MGMT CSGE Ch 1-6
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
Board risk committee
Which of the following is NOT a step in the problem-solving process?
Build support among management for the candidate solution
The purpose of SETA is to enhance security in all but which of the following ways?
By adding barriers
An ISACA certification targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance is known as the __________
CGEIT
The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral.
CISSP
A model of InfoSec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model.
CNSS
An ISACA certification targeted at IT professionals who are in careers that link IT risk management with enterprise risk management is known as the __________
CRISC
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
Chief information security officer
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
(ISC)2
Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
Confidentiality
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a
Cracker
Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
DCMA
Which type of attack involves sending a large number of connection or information requests to a target?
Denial-of-service (DoS)
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
Deontological ethics
Which of the following organizations offers the Certified CISO (C|CISO) certification?
EC-Council
Which policy is the highest level of policy and is usually created first?
EISP
To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT:
Form a committee and approve suggestions from the CISO
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
Governance
ISO 27014:2013 is the ISO 27000 series standard for ____________.
Governance of information security
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPPA
One form of online vandalism is _____ in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization of government agency.
Hacktivism
Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
Health information technology for economic and clinical health act
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
Hold regular meetings with the CIO to discuss tactical InfoSec planning
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
IP address
Which of the following organizations is best known for its series of certifications targeted to Information Systems Audit, Information Security, Risk Control and IT Governance?
ISACA
In large organizations, the InfoSec department is often located within an _________ division headed by the _________, who reports directly to the _________.
IT, CISO, CIO
Which of the following is the first step in the process of implementing training?
Identify program scope, goals, and objectives
Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security.
11
Smaller organizations tend to spend approximately __________ percent of the total IT budget on security.
20
Larger organizations tend to spend approximately __________ percent of the total IT budget on security.
5
"4-1-9" is one form of an _____ fraud.
Advance fee
Which of the following should be included in an InfoSec governance program?
An infoSec risk management methodology
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.
identifying relevant items of evidentiary value
An understanding of the potential consequences of a successful attack on aninformation asset by a threat is known as __________.
impact
The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security.
information
__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.
information asset value weighted table analysis
Which of the following is a common element of the enterprise information security policy?
information on the structure of the infosec organization
Blackmail threat of informational disclosure is an example of which threat category?
information or trespass
Which of the following is an advantage of the formal class method of training?
interaction with trainer is possible
Which of the following is NOT an origin used to categorize types of law?
international
Digital forensics can be used for two key purposes: ________ or _________.
investigate allegations of digital malfeasance; perform root cause analysis
The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints.
investigation
What is the first phase of the SecSDLC?
investigation
Which phase of the SecSDLC should see support from senior management?
investigation
A well-defined risk appetite should have the following characteristics EXCEPT:
is not limited by stakeholder expectations
According to Wood, which of the following are reasons the InfoSec department should report directly to top management?
it fosters objectivity and the ability to perceive whats truly in the best interest of the organization as a whole
Which of the following is true about a company's InfoSec awareness Web site?
it should be tested with multiple browsers
Once the members of the RM framework team have been identified, the governance group should communicate all of these for the overall RM program EXCEPT:
its personnel structure
Any court can impose its authority over an individual or organization if it can establish which of the following?
jurisdiction
The organization can perform risk determination using certain risk elements, including all but which of the following?
legacy cost of recovery
Which of the following is not a role of managers within the Communities of Interest in controlling risk?
legal management must develop corporate-wise standards
The probability that a specific vulnerability within an organization will beattacked by a threat is known as __________.
likelihood
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
malice
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
manufacturers model or part number
The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics?
market
Communications Security involves the protection of which of the following?
media, technology, and content
Organizations classified as __________ may still be large enough to implement the multi tier approach to security, though perhaps with fewer dedicated groups and more functions assigned to each group.
medium sized
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective. is known as a(n) ____________.
methodlogy
Which of the following explicitly declares the business of the organization and its intended areas of operations?
mission statement
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
operational
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
organization
Which of the following is an example of a technological obsolescence threat?
outdated servers
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________.
penetration tester
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
people
GGG security is commonly used to describe which aspect of security?
physical
Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
planning
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
policy
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
policy administrator
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
policy review and modification
Which of the following is NOT one of the basic rules that must be followed when developing a policy?
policy should be focused on protecting the organization from public embarassment
_________ devices often pose special challenges to investigators since they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.
portable
Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected?
privacy
Which subset of civil law regulates the relationships among individuals and among individuals and organizations?
private
The Risk Management Framework includes all of the following EXCEPT:
process contingency planning
Which of the following attributes does NOT apply to software information assets?
product deminsions
What should you be armed with to adequately assess potential weaknesses in each information asset?
properly classified inventory
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT is true and __________.
properly conceived
IT's focus is the efficient and effective delivery of information and administration of information resources, while InfoSec's primary focus is the __________ of all information assets.
protection
What is the final step in the risk identification process?
ranking assets in order of importance
an attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as _____?
ransomware
What is the SETA program designed to do?
reduce the occurrence of accidental security breaches
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
relative value
The risk to information assets that remains even after current controls have been applied.
residual risk
Which of the following is a disadvantage of the one-on-one training method?
resource intensive, to the point of being inefficient
Which of the following is compensation for a wrong committed by an individual or organization?
restitution
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.
risk appetite
The identification, analysis and evaluation of risk in an organization describes which of the following?
risk assessment
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
risk assessment
The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts
risk management policy
Which of the following is NOT among the typical columns in the risk rating worksheet?
risk threshold
The assessment of the amount of risk an organization is willing to accept for a particular information asset.
risk tolerance
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.
search warrant
A SETA program consists of three elements: security education, security training, and which of the following?
security awareness
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
security manager
Qualified individuals who are tasked with configuring security technologies and operating other technical control systems are known as a(n) ____________.
security technician
Which of the following would most likely be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
security technician
Data classification schemes should categorize information assets based on which of the following?
sensitivity and security needs
Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team?
specifying who will supervise and perform the RM process
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization in this case, the information assets used in a particular organization is known as a(n) _________.
stakeholder
Which type of document is a more detailed statement of what must be done to comply with a policy?
standard
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
strategic
When creating a __________, each level of each division translates those goals into more specific goals for the level below it.
strategic plan
A clearly directed __________ flows from top to bottom, and a systematic approach is required to translate it into a program that can inform andlead all members of the organization.
strategy
The first priority of the CISO and the InfoSec management team should be the __________.
structure of a strategic plan
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
systems testing
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
tactical
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
team leader
Human error or failure can often be prevented with training and awareness programs, policy and _____.
technical controls
In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT:
the corporate change control officer
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
the electronic communications privacy act of 1986
An example of a stakeholder of a company includes all of the following EXCEPT:
the general public
Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:
the organizations governance structure
Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:
the threat environment-- threats, known vulnerabilities, attack vectors
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.
the type of crime committed
Which of the 12 Categories of Threats best describes a situation where the adversary removes data from a victim's computer?
theft
Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
they have large information security needs than a small orgnization
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________.
threat
The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.
threat severity weighted table analysis
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
threats-vulnerabilities-assets worksheet
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
uncertainty
The state of having limited or imperfect knowledge of a situation, making itless likely that organizations can successfully anticipate future events or outcomes is known as __________.
uncertainty
Which of the following is an advantage of the user support group form of training?
usually conducted in an informal social setting
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?
violations of policy
What is defined as specific avenues that threat agents can exploit to attack an information asset?
vulnerabilities
In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?
waterfall
Which of the following is NOT an aspect of access regulated by ACLs?
where the system is located
Three options for placing the CISO (and his or her security group) in the organization (as noted by Kosutic), are generally driven by organizational size and include all of the following EXCEPT:
within a division/department with a conflict of interest
This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.
InfraGard
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
Which of the following is a C.I.A. characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state?
Integrity
Which of the following is an attribute of a network device is built into the network interface?
MAC address
In the _____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the networks.
Man in the middle
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
Managerial controls
Another key U.S. federal agency is _________ which is responsible for coordinating, directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information.
National Security Agency
The protection of voice and data components, connection, and content is known as _____security.
Network.
Which of the following variables is the most influential in determining how to structure an information security program?
Organizational culture
Which of the following is NOT a primary function of Information Security Management?
Performance
Which of the follow is the principal of management that develops, creates, and implements strategies for the accomplishment of objectives?
Planning
Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts.
RM framework
Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets.
RM process
The hash values for a wide variety of passwords can be stored in a database known as a(n) __________ which can be indexed and quickly searched using the hash value allowing the corresponding plaintext password to be determined
Rainbow table
Which of the following is NOT an approach to password cracking?
Ransomware (approaches are brute force, dictionary attacks, social engineering attacks)
__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty
Risk ranking worksheet
Which of the following organizations is best known for its series of technical InfoSec certifications through an entity known as Global Information Assurance Certification (GIAC)?
SANS institute
Technology services are usually arranges with an agreement defining minimum service levels known as a
SLA
Which of the following is the first step in the problem-solving process?
Select, implement and evaluate a solution
Which of the following is an information security governance responsibility of the Chief Information Security Officer?
Set security policy, procedures, programs and training
The unauthorized duplication, installations, or distribution of copyrighted computer software, which is a violation of intellectual property called _____.
Software piracy
Which of the following is true about planning?
Strategic plans are used to create tactical plans.
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
The computer security act
Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function?
There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information
The basic outcomes of InfoSec governance should include all but which of the following?
Time management by aligning resources with personnel schedules and organizational objectives
_____ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan horses
Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. copyright law
A potential weakness in an asset or its defensive control system(s) is known as a _____?
Vulnerability
__________ is a simple project management planning tool.
WBS
Which statement defines the differences between a computer virus and a computer worm?
Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer it replicates
A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as a(n) __________
a security analyist
This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator and is known as a(n) __________
a security manager
What do audit logs that track user activity on an information system provide?
accountability
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.
affidavit
Which if the following is NOT a part of an information security program.
all of these are part of an information security program technologies, activities and personnel used by an organization to manager the risks to its information assets
For an organization to manage its InfoSec risk properly, managers should understand how information is __________.
all of these: collected, processes, transmitted
A gathering of key reference materials is performed during which phase of the SecSDLC?
analysis
A risk assessment is performed during which phase of the SecSDLC?
analysis
In which phase of the SecSDLC does the risk management task occur?
analysis
The __________ phase of the SecSDLC, the team studies the documents from earlier and looks at of relevant legal issues that could affect the design of the security solution.
analysis
The most complex part of an investigation is usually __________.
analysis for potential evidentiary material
Force majeure includes all of these EXCEPT:
armed robbery
Which of the following activities is part of the risk identification process?
assigning a value to each information asset
An (ISC)2 program geared toward individuals who want to take any of its certification exams before obtaining the requisite experience for certification is the __________.
associate of (ISC)2
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________.
attack
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
authentication
A process that defines what the user is permitted to do is known as __________?
authorization
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
back door
A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. This commonly known as a __________ law.
breach
A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs.
business mission
Which of the following activities is part of the risk evaluation process?
calculating the severity of risks to which assets are exposed in their current setting
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
centralized authentication
A high-level executive, such as a CIO or VP-IT, who will provide political support and influence for a specific project is known as a(n) _________.
champion
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
champion
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
common good
Classification categories must be mutually exclusive and which of the following?
comprehensive
According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy?
confidentiality
Which of the following are instructional codes that guide the execution of the system when information is passing through it?
configuration rules
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________.
convergence
Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.
create a subjective ranking based on anticipated recovery costs
Which of the following is an advantage of the one-on-one method of training?
customized to the needs of the trainee
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
data owners
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
data users
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
descriptive ethics
The __________ phase of the SecSDLC, has team members create and develop the blueprint for security and develop critical contingency plans for incident response.
design
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
deterrence
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis is known as _________.
digital forensics
A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
distributed denial-of-service
A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.
e-discovery
With policy, the most common distribution methods are hard copy and __________.
electronic
Which of the following is the most cost-effective method for disseminating security information and news to employees?
emailed security newsletter
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
establishing
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.
evidentiary material
A technique used to compromise a system.is known as a(n) _____.
exploit
Which of the following is not among the 'deadly sins of software security'?
extortion sins
A short-term interruption in electrical power availability is known as a _____.
fault
Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity?
fear of humiliation
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
for political advantage
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.
forensics
Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?
frequency of review
There are a number of methods for customizing training for users; two of the most common involve customizing by __________ and by __________.
functional background, skill level
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly is known as __________.
governance
The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective and stands for __________, __________, and __________.
governance, risk management, compliance
Which of the following is NOT a step in the process of implementing training?
hire expert consultants
__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them.
Industrial espionage