CMIT 425


Which of the following best describes a security program?

A group of standards, regulations, and best-practices. An organization within an enterprise that houses business activities related to providing security. A framework made up of many entities that work together to provide protection for an organization.

What is "security through obscurity?"

A security practice that uses tricks and other information-hiding practices and is based upon the assumption that adversaries are not as smart as you and will not be able to figure things out.

Which category of control types is referred to as "soft controls?"

Administrative

Which of the following formulas should Sifers-Grayson managers use to calculate the potential financial loss associated with an attack or other event that causes a total loss for an asset?

Asset Value x Exposure Factor (EF)

Which of the following best describes the AIC principles?

Availability, Integrity, and Confidentiality
Security controls, mechanisms, and safeguards
Risks, threats, and vulnerabilities

Which of the following are NOT examples of physical controls?

Bar codes and scanners

Which of the following best describes "threat modeling?"

Connecting an existing vulnerability to a feasible attack and a threat capable of executing that attack.

Which of the following qualitative risk analysis methodologies uses the opinions of a group of Subject Matter Experts?

Delphi Technique

________ is a legal principle that requires that individuals perform necessary actions to prevent negligence from occurring. It is judged using the reasonable person standard.

Due care
Customary law
Separation of duties

________ is a legal obligation applied to executives which stockholders can use to sue company leaders who fail to protect a company's assets from harm or loss.

Due notice
Due diligence
Due performance

Which of the following methodologies for risk assessments incorporates "functional failures?"

FMEA

Which of the following lists correctly identifies the phases of the Risk Management Process as defined in NIST SP-800-39?

Frame risk, Assess risk, Respond to risk, Monitor risk.

Three foundational issues in information security are:

Having practitioners who understand and can apply: goals of security, security terminology, and control types.

_______ is a series of international standards that, among other things, provides guidance for managing security controls.

ISO/IEC 27000

Which of the following guidance documents specifically addresses security controls required for information systems owned by or operated for the U.S. Federal Government?

NIST SP-800-53

A company needs to conduct a Business Impact Assessment (BIA) in order to identify important business processes and assets which could be impacted by a cyber attack, natural disaster or any other event with potential to cause an extended interruption in its operations. Which of the following groups are most likely to provide critical information for the team conducting the BIA?

National Hurricane Center. Business process owners. Employees, Managers, and Supervisors.

Which of the following statements is true?

PCI-DSS is a federal law that protects the privacy of credit card transactions. USA Patriot Act broadens privacy protections for federal law enforcement agents and immigration authorities. FISMA applies to federal agencies and their contractors.

Which type of legal protection for an invention requires disclosure of intellectual property in order to secure ownership rights for an individual or company?

Patents.

Security controls function in different ways to provide protection from harm or loss. Which of the following types of controls works before an attack occurs?

Preventive

Metrics are used to evaluate the effectiveness and efficiency of a company's security program and the controls or countermeasures being used to reduce or eliminate risk. Which of the following best describes the characteristics of metrics and associated measurement activities?

Repeatable, Reliable, and Meaningful

Which of the following Enterprise Architecture frameworks / models specifically addresses information security?

SABSA

Which of the following describes an infringement of ownership rights which could result in both civil damages and criminal prosecution?

Software Piracy

Confidentiality can be protected by implementing which of the following controls?

Software digital signing to verify recipients. Data hiding and data obscuring techniques. Encrypting data at rest and in transit.

A ______ is a document which defines mandatory activities, actions, or rules.

Standard

Which of the following is used to reduce the risk of vulnerabilities in purchased or acquired hardware and software products?

Supply Chain Risk Management

Which category of control types is also referred to as "logical controls?"

Technical

Which of the following types of enterprise architectures is NOT part of the NIST Enterprise Architecture Framework?

Technical Architecture

Companies implement controls and countermeasures to reduce the amount of risk to a level deemed "acceptable." Why doesn't a company seek to eliminate all risk?

The cost of eliminating some risks may exceed the actual cost of a loss caused when the risk materializes.

Which of the following is NOT a provision of the General Data Protection Regulation (GDPR)?

The right to be canceled and removed from databases.

During an internal investigation, child pornography was found on a storage device. Which of the following best describes the type of crime uncovered by the investigators?

There is not enough information provided to make a determination. Computer-assisted crime. Computer-targeted crime.

Which of the following best describes leadership behaviors which promote ethical behavior amongst employees?

Tone at the Top

Which of the following is NOT a goal of a risk analysis?

Uncertainty of costs of assets.

Risk can be reduced by _____________.

applying countermeasures to eliminate vulnerabilities.

Strategic alignment of a security enterprise architecture is achieved when:

business drivers and legal / regulatory requirements are being met by the architecture.

An exposure occurs when a vulnerability _____________.

creates the possibility of incurring a loss or experiencing harm.

Confidentiality is the principle that _____________.

ensures required levels of secrecy during processing, transmission, storage, and use of information.

The European Union implemented strict regulations to define and harmonize the protection of personal privacy. The current version of these regulations is known as the General Data Protection Regulation. This regulation defines which of the following entities?

individual, business, government agency
data subject, data collector, data target
data subject, data controller, data processor

Clustering and load balancing are controls that ________

map to the Availability component of the AIC triad.

Hashing is a control that _______

maps to the Integrity component of the AIC triad.

Which of the following is NOT a category of control types?

protects or assures the accuracy and reliability of information and systems.

Availability is the principle which ensures ____________.

reliability and timely access to data and other resources by authorized individuals.

Which of the following controls are categorized as Preventive Administrative controls?

security policy, separation of duties, and security awareness training

Vulnerability, threat, risk, and exposure are ____________.

terms that are incorrectly treated as having the same meaning

A risk is __________

the probability that a vulnerability will be successfully exploited by a threat agent causing a business to experience loss or harm.

Complete this chain of causality using one of the options listed below: A _________ causes a _________ which can _______ a ________ leading to ____________

threat actor, threat, exploit, vulnerability, risk(s)

A ___________ is a potential danger which occurs when a ___________ exploits a vulnerability.

threat, threat agent

A control is _____________

used to reduce or mitigate risks.

A weakness in a system that allows malware to compromise security is called a _________.

vulnerability

Balanced security refers to _____________

weighing choices in controls against the magnitude of risk presented by a variety of threats.
addressing threats and implementing controls for availability, integrity, and confidentiality.
understanding the concepts of the AIC triad.
