MIS 515
As organizations grow in size, they become more efficient with information security and its governance
False
Backup technology and the media used to store backups is reliable enough that periodic testing of backups is really unnecessary
False
Both public and private companies are responsible for Sarbanes-Oxley compliance.
False
Business Disruption is actually viewed as a higher external consequence cost of cybercrime than information loss.
False
By industry, the retail sector currently suffers the highest cost per data breach record.
False
Carpets are a nice addition to equipment rooms because they lower the noise levels.
False
Cloud sourcing and Crowdsourcing are the same thing.
False
Cloud sourcing is a term that applies solely to public cloud providers
False
Cloud sourcing is not good for quick deployment of resources
False
Confidentiality, integrity and availability apply only to the storage and transmission of data
False
Containment of a cybercrime incident is seen as the most costly activity for an organization
False
Corporate governance is only concerned with internal issues of the corporation
False
Corporate technology operations do not have supply chains
False
Corporations and government agencies are required to comply with FISMA requirements
False
Countries that invest in infrastructure and IT are more likely to be candidates for insourcing
False
IT governance is more about making and implementing decisions than who makes the decisions
False
If IT at higher education institutions is centralized, the number of necessary governance groups would drop significantly
False
In the European Union, when the European Council issues a Decision, it is considered directly applicable and "binding" to all Member States
False
Increased C-level support is considered the highest driving factor for improving information security posture.
False
Information Assurance is not concerned with provisions for restoration of information systems only the protection of them.
False
Information Security is rarely at odds with Information Technology within a corporation and is the primary reason why it is often positioned under Information Technology
False
It is estimated that only 25% of the U.S. critical infrastructure is covered by the private sector.
False
It is not important that front-line help desk employees have security awareness. They can always route the call to one who does.
False
It is not possible to taint computer hardware technology
False
Large organizations tend to spend more, per capita, on security than smaller organizations
False
MLS provides for storing and processing of information with a single level of sensitivity
False
Mandatory Access Control gives users the flexibility to create policy and assign security attributes.
False
Most organizations are not required by law to take special precautions with personnel or customer information
False
Most organizations outsource their Information Security
False
Newly purchased systems must be sanitized before configuring and deploying.
False
Non-repudiation's goal is to provide disputable evidence that the source and the target of a process, transaction, or communication are validated and verified.
False
Most corporations allocate Information Security budgets as:
% of IT Budget
The inability to hire and retain expert staff is a significant problem in the area of Cybersecurity
True
The main difference between laws and ethics is that ethics does not carry the sanction of a governing authority
True
The majority of physical supply chain threats incidents have internal company connections
True
Two benefits of improved information security governance are increased strategic alignment with organizational goals and improved risk management
True
Vibration based sensors are not good on fences because they create many false positives.
True
The majority of data breaches are caused by outsiders or third parties.
True
Which of the following would not be considered an administrative function of operational security?
Upgrading the firmware of a network switch
Discretionary Access Control is managed centrally by a security policy administrator and users do not have the ability to override security settings.
False
Operational security staff generally never concern themselves with malfunctioning HVAC, lighting or cipher locks. These are viewed as facilities issues.
False
Outsource arrangements should produce a net benefit for the organization, but it is not possible to select one whose capabilities complement the organization's capabilities
False
Public Law regulates the relationship among individuals and among individuals and organizations and encompasses family law, commercial law, and labor law.
False
Recovery, Containment and Business Disruptions are representative of internal cost activities of an organization following a breach.
False
SSAE stands for Safeguarding Supply chains for Attestation Engagements
False
Scheduled and unscheduled downtime are not considered potential problems with availability from an information assurance perspective.
False
Security CPR refers to an emphasis on common algorithms, proactivity, and reactive perimeter controls
False
Security metrics and future planning are minimally affected by poor operations security
False
Social networking forums, like Facebook, do not represent problems for organizations so long as the employee does not engage in their usage while at work.
False
Sourcing is an old business concept of using temp agencies and is rarely done today
False
Space under raised floors can and should be used for power, data, cables, and important or applicable storage or magnetic tapes.
False
System and media declassification and downgrading is not an issue since there is little-to-no chance that someone might extract sensitive information from an old system or drive.
False
The Biba access control model defines protection focused on confidentiality of information, whereas the Bell-LaPadula access control model defines protection of information integrity.
False
The USA Patriot Act stands for the United States of America Protection Against Terrorist, Retaliation, Interception and Obstruction of Technology.
False
The concept of "least privilege" is only applied to new employees
False
The cyber attack known as Titan Rain was carried out in 2007 when Russia used cyber technology to cripple elements of Estonia's technology infrastructure
False
The definition of "personal information" is much more narrow in the European Union than it is in the United States.
False
The main feature of Advanced Persistent Threats (or APT) is the constant denial of service attacks they incur.
False
The most alarming trend in SCADA systems is the continued use of older control and collection systems based on DOS, VMS and UNIX.
False
Today's backup media is robust and does not require special environmental controls.
False
Under the EU "Cookie Law" providers are NOT generally required to secure viewers' consent prior to forming and storing an internet browser cookie.
False
Unethical behavior is best handled solely through deterrence consisting of education and policies without direct consequences.
False
Unethical behavior is best handled through deterrence consisting of education and policies.
False
If an employee, acting with or without authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable.
True
In the European Union, when the European Council issues a Regulation, it is considered directly applicable and "binding" to all Member States.
True
Information Assurance attempts to infuse greater accountability, training and awareness into information security practices.
True
Information Security budgets are often-times a percentage of the Information Technology budget.
True
Insourcing is generally considered the opposite of outsourcing
True
Integration of 3rd parties into internal networks and applications is seen as a growing organizational risk.
True
It is advisable to systematically start up a series of servers so as to avoid a high surge of current known as an in-rush current
True
Job rotation is a tool that requires every employee to be able to perform the work of at least one other employee
True
Low humidity in an area with electronic devices can cause static electricity which could damage components if discharged. Excessive humidity could cause corrosion.
True
Malicious code insertion into a software or firmware product is an example of tainting.
True
Many companies are still untrusting with the security of cloud service providers.
True
On a per record basis, indirect costs of a data breach incident are greater than direct costs.
True
Operational Security is focused more on the daily security tasks rather than actual evaluation of security metrics or security planning activities.
True
Owning a data center in a foreign land is an example of offshoring
True
PDD-63 was the first presidential directive to recognize critical infrastructure as both physical and cyber-based
True
Positive air flow pressurization keeps the air flowing outward from an area when doors are opened, so that unwanted air does not flow back into the area.
True
Power flow can be disrupted by electromagnetic and radio frequency emissions.
True
Private clouds can be hosted on premise or off premise.
True
Residual risk is the potential risk (or loss) that remains after threats and vulnerabilities are matched with controls to reduce risk.
True
Security awareness and security related issues should be reflected as a component of an employee's performance appraisal to raise their awareness and reflect the seriousness of security issues.
True
Security is all about the management and control of risk.
True
Separation of duties was an important part of early castle layered defense mechanisms.
True
Site accessibility is important with regards to the ability and expectations of assistance from law enforcement, ambulances, or fire truck response times.
True
Software can contain undocumented back door access.
True
Supply chains encompass the processes necessary to get a good or service from the supplier to the customer.
True
The Common Criteria is a framework by which users can specify security requirements and have vendors implement the requirements. The validation of a vendor meeting these requirements is derived after extensive testing and, if successful, certification.
True
The EU Data Retention legislation (Directive 2006/24/EC) is intended to help provide law enforcement and authorized investigative institutions with access to internet service provider logs and records.
True
The EU E-Privacy Directive 2002/58/EC deals only with public communication service providers.
True
Excessive humidity in an area with electronic devices can cause static electricity which could damage components if discharged.
False
Executive Order 13636 is primarily concerned with the creation of a situational awareness capability for only the cyber aspects of critical infrastructure.
False
What is a mantrap?
A double-door facility used for physical access control
Which of the following are valid reasons for an information security professional to possess a rudimentary grasp on IS related laws?
All of the above (1. More effectively plan organizational security, 2. Help mitigate an organization's legal risks, 3. Assist in planning awareness training, 4. Help the organization avoid embarrassing security situations)
The Department of Homeland Security C3 program focuses on which of the following areas of critical infrastructure participants?
All of the above (Convergence, Connection, Coordination)
Which of the following presents constant challenges to the success of operational security?
All of the above (High level Support, Documented Procedures, Size of Security Staff, Degree of staff overlap)
Organizations must deal efficiently with which of the following Information Assurance issues?
All of the above (IT and Security Governance, Disaster recovery, Compliance, Business Continuity)
Which of the following is not an item of importance for IS governance?
All of the above (Reduce liability, policy compliance, Optimize security resources, safeguard information)
Which of the following is NOT a step of the Department of Defense Information Assurance certification and Accreditation Process?
All of the above are steps of DIACAP: Security Process Initialization, Security certification, Security Accreditation, Monitoring
Which of the following is an example of the manifestation of the espionage threat in supply chains?
All of the above: (Alteration of software to allow unauthorized control, The use of intellectual property for monetary gain, The unauthorized duplication of a finished good)
Which of the following would be a surrounding area influence in site selection?
All of the above: (Crime rate, Proximity to medical or hospital facilities, Riots or terrorism, Potentially hazardous neighboring facilities)
Which of the following is not an element of concern for desktop configuration management?
All of the above: (Disk drive sanitization before redeployment, End user machine backup before sanitization, Ensuring the machine is installed with the correct software, Limiting administrative privileges)
Which of the following would not represent an event type that would indicate an incident is occurring?
All of the above: (Loss of integrity, Loss of availability, Loss of confidentiality, Violation of Law)
Which of the following is an important question to ask regarding infrastructure backups?
All of the above: (Where are the backups stored?, Who has access to the backups?, Who is responsible for the backups?, Are the backups procedures and schedules well documented?)
An equipment fan becomes clogged with dust and lint. Although the room is cool, the machine overheats internally and fails. What information assurance pillar is involved in the failure?
Availability
Which of the following information security characteristics MOST applies to SCADA systems?
Availability
For potential employees, it is generally a good idea to reflect security access information on job descriptions, in interviews and in site tours.
False
Which of the following are among the top 3 current spending priorities for organizations with regards to technology and security?
Application Security, Cloud Security, Data Security
When a company rents the use of an application to a customer, this is:
Application Service Provider
Which of the following is most representative of the INFOSEC process?
Assess, Plan, Implement, Monitor, Update
Which of the following is not a pillar of Information Assurance?
Authorization
High security controls are designed to impede, detect, assess, and neutralize.
False
Match the governance style with its description:
Business Monarchy -- Executive leadership has decision rights
IT Monarchy -- IT executives have decision rights
Federal -- Rights shared by "C-level" executives and at least one other group
Feudal -- Unit leaders have decision rights locally
IT Duopoly -- IT executives and other business leaders share rights
Anarchy -- Individual process owners have decision rights
An outsourced customer call center is an example of which type of outsourcing?
Business Process
Hiring qualified information security personnel is not a major concern of organizations since there is an abundance of those possessing the skill sets.
False
Which of the following directives was instrumental in instructing all Federal Agencies to fund, develop and implement information Assurance training and awareness?
CNSS Directive 500
Which of the following most accurately depicts the traditional government path to INFOSEC?
COMSEC+COMPUSEC+TEMPEST=INFOSEC
In theory, which of the following acquisition types offers lower cost and quicker deployment YET offers the least control and higher risk of potential vulnerabilities?
COTS
Which of the following is not a drawback of intrusion detection and monitoring systems?
Cannot be penetrated
Which of the following would not be a possible incident indicator?
Changes to logs; Log changes are an example of a definite indicator
Which of the following would NOT be consistent with a computer being incidental to a crime?
Computer was used to attack another computer
From the Policy Pyramid, correctly match the entities with the things they create.
Congress -- Public Law
Executive -- Federal Government Policy
Government Agencies -- Guidelines, Publications, and Standards
Department of Defense -- Military/Defense Policy and Directives
Army, Navy, USMC, AF -- Agency-specific Policy and Directives
Which of the following would not be considered a cybercrime category as discussed in this module?
Criminal activities against animals
Human error accounts for the majority of data breach causes.
False
Which of the following would not be considered a crime targeting a computer device or network?
Cyber stalking
According to Ponemon, Web-based attacks are by far the most costly attack type.
False
All unethical behavior is conducted with intent.
False
Match the following designations with their descriptions
Definers -- Provide policies, guidelines, and standards
Builders -- Provide and install the technical solutions
Operators -- Provide operational and monitoring support
Which of the following represent the highest internal cost activity of a breach?
Discovery, Containment
How does Halon suppress a fire?
Disrupts the chemical reaction of a fire
Which of the following is intended to provide individuals' protection and privacy when personal information is collected and held by Member State institutions?
EU Regulation 45/2001
A computer is the object of a crime when it is used to conduct online gambling
False
A system high security mode is more restrictive than a dedicated security mode
False
Vendors or maintenance contractors can always be trusted since they are under contractual obligation. Accounts set up for vendor diagnostic access should remain open so the vendor can assist, at any time, with problems.
False
While malicious insider abuse may happen with great frequency, the cost borne by an organization for such cybercrime is relatively low.
False
Without a question, the larger the organization, the larger the percentage of revenues allocated to the IT budget.
False
Which is not an example of a digital operational supply chain?
FedEx delivery service
Which of the following is NOT true regarding NSDD 145?
First large-scale national security policy enacted by Congress.
Match the statements with the corresponding laws:
Identity Theft Enforcement and Resolution Act -- Considers threats to steal information as a crime
USA Patriot Act -- Laundering actions to defend against terrorism
Computer Security Act -- Required mandatory security awareness training at the federal level
Federal Information Security Management Act -- Requires government agencies to assess the information security risks of their computer systems
Computer Fraud and Abuse Act -- Considers unauthorized access to national security data as a crime
Which of the following is not a recommended secure way to dispose of the disk drives?
Format the disk drive prior to disposal or redeployment
Match the following legislation with the description:
Freedom of Information Act -- Allows citizens to see what personal information government agencies are maintaining on them
Electronic Communications Privacy Act -- Regulates unauthorized interception of electronic and oral communications
Federal Privacy Act -- Regulates government's use of private information
U.S. Copyright Law -- Protects intellectual property
Match the instrument with its description:
G8 Points of Contact -- Attempts to provide 24x7 POCs to assist in cyber crime issues
Security Freedom through Encryption Act -- Prohibits federal government from requiring the use of encryption on official documents
Letter Rogatory -- A diplomatic letter of request for assistance to another country
Mutual Legal Assistance Treaty -- Bilateral treaties that establish crime investigation cooperation
Digital Millennium Copyright Act -- Attempts to protect private or trademark information internationally
Which of the following types of software acquisitions typically involve the development, by a technical staff, from a government agency?
GOTS
Which of the following industries has the highest customer churn rate caused by data breaches?
Health
Which of the following is NOT true regarding the Gramm-Leach-Bliley Act?
Holds organization CEOs personally responsible
Which of the following is a coordinated effort, between government and private sector, to establish a knowledge base for information sharing related to critical concerns?
INFRAGARD
Which of the following is not a reason why IT governance is important?
IT value is all about technology
The Help desk and customer support function should be tied closely to which of the following?
Incident Response Plans
Which of the following best describes a closed-loop HVAC system?
Inside air is re-circulated and re-filtered constantly to keep outside air contaminants out as much as possible.
If an access control has a fail-safe characteristic but not a fail-secure characteristic, what does it mean?
It defaults to being unlocked
Which of the following is the most pressing problem with FISMA?
It is a trailing indicator and not a leading indicator and thus does not help with real-time security issues
Which of the following would be considered a breach of integrity?
John used SQL Injection techniques to change values in the database
Why is it important to clean keypad based locks from a security perspective?
Keeps intruders from discovering code patterns
Which of the following is NOT a human factor of concern to information security professionals?
Lack of business knowledgeable leadership
What overarching concept does the castle example provide with regards to information security?
Layered defenses
Which of the following security modes of operation requires a minimum clearance level of not-cleared and a maximum data classification level of unclassified but sensitive?
Limited
Which of the following is not a claim of Cloud sourcing?
Moderate availability
Which of the following are applicable to a hostile departure for a terminated employee?
Obtain all keys, key cards, and other organizational assets before the individual leaves the premises
Terminate or disable access codes and logins prior to giving the employee termination notice
Inventory and monitor access logs surrounding the termination time
Conduct an exit interview with the employee
FISMA requires Federal government agencies to provide security protection proportionate to the risk
True
Match the following regarding the 6 P's of information security
People -- SETA
Programs -- Entities managed in Information Security domain
Protection -- Risk assessment
Project management -- Resource control
Planning -- Support, design, create and implement
Policy -- Behavior guidelines
Which of the following fire suppression systems is more appropriate for use in a data center?
Pre-Action sprinkler systems
Which of the following is not an information security spending priority area?
Projection
Which of the following are true with respect to HIPAA?
Protects the confidentiality of health care data, Establishes standards for electronic interchange and handling of health care data, Requires organizations to conduct comprehensive assessments of information protection mechanisms.
Which of the following is not a goal of IS governance?
Provide specific security equipment purchase information
Which of the following is NOT true regarding the Computer Fraud and Abuse Act of 1986?
Provided roving surveillance authority
Which of the following is not a specific requirement of FISMA as covered in this module?
Required to coordinate all security activity with the Department of Defense
Which of the following laws deal mostly with financial reporting and disclosure concerns?
Sarbanes-Oxley Act and Gramm-Leach-Bliley Act
For contract employees, service level agreements or contracts should explicitly address issues of visit or cancellation notice as well as any background checks required.
True
Which of the following is not true of SaaS, Cloud Computing, and outsourcing?
Since the function is outsourced, the security issues are not important.
HSPD-7 instructed government sector agencies to reach out to the private sector for help with critical infrastructure security issues.
True
Match the suppression method with how it works:
Soda, acid -- Removes fuel from fire
Gas, halon or substitute -- Interferes with chemical reaction of elements of fire
CO2 -- Removes oxygen from fire
Water -- Reduces temperature of fire
Which of the following is not true regarding National Security Presidential Directive 54?
Supersedes OMB Circular A-130
SCADA stands for:
Supervisory Control and Data Acquisition
Which of the following are safeguards mentioned in the CNSS Security Model (also known as the McCumber model)?
Technology, Policy, Education
What three fundamental high-level countermeasures of Defense in depth are all people-centric?
Technology, operation, and people
Which of the following would not be a determining factor in the design of a company's physical security program?
The value of real-estate prices in the surrounding areas
From a security perspective, Call Tracking or incident tracking systems are important because:
They keep the user apprised of the status and measures taken to resolve a problem
Hidden supply chains are those that exist behind a supplier that are not readily visible or obvious.
True
Which of the following would not be an important metric for measuring an organization's physical security risk?
Total number of times facilities was notified of burnt out lights.
A company outsourced a call center function but later brought it back in-house. This is an example of back sourcing.
True
A computer is the object of a crime if its integrity, confidentiality or availability is affected by a criminal activity.
True
A concern of outsourced arrangements is that you can never be absolutely sure that they are managing their business according to best practices or even maintaining good security.
True
Access to restricted areas should be designed so that they are not easy to enter and are not obvious.
True
An electrical ground acts as a conduit for any excess current on a power line and helps ensure that devices are not negatively affected by a spike in electrical current.
True
An incident candidate is an event that is a possible security incident and is identified through a process of incident classification.
True
Approximately 80% of all spam mail is generated by botnets.
True
Background checks should be conducted before extending an offer to a potential employee, regardless of the job level.
True
Backup tapes and media should be located in a separate area apart from normal IT operations
True
Buffer overflow attacks are the most targeted attack method for SCADA systems
True
CCTVs are best used in conjunction with other monitoring and intrusion alert methods.
True
Convergence is a results-oriented effort of cooperation between previously disjointed security functions
True
Convergence trends advocate creation of a single point of contact responsible for security issues. This is typically a CSO.
True
Critical Infrastructures are the technical structures, physical and cyber, that support a society
True
Executive Order 13231 superseded NSDD 145 and was responsible for the creation of the President's Critical Infrastructure Protection Board as well as the formalization of CNSS.
True
The cost and value of lost or stolen information represents the highest consequence cost for most organizations.
True
Which of the following would be a type of backup performed by the operations infrastructure support function?
User desktop backups
When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
When electrical equipment is on fire
Which best describes the act of bringing IT services back in-house?
back sourcing
Which of the following word combinations best describes IT governance?
decision rights, accountability, behavior
Producing a counterfeit product that is intended to fail and produce delays or irrecoverable events is an example of:
disruption
The European Union organization which provides information security guidance to Member States is:
ENISA
What is the first step in identifying complex supply chain risks?
identify ecosystems
Which of the following is not a main component of CPTED?
target hardening