previous quiz questions
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)? a. Meta-ethics b. Applied ethics c. Deontological ethics d. Normative ethics
Deontological ethics
A well-defined risk appetite should have the following characteristics EXCEPT: a. It is not limited by stakeholder expectations. b. It is documented as a formal risk appetite statement. c. It is reflective of all key aspects of the business. d. It acknowledges a willingness and capacity to take on risk.
It is not limited by stakeholder expectations.
The basic outcomes of InfoSec governance should include all but which of the following? a. Value delivery by optimizing InfoSec investments in support of organizational objectives b. Time management by aligning resources with personnel schedules and organizational objectives c. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively d. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
Time management by aligning resources with personnel schedules and organizational objectives
Which of the following is NOT a valid rule of thumb on risk treatment strategy selection? a. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls. b. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss. c. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. d. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.
All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT: a. When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. b. When a vulnerability exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being exploited. c. When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss. d. When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.
When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.
Which of the following activities is part of the risk identification process? a. documenting and reporting the findings of risk analysis b. calculating the severity of risks to which assets are exposed in their current setting c. assigning a value to each information asset d. determining the likelihood that vulnerable systems will be attacked by specific threats
assigning a value to each information asset
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________. a. threat b. exploit c. attack d. vulnerability
attack
A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. a. compromise b. spill c. notification d. breach
breach
The purpose of SETA is to enhance security in all but which of the following ways? a. by developing skills b. by adding barriers c. by building in-depth knowledge d. by improving awareness
by adding barriers
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. a. optimization b. combination c. intimation d. convergence
convergence
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________. a. risk acceptance premium b. cost avoidance c. probability estimate d. asset valuation
cost avoidance
Application of training and education among other approach elements is a common method of which risk treatment strategy? a. acceptance b. mitigation c. transferal d. defense
defense
Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? a. probability of being caught b. probability of being penalized c. fear of penalty d. fear of humiliation
fear of humiliation
To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT: a. learn more about the requirements and qualifications needed b. grant the InfoSec function needed influence and prestige c. form a committee and approve suggestions from the CISO d. learn more about budgetary and personnel needs
form a committee and approve suggestions from the CISO
Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them? a. probability of penalty being applied b. frequency of review c. probability of being apprehended d. fear of the penalty
frequency of review
An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________. a. impact b. tolerance c. uncertainty d. likelihood
impact
The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. a. implementation b. justification c. investigation d. analysis
investigation
The organization can perform risk determination using certain risk elements, including all but which of the following? a. element of uncertainty b. impact (consequence) c. likelihood of threat event (attack) d. legacy cost of recovery
legacy cost of recovery
The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________. a. likelihood b. impact c. tolerance d. uncertainty
likelihood
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. a. management guidance, technical specifications b. management guidance, technical directive c. management specification, technical directive d. management directive, technical specifications
management guidance, technical specifications
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a. managerial controls b. technical controls c. system controls d. operational controls
managerial controls
The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics? a. culture b. market c. size d. budget
market
The EISP must directly support the organization's __________. a. public announcements b. values statement c. mission statement d. financial statement
mission statement
Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster? a. transference b. acceptance c. avoidance d. mitigation
mitigation
Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders? a. technical feasibility b. operational feasibility c. political feasibility d. behavioral feasibility
operational feasibility
Which of the following is NOT one of the basic rules that must be followed when developing a policy? a. policy must be properly supported and administered b. policy should never conflict with law c. policy must be able to stand up in court if challenged d. policy should be focused on protecting the organization from public embarrassment
policy should be focused on protecting the organization from public embarrassment
Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. public b. criminal c. tort d. private
private
For an organization to manage its InfoSec risk properly, managers should understand how information is __________. a. processed b. collected c. all of these are needed d. transmitted
processed, collected, transmitted
What is the final step in the risk identification process? a. identifying and inventorying assets b. classifying and categorizing assets c. assessing values for information assets d. ranking assets in order of importance
ranking assets in order of importance
What is the SETA program designed to do? a. reduce the occurrence of accidental security breaches b. reduce the occurrence of external attacks c. improve operations d. increase the efficiency of InfoSec staff
reduce the occurrence of accidental security breaches
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________. a. risk acceptance b. residual risk c. risk avoidance d. risk appetite
risk appetite
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. risk assurance b. risk appetite c. risk termination d. residual risk
risk appetite
The identification, analysis, and evaluation of risk in an organization describes which of the following? a. risk management b. risk reduction c. risk assessment d. risk determination
risk assessment
This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator. a. security technician b. security manager c. security analyst d. security consultant
security manager
Human error or failure often can be prevented with training and awareness programs, policy, and __________. a. ISO 27000 b. technical controls c. outsourcing d. hugs
technical controls
In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? a. appeals process b. the penalties for violation of the policy c. individual responsible for approval d. legal recourse
the penalties for violation of the policy
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________. a. the network provider the hacker used b. how many perpetrators were involved c. what kind of computer the hacker used d. the type of crime committed
the type of crime committed
Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? a. information extortion b. espionage or trespass c. theft d. sabotage or vandalism
theft
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________. a. threat b. vulnerability c. exploit d. attack
threat
Digital forensics can be used for two key purposes: ________ or _________. a. to investigate allegations of digital malfeasance; to solicit testimony b. e-discovery; to perform root cause analysis c. to solicit testimony; to perform root cause analysis d. to investigate allegations of digital malfeasance; to perform root cause analysis
to investigate allegations of digital malfeasance; to perform root cause analysis
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. a. security b. bypass c. trespass d. theft
trespass
Which of the following is a key advantage of the bottom-up approach to security implementation? a. utilizing the technical expertise of the individual administrators b. coordinated planning from upper management c. a clear planning and implementation process d. strong upper-management support
utilizing the technical expertise of the individual administrators
The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite. a. zero b. its theoretical minimum c. below the cost-benefit break-even point d. de minimis
zero
Treating risk begins with which of the following? a. rethinking how services are offered b. an understanding of risk treatment strategies c. applying controls and safeguards that eliminate risk d. understanding the consequences of choosing to ignore certain risks
an understanding of risk treatment strategies
Force majeure includes all of the following EXCEPT: a. acts of war b. forces of nature c. armed robbery d. civil disorder
armed robbery
The process of assigning financial value or worth to each information asset is known as __________. a. risk acceptance premium b. probability estimate c. cost estimation d. asset valuation
asset valuation
Policy __________ means the employee must agree to the policy. a. complacency b. conformance c. consequence d. compliance
compliance
According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy? a. accountability b. confidentiality c. availability d. integrity
confidentiality
Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information? a. authentication b. confidentiality c. integrity d. availability
confidentiality
Which of the following should be included in an InfoSec governance program? a. An InfoSec project management assessment b. All of these are components of the InfoSec governance program. c. An InfoSec maintenance methodology d. An InfoSec risk management methodology
An InfoSec risk management methodology
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls. a. remediation b. rehabilitation c. deterrence d. persecution
deterrence
Which of the following is NOT used to categorize some types of law? a. constitutional b. regulatory c. statutory d. international
international
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. accident b. ignorance c. malice d. intent
malice
Access control list user privileges include all but which of these? a. execute b. read c. operate d. write
operate
Which of the following variables is the most influential in determining how to structure an information security program? a. online exposure of organization b. organizational culture c. security capital budget d. competitive environment
organizational culture
Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. programs b. planning c. people d. policy
policy
Once an information asset is identified, categorized, and classified, what must also be assigned to it? a. location ID b. relative value c. asset tag d. threat risk
relative value
The first priority of the CISO and the InfoSec management team should be the __________. a. development of a security policy b. implementation of a risk management program c. adoption of an incident response plan d. structure of a strategic plan
structure of a strategic plan
A potential weakness in an asset or its defensive control system(s) is known as a(n) __________. a. attack b. exploit c. vulnerability d. threat
vulnerability
Which law extends protection to intellectual property, which includes words published in electronic formats? a. Security and Freedom through Encryption Act b. Freedom of Information Act c. U.S. Copyright Law d. Sarbanes-Oxley Act
U.S. Copyright Law