Chapter 1 - ITSY 1300, Chapter 2 - ITSY 1300, Chapter 3 - ITSY 1300, Chapter 4 - ITSY 1300
Laws, policies and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught. Select one: True False
True
Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _________________________ Select one: True False
True
Many industry observers claim that ISO/IEC 17799, the precursor to ISO/IEC 27001, is not as complete as other frameworks. Select one: True False
True
Many states have implemented legislation making certain computer-related activities illegal. Select one: True False
True
Much human error or failure can be prevented with effective training and ongoing awareness activities. Select one: True False
True
NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. Select one: True False
True
NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size. Select one: True False
True
Of the two approaches to information security implementation, the top-down approach has a higher probability of success. _________________________ Select one: True False
True
Organizations can use dictionaries to regulate password selection during the reset process and thus guard against easy-to-guess passwords. Select one: True False
True
Privacy is the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality. _________________________ Select one: True False
True
Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. Select one: True False
True
Since it was established in January 2001, every FBI field office has established an InfraGard program to collaborate with public and private organizations and the academic community. Select one: True False
True
Software code known as a(n) cookie can allow an attacker to track a victim's activity on Web sites. _________________________ Select one: True False
True
Some policies may also need a(n) sunset clause indicating their expiration date. _________________________ Select one: True False
True
Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group. Select one: True False
True
Technical controls are the tactical and technical implementations of security in the organization. _________________________ Select one: True False
True
The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area. _________________________ Select one: True False
True
The Department of Homeland Security (DHS) works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity and academic research. Select one: True False
True
The Digital Millennium Copyright Act is the American law created in response to Directive 95/46/EC, adopted in 1995 by the European Union. _________________________ Select one: True False
True
The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage. _________________________ Select one: True False
True
Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) which is longer than ____________________ characters in Internet Explorer 4.0, the browser will crash. Select one: a. 256 b. 64 c. 128 d. 512
a. 256
__________ is a network project that preceded the Internet. Select one: a. ARPANET b. DES c. NIST d. FIPS
a. ARPANET
According to NIST SP 800-14's security principles, security should ________. Select one: a. All of the above b. support the mission of the organization c. require a comprehensive and integrated approach d. be cost-effective
a. All of the above
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________ Select one: a. All of the above b. proxy servers c. access controls d. firewalls
a. All of the above
Which of the following is a valid type of role when it comes to data ownership? Select one: a. All of the above b. Data owners c. Data custodians d. Data users
a. All of the above
Which of the following functions does information security perform for an organization? Select one: a. All of the above. b. Enabling the safe operation of applications implemented on the organization's IT systems. c. Protecting the organization's ability to function. d. Protecting the data the organization collects and uses.
a. All of the above.
__________ law comprises a wide variety of laws that govern a nation or state. Select one: a. Civil b. Private c. Criminal d. Public
a. Civil
Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses? Select one: a. Computer Fraud and Abuse Act of 1986 b. Freedom of Information Act (FOIA) of 1966 c. Electronic Communications Privacy Act of 1986 d. Federal Privacy Act of 1974
a. Computer Fraud and Abuse Act of 1986
Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? Select one: a. Electronic Communications Privacy Act b. Financial Services Modernization Act c. Sarbanes-Oxley Act d. Economic Espionage Act
a. Electronic Communications Privacy Act
Which of the following is an example of a Trojan horse program? Select one: a. Happy99.exe b. MyDoom c. Netsky d. Klez
a. Happy99.exe
_________ was the first operating system to integrate security as its core functions. Select one: a. MULTICS b. ARPANET c. DOS d. UNIX
a. MULTICS
__________ has become a widely accepted evaluation standard for training and education related to the security of information systems. Select one: a. NSTISSI No. 4011 b. ISO 17788 c. NIST SP 800-12 d. IEEE 802.11(g)
a. NSTISSI No. 4011
__________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Select one: a. Public b. Civil c. Criminal d. Private
a. Public
The ____________________ data file contains the hashed representation of the user's password. Select one: a. SAM b. FBI c. SNMP d. SLA
a. SAM
____ is any technology that aids in gathering information about a person or organization without their knowledge. Select one: a. Spyware b. A bot c. Trojan d. Worm
a. Spyware
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees. Select one: a. accidental b. physical c. intentional d. external
a. accidental
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. Select one: a. alert roster b. emergency notification system c. call register d. phone list
a. alert roster
In a ____________________ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources. Select one: a. denial-of-service b. virus c. distributed denial-of-service d. spam
a. denial-of-service
Criminal or unethical __________ goes to the state of mind of the individual performing the act. Select one: a. intent b. attitude c. ignorance d. accident
a. intent
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________." Select one: a. management b. implementation c. accreditation d. certification
a. management
Hackers can be generalized into two skill groups: expert and ____________________. Select one: a. novice b. journeyman c. packet monkey d. professional
a. novice
"4-1-9" fraud is an example of a ____________________ attack. Select one: a. social engineering b. spam c. virus d. worm
a. social engineering
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years. Select one: a. strategic b. operational c. standard d. tactical
a. strategic
_______ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization. Select one: a. Operational b. Technical c. Managerial d. Informational
c. Managerial
__________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse. Select one: a. Object b. Personal c. Physical d. Standard
c. Physical
Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____. Select one: a. MIN b. MSL c. SLA d. SSL
c. SLA
The __________ of 1999 provides guidance on the use of encryption and provides protection from government intervention. Select one: a. Economic Espionage Act b. USA PATRIOT Act c. Security and Freedom through Encryption Act d. Prepper Act
c. Security and Freedom through Encryption Act
A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes __________. Select one: a. controls have proven ineffective b. controls have failed c. controls have been bypassed d. All of the above
d. All of the above
"Shoulder spying" is used in public or semipublic settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________ Select one: True False
False
A breach of possession always results in a breach of confidentiality. Select one: True False
False
A champion is a project manager, who may be a departmental line manager or staff unit manager, and has expertise in project management and information security technical requirements. Select one: True False
False
A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffers. _________________________ Select one: True False
False
Confidentiality ensures that only those with the rights and privileges to access information are able to do so. _________________________ Select one: True False
True
Criminal law addresses activities and conduct harmful to society and is categorized as private or public. Select one: True False
True
Cyberterrorists hack systems to conduct terrorist activities via network or Internet pathways. _________________________ Select one: True False
True
Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective. Select one: True False
True
During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage. Select one: True False
True
Expert hackers are extremely talented individuals who usually devote lots of time and energy to attempting to break into other people's information systems. Select one: True False
True
Forces of nature, force majeure, or acts of God can present some of the most dangerous threats, because they usually occur with very little warning and are beyond the control of people. Select one: True False
True
Hackers are "persons who access systems and information without authorization and often illegally." _________________________ Select one: True False
True
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. _________________________ Select one: True False
True
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. Select one: True False
True
Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, often referred to as the bottom-up approach. _________________________ Select one: True False
True
Information security safeguards the technology assets in use at the organization. Select one: True False
True
A worm requires that another program is running before it can begin functioning. Select one: True False
False
According to the CNSS, networking is "the protection of information and its critical elements." _________________________ Select one: True False
False
An act of theft performed by a hacker falls into the category of "theft," but is also often accompanied by defacement actions to delay discovery and thus may also be placed within the category of "forces of nature." Select one: True False
False
An advance-fee fraud attack involves the interception of cryptographic elements to determine keys and encryption algorithms. Select one: True False
False
An e-mail virus involves sending an e-mail message with a modified field. Select one: True False
False
Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction. Select one: True False
False
Attacks conducted by scripts are usually unpredictable. Select one: True False
False
Civil law addresses activities and conduct harmful to society and is actively enforced by the state. _________________________ Select one: True False
False
Compared to Web site defacement, vandalism within a network is less malicious in intent and more public. Select one: True False
False
Cultural differences can make it difficult to determine what is ethical and what is not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal. Select one: True False
False
Direct attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. _________________________ Select one: True False
False
DoS attacks cannot be launched against routers. Select one: True False
False
Employees are not deterred by the potential loss of certification or professional accreditation resulting from a breach of a code of conduct as this loss has no effect on employees' marketability and earning power. Select one: True False
False
Ethics are the moral attitudes or customs of a particular group. _________________________ Select one: True False
False
For policy to become enforceable it only needs to be distributed, read, understood, and agreed to. Select one: True False
False
Hardware is often the most valuable asset possessed by an organization and it is the main target of intentional attacks. Select one: True False
False
In a study on software license infringement, those from United States were significantly more permissive than those from the Netherlands and other countries. _________________________ Select one: True False
False
In the context of information security, confidentiality is the right of the individual or group to protect themselves and their information from unauthorized access. Select one: True False
False
Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects. _________________________ Select one: True False
False
Information security can be an absolute. Select one: True False
False
Information security's primary mission is to ensure that systems and their contents retain their confidentiality at any cost. Select one: True False
False
Intellectual privacy is recognized as a protected asset in the United States. _________________________ Select one: True False
False
Key end users should be assigned to a developmental team, known as the united application development team. _________________________ Select one: True False
False
Key studies reveal that legal penalties are the overriding factor in leveling ethical perceptions within a small population. Select one: True False
False
MULTICS stands for Multiple Information and Computing Service. _________________________ Select one: True False
False
Network security focuses on the protection of the details of a particular operation or series of activities. Select one: True False
False
Once a(n) back door has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. _________________________ Select one: True False
False
One form of e-mail attack that is also a DoS is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________ Select one: True False
False
One of the basic tenets of security architectures is the layered implementation of security, which is called defense in redundancy. _________________________ Select one: True False
False
Packet munchkins use automated exploits to engage in distributed denial-of-service attacks. _________________________ Select one: True False
False
Policies are detailed written instructions for accomplishing a specific task. _________________________ Select one: True False
False
Risk evaluation is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization's security and to the information stored and processed by the organization. _________________________ Select one: True False
False
Systems-specific security policies, commonly referred to as a fair and responsible use policy, are used to control constituents' use of a particular resource, asset, or activity. _________________________ Select one: True False
False
The Analysis phase of the SecSDLC begins the methodology initiated by a directive from upper management. _________________________ Select one: True False
False
The Computer Security Act of 1987 is the cornerstone of many computer-related federal laws and enforcement efforts; it was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984. Select one: True False
False
The Council of Europe Convention on Cyber-Crime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement, but has been well received by supporters of individual rights in the U.S. Select one: True False
False
The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, the resources. Select one: True False
False
The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _________________________ Select one: True False
False
The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release information about national security without permission. _________________________ Select one: True False
False
Intellectual property is defined as "the creation, ownership, and control of ideas as well as the representation of those ideas." _________________________ Select one: True False
True
The Graham-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _________________________ Select one: True False
False
The ISSP sets out the requirements that must be met by the information security blueprint or framework. Select one: True False
False
The Security Development Life Cycle (SDLC) is a general methodology for the design and implementation of an information system. _________________________ Select one: True False
False
The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________ Select one: True False
False
The bottom-up approach to information security has a higher probability of success than the top-down approach. Select one: True False
False
The difference between a policy and a law is that ignorance of a law is an acceptable defense. Select one: True False
False
The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799. Select one: True False
False
The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC). Select one: True False
False
The key components of the security perimeter include firewalls, DMZs (demilitarized zones), Web servers, and IDPSs. _________________________ Select one: True False
False
The macro virus infects the key operating system files located in a computer's boot sector. _________________________ Select one: True False
False
The operational plan documents the organization's intended long-term direction and efforts for the next several years. _________________________ Select one: True False
False
The physical design is the blueprint for the desired solution. Select one: True False
False
The possession of information is the quality or state of having value for some purpose or end. Select one: True False
False
The security framework is a more detailed version of the security blueprint. Select one: True False
False
The security model is the basis for the design, selection, and implementation of all security program elements including such things as policy implementation and ongoing policy and program management. _________________________ Select one: True False
False
Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _________________________ Select one: True False
False
An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement. Select one: True False
False
A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information. Select one: True False
True
A mail bomb is a form of DoS attack. Select one: True False
True
A number of technical mechanisms-digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media-have been used to deter or prevent the theft of software intellectual property. Select one: True False
True
A sniffer program can reveal data transmitted on a network segment including passwords, the embedded and attached files-such as word-processing documents-and sensitive data transmitted to or from applications. Select one: True False
True
A worm can deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. Select one: True False
True
A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures. _________________________ Select one: True False
True
A(n) project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas. _________________________ Select one: True False
True
As an organization grows it must often use more robust technology to replace the security technologies it may have outgrown. Select one: True False
True
The Federal Bureau of Investigation's National InfraGard Program serves its members in four basic ways: Maintains an intrusion alert network using encrypted e-mail; Maintains a secure Web site for communication about suspicious activity or intrusions; Sponsors local chapter activities; Operates a help desk for questions. _________________________ Select one: True False
True
The code of ethics put forth by (ISC)2 focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." _________________________ Select one: True False
True
The communications networks of the United States carry more funds than all of the armored cars in the world combined. _________________________ Select one: True False
True
The investigation phase of the SecSDLC begins with a directive from upper management. Select one: True False
True
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________ Select one: True False
True
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy. Select one: True False
True
The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _________________________ Select one: True False
True
The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. _________________________ Select one: True False
True
The roles of information security professionals are almost always aligned with the goals and mission of the information security community of interest. Select one: True False
True
The stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins, is to offer guidelines and voluntary directions for information security management. _________________________ Select one: True False
True
To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards. Select one: True False
True
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date. Select one: True False
True
To remain viable, security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date. _________________________ Select one: True False
True
You can create a single comprehensive ISSP document covering all information security issues. Select one: True False
True
Laws and policies and their associated penalties only deter if which of the following conditions is present? Select one: a. Probability of penalty being administered b. All of the above c. Fear of penalty d. Probability of being caught
b. All of the above
The __________ attempts to prevent trade secrets from being illegally shared. Select one: a. Electronic Communications Privacy Act b. Economic Espionage Act c. Sarbanes-Oxley Act d. Financial Services Modernization Act
b. Economic Espionage Act
The Health Insurance Portability and Accountability Act of 1996, also known as the __________ Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange. Select one: a. HITECH b. Kennedy-Kessebaum c. Privacy d. Gramm-Leach-Bliley
b. Kennedy-Kessebaum
_________ controls address personnel security, physical security, and the protection of production inputs and outputs. Select one: a. Managerial b. Operational c. Technical d. Informational
b. Operational
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. Select one: a. Domaining b. Redundancy c. Firewalling d. Hosting
b. Redundancy
A variation of an SDLC that can be used to implement information security solutions in an organization with little or no formal security in place is the __________. Select one: a. CLSecD b. SecSDLC c. LCSecD d. SecDSLC
b. SecSDLC
Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources? Select one: a. United States b. Singapore c. Australia d. Sweden
b. Singapore
_______ often function as standards or procedures to be used when configuring or maintaining systems. Select one: a. ISSPs b. SysSPs c. ESSPs d. EISPs
b. SysSPs
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems? Select one: a. It was not as complete as other frameworks. b. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799. c. The standard lacked the measurement precision associated with a technical standard. d. The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls.
b. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
A methodology for the design and implementation of an information system that is a formal development strategy is referred to as a __________. Select one: a. development life project b. systems development life cycle c. systems design d. systems schema
b. systems development life cycle
____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated. Select one: a. Worms b. Trojan horses c. Spam d. Viruses
b. Trojan horses
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________. Select one: a. with malice b. by accident c. with negligence d. with intent
b. by accident
A ____ site provides only rudimentary services and facilities. Select one: a. commercial b. cold c. warm d. hot
b. cold
Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________. Select one: a. threats b. controls c. hugs d. paperwork
b. controls
____________________ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents. Select one: a. infoterrorism b. cyberterrorism c. hacking d. cracking
b. cyberterrorism
Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident. Select one: a. containment strategy b. damage assessment c. incident response d. disaster assessment
b. damage assessment
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards. Select one: a. de facto b. de jure c. de formale d. de public
b. de jure
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____. Select one: a. remote journaling b. electronic vaulting c. off-site storage d. database shadowing
b. electronic vaulting
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________. Select one: a. false alarms b. hoaxes c. polymorphisms d. urban legends
b. hoaxes
During the __________ phase, specific technologies are selected to support the alternatives identified and evaluated in the prior phases. Select one: a. investigation b. physical design c. analysis d. implementation
b. physical design
Organizations are moving toward more __________-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product. Select one: a. accessibility b. security c. availability d. reliability
b. security
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________. Select one: a. blueprint b. standard c. policy d. plan
b. standard
According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except __________. Select one: a. for purposes of commercial advantage b. to harass c. for private financial gain d. in furtherance of a criminal act
b. to harass
Security __________ are the areas of trust within which users can freely communicate. Select one: a. layers b. domains c. rectangles d. perimeters
b. domains
Complete loss of power for a moment is known as a ____. Select one: a. brownout b. fault c. lag d. blackout
b. fault
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages? Select one: a. Determine mission/business processes and recovery criticality b. Identify recovery priorities for system resources c. All of these are BIA stages d. Identify resource requirements
c. All of these are BIA stages
The National Information Infrastructure Protection Act of 1996 modified which Act? Select one: a. Computer Security Act b. USA PATRIOT Improvement and Reauthorization Act c. Computer Fraud and Abuse Act d. USA PATRIOT Act
c. Computer Fraud and Abuse Act
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. Select one: a. Best-effort b. Proxy c. Defense in depth d. Networking
c. Defense in depth
What is the subject of the Sarbanes-Oxley Act? Select one: a. Trade secrets b. Privacy c. Financial Reporting d. Banking
c. Financial Reporting
The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts. Select one: a. Violence b. Usage c. Fraud d. Theft
c. Fraud
The Council of Europe adopted the Convention of CyberCrime in 2001 to oversee a range of security functions associated with __________ activities. Select one: a. electronic commerce b. online terrorist c. Internet d. cyberactivist
c. Internet
People with the primary responsibility for administering the systems that house the information used by the organization perform the ____ role. Select one: a. Security professionals b. Security policy developers c. System administrators d. End users
c. System administrators
The ____________________ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network. Select one: a. WWW b. FTP c. TCP d. HTTP
c. TCP
____________________ are compromised systems that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack. Select one: a. Drones b. Servants c. Zombies d. Helpers
c. Zombies
A server would experience a __________ attack when a hacker compromises it to acquire information from it remotely over a network connection. Select one: a. hardware b. software c. direct d. indirect
c. direct
One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. Select one: a. hackcyber b. cyberhack c. hacktivist d. phreak
c. hacktivist
In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single number called the __________ value. Select one: a. smashing b. result c. hash d. code
c. hash
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which is intended to allow organizations to __________. Select one: a. assess progress toward a recommended target state b. communicate among local, state and national agencies about cybersecurity risk c. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process d. None of these
c. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization. Select one: a. operational b. Internet c. people d. technology
c. people
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. Select one: a. theft b. security c. trespass d. bypass
c. trespass
A type of SDLC where each phase has results that flow into the next phase is called the __________ model. Select one: a. Method 7 b. pitfall c. waterfall d. SA&D
c. waterfall
An information system is the entire set of __________, people, procedures, and networks that make possible the use of information resources in the organization. Select one: a. data b. software c. hardware d. All of the above
d. All of the above
__________ of information is the quality or state of being genuine or original. Select one: a. Confidentiality b. Authorization c. Spoofing d. Authenticity
d. Authenticity
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization. Select one: a. CIO b. CTO c. ISO d. CISO
d. CISO
The ________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. Select one: a. ISSP b. GSP c. SysSP d. EISP
d. EISP
What is the subject of the Computer Security Act? Select one: a. Telecommunications Common Carriers b. Cryptography Software Vendors c. Banking Industry d. Federal Agency Information Security
d. Federal Agency Information Security
Which of the following acts is also widely known as the Gramm-Leach-Bliley Act? Select one: a. Computer Security Act b. Communications Act c. Health Insurance Portability and Accountability Act d. Financial Services Modernization Act
d. Financial Services Modernization Act
Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates what immediate steps are taken when an attack occurs. Select one: a. Security response b. Continuity planning c. Disaster recovery d. Incident response
d. Incident response
The __________ defines stiffer penalties for prosecution of terrorist crimes. Select one: a. Gramm-Leach-Bliley Act b. Economic Espionage Act c. Sarbanes-Oxley Act d. USA PATRIOT Act
d. USA PATRIOT Act
The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security. Select one: a. Bugs b. Maintenance hooks c. Malware d. Vulnerabilities
d. Vulnerabilities
A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. Select one: a. virus b. spam c. denial-of-service d. distributed denial-of-service
d. distributed denial-of-service
A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization. Select one: a. model b. plan c. policy d. framework
d. framework
Which of the following phases is often considered the longest and most expensive phase of the systems development life cycle? Select one: a. investigation b. implementation c. logical design d. maintenance and change
d. maintenance and change
In the well-known ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. Select one: a. server-in-the-middle b. zombie-in-the-middle c. sniff-in-the-middle d. man-in-the-middle
d. man-in-the-middle
The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any __________ purposes. Select one: a. customer service b. billing c. troubleshooting d. marketing
d. marketing
RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure. Select one: a. resistant b. replicated c. random d. redundant
d. redundant
A computer is the __________ of an attack when it is used to conduct an attack against another computer. Select one: a. object b. target c. facilitator d. subject
d. subject