CASP Chapter 9 Study Guide
A____________________ is a top-tier security document that provides an overall view of security. A. Policy B. Procedure C. Baseline D. Guideline
A
Applying change, cataloging change, scheduling change, implementing change, and reporting change to management are all steps in what process? A. Change control B. Lifecycle assurance C. Operational assurance D. Resource management
A
Which of the following controls is used to ensure you have the right person for a specific job assignment? A. Background checks B. Dual controls C. Mandatory vacations D. Job rotation
A
For what purpose is software escrow most commonly used? A. Offsite backup B. Vendor bankruptcy C. Redundancy D. Insurance coverage
B
Granularity is most closely associated with which of the following terms? A. Accountability B. Authentication C. Nonrepudiation D. Accessibility
B
If someone in payroll wanted to commit fraud, which of the following would force them to collude with someone from accounting? A. Background checks B. Dual control C. Mandatory vacation D. Job rotation
B
Security awareness training is best described as a____________________ control. A. Recovery B. Preventive C. Detective D. Corrective
B
Which of the following review methods ask participants to write down their responses and hand them to the team lead for review? A. Quantitative review B. Modified Delphi C. Structured review D. Performance review
B
_________________is about proving the veracity of the claim. A. Accountability B. Authentication C. Nonrepudiation D. Accessibility
B
The security triad does not include which of the following? A. Availability B. Integrity C. Authenticity D. Confidentiality
C
Which of the following does not help in preventing fraud? A. Mandatory vacations B. Job rotation C. Job enlargement D. Separation of duties
C
Which of the following is the correct sequence of actions in access control mechanisms? A. Access profiles, authentication, authorization, and identification B. Security rules, identification, authorization, and authentication C. Identification, authentication, authorization, and accountability D. Audit trails, authorization, accountability, and identification
C
Which type of document defines a minimum level of security? A. Policy B. Standard C. Baseline D. Procedure
C
_________________are considered a detective control used to uncover employee malfeasance. A. Background checks B. Dual controls C. Mandatory vacations D. Job rotations
C
According to the process described in this chapter for building security controls, what is the last step? A. Discover protection needs B. Design system security architecture C. Audit D. Implement system security
D
Fault tolerance is best described as what type of control? A. Recovery B. Preventive C. Detective D. Corrective
D
Which form of testing is used to verify that program inputs and outputs are correct? A. Pilot B. Blackbox C. Whitebox D. Regression
D
Who in the company is most responsible for initiating a risk analysis, directing a risk analysis, defining goals of the analysis, and making sure the necessary resources are available during the analysis? A. The company's information assurance manager B. The company's security officer C. The company's disaster recovery department and risk analysis team D. Senior management
D
________________is the practice of organizing and documenting a company's IT assets so that planning, management, and expansion can be enhanced. A. Value delivery B. COBIT C. Performance measurement D. Enterprise architecture
D
What form of testing verifies inner logic? A. Pilot B. Blackbox C. Whitebox D. Regression
C
