CIST 1601 Chapter 4
________often function as standards or procedures to be used when configuring or maintaining systems. a. ESSPs b. ISSPs c. EISPs d. SysSPs
SysSPs
NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. True False
True
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees. a. accidental b. external c. intentional d. physical
accidental
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. a. emergency notification system b. alert roster c. call register d. phone list
alert roster
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________." a. management b. accreditation c. implementation d. certification
management
A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology. True False
False
The complete details of ISO/IEC 27002 are widely available to everyone. True False
False
The security framework is a more detailed version of the security blueprint. True False
False
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. a. Hosting b. Redundancy c. Firewalling d. Domaining
Redundancy
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________. a. controls have been bypassed b. controls have failed c. controls have proven ineffective d. All of the above
All of the above
According to NIST SP 800-14's security principles, security should ________. a. support the mission of the organization b. require a comprehensive and integrated approach c. be cost-effective d. All of the above
All of the above
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems? a. The standard lacked the measurement precision associated with a technical standard. b. It was not as complete as other frameworks. c. The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls. d. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
You can create a single, comprehensive ISSP document covering all information security issues. True False
True
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards. a. de jure b. de public c. de formale d. de facto
de jure
Security __________ are the areas of trust within which users can freely communicate. a. perimeters b. domains c. layers d. rectangles
domains
