Fundamentals of Information Security

threat

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?

Baseline

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?

Identification

Assertions made by users about who they are

Service Level Agreement (SLA)

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

waterfall

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

SQL Injection

In what type of attack does the attacker send unauthorized commands directly to a database?

Authorization

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Separation of Duties

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Project Initiation and Planning

Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?

Access to a high level of expertise

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Phishing

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Accountability

Tracking or logging what authentication and unauthenticated users do while accessing the system

Punish users who violate policy

What is NOT a goal of information security awareness programs?

Assume that information should be free

What is NOT a good practice for developing strong professional ethics?

Request, impact assessment, approval, build/test, implement, monitor

What is the correct order of steps in the change control process?

Memorandum of Understanding (MOU)

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Authentication

the proving of that assertion