EOM 5 Quiz (missed 2)

_________ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty. Loss magnitude Risk Loss frequency Loss

Risk

The Security Education Training and Awareness (SETA) program is a control measure designed to reduce the instances of __________ security breaches by employees. intentional external accidental physical

accidental

A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. (p. 229) emergency notification system alert roster phone list call register

alert roster

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____. (p. 242) off-site storage remote journaling electronic vaulting database shadowing

electronic vaulting

The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________." (p. 195) implementation certification management accreditation

management

The __________ is the difference between an organization's observed and desired performance. (p. 307) performance gap objective issue delta risk assessment

performance gap

The transfer of transaction data in real time to an off-site facility is called ____. (p. 242) off-site storage remote journaling electronic vaulting database shadowing

remote journaling

The first phase of risk management is _________. (p. 256) risk identification design risk control risk evaluation

risk identification

A _________ assigns a status level to employees to designate the maximum level of classified data they may access. (p. 268) security clearance scheme data recovery scheme risk management scheme data classification scheme

security clearance scheme

When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________. (p. 308) baselining best practices benchmarking standards of due care

standards of due care

A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years. (p.172) standard operational tactical strategic

strategic

The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations. (p. 296) transference defense acceptance mitigation

transference

_________ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident. Damage assessment Containment development Incident response Disaster assessment

Incident response

_________ addresses are sometimes called electronic serial numbers or hardware addresses. HTTP IP DHCP MAC

MAC

________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization. (p. 207) Managerial Technical Operational Informational

Managerial

__________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures. (p. 306) Qualitative assessment A metric-centric model Quantitative assessment A value-specific constant

Qualitative assessment

__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. (p. 209) Firewalling Hosting Redundancy Domaining

Redundancy

__________ is simply how often you expect a specific type of attack to occur. (p. 301) ARO - Annualized Rate of Occurrence CBA - Cost Benefit Analysis ALE - Annualized Loss Expectancy SLE - Single Loss Expectance

ARO - Annualized Rate of Occurrence

A fundamental difference between a Business Impact Analysis (BIA) and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________. (p. 220) controls have been bypassed controls have proven ineffective controls have failed All of the above

All of the above

According to NIST SP 800-14's security principles, security should ________. (p. 201-2) support the mission of the organization require a comprehensive and integrated approach be cost-effective All of the above

All of the above

Management of classified data includes its storage and _________. distribution portability destruction All of the above

All of the above

Redundancy can be implemented at a number of points throughout the security architecture, such as in ________. (p. 209) firewalls proxy servers access controls All of the above

All of the above

__________ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede. IR - incident response DR - disaster recovery BC - business continuity BR

DR - disaster recovery

__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. (p. 207) Networking Proxy Defense in depth Best-effort

Defense in depth

The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________. loss frequency annualized loss expectancy likelihood benefit of loss

annualized loss expectancy

A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it. (p. 266) security clearance scheme data recovery scheme risk management scheme data classification scheme

data classification scheme

Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards. (p. 177) de formale de public de jure de facto

de jure

The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. (p. 295) termination defense transference acceptance

defense

Security __________ are the areas of trust within which users can freely communicate. (p. 210) ​perimeters ​domains​ rectangles​ layers

domains

Some people search trash and recycling bins—a practice known as _________—to retrieve information that could embarrass a company or compromise information security. shoulder surfing dumpster diving pretexting corporate espionage

dumpster diving