ISDS 3070 Quiz 1 final review
Match the control to the appropriate control type: Motion Detector = Bollard= Backup Tapes= Encryption= Image of a Computer= Guard Dog=
-Detective -Preventive -Recovery -Preventive -Corrective -Deterrent
helps identify an incident's activities and potentially an intruder
Detective
Intended to avoid an incident from occurring
Preventive
intended to bring the environment back to regular operations
Recovery
If you are a government contractor providing IT services to the U.S. military, you should use the following Security Control Framework: a. COBIT-5 b. NISP SP 800-53 c. COSO d. DoDAF e. ITIL
b. NISP SP 800-53
The Sherwood Applied Business Security Architecture (SABSA) Framework is often used to set up an enterprise security architecture. Which of the following correctly describe the SABSA Framework? a. Defines how an Information Security Management System should be built and maintained. b. Provides control objectives for the Federal government c. Serves as both a framework and methodology. d. Can be used to develop four specific architecture types.
c. Serves as both a framework and methodology.
fixes components or systems after an incident has occurred
corrective
If you are an organization and your primary objective is to ensure your IT Department is properly meeting the needs of the different units within the organization, the best standard for your to follow would be: a. DoDAF b. COBIT-5 c. NIST SP 800-53 d. ITIL e. COSO
d. ITIL
The integrity of data is not related to which of the following? a. Unauthorized manipulation or changes to data. b. The intentional or accidental substitution of data. c. The modification of data without authorization. d. The extraction of data to share with unauthorized entities.
d. The extraction of data to share with unauthorized entities.
The likelihood of a threat source exploiting a vulnerability and the corresponding business impact
risk
any potential danger is associated with the exploitation of a vulnerability
threat
Ensures access to data is timely and data is reliable
Availability
Controls that provide an alternative measure of control
Compensating
Prevents unauthorized disclosures of data
Confidentiality
Prevents unauthorized modification of data
Integrity
A social engineer, a hacker, a shoulder surfer, and even an employee making an unintentional mistake that could expose confidential information are all types of what?
Threat agents
Threats can come in many forms and every company should place high importance on identifying all of its potential threats. Which of the answers below is an accurate example of a potential threat? a. All of the other choices b. Unintentional loss of data due to a computer malfunction. c. Unintentional loss of data due to an employee mistake. d. Intentional loss of data due to a disgruntled employee.
a. All of the other choices
Alice is the security manager of a company that makes most of its revenue from its intellectual property. Alice has implemented a process improvement program that has been certified by an outside entity. Her company received a Level 2 during an appraisal process, and she is putting in steps to increase this to a Level 3. Which of the below answers is the criteria Alice's company was most likely certified under? a. Capability Maturity Model Integration b. Information Technology Infrastructure Library c. SABSA d. Zachman
a. Capability Maturity Model Integration
Which organization has been developed to deal with economic, social, and governance issues and with how sensitive data is transported over borders? a. Organization for Economic, Co-Operation and Development b. Safe Harbor c. European Union d. Council of Europe
a. Organization for Economic, Co-Operation and Development
The Organization for Economic Cooperation and Development (OECD) has generated and published a set of 8 principles for personal privacy. Which of the following is NOT one of these 8 principles? a. Right to be Forgotten Principle b. Individual Participation Principle c. Openness Principle d. Data Quality Principle
a. Right to be Forgotten Principle
This Enterprise Architecture Framework provides an approach to design, implementation, and governance for an enterprise information architecture that allows the IT architecture to understand the enterprise from four different architectures: business, data, application and technology. a. TOGAF b. DoDAF c. SABSA d. MoDAF
a. TOGAF
If you are a business that provides financial services, publishes quarterly reports to the Security and Exchange Commission and want to ensure you have the necessary controls to ensure your IT department is meeting all required security controls, you should follow: a. ITIL b. COBIT-5 c. DoDAF d. NIST SP 800-53 e. COS
b. COBIT-5
Which of the following best describes ISO 27001 and BS 7799 a. Nationally recognized Information Security Management Standards that provide high-level, conceptual recommendations on enterprise security. b. ISO 27001 is the internationally recognized Information Security Management Standard that provides high-level, conceptual recommendations on enterprise security. It was derived from BS 7799 c. The most commonly used standard is the BS 7799 which was derived from the de facto standard ISO 27001. It is an internationally recognized Information Security Management Standard that provides high-level conceptual recommendations on enterprise security. d. BS 7799 was derived from ISO 17799 and provides guidance on how to set up and maintain security programs.
b. ISO 27001 is the internationally recognized Information Security Management Standard that provides high-level, conceptual recommendations on enterprise security. It was derived from BS 7799
The Zachman Architecture Framework is often used to set up an enterprise security architecture. Which of the following does not correctly describe the Zachman Framework? a. Used to build a robust enterprise architecture versus a technical security architecture. b. A two-dimensional model that uses communication interrogatives intersecting with different levels. c. A security-oriented model that gives instructions in a modular fashion. d. Uses six perspectives to describe a holistic information infrastructure.
c. A security-oriented model that gives instructions in a modular fashion.
Bob has some data that is extremely valuable. He backs it up from his computer to a flash stick, and he puts the flash stick in a safe deposit box. Which two principles of the CIA triad does this address. a. Backup - Integrity; Safe Deposit Box - Confidentiality b. Backup - Confidentiality; Safe Deposit Box - Integrity c. Backup - Availability; Safe Deposit Box - Confidentiality d. Backup - Integrity; Safe Deposit Box - Availability
c. Backup - Availability; Safe Deposit Box - Confidentiality
Which of the following is the effect of job rotation on organizational security? a. Reassigned personnel will be able to modify their old administrative files b. Privileged personnel will never stay on the job long enough to learn how to bypass security controls c. Privileged personnel involved in violations of security policy cannot be certain that they can always avoid detection d. As personnel rotate through jobs, they will learn how to implement new procedures
c. Privileged personnel involved in violations of security policy cannot be certain that they can always avoid detection
any organization that collects data on EU residents
data controller
any organization that processes data for a data controller
data processor
the individual to whom the data pertains
data subject
intended to discourage a potential attacker
deterrent
a weakness in a system that allow a threat source to compromise its security
vulnerability