MIS 418 Midterm T/F
2. Corruption of information can occur only while information is being stored. a. True b. False
False
Chapter 2
1. Ethics carry the sanction of a governing authority. a. True b. False
False
9. Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________
False - aggregation
7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________
False - baseline
14. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________
False - bomb
8. The macro virus infects the key operating system files located in a computer's start up sector. _________________________
False - boot
11. A signaling law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________
False - breach
9. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________
False - brute force
11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________
False - classification
10. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. _________________________
False - cracker
2. The InfoSec community often takes on the leadership role in addressing risk. a. True b. False
True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed. a. True b. False
True
6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
True
3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for. a. True b. False
False
3. The authorization process takes place before the authentication process. a. True b. False
False
3. The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses. a. True b. False
False
6. Values statements should therefore be ambiguous; after all, they are meant to express the aspirations of the organization.
False - Vision, vision
7. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection. ___________
False - analysis
13. The information technology management community of interest often takes on the leadership role in addressing risk. ____________
False - infosec, information security
12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________
False - likelihood
3. Deterrence is the best method for preventing an illegal or unethical activity. ____________
True
4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. a. True b. False
True
9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. a. True b. False
True
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________
True
12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
True
13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
True
14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________
True
2. A clearly directed strategy flows from top to bottom rather than from bottom to top. a. True b. False
True
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system. a. True b. False
True
2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes. a. True b. False
True
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. a. True b. False
True
4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. a. True b. False
True
4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. a. True b. False
True
5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
True
5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. a. True b. False
True
5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. a. True b. False
True
7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True
8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
True
Chapter 4
1. Policies must specify penalties for unacceptable behavior and define an appeals process. a. True b. False
True
Chapter 5
1. Small organizations spend more per user on security than medium- and large-sized organizations. a. True b. False
True
Chapter 1
1. The first step in solving problems is to gather facts and make assumptions. a. True b. False
False
6. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________
False - surfing
11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True
1. Having an established risk management program means that an organization's assets are completely protected. a. True b. False
False
2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments. a. True b. False
False
2. The defense risk control strategy may be accomplished by outsourcing to other organizations. a. True b. False
False
3. MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof. a. True b. False
False
3. Threats from insiders are more likely in a small organization than in a large one. a. True b. False
False
4. A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems. a. True b. False
False
4. Rule-based policies are less specific to the operation of a system than access control lists. a. True b. False
False
4. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks. a. True b. False
False
5. DoS attacks cannot be launched against routers. a. True b. False
False
5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. a. True b. False
False
6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables. a. True b. False
False
8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application. a. True b. False
False
Chapter 3
1. Because it sets out general business intentions, a mission statement does not need to be concise. a. True b. False
False
10. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False - Economic
6. The secretarial community often takes on the leadership role in addressing risk. ____________
False - InfoSec, infosec, Information Security, information security
6. Technology is the essential foundation of an effective information security program. _____________
False - Policy
11. The risk control strategy that indicates the organization is willing to accept the current level of risk; as a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation, is known as the termination risk control strategy. ____________
False - acceptance
4. ISACA is a professional association with a focus on authorization, control, and security. ___________
False - auditing
5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams. a. True b. False
True
7. Planners need to estimate the effort required to complete each task, subtask, or action step. a. True b. False
True
13. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________
False - packet
9. Examples of actions that illustrate compliance with policies are known as laws.
False - practices
15. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
False - qualitative
15. In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence. ____________
False - rate
7. It is the responsibility of InfoSec professionals to understand state laws and standards. ____________
False - regulations
10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.
False - software
7. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. _________________________
False - spike
7. A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
False - stakeholder
6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
False - defense
8. The ISA 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.
False - governance
8. Non-mandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________
False - guidelines
9. The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. ____________
False - identification
12. Most information security projects require a trained project developer. _________________________
False - manager
11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
False - milestones
10. An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________
False - technical
8. InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False - technology
10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________
False - threat
9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________
False - transference
14. A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
False - vulnerabilities
8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________
False - vulnerabilities
10. Each organization has to determine its own project management methodology for IT and information security projects. a. True b. False
True