ITM 350 chapter 9 quiz study guide

true or false? often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assts

false

true or false: a remediation liaison makes sure all personnel are aware of comply with an organization's policies

false - a compliance liaison makes sure all personnel are aware of comply with an organization policies

true or false? certification is the formal agreement by an authorizing official to accept the risk of implementing a system

false - accreditation is the formal agreement by an authorizing official to accept the risk of implementing a system

true or false? the term "data owner" refers to the person or group that manages an IT infrastructure

false - the term "system owner" refers to the person or group that manages the infrastructure

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?

formatting

Sets direction for the management of an organization pertaining to security in such specific functionaries such as email, remote access, and international interaction

functional policy

actions that the organization recommends?

guidelines

a strategy to minimize risk by rotating employees between various systems of duties

job rotation

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

service level agreement (SLA)

true or false? the idea that users should be granted inly the levels of permission they need in order to preform their duties is called the principle of lease privilege.

true

in what software development model does activity progress in a lock- step sequential process where no phase begins until the previous phase is complete?

waterfall

what is the correct order of steps in the change control process

1. request 2. impact assessment 3. approval 4. build/test 5. implement 6. monitor

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Access to a higher level of expertise

True or False? The waterfall software development model works well in very dynamic environments where requirements change and are often revisited.

False

what 9 examples of functional policies?

1. Acceptable use 2. Antivirus 3. interconnection 4. email use 5. firewall 6. host security 7. wireless use 8. extranet 9. other policies

what is the total of number of data classification standards criteria?

3

What is not a privacy principle created by the Organisation for Economic Co-operation and Development (OECD)?

An organization should share its information.

Lin is creating a template for the configuration of Windows servers in her organization. The configuration includes the basic security settings that should apply to all systems. What type of document should she create?

Baseline

Rylie is a newly hired cybersecurity expert for a government agency. Rylie used to work in the private sector. She has discovered that, whereas private sector companies often had confusing hierarchies for data classification, the government's classifications are well known and standardized. As part of her training, she is researching data that requires special authorization beyond normal classification. What is this type of data called?

Compartmentalized

Donnelly is an IT specialist. He is in charge of the server and network appliances inventory. The infrastructure roadmap calls for a network systems reconfiguration in the next six months. Adina, the security expert, asks Donnelly to prepare a standardized list of all current and proposed equipment and then to present it to her in a hardware configuration chart. What does Adina tell Donnelly that the chart should include?

Copies of all software configurations for routers and switches

what is XSRF?

Cross Site request forgery - causes users to perform action son web sites such as making purchases without their knowledge

Applications represent the most common avenue for users, customers, and attackers to access data, which means you must build the software to enforce the security policy and to ensure compliance with regulations, including the privacy and integrity of both data and system processes. Regardless of the development model, the application must validate all input. Certain attacks can take advantage of weak validation. One such attack provides script code that causes a trusted user who views the input script to send malicious commands to a web server. What is this called?

Cross-site request forgery (XSRF)

Omar is an infrastructure security professional. After reviewing a set of professional ethics issued by his company, he is learning and adopting ethical boundaries in an attempt to demonstrate them to others. What is this called?

Encouraging the adoption of ethical guidelines and standards

True or False? Regulatory compliance means complying with an organization's own policies, audits, culture, and standards.

False

True or False? The process of remediation makes sure all personnel are aware of and comply with an organization's policies.

False

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is not a good approach for destroying data?

Formatting

Antivirus, firewall, and email use policies belong to what part of a security policy hierarchy?

Functional policies in support of organization policy

Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?

Project initiation and planning

What is the least likely goal of an information security awareness program?

Punish users who violate policy

What is the correct order of change control procedures regarding changes to systems and networks?

Request, impact assessment, approval, build/test, implement, monitor

______ is an attack technique in which an attacker provides malicious SQL statements to access unauthorized data or carry out unauthorized commands

SQL injection

in what type of attack dies the attacker send unauthorized commands directly to database?

SQL injection

Mia is her company's network security professional. She is developing access policies based on personnel security principles. As part of this effort, she is devising a method of taking high-security tasks and splitting them among several different employees so that no one person is responsible for knowing and performing the entire task. What practice is she developing?

Separation of duties

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is not normally used to make these types of classification decisions?

Threat

True or False? Using the names of superiors to convince another person that a higher authority has allowed access to information is a form of social engineering.

True

True or False? A blanket purchase agreement (BPA) creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services.

True

____ is an attack in which an attacker inputs client-side script code to a web allocation. the code would then be viewed by other users, and their client software would execute the script instructions. exploits the trust users have in a server

XSS

what is NOT a good practice for developing strong professional ethics?

assume that information should be free

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. which phase of access control process is she performing?

authorization

in an accreditation process, who has the authority to approve a system fir implementation?

authorizing official (AO)

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?

baseline

basic configuration documents ?

baseline

which activity manages the baseline settings for a system or device?

configuration control

_____ is the measure of the importance of the information to the mission of organization

criticality

which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?

enforcing the integrity of computer base information

what are cords of actions that organization's operating systems or application software relates, showing witch user or system accessed stat or a resource and when

event logs

compulsory time during which workers must step away from their work responsibilities, often used as a time to audit critical functions

mandatory vacation

A property that indicuates a specific subject needs access to a specific object. This is necessary to access the object in addition to processing the proper clearance for the object's classification

need to know

specifies to consumers how an organization collects, uses , and disposes of their personal information

privacy policy

step-by-step systematic actions taken to accomplish a security requirement, process or objective

procedures

Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?

project initiation and planning

what is NOT a goal of information security awareness programs?

punish users who violate policy

which is an advantage of outsourcing?

reaching out to high level expertise that the organization may have not

helps all employees understand the assets and principles the organization values

security policy

what are the criteria for classifying information?

value

True or False? Configuration changes can be made at any time during a system life cycle, and no process is required.

False

what is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.

True or False? Change does not create risk for a business.

False

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Memorandum of understanding (MOU)

True or False? A security awareness program should address the requirements and expectations of an organization's security policy.

True

True or False? Classification scope determines what data to classify; the classification process determines how to handle classified data.

True

True or False? Company-related classifications are not standard; therefore, there may be some differences of meaning between the terms "private" and "confidential" in different companies.

True

True or False? Procedures help enforce the intent of a policy.

True

true or false? one advantage of using a security management firm for security monitoring is that it has a high level of expertise

true

Biyu is a network administrator. She is developing the compliance aspect of her company's security policy. Currently, she is focused on the records of actions that the organization's operating system or application software creates. What aspect of compliance is Biyu focusing on?

Event logs

Rodrigo has just received an email at work from an unknown person. The sender claims to have incriminating evidence against Rodrigo and threatens to release it to his employer and his family unless he discloses certain confidential information about his employer's company. Rodrigo does not know that several other people in the organization received the same email. What form of social engineering has occurred?

Intimidation

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?

Threat

True or False? A functional policy declares an organization's management direction for security in such specific functional areas as email use, remote access, and Internet interaction (including social media).

True

what kind of attack provides a script code that causes a trusted user who views the input script to send malicious commands to web server?

XSRF

true or false? a hardware configuration chart should NOT include copies of software configurations

false

True or False? The term "data owner" refers to the person or group that manages an IT infrastructure.

False

True or False? Mandatory vacations minimize risk by rotating employees among various systems or duties.

False

which of the following would NOT be considered in the scope of organizational compliance efforts?

laws

_____ is the measure of the effect that a breach of integrity or the disclosure of the information would have on the organization

sensitivity

The process of dividing a task into a series of uqniue activities performed by diferrent people, each of who is allowed to execute only one part of the overall task

separation of duties

the ____ to the organization, to the competitor, the cost of replacement or less, the _____ to the organizations reputation

value

Hajar is a network engineer. She is creating a system of access involving clearance and classification based on users and the objects they need in a secure network. She is restricting access to secure objects by users based on least privilege and which of the following?

Need to know

Janette is the director of her company's network infrastructure group. She is explaining to the business owners the advantages and disadvantages of outsourcing network security. One consideration she presents is the question of who would be responsible for the data, media, and infrastructure. What consideration is she describing?

Ownership

True or False? Policies that cover data management should cover transitions throughout the data's life cycle.

True

True or False? The Common Criteria is a set of system procurement standards used by several countries.

True

True or False? The idea that users should be granted only the levels of permissions they need to perform their duties is called the principle of least privilege.

True

True or false? configuration changes can be made at any time during a system life cycle and no process is required

false - all configuration changes occur only within a controlled process

True or False? Change control is the management of changes to the configuration of a system.

True

In an accreditation process, who has the authority to approve a system for implementation?

Authorizing official (AO)

True or False? Standards are mandated requirements for hardware and software solutions used to address security risk throughout an organization.

True

a type of social engineering that uses threats or harassment to bully another person for information

intimidation

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

separation of duties

_____ is a streamlined methos of meeting recurring needs for supplies if services, creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services

blanket purchase agreement