previous quiz questions


Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics) a. Meta-ethics b. Applied ethics c. Deontological ethics d. Normative ethics

Deontological ethics

A well-defined risk appetite should have all of the following characteristics EXCEPT: a. It is not limited by stakeholder expectations. b. It is documented as a formal risk appetite statement. c. It is reflective of all key aspects of the business. d. It acknowledges a willingness and capacity to take on risk.

It is not limited by stakeholder expectations.

The basic outcomes of InfoSec governance should include all but which of the following? a. Value delivery by optimizing InfoSec investments in support of organizational objectives b. Time management by aligning resources with personnel schedules and organizational objectives c. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively d. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved

Time management by aligning resources with personnel schedules and organizational objectives

Which of the following is NOT a valid rule of thumb on risk treatment strategy selection? a. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls. b. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss. c. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. d. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.

All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT: a. When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. b. When a vulnerability exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being exploited. c. When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss. d. When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

Which of the following activities is part of the risk identification process? a. documenting and reporting the findings of risk analysis b. calculating the severity of risks to which assets are exposed in their current setting c. assigning a value to each information asset d. determining the likelihood that vulnerable systems will be attacked by specific threats

assigning a value to each information asset

An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________. a. threat b. exploit c. attack d. vulnerability

attack

A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. a. compromise b. spill c. notification d. breach

breach

The purpose of SETA is to enhance security in all but which of the following ways? a. by developing skills b. by adding barriers c. by building in-depth knowledge d. by improving awareness

by adding barriers

The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. a. optimization b. combination c. intimation d. convergence

convergence

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________. a. risk acceptance premium b. cost avoidance c. probability estimate d. asset valuation

cost avoidance

Application of training and education among other approach elements is a common method of which risk treatment strategy? a. acceptance b. mitigation c. transferal d. defense

defense

Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? a. probability of being caught b. probability of being penalized c. fear of penalty d. fear of humiliation

fear of humiliation

To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT: a. learn more about the requirements and qualifications needed b. grant the InfoSec function needed influence and prestige c. form a committee and approve suggestions from the CISO d. learn more about budgetary and personnel needs

form a committee and approve suggestions from the CISO

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them? a. probability of penalty being applied b. frequency of review c. probability of being apprehended d. fear of the penalty

frequency of review

An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________. a. impact b. tolerance c. uncertainty d. likelihood

impact

The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. a. implementation b. justification c. investigation d. analysis

investigation

The organization can perform risk determination using certain risk elements, including all but which of the following? a. element of uncertainty b. impact (consequence) c. likelihood of threat event (attack) d. legacy cost of recovery

legacy cost of recovery

The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________. a. likelihood b. impact c. tolerance d. uncertainty

likelihood

Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. a. management guidance, technical specifications b. management guidance, technical directive c. management specification, technical directive d. management directive, technical specifications

management guidance, technical specifications

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a. managerial controls b. technical controls c. system controls d. operational controls

managerial controls

The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics? a. culture b. market c. size d. budget

market

The EISP must directly support the organization's __________. a. public announcements b. values statement c. mission statement d. financial statement

mission statement

Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster? a. transference b. acceptance c. avoidance d. mitigation

mitigation

Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders? a. technical feasibility b. operational feasibility c. political feasibility d. behavioral feasibility

operational feasibility

Which of the following is NOT one of the basic rules that must be followed when developing a policy? a. policy must be properly supported and administered b. policy should never conflict with law c. policy must be able to stand up in court if challenged d. policy should be focused on protecting the organization from public embarrassment

policy should be focused on protecting the organization from public embarrassment

Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. public b. criminal c. tort d. private

private

For an organization to manage its InfoSec risk properly, managers should understand how information is __________. a. processed b. collected c. all of these are needed d. transmitted

processed, collected, transmitted

What is the final step in the risk identification process? a. identifying and inventorying assets b. classifying and categorizing assets c. assessing values for information assets d. ranking assets in order of importance

ranking assets in order of importance

What is the SETA program designed to do? a. reduce the occurrence of accidental security breaches b. reduce the occurrence of external attacks c. improve operations d. increase the efficiency of InfoSec staff

reduce the occurrence of accidental security breaches

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________. a. risk acceptance b. residual risk c. risk avoidance d. risk appetite

risk appetite

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. risk assurance b. risk appetite c. risk termination d. residual risk

risk appetite

The identification, analysis, and evaluation of risk in an organization describes which of the following? a. risk management b. risk reduction c. risk assessment d. risk determination

risk assessment

This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator. a. security technician b. security manager c. security analyst d. security consultant

security manager

Human error or failure often can be prevented with training and awareness programs, policy, and __________. a. ISO 27000 b. technical controls c. outsourcing d. hugs

technical controls

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? a. appeals process b. the penalties for violation of the policy c. individual responsible for approval d. legal recourse

the penalties for violation of the policy

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________. a. the network provider the hacker used b. how many perpetrators were involved c. what kind of computer the hacker used d. the type of crime committed

the type of crime committed

Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? a. information extortion b. espionage or trespass c. theft d. sabotage or vandalism

theft

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________. a. threat b. vulnerability c. exploit d. attack

threat

Digital forensics can be used for two key purposes: ________ or _________. a. to investigate allegations of digital malfeasance; to solicit testimony b. e-discovery; to perform root cause analysis c. to solicit testimony; to perform root cause analysis d. to investigate allegations of digital malfeasance; to perform root cause analysis

to investigate allegations of digital malfeasance; to perform root cause analysis

Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. a. security b. bypass c. trespass d. theft

trespass

Which of the following is a key advantage of the bottom-up approach to security implementation? a. utilizing the technical expertise of the individual administrators b. coordinated planning from upper management c. a clear planning and implementation process d. strong upper-management support

utilizing the technical expertise of the individual administrators

The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite. a. zero b. its theoretical minimum c. below the cost-benefit break-even point d. de minimis

zero

Treating risk begins with which of the following? a. rethinking how services are offered b. an understanding of risk treatment strategies c. applying controls and safeguards that eliminate risk d. understanding the consequences of choosing to ignore certain risks

an understanding of risk treatment strategies

Force majeure includes all of the following EXCEPT: a. acts of war b. forces of nature c. armed robbery d. civil disorder

armed robbery

The process of assigning financial value or worth to each information asset is known as __________. a. risk acceptance premium b. probability estimate c. cost estimation d. asset valuation

asset valuation

Policy __________ means the employee must agree to the policy. a. complacency b. conformance c. consequence d. compliance

compliance

According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy? a. accountability b. confidentiality c. availability d. integrity

confidentiality

Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information? a. authentication b. confidentiality c. integrity d. availability

confidentiality

Which of the following should be included in an InfoSec governance program? a. An InfoSec project management assessment b. All of these are components of the InfoSec governance program. c. An InfoSec maintenance methodology d. An InfoSec risk management methodology

An InfoSec risk management methodology

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls. a. remediation b. rehabilitation c. deterrence d. persecution

deterrence

Which of the following is NOT used to categorize some types of law? a. constitutional b. regulatory c. statutory d. international

international

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. accident b. ignorance c. malice d. intent

malice

Access control list user privileges include all but which of these? a. execute b. read c. operate d. write

operate

Which of the following variables is the most influential in determining how to structure an information security program? a. online exposure of organization b. organizational culture c. security capital budget d. competitive environment

organizational culture

Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. programs b. planning c. people d. policy

policy

Once an information asset is identified, categorized, and classified, what must also be assigned to it? a. location ID b. relative value c. asset tag d. threat risk

relative value

The first priority of the CISO and the InfoSec management team should be the __________. a. development of a security policy b. implementation of a risk management program c. adoption of an incident response plan d. structure of a strategic plan

structure of a strategic plan

A potential weakness in an asset or its defensive control system(s) is known as a(n) __________. a. attack b. exploit c. vulnerability d. threat

vulnerability

Which law extends protection to intellectual property, which includes words published in electronic formats? a. Security and Freedom through Encryption Act b. Freedom of Information Act c. U.S. Copyright Law d. Sarbanes-Oxley Act

U.S. Copyright Law
