A technique used to compromise a system is known as a(n)
Access method Asset Exploit (answer) Risk
An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n)
Access method Asset (answer) Exploit Risk
The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.
Communications security Network security Physical security Information security (answer)
__________ law comprises a wide variety of laws that govern a nation or state.
Criminal Civil (answer) Public Private
Computer assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information. ____________
False
Cost mitigation is the process of preventing the financial impact of an incident by implementing a control.
False
Knowing yourself means identifying, examining, and understanding the threats facing the organization.
False
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
ISO CIO CISO (answer) CTO
A mail bomb is a form of DoS attack.
True
During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.
True
Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught.
True
The Department of Homeland Security works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research.
True
To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.
True
__________ was the first operating system to integrate security as one of its core functions.
UNIX DOS MULTICS (answer) ARPANET
The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
Violence Fraud (answer) Theft Usage
Criminal or unethical __________ goes to the state of mind of the individual performing the act.
attitude intent (answer) accident All of the above
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
bypass theft trespass (answer) security
Ideally, the _____, systems administrators, the chief information security officer (CISO), and key IT and business managers should be actively involved during the creation and development of all CP components.
chief information officer (CIO)(answer) chief executive officer (CEO) chief financial officer (CFO) senior auditor
Incident _____ is the process of examining a potential incident, or incident candidate, and determining whether the candidate constitutes an actual incident.
classification (answer) category response strategy
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes _____.
controls have been bypassed controls have proven ineffective controls have failed All of the above (answer)
In a ____________________ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources.
denial-of-service (answer) distributed denial-of-service virus spam
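The distinction the question turns on is the number of sources, not the volume of traffic: a mail bomb, a SYN flood and a DDoS all rely on flooding, but only the distributed form spreads the requests over many origins. The following added example (not part of the original quiz) classifies a flood per target by counting distinct source addresses over constructed connection-log lines; the log format, the thresholds and the TEST-NET addresses are all assumptions made for the illustration.

```python
"""Classify a request flood as single-source DoS or distributed DDoS.

Added example, not from the original quiz. The log format, the
thresholds and the sample lines are all constructed for illustration.
"""
from collections import Counter, defaultdict
import re

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<port> <verb>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<verb>\S+)$"
)

FLOOD_THRESHOLD = 50      # requests to one target in the window (assumed value)
DISTRIBUTED_SOURCES = 10  # this many distinct sources or more counts as distributed (assumed)


def parse(lines):
    """Yield (src, "dst:port") pairs, skipping lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("src"), f"{m.group('dst')}:{m.group('port')}"


def classify(lines, flood_threshold=FLOOD_THRESHOLD,
             distributed_sources=DISTRIBUTED_SOURCES):
    """Return {target: verdict} with verdict in {'normal', 'dos', 'ddos'}.

    'dos'  : volume exceeds the threshold but comes from a few sources
    'ddos' : the same volume spread over many distinct sources
    """
    per_target = defaultdict(Counter)
    for src, dst in parse(lines):
        per_target[dst][src] += 1
    verdicts = {}
    for dst, sources in per_target.items():
        total = sum(sources.values())
        if total < flood_threshold:
            verdicts[dst] = "normal"
        elif len(sources) >= distributed_sources:
            verdicts[dst] = "ddos"
        else:
            verdicts[dst] = "dos"
    return verdicts


def synthetic_flood(dst, sources, requests):
    """Build constructed log lines: `requests` SYNs to dst, round-robin over sources."""
    return [
        f"2024-01-01T00:00:{i % 60:02d}Z {sources[i % len(sources)]} -> {dst} SYN"
        for i in range(requests)
    ]


# Constructed sample traffic using RFC 5737 TEST-NET addresses
SINGLE_SOURCE = synthetic_flood("198.51.100.10:443", ["203.0.113.5"], 200)
MANY_SOURCES = synthetic_flood("198.51.100.20:443",
                               [f"203.0.113.{i}" for i in range(1, 41)], 200)
BACKGROUND = synthetic_flood("198.51.100.30:22", ["203.0.113.7", "203.0.113.8"], 6)

if __name__ == "__main__":
    for target, verdict in classify(SINGLE_SOURCE + MANY_SOURCES + BACKGROUND).items():
        print(f"{target}: {verdict}")
```

Both thresholds are tuning knobs: a single-source flood of 200 requests to one port is classified "dos", the same volume from 40 addresses is "ddos", and the six background connections stay "normal". In practice the source count alone is a weak signal (NAT and proxies collapse many clients onto one address, and spoofed source addresses inflate the count), so a real detector would combine it with rate and protocol state.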
A business influence analysis (BIA) is an investigation and assessment of adverse events that can affect the organization.
false
A(n) DR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs.
false
According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement.
false
Baselining is the comparison of past security activities and events against the organization's current performance.
false
E-mail spoofing involves sending an e-mail message with a harmful attachment.
false
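The statement is false because spoofing is about a forged sender, not about the payload: a spoofed message may carry no attachment at all, and a message with a harmful attachment may have a perfectly honest From: line. The added example below (not from the original quiz) makes that separation concrete by parsing two constructed messages with the Python standard library and reporting the From: versus envelope (Return-Path) domain mismatch independently of whether an attachment is present. The messages, domains and the simple header-only heuristic are assumptions for the illustration; real mail systems rely on SPF, DKIM and DMARC rather than this check alone.

```python
"""Separate a spoofed From: header from the presence of an attachment.

Added example, not from the original quiz. Both messages are constructed;
the domains are RFC 2606 reserved example domains.
"""
from email import message_from_string, policy
from email.utils import parseaddr


def sender_domain(addr_header):
    """Return the lower-cased domain of an RFC 5322 address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return From/Return-Path domains, a spoof verdict and an attachment flag.

    Heuristic (assumed for the example): a From: domain that differs from the
    envelope sender's domain is treated as a spoofed display sender.
    """
    msg = message_from_string(raw, policy=policy.default)
    from_dom = sender_domain(msg["From"])
    env_dom = sender_domain(msg["Return-Path"])
    has_attachment = any(
        part.get_content_disposition() == "attachment" for part in msg.walk()
    )
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "spoofed_from": bool(from_dom and env_dom and from_dom != env_dom),
        "has_attachment": has_attachment,
    }


# Constructed message 1: forged From:, no attachment at all
SPOOFED = """\
Return-Path: <bounce@mail.example.net>
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please send the wire today.
"""

# Constructed message 2: honest sender, carries an attachment
LEGIT_WITH_ATTACHMENT = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.com
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Report attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="q3.pdf"

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    print("spoofed message:", analyze(SPOOFED))
    print("legitimate message:", analyze(LEGIT_WITH_ATTACHMENT))
```

The first message is flagged as spoofed and has no attachment; the second carries an attachment and is not flagged. A mismatch between From: and Return-Path is also common in legitimate mail from bulk senders and mailing lists, which is why the verdict here is a heuristic and not a filter decision.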
In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their information from unauthorized access.
false
Information security can be an absolute.
false
Information security's primary mission is to ensure that systems and their contents retain their confidentiality at any cost.
false
Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved.
false
Risk mitigation is the process of assigning a risk rating or score to each information asset.
false
Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.
false
The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002.
false
The Security Development Life Cycle (SDLC) is a general methodology for the design and implementation of an information system.
false
The U.S. Secret Service is currently within the Department of the Treasury.
false
The bottom-up approach to information security has a higher probability of success than the top-down approach.
false
The continuity planning management team (CPMT) is the group of senior managers and project members organized to conduct and lead all contingency planning efforts.
false
Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms.
false
According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except __________.
for purposes of commercial advantage for private financial gain to harass (answer) in furtherance of a criminal act
____________________ is the premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.
infoterrorism cyberterrorism (answer) hacking cracking
Digital forensics involves the _____, identification, extraction, documentation, and interpretation of digital media.
investigation determination confiscation preservation (answer)
Data backup should be based on a(n) ____ policy that specifies how long log data should be maintained.
replication business resumption incident response retention (answer)
Incident _____ is the set of activities taken to plan for, detect, and correct the impact of an incident on information assets.
response (answer) readiness mitigation recovery
The first phase of risk management is _________.
risk identification (answer) design risk control risk evaluation
"4-1-9" fraud is an example of a ____________________ attack.
social engineering (answer) virus worm spam
Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
threats education (answer) hugs paperwork
A breach of possession may not always result in a breach of confidentiality.
true
A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.
true
Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective.
true
Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with very little warning and are beyond the control of people.
true
Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied.
true
Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack.
true
Privacy is the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality._________________________
true
Risk control is the application of controls that reduce the risks to an organization's information assets to an acceptable level.
true
In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
zombie-in-the-middle sniff-in-the-middle server-in-the-middle man-in-the-middle (answer)
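The three steps in the definition (sniff, modify, reinject) succeed only because the receiver has no way to tell a rewritten packet from the original. The added example below (not part of the original quiz) goes one step past the definition and shows the countermeasure alongside the attack: the same field rewrite is applied to an unauthenticated frame, which the receiver accepts, and to a frame carrying an HMAC-SHA256 tag, which the receiver rejects because the attacker cannot recompute the tag without the key. The party roles, the wire format (JSON body, newline, hex tag) and the hard-coded shared key are assumptions for the illustration; a real protocol would establish the key through a handshake such as TLS.

```python
"""Man-in-the-middle rewrite against plain vs HMAC-authenticated frames.

Added example, not from the original quiz. The wire format and the shared
key are constructed; a real protocol would negotiate the key, not embed it.
"""
import hashlib
import hmac
import json

# Assumed out-of-band shared secret between sender and receiver
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def send_plain(payload: dict) -> bytes:
    """Sender emits an unauthenticated frame: just the JSON body."""
    return json.dumps(payload, sort_keys=True).encode()


def send_authenticated(payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Sender emits body + b'\\n' + hex(HMAC-SHA256(key, body))."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def mitm(wire: bytes, field: str, new_value) -> bytes:
    """Attacker sniffs a frame, rewrites one field and reinjects it.

    The attacker has no key, so on an authenticated frame the original tag
    is simply copied over unchanged; on a plain frame there is no tag.
    """
    body, sep, tag = wire.rpartition(b"\n")
    if not sep:                      # plain frame: the whole wire is the body
        body, tag = wire, b""
    payload = json.loads(body)
    payload[field] = new_value
    new_body = json.dumps(payload, sort_keys=True).encode()
    return new_body + sep + tag


def receive_plain(wire: bytes) -> dict:
    """Receiver of a plain frame has nothing to verify and accepts it as-is."""
    return json.loads(wire)


def receive_authenticated(wire: bytes, key: bytes = SHARED_KEY):
    """Receiver recomputes the HMAC over the body; returns payload or None on mismatch."""
    body, sep, tag = wire.rpartition(b"\n")
    if not sep:
        return None                  # no tag at all: reject
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body)


def demo():
    """Run the same rewrite against both frame types; returns (plain_result, auth_result)."""
    order = {"to": "ACME", "amount": 100}
    plain_result = receive_plain(mitm(send_plain(order), "amount", 100000))
    auth_result = receive_authenticated(mitm(send_authenticated(order), "amount", 100000))
    return plain_result, auth_result


if __name__ == "__main__":
    plain, auth = demo()
    print("plain frame accepted after rewrite:", plain)
    print("authenticated frame after rewrite:", auth)
```

The plain receiver returns the tampered order with the inflated amount; the authenticated receiver returns None. Note that the HMAC protects integrity and origin only: an attacker who merely sniffs still reads the body in the clear, so confidentiality needs encryption in addition, and a receiver that does not track sequence numbers will still accept a replayed frame with a valid tag.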