BADM 7401 Exam 1

What is the difference between IT's focus and InfoSec's focus?

- IT focuses on local network content and preventing unauthorized access - InfoSec goes beyond digital assets

What contract employees should and should not be allowed to do?

- Should be given access only to specific facilities - Should not be allowed to wander freely in and out of buildings

What must a policy specify?

- What's acceptable and unacceptable - The penalties for violation

What are the three general categories of unethical behavior that organizations and society should seek to eliminate?

1) Accident 2) Ignorance 3) Intent

What are the 3 elements of the CIA triad?

1) Confidentiality 2) Integrity 3) Availability

What are the 5 different types of feasibility?

1) Cost benefit analysis 2) Organizational feasibility 3) Operational feasibility 4) Technical feasibility 5) Political feasibility

What are the elements that go into the cost of a control?

1) Cost of development or acquisition 2) Training fees 3) Cost of implementation 4) Service cost 5) Cost of maintenance 6) Potential cost from loss of an asset

What are the 5 different types of risk treatment strategies?

1) Defense 2) Transference 3) Mitigation 4) Acceptance 5) Termination

What 6 steps must be included to make a policy enforceable and legally defensible?

1) Developed using industry accepted practices and formally approved by management 2) Distributed using appropriate methods 3) Read by all employees 4) Understood by all employees 5) Agreed to by act or affirmation 6) Applied and enforced

What are the types of access control?

1) Directive 2) Deterrent 3) Detective 4) Corrective 5) Compensating 6) Preventative 7) Recovery

What should be done (from a security perspective) if an employee is terminated?

1) Disable access to system 2) Return all removable media, technology and data 3) Secure hard drives 4) Change file cabinet locks 5) Change office door locks 6) Revoke key card access 7) Remove personal effects from premise 8) Escorted off premise once keys, keycards and other business property have been turned over

What are the three elements of risk determination?

1) Element of uncertainty 2) Impact or consequence 3) Likelihood a threat event or attack

What are the three types of information security policy?

1) Enterprise information security program policy (EISP) 2) Issue-specific information security policy (ISSP) 3) Systems-specific policy (SysSP)

What is included in the risk management framework (5 key stages)?

1) Executive governance and support 2) Design 3) Implementation 4) Monitoring and review 5) Continuous improvement

What are the three requirements for laws and policies to deter illegal or unethical activity?

1) Fear of penalty 2) Probability of being caught 3) Probability of being penalized

What are the 4 steps in the risk identification process?

1) Identify 2) Classify 3) Categorize 4) Prioritize

What are the ways in which SETA enhances security for firms?

1) Improve employee behavior 2) Inform members of an organization about where to report violations of policy 3) Enable the organization to hold employees accountable for the actions

What are the activities of the risk evaluation process?

1) Information asset and classification worksheet 2) Information asset value weighted table analysis 3) Threat severity weighted table analysis 4) TVA controls worksheet 5) Risk ranking worksheet

The five phases of the SecSDLC:

1) Investigation 2) Analysis 3) Design 4) Implementation 5) Maintenance & Change

What are the three different types of controls?

1) Managerial controls 2) Operational controls 3) Technical controls

What are the variables that influence how to structure an information security program?

1) Organizational culture (the most influential variable) 2) Online exposure of organization 3) Security capital budget 4) Competitive environment

How to characterize information assets? (6 steps)

1) People 2) Procedures 3) Data 4) Software 5) Hardware 6) Networking

What are the primary functions of information security management?

1) Planning 2) Policy 3) Program 4) Protection 5) People 6) Projects

What are the 6 information security principles?

1) Planning 2) Policy 3) Programs 4) Protection 5) People 6) Projects

What are the 14 elements of an information security program?

1) Policy 2) Program management 3) Risk management 4) Life-cycle planning 5) Personnel/ user issues 6) Preparing for contingencies and disasters 7) Computer security incident handling 8) Awareness and training 9) Security considerations in computer support and operations 10) Physical and environmental security 11) Identification and authentication 12) Logical access control 13) Audit trails 14) Cryptography

What are the 4 different access control user privileges?

1) Read 2) Write 3) Execute 4) Delete

What 7 steps should be included in an InfoSec governance program?

1) Risk management methodology 2) Comprehensive security strategy 3) Effective security organizational structure 4) Strategy that talks about the value of information being protected and delivered 5) Complete set of security standards for each policy to ensure procedures and guidelines comply with policy 6) Institutionalized monitoring processes 7) Process to ensure continued evaluation and updating

What are the 4 different HR approaches that make it difficult to violate InfoSec?

1) Separation of duties or two person controls 2) Job rotation 3) Transportation 4) Mandatory vacation policy

The five outcomes of InfoSec governance:

1) Strategic alignment of InfoSec with business strategy to support organizational objectives 2) Risk management by executing appropriate measures to manage and mitigate threats of information resources 3) Resource management by utilizing InfoSec knowledge and infrastructure efficiently and effectively 4) Performance measurement by measuring monitoring and reporting InfoSec governance metrics to ensure that organizational objectives are achieved 5) Value delivery by optimizing InfoSec investments

What are the rules of thumb for selecting a risk treatment strategy?

1) When the potential loss is substantial apply design principles architectural design and technical and non-technical protections to limit the extent of the attack thereby reducing the potential for loss 2) When a vulnerability exists Implement security controls to reduce the likelihood of a vulnerability being exploited 3) One of vulnerability can be exploited apply layered protection architectural designs and administrative controls to minimize the risk or prevent the occurrence of an attack

How does lattice-based access control work?

Assigns users a matrix of authorizations for particular access

What's the difference between discretionary and nondiscretionary access controls?

Discretionary Access Controls (DACs): - Implemented at the discretion or option of the data user - Most personal computer operating systems are designed based on this model - Rule based access (access is granted based on a set of rules specified by the central authority) Nondiscretionary Controls: - Determined by a central authority - Role-based access controls (based on the role a particular user performs) - Task-based controls (specified set of tasks tied to a particular assignment or responsibility)

How to begin the process of treating risk?

Have an understanding of risk treatment strategies

What are the characteristics of an organization that make the InfoSec needs of an organization unique?

Market is not unique

What is the goal of InfoSec with respect to residual risk?

Not to bring residual risk to zero; rather bring it in line with an organization's risk appetite

What are the elements of a SETA program?

Security Education, Training and Awareness

What should new employees understand upon hire?

The security components of their particular job and the rights and responsibilities of all personnel in the organization

Why should InfoSec be included in performance evaluations?

To motivate employees to take care when performing tasks

When is an acceptance strategy is valid?

When the conclusion is that the cost of protecting an asset does not justify the security expenditure

Smaller organizations tend to spend approximately __________ percent of the total IT budget on security. a) 20 b) 5 c) 11 d) 2

a) 20

Which of the following is NOT a step in the problem-solving process? a) Build support among management for the candidate solution. b) Select, implement, and evaluate a solution. c) Analyze and compare possible solutions. d) Gather facts and make assumptions.

a) Build support among management for the candidate solution.

A well-defined risk appetite should have the following characteristics EXCEPT: a) It is not limited by stakeholder expectations. b) It is documented as a formal risk appetite statement. c) It is reflective of all key aspects of the business. d) It acknowledges a willingness and capacity to take on risk.

a) It is not limited by stakeholder expectations.

The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels is ___________________. a) authorization b) authentication c) accountability d) information security

a) authorization

A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs. a) business mission b) disaster recovery planning c) joint application design d) security policy review

a) business mission

The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. a) convergence b) optimization c) combination d) intimation

a) convergence

The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. a) design b) investigation c) analysis d) implementation

a) design

The probability that a specific vulnerability within an organization will be attacked by a threat is known as ________________. a) likelihood b) impact c) tolerance d) uncertainty

a) likelihood

Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. a) management guidance, technical specifications b) management guidance, technical directive c) management specification, technical directive d) management directive, technical specifications

a) management guidance, technical specifications

The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics? a) market b) size c) budget d) culture

a) market

Which of the following is NOT a primary function of information security management? a) projects b) performance c) planning d) protection

a) performance

The process of designing, implementing and managing the use of the collected data elements to determine the effectiveness of the overall security program. a) performance management b) benchmarking c) baseline d) blueprint

a) performance management

Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a) policy b) planning c) programs d) people

a) policy

In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality is __________________. a) privacy b) policy c) accountability d) information security

a) privacy

What is the SETA program designed to do? a) reduce the occurrence of accidental security breaches b) reduce the occurrence of external attacks c) improve operations d) increase the efficiency of InfoSec staff

a) reduce the occurrence of accidental security breaches

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a) risk appetite b) risk assurance c) risk termination d) residual risk

a) risk appetite

The first priority of CISO and the InfoSec management team is _____________________. a) structure of a strategic plan b) organization of resources c) understanding consequences d) applying controls and safeguards

a) structure of a strategic plan

Digital forensics can be used for two key purposes: ____________ or ____________. a) to investigate allegations of digital malfeasance; to perform root cause analysis b) to investigate allegations of digital malfeasance; to solicit testimony c) to solicit testimony; to perform root cause analysis d) e-discovery; to perform root cause analysis

a) to investigate allegations of digital malfeasance; to perform root cause analysis

Which of the following is NOT an aspect of access regulated by ACLs? a) where the system is located b) what authorized users can access c) how authorized users can access the system d) when authorized users can access the system

a) where the system is located

The goal of InfoSec is not to bring residual risk to ____________; rather, it is to bring residual risk in line with an organization's risk appetite. a) zero b) its theoretical minimum c) below the cost-benefit break-even point d) de minimus

a) zero

Larger organizations tend to spend approximately __________ percent of the total IT budget on security. a) 20 b) 5 c) 11 d) 2

b) 5

Which policy is the highest level of policy and is usually created first? a) ISSP b) EISP c) USSP d) SysSP

b) EISP

The basic outcomes of InfoSec governance should include all but which of the following? a) Value delivery by optimizing InfoSec investments in support of organizational objectives b) Time management by aligning resources with personnel schedules and organizational objectives c) Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved d) Resource management by utilizing information security knowledge and infrastructure efficiently and effectively

b) Time management by aligning resources with personnel schedules and organizational objectives

Which of the following is NOT a valid rule of thumb on risk treatment strategy selection? a) When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss. b) When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls. c) When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. d) When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.

b) When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.

Treating risk begins with which of the following? a) rethinking how services are offered b) an understanding of risk treatment strategies c) applying controls and safeguards that eliminate risk d) understanding the consequences of choosing to ignore certain risks

b) an understanding of risk treatment strategies

In which phase of the SecSDLC does the risk management task occur? a) investigation b) analysis c) implementation d) physical design

b) analysis

Which of the following activities is part of the risk identification process? a) determining the likelihood that vulnerable systems will be attacked by specific threats b) assigning a value to each information asset c) calculating the severity of risks to which assets are exposed in their current setting d) documenting and reporting the findings of risk analysis

b) assigning a value to each information asset

This is the access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity. a) privacy b) authentication c) accountability d) information security

b) authentication

This is an attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction. a) integrity b) availability c) accountability d) confidentiality

b) availability

An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry develop standard. a) performance management b) benchmarking c) baseline d) blueprint

b) benchmarking

A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experiences a specified type of information loss. This is commonly known as a ________________ law. a) notification b) breach c) compromise d) spill

b) breach

Which is NOT one of the three general causes of unethical and illegal behavior? a) ignorance b) carelessness c) accident d) intent

b) carelessness

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation? a) risk management b) centralized authentication c) compliance/audit d) policy

b) centralized authentication

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as _______________________. a) risk acceptance premium b) cost avoidance c) probability estimate d) asset valuation

b) cost avoidance

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls. a) rehabilitation b) deterrence c) remediation d) persecution

b) deterrence

Focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity and availability, and includes the technology that houses and transfers that information through a variety of protection mechanisms is _______________________________. a) deontological ethics b) information security c) digital forensics d) identification

b) information security

Which of the following is a CIA triad characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state? a) accountability b) integrity c) availability d) authentication

b) integrity

Which of the following is NOT used to categorize some types of law? a) statutory b) international c) constitutional d) regulatory

b) international

The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. a) implementation b) investigation c) analysis d) justification

b) investigation

Which is NOT one of the HR approaches that make it difficult to violate InfoSec? a) job rotation b) lunch breaks c) separation of duties d) transportation

b) lunch breaks

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a) operational controls b) managerial controls c) technical controls d) system controls

b) managerial controls

Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders? a) technical feasibility b) operational feasibility c) political feasibility d) behavioral feasibility

b) operational feasibility

Which of the following variables is the most influential in determining how to structure an information security program? a) online exposure of organization b) organizational culture c) security capital budget d) competitive environment

b) organizational culture

Which of the following is NOT one of the basic rules that must be followed when developing a policy? a) policy must be properly supported and administered b) policy should be focused on protecting the organization from public embarrassment c) policy must be able to stand up in court if challenged d) policy should never conflict with law

b) policy should be focused on protecting the organization from public embarrassment

Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT ________________. a) proper implementation b) proper conception c) proper development d) proper design

b) proper conception

Once an information asset is identified, categorized, and classified, what must also be assigned to it? a) location ID b) relative value c) asset tag d) threat risk

b) relative value

The process of doing something about risk once the organization has identified it, assessed it, evaluated it and determine the current level of remaining risk or residual risk is unacceptable, also known as risk control. a) risk monitoring b) risk treatment c) risk assessment d) risk reduction

b) risk treatment

A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as a _______________________. a) security manager b) security analyst c) security consultant d) security technician

b) security analyst

This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator. a) security technician b) security manager c) security analyst d) security consultant

b) security manager

Human error or failure often can be prevented with training and awareness programs, policy, and ____________________. a) outsourcing b) technical controls c) hugs d) ISO 27000

b) technical controls

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? a) appeals process b) the penalties for violation of the policy c) individual responsible for approval d) legal recourse

b) the penalties for violation of the policy

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on ____________________. a) the network provider the hacker used b) the type of crime committed c) what kind of computer the hacker used d) how many perpetrators were involved

b) the type of crime committed

Any event or circumstance with the potential to adversely affect operations and assets is know as a _________________________. a) vulnerability b) threat c) attack d) exploit

b) threat

Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security. a) 20 b) 5 c) 11 d) 2

c) 11

According to Wood, which of the following is a reason the InfoSec department should report directly to top management? a) It allows independence in the InfoSec department, especially if it is needed to audit the IT division. b) It allows the InfoSec executive to dictate security requirements with greater authority to the other business divisions. c) It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole. d) It prevents InfoSec from becoming a drain on the IT budget.

c) It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole.

Which of the following is an information security governance responsibility of the CISO (Chief Information Security Officer)? a) Develop policies and the program. b) Bref the board, customers, and public. c) Set security policy, procedures, programs, and training. d) Implement incident response programs to detect security vulnerabilities and breaches.

c) Set security policy, procedures, programs, and training.

Which of the following is true about planning? a) Operational plans are used to create tactical plans. b) Tactical plans are used to create strategic plans. c) Strategic plans are used to create tactical plans. d) Operational plans are used to create strategic plans.

c) Strategic plans are used to create tactical plans.

Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function? a) The average salary of the top security executive typically exceeds that of the typical IT executive, creating professional rivalries between the two. b) There is a fundamental difference in the mission of the InfoSec department, which seeks to minimize access to information, and the IT function, which seeks to increase accessibility of information. c) There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information. d) None of the above are reasons the InfoSec department should NOT fall under the IT function.

c) There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information.

Which of the following is NOT one of the types of InfoSec performance measures used by organizations? a) Those that determine the effectiveness of the execution of InfoSec policy. b) Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services. c) Those that evaluate the frequency with which employees access internal security documents. d) Those that assess the impact of an incident or other security event on the organization or its mission.

c) Those that evaluate the frequency with which employees access internal security documents.

Which law extends protection to intellectual property, which includes words published in electronic formats? a) Security and Freedom through Encryption Act b) Sarbanes-Oxley Act c) U.S. Copyright Law d) Freedom of Information Act

c) U.S. Copyright Law

What are the two general approaches for controlling user authorization for the use of a technology? a) configuration controls and technical controls b) operational controls and managerial controls c) access controls and configuration controls d) access controls and operational controls

c) access controls and configuration controls

The access control mechanism that ensures all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity is ___________________. a) authorization b) authentication c) accountability d) information security

c) accountability

For an organization to manage its InfoSec risk properly, managers should understand how information is __________________. a) processed b) collected c) all of these are needed d) transmitted

c) all of these are needed [processed, collected & transmitted]

Force majeure includes all of the following EXCEPT: a) civil disorder b) acts of war c) armed robbery d) forces of nature

c) armed robbery

Measurement of the performance of some action or process against which future performance is assessed. a) performance management b) benchmarking c) baseline d) blueprint

c) baseline

Application of training and education among other approach elements is a common method of which risk treatment strategy? a) acceptance b) transferal c) defense d) mitigation

c) defense

This involves the preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root cause analysis. a) deontological ethics b) information security c) digital forensics d) identification

c) digital forensics

Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? a) probability of being penalized b) fear of penalty c) fear of humiliation d) probability of being caught

c) fear of humiliation

To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT: a) learn more about the requirements and qualifications needed b) grant the InfoSec function needed influence and prestige c) form a committee and approve suggestions from the CISO d) learn more about budgetary and personnel needs

c) form a committee and approve suggestions from the CISO

In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies? a) design b) investigation c) implementation d) analysis

c) implementation

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a) system controls b) operational controls c) managerial controls d) technical controls

c) managerial controls

The EISP must directly support the organization's _____________. a) public announcements b) values statement c) mission statement d) financial statement

c) mission statement

Access control list user privileges include all but which of these? a) execute b) read c) operate d) write

c) operate

What is the function of InfoSec management that encompasses security personnel as well as aspects of the SETA program? a) protection b) planning c) people d) projects

c) people

IT's focus is the efficient and effective delivery of information and administration of information resources, while InfoSec's primary focus is the of all information assets. a) availability b) operation c) protection d) valuation

c) protection

What is the final step in the risk identification process? a) classifying and categorizing assets b) identifying and inventorying assets c) ranking assets in order of importance d) assessing values for information assets

c) ranking assets in order of importance

The identification, analysis, and evaluation of risk in an organization describes which of the following? a) risk management b) risk reduction c) risk assessment d) risk determination

c) risk assessment

The first priority of the CISO and the InfoSec management team should be the ________________. a) adoption of an incident response plan b) development of a security policy c) structure of a strategic plan d) implementation of a risk management program

c) structure of a strategic plan

Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? a) sabotage or vandalism b) espionage or trespass c) theft d) information extortion

c) theft

Which of the following should be included in an InfoSec governance program? a) An InfoSec project management assessment b) All of these are components of the InfoSec governance program c) An InfoSec maintenance methodology d) An InfoSec risk management methodology

d) An InfoSec risk management methodology

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty or obligation based ethics)? a) Normative ethics b) Applied ethics c) Meta-ethics d) Deontological ethics

d) Deontological ethics

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program? a) Measurements must yield quantifiable information b) Data that supports the measures needs to be readily obtainable c) Only repeatable InfoSec processes should be considered for measurement d) Measurements must be useful for tracking non-compliance by internal personnel

d) Measurements must be useful for tracking non-compliance by internal personnel

All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT: a) When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. b) When a vulnerability exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being exploited. c) When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss. d) When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

d) When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

The process of assigning financial value or worth to each information asset is known as _____________________. a) risk acceptance premium b) probability estimate c) cost estimation d) asset valuation

d) asset valuation

An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. a) threat b) vulnerability c) exploit d) attack

d) attack

A framework or security model customized to an organization, including implementation details. a) performance management b) benchmarking c) baseline d) blueprint

d) blueprint

The purpose of SETA is to enhance security in all but which of the following ways? a) by improving awareness b) by building in-depth knowledge c) by developing skills d) by adding barriers

d) by adding barriers

Policy __________ means the employee must agree to the policy. a) complacency b) conformance c) consequence d) compliance

d) compliance

According to the CIA triad, which of the following is a desirable characteristic for privacy? a) integrity b) availability c) accountability d) confidentiality

d) confidentiality

Which of the following is a CIA triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information? a) availability b) integrity c) authentication d) confidentiality

d) confidentiality

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them? a) probability of penalty being applied b) fear of the penalty c) probability of being apprehended d) frequency of review

d) frequency of review

The access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system is ______________________________. a) authorization b) authentication c) accountability d) identification

d) identification

An understanding of the potential consequences of a successful attack on an information asset by a threat is known as _________________. a) tolerance b) uncertainty c) likelihood d) impact

d) impact

Which of the following is a common element of the enterprise information security policy? a) indemnification of the organization against liability b) access control lists c) articulation of the organization's SDLC methodology d) information on the structure of the InfoSec organization

d) information on the structure of the InfoSec organization

The organization can perform risk determination using certain risk elements, including all but which of the following? a) element of uncertainty b) impact (consequence) c) likelihood of threat event (attack) d) legacy cost of recovery

d) legacy cost of recovery

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a) accident b) intent c) ignorance d) malice

d) malice

Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster? a) transference b) acceptance c) avoidance d) mitigation

d) mitigation

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? a) policy b) SETA programs c) compliance d) planning

d) planning

Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a) tort b) public c) criminal d) private

d) private

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as _______________________. a) risk acceptance b) residual risk c) risk avoidance d) risk appetite

d) risk appetite

Which of the following would most likely be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems? a) security analyst b) security consultant c) security manager d) security technician

d) security technician

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance is known as a _______________. a) procedure b) guideline c) practice d) standard

d) standard

Which of the following are the two general groups into which SysSPs can be separated? a) user specifications and managerial guidance b) technical specifications and business guidance c) business guidance and network guidance d) technical specifications and managerial guidance

d) technical specifications and managerial guidance

Acts of ____________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. a) bypass b) security c) theft d) trespass

d) trespass

The final component of the design and implementation of effective policies is ___________________. a) full comprehension b) complete distribution c) universal distribution d) uniform and impartial enforcement

d) uniform and impartial enforcement

Which of the following is a key advantage of the bottom-up approach to security implementation? a) strong upper-management support b) coordinated planning from upper management c) a clear planning and implementation process d) utilizing the technical expertise of the individual administrators

d) utilizing the technical expertise of the individual administrators

A potential weakness in an asset or its defensive control system(s) is known as a _________________________. a) attack b) exploit c) threat d) vulnerability

d) vulnerability