Management of Information Security (Ch. 5-6)

¡Supera tus tareas y exámenes ahora con Quizwiz!

Each organization has to determine its own project management methodology for IT and information security projects.

True

Planners need to estimate the effort required to complete each task, sub-task, or action step.

True

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

Classification categories must be mutually exclusive and which of the following?

Comprehensive

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme.

False

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection.

False

The information technology management community of interest often takes on the leadership role in addressing risk.​

False

Threats from insiders are more likely in a small organization than in a large one.

False

Which of the following is an attribute of a network device is physically tied to the network interface?

MAC address

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

Relative value

Which of the following is a disadvantage of the one-on-one training method?

Resource intensive, to the point of being inefficient

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

Risk Assessment

The identification and assessment of levels of risk in an organization describes which of the following?

Risk analysis

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.

Risk assessment estimate factors

The ____________________ program is designed to reduce the occurrence of accidental security breaches by members of the organization.

SETA

A task or sub-task becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable.

True

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

likelihood

Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

management

GGG security is commonly used to describe which aspect of security?

physical

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

planning

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

relative

Which of the following is an advantage of the user support group form of training?

Usually conducted in an informal social setting

What is defined as specific avenues that threat agents can exploit to attack an information asset?

Vulnerabilities

An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems.

assessment

Project ____________________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan.

scope

A SETA program consists of three elements: security education, security training, and which of the following?

security awareness

Which of the following is the most cost-effective method for disseminating security information and news to employees?

security newsletter

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

table analysis

Advanced technical training can be selected or developed based on which of the following?

technology product

The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.

technology product

Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

they have larger information security needs than a small organization

What is the final step in the risk identification process?

Listing assets in order of importance

Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

A security technician

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Calculating the severity of risks to which assets are exposed in their current setting

Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?

Cost of prevention

​An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment.

False

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

IP address

Which of the following is an advantage of the formal class method of training?

Interaction with trainer is possible

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

Legal management must develop corporate-wide standards

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Manufacturer's model or part number

Which of the following variables is the most influential in determining how to structure an information security program?

Organizational culture

Which of the following is an example of a technological obsolescence threat?

Outdated servers

Which of the following attributes does NOT apply to software information assets?

Product dimensions

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Threats-vulnerabilities-assets worksheet

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

Uncertainty

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.

consultant

Which of the following is true about a company's InfoSec awareness Web site?

it should be tested with multiple browsers

____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.

projectitis

What is the SETA program designed to do?

reduce the occurrence of accidental security breaches


Conjuntos de estudio relacionados

Phantom Questions CH. 22-Epilogue

View Set

Representation Key Terms and Definitions

View Set

AP Psychology: Sensation and Perception

View Set

Section 2: Land, Real Property, Real Estate

View Set

Entrepreneurial problem solving chapter 3

View Set