Information Security Chapter
Systems-specific security policies are formalized as written documents readily identifiable as policy.
False
The SETA program is the responsibility of the ____ and is a control measure designed to reduce the incidences of accidental security breaches by employees.
CISO
The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.
False
The security blueprint is the basis for the design, selection, and implementation of all security program elements including such things as policy implementation and ongoing policy management.
True
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date.
True
You can create a single comprehensive ISSP document covering all information security issues.
True
Some policies may need a(n) ____________________ indicating their expiration date.
Sunset Clause
____ often function as standards or procedures to be used when configuring or maintaining systems.
SysSPs
____________________-specific security policies often function as standards or procedures to be used when configuring or maintaining systems.
Systems
Technical controls are the tactical and technical implementations of security in the organization.
True
The Federal Agency Security Practices (FASP) site is a popular place to look up best practices.
True
The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies.
True
Strategic planning is the process of moving the organization towards its ____.
Vision
The ____________________ of an organization is a written statement about the organization's goals answering the question of where the organization will be in five years.
Vision
A(n) ____________________ message is a scripted description of an incident, usually just enough information so that each individual knows what portion of the IR plan to implement, and not enough to slow down the notification process.
Alert
The first phase in the development of the contingency planning process is the ____.
BIA
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ____.
Blueprint
What country adopted ISO/IEC 17799?
Britain
A(n) _________________________ plan ensures that critical business functions continue if a catastrophic incident or disaster occurs.
Business Continuity
Incident ____________________ is the process of examining a potential incident, or incident candidate, and determining whether or not the candidate constitutes an actual incident.
Classification
A ____ site provides only rudimentary services and facilities.
Cold
A cold site provides many of the same services and options of a hot site.
False
A firewall can be a single device or a firewall extranet, which consists of multiple firewalls creating a buffer between the outside and inside networks.
False
A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.
False
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions.
False
Disaster recovery personnel must know their roles without supporting documentation.
True
Each policy should contain procedures and a timetable for periodic review.
True
Evidence is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator.
True
A(n) IR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs.
False
A(n) full backup only archives the files that have been modified that day, and thus requires less space and time than the differential.
False
Database shadowing only processes a duplicate in real-time data storage but does not duplicate the databases at the remote site.
False
Proxy servers can temporarily store a frequently visited Web page, and thus are sometimes called demilitarized servers.
False
The ISSP sets out the requirements that must be met by the information security blueprint or framework.
False
The Security Area Working Group endorses ISO/IEC 17799.
False
The security framework is a more detailed version of the security blueprint.
False
The standard should begin with a clear statement of purpose.
False
The vision of an organization is a written statement of an organization's purpose.
False
Within security perimeters the organization can establish security circles.
False
A(n) ____________________ is a device that selectively discriminates against information flowing into or out of the organization.
Firewall
Computer ____________________ is the process of collecting, analyzing, and preserving computer-related evidence.
Forensics
A security ____ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
Framework
The security ____________________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
Framework
A(n) ____________________ site is a fully configured computer facility, with all services, communications links, and physical plant operations including heating and air conditioning.
Hot
____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
____________________ controls are security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
RAID Level 1 is commonly called disk ____________________.
Mirroring
A(n) ____________________ is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster.
Mutual Agreement
A(n) ____________________ server performs actions on behalf of another system.
Proxy
The transfer of live transactions to an off-site facility is called ____________________.
Remote Journaling
Incident ____________________ is the set of activities taken to plan for, detect, and correct the impact of an incident on information assets.
Response
RAID ____ drives can be hot swapped.
5
A(n) ____________________ is a detailed examination of the events that occurred from first detection to final recovery.
AAR or After- Action Review
Redundancy can be implemented at a number of points throughout the security architecture, such as in ____.
Access Controls Firewalls and Proxy servers
The policy champion and manager is called the policy ____________________.
Administrator
Incident damage ____ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.
Assessment
Effective management includes planning and ____.
Controlling Organizing and Leading
The actions taken during and after a disaster are referred to as ____________________ management.
Crisis
A buffer against outside attacks is frequently referred to as a(n) ____.
DMZ
Standards may be published, scrutinized, and ratified by a group, as in formal or ____ standards.
De jure
A(n) ____________________ backup is the storage of all files that have changed or been added since the last full backup.
Differential
Security ____ are the areas of trust within which users can freely communicate.
Domains
The ____ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
EISP
The transfer of large batches of data to an off-site facility is called ____.
Electronic Vaulting
A standard is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties.
False
A(n) honeynet is usually a computing device or a specially configured computer that allows or prevents access to a defined area based on a set of rules.
False
A(n) integrated information security policy is also known as a general security policy.
False
A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people.
False
ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.
False
Every member of the organization needs a formal degree or certificate in information security.
False
ISO/IEC 17799 is more useful than any other information security management approach.
False
Information security safeguards provide two levels of control: managerial and remedial.
False
Informational controls guide the development of education, training, and awareness programs for users, administrators, and management.
False
Laws are more detailed statements of what must be done to comply with policy.
False
NIST 800-14, The Principles for Securing Information Technology Systems, provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.
False
One of the basic tenets of security architectures is the layered implementation of security, which is called defense in layers.
False
The Security Area Working Group acts as an advisory board for the protocols and areas developed and promoted by the Internet Society and the ____.
IETF
A(n) ____ plan deals with the identification, classification, response, and recovery from an incident.
IR
The stated purpose of ____ is to "give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization."
ISO/IEC 27002
A(n) ____________________ is any clearly identified attack on the organization's information assets that would threaten the assets' confidentiality, integrity, or availability.
Incident
Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
True
____-based IDPSs look at patterns of network traffic and attempt to detect unusual activity based on previous baselines.
Network
____ controls address personnel security, physical security, and the protection of production inputs and outputs.
Operational
A security ____________________ defines the boundary between the outer limit of an organization's security and the beginning of the outside world.
Perimeter
A(n) ____________________ is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties.
Policy
Some policies may also need a(n) sunset clause indicating their expiration date.
True
An attack ____________________ is a detailed description of the activities that occur during an attack.
Profile
Implementing multiple types of technology and thereby precluding that the failure of one system will compromise the security of information is referred to as ____________________.
Redundancy
An alert ____ is a document containing contact information for the people to be notified in the event of an incident.
Roster
The spheres of ____ are the foundation of the security framework and illustrate how information is under attack from a variety of sources.
Security
The gateway router can be used as the front-line defense against attacks, as it can be configured to allow only set types of protocols to enter.
True
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
True
A disaster recovery plan addresses the preparation for and recovery from a disaster, whether natural or man-made.
True
A service bureau is an agency that provides a service for a fee.
True
A(n) capability table specifies which subjects and objects users or groups can access.
True
A(n) contingency plan is prepared by the organization to anticipate, react to, and recover from events that threaten the security of information and information assets in the organization, and, subsequently, to restore the organization to normal modes of business operations.
True
Additional redundancy to RAID can be provided by mirroring entire servers called redundant servers or server fault tolerance.
True
Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program.
True
Host-based IDPSs are usually installed on the machines they protect to monitor the status of various files stored on those machines.
True
Management controls address the design and implementation of the security planning process and security program management.
True
Many industry observers claim that ISO/IEC 17799 is not as complete as other frameworks.
True
NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans.
True
NIST documents can assist in the design of a security framework.
True
Policies are living documents that must be managed.
True
Quality security programs begin and end with policy.
True
SP 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, must be customized to fit the particular needs of a(n) organization.
True