Ch. 6 Quiz & Assessment
Which of the following is an example of social engineering?
A. An emotional appeal for help B. A phishing attack C. Intimidation D. Name-dropping
Which activity manages the baseline settings for a system or device?
Configuration Control
What is the correct order of steps in the change control process? (RIAABIM)
Request, impact assessment, approval, build/test, implement, monitor
When developing software, you should ensure the application does which of the following?
A. Has edit checks, range checks, validity checks, and other similar controls B. Checks user authorization C. Checks user authentication to the application D. Has procedures for recovering database integrity in the event of system failure
The objectives of classifying information include which of the following?
A. To identify data value in accordance with organization policy B. To identify information protection requirements C. To standardize classification labeling throughout the organization D. To comply with privacy law, regulations, and so on
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
An organization should share its information.
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
An organization does not have to comply with both regulatory standards and organizational standards.
False
Certification is the formal agreement by an authorizing official to accept the risk of implementing a system.
False
Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets.
False
Which software testing method provides random input to see how software handles unexpected data?
Fuzzing
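The following is an added example, not part of the quiz, showing what "random input to see how software handles unexpected data" looks like in practice. It is a small mutation-based fuzzer written for this page: it takes one valid input, applies random byte flips, truncations and insertions, and reports any exception the parser did not mean to raise. The record format (1-byte type, 2-byte big-endian length, payload, 1-byte checksum), both parsers and the seed input are constructed for the example; the fragile parser is deliberately written to trust the declared length, the hardened one validates it first.

```python
import random
import struct

# Constructed record format for this example:
#   byte 0      record type (1 or 2)
#   bytes 1-2   payload length, big-endian
#   payload     `length` bytes
#   last byte   checksum = sum(payload) & 0xFF
SEED = b"\x01\x00\x05hello\x14"  # valid record, checksum 0x14 == sum(b"hello") & 0xFF


def parse_record_fragile(data: bytes) -> tuple[int, bytes]:
    """Deliberately fragile: trusts the input layout and declared length."""
    rtype = data[0]                                   # IndexError on empty input
    length = struct.unpack(">H", data[1:3])[0]        # struct.error if fewer than 3 bytes
    payload = data[3:3 + length]
    checksum = data[3 + length]                       # IndexError if length overruns the data
    if rtype not in (1, 2):
        raise ValueError("unknown record type")
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return rtype, payload


def parse_record_hardened(data: bytes) -> tuple[int, bytes]:
    """Same format, but every length is checked before it is used.

    The only exception it raises on malformed input is ValueError."""
    if len(data) < 4:
        raise ValueError("short header")
    rtype = data[0]
    length = struct.unpack(">H", data[1:3])[0]
    if len(data) < 4 + length:
        raise ValueError("truncated payload")
    payload = data[3:3 + length]
    checksum = data[3 + length]
    if rtype not in (1, 2):
        raise ValueError("unknown record type")
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return rtype, payload


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations to a copy of the seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(3)
        if choice == 0 and data:                      # overwrite one byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif choice == 1 and data:                    # truncate at a random point
            del data[rng.randrange(len(data)):]
        else:                                         # insert 1-8 random bytes
            i = rng.randrange(len(data) + 1)
            data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict[str, bytes]:
    """Run `target` on mutated inputs; return {exception name: first input that caused it}.

    ValueError is the parser's documented rejection of bad input, so it is not a finding.
    Anything else escaping the parser is an unhandled-input bug worth reporting."""
    rng = random.Random(rng_seed)                     # fixed seed makes runs reproducible
    crashes: dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                      # noqa: BLE001 - the fuzzer wants everything
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, parser in (("fragile", parse_record_fragile), ("hardened", parse_record_hardened)):
        found = fuzz(parser, SEED)
        print(f"{name}: {len(found)} distinct crash type(s)")
        for exc_name, case in found.items():
            print(f"  {exc_name}: {case!r}")
```

Running the script reports unhandled IndexError and struct.error inputs for the fragile parser and none for the hardened one. The point a practitioner should take from it: fuzzing does not need to know what the bug is, only what "unexpected" looks like (here, any exception other than the parser's own ValueError), and a fixed RNG seed turns a lucky crash into a reproducible test case.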
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Laws
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
________ is the concept that users should be granted only the levels of permissions they need in order to perform their duties.
Principle of least privilege
In 1989, the IAB issued a statement of policy about Internet ethics. This document is known as ________.
RFC 1087
In what type of attack does the attacker send unauthorized commands directly to a database?
SQL Injection
A(n) ________ is a formal contract between your organization and an outside firm that details the specific services the firm will provide.
Service-level agreement (SLA)
________ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization.
Standards
More and more organizations use the term ________ to describe the entire change and maintenance process for applications.
System development life cycle (SDLC)
Which of the following is true of procedures?
They provide for places within the process to conduct assurance checks.
A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing.
True
Classification scope determines what data you should classify; classification process determines how you handle classified data.
True
Company-related classifications are not standardized; therefore, there may be some differences between the terms "private" and "confidential" in different companies.
True
Configuration management is the management of modifications made to the hardware, software, firmware, documentation, test plans, and test documentation of an automated system throughout the system life cycle.
True
Data classification is the responsibility of the person who owns the data.
True
Policy sets the tone and culture of the organization.
True
Security administration is the group of individuals responsible for the planning, design, implementation, and monitoring of an organization's security plan.
True
There are several types of software development methods, but most traditional methods are based on the ________ model.
Waterfall
In an accreditation process, who has the authority to approve a system for implementation?
Authorizing official (AO)
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Authorization
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Project initiation and planning
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Service-level agreement (SLA)
The security program requires documentation of:
A. The security process B. The policies, procedures, and guidelines adopted by the organization C. The authority of the persons responsible for security
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision?
Threat
The change management process includes ________ control and ________ control.
Configuration; Change
A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans.
True
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
Waterfall