160 final
Computer assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information. ____________
FALSE
Encryption methodologies that require the same secret key to encipher and decipher the message are using what is called public-key encryption. _________________________
FALSE
Every member of the organization's InfoSec department must have a formal degree or certification in information security.
FALSE
Fingerprinting is the organized research of the Internet addresses owned or controlled by a target organization. _________________________
FALSE
In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
FALSE
Knowing yourself means identifying, examining, and understanding the threats facing the organization.
FALSE
Planning for the implementation phase requires the creation of a detailed request for proposal, which is often assigned either to a project manager or the project champion. _________________________
FALSE
Criminal laws address activities and conduct harmful to society and are categorized as private or public.
TRUE
Each organization has to determine its own project management methodology for IT and information security projects.
TRUE
A best practice proposed for a small to medium-sized business will be similar to one used to help design control strategies for a large multinational company.
FALSE
A cold site provides many of the same services and options as a hot site, but at a lower cost.
FALSE
A routing table tracks the state and context of each packet in the conversation by recording which station sent what packet and when. _________________________
FALSE
A(n) NIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing. _________________________
FALSE
ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.
FALSE
Accountability is the matching of an authenticated entity to a list of information assets and corresponding access levels.
FALSE
Alarm filtering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by the system administrators. _________________________
FALSE
All IDPS vendors target users with the same levels of technical and security expertise.
FALSE
CERT stands for "computer emergency recovery team." _________________________
FALSE
Common implementations of a registration authority (RA) include functions to issue digital certificates to users and servers.
FALSE
CompTIA offers a vendor-specific certification program called the Security+ certification.
FALSE
Port Address Translation assigns non-routing local addresses to computer systems in the local area network and uses ISP-assigned addresses to communicate with the Internet on a one-to-one basis. _________________________
FALSE
Process-based measures are comparisons based on observed numerical data, such as numbers of successful attacks. _________________________
FALSE
Risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. _________________________
FALSE
Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager.
FALSE
The Analysis phase of the SDLC examines the event or plan that initiates the process and specifies the objectives, constraints, and scope of the project. _________________________
FALSE
The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release information about national security without permission. _________________________
FALSE
The Gramm-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _________________________
FALSE
The SSCP examination is much more rigorous than the CISSP examination.
FALSE
The ability of a router to restrict traffic to a specific service is an advanced capability and not considered a standard feature for most routers.
FALSE
The computed value of the ALE compares the costs and benefits of a particular control alternative to determine whether the control is worth its cost. _________________________
FALSE
The defense control strategy is the risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but it is not the preferred approach to controlling risk.
FALSE
The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not.
FALSE
The parallel operations strategy works well when an isolated group can serve as a test area, which prevents any problems with the new system dramatically interfering with the performance of the organization as a whole. _________________________
FALSE
The physical design is the blueprint for the desired solution.
FALSE
To use a packet sniffer legally, an administrator only needs permission of the organization's top computing executive.
FALSE
Usually, as the length of a cryptovariable increases, the number of random guesses that have to be made in order to break the code is reduced.
FALSE
Videoconferencing is off-site computing that uses Internet connections, dial-up connections, connections over leased point-to-point links between offices, and other mechanisms. _________________________
FALSE
Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _________________________
FALSE
A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to external content from within a network.
TRUE
A service bureau is an agency that provides a service for a fee. _________________________
TRUE
A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
TRUE
A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss. _________________________
TRUE
A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures. _________________________
TRUE
An HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.
TRUE
An organization should integrate security awareness education into a new hire's ongoing job orientation and make it a part of every employee's on-the-job security training.
TRUE
If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program will probably continue to work well.
TRUE
In digital forensic investigations for information security, most operations focus on policies, the documents that provide managerial guidance for ongoing implementation and operations. ____________
TRUE
In many organizations, information security teams lack established roles and responsibilities.
TRUE
In most cases, organizations look for a technically qualified information security generalist who has a solid understanding of how an organization operates.
TRUE
NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.
TRUE
Over time, external monitoring processes should capture information about the external environment in a format that can be referenced across the organization as threats emerge and for historical use.
TRUE
Over time, policies and procedures may become inadequate due to changes in the organization's mission and operational requirements, threats, or the environment.
TRUE
Remediation of vulnerabilities can be accomplished by accepting or transferring the risk, removing the threat, or repairing the vulnerability.
TRUE
Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. _________________________
TRUE
Security managers are accountable for the day-to-day operation of the information security program.
TRUE
Security tools that go beyond routine intrusion detection include honeypots, honeynets, and padded cell systems.
TRUE
Sometimes a risk assessment report is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice. _________________________
TRUE
Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group.
TRUE
The ISO/IEC 27000 series is derived from an earlier standard, BS7799.
TRUE
The Metasploit Framework is a collection of exploits coupled with an interface that allows the penetration tester to automate the custom exploitation of vulnerable systems.
TRUE
The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed, either positively or negatively.
TRUE
The best method of remediation in most cases is to repair a vulnerability. _________________________
TRUE
The false reject rate describes the number of legitimate users who are denied access because of a failure in the biometric device. _________________________
TRUE
The investigation phase of the SDLC involves specification of the objectives, constraints, and scope of the project.
TRUE
The stated purpose of ISO/IEC 27002 is to offer guidelines and voluntary directions for information security management. _________________________
TRUE