CIST 1602 Module 1 Study Set
The Council of Europe adopted the Convention on Cybercrime in ____.
2001
____________________ information is created by combining pieces of non-private data—often collected during software updates, and via cookies—that when combined may violate privacy.
Aggregate
The ___________ is a respected professional society that was established in 1947 as "the world's first educational and scientific computing society."
Association for Computing Machinery (ACM)
____ law comprises a wide variety of laws that govern a nation or state.
Civil
The _________ is the American contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures.
DMCA or Digital Millennium Copyright Act
2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments. a. True b. False
False
3. The authorization process takes place before the authentication process. a. True b. False
False
4. Rule-based policies are less specific to the operation of a system than access control lists. a. True b. False
False
Chapter 2 1. Ethics carry the sanction of a governing authority. a. True b. False
False
Every state has implemented uniform laws and regulations placed on organizational use of computer technology.
False
The Department of Homeland Security was created in 1999.
False
The difference between a policy and a law is that ignorance of a law is an acceptable defense.
False
7. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection. ___________
False - analysis
7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________
False - baseline
8. The macro virus infects the key operating system files located in a computer's start up sector. _________________________
False - boot
9. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________
False - brute force
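The distinction the card draws (a dictionary attack tries candidates from a list, a brute-force attack tries every combination) is easier to see in running code. The block below is an added example, not part of the study set: the wordlist, the target hashes and the tiny alphabet are constructed so the search finishes instantly, and unsalted SHA-256 stands in for a real password hash only so the example runs offline.

```python
"""Dictionary attack versus brute-force attack against a password hash.

Added example, not part of the study set. The wordlist, target hashes and
the small character set are constructed; real attacks use far larger
wordlists and salted, deliberately slow hashes (bcrypt, scrypt, Argon2).
"""
import hashlib
import itertools
import string

# Constructed wordlist: a dictionary attack only tries candidates from a list.
WORDLIST = ["password", "letmein", "welcome", "qwerty", "dragon"]


def sha256_hex(candidate: str) -> str:
    """Unsalted SHA-256, used only so the example runs offline; not a password hash."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Return (password or None, number of guesses). Cost is bounded by the list size."""
    for guesses, word in enumerate(wordlist, start=1):
        if sha256_hex(word) == target_hash:
            return word, guesses
    return None, len(wordlist)


def brute_force_attack(target_hash: str, alphabet=string.ascii_lowercase, max_len=4):
    """Return (password or None, number of guesses).

    Enumerates every string over `alphabet` up to `max_len` characters, so the
    worst case is sum(len(alphabet)**k for k in 1..max_len) guesses: the card's
    "every possible combination of options".
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def search_space(alphabet_size: int, max_len: int) -> int:
    """Total candidates a brute-force attack must be prepared to try."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


if __name__ == "__main__":
    # Constructed target: a word on the list falls to the dictionary attack at once.
    h1 = sha256_hex("dragon")
    print("dictionary:", dictionary_attack(h1))
    # A short string not on the list is missed by the dictionary and found by brute force.
    h2 = sha256_hex("zqx")
    print("dictionary:", dictionary_attack(h2))
    print("brute force:", brute_force_attack(h2))
    print("lowercase, up to 4 chars:", search_space(26, 4), "candidates")
```

The guess counters are the point: the dictionary attack never exceeds the wordlist length, while the brute-force attack's cost grows exponentially with alphabet size and length, which is why password length and character-set breadth matter against one attack and commonness matters against the other.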
11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________
False - classification
10. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. _________________________
False - cracker
The ____________________ Act seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.
Sarbanes-Oxley
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. a. True b. False
True
10. Each organization has to determine its own project management methodology for IT and information security projects. a. True b. False
True
11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________
True
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system. a. True b. False
True
4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. a. True b. False
True
4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. a. True b. False
True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed. a. True b. False
True
5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams. a. True b. False
True
5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. a. True b. False
True
7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True
7. Planners need to estimate the effort required to complete each task, subtask, or action step. a. True b. False
True
Deterrence can prevent an illegal or unethical activity from occurring.
True
Established in January 2001, the National InfraGard Program began as a cooperative effort between the FBI's Cleveland Field Office and local technology professionals.
True
In 1995 the Directive 95/46/EC was adopted by the European Union.
True
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.
True
Studies have reported that the Pacific Rim countries of Singapore and Hong Kong are hotbeds of software piracy.
True
Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group.
True
The Clipper Chip can be used to monitor or track private communications.
True
According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except ____.
To Harass
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. a. True b. False
True
5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
True
Ethics define socially acceptable behaviors.
True
Privacy is not absolute freedom from observation, but rather is a more precise "state of being free from unsanctioned intrusion."
True
The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage.
True
The Federal Bureau of Investigation's National InfraGard Program serves its members in four basic ways: Maintains an intrusion alert network using encrypted e-mail; Maintains a secure Web site for communication about suspicious activity or intrusions; Sponsors local chapter activities; Operates a help desk for questions.
True
The NSA is responsible for signals intelligence and information system security.
True
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage ____.
By accident
The ____________________ Act of 1996 attempts to prevent trade secrets from being illegally shared.
Economic Espionage
1. Having an established risk management program means that an organization's assets are completely protected. a. True b. False
False
2. Corruption of information can occur only while information is being stored. a. True b. False
False
2. The defense risk control strategy may be accomplished by outsourcing to other organizations. a. True b. False
False
Chapter 1 1. The first step in solving problems is to gather facts and make assumptions. a. True b. False
False
Civil law addresses activities and conduct harmful to society and is actively enforced by the state.
False
The Association for Computing Machinery and the Information Systems Security Association have the authority to banish violators of their ethical standards from practicing their trade.
False
The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, the resources.
False
The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release information about national security.
False
The Gramm-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms.
False
The U.S. Secret Service is a department within the Department of the Interior.
False
The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not.
False
13. The information technology management community of interest often takes on the leadership role in addressing risk. ____________
False - infosec, information security
12. Most information security projects require a trained project developer. _________________________
False - manager
11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
False - milestones
9. Examples of actions that illustrate compliance with policies are known as laws.
False - practices
15. In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence. ____________
False - rate
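The two cards on cost-benefit analysis (the CBA definition above and the annualized rate of occurrence here) are easier to apply with the arithmetic written out. The block below is an added example, not part of the study set; it uses the standard formulas (SLE = asset value x exposure factor, ALE = SLE x ARO, CBA = ALE before the control minus ALE after it minus the annual cost of the safeguard), and the asset value, exposure factors, attack rates and control cost are constructed figures.

```python
"""Cost-benefit analysis (CBA) of a security control from SLE, ARO and ALE.

Added example, not part of the study set. Formulas are the standard ones:
    SLE = asset_value * exposure_factor
    ALE = SLE * ARO
    CBA = ALE(prior) - ALE(post) - ACS
All numbers in the demo are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float       # value of the asset, in currency units
    exposure_factor: float   # fraction of asset value lost in one incident (0.0..1.0)
    aro: float               # annualized rate of occurrence: expected attacks per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one successful attack."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def aro_from_interval(years_between_attacks: float) -> float:
    """ARO expressed as attacks per year, e.g. one attack every 4 years -> 0.25."""
    return 1.0 / years_between_attacks


def cost_benefit(prior: Scenario, post: Scenario, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control pays for itself."""
    return prior.ale() - post.ale() - annual_cost_of_safeguard


def decision(prior: Scenario, post: Scenario, annual_cost_of_safeguard: float) -> str:
    """Economic-feasibility verdict: adopt only when the CBA is positive."""
    return "adopt" if cost_benefit(prior, post, annual_cost_of_safeguard) > 0 else "reject"


if __name__ == "__main__":
    # Constructed: a 100,000 asset, half lost per incident, two incidents a year.
    before = Scenario(asset_value=100_000, exposure_factor=0.5, aro=2.0)
    # Constructed: after the control, 10% lost per incident, one incident every two years.
    after = Scenario(asset_value=100_000, exposure_factor=0.1, aro=aro_from_interval(2))
    acs = 20_000  # constructed annual cost of the safeguard
    print("ALE before:", before.ale(), "ALE after:", after.ale())
    print("CBA:", cost_benefit(before, after, acs), "->", decision(before, after, acs))
```

Note that ARO is a rate, not a probability: it can exceed 1.0 for attacks that recur several times a year, which is why the card's "annualized risk of occurrence" is the wrong term.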
7. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. _________________________
False - spike
7. A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
False - stakeholder
10. An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________
False - technical
What is the subject of the Computer Security Act?
Federal Agency Information Security
Criminal or unethical ____ goes to the state of mind of the individual performing the act.
Intent
The _______________ manages a body of knowledge on information security and administers and evaluates examinations for information security certifications.
International Information Systems Security Certification Consortium, Inc. ((ISC)²)
Family law, commercial law, and labor law are all encompassed by ____________________ law.
Private
Laws and policies and their associated penalties only deter if which of the following conditions is present?
Probability of penalty being administered, Probability of being caught, and Fear of penalty
____________________ are the fixed moral attitudes or customs of a particular group.
Cultural Mores
____ attempts to prevent trade secrets from being illegally shared.
Economic Espionage Act
Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is ____________________.
Education
The ____________ Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications.
Electronic Communications Privacy
Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?
Electronic Communications Privacy Act
3. MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof. a. True b. False
False
3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for. a. True b. False
False
3. The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses. a. True b. False
False
3. Threats from insiders are more likely in a small organization than in a large one. a. True b. False
False
4. A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems. a. True b. False
False
4. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks. a. True b. False
False
5. DoS attacks cannot be launched against routers. a. True b. False
False
5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. a. True b. False
False
6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables. a. True b. False
False
8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application. a. True b. False
False
Chapter 3 1. Because it sets out general business intentions, a mission statement does not need to be concise. a. True b. False
False
Cultural differences can make it easy to determine what is and is not ethical—especially when it comes to the use of computers.
False
DHS is made up of three directorates.
False
Due care requires that an organization make a valid effort to protect others and continually maintain this level of effort.
False
HIPAA specifies particular security technologies for each of the security requirements to ensure the privacy of the health-care information.
False
In a study on software license infringement, those from the United States were significantly more permissive.
False
Intellectual privacy is recognized as a protected asset in the United States.
False
The United States has implemented a version of the DMCA law called the Database Right, in order to comply with Directive 95/46/EC.
False
There are four general causes of unethical and illegal behavior.
False
Thirty-four countries have ratified the European Council Cyber-Crime Convention as of April 2010.
False
10. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False - Economic
6. The secretarial community often takes on the leadership role in addressing risk. ____________
False - InfoSec, infosec, Information Security, information security
6. Technology is the essential foundation of an effective information security program. _____________
False - Policy
6. Values statements should therefore be ambitious; after all, they are meant to express the aspirations of the organization.
False - Vision, vision
11. The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
False - acceptance
9. Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________
False - aggregation
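The aggregation cards (this one and the "aggregate information" card near the top) describe combining pieces of non-private data until the result violates privacy. The classic mechanism is a join on quasi-identifiers: attributes that are not secret on their own but, together, single out one person. The block below is an added example, not part of the study set; both tables are constructed, the column names are assumed for illustration, and the generalization step is one common mitigation rather than a complete anonymization scheme.

```python
"""Aggregation: joining non-private data sets to recover private facts.

Added example, not part of the study set. The "de-identified" health table
has names removed but keeps ZIP, birth year and sex; the roster is the kind
of list that is public or routinely collected. Joining on the shared columns
(quasi-identifiers) re-attaches names to diagnoses. All rows are constructed.
"""
from collections import defaultdict

# Constructed "de-identified" records: no names, but quasi-identifiers kept.
HEALTH = [
    {"zip": "30301", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"zip": "30301", "birth_year": 1990, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "30302", "birth_year": 1990, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "30302", "birth_year": 1990, "sex": "M", "diagnosis": "flu"},
    {"zip": "30303", "birth_year": 1987, "sex": "F", "diagnosis": "migraine"},
]

# Constructed public roster (e.g. a membership or voter list).
ROSTER = [
    {"name": "Alice", "zip": "30301", "birth_year": 1985, "sex": "F"},
    {"name": "Bob",   "zip": "30301", "birth_year": 1990, "sex": "M"},
    {"name": "Carol", "zip": "30303", "birth_year": 1985, "sex": "F"},
    {"name": "Dan",   "zip": "30302", "birth_year": 1990, "sex": "M"},
    {"name": "Eve",   "zip": "30302", "birth_year": 1990, "sex": "M"},
]

QUASI_IDS = ("zip", "birth_year", "sex")


def key(row):
    """The quasi-identifier tuple shared by both tables."""
    return tuple(row[c] for c in QUASI_IDS)


def link(health, roster):
    """Return {name: diagnosis} for every quasi-identifier value that matches
    exactly one roster entry and exactly one health record (an unambiguous link).
    Ambiguous groups (Dan and Eve share a key) are reported as not linkable."""
    health_by_key = defaultdict(list)
    for r in health:
        health_by_key[key(r)].append(r)
    roster_by_key = defaultdict(list)
    for p in roster:
        roster_by_key[key(p)].append(p)
    linked = {}
    for k, people in roster_by_key.items():
        records = health_by_key.get(k, [])
        if len(people) == 1 and len(records) == 1:
            linked[people[0]["name"]] = records[0]["diagnosis"]
    return linked


def k_anonymity(health):
    """Smallest group size sharing the same quasi-identifiers.
    k == 1 means at least one record is unique and therefore linkable."""
    counts = defaultdict(int)
    for r in health:
        counts[key(r)] += 1
    return min(counts.values())


def generalize(health):
    """One mitigation: coarsen the quasi-identifiers before release
    (3-digit ZIP prefix and a decade band instead of an exact birth year)."""
    out = []
    for r in health:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("linked:", link(HEALTH, ROSTER))
    print("k before generalization:", k_anonymity(HEALTH))
    print("k after generalization:", k_anonymity(generalize(HEALTH)))
```

Each table on its own looks harmless, which is the point of the card: the privacy violation is a property of the combination, so a review of what data is released has to consider what it can be joined with, not only what it contains.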
4. ISACA is a professional association with a focus on authorization, control, and security. ___________
False - auditing
14. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________
False - bomb
11. A signaling law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________
False - breach
2. The InfoSec community often takes on the leadership role in addressing risk. a. True b. False
True
2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes. a. True b. False
True
3. Deterrence is the best method for preventing an illegal or unethical activity. ____________
True
4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. a. True b. False
True
5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. a. True b. False
True
6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
True
6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
False - defense
13. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________
False - packet
15. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
False - qualitative
7. It is the responsibility of InfoSec professionals to understand state laws and standards. ____________
False - regulations
10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.
False - software
The ______________________________ contains a number of provisions focusing on facilitating affiliation among banks, securities firms, and insurance companies.
Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
The Computer ____ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
Fraud
The _________ Act of 1966 allows any person to request access to federal agency records or information not determined to be a matter of national security.
Freedom of Information
The ____ Portability and Accountability Act of 1996, also known as the Kennedy-Kassebaum Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
Health Insurance
The low overall degree of tolerance for ____________________ system use may be a function of the easy association between the common crimes of breaking and entering, trespassing, theft, and destruction of property to their computer-related counterparts.
Illicit
The _____________Association is a professional association that focuses on auditing, control, and security and whose membership comprises both technical and managerial professionals.
Information Systems Audit and Control or ISACA
"Long arm ____________________" refers to the long arm of the law reaching across the country or around the world to draw an accused individual into its court systems.
Jurisdiction
____________________ are rules that mandate or prohibit certain behavior in society.
Laws
____________________ is the legal obligation of an entity that extends beyond criminal or contract law.
Liability
The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any ____ purposes.
Marketing
What is the subject of the Sarbanes-Oxley Act?
Financial Reporting
Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
Financial Services Modernization Act
The National Information Infrastructure Protection Act of 1996 modified which Act?
Computer Fraud and Abuse Act
Which of the following acts defines and formalizes laws to counter threats from computer related acts and offenses?
Computer Fraud and Abuse Act
8. The ISO/IEC 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.
False - governance
8. Non-mandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________
False - guidelines
9. The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. ____________
False - identification
12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________
False - likelihood
6. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________
False - surfing
8. InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False - technology
10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________
False - threat
9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________
False - transference
14. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
False - vulnerabilities
8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________
False - vulnerabilities
Software license infringement is also often called software ____________________.
Piracy
Guidelines that describe acceptable and unacceptable employee behaviors in the workplace are known as ____________________.
Policies
____ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
Public
The ____ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
Security and Freedom through Encryption Act
Which of the following countries reported generally intolerant attitudes toward personal use of organizational computing resources?
Singapore
12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
True
13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
True
14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________
True
2. A clearly directed strategy flows from top to bottom rather than from bottom to top. a. True b. False
True
8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
True
9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True
Chapter 4 1. Policies must specify penalties for unacceptable behavior and define an appeals process. a. True b. False
True
Chapter 5 1. Small organizations spend more per user on security than medium- and large-sized organizations. a. True b. False
True
The Information Systems Security Association (ISSA) is a nonprofit society of information security professionals whose primary mission is to bring together qualified information security practitioners for information exchange and educational development.
True
The Secret Service is charged with the detection and arrest of any person committing a United States federal offense relating to computer fraud and false identification crimes.
True
The code of ethics put forth by (ISC)² focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession."
True
The communications networks of the United States carry more funds than all of the armored cars in the world combined.
True
____ defines stiffer penalties for prosecution of terrorist crimes.
USA PATRIOT Act
The ____________________ Act of 2001 provides law enforcement agencies with broader latitude in order to combat terrorism-related activities.
USA PATRIOT