Cybersecurity Management I - Strategic - C727 UCertify Practice Test (A)


Question 23 :Which component of a computer use policy should state that the data stored on a company computer is not guaranteed to remain confidential?

no expectation of privacy

You have developed the information security policy for your organization. Which step should precede the adoption of this policy?

obtaining management approval

Question 18 :You have been asked to identify organizational goals for use in developing an organizational security model. Which type of goals are daily goals?

operational goals

Your organization has asked the security team to add terrorist attacks to the organization's business continuity plan. Which type of threat does this represent?

politically motivated threat

Question 50 :When configuring a new network, you decide to use routers and encryption to improve security. Of which type of technical control is this an example?

preventative

Your company's security policy includes system testing and security awareness training guidelines. Which control type is this considered?

preventative administrative control

Question 67 :Which term is used when some risk is leftover even after implementing countermeasures?

residual risk

Question 60 :You are analyzing risks for your organization. You must ensure that senior management provides the risk management components that you needed. All of the following components are provided by senior management, EXCEPT:

risk mitigation procedures

__________is implemented to secure physical access to an object, such as a building, a room, or a computer. These controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling.

A physical control

Question 35 :Your organization's Web site follows the Platform for Privacy Preferences Project (P3P) guidelines for user privacy on its public Web site. Which organization developed P3P?

World Wide Web Consortium (W3C)

Which role is a strategic role that helps to develop policies, standards, and guidelines and ensures the security elements are implemented properly?

Security analyst

When developing a security management program, which development will be the result of following a life cycle structure?

Written policies are mapped to and supported by security activities.

Question 62 :What is NOT an example of an operational control?

a business continuity plan

Question 56 :Management has expressed an interest in implementing deterrents to discourage security violations. Which control is an example of this strategy?

a fence

Question 65 :While completing the business impact analysis, the committee discovers that a human resources application relies on the following two servers:
a human resources server managed by the human resources department in San Antonio, Texas
a database server managed by the IT department in San Antonio, Texas
At the suggestion of the business continuity plan committee, management decides to implement redundant servers for both of these servers and place the redundant servers in the branch office in Seattle, Washington. What are the two new servers an example of?

a preventative control. During the business impact analysis, the business continuity committee will determine the threats to the organization. As part of this process, the committee will need to understand dependencies between the systems. Preventative controls may be suggested by the committee to prevent certain threats.

Question 47 :Which business continuity plan (BCP) element exists to alleviate the risk of certain threats by providing monetary compensation in the event those threats occur?

insurance

Which option is NOT an element of detective physical control?

motion generator

You have been hired as a security contractor for a small manufacturing company. The company currently uses a discretionary access control (DAC) model. What individual is primarily responsible for determining access control in this company?

data owner

___________ occurs when the IT department has to implement a security program without top management's initiation or support. This approach is less effective than the top-down approach.

A bottom-up approach

___________is a technical preventive control that regulates network traffic between different zones in accordance with an organization's network security policy. A firewall prevents unauthorized access to the network.

A firewall

Which statement(s) regarding security policy are correct?

A security policy lays down the broad security objectives of an organization. AND A security policy establishes the authority and the responsibilities of individuals and is strategic in nature.

Question 20 :Which statements regarding system security policy are correct?

A system security policy specifies the list of approved hardware and software. AND A system security policy specifies the steps undertaken for the protection of infrastructure equipment.

_____________ put into place to restrict access. These controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols.

A technical control is

Question 68 :Which controls are integral parts of informational security administration?

Administrative, technical, and physical

_________ is developed to dictate how security policies are implemented to fulfill the company's security goals. These controls include policies and procedures, personnel controls, supervisory structure, security training, and testing.

An administrative

___________ defines the sensitivity of a company's data. In part, a security policy defines separation of duties, which determines who needs access to certain company information.

An information policy

Question 46 :Your organization has developed and implemented new security strategies for the network. What should you do next?

Assess the effectiveness of the new security strategies.

Question 43 :A typical termination procedure policy often includes which of the following elements?

At least one witness is present during the exit interview.
Account access is disabled during the interview.
Employee identification badges and other physical credentials such as smartcards are collected during or immediately after the interview.
The employee is escorted off the premises immediately after the interview.

Question 40 :Your company is establishing new employment candidate screening processes. Which of the following should be included?

Check all references.
Verify all education.
Review military records and experience.
Perform a background check.

Question 52 :Management is concerned that you cannot implement some access controls because they are too expensive to implement. You have been asked to provide less expensive alternatives to the expensive access controls. Which type of access control will you be providing?

Compensative

Question 30 :Your company has recently announced a partnership with a third party. This third-party organization needs access to several file servers owned by your organization. You need to ensure that the third party is able to access the appropriate resources. What should you do FIRST?

Conduct a risk assessment for the third-party organization. You should establish a written IT security policy for the relationship only AFTER the risk assessment has been completed. You should provide minimal access for third-party users to the appropriate resources AFTER the written security policy for the relationship is established. You should monitor third-party user access to the resources AFTER the access has been allowed. If possible, you should restrict third-party user access to specific days/times.

You are your organization's security administrator. You need to ensure that your organization's data is accurate and secure. Which security objective should you implement?

Confidentiality and integrity

What are the core security objectives for the protection of information assets?

Confidentiality, integrity, and availability

Question 12 :Which role is delegated to personnel of the IT department and is responsible for maintaining the integrity and security of the data?

Data custodian BECAUSE they are responsible for the following:
Maintaining records of activity
Verifying the accuracy and reliability of the data
Backing up and restoring data on a regular basis

Question 5 :What is the designation of an employee who is responsible for maintaining and protecting information?

Data custodian BECAUSE they do the following:
Maintaining activity records
Verifying data accuracy and reliability
Backing up and restoring data regularly

Question 9 :Which term indicates that a company has taken reasonable measures to protect its confidential information and employees?

Due care. Due care implies that a company assumes responsibility for the actions taking place within the organization by taking reasonable measures to prevent security breaches and to protect information assets and employees. Due care also ensures minimum damage and loss of information and individuals in the event of an intrusion because the countermeasures are already in place.

____________ is performed by the company before the standards for due care are set. Due diligence implies that the company investigates and determines the possible vulnerabilities and risks associated with the information assets and employee network of the company.

Due diligence

___________ is the percentage of loss that would result should a certain threat occur. Annualized loss expectancy (ALE) is calculated using the following formula: (SLE) x (annualized rate of occurrence)

Exposure factor (EF)

Question 64 :The business continuity team has determined that a demilitarized zone (DMZ) should be implemented to ensure that public users only access certain servers. Which step of the business continuity process is the team completing?

Identify preventative controls.

Question 26 :You are performing asset identification and change control blueprints. In which phase of the security management life cycle are you engaged?

Implement

Question 49 :Which statement correctly describes information security?

Information security is a continuous process.

_____________________is a standard that provides recommendations on enterprise security. The domains covered in ISO 17799 are as follows:
Information security policy for the organization
Creation of information security infrastructure
Asset classification and control
Personnel security
Physical and environmental security
Communications and operations management
Access control
System development and maintenance
Business continuity management
Compliance

International Standards Organization (ISO) 17799

Question 10 :What should be the role of the management in developing an information security program?

It is mandatory.

Question 36 :Which statement is true of Tripwire?

It monitors the change in the baseline configuration of a system.

__________ include unauthorized access, explosions, disgruntled employee incidents, employee errors, accidents, vandalism, fraud, and theft.

Manmade threats

___________ ensure that confidentiality, integrity, and availability of the data stored on the storage media is properly adhered to and is not compromised. Media controls define appropriate controls for labeling, handling, storage, and disposal of storage media.

Media controls

Question 71 :As your organization's security administrator, you are reviewing the audit results to assess if your organization's security baselines are maintained. In which phase of the security management life cycle are you engaged?

Monitor and Evaluate BECAUSE it is responsible for the following:
Review logs, audit results, metrics, and service level agreements.
Assess accomplishments.
Complete quarterly steering committee meetings.
Develop improvement steps for integration into Plan and Organize phase.
Reviewing audits is not part of any of the other phases.

Which term is used to describe the dependability and accessibility of a network and its resources?

Network availability

Which of the following was developed to meet information resource management requirements for the federal government?

OMB Circular A-130

__________ are a generic term used to address all of the goals of an organization. Each goal of the organization is classified as operational, tactical, or strategic in nature.

Organizational goals

_____________ Formulated by the management, this security policy defines the procedure used to set up a security program and its goals. It identifies the major functional areas of information and defines all relevant terms. The management assigns the roles and responsibilities and defines the procedure used to enforce the security policy. A security policy is developed prior to the implementation of standard operating procedures. The organizational policies are strategically developed for the long term.

Organizational security policy

The three access control categories provide seven different functionalities or purposes:

Preventative - A preventative control prevents security breaches and avoids risks.
Detective - A detective control detects security breaches as they occur.
Corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach.
Deterrent - A deterrent control deters potential violations.
Recovery - A recovery control restores resources.
Compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative.
Directive - A directive control provides mandatory controls based on regulations or environmental requirements.

Question 66 :You are attempting to predict the likelihood a threat will occur, and assigning monetary values in the event a loss occurs. Which technique are you using?

Quantitative risk analysis

Question 3 :What does sending data across an insecure network, such as the Internet, primarily affect?

Confidentiality and integrity

Question 32 :Which security principle identifies sensitive data and ensures that unauthorized entities cannot access it?

Confidentiality

Question 42 :Which statement is true of the staff members of an organization in the context of information security?

They pose more threat than external hackers.

Question 8 :Which security framework acts as a model for IT governance and focuses more on operational goals?

COBIT

__________are examples of preventative technical controls because they are used to prevent security breaches. They are also examples of compensative technical controls. Audit logs are detective technical controls and compensative technical controls.

Routers and smart cards

During a recent security audit, auditors note that the network administrator also acts as the company's security administrator. They suggest that the security administrator duties be given to another individual. Which task should NOT be transferred to the new security administrator?

Software upgrade deployment

____________ are long-term goals. They look farther into the future than operational and tactical goals, and take much longer to plan and implement.

Strategic goals

___________ include power outages, communications interruptions, and water and gas interruption.

Supply system threats

Question 70 :Which statement is true of physical access controls?

Surveillance devices offer more protection than fences in the facility.

_________ are midterm goals. They take more time and effort than operational goals, but less time and effort than strategic goals.

Tactical goals

The access control types should be matched with the examples in the following manner:

Technical - Encryption protocols
Administrative - Security policies
Physical - Locks

___________include all authentication mechanisms, including password, two-factor, Kerberos, biometrics, smart cards, and RADIUS authentication. Network segmentation is accomplished by using logical controls.

Technical or logical controls

___________________ is a security framework that acts as a model for corporate governance and focuses more on strategic goals. The COSO framework is made up of the following components:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

__________ was developed to ensure that financial institutions protect customer information and provide customers with a privacy notice.

The Gramm-Leach-Bliley Act (GLBA) of 1999

_______________ coordinates Internet design, engineering, and management. It oversees the Internet Engineering Task Force (IETF). The IAB issues ethics-related Internet usage guidelines.

The Internet Architecture Board (IAB)

_________was developed to ensure that financial information on publicly traded companies is accurate.

The Sarbanes-Oxley Act (SOX)

____________ is typically part of management. The data owner controls the process of defining IT service levels, provides information during the review of controls, and is responsible for authorizing the enforcement of security controls to protect the information assets of the organization.

The data owner

______________approves data classes and alters the classes as needs arise. This role must ensure that appropriate security controls and user access rights are in place.

The data owner

__________ creates new user accounts and passwords, implements security software, and tests patches and software components. This role is more functional in nature as compared to the security analyst role.

The security administrator

__________ is responsible for maintaining and protecting one or more data processing systems. The role primarily includes integration of the required security features into the applications and a purchase decision of the applications. This person also ensures that the remote access control, password management, and operating system configurations provide the necessary security.

The system owner

Question 28 :Which statement is true of the staff members of an organization in the context of information security?

They pose more threat than external hackers.

Which statement is true of the chief security officer's (CSO's) role in an organization?

This role should be self-governing and independent of all the other departments in the organization.

Question 27 :When Microsoft uses a Security Development Lifecycle (SDL) process to consider and implement security at each stage of a product's development, which of the following goals does it have in mind with this process?

To reduce the number of security-related design defects
To reduce the number of coding defects
To reduce the severity of any remaining defects

You have been asked to design a security program. Which approach should you use?

Top-down approach

Question 22 :As part of the new security initiative, you must ensure that users in your organization do not install unauthorized software. Which user agreement should include this restriction?

acceptable use policy

Question 53 :You are working with management and the human resources department to put a security policy and several personnel controls into place. To which access control category do the controls belong?

administrative

Which control provides continuous management of hardware, software, and information assets?

an operational control

During a meeting, you present management with a list of the access controls used on your network. You explain that these controls include preventative, detective, and corrective controls. Which control is an example of a corrective control?

antivirus software

Question 48 :During business continuity planning, you need to obtain the single loss expectancy (SLE) of the company's file server. Which formula should you use to determine this?

asset value x exposure factor (EF)

Question 44 :Which operations security triples component is used to group all hardware, software, and informational resources?

assets

Question 57 :Management asks you to provide a list of all access controls that will detect when a security issue occurs. Which control is an example of this?

audit log

As the security auditor, you are examining the user accounts in your single sign-on network. You discover that a long-term employee has more access permissions than he needs to complete his job. You determine that this issue has occurred over time as a result of changing jobs within the organization. Which term is used to describe the condition that has occurred?

authorization creep

For which security objective(s) should system owners and data owners be accountable?

availability, integrity, and confidentiality

Which business role must ensure that all operations fit within the business goals?

business/mission owner

Question 74 :Which type of control is an example of a detective control?

closed-circuit television (CCTV)

Question 72 :Which control is best used to identify authorized users involved in unauthorized activities?

detective control

Question 34 :You are designing the user management policies for your organization. What is typically part of these policies?

employee termination

The physical access controls can include the following as security measures:

guards to protect the perimeter of the facility
fences around the facility to prevent unauthorized access by the intruders
badges for the employees for easy identification
locks (combination, cipher, mechanical and others) within the facility to deter intruders
surveillance devices, such as CCTVs, to continuously monitor the facility for suspicious activity and record each activity for future use

Question 31 :Which of the following factors do you need to consider during the merger? Each correct answer represents a complete solution. Choose all that apply.

hardware
minimum security requirements
services
third-party governance

Question 19 :What is defined in an acceptable use policy?

how users are allowed to employ company hardware

Question 59 :Management of your company has recently become increasingly concerned with security. You have been asked to provide examples of controls that will help to prevent security breaches. Which control is an example of this?

security policy

You are designing employee termination process guidelines. Which activity is NOT included in the employee termination process?

signing a non-disclosure agreement

Question 63 :To which category of controls does system auditing and monitoring belong?

technical control

Question 54 :You have implemented several software controls in your organization. Which category of access controls have you implemented?

technical controls

There are three categories of access control:

technical, administrative, and physical controls.

Question 61 :What is the purpose of quantitative risk analysis?

to analyze the already prioritized risks in such a way as to give each a numerical rating

Question 38 :When are exigent circumstances used?

when evidence might be destroyed
