Ball State CIS 410 Hua Exam 1, Test 1 ch 1-4 cis 410
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. SANS (ISC)2 ACM ISACA
(ISC)2
There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed.
1. Compromises to Intellectual Property (Ex. Piracy) 2. Deviations in Quality of Service (Ex. WAN Service Problems) 3. Espionage (Ex. Unauthorized Access or Data Collection) 4. Forces of Nature (Ex. Fire) 5. Human Error (Ex. Employee Mistakes) 6. Information Extortion (Ex. Blackmail)
What are the three distinct groups of decision makers or communities of interest on an information security team?
1. Those in the field of information security 2. Those in the field of IT 3. Those from the rest of the organization
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons? A. For political advantage B. For private financial gain C. For purposes of commercial advantage D. In furtherance of a criminal act
A. For political advantage
Which of the following is true about planning? A. Strategic plans are used to create tactical plans. B. Tactical plans are used to create strategic plans. C. Operational plans are used to create strategic plans. D. Operational plans are used to create tactical plans.
A. Strategic plans are used to create tactical plans.
Which statement defines the differences between a computer virus and a computer worm? A. Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate. B. Worms can copy themselves to computers and viruses can copy themselves to smartphones. C. Worms can make copies all by themselves on one kind of computer but viruses can make copies all by themselves on any kind of computer. D. Worms and viruses are the same.
A. Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.
A risk assessment is performed during which phase of the SDLC? A. analysis B. design C. investigation D. implementation
A. analysis
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. A. chief information security officer B. security technician C. chief technology officer D. security manager
A. chief information security officer
A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________. A. e-discovery B. indexing C. root cause analysis D. forensics
A. e-discovery
Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? A. fear of humiliation B. probability of being penalized C. probability of being caught D. fear of penalty
A. fear of humiliation
One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. A. hacktivism B. red teaming C. phreaking D. cyberhacking
A. hacktivism
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________. A. identifying relevant items of evidentiary value B. acquiring (seizing) the evidence without alteration or damage C. investigating allegations of digital malfeasance D. analyzing the data without risking modification or unauthorized access
A. identifying relevant items of evidentiary value
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? A. malice B. accident C. ignorance D. intent
A. malice
The EISP must directly support the organization's __________. A. mission statement B. financial statement C. values statement D. public announcements
A. mission statement
IT's focus is the efficient and effective delivery of information and administration of information resources, while InfoSec's primary focus is the __________ of all information assets. A. protection B. valuation C. operation D. availability
A. protection
Which type of planning is the primary tool in determining the long-term direction taken by an organization? A. strategic B. tactical C. managerial D. operational
A. strategic
When creating a __________, each level of each division translates its goals into more specific goals for the level below it. A. strategic plan B. maintenance program C. security policy D. security program
A. strategic plan
The final component of the design and implementation of effective policies is __________. A. uniform and impartial enforcement B. universal distribution C. complete distribution D. full comprehension
A. uniform and impartial enforcement
Which of the following is a key advantage of the bottom-up approach to security implementation? A. utilizing the technical expertise of the individual administrators B. strong upper-management support C. a clear planning and implementation process D. coordinated planning from upper management
A. utilizing the technical expertise of the individual administrators
Which of the following should be included in an InfoSec governance program? 1)An InfoSec risk management methodology 2)An InfoSec maintenance methodology 3)An InfoSec project management assessment 4)All of these are components of the InfoSec governance program.
An InfoSec risk management methodology
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? A. Systems Management B. Policy Review and Modification C. Limitations of Liability D. Statement of Purpose
B. Policy Review and Modification
Which law extends protection to intellectual property, which includes words published in electronic formats? A. Security and Freedom through Encryption Act B. U.S. Copyright Law C. Sarbanes-Oxley Act D. Freedom of Information Act
B. U.S. Copyright Law
In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution. A. justification B. analysis C. implementation D. investigation
B. analysis
A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs. A. disaster recovery planning B. business mission C. joint application design D. security policy review
B. business mission
Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________. A. data custodians B. data users C. data owners D. data generators
B. data users
With policy, the most common distribution methods are hard copy and __________. A. final B. electronic C. draft D. published
B. electronic
In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies? A. design B. implementation C. investigation D. analysis
B. implementation
Which phase of the SDLC should see clear articulation of goals? A. analysis B. investigation C. implementation D. design
B. investigation
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. A. management guidance, technical directive B. management guidance, technical specifications C. management directive, technical specifications D. management specification, technical directive
B. management guidance, technical specifications
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________. A. formula B. methodology C. model D. approach
B. methodology
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. A. chief technology officer B. security manager C. chief information security officer D. security technician
B. security manager
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, and so that it selects key stakeholders as well as the ____________. Chairman of the Board Board Finance Committee Board Risk Committee Board Ethics Committee
Board Risk Committee
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past? A. Deontological ethics B. Normative ethics C. Descriptive ethics D. Applied ethics
C. Descriptive ethics
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. A. Leading B. Controlling C. Governance D. Strategy
C. Governance
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system? A. Computer Fraud and Abuse Act B. The Telecommunications Deregulation and Competition Act C. The Computer Security Act D. National Information Infrastructure Protection Act
C. The Computer Security Act
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________. A. forensic finding B. search warrant C. affidavit D. subpoena
C. affidavit
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a(n) __________. A. phreaker B. expert hacker C. cracker D. penetration tester
C. cracker
A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. A. denial of service B. spam C. distributed denial of service D. virus
C. distributed denial of service
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. A. data imaging B. crime scene investigation C. forensics D. evidentiary material
C. forensics
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________. A. cracker B. expert hacker C. penetration tester D. phreaker
C. penetration tester
Which of the following is NOT one of the basic rules that must be followed when developing a policy? A. policy must be able to stand up in court if challenged B. policy should never conflict with law C. policy should be focused on protecting the organization from public embarrassment D. policy must be properly supported and administered
C. policy should be focused on protecting the organization from public embarrassment
To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology. A. size B. level of formatting C. reading level D. cost
C. reading level
Which of the following is compensation for a wrong committed by an individual or organization? A. due diligence B. liability C. restitution D. jurisdiction
C. restitution
The first priority of the CISO and the InfoSec management team should be the __________. A. adoption of an incident response plan B. development of a security policy C. structure of a strategic plan D. implementation of a risk management program
C. structure of a strategic plan
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________. A. exploit B. vulnerability C. threat D. attack
C. threat
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. A. theft B. security C. trespass D. bypass
C. trespass
A potential weakness in an asset or its defensive control system(s) is known as a(n) __________. A. attack B. threat C. vulnerability D. exploit
C. vulnerability
One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
Computer security act
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)? A. Applied ethics B. Meta-ethics C. Normative ethics D. Deontological ethics
D. Deontological ethics
Technology services are usually arranged with an agreement defining minimum service levels known as a(n) __________. A. MIN B. SSL C. MSL D. SLA
D. SLA
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? A. Wood's model B. on-target model C. Bergeron and Berube model D. bull's-eye model
D. bull's-eye model
A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________. A. auditor B. sponsor C. overseer D. champion
D. champion
Which of the following is not among the "deadly sins of software security"? A. Web application sins B. implementation sins C. networking sins D. extortion sins
D. extortion sins
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? A. acting B. learning C. establishing D. initiating
D. initiating
Which of the following is a C.I.A. triad characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state? A. accountability B. authentication C. availability D. integrity
D. integrity
Access control list user privileges include all but which of these? A. write B. execute C. read D. operate
D. operate
Which type of planning is used to organize the ongoing, day-to-day performance of tasks? A. tactical B. organizational C. strategic D. operational
D. operational
Human error or failure often can be prevented with training and awareness programs, policy, and __________. A. hugs B. outsourcing C. ISO 27000 D. technical controls
D. technical controls
Which of the following are the two general groups into which SysSPs can be separated? A. business guidance and network guidance B. user specifications and managerial guidance C. technical specifications and business guidance D. technical specifications and managerial guidance
D. technical specifications and managerial guidance
Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? A. espionage or trespass B. sabotage or vandalism C. information extortion D. theft
D. theft
What should an effective ISSP accomplish?
Describes the organization's expectations about how its technology-based system should be used. Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control. Indemnifies the organization against liability for an employee's inappropriate or illegal use of the system.
Which policy is the highest level of policy and is usually created first? EISP USSP ISSP SysSP
EISP
ESD is the acronym for __________.
Electrostatic Discharge
T/F: "Technology" is the essential foundation of an effective information security program
False
T/F: "Values" statements should be ambitious; after all, they are meant to express the aspirations of an organization.
False
T/F: Access control lists regulate who, what, when, where, and "why" authorized users can access a system.
False
T/F: Because it sets out general business intentions, a mission statement does not need to be concise.
False
T/F: Examples of actions that illustrate compliance with policies are known as "laws".
False
T/F: ISACA is a professional association with a focus on "authorization", control, and security. ___________
False
T/F: It is the responsibility of InfoSec professionals to understand state laws and "bills". ____________
False
T/F: The ISO 27014:2013 standard promotes five governance processes, which should be adopted by the organization's executive management and its "consultant".
False
T/F: The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and "decentralization".
False
T/F: To protect intellectual property and competitive advantage, Congress passed the "Entrepreneur" Espionage Act (EEA) in 1996.
False
The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.
False
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. Controlling Strategy Governance Leading
Governance
Discuss the three general categories of unethical behavior that organizations should try to control.
Ignorance Accident Intent Ignorance of the law is not a defense, but a lack of intent can be. Individuals within a business have the highest chance of causing harm or damage by accident.
__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them. Dumpster diving Competitive advantage Packet sniffing Industrial espionage
Industrial espionage
What is a key difference between law and ethics?
Laws bear the sanction of a governing authority and ethics do not.
_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present. Portable Desktop computer Satellite transceiver Expansion
Portable
Which of the following is an information security governance responsibility of the chief information security officer? 1)Implement incident response programs to detect security vulnerabilities and breaches. 2)Set security policy, procedures, programs, and training. 3)Develop policies and the program. 4)Brief the board, customers, and the public.
Set security policy, procedures, programs, and training.
Which of the following is true about planning? 1)Tactical plans are used to create strategic plans. 2)Operational plans are used to create strategic plans. 3)Strategic plans are used to create tactical plans. 4)Operational plans are used to create tactical plans.
Strategic plans are used to create tactical plans.
Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?
The Freedom of Information Act (FOIA) allows for the disclosure of previously undisclosed information and documents controlled by the US government. The FOIA applies only to federal agencies and does not affect local state agencies.
Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?
The Freedom of Information act requires all federal agencies to disclose records requested in writing by any person. FOIA only applies to federal agencies. Each state has its own public access laws that should be consulted for access to state and local records.
What should an effective ISSP accomplish?
The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource.
Discuss the planning element of information security.
The planning element of information security is the integration of strategies such as IT strategies to develop information security strategies. The goal is to make plans that support long term achievement of the overall organizational strategy. Information security plans include incident response planning, risk management planning, and security program planning.
What are the three distinct groups of decision makers or communities of interest on an information security team?
Those in the field of information security. Those in the field of IT. Those from the rest of the organization.
Describe the foundations and frameworks of ethics.
Traditional foundations and frameworks of ethics include: 1. Normative ethics- what makes actions right or wrong 2. Meta-ethics- the meaning of ethical judgements and properties 3. Descriptive ethics- the choices that have been made by individuals in the past 4. Applied ethics- applies moral codes to actions drawn from realistic situations 5. Deontological ethics- the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences
T/F: According to the CGTF, the organization should treat InfoSec as an "integral" part of the system life cycle.
True
T/F: Enterprise "risk management" is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True
T/F: The Gramm-Leach-Bliley (GLB) Act, also known as the "Financial" Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies.
True
T/F: Information security policies are designed to provide structure in the workplace and explain the "will" of the organization's management.
True
Which law extends protection to intellectual property, which includes words published in electronic formats? Freedom of Information Act Security and Freedom through Encryption Act Sarbanes-Oxley Act U.S. Copyright Law
U.S. Copyright Law
Which statement defines the differences between a computer virus and a computer worm? 1)Worms can make copies all by themselves on one kind of computer but viruses can make copies all by themselves on any kind of computer. 2)Worms and viruses are the same. 3)Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate. 4)Worms can copy themselves to computers and viruses can copy themselves to smartphones.
Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.
What do audit logs that track user activity on an information system provide? authentication authorization accountability identification
accountability
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.
affidavit
In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution. implementation justification investigation analysis
analysis
The most complex part of an investigation is usually __________. analysis for potential EM preventing the destruction of potential EM protecting potential EM requesting potential EM
analysis for potential EM
An approach that applies moral codes to actions drawn from realistic situations.
applied ethics
A(n) __________ is an act against an asset that could result in a loss.
attack
A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. breach compromise notification spill
breach
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? 1)can suffer from poor policy dissemination, enforcement, and review 2)may skip vulnerabilities otherwise reported 3)implementation can be less difficult to manage 4)may be more expensive than necessary
can suffer from poor policy dissemination, enforcement, and review
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. security technician chief technology officer chief information security officer security manager
chief information security officer
Some information gathering techniques are quite legal—for example, using a Web browser to perform market research. These legal techniques are called, collectively, __________.
competitive intelligence
Which of the following are instructional codes that guide the execution of the system when information is passing through it? capability tables access control lists configuration rules user profiles
configuration rules
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. convergence combination optimization intimation
convergence
Addresses violations harmful to society and is actively enforced and prosecuted by the state.
criminal law
Focuses on enhancing the security of the critical infrastructure in the United States.
cybersecurity act
Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________. data owners data custodians data generators data users
data users
The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. analysis design implementation investigation
design
An organization increases its liability if it refuses to take the measures a prudent organization should; this is known as the standard of _____________.
due care
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? policy administration due diligence certification and accreditation adequate security measures
due diligence
A collection of statutes that regulates the interception of wire, electronic, and oral communications.
electronic communication privacy act
According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? initiating learning establishing acting
establishing
Defines socially acceptable behaviors.
ethics
The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.
ethics
"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. __________
false
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of systems.
false
Access control lists regulate who, what, when, where, and why authorized users can access a system.
false
ISACA is a professional association with a focus on authorization, control, and security. ___________
false
Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. _________________________
false
It is the responsibility of InfoSec professionals to understand state laws and bills. ____________
false
Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________
false
The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________
false
The authorization process takes place before the authentication process.
false
The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. ____________
false
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
false
Values statements should be ambitious; after all, they are meant to express the aspirations of an organization. ____________
false
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. forensics evidentiary material data imaging crime scene investigation
forensics
The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective. The letters stand for __________, __________, and __________. 1)governance, risk management, compliance 2)governance, risk control, confidentiality 3)government, regulation, classification 4)generalization, risk assessment, cryptography
governance, risk management, compliance
One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. phreaking hacktivism cyberhacking red teaming
hacktivism
In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies? design investigation implementation analysis
implementation
The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security. operational cyber information network
information
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? establishing acting initiating learning
initiating
A detailed outline of the scope of the policy development project is created during which phase of the SDLC? implementation investigation design analysis
investigation
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? user-specific enterprise information issue-specific system-specific
issue-specific
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? ignorance malice intent accident
malice
Communications security involves the protection of which of the following? media, technology, content radio handsets the IT department people, physical assets
media, technology, content
Which of the following explicitly declares the business of the organization and its intended areas of operations? values statement vision statement business statement mission statement
mission statement
The protection of voice and data components, connections, and content is known as __________ security. national network cyber operational
network
The study of what makes actions right or wrong, also known as moral theory.
normative ethics
The three levels of planning are strategic planning, tactical planning, and __________ planning.
operational
Which type of planning is used to organize the ongoing, day-to-day performance of tasks? operational strategic tactical organizational
operational
resources to support the accomplishment of objectives? planning controlling leading organization
organization
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy? policy developer policy enforcer policy reviewer policy administrator
policy administrator
Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected? accountability availability confidentiality privacy
privacy
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________. proper development proper conception proper implementation proper design
proper conception
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
public law
Which of the following is NOT an approach to password cracking? social engineering attacks dictionary attacks brute force ransomware
ransomware
To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology. level of formatting cost reading level size
reading level
A momentary low voltage is called a(n) __________.
sag
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________. search warrant subpoena affidavit forensic clue
search warrant
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. chief information security officer security manager security technician chief technology officer
security manager
A qualified individual who is tasked with configuring security technologies and operating other technical control systems is known as a(n) ____________. security manager chief information security officer security technician chief technology officer
security technician
"4-1-9" fraud is an example of a __________ attack. worm spam virus social engineering
social engineering
Which type of document is a more detailed statement of what must be done to comply with a policy? procedure standard practice guideline
standard
Human error or failure often can be prevented with training and awareness programs, policy, and __________. ISO 27000 technical controls outsourcing hugs
technical controls
Which of the following are the two general groups into which SysSPs can be separated? 1)business guidance and network guidance 2)technical specifications and business guidance 3)user specifications and managerial guidance 4)technical specifications and managerial guidance
technical specifications and managerial guidance
An example of a company stakeholder includes all of the following EXCEPT: the general public employees management stockholders
the general public
In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? 1)legal recourse 2)the penalties for violation of the policy 3)appeals process 4)individual responsible for approval
the penalties for violation of the policy
Digital forensics can be used for two 1)key purposes: ________ or _________. to investigate allegations of digital malfeasance; to perform root cause analysis 2)to solicit testimony; to perform root cause analysis 3)to investigate allegations of digital malfeasance; to solicit testimony 4)e-discovery; to perform root cause analysis
to investigate allegations of digital malfeasance; to perform root cause analysis
A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.
true
A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. __________
true
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
true
Policies must specify penalties for unacceptable behavior and define an appeals process.
true
Deterrence is the best method for preventing an illegal or unethical activity. ____________
true
Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
true
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? issue-specific security policies user-specific security policies enterprise information security policy system-specific security policies
user-specific security policies