SPM401
1. Because it sets out general business intentions, a mission statement does not need to be concise.
False
1. Ethics carry the sanction of a governing authority.
False
1. Having an established risk management program means that an organization's assets are completely protected.
False
1. The first step in solving problems is to gather facts and make assumptions.
False
2. Corruption of information can occur only while information is being stored.
False
2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
False
2. The defense risk control strategy may be accomplished by outsourcing to other organizations.
False
3. MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
False
3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
False
3. The authorization process takes place before the authentication process.
False
3. The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
False
3. Threats from insiders are more likely in a small organization than in a large one.
False
4. A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False
4. Rule-based policies are less specific to the operation of a system than access control lists.
False
4. The security education, training, and awareness (SETA) program is designed to reduce the occurence of external security attacks.
False
5. DoS attacks cannot be launched against routers.
False
5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.
False
6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
False
8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
False
10. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False - Economic
6. The secretarial community often takes on the leadership role in addressing risk. ____________
False - InfoSec, infosec, Information Security, information security
6. Technology is the essential foundation of an effective information security program. _____________
False - Policy
6. Values statements should therefore be ambiguous; after all, they are meant to express the aspirations of the organization.
False - Vision, vision
11. The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
False - acceptance
9. Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________
False - aggregation
7. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection. ___________
False - analysis
4. ISACA is a professional association with a focus on authorization, control, and security. ___________
False - auditing
7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________
False - baseline
14. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________
False - bomb
8. The macro virus infects the key operating system files located in a computer's start up sector. _________________________
False - boot
11. A signaling law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________
False - breach
9. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________
False - brute force
11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________
False - classification
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
2. The InfoSec community often takes on the leadership role in addressing risk.
True
2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True
3. Deterrence is the best method for preventing an illegal or unethical activity. ____________
True
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
True
4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.
True
4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
True
4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
True
5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.
True
5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.
True
5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True
5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
True
6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
True
7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.
True
10. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. _________________________
False - cracker
13. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________
False - packet
9. Examples of actions that illustrate compliance with policies are known as laws.
False - practices
15. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
False - qualitative
15. In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence. ____________
False - rate
7. It is the responsibility of InfoSec professionals to understand state laws and standards. ____________
False - regulations
10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.
False - software
7. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. _________________________
False - spike
7. A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
False - stakeholder
18. Which of the following should be included in an InfoSec governance program?
b. An InfoSec risk management methodology
21. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
b. Descriptive ethics
20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
b. Establishing
36. Blackmail threat of informational disclosure is an example of which threat category?
b. Information extortion
21. Which of the following is an attribute of a network device is physically tied to the network interface?
b. MAC address
27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
b. Relative value
15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
b. Risk assessment
33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
b. Risk assessment estimate factors
35. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
b. SLA
24. Data classification schemes should categorize information assets based on which of the following?
b. Sensitivity and security needs
21. Which of the following is an information security governance responsibility of the Chief Security Officer?
b. Set security policy, procedures, programs and training
32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
b. Threats-vulnerabilities-assets worksheet
18. Which law extends protection to intellectual property, which includes words published in electronic formats?
b. U.S. Copyright Law
13. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
b. User-specific security policies
31. __________ is a simple project management planning tool.
b. WBS
28. A risk assessment is performed during which phase of the SecSDLC?
b. analysis
16. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
b. availability
23. The purpose of SETA is to enhance security in all but which of the following ways?
b. by adding barriers
18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
b. centralized authentication
16. Application of training and education is a common method of which risk control strategy?
b. defense
33. Which type of attack involves sending a large number of connection or information requests to a target?
b. denial-of-service (DoS)
24. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
b. deterrence
38. A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
b. distributed denial-of-service
31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
b. documented control strategy
30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
b. due diligence
31. Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
b. education
30. Which of the following is NOT a step in the process of implementing training?
b. hire expert consultants
17. Which of the following is an element of the enterprise information security policy?
b. information on the structure of the InfoSec organization
27. What is the first phase of the SecSDLC?
b. investigation
24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
b. joint application design
27. Any court can impose its authority over an individual or organization if it can establish which of the following?
b. jurisdiction
23. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
b. malice
35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
b. penetration testing
27. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
b. people
26. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
b. policy
25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
b. political feasibility
26. Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
b. restitution
20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
b. risk appetite
23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
b. single loss expectancy
16. Which type of document is a more detailed statement of what must be done to comply with a policy?
b. standard
30. An example of a stakeholder of a company includes all of the following except:
b. the general public
35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
a. Uncertainty percentage
29. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting
20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
a. Violations of Policy
21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemintation, enforcement, and review
19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
c. Assigning a value to each information asset
24. Which of the following is NOT a step in the problem-solving process?
c. Build support among management for the candidate solution
12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
c. Bull's-eye model
25. Classification categories must be mutually exclusive and which of the following?
c. Comprehensive
26. Which of the following is an advantage of the one-on-one method of training?
c. Customized
18. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
d. authentication
33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
a. champion
28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
a. chief information security officer
24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis
26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
a. data owners
27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design
38. A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
a. enterprise risk management.
40. A short-term interruption in electrical power availability is known as a ____.
a. fault
37. One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
a. hacktivist
18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan
35. The NIST risk management approach includes all but which of the following elements?
a. inform
29. In which phase of the SecSDLC does the risk management task occur?
d. analysis
6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
False - defense
8. The ISA 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.
False - governance
8. Non mandatory recommendations that the employee may use as a reference in complying with a policy.are known as regulations. ____________
False - guidelines
9. The recognition, enumeration, and documentation of risks to an organization's information assets. is known as risk control. ____________
False - identification
13. The information technology management community of interest often takes on the leadership role in addressing risk. ____________
False - infosec, information security
12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________
False - likelihood
12. Most information security projects require a trained project developer. _________________________
False - manager
11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
False - milestones
6. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________
False - surfing
10. An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________
False - technical
8. InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False - technology
10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________
False - threat
9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________
False - transference
14. A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
False - vulnerabilities
8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________
False - vulnerabilities
1. Policies must specify penalties for unacceptable behavior and define an appeals process.
True
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
True
1. Small organizations spend more per user on security than medium- and large-sized organizations.
True
10. Each organization has to determine its own project management methodology for IT and information security projects.
True
11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________
True
12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
True
13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
True
14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________
True
2. A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
True
9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True
25. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
a. (ISC)2
19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a. A security technician
34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
a. Board Risk Committee
30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
a. Cost of prevention
34. Which of the following is not among the 'deadly sins of software security'?
a. Extortion sins
22. ISO 27014:2013 is the ISO 27000 series standard for ____________.
a. Governance of Information Security
17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
a. Hold regular meetings with the CIO to discuss tactical InfoSec planning
19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
a. Initiating
19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification
28. What should you be armed with to adequately assess potential weaknesses in each information asset?
a. Properly classified inventory
17. The identification and assessment of levels of risk in an organization describes which of the following?
a. Risk analysis
12. Which of the following is true about planning?
a. Strategic plans are used to create tactical plans
16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing
16. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
a. The Electronic Communications Privacy Act of 1986
18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
a. issue-specific
21. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
a. organization
36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
a. penetration tester
27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components
32. "4-1-9" fraud is an example of a ____________________ attack.
a. social engineering
11. Which type of planning is the primary tool in determining the long-term direction taken by an organization?
a. strategic
22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance
37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
a. vulnerability assessment
24. Which of the following is NOT an aspect of access regulated by ACLs?
b. where the system is located
19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
14. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
c. For political advantage
17. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
c. HIPAA
13. Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
c. Health Information Technology for Economic and Clinical Health Act
25. Which of the following is the first step in the process of implementing training?
c. Identify program scope, goals, and objectives
16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
c. Legal management must develop corporate-wide standards
29. Which of the following is an example of a technological obsolescence threat?
c. Outdated servers
23. Which of the following is the first step in the problem-solving process?
c. Recognize and define the problem
15. The basic outcomes of InfoSec governance should include all but which of the following?
c. Time management by aligning resources with personnel schedules and organizational objectives
31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
c. Vulnerabilities
21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
19. What do audit logs that track user activity on an information system provide?
c. accountability
30. Which of the following is not a step in the FAIR risk management framework?
c. assess control impact
39. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
c. back door
25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?
c. configuration rules
32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
c. cost avoidance
16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
c. data users
26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
c. evaluating alternative strategies
30. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
c. hoaxes
10. Which of the following explicitly declares the business of the organization and its intended areas of operations?
c. mission statement
29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
c. monitoring and measurement
20. GGG security is commonly used to describe which aspect of security?
c. physical
17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
c. planning
11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
c. policy should be agreed upon by all employees and management
12. Which subset of civil law regulates the relationships among individuals and among individuals and organizations?
c. private
21. What is the SETA program designed to do?
c. reduce the occurence of accidental security breaches
22. A SETA program consists of three elements: security education, security training, and which of the following?.
c. security awareness
32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
c. security manager
33. Which of the following is NOT an alternative to using CBA to justify risk controls?
c. selective risk avoidance
31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
c. team leader
24. Advanced technical training can be selected or developed based on which of the following?
c. technology product
28. Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
c. trespass
23. Which of the following is a key advantage of the bottom-up approach to security implementation?
c. utilizes the technical expertise of the individual administrators
18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
d. Calculating the severity of risks to which assets are exposed in their current setting
17. Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
d. Confidentiality
20. Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
d. DMCA
28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
d. Delphi
19. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
d. Deontological ethics
15. Which policy is the highest level of policy and is usually created first?
d. EISP
20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
d. IP address
28. Which of the following is an advantage of the formal class method of training?
d. Interaction with trainer is possible
26. What is the final step in the risk identification process?
d. Listing assets in order of importance
23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
d. Manufacturer's model or part number
14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
d. Operational
13. Which of the following variables is the most influential in determining how to structure an information security program?
d. Organizational culture
22. Which of the following attributes does NOT apply to software information assets?
d. Product dimensions
27. Which of the following is a disadvantage of the one-on-one training method?
d. Resource intensive, to the point of being inefficient
15. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
d. The Computer Security Act
29. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
d. Trojan horses
34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
d. Uncertainty
23. What are the two general methods for implementing technical controls?
d. access control lists and configuration rules
22. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
d. common good
26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
d. investigation
33. Which of the following is true about a company's InfoSec awareness Web site?
d. it should be tested with multiple browsers
22. Which of the following affects the cost of a control?
d. maintenance
22. In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
d. man-in-the-middle
39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
d. managerial controls
15. Communications security involves the protection of which of the following?.
d. media, technology, and content
17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
d. mitigation
25. Which of the following is NOT a primary function of Information Security Management?
d. performance
20. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?
d. planning
29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
d. policy administrator
34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
d. risk determination
32. Which of the following is the most cost-effective method for disseminating security information and news to employees?
d. security newsletter
13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
d. tactical
14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
d. the proper operation of equipment
14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
d. they have larger information security needs than a small organization
25. Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
d. traditional waterfall