SPM401 - SP2019
A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
A polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
True
A task or subtask becomes an action step when it can be completed by one individual or skill set and when it includes a single deliverable.
True
A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. a. True b. False
True
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________
True
Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
True
Information security policies are designed to provide structure in the workplace and explain the will of the organization's management.
True
Policies must specify penalties for unacceptable behavior and define an appeals process.
True
Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True
The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. a. True b. False
True
The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
True
The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. a. True b. False
True
The InfoSec community often takes on the leadership role in addressing risk. a. True b. False
True
The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes. a. True b. False
True
"4-1-9" fraud is an example of a ____________________ attack. a. social engineering b. virus c. worm d. spam
a
Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach? a. incident response plan b. business continuity plan c. disaster recovery plan d. damage control plan
a
The NIST risk management approach includes all but which of the following elements? a. inform b. assess c. frame d. respond
a
The identification and assessment of levels of risk in an organization describes which of the following? a. Risk analysis b. Risk identification c. Risk management d. Risk reduction
a
Which of the following are the two general groups into which SysSPs can be separated? a. technical specifications and managerial guidance b. business guidance and network guidance c. user specifications and managerial guidance d. technical specifications and business guidance
a
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness? a. Systems testing b. Risk assessment c. Incident response d. Systems security administration
a
Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet? a. Uncertainty percentage b. Asset impact c. Risk-rating factor d. Vulnerability likelihood
a
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? a. can suffer from poor policy dissemintation, enforcement, and review b. may skip vulnerabilities otherwise reported c. may be more expensive than necessary d. implementation can be less difficult to manage
a
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? a. organization b. planning c. controlling d. leading
a
Which of the following is true about planning? a. Strategic plans are used to create tactical plans b. Tactical plans are used to create strategic plans c. Operational plans are used to create tactical plans d. Operational plans are used to create strategic plans
a
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. a. (ISC)2 b. ACM c. SANS d. ISACA
a
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions? a. Violations of Policy b. Systems Management c. Prohibited Usage of Equipment d. Authorized Access and Usage of Equipment
a
The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge b. by adding barriers c. by developing skills d. by improving awareness
b
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. ignorance b. malice c. accident d. intent
b
Which of the following is an element of the enterprise information security policy? a. access control lists b. information on the structure of the InfoSec organization c. articulation of the organization's SDLC methodology d. indemnification of the organization against liability
b
Which of the following is an information security governance responsibility of the Chief Security Officer? a. Communicate policies and the program b. Set security policy, procedures, programs and training c. Brief the board, customers and the public d. Implement policy, report security vulnerabilities and breaches
b
__________ is a simple project management planning tool. a. RFP b. WBS c. ISO 17799 d. SDLC
b
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. a. bypass b. theft c. trespass d. security
c
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? a. conducting decision support b. implementing controls c. evaluating alternative strategies d. measuring program effectiveness
c
The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? a. Determined the level of risk posed to the information asset b. Performed a thorough cost-benefit analysis c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
c
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following? a. For purposes of commercial advantage b. For private financial gain c. For political advantage d. In furtherance of a criminal act
c
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process? a. Determining the likelihood that vulnerable systems will be attacked by specific threats b. Calculating the severity of risks to which assets are exposed in their current setting c. Assigning a value to each information asset d. Documenting and reporting the findings of risk identification and assessment
c
What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication
c
Which of the following is NOT a step in the problem-solving process? a. Select, implement and evaluate a solution b. Analyze and compare possible solutions c. Build support among management for the candidate solution d. Gather facts and make assumptions
c
Which of the following is NOT an alternative to using CBA to justify risk controls? a. benchmarking b. due care and due diligence c. selective risk avoidance d. the gold standard
c
Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process c. utilizes the technical expertise of the individual administrators d. coordinated planning from upper management
c
Which of the following is the first step in the problem-solving process? a. Analyze and compare the possible solutions b. Develop possible solutions c. Recognize and define the problem d. Select, implement and evaluate a solution
c
In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. a. zombie-in-the-middle b. sniff-in-the-middle c. server-in-the-middle d. man-in-the-middle
d
What are the two general methods for implementing technical controls? a. profile lists and configuration filters b. firewall rules and access filters c. user profiles and filters d. access control lists and configuration rules
d
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community? a. utilitarian b. virtue c. fairness or justice d. common good
d
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system? a. The Telecommunications Deregulation and Competition Act b. National Information Infrastructure Protection Act c. Computer Fraud and Abuse Act d. The Computer Security Act
d
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives? a. strategic b. operational c. organizational d. tactical
d
Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point? a. modular continuous b. elementary cyclical c. time-boxed circular d. traditional waterfall
d
Which of the following affects the cost of a control? a. liability insurance b. CBA report c. asset resale d. maintenance
d
Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives? a. leading b. controlling c. organizing d. planning
d
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics? a. Applied ethics b. Meta-ethics c. Normative ethics d. Deontological ethics
d
Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. a. True b. False
False
The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for. a. True b. False
False
The defense risk control strategy may be accomplished by outsourcing to other organizations.
False
The first step in solving problems is to gather facts and make assumptions.
False
The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables. a. True b. False
False
The security education, training, and awareness (SETA) program is designed to reduce the occurence of external security attacks. a. True b. False
False
Threats from insiders are more likely in a small organization than in a large one. a. True b. False
False
Ethics carry the sanction of a governing authority.
False - Law
A signaling law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________
False - breach
The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________
False - brute force
The recognition, enumeration, and documentation of risks to an organization's information assets. is known as risk control. ____________
False - identification
The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________
False - likelihood
Most information security projects require a trained project developer. _________________________
False - manager
In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
False - milestones
A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________
False - packet
Examples of actions that illustrate compliance with policies are known as laws.
False - practices
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
False - qualitative
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence.
False - rate
The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.
False - software
When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. _________________________
False - spike
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems. a. True b. False
False
Corruption of information can occur only while information is being stored.
False
DoS attacks cannot be launched against routers.
False
Having an established risk management program means that an organization's assets are completely protected.
False
Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments. a. True b. False
False
MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof. a. True b. False
False
The authorization process takes place before the authentication process.
False
The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application. a. True b. False
False
Because it sets out general business intentions, a mission statement does not need to be concise.
False - A mission statement should be concise, should reflect both internal and external operations, and should be robust enough to remain valid for a period of 4 to 6 years.
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False - Economic
The secretarial community often takes on the leadership role in addressing risk. ____________
False - InfoSec, infosec, Information Security, information security
The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
False - Internal
Entities outside the United States apply the standards provided under the Committee on National Security Systems (CNSS).
False - International Standards Organization
Technology is the essential foundation of an effective information security program.
False - Policy
Values statements should therefore be ambiguous; after all, they are meant to express the aspirations of the organization.
False - Vision, vision
The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
False - acceptance
Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy.
False - aggregation
An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection.
False - analysis
ISACA is a professional association with a focus on authorization, control, and security. ___________
False - auditing
A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________
False - baseline
One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________
False - bomb
The macro virus infects the key operating system files located in a computer's start up sector. _________________________
False - boot
A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________. a. enterprise risk management. b. joint application design c. security policy review d. disaster recovery planning
a
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team. a. champion b. end user c. team leader d. policy developer
a
A short-term interruption in electrical power availability is known as a ____. a. fault b. brownout c. blackout d. lag
a
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? a. Initiating b. Establishing c. Acting d. Learning
a
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________. a. penetration tester b. gray-hat hacker c. script kiddie d. zebra team
a
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme.
False - classification
The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. _________________________
False - cracker
It is the responsibility of InfoSec professionals to understand state laws and standards. ____________
False - regulations
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
False - stakeholder
Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________. a. threats b. education c. hugs d. paperwork
b
Once an information asset is identified, categorized, and classified, what must also be assigned to it? a. Asset tag b. Relative value c. Location ID d. Threat risk
b
The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____. a. Vulnerability mitigation controls b. Risk assessment estimate factors c. Exploit likelihood equation d. Attack analysis calculation
b
Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____. a. SSL b. SLA c. MSL d. MIN
b
What is the first phase of the SecSDLC? a. analysis b. investigation c. logical design d. physical design
b
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed? a. probability calculation b. documented control strategy c. risk acceptance plan d. mitigation plan
b
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? a. Risk exposure report b. Threats-vulnerabilities-assets worksheet c. Costs-risks-prevention database d. Threat assessment catalog
b
Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another? a. Cost of prevention b. Cost of litigation c. Cost of detection d. Cost of identification
a
ISO 27014:2013 is the ISO 27000 series standard for ____________. a. Governance of Information Security b. Information Security Management c. Risk Management d. Policy Management
a
In addition to specifying the penalties for unacceptable behavior, what else must a policy specify? a. appeals process b. legal recourse c. what must be done to comply d. the proper operation of equipment
a
In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies? a. design b. implementation c. investigation d. analysis
a
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. a. data owners b. data custodians c. data users d. data generators
a
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? a. Initiating b. Establishing c. Acting d. Learning
b
An example of a stakeholder of a company includes all of the following except: a. employees b. the general public c. stockholders d. management
b
Any court can impose its authority over an individual or organization if it can establish which of the following? a. jurisprudence b. jurisdiction c. liability d. sovereignty
b
Application of training and education is a common method of which risk control strategy? a. mitigation b. defense c. acceptance d. transferal
b
Blackmail threat of informational disclosure is an example of which threat category? a. Espionage or trespass b. Information extortion c. Sabotage or vandalism d. Compromises of intellectual property
b
By multiplying the asset value by the exposure factor, you can calculate which of the following? a. annualized cost of the safeguard b. single loss expectancy c. value to adversaries d. annualized loss expectancy
b
Data classification schemes should categorize information assets based on which of the following? a. Value and uniqueness b. Sensitivity and security needs c. Cost and replacement value d. Ease of reproduction and fragility
b
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
False - defense
The ISA 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.
False - governance
Non mandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________
False - guidelines
The information technology management community of interest often takes on the leadership role in addressing risk. ____________
False - infosec, information security
Rule-based policies are less specific to the operation of a system than access control lists. a. True b. False
False - more
Once a project is underway, it is managed to completion using a process known as a complete feedback loop, which ensures that progress is measured periodically.
False - negative feedback loop
"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________
False - surfing
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________
False - technical
InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False - technology
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________
False - threat
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________
False - transference
A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet.
False - vulnerabilities
Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair.
False - vulnerabilities
A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True
Deterrence is the best method for preventing an illegal or unethical activity. ____________
True
Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances.
True
Each organization has to determine its own project management methodology for IT and information security projects. a. True b. False
True
Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True
On-the-job training can result in substandard work performance while the trainee gets up to speed.
True
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system. a. True b. False
True
Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.
True
Planners need to estimate the effort required to complete each task, subtask, or action step.
True
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. a. True b. False
True
Small organizations spend more per user on security than medium- and large-sized organizations.
True
The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. a. True b. False
True
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
True
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
True
The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
True
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. a. True b. False
True
One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. a. hacktivist b. phreak c. hackcyber d. cyberhack
a
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices? a. Hold regular meetings with the CIO to discuss tactical InfoSec planning b. Assign InfoSec to a key committee and ensure adequate support for that committee c. Ensure the effectiveness of the corporation's InfoSec policy through review and approval d. Identify InfoSec leaders, hold them accountable, and ensure support for them
a
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. a. chief information security officer b. security technician c. security manager d. chief technology officer
a
The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization
a
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? a. qualitative assessment of many risk components b. quantitative valuation of safeguards c. subjective prioritization of controls d. risk analysis estimates
a
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? a. cost-benefit analysis b. exposure factor c. single loss expectancy d. annualized rate of occurrence
a
What should you be armed with to adequately assess potential weaknesses in each information asset? a. Properly classified inventory b. Audited accounting spreadsheet c. Intellectual property assessment d. List of known threats
a
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________. a. Board Risk Committee b. Board Finance Committee c. Board Audit Committee d. Chairman of the Board
a
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications? a. The Electronic Communications Privacy Act of 1986 b. The Telecommunications Deregulation and Competition Act of 1996 c. National Information Infrastructure Protection Act of 1996 d. Federal Privacy Act of 1974
a
Which of the following is an advantage of the user support group form of training? a. Usually conducted in an informal social setting b. Formal training plan c. Can be live, or can be archived and viewed at the trainee's convenience d. Can be customized to the needs of the trainee
a
Which of the following is not among the 'deadly sins of software security'? a. Extortion sins b. Implementation sins c. Web application sins d. Networking sins
a
Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems? a. A security technician b. A security analyst c. A security consultant d. The security manager
a
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose
a
Which type of planning is the primary tool in determining the long-term direction taken by an organization? a. strategic b. tactical c. operational d. managerial
a
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? a. issue-specific b. enterprise information c. system-specific d. user-specific
a
A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. a. denial-of-service b. distributed denial-of-service c. virus d. spam
b
A risk assessment is performed during which phase of the SecSDLC? a. implementation b. analysis c. design d. investigation
b
A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization
b
According to the C.I.a. triad, which of the following is a desirable characteristic for computer security? a. accountability b. availability c. authorization d. authentication
b
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? a. policy administration b. due diligence c. adequate security measures d. certification and accreditation
b
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program? a. protection b. people c. projects d. policy
b
Which law extends protection to intellectual property, which includes words published in electronic formats? a. Freedom of Information Act b. U.S. Copyright Law c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act
b
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. residual risk b. risk appetite c. risk assurance d. risk termination
b
Which of the following determines acceptable practices based on consensus and relationships among the communities of interest. a. organizational feasibility b. political feasibility c. technical feasibility d. operational feasibility
b
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right? a. Applied ethics b. Descriptive ethics c. Normative ethics d. Deontological ethics
b
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk? a. Risk management b. Risk assessment c. Systems testing d. Vulnerability assessment
b
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. planning b. policy c. programs d. people
b
Which of the following is NOT a step in the process of implementing training? a. administer the program b. hire expert consultants c. motivate management and employees d. identify target audiences
b
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? a. Enterprise information security policy b. User-specific security policies c. Issue-specific security policies d. System-specific security policies
b
Which of the following is NOT an aspect of access regulated by ACLs? a. what authorized users can access b. where the system is located c. how authorized users can access the system d. when authorized users can access the system
b
Which of the following is an attribute of a network device is physically tied to the network interface? a. Serial number b. MAC address c. IP address d. Model number
b
Which of the following is compensation for a wrong committed by an employee acting with or without authorization? a. liability b. restitution c. due diligence d. jurisdiction
b
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls. a. remediation b. deterrence c. persecution d. rehabilitation
b
Which of the following should be included in an InfoSec governance program? a. An InfoSec development methodology b. An InfoSec risk management methodology c. An InfoSec project management assessment from an outside consultant d. All of these are components of the InfoSec governance program
b
Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success? a. software engineering b. joint application design c. sequence-driven policies d. event-driven procedures
b
Which type of attack involves sending a large number of connection or information requests to a target? a. malicious code b. denial-of-service (DoS) c. brute force d. spear fishing
b
Which type of document is a more detailed statement of what must be done to comply with a policy? a. procedure b. standard c. guideline d. practice
b
A SETA program consists of three elements: security education, security training, and which of the following?. a. security accountability b. security authentication c. security awareness d. security authorization
c
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________. a. champion b. end user c. team leader d. policy developer
c
Advanced technical training can be selected or developed based on which of the following? a. level of previous education b. level of previous training c. technology product d. number of employees
c
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________. a. false alarms b. polymorphisms c. hoaxes d. urban legends
c
Classification categories must be mutually exclusive and which of the following? a. Repeatable b. Unique c. Comprehensive d. Selective
c
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following? a. General management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization c. Legal management must develop corporate-wide standards d. InfoSec management must lead the way with skill, professionalism, and flexibility
c
GGG security is commonly used to describe which aspect of security? a. technical b. software c. physical d. theoretical
c
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________. a. data owners b. data custodians c. data users d. data generators
c
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk? a. analysis and adjustment b. review and reapplication c. monitoring and measurement d. evaluation and funding
c
The basic outcomes of InfoSec governance should include all but which of the following? a. Value delivery by optimizing InfoSec investments in support of organizational objectives b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved c. Time management by aligning resources with personnel schedules and organizational objectives d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
c
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________. a. chief information security officer b. security technician c. security manager d. chief technology officer
c
What is defined as specific avenues that threat agents can exploit to attack an information asset? a. Liabilities b. Defenses c. Vulnerabilities d. Weaknesses
c
What is the SETA program designed to do? a. reduce the occurrence of external attacks b. improve operations c. reduce the occurence of accidental security breaches d. increase the efficiency of InfoSec staff
c
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them? a. ECPA b. Sarbanes-Oxley c. HIPAA d. Gramm-Leach-Bliley
c
Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? a. compliance b. policy c. planning d. systems security administration
c
Which law addresses privacy and security concerns associated with the electronic transmission of PHI? a. USA Patriot Act of 2001 b. American Recovery and Reinvestment Act c. Health Information Technology for Economic and Clinical Health Act d. National Information Infrastructure Protection Act of 1996
c
Which of the following are instructional codes that guide the execution of the system when information is passing through it? a. access control lists b. user profiles c. configuration rules d. capability tables
c
Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? a. feasibility analysis b. asset valuation c. cost avoidance d. cost-benefit analysis
c
Which of the following explicitly declares the business of the organization and its intended areas of operations? a. vision statement b. values statement c. mission statement d. business statement
c
Which of the following is NOT a valid rule of thumb on risk control strategy selection? a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls. d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
c
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation? a. Policy b. Centralized authentication c. Compliance/Audit d. Risk management
c
Which of the following is NOT one of the basic rules that must be followed when shaping a policy? a. policy should never conflict with law b. policy must be able to stand up in court if challenged c. policy should be agreed upon by all employees and management d. policy must be properly supported and administered
c
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls? a. brute force b. DoS c. back door d. hoax
c
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? a. On-target model b. Wood's model c. Bull's-eye model d. Bergeron and Berube model
c
Which of the following is an advantage of the one-on-one method of training? a. Trainees can learn from each other b. Very cost-effective c. Customized d. Maximizes use of company resources
c
Which of the following is an example of a technological obsolescence threat? a. Hardware equipment failure b. Unauthorized access c. Outdated servers d. Malware
c
Which of the following is not a step in the FAIR risk management framework? a. identify scenario components b. evaluate loss event frequency c. assess control impact d. derive and articulate risk
c
Which of the following is the first step in the process of implementing training? a. Identify training staff b. Identify target audiences c. Identify program scope, goals, and objectives d. Motivate management and employees
c
Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. tort b. criminal c. private d. public
c
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? a. design b. analysis c. implementation d. investigation
d
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy? a. policy developer b. policy reviewer c. policy enforcer d. policy administrator
d
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment? a. Risk determination b. Assessing potential loss c. Likelihood and consequences d. Uncertainty
d
Communications security involves the protection of which of the following?. a. radio handsets b. people, physical assets c. the IT department d. media, technology, and content
d
In which phase of the SecSDLC does the risk management task occur? a. physical design b. implementation c. investigation d. analysis
d
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result? a. OCTAVE b. FAIR c. Hybrid Measures d. Delphi
d
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? a. risk assessment b. risk treatment c. risk communication d. risk determination
d
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process? a. accountability b. authorization c. identification d. authentication
d
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? a. Creating an inventory of information assets b. Classifying and organizing information assets into meaningful groups c. Assigning a value to each information asset d. Calculating the severity of risks to which assets are exposed in their current setting
d
What is the final step in the risk identification process? a. Assessing values for information assets b. Classifying and categorizing assets c. Identifying and inventorying assets d. Listing assets in order of importance
d
Which of the following attributes does NOT apply to software information assets? a. Serial number b. Controlling entity c. Manufacturer name d. Product dimensions
d
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? a. acceptance b. avoidance c. transference d. mitigation
d
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components? a. Name b. MAC address c. Serial number d. Manufacturer's model or part number
d
Which of the following is NOT a primary function of Information Security Management? a. planning b. protection c. projects d. performance
d
Which of the following is a C.I.a. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information? a. Integrity b. Availability c. Authentication d. Confidentiality
d
Which of the following is a disadvantage of the one-on-one training method? a. Inflexible b. May not be responsive to the needs of all the trainees c. Content may not be customized to the needs of the organization d. Resource intensive, to the point of being inefficient
d
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult? a. Part number b. Serial number c. MAC address d. IP address
d
Which of the following is an advantage of the formal class method of training? a. Personal b. Self-paced, can go as fast or as slow as the trainee needs c. Can be scheduled to fit the needs of the trainee d. Interaction with trainer is possible
d
Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? a. U.S. Copyright Law b. PCI DSS c. European Council Cybercrime Convention d. DMCA
d
Which of the following is the most cost-effective method for disseminating security information and news to employees? a. distance learning seminars b. security-themed Web site c. conference calls d. security newsletter
d
Which of the following is true about a company's InfoSec awareness Web site? a. it should contain large images to maintain interest b. appearance doesn't matter if the information is there c. it should be placed on the Internet for public use d. it should be tested with multiple browsers
d
Which of the following is true about the security staffing, budget, and needs of a medium-sized organization? a. they have a larger security staff than a small organization b. they have a larger security budget (as percent of IT budget) than a small organization c. they have a smaller security budget (as percent of IT budget) than a large organization d. they have larger information security needs than a small organization
d
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a. system controls b. technical controls c. operational controls d. managerial controls
d
Which of the following variables is the most influential in determining how to structure an information security program? a. Security capital budget b. Organizational size c. Security personnel budget d. Organizational culture
d
Which type of planning is used to organize the ongoing, day-to-day performance of tasks? a. Strategic b. Tactical c. Organizational d. Operational
d
_____ is a complex process that organizations use to manage the affects and costs of technology implementation, innovation, and obsolescence a. Change management b. Change control c. Resistance reduction d. Technology governance e. none of the mentioned
d
____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated. a. Viruses b. Worms c. Spam d. Trojan horses
d
Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP
d - The usual procedure is to create the EISP first- the highest level of InfoSec policy. After that, general InfoSec policy needs are met by developing ISSP and SysSP policies