yurekli final chapter 6 and 7
False
A report indicating that a system's disk is 80 percent full is a good indication that something is wrong with that system
True
An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured.
Baseline
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Threat
Ayo is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?
False
Certification is the formal agreement by an authorizing official to accept the risk of implementing a system.
Prudent
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
Does the firewall properly blick unsolicited network connection attempts?
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Does the firewall properly block unsolicited network connection attempts?
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Formatting
Erik is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?
Access to a high level of expertise
Everett is considering outsourcing security functions to a third-party service provider (which is a kind of risky for a CIA agent :). What benefit is he most likely to achieve?
Black-box test
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?
Audit
Gilfoyle is reviewing security logs to independently assess security controls. Which security review process is Gilfoyle engaging in?
Secure Sockets Layer (SSL)
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
True
In security testing data collection, observation is the input used to differentiate between paper procedures and the way the job is really done.
Waterfall
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
Security Information and Event Management (SIEM)
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
Is the security control likely to become obsolete in the near future
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
False
Mandatory vacations minimize risk by rotating employees among various systems or duties.
Service Level Agreement (SLA)
Nakia is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Separation of Duties
Ramonda is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Authorization
Richard is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Project initiation and planning
Shuri is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Phishing
T'Challa's organization received a mass email message that attempted to trick vibranium engineers into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
True
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.
Punish users who violate policy
What is NOT a goal of information security awareness programs?
Assume that information should be free
What is NOT a good practice for developing strong professional ethics?
An organization should share its information
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
system configurations
What is NOT generally a section in an audit report?
IT Infrastructure Library (ITIL)
What is a set of concepts and policies for managing IT infrastructure, development, and operations?
Request, approval, impact assessment, build/test, monitor, implement
What is the correct order of steps in the change control process?
system integrity monitoring
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
Managers should include their responses to the draft report for the final audit report
When should an organization's managers have an opportunity to respond to the findings in an audit?
Report writing
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?
Memorandum of Understanding (MOU)
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Checklist
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
Signature detection
Which intrusion detection system strategy relies upon pattern matching?
Resumes of system administrators
Which item is an auditor least likely to review during a system controls audit?
Laws
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Enforcing the integrity of computer-based information
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
Network Mapping
Which security testing activity uses tools that scan for services running on systems?
