SPM401 - True
True
1. Policies must specify penalties for unacceptable behavior and define an appeals process.
True
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
True
1. Small organizations spend more per user on security than medium- and large-sized organizations.
True
10. Each organization has to determine its own project management methodology for IT and information security projects.
True
11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). ____________
True
12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
True
13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
True
14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________
True
2. A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
2. The InfoSec community often takes on the leadership role in addressing risk.
True
2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True
3. Deterrence is the best method for preventing an illegal or unethical activity. ____________
True
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
True
4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.
True
4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
True
4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
True
5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.
True
5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.
True
5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True
5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among the stages are risk treatment and risk communication.
True
6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
True
7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.
True
8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
True
9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.