CSIS 340 CH. 1-4
An occurrence that transgresses an organization's security policies is known as an incident. Which of the following is not an example of a security incident?
a server crash that was accidentally caused
A(n) ___________________is a confirmed event that compromises the confidentiality, integrity, or availability of information.
breach
ISS policies ensure the consistent protection of information flowing through the entire system. Which of the following is not one of the foundational reasons for using and enforcing security policies?
compliance controls for legal mandates
Which the following is not one the policies concerned with LAN-to-WAN filtering and connectivity?
content-blocking tools configuration standard
It is important that ___________________ accounts have full and unencumbered rights to restore data as well as to configure, install, repair, and recover applications and networks.
contingent
_____________risk is the possible outcome that can occur when an organization or business unsuccessfully addresses its fiscal obligations.
financial
One of the processes designed to eradicate maximum possible security risks is to ________________, which limits access credentials to the minimum required to conduct any activity and ensures that access is authenticated to particular individuals
harden
An organization's _______________________ is a particular group of differently skilled individuals who are responsible for attending to serious security situations.
incident response team (IRT)
In general, the IRT is comprised of a team with individuals that have different specialties; one such individual is the ___________________, which offers analytical skills and risk management. This specialist has focused forensic skills necessary for the collection and analysis of evidence.
information security representative
Once an organization clearly defines its IP, the security policies should specify how to ___________ documents with marks or comments, and ____________ the data, which determines in what location the sensitive file should be placed.
label, classify
At Stanford University, data is labeled according to a classification scheme that identifies information in the following way: prohibited, restricted, confidential, and unrestricted. Which of the following schemes has Stanford adopted?
legal classification
If human action is required, the control is considered _______________.
manual
In policies regarding the ______________________of data, it must be guaranteed that the data that exits the private network is secured and monitored; the data should also be encrypted while in transit.
physical transport
When trying to achieve operational consistency, which of following oversight phases performs the function of periodically assessing to ensure desired results are achieved?
review
Of the many factors one must consider to ensure security policies and controls align with regulations ; ________________________ is/are important to demonstrate coverage of regulatory requirements because they show the importance of each security control.
security control mappings
Which of the following user types is responsible for audit coordination and response, physical security and building operations, and disaster recovery and contingency planning?
security personnel
The Information Technology Infrastructure Library (ITIL) is a series of books that describe IT practices and procedures, and it has five core books called volumes. Which of the following is not one of the five volumes?
service assessment
Of the types of U.S. compliance laws, there are a number of laws that are designed to provide confidence in the markets. _______________ are the beneficiaries of these laws.
shareholders
___________________ is a term that denotes a user's capability to authenticate once to access the network and then have automatic authentication on different applications and devices afterward.
single sign-on
In January 2013, two important changes were made to ___________________. First, it became easier to share records with child welfare agencies. Second, the change eliminates some requirements to notify parents when school records are being released.
the Family Educational Rights and Privacy Act (FERPA)
Which of the following types of baseline documents is often created to serve the demands of the workstation domain?
virus scanner configuration standards
The____________________ domain refers to any endpoint device used by end users, which is including but not limited to mean any smart device in the end user's physical possession and any device accessed by the end user, such as a smartphone, laptop, workstation, or mobile device
workstation
While the amount of data known as mission-critical depends on the organization and industry, such data should only represent less than ____________ percent of the data population.
15
Which of the following situations best illustrates the process of authentication?
A website sets users' passwords to expire every 90 days
___________________________are formal written policies describing employee behavior when using company computer and network systems.
Acceptable use policies
Which of the following is not one of the "five pillars of the IA model"
Assurance
There must be security policies in place to set core standards and requirements when it comes to encrypted data. Which of the following is not one of these standards and requirements?
Encryption keys must be located in isolation from encrypted data.
Organizations seek to create a coherent set of documents that are stable and immune to the need for regularly adjustments. However, the types of policy documents can differ, depending on the organization. Which of the following is not one the reasons why these documents might vary from one organization to the next?
Organizations seldom have both baseline standards and control standards; it is more common to have or one the other.
The COBIT Align, Plan, and Organize domain includes basic details of an organization's requirements and goals; this domain answers which of the following questions?
What do you want to do?
Which of the following is one of the challenges of the Sarbanes-Oxley (SOX) Act?
It is very expensive and nearly impossible to test all of a company's controls.
Which statement most clearly contrasts the difference between policies and procedures?
Policies are requirements placed on processes, whereas procedures are the technical steps taken to achieve those policy goals.
The SOX act created the ______________________, which sets accounting and auditing standards.
Public Company Accounting Oversight Board (PCAOB)
In 1999, the ___________________ is a law that came into being to repeal existing laws so that banks, investment companies, and other financial services companies could merge.
The Gramm-Leach-Bliley Act (GLBA)
Consider this scenario: A company is notified that its servers have been compromised to be the point of departure to attack a host of other companies. The company then initiates an IRT, which is unable to locate the breach. The company then seeks the services of an outside firm that specializes in forensic analysis and intrusions. The outside firm locates the source of the breach and wants to monitor the actions of the intruder. However, the outside firm is informed by its internal legal counsel that the company does not agree with this course of action. Which of the following statements best captures the effectiveness of the company's IRT policies?
The IRT is moderately effective because a breach was found without seeking external counsel.
In general, WAN-specific standards identify specific security requirements for WAN devices. For example, the ____________________explains the family of controls needed to secure the connection from the internal network to the WAN router, whereas the______________________ identifies which controls are vital for use of web services provided by suppliers and external partnerships.
WAN router security standard, web services standard
Bring Your Own Device (BYOD) is a current trend within many organizations, which raises a host of security policy questions that must be addressed for handheld device use. Which of the following is not one the questions?
What is a reason the person owns the device?
An important principle in information security is the concept of layers of security, which is often referred to as layered security, or defense in depth. Which of the following is not an example of a layer of security?
a control standard
Domain security control requirements are embodied in several different types of documents. One such document is known as _______________________, which uses a hierarchical organizing structure to identify the key terms and their explanations.
a dictionary
Generally, regardless of threat or vulnerability, there will ____________ be a chance a threat can exploit a vulnerability.
always
Depending on the organization, the control procedure of the Domain Name System (DNS) might be built into the WAN standard. This standard identifies the criteria securing a domain name. Which of the following is not one of the types of approvals that can be used to track domains?
an explanation of the desired market or audience for which the Web Site is intended
______________________ can run on a workstation or server and is at the heart of all business applications.
application software
If a vulnerability is not fixed at the root cause, there is a possibility that another route of attack can emerge. This route is known as the ____________________.
attack vector
The act of recording noteworthy security events that transpire on a network or computing device is known as a(n)______________________.
audit
The COBIT Monitor, Evaluate, and Assess domain looks at specific business requirements and strategic direction, and determines if the system still meets these objectives. To ensure requirements are being met, independent assessments known as________________ take place.
audits
One of the most important approaches used to secure personal data is ________________, which is the process used to prove the identity of an individual. ______________, however, is the process used to enable a person's access privileges.
authentication, authorization
Which of the following control standards in the system/application domain maintains control of both managing errors and ensuring against potentially damaging code?
developer-related standards
The____________________ identifies the processes entailed in the business continuity plan and/or the disaster recovery plan.
disaster declaration policy
It is important to conduct a nearly continuous evaluation of possible______________ to guarantee that recovery estimates provided to customers are accurate and maintain credibility with customers.
downtimes
Which of the following is not one of the four domains that collectively represent a conceptual information systems security management life cycle?
evaluate, assess, and perform
The Family Educational Rights and Privacy Act (FERPA) was put into law in 1974, and contains several key elements. Which of the key elements states that schools can share information without permission for legitimate education evaluation reasons as well as for health and safety reasons?
exclusions
One of the processes for establishing business requirements and raising the level of privileges is to grant elevated rights on a temporary basis. This process is called _________________.
firecall-ID
Which of the following is not one of the common network devices found on the LAN domain?
flat network
Consider this scenario: A company that buys a sizeable amount of equipment for its manufacturing process needs to accurately report such expenditures, so it calls upon the services of financial auditors. While financial auditors might consider how robust the data might be, the company might also involve IT auditors to examine the technology in place to gather the data itself. What process is this company using to address its concerns?
integrated audit
A security awareness program gains credibility when the business sees a reduction of risk, and there are multiple benefits that come with a security awareness program that emphasizes the business risk. Which of the following is not one of the benefits?
relevance
A security awareness program can be implemented in many ways. Which of the following is the list of generally accepted principles for implementing a program?
repetition, onboarding, support, relevance, metrics
There are many factors one must consider to ensure security policies and controls align with regulations. Which of the following is not one of the factors?
risk assessment
Of the risk management strategies, _________________ refers to the act of not engaging in actions that lead to risk, whereas ____________________refers to acquiescence in regard to the risks of particular actions as well as their potential results .
risk avoidance, risk acceptance
One of seven domains of a typical IT infrastructure is the user domain. Within that domain is a range of user types, and each type has specific and distinct access needs. Which of the following types of users has the responsibility of creating and putting into place a security program within an organization?
security personnel
In 2013 the national retailer Target Corporation suffered a major data breach that put at risk the financial information of an estimated 40 million customers. In 2009, the health care provider BlueCross BlueShield of Tennessee suffered a theft of hard drives when it reported 57 hard drives stolen. Both these cases resulted from a (n) ________________ failure.
security policy
Using switches, routers, internal firewalls, and other devices, you can restrict network traffic with a ____________________, which limits what and how computers are able to talk to each other.
segmented network
When writing a ____________________ one could state how often a supplier will provide a service or how quickly a firm will respond. For managed services, this document often covers system availability and acceptable performance measures.
service level agreement
Remote authentication has always been a concern because the person is coming from a public network, and many companies require two-factor authentication for remote access. Which of the following is not one of the most commonly accepted types of credentials?
something you want to know
While it would not be possible to classify all data in an organization, there has nonetheless been an increase in the amount of unstructured data retained in recent years, which has included data and logs. There are many different ways to make the time-consuming and expensive process of retaining data less challenging. Which of the following is not one these approaches?
Classify all forms of data no matter the risk to the organization.
Because the system/application domain covers an expansive range of topics, it follows that the baseline standards are diverse. For example, the _____________________ explains how to compose and assess the security of applications.
Developer coding standards
Privacy regulations involve two important principles. _____________________ gives the consumer an understanding of what and how data is collected and used. ________________________ provides a standard for handling consumer information.
Full disclosure, Data encryption
In business, intellectual property (IP) is a term applied broadly to any company information that is thought to bring an advantage. Protecting IP through security policies starts with human resources (HR). Which of the following is a challenge concerning HR policies about IP?
HR policies and employment agreements about IP may or may not be enforceable, depending on current law and location.
Of the different IRT roles, the _______________is head of the team and issues the ultimate call regarding how to respond to an incident, whereas the __________________ role is to monitor and document all the activity that unfolds during an incident.
IRT manager, IRT coordinator
___________________ is the act of protecting information and the systems that store and process it.
Information systems security
___________________are attacks that obtain access by means of remote services such as vendor networks, employee remote access tools, and point-of sale (POS) devices.
Insecure remote access
Which of the following agencies is responsible for developing information security standards and procedures that adhere to federal law?
The National Institute of Standards and Technology (NIST)
When an incident occurs, there are a number of options that can be pursued. Which of the following actions is recommended when assets of a low value are being attacked?
The breach may be permitted to proceed so that information on the attacker can be determined, but doing so depends on the goals of the business.
Consider this scenario: A major software company finds that code has been executed on an infected machine in its operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12 days later. Which of the following statements best describes the company's approach?
The company effectively implemented patch management.
A procure document should accompany every baseline document. Which of the following is a true statement about the circumstances for when a procedure document needs to be created to support the baseline document?
Because many configuration processes reuse the same procedure, there does not need to be a new procedure document for every configuration.
Which of the following domains addresses schedules and deliverables?
Build, Acquire, and Implement
Which of the following statement states the difference between business liability and a business's legal obligation?
Business liability occurs when a company fails to meet its obligation to its employees and community. A business's legal obligation is an action that it is required to take in compliance with the law.
Which of the following statements is most accurate with respect to infrastructure security?
Even when an industry standard is applied, there is no way to predict there will be compatibility.
In U.S. compliance laws affecting information security policies, there exists a number of concepts with matching objectives. What is the matching objective for the concept of full disclosure?
The concept that individuals should know what information about them is being collected. A company must give written notice on how it plans to use your information.
In workstation domain policies, _________________ provide the specific technology requirements for each device. IT staff uses recorded and published procedures to enact configurations by devices to ensure that there exist secure connectivity for remote devices, as well as virus and malware protection and patch management capability, among several other related functions.
baseline standards
It is necessary to retain information for two significant reasons: legal obligation and business needs. Data that occupies the class of ________________ is comprised of records that are required to support operations; the data included might be customer and vendor records.
business
The initial step in creating a business continuity and security response plan is a _________________, which can be used to assemble the business and security responses in order to diminish losses.
business impact analysis
There are particular tools and techniques that the IRT utilizes to gather forensic evidence, including ____________________, which articulates the manner used to document and protect evidence.
chain of custody
Many organizations have a(n) _____________ policy in place to manage the business concern of how to handle sensitive information in physical form, such as reports. This policy generally requires employees to lock up all documents and digital media at the end of a workday and when not in use
clean desk
In recent years, ___________________ has emerged as major technology. It provides a way of buying software, infrastructure, and platform services on someone else's network.
cloud computing
LAN security policies center on issues concerning connectivity; this includes determining how devices adhere to the network. Among the types of LAN control standards are _______________, which creates the schedules on LAN-attached devices for scheduled preventative and consistent maintenance, and________________, which explains the change control management process for soliciting changes, granting changes, implementing changes on the network
controlled maintenance, configuration change control
When an organization lacks policies, its operations become less predictable. Which of the following is a challenge you can expect without policies?
customer dissatisfaction
_______________refers to an attempt to cause fear or major disruptions in a society through hacking computers. Such attacks target government computers, major companies, or key areas of the economy.
cyberterrorism
To be compliant with the security standards and processes outlined in NIST publications, policies must include key security control requirements. Which of the following is not one of the key requirements?
data privacy
In order to move data from an unsecure WAN to a secure LAN, you typically begin by segmenting a piece of your LAN into a _________________________, which sits on the outside of your private network facing the public Internet. Servers in this area provide public-facing access to the organization, such as public Web sites.
demilitarized zone (DMZ)
The Barings Bank collapsed in 1995 after it was found that an employee had lost over $1.3 billion of the bank's assets on the market. The collapse occurred when an arbitrage trader was responsible for both managing trades and guaranteeing that trades were settled and reported according to proper procedures. To which of the following causes is this collapse attributed?
lack of separation of duties
A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows: Risk exposure =________________ the event will occur + ____________ if the event occurs
likelihood, impact
It is recommended that systems administrators analyze logs in order to determine if they have been altered because monitoring can deter risk. To serve this goal, a ________________can be used to assemble logs from platforms throughout the network.
log server
Despite the fact that there exists no mandatory scheme of data classification for private industry, there are four classifications used most frequently. Which of the following is not one of the four?
moderately sensitive
There are many ways that people can be manipulated to disclose knowledge that can be used to jeopardize security. One of these ways is to call someone under the false pretense of being from the IT department. This is known as _________________________.
pretexting
There are a number of classifications that can be applied to security controls. Which of the following is not one the classifications?
preventive control
An organization's _________________ is a good source for determining what should be in security policies to meet regulatory requirements.
privacy officer
The goal of conducting an incident analysis is to ascertain weakness. Because each incident is unique and might necessitate a distinct set of approaches, there is a range of steps that can be pursued to aid the analysis. One of these steps is to ________________, which entails mapping the network traffic according to the time of day and look for trends.
profile your network
The term critical infrastructure refers to key elements of the country's transportation, energy, communications, and banking systems. Which of the following is not an example of critical infrastructure?
public universities
In order to establish cogent expectations for what's acceptable behavior for those utilizing an organization's technology asset, an Acceptable Use Policy (AUP) defines the targeted functions of computers and networks. This policy delimits unacceptable uses and the consequences for policy violation. Which of the following topics is not likely to be found in an AUP?
recommendations for creating a healthy organizational culture
Although it is impossible to eliminate all business risks, a good policy can reduce the likelihood of risk occurring or reduce its impact. A business must find a way to balance a number of competing drivers. Which of the following is not one of these drivers?
regulation
Federal and state governments in the United States establish laws that define how to control, handle, share, and process the sensitive information that the new economy relies on. ___________________are then added to these laws, which are typically written by civil servants to implement the authority of the law.
regulations