midterm


__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. a. Governance b. Controlling c. Leading d. Strategy

a. Governance

According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy? a. confidentiality b. availability c. integrity d. accountability

a. confidentiality

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. a. data owners b. data custodians c. data users d. data generators

a. data owners

The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. a. investigation b. analysis c. implementation d. justification

a. investigation

Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT: a. its personnel structure b. its desired outcomes c. its priorities d. its intent

a. its personnel structure

The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics? a. market b. budget c. size d. culture

a. market

The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts. a. risk management policy b. enterprise information security policy c. risk control implementation policy d. risk management board directive

a. risk management policy

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________. a. threat b. attack c. exploit d. vulnerability

a. threat

- governance

all the activities, methods, and practices that provide strategic direction, objectives, and accountability for info sec; everything we do to manage compliance/good security; most effective when led by senior management

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted factor ___ worksheet.

analysis table

An organization carries out a risk ___ function to evaluate risks present in IT initiatives and/or systems.

assessment

ISACA is a professional association with a focus on ___, control, and security.

auditing

- CIA triad components

availability, integrity, confidentiality

Which law extends protection to intellectual property, which includes words published in electronic formats? a. Freedom of Information Act b. U.S. Copyright Law c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act

b. U.S. Copyright Law

A process that defines what the user is permitted to do is known as __________. a. identification b. authorization c. accountability d. authentication

b. authorization

The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge b. by adding barriers c. by developing skills d. by improving awareness

b. by adding barriers

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? a. policy administration b. due diligence c. adequate security measures d. certification and accreditation

b. due diligence

Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. planning b. policy c. programs d. people

b. policy

An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as __________. a. crypto locking b. ransomware c. jailbreaking d. spam

b. ransomware

Human error or failure often can be prevented with training and awareness programs, policy, and __________. a. outsourcing b. technical controls c. hugs d. ISO 27000

b. technical controls

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? a. risk exposure report b. threats-vulnerabilities-assets worksheet c. costs-risks-prevention database d. threat assessment catalog

b. threats-vulnerabilities-assets worksheet

One form of e-mail attack that is also a DoS attack is called a mail ___, in which an attacker overwhelms the receiver with excessive quantities of e-mail.

bomb

Which law addresses privacy and security concerns associated with the electronic transmission of PHI? a. USA PATRIOT Act of 2001 b. American Recovery and Reinvestment Act c. Health Information Technology for Economic and Clinical Health Act d. National Information Infrastructure Protection Act of 1996

c. Health Information Technology for Economic and Clinical Health Act

org focused on ethics

- SANS

What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication

c. accountability

There are a number of methods for customizing training for users; two of the most common involve customizing by __________ and by __________. a. skill level; employee rank b. department; seniority c. functional background; skill level d. educational level; organizational need

c. functional background; skill level

Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. tort b. criminal c. private d. public

c. private

The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization. a. information asset value weighted table analysis b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet

c. threat severity weighted table analysis

Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process c. utilizing the technical expertise of the individual administrators d. coordinated planning from upper management

c. utilizing the technical expertise of the individual administrators

- Tort

civil matter; when there is personal/financial injury

- Difference between civil & criminal law;

civil = resolves disputes between "individuals"; criminal = maintains social order

Some information gathering techniques are quite legal—for example, using a Web browser to perform market research. These legal techniques are called, collectively

competitive intelligence

The process of integrating the governance of physical security and information security efforts is known in the industry as

convergence

- 3 kinds of public law

criminal, civil (broken into administrative and constitutional law)

- Computer Fraud and Abuse Act of 1986

first federal attempt to regulate how computers/networks could be used in a lawful way

Which of the following should be included in an InfoSec governance program? a. An InfoSec maintenance methodology b. An InfoSec risk management methodology c. An InfoSec project management assessment d. All of these are components of the InfoSec governance program.

d. All of these are components of the InfoSec governance program.

Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? a. U.S. Copyright Law b. PCI DSS c. European Council Cybercrime Convention d. DMCA

d. DMCA

- which org is the oldest

ACM (Association for Computing Machinery)

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system? a. The Telecommunications Deregulation and Competition Act b. National Information Infrastructure Protection Act c. Computer Fraud and Abuse Act d. The Computer Security Act

d. The Computer Security Act

Access control lists regulate who, what, when, where, and why authorized users can access a system.

F

The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.

F

Threats from insiders are more likely in a small organization than in a large one.

F

Which of the following activities is part of the risk evaluation process? a. creating an inventory of information assets b. classifying and organizing information assets into meaningful groups c. assigning a value to each information asset d. calculating the severity of risks to which assets are exposed in their current setting

d. calculating the severity of risks to which assets are exposed in their current setting

The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. a. investigation b. analysis c. implementation d. design

d. design

Which phase of the SDLC should see clear articulation of goals? a. design b. analysis c. implementation d. investigation

d. investigation

Which level of planning breaks down each applicable strategic goal into a series of incremental objectives? a. strategic b. operational c. organizational d. tactical

d. tactical

In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it? a. spiral b. evolutionary prototyping c. agile d. waterfall

d. waterfall

A(n)___ law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information

data breach

- best way to stop bad things from happening

deterrence

The evaluation and reaction to risk to the entire organization is known as ___

enterprise risk management (ERM).

The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as

ethics

Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex.

f

Legal assessment for the implementation of the information security program is almost always done by the information security or IT department.

f

MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.

f

The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks.

f

Using complex project management tools may result in a complication where the project manager creates project diagrams with insufficient detail for the implementation of the project.

f

- 1997 law about encryption

Freedom through Encryption Act; made lawful the ability to encrypt communication

- 1999 law that governs who can see what info in banks

Gramm-Leach (Gramm-Leach-Bliley)

- 3 communities of org

info sec people, IT guys, end users

Risk ___ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

management

Establishing performance measures and creating project ___ simplifies project monitoring.

milestones

Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.

morals/ cultural norms

- CNSS Model

more granular view of the CIA triad; 24 topics/areas of interest

- Kennedy-Kassebaum Act

ordered HIPAA to be made/enforced

A ___ is simply a manager's or other governing body's statement of intent regarding employee behavior with respect to the workplace.

policy

The champion and manager of the information security policy is called the ___

policy administrator.

- info sec

protection of any system that processes, stores, transmits, etc. information

- Privacy

right of an individual's info to be free from unauthorized use

The ___ program is designed to reduce the occurrence of accidental security breaches by members of the organization.

security education, training, and awareness (SETA)

- stakeholders

someone who can suffer a loss as the result of an org's action; not necessarily an owner

- Three levels of planning-- highest

strategic; comes from upper management to plan the organization's future; pretty general/not specific

Shoulder ___ is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance.

surfing

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

t

Small organizations spend more per user on security than medium- and large-sized organizations.

t

- Three levels of planning-- 2nd highest

tactical; 1-3 year planning; the more specific breakdown of the strategic plan

The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as risk

tolerance

A(n) __________ is a potential weakness in an asset or its defensive control(s).

vulnerability

- DoS vs DDoS

• DoS = denial of service; overwhelms a system to keep it from doing anything productive; easier to defend against than DDoS
• DDoS = coordinated attack from many locations

- 3 types of infosec policy

• EISP - enterprise; highest level
• ISSP - issue-specific
• SysSP - system-specific; most technical, like "configure the firewall in this way"

- Objectives (steps) of infosec sdlc

• Investigation
• Analysis
• Logical design & physical design
• Implementation
• Maintenance

identification vs authorization vs authentication

• identification - how we know who you are; passwords
• authorization - not a technical step; it's a management/control activity granting an individual certain access within a system
• authentication - where ID and authorization come together; matches identification with your authorization privileges

- Three levels of planning-- lowest

• lowest = operational; day to day, short term (like a few months), very focused and objective; done by first-level managers

- value, vision, and mission

• mission = what the org does and who it does it for; most explicit
• vision = idealistic expression of what the org wants to become
• value = core values of the company

- 3 guidelines for sound policy

• relevant; contributes to the success of the org
• comprehensive sharing of responsibility
• policy making should be inclusive

___ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.

Projectitis
