CSS Midterm


Smaller organizations tend to spend approximately __________ percent of the total IT budget on security.

20

Larger organizations tend to spend approximately __________ percent of the total IT budget on security.

5

Which of the following is NOT a part of an information security program?

All of these are part of an information security program

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, and so that it selects key stakeholders as well as the ____________.

Board Risk Committee

Which of the following is NOT a step in the problem-solving process?

Build support among management for the candidate solution.

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)?

Deontological ethics

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons?

For political advantage

__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.

Governance

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

Hold regular meetings with the CIO to discuss tactical InfoSec planning

According to Wood, which of the following is a reason the InfoSec department should report directly to top management?

It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole

Which of the following is an information security governance responsibility of the chief information security officer?

Set security policy, procedures, programs, and training.

Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function?

There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information.

The basic outcomes of InfoSec governance should include all but which of the following?

Time management by aligning resources with personnel schedules and organizational objectives

Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?

Violations of Policy

What are the two general approaches for controlling user authorization for the use of a technology?

access control lists and capability tables

What do audit logs that track user activity on an information system provide?

accountability

In which phase of the SecSDLC does the risk management task occur?

analysis

Force majeure includes all of the following EXCEPT:

armed robbery

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

bulls-eye model

A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs.

business mission

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?

can suffer from poor policy dissemination, enforcement, and review

Which of the following is NOT one of the three general causes of unethical and illegal behavior?

carelessness

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

centralized authentication

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.

champion

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

common good

Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information?

confidentiality

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.

data owners

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past?

descriptive ethics

The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response.

design

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________.

digital forensics

A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial of service

A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.

e-discovery

Which of the following is the most cost-effective method for disseminating security information and news to employees?

e-mailed security newsletter

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.

evidentiary material

Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization.

examples

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.

forensics

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?

frequency of review

ISO 27014:2013 is the ISO 27000 series standard for ____________.

governance of information security

Which of the following is NOT a step in the process of implementing training?

hire expert consultants

As frustrating as viruses and worms are, perhaps more time and money are spent on resolving virus __________.

hoaxes

In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.

identifying relevant items of evidentiary value

Which of the following is a common element of the enterprise information security policy?

information on the structure of the InfoSec organization

The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints.

investigation

What is the first phase of the SecSDLC?

investigation

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

issue-specific

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?

malice

Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.

management guidance, technical specifications

The protection of voice and data components, connections, and content is known as __________ security.

network

Which of the following variables is the most influential in determining how to structure an information security program?

organizational culture

Which function of InfoSec management encompasses security personnel as well as aspects of the SETA program?

people

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?

policy administrator

Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected?

privacy

Which subset of civil law regulates the relationships among individuals and among individuals and organizations?

private

Which of the following is NOT a primary function of information security management?

projects

Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________.

proper conception

The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.

rainbow table
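A caveat on the card above: a database that stores every (hash, password) pair and is searched by hash is, strictly, a plain lookup table. A rainbow table saves storage by keeping only the endpoints of hash/reduce chains and recomputing intermediate values at lookup time. The following is an added example, not code from the original flashcards: it builds a small rainbow table over a constructed 4-digit PIN space with SHA-1 (the charset, chain length, and sample passwords are all assumptions chosen to keep the run fast), recovers an unsalted hash, and then shows why a per-user salt makes the precomputed table useless.

```python
"""Rainbow-table demonstration on a deliberately tiny password space.
Added example; not from the original page.  The password space, chain
length, hash choice and sample PINs are constructed for illustration."""
import hashlib
from typing import Dict, List, Optional

CHARSET = "0123456789"
LENGTH = 4
SPACE = len(CHARSET) ** LENGTH   # 10,000 possible 4-digit PINs (constructed)
CHAIN_LEN = 8                    # hash/reduce steps per chain (constructed)


def to_password(n: int) -> str:
    """Index 0..SPACE-1 -> fixed-length string over CHARSET (big-endian)."""
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(reversed(out))


def h(password: str) -> str:
    """The unsalted hash the table is built against (SHA-1 here)."""
    return hashlib.sha1(password.encode()).hexdigest()


def reduce_(digest: str, column: int) -> str:
    """Reduction function: maps a digest back into the password space.
    Mixing in the column number is what makes the table 'rainbow' and
    limits chain merges compared with a single reduction function."""
    return to_password((int(digest, 16) + column) % SPACE)


def build_table(starts: List[str], chain_len: int = CHAIN_LEN) -> Dict[str, List[str]]:
    """Store only endpoint -> start points.  Intermediate values are
    recomputed on demand: that is the time/storage trade-off."""
    table: Dict[str, List[str]] = {}
    for start in starts:
        pw = start
        for column in range(chain_len):
            pw = reduce_(h(pw), column)
        table.setdefault(pw, []).append(start)   # keep merged chains too
    return table


def lookup(table: Dict[str, List[str]], digest: str, chain_len: int = CHAIN_LEN) -> Optional[str]:
    """Recover the plaintext for `digest` if it lies on a stored chain."""
    for k in range(chain_len - 1, -1, -1):
        # Assume the unknown password sat in column k; finish its chain.
        x = reduce_(digest, k)
        for column in range(k + 1, chain_len):
            x = reduce_(h(x), column)
        for start in table.get(x, []):
            # Candidate chain: regenerate up to column k and verify, which
            # also rejects false alarms caused by chain merges.
            pw = start
            for column in range(k):
                pw = reduce_(h(pw), column)
            if h(pw) == digest:
                return pw
    return None


def salted_hash(salt: str, password: str) -> str:
    """A per-user salt changes every digest; the table knows nothing of it."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


# 2,500 chains x 8 steps cover a good share of the 10,000 PINs.
TABLE = build_table([to_password(i) for i in range(0, SPACE, 4)])


def crack_unsalted(password: str) -> Optional[str]:
    return lookup(TABLE, h(password))


def crack_salted(salt: str, password: str) -> Optional[str]:
    # Same PIN, but the stored digest was salted: the chains never match.
    return lookup(TABLE, salted_hash(salt, password))


if __name__ == "__main__":
    print(crack_unsalted("1984"))       # recovered from the table
    print(crack_salted("x9", "1984"))   # None: salt defeats precomputation
```

The defensive lesson is the second call: a unique salt per stored credential forces the attacker to build a fresh table per salt, which is why salted, slow hashes (bcrypt, scrypt, Argon2) rather than bare SHA-1 are the standard for password storage.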

What is the SETA program designed to do?

reduce the occurrence of accidental security breaches

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.

search warrant

This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.

security manager

The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called __________.

software piracy

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

systems testing

Human error or failure often can be prevented with training and awareness programs, policy, and __________.

technical controls

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.

the type of crime committed

Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer?

theft

Digital forensics can be used for two key purposes: ________ or _________.

to investigate allegations of digital malfeasance; to perform root cause analysis

The final component of the design and implementation of effective policies is __________.

uniform and impartial enforcement

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?

user-specific security policies

Which of the following is an advantage of the user support group form of training?

usually conducted in an informal social setting

Which of the following is a key advantage of the bottom-up approach to security implementation?

utilizing the technical expertise of the individual administrators

In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?

waterfall

Which of the following is NOT an aspect of access regulated by ACLs?

where the system is located
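The two cards on authorization (access control lists vs. capability tables, and the aspects of access an ACL regulates: who, what, when, and where the user connects from) describe two views of the same access-control matrix. The following added example, not code from the original page, builds a constructed matrix of users, files, and rules, projects it into an ACL (indexed by object) and a capability table (indexed by subject), and shows that both yield the same decisions while making different questions cheap to answer. The users, objects, rights, times, and addresses are all sample data.

```python
"""An access-control matrix and its two projections.  Added example for
the flashcards on access control lists vs. capability tables; it is not
taken from the original page.  Subjects, objects, rights and rules are
constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """The 'what' (rights) of one matrix cell plus the 'when' and
    'where from' constraints an ACL entry commonly carries."""
    rights: FrozenSet[str]
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    source: str = "0.0.0.0/0"          # any source address

    def permits(self, right: str, when: datetime, src: str) -> bool:
        return (right in self.rights
                and self.start <= when.time() <= self.end
                and ip_address(src) in ip_network(self.source))


# The full matrix: (subject, object) -> Rule.  Absent cell = no access.
MATRIX: Dict[Tuple[str, str], Rule] = {
    ("alice", "payroll.db"): Rule(frozenset({"read", "write"}),
                                  time(8, 0), time(18, 0), "10.0.0.0/8"),
    ("bob", "payroll.db"): Rule(frozenset({"read"})),
    ("bob", "wiki"): Rule(frozenset({"read", "write"})),
    ("carol", "wiki"): Rule(frozenset({"read"})),
}

# Constructed request times used in the demo below.
OFFICE_HOURS = datetime(2024, 1, 15, 10, 0)
AFTER_HOURS = datetime(2024, 1, 15, 22, 0)


def acl_view(matrix: Dict[Tuple[str, str], Rule]) -> Dict[str, Dict[str, Rule]]:
    """ACL: the matrix sliced by object.  Answers 'who may touch this?'"""
    acls: Dict[str, Dict[str, Rule]] = {}
    for (subject, obj), rule in matrix.items():
        acls.setdefault(obj, {})[subject] = rule
    return acls


def capability_view(matrix: Dict[Tuple[str, str], Rule]) -> Dict[str, Dict[str, Rule]]:
    """Capability table: the matrix sliced by subject.  Answers 'what may
    this user do, and to which objects?'"""
    caps: Dict[str, Dict[str, Rule]] = {}
    for (subject, obj), rule in matrix.items():
        caps.setdefault(subject, {})[obj] = rule
    return caps


ACLS = acl_view(MATRIX)
CAPS = capability_view(MATRIX)


def authorize_acl(subject: str, obj: str, right: str, when: datetime, src: str) -> bool:
    rule = ACLS.get(obj, {}).get(subject)
    return rule is not None and rule.permits(right, when, src)


def authorize_cap(subject: str, obj: str, right: str, when: datetime, src: str) -> bool:
    rule = CAPS.get(subject, {}).get(obj)
    return rule is not None and rule.permits(right, when, src)


def who_can(obj: str) -> List[str]:
    """Cheap with an ACL; with only capability tables it needs a full scan."""
    return sorted(ACLS.get(obj, {}))


def what_can(subject: str) -> List[str]:
    """Cheap with a capability table; with only ACLs it needs a full scan."""
    return sorted(CAPS.get(subject, {}))


def views_agree(requests) -> bool:
    """Both projections must yield identical decisions for every request."""
    return all(authorize_acl(*r) == authorize_cap(*r) for r in requests)


if __name__ == "__main__":
    print(authorize_acl("alice", "payroll.db", "write", OFFICE_HOURS, "10.1.2.3"))
    print(authorize_acl("alice", "payroll.db", "write", AFTER_HOURS, "10.1.2.3"))
    print(authorize_acl("alice", "payroll.db", "read", OFFICE_HOURS, "192.168.1.5"))
```

The point for the "aspects regulated" card is in the Rule class: alice's entry denies a write at 22:00 (when) and a read from 192.168.1.5 (where from) even though the right itself is granted, while carol simply has no cell for payroll.db. Revoking one user's access is a single ACL edit per object; listing everything one user can reach is a single capability-table row.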

As noted by Kosutic, options for placing the CISO (and his or her security group) in the organization are generally driven by organizational size and include all of the following EXCEPT:

within a division/department with a conflict of interest
