MIS 515


As organizations grow in size, they become more efficient with information security and its governance

False

Backup technology and the media used to store backups are reliable enough that periodic testing of backups is really unnecessary

False

Both public and private companies are responsible for Sarbanes-Oxley compliance.

False

Business Disruption is actually viewed as a higher external consequence cost of cybercrime than information loss.

False

By industry, the retail sector currently suffers the highest cost per data breach record.

False
Carpets are a nice addition to equipment rooms because they lower the noise levels.

False

Cloud sourcing and Crowdsourcing are the same thing.

False

Cloud sourcing is a term that applies solely to public cloud providers

False

Cloud sourcing is not good for quick deployment of resources

False

Confidentiality, integrity and availability apply only to the storage and transmission of data

False

Containment of a cybercrime incident is seen as the most costly activity for an organization

False

Corporate governance is only concerned with internal issues of the corporation

False

Corporate technology operations do not have supply chains

False

Corporations and government agencies are required to comply with FISMA requirements

False

Countries that invest in infrastructure and IT are more likely to be candidates for insourcing

False

IT governance is more about making and implementing decisions than who makes the decisions

False

If IT at higher education institutions is centralized, the number of necessary governance groups would drop significantly

False

In the European Union, when the European Council issues a Decision, it is considered directly applicable and "binding" to all Member States

False

Increased C-level support is considered the highest driving factor for improving information security posture.

False

Information Assurance is not concerned with provisions for restoration of information systems, only the protection of them.

False

Information Security is rarely at odds with Information Technology within a corporation and is the primary reason why it is often positioned under Information Technology

False

It is estimated that only 25% of the U.S. critical infrastructure is covered by the private sector.

False

It is not important that front-line help desk employees have security awareness. They can always route the call to one who does.

False

It is not possible to taint computer hardware technology

False

Large organizations tend to spend more, per capita, on security than smaller organizations

False

MLS provides for storing and processing of information with a single level of sensitivity

False
Mandatory Access Control gives users the flexibility to create policy and assign security attributes.

False

Most organizations are not required by law to take special precautions with personnel or customer information

False

Most organizations outsource their Information Security

False

Newly purchased systems must be sanitized before configuring and deploying.

False

Non-repudiation's goal is to provide disputable evidence that the source and the target of a process, transaction, or communication are validated and verified.

False

Most corporations allocate Information Security budgets as:

% of IT Budget

The inability to hire and retain expert staff is a significant problem in the area of Cybersecurity

True

The main difference between laws and ethics is that ethics does not carry the sanction of a governing authority

True

The majority of physical supply chain threats incidents have internal company connections

True

Two benefits of improved information security governance are increased strategic alignment with organizational goals and improved risk management

True

Vibration based sensors are not good on fences because they create many false positives.

True

The majority of data breaches are caused by outsiders or third parties.

True

Which of the following would not be considered an administrative function of operational security?

Upgrading the firmware of a network switch

Discretionary Access Control is managed centrally by a security policy administrator and users do not have the ability to override security settings.

False

Operational security staff generally never concern themselves with malfunctioning HVAC, lighting or cipher locks. These are viewed as facilities issues.

False

Outsource arrangements should produce a net benefit for the organization, but it is not possible to select one whose capabilities complement the organization's capabilities

False

Public Law regulates the relationship among individuals and among individuals and organizations and encompasses family law, commercial law, and labor law.

False

Recovery, Containment and Business Disruptions are representative of internal cost activities of an organization following a breach.

False

SSAE stands for Safeguarding Supply chains for Attestation Engagements

False

Scheduled and unscheduled downtime are not considered potential problems with availability from an information assurance perspective.

False

Security CPR refers to an emphasis on common algorithms, proactivity, and reactive perimeter controls

False

Security metrics and future planning are minimally affected by poor operations security

False

Social networking forums, like Facebook, do not represent problems for organizations so long as the employee does not engage in their usage while at work.

False

Sourcing is an old business concept of using temp agencies and is rarely done today

False

Space under raised floors can and should be used for power, data, cables, and important or applicable storage or magnetic tapes.

False

System and media declassification and downgrading is not an issue since there is little-to-no chance that someone might extract sensitive information from an old system or drive.

False

The Biba access control model defines protection focused on confidentiality of information, whereas the Bell-LaPadula access control model defines protection of information integrity.

False

The USA Patriot Act stands for the United States of America Protection Against Terrorist, Retaliation, Interception and Obstruction of Technology.

False

The concept of "least privilege" is only applied to new employees

False

The cyber attack known as Titan Rain was carried out in 2007 when Russia used cyber technology to cripple elements of Estonia's technology infrastructure

False
The definition of "personal information" is much more narrow in the European Union than it is in the United States.

False

The main feature of Advanced Persistent Threats (or APT) is the constant denial of service attacks they incur.

False

The most alarming trend in SCADA systems is the continued use of older control and collection systems based on DOS, VMS and UNIX.

False

Today's backup media is robust and does not require special environmental controls.

False

Under the EU "Cookie Law", providers are NOT generally required to secure viewers' consent prior to forming and storing an internet browser cookie.

False

Unethical behavior is best handled solely through deterrence consisting of education and policies without direct consequences.

False

Unethical behavior is best handled through deterrence consisting of education and policies.

False

If an employee, acting with or without authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable.

True

In the European Union, when the European Council issues a Regulation, it is considered directly applicable and "binding" to all Member States.

True

Information Assurance attempts to infuse greater accountability, training and awareness into information security practices.

True

Information Security budgets are often-times a percentage of the Information Technology budget.

True

Insourcing is generally considered the opposite of outsourcing

True

Integration of 3rd parties into internal networks and applications is seen as a growing organizational risk.

True

It is advisable to systematically start up a series of servers so as to avoid a high surge of current known as an in-rush current

True

Job rotation is a tool that requires every employee to be able to perform the work of at least one other employee

True

Low humidity in an area with electronic devices can cause static electricity which could damage components if discharged. Excessive humidity could cause corrosion.

True

Malicious code insertion into a software or firmware product is an example of tainting.

True

Many companies are still untrusting with the security of cloud service providers.

True

On a per record basis, indirect costs of a data breach incident are greater than direct costs.

True

Operational Security is focused more on the daily security tasks rather than actual evaluation of security metrics or security planning activities.

True

Owning a data center in a foreign land is an example of offshoring

True

PDD-63 was the first presidential directive to recognize critical infrastructure as both physical and cyber-based

True

Positive air flow pressurization keeps the air flowing outward from an area when doors are opened, so that unwanted air does not flow back into the area.

True

Power flow can be disrupted by electromagnetic and radio frequency emissions.

True

Private clouds can be hosted on premise or off premise.

True

Residual risk is the potential risk (or loss) that remains after threats and vulnerabilities are matched with controls to reduce risk.

True

Security awareness and security related issues should be reflected as a component of an employee's performance appraisal to raise their awareness and reflect the seriousness of security issues.

True

Security is all about the management and control of risk.

True

Separation of duties was an important part of early castle layered defense mechanisms.

True

Site accessibility is important with regards to the ability and expectations of assistance from law enforcement, ambulances, or fire truck response times.

True

Software can contain undocumented back door access.

True

Supply chains encompass the processes necessary to get a good or service from the supplier to the customer.

True

The Common Criteria is a framework by which users can specify security requirements and have vendors implement the requirements. The validation of a vendor meeting these requirements is derived after extensive testing and, if successful, certification.

True

The EU Data Retention legislation (Directive 2006/24/EC) is intended to help provide law enforcement and authorized investigative institutions with access to internet service provider logs and records.

True

The EU E-Privacy Directive 2002/58/EC deals only with public communication service providers.

True

Excessive humidity in an area with electronic devices can cause static electricity which could damage components if discharged.

False

Executive Order 13636 is primarily concerned with the creation of a situational awareness capability for only the cyber aspects of critical infrastructure.

False

What is a mantrap?

A double-door facility used for physical access control

Which of the following are valid reasons for an information security professional to possess a rudimentary grasp of IS-related laws?

All of the above (1. More effectively plan organizational security, 2. Help mitigate an organization's legal risks, 3. Assist in planning awareness training, 4. Help the organization avoid embarrassing security situations)

The Department of Homeland Security C3 program focuses on which of the following areas of critical infrastructure participants?

All of the above (Convergence, Connection, Coordination)

Which of the following presents constant challenges to the success of operational security?

All of the above (High level Support, Documented Procedures, Size of Security Staff, Degree of staff overlap)

Organizations must deal efficiently with which of the following Information Assurance issues

All of the above (IT and Security Governance, Disaster recovery, Compliance, Business Continuity)
Which of the following is not an item of importance for IS governance?

All of the above (Reduce liability, policy compliance, Optimize security resources, safeguard information)

Which of the following is NOT a step of the Department of Defense Information Assurance certification and Accreditation Process?

All of the above are steps of DIACAP: Security Process Initialization, Security certification, Security Accreditation, Monitoring

Which of the following is an example of the manifestation of the espionage threat in supply chains?

All of the above: (Alteration of software to allow unauthorized control, The use of intellectual property for monetary gain, The unauthorized duplication of a finished good)

Which of the following would be a surrounding area influence in site selection?

All of the above: (Crime rate, Proximity to medical or hospital facilities, Riots or terrorism, Potentially hazardous neighboring facilities)

Which of the following is not an element of concern for desktop configuration management?

All of the above: (Disk drive sanitization before redeployment, End user machine backup before sanitization, Ensuring the machine is installed with the correct software, Limiting administrative privileges)

Which of the following would not represent an event type that would indicate an incident is occurring?

All of the above: (Loss of integrity, Loss of availability, Loss of confidentiality, Violation of Law)

Which of the following is an important question to ask regarding infrastructure backups?

All of the above: (Where are the backups stored?, Who has access to the backups?, Who is responsible for the backups?, Are the backups procedures and schedules well documented?)

An equipment fan becomes clogged with dust and lint. Although the room is cool, the machine overheats internally and fails. What information assurance pillar is involved in the failure?

Availability

Which of the following information security characteristics MOST applies to SCADA systems?

Availability

For potential employees, it's generally a good idea to reflect security access information on job descriptions, in interviews and in site tours.

False

Which of the following are among the top 3 current spending priorities for organizations with regards to technology and security?

Application Security, Cloud Security, Data Security

When a company rents the use of an application to a customer, this is:

Application Service Provider

Which of the following is most representative of the INFOSEC process?

Assess, Plan, Implement, Monitor, Update

Which of the following is not a pillar of Information Assurance

Authorization

High security controls are designed to impede, detect, assess, and neutralize.

False

Match the governance style with its description:

Business Monarchy -- Executive leadership has decision rights
IT Monarchy -- IT executives have decision rights
Federal -- Rights shared by "C-level" executives and at least one other group
Feudal -- Unit leaders have decision rights locally
IT Duopoly -- IT executive and other business leaders share rights
Anarchy -- Individual process owners have decision rights

An outsourced customer call center is an example of which type of outsourcing?

Business Process

Hiring qualified information security personnel is not a major concern of organizations since there is an abundance of those possessing the skill sets.

False

Which of the following directives was instrumental in instructing all Federal Agencies to fund, develop and implement information Assurance training and awareness?

CNSS Directive 500

Which of the following most accurately depicts the traditional government path to INFOSEC?

COMSEC+COMPUSEC+TEMPEST=INFOSEC

In theory, which of the following acquisition types offers lower cost and quicker deployment YET offers the least control and higher risk of potential vulnerabilities?

COTS

Which of the following is not a drawback of intrusion detection and monitoring systems?

Cannot be penetrated

Which of the following would not be a possible incident indicator?

Changes to logs; Log changes are an example of a definite indicator

Which of the following would NOT be consistent with a computer being incidental to a crime?

Computer was used to attack another computer

From the Policy Pyramid, correctly match the entities with the things they create.

Congress -- Public Law
Executive -- Federal Government Policy
Government Agencies -- Guidelines, Publications, and Standards
Department of Defense -- Military/Defense Policy and Directives
Army, Navy, USMC, AF -- Agency-specific Policy and Directives

Which of the following would not be considered a cybercrime category as discussed in this module?

Criminal activities against animals

Human error accounts for the majority of data breach causes.

False

Which of the following would not be considered a crime targeting a computer device or network?

Cyber stalking

According to the Ponemon, Web-based attacks are by far the most costly attack type.

False

All unethical behavior is conducted with intent.

False

Match the following designations with their descriptions

Definers -- Provide policies, guidelines, and standards
Builders -- Provide and install the technical solutions
Operators -- Provide operational and monitoring support

Which of the following represent the highest internal cost activity of a breach?

Discovery, Containment

How does Halon suppress a fire?

Disrupts the chemical reaction of a fire

Which of the following is intended to provide individuals' protection and privacy when personal information is collected and held by Member State institutions?

EU Regulation 45/2001

A computer is the object of a crime when it is used to conduct online gambling

False

A system high security mode is more restrictive than a dedicated security mode

False

Vendors or maintenance contractors can always be trusted since they are under contractual obligation. Accounts set up for vendor diagnostic access should remain open so the vendor can assist, at any time, with problems.

False

While malicious insider abuse may happen with great frequency, the cost borne by an organization for such cybercrime is relatively low.

False

Without a question, the larger the organization, the larger the percentage of revenues allocated to the IT budget.

False

Which is not an example of a digital operational supply chain?

FedEx delivery service

Which of the following is NOT true regarding NSDD 145?

First large-scale national security policy enacted by Congress.

Match the statements with the corresponding laws:

Identity Theft Enforcement and Resolution Act -- Considers threats to steal information as a crime
USA Patriot Act -- Laundering actions to defend against terrorism
Computer Security Act -- Required mandatory security awareness training at the federal level
Federal Information Security Management Act -- Requires government agencies to assess the information security risks of their computer systems
Computer Fraud and Abuse Act -- Considers unauthorized access to national security data as a crime

Which of the following is not a recommended secure way to dispose of the disk drives?

Format the disk drive prior to disposal or redeployment

Match the following legislation with the description:

Freedom of Information Act -- Allows citizens to see what personal information government agencies are maintaining on them
Electronic Communications Privacy Act -- Regulates unauthorized interception of electronic and oral communications
Federal Privacy Act -- Regulates government's use of private information
U.S. Copyright Law -- Protects intellectual property

Match the instrument with its description:

G8 Points of Contact -- Attempts to provide 24x7 POCs to assist in cyber crime issues
Security Freedom through Encryption Act -- Prohibits federal government from requiring the use of encryption on official documents
Letter Rogatory -- A diplomatic letter of request for assistance to another country
Mutual Legal Assistance Treaty -- Bilateral treaties that establish crime investigation cooperation
Digital Millennium Copyright Act -- Attempts to protect private or trademark information internationally

Which of the following types of software acquisitions typically involve the development, by a technical staff, from a government agency?

GOTS
Which of the following industries has the highest customer churn rate caused by data breaches?

Health

Which of the following is NOT true regarding the Gramm-Leach-Bliley Act?

Holds organization CEO's personally responsible

Which of the following is a coordinated effort, between government and private sector, to establish a knowledge base for information sharing related to critical concerns

INFRAGARD

Which of the following is not a reason why IT governance is important?

IT value is all about technology

The Help desk and customer support function should be tied closely to which of the following?

Incident Response Plans

Which of the following best describes a closed-loop HVAC system?

Inside air is re-circulated and re-filtered constantly to keep outside air contaminants out as much as possible.

If an access control has a fail-safe characteristic but not a fail-safe characteristic, what does it mean?

It defaults to being unlocked

Which of the following is the most pressing problem with FISMA?

It is a trailing indicator and not a leading indicator and thus does not help with real-time security issues

Which of the following would be considered a breach of integrity?

John used SQL Injection techniques to change values in the database

Why is it important to clean keypad based locks from a security perspective?

Keeps intruders from discovering code patterns

Which of the following is NOT a human factor of concern to information security professionals?

Lack of business knowledgeable leadership

What overarching concept does the castle example provide with regards to information security?

Layered defenses

Which of the following security modes of operation requires a minimum clearance level of not-cleared and a maximum data classification level of unclassified but sensitive?

Limited

Which of the following is not a claim of Cloud sourcing?

Moderate availability

Which of the following are applicable to a hostile departure for a terminated employee?

Obtain all keys, key cards, and other organizational assets before the individual leaves the premises
Terminate or disable access codes and logins prior to giving the employee termination notice
Inventory and monitor access logs surrounding the termination time
Conduct an exit interview with the employee

FISMA requires Federal government agencies to provide security protection proportionate to the risk

True

Match the following regarding the 6 P's of information security

People -- SETA
Programs -- Entities managed in Information Security domain
Protection -- Risk assessment
Project management -- Resource control
Planning -- Support, design, create and implement
Policy -- Behavior guidelines

Which of the following fire suppression systems is more appropriate for use in a data center?

Pre-Action sprinkler systems

Which of the following is not an information security spending priority area?

Projection

Which of the following are true with respect to HIPAA?

Protects the confidentiality of health care data, Establishes standards for electronic interchange and handling of health care data, Requires organizations to conduct comprehensive assessments of information protection mechanisms.

Which of the following is not a goal of IS governance

Provide specific security equipment purchase information

Which of the following is NOT true regarding the Computer Fraud and Abuse Act of 1986?

Provided roving surveillance authority

Which of the following is not a specific requirement of FISMA as covered in this module?

Required to coordinate all security activity with the Department of Defense

Which of the following laws deal mostly with financial reporting and disclosure concerns?

Sarbanes-Oxley Act and Gramm-Leach-Bliley Act

For contract employees, service level agreements or contracts should explicitly address issues of visit or cancellation notice as well as any background checks required.

True

Which of the following is not true of SaaS, Cloud Computing, and outsourcing?

Since the function is outsourced, the security issues are not important.

HSPD-7 instructed government sector agencies to reach out to the private sector for help with critical infrastructure security issues.

True

Match the suppression method with how it works:

Soda, acid -- Removes fuel from fire
Gas, halon or substitute -- Interferes with chemical reaction of elements of fire
CO2 -- Removes oxygen from fire
Water -- Reduces temperature of fire

Which of the following is not true regarding National Security Presidential Directive 54?

Supersedes OMB Circular A-130

SCADA stands for:

Supervisory Control and Data Acquisition

Which of the following are safeguards mentioned in the CNSS Security Model (also known as the McCumber model)?

Technology, Policy, Education

What three fundamental high-level countermeasures of Defense in depth are all people-centric?

Technology, operation, and people

Which of the following would not be a determining factor in the design of a company's physical security program?

The value of real-estate prices in the surrounding areas

From a security perspective, Call Tracking or incident tracking systems are important because:

They keep the user apprised of the status and measures taken to resolve a problem

Hidden supply chains are those that exist behind a supplier that are not readily visible or obvious.

True

Which of the following would not be an important metric for measuring an organization's physical security risk?

Total number of times facilities was notified of burnt out lights.

A company outsourced a call center function but later brought it back in-house. This is an example of back sourcing.

True

A computer is the object of a crime if its integrity, confidentiality or availability is affected by a criminal activity.

True

A concern with outsourced arrangements is that you can never be absolutely sure that they are managing their business according to best practices or even maintaining good security.

True

Access to restricted areas should be designed so that they are not easy to enter and are not obvious.

True

An electrical ground acts as a conduit for any excess current on a power line and helps ensure that devices are not negatively affected by a spike in electrical current.

True

An incident candidate is an event that is a possible security incident and is identified through a process of incident classification.

True

Approximately 80% of all spam mail is generated by botnets.

True

Background checks should be conducted before extending an offer to a potential employee, regardless of the job level.

True

Backup tapes and media should be located in a separate area apart from normal IT operations

True

Buffer overflow attacks are the most targeted attack method for SCADA systems

True

CCTVs are best used in conjunction with other monitoring and intrusion alert methods.

True

Convergence is a results-oriented effort of cooperation between previously disjointed security functions

True

Convergence trends advocate creation of a single point of contact responsible for security issues. This is typically a CSO.

True

Critical Infrastructures are the technical structures, physical and cyber, that support a society

True

Executive Order 13231 superseded NSDD 145 and was responsible for the creation of the President's Critical Infrastructure Protection Board as well as the formalization of CNSS.

True

The cost and value of lost or stolen information represents the highest consequence cost for most organizations.

True

Which of the following would be a type of backup performed by the operations infrastructure support function?

User desktop backups

When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?

When electrical equipment is on fire

Which best describes the act of bringing IT services back in-house?

back sourcing

Which of the following word combinations best describes IT governance?

decision rights, accountability, behavior

Producing a counterfeit product that is intended to fail and produce delays or irrecoverable events is an example of:

disruption

The European Union organization which provides information security guidance to Member States is:

ENISA

What is the first step in identifying complex supply chain risks?

identify ecosystems

Which of the following is not a main component of CPTED?

target hardening