standards in the System/Application Domain maintains control of visitors as well as power equipment and cabling? - Separation of environments - Physical security control standards - Developer-related standards - Authentication
Physical security control standards
Phase 1 Phase 2 Phase 3 Phase 4 Phase 5
Planning Phase Creation or mod of the process baseline Research Develops new policies Adds to governance routines
Which of the following statements most clearly contrasts the difference between policies and procedures?
Policies are requirements placed on processes, whereas procedures are the technical steps taken to achieve those policy goals.
Carl is a security professional. He is reviewing his organization's security policies and related documents. One document contains general rules, a description of the organizations' core values, as well as a description of areas in which there is zero tolerance for transgressions. What type of document is Carl reviewing?
Policy principles
Maria is a security professional. She has been looking for ways to streamline some processes in the IT environment. She recently determined the most efficient way to spin up a new server. She is documenting the steps that should be taken by anyone spinning up a server in the future. What kind of document is Maria creating?
Procedure
For leaders, implementing security policies is about working through others to gain their support and adhere to policies. Which of the following is not one of the widely accepted leadership rules that apply to security policies? - Values - Productivity - Training - Support
Productivity
Which of the following gateway committees reviews concepts, designs, and testing phases of new initiatives, as well as approves when a project can go into production?
Project committee
The SOX Act created the __________, which sets accounting and auditing standards. - Family Educational Rights and Privacy Act (FERPA) - Public Company Accounting Oversight Board (PCAOB) - Committee of Sponsoring Organizations (COSO) - Control Objectives for Information and related Technology (COBIT)
Public Company Accounting Oversight Board (PCAOB)
To be accountable means to face consequences for failure to act. Some organizations find it difficult to apply consequences to top leadership. Worse yet are organizations that identify so many leaders as accountable that, for all practical purposes, no one is accountable. Accountability can come from external forces. Which of the following, when it turns against a company, can lead to a loss of trust that damages or even destroys the company's reputation?
Public opinion
Which of the following departments plays a significant role in communicating with news media regarding an incident?
Public relations (PR)
In May 2013, a National Security Agency (NSA) contractor named Edward Snowden leaked thousands of documents to a journalist detailing how the United States implements intelligence surveillance across the Internet. In which of the following sectors did this breach occur? - Private sector - Public sector - Technology sector - Critical infrastructure
Public sector
The term "critical infrastructure" refers to key elements of the country's transportation, energy, communications, and banking systems. Which of the following is not an example of critical infrastructure? - Large banks - Public universities - Oil and gas pipelines - Power companies
Public universities
The term "critical infrastructure" refers to key elements of the country's transportation, energy, communications, and banking systems. Which of the following is not an example of critical infrastructure? - Oil and gas pipelines - Public universities - Large banks - Power companies
Public universities
What is the main difference between a law and a regulation?
Regulations have authority that derives from the original law.
Consider this control statement: "VPN users will be automatically disconnected from the organization's network after 30 minutes of inactivity." With which domain of a typical IT infrastructure is this control statement mostly likely associated? - Workstation Domain - Remote Access Domain - LAN-to-WAN Domain - LAN Domain
Remote Access Domain
The __________ domain of the ISACA Risk IT framework provides the business view and context for a risk evaluation. The __________ domain ensures that technology risks are identified and presented to leadership in business terms. - Risk Evaluation, Risk Governance - Risk Response, Risk Evaluation - Risk Governance, Risk Evaluation - Risk Governance, Risk Response
Risk Governance, Risk Evaluation
__________ is a domain of the ISACA Risk IT framework that ensures that IT-related risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business priorities. - Risk Response - Risk Acceptance - Risk Governance - Risk Evaluation
Risk Response
__________ is typically produced annually by the business and describes its top risks, controls, and barriers to their objectives.
Risk and control self-assessment (RCSA)
Isabelle is a security professional. Her organization is considering a major network upgrade, which could result in the network being down occasionally while new features go live. She is evaluating how much risk her organization is willing to accept to achieve its goal. She is determining the impact on the organization versus the likelihood of a network outage. Which of the following is she attempting to determine? - Compliance with internal policies - Availability - Risk tolerance - Risk appetite
Risk appetite
Regarding the risk management three-lines-of-defense model, which of the following dominates the second line of defense? - Business unit (BU) - IT governance - Audit - Risk management
Risk management
Several U.S. compliance laws provide confidence in the financial markets. __________ are the primary beneficiaries of these laws. - Public interest groups - National security organizations - Consumers - Shareholders
Shareholders
There are many factors one must consider to ensure security policies and controls align with regulations. Which of the following is important to demonstrate coverage of regulatory requirements because it shows the importance of each security control? - Evidence - Testing - Security control mappings - Inventory
Security control mappings
__________ is a term used to indicate any unwanted event that takes place outside normal daily security operations. This type of event relates to a breakdown in controls as identified by the security policies. - Financial risk - Security event - Strategic event - Operational risk
Security event
Organizations can use common core security principles recommended as industry best practices when developing policies, standards, baselines, procedures, and guidelines. Which principle specifies that responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss? - Separation of duty principle - Least privilege principle - Ethics principle - Internal control principle
Separation of duty principle
The Information Technology Infrastructure Library (ITIL) is a series of books that describe IT practices and procedures. Which ITIL volume includes validation testing, release management, and change management? - Service Transition - Continual Service Improvement - Service Strategy - Service Operation
Service Transition
When reporting incidents, the process of incident classification is known as triage. When triage is set in motion, the severity of the threat is assessed. Which of the following severity levels applies when limited disruptions to business as usual (BAU) operations are detected, automated controls failed to prevent the event, and no unauthorized activity is detected?
Severity 2
To measure the effectiveness of the incident response team (IRT), which of the following does not need to be evaluated?
Tests provided to employees to gauge their response to incidents
Principles for Policy and Standard Development
Simplicity principle - Try to favor small and simple safeguards over large and complex ones. Security is improved when it's made simpler. Obviously, security should not be oversimplified but instead made as simple as practically possible Policy-centered security principle - Policies, standards, and procedures should be established as the formal basis for managing the planning, control, and evaluation of all information security activitiesIn addition to these principles, there are some specific steps that should be taken when developing security policies: Risk identification- Always begin by identifying the risks that the policies are trying to mitigate Legal compliance- Make certain that policies comply with any legal or regulatory requirements. Practicality- Make sure the policy is something you can implement and enforce
__________ is a term that refers to a user's capability to authenticate once to access the network and then have automatic authentication on different applications and devices afterward. - Single sign-on - Distributed environment - Session unlock - Access control
Single sign-on
__________ refers to the use of human interactions to gain access. Typically, this term involves exploiting personal relationships by manipulating an individual into granting access to something a person should not have access to. - Tone at the top - Value delivery - Social engineering - Strategic risk
Social engineering
Which of the following is not a type of control partner? - Software engineer - Auditor - Regulator - Operational risk and compliance processional
Software engineer
Remote access is a concern because the person is coming from a public network. For stronger security, many organizations require two-factor authentication for remote access. Which of the following is not one of the commonly accepted types of authentication credentials? - Something you know - Something you want to know - Something you have - Something you are
Something you want to know
In an issue-specific standard, the __________ section defines a security issue and any relevant terms, distinctions, and conditions. - Statement of an Issue - Definition of Roles and Responsibilities - Statement of Applicability - Statement of the Organization's Position
Statement of an Issue
Policy and standards often change as a result of business drivers. Which of the following drivers is most closely related to the organization that changes its business model and comes under new regulatory requirements? - Business exception - Legal change - Strategic change - Business technology innovation
Strategic change
Microsoft offers automated tools that can be used to verify compliance. Once such tool is __________, which queries systems for vulnerabilities, deploys updates, and deploys operating system images to clients.
System Center Configuration Manager (SCCM)
The NIST SP 800-53, "Recommended Security Controls for Federal Information Systems," was written using a popular risk management approach. Which of the following control areas best fits this description: "This is the area in which information and information system flaws are identified, reported, and corrected in a timely manner"? - System and Services Acquisition - System and Information Integrity - System and Communications Protection - Maintenance
System and Information Integrity
The __________ Domain of a typical IT infrastructure refers to the technologies needed to collect, process, and store information. This domain includes hardware and software. - System/Application - User - Remote Access - Workstation
System/Application
A chief information security officer (CISO) seeks to raise employee awareness of the dangers of malware in the organization. Which of the following is the best approach? - The CISO should talk about how malware could prevent the service desk from helping a customer. - The CISO should explain the technical way in which malware can infect a machine. - The CISO should distribute a written explanation of how malware works to each employee. - The CISO should arrange for an IT expert on malware to give a presentation to employees.
The CISO should talk about how malware could prevent the service desk from helping a customer.
__________ is a law that requires the digital, rather than manual, exchange of records between entities such as an insurance company and a doctor's office. - The Health Insurance Portability and Accountability Act (HIPAA) - The Gramm-Leach-Bliley Act (GLBA) - The Federal Information Security Management Act (FISMA) - The Sarbanes-Oxley (SOX) A
The Health Insurance Portability and Accountability Act (HIPAA)
A sales organization with an onsite IT staff experiences a major outage due to a minor change to a printer. Though systems were working successfully, the printer stopped working when a new server was added to the network. The new server that was added to the network shared the same Internet Protocol (IP) address as the printer. Which of the following statements captures a contributing cause of the problem?
The IP address conflict demonstrates that the organization failed to comply with change management policies.
A company is notified that its servers have been compromised to be a jumping-off point to attack a host of other companies. The company quickly activates an incident response team (IRT), which is unable to locate the breach. The company then seeks the services of an outside firm that specializes in forensic analysis and intrusions. The outside firm locates the source of the breach and wants to monitor the actions of the intruder. However, the outside firm is informed by the client's legal counsel that the company does not agree with this course of action. Which of the following statements best captures the effectiveness of the company's IRT policies?
The IRT policy is moderately effective because the IRT was activated quickly and had cross-functionality with its legal department, but the IRT did not locate the breach.
Which of the following is an agency that is responsible for developing information security standards and procedures that adhere to the Federal Information Security Management Act (FISMA)? - Public Company Accounting Oversight Board (PCAOB) - The National Institute of Standards and Technology (NIST) - Office of Management and Budget (OMB) - Federal Financial Institutions Examination Council (FFIEC)
The National Institute of Standards and Technology (NIST)
The Gramm-Leach-Bliley Act (GLBA) was created to protect confidentiality and security of customer information. Thus, under GLBA, organizations are required to inform regulators quickly if any unauthorized access or breach has occurred. Consider this scenario: A bank teller accesses a customer account out of curiosity. What is best course of action following this event?
The bank should notify the regulator based on the threshold set for the how many records can be subject to unauthorized access.
When an incident occurs, several options can be pursued. Which of the following actions is recommended when assets of a low value are being attacked?
The breach may be permitted to proceed so that information on the attacker can be gathered, but doing so depends on the goals of the business.
A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components: the carrot and the stick. Which of the following best captures the relationship of the two components?
The carrot aims to educate the employee about the importance of security policies, and the stick reminds the employees of the consequences of not following policy.
A major software company finds that code has been executed on an infected machine in its operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12 days later. Which of the following statements best describes the company's approach?
The company effectively implemented patch management.
Which of the following describes the concept of "full disclosure"? - The concept that an organization has an obligation to the general public beyond its self-interest - The idea that a company can use information collected only for the immediate service provided, or transaction made, such as a purchase - The concept that individuals should know what information about them is being collected - The practice of asking permission as to how personal information can be used beyond its original purpose
The concept that individuals should know what information about them is being collected
Assume that the governance committee states that all projects costing more than $70,000 must be reviewed and approved by the chief information officer (CIO) and the IT senior leadership team (SLT). At this point, the CIO has the responsibility to ensure that management processes observe governance rules. For example, the project team might present the proposed project in an SLT meeting for a vote of approval. What does this scenario illustrate about organizational structure? - The difference between governance and management oversight - That management is more important than governance - The importance of organizational roles - That individuals do not work in isolation
The difference between governance and management oversight
Arturo works for a product-testing company. He spends many hours testing the optimal settings for a piece of safety equipment used in factories. One day, the company experiences a power surge that alters the data stored in the testing database. As a result, the company uses incorrect data to recommend equipment settings and jeopardizes the safety of factory workers. Which of the following is most closely related to this scenario? - The importance of confidentiality controls - The impact of data backups - The importance of baseline standards - The impact of database availability
The importance of confidentiality controls
True or False? A mitigating control limits the damage caused by not having a control in place.
True
True or False? A more detailed written procedure produces a more error-free result.
True
Which of the following statements best captures the reason why U.S. compliance laws came about? - The misuse and abuse of information has a major impact on the lives of individuals and their privacy. - Compliance laws hold an organization accountable when breaches occur. - When most organizations have to follow the same rules, the playing field is level. - Compliance laws recognize the power of information.
The misuse and abuse of information has a major impact on the lives of individuals and their privacy.
An organization implements a baseline of security systems. This action causes a mission-critical application that had previously worked to suddenly fail. Which of the following solutions best addresses the problem although it requires time and patience?
The organization could seek an alternative method that does not bypass the initial baseline settings and permits the application to work.
Imagine a scenario in which an employee feels compelled by management to regularly shirk the organization's established security policies in favor of convenience. What does this employee's continued violation suggest about the culture of risk management in the organization? - The organization does not terminate employees when needed. - The organization lacks a good risk culture wherein employees and managers have "bought in." - The organization does not see its employees as risks. - The organization does not believe security policy training is valuable.
The organization lacks a good risk culture wherein employees and managers have "bought in."
Which of the following scenarios illustrates an ideal time to implement security policies to gain the maximum level of organizational commitment?
The policies should be implemented following a new product launch.
A laptop that contained personal data of more than 1.6 million customers was stolen from a health insurer. The laptop was not encrypted and employees lacked security awareness training. The health insurer eventually settled a class-action lawsuit because of the incident. Which of the following statements most likely captures the root cause of this breach?
The thorough implementation of security policies was not a priority for executive management.
In the financial services sector, some organizations have implemented a three-lines-of defense model. What does the use of this model suggest about an organization's structure? - The organization has an effective training model in place. - Management has a good understanding of organizational culture. - Management is out of step with the organizational culture. - This organization uses a layered approach that creates a separation of duties.
This organization uses a layered approach that creates a separation of duties.
Organizations can use common core security principles recommended as industry best practices when developing policies, standards, baselines, procedures, and guidelines. Which principle specifies that all personnel, assigned agents, and third-party providers should act in a timely manner to prevent and to respond to security breaches? - Awareness principle - Adversary principle - Defense-in-depth principle - Timeliness principle
Timeliness principle
In order to promote continued learning and development among staff, a security newsletter can be created to offer interesting and captivating ways of comprehending the points outlined in the policy and standards library. Which of the following is not a likely article topic? - Timesheet due dates - The role of employees in the protection of the organization - Acceptable Internet use - Password security
Timesheet due dates
Executive management has the responsibility of connecting many lines of business to bring resolution to strategic business issues. Of the following, what is the primary responsibility of executive management?
To control risks
Which of the following is not one of the foundational reasons for using and enforcing security policies?
To enable continuous improvement of systems
The National Security Information document EO 12356 explains the U.S. military classification scheme of Top Secret, Secret, Confidential, Sensitive but Unclassified, and Unclassified. Which of the following would be reasonably expected to cause grave damage to national security in the event of unauthorized disclosure?
Top Secret
Of all the needs that an organization might have to classify data, there are three that are most prevalent. Which of the following is the least common?
Transfer information
True or False? A number of U.S. laws are designed to provide confidence in the financial markets.
True
True or False? "Control environment" is a term for the overall way in which the organization's controls are governed and executed, including how effectively the controls are implemented.
True
True or False? "Privilege creep" refers to individuals who retain access privileges within an organization based on their previous jobs within the organization.
True
True or False? A WAN control standard might include the following type of statement: "All access points to the WAN shall be approved by the IS department."
True
True or False? A best practice for creating a data classification scheme is to keep the classification simple; create no more than three to five data classes.
True
True or False? A best practice is to encrypt the hard drive of a portable device.
True
True or False? A best practice is to require all users who access information to use unique credentials that identify who they are.
True
True or False? A brown bag session provides a nonthreatening forum for the chief information security officer (CISO) to connect with various levels within the organization.
True
True or False? A chain of custody for a user ID maintains a record of the ID when it is assigned, reassigned, or deleted.
True
True or False? A charter is an organizational document that outlines the mission, goals, and authority of a team or committee.
True
True or False? A collection of computers infected by malware loaded onto them by hackers without the knowledge of the computers' owners is known as a botnet.
True
True or False? A configuration management database (CMDB) holds the configuration information for systems throughout a system's life cycle.
True
True or False? A data custodian has daily operational control over the use of resources and data.
True
True or False? A data leakage protection (DLP) program refers to a formal program that reduces the likelihood of accidental or malicious loss of data.
True
True or False? A dictionary is a type of policy document that specifies common taxonomy used in the policies and that defines the scope and meaning of terms used.
True
True or False? A failure in one COBIT phase (or domain) can lead to a weakness or vulnerability downstream.
True
True or False? A key measurement of an organization's risk appetite is its ability to dispose of risk.
True
True or False? A law that requires any type of information protection also requires proper security controls.
True
True or False? Despite the different levels of accountability that exist in the layers of an organization, the chief information security officer (CISO) has the main responsibility of establishing and escalating noncompliance to senior leadership.
True
True or False? Disposal of risk demands either adding a control so risk is diffused or accepting the risk.
True
True or False? Enforcing security policies changes habits and thus the culture.
True
True or False? Examples of strategic risk include a change in the customer or a change in the industry.
True
True or False? Executive management is ultimately accountable for controlling an organization's risks.
True
True or False? Executive management sponsorship typically motivates users to willingly engage in awareness training.
True
True or False? Following an outage or disruption of services, the business continuity plan (BCP) serves as a road map for establishing business operations.
True
True or False? For the sake of protection during a lawsuit, it is advised that an organization create a retention policy that delineates how data is regularly classified, deleted, and retained.
True
True or False? From the point where a vulnerability becomes known to the point where a security fix can be distributed is called the vulnerability window.
True
True or False? Front-line managers and supervisors are directly accountable to ensure that employees implement policies consistently.
True
True or False? Guidelines assist people in developing procedures or processes with best practices that other people have found useful.
True
True or False? ISO 38500 provides guidance for managing IT governance.
True
True or False? ISO/IEC 27002 covers the three aspects of the information security management program: managerial, operational, and technical activities.
True
True or False? In a large organization, the vendor management team manages security concerns with vendors and third parties.
True
True or False? In most organizations, the chief information security officer (CISO) reports to one or more leaders at the top.
True
True or False? Incident classification is used to assess the severity of an incident.
True
True or False? Information overload is a real concern when implementing security policies.
True
True or False? Insiders breaching security can affect an organization's reputation and viability.
True
True or False? It is important to test automated tools to determine their effectiveness.
True
True or False? It is standard practice for organizations to use imaging techniques to establish baselines. Images can include all the desired configuration and security settings for a system, applications, system settings, and the full operating system.
True
True or False? LAN security policies focus on connectivity, such as defining how devices attach to the network.
True
True or False? Management sets the tone within an organization through how it enforces its policies.
True
True or False? Network segmentation involves isolating parts of the network from other parts.
True
True or False? Of the eight classic personality types in the workplace, Avoiders tend to do what's asked of them but not much more.
True
True or False? One approach for deciding whether a patch is critical is to determine its risk score. You can look at the likelihood and impact to the organization if an attack were to happen without the patch having been applied.
True
True or False? One example of granularity is a policy that requires an email server to have a specific configuration in order to be considered secure.
True
True or False? One objective of a policy change control board/committee is to ensure that changes to existing policies and standards support the organization's mission and goals.
True
True or False? One obstacle to security policy implementation is lack of budget.
True
True or False? One of the basic measurements for assessing whether or not individuals are being held accountable for adherence to security policies is the reported number of security violations by employees.
True
True or False? One of the foundational reasons for using and enforcing security policies is to protect systems from insider threats.
True
True or False? One of the ways to verify a computer's identity is by using certificates.
True
True or False? Ongoing security awareness training is a critical aspect of policy implementation.
True
True or False? Operational risk includes any event that disrupts the activities an organization undertakes daily.
True
True or False? Organizations should create a governance policy committee to monitor policy adoption and effectiveness.
True
True or False? Policies that advocate for a mutually agreed-upon target state should be clear and flexible.
True
True or False? Policy change control board/committee members are often senior leaders who represent both the technology and the business interests.
True
True or False? Quality assurance is a real-time preventive control.
True
True or False? Regarding Federal Information Security Management Act (FISMA), certification and accreditation is a process that occurs after a system is documented, controls tested, and risk assessment completed.
True
True or False? Regarding data classification, the data owner is accountable for defining all data handling requirements with the business.
True
True or False? Regarding incidents, a list of critical systems, applications, and user access requirements is in the business impact analysis (BIA).
True
True or False? Regarding policy development, it is desirable to have a consensus on at least the purpose of a policy.
True
True or False? Regarding privacy, full disclosure is the idea that an individual should know what information is being collected.
True
True or False? Regarding security policies, an early adopter implements the security policy ahead of rollout as a type of pilot.
True
True or False? Risk appetite is often expressed by the impact on the organization and the likelihood of something bad happening.
True
True or False? Security control mappings align security controls with related policies.
True
True or False? Security controls are the means of enforcing security policies that reflect an organization's business requirements.
True
True or False? Security frameworks define policy and set behavior expectations.
True
True or False? Security policies define how patches should be implemented and tracked.
True
True or False? Security policies reduce the risk of malware by limiting access to workstations.
True
True or False? Security standards provide guidance towards achieving specific security policies.
True
True or False? Success is measured as the perception of how well you perform your work.
True
True or False? System accounts often need elevated privileges to start, stop, and manage system services.
True
True or False? Telecommunications generally encompasses any service, technology, or system that facilitates transmission of information and data delivered electronically.
True
True or False? The COBIT Monitor, Evaluate, and Assess domain phase looks at specific business requirements and strategic direction and determines if the system still meets these objectives.
True
True or False? The Electronic Communication Privacy Act (ECPA) gives employers the right to monitor employees in the ordinary course of business.
True
True or False? The Federal Information Security Management Act (FISMA) requires government agencies to adopt a common set of information security standards.
True
True or False? The Gramm-Leach-Bliley Act uses the term nonpublic personal information (NPI) to denote any personally identifiable financial information that a consumer discloses to a financial institution.
True
True or False? The Information Technology Infrastructure Library (ITIL) Service Transition book relates to the transition of services into production.
True
True or False? The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard that describes how to protect credit card information.
True
True or False? The Sarbanes-Oxley (SOX) Act requires publicly traded companies to maintain internal controls that ensure the integrity of financial statements to the Securities and Exchange Commission (SEC) and shareholders.
True
True or False? The ability to measure the enterprise against a fixed set of standards and controls assures regulators of compliance and helps reduce uncertainty.
True
True or False? The authority to conduct audits differs from one organization to another. Whereas government agencies are subject to audits through legal statutes and directives, a private company might be subject to audit requirements as determined by its board of directors.
True
True or False? The better an organization can inventory and map its controls to policies and regulation, the lower its costs to demonstrate compliance.
True
True or False? The business impact analysis (BIA) contains the requirements for the business continuity plan (BCP) and the recovery time objective (RTO).
True
True or False? The charter establishes the information security program and its framework.
True
True or False? The chief information security officer (CISO) is responsible for the development of the framework for IT security policies, standards, and guidelines.
True
True or False? The concept of independent audits (or assessments) is that the further one is away from the actual transaction, the more unbiased and independent the opinion that can be obtained.
True
True or False? The disaster recovery plan (DRP) provides the documentation and policies necessary for an organization to gain recovery of its IT assets following a significant outage.
True
True or False? The lack of a consistent configuration is a problem that arises when similar technologies are used in different ways by different lines of business.
True
True or False? The legal concept of nonrepudiation provides assurance that an individual cannot deny having digitally signed a document or been party to a transaction.
True
True or False? The legal department should be called upon for insight into the policy development process.
True
True or False? To build a frame work for security policies and controls, one can use the following approach: (1) document the concepts and principles you will adopt, (2) apply them to security policies and standards, and (3) develop security controls and procedures.
True
True or False? To move data from an unsecure wide area network (WAN) to a secure local area network (LAN), you begin by segmenting a piece of the LAN into a demilitarized zone (DMZ).
True
True or False? To reduce malware attacks, it can be useful to implement a content filtering standard.
True
True or False? Under the proportionality principle, a common core security principle, security levels, costs, practices, and procedures are appropriate and proportionate to the degree of reliance on the system and the value of the data.
True
True or False? Version control tracks changes to security policies.
True
True or False? Vulnerability scanners are only as good as their testing approach and scripts.
True
True or False? Web-Based Enterprise Management (WBEM) is a set of Internet and management standard technologies.
True
True or False? Well-defined policies that govern user behavior ensure key risks are controlled in a consistent manner.
True
True or False? When an organization accepts a risk, it needs to monitor the risk and create a detective control.
True
True or False? When an organization implements a division of labor, the result is that the organization grows, along with operating costs.
True
True or False? When developing baseline standards, organizations should use industry best practices.
True
True or False? When implementing a patch, it is recommended that there be a back-out strategy in place in case the patch creates complications.
True
True or False? When parts of an organization are not supporting or reacting quickly enough during an incident, it is management's responsibility to remove barriers.
True
True or False? When situations arise in which an organization cannot meet one or more standards immediately, it is important to recognize an exception to standards to determine where problems may exist.
True
True or False? When writing policies and standards, avoid using terms like "should" when you mean "must" or "need to."
True
True or False? When you implement security policies, you sometimes implement culture change as much as security controls.
True
True or False? Whereas least privileges customize access to the individual, best fit privileges typically customize access to groups or classes of users.
True
True or False? While procedures and standards describe the "how" of configuring security devices to implement the policy, security policies provide the "what" and "why" of security measures.
True
True or False? While shareholders are chiefly concerned with maximizing profit and maintaining a healthy stock price as a business concern, the government is concerned with consumer protection, promoting a stable economy, and maintaining a reliable source of tax revenue.
True
True or False? Workstation Domain policies relate to any computing device used by an end user.
True
True or False? Workstation control standards institute security requirements to harden end user devices.
True
True or False? You cannot design effective security controls without good security policies.
True
In April 2018, an attacker gained access to the NASA Jet Propulsion Laboratory by targeting an unauthorized Raspberry Pi. The Raspberry Pi attack went undetected for 10 months. The perpetrator stole approximately 500 megabytes of data. To which of the following causes was this successful attack attributed? - Unauthorized devices on the network - Poor risk assessment - Lack of access management - Lack of separation of duties
Unauthorized devices on the network
Human factors, in addition to technical challenges, can delay security policies from being implemented. Which of the following is associated with different parts of an organization having different views of risk, and this diverse set of leaders delaying security policy implementation?
Unclear accountability
Which of the following domains of a typical IT infrastructure involves security awareness, acceptable use policies, onboarding, and authentication? - Workstation - System/Application - Remote Access - User
User
Role-based access control (RBAC) and attribute-based access control (ABAC) are most commonly part of the __________ of a typical IT infrastructure. - System/Application Domain - User Domain - WAN Domain - LAN-to-WAN Domain
User Domain
A typical data leakage protection program provides several layers of defense to prevent confidential data from leaving the organization. Which of the following is not one of the layers of defense? - Perimeter - User reward - Inventory - Device management
User reward
Within the User Domain of a typical IT infrastructure is a range of user types. Each type has specific and distinct access needs. Which of the following types of users are external to the organization, provide services to the organization, and are not directly managed by the organization? - Contractors - Vendors - Systems administrators - Control partners
Vendors
In general, WAN-specific standards identify specific security requirements for WAN devices. For example, the __________ explains the family of controls needed to secure the connection from the internal network to the WAN router, whereas the__________ identifies which controls are vital for use of web services provided by suppliers and external partnerships. - WAN router security standard, web services standard - web services standard, WAN router security standard - Web services standard, Domain Name System standard - WAN router security standard, Domain Name System standard
WAN router security standard, web services standard
Which of the following is a tailored, highly targeted attack usually delivered via email to high-ranking employees in organizations? - Whaling - Phishing - Pretexting - Spear phishing
Whaling
The COBIT Align, Plan, and Organize domain includes basic details of an organization's requirements and goals. This domain answers which of the following questions?
What do you want to do?
When is the best time to implement security policies to help developers diminish the number of vulnerabilities in an application? - After application development is completed - While the application is being developed - After the first prototype of the application is completed and has been submitted for stakeholder review - While the application is used by end users
While the application is being developed
The incident response team (IRT) report that is ultimately generated for executive management must educate all stakeholders regarding exploited risks. Which of the following is least likely to be addressed in the report?
Who failed to detect the incident, if applicable
Which of the following is a type of LAN Domain document that provides information on Wi-Fi systems architectures and types and when they should be used? - Controls over media standard - Wi-Fi security guideline - Monitoring Wi-Fi APs procedure - Security assessments guideline
Wi-Fi security guideline
A best practice for User Domain policies is to employ __________ as the preferred means of mitigating threats. - a layered defense - patch management - an unique identity - encryption
a layered defense
In order to ensure that policy is implemented in a thoughtful manner, it is recommended that the security manager form __________. It should include people from compliance, information security, HR, audit, leadership from other business units, and project managers (PMs). Doing so will ensure that policies are implemented using an integrated approach. - a unified operating model - a diversified operating model - a policy change control board or committee - an organizational culture
a policy change control board or committee
An event that affects the entire organization operates, such as a merger or an acquisition, is best described as: - a strategic risk. - disposal of risk. - risk governance. - a compliance risk.
a strategic risk.
A(n) __________ is a device that has the ability and permission to reach out and connect to distributed devices to push changes to the devices.
agentless central management tool
All of the following are true of IT policy frameworks, except: - you can measure success by how well the framework helps reduce risk to the organization. - an IT policy framework includes policies, standards, baselines, procedures, guidelines, and a taxonomy. - an IT policy framework should be fully accessible by executives and managers, with relevant highlights shared with general employees. - the framework must define the business as usual (BAU) activities and accountabilities needed to ensure information security policies are maintained.
an IT policy framework should be fully accessible by executives and managers, with relevant highlights shared with general employees.
If a vulnerability is not fixed at the root cause, there is a possibility that another avenue of attack can emerge. This avenue is known as the:
attack vector.
The following are all true of governance, except:
generally, the more confidence regulators have that a company has strong governance, the more regulatory oversight is used.
One of the manual controls necessary for managing risk is __________, a type of formal management verification. In the process, management confirms that a condition is present and that security controls and policies are in place.
attestation
The act of recording relevant security events that occur on a network or computing device is known as a(n): - control standard. - audit. - trusted timestamp. - security assessment.
audit.
Whereas__________ is the process used to prove the identity of an individual, ____________ ____________is the process used to enable a person's access privileges.
authentication, authorization
In addition to compiling the list of user access requirements, applications, and systems, the business impact analysis (BIA) also includes processes that are __________. These processes safeguard against any risks that might occur due to key staff being unavailable or distracted.
automated
A security __________ defines a set of basic configurations to achieve specific security objectives.
baseline
Regarding Workstation Domain policies, __________ provide the specific technology requirements for each device. - procedures - guidelines - control standards - baseline standards
baseline standards
A(n)__________is a confirmed event that compromises the confidentiality, integrity, or availability of information. - breach - residual risk - operational deviation - threat
breach
It is necessary to retain information for two significant reasons: legal obligation and business needs. Data that occupies the class of __________ is comprised of records that are required to support operations, such as customer and vendor records.
business
The initial step in creating a business continuity and security response plan is a __________, which can be used to assemble the business and security responses in order to diminish losses.
business impact analysis
An incident response team (IRT) utilizes particular tools and techniques to gather forensic evidence. A__________ articulates the manner used to document and protect evidence.
chain of custody
In information security, the person primarily responsible for setting goals in security should be the:
chief information security officer (CISO).
In recent years, __________ has emerged as a major technology. It provides a way of buying software, infrastructure, and platform services on someone else's network. - network access control (NAC) - social networking - cloud computing - VoIP
cloud computing
At some point, __________ accounts become a type of user account and must be managed appropriately. - system - service - contingent - sensitive
contingent
A(n) __________ sets expectations on the use and security of mobile devices, whereas a(n) __________ establishes a broad set of rules for approved conduct when a user accesses information on company-owned devices. - acceptable use policy, system access policy - social networking policy, acceptable use policy - corporate mobility policy, acceptable use policy - system access policy, social networking policy
corporate mobility policy, acceptable use policy
Regarding data handling, classifying and labeling data is most significant during:
creation and use.
The term __________ denotes data that is being stored on devices like a universal serial bus (USB) thumb drive, laptop, server, DVD, CD, or server. The term __________ denotes data that exists in a mobile state on the network, such as data on the Internet, wireless networks, or a private network.
data at rest, data in transit
The concept of __________ comes from the acknowledgment that data changes form and often gets copied, moved, and stored in many places. Sensitive data often leaves the protection of application databases and ends up in emails, spreadsheets, and personal workstation files. - file transfers - data loss protection - security management - patch management
data loss protection
Business leaders rely on technology roles to be accountable for implementing security policies, monitoring their adherence, and managing day-to-day activities. The role of the __________, for example, is to establish procedures on how data should be handled and ensure data is properly classified. - data owner - data custodian - data manager - data user
data manager
In order to move data from an unsecure WAN to a secure LAN, you typically begin by segmenting a piece of your LAN into a __________, which sits on the outside of your private network facing the public Internet. Servers in this area provide public-facing access to the organization, such as public websites. - botnet - segment - demilitarized zone (DMZ) - virtual private network (VPN)
demilitarized zone (DMZ)
In policies regarding the __________ of data, standards must make sure that the data cannot be reconstructed.
destruction
The following are common security control classifications, except: - physical. - detective. - administrative. - technical.
detective.
If an organization is developing a customized data classification scheme, it is important to keep accepted guidelines in mind. All of the following are accepted guidelines, except:
determine if auditing is required.
In the System/Application Domain, __________ describe how to write and test the security of applications. - web services standards - developer coding standards - physical security baseline standards - content-blocking tools configuration standards
developer coding standards
LAN Domain security policies center on issues concerning connectivity. Among the types of LAN control standards are __________, which describes the security requirements for identifying LAN-attached devices, and __________, which defines when and how a network is to be partitioned. - security assessments, controls over media - device identification and authentication, segmentation - controls over media, segmentation - controls over media, trusted timestamps
device identification and authentication, segmentation
A policy definitions document is most similar to a:
dictionary
A __________ is a string of data associated with a file that identifies a file's origin.
digital signature
The __________ outlines the process by which the business continuity plan or the disaster recovery plan is activated.
disaster declaration policy
Many organizations have a(n) __________, which is composed of end user devices (including tablets, laptops, and smartphones) on a shared network and that use distributed system software.
distributed infrastructure
Four basic business models align with how businesses choose to integrate and standardize with an enterprise solution. In the __________ operating model, the technology solution has a low level of integration and standardization with the enterprise. - replicated - diversified - unified - coordinated
diversified
During a disaster, having realistic estimates of __________ is important for customer relations. Overly optimistic estimates often lead to loss of credibility.
downtime
All of the following are true of insiders, except: - employees, consultants, contractors, and vendors may be insiders. - due to the nature of their positions, IT technical staff cannot be considered insiders. - an insider may have a sense of entitlement, "taking" rewards he or she feels have been earned. - an insider may be motivated by money.
due to the nature of their positions, IT technical staff cannot be considered insiders.
Susan is a chief information security officer (CISO). She is seeking executive buy-in for implementing security policies with respect to a target state. In her discussion with the executives, she should address each of the following, except:
how the policy language has changed in each of the policies.
A(n) __________ aligns strategic goals, operations effectiveness, reporting, and compliance objectives. - data security administrator - governance, risk management, and compliance framework - enterprise risk management framework - layered security approach
enterprise risk management framework
The members of the __________ committee help create priorities, remove roadblocks, secure funding, and act as a source of authority. Members of the __________ committee provide important information on the risk appetite of the organization. - executive, operational risk - executive, security - audit, operational risk - security, executive
executive, operational risk
Of the six specific business risks, __________ risk is the potential impact when the business fails to have adequate liquidity to meet its obligations. - compliance - operational - financial - reputational
financial
An organization's __________ is a specialized group of people whose purpose is to respond to major security incidents.
incident response team (IRT)
In general, the incident response team (IRT) is composed of a team with individuals that have different specialties. One such individual is the __________ who has intimate knowledge of the systems and configurations. This individual is typically a developer, systems administrator, or a network administrator.
information technology subject matter expert (SME)
Baseline LAN Domain standards are concerned with network traffic monitoring because no matter how good firewalls and routers can be, they are still not 100 percent effective. Thus, __________ offer a wide range of protection because they seek out patterns of attack. - intrusion systems - intrusion detection and prevention system guidelines - demilitarized zone (DMZ) guidelines - audits
intrusion systems
Once an organization clearly defines its intellectual property (IP), the security policies should specify how to ___________ documents with marks or comments and how to ____________ the data, which determines in what location the sensitive file should be placed. - label, classify - restrict, filter - label, filter - classify, restrict
label, classify
A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows: Risk exposure= __________ the event will occur + __________ if the event occurs
likelihood, impact
It is recommended that systems administrators analyze logs to determine if the logs have been altered because monitoring can deter risk. To serve this goal, a __________ can be used to assemble logs from platforms throughout a network. - log server - log chain - chain of custody - trouble ticket system
log server
In a hierarchical organization, there are a large number of touch points and personalities that must be engaged to successfully implement a security policy. As the number of touch points increases, the number of complex __________ also increases between stakeholders. - matrix relationships - executives - control partners - security liaisons
matrix relationships
All of the following are true of measuring the effectiveness of security policies, except: - measuring accountability is easier than measuring effectiveness. - the best measurement of whether employees are following policies is the actual reduction in risk that occurs. - you can get a basic understanding if individuals are being held accountable for adherence to security policies by examining policy violations, incidents, and security awareness. - to ensure accountability, you need to measure if employees are following the policies.
measuring accountability is easier than measuring effectiveness.
In order to build security policy implementation awareness across the organization, there should be __________ who partner with other team and departments to promote IT security through different communication channels.
multiple executive supporters
If a business wants to sell a product or service on the Internet for the first time, the __________ would need to understand the wide-ranging risks involved as well as the organization's security capability. - operational risk committee - security committee - executive committee - compliance committee
operational risk committee
The shared belief system of employees in an organization is known as the: - operating model. - diversified operating model. - coordinated operating model. - organizational culture.
organizational culture.
One of the many roles of the security compliance committee is to focus on controls that are widely used across a significant population of applications, systems, and operations. These types of controls are known as __________ controls.
pervasive
There are many ways that people can be manipulated to disclose knowledge that can be used to jeopardize security. One of these ways is to call someone under the false pretense of being from the IT department. This is an example of: - phishing. - spear phishing. - pretexting. - whaling.
pretexting.
A policy framework includes different types of documents that capture the domain security control requirements. One document is known as a __________, which explains processes used to implement control and baseline standards. - procedure document - guidelines document - control standard document - dictionary
procedure document
The goal of conducting an incident analysis is to ascertain weakness. Because each incident is unique and might necessitate a distinct set of approaches, a range of steps can be pursued to aid the analysis. One of these steps is to __________, which entails mapping network traffic according to the time of day and looking for trends.
profile the network
One of the methods that an organization can use to determine compliance is to perform:
random audits.
In order to be thoughtful about the implementation of security policies and controls, leaders must balance the need to reduce __________ with the impact to the business operations. Doing so could mean phasing security controls in over time or be as simple as aligning security implementation with the business's training events. - staff count - productivity - costs - risk
risk
The security posture of an organization is usually expressed in terms of __________, which generally refers to how much risk an organization is willing to accept to achieve its goal, and __________, which relates how much variance in the process an organization will accept. - risk appetite, risk tolerance - risk tolerance, risk appetite - risk assessment, risk manageability - risk awareness, risk reduction
risk appetite, risk tolerance
Of the risk management strategies, __________ refers to sharing the risk with an outside party, whereas __________ refers to reducing or eliminating the risk by applying controls.
risk transference, risk mitigation
In 2018, a British Airways breach captured customers' personal and payment data, impacting about 500,000 customers. In 2019, Capital One experienced a large data breach in which an attacker gained access to more than 100 million accounts and credit card applications. Both cases resulted, at least in part, from a(n)__________failure. - security policy - regulation - availability - physical control
security policy
Using switches, routers, internal firewalls, and other devices, you can create a __________, which restricts network traffic and limits what and how computers are able to talk to each other. - flat network - segmented network - demilitarized zone - gateway
segmented network
The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that __________ receives training on strategic security and policy, but not necessarily basic security concepts.
senior management
A good example of __________ is a real estate business that shares data on new home purchases between the unit that sells insurance for the home and the business unit that sold the home. - service standardization - service integration - a replicated operating model - a diversified operating model
service integration
When writing a __________, one could state how often a supplier will provide a service or how quickly a firm will respond. For managed services, this document often covers system availability and acceptable performance measures.
service level agreement
In order to be compliant with Payment Card Industry Data Security Standard (PCI DSS), one of the control objectives that should be included in one's security policies and controls is maintaining a vulnerability management program. This control objective: - specifies how to maintain secure systems and applications, including the required use of antivirus software. - requires that security policies reflect the PCI DSS requirements, and that these policies are kept current and an awareness program is implemented. - requires monitoring access to cardholder and periodic penetration testing of the network. - refers to having a specific firewall, system password, and other security network layer controls.
specifies how to maintain secure systems and applications, including the required use of antivirus software.
Mergers and acquisitions commonly introduce __________ risk, which may change how an organization operates.
strategic
Many organizations have a(n) __________ policy in place that addresses rules of conduct for logging in to networks, computers, and applications. This policy covers credentials like IDs and passwords. - clean desk - system access - acceptable use - corporate mobility
system access
Aside from human user types, there are nonhuman user groups. Known as account types, __________ are implemented by the system to support automated services, and __________ are accounts that remain nonhuman until individuals are assigned access and can use them to recover a system following a major outage. - control partners, system accounts - contingent IDs, system accounts - systems administrator accounts, contingent IDs - system accounts, contingent IDs
system accounts, contingent IDs
Aside from human user types, there are nonhuman user groups. Known as account types, __________ are implemented by the system to support automated services, and __________ are accounts that remain nonhuman until individuals are assigned access and can use them to recover a system following a major outage. - systems administrator accounts, contingent IDs - contingent IDs, system accounts - control partners, system accounts - system accounts, contingent IDs
system accounts, contingent IDs
A(n) __________ is a general term used in technology to describe a future state in which specific goals and objectives have been achieved.
target state
All of the following are true of business continuity plans (BCPs) and BCP policies, except:
the BCP is the initial step in the business impact analysis (BIA) process.
All of the following are true of a computer-based training (CBT) approach to security awareness training, except:
the CBT approach is typically more expensive then classroom training.
All of the following are true of disaster recovery plans (DRPs) and DRP policies, except:
the DRP consists of the policies and documentation needed for an organization to partially recover from an incident.
In any event in which customer data is involved, it is necessary to check with __________ on the legal requirements related to handling and use of that data. - the human resources department - the compliance team - senior management - the chief information security officer (CISO)
the compliance team
All of the following are true of the Sarbanes-Oxley (SOX) Act, amended in 2007, except: - the law describes how a company should report earnings, valuations, corporate responsibilities, and executive compensation. - the law was enacted in reaction to a series of accusations of corporate fraud. - the law requires companies to test all of their security controls. - the law was enacted to restore confidence in the markets.
the law was enacted to restore confidence in the markets.
All of the following statements are true of the LAN-to-WAN Domain, except: - the LAN needs to establish a secure connection to the WAN to ensure that traffic is thoroughly inspected and carefully filtered. - the LAN-to-WAN Domain is many organizations' connection to the Internet. - the significance of the LAN is that it controls network traffic to the private network, which is the WAN. - LAN-to-WAN security standards often focus on how to configure devices to maintain message and transaction integrity.
the significance of the LAN is that it controls network traffic to the private network, which is the WAN.
As part of the National Institute of Standards and Technology (NIST) program, the Security Content Automation Protocol (SCAP) identifies protocols and standards implemented used to create a variety of automated scanners and compliance tools. One of the tools is the __________, which scans the system over the network to determine the presence of known vulnerabilities. It does not use a system account to scan the system.
unauthenticated vulnerability scanner
There are several different best practices for IT security policy monitoring. One such practice is to create a baseline based on a security policy, which entails:
using images whenever possible to deploy new operating systems.
To enhance the security awareness training experience and emphasize the core security goals and mission, it is recommended that the executives:
video record a message from one the leaders in a senior role to share with new employees.
The __________ window is the gap between when a new vulnerability is discovered and when software developers write a patch.
vulnerability
A __________would be a misconfiguration of a system that allows the hacker to gain unauthorized access, whereas a __________is a combination of the likelihood that such a misconfiguration could happen, a hacker's exploitation of it, and the impact if the event occurred.
vulnerability, risk
All of the following are true of baselines, except:
when applied to security policies, the baseline represents the maximum security settings that must be applied.
All of the following are general rules and guidelines for handling privacy data, except: - organizations should protect customers' personal information even when a law does not explicitly call for privacy controls. - an organization should remember that it has both a legal and an ethical responsibility to its customers. - well-written policies, rather than focusing on one law, will tend to satisfy regulatory requirements by fostering sound security practices across the enterprise. - whenever an organization handles personal information, the organization should be sure its security policies and controls protect senior management.
whenever an organization handles personal information, the organization should be sure its security policies and controls protect senior management.
Policies and standards are a collection of concrete definitions that describe acceptable and unacceptable human behavior. The questions related to __________ are more appropriate for procedures or guidelines than policies or standards, which require detail that is more at the level of _________. - where, when and how; what and why - where and when; what, who and why - where, when, and how; what, who, and why - how; what
where, when, and how; what, who, and why
All of the following are commonly identified from a risk and control self-assessment (RCSA), except:
who caused the risks.
