IA Midterm


What is OECD?

Organization of Economic Cooperation and Development

What are the three elements of the CIA triad?

Confidentiality, Integrity, Availability

True or False: In deciding among certifications, it is typically not necessary to consider whether the certifications actually span specific industry and government boundaries.

False

What does AT&E stand for?

Awareness, Training, and Education

According to the readings - the activities such as systems scanning, application of software update patches and secure configuration enforcement are [BLANK] for cybersecurity personnel.

Common Foci

E. Felten observes: "Given a choice between [blank] and [blank], [blank] will pick dancing pigs every time." OPTIONS: security specialists, processes, measures, tools, authenticated users, IA professionals, people, uses and users, Security policy, Users, Dancing pigs

Dancing pigs, Security policy, Users

An organization has always kept a decentralized information technology infrastructure, which has led to servers under desks, coat closets arbitrarily being turned into wiring closets, and numerous portable hard drives floating around the organization. What could happen if the organization needed to institute a reduction in force because of changing market conditions? What can an organization do to prevent the risk of these changes?

Decentralized IT is often controlled at the whim of whoever possesses it. Therefore, if a rumor is started that a layoff is coming, some employees may be inclined to start copying organizational information to external drives so it can be taken for use at their next job. Worse, employees could start thinking about how to sabotage the organization should they get fired. Any information technology under their control is a possible target. Without understanding the assets of the organization, the controls in place, or how to gracefully remove employees, the organization is at risk of data exfiltration and sabotage. To prevent these actions, the organization should consider centralizing at least the data managed by the organization with tight controls around the access. The organization may also want to ensure any nondisclosure agreements (if any) are enforced during the transition period. Finally, before making any announcements, the organization may want to consider implementing a data loss prevention tool to help reduce the amount of data lost. The best way to avoid loss is to start with an environment that can withstand a layoff. This means a centralized IT infrastructure with tight controls around administrative access and production systems. It also means logging and strong IAAA to ensure accountability for actions. Finally, employees should be screened prior to hire and be required to sign nondisclosure agreements.

What are the six OECD principles?

Ensuring the basis of an effective corporate governance framework, The rights of shareholders and key ownership functions, The equitable treatment of shareholders, The role of stakeholders in corporate governance, Disclosure and transparency, The responsibilities of the board

True or False: Information assurance involves only the IT and IA organizations and other specialized technical employees.

False

True or False: A common model and understanding of information assurance is neither necessary nor sufficient if an organization intends to speak a common risk language and understand common objectives related to IA.

False

True or False: According to the readings, the term of art "process" constitutes a series of linked steps necessary in order to accomplish work. The process does not seek to turn input such as information or raw materials into a set of outputs such as products, services and reports.

False

True or False: An example of the concept "policy" follows: all sensitive information must not be handled with due care and in accordance with its impact categorization.

False

True or False: Certification and accreditation do not represent risk management tools that examine and report on the effectiveness of controls in managing risks.

False

True or False: Certification and accreditation have not been staples in the US government and other high assurance industries for a long time.

False

True or False: Cybersecurity is a relatively old term that has largely replaced the term computer security, which is often confused with information assurance and information security, used to describe the measures taken to protect electronic information systems against unauthorized access or attack.

False

True or False: Improperly performed, certification and accreditation provide a level of assurance to higher levels of management that lead to satisfaction and improved relations with stakeholders.

False

True or False: Personal information is not described in the US as either personally identifiable information (PII) or sensitive personal information (SPI), as used in IA and privacy laws; it is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

False

True or False: The chief information security officer (CISO) is the organizational official who has executive responsibility for serving as the primary liaison for the chief information officer to the organization's accreditation officials, information systems owners, common controls providers, and information systems security officers. The CISO maintains his/her information assurance duties as a secondary, not primary, responsibility.

False

True or False: The following are not salient considerations for outsourcing IA services: (1) maintaining security controls, (2) performance of necessary due diligence, (3) the conduct of proper audit processes and facilities prior to the execution of agreements and regular inspections thereafter.

False

True or False: The readings note that ethical environments within the organization serve to not limit the occurrence of unethical conduct within the organization.

False

True or False: When performing work tasks, it is not necessary for security professionals to retain information that conceivably could be used for personal benefit or be released to inappropriate parties.

False

True or False: The following are not the correct components of the PDCA model: Plan (establish the IAMS); Do (implement, operate, and maintain the IAMS); Check (monitor and review the IAMS); Act (execute, maintain and improve the IAMS).

False

True or False: According to our readings, users play a significant role and possess specific responsibilities for implementing information assurance. Based on these readings, there are two types of users; these types do not include (1) users of information and (2) users of systems.

False

True or False: In information systems, integrity is not a service that assures that the information in a system has not been altered except by authorized individuals and processes.

False

True or False: Organization processes rarely ever change and are not distinguished by the formation of autonomous workgroups or teams.

False

True or False: Since information should be secured throughout its life-cycle, securing information assets against the full spectrum of threats requires an event-oriented approach.

False

True or False: The CNSS defines several standards, which include standards on training in IT security. Current CNSS standards do not include: NSTISSI-4011 National Training Standard for Information Systems Security (INFOSEC) Professionals; CNSSI-4012 National Information Assurance Training Standard for Senior Systems Managers; CNSSI-4013 National Information Assurance Training Standard for System Administrators; CNSSI-4014 Information Assurance Training Standard for Information Systems Security Officers; NSTISSI-4015 National Training Standard for Systems Certifiers; CNSSI-4016 National Information Assurance Training Standard for Risk Analysts.

False

True or False: Threats do not generally originate with humans, technologies, and environmental conditions.

False

The term of art "defense in depth" means an [blank] that integrates [blank] in order to establish [blank] [blank]. Options: defective controls, defense the layers, "people, technology, and operational capabilities", CIA triad, IA strategy, multiple layers and dimensions of networks, information security, "confidentiality, integrity, and assurance", intractable barriers controlling, viable barriers across

IA strategy, "people, technology, and operational capabilities", viable barriers across, multiple layers and dimensions of networks

A member of your team informs you that the organization can purchase insurance for breaches of personally identifiable information (PII) and financial data such as credit card information. The insurance will cost less than the information assurance program proposed by the CISO. Would you purchase the insurance at the expense of an information assurance program?

If you would purchase the insurance, it is important to understand the insurance will cover only monetary exposure. Often, this covers only the expenses related to credit monitoring or identity theft mitigation. However, this will never cover the loss of reputation, the damage caused to an individual whose identity has been stolen, or business partners who are now sullied by a breach. While cybersecurity or breach insurance can be an important part of any risk management program, it cannot be relied upon to protect your organization in the same manner as an information assurance program can. Additionally, breach insurance providers require a functioning information assurance program before providing coverage.

An organization's web site has been collecting the actions of users for several years now. The web site was a social media overnight success, and the organization never got around to completing a privacy statement or terms of service. The organization has been selling the demographic information to advertisers and market researchers as part of its core business for more than a year now. The organization receives a legal summons related to privacy concerns of the site. What could have been done in the beginning to prevent the legal exposure?

In the United States, the terms of service and a privacy policy are commonly used with web sites such as social media and other sites that collect personally identifiable information (PII). These agreements explain how an organization will use the information and what, if any, expectation of privacy the end user has. While not completely bullet-proof, these documents when used properly can substantially reduce the amount of legal exposure because there is not a perception of deception. In other countries, such as the EU, the Data Protection Directive drives the requirements for collecting and handling PII. Organizations must understand the environments they operate in and the legal jurisdictions they must comply with. A list of privacy laws by state and country is available in Appendix F.

[BLANK] is a subdomain of [BLANK] which focuses on the [BLANK]. Choices are [information security], [information assurance], [CIA triad], [MSR Model], [information integrity], [information confidentiality]

Information security, information assurance, CIA triad

The Committee on National Security Systems (CNSS) is a United States [blank] that [blank] for the [blank] of the US security systems containing government data. Options: Gives Ruling, Sets Policy, Security, Intergovernmental organization, Makes laws, Non-government

Intergovernmental organization, sets policy, security

Information Assurance

Is the overarching approach for identifying, understanding, and managing risk through an organization's use of information and information systems

Organizations may merge the PDCA, OODA, and [blank] approaches in order to help determine the [blank] for the organization and therefore the [blank] approach. Options: model, Kill chain, best security architecture, best defense in depth, PDCA, construct, CIA triad, OODA, framework

Kill chain, best security architecture, best defense in depth

What assets or services do you think your organization considers critical for success? What is your organization's responsibility for those assets or services, and how are they currently protected? How do you know an appropriate level of due diligence and due care is being practiced in relation to your organization's use of information systems and data?

Occasionally, organizations overlook the exposure that may come from lax or negligent information assurance practices. Significant fines may be levied on organizations that do not protect sensitive information such as personally identifiable information or sensitive financial information. As information technology is becoming more ambiguous, a material finding in an information system is almost certainly going to relate to an internal control failure in a financial or management system. If your organization has not considered an industry-specific information assurance framework, why not? Consider the laws, regulations, and agreements that govern the work performed and determine whether frameworks exist. These frameworks can provide a starting point for determining the assurance of your organization's use of information technology.

[BLANK] - A high-level statement of an organization's [BLANK] and the [BLANK] for their attainment of a [BLANK]. Options: Values, needs, Policy, "beliefs, goals, objectives", "general means", "specified subject area", intentions, requirements, specific measures

Policy,"beliefs,goals,objectives",general means, specified subject area

SOC stands for

Security Operations Center

A breach has occurred, and according to the organization's web site privacy policy and terms of service, your customers agreed to whatever level of security the organization deemed sufficient and reasonable. Is the organization protected from retaliation from customers or other entities?

Several legal cases in the past several years have shown courts look at information assurance from a due diligence and due care standpoint. Customers have an expectation of protection and privacy from online retailers and therefore even though they may agree to the terms of service, courts can determine the organization is not meeting a common "reasonable" industry safeguard.

An organization has decided it needs a chief security officer to help determine the best way to implement the information assurance strategy.

The (ISC)2 CISSP and the ISACA CISM are the best certifications to review. While the certification is no guarantee of success, it is a statement of accomplishment and minimum knowledge acquired by the individual.

A chief information security officer (CISO) continuously reports issues of risk to senior management even though they continue to deny requests for resources to mitigate the risk. The CISO holds a CISSP. Why is the CISO continuing to report the risk if the board has not done anything about it in the past?

The CISO has an ethical responsibility. In accordance with the ISC2 ethics, he must "ensure all stakeholders are well-informed on the status of assignments and advise cautiously when required." Additionally, the CISO is bound by the following: "Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence."

An organization's medical information site is tracking individuals and using information about searches and personal information entered to develop individual profiles for marketing. The web site does not inform visitors they are being tracked and their information is being collected. Which OECD principle has been violated, and what can the organization do to remedy the situation?

The Purpose Specification Principle has been violated. It states the following: "Personal data should be collected for purposes specified not later than at the time of data collection. Subsequent use is limited to the fulfillment of the stated purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose." The organization should explicitly inform each user how their information will be used and give the user an opportunity to opt in to the process.

Why is the planning phase extremely important for an organization?

The planning phase will determine control selection, implementation, and ultimately resource costs. Improper planning can lead to substantial rework, which can increase the cost and delay the schedule of implementing effective security for an organization.

An organization's board of directors has recently experienced a substantial change in leadership. The new members of the board have demanded an external audit for internal control and information assurance. What should the president or leader of the organization be prepared to provide to ensure the board is comfortable with the audit results?

The president should understand the organization and the business or mission of the organization and how it relates to information assurance. The audit will most likely focus on internal controls that include regulatory requirements and separation of duties to prevent fraud. The audit will also cover how well the organization has identified its critical assets, services, and vulnerabilities. An organization that has not considered information assurance as part of its core culture and operations will experience a difficult audit.

The senior leadership of a large organization has never considered the need for information assurance in the organization's operations. After a series of attacks have crippled similar competitors, senior leadership is now concerned about information assurance. The information technology staff (both in-house and outsourced) has assured senior leadership repeatedly that there is nothing to worry about. Are they right?

The senior leaders of the organization should demand an information assurance function be developed and a permanent information assurance program be established. The information assurance program's primary responsibility will be to enable the mission of the organization while bringing visibility into the risk the organization is assuming. The information assurance program will be authorized to perform risk assessments against both in-house and outsourced IT to provide unbiased risk information to senior leadership and the board of directors if necessary.

An organization is considering placing all its policies, procedures, standards, and guidance in a single handbook so executive management has to sign off only once. What are the advantages and disadvantages to this approach?

The sole advantage is found in only needing the senior leadership approval once for the entire handbook. The issue is that as soon as a single part of the handbook is outdated, the entire handbook is outdated. Keeping a comprehensive handbook updated is also challenging because every version changes the entire context of the handbook. A better approach is to use a modular approach with tiered approvals. For example, policies are approved only by senior leadership, but they are scoped and written to last five years or longer. Standards and procedures may be approved by relevant experts such as IT standards by the CIO. Guidance could be developed and approved by almost any line manager throughout the organization. If a cohesive and modular naming framework is designed and implemented, this delegated approach of governance can be quite effective.

Your organization has a web site used for advertising your products or services around the world. The site is used only for disseminating information about your organization and its mission. What requirements (if any) should be in place regarding confidentiality, integrity, and availability?

There are various ways to approach this exercise. One example response from the text states, "Some would say there are no security requirements because 'it is just a web site.' However, they would be mistaken. What happens if the web site goes down when a large prospective client is searching for information about your products or services? What happens if an attacker defaces your web page or changes information about your products or services pricing and the same prospective client is reviewing the information? Clearly, there are impacts associated with integrity and availability that must be addressed. How about confidentiality? Well, since the entire purpose of the web presence is to spread information, there isn't one in this specific case. Executives and senior leadership must be aware that just because something isn't confidential doesn't mean it doesn't impact the organization and therefore require information assurance." A second possible response from the text raises another question, stating, "The prospective client places a large order over the phone. When the person arrives to deliver the product or service, the client states they never placed the order, and they must have been the victim of identity fraud. They then demand a full refund, and you end up assuming the wasted costs of the order. What could the organization do in the future to help ensure this doesn't happen again?" Lastly, according to the text, "The concept of trust leads organizations to take unwarranted risks that can have lasting impacts. In this scenario, the order process lacked any form of identification and nonrepudiation. Organizations cannot be expected to perform a full background check on every customer, but in this case the organization could have performed more due diligence because of the size of the order. Implementing a nonrepudiation process as part of the process for ordering a certain size or volume would have given the organization a chance to prove the client placed the order and was therefore responsible and accountable to pay for it."

What laws, regulations, or standards does your organization need to comply with?

This is a complex answer since it depends largely on the country, industry, and, in some cases, the local laws of the organization. For example, social media companies have discovered that while they may have started in one country, they are now subject to several differing national and international laws because they have allowed people from those countries to join their services. Senior leaders and executives must ensure their information technology activities are consistent with the requirements of international law and local law. Engaging legal counsel early in the process helps ensure compliance.

An executive receives an e-mail from a known colleague with an urgent message about the financial state of their organization attached in a PDF. What should the executive do? The executive is unaware of any financial problems with the organization, and the executive didn't request this information.

This may be a spear phishing e-mail. Opening the attachment or following links in the e-mail may lead the executive to compromise their system. Once compromised, that system can be used to launch further attacks against the organization and business partners. The prudent approach is to ensure end-point protection by making sure that your antivirus, anti-malware, and operating system patches are up-to-date. The organization should use security awareness training that includes content related to phishing and spear phishing. Next, the executive should ensure they are logged into their system only with a limited user account. If the executive constantly uses an administrator account, they are opening themselves up for attack because every action performed, including opening the e-mail, is performed at the administrator level of access, which can modify the system. Finally, the executive should call the party with a known good phone number to ensure they did send this information. If they did not, the executive may want to contact local law enforcement and determine whether they can assist in determining who is targeting the organization. The willingness and ability of law enforcement varies greatly by country and district. In almost all cases, the cost of determining who launched the attack greatly exceeds the costs associated with preventing successful spear phishing attacks.

The three states of information described in the MSR model are (from top to bottom)

Transmission, Storage, and Processing

True or False: According to FISMA, US agencies must use Federal Information Processing Standard (FIPS) 199 in order to determine the proper categorization of human resources information.

True

True or False: According to our class discussion, we can think about finding trust in IE environments as follows: trust is the confident reliance by one party on the behavior of other parties....

True

True or False: According to the readings, an organization should seek to limit reliance on key employees.

True

True or False: Accreditation is the formal declaration of the adequacy of a system's security to conform to operational requirements within an acceptable level of risk.

True

True or False: Accreditation is the official decision made by management to operate a system or a system of systems.

True

True or False: An employment contract or contract of employment is a kind of contract used in labor law to attribute rights and responsibilities between parties to a bargain. The contract is between an "employee" and an "employer".

True

True or False: An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.

True

True or False: As an information assurance professional, it is important that you have the ability to describe human threats in terms of their particular relationships to the organization. Internal or insider threats are individuals within the organization.

True

True or False: As part of an information assurance program, information assurance professionals should consider controls that can be implemented to minimize human risks. Examples of these controls include hiring the most qualified individuals, performing background screening, using detailed job scope and descriptions, enforcing reasonably strict access controls, providing IA awareness and training programs, and defining a clear disciplinary process for sanctions that involve violation of IA policies.

True

True or False: Considering IA staffing, once employees are hired, management should consider regularly providing all employees with appropriate levels of job-related training concerning policies and practices about IT, information security and information assurance.

True

True or False: Despite the ever-increasing utilization of advanced technologies, changes in work life settings and the challenges of maintaining high levels of economic growth, human resources largely determine organizational successes and failures.

True

True or False: Examples of integrity controls may be watermarks, bar codes, hashing, checksums, and cyclic redundancy checks (CRC).

True

True or False: IA may act as an essential barrier to prevent the adoption of unsafe business practices, rather than as an enabler for better business or governance.

True

True or False: In order to minimize IA risks, grant employees minimal or restricted access to information systems prior to the awareness and training programs being conducted.

True

True or False: Organizations differ in size, complexity, and culture, and there is no single structure to effectively manage IA programs.

True

True or False: Organizations should establish policy and procedures for secure offboarding by defining actions to be taken to handle absences and departures. These actions should include temporary or permanent closure of system accounts, steps for forwarding emails, changes of critical passwords and phone numbers, and disabling both local and remote access to all systems.

True

True or False: Policy, in IA contexts, can be construed as a set of formal rules of conduct that is controlled by some authority who has coercive capacities.

True

True or False: Related to the term of art "separation of duties": the practice of job division, as an IA HR control, may serve to minimize collusion as a component of potential fraud, sabotage, misuse of information, theft and other information assurance compromises related to human resources.

True

True or False: Security is no stronger than its weakest link. Cybersecurity is the result of many elements that interact to build the appropriate levels of defense.

True

True or False: Senior leadership commitment to IA serves to establish a level of due diligence within the particular organization that serves to promote a positive climate for mission and business or governance success.

True

True or False: Separation of duties constitutes the organized division of roles and responsibilities so that a single individual cannot sabotage a critical process.

True

True or False: Social engineering attacks typically rely on human trust. These attacks are usually performed over the phone or electronic means after sufficient background information has been obtained concerning the potential target.

True

True or False: The increasingly popular phrase "information assurance is a process and not a one-off event" is true.

True

True or False: The probability of a particular risk occurring is known as likelihood.

True

True or False: The risk management process model includes these listed main elements: background planning, asset analysis, threat analysis, vulnerability analysis, risk identification, risk analysis, risk treatment, and risk monitoring.

True

True or False: The term of art "procedure" means that the process or steps are typically mandatory.

True

True or False: The term of art "standard" means mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction they require in order to be meaningful and effective.

True

True or False: There are three controls that are required for ensuring proper management of assets. These controls include documentation concerning acceptable uses for assets, establishment that each asset has an assigned owner, and the conduct of categorical inventories to serve as the core for asset management.

True

True or False: Trust in IA contexts is both essential and overarching when we recognize that our observed environment is both risk-laden and uncertain. Human recognition facilitates our decision-making based on prior knowledge, skills and experiences. We should recognize that trust is both subjective and evolves over time.

True

True or False: Usually, the IA organizational structure is influenced by the organization's culture, the current business processes, and the particular IT services and functions within the particular organization.

True

True or False: With the development in international politics and security, it has become the norm for authorities in some countries to monitor personal information.

True

True or False: According to the readings, there should be a general policy of openness about developments, practices, and policies with particular respect to personal data.

True

True or False: Big data, as described by Gartner Corporation, consists of "high-volume, high-velocity, and high-variety information assets" that "demand cost-effective, innovative forms of information processing for enhanced insight and decision making".

True

True or False:Due care can be defined as the responsibility that managers and their organizations have a duty to provide for information assurance to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the systems being managed.

True

True or False:In some countries, employees of private organizations have no expectation of privacy while using organizational equipment.

True

True or False:The US Government operating Agency for CNSS appears to be the National Security Agency (NSA), which serves as primary contact for public inquiries.

True

True or False:The concept of tactical management examines business continuity, classification of data, process management, personnel security, and risk management.

True

True or False:The four characteristics of a professional certification standards follow: 1. Agreement on certification criteria or common body of knowledge, 2. Professionally supervised, 3.An acceptable level of work experience to qualify an individual for certification 4.Examination to demonstrate some quantifiable level of knowledge.

True

True or False:The importance of intellectual property law to the profession of information assurance is clearly obvious, since it is directly related to ideas or information.

True

True or False:The term of art information owner means an official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal.

True

True or False:The term—white hat hackers are people who elect to use their cybersecurity skills to determine whether systems are in fact - secure and operate their security tests — within strict rules of engagement and with the explicit permission of a system's owner.

True

True or False:Trust is the confident reliance by one party on the behavior of other parties....

True

An organization is considering developing an encryption policy. The penetration tester on the team starts documenting specific products and configurations to put into the policy. Should the policy contain these details?

Typically not. A policy is an overarching governance document developed to reflect senior management's position on a topic. While an encryption standard may include specific products and configurations, a policy would merely mention that the organization will follow organizational encryption standards. This helps ensure the policies remain enforceable while allowing the agility to change products or configurations if needed.

What information does your organization use, and what requirements must be met to ensure the confidentiality, integrity, and availability of the information? What drives these requirements for your organization?

While some information may seem clear, like PII, other information, such as an executive's calendar, may not. What requirements does the CEO of a business have for his calendar? Is there an expectation of confidentiality, or could it be made public with no recourse? How about the integrity of the calendar? Does it need to be 100 percent correct every time, and is it okay if anyone can make changes to it without permission? What about availability? Can it go down for a week at a time without notice and not have an impact on the organization? This is a simple example of something that may seem trivial (a calendar), but upon further analysis can have a substantial impact on how an organization operates.

Should all controls be subject to the ongoing Check phase?

Yes; however, they do not need to be checked at the same frequency. Some controls, such as policy, may need to be reviewed only annually or even less often. Controls such as patch management and IT network inventory should be conducted more frequently, such as daily or weekly. Finally, some controls, such as the network intrusion system, should be monitored in as near real time as possible.

Trust in IA contexts is [blank] when we recognize that our observed environment is [blank]. Human recognition facilitates our decision-making based on [blank]. We should recognize that trust is [blank]. Options: invisible, objective and non-evolutionary, apparent, not apparent, foundational and objective, risk-free and certain, both essential and overarching, both risk-laden and uncertain, "prior knowledge, skills, and experiences", both subjective and evolves over time, privacy and rights, subjective and fixed

both essential and overarching, both risk-laden and uncertain, prior knowledge, skills and experiences, both subjective and evolves over time

IA professionals recognize that temporal, environmental, and organizationally defined events, [blank], will typically trigger a review and require updates to [blank]. OPTIONS: hacking, CNN, CIA triad, coupled with expected incidents or breaches, PDCA model, certification and accreditation (C&A)

coupled with expected incidents or breaches, certification and accreditation (C&A)

Information protection

is best viewed as a subset of information security and is often defined in terms of protecting the confidentiality and integrity of information through a variety of means such as policy, standards, physical controls, technical controls, monitoring, and information classification or categorization.

Providing adequate IA is [blank]; it is and will probably remain a collection of [blank], policy development, implementation, and [blank]. OPTIONS: policy development, MSR Model, a one-time event, implementations, never a one time event, forensics, sanctions, responses to incidents

never a one time event, sanctions, responses to incidents

...Security constitutes a war between [blank]. On one side, the security designers and practitioners defend assets. On the other, collections of cyber attackers attempt to steal, impair, or destroy these [blank]. OPTIONS: security designer, liabilities, cyber-hackers, opponents, assets, MSR Model

opponents, assets

[blank] describes the control people have to regulate the flow of information about themselves selectively. Options: integrity, prolix tools, proximity mechanisms, personal sanctions, privacy

privacy

Professional certification is a [BLANK] to identify [BLANK] who have a [BLANK], who demonstrate some quantifiable level of [BLANK], and who subscribe to a code of professional ethics. Options: policies, procedure, individuals, common education and experience, knowledge and skills, guidelines, body of laws, code of political policies, code of professional ethics

procedure, individuals, common education and experience, knowledge and skills

Due Care

the development and implementation of policies and procedures to aid in performing the ongoing maintenance necessary to keep the IA processes operating properly - in order to protect assets and people from threats.
