Ch. 5 to Ch. 7 Quizzes

The _____ is the difference between an organization's observed and desired performance.

performance gap

Management of classified data includes its storage and _____.

All of the above (distribution, portability, and destruction)

What is NOT a good practice for developing strong professional ethics?

Assume that information should be free

Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?

Checklist

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.

False

Certification is the formal agreement by an authorizing official to accept the risk of implementing a system.

False

Change doesn't create risk for a business.

False

Procedures do NOT reduce mistakes in a crisis.

False

The term "data owner" refers to the person or group that manages an IT infrastructure.

False

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws

When should an organization's managers have an opportunity to respond to the findings in an audit?

Managers should include their responses to the draft audit report in the final audit report.

Which security testing activity uses tools that scan for services running on systems?

Network mapping

What is NOT a goal of information security awareness programs?

Punish users who violate policy

Which intrusion detection system strategy relies upon pattern matching?

Signature detection

A(n) qualitative assessment is based on characteristics that do not use numerical measures.

True

Best business practices are often called recommended practices.

True

Classification scope determines what data you should classify; classification process determines how you handle classified data.

True

Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.

True

During an audit, an auditor compares the current setting of a computer or device with a benchmark to help identify differences.

True

During the planning and execution phases of an audit, an auditor will most likely review risk analysis output.

True

Performing security testing includes vulnerability testing and penetration testing.

True

Social engineering is deceiving or using people to get around security controls.

True

Which activity manages the baseline settings for a system or device?

Configuration control

What information should an auditor share with the client during an exit interview?

Details on major issues

A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternative location.

False

Configuration changes can be made at any time during a system life cycle and no process is required.

False

Mandatory vacations minimize risk by rotating employees among various systems or duties.

False

Often an extension of a memorandum of understanding (MOU) the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets.

False

Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved.

False

_____ addresses are sometimes called electronic serial numbers or hardware addresses.

MAC

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Memorandum of understanding (MOU)

Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?

Report writing

What is NOT generally a section in an audit report?

System configurations

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?

System integrity monitoring

A successful change control program should include the following elements to ensure the change control process: peer review, documentation, and back-out plans.

True

An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured.

True

Anomaly-based intrusion detection systems compare current activity with stored profiles of normal (expected) activity.

True

In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.

True

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack.

True

Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming, and reduce resistance to these expected changes through communication, education, and involvement.

True

Policies that cover data management should cover transitions throughout the data life cycle.

True

Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than justin individual packets.

True

The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.

True

When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.

True

Written security policies document management's goal and objectives.

True

With proactive change management, management initiates the change to achieve a desired goal.

True.

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

Waterfall

Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.

appetite

The concept of competitive _____ refers to falling behind the competition.

disadvantage

A(n) _____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.

FCO

Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets.

False

Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events.

False

The four main types of logs that you need to keep to support security auditing include event, access, user, and security.

False

The value of information to the organization's competition should influence the asset's valuation.

True

Risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems.

control

The first phase of risk management is _____.

risk identification

A _____ assigns a status level to employees to designate the maximum level of classified data they may access.

security clearance scheme

The _____ control strategy attempts to shift risk to other assets, other processes, or other organizations.

transference

During the secure phase of a security review, you review and measure all controls to capture actions and changes on the system.

False