3044 Exam 2
Dumpster exploitation is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information.
False
MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.
False
Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
False
The IT community often takes on the leadership role in addressing risk.
False
A well-defined risk appetite should have all of the following characteristics EXCEPT
It is not limited by stakeholder expectations.
What does it mean to "know the enemy" with respect to risk management?
"Know the enemy" refers to identifying the threats that face the organization's information assets. Knowing the enemy gives an organization an advantage in protecting its valuable information assets, because controls can be chosen against the threats that are actually likely rather than against every conceivable one.
NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as
governance
The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk
identification
Which of the following is the first step in the process of implementing training?
identify program scope, goals, and objectives
Which of the following affects the cost of a control?
maintenance
Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
need-to-know
Which type of access controls can be role-based or task-based?
nondiscretionary
Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security.
11
Smaller organizations tend to spend approximately ______________ percent of the total IT budget on security.
20
The ________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
need-to-know
Which of the following is NOT a part of an information security program? technologies used by an organization to manage the risks to its information assets; activities used by an organization to manage the risks to its information assets; personnel used by an organization to manage the risks to its information assets
All of these are part of an information security program.
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact) is known as _____. It is the product of the asset's value and the exposure factor.
SLE
Access controls are built on three key principles. List and briefly define them.
Separation of duties: No single person should control a sensitive process from start to finish; the tasks (for example, initiating and approving a payment) are split between different people so that one individual cannot violate security alone. Least privilege: Members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. Need-to-know: A user's access is limited to the specific information required to perform the currently assigned task; people are not allowed to view data simply because it falls within their level of clearance.
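The three principles above, expressed as separate access decisions so the differences are visible. This is an added example, not material from the study set or its textbook; the users, documents, clearance levels and timestamps are constructed, and modelling least privilege as a task grant with an expiry time is one assumed way to represent "minimum information for the minimum time".

```python
"""Access-control principles as checks (added example; not from the study set).

Three separate decisions are modelled:
  need-to-know        : access is granted per assigned task, not per clearance level
  least privilege     : a grant covers one document and expires after a bounded time
  separation of duties: the person who initiates a sensitive action may not approve it
All users, documents and time values below are constructed for illustration.
"""
from dataclasses import dataclass, field

# assumed clearance ordering, lowest to highest
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Grant:
    document: str
    expires_at: int   # seconds; the grant is void after this time


@dataclass
class User:
    name: str
    clearance: str
    grants: list = field(default_factory=list)   # active need-to-know grants


@dataclass
class Document:
    name: str
    classification: str


def assign_task(user: User, document: Document, now: int, ttl_seconds: int) -> None:
    """Least privilege: grant exactly one document for a bounded time window."""
    user.grants.append(Grant(document.name, expires_at=now + ttl_seconds))


def can_read(user: User, document: Document, now: int) -> bool:
    """Clearance is necessary but not sufficient: a task-specific grant for this
    document (need-to-know) must exist and must not have expired (least privilege)."""
    if CLEARANCE_RANK[user.clearance] < CLEARANCE_RANK[document.classification]:
        return False
    return any(g.document == document.name and now <= g.expires_at for g in user.grants)


def can_approve(initiator: str, approver: str) -> bool:
    """Separation of duties: a sensitive action needs a second, different person."""
    return initiator != approver


# constructed scenario: alice holds the highest clearance but only one assigned task
ALICE = User("alice", clearance="secret")
PAYROLL = Document("payroll-2024", classification="confidential")
MERGER = Document("merger-memo", classification="confidential")
assign_task(ALICE, PAYROLL, now=1_000, ttl_seconds=3_600)


def demo() -> dict:
    """Return the decision for each scenario so the outcomes can be checked."""
    return {
        "payroll_during_task": can_read(ALICE, PAYROLL, now=1_500),
        "merger_same_clearance": can_read(ALICE, MERGER, now=1_500),  # cleared, no need-to-know
        "payroll_after_task": can_read(ALICE, PAYROLL, now=5_000),    # grant expired
        "self_approval": can_approve("alice", "alice"),
        "two_person_approval": can_approve("alice", "bob"),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:24s} -> {'ALLOW' if allowed else 'DENY'}")
```

The point of the second scenario is the one the cards keep returning to: alice's "secret" clearance covers a "confidential" memo, yet she is denied because no assigned task gives her a need to know it. The third scenario shows least privilege in time: the same grant that allowed the first read is void once its window has passed.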
Describe operational feasibility
Operational (also called behavioral) feasibility asks whether users, management and the organization's other stakeholders will accept and support a proposed system or control. A control that is technically sound but that users will work around is not operationally feasible.
Explain the conflict between the goals and objectives of the CIO and the CISO
The CIO's goal is to implement information technology and keep it operating efficiently in support of the business, whereas the CISO's goal is to ensure the security of the organization's information assets and take steps to protect them. The conflict arises because protective measures often add cost, slow systems down or restrict what users can do, which works against the CIO's goals of availability, performance and ease of use.
Due care and due diligence occur when an organization adopts a certain minimum level of security, that is, what any prudent organization would do in similar circumstances.
True
On-the-job training can result in substandard work performance while the trainee gets up to speed.
True
Projectitis is a phenomenon in which the project manager spends more time documenting project tasks than in accomplishing meaningful project work.
True
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
True
All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT: When a vulnerability exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being exploited; When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack; When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss; When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.
When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.
Which of the following activities is part of the risk identification process?
assigning a value to each information asset
The goal of a security ____________ program is to keep information security at the forefront of users' minds on a daily basis.
awareness
Classification categories must be __________ and mutually exclusive.
comprehensive
Classification categories must be mutually exclusive and which of the following?
comprehensive
An ATM that limits what kinds of transactions a user can perform is an example of which type of access control?
constrained user interface
__________ is the financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.
cost avoidance
____ channels are unauthorized or unintended methods of communications hidden inside a computer system, including storage and timing channels.
covert
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________.
dumpster diving
__________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.
projectitis
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
qualitative assessment of many risk components
What is the risk to information assets that remains even after current controls have been applied?
residual risk
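A worked cost-benefit calculation tying together the SLE card (asset value times exposure factor), the cost avoidance card and the residual risk card. This is an added example, not from the study set; it goes beyond the cards by assuming the standard annualized chain, ALE = SLE x ARO and CBA = ALE(prior) - ALE(post) - ACS, where ARO (annualized rate of occurrence) and ACS (annualized cost of the safeguard) are not named on this page. The asset value, exposure factor, occurrence rates and control cost are constructed figures.

```python
"""Cost-benefit analysis of a risk control (added worked example).

Assumed formulas (standard, but not stated on the card list):
  SLE  = AV * EF                 single loss expectancy
  ALE  = SLE * ARO               annualized loss expectancy
  CBA  = ALE_prior - ALE_post - ACS
The dollar figures below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    asset_value: float      # AV: value of the information asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: the most likely loss from one attack."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by how often it is expected per year."""
        return self.sle() * self.aro


def cost_avoidance(prior: LossScenario, post: LossScenario) -> float:
    """Annual loss avoided by applying the control (the defense strategy's saving)."""
    return prior.ale() - post.ale()


def cba(prior: LossScenario, post: LossScenario, annual_control_cost: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return cost_avoidance(prior, post) - annual_control_cost


def residual_ale(post: LossScenario) -> float:
    """Residual risk, expressed as the annual loss that remains after the control."""
    return post.ale()


# Constructed scenario: a customer database valued at $500,000; a breach is expected
# to destroy 40% of that value; without controls it occurs about once every 2 years.
PRIOR = LossScenario(asset_value=500_000, exposure_factor=0.40, aro=0.5)
# After an assumed control: same exposure per incident, but incidents drop to once per decade.
POST = LossScenario(asset_value=500_000, exposure_factor=0.40, aro=0.1)
CONTROL_COST = 60_000  # assumed annualized cost of the safeguard (ACS)

if __name__ == "__main__":
    print(f"SLE           = ${PRIOR.sle():>10,.0f}")
    print(f"ALE prior     = ${PRIOR.ale():>10,.0f}")
    print(f"ALE post      = ${POST.ale():>10,.0f}")
    print(f"cost avoided  = ${cost_avoidance(PRIOR, POST):>10,.0f}")
    print(f"residual risk = ${residual_ale(POST):>10,.0f}")
    print(f"CBA           = ${cba(PRIOR, POST, CONTROL_COST):>10,.0f}")
```

With these figures the control avoids $80,000 of expected annual loss at a cost of $60,000, so the CBA is positive and the control is justified; raise the control's cost above the avoided loss and the same function goes negative, which is the signal to look at the alternatives to CBA named on the later card or at another treatment strategy. The $20,000 that remains is the residual risk, which management must knowingly accept.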
The identification, analysis, and evaluation of risk in an organization describes which of the following?
risk assessment
A SETA program consists of three elements: security education, security training, and which of the following?
security awareness
Which of the following is NOT an alternative to using CBA to justify risk controls?
selective risk avoidance
A time-release safe is an example of which type of access control?
temporal isolation