ISM 4323 Sample/Quiz Questions


Common vulnerability assessment processes include: Internet VA Wireless VA Intranet VA All of these

All of these

Which type of IDPS is also known as a behavior-based intrusion detection system? Network-based Anomaly-based Host-based Signature-based

Anomaly-based

Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area? Identification Authentication Authorization Accountability

Authentication

In the event of an incident or disaster, which planning element is used to guide off-site operations? Project management Business Continuity Disaster recovery Incident response

Business Continuity

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? COBIT COSO NIST ISO

COBIT

Which of the following is a commonly used criterion for comparing and evaluating biometric technologies? False accept rate Crossover error rate False reject rate Valid accept rate

Crossover error rate
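The crossover error rate is the point at which a matcher's false accept rate (FAR) and false reject rate (FRR) are equal; a lower CER means a more accurate system. The block below is an added example, not part of the quiz or of the textbook it draws on: it estimates the CER from sampled FAR/FRR values for two hypothetical matchers (the threshold/FAR/FRR numbers are constructed) and ranks them by CER, which is how the criterion is used to compare products.

```python
# Added example (not from the quiz or the textbook it draws on): estimating the
# crossover error rate (CER) of a biometric matcher from sampled FAR/FRR values.
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float, float]  # (decision threshold, FAR, FRR)

# Constructed sample data for two hypothetical matchers. As the threshold
# tightens, the false accept rate (FAR) falls and the false reject rate (FRR)
# rises; the CER is where the two curves meet.
FINGERPRINT: List[Point] = [
    (0.1, 0.20, 0.01),
    (0.2, 0.12, 0.02),
    (0.3, 0.07, 0.04),
    (0.4, 0.04, 0.06),
    (0.5, 0.02, 0.10),
    (0.6, 0.01, 0.18),
]
VOICE: List[Point] = [
    (0.1, 0.30, 0.02),
    (0.2, 0.20, 0.05),
    (0.3, 0.12, 0.09),
    (0.4, 0.08, 0.15),
    (0.5, 0.04, 0.25),
]


def crossover_error_rate(curve: Sequence[Point]) -> Tuple[float, float]:
    """Return (threshold, cer) where FAR == FRR.

    The curves are sampled, so the exact crossing usually lies between two
    samples; it is found by linear interpolation of d(t) = FAR(t) - FRR(t)
    between the first pair of adjacent samples where d changes sign.
    """
    pts = sorted(curve)
    for (t0, far0, frr0), (t1, far1, frr1) in zip(pts, pts[1:]):
        d0, d1 = far0 - frr0, far1 - frr1
        if d0 == 0:
            return t0, far0
        if d0 * d1 < 0:
            frac = d0 / (d0 - d1)  # fraction of the way from t0 to t1
            return t0 + frac * (t1 - t0), far0 + frac * (far1 - far0)
    if pts and pts[-1][1] == pts[-1][2]:
        return pts[-1][0], pts[-1][1]
    raise ValueError("FAR and FRR do not cross inside the sampled range")


def rank_by_cer(systems: Dict[str, Sequence[Point]]) -> List[Tuple[str, float]]:
    """Rank candidate systems by CER, lowest (most accurate) first."""
    ranked = [(name, crossover_error_rate(curve)[1]) for name, curve in systems.items()]
    return sorted(ranked, key=lambda item: item[1])


if __name__ == "__main__":
    for name, cer in rank_by_cer({"fingerprint": FINGERPRINT, "voice": VOICE}):
        print(f"{name:12s} CER = {cer:.3f}")
```

With these constructed curves the fingerprint matcher crosses at a threshold of about 0.36 with a CER of 5.2%, and the voice matcher at about 0.33 with a CER of 10.8%, so the ranking puts fingerprint first. Real vendor data is rarely sampled on the same thresholds, which is why the comparison is done on the interpolated CER rather than on raw FAR or FRR at some arbitrary setting.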

The intermediate area between trusted and untrusted networks is referred to as which of the following? Unfiltered area Semi-trusted area Demilitarized zone Proxy zone

Demilitarized zone

Which of the following is a study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as a duty or obligation-based ethics? Applied ethics Metaethics Normative ethics Deontological Ethics

Deontological Ethics

One approach that can improve the situational awareness of the information security function uses a process known as ____ to quickly identify changes to the internal environment. Baselining Difference analysis Differentials Revision

Difference analysis

Which of the following InfoSec measurement specifications makes it possible to define success in the security program? Development approach Establishing targets Prioritization and selection Measurements templates

Establishing targets

Which of the following is an example of a rapid onset disaster? Flood Pest infestation Famine Environmental degradation

Flood

The optimum approach for escalation is based on a thorough integration of the monitoring process into the _________. IDE CERT ERP IRP

IRP

Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident? Incident classification Incident identification Incident registration Incident verification

Incident classification

Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach? Incident response plan Business continuity plan Disaster recovery plan Damage control plan

Incident response plan

The NIST risk management approach includes all but which of the following elements? Inform Assess Frame Respond

Inform

Blackmail threat of informational disclosure is an example of which threat category? Espionage or Trespass Information Extortion Sabotage or Vandalism Compromises of Intellectual Property

Information Extortion

Which of the following is an element of the enterprise information security policy? Access control lists Information on the structure of the InfoSec organization Articulation of the organization's SDLC methodology Indemnification of the organization against liability

Information on the structure of the InfoSec organization

Detailed ____ on the highest risk warnings can include identifying which vendor updates apply to which vulnerabilities as well as which types of defenses have been found to work against the specific vulnerabilities reported. Escalation Intelligence Monitoring Elimination

Intelligence

The ________ vulnerability assessment is a process designed to find and document selected vulnerabilities that are likely to be present on the organization's internal network. Intranet Internet LAN WAN

Intranet

Which of the following is used in conjunction with an algorithm to make computer data secure from anybody except the intended recipient of the data? Key Plaintext Cipher Cryptosystem

Key

Which of the following is the final step in the risk identification process of information assets? Assessing relative risk Listing by order of importance Preparing deliverables Identifying and categorizing

Listing by order of importance

When determining the relative importance of each asset, refer to the organization's ____________ or statement of objectives. From this source, determine which assets are essential for meeting the organization's objectives, which assets are supporting the objectives, and which are mere adjuncts. Mission statement Security plan Values statement Security policy

Mission statement

Reducing the impact of a successful attack on an organization's system falls under the __________ risk control strategy. Acceptance Mitigation Transference Avoidance

Mitigation

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk? Analysis and adjustment Review and reapplication Monitoring and measurement Evaluation and funding

Monitoring and measurement

Which access control principle limits a user's access to the specific information required to perform the currently assigned task? Need-to-know Eyes only Least privilege Separation of duties

Need-to-know

Which of the following is NOT a change principle of the Clark-Wilson model? No changes by unauthorized subjects No unauthorized changes by authorized subjects No changes by authorized subjects without external validation The maintenance of internal and external consistency

No changes by authorized subjects without external validation

InfoSec measurements collected from production statistics depend greatly on which of the following factors? Types of performance measures developed Number of systems and users of those systems Number of monitored threats and attacks Activities and goals implemented by the business unit

Number of systems and users of those systems

The typical security staff in a small organization consists of ___________. One person One to two people One to three people Two to five people

One person

Which type of planning is used to organize the ongoing, day-to-day performance of tasks? Strategic Tactical Organizational Operational

Operational

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? Organization Planning Controlling Leading

Organization

_________, a level beyond vulnerability testing, is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker). Penetration testing Penetration simulation Attack simulation Attack testing

Penetration testing

Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program? Performance management Baselining Best practices Standards of due care/diligence

Performance management

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? Compliance Policy Planning Systems security administration

Planning

Which section of the ISSP should outline a specific methodology for the review and modification of the ISSP? Policy Review and Modification Limitations of Liability Systems Management Statement of Purpose

Policy Review and Modification

Which of the following determines acceptable practices based on consensus relationships among the communities of interest? Organizational feasibility Political feasibility Technical feasibility Operational feasibility

Political feasibility

Which of the following biometric authentication systems is considered to be the most secure? Fingerprint recognition Signature recognition Voice pattern recognition Retina pattern recognition

Retina pattern recognition

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of ________. Vulnerability mitigation controls Risk assessment estimate factors Exploit likelihood equation Attack analysis calculation

Risk assessment estimate factors

A step commonly used for internet vulnerability assessment includes _________, which occurs when the penetration test engine is unleashed at the scheduled time using the planned target list and test selection. Scanning Subrogation Delegation Targeting

Scanning

Which of the following biometric authentication systems is the most accepted by users? Keystroke pattern recognition Fingerprint recognition Signature recognition Retina pattern recognition

Signature recognition

"4-1-9" is an example of a _____________ attack. Social Engineering Virus Worm Spam

Social Engineering

Which type of firewall keeps track of each network connection established between internal and external systems? Packet filtering Stateful packet inspection Application layer Cache server

Stateful packet inspection

What type of planning is the primary tool in determining the long-term direction taken by an organization? Strategic Tactical Operational Managerial

Strategic

Which of the following is true about planning? Strategic plans are used to create tactical plans Tactical plans are used to create strategic plans Operational plans are used to create tactical plans Operational plans are used to create strategic plans

Strategic plans are used to create tactical plans

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and performs acceptance testing of new systems to assure compliance with policy and effectiveness? Systems testing Risk assessment Incident response Systems security administration

Systems testing

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"? Bell-LaPadula TCSEC ITSEC Common criteria

TCSEC

Which of the following are the two general groups into which SysSPs can be separated? Technical specifications and managerial guidance Business guidance and network guidance User specifications and managerial guidance Technical specifications and business guidance

Technical specifications and managerial guidance

A time-release safe is an example of which type of access control? Content-dependent Constrained user interface Temporal isolation Nondiscretionary

Temporal isolation

Which of the following is true about security staffing, budget, and needs of a medium-sized organization? They have a larger security staff than a small organization They have a larger security budget (as a percent of IT budget) than a small organization They have a smaller security budget (as a percent of IT budget) than a large organization They have larger information security needs than a small organization

They have larger information security needs than a small organization

Which of the following is NOT one of the three types of performance measures used by organizations? Those that determine the effectiveness of the execution of InfoSec policy Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy Those that assess the impact of an incident or other security event on the organization or its mission

Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? Risk exposure report Threats-vulnerabilities-assets worksheet Costs-risks-prevention database Threat assessment catalog

Threats-vulnerabilities-assets worksheet

Which of the following is the primary purpose of ISO/IEC 27001:2005? Use within an organization to formulate security requirements and objectives Implementation of business-enabling information security Use within an organization to ensure compliance with laws and regulations To enable organizations that adopt it to obtain certification

To enable organizations that adopt it to obtain certification

The ability to restrict specific services is a common practice in most modern routers, and is invisible to the user. True False

True

Which law extends protection to intellectual property, which includes words published in electronic formats? Freedom of Information Act U.S. Copyright Law Security and Freedom through Encryption Act Sarbanes-Oxley Act

U.S. Copyright Law

Which of the following is a definite indicator of an actual incident? Unusual system crashes Reported attack Presence of new accounts Use of dormant accounts

Use of dormant accounts

Which of the following is true about symmetric encryption? Uses a secret key to encrypt and decrypt Uses a private and public key It is also known as public key encryption It requires four keys to hold a conversation

Uses a secret key to encrypt and decrypt

Risk is the likelihood of the occurrence of a(n) ________ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability. Attack Vulnerability Exploit Assessment

Vulnerability

_________ penetration testing is usually used when a specific system or network segment is suspect and the organization wants the pen tester to focus on a particular aspect of the target. White box Black box Gray box Green box

White box

The _________ vulnerability assessment is designed to find and document vulnerabilities that may be present in the organization's wireless local area networks. Wireless Phone-in Battle-dialing Network

Wireless

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certificates? The code includes the canon: Provide diligent and competent service to principals. (ISC)^2 ACM SANS ISACA

(ISC)^2

In a TVA worksheet, along one axis lies the prioritized set of _________, along the other the prioritized set of ________. Controls, vulnerabilities Assets, threats Risks, expenditures Assessments, classifications

Assets, threats

Two of the activities in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process? Determining the likelihood that vulnerable systems will be attacked by specific threats Calculating the severity of risks to which assets are exposed in their current setting Assigning a value to each information asset Documenting and reporting the findings of risk identification and assessment

Assigning a value to each information asset

According to the CIA triad, which of the following is a desirable characteristic for computer security? Accountability Availability Authorization Authentication

Availability

To evaluate the performance of a security system, administrators must establish system performance ___________. Baselines Profiles Maxima Means

Baselines

Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following? Benchmarking Best practices Baselining Due diligence

Benchmarking

Problems with benchmarking include all but which of the following? Organizations don't often share information on successful attacks Organizations being benchmarked are seldom identical Recommended practices change and evolve, thus past performance is no indicator of future success Benchmarking doesn't help in determining the desired outcome of the security process

Benchmarking doesn't help in determining the desired outcome of the security process

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? Clark-Wilson Bell-LaPadula Common Criteria Biba

Biba

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? Framework Security model Security Standard Both A&B are correct

Both A&B are correct

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? On target model Woods model Bullseye model Bergeron and Berube model

Bullseye model

When a disaster renders the current business location unusable, which plan is put into action? Business continuity Crisis management Incident response Business impact analysis

Business continuity

Which is the first step in the contingency planning process among the options listed here? Business continuity training Disaster recovery planning Business impact analysis Incident response planning

Business impact analysis

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. Data owners Data custodians Data users Data generators

Data owners

Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as _____________. Data owners Data custodians Data users Data generators

Data users

Which type of attack involves sending a large number of connection or information requests to a target? Malicious Code Denial-of-Service (DoS) Brute Force Spear Phishing

Denial-of-Service (DoS)

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls. Remediation Deterrence Prosecution Rehabilitation

Deterrence

A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. Denial-of-Service Distributed Denial-of-Service Virus Spam

Distributed Denial-of-Service

What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain the standard? Certification Best practices Due care and due diligence Baselining and benchmarking

Due care and due diligence

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? Policy administration Due diligence Adequate security measures Certification and accreditation

Due diligence

Which policy is the highest level of policy and is usually created first? SysSP USSP ISSP EISP

EISP

Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the __________ consequences of the vulnerability. Cost avoidance Risk Economic and non-economic Feasibility

Economic and non-economic

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? Conducting decision support Implementing controls Evaluating alternative strategies Measuring program effectiveness

Evaluating alternative strategies

A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances True False

False

The need for effective policy management has led to the emergence of a class of HARDWARE tools that supports policy development, implementation, and maintenance. True False

False

What are the two general methods for implementing technical controls? Profile lists and configuration filters Firewall rules and access filters User profiles and access filters Access control lists and configuration rules

Access control lists and configuration rules

A cost benefit analysis is calculated by subtracting the post-control annualized loss expectancy and the __________ from the pre-control annualized loss expectancy. Annualized cost of the safeguard Exposure factor Annualized rate of occurrence Asset value

Annualized cost of the safeguard

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? Design Analysis Implementation Investigation

Investigation

Which of the following is true about a hot site? It is an empty room with standard heating, air conditioning, and electrical service It includes computing equipment and peripherals with servers but not client workstations It duplicates computing resources, peripherals, phone systems, applications, and workstations All communications services must be installed after the site is occupied

It duplicates computing resources, peripherals, phone systems, applications, and workstations

Which of the following is a responsibility of the crisis management team? Restoring the data from backups Evaluating monitoring capabilities Keeping the public informed about the event and the actions being taken Restoring the services and processes in use

Keeping the public informed about the event and the actions being taken

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following? General management must structure the IT and InfoSec functions IT management must serve the IT needs of the broader organization Legal management must develop corporate-wide standards InfoSec management must lead the way with skill, professionalism, and flexibility

Legal management must develop corporate-wide standards

The identification and assessment of levels of risk in an organization describes which of the following? Risk analysis Risk identification Risk Management Risk reduction

Risk analysis

Which of the following should be included in an InfoSec governance program? An InfoSec development methodology An InfoSec risk management methodology An InfoSec project management assessment from an outside consultant All of these are components of an InfoSec governance program

An InfoSec risk management methodology

The purpose of SETA is to enhance security in all but which of the following ways? By building in-depth knowledge By adding barriers By developing skills By improving awareness

By adding barriers

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? Creating an inventory of information assets Classifying and organizing information assets into meaningful groups Assigning a value to each information asset Calculating the severity of risks to which assets are exposed in their current setting

Calculating the severity of risks to which assets are exposed in their current setting

The individual responsible for the assessment, management, and implementation of information protection activities in the organization is known as a(n) _______________. Chief Information Security Officer Security Technician Security Manager Chief Technology Officer

Chief Information Security Officer

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to the community? Utilitarian Virtue Fairness or justice Common good

Common good

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information? Integrity Availability Authentication Confidentiality

Confidentiality

Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event? Risk management Contingency planning Business response Disaster readiness

Contingency planning

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? Preventive Deterrent Corrective Compensating

Corrective

The penalty for offenses related to the National Information Infrastructure Protection Act of 1996 depends on whether the offense is judged to have been committed for one of the following reasons except which of the following? For purpose of commercial advantage For private financial gain For political advantage In furtherance of a criminal act

For political advantage

Which of the following allows investigators to determine what happened by examining the results of an event - criminal, natural, intentional, or accidental? Digital malfeasance E-discovery Forensics Evidentiary measures

Forensics

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them? ECPA Sarbanes-Oxley HIPAA Gramm-Leach-Bliley

HIPAA

Which law addresses privacy and security concerns associated with the electronic transmission of PHI? USA Patriot Act of 2001 American Recovery and Reinvestment Act Health Information Technology for Economic and Clinical Health Act National Information Infrastructure Protection Act of 1996

Health Information Technology for Economic and Clinical Health Act

Which of the following is a part of incident recovery process? Identifying the vulnerabilities that allowed the incident to occur and spread Determining the event's impact on normal business operations and, if necessary, making a disaster declaration Supporting personnel and their loved ones during the crisis Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise

Identifying the vulnerabilities that allowed the incident to occur and spread

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies? Design Implementation Investigation Analysis

Implementation

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is not one of them? Ignorance Malice Accident Intent

Malice

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? System controls Technical controls Operational controls Managerial controls

Managerial controls

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program? Measurements must yield quantifiable information Data that supports the measures needs to be readily obtainable Only repeatable InfoSec processes should be considered for measurement Measurements must be useful for tracking non-compliance by internal personnel

Measurements must be useful for tracking non-compliance by internal personnel

Which type of access controls can be role-based or task-based? Constrained Content-dependent Nondiscretionary Discretionary

Nondiscretionary

Which of the following variables is the most influential in determining how to structure an information security program? Security capital budget Organizational size Security personnel budget Organizational culture

Organizational culture

Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program? Protection People Projects Policy

People

Which of the following is not a primary function of Information Security Management? Planning Protection Projects Performance

Performance

The Annualized Loss Expectancy in the CBA formula is determined as __________. ALE * ARO SLE * ARO ACS - SLE(post) AV * EF

SLE * ARO
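Several of the questions above state the textbook's risk and cost-benefit formulas without numbers: the risk rating (likelihood times asset value, minus the share mitigated by current controls, plus the uncertainty of current knowledge), SLE = AV x EF, ALE = SLE x ARO, and CBA = ALE(pre-control) - ALE(post-control) - ACS. The block below is an added example, not part of the quiz or of the textbook it draws on; it carries those formulas through with constructed figures and works a candidate control from SLE to ALE to a CBA verdict, so the sign of the CBA decides whether the safeguard is justified. The asset values, exposure factors, frequencies and safeguard costs are all made up for the illustration.

```python
# Added example (not from the quiz or the textbook it draws on): the risk-rating
# factors and the cost-benefit analysis (CBA) formulas carried through with
# constructed numbers.
from typing import Dict


def risk_rating(likelihood: float, asset_value: float,
                pct_mitigated: float, uncertainty: float) -> float:
    """Risk = (likelihood x asset value)
              - (that product x fraction mitigated by current controls)
              + (that product x uncertainty of current knowledge).

    Fractions are expressed 0..1: a control covering half the risk is 0.5,
    and 80% confidence in the vulnerability data is an uncertainty of 0.2.
    """
    base = likelihood * asset_value
    return base - base * pct_mitigated + base * uncertainty


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, the loss from one occurrence."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected loss per year."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ACS (annual cost of safeguard)."""
    return ale_prior - ale_post - acs


def evaluate_control(asset_value: float, ef_prior: float, aro_prior: float,
                     ef_post: float, aro_post: float, acs: float) -> Dict[str, float]:
    """Work a control through SLE -> ALE -> CBA; a positive CBA favours buying it."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_post), aro_post)
    return {
        "ale_prior": ale_prior,
        "ale_post": ale_post,
        "cba": cost_benefit(ale_prior, ale_post, acs),
    }


if __name__ == "__main__":
    # Constructed risk-rating inputs: asset worth 100, vulnerability likelihood 0.5,
    # a current control covering 50% of the risk, 80% confidence in the data.
    print("risk rating:", risk_rating(0.5, 100, 0.50, 0.20))
    # Constructed CBA inputs: a $1,000,000 asset, 10% exposure, one event every
    # two years; the candidate control cuts exposure to 2% and frequency to once
    # in four years. Two different annual safeguard costs are compared.
    for acs in (30_000, 60_000):
        result = evaluate_control(1_000_000, 0.10, 0.5, 0.02, 0.25, acs)
        verdict = "justified" if result["cba"] > 0 else "not justified"
        print(f"ACS ${acs:,}: CBA ${result['cba']:,.0f} -> {verdict}")
```

With the constructed inputs the pre-control ALE is $50,000 and the post-control ALE $5,000, so a safeguard costing $30,000 a year yields a CBA of +$15,000 and is justified, while the same safeguard at $60,000 a year yields -$15,000 and is not. The risk-rating call shows the "minus mitigated, plus uncertainty" adjustments applied to the base product (50 - 25 + 10 = 35), which is the reading of the formula the quiz questions describe.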

A SETA program consists of three elements: security education, security training, and _____________. Security accountability Security authentication Security awareness Security authorization

Security awareness

____________ are accountable for the day-to-day operation of the information security program. Security administrators Security managers Security technicians Security analysts

Security managers

Which of the following is an information security governance responsibility of the Chief Security Officer? Communicate policies and the program Set security policy, procedures, programs, and training Brief the board, customers, and the public Implement policy, report security vulnerabilities, and breaches

Set security policy, procedures, programs, and training

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ______________. Champion End-user Team leader Policy developer

Team leader

An organization that chooses to outsource its risk management practice to independent consultants is taking the _________ control approach. Avoidance Mitigation Transference Acceptance

Transference

Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. Bypass Theft Trespass Security

Trespass

Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information True False

True

___________ is a simple project management planning tool. RFP WBS ISO 17799 SDLC

WBS
