midterm written questions


41. _________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.

Physical

50. ____________________ is unsolicited commercial e-mail.

Spam

56. Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.

SysSP

43. The goal of a security ____________________ program is to keep information security at the forefront of users' minds on a daily basis.

awareness

43. Attempting to reverse-calculate a password is called ____________________.

cracking

49. addresses violations harmful to society and is actively enforced and prosecuted by the state

criminal law

37. Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

likelihood probability

42. The ______________________ phase is the last phase of SecSDLC, but perhaps the most important.

maintenance and change

40. A(n) ____________________ is a specific point in the project plan when a task that has a noticeable impact on the plan's progress is complete.

milestone

36. The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________.

mitigation mitigate

48. the study of what makes actions right or wrong, also known as moral theory

normative ethics

43. In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.

penetration

42. The set of organizational guidelines that dictates certain behavior within the organization is called ____________________.

policy

36. The champion and manager of the information security policy is called the ____________________.

policy administrator

57. The recognition, enumeration, and documentation of risks to an organization's information assets.

risk identification

41. The project planner should describe the skills or personnel needed for a task, often referred to as a(n) ____________________, needed to accomplish a task.

resource

53. The quantity and nature of risk that organizations are willing to accept.

risk appetite

or systems.

assessment

54. A process of assigning financial value or worth to each information asset.

asset valuation

64. The expansion of the quantity or quality of project deliverables from the original project plan.

scope creep

58. Entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology.

security watchstander

58. The calculated value associated with the most likely loss from a single attack.

single loss expectancy

48. A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.

standard

53. A clear declaration that outlines the scope and applicability of a policy.

statement of purpose

54. A section of policy that should specify users' and systems administrators' responsibilities.

systems management

28. ___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.

tort law

37. The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

transference transfer

49. A(n) ____________________ is a potential weakness in an asset or its defensive control(s).

vulnerability

50. An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

ISSP

51. The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts

InfoSec policy

31. Information ____________ occurs when pieces of non-private data are combined to create information that violates privacy.

aggregation

32. The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place is known as ___________.

deterrence

50. defines socially acceptable behaviors

ethics

41. The three levels of planning are strategic planning, tactical planning, and ____________________ planning.

operational

56. An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.

organizational feasibility

46. A(n) ____________________ hacks the public telephone network to make free calls or disrupt services.

phreaker

45. Duplication of software-based intellectual property is more commonly known as software ____________________.

piracy

32. The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the ____________________ security policy.

system-specific system specific

42. The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.

technology product

60. A risk control strategy that eliminates all risk associated with an information asset by removing it from service.

termination risk control strategy

58. An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.

threat assessment

34. ____________________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.

Access control lists ACLs

62. Typically considered the top information security officer in an organization.

CISO

44. focuses on enhancing the security of the critical infrastructure in the United States

CyberSecurity Act

46. a collection of statutes that regulates the interception of wire, electronic, and oral communications

Electronic Communications Privacy Act

31. In the bull's-eye model, the ____________________ layer is the place where threats from public networks meet the organization's networking infrastructure.

Networks

52. A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.

acceptance risk control strategy

52. Specifications of authorization that govern the rights and privileges of users to a particular information asset.

access control lists

51. A virus or worm can have a payload that installs a(n) ____________________ door or trap door component in a system, which allows the attacker to access the system at will with special privileges.

back

53. A ____________ overflow is an application error that occurs when the system can't handle the amount of data that is sent.

buffer

36. A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions.

builders

55. Specifies which subjects and objects that users or groups can access.

capability table

60. Labels that must be comprehensive and mutually exclusive.

classification

38. Classification categories must be ____________________ and mutually exclusive.

comprehensive

37. The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.

consultant

61. A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.

critical path method

29. Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.

cultural mores

53. A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.

defense risk control strategy

44. ESD is the acronym for ____________________ discharge.

electrostatic

35. A(n) ____________________, which is usually presented on a screen to the user during software installation, spells out fair and responsible use of the software being installed.

end-user license agreement end user license agreement EULA

33. The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.

ethics

48. Some information gathering techniques are quite legal, for example, using a Web browser to perform market research. These legal techniques are called, collectively, competitive ____________________.

intelligence

47. Step-by-step instructions designed to assist employees in following policies, standards and guidelines.

procedures

57. Occurs when a project manager spends more time working in the project management software than accomplishing meaningful project work.

projectitis

54. Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.

ranked vulnerability worksheet

49. When issues are addressed by moving from the general to the specific, always starting with policy.

Bull's eye model

43. one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Computer Security Act CSA

44. ____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.

Projectitis

47. regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments

Public Law

60. A program designed to improve the security of information assets by providing targeted information, skills, and guidance for organizational employees.

SETA

33. The responsibilities of both the users and the systems administrators with regard to specific systems administration duties should be specified in the ____________________ section of the ISSP.

Systems Management

39. The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.

appetite

45. an approach that applies moral codes to actions drawn from realistic situations

applied ethics

34. An organization's information security program refers to the entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to the information _______ of the organization.

assets

52. A(n) ____________________ is an act against an asset that could result in a loss.

attack

59. The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.

cost avoidance

51. The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.

cost benefit analysis

40. The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.

event-driven

40. When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.

exploited

40. As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

factor analysis

51. Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.

field change order

30. An organization increases its _____________ if it refuses to take measures—due care—to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions.

liability

36. Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

management

57. A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.

mitigation risk control strategy

59. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.

qualitative assessment

39. As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

relative

56. Remains even after current control has been applied.

residual risk

55. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy.

risk analysis

55. The quantity and nature of risk that organizations are willing to accept.

risk appetite

52. The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

risk management

47. A momentary low voltage is called a(n) ____________________.

sag

39. Project ____________________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan.

scope

38. To keep up with the competition organizations must design and create a ____________ environment in which business processes and procedures can function and evolve effectively.

secure

38. The ____________________ program is designed to reduce the occurrence of accidental security breaches by members of the organization.

security education, training, and awareness SETA

55. In larger organizations, responsible for some aspect of information security; in smaller organizations, this title may be assigned to the only or senior security administrator.

security manager
