CS 207
Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) longer than ______ characters in Internet Explorer 4.0, the browser will crash.
256
The _____ is a respected professional society that was established in 1947. Today it is "the world's largest educational and scientific computing society."
Association for Computing Machinery
The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) _____.
CBA
Which of these is not one of the general categories of security policy?
Category-specific policy (CSP)
_____ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Defense in depth
Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?
Electronic Communications Privacy Act
A(n) _____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
FCO
_____ use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities, if the use is for educational or library purposes, is not for profit, and is not excessive.
Fair
A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. _____
False
A(n) strategic information security policy is also known as a general security policy, and sets the strategic direction, scope, and tone for all security efforts. _____
False
According to the CNSS, networking is "the protection of information and its critical elements." _______
False
An advance-fee fraud attack involves the interception of cryptographic elements to determine keys and encryption algorithms.
False
An affidavit is permission to search for evidentiary material at a specified location or to seize items to return to an investigator's lab for examination.
False
Information security's primary mission is to ensure that systems and their contents retain their confidentiality at any cost.
False
Media are items of fact collected by an organization and include raw numbers, facts, and words.
False
Media assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information. ______
False
Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse.
False
Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.
False
The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement.
False
The computer security incident response team is composed solely of technical IT professionals who are prepared to detect, react to, and recover from an incident.
False
The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.
False
The security framework is a more detailed version of the security blueprint.
False
The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. ______
False
Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _____
False
_____ addresses are sometimes called electronic serial numbers or hardware addresses.
MAC
_____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
SLA
The _____ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
Security and Freedom through Encryption Act
In the 1999 study of computer use-ethics, which of the following countries reported the least tolerant attitudes toward misuse of organizational computing resources?
Singapore
____ is any technology that aids in gathering information about a person or organization without their knowledge.
Spyware
Which of these best defines information security governance?
The application of the principles and practices of corporate governance to the information security function.
A breach of possession may not always result in a breach of confidentiality.
True
A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.
True
A number of technical mechanisms—digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to deter or prevent the theft of software intellectual property.
True
As an organization grows, it must often use more robust technology to replace the security technologies it may have outgrown.
True
Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster.
True
Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective.
True
Expert hackers are extremely talented individuals who usually devote lots of time and energy to attempting to break into other people's information systems.
True
Hackers are "persons who access systems and information without authorization and often illegally." ______
True
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. _______
True
Incident classification is the process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident.
True
NIST responded to a mandate and created a voluntary Risk Management Framework that provides an effective approach to manage cybersecurity risks. _____
True
Organizations can use dictionaries to regulate password selection during the reset process and thus guard against easy-to-guess passwords.
True
RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security.
True
Since it was established in January 2001, every FBI field office has started an InfraGard program to collaborate with public and private organizations and the academic community.
True
The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage. _____
True
The organization must choose one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement: the two approaches are protect and forget, and apprehend and prosecute.
True
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
True
Using a service bureau is a BC strategy in which an organization contracts with a service agency to provide a facility for a fee.
True
A subject or object's ability to use, manipulate, modify, or affect another subject or object is known as ___________.
access
According to NIST SP 800-14's security principles, security should _____.
all of the above: require a comprehensive and integrated approach; be cost-effective; support the mission of the organization
An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) ___________.
asset
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security _____.
blueprint
The detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition is called a(n) _____.
chain of evidence
The CPMT should include a _____ who is a high-level manager to support, promote, and endorse the findings of the project and could be the COO or (ideally) the CEO/president.
champion
The process of maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as ______ security.
database
A server would experience a(n) __________ attack when a hacker compromises it to acquire information via a remote location using a network connection.
direct
The concept of competitive _____ refers to falling behind the competition.
disadvantage
Most common data backup schemes involve ______.
disk-to-disk-to-cloud RAID
"Know the enemy" means identifying, examining, and understanding the competition facing the organization. _____
false
A cold site provides many of the same services and options of a hot site, but at a lower cost.
false
A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.
false
A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.
false
A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _____
false
A(n) hardware system is the entire set of people, procedures, and technology that enable business to use information.
false
Cultural differences can make it difficult to determine what is ethical and not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal.
false
Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site.
false
Ethics are the moral attitudes or customs of a particular group. _____
false
Every member of the organization's InfoSec department must have a formal degree or certification in information security.
false
Incident response is an organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident.
false
Information denigration refers to pieces of nonprivate data that, when combined, may create information that violates privacy. _____
false
Information security can be an absolute.
false
Knowing yourself means identifying, examining, and understanding the threats facing the organization's information assets.
false
Pervasive risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls. _____
false
Residual risk is the risk that organizations are willing to accept even after current controls have been applied.
false
Risk analysis is the enumeration and documentation of risks to an organization's information assets. _____
false
Risk perception is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically part of the risk appetite. _____
false
The Computer Security Act of 1987, the cornerstone of many computer-related federal laws and enforcement efforts, was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984.
false
The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _____
false
The Gramm-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _____
false
The role of the project manager—typically an executive such as a chief information officer (CIO) or the vice president of information technology (VP-IT)—in this effort cannot be overstated.
false
The security model is the basis for the design, selection, and implementation of all security program elements, including policy implementation and ongoing policy and program management. _____
false
The work response time (WRT) is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. _____
false
When an organization depends on IT-based systems to remain viable, InfoSec and the discipline of asset management must become an integral part of the economic basis for making business decisions. _____
false
You cannot use qualitative measures to rank information asset values.
false
Which of the following is NOT one of the categories recommended for categorizing information assets?
firmware
An information security _____ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.
framework
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment's notice.
hot site
The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.
information security
Criminal or unethical _____ goes to the state of mind of the individual performing the act.
intent
In the ______ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
man-in-the-middle
The actions taken by management to specify the short-term goals and objectives of the organization are _____.
operational planning
Information about a person's history, background, and attributes that can be used to commit identity theft is known as _____ information.
personally identifiable
The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information is known as ______.
pharming
_____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.
physical
_____ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
public
Advance-fee fraud is an example of a ______ attack.
social engineering
A detailed statement of what must be done to comply with management intent is known as a _____.
standard
A(n) _____ plan is a plan for the organization's intended efforts over the next several years (long-term).
strategic
The actions taken by management to specify the intermediate goals and objectives of the organization are _____.
tactical planning
Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite.
tolerance
A(n) capability table specifies which subjects and objects users or groups can access. _____
true
Confidentiality ensures that only those with the rights and privileges to access information are able to do so.
true
During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.
true
Every organization, whether public or private and regardless of size, has information it wants to protect.
true
Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. _______
true
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.
true
Intellectual property is defined as "the creation, ownership, and control of ideas as well as the representation of those ideas." ______
true
Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _____
true
Reported attacks are a probable indicator of an actual incident.
true
Software code known as a(n) cookie can allow an attacker to track a victim's activity on Web sites. ______
true
Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets.
true
The business impact analysis is a preparatory activity common to both CP and risk management.
true
The value of information comes from the characteristics it possesses.
true
To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.
true
When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.
true
Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____.
vulnerabilities
In the TVA worksheet, assets are placed into a matrix with threats and then the exposure of the assets to specific threats is explored by documenting _____.
vulnerabilities
The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.
vulnerabilities
The average amount of time until the next hardware failure is known as ______.
mean time to failure (MTTF)