CIS 3350 - Chapter 6
numerical rating describing depth ....
(EAL)
Users must never leave sensitive information in plain view on an unattended desk or workstation A. Clean desk / clear screen policy B. Reactive change management C. Proactive change management D. Configuration control E. Change control
A. Clean desk / clear screen policy
Records of data that your operating system or application software automatically create A. Security Event Log B. Compliance Liaison C. Remediation D. Functional Policy
A. Security Event Log
A ____ is a formal contract between your organization and an outside firm that details the specific services the firm will provide. A. Security event log B. Incident response C. Service level agreement (SLA) D. Compliance report
A. Security Event Log
Mandated requirements for hardware and software solutions used to address security risk throughout an organization. A. Standards B. Procedures C. Baselines D. Guidelines
A. Standards
More and more organizations use the term _____ to describe the entire change and maintenance process for applications A. System Development Life Cycle (SDLC) B. System Life System (SLC) C. System Maintenance Life Cycle (SMLC) D. None of the above
A. System Development Life Cycle (SDLC)
Configuration management is the management of modifications made to the hardware, software, firmware, documentation, test plans, and test documentation of an automated system throughout the system life cycle. A. True B. False
A. True
Data classification is the responsibility of the person who owns the data. A. True B. False
A. True
Policy sets the tone and culture of the organization A. True B. False
A. True
Security administration is the group of individuals responsible for the planning, design, implementation, and monitoring of an organization's security plan. A. True B. False
A. True
A _____ makes sure all your personnel are aware of--and complying with--the organization's policies A. Security Event Log B. Compliance Liaison C. Remediation D. Functional Policy
B. Compliance Liaison
An organization does not have to comply with both regulatory standards and organizational standards. A. True B. False
B. False
Assertions made by users about who they are A. Security Administration B. Identification C. Authorization D. Authentication E. Accountability
B. Identification
Systematic actions to accomplish a security requirement, process, or objective A. Standards B. Procedures C. Baselines D. Guidelines
B. Procedures
In 1989, the *IAB* issued a statement of policy about Internet ethics. This document is known as _____. A. OECD B. RFC 1087 C. *(ISC)^2* Code of Ethics Canons D. *(ISC)^2* Code of Ethics Preamble E. None of the above
B. RFC 1087
Management *responds* to changes in the business environment A. Clean desk / clear screen policy B. Reactive change management C. Proactive change management D. Configuration control E. Change control
B. Reactive change management
_____ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization. A. Policies B. Standards C. Procedures D. Baselines
B. Standards
Which of the following is true of procedures?
B. They provide for places within the process to conduct assurance checks.
There are several types of software development methods, but almost all of them are based on the _____ model. A. Modification B. Waterfall C. Developer D. Integration
B. Waterfall
Input & Output
Black Box
After *identification*, during access control, this step proves the claims made by the user. A. Security Administration B. Identification C. Authorization D. Authentication E. Accountability
C. Authentication
The permissions a legitimate user has on the system A. Security Administration B. Identification C. Authorization D. Authentication E. Accountability
C. Authorization
Basic configurations to ensure that they enforce the security minimums A. Standards B. Procedures C. Baselines D. Guidelines
C. Baselines
Management *initiates* the change to achieve a desired goal. A. Clean desk / clear screen policy B. Reactive change management C. Proactive change management D. Configuration control E. Change control
C. Proactive change management
Fixing something that is broken or defective A. Security Event Log B. Compliance Liaison C. Remediation D. Functional Policy
C. Remediation
The security program requires documentation of: A. The Security Process B. The policies, procedures, and guidelines adopted by the organization C. The authority of the persons responsible for security D. All of the above E. None of the above
D. All of the above
a A. Clean desk / clear screen policy B. Reactive change management C. Proactive change management D. Configuration control E. Change control
D. Configuration control
The change management process includes _____ control and ____ control. A. Clearance, classification B. Document, data C. Hardware inventory, software development D. Configuration, change
D. Configuration, change
Declares an organization's management direction for security in such specific functional areas as e-mail, remote access, and Internet surfing. A. Security Event Log B. Compliance Liaison C. Remediation D. Functional Policy
D. Functional Policy
Recommendations for the purchase and use of acceptable products and systems. A. Standards B. Procedures C. Baselines D. Guidelines
D. Guidelines
_______ is the concept that users should be granted only the levels of permissions they need in order to perform their duties. A. Mandatory vacations B. Separation of duties C. Job rotation D. Principle of least privilege E. None of the above
D. Principle of least privilege
Tracking or logging what authenticated and unauthenticated users do while accessing the system A. Security Administration B. Identification C. Authorization D. Authentication E. Accountability
E. Accountability
The (ISC)^2 Code of Ethics Canons include which of the following statements? A. "Protect society, the commonwealth, and the infrastructure." B. "Act honorably, honestly, justly, responsibly, and legally." C. "Provide diligent and competent service to principals." D. "Advance and protect the profession." E. All of the above
E. All of the above
The objectives of classifying information include which of the following? A. To identify data value in accordance with organizational policy B. To identify information-protection requirements C. To standardize classification labeling throughout the organization D. To comply with privacy law, regulations, and so on E. All of the above
E. All of the above
When developing software, you should ensure the application does which of the following? A. Has edit checks, range checks, validity checks, and other similar controls B. Checks user authorization C. Checks user authentication to the application D. Has procedures for recovering database integrity in the event of system failure E. All of the above
E. All of the above
Which of the following is an example of social engineering? A. An emotional appeal for help B. A phishing attack C. Intimidation D. Name-dropping E. All of the above
E. All of the above
Management of changes to the configuration; unmanaged changes introduce risk. A. Clean desk / clear screen policy B. Reactive change management C. Proactive change management D. Configuration control E. Change control
E. Change Control
Functionally tested ______ is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious
EAL1
Formally verified design and tested _____ is applicable to the development of security TOEs for application in extremely high risk situations, and/or where the high value of the assets justifies the higher costs.
EAL7
Mandatory statement of evaluation criteria when determining whether TOE effectively meets claimed security functions
Functional Requirements
Specific actions an organization takes to ensure compliance with its policies, standards, baselines, procedures, and guidelines. Managing your policies.
Governance
The procedures maintain and monitor the technology, in order to enforce information security policies. What security procedures and practices are to be utilized?
Operational Management
Group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan. A. Security Administration B. Identification C. Authorization D. Authentication E. Accountability
Security Administration
Mandatory statement of evaluation criteria when determining the assurance of TOEs
Security Assurance
Policies, goals, missions. Why do security problems exist?
Security Management
Security blueprints are created through ______. They include defining the tasks/responsibilities of personnel, how information needs are related to tasks, how information is shared, and the identification, valuation, and classification of data assets. How are security problems mitigated?
Tactical Management
Think Firewall
Target of Evaluation (TOE)
Look inside and look at the processes.
White Box Testing