InfoSec exam 1

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

(ISC)2

Which of the following is NOT used to categorize some types of law?

international

Any court can impose its authority over an individual or organization if it can establish which of the following?

jurisdiction

The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response.

justification

A type of attack where the adversary intercepts network packets, modifies them, and inserts them back into the network is called a ____________.

man-in-the-middle

In the __________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network

man-in-the-middle

Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.

management guidance, technical specifications

A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective is known as a ____________.

methodology

A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________

methodology

A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________.

methodology

Access control list user privileges include all but which of these?

operate

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organiztion

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________.

penetration tester

Which function of InfoSec management encompasses security personnel as well as aspects of the SETA program?

people

_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.

portable

Which of the following is NOT a primary function of information security management?

projects

The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.

rainbow table

An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as __________.

ransomware

To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology.

reading level

Which of the following is compensation for a wrong committed by an individual or organization?

restitution

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.

search warrant

"4-1-9" fraud is an example of a __________ attack.

social engineering

The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called __________.

software piracy

When creating a __________, each level of each division translates its goals into more specific goals for the level below it.

strategic plan

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.

team leader

Which of the following are the two general groups into which SysSPs can be separated?

technical specifications and managerial guidance

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.

the type of crime committed

Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer?

theft

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________.

threat

The basic outcomes of InfoSec governance should include all but which of the following?

time management by aligning resources with personnel schedules and organizational objectives

Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access.

trespass

A clearly directed strategy flows from top to bottom rather than from bottom to top.

true

A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.

true

Deterrence is the best method for preventing an illegal or unethical activity. ____________

true

Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________

true

Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs. ____________

true

InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence ​professionals.​ ___________

true

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system

true

The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.

true

The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. __________

true

Today's InfoSec systems need constant monitoring, testing, modifying, updating, and repairing.

true

The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies. ___________

true(i think)

Which law extends protection to intellectual property, which includes words published in electronic formats?

us copyright law

Which of the following is a key advantage of the bottom-up approach to security implementation?

utilizes the technical expertise of the individual administrators

In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?

waterfall

Which statement defines the differences between a computer virus and a computer worm?

worm exists and propagates on a computer network while a virus needs the host to be active to survive and need people's lack of awareness to propagate

What are the two general approaches for controlling user authorization for the use of a technology?

Access control lists and capability tables

What function will an audit log provide when it is configured to track user activity on an information system?

Accountability

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

Policy __________ means the employee must agree to the policy.

Compliance

Which of the following are instructional codes that guide the execution of the system when information is passing through it?

Configuration rules

Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?

DMCA

Which type of attack involves sending a large number of connection or information requests to a target?

Denial-of-service (DoS)

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)?

Deontological ethics

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?

Deontological ethics

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past, attempting to answer the question, what do others think is right?

Descriptive ethics

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls.

Deterrence

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

Due diligence

Which policy is the highest level of policy and is usually created first?

EISP

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

Electronic Communications Privacy Act

"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. __________

False

Ethics carry the sanction of a governing authority.

False

ISACA is a professional association with a focus on authorization, control, and security. ________

False - auditing(maybe)

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

HIPAA

A law that addresses privacy and security concerns associated with the electronic transmission of Personal Healthcare Information is the ____________?

Health Information Technology for Economic and Clinical Health Act

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

Hold regular meetings with the CIO to discuss tactical InfoSect planning

In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.

Identifying relevant items of evidentiary value.

In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies?

Implementation

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

Implementation

__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them.

Industrial espionage

Which of the following is a common element of the enterprise information security policy?

Information on the structure of the InfoSec organization

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is not one of them?

Malice

Which of the following explicitly declares the business of the organization and its intended areas of operations?

Mission statement

The protection of voice and data components, connections, and content is known as __________ security.

Network

Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

Policy

Which of the following is NOT one of the basic rules that must be followed when developing a policy?

Policy should be agreed upon by all employees and management

Which of the following is not one of the basic rules that must be followed when shaping a policy?

Policy should be agreed upon by all employees and management.

Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected?

Privacy

Which of the following is NOT an approach to password cracking?

Ransomware

Which of the following is the first step in the problem-solving process?

Recognize and define the problem

When solving problems, what is the first step?

Recognize and define the problem.

Which type of document is a more detailed statement of what must be done to comply with a policy?

Standard

Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?

Tactical

Which law is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

The Electronic Communications Privacy Act of 1986

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify?

The penalties for violation of the policy

A malware program that hides its true nature and reveals its designed behavior only when activated is called a ____________.

Trojan horse

According to the CGTF, the organization should treat InfoSec as an integral part of the system life cycle. ____________

True

Which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. Copyright Law

Which of the following is NOT a step in the problem-solving process?

Use trial and error in a problem

Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?

Violations of Policy

Which statement defines the differences between a computer virus and a computer worm?

Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.

What do audit logs that track user activity on an information system provide?

accountability

The __________ phase of the SecSDLC, the team studies the documents from earlier and looks at of relevant legal issues that could affect the design of the security solution.

analysis

The most complex part of an investigation is usually __________.

analysis for potential EM

An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________.

attack

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

authentication

A process that defines what the user is permitted to do is known as __________.

authorization

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

back door

A long-term interruption in electrical power availability is known as a ____________.

blackout

Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?

can suffer from poor policy dissemintation, enforcement, and review

A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________.

champion

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a __________.

chief information security officer

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.

data owners

Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.

data users

Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as

data users

According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?

establishing

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.

evidentiary material (EM)

A technique used to compromise a system is known as a(n) __________.

exploit

A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of systems.

false

A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________

false

Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex.

false

Corruption of information can occur only while information is being stored.

false

DoS attacks cannot be launched against routers.

false

Examples of actions that illustrate compliance with policies are known as laws. __________

false

The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.

false

The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________

false

The authorization process takes place before the authentication process.

false

The first step in solving problems is to gather facts and make assumptions.

false

A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. __________

false - sniffer

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.

forensics

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly is known as __________.

governance

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus __________.

hoaxes

The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security.

information

Blackmail threat of informational disclosure is an example of which threat category?

information extortion

Force majeure includes all of the following EXCEPT:

Armed robbery

The C.I.A. triad for computer security includes which of these characteristics?

Availability

Which phase of the SDLC should see clear articulation of goals?

Investigation

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

Issue-specific


Ensembles d'études connexes

IHUM 202 Rimmasch Exam 2: History Section

View Set

Straighterline Econ Midterm Exam

View Set

Human Anatomy & Physiology 2 [Ch. 21: Lymphatic System]

View Set

Understanding Business Chapter 7

View Set