midterm
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. a. Governance b. Controlling c. Leading d. Strategy
a. Governance
According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy? a. confidentiality b. availability c. integrity d. accountability
a. confidentiality
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. a. data owners b. data custodians c. data users d. data generators
a. data owners
The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. a. investigation b. analysis c. implementation d. justification
a. investigation
Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT: a. its personnel structure b. its desired outcomes c. its priorities d. its intent
a. its personnel structure
The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics? a. market b. budget c. size d. culture
a. market
The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts. a. risk management policy b. enterprise information security policy c. risk control implementation policy d. risk management board directive
a. risk management policy
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________. a. threat b. attack c. exploit d. vulnerability
a. threat
- governance
all the activities, methods, and practices that provide strategic direction, objectives, and accountability for info sec; everything we do to manage compliance/good security; most effective when led by senior management
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted factor ___ worksheet.
analysis table
An organization carries out a risk ___ function to evaluate risks present in IT initiatives and/or systems.
assessment
ISACA is a professional association with a focus on ___, control, and security.
auditing
- CIA triad components
availability, integrity, confidentiality
Which law extends protection to intellectual property, which includes words published in electronic formats? a. Freedom of Information Act b. U.S. Copyright Law c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act
b. U.S. Copyright Law
A process that defines what the user is permitted to do is known as __________. a. identification b. authorization c. accountability d. authentication
b. authorization
The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge b. by adding barriers c. by developing skills d. by improving awareness
b. by adding barriers
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? a. policy administration b. due diligence c. adequate security measures d. certification and accreditation
b. due diligence
Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. planning b. policy c. programs d. people
b. policy
An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as __________. a. crypto locking b. ransomware c. jailbreaking d. spam
b. ransomware
Human error or failure often can be prevented with training and awareness programs, policy, and __________. a. outsourcing b. technical controls c. hugs d. ISO 27000
b. technical controls
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? a. risk exposure report b. threats-vulnerabilities-assets worksheet c. costs-risks-prevention database d. threat assessment catalog
b. threats-vulnerabilities-assets worksheet
One form of e-mail attack that is also a DoS attack is called a mail ___, in which an attacker overwhelms the receiver with excessive quantities of e-mail.
bomb
Which law addresses privacy and security concerns associated with the electronic transmission of PHI? a. USA PATRIOT Act of 2001 b. American Recovery and Reinvestment Act c. Health Information Technology for Economic and Clinical Health Act d. National Information Infrastructure Protection Act of 1996
c. Health Information Technology for Economic and Clinical Health Act
- org focused on ethics
SANS
What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication
c. accountability
There are a number of methods for customizing training for users; two of the most common involve customizing by __________ and by __________. a. skill level; employee rank b. department; seniority c. functional background; skill level d. educational level; organizational need
c. functional background; skill level
Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. tort b. criminal c. private d. public
c. private
The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization. a. information asset value weighted table analysis b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet
c. threat severity weighted table analysis
Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process c. utilizing the technical expertise of the individual administrators d. coordinated planning from upper management
c. utilizing the technical expertise of the individual administrators
- Tort
civil matter; when there is personal/financial injury
- Difference between civil & criminal law
civil= resolve disputes between "individuals" and criminal= maintain social order
Some information gathering techniques are quite legal—for example, using a Web browser to perform market research. These legal techniques are called, collectively, ___.
competitive intelligence
The process of integrating the governance of physical security and information security efforts is known in the industry as ___.
convergence
- 3 kinds of public law
criminal, civil (broken into administrative and constitutional law)
- Computer Fraud and Abuse Act of 1986
1st federal attempt to regulate how computers/networks could be used in a lawful way
Which of the following should be included in an InfoSec governance program? a. An InfoSec maintenance methodology b. An InfoSec risk management methodology c. An InfoSec project management assessment d. All of these are components of the InfoSec governance program.
d. All of these are components of the InfoSec governance program.
Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? a. U.S. Copyright Law b. PCI DSS c. European Council Cybercrime Convention d. DMCA
d. DMCA
- which org is the oldest
ACM (Association for Computing Machinery)
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system? a. The Telecommunications Deregulation and Competition Act b. National Information Infrastructure Protection Act c. Computer Fraud and Abuse Act d. The Computer Security Act
d. The Computer Security Act
Access control lists regulate who, what, when, where, and why authorized users can access a system.
F
The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
F
Threats from insiders are more likely in a small organization than in a large one.
F
Which of the following activities is part of the risk evaluation process? a. creating an inventory of information assets b. classifying and organizing information assets into meaningful groups c. assigning a value to each information asset d. calculating the severity of risks to which assets are exposed in their current setting
d. calculating the severity of risks to which assets are exposed in their current setting
The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. a. investigation b. analysis c. implementation d. design
d. design
Which phase of the SDLC should see clear articulation of goals? a. design b. analysis c. implementation d. investigation
d. investigation
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives? a. strategic b. operational c. organizational d. tactical
d. tactical
In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it? a. spiral b. evolutionary prototyping c. agile d. waterfall
d. waterfall
A(n) ___ law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information.
data breach
- best way to stop bad things from happening
deterrence
The evaluation of and reaction to risk across the entire organization is known as ___.
enterprise risk management (ERM).
The branch of philosophy that considers the nature, criteria, sources, logic, and validity of moral judgment is known as ___.
ethics
Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex.
f
Legal assessment for the implementation of the information security program is almost always done by the information security or IT department.
f
MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.
f
The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks.
f
Using complex project management tools may result in a complication where the project manager creates project diagrams with insufficient detail for the implementation of the project.
f
- 1997 law about encryption
Security and Freedom through Encryption Act; made lawful the ability to encrypt communication
- 1999 law that governs who can see what info in banks
Gramm-Leach-Bliley Act
- 3 communities of an org
info sec people, IT people, end users
Risk ___ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
Establishing performance measures and creating project ___ simplifies project monitoring.
milestones
Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.
morals/cultural norms
- CNSS Model
more granular view of the CIA triad; 24 topics/areas of interest
- Kennedy-Kassebaum Act
ordered HIPAA to be made/enforced
A ___ is simply a manager's or other governing body's statement of intent regarding employee behavior with respect to the workplace.
policy
The champion and manager of the information security policy is called the ___
policy administrator.
- info sec
protection of any system that processes, stores, transmits, etc. information
- Privacy
right of individuals to have their info protected from unauthorized use
The ___ program is designed to reduce the occurrence of accidental security breaches by members of the organization.
security education, training, and awareness (SETA)
- stakeholders
someone who can suffer a loss as the result of an org's action; not necessarily an owner
- Three levels of planning: highest
strategic; comes from upper management to plan the organization's future; pretty general/not specific
Shoulder ___ is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance.
surfing
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
t
Small organizations spend more per user on security than medium- and large-sized organizations.
t
- Three levels of planning: 2nd highest
tactical; 1-3 year planning; the more specific breakdown of the strategic planning
The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as risk ___.
tolerance
A(n) __________ is a potential weakness in an asset or its defensive control(s).
vulnerability
- DoS vs DDoS
• DoS = denial of service; overwhelms a system to keep it from doing anything productive; easier to defend against than DDoS • DDoS = distributed denial of service; coordinated attack from many locations
- 3 types of infosec policy
• EISP = enterprise information security policy; highest level • ISSP = issue-specific security policy • SysSP = system-specific security policy; most technical, e.g. "configure the firewall in this way"
- Objectives (steps) of the infosec SDLC
• Investigation • Analysis • Logical design & physical design • Implementation • Maintenance
- identification vs authorization vs authentication
• identification: how we know who you are (passwords) • authorization: not a technical step; it's a management/control activity granting an individual certain access within a system • authentication: where ID and authorization come together; matches identification with your authorization privileges
- Three levels of planning: lowest
• lowest = operational; day-to-day, short term (a few months), very focused and objective; done by first-level managers
- values, vision, and mission
• mission = what the org does and who it does it for; most explicit • vision = idealistic expression of what the org wants to become • values = core values of the company
- 3 guidelines for sound policy
• relevant; contributes to the success of the org • comprehensive sharing of responsibility • policy making should be inclusive
___ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.
Projectitis