IS Exam 2

Risk Management Process

1. Risk Identification 2. Risk Assessment 3. Risk Response 4. Implement risk responses 5. Monitor and control risk responses

Risk Methodology

A description of how you will manage overall risk. It includes the approach, required information, and techniques to address each risk.

Business Impact Analysis

A formal analysis of an organization's functions and activities that classifies them as critical or noncritical. Arranges critical activities based on importance and helps an organization determine which functions to restore in what order.

Risk Register

A list of identified risks that results from the risk-identification process.

Advantages of Biometrics

A person must be physically present to authenticate there is nothing to remember biometrics are hard to fake lost IDs or forgotten passwords are not problems

An audit examines whether security controls are appropriate, installed correctly, and _____ current addressing their purpose authorized cost effective

Addressing their purpose

The incident-handling process includes which of the following? Documentation Response Notification Recovery and followup All of the above

All of the above

What is the primary purpose of a business impact analysis? (BIA) a. to identify, categorize, and prioritize mission-critical business functions to provide a road map for business continuity and disaster recovery planning c. to assist organizations with risk management d. to assist organizations with incident response planning e. all of the above

All of the above

the objectives of classifying information include which of the following? to identify data value in accordance with organization policy to identify information protection requirements to standardize classification labeling throughout the organization to comply with privacy law, regulations, and so on all of the above

All of the above

Single Sign On

Allows users to sign on to a computer or network once and have their identification and authorization credentials allow them into all computers and systems where they are authorized.

Elements of Risk

Assets Vulnerabilities Threats

Which answer best describes the authentication component of access control? Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access authentication is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited authentication is the process of determining who is approved for access and what resources they are approved for authentication is the method a subject uses to request access to a system

Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access

Authentication vs Identification

Authentication is verifying someone's identify to ensure you are giving access to the right person. Identification is identifying that user when they try to request access

Which answer best describes the authorization component of access control? authorization is the method a subject uses to request access to a system authorization is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. authorization is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access authorization is the process of determining who is approved for access and what resources they are approved for.

Authorization is the process of determining who is approved for access and what resources they are approved for

A _____ is a standard used to measure how effective your system is as it relates to industry expectations Control objective Configuration Benchmark Policy

Benchmark

A plan that contains the actions needed to keep critical business processes running after a disruption is called a ____. Disaster recovery plan (DRP) Business impact analysis (BIA) Business continuity plan (BCP) None of the above

Business Continuity plan

An algorithm used for cryptographic purposes is known as a ____ Hash Private Key Public Key Cipher

Cipher

The recovery point objective defines the last point in time for _____ recovery that can be enabled back into production. a. system b. application c. production d. data

Data

A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a ______. Disaster recovery plan (DRP) Business impact analysis (BIA) Business continuity plan (BCP) None of the above

Disaster Recovery Plan

When the owner of the resource determines the access and changes permissions as needed, it's known as ______. Mandatory access control Discretionary access control Non discretionary access control content dependent access control Role based access control

Discretionary access control

what law governs the release of student information? HIPAA SOX FERPA CIPA none of the above

FERPA

Which software testing method provides random input to see how software handles unexpected data? Injection Fuzzing Valid error input Boundary input

Fuzzing

Policy Enforcement Phase

Grants or rejects requests for access based on authorizations defined in the first phase.

Any event that either violates or threatens to violate your security policy is known as a ___. Countermeasure Impact Risk Incident

Incident

Authentication Types

Knowledge Ownership Characteristics Location Action

Data Retention

Laws outline the right ways to handle, store, and dispose of data

When you log on to a network, you are presented with some combination of username, password, token, smart card, or biometrics. You are then authorized or denied access by the system. This is an example of ____. Physical access controls Logical access controls Group membership policy The Biba integrity model None of the above

Logical access controls

Configuration Management

Managing the baseline settings of a system or device.

______ is the limit of time that a business can survive without a particular critical system. Recovery time objective (RTO) Critical business function (CBF) Maximum tolerable downtime (MTD) None of the above

Maximum tolerable downtime (MTD)

Types of Access Controls

Physical Logical

change management

Process of managing changes to computer/device configuration or application software

Which term indicates the maximum amount of data loss over a time period? a. RAI b. ROI c. RTO d. RPO e. none of the above

RPO

Log Files

Records that detail who logged onto the system, when they logged on, and what information and resources they used.

a common platform for capturing and analyzing log entries is _____. intrusion detection system honeypot security information and event management (SIEM) HIPAA All of the above

SIEM

Media Disposal

Shredding, burning, grinding of CDs and other forms of media to dispose of private information.

In ____ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern matching and stateful matching Signature based Anomaly based Heuristic Scanning All of the above

Signature based

Monitoring and Reviews

Software that monitors your activity logs and generates alerts when it finds suspicious activity

_____ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization

Standards

Which of the following is an example of a formal model of access control? a. discretionary access control (DAC) mandatory access control (MAC) non discretionary access control the clark and wilson integrity model all of the above

The clark and wilson integrity model

Risk Management is responding to a negative event when it occurs. a. True b. False

True

With respect to IT security, a risk can result in either a positive or negative effect a. True b. False

True

Four Central Components of Access Control

Users Resources Actions Relationships

There are several types of software development methods, but most traditional methods are based on the ____ model. Modification Waterfall Developer Integration

Waterfall

Policy Definition Phase

Who has access and what systems or resources can they use

Business Continuity Plan

a written plan for a structured response to any events that result in an interruption to critical business functions or activities.

What elements must a written GLBA information security program include? technical safeguards physical safeguards administrative safeguards a designated employee to run the program all of the above

all of the above

Which of the following business drivers are impacting businesses' and organization's security requirements and implementations? a. Mobility b. Regulatory compliance c. Productivity enhancements d. Always on connectivity e. All of the above

all of the above

Which of the following is one of the four basic forms of a cryptographic attack? ciphertext only attack known plaintext attack chosen plaintext attack chosen ciphertext attack all of the above

all of the above

Single Point of Failure (SPOF)

any component that if it fails, could interrupt business processing

Vulnerability

any exposure that could allow a threat to be realized

A _____ is used to detect forgeries hash function checksum hash vlue KDC

checksum

Gap Analysis

comparison of the security controls you have in place and control you need

what is a main goal of the PCI security council? define a standardized approach for protecting cardholder data recommend firewall solutions define how to process credit cards mandate organizations follow a standard to protect cardholder data

define a standardized approach for protecting cardholder data

Technical Recovery Requirements

define the technical prerequisites that are needed to support each critical business function

Security Policy

defines a risk mitigating definition or solution for your organization

a ________ signature is a representation of a physical signature stored in digital format. digital digitized private key public key

digital

Disaster Recovery Plan

directs the actions necessary to recover resources after a disaster

Poliies

document management's goals and objectives (short summary of key facts and stated at a high level)

GPS

install a GPS that uses satellite and cellular communications to pinpoint the physical location of the device

Remote Wiping

install software that will enable organizations to initiate remote wiping of data or email in the event of loss or theft of the device

Standards

mandated requirements for hardware and software solutions used to address security risk throughout an organization

____ corroborates the identity of an entity, whether the sender, the senders computer, some device, or some information. nonrepudiation confidentiality integrity authentication

nonrepudiation

Disadvantages of Biometrics

physical characteristics might change physically disabled persons

_____ is the concept that users should be granted only the levels of permissions they need in order to perform their duties Mandatory vacations Separation of duties Job rotation Principle of least privilege None of the above

principle of least privilege

Guidelines

provide structure to a security program. actions that the organization recommends.

What types of companies must follow all sarbanes-oxley act provisions? public private nonprofit governmantal none of the above

public

The review of the system to learn as much as possible about the organization, its systems, and networks is known as _____ penetration testing vulnerability testing network mapping reconnaissance

reconnaissance

Which of the following terms defines the amount of time it takes to recover a production IT system, application, and access to data? a. recovery point objective b. recovery time objective c. risk exposure time d. production recovery time

recovery time objective

Impact

refers to the amount of harm a threat exploiting a vulnerability can cause

Asset Tracking

require that all IT assets that are connected to the IT infrastructure to be tracked as IT assets by the organization

Device Access Control

require that all personally owned devices conform to the BYOD policy

Full Device Encryption

require that laptops, tablets, and smartphones are equipped with data encryption

Removable Storage

require the use of removable storage or data backups as defined in the BYOD policy

Business Recovery Requirements

requirements identify any other business functions that must already be in place for the recovery function to occur.

Threat

something that might happen

Procedures

step by step systematic actions to accomplish a security requirement process

Security Gap

the difference between the security controls you have in place and the controls you need in order to address all vulnerabilities

Risk

the likelihood that a particular threat will be realized against a specific vulnerability

Recovery Time Objective

the maximum allowable time to recovery the function.

Recovery Point Objective (RPO)

the maximum amount of data loss that is acceptable.

Emergency Operations Center (EOC)

the place where the recovery team will meet and work during a disruption

Risk Management

the process of identifying, assessing, prioritizing, and addressing risks