CSS Midterm
Smaller organizations tend to spend approximately __________ percent of the total IT budget on security.
20
Larger organizations tend to spend approximately __________ percent of the total IT budget on security.
5
Which of the following is NOT a part of an information security program?
All of these are part of an information security program
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, which selects key stakeholders as well as the ____________.
Board Risk Committee
Which of the following is NOT a step in the problem-solving process?
Build support among management for the candidate solution.
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)?
Deontological ethics
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of several reasons. Which of the following is NOT one of those reasons?
For political advantage
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
Governance
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
Hold regular meetings with the CIO to discuss tactical InfoSec planning
According to Wood, which of the following is a reason the InfoSec department should report directly to top management?
It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole
Which of the following is an information security governance responsibility of the chief information security officer?
Set security policy, procedures, programs, and training.
Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function?
There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information.
The basic outcomes of InfoSec governance should include all but which of the following?
Time management by aligning resources with personnel schedules and organizational objectives
Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?
Violations of Policy
What are the two general approaches for controlling user authorization for the use of a technology?
access control lists and capability tables
What do audit logs that track user activity on an information system provide?
accountability
In which phase of the SecSDLC does the risk management task occur?
analysis
Force majeure includes all of the following EXCEPT:
armed robbery
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
bulls-eye model
A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs.
business mission
The purpose of SETA is to enhance security in all but which of the following ways?
by adding barriers
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
can suffer from poor policy dissemination, enforcement, and review
Which of the following is NOT one of the three general causes of unethical and illegal behavior?
carelessness
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
centralized authentication
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
champion
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
common good
Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information?
confidentiality
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
data owners
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past?
descriptive ethics
The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response.
design
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________.
digital forensics
A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
distributed denial of service
A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.
e-discovery
Which of the following is the most cost-effective method for disseminating security information and news to employees?
e-mailed security newsletter
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.
evidentiary material
Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization.
examples
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.
forensics
Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?
frequency of review
ISO 27014:2013 is the ISO 27000 series standard for ____________.
governance of information security
Which of the following is NOT a step in the process of implementing training?
hire expert consultants
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus __________.
hoaxes
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.
identifying relevant items of evidentiary value
Which of the following is a common element of the enterprise information security policy?
information on the structure of the InfoSec organization
The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints.
investigation
What is the first phase of the SecSDLC?
investigation
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
issue-specific
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
malice
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.
management guidance, technical specifications
The protection of voice and data components, connections, and content is known as __________ security.
network
Which of the following variables is the most influential in determining how to structure an information security program?
organizational culture
Which function of InfoSec management encompasses security personnel as well as aspects of the SETA program?
people
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
policy administrator
Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected?
privacy
Which subset of civil law regulates the relationships among individuals and among individuals and organizations?
private
Which of the following is NOT a primary function of information security management?
projects
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________.
proper conception
The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.
rainbow table
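The card above describes what is really a plain lookup table (one stored hash per password). A rainbow table is the time-memory trade-off that makes precomputation practical: it stores only the start and end of long hash chains and recomputes the rest during a lookup. The following is an added example, not from the midterm or its textbook; the 4-digit password space, the MD5 hash, the reduction function, the chain parameters and the sample password are all constructed for the illustration. It also shows the standard caveat: a per-user salt puts the stored hash outside the precomputed space, so the same table finds nothing.

```python
"""Toy rainbow table: reverse unsalted MD5 hashes of 4-digit passwords.

Added illustration; parameters, reduction function and sample data are
chosen here and are not from the page.
"""
import hashlib

CHARSET = "0123456789"
PW_LEN = 4
SPACE = len(CHARSET) ** PW_LEN   # 10,000 candidate passwords
CHAIN_LEN = 50                   # hashes covered per stored chain
NUM_CHAINS = 400                 # rows stored: far fewer than SPACE


def pw_from_int(n: int) -> str:
    """Map an integer in [0, SPACE) to a password over CHARSET."""
    out = []
    for _ in range(PW_LEN):
        out.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(out)


def H(password: str) -> bytes:
    """Unsalted MD5: the kind of hash a precomputed table can reverse."""
    return hashlib.md5(password.encode()).digest()


def salted_hash(salt: bytes, password: str) -> bytes:
    """Salted MD5: the salt moves the input outside the precomputed space."""
    return hashlib.md5(salt + password.encode()).digest()


def reduce_(digest: bytes, step: int) -> str:
    """Map a digest back into password space. Depending on the chain position
    is what distinguishes a rainbow table from earlier Hellman tables: two
    chains that collide at different positions do not merge."""
    return pw_from_int((int.from_bytes(digest[:8], "big") + step) % SPACE)


def chain_password(start: str, i: int) -> str:
    """i-th password of the chain that begins at `start` (0 = start itself)."""
    pw = start
    for step in range(i):
        pw = reduce_(H(pw), step)
    return pw


def build_table() -> dict:
    """Return {endpoint: [start, ...]}. Only endpoints and starts are kept;
    every intermediate password is recomputed on demand during lookup."""
    table: dict = {}
    for k in range(NUM_CHAINS):
        start = pw_from_int((k * 7919) % SPACE)  # deterministic, spread-out starts
        table.setdefault(chain_password(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Return a password whose MD5 equals `target`, or None if no chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the i-th hash of some chain. Walk to the end.
        pw = reduce_(target, i)
        for step in range(i + 1, CHAIN_LEN):
            pw = reduce_(H(pw), step)
        for start in table.get(pw, ()):
            # Endpoint matched: rebuild that chain and look for the hash.
            cand = start
            for step in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduce_(H(cand), step)
            # No hit: a false alarm caused by a chain merge. Keep searching.
    return None


def coverage(table: dict) -> int:
    """Number of distinct passwords whose hash the table can reverse."""
    seen = set()
    for starts in table.values():
        for start in starts:
            for i in range(CHAIN_LEN):
                seen.add(chain_password(start, i))
    return len(seen)


if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} endpoints stored, {coverage(table)} of {SPACE} passwords covered")
    victim = chain_password("0000", 3)  # a password known to lie on a chain
    print("unsalted MD5 reversed to:", lookup(table, H(victim)))
    print("salted MD5 reversed to:", lookup(table, salted_hash(b"s4lt", victim)))
```

The table holds at most 400 rows yet reverses thousands of hashes; the price is CHAIN_LEN squared hash operations per lookup instead of one. Real tables use the same structure over far larger spaces, which is why password storage should use a unique salt per user and a deliberately slow hash (bcrypt, scrypt, Argon2) rather than a bare MD5 or SHA-1.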
What is the SETA program designed to do?
reduce the occurrence of accidental security breaches
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.
search warrant
This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.
security manager
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called __________.
software piracy
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
systems testing
Human error or failure often can be prevented with training and awareness programs, policy, and __________.
technical controls
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.
the type of crime committed
Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer?
theft
Digital forensics can be used for two key purposes: ________ or _________.
to investigate allegations of digital malfeasance; to perform root cause analysis
The final component of the design and implementation of effective policies is __________.
uniform and impartial enforcement
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
user-specific security policies
Which of the following is an advantage of the user support group form of training?
usually conducted in an informal social setting
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizing the technical expertise of the individual administrators
In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?
waterfall
Which of the following is NOT an aspect of access regulated by ACLs?
where the system is located
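The two cards on authorization (access control lists and capability tables as the two general approaches, and the who/what/when/where-from aspects an ACL regulates) describe two views of one authorization matrix: an ACL is a column of the matrix stored with the object, a capability table is a row stored with the subject. The example below is added here and is not from the midterm or its textbook; the subjects, objects, time window, source network and the audit record layout are all constructed for the illustration. It also records every decision, which is the accountability that the audit-log card refers to.

```python
"""ACL versus capability-table view of one authorization matrix, with the
when/where-from conditions an ACL entry can carry and an audit record of
each decision. Added illustration; all names and rules are constructed."""
from datetime import time
from ipaddress import ip_address, ip_network

# Access matrix: row = subject, column = object, cell = permitted operations.
# Constructed sample data.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "hr.doc": {"read"}},
    "bob": {"hr.doc": {"read"}},
    "backup-svc": {"payroll.db": {"read"}, "hr.doc": {"read"}},
}

# Extra conditions on an object's ACL: permitted hours and source networks.
# Constructed sample constraints.
CONDITIONS = {
    "payroll.db": {
        "hours": (time(8, 0), time(18, 0)),      # business hours only
        "from": [ip_network("10.0.0.0/8")],      # internal addresses only
    },
}

AUDIT_LOG: list = []   # (subject, object, operation, allowed, reason)


def acl_for(obj: str) -> dict:
    """ACL view (stored with the object): which subjects may do what to it.
    Answers 'who can read payroll.db?' in one step."""
    return {subj: set(ops[obj]) for subj, ops in MATRIX.items() if obj in ops}


def capabilities_for(subject: str) -> dict:
    """Capability-table view (stored with the subject): what it may touch.
    Answers 'what does bob hold?' in one step, so revoking a subject is cheap."""
    return {obj: set(ops) for obj, ops in MATRIX.get(subject, {}).items()}


def check_access(subject: str, obj: str, op: str, now: str, src_ip: str):
    """Deny-by-default decision over the ACL plus its when/where-from
    conditions. `now` is "HH:MM". Every decision is appended to AUDIT_LOG
    with its reason so it can be accounted for afterwards."""
    allowed, reason = False, "not in ACL"
    if op in acl_for(obj).get(subject, set()):
        cond = CONDITIONS.get(obj)
        if cond is None:
            allowed, reason = True, "ok"
        else:
            start, end = cond["hours"]
            if not (start <= time.fromisoformat(now) <= end):
                reason = "outside permitted hours"
            elif not any(ip_address(src_ip) in net for net in cond["from"]):
                reason = "source address not permitted"
            else:
                allowed, reason = True, "ok"
    AUDIT_LOG.append((subject, obj, op, allowed, reason))
    return allowed, reason


def revoke_subject(subject: str) -> int:
    """Remove every capability a subject holds; returns how many were removed.
    Trivial in the row view, a scan of every object's ACL in the column view."""
    removed = sum(len(ops) for ops in MATRIX.get(subject, {}).values())
    MATRIX.pop(subject, None)
    return removed


if __name__ == "__main__":
    print("ACL for payroll.db:", acl_for("payroll.db"))
    print("bob's capabilities:", capabilities_for("bob"))
    print(check_access("alice", "payroll.db", "write", "10:00", "10.1.2.3"))
    print(check_access("alice", "payroll.db", "read", "22:30", "10.1.2.3"))
    print(check_access("alice", "payroll.db", "read", "10:00", "203.0.113.5"))
    print(check_access("bob", "payroll.db", "read", "10:00", "10.1.2.3"))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The matrix itself is the same in both views; the choice of which projection to store decides which questions are cheap (who can reach this object, versus what can this subject reach) and which operations are cheap (changing an object's protection, versus revoking a subject). Note that `check_access` tests where the request comes from, not where the system is located, matching the distinction the card draws.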
As noted by Kosutic, options for placing the CISO (and his or her security group) in the organization are generally driven by organizational size and include all of the following EXCEPT:
within a division/department with a conflict of interest