ISM 4323

¡Supera tus tareas y exámenes ahora con Quizwiz!

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

(ISC)2

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

Problems with benchmarking include all but which of the following?

Benchmarking doesn't help in determining the desired outcome of the security process

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones.

Biba

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

Bull's-eye model

In the event of an incident or disaster, which planning element is used to guide off-site operations?

Business continuity

When a disaster renders the current business location unusable, which plan is put into action?

Business continuity

Which is the first step in the contingency planning process among the options listed here?

Business impact analysis

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?

Deontological ethics

What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain that standard?

Due care and due diligence

Which policy is the highest level of policy and is usually created first?

EISP

Which of the following InfoSec measurement specifications makes it possible to define success in the security program?

Establishing targets

A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances.

False

The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.

False

Which of the following is an example of a rapid-onset disaster?

Flood

​Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.

​data owners

Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________

​data users

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.

​team leader

Which of the following is true about a hot site?

It duplicates computing resources, peripherals, phone systems, applications, and workstations.

Which of the following is a responsibility of the crisis management team?

Keeping the public informed about the event and the actions being taken

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

Legal management must develop corporate-wide standards

Which of the following is the final step in the risk identification process of information assets?

Listing by order of importance

The identification and assessment of levels of risk in an organization describes which of the following?

Risk analysis

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.

Risk assessment estimate factors

Which of the following is NOT one of the three types of performance measures used by organizations?

Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Threats-vulnerabilities-assets worksheet

Which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. Copyright Law

In a TVA worksheet, along one asset lies the prioritized set of ____, along the other the prioritized set of ____.

assets, threats

According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?

availability

Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?

benchmarking

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.

chief information security officer

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

common good

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

corrective

Which type of attack involves sending a large number of connection or information requests to a target?

denial-of-service (DoS)

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.

deterrence

A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial-of-service

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

due diligence

Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.

economic and non-economic

Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.

education

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

evaluating alternative strategies

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

framework & security model

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

implementation

Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?

incident response plan

The NIST risk management approach includes all but which of the following elements?

inform

Which of the following is an element of the enterprise information security policy?

information on the structure of the InfoSec organization

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

investigation

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?

malice

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

managerial controls

When determining the relative importance of each information asset, refer to the organization's ____ or statement of objectives. From this source, determine which assets are essential for meeting the organization's objectives, which assets support the objectives, and which are merely adjuncts.

mission statement

Reducing the impact of a successful attack on an organization's system falls under the ____ risk control strategy.

mitigation

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

monitoring and measurement

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

need-to-know

Which type of access controls can be role-based or task-based?

nondiscretionary

The typical security staff in a small organization consists of ____.

one person

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organization

Which of the following is NOT a primary function of Information Security Management?

performance

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

planning

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.

political feasibility

A SETA program consists of three elements: security education, security training, and ____.

security awareness

Which type of planning is the primary tool in determining the long-term direction taken by an organization?

strategic

Which of the following are the two general groups into which SysSPs can be separated?

technical specifications and managerial guidance

A time-release safe is an example of which type of access control?

temporal isolation

Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

they have larger information security needs than a small organization

An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach.

transference

Risk is the likelihood of the occurrence of a(n) ____ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.

vulnerability

Which of the following is the first step in the problem-solving process?

Recognize and define the problem

Blackmail threat of informational disclosure is an example of which threat category?

Information extortion

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

COBIT

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Calculating the severity of risks to which assets are exposed in their current setting

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?

Confidentiality

Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event?

Contingency planning

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?

For political advantage

Which of the following allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental?

Forensics

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

HIPAA

Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

Health Information Technology for Economic and Clinical Health Act

Which of the following is a part of the incident recovery process?

Identifying the vulnerabilities that allowed the incident to occur and spread

Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident?

Incident classification

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?

Measurements must be useful for tracking non-compliance by internal personnel

Which of the following is NOT a change control principle of the Clark-Wilson model?

No changes by authorized subjects without external validation

InfoSec measurements collected from production statistics depend greatly on which of the following factors?

Number of systems and users of those systems

Which type of planning is used to organize the ongoing, day-to-day performance of tasks?

Operational

Which of the following variables is the most influential in determining how to structure an information security program?

Organizational culture

Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?

Performance management

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

Policy Review and Modification

The Annualized Loss Expectancy in the CBA formula is determined as ____.

SLE * ARO

____ are accountable for the day-to-day operation of the information security program.

Security managers

Which of the following is an information security governance responsibility of the Chief Security Officer?

Set security policy, procedures, programs and training

Which of the following is true about planning?

Strategic plans are used to create tactical plans

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

Systems testing

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

TCSEC

Which of the following is the primary purpose of ISO/IEC 27001:2005?

To enable organizations that adopt it to obtain certification

____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.

Trojan horses

Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information. ____________

True

Which of the following is a definite indicator of an actual incident?

Use of dormant accounts

__________ is a simple project management planning tool.

WBS

What are the two general methods for implementing technical controls?

access control lists and configuration rules

A cost-benefit analysis is calculated by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy

annualized cost of the safeguard


Conjuntos de estudio relacionados

Accounting 1 T and F semester 1 exam

View Set

Canvas overview quiz - Unit 1 Successful Learning

View Set

AP euro chapter 13/14 multiple choice test

View Set

Chapter 5 Frameworks for Health Promotion, Disease Prevention, and Risk Reduction

View Set

Florida Statutes, Rules, and Regulations Common to All Lines

View Set