Mgt. of Information Security - FINAL
In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT: - the governance group - the corporate change control officer - the RM framework team - the RM process team during implementation
- the corporate change control officer
To maintain optimal performance, one typical recommendation suggests that when the memory usage associated with a particular CPU-based system averages __________% or more over prolonged periods, you should consider adding more memory. - 40 - 60 - 10 - 100
60
A primary mailing list for new vulnerabilities, called simply __________, provides time-sensitive coverage of emerging vulnerabilities, documenting how they are exploited and reporting on how to remediate them. Individuals can register for the flagship mailing list or any one of the entire family of its mailing lists. - Bugs - Bugfix - Buglist - Bugtraq
Bugtraq
The Information Security __________ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization. - Governance Framework - Security Blueprint - Risk Model - Compliance Architecture
Governance Framework
The COSO framework is built on five interrelated components. Which of the following is NOT one of them? - control environment - risk assessment - control activities - InfoSec governance
InfoSec governance
Which of the following is true about a hot site? - It is an empty room with standard heating, air conditioning, and electrical service. - It includes computing equipment and peripherals with servers but not client workstations. - It duplicates computing resources, peripherals, phone systems, applications, and workstations. - All communications services must be installed after the site is occupied.
It duplicates computing resources, peripherals, phone systems, applications, and workstations.
When the ISO 27002 standard was first proposed, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them? - It was not as complete as other frameworks. - The standard lacked the measurement precision associated with a technical standard. - The standard was hurriedly prepared. - It was feared it would lead to government intrusion into business matters.
It was feared it would lead to government intrusion into business matters.
__________ is used to respond to network change requests and network architectural design proposals. - Network connectivity RA - Dialed modem RA - Application RA - Vulnerability RA
Network connectivity RA
The __________ commercial site focuses on current security tool resources. - Nmap-hackerz - Packet Storm - Security Laser - Snort-SIGs
Packet Storm
__________, a level beyond vulnerability testing, is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker). - Penetration simulation - Attack testing - Penetration testing - Attack simulation
Penetration testing
__________ allows for major security control components to be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate. - System review - Project review - Program review - Application review
Program review
If a temporary worker (temp) violates a policy or causes a problem, what is the strongest action that the host organization can usually take, depending on the SLA? - Nothing, the organization has no control over temps. - Terminate the relationship with the individual and request that he or she be censured. - Fine the temp or force the temp to take unpaid leave, like permanent employees. - Sue the temp agency for cause, demanding reparations for the actions of the temp.
Terminate the relationship with the individual and request that he or she be censured.
Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT: - The organization's governance structure - The organization's culture - The maturity of the organization's information security program - The threat environment—threats, known vulnerabilities, attack vectors
The threat environment—threats, known vulnerabilities, attack vectors
Which of the following is NOT one of the methods noted for selecting the best risk management model? - Use the methodology most similar to what is currently in use. - Study known approaches and adapt one to the specifics of the organization. - Hire a consulting firm to provide a proprietary model. - Hire a consulting firm to develop a proprietary model.
Use the methodology most similar to what is currently in use.
Which of the following is NOT a question a CISO should be prepared to answer before beginning the process of designing, collecting, and using performance measurements, according to Kovacich? - Why should these measurements be collected? - Where will these measurements be collected? - What effect will measurement collection have on efficiency? - Who will collect these measurements?
What effect will measurement collection have on efficiency?
All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT: - When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. - When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. - When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls. - When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.
__________ penetration testing is usually used when a specific system or network segment is suspect and the organization wants the pen tester to focus on a particular aspect of the target. - Black box - White box - Green box - Grey box
White box
You are doing amazing!
You got this
Treating risk begins with which of the following? - applying controls and safeguards that eliminate risk - an understanding of risk treatment strategies - understanding the consequences of choosing to ignore certain risks - rethinking how services are offered
an understanding of risk treatment strategies
Which of the following is not a step in the FAIR risk management framework? - identify scenario components - evaluate loss event frequency - assess control impact - derive and articulate risk
assess control impact
The process of assigning financial value or worth to each information asset is known as __________. - probability estimate - cost estimation - risk acceptance premium - asset valuation
asset valuation
Which of the following activities is part of the risk identification process? - determining the likelihood that vulnerable systems will be attacked by specific threats - calculating the severity of risks to which assets are exposed in their current setting - assigning a value to each information asset - documenting and reporting the findings of risk analysis
assigning a value to each information asset
When hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level? - new hire orientation - covert surveillance - organizational tour - background check
background check
To evaluate the performance of a security system, administrators must establish system performance __________. - profiles - baselines - maxima - means
baselines
Which of the following activities is part of the risk evaluation process? - creating an inventory of information assets - classifying and organizing information assets into meaningful groups - assigning a value to each information asset - calculating the severity of risks to which assets are exposed in their current setting
calculating the severity of risks to which assets are exposed in their current setting
An ATM that limits what kinds of transactions a user can perform is an example of which type of access control? - content-dependent - constrained user interface - temporal isolation - nondiscretionary
constrained user interface
The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster are known as __________. - risk management - contingency planning - business impact - disaster readiness
contingency planning
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________. - probability estimate - cost avoidance - risk assessment premium - asset valuation
cost avoidance
What is the result of subtracting the postcontrol annualized loss expectancy and the annualized cost of the safeguard from the precontrol annualized loss expectancy? - cost-benefit analysis - exposure factor - single loss expectancy - annualized rate of occurrence
cost-benefit analysis
Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________. - create a subjective ranking based on anticipated recovery costs - estimate cost from past experience - leave the value empty until later in the process
create a subjective ranking based on anticipated recovery costs
Application of training and education among other approach elements is a common method of which risk treatment strategy? - mitigation - defense - acceptance - transferral
defense
The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? - determined the level of risk posed to the information asset - performed a thorough cost-benefit analysis - determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset - assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
Which control category discourages an incipient incident, e.g., video monitoring? - preventative - deterrent - remitting - compensating
deterrent
One approach that can improve the situational awareness of the information security function is to use a process known as __________ to quickly identify changes to the internal environment. - baselining - difference analysis - differentials - revision
difference analysis
Strategies to reestablish operations at the primary site after an adverse event threatens continuity of business operations are covered by which of the following plans in the mitigation control approach? - incident response plan - business continuity plan - disaster recovery plan - damage control plan
disaster recovery plan
What do you call the legal requirements that an organization must adopt a standard based on what a prudent organization should do, and then maintain that standard? - certification and accreditation - best practices - due care and due diligence - baselining and benchmarking
due care and due diligence
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________. - rubbish surfing - social engineering - dumpster diving - trash trolling
dumpster diving
One of the fundamental challenges in InfoSec performance measurement is defining what? - interested stakeholders - effective security - appropriate performance measures - the proper assessment schedule
effective security
The Microsoft Risk Management Approach includes four phases; which of the following is NOT one of them? - conducting decision support - implementing controls - evaluating alternative strategies - measuring program effectiveness
evaluating alternative strategies
Each of the following is a recommendation from the FDIC when creating a successful SLA EXCEPT: - determining objectives - forecasting costs - defining requirements - setting measurements
forecasting costs
Which of the following is NOT a task that must be performed if an employee is terminated? - former employee must return all media - former employee's home computer must be audited - former employee's office computer must be secured - former employee should be escorted from the premises
former employee's home computer must be audited
In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________. - blueprint - security plan - security standard - framework
framework
Which of the following is a generic model for a security program? - framework - methodology - security standard - blueprint
framework
Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs. - governance - policy - auditing - awareness
governance
Which of the following is NOT a factor critical to the success of an information security performance program? - strong upper-level management support - high level of employee buy-in - quantifiable performance measurements - results-oriented measurement analysis
high level of employee buy-in
The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them? - development and selection of qualified personnel to gauge the implementation, effectiveness, efficiency, and impact of the security controls - identification and definition of the current InfoSec program - maintenance of the vulnerability management program - comparison of organizational practices against similar organizations
identification and definition of the current InfoSec program
Which of the following is a part of the incident recovery process? - identifying the vulnerabilities that allowed the incident to occur and spread - determining the event's impact on normal business operations and, if necessary, making a disaster declaration - supporting personnel and their loved ones during the crisis - keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
identifying the vulnerabilities that allowed the incident to occur and spread
The benefits of ISO certification to organizations include all of the following EXCEPT: - increased opportunities for government contracts - reduced costs associated with incidents - smoother operations resulting from more clearly defined processes and responsibilities - improved public image of the organization, as certification implies increased trustworthiness
increased opportunities for government contracts
The __________ Web site is home to the leading free network exploration tool, Nmap. - Snort-sigs - Packet Storm - Security Focus - insecure.org
insecure.org
Detailed __________ on the highest risk warnings can include identifying which vendor updates apply to which vulnerabilities as well as which types of defenses have been found to work against the specific vulnerabilities reported. - escalation - intelligence - monitoring - elimination
intelligence
Which of the following is a responsibility of the crisis management team? - restoring the data from backups - evaluating monitoring capabilities - keeping the public informed about the event and the actions being taken - restoring the services and processes in use
keeping the public informed about the event and the actions being taken
The organization can perform risk determination using certain risk elements, including all but which of the following? - legacy cost of recovery - impact (consequence) - likelihood of threat event (attack) - element of uncertainty
legacy cost of recovery
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence? - baselining - legal liability - competitive disadvantage - certification revocation
legal liability
Which of the following is not a role of managers within the communities of interest in controlling risk? - general management must structure the IT and InfoSec functions - IT management must serve the IT needs of the broader organization - legal management must develop corporate-wide standards - InfoSec management must lead the way with skill, professionalism, and flexibility
legal management must develop corporate-wide standards
The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________. - managing the development and operation of IT infrastructures - operation of IT control systems to improve security - managing the security infrastructure - developing secure Web applications
managing the development and operation of IT infrastructures
The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption, including all impact considerations, is known as __________. - maximum tolerable downtime (MTD) - recovery point objective (RPO) - work recovery time (WRT) - recovery time objective (RTO)
maximum tolerable downtime (MTD)
Which of the following is NOT a category of access control? - preventative - mitigating - deterrent - compensating
mitigating
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk? - analysis and adjustment - review and reapplication - monitoring and measurement - evaluation and funding
monitoring and measurement
Which access control principle limits a user's access to the specific information required to perform the currently assigned task? - need-to-know - eyes only - least privilege - separation of duties
need-to-know
Which of the following determines how well the proposed InfoSec treatment alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization? - organizational feasibility - political feasibility - technical feasibility - behavioral feasibility
organizational feasibility
The Hartford insurance company estimates that, on average, __________ businesses that don't have a disaster plan go out of business after a major loss like a fire, a break-in, or a storm. - over 40% of - at least 60% of - about 20% of - 2% of
over 40% of
Control __________ baselines are established for network traffic and for firewall performance and IDPS performance. - system - application - performance - environment
performance
Employees pay close attention to job __________, and including InfoSec tasks in them will motivate employees to take more care when performing these tasks. - performance evaluations - descriptions - quarterly reports - vacation requests
performance evaluations
Contingency planning is primarily focused on developing __________. - policies for normal operation - plans for normal operations - policies for breach notifications - plans for unexpected adverse events
plans for unexpected adverse events
Which of the following is an organizational CP philosophy for overall approach to contingency planning reactions? - protect and forget - pre-action review - transfer to local/state/federal law enforcement - track, hack and prosecute
protect and forget
What is the final step in the risk identification process? - assessing values for information assets - classifying and categorizing assets - identifying and inventorying assets - ranking assets in order of importance
ranking assets in order of importance
Which of the following refers to the backup of data to an off-site facility in close to real time based on transactions as they occur? - remote journaling - electronic vaulting - database shadowing - timesharing
remote journaling
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? - residual risk - risk appetite - risk assurance - risk termination
risk appetite
The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts. - enterprise information security policy - risk control implementation policy - risk management board directive - risk management policy
risk management policy
__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty. - information asset value weighted table analysis - risk ranking worksheet - threat severity weighted table analysis - TVA controls worksheet
risk ranking worksheet
Which of the following is NOT a consideration when selecting recommended best practices? - threat environment is similar - resource expenditures are practical - organization structure is similar - same certification and accreditation agency or standard
same certification and accreditation agency or standard
A step commonly used for Internet vulnerability assessment includes __________, which occurs when the penetration test engine is unleashed at the scheduled time using the planned target list and test selection. - targeting - scanning - delegation - subrogation
scanning
Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle? - discretionary access controls - task-based access controls - security clearances - sensitivity levels
security clearances
What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them? - need to know - eyes only - least privilege - separation of duties
separation of duties
In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred? - desk check - simulation - structured walk-through - parallel testing
simulation
Which of the following is NOT among the three types of authentication mechanisms? - something a person knows - something a person has - something a person says - something a person can produce
something a person says
Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team? - ensuring compliance with all legal and regulatory statutes and mandates - guiding the development of, and formally approving, the RM policy - recommending performance measures for the RM effort and ensuring that they are compatible with other performance measures in the organization - specifying who will supervise and perform the RM process
specifying who will supervise and perform the RM process
The steps in IR are designed to: - stop the incident, mitigate incident effects, provide information for recovery from the incident - control legal exposure, avoid unfavorable media attention, and minimize impact on stock prices - delay the incident progress, backtrack the attack to its source IP, and apprehend the intruder - stop the incident, inventory affected systems, and determine appropriate losses for insurance settlement
stop the incident, mitigate incident effects, provide information for recovery from the incident
A time-release safe is an example of which type of access control? - content-dependent - constrained user interface - temporal isolation - nondiscretionary
temporal isolation
Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT: - the organization's governance structure - the legal/regulatory/compliance environment—laws, regulations, industry standards - the business environment—customers, suppliers, competitors - the threat environment—threats, known vulnerabilities, attack vectors
the organization's governance structure
NIST recommends the documentation of performance measurements in a standardized format to ensure ____________. - the suitability of performance measure selection - the effectiveness of performance measure corporate reporting - the repeatability of measurement development, customization, collection, and reporting activities - the acceptability of the performance measurement program by upper management
the repeatability of measurement development, customization, collection, and reporting activities
Which of the following is NOT a major component of contingency planning? - disaster recovery - business continuity - incident response - threat assessment
threat assessment
The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization. - information asset value weighted table analysis - risk ranking worksheet - threat severity weighted table analysis - TVA controls worksheet
threat severity weighted table analysis
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? - risk exposure report - threats-vulnerabilities-assets worksheet - costs-risks-prevention database - threat assessment catalog
threats-vulnerabilities-assets worksheet
A process called __________ examines the traffic that flows through a system and its associated devices to identify the most frequently used devices. - difference analysis - traffic analysis - schema analysis - data flow assessment
traffic analysis
Which of the following policies requires that two individuals review and approve each other's work before the task is considered complete? - task rotation - two person control - separation of duties - job rotation
two person control
The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________. - impact - likelihood - uncertainty - tolerance
uncertainty
Which of the following is a "possible" indicator of an actual incident, according to Donald Pipkin? - activities at unexpected times - unusual consumption of computing resources - presence of hacker tools - reported attacks
unusual consumption of computing resources
Which of the following is a definite indicator of an actual incident, according to Donald Pipkin? - unusual system crashes - reported attack - presence of new accounts - use of dormant accounts
use of dormant accounts
A useful tool for resolving the issue of what business function is the most critical, based on criteria selected by the organization, is the __________. - weighted table analysis or weighted factor analysis - threats-vulnerability-assets worksheet or TVA - business impact assessment or BIA - critical patch method assessment or CPMA
weighted table analysis or weighted factor analysis
The __________ vulnerability assessment is designed to find and document vulnerabilities that may be present in the organization's wireless local area networks. - phone-in - wireless - battle-dialling - network
wireless