IS607 M04 Quiz 4 CH9 & CH10
What is NOT a privacy principle created by the Organisation for Economic Co-operation and Development (OECD)?
A. An organization should share its information.
B. An organization should keep its information up to date.
C. An organization should collect only what it needs.
D. An organization should properly destroy its information when it is no longer needed.
Answer: A. An organization should share its information. The OECD guidelines state that an organization should not share its information. Other principles in those guidelines state that organizations should collect only what they need, keep information up to date, properly destroy information, and use information only for the purpose for which it was collected.
Ahead: Professional Ethics | Complexity: Easy | Subject: Chapter 9 | Taxonomy: Remember | Title: Security Operations and Administration
Takako is a security engineer for her company's IT department. She has been tasked with developing a security monitoring system for the company's infrastructure to determine when any network activity occurs outside the norm. What essential technique does she start with?
A. Baselines
B. Covert acts
C. Alarms
D. Intrusion detection system (IDS)
Answer: A. Baselines. Baselines are essential in security monitoring. To recognize something as abnormal, you first must know what normal looks like.
Ahead: Security Monitoring | Complexity: Easy | Subject: Chapter 10 | Taxonomy: Apply | Title: Auditing, Testing, and Monitoring
An effective audit report gets right to the point and often begins with a summary followed by the details. Because the summary may find its way outside the organization's leadership, what should auditors take care not to do?
A. Expose security weaknesses
B. Establish baselines
C. Set a follow-up schedule
D. List the timeline for implementation of changes
Answer: A. Expose security weaknesses. Because the audit report summary may find its way outside the organization's leadership, auditors should take care not to expose security weaknesses in it. Be sure that private or confidential information appears only in the details section of the report, and always label such information appropriately.
Ahead: Post-Audit Activities | Complexity: Medium | Subject: Chapter 10 | Taxonomy: Understand | Title: Auditing, Testing, and Monitoring
True or False? The Common Criteria is a set of system procurement standards used by several countries.
A. True
B. False
Answer: A. True
Ahead: Application Software Security | Complexity: Easy | Subject: Chapter 9 | Title: Security Operations and Administration
True or False? One way to harden a system is to turn off or disable unnecessary services.
A. True
B. False
Answer: A. True
Ahead: How to Verify Security Controls | Complexity: Easy | Subject: Chapter 10 | Title: Auditing, Testing, and Monitoring
True or False? Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.
A. True
B. False
Answer: A. True
Ahead: Security Monitoring | Complexity: Medium | Subject: Chapter 10 | Title: Auditing, Testing, and Monitoring
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
A. Developing in-house talent
B. Building internal knowledge
C. Access to a higher level of expertise
D. Higher degree of privacy
Answer: C. Access to a higher level of expertise. In this scenario, Mark is most likely to achieve access to a high level of expertise because security vendors focus exclusively on providing advanced security services.
Ahead: Security Administration | Complexity: Medium | Subject: Chapter 9 | Taxonomy: Understand | Title: Security Operations and Administration
Biyu is a network administrator. She is developing the compliance aspect of her company's security policy. Currently, she is focused on the records of actions that the organization's operating system or application software creates. What aspect of compliance is Biyu focusing on?
A. Remediation
B. Certification
C. Event logs
D. Professional ethics
Answer: C. Event logs. Event logs are records of actions that an organization's operating system or application software creates, showing which user or system accessed data or a resource and when.
Ahead: Compliance | Complexity: Easy | Subject: Chapter 9 | Taxonomy: Understand | Title: Security Operations and Administration
What is the LEAST likely goal of an information security awareness program?
A. Teach users about security objectives
B. Inform users about trends and threats in security
C. Motivate users to comply with security policy
D. Punish users who violate policy
Answer: D. Punish users who violate policy. Security awareness programs should teach, inform, and motivate users. Although users who intentionally violate policies may be punished for their actions, this is a disciplinary issue that should be handled outside of the awareness program.
Ahead: Professional Ethics | Complexity: Medium | Subject: Chapter 9 | Taxonomy: Understand | Title: Security Operations and Administration
Leola is a cybersecurity consultant hired by a company to test the effectiveness of its network's defenses. She has something in common with the malicious people who would perform the same tasks involved in _________________, except that, unlike Leola, they would not have consent to perform this action against the system.
A. network access control
B. stateful matching
C. system hardening
D. penetration testing
Answer: D. penetration testing. Attackers follow the same steps as penetration testers, with the difference being that the attackers do not have consent to penetrate the system.
Ahead: Monitoring and Testing Security Systems | Complexity: Medium | Subject: Chapter 10 | Taxonomy: Apply | Title: Auditing, Testing, and Monitoring