Chapter 4 - ITSY 1300
Many industry observers claim that ISO/IEC 17799, the precursor to ISO/IEC 27001, is not as complete as other frameworks. Select one: True False
True
NIST 800-14's Principles for Securing Information Technology Systems, can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. Select one: True False
True
NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size. Select one: True False
True
Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. Select one: True False
True
Some policies may also need a(n) sunset clause indicating their expiration date. _________________________ Select one: True False
True
Technical controls are the tactical and technical implementations of security in the organization. _________________________ Select one: True False
True
The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area. _________________________ Select one: True False
True
According to NIST SP 800-14's security principles, security should ________. Select one: a. All of the above b. support the mission of the organization c. require a comprehensive and integrated approach d. be cost-effective
a. All of the above
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________ Select one: a. All of the above b. proxy servers c. access controls d. firewalls
a. All of the above
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees. Select one: a. accidental b. physical c. intentional d. external
a. accidental
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. Select one: a. alert roster b. emergency notification system c. call register d. phone list
a. alert roster
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________." Select one: a. management b. implementation c. accreditation d. certification
a. management
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years. Select one: a. strategic b. operational c. standard d. tactical
a. strategic
_______ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization. Select one: a. Operational b. Technical c. Managerial d. Informational
c. Managerial
A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes __________. Select one: a. controls have proven ineffective b. controls have failed c. controls have been bypassed d. All of the above
d. All of the above
One of the basic tenets of security architectures is the layered implementation of security, which is called defense in redundancy. _________________________ Select one: True False
False
Systems-specific security policies, commonly referred to as a fair and responsible use policy, are used to control constituents' use of a particular resource, asset, or activity. _________________________ Select one: True False
False
The ISSP sets out the requirements that must be met by the information security blueprint or framework. Select one: True False
False
The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799. Select one: True False
False
The key components of the security perimeter include firewalls, DMZs (demilitarized zones), Web servers, and IDPSs. _________________________ Select one: True False
False
The operational plan documents the organization's intended long-term direction and efforts for the next several years. _________________________ Select one: True False
False
The security framework is a more detailed version of the security blueprint. Select one: True False
False
The security model is the basis for the design, selection, and implementation of all security program elements including such things as policy implementation and ongoing policy and program management. _________________________ Select one: True False
False
Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _________________________ Select one: True False
False
An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement. Select one: True False
False
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy. Select one: True False
True
The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _________________________ Select one: True False
True
The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. _________________________ Select one: True False
True
The stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins, is to offer guidelines and voluntary directions for information security management. _________________________ Select one: True False
True
To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards. Select one: True False
True
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date. Select one: True False
True
To remain viable, security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date.. _________________________ Select one: True False
True
You can create a single comprehensive ISSP document covering all information security issues. Select one: True False
True
_________ controls address personnel security, physical security, and the protection of production inputs and outputs. Select one: a. Managerial b. Operational c. Technical d. Informational
b. Operational
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. Select one: a. Domaining b. Redundancy c. Firewalling d. Hosting
b. Redundancy
_______often function as standards or procedures to be used when configuring or maintaining systems. Select one: a. ISSPs b. SysSPs c. ESSPs d. EISPs
b. SysSPs
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems Select one: a. It was not as complete as other frameworks. b. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799. c. The standard lacked the measurement precision associated with a technical standard. d. The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls.
b. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
A ____ site provides only rudimentary services and facilities. Select one: a. commercial b. cold c. warm d. hot
b. cold
Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident. Select one: a. containment strategy b. damage assessment c. incident response d. disaster assessment
b. damage assessment
Standards may be published, scrutinized, and ratified by a group, as in formal or ________standards. Select one: a. de facto b. de jure c. de formale d. de public
b. de jure
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____. Select one: a. remote journaling b. electronic vaulting c. off-site storage d. database shadowing
b. electronic vaulting
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________. Select one: a. blueprint b. standard c. policy d. plan
b. standard
Security __________ are the areas of trust within which users can freely communicate. Select one: a. layers b. domains c. rectangles d. perimeters
b. domains
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages? Select one: a. Determine mission/business processes and recovery criticality b. Identify recovery priorities for system resources c. All of these are BIA stages d. Identify resource requirements
c. All of these are BIA stages
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. Select one: a. Best-effort b. Proxy c. Defense in depth d. Networking
c. Defense in depth
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework that intends to allow organization to __________. Select one: a. assess progress toward a recommended target state b. communicate among local, state and national agencies about cybersecurity risk c. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process d. None of these
c. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization. Select one: a. operational b. Internet c. people d. technology
c. people
The ________is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. Select one: a. ISSP b. GSP c. SysSP d. EISP
d. EISP
A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization. Select one: a. model b. plan c. policy d. framework
d. framework
RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure. Select one: a. resistant b. replicated c. random d. redundant
d. redundant