CH 6 Info Sec
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking? -Project initiation and planning -Functional requirements and definition -System design specification -Operations and maintenance
-Project initiation and planning
What is the correct order of steps in the change control process? -Request, approval, impact assessment, build/test, monitor, implement -Request, impact assessment, approval, build/test, implement, monitor -Request, approval, impact assessment, build/test, implement, monitor -Request, impact assessment, approval, build/test, monitor, implement
-Request, impact assessment, approval, build/test, implement, monitor
Which of the following is true of procedures? -They increase mistakes in a crisis. -They provide for places within the process to conduct assurance checks. -Important steps are often overlooked. -None of the above -All of the above
-They provide for places within the process to conduct assurance checks.
Which of the following is an example of social engineering? -An emotional appeal for help -A phishing attack -Intimidation -Name-dropping -All of the above
All of the above
A ___________ is a generally agreed-upon technology, method or format for a given application, such as TCP/IP. -protocol -standard -procedure -guidelines -baseline
standard
The objectives of classifying information include which of the following? -To identify data value in accordance with organization policy -To identify information protection requirements -To standardize classification labeling throughout the organization -To comply with privacy law, regulations, and so on -All of the above
-All of the above
The change management process includes ________ control and ________ control. -Clearance, classification -Document, data -Hardware inventory, software development -Configuration, change
-Configuration, change
Which activity manages the baseline settings for a system or device? -Configuration control -Reactive change management -Proactive change management -Change control
Configuration control
An organization does not have to comply with both regulatory standards and organizational standards. True False
False
In 1989, the IAB issued a statement of policy about Internet ethics. This document is known as ________. -OECD -RFC 1087 -(ISC)2 Code of Ethics Canons -CompTIA Candidate Code of Ethics -None of the above
RFC 1087
A(n) ________ is a formal contract between your organization and an outside firm that details the specific services the firm will provide. -Security event log -Incident response -Service-level agreement (SLA) -Compliance report
Service Level Agreement
More and more organizations use the term ________ to describe the entire change and maintenance process for applications. -System development life cycle (SDLC) -System life cycle (SLC) -System maintenance life cycle (SMLC) -None of the above
System Development Life Cycle (SDLC)
Data classification is the responsibility of the person who owns the data. True False
True
Policy sets the tone and culture of the organization. True False
True
Security administration is the group of individuals responsible for the planning, design, implementation, and monitoring of an organization's security plan. True False
True
There are several types of software development methods, but most traditional methods are based on the ________ model. -Modification -Waterfall -Developer -Integration
Waterfall
The security program requires documentation of: -The security process -The policies, procedures, and guidelines adopted by the organization -The authority of the persons responsible for security -All of the above -None of the above
-All of the above
When developing software, you should ensure the application does which of the following? -Has edit checks, range checks, validity checks, and other similar controls -Checks user authorization -Checks user authentication to the application -Has procedures for recovering database integrity in the event of system failure -All of the above
-All of the above
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? -Baseline -Policy -Guideline -Procedure
Baseline
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of? -Intimidation -Name dropping -Appeal for help -Phishing
Phishing
________ is the concept that users should be granted only the levels of permissions they need in order to perform their duties. -Mandatory vacations -Separation of duties -Job rotation -Principle of least privilege -None of the above
Principle of least privilege
________ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization. -Policies -Standards -Procedures -Baselines
Standards
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision? -Value -Sensitivity -Criticality -Threat
Threat
Configuration management is the management of modifications made to the hardware, software, firmware, documentation, test plans, and test documentation of an automated system throughout the system life cycle. True False
True
Which software testing method provides random input to see how software handles unexpected data? -Injection -Fuzzing -Valid error input -Boundary input
Valid error input
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? -Spiral -Agile -Lean -Waterfall
Waterfall