itsy 1300 review
false
A report indicating that a system's disk is 80 percent full is a good indication that something is wrong with that system.
true
After audit activities are completed, auditors perform data analysis.
Acceptability
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
true
An SOC 1 report is commonly implemented for organizations that must comply with Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA).
In an accreditation process, who has the authority to approve a system for implementation? A. Certifier B. Authorizing official (AO) C. System owner D. System administrator
B. Authorizing official (AO) The authorizing official (AO) is a senior manager who reviews the certification report and makes the decision to approve a system for implementation. The AO officially acknowledges and accepts the risk that the system may pose to agency mission, assets, or individuals.
Certification is the formal agreement by an authorizing official to accept the risk of implementing a system. A. True B. False
B. False Accreditation is the formal agreement by an authorizing official to accept the risk of implementing a system. Certification is the process of reviewing a system throughout its life cycle to ensure that it meets its specified security requirements.
false
Committee of Sponsoring Organizations (COSO) is a set of best practices for IT management.
TRUE
Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.
Forensics and incident response are examples of __________ controls.
Corrective
Does the firewall properly block unsolicited network connection attempts?
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? A. Identification B. Authentication C. Accountability D. Authorization
D. Authorization Authorization determines the permissions that a user or process has in an access control scheme. In this case, Janet is determining those permissions, so she is performing an authorization function.
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions? A. Value B. Sensitivity C. Criticality D. Threat
D. Threat The three characteristics normally used to make classification decisions are value, sensitivity, and criticality.
true
During the planning and execution phases of an audit, an auditor will most likely review risk analysis output.
false
During the secure phase of a security review, you review and measure all controls to capture actions and changes on the system.
A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure.
False
Risk refers to the amount of harm a threat exploiting a vulnerability can cause.
False
With adequate security controls and defenses, an organization can often reduce its risk to zero.
False
black-box test
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?
Which recovery site option provides readiness in minutes to hours?
Hot site
true
In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?
Incident
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?
Mantraps
What term describes the longest period of time that a business can survive without a particular critical system?
Maximum Tolerable Downtime
FALSE
Passphrases are less secure than passwords.
TRUE
Single sign-on (SSO) can provide for stronger passwords because with only one password to remember, users are generally willing to use stronger passwords.
security kernel
The _________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
FALSE
The four central components of access control are users, resources, actions, and features.
A personnel safety plan should include an escape plan.
True
A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely.
True
Administrative controls develop and ensure compliance with policy and procedures.
True
Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF).
True
In remote journaling, a system writes a log of online transactions to an offsite location.
True
Organizations should seek a balance between the utility and cost of various risk management options.
True
FALSE
User-based permission levels limit a person to executing certain functions and often enforce mutual exclusivity.
FALSE
Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software.
Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?
Warm site
Details on major issues
What information should an auditor share with the client during an exit interview?
Security Assertion Markup Language (SAML)
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
System integrity monitoring
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
FALSE
You should use easy-to-remember personal information to create secure passwords.
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.
disaster
A remediation liaison makes sure all personnel are aware of and comply with an organization's policies. A. True B. False
B. False A compliance liaison makes sure all personnel are aware of and comply with an organization's policies. Remediation involves fixing something that is broken or defective.
The term "data owner" refers to the person or group that manages an IT infrastructure. A. True B. False
B. False The term "system owner" refers to the person or group that manages the infrastructure. The data owner is the person who owns the data or someone the owner assigns.
Accountability
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
TRUE
Fingerprints, palm prints, and retina scans are types of biometrics.
true
In security testing data collection, observation is the input used to differentiate between paper procedures and the way the job is really done.
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual risk
audit
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
FALSE
Temporal isolation is commonly used in combination with rule-based access control.
FALSE
Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files.
Separation of duties
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Examples of major disruptions include extreme weather, application failure, and criminal activity.
True
report writing
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?
Use at least six alphanumeric characters
Which one of the following is NOT a commonly accepted best practice for password security?
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?
2
TRUE
A degausser creates a magnetic field that erases data from magnetic storage media.
true
Performing security testing includes vulnerability testing and penetration testing.
A control limits or constrains behavior.
True
Physical characteristics may change.
Which one of the following is NOT an advantage of biometric systems?
Subjects cannot change objects that have a lower integrity level.
Which one of the following principles is NOT a component of the Biba integrity model?
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer
TRUE
A Chinese wall security policy defines a barrier and develops a set of rules that makes sure no subject gets to objects on the other side.
Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets. A. True B. False
B. False The interconnection service agreement (ISA) serves as an agreement that documents the technical requirements of interconnected assets, and is often an extension of an MOU. A BPA creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services.
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventative
While running business operations at an alternate site, you must continue to make backups of data and systems.
True
Redundant Array of Independent Disks (RAID)
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Lower dependence on outside vendors
Which of the following is NOT a benefit of cloud computing to organizations?
MAC Filtering
Which of the following is an example of a hardware security control?
TRUE
A smart card is a token shaped like a credit card that contains one or more microprocessor chips that accept, store and send information through a reader.
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?
$2,000,000
Deterrent controls identify that a threat has landed in your system.
False
Discretionary access control (DAC)
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Secure Sockets Layer (SSL)
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? A. An organization should collect only what it needs. B. An organization should share its information. C. An organization should keep its information up to date. D. An organization should properly destroy its information when it is no longer needed.
B. An organization should share its information. The OECD guidelines state that an organization should NOT share its information. Other principles in those guidelines state that organizations should collect only what they need, keep information up-to-date, properly destroy information, and use information only for the purpose for which it was collected.
Change doesn't create risk for a business. A. True B. False
B. False Change creates risk for a business. It might circumvent established security features and it could result in outage or system failure. It might require extensive retraining for employees to learn how to use the new systems.
Classification scope determines what data you should classify; classification process determines how you handle classified data. A. True B. False
A. True
Social engineering is deceiving or using people to get around security controls. A. True B. False
A. True
Standards are used when an organization has selected a solution to fulfill a policy goal. A. True B. False
A. True
False positive error
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?
true
SOC 2 reports are created for internal and other authorized stakeholders and are commonly implemented for service providers, hosted data centers, and managed cloud computing providers.
Implementing and monitoring risk responses are part of the risk management process.
True
In an incremental backup, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes.
True
TRUE
A trusted operating system (TOS) provides features that satisfy specific government requirements for security.
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? A. Baseline B. Policy C. Guideline D. Procedure
A. Baseline Baselines provide basic configurations for specific types of computers or devices. Baselines are the benchmarks that help make sure a minimum level of security exists across multiple systems and across different products.
Which activity manages the baseline settings for a system or device? A. Configuration control B. Reactive change management C. Proactive change management D. Change control
A. Configuration control Configuration control is the management of the baseline settings for a system or device. The baseline settings are designed to meet security requirements.
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
A. Service level agreement (SLA) SLAs are formal contracts that detail the specific services a vendor will provide. Notification of security breaches is a common requirement found in SLAs.
A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing. A. True B. False
A. True
A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans. A. True B. False
A. True
Written security policies document management's goals and objectives. A. True B. False
A. True
false
An SOC 1 report primarily focuses on security.
true
An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured.
true
Anomaly-based intrusion detection systems compare current activity with stored profiles of normal (expected) activity.
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? A. Reduced operating costs B. Access to a high level of expertise C. Developing in-house talent D. Building internal knowledge
B. Access to a high level of expertise In this scenario, Mark is most likely to achieve access to a high level of expertise because security vendors focus exclusively on providing advanced security services. Mark's costs are likely to increase rather than decrease with outsourcing, and this decision will inhibit developing internal knowledge and talent.
A hardware configuration chart should NOT include copies of software configurations. A. True B. False
B. False A hardware configuration chart should include copies of all software configurations so that you can examine changes and updates planned for one device in terms of their impact on other devices.
What is NOT a good practice for developing strong professional ethics? A. Set the example by demonstrating ethics in daily activities B. Encourage adopting ethical guidelines and standards C. Assume that information should be free D. Inform users through security awareness training
C. Assume that information should be free Users should not assume that information is free and should respect intellectual property rights. Assuming that information should be free is one of the common fallacies about ethics.
prudent
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
What is NOT a goal of information security awareness programs? A. Teach users about security objectives B. Inform users about trends and threats in security C. Motivate users to comply with security policy D. Punish users who violate policy
D. Punish users who violate policy Security awareness programs should teach, inform, and motivate users. Although users who intentionally violate policies may be punished for their actions, this is a disciplinary issue that should be handled outside of the awareness program.
true
Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.
What is a key principle of risk management programs?
Don't spend more to protect an asset than it is worth.
true
During an audit, an auditor compares the current setting of a computer or device with a benchmark to help identify differences.
Authorization
During which phase of the access control process does the system answer the question, "What can the requestor access?"
SOC 3
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.
False
Jake has been asked to help test the business continuity plan at an offsite location while the system at the main location is shut down. He is participating in a parallel test.
False
The first step in the risk management process is to monitor and control deployed countermeasures.
False
Security information and event management (SIEM)
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
Is the security control effective in addressing the risk it was designed to address?
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
True
Many jurisdictions require audits by law.
Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?
Qualitative
Which data source comes first in the order of volatility when conducting a forensic investigation?
RAM
false
Regarding security controls, the four most common permission levels are poor, permissive, prudent, and paranoid.
true
Security information and event management (SIEM)
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?
Supervisory Control and Data Acquisition (SCADA)
false
The four main types of logs that you need to keep to support security auditing include event, access, user, and security.
FALSE
The number of failed logon attempts that trigger an account action is called an audit logon event.
Fencing and mantraps are examples of physical controls.
True
The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws.
True
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?
Vulnerability
Kerberos
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket granting servers (TGSs)?
Checklist
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
Crossover error rate (CER)
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
Signature detection
Which intrusion detection system strategy relies upon pattern matching?
Resumes of system administrators
Which item is an auditor least likely to review during a system controls audit?
Smart card and personal identification number (PIN)
Which one of the following is an example of two-factor authentication?
network mapping
Which security testing activity uses tools that scan for services running on systems?
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$2,000,000
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?
20 percent
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data? A. Formatting B. Degaussing C. Physical destruction D. Overwriting
A. Formatting Formatting a disk does not remove the data stored on it and is not a reliable data destruction technique. Physically destroying the media, overwriting the data multiple times, and degaussing with a magnetic field are all acceptable means for data destruction.
Which of the following would NOT be considered in the scope of organizational compliance efforts? A. Laws B. Company policy C. Internal audit D. Corporate culture
A. Laws Organizational compliance efforts include compliance with an organization's own policies, audits, culture, and standards. Legal compliance falls under the realm of regulatory compliance, not organizational compliance.
One advantage of using a security management firm for security monitoring is that it has a high level of expertise. A. True B. False
A. True
Mandatory vacations minimize risk by rotating employees among various systems or duties. A. True B. False
B. False Job rotation minimizes risk by rotating employees among various systems or duties. Mandatory vacations give you the opportunity to detect fraud. When users are on vacation, you should suspend their access to your environment.
Procedures do NOT reduce mistakes in a crisis. A. True B. False
B. False Procedures reduce mistakes in a crisis, ensure you don't miss important steps, provide for places within the process to conduct assurance checks, and are mandatory requirements.
What is the correct order of steps in the change control process? A. Request, approval, impact assessment, build/test, monitor, implement B. Request, impact assessment, approval, build/test, implement, monitor C. Request, approval, impact assessment, build/test, implement, monitor D. Request, impact assessment, approval, build/test, monitor, implement
B. Request, impact assessment, approval, build/test, implement, monitor The sequence of events during the change control process is request, impact assessment, approval, build/test, implement, and monitor.
In what type of attack does the attacker send unauthorized commands directly to a database? A. Cross-site scripting B. SQL injection C. Cross-site request forgery D. Database dumping
B. SQL injection In an SQL injection attack, the attacker executes malicious SQL statements against a database that provide unauthorized access to data or allow other unauthorized database activities.
TRUE
Log files are records that detail who logged on to a system, when they logged on, and what information or resources they used.
System Configuration
What is NOT generally a section in an audit report?
IT Infrastructure Library
What is a set of concepts and policies for managing IT infrastructure, development, and operations?
Managers should include their responses to the draft audit report in the final audit report.
When should an organization's managers have an opportunity to respond to the findings in an audit?
Password
Which one of the following is an example of a logical access control?
Personal Information Protection and Electronic Documents Act (PIPEDA)
Which regulatory standard would NOT require audits of companies in the United States?
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of? A. Intimidation B. Name dropping C. Appeal for help D. Phishing
D. Phishing Phishing attacks use email messages and/or webpages that resemble the work of a reputable organization. They attempt to deceive users into revealing sensitive information, such as passwords.
Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking? A. Project initiation and planning B. Functional requirements and definition C. System design specification D. Operations and maintenance
A. Project initiation and planning The project initiation and planning phase includes developing project budgets, system design, maintenance, and the project timeline.
Company-related classifications are not standard; therefore, there may be some differences between the terms "private" and "confidential" in different companies. A. True B. False
A. True
Policies that cover data management should cover transitions throughout the data life cycle. A. True B. False
A. True
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege. A. True B. False
A. True
With proactive change management, management initiates the change to achieve a desired goal. A. True B. False
A. True
Configuration changes can be made at any time during a system life cycle and no process is required. A. True B. False
B. False It's important that all configuration changes occur only within a controlled process. Uncontrolled configuration changes often result in conflicts and even new security vulnerabilities.
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? A. Seeking to gain unauthorized access to resources B. Disrupting intended use of the Internet C. Enforcing the integrity of computer-based information D. Compromising the privacy of users
C. Enforcing the integrity of computer-based information RFC 1087 outlines six categories of unethical activity. IAB considers unethical and unacceptable any activity that purposely (1) seeks to gain unauthorized access to the resources of the Internet, (2) disrupts the intended use of the Internet, (3) wastes resources (people, capacity, computer) through such actions, (4) destroys the integrity of computer-based information, (5) compromises the privacy of users, or (6) involves negligence in the conduct of Internet-wide experiments.
Which agreement type is typically less formal than other agreements and expresses areas of common interest? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
C. Memorandum of understanding (MOU) An MOU, also called a letter of intent, is an agreement between two or more parties that expresses areas of common interest that result in shared actions. MOUs are generally less enforceable than a formal agreement.
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? A. Job rotation B. Least privilege C. Need-to-know D. Separation of duties
D. Separation of duties The principle of separation of duties breaks a task into subtasks that different users must carry out. This means that a single user cannot carry out a critical task without the help or approval of another user.
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? A. Spiral B. Agile C. Lean D. Waterfall
D. Waterfall The waterfall model is a sequential process for developing software. The essence of the waterfall model is that no phase begins until the previous phase is complete.
FALSE
DIAMETER is a research and development project funded by the European Commission.
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?
Reduce
true
Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets.
false
Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events.