ISS Final
c. security awareness
A SETA program consists of three elements: security education, security training, and which of the following? a. security accountability b. security authentication c. security awareness d. security authorization
b. collusion
A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known as __________. a. job rotation b. collusion c. collision d. two-person control
b. analysis
A gathering of key reference materials is performed during which phase of the SDLC? a. implementation b. analysis c. design d. investigation
a. standard of due care
A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances. a. standard of due care b. due diligence c. duty of loyalty d. duty of obedience
d. vulnerability
A potential weakness in an asset or its defensive control systems is known as a a. threat b. attack c. exploit d. vulnerability
b. analysis
A risk assessment is performed during which phase of the SecSDLC? a. implementation b. analysis c. design d. investigation
c. exploit
A technique used to compromise a system is known as a(n) a. threat b. attack c. exploit d. vulnerability
a. weighted table analysis or weighted factor analysis
A useful tool for resolving the issue of what business function is the most critical, based on criteria selected by the organization, is the __________. a. weighted table analysis or weighted factor analysis b. threats-vulnerability-assets worksheet or TVA c. business impact assessment or BIA d. critical path method assessment or CPMA
b. baseline
A ______________ is derived by comparing measured actual performance against established standards for the measured category. a. benchmark b. baseline
c. trespass
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. a. bypass b. theft c. trespass d. security
b. defense
Application of training and education is a common method of which risk control strategy? a. transference b. defense c. mitigation d. acceptance
c. hoaxes
As frustrating as viruses and worms are, perhaps more time and money are spent on resolving virus ____________________. a. false alarms b. polymorphisms c. hoaxes d. urban legends
b. single loss expectancy
By multiplying the asset value by the exposure factor, you can calculate which of the following? a. annual loss expectancy b. single loss expectancy c. risk appetite
b. wander freely in and out of facilities
Contract employees, or simply contractors, should not be allowed to do what? a. Work on the premises. b. Wander freely in and out of facilities. c. Visit the facility without an escort. d. Be compensated based on hourly rates.
b. sensitivity and security needs
Data classification schemes should categorize info assets based on which of the following? a. value and uniqueness b. sensitivity and security needs c. cost and replacement value d. ease of reproduction and fragility
a. control
In the COSO framework, ___________ activities include those policies and procedures that support management directives. a. control b. frame c. respond d. inform
a. design
In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies? a. design b. implementation c. investigation d. analysis
a. accept or ignore
Reserves and contingency plans would be used in which risk strategy ? a. accept or ignore b. avoidance c. mitigation d. transfer e. none of the above
a. incident response plan
Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach? a. incident response plan b. business continuity plan c. termination
d. InfoSec Governance
The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. Control environment b. Risk assessment c. Control activities d. InfoSec Governance
a. inform
The NIST risk management approach includes all but which of the following? a. inform b. assess c. frame d. respond
b. risk tolerance
The assessment of the amount of risk an organization is willing to accept for a particular info asset is known as __________. a. residual risk b. risk tolerance
performance measurements
The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization.
d. CBA
The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization. a. SLE b. ALE c. ARO d. CBA
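The SLE, ALE and CBA cards above, and the weighted factor analysis card, are the arithmetic of quantitative risk assessment. The following is an added example, not part of the original study guide, that works the formulas end to end: SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(prior) - ALE(post) - ACS, and a weighted factor analysis that ranks assets by criteria weights summing to 100. The asset names, values, exposure factors, ARO figures, criteria and weights are all constructed for illustration.

```python
"""Added example (not part of the original study guide): the quantitative
risk formulas behind the SLE, ALE and CBA cards, plus the weighted factor
analysis used to rank assets. Asset names, values, exposure factors and
weights are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # AV: asset value in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV x EF: the loss from a single realized incident."""
    return asset.value * asset.exposure_factor


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: the expected loss per year."""
    return single_loss_expectancy(asset) * asset.aro


def cost_benefit(before: Asset, after: Asset, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.

    'after' is the same asset with the EF and/or ARO the control is expected
    to leave behind. A positive result means the control pays for itself.
    """
    return (annual_loss_expectancy(before)
            - annual_loss_expectancy(after)
            - annual_cost_of_safeguard)


def weighted_factor_analysis(scores, weights):
    """Rank assets by sum(weight_c * score_c) over the chosen criteria.

    scores:  {asset_name: {criterion: score in 0..1}}
    weights: {criterion: weight}, weights summing to 100
    Returns [(asset_name, weighted_score)] from most to least critical.
    """
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("criterion weights must sum to 100")
    ranked = []
    for name, by_criterion in scores.items():
        total = 0.0
        for criterion, weight in weights.items():
            score = by_criterion[criterion]  # KeyError if an asset was not scored
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"{name}/{criterion}: score {score} outside 0..1")
            total += weight * score
        ranked.append((name, total))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


# Constructed inventory: AV, EF and ARO are made-up figures.
CUSTOMER_DB = Asset("customer_db", value=100_000, exposure_factor=0.5, aro=0.2)
# The same asset after adding tested offline backups (hypothetical EF reduction).
CUSTOMER_DB_WITH_BACKUPS = Asset("customer_db", value=100_000, exposure_factor=0.1, aro=0.2)
BACKUP_ANNUAL_COST = 5_000  # ACS: annual cost of the safeguard (constructed)

# Constructed criteria weights (sum to 100) and per-asset scores in 0..1.
WEIGHTS = {"revenue_impact": 60, "public_image": 30, "profitability": 10}
SCORES = {
    "customer_db":    {"revenue_impact": 1.0, "public_image": 0.8, "profitability": 0.9},
    "marketing_site": {"revenue_impact": 0.3, "public_image": 1.0, "profitability": 0.2},
    "hr_records":     {"revenue_impact": 0.5, "public_image": 0.6, "profitability": 0.3},
}

if __name__ == "__main__":
    print("SLE", single_loss_expectancy(CUSTOMER_DB))    # 50000.0
    print("ALE", annual_loss_expectancy(CUSTOMER_DB))    # 10000.0
    print("CBA", cost_benefit(CUSTOMER_DB, CUSTOMER_DB_WITH_BACKUPS, BACKUP_ANNUAL_COST))  # 3000.0
    for name, score in weighted_factor_analysis(SCORES, WEIGHTS):
        print(f"{name:15s} {score:5.1f}")
```

Note the check in `cost_benefit`: a control that cuts the ALE by less than its own annual cost returns a negative CBA, which is exactly the situation in which the acceptance strategy becomes defensible (see the acceptance card below).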
c. determined that the costs to control risk to an information asset are much lower than the benefit gained from the information asset
The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? a. determined the level of risk posed to the information asset b. performed a thorough cost-benefit analysis c. determined that the costs to control risk to an information asset are much lower than the benefit gained from the information asset d. assessed the probability of an attack and the likelihood of a successful exploitation of a vulnerability
a. vulnerability assessment
The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization
a. convergence
The process of integrating the governance of the physical security and information security efforts is known in the industry as ______. a. convergence b. combination c. intimation d. optimization
b. by adding barriers
The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge b. by adding barriers c. by developing skills d. by improving awareness
c. cryptanalysis
The science of cryptology includes both cryptography and a. algorithms b. ciphers c. cryptanalysis d. encryption
d. authentication
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process? a. accountability b. authorization c. identification d. authentication
b. packet sniffer
This is used to provide a network admin with valuable information to help diagnose and resolve networking issues. In the wrong hands, it can be used to eavesdrop on network traffic. a. proxy server b. packet sniffer c. trap and trace
a. VPN
This keeps the contents of the network messages hidden from those who may have access to public traffic. It is a private secure network operated over a public and insecure network. a. VPN b. NIST c. CIST d. Kerberos
a. asymmetric
This type of encryption requires one key to encrypt and another to decrypt. It is most valuable when one key is public and the other is private. a. asymmetric b. symmetric c. substitution d. transposition
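To make "one key to encrypt and another to decrypt" concrete, here is an added example that is not part of the original study guide: a toy RSA keypair built from two deliberately tiny primes so the numbers can be checked by hand. Decrypting requires the private exponent; applying the public key a second time does not recover the message, and the same operation with the roles of the keys swapped gives a signature. The primes and message values are constructed. Real RSA uses keys of 2048 bits or more and a padding scheme (OAEP for encryption, PSS for signatures), never raw modular exponentiation as shown here.

```python
"""Added example, not from the original study guide: a toy RSA keypair to
show what 'one key to encrypt and another to decrypt' means. The primes
are deliberately tiny so the arithmetic can be checked by hand; real RSA
uses keys of 2048 bits or more and padding (OAEP/PSS), never raw pow()."""
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Build (public, private) keys from two distinct primes p and q."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse: e*d == 1 (mod phi), Python 3.8+
    return (e, n), (d, n)


def apply_key(key, m: int) -> int:
    """Raise m to the key's exponent mod n. The same operation encrypts
    (public key), decrypts (private key), signs (private) and verifies
    (public); only the exponent differs."""
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError(f"message {m} must be in [0, {n})")
    return pow(m, exponent, n)


def encrypt(public_key, m: int) -> int:
    return apply_key(public_key, m)


def decrypt(private_key, c: int) -> int:
    return apply_key(private_key, c)


def sign(private_key, digest: int) -> int:
    return apply_key(private_key, digest)


def verify(public_key, digest: int, signature: int) -> bool:
    return apply_key(public_key, signature) == digest


# Constructed toy parameters: p=61, q=53 gives n=3233, phi=3120, d=2753.
PUBLIC, PRIVATE = make_keypair(61, 53)

if __name__ == "__main__":
    m = 65
    c = encrypt(PUBLIC, m)
    print("ciphertext:", c)                                       # 2790
    print("decrypted with private key:", decrypt(PRIVATE, c))      # 65
    print("public key applied again:", apply_key(PUBLIC, c))       # not 65
    s = sign(PRIVATE, m)
    print("signature verifies:", verify(PUBLIC, m, s))            # True
    print("tampered digest verifies:", verify(PUBLIC, m + 1, s))  # False
```

The point the card is making is visible in the last three lines: the public exponent can only go one way, so anyone may encrypt to the key holder (or check a signature), while only the holder of the private exponent can read the ciphertext (or produce a signature).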
a. 40
What percentage of businesses that do not have a disaster plan go out of business after a major loss? a. 40 b. 50 c. 20 d. 35
c. accountability
What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication
a. qualitative risk assessment
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? a. qualitative risk assessment b. Delphi c. NIST
c. vulnerabilities
What is defined as specific avenues that threat agents can exploit to attack an information asset? a. Liabilities b. Defenses c. Vulnerabilities d. Weaknesses
c. reduce the occurrence of accidental security breaches
What is the SETA program designed to do? a. reduce the occurrence of external attacks b. improve operations c. reduce the occurrence of accidental security breaches d. increase the efficiency of InfoSec staff
d. ranking assets in order of importance
What is the final step in the risk identification process? a. assessing values for information assets b. classifying and categorizing assets c. identifying and inventorying assets d. ranking assets in order of importance
a. retina scan
What is the most effective biometric authentication technology? a. retina scan b. fingerprint c. photo ID d. key card
c. photo ID
What is the most widely accepted biometric authentication technology? a. retina scan b. fingerprint c. photo ID d. key card
c. performance targets
What makes it possible to define success in the security program? a. performance measurements b. performance metrics c. performance targets d. performance tests
a. business continuity
When a disaster renders the current business location unusable, which plan is put into action? a. business continuity b. crisis management c. incident response d. business impact analysis
d. evaluated how the new technology will enhance employee skills
When an information security team is faced with a new technology, which of the following is NOT a recommended approach? a. Determine if the benefits of the proposed technology justify the expected costs. b. Include costs for any additional risk control requirements that are mandated by the new technology. c. Consider how the proposed solution will affect the organization's risk exposure. d. Evaluate how the new technology will enhance employee skills.
c. planning
Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? a. compliance b. policy c. planning d. systems security administration
b. authentication
Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area? a. identification b. authentication c. authorization d. accountability
e. all of the above
Which of the following affects an organization's info security environment? a. formation of new partnerships b. dissolution of old partnerships c. hiring of new personnel d. shifting business priorities e. all of the above
d. mitigation
Which of the following describes an organization's efforts to reduce damages caused by a realized incident or disaster? a. defense b. termination c. acceptance d. mitigation
b. risk assessment
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk? a. risk management b. risk assessment c. systems testing d. vulnerability assessment
b. mitigating
Which of the following is NOT a category of access control? a. preventative b. mitigating c. deterrent d. compensating
d. same certification and accreditation agency or standard
Which of the following is NOT a consideration when selecting recommended best practices? a. threat environment is similar b. resource expenditures are practical c. organization structure is similar d. same certification and accreditation agency or standard
d. react
Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)? a. Identify b. Detect c. Recover d. React
b. former employee's home computer must be audited
Which of the following is NOT a task that must be performed if an employee is terminated? a. former employee must return all media b. former employee's home computer must be audited c. former employee's office computer must be secured d. former employee should be escorted from the premises
c. replacement
Which of the following is NOT one of the administrative challenges to the operation of firewalls? a. training b. uniqueness c. replacement d. responsibility
d. for official use only
Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret d. for official use only
d. inform
Which of the following is NOT part of the Incident Response Plan? a. detection b. reaction c. recovery d. inform
d. resource intensive, to the point of being inefficient
Which of the following is a disadvantage of the one-on-one training method? a. inflexible scheduling b. may not be responsive to the needs of all the trainees c. content may not be customized to the needs of the organization d. resource intensive, to the point of being inefficient
a. framework
Which of the following is a generic model for a security program? a. framework b. methodology c. security standard d. blueprint
d. interaction with trainer is possible
Which of the following is an advantage of the formal class method of training? a. Personal b. Self-paced, can go as fast or as slow as the trainee needs c. Can be scheduled to fit the needs of the trainee d. Interaction with trainer is possible
a. usually conducted in an informal social setting
Which of the following is an advantage of the user support group form of training? a. Usually conducted in an informal social setting b. Formal training plan c. Can be live, or can be archived and viewed at the trainee's convenience d. Can be customized to the needs of the trainee
b. information on the structure of the InfoSec organization
Which of the following is an element of the enterprise information security policy? a. access control lists b. information on the structure of the InfoSec organization c. articulation of the organization's SDLC methodology d. indemnification of the organization against liability
e. all of the above
Which of the following is included in an InfoSec performance program? a. strong upper-level management support b. practical InfoSec policies and procedures c. quantifiable performance measurements d. results-oriented measurement analysis e. all of the above
c. identify program scope, goals, and objectives
Which of the following is the first step in the process of implementing training? a. identify training staff b. identify target audiences c. identify program scope, goals, and objectives d. motivate management and employees
c. separation of duties
Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs? a. task rotation b. mandatory vacations c. separation of duties d. job rotation
a. COBIT
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? a. COBIT b. COSO c. NIST d. ISO
a. security technician
Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems? a. security technician b. security analyst c. security consultant d. security manager
d. EISP
Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP
a. Policy Review and Modification
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose
b. proxy server
Which type of device exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server? a.dynamic packet filtering firewall b.proxy server c.intrusion detection system d.application layer firewall
b. standard
Which type of document is a more detailed statement of what must be done to comply with a policy? a. procedure b. standard c. guideline d. practice
a. issue-specific
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? a. issue-specific b. enterprise information c. system-specific d. user-specific
a. temporary workers
Workers brought in to fill positions temporarily or to supplement the existing workforce. a. temporary workers b. contract employees c. consultants
c. consultants
Workers hired for a specific task or project. a. temporary workers b. contract employees c. consultants
c. contract employees
Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as __________. a. temporary workers b. consultants c. contract employees d. business partners
c. least privilege
_____________ ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary. a. long arm b. mandatory access control c. least privilege
d. Trojan horses
___________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated. a. Viruses b. Worms c. Spam d. Trojan horses
a. benchmarking
_______________is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate. a. benchmarking b. baselining
c. temporal isolation
A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary
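Three of the controls on the cards above (least privilege, separation of duties in the policy card, and temporal isolation here) and the accountability that audit logs provide all show up together in a typical approval workflow. The following is an added example, not part of the original study guide, of a small policy evaluator for a payment system: a role can only perform the actions it is explicitly granted, the person who created a payment cannot approve it, approval is only possible inside a daily time window (the software equivalent of a time-release safe), and every decision is written to an audit log so that it can be attributed to a user. The users, roles, actions and time window are constructed for illustration.

```python
"""Added example, not from the original study guide: an access-control
policy evaluator combining least privilege, separation of duties and
temporal isolation, with an audit log for accountability. Users, roles,
actions and the time window are constructed for illustration."""
from datetime import datetime, time

# Least privilege: each role lists only the actions it needs (constructed).
ROLE_PERMISSIONS = {
    "clerk":   {"payment:create", "payment:view"},
    "manager": {"payment:create", "payment:approve", "payment:view"},
    "auditor": {"payment:view"},
}
USER_ROLES = {"alice": "clerk", "bob": "manager", "carol": "auditor"}

# Temporal isolation: these actions are refused outside the window, whatever the role.
TIME_WINDOWS = {"payment:approve": (time(9, 0), time(17, 0))}

# Accountability: every decision, allowed or not, is recorded against a user.
AUDIT_LOG: list[dict] = []


def authorize(user: str, action: str, payment: dict, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) and record the decision in AUDIT_LOG."""
    allowed, reason = _decide(user, action, payment, now)
    AUDIT_LOG.append({
        "when": now.isoformat(), "user": user, "action": action,
        "payment": payment["id"], "allowed": allowed, "reason": reason,
    })
    return allowed, reason


def _decide(user: str, action: str, payment: dict, now: datetime) -> tuple[bool, str]:
    role = USER_ROLES.get(user)
    if role is None:
        # An unidentified principal cannot be held accountable, so nothing is allowed.
        return False, "unknown principal"
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False, f"least privilege: role {role} is not granted {action}"
    window = TIME_WINDOWS.get(action)
    if window is not None and not (window[0] <= now.time() < window[1]):
        return False, f"temporal isolation: {action} only between {window[0]} and {window[1]}"
    if action == "payment:approve" and payment["created_by"] == user:
        return False, "separation of duties: creator may not approve their own payment"
    return True, "allowed"


if __name__ == "__main__":
    payment = {"id": "P-1", "created_by": "alice"}  # constructed record
    for user, action, when in [
        ("alice", "payment:create", datetime(2024, 3, 4, 3, 0)),
        ("carol", "payment:approve", datetime(2024, 3, 4, 10, 30)),
        ("bob", "payment:approve", datetime(2024, 3, 4, 3, 0)),
        ("bob", "payment:approve", datetime(2024, 3, 4, 10, 30)),
        ("bob", "payment:approve", datetime(2024, 3, 4, 10, 30)) if False else
        ("mallory", "payment:view", datetime(2024, 3, 4, 10, 30)),
    ]:
        print(user, action, authorize(user, action, payment, when))
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks is deliberate: identity first (no identity, no accountability), then the role's grant, then the time window, then the per-transaction separation-of-duties rule, so the audit reason names the first control that refused the request.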