Cybersecurity Fundamentals Part 1
Which of the following is a method used for risk treatment? a. All of the answers b. Risk avoidance c. Risk mitigation d. Risk acceptance
a. All of the answers
The process of verifying the identity of a user, system, or entity is known as: a. Authentication b. Accounting c. Non-repudiation d. Authorization
a. Authentication
Incident Response actions can be broadly categorized into which three phases? a. Detection, Reaction, and Recovery b. Alerting, Containment, and Eradication c. Detection, Analysis, and Post-Incident Handling d. Preparation, Mitigation, and Documentation
a. Detection, Reaction, and Recovery
Risk identification in risk management involves: a. Enumerating and documenting potential risks to information assets b. Calculating the financial impact of potential risks c. Transferring risk to insurance companies d. Applying controls to mitigate risks
a. Enumerating and documenting potential risks to information assets
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company will provide for the employee's legal defense. a. False b. True
a. False
All incidents require the same level of response and follow-up. a. False b. True
a. False
All risks identified during the risk assessment process must be completely eliminated to ensure organizational security. a. False b. True
a. False
An advance-fee fraud attack involves the interception of cryptographic elements to determine keys and encryption algorithms. a. False b. True
a. False
An effective security education, training, and awareness (SETA) program is optional for implementing a robust information security policy. a. False b. True
a. False
Attacks conducted by scripts are usually unpredictable. a. False b. True
a. False
Digital forensics is used only after an incident has occurred, to prosecute those responsible for the attack. a. False b. True
a. False
Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, which is known as a threat prioritization. a. False b. True
a. False
Pervasive risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls. a. False b. True
a. False
The Incident Response Plan (IRP) is activated only for major cybersecurity incidents that affect critical infrastructure. a. False b. True
a. False
The security framework is a more detailed version of the security blueprint. a. False b. True
a. False
In the context of information security, which of the following best describes the concept of "integrity"? a. Maintaining the accuracy and completeness of data b. Ensuring that data is accessible to authorized users c. Allowing for the recovery of data after a breach d. Protecting data from unauthorized disclosure
a. Maintaining the accuracy and completeness of data
_____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization. a. Managerial b. Informational c. Operational d. Technical
a. Managerial
The primary goal of information security management is to: a. Protect the confidentiality, integrity, and availability of information b. Reduce the organization's reliance on technology c. Increase the profitability of the organization d. Enhance the speed of organizational information processing
a. Protect the confidentiality, integrity, and availability of information
Which of the following is a primary goal of cryptography? a. Protecting information confidentiality and integrity b. Reducing organizational overhead c. Increasing system performance d. Simplifying user authentication processes
a. Protecting information confidentiality and integrity
Which of the following is not a component of the risk management framework? a. Risk insurance b. Risk analysis c. Risk evaluation d. Risk monitoring
a. Risk insurance
Which of the following roles is primarily responsible for the implementation and management of an organization's security tools? a. System administrator b. End user c. Data user d. Data owner
a. System administrator
Risk appetite refers to: a. The amount and type of risk an organization is willing to pursue or retain b. The total amount of risk an organization can handle c. The maximum risk that an organization is willing to accept without action d. The process of transferring risk to another party
a. The amount and type of risk an organization is willing to pursue or retain
A risk assessment is a process that identifies vulnerabilities in an organization's information systems and the threats to those systems, to determine the potential impact. a. True b. False
a. True
A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. a. True b. False
a. True
NIST responded to a mandate and created a voluntary Risk Management Framework that provides an effective approach to manage cybersecurity risks. a. True b. False
a. True
Residual risk is the risk that remains after all risk treatment measures have been applied. a. True b. False
a. True
Risk appetite defines the total amount of risk an organization is willing to accept in pursuit of its objectives. a. True b. False
a. True
Risk management is a process aimed at identifying, assessing, and mitigating risks to an organization's information assets. a. True b. False
a. True
Tactical planning in information security management involves actions taken to specify the short-term goals and objectives of the organization. a. True b. False
a. True
The Department of Defense's Advanced Research Projects Agency (ARPA) was instrumental in creating the foundation for what would become the Internet. a. True b. False
a. True
The development, dissemination, review, comprehension, compliance, and enforcement are all critical tasks for the effective management and legal defensibility of information security policies. a. True b. False
a. True
The enterprise information security policy (EISP) sets the strategic direction, scope, and tone for all security efforts within the organization. a. True b. False
a. True
The use of social engineering techniques, such as phishing, is considered a serious threat to information security. a. True b. False
a. True
The value of information to the organization's competition should influence the asset's valuation. a. True b. False
a. True
The _____ risk treatment strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. a. acceptance b. transference c. mitigation d. defense
a. acceptance
A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack. a. assessment b. review c. search d. investigation
a. assessment
An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) ___________. a. asset b. risk c. access method d. exploit
a. asset
Understanding the _____ context means understanding the impact of elements such as the business environment, the legal/regulatory/compliance environment, as well as the threat environment. a. external b. design c. risk evaluation d. internal
a. external
The _____ risk treatment strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. a. mitigation b. transference c. termination d. acceptance
a. mitigation
As each information asset is identified, categorized, and classified, a(n) _____ value must be assigned to it. a. relative b. secondary c. positional d. significant
a. relative
Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite. a. tolerance b. baseline c. residual d. benefit
a. tolerance
Security _____ are the areas of trust within which users can freely communicate. a. domains b. perimeters c. layers d. rectangles
a. domains
__________ is a network project that preceded the Internet. a. NIST b. ARPANET c. FIPS d. DES
b. ARPANET
Continuous improvement in the risk management framework is essential for: a. Reducing the cost of risk management activities b. Adapting to new threats and vulnerabilities c. Maintaining an unchanged risk posture d. Keeping the same security controls indefinitely
b. Adapting to new threats and vulnerabilities
According to NIST SP 800-14's security principles, security should _____. a. support the mission of the organization b. All of the above c. be cost-effective d. require a comprehensive and integrated approach
b. All of the above
Which of these is not one of the general categories of security policy? a. Issue-specific security policy (ISSP) b. Category-specific policy (CSP) c. Systems-specific policy (SysSP) d. Enterprise information security policy (EISP)
b. Category-specific policy (CSP)
What is the first phase of the Contingency Planning process? a. Identifying preventive controls b. Conducting the business impact analysis c. Forming the Contingency Planning Management Team (CPMT) d. Developing the contingency plan
b. Conducting the business impact analysis
Which of the following is not a purpose of a security policy? a. Identifying what assets need to be protected b. Detailing specific technical solutions for security issues c. Defining the organization's stance on security d. Assigning responsibilities for various aspects of the security program
b. Detailing specific technical solutions for security issues
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior. a. True b. False
b. False
Continuous improvement is not a stage in the risk management framework. a. True b. False
b. False
Guidelines are detailed statements of what must be done to comply with policy. a. True b. False
b. False
Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse. a. True b. False
b. False
Risk management's primary goal is to eliminate all risks associated with an organization's information assets. a. True b. False
b. False
The complete details of ISO/IEC 27002 are widely available to everyone. a. True b. False
b. False
Which of the following encryption methods does not provide confidentiality for a message itself? a. Symmetric encryption b. Hashing c. Asymmetric encryption d. Public key infrastructure (PKI)
b. Hashing
The primary purpose of a Denial of Service (DoS) attack is to: a. Encrypt user data for ransom b. Make a service unavailable to its intended users c. Steal user credentials d. Gain unauthorized access to systems
b. Make a service unavailable to its intended users
The use of encryption is primarily intended to: a. Prevent denial of service attacks b. Protect the confidentiality of information c. Allow anonymous web browsing d. Increase system performance
b. Protect the confidentiality of information
Which of the following best describes the role of data custodians in an organization? a. They determine the level of data classification and changes to that classification. b. They oversee data storage and backups, implementing specific security policies and procedures. c. They are responsible for the security and use of a particular set of information. d. They manage the use of information sets and coordinate their protection, storage, and use.
b. They oversee data storage and backups, implementing specific security policies and procedures.
A security policy serves as a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. a. False b. True
b. True
Access control systems are designed to restrict access to resources only to authorized users, services, or systems. a. False b. True
b. True
Encryption is used to enhance the confidentiality of information by making it unreadable to unauthorized individuals. a. False b. True
b. True
Ensuring the availability of data to authorized users is a key objective of information security. a. False b. True
b. True
Good security programs begin and end with policy. a. False b. True
b. True
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. a. False b. True
b. True
Information security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction for information security. a. False b. True
b. True
Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct. a. False b. True
b. True
NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. a. False b. True
b. True
Ransomware is a type of malware that encrypts files on the victim's system, demanding payment for decryption keys. a. False b. True
b. True
Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets. a. False b. True
b. True
Some policies may also need a(n) sunset clause indicating their expiration date. a. False b. True
b. True
The identification, analysis, and evaluation of risk as initial parts of risk management is called risk assessment. a. False b. True
b. True
The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings. a. False b. True
b. True
To achieve balance—that is, to operate an information system that satisfies the user and the security professional—the security level must allow reasonable access, yet protect against threats. a. False b. True
b. True
The concept of competitive _____ refers to falling behind the competition. a. failure b. disadvantage c. drawback d. shortcoming
b. disadvantage
A nonmandatory recommendation the employee may use as a reference is known as a _____. a. procedure b. guideline c. standard d. practice
b. guideline
The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures, is known as ______. a. mean time to diagnose (MTTD) b. mean time between failure (MTBF) c. mean time to repair (MTTR) d. mean time to failure (MTTF)
b. mean time between failure (MTBF)
Hackers can be generalized into two skill groups: expert and ______. a. journeyman b. novice c. professional d. packet monkey
b. novice
The primary role of a Chief Information Security Officer (CISO) within an organization is to ensure the security of its information technology and data from cyber threats. a. False b. True
b. True
Which of the following best describes the role of an information security policy? a. Outlines the technical specifications of the organization's IT infrastructure b. Provides step-by-step instructions for system operations c. Dictates certain behaviors within an organization regarding the use of information d. Lists the hardware and software approved for use within the organization
c. Dictates certain behaviors within an organization regarding the use of information
The primary goal of Business Continuity Planning (BCP) is to: a. Prevent cybersecurity incidents from occurring b. Prosecute attackers in the event of a cybersecurity incident c. Ensure that critical business functions continue during and after a disaster d. Recover lost data after a cybersecurity breach
c. Ensure that critical business functions continue during and after a disaster
Social engineering attacks exploit: a. Encryption algorithms b. Software vulnerabilities c. Human psychology d. Network infrastructure
c. Human psychology
What role does the communication plan play in incident response and contingency planning? a. It documents the IT infrastructure. b. It outlines the technical steps for recovery. c. It specifies how information about incidents is communicated within and outside the organization. d. It lists potential threats to the organization.
c. It specifies how information about incidents is communicated within and outside the organization.
A systems-specific security policy (SysSP) is: a. A high-level overview of the organization's security philosophy b. General guidelines for user behavior on social media c. Organizational policies that function as standards or procedures for configuring or maintaining systems d. Nonmandatory recommendations for policy compliance
c. Organizational policies that function as standards or procedures for configuring or maintaining systems
Which of the following is not a fundamental concept of information security? a. Privacy b. Integrity c. Redundancy d. Confidentiality
c. Redundancy
The first step in the risk management process is: a. Risk control b. Risk treatment c. Risk identification d. Risk assessment
c. Risk identification
In the context of risk management, residual risk refers to: a. The risk transferred to third parties b. The total risk before any controls are applied c. The risk that remains after controls are applied d. The initial risk identified before assessment
c. The risk that remains after controls are applied
In incident response, what is the significance of the "preparation" phase? a. To analyze incidents after they occur b. To recover from incidents c. To ensure readiness for responding to incidents d. To review and update security policies
c. To ensure readiness for responding to incidents
Phishing attacks typically aim to: a. Damage system hardware b. Steal sensitive information c. Trick individuals into revealing personal information d. Create a denial-of-service condition
c. Trick individuals into revealing personal information
A subject or object's ability to use, manipulate, modify, or affect another subject or object is known as ___________. a. assets b. risk c. access d. exploits
c. access
Which of these is NOT a unique function of information security management? a. planning b. policy c. hardware d. programs
c. hardware
Advance-Fee fraud is an example of a ______ attack. a. virus b. worm c. social engineering d. spam
c. social engineering
The actions taken by management to specify the intermediate goals and objectives of the organization are _____. a. operational planning b. strategic planning c. tactical planning d. contingency planning
c. tactical planning
Which of the following is a valid type of role when it comes to data ownership? a. Data custodians b. Data users c. Data owners d. All of the above
d. All of the above
Risk treatment involves: a. Ignoring identified risks b. Accepting all risks without action c. Transferring all risks to insurance d. Applying controls to mitigate risks
d. Applying controls to mitigate risks
A comprehensive information security program includes measures to protect against unauthorized access but also ensures that: a. Data can be modified by anyone for accuracy. b. Data is permanently stored without the possibility of deletion. c. Users have unrestricted access to all organizational data. d. Data is available to authorized users when needed.
d. Data is available to authorized users when needed.
A risk assessment's purpose is to: a. Assess the organization's profit margins b. Transfer risk to third parties c. Eliminate all organizational risks d. Determine the impact and likelihood of identified risks
d. Determine the impact and likelihood of identified risks
An incident response plan (IRP) is essential for: a. Defining the organization's security policy b. Guiding the organization through the recovery after a disaster c. Encrypting sensitive information d. Managing the aftermath of security breaches or attacks
d. Managing the aftermath of security breaches or attacks
Which of the following is not a component of governance, risk management, and compliance (GRC)? a. Information security governance b. Regulatory compliance c. Risk management d. Physical security enforcement
d. Physical security enforcement
A disaster recovery plan (DRP) primarily focuses on: a. Conducting regular security audits b. Monitoring network traffic c. Preventing security breaches d. Restoring an organization's IT operations after a disaster
d. Restoring an organization's IT operations after a disaster
The process of determining the impact and likelihood of identified risks is known as: a. Risk communication b. Risk identification c. Risk control d. Risk assessment
d. Risk assessment
Which of the following is not a stage in the risk management framework? a. Risk evaluation b. Framework design c. Framework implementation d. Risk monetization
d. Risk monetization
Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. a. residual b. benefit c. acceptance d. appetite
d. appetite
The risk management (RM) _____ is the overall structure of the strategic planning and design for the entirety of the organization's RM efforts. a. assessment b. treatment c. acceptance d. framework
d. framework
A detailed statement of what must be done to comply with management intent is known as a _____. a. procedure b. practice c. guideline d. standard
d. standard
Spear phishing differs from regular phishing by: a. using malware instead of deceptive links b. being less sophisticated and easier to detect c. aiming to disrupt services rather than steal information d. targeting a specific individual or organization
d. targeting a specific individual or organization
Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____. a. threats b. exploits c. events d. vulnerabilities
d. vulnerabilities