Management of Information Security Chapter 8

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

False

A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. __________

temporal isolation

A time-release safe is an example of which type of access control?

rule-based access controls

Access is granted based on a set of rules specified by the central authority.

governance

Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs.

constrained user interface

An ATM that limits what kinds of transactions a user can perform is an example of which type of access control?

dumpster diving

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________.

content-dependent access controls

Controls access to a specific set of information based on its content.

sensitivity levels

Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme.

separation of duties

Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.

False

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

InfoSec governance

The COSO framework is built on five interrelated components. Which of the following is NOT one of them?

Governance Framework

The Information Security __________ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization.

COBIT

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

security clearances

Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle?

True

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. __________

timing channel

A TCSEC-defined covert channel, which transmits information by managing the relative timing of events.

task-based controls

A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.

blueprint

A framework or security model customized to an organization, including implementation details.

True

A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. __________

False

A security ​monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. __________

DAC

Controls implemented at the discretion or option of the data user.

corrective

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

False

Dumpster exploitation is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. __________

False

In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user).​ __________

blueprint

In information security, a framework or security model customized to an organization, including implementation details, is a _________.

False

In information security, a framework or security model customized to an organization, including implementation details, is known as a template. __________

True

In information security, a security blueprint is a framework or security model customized to an organization, including implementation details.

framework

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________.

False

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. __________

content-dependent access controls

In which form of access control is access to a specific set of information contingent on its subject matter?

True

Lattice-based access control specifies the level of access each subject has to each object, if any.

SP 800-12, Rev. 1: An Introduction to Information Security (2017)

This NIST publication provides information on the elements of InfoSec, key roles and responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its use, among other topics needed for a foundation in InfoSec.

storage channel

One of the TCSEC's covert channels, which communicate by modifying a stored object.

ISO 27002

One of the most widely referenced InfoSec management models, known as Information Technology—Code of Practice for Information Security Management, is also known as __________.

managing the development and operation of IT infrastructures

The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________.

False

The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. __________

False

The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.

False

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as required privilege. __________

False

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolationof duties. __________

SP 800-100: Information Security Handbook: A Guide for Managers (2007)

The managerial tutorial equivalent of NIST SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a security program, is NIST __________.

False

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as minimal access.

access control list

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

False

Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors.

Protection Profile (PP)

Under the Common Criteria, which term describes the user-generated specifications for security requirements?

separation of duties

What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them?

It was feared it would lead to government intrusion into business matters.

When the ISO 27002 standard was first proposed, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them?

SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996)

Which NIST publication describes the philosophical guidelines that the security team should integrate into the entire InfoSec process, beginning with "Security supports the mission of the organization"?

need-to-know

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

least privilege

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?

deterrent

Which control category discourages an incipient incident—e.g., video monitoring?

mitigating

Which of the following is NOT a category of access control?

no changes by authorized subjects without external validation

Which of the following is NOT a change control principle of the Clark-Wilson model?

for official use only

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?

framework

Which of the following is a generic model for a security program?

To offer guidance for the management of InfoSec to individuals responsible for their organization's security programs

Which of the following is the original purpose of ISO/IEC 17799?

reference monitor

Which piece of the Trusted Computing Base's security system manages access controls?

Biba

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones?

TCSEC

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

nondiscretionary

Which type of access controls can be role-based or task-based?

TCB

Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.


Kaugnay na mga set ng pag-aaral

Introduction to Nutrition HLTH1010 - Final Milestone

View Set