Test 1 ch 1-4 cis 410


Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. SANS (ISC)2 ACM ISACA

(ISC)2

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? establishing acting initiating learning

initiating

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? user-specific enterprise information issue-specific system-specific

issue-specific

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? ignorance malice intent accident

malice

Communications security involves the protection of which of the following? media, technology, content radio handsets the IT department people, physical assets

media, technology, content

Which of the following explicitly declares the business of the organization and its intended areas of operations? values statement vision statement business statement mission statement

mission statement

The protection of voice and data components, connections, and content is known as __________ security. national network cyber operational

network

The three levels of planning are strategic planning, tactical planning, and __________ planning.

operational

Which type of planning is used to organize the ongoing, day-to-day performance of tasks? operational strategic tactical organizational

operational

resources to support the accomplishment of objectives? planning controlling leading organization

organization

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy? policy developer policy enforcer policy reviewer policy administrator

policy administrator

Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected? accountability availability confidentiality privacy

privacy

Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________. proper development proper conception proper implementation proper design

proper conception

Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

public law

Which of the following is NOT an approach to password cracking? social engineering attacks dictionary attacks brute force ransomware

ransomware

To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology. level of formatting cost reading level size

reading level

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________. search warrant subpoena affidavit forensic clue

search warrant

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. chief information security officer security manager security technician chief technology officer

security manager

A qualified individual who is tasked with configuring security technologies and operating other technical control systems is known as a(n) ____________. security manager chief information security officer security technician chief technology officer

security technician

"4-1-9" fraud is an example of a __________ attack. worm spam virus social engineering

social engineering

Which type of document is a more detailed statement of what must be done to comply with a policy? procedure standard practice guideline

standard

Human error or failure often can be prevented with training and awareness programs, policy, and __________. ISO 27000 technical controls outsourcing hugs

technical controls

A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.

true

A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. __________

true

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

true

Deterrence is the best method for preventing an illegal or unethical activity. ____________

true

Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________

true

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? issue-specific security policies user-specific security policies enterprise information security policy system-specific security policies

user-specific security policies

In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution. implementation justification investigation analysis

analysis

Which of the following are instructional codes that guide the execution of the system when information is passing through it? capability tables access control lists configuration rules user profiles

configuration rules

Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. _________________________

false

It is the responsibility of InfoSec professionals to understand state laws and bills. ____________

false

Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________

false

The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________

false

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.​ ___________

false

In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies? design investigation implementation analysis

implementation

The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security. operational cyber information network

information

A detailed outline of the scope of the policy development project is created during which phase of the SDLC? implementation investigation design analysis

investigation

The study of what makes actions right or wrong, also known as moral theory.

normative ethics

Which of the following are the two general groups into which SysSPs can be separated? 1)business guidance and network guidance 2)technical specifications and business guidance 3)user specifications and managerial guidance 4)technical specifications and managerial guidance

technical specifications and managerial guidance

Policies must specify penalties for unacceptable behavior and define an appeals process.

true

Which of the following should be included in an InfoSec governance program? 1)An InfoSec risk management methodology 2)An InfoSec maintenance methodology 3)An InfoSec project management assessment 4)All of these are components of the InfoSec governance program.

An InfoSec risk management methodology

One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

Computer Security Act

What should an effective ISSP accomplish?

Describes the organization's expectations about how its technology-based system should be used. Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control. Indemnifies the organization against liability for an employee's inappropriate or illegal use of the system.

Which policy is the highest level of policy and is usually created first? EISP USSP ISSP SysSP

EISP

__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. Controlling Strategy Governance Leading

Governance

Which of the following is an information security governance responsibility of the chief information security officer? 1)Implement incident response programs to detect security vulnerabilities and breaches. 2)Set security policy, procedures, programs, and training. 3)Develop policies and the program. 4)Brief the board, customers, and the public.

Set security policy, procedures, programs, and training.

Discuss the three general categories of unethical behavior that organizations should try to control.

Ignorance Accident Intent Ignorance of the law is not a defense, but a lack of intent can be. Individuals within a business have the highest chance of causing harm or damage by accident.

__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them. Dumpster diving Competitive advantage Packet sniffing Industrial espionage

Industrial espionage

Which statement defines the differences between a computer virus and a computer worm? 1)Worms can make copies all by themselves on one kind of computer but viruses can make copies all by themselves on any kind of computer. 2)Worms and viruses are the same. 3)Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate. 4)Worms can copy themselves to computers and viruses can copy themselves to smartphones.

Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.

affidavit

Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? 1)can suffer from poor policy dissemination, enforcement, and review 2)may skip vulnerabilities otherwise reported 3)implementation can be less difficult to manage 4)may be more expensive than necessary

can suffer from poor policy dissemination, enforcement, and review

Focuses on enhancing the security of the critical infrastructure in the United States.

Cybersecurity Act

Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________. data owners data custodians data generators data users

data users

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? policy administration due diligence certification and accreditation adequate security measures

due diligence

Defines socially acceptable behaviors.

ethics

"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. __________

false

Values statements should be ambitious; after all, they are meant to express the aspirations of an organization. ____________

false

One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. phreaking hacktivism cyberhacking red teaming

hacktivism

An example of a company stakeholder includes all of the following EXCEPT: the general public employees management stockholders

the general public

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? 1)legal recourse 2)the penalties for violation of the policy 3)appeals process 4)individual responsible for approval

the penalties for violation of the policy

Digital forensics can be used for two key purposes: ________ or _________. 1)to investigate allegations of digital malfeasance; to perform root cause analysis 2)to solicit testimony; to perform root cause analysis 3)to investigate allegations of digital malfeasance; to solicit testimony 4)e-discovery; to perform root cause analysis

to investigate allegations of digital malfeasance; to perform root cause analysis

_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present. Portable Desktop computer Satellite transceiver Expansion

Portable

Which of the following is true about planning? 1)Tactical plans are used to create strategic plans. 2)Operational plans are used to create strategic plans. 3)Strategic plans are used to create tactical plans. 4)Operational plans are used to create tactical plans.

Strategic plans are used to create tactical plans.

Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?

The Freedom of Information Act requires all federal agencies to disclose records requested in writing by any person. FOIA only applies to federal agencies. Each state has its own public access laws that should be consulted for access to state and local records.

What are the three distinct groups of decision makers or communities of interest on an information security team?

Those in the field of information security. Those in the field of IT. Those from the rest of the organization.

Which law extends protection to intellectual property, which includes words published in electronic formats? Freedom of Information Act Security and Freedom through Encryption Act Sarbanes-Oxley Act U.S. Copyright Law

U.S. Copyright Law

What do audit logs that track user activity on an information system provide? authentication authorization accountability identification

accountability

The most complex part of an investigation is usually __________. analysis for potential EM preventing the destruction of potential EM protecting potential EM requesting potential EM

analysis for potential EM

An approach that applies moral codes to actions drawn from realistic situations.

applied ethics

A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. breach compromise notification spill

breach

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. security technician chief technology officer chief information security officer security manager

chief information security officer

Some information gathering techniques are quite legal—for example, using a Web browser to perform market research. These legal techniques are called, collectively, __________.

competitive intelligence

The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. convergence combination optimization intimation

convergence

Addresses violations harmful to society and is actively enforced and prosecuted by the state.

criminal law

The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. analysis design implementation investigation

design

A collection of statutes that regulates the interception of wire, electronic, and oral communications.

Electronic Communications Privacy Act

According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? initiating learning establishing acting

establishing

A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of systems.

false

Access control lists regulate who, what, when, where, and why authorized users can access a system.

false

ISACA is a professional association with a focus on authorization, control, and security. ___________

false

The authorization process takes place before the authentication process.

false

The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. ____________

false

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. forensics evidentiary material data imaging crime scene investigation

forensics

The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective. The letters stand for __________, __________, and __________. 1)governance, risk management, compliance 2)governance, risk control, confidentiality 3)government, regulation, classification 4)generalization, risk assessment, cryptography

governance, risk management, compliance

When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, and so that it selects key stakeholders as well as the ____________. Chairman of the Board Board Finance Committee Board Risk Committee Board Ethics Committee

Board Risk Committee

What is a key difference between law and ethics?

Laws bear the sanction of a governing authority and ethics do not.
