calvert midterm
1. Which of the following is an information security governance responsibility of the Chief Security Officer?
Set security policy, procedures, programs and training
1. Which of the following is true about planning?
Strategic plans are used to create tactical plans
1. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
Systems testing
1. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
Threats-vulnerabilities-assets worksheet
1. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan Horses
1. A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
1. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True
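An added illustration of the signature-evasion point above (this is example code written for this page, not material from the flashcards or their textbook): a toy "polymorphic" transform re-encodes a harmless stand-in payload with a fresh XOR key each time, so a scanner looking for a fixed byte sequence never fires, while a check that inspects the decoded behaviour still catches every variant. The payload, signature and key schedule are all constructed here for the demonstration.

```python
"""Why a pre-configured byte signature fails against a self-re-encoding threat.
Added example for this page; PAYLOAD, SIGNATURE and the key choice are constructed."""
import os
from typing import Optional

# Constructed: a harmless stand-in for a malicious body, and the fixed byte
# sequence a signature-based antivirus engine might have extracted from it.
PAYLOAD = b"EVIL-ROUTINE: delete files and exfiltrate"
SIGNATURE = b"EVIL-ROUTINE"


def signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static scan: does the fixed byte sequence occur anywhere in the sample?"""
    return signature in sample


def polymorphic_encode(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Produce a new variant: a 1-byte key followed by the body XOR-ed with it.
    A different key gives different bytes on disk for identical behaviour.
    Key 0 is avoided because it would leave the body unchanged."""
    if key is None:
        key = bytes([(os.urandom(1)[0] % 255) + 1])
    k = key[0]
    body = bytes(b ^ k for b in payload)
    return bytes([k]) + body


def decode_variant(variant: bytes) -> bytes:
    """What the variant does at run time: recover the original body."""
    k = variant[0]
    return bytes(b ^ k for b in variant[1:])


def behavior_match(variant: bytes, signature: bytes = SIGNATURE) -> bool:
    """Behaviour-based check: let the sample unpack itself first, then look for
    the signature. This mirrors an emulator or sandbox judging what the code
    does rather than how it looks on disk."""
    return signature in decode_variant(variant)


def demo(trials: int = 50) -> dict:
    """Generate `trials` variants with distinct keys 1..trials and count how
    many each kind of scanner detects."""
    static_hits = 0
    behavior_hits = 0
    for k in range(1, trials + 1):
        variant = polymorphic_encode(PAYLOAD, bytes([k]))
        static_hits += signature_match(variant)
        behavior_hits += behavior_match(variant)
    return {"variants": trials, "static_hits": static_hits,
            "behavior_hits": behavior_hits}


if __name__ == "__main__":
    print(demo())
```

The static scanner scores zero on every variant even though the original body matches its signature; the decode-then-scan check scores on all of them. Real engines combine emulation, heuristics and behaviour monitoring for exactly this reason.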
1. Deterrence is the best method for preventing an illegal or unethical activity. ____________
True
1. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
1. Small organizations spend more per user on security than medium- and large-sized organizations.
True
1. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
True
1. Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright Law
1. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
User-specific security policies
1. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
Violations of Policy
1. What are the two general methods for implementing technical controls?
access control lists and configuration rules
1. In which phase of the SecSDLC does the risk management task occur?
analysis
1. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
centralized authentication
1. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
champion
1. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
chief information security officer
1. Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
confidentiality
1. What is the first phase of the SecSDLC?
investigation
1. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
issue-specific
1. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
joint application design
1. Any court can impose its authority over an individual or organization if it can establish which of the following?
jurisdiction
1. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
malice
1. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
managerial controls
1. Which of the following explicitly declares the business of the organization and its intended areas of operations?
mission statement
1. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
organization
1. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
penetration tester
1. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
penetration testing
1. Which type of document is a more detailed statement of what must be done to comply with a policy?
standard
1. Which type of planning is the primary tool in determining the long-term direction taken by an organization?
strategic
1. Which of the following are the two general groups into which SysSPs can be separated?
technical specifications and managerial guidance
1. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
they have larger information security needs than a small organization
1. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.
True
1. Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
1. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
Availability
1. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
Back Door
1. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
Bull's-eye model
1. Which type of attack involves sending a large number of connection or information requests to a target?
Denial of service
1. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
Deterrence
1. Which policy is the highest level of policy and is usually created first?
EISP
1. ISACA is a professional association with a focus on authorization, control, and security. ___________
False
1. A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
False
1. Prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
False
1. Corruption of information can occur only while information is being stored.
False
1. DoS attacks cannot be launched against routers.
False
1. Having an established risk management program means that an organization's assets are completely protected.
False
1. InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False
1. It is the responsibility of InfoSec professionals to understand state laws and standards. ____________
False
1. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
False
1. MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
False
1. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.
False
1. The authorization process takes place before the authentication process.
False
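An added example for the ordering point in the item above (written for this page, not taken from the flashcards or their textbook): `handle_request_wrong` decides what the caller may do from a client-supplied `X-Role` header before it has verified who the caller is, so a low-privilege user who presents a valid token plus a forged role header gets through. `handle_request` authenticates first and derives the role from the verified identity. The HMAC token scheme, user directory and permission table are all constructed for the demonstration.

```python
"""Authorization must follow authentication: permissions can only be derived
from an identity once that identity has been verified.
Added example for this page; SERVER_KEY, USERS and PERMISSIONS are constructed."""
import hashlib
import hmac
from typing import Optional

# Constructed sample data: server-side signing key, user directory, permission table.
SERVER_KEY = b"constructed-server-key-do-not-reuse"
USERS = {"alice": "admin", "bob": "viewer"}
PERMISSIONS = {"admin": {"read", "delete"}, "viewer": {"read"}}


def issue_token(username: str) -> str:
    """Mint a bearer token of the form user:mac, mac = HMAC-SHA256(key, user)."""
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def authenticate(token: str) -> Optional[str]:
    """Return the verified username, or None if the token is missing or forged."""
    if not token or ":" not in token:
        return None
    username, mac = token.split(":", 1)
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    if username in USERS and hmac.compare_digest(mac, expected):
        return username
    return None


def handle_request_wrong(headers: dict, action: str) -> str:
    """Authorization before authentication: the role is an unverified client claim."""
    role = headers.get("X-Role", "viewer")            # attacker-controlled
    if action not in PERMISSIONS.get(role, set()):
        return "403 forbidden"
    # Identity is checked only after the permission decision has already been made
    # from untrusted input, so a valid but low-privilege token suffices.
    if authenticate(headers.get("Authorization", "")) is None:
        return "401 unauthenticated"
    return f"200 {action} performed"


def handle_request(headers: dict, action: str) -> str:
    """Authentication first; the role comes from the verified identity."""
    user = authenticate(headers.get("Authorization", ""))
    if user is None:
        return "401 unauthenticated"
    role = USERS[user]                                # server-side, not from the client
    if action not in PERMISSIONS[role]:
        return "403 forbidden"
    return f"200 {action} performed as {user}"


if __name__ == "__main__":
    bob_with_forged_role = {"Authorization": issue_token("bob"), "X-Role": "admin"}
    print("wrong order:", handle_request_wrong(bob_with_forged_role, "delete"))
    print("right order:", handle_request(bob_with_forged_role, "delete"))
```

Bob is a viewer; with the wrong ordering he deletes by adding one header, with the right ordering he gets 403 because his permissions are looked up from the identity the token actually proves.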
1. The first step in solving problems is to gather facts and make assumptions.
False
1. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
False
1. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
False
1. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False
1. Values statements should be ambitious; after all, they are meant to express the aspirations of the organization.
False
1. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
For political advantage
1. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPAA
1. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
IP address
1. What is the final step in the risk identification process?
Listing assets in order of importance
1. Which of the following is an attribute of a network device that is physically tied to the network interface?
MAC address
1. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
1. Which of the following variables is the most influential in determining how to structure an information security program?
Organizational culture
1. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
People
1. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
Policy
1. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
Policy Review and Modification
1. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Risk assessment