Finals (Chapters 4 - 6)
Access control is the process of proving you are the person or entity you claim to be. A. True B. False
B. False
What is the difference between a BCP and a DRP? A. A BCP does not specify how to recover from disasters, just interruptions. B. A DRP directs the actions necessary to recover resources after a disaster. C. A DRP is a part of a BCP. D. All of the above.
D. All of the above.
The recovery point objective (RPO) identifies the amount of _________ that is acceptable. A. support B. time to recover C. risk D. data loss
D. data loss
________ is the process of managing changes to computer/device configuration or application software. A. Sprint B. Procedure control C. Change control D. Proactive change management
C. Change control
The term functional policy describes a statement of an organization's management direction for security in such specific functional areas as e-mail, remote access, and Internet surfing. A. True B. False
A. True
The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks. A. True B. False
A. True
The waterfall model is a software development model that defines how development activities progress from one distinct phase to the next. A. True B. False
A. True
The name given to a group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies, is ________. A. emergency operations group B. security event team C. guideline control D. security administration
A. emergency operations group
Risks apply to specific assets. If you multiply the risk __________ by the cost of the asset, the result is the exposure to a specific risk. A. probability B. damage C. security breach D. threat
A. probability
The process of managing risks starts by identifying __________. A. risks B. business drivers C. exposure factor (EF) D. standards
A. risks
The ____________ is the central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems. A. security kernel B. authentication C. physical access control D. event-based synchronization system
A. security kernel
A method of restricting resource access to specific periods of time is called ________. A. temporal isolation B. classification C. multi-tenancy D. separation of duties
A. temporal isolation
Temporal isolation restricts access to specific _________ and is often used in combination with role-based access control. A. times B. equipment C. people D. all of the above
A. times
An organization's facilities manager might give you a security card programmed with your employee ID number, also known as a ________. A. password B. smart card C. physical access control D. resources
B. smart card
Which of these biometric authentication methods is not as accurate as the rest? A. iris scans B. voice pattern C. retina scan D. facial recognition
B. voice pattern
What is meant by multi-tenancy? A. An authentication method that uses only a single type of authentication credentials. B. A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. C. A database feature that allows different groups of users to access the database without being able to access each other's data. D. A property that indicates that a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification.
C. A database feature that allows different groups of users to access the database without being able to access each other's data.
Which of the following is the definition of guideline? A. A method of developing software that is based on small project iterations, or sprints, instead of long project schedules. B. Recorded information from system events that describes security-related activity. C. A recommendation to purchase or how to use a product or system. D. A senior manager who reviews a certification report and makes the decision to approve the system for implementation.
C. A recommendation to purchase or how to use a product or system.
What is meant by authorizing official (AO)? A. An individual to enact changes in response to reported problems. B. The process of managing changes to computer/device configuration or application software. C. A senior manager who reviews a certification report and makes the decision to approve the system for implementation. D. A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization.
C. A senior manager who reviews a certification report and makes the decision to approve the system for implementation.
The term cloud computing refers to the practice of using computing services that are delivered over a network. A. True B. False
A. True
Your organization's __________ sets the tone for how you approach related activities. A. assets B. security policy C. configuration D. guidelines
B. security policy
What is the Project Management Body of Knowledge (PMBOK)? A. A collection of the knowledge and best practices of the project management profession. B. The collection of components, including people, information, and conditions, that support business objectives. C. A description of how you will manage overall risk. It includes the approach, required information, and techniques to address each risk. D. Any risk that exists but has a defined response.
A. A collection of the knowledge and best practices of the project management profession.
What is meant by risk register? A. A list of identified risks that results from the risk-identification process. B. A comparison of security controls in place and the controls that are needed to address all identified threats. C. The estimated loss due to a specific realized threat. D. The process of identifying, assessing, prioritizing, and addressing risks.
A. A list of identified risks that results from the risk-identification process.
________ is an authorization method in which access to resources is decided by the user's formal status. A. Authority-level policy B. Knowledge C. Physically constrained user interface D. Decentralized access control
A. Authority-level policy
What is meant by annual rate of occurrence (ARO)? A. The annual probability that a stated threat will be realized. B. A comparison of security controls in place and the controls that are needed to address all identified threats. C. The estimated loss due to a specific realized threat. D. A collection of the knowledge and best practices of the project management profession.
A. The annual probability that a stated threat will be realized.
A compliance liaison works with each department to ensure that it understands, implements, and monitors compliance in accordance with the organization's policies. A. True B. False
A. True
A physically constrained user interface is a user interface that does not provide a physical means of entering unauthorized information. A. True B. False
A. True
An organization must comply with rules on two levels: regulatory compliance and organizational compliance. A. True B. False
A. True
Initiating changes to avoid expected problems is the definition of proactive change management. A. True B. False
A. True
Mandatory access control (MAC) is a means of restricting access to an object based on the object's classification and the user's security clearance. A. True B. False
A. True
Resources are protected objects in a computing system, such as files, computers, or printers. A. True B. False
A. True
Single loss expectancy (SLE) means the expected loss for a single threat occurrence. The formula to calculate SLE is SLE = Resource Value × EF. A. True B. False
A. True
Sprint means one of the small project iterations used in the "agile" method of developing software, in contrast with the usual long project schedules of other ways of developing software. A. True B. False
A. True
The process of managing the baseline settings of a system device is the definition of configuration control. A. True B. False
A. True
The proportion of value of a particular asset likely to be destroyed by a given risk, expressed as a percentage, is exposure factor (EF). A. True B. False
A. True
The term annual rate of occurrence (ARO) describes the annual probability that a stated threat will be realized. A. True B. False
A. True
The term asynchronous token refers to an authentication token used to process challenge-response authentication with a server. The token takes the server's challenge value and calculates a response. The user enters the response to authenticate a connection. A. True B. False
A. True
How is decentralized access control defined? A. Two or more people working together to violate a security policy. B. A system that puts access control into the hands of people such as department managers who are closest to system users; there is no one centralized entity to process access requests in this system. C. A database made up of rules that determine individual users' access rights. D. An authentication method in which a user is authenticated at multiple times or event intervals.
B. A system that puts access control into the hands of people such as department managers who are closest to system users; there is no one centralized entity to process access requests in this system.
When an information security breach occurs in your organization, a __________ helps determine what happened to the system and when. A. baseline B. security event log C. functional policy D. security policy
B. security event log
Which of the following describes an asynchronous token? A. An authentication method that uses only a single type of authentication credentials. B. An authentication token used to process challenge-response authentication with a server. It takes the server's challenge value and calculates a response. The user enters the response to authenticate a connection. C. An authentication method that uses two types of authentication credentials. D. Associating actions with users for later reporting and research.
B. An authentication token used to process challenge-response authentication with a server. It takes the server's challenge value and calculates a response. The user enters the response to authenticate a connection.
__________ is rapidly becoming an increasingly important aspect of enterprise computing. A. Risk analysis B. Disaster recovery C. Risk management D. Risk methodology
B. Disaster recovery
Annual loss expectancy (ALE) means the process of identifying, assessing, prioritizing, and addressing risks. A. True B. False
B. False
Authority-level policy is a database feature that allows different groups of users to access the database without being able to access each other's data. A. True B. False
B. False
Qualitative risk analysis is a list of identified risks that results from the risk-identification process. A. True B. False
B. False
Residual risk is a risk-analysis method that uses mathematical formulas and numbers to assist in ranking risk severity. A. True B. False
B. False
Role-based access control (RBAC) means limiting users' access to database views, as opposed to allowing users to access data in database tables directly. A. True B. False
B. False
The Delphi method is the estimated loss due to a specific realized threat. The formula to calculate this loss is SLE × ARO. A. True B. False
B. False
The annual probability that a stated threat will be realized is called a security gap. A. True B. False
B. False
The term constrained user interface describes an authentication method that uses only a single type of authentication credentials. A. True B. False
B. False
The term guideline refers to a group that oversees all proposed changes to systems and networks. A. True B. False
B. False
The term need-to-know refers to a device used as a logon authenticator for remote users of a network. A. True B. False
B. False
The term remediation refers to fixing something before it is broken, defective, or vulnerable. A. True B. False
B. False
The term risk methodology refers to a list of identified risks that results from the risk-identification process. A. True B. False
B. False
The term standard describes initiating changes to avoid expected problems. A. True B. False
B. False
What is meant by constrained user interface? A. Protected objects in a computing system, such as files, computers, or printers. B. Software that allows users to enter only specific information. C. Indicates a change from normal to abnormal behavior. D. An authentication credential that is generally longer and more complex than a password; it can also contain multiple words.
B. Software that allows users to enter only specific information.
Which of the following is the definition of business drivers? A. A comparison of security controls in place and the controls that are needed to address all identified threats. B. The collection of components, including people, information, and conditions, that support business objectives. C. The process of identifying, assessing, prioritizing, and addressing risks. D. The estimated loss due to a specific realized threat.
B. The collection of components, including people, information, and conditions, that support business objectives.
This device uses public key infrastructure (PKI) technology—for example, a certificate signed by a trusted certification authority—and doesn't provide one-time passwords. A. synchronous token B. USB token C. smart card D. asynchronous token
B. USB token
What term is used to describe associating actions with users for later reporting and research? A. constrained user interface B. accountability C. ownership D. event-based synchronization system
B. accountability
A ___________ will help identify not only which functions are critical, but also how quickly essential business functions must return to full operation following a major interruption. A. business continuity plan (BCP) B. business impact analysis (BIA) C. disaster recovery plan (DRP) D. risk methodology
B. business impact analysis (BIA)
What or who is the individual or team responsible for performing the security test and evaluation for the system and for preparing the report for the AO on the risk of operating the system? A. remediation B. certifier C. compliance liaison D. system owners
B. certifier
What name is given to a comparison of security controls in place and the controls that are needed to address all identified threats? A. risk methodology B. gap analysis C. exposure factor (EF) D. qualitative risk analysis
B. gap analysis
For all the technical solutions you can devise to secure your systems, the __________ remains your greatest challenge. A. administration B. human element C. certifier D. regulations
B. human element
A mechanism that limits access to computer systems and network resources is ________. A. threshold mechanism B. logical access control C. password mechanism D. actions
B. logical access control
What name is given to a risk-analysis method that uses relative ranking to provide further definition of the identified risks in order to determine responses to them? A. quantitative risk analysis B. qualitative risk analysis C. annual loss expectancy (ALE) D. gap analysis
B. qualitative risk analysis
What name is given to any risk that exists but has a defined response? A. qualitative risk analysis B. residual risk C. risk management D. risk register
B. residual risk
Which of the following adequately defines continuous authentication? A. A mechanism that limits access to computer systems and network resources. B. Optional conditions that exist between users and resources. They are permissions granted to an authorized user, such as read, write, and execute. C. An authentication method in which a user is authenticated at multiple times or event intervals. D. A property that indicates that a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification.
C. An authentication method in which a user is authenticated at multiple times or event intervals.
________ states that users must never leave sensitive information in plain view on an unattended desk or workstation. A. Procedure management B. Emergency operations policy C. Clean desk/clear screen policy D. Security administration policy
C. Clean desk/clear screen policy
_______ is the proportion of value of a particular asset likely to be destroyed by a given risk, expressed as a percentage. A. Annual rate of occurrence (ARO) B. Business drivers C. Exposure factor (EF) D. Risk management
C. Exposure factor (EF)
Which of the following is an accurate description of cloud computing? A. The process of providing credentials to claim to be a specific person or entity. B. The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task. C. The practice of using computing services that are delivered over a network. D. A database feature that allows different groups of users to access the database without being able to access each other's data.
C. The practice of using computing services that are delivered over a network.
What is meant by certification? A. The formal acceptance by the authorizing official of the risk of implementing the system. B. A strategy to minimize risk by rotating employees between various systems or duties. C. The technical evaluation of a system to provide assurance that you have implemented the system correctly. D. A group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies.
C. The technical evaluation of a system to provide assurance that you have implemented the system correctly.
What name is given to a method of developing software that is based on small project iterations, or sprints, instead of long project schedules? A. baseline B. waterfall model C. agile development D. sprint
C. agile development
The first step in risk analysis is to determine what and where the organization's _________ are located. A. plans B. resources C. assets D. standards
C. assets
What term is used to describe a benchmark used to make sure that a system provides a minimum level of security across multiple applications and across different products? A. configuration control B. functional policy C. baseline D. authorizing official (AO)
C. baseline
You can use quantitative risk analysis for all risks on the risk register; however, the amount of effort required may be overkill for _____________ risks. A. low probability B. low impact C. both A and B D. neither A nor B
C. both A and B
The process of managing the baseline settings of a system device is called ________. A. guideline B. baseline C. configuration control D. sprint
C. configuration control
What term is used to describe a set of step-by-step actions to be performed to accomplish a security requirement, process, or objective? A. security administration B. authorizing official (AO) C. procedure D. proactive change management
C. procedure
The goal of ____________ is to quantify possible outcomes of risks, determine probabilities of outcomes, identify high-impact risks, and develop plans based on risks. A. qualitative risk analysis B. annual rate of occurrence (ARO) C. quantitative risk analysis D. risk register
C. quantitative risk analysis
The ___________ team's responsibilities include handling events that affect your computers and networks and ultimately can respond rapidly and effectively to any event. A. IT group B. management C. security administration D. compliance liaison
C. security administration
One of the most popular types of attacks on computer systems involves ___________. These attacks deceive or use people to get around security controls. The best way to avoid this risk is to ensure that employees know how to handle such attacks. A. cloud computing B. the World Wide Web C. social engineering D. worms
C. social engineering
Which of the following best describes quantitative risk analysis? A. The process of identifying, assessing, prioritizing, and addressing risks. B. A risk-analysis method that uses relative ranking to provide further definition of the identified risks in order to determine responses to them. C. A comparison of security controls in place and the controls that are needed to address all identified threats. D. A risk-analysis method that uses mathematical formulas and numbers to assist in ranking risk severity.
D. A risk-analysis method that uses mathematical formulas and numbers to assist in ranking risk severity.
___________ are the benchmarks that help make sure a minimum level of security exists across multiple applications of systems and across different products. A. Assets B. Functional policies C. Policies D. Baselines
D. Baselines
________ is the difference between the security controls you have in place and the controls you need to have in place in order to address all vulnerabilities. A. Gap analysis B. Negative risk C. Quantitative risk analysis D. Security gap
D. Security gap
_____________ is the process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task. A. Accountability B. Decentralized access control C. User Datagram Protocol (UDP) D. Separation of duties
D. Separation of duties
Which of the following is the definition of access control? A. A property that indicates that a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification. B. Some value that indicates a change from normal to abnormal behavior. C. A device used as a logon authenticator for remote users of a network. D. The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources.
D. The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources.
A communication protocol that is connectionless and is popular for exchanging small amounts of data or messages is called ________. A. decentralized access control B. authentication C. single-factor authentication D. User Datagram Protocol (UDP)
D. User Datagram Protocol (UDP)
A security awareness program includes ________. A. teaching employees about security objectives B. motivating users to comply with security policies C. informing users about trends and threats in society D. all of the above
D. all of the above
The formal process of monitoring and controlling risk focuses on _____________ new risks. A. identifying B. tracking previously identified C. analyzing D. all of the above
D. all of the above
Information security activities directly support several common business drivers, including ________ and efforts to protect intellectual property. A. confidentiality B. quantitative risk analysis C. regulations D. compliance
D. compliance
When you accept a __________, you take no further steps to resolve it. A. positive risk B. residual risk C. risk probability D. negative risk
D. negative risk
An organization's facilities manager is often responsible for ____________. A. group membership policy B. multi-tenancy C. threshold D. physical access control
D. physical access control
Any organization that is serious about security will view ___________ as an ongoing process. A. standards B. gap analysis C. business objectives D. risk management
D. risk management
Your _________ plan shows that you have examined risks to your organization and have developed plans to address each risk. A. business B. compliance C. disaster D. risk-response
D. risk-response
The primary task of an organization's __________ team is to control access to systems or resources. A. compliance liaison B. management C. software development D. security administration
D. security administration
When you apply an account-lockout policy, set the __________ to a high enough number that authorized users aren't locked out due to mistyped passwords. A. access control B. continuous authentication C. resources D. threshold
D. threshold
RTO identifies the maximum allowable ________ to recover the function. A. risk B. support C. data loss D. time
D. time
Because personnel are so important to solid security, one of the best security controls you can develop is a strong security ___________ and awareness program. A. documentation B. environment C. guidelines D. training
D. training