Software Security Ch4

________often function as standards or procedures to be used when configuring or maintaining systems.

SysSPs

[___________]-specific security policies often function as standards or procedures to be used when configuring or maintaining systems.

Systems

[_____________] controls are information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets.

Technical

When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?

The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.

accidental

It is good practice, however, for policy [___________] to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when making revisions to security policies.

administrator

A(n) [__________] is a detailed examination of the events that occurred from first detection to final recovery.

after-action review (AAR)

A(n) _________ is a document containing contact information for the people to be notified in the event of an incident.

alert roster

[___________] management is the set of actions taken by an organization in response to an emergency to minimize injury or loss of life, preserve the organization's image and market share, and complement its disaster recovery and business continuity processes.

crisis

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.

electronic vaulting

A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.

framework

A(n) [____________] site is a fully configured computer facility, with all services, communications links, and physical plant operations including heating and air conditioning.

hot

The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."

management

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.

people

RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.

redundant

A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years.

strategic

A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes __________.

All of the above

The ________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

EISP

________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

Managerial

A(n) [________] is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster.

Mutual agreement

[___________] controls are information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.

Operational

_________ controls address personnel security, physical security, and the protection of production inputs and outputs.

Operational

__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.

Redundancy

The goals of information security governance include all but which of the following?

Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care

According to NIST SP 800-14's security principles, security should ________.

All of the above

Redundancy can be implemented at a number of points throughout the security architecture, such as in ________.

All of the above

The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?

All of these are BIA stages

__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

Defense in depth

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.

blueprint

A ____ site provides only rudimentary services and facilities.

cold

Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.

damage assessment

Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.

de jure

Security __________ are the areas of trust within which users can freely communicate.

domains

In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which is intended to allow organizations to __________.

identify and prioritize opportunities for improvement within the context of a continuous and repeatable process

A(n) [_________] is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization.

incident
