ISM 4323 Sample/Quiz Questions
Common vulnerability assessment processes include: Internet VA Wireless VA Intranet VA All of these
All of these
Which type of IDPS is also known as a behavior-based intrusion detection system? Network-based Anomaly-based Host-based Signature-based
Anomaly-based
Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area? Identification Authentication Authorization Accountability
Authentication
In the event of an incident or disaster, which planning element is used to guide off-site operations? Project management Business Continuity Disaster recovery Incident response
Business Continuity
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? COBIT COSO NIST ISO
COBIT
Which of the following is a criterion commonly used to compare and evaluate biometric technologies? False accept rate Crossover error rate False reject rate Valid accept rate
Crossover error rate
The intermediate area between trusted and untrusted networks is referred to as which of the following? Unfiltered area Semi-trusted area Demilitarized zone Proxy zone
Demilitarized zone
Which of the following is a study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as a duty or obligation-based ethics? Applied ethics Metaethics Normative ethics Deontological Ethics
Deontological Ethics
One approach that can improve the situational awareness of the information security function uses a process known as ____ to quickly identify changes to the internal environment. Baselining Difference analysis Differentials Revision
Difference analysis
Which of the following InfoSec measurement specifications makes it possible to define success in the security program? Development approach Establishing targets Prioritization and selection Measurements templates
Establishing targets
Which of the following is an example of a rapid onset disaster? Flood Pest infestation Famine Environmental degradation
Flood
The optimum approach for escalation is based on a thorough integration of the monitoring process into the _________. IDE CERT ERP IRP
IRP
Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident? Incident classification Incident identification Incident registration Incident verification
Incident classification
Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach? Incident response plan Business continuity plan Disaster recovery plan Damage control plan
Incident response plan
The NIST risk management approach includes all but which of the following elements? Inform Assess Frame Respond
Inform
Blackmail threat of informational disclosure is an example of which threat category? Espionage or Trespass Information Extortion Sabotage or Vandalism Compromises of Intellectual Property
Information Extortion
Which of the following is an element of the enterprise information security policy? Access control lists Information on the structure of the InfoSec organization Articulation of the organization's SDLC methodology Indemnification of the organization against liability
Information on the structure of the InfoSec organization
Detailed ____ on the highest risk warnings can include identifying which vendor updates apply to which vulnerabilities as well as which types of defenses have been found to work against the specific vulnerabilities reported. Escalation Intelligence Monitoring Elimination
Intelligence
The ________ vulnerability assessment is a process designed to find and document selected vulnerabilities that are likely to be present on the organization's internal network. Intranet Internet LAN WAN
Intranet
Which of the following is used in conjunction with an algorithm to make computer data secure from anybody except the intended recipient of the data? Key Plaintext Cipher Cryptosystem
Key
Which of the following is the final step in the risk identification process of information assets? Assessing relative risk Listing by order of importance Preparing deliverables Identifying and categorizing
Listing by order of importance
When determining the relative importance of each asset, refer to the organization's ____________ or statement of objectives. From this source, determine which assets are essential for meeting the organization's objectives, which assets are supporting the objectives, and which are mere adjuncts. Mission statement Security plan Values statement Security policy
Mission statement
Reducing the impact of a successful attack on an organization's system falls under the __________ risk control strategy. Acceptance Mitigation Transference Avoidance
Mitigation
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk? Analysis and adjustment Review and reapplication Monitoring and measurement Evaluation and funding
Monitoring and measurement
Which access control principle limits a user's access to the specific information required to perform the currently assigned task? Need-to-know Eyes only Least privilege Separation of duties
Need-to-know
Which of the following is NOT a change principle of the Clark-Wilson model? No changes by unauthorized subjects No unauthorized changes by authorized subjects No changes by authorized subjects without external validation The maintenance of internal and external consistency
No changes by authorized subjects without external validation
InfoSec measurements collected from production statistics depend greatly on which of the following factors? Types of performance measures developed Number of systems and users of those systems Number of monitored threats and attacks Activities and goals implemented by the business unit
Number of systems and users of those systems
The typical security staff in a small organization consists of ___________. One person One to two people One to three people Two to five people
One person
Which type of planning is used to organize the ongoing, day-to-day performance of tasks? Strategic Tactical Organizational Operational
Operational
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? Organization Planning Controlling Leading
Organization
_________, a level beyond vulnerability testing, is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker). Penetration testing Penetration simulation Attack simulation Attack testing
Penetration testing
Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program? Performance management Baselining Best practices Standards of due care/diligence
Performance management
Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? Compliance Policy Planning Systems security administration
Planning
Which section of the ISSP should outline a specific methodology for the review and modification of the ISSP? Policy Review and Modification Limitations of Liability Systems Management Statement of Purpose
Policy Review and Modification
Which of the following determines acceptable practices based on consensus relationships among the communities of interest? Organizational feasibility Political feasibility Technical feasibility Operational feasibility
Political feasibility
Which of the following biometric authentication systems is considered to be the most secure? Fingerprint recognition Signature recognition Voice pattern recognition Retina pattern recognition
Retina pattern recognition
The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of ________. Vulnerability mitigation controls Risk assessment estimate factors Exploit likelihood equation Attack analysis calculation
Risk assessment estimate factors
A step commonly used for internet vulnerability assessment includes _________, which occurs when the penetration test engine is unleashed at the scheduled time using the planned target list and test selection. Scanning Subrogation Delegation Targeting
Scanning
Which of the following biometric authentication systems is the most accepted by users? Keystroke pattern recognition Fingerprint recognition Signature recognition Retina pattern recognition
Signature Recognition
"4-1-9" is an example of a _____________ attack. Social Engineering Virus Worm Spam
Social Engineering
Which type of firewall keeps track of each network connection established between internal and external systems? Packet filtering Stateful packet inspection Application layer Cache server
Stateful packet inspection
What type of planning is the primary tool in determining the long-term direction taken by an organization? Strategic Tactical Operational Managerial
Strategic
Which of the following is true about planning? Strategic plans are used to create tactical plans Tactical plans are used to create strategic plans Operational plans are used to create tactical plans Operational plans are used to create strategic plans
Strategic plans are used to create tactical plans
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness? Systems testing Risk assessment Incident response Systems security administration
Systems testing
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"? Bell-LaPadula TCSEC ITSEC Common criteria
TCSEC
Which of the following are the two general groups into which SysSPs can be separated? Technical specifications and managerial guidance Business guidance and network guidance User specifications and managerial guidance Technical specifications and business guidance
Technical specifications and managerial guidance
A time-release safe is an example of which type of access control? Content-dependent Constrained user interface Temporal isolation Nondiscretionary
Temporal isolation
Which of the following is true about security staffing, budget, and needs of a medium-sized organization? They have a larger security staff than a small organization They have a larger security budget (as a percent of IT budget) than a small organization They have a smaller security budget (as a percent of IT budget) than a large organization They have larger information security needs than a small organization
They have larger information security needs than a small organization
Which of the following is NOT one of the three types of performance measures used by organizations? Those that determine the effectiveness of the execution of InfoSec policy Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy Those that assess the impact of an incident or other security event on the organization or its mission
Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? Risk exposure report Threats-vulnerabilities-assets worksheet Costs-risks-prevention database Threat assessment catalog
Threats-vulnerabilities-assets worksheet
Which of the following is the primary purpose of ISO/IEC 27001:2005? Use within an organization to formulate security requirements and objectives Implementation of business-enabling information security Use within an organization to ensure compliance with laws and regulations To enable organizations that adopt it to obtain certification
To enable organizations that adopt it to obtain certification
The ability to restrict specific services is a common practice in most modern routers, and is invisible to the user. True False
True
Which law extends protection to intellectual property, which includes words published in electronic formats? Freedom of Information Act U.S. Copyright Law Security and Freedom through Encryption Act Sarbanes-Oxley Act
U.S. Copyright Law
Which of the following is a definite indicator of an actual incident? Unusual system crashes Reported attack Presence of new accounts Use of dormant accounts
Use of dormant accounts
Which of the following is true about symmetric encryption? Uses a secret key to encrypt and decrypt Uses a private and public key It is also known as public key encryption It requires four keys to hold a conversation
Uses a secret key to encrypt and decrypt
Risk is the likelihood of the occurrence of a(n) ________ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability. Attack Vulnerability Exploit Assessment
Vulnerability
_________ penetration testing is usually used when a specific system or network segment is suspect and the organization wants the pen tester to focus on a particular aspect of the target. White box Black box Gray box Green box
White box
The _________ vulnerability assessment is designed to find and document vulnerabilities that may be present in the organization's wireless local area networks. Wireless Phone-in Battle-dialing Network
Wireless
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certificates? The code includes the canon: Provide diligent and competent service to principals. (ISC)^2 ACM SANS ISACA
(ISC)^2
In a TVA worksheet, along one axis lies the prioritized set of _________, along the other the prioritized set of ________. Controls, vulnerabilities Assets, threats Risks, expenditures Assessments, classifications
Assets, threats
Two of the activities in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process? Determining the likelihood that vulnerable systems will be attacked by specific threats Calculating the severity of risks to which assets are exposed in their current setting Assigning a value to each information asset Documenting and reporting the findings of risk identification and assessment
Assigning a value to each information asset
According to the CIA triad, which of the following is a desirable characteristic for computer security? Accountability Availability Authorization Authentication
Availability
To evaluate the performance of a security system, administrators must establish system performance ___________. Baselines Profiles Maxima Means
Baselines
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following? Benchmarking Best practices Baselining Due diligence
Benchmarking
Problems with benchmarking include all but which of the following? Organizations don't often share information on successful attacks Organizations being benchmarked are seldom identical Recommended practices change and evolve, thus past performance is no indicator of future success Benchmarking doesn't help in determining the desired outcome of the security process
Benchmarking doesn't help in determining the desired outcome of the security process
Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? Clark-Wilson Bell-LaPadula Common Criteria Biba
Biba
Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? Framework Security model Security Standard Both A&B are correct
Both A&B are correct
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? On target model Woods model Bullseye model Bergeron and Berube model
Bullseye model
When a disaster renders the current business location unusable, which plan is put into action? Business continuity Crisis management Incident response Business impact analysis
Business continuity
Which is the first step in the contingency planning process among the options listed here? Business continuity training Disaster recovery planning Business impact analysis Incident response planning
Business impact analysis
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. Data owners Data custodians Data users Data generators
Data owners
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as _____________. Data owners Data custodians Data users Data generators
Data users
Which type of attack involves sending a large number of connection or information requests to a target? Malicious Code Denial-of-Service (DoS) Brute Force Spear Phishing
Denial-of-Service (DoS)
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls. Remediation Deterrence Persecution Rehabilitation
Deterrence
A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. Denial-of-Service Distributed Denial-of-Service Virus Spam
Distributed Denial-of-Service
What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain the standard? Certification Best practices Due care and due diligence Baselining and benchmarking
Due care and due diligence
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? Policy administration Due diligence Adequate security measures Certification and accreditation
Due diligence
Which policy is the highest level of policy and is usually created first? SysSP USSP ISSP EISP
EISP
Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the __________ consequences of the vulnerability. Cost avoidance Risk Economic and non-economic Feasibility
Economic and non-economic
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? Conducting decision support Implementing controls Evaluating alternative strategies Measuring program effectiveness
Evaluating alternative strategies
A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances. True False
False
The need for effective policy management has led to the emergence of a class of HARDWARE tools that supports policy development, implementation, and maintenance. True False
False
What are the two general methods for implementing technical controls? Profile lists and configuration filters Firewall rules and access filters User profiles and access filters Access control lists and configuration rules
Access control lists and configuration rules
A cost-benefit analysis is calculated by subtracting the post-control annualized loss expectancy and the __________ from the pre-control annualized loss expectancy. Annualized cost of the safeguard Exposure factor Annualized rate of occurrence Asset value
Annualized cost of the safeguard
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? Design Analysis Implementation Investigation
Investigation
Which of the following is true about a hot site? It is an empty room with standard heating, air conditioning, and electrical service It includes computing equipment and peripherals with servers but not client workstations It duplicates computing resources, peripherals, phone systems, applications, and workstations All communications services must be installed after the site is occupied
It duplicates computing resources, peripherals, phone systems, applications, and workstations
Which of the following is a responsibility of the crisis management team? Restoring the data from backups Evaluating monitoring capabilities Keeping the public informed about the event and the actions being taken Restoring the services and processes in use
Keeping the public informed about the event and the actions being taken
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following? General management must structure the IT and InfoSec functions IT management must serve the IT needs of the broader organization Legal management must develop corporate-wide standards InfoSec management must lead the way with skill, professionalism, and flexibility
Legal management must develop corporate-wide standards
The identification and assessment of levels of risk in an organization describes which of the following? Risk analysis Risk identification Risk Management Risk reduction
Risk analysis
Which of the following should be included in an InfoSec governance program? An InfoSec development methodology An InfoSec risk management methodology An InfoSec project management assessment from an outside consultant All of these are components of an InfoSec governance program
An InfoSec risk management methodology
The purpose of SETA is to enhance security in all but which of the following ways? By building in-depth knowledge By adding barriers By developing skills By improving awareness
By adding barriers
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? Creating an inventory of information assets Classifying and organizing information assets into meaningful groups Assigning a value to each information asset Calculating the severity of risks to which assets are exposed in their current setting
Calculating the severity of risks to which assets are exposed in their current setting
The individual responsible for the assessment, management, and implementation of information protection activities in the organization is known as a(n) _______________. Chief Information Security Officer Security Technician Security Manager Chief Technology Officer
Chief Information Security Officer
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to the community? Utilitarian Virtue Fairness or justice Common good
Common good
Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information? Integrity Availability Authentication Confidentiality
Confidentiality
Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event? Risk management Contingency planning Business response Disaster readiness
Contingency planning
Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? Preventive Deterrent Corrective Compensating
Corrective
The penalty for offenses related to the National Information Protection Act of 1996 depends on whether the offense is judged to have been committed for one of the following reasons except which of the following? For purpose of commercial advantage For private financial gain For political advantage In furtherance of a criminal act
For political advantage
Which of the following allows investigators to determine what happened by examining the results of an event - criminal, natural, intentional, or accidental? Digital malfeasance E-discovery Forensics Evidentiary measures
Forensics
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them? ECPA Sarbanes-Oxley HIPAA Gramm-Leach-Bliley
HIPAA
Which law addresses privacy and security concerns associated with the electronic transmission of PHI? USA Patriot Act of 2001 American Recovery and Reinvestment Act Health Information Technology for Economic and Clinical Health Act National Information Infrastructure Protection Act of 1996
Health Information Technology for Economic and Clinical Health Act
Which of the following is a part of incident recovery process? Identifying the vulnerabilities that allowed the incident to occur and spread Determining the event's impact on normal business operations and, if necessary, making a disaster declaration Supporting personnel and their loved ones during the crisis Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
Identifying the vulnerabilities that allowed the incident to occur and spread
In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies? Design Implementation Investigation Analysis
Implementation
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is not one of them? Ignorance Malice Accident Intent
Malice
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? System controls Technical controls Operational controls Managerial controls
Managerial controls
Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program? Measurements must yield quantifiable information Data that supports the measures needs to be readily obtainable Only repeatable InfoSec processes should be considered for measurement Measurements must be useful for tracking non-compliance by internal personnel
Measurements must be useful for tracking non-compliance by internal personnel
Which type of access controls can be role-based or task-based? Constrained Content-dependent Nondiscretionary Discretionary
Nondiscretionary
Which of the following variables is the most influential in determining how to structure an information security program? Security capital budget Organizational size Security personnel budget Organizational culture
Organizational culture
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program? Protection People Projects Policy
People
Which of the following is not a primary function of Information Security Management? Planning Protection Projects Performance
Performance
The Annualized Loss Expectancy in the CBA formula is determined as __________. ALE * ARO SLE * ARO ACS - SLE(post) AV * EF
SLE * ARO
A SETA program consists of three elements: security education, security training, and _____________. Security accountability Security authentication Security awareness Security authorization
Security awareness
____________ are accountable for the day-to-day operation of the information security program. Security administrators Security managers Security technicians Security analysts
Security managers
Which of the following is an information security governance responsibility of the Chief Security Officer? Communicate policies and the program Set security policy, procedures, programs, and training Brief the board, customers, and the public Implement policy, report security vulnerabilities, and breaches
Set security policy, procedures, programs, and training
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ______________. Champion End-user Team leader Policy developer
Team leader
An organization that chooses to outsource its risk management practice to independent consultants is taking the _________ control approach. Avoidance Mitigation Transference Acceptance
Transference
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. Bypass Theft Trespass Security
Trespass
Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information. True False
True
___________ is a simple project management planning tool. RFP WBS ISO 17799 SDLC
WBS