Polling Questions
A potential weakness in an asset or its defensive control system is a __________? a. Vulnerability b. Threat Agent c. Exploit d. Countermeasure
A. Vulnerability
The C.I.A. Triad industry standard for computer security has all of the following characteristics except? a. Confidentiality b. Integrity c. Shareability d. Availability
C. Shareability
When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow which approach? a. Executive-led b. Trickle-down c. Top-down d. Bottom-up
C. Top-down
Email is the most private form of communication and it is safe to use with personal information. True/False
False
Notification from an IDPS (Intrusion Detection and Prevention System) always indicates a definite incident is in progress since these tools are easy to configure and operate? True/False
False
Service level agreements (SLA) are considered optional in most cases when an organization engages a third party for cloud computing services or other outsourced services? True/False
False
The process an organization uses to assign a risk rating or score to each information asset is a risk evaluation? True/False
False
Pretexting to gain confidential information is no longer considered a viable threat as the human element is considered the strongest link in the security chain? True/False
False - Human error is the weakest link
Passwords should only be shared with trusted people and the IT Security Department. True/False
False - never share with anyone
A zero-day attack makes use of malware that is not yet known to the anti-virus software companies? True/False
True
Cloud-based provisioning can be both a potential continuity option for production systems and a mechanism to manage recovery from disrupted operations? True/False
True
Everyone has responsibility to protect company confidential and sensitive information? True/False
True
SP 800-18, "Guide for Developing Security Plans for Federal Information Systems," is considered the foundation for a comprehensive security blueprint and framework? True/False
True
Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. It should also guide organizational efforts and focus resources toward specific, clearly defined goals? True/False
True
The information technology community of interest must assist in risk management by configuring and operating information systems in a secure fashion? True/False
True
The person responsible for the storage, maintenance, and protection of information is the data custodian? True/False
True
A hacker will typically utilize IP spoofing to install a _________ to monitor data traveling over a network? a. Packet Sniffer b. Mail bomb c. Integer bug d. Denial of service attack
a. Packet Sniffer
A hacker would typically attempt to attain which of the following in order to gain advanced access and control over the compromised system? a. Privilege Escalation b. Zombie Control c. A Man in the Middle Attack d. Identity of the CEO Through Social Media
a. Privilege Escalation
Before deciding on a treatment strategy for a specific TVA triple, the organization should perform which of the following to determine the merits of the treatment? a. economic feasibility study b. threat assessment only c. risk appetite calculation d. asset valuation only
a. economic feasibility study
As the text describes, the purpose of digital forensics is to preserve? a. evidentiary material (EM) b. database shadowing c. warm sites d. recovery criticality
a. evidentiary material (EM)
In developing information security guidance, which is the hierarchy of development? a. policy, standards, guidelines, procedures b. policy, procedures, standards, guidelines c. standards, procedures, guidelines, policy d. practices, policy, standards, guidelines
a. policy, standards, guidelines, procedures
Which risk control strategy attempts to shift residual risk to other assets, other processes, or other organizations? a. transference b. defense c. acceptance d. mitigation
a. transference
The _______has primary responsibility for the assessment, management, and implementation of information security in the organization? a. Board Chairperson b. CISO c. CIO d. CFO
b. CISO
Which of the following forms of social engineering attempts to direct a target to provide personal or confidential information? a. Ransomware b. Phishing c. Adware d. Worm
b. Phishing
Incident Response (IR) actions can be organized into three phases. Which of the following is not an IR phase? a. Detection b. Simulation c. Reaction/Response d. Recovery
b. Simulation
What is the term for the actions taken by management, specifically the organization's efforts and actions, if an adverse event becomes an incident or disaster? a. CSIRT plan (Computer Security Incident Response Team) b. contingency planning c. business continuity planning d. business process
b. contingency planning
For which type of asset might a company take a zero-tolerance risk exposure posture? a. product lists b. research and development c. location addresses d. public analyst call recordings
b. research and development
Risk identification is performed within a larger process of identifying and justifying risk controls that is called which of the following? a. risk assessment b. risk management c. risk control d. risk tolerance
b. risk management
Which of the following defines the edge between the outer limit of an organization's security and the beginning of the outside world? a. framework b. security perimeter c. security domain d. defense in depth
b. security perimeter
In a _____________, the organization creates a role-playing exercise in which the CP (contingency planning) team is presented with a scenario of an actual incident or disaster and is expected to react as if it had occurred? a. desk check b. simulation c. full-interruption test d. structured walk-through
b. simulation
What type of planning occurs when the actions taken by management to specify the intermediate goals and objectives of the organization, in order to obtain specified strategic goals, are followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives? a. strategic b. tactical c. operational d. financial
b. tactical
Using a known or previously installed access mechanism is known as which of the following? a. Hidden Bomb b. Vector c. Back Door d. Spoof
c. Back Door
Which of the following terms best describes a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls? a. blueprint b. the NIST handbook c. Information security framework d. security plan
c. Information security framework
Which of the following would be considered an attack and penetration tester? a. an expert hacker with bad intentions b. a packet monkey focused on denial of service mischief c. an information security professional with authorization to compromise a system seeking vulnerabilities d. a foreign national focused on industrial espionage
c. an information security professional with authorization to compromise a system seeking vulnerabilities
A ________ is an investigation and assessment of adverse events that can affect the organization; it includes a determination of how critical a system or data are to the organization's core processes and its recovery priorities? a. recovery time objective b. 3-2-1 back-up c. business impact analysis d. alert roster
c. business impact analysis
The probability that a specific vulnerability within an organization will be the target of an attack is known as which of the following? a. probability b. manageability c. likelihood d. practicality
c. likelihood
Providing customer billing, as mentioned in the text, is an example of what? a. potential incident that can occur in an organization b. additional resource detail c. mission/business process d. description and estimated cost
c. mission/business process
The ________ process entails the review and assessment of organizational information security performance toward goals and objectives by the governing body? a. evaluate b. direct c. monitor d. assure
c. monitor
The application of controls that reduce the risks to an organization's information assets to an acceptable level is known as which of the following? a. risk assessment b. risk management c. risk control d. risk identification
c. risk control
According to the text and the information security governance roles and responsibilities graphic, who is responsible for policy implementation, reporting security vulnerabilities, and breaches? a. Chief Executive Officer b. Mid-level managers c. Janitorial staff d. Enterprise staff/employees
d. Enterprise staff/employees
Which of the following is often a main trophy for corporate espionage? a. Key Products b. Names of Board Members c. SEC Reports d. Intellectual Property (IP)
d. Intellectual Property (IP)
Information about a person's history, background, and attributes that can be used to commit identity theft is called? a. Enhanced credentials b. Passwords c. Authenticity d. Personal Identifiable Information (PII)
d. Personal Identifiable Information (PII)
Access control lists (ACL) are a unique form of what kind of policy? a. EISP b. ISSP c. GRC d. SysSP
d. SysSP
In determining recovery criticality, which of the following is true? a. as disruption time increases, both cost to recover and cost of disruption go up b. as disruption time increases, both cost to recover and cost of disruption go down c. as disruption time increases, cost to recover goes up and cost of disruption goes down d. as disruption time increases, cost to recover goes down and cost of disruption goes up
d. as disruption time increases, cost to recover goes down and cost of disruption goes up
For information security purposes, which of the following terms is used to describe the systems that use, store, and transmit information? a. inventory b. threats c. controls d. assets
d. assets
As indicated earlier, one of the foundations of security architectures is the requirement to implement security in layers. This layered approach is referred to as which of the following? a. framework b. security perimeter c. security domain d. defense in depth
d. defense in depth
Which risk control strategy attempts to reduce the impact of a successful attack through planning and preparation? a. transference b. defense c. acceptance d. mitigation
d. mitigation
Which of the following is not a definite indicator of an incident? a. change to logs b. presence of hacker tools c. use of dormant accounts d. presence of unfamiliar files
d. presence of unfamiliar files
Information security performs all of the following functions for an organization except? a. safeguards the organization's technology assets b. protects the organization's ability to function c. protects the data and information the organization collects and uses, whether physical or electronic d. provides for the broad and easy access of an organization's intellectual property among companies in the same industry
d. provides for the broad and easy access of an organization's intellectual property among companies in the same industry
Which of the following could be considered highly desirable trophies for corporate espionage? a. Customer Information b. Intellectual Property (IP) c. Financial Assets d. Elon Musk Flight Details e. All of the Above
e. All of the Above