Mgt. of Information Security - FINAL

In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT: - the governance group - the corporate change control officer - the RM framework team - the RM process team during implementation

- the corporate change control officer

To maintain optimal performance, one typical recommendation suggests that when the memory usage associated with a particular CPU-based system averages __________% or more over prolonged periods, you should consider adding more memory. - 40 - 60 - 10 - 100

60

A primary mailing list for new vulnerabilities, called simply __________, provides time-sensitive coverage of emerging vulnerabilities, documenting how they are exploited and reporting on how to remediate them. Individuals can register for the flagship mailing list or any one of the entire family of its mailing lists. - Bugs - Bugfix - Buglist - Bugtraq

Bugtraq

The Information Security __________ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization. - Governance Framework - Security Blueprint - Risk Model - Compliance Architecture

Governance Framework

The COSO framework is built on five interrelated components. Which of the following is NOT one of them? - control environment - risk assessment - control activities - InfoSec governance

InfoSec governance

Which of the following is true about a hot site? - It is an empty room with standard heating, air conditioning, and electrical service. - It includes computing equipment and peripherals with servers but not client workstations. - It duplicates computing resources, peripherals, phone systems, applications, and workstations. - All communications services must be installed after the site is occupied.

It duplicates computing resources, peripherals, phone systems, applications, and workstations.

When the ISO 27002 standard was first proposed, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them? - It was not as complete as other frameworks. - The standard lacked the measurement precision associated with a technical standard. - The standard was hurriedly prepared. - It was feared it would lead to government intrusion into business matters.

It was feared it would lead to government intrusion into business matters.

__________ is used to respond to network change requests and network architectural design proposals. - Network connectivity RA - Dialed modem RA - Application RA - Vulnerability RA

Network connectivity RA

The __________ commercial site focuses on current security tool resources. - Nmap-hackerz - Packet Storm - Security Laser - Snort-SIGs

Packet Storm

__________, a level beyond vulnerability testing, is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker). - Penetration simulation - Attack testing - Penetration testing - Attack simulation

Penetration testing

__________ allows for major security control components to be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate. - System review - Project review - Program review - Application review

Program review

If a temporary worker (temp) violates a policy or causes a problem, what is the strongest action that the host organization can usually take, depending on the SLA? - Nothing, the organization has no control over temps. - Terminate the relationship with the individual and request that he or she be censured. - Fine the temp or force the temp to take unpaid leave, like permanent employees. - Sue the temp agency for cause, demanding reparations for the actions of the temp.

Terminate the relationship with the individual and request that he or she be censured.

Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT: - The organization's governance structure - The organization's culture - The maturity of the organization's information security program - The threat environment—threats, known vulnerabilities, attack vectors

The threat environment—threats, known vulnerabilities, attack vectors

Which of the following is NOT one of the methods noted for selecting the best risk management model? - Use the methodology most similar to what is currently in use. - Study known approaches and adapt one to the specifics of the organization. - Hire a consulting firm to provide a proprietary model. - Hire a consulting firm to develop a proprietary model.

Use the methodology most similar to what is currently in use.

Which of the following is NOT a question a CISO should be prepared to answer before beginning the process of designing, collecting, and using performance measurements, according to Kovacich? - Why should these measurements be collected? - Where will these measurements be collected? - What effect will measurement collection have on efficiency? - Who will collect these measurements?

What effect will measurement collection have on efficiency?

All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT: - When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. - When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. - When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls. - When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.

__________ penetration testing is usually used when a specific system or network segment is suspect and the organization wants the pen tester to focus on a particular aspect of the target. - Black box - White box - Green box - Grey box

White box

Treating risk begins with which of the following? - applying controls and safeguards that eliminate risk - an understanding of risk treatment strategies - understanding the consequences of choosing to ignore certain risks - rethinking how services are offered

an understanding of risk treatment strategies

Which of the following is not a step in the FAIR risk management framework? - identify scenario components - evaluate loss event frequency - assess control impact - derive and articulate risk

assess control impact

The process of assigning financial value or worth to each information asset is known as __________. - probability estimate - cost estimation - risk acceptance premium - asset valuation

asset valuation

Which of the following activities is part of the risk identification process? - determining the likelihood that vulnerable systems will be attacked by specific threats - calculating the severity of risks to which assets are exposed in their current setting - assigning a value to each information asset - documenting and reporting the findings of risk analysis

assigning a value to each information asset

When hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level? - new hire orientation - covert surveillance - organizational tour - background check

background check

To evaluate the performance of a security system, administrators must establish system performance __________. - profiles - baselines - maxima - means

baselines

Which of the following activities is part of the risk evaluation process? - creating an inventory of information assets - classifying and organizing information assets into meaningful groups - assigning a value to each information asset - calculating the severity of risks to which assets are exposed in their current setting

calculating the severity of risks to which assets are exposed in their current setting

An ATM that limits what kinds of transactions a user can perform is an example of which type of access control? - content-dependent - constrained user interface - temporal isolation - nondiscretionary

constrained user interface

The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster are known as __________. - risk management - contingency planning - business impact - disaster readiness

contingency planning

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________. - probability estimate - cost avoidance - risk assessment premium - asset valuation

cost avoidance

What is the result of subtracting the postcontrol annualized loss expectancy and the annualized cost of the safeguard from the precontrol annualized loss expectancy? - cost-benefit analysis - exposure factor - single loss expectancy - annualized rate of occurrence

cost-benefit analysis

Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________. - create a subjective ranking based on anticipated recovery costs - estimate cost from past experience - leave the value empty until later in the process - leave the value empty until later in the process

create a subjective ranking based on anticipated recovery costs

Application of training and education among other approach elements is a common method of which risk treatment strategy? - mitigation - defense - acceptance - transferral

defense

The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? - determined the level of risk posed to the information asset - performed a thorough cost-benefit analysis - determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset - assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability

determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset

Which control category discourages an incipient incident—e.g., video monitoring? - preventative - deterrent - remitting - compensating

deterrent

One approach that can improve the situational awareness of the information security function is to use a process known as __________ to quickly identify changes to the internal environment. - baselining - difference analysis - differentials - revision

difference analysis

Strategies to reestablish operations at the primary site after an adverse event threatens continuity of business operations are covered by which of the following plans in the mitigation control approach? - incident response plan - business continuity plan - disaster recovery plan - damage control plan

disaster recovery plan

What do you call the legal requirements that an organization must adopt a standard based on what a prudent organization should do, and then maintain that standard? - certification and accreditation - best practices - due care and due diligence - baselining and benchmarking

due care and due diligence

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________. - rubbish surfing - social engineering - dumpster diving - trash trolling

dumpster diving

One of the fundamental challenges in InfoSec performance measurement is defining what? - interested stakeholders - effective security - appropriate performance measures - the proper assessment schedule

effective security

The Microsoft Risk Management Approach includes four phases; which of the following is NOT one of them? - conducting decision support - implementing controls - evaluating alternative strategies - measuring program effectiveness

evaluating alternative strategies

Each of the following is a recommendation from the FDIC when creating a successful SLA EXCEPT: - determining objectives - forecasting costs - defining requirements - setting measurements

forecasting costs

Which of the following is NOT a task that must be performed if an employee is terminated? - former employee must return all media - former employee's home computer must be audited - former employee's office computer must be secured - former employee should be escorted from the premises

former employee's home computer must be audited

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________. - blueprint - security plan - security standard - framework

framework

Which of the following is a generic model for a security program? - framework - methodology - security standard - blueprint

framework

Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs. - governance - policy - auditing - awareness

governance

Which of the following is NOT a factor critical to the success of an information security performance program? - strong upper-level management support - high level of employee buy-in - quantifiable performance measurements - results-oriented measurement analysis

high level of employee buy-in

The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them? - development and selection of qualified personnel to gauge the implementation, effectiveness, efficiency, and impact of the security controls - identification and definition of the current InfoSec program - maintenance of the vulnerability management program - comparison of organizational practices against similar organizations

identification and definition of the current InfoSec program

Which of the following is a part of the incident recovery process? - identifying the vulnerabilities that allowed the incident to occur and spread - determining the event's impact on normal business operations and, if necessary, making a disaster declaration - supporting personnel and their loved ones during the crisis - keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise

identifying the vulnerabilities that allowed the incident to occur and spread

The benefits of ISO certification to organizations include all of the following EXCEPT: - increased opportunities for government contracts - reduced costs associated with incidents - smoother operations resulting from more clearly defined processes and responsibilities - improved public image of the organization, as certification implies increased trustworthiness

increased opportunities for government contracts

The __________ Web site is home to the leading free network exploration tool, Nmap. - Snort-sigs - Packet Storm - Security Focus - insecure.org

insecure.org

Detailed __________ on the highest risk warnings can include identifying which vendor updates apply to which vulnerabilities as well as which types of defenses have been found to work against the specific vulnerabilities reported. - escalation - intelligence - monitoring - elimination

intelligence

Which of the following is a responsibility of the crisis management team? - restoring the data from backups - evaluating monitoring capabilities - keeping the public informed about the event and the actions being taken - restoring the services and processes in use

keeping the public informed about the event and the actions being taken

The organization can perform risk determination using certain risk elements, including all but which of the following? - legacy cost of recovery - impact (consequence) - likelihood of threat event (attack) - element of uncertainty

legacy cost of recovery

Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence? - baselining - legal liability - competitive disadvantage - certification revocation

legal liability

Which of the following is not a role of managers within the communities of interest in controlling risk? - general management must structure the IT and InfoSec functions - IT management must serve the IT needs of the broader organization - legal management must develop corporate-wide standards - InfoSec management must lead the way with skill, professionalism, and flexibility

legal management must develop corporate-wide standards

The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________. - managing the development and operation of IT infrastructures - operation of IT control systems to improve security - managing the security infrastructure - developing secure Web applications

managing the development and operation of IT infrastructures

The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption, including all impact considerations, is known as __________. - maximum tolerable downtime (MTD) - recovery point objective (RPO) - work recovery time (WRT) - recovery time objective (RTO)

maximum tolerable downtime (MTD)

Which of the following is NOT a category of access control? - preventative - mitigating - deterrent - compensating

mitigating

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk? - analysis and adjustment - review and reapplication - monitoring and measurement - evaluation and funding

monitoring and measurement

Which access control principle limits a user's access to the specific information required to perform the currently assigned task? - need-to-know - eyes only - least privilege - separation of duties

need-to-know

Which of the following determines how well the proposed InfoSec treatment alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization? - organizational feasibility - political feasibility - technical feasibility - behavioral feasibility

organizational feasibility

The Hartford insurance company estimates that, on average, __________ businesses that don't have a disaster plan go out of business after a major loss like a fire, a break-in, or a storm. - over 40% of - at least 60% of - about 20% of - 2% of

over 40% of

Control __________ baselines are established for network traffic and for firewall performance and IDPS performance. - system - application - performance - environment

performance

Employees pay close attention to job __________, and including InfoSec tasks in them will motivate employees to take more care when performing these tasks. - performance evaluations - descriptions - quarterly reports - vacation requests

performance evaluations

Contingency planning is primarily focused on developing __________. - policies for normal operation - plans for normal operations - policies for breach notifications - plans for unexpected adverse events

plans for unexpected adverse events

Which of the following is an organizational CP philosophy for overall approach to contingency planning reactions? - protect and forget - pre-action review - transfer to local/state/federal law enforcement - track, hack and prosecute

protect and forget

What is the final step in the risk identification process? - assessing values for information assets - classifying and categorizing assets - identifying and inventorying assets - ranking assets in order of importance

ranking assets in order of importance

Which of the following refers to the backup of data to an off-site facility in close to real time based on transactions as they occur? - remote journaling - electronic vaulting - database shadowing - timesharing

remote journaling

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? - residual risk - risk appetite - risk assurance - risk termination

risk appetite

The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts. - enterprise information security policy - risk control implementation policy - risk management board directive - risk management policy

risk management policy

__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty. - information asset value weighted table analysis - risk ranking worksheet - threat severity weighted table analysis - TVA controls worksheet

risk ranking worksheet

Which of the following is NOT a consideration when selecting recommended best practices? - threat environment is similar - resource expenditures are practical - organization structure is similar - same certification and accreditation agency or standard

same certification and accreditation agency or standard

A step commonly used for Internet vulnerability assessment includes __________, which occurs when the penetration test engine is unleashed at the scheduled time using the planned target list and test selection. - targeting - scanning - delegation - subrogation

scanning

Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle? - discretionary access controls - task-based access controls - security clearances - sensitivity levels

security clearances

What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them? - need to know - eyes only - least privilege - separation of duties

separation of duties

In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred? - desk check - simulation - structured walk-through - parallel testing

simulation

Which of the following is NOT among the three types of authentication mechanisms? - something a person knows - something a person has - something a person says - something a person can produce

something a person says

Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team? - ensuring compliance with all legal and regulatory statutes and mandates - guiding the development of, and formally approving, the RM policy - recommending performance measures for the RM effort and ensuring that they are compatible with other performance measures in the organization - specifying who will supervise and perform the RM process

specifying who will supervise and perform the RM process

The steps in IR are designed to: - stop the incident, mitigate incident effects, provide information for recovery from the incident - control legal exposure, avoid unfavorable media attention, and minimize impact on stock prices - delay the incident progress, backtrack the attack to its source IP, and apprehend the intruder - stop the incident, inventory affected systems, and determine appropriate losses for insurance settlement

stop the incident, mitigate incident effects, provide information for recovery from the incident

A time-release safe is an example of which type of access control? - content-dependent - constrained user interface - temporal isolation - nondiscretionary

temporal isolation

Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT: - the organization's governance structure - the legal/regulatory/compliance environment—laws, regulations, industry standards - the business environment—customers, suppliers, competitors - the threat environment—threats, known vulnerabilities, attack vectors

the organization's governance structure

NIST recommends the documentation of performance measurements in a standardized format to ensure ____________. - the suitability of performance measure selection - the effectiveness of performance measure corporate reporting - the repeatability of measurement development, customization, collection, and reporting activities - the acceptability of the performance measurement program by upper management

the repeatability of measurement development, customization, collection, and reporting activities

Which of the following is NOT a major component of contingency planning? - disaster recovery - business continuity - incident response - threat assessment

threat assessment

The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization. - information asset value weighted table analysis - risk ranking worksheet - threat severity weighted table analysis - TVA controls worksheet

threat severity weighted table analysis

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? - risk exposure report - threats-vulnerabilities-assets worksheet - costs-risks-prevention database - threat assessment catalog

threats-vulnerabilities-assets worksheet

A process called __________ examines the traffic that flows through a system and its associated devices to identify the most frequently used devices. - difference analysis - traffic analysis - schema analysis - data flow assessment

traffic analysis

Which of the following policies requires that two individuals review and approve each other's work before the task is considered complete? - task rotation - two person control - separation of duties - job rotation

two person control

The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________. - impact - likelihood - uncertainty - tolerance

uncertainty

Which of the following is a "possible" indicator of an actual incident, according to Donald Pipkin? - activities at unexpected times - unusual consumption of computing resources - presence of hacker tools - reported attacks

unusual consumption of computing resources

Which of the following is a definite indicator of an actual incident, according to Donald Pipkin? - unusual system crashes - reported attack - presence of new accounts - use of dormant accounts

use of dormant accounts

A useful tool for resolving the issue of what business function is the most critical, based on criteria selected by the organization, is the __________. - weighted table analysis or weighted factor analysis - threats-vulnerability-assets worksheet or TVA - business impact assessment or BIA - critical patch method assessment or CPMA

weighted table analysis or weighted factor analysis

The __________ vulnerability assessment is designed to find and document vulnerabilities that may be present in the organization's wireless local area networks. - phone-in - wireless - battle-dialling - network

wireless

