CSS 1006 Midterm

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

a. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________. a. Board Risk Committee b. Board Finance Committee c. Board Ethics Committee d. Chairman of the Board

a. Board Risk Committee

A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs. a. business mission b. joint application design c. security policy review d. disaster recovery planning

a. business mission

Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? a. can suffer from poor policy dissemination, enforcement, and review b. may skip vulnerabilities otherwise reported c. may be more expensive than necessary d. implementation can be less difficult to manage

a. can suffer from poor policy dissemination, enforcement, and review

Which of the following is NOT one of the three general causes of unethical and illegal behavior? a. carelessness b. ignorance c. accident d. intent

a. carelessness

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) _________ on a development team. a. champion b. project manager c. team leader d. auditor

a. champion

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as _______. a. data owners b. data custodians c. data users d. data generators

a. data owners

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________. a. digital forensics b. criminal investigation c. crime scene investigation d. e-discovery

a. digital forensics

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________. a. evidentiary material b. digital forensics c. evidence d. e-discovery

a. evidentiary material

Laws, policies, and their associated penalties only provide deterrence if 3 conditions are present. Which of these is NOT one of them? a. frequency of review b. probability of being apprehended c. fear of the penalty d. probability of penalty being applied

a. frequency of review

__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. a. governance b. controlling c. leading d. strategy

a. governance

ISO 27014:2013 is the ISO 27000 series standard for ________. a. governance of information security b. information security management c. risk management d. policy management

a. governance of information security

The National Association of Corporate Directors (NACD) recommends 4 essential practices for boards of directors. Which of the following is NOT one of these recommended practices? a. hold regular meetings with CIO to discuss tactical InfoSec planning b. assign InfoSec to a key committee and ensure adequate support for that committee c. ensure the effectiveness of the corporation's InfoSec policy through review and approval d. identify InfoSec leaders, hold them accountable, and ensure support for them

a. hold regular meetings with CIO to discuss tactical InfoSec planning

In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________. a. identifying relevant items of evidentiary value b. acquiring (seizing) the evidence without alteration or damage c. analyzing the data without risking modification or unauthorized access d. investigating allegations of digital malfeasance

a. identifying relevant items of evidentiary value

The ______ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. a. investigation b. analysis c. implementation d. justification

a. investigation

According to Wood, which of the following is a reason the InfoSec department should report directly to top management? a. it fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole b. it allows independence in the InfoSec department, especially if it is needed to audit the IT division c. it prevents InfoSec from becoming a drain on the IT budget d. it allows the InfoSec executive to dictate security requirements with greater authority to the other business divisions

a. it fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a wholeWhich of the following describes the primary reason the InfoSec department should NOT fall under the IT function?

The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined. a. rainbow table b. unicorn table c. rainbow matrix d. poison box

a. rainbow table

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness? a. systems testing b. risk assessment c. incident response d. risk treatment

a. systems testing

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________. a. the type of crime committed b. how many perpetrators were involved c. the network provider the hacker used d. the kind of computer the hacker used

a. the type of crime committed

As noted by Kosutic, options for placing the CISO (and his or her security group) in the organization are generally driven by organizational size and include all of the following EXCEPT: a. within a division/department with a conflict of interest b. in a separate group reporting directly to the CEO / president c. under a division/department with no conflict of interest d. as an additional duty for an existing manager/executive

a. within a division/department with a conflict of interest

The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge b. by adding barriers c. by developing skills d. by improving awareness

b. by adding barriers

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation? a. policy b. centralized authentication c. compliance/audit d. risk management

b. centralized authentication

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past? a. applied ethics b. descriptive ethics c. normative ethics d. deontological ethics

b. descriptive ethics

Which of the following is the best method for preventing an illegal or unethical activity? (ex: laws, policies, technical controls) a. remediation b. deterrence c. persecution d. rehabilitation

b. deterrence

A _______ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. a. denial of service b. distributed denial of service c. virus d. spam

b. distributed denial of service

Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization. a. legal opinions b. examples c. strategic plans d. purchasable policies

b. examples

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. a. evidentiary material b. forensics c. crime scene investigation d. data imaging

b. forensics

Which of the following is NOT a step in the process of implementing training? a. administer the program b. hire expert consultants c. motivate management and employees d. identify target audiences

b. hire expert consultants

Which of the following is a common element of the enterprise information security policy? a. access control lists b. information on the structure of the InfoSec organization c. articulation of the organization's SDLC methodology d. indemnification of the organization against liability

b. information on the structure of the InfoSec organization

What is the first phase of the SecSDLC? a. analysis b. investigation c. logical design d. physical design

b. investigation

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? a. enterprise information b. issue-specific c. systems specific d. user-specific

b. issue-specific

Which of the following is an information security governance responsibility of the chief information security officer? a. develop policies and the program b. set security policy, procedures, programs, and training c. brief the board, customers, and the public d. implement incident response programs to detect security vulnerabilities and breaches

b. set security policy, procedures, programs, and training

Human error or failure often can be prevented with training and awareness programs, policy, and ____. a. outsourcing b. technical controls c. hugs d. ISO 27000

b. technical controls

Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function? a. the average salary of the top security executive typically exceeds that of the typical IT executive, creating professional rivalries between the two b. there is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information c. there is a fundamental difference in the mission of the InfoSec department, which seeks to minimize access to information, and the IT function, which seeks to increase accessibility of information d. None of the above are reasons the InfoSec department should NOT fall under the IT function

b. there is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information

Digital forensics can be used for 2 key purposes: a. e-discovery & to perform root cause analysis b. to investigate allegations of digital malfeasance & to perform root cause analysis c. to solicit testimony & to perform root cause analysis d. to investigate allegations of digital malfeasance & to solicit testimony

b. to investigate allegations of digital malfeasance & to perform root cause analysis

The final component of the design and implementation of effective policies is _____. a. full comprehension b. uniform and impartial enforcement c. complete distribution d. universal distribution

b. uniform and impartial enforcement

Which of the following is NOT among the 3 types of InfoSec policies based on NIST's Special Publication 800-14? a. enterprise information security policy b. user-specific security policies c. issue-specific security policies d. system-specific security policies

b. user-specific security policies

Which of the following is NOT an aspect of access regulated by ACLs? a. what authorized users can access b. where the system is located c. how authorized users can access the system d. when authorized users can access the system

b. where the system is located

Which of the following is NOT a step in the problem-solving process? a. select, implement, and evaluate a solution b. analyze and compare possible solutions c. build support among management for the candidate solution d. gather facts and make assumptions

c. build support among management for the candidate solution

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons? a. for purposes of commercial advantage b. for private financial gain c. for political advantage d. in furtherance of a criminal act

c. for political advantage

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____. a. false alarms b. polymorphisms c. hoaxes d. urban legends

c. hoaxes

Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected? a. accountability b. availability c. privacy d. confidentiality

c. privacy

Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process c. utilizing the technical expertise of the individual administrators d. coordinated planning from upper management

c. utilizing the technical expertise of the individual administrators

Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infraction? a. Authorized Access and Usage of Equipment b. Systems Management c. Prohibited Usage of Equipment d. Violations of Policy

d. Violations of Policy

Which of the following is NOT a part of an information security program? a. technologies used by an organization to manage the risks to its information assets b. activities used by an organization to manage the risks to its information assets c. personnel used by an organization to manage the risks to its information assets d. all of these are part of an information security program

d. all of these are part of an information security program

Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information? a. integrity b. availability c. authentication d. confidentiality

d. confidentiality

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness of wrongness of the consequences (AKA duty based ethics) a. applied ethics b. meta-ethics c. normative ethics d. deontological ethics

d. deontological ethics

Which of the following variables is the most influential in determining how to structure an information security program? a. security capital budget b. competitive environment c. online exposure of organization d. organizational culture

d. organizational culture

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy? a. policy developer b. policy reviewer c. policy enforcer d. policy administrator

d. policy administrator

This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator . a. security technician b. security analyst c. security consultant d. security manager

d. security manager

In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it? a. spiral b. evolutionary prototyping c. agile d. waterfall

d. waterfall

A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as ______ a. e-discovery b. forensics c. indexing d. root cause analysis

a. e-discovery

The protection of voice and data components, connections, and content is known as __________ security. a. network b. national c. cyber d. operational

a. network

Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT ______. a. proper conception b. proper design c. proper development d. proper implementation

a. proper conception

Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? a. theft b. espionage/trespass c. sabotage/vandalism d. information extortion

a. theft

Which of the following is an advantage of the user support group form of training? a. usually conducted in an informal social setting b. formal training plan c. can be live, or can be archived and viewed at the trainee's convenience d. can be customized to the needs of the trainee

a. usually conducted in an informal social setting

Larger organizations tend to spend approximately ___ percent of the total IT budget on security. a. 2 b. 5 c. 11 d. 20

b. 5

Which of the following should be included in an InfoSec governance program? a. an InfoSec maintenance methodology b. an InfoSec risk management methodology c. an InfoSec project management assessment d. all of these are components of InfoSec governance program

b. an InfoSec risk management methodology

Force majeure includes all of the following EXCEPT: a. acts of war b. armed robbery c. civil disorder d. forces of nature

b. armed robbery

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. ignorance b. malice c. accident d. intent

b. malice

Which function of InfoSec management encompasses security personnel as well as aspects of the SETA program? a. protection b. people c. projects d. policy

b. people

The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called __________. a. copyright infringement b. software piracy c. trademark violation d. data hijacking

b. software piracy

What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication

c. accountability

Which of the following is a policy implemetnation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? a. on-target model b. Wood's model c. bulls-eye model d. Bergen and Berube model

c. bulls-eye model

Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. a. management directive & technical specifications b. management guidance & technical directive c. management guidance & technical specifications d. management specification & technical directive

c. management guidance & technical specifications

Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. tort b. criminal c. private d. public

c. private

Which of the following is NOT a primary function of information security management? a. planning b. protection c. projects d. performance

c. projects

What is the SETA program designed to do? a. rescue the occurrence of external attacks b. improve operations c. reduce the occurrence of accidental security breaches d. increase the efficiency of InfoSec staff

c. reduce the occurrence of accidental security breaches

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________. a. subpoena b. forensic finding c. search warrant d. affidavit

c. search warrant

The basic outcomes of InfoSec governance should include all but which of the following? a. value delivery by optimizing InfoSec investments in support of organizational objectives b. performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved c. time management by aligning resources with personal schedules and organizational objectives d. resource management by utilizing information security knowledge and infrastructure efficiently and effectively

c. time management by aligning resources with personnel schedules and organizational objectives

Smaller organizations tend to spend approximately ___ percent of the total IT budget on security. a. 2 b. 5 c. 11 d. 20

d. 20

What are the 2 general approaches for controlling user authorization for the use of a technology? a. profile lists and configuration tables b. firewall rules and access filters c. user profiles and filters d. access control lists and capability tables

d. access control lists and capability tables

In which phase of the SecSDLC does the risk management task occur? a. physical design b. implementation c. investigation d. analysis

d. analysis

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community ? a. utilitarian b. virtue c. fairness / justice d. common good

d. common good

The ______ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. a. investigation b. analysis c. implementation d. design

d. design

Which of the following is the most cost-effective method for disseminating security information and news to employees? a. employee seminars b. security-themed Web site c. conference calls d. e-mailed security newsletter

d. e-mailed security newsletter


Ensembles d'études connexes

Basic Nursing 3rd Edition: Safety - Ch 21, Physical Activity & Immobility - Ch 29

View Set

EMT- Chapter 38 (Vehicle extraction & special rescue)

View Set

(PrepU) Chapter 26: Health Assessment

View Set

(Last day part 2 ) Finals term 1

View Set

KORE 141 1과 인사 Lecture Notes

View Set

Auditing Principles Unit 3 Study Guide

View Set