IAA202-Part 2
How many technical controls are in NIST SP 800-53?
4
How many categories of data and information assets are there?
4
How many elements are in system access and availability?
4
In the CMMI, level ______ indicates the highest level of maturity.
5
How many legal requirements, compliance laws, regulations, and mandates are there?
6
How many elements should be considered when identifying assets and activities within risk assessment boundaries?
6
What is "five nines"?
99.999 percent uptime; it is sometimes needed for certain services
Several types of malicious code exist. Malware that appears to be one thing but is actually something else is ________.
A Trojan horse
What can you use to identify relevant vulnerabilities?
A and B only
What is a data warehouse?
A database created by combining multiple databases into a central database
What is a security policy?
A document created by senior management that identifies the role of security in the organization
What is a common drawback or weakness of a vulnerability scanner?
A high false-positive error rate
What should be included in the objectives of a risk management plan?
A list of threats, vulnerabilities, costs associated with risks, CBA
Which of the following is NOT included in the objectives of a risk management plan?
A list of threats, vulnerabilities, Costs associated with risks, cba
What is a proximity card?
A proximity card is a small credit-card-sized device. It includes electronics that will activate when it is close to a proximity reader. The card sends a signal to the reader identifying it. If the card is authorized, the door will open.
Which of the following is a major component of a risk management plan?
A risk assessment
What is a single point of failure?
A single point of failure is any part of a system that can cause the entire system to fail if it fails.
Of the following, what should be included in a cost-benefit analysis report?
A, B, C, and D
What would an account management policy include?
A, B, and C
When identifying the assets you have in your organization, what would you include?
A, B, and C
A ________ is used to identify the impact on an organization if a risk occurs.
Business impact analysis (BIA)
Laura and her team are diligently working on a company-wide risk assessment initiative. At the conclusion of her team's work, all of the following goals could be met, except:
Countermeasures have been put into place and communicated to the appropriate personnel.
You are considering an alternate location for a DRP. You want to minimize costs for the site. What type of site would you choose?
Cold site
Companies that practice separation of duties force two or more employees to carry out which of the following in order to commit fraud?
Collusion
What can be used to remind users of the contents of the AUP?
Companies also sometimes use banners and logon screens to remind personnel of the policy
Which of the following are accurate pairings of threat categories? (Select two.)
Computer and user, External and internal
A(n) ________ is a violation of a security policy or security practice.
Computer incident or computer security incident
An administrator has discovered that a Web server is responding very slowly. Investigation shows that the processor, memory, and network resources are being consumed by outside attackers. This is a ________ attack.
Denial of service (DoS) or distributed DoS (DDoS)
What is the second step of the incident response life cycle?
Detection and analysis
What type of control is an intrusion detection system (IDS)?
Detective
What does a BCP help to protect during and after a disruption or disaster?
Confidentiality, integrity, and availability
What can you use to ensure that unauthorized changes are not made to systems?
Configuration management
After an incident has been verified, you need to ensure that it doesn't spread to other systems. What is this called?
Containment
A ________ will reduce or eliminate a threat or vulnerability.
Control or countermeasure
According to Maylor, what are traditionally the core three risk categories?
Cost, schedule, and quality
Which is the most valuable technique when determining if a specific security control should be implemented?
Cost/benefit analysis
What determines if an organization is governed by FERPA?
FERPA mandates access to educational records by students or parents. If the school has a large volume of these requests, it could affect regular operations. The school could choose to limit when access to records is granted.
A BCP and DRP are the same thing.
False
A cost-benefit analysis is an important part of a BIA.
False
A technical control prevents unauthorized personnel from having physical access to a secure area or secure system.
False
Business continuity and disaster recovery are the same thing.
False
Configuration management ensures that changes are not made to a system without formal approval.
False
Disaster recovery and fault tolerance are the same thing.
False
ITL and ITIL are different names for the same thing.
False
In general, it's acceptable for members of a CIRT to take actions to attack attackers. This is one of the normal responsibilities of a CIRT.
False
MAO is the minimal acceptable outage that a system or service can have before affecting the mission.
False
Once a DRP has been created, it's not necessary to update it.
False
Once you have deployed countermeasures, it's not necessary to retest to ensure that the exploit has been mitigated.
False
Only police or other law enforcement personnel are allowed to do computer forensics investigations.
False
Qualitative analysis is more time consuming than quantitative analysis.
False
Risk assessments are a continuous process.
False
Technical controls protect the physical environment. They include basics such as locks to protect access to secure areas. They also include environmental controls.
False
You can completely eliminate risk in an IT environment.
False
What is a US-based law?
Federal Information Security Management Act (FISMA) 2002
A POAM is used to track the progress of a project. What type of chart is commonly used to assist with tracking?
Gantt chart
Your organization is governed by HIPAA. You suspect that your organization is not in compliance. What would document the differences between what is required and what is currently implemented?
Gap analysis
What is the first step in an exploit assessment?
Get permission first
When performing exploit assessments, best practice is:
Get permission first, identify as many exploits as possible, use a gap analysis
What is GLBA, a US-based law?
Gramm-Leach-Bliley Act 1999
What law applies to organizations handling health care information?
HIPAA
What information do you need to know about hardware assets?
Hardware assets are any assets that you can physically touch. This includes computers such as laptops, workstations, and servers. It also includes network devices such as routers, switches, and firewalls.
What are two types of intrusion detection systems?
Host-based and network-based
You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use?
Principle of least privilege
You want to ensure that users are granted only the permissions needed to access data required to perform their jobs. What should you use?
Principle of need to know
What elements are included in a qualitative analysis?
Probability and impact
What does a qualitative RA use to prioritize a risk?
Probability and impact
Controls are often categorized based on how they are implemented. What are the three common methods of implementing controls?
Procedural, technical, and physical
The COBIT framework refers to IT governance. Of the following choices, what best describes IT governance?
Processes to manage IT resources
You are performing a cost-benefit analysis. You want to determine if a countermeasure should be used. Which of the following formulas should you apply?
Projected benefits - Cost of countermeasure
What is one way that you can help to reduce safety risks for your organization's activities and events?
Properly plan by thoroughly thinking through events and activities
The Federal Information Security Management Act (FISMA) assigns specific agencies responsibility for what?
Protecting systems and data
A malicious virus is replicating and causing damage to computers. How do security professionals refer to the virus?
In the wild
Which controls do not belong to the control categories used when identifying and evaluating countermeasures?
In-Place and Planned controls
A(n) ________ countermeasure has been approved and has a date for implementation.
In-place
After an incident has been verified, you need to ensure that it doesn't spread to other systems. What is this called?
Incident response
You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. When calculating the costs, you should calculate the direct and ________ costs.
Indirect
What is the category of intellectual property?
Industrial property
What can you use to share or transfer risk associated with potential disasters?
Insurance
A loss of client confidence or public trust is an example of a loss in which of the following categories?
Intangible Value
A loss of client confidence or public trust is an example of a loss of ________.
Intangible value
Which of the following is a method to identify assets and activities to be protected?
Manual
The ________ identifies the maximum acceptable downtime for a system.
Maximum acceptable outage (MAO)
What is the MAO?
Maximum acceptable outage (MAO). The MAO identifies the maximum acceptable downtime for a system.
Logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. What is this called?
Nonrepudiation
What are the three phases of a BCP?
Notification/activation, recovery, reconstitution
What are valid contents of a risk management plan?
Objectives, Scope, Recommendations, POAM
Which of the following is NOT valid contents of a risk management plan?
Objectives, Scope, Recommendations, POAM
When reviewing previous findings, the items especially worth investigating are all of the following except:
Obsolete proposals
A copy of backups should be stored ________ to ensure the organization can survive a catastrophic disaster to the primary location.
Off-site
An account management policy needs to be created as a mitigation countermeasure. You will write the policy. What's a reasonable amount of time for the written policy to be completed and approved?
One month
What type of data should be included when identifying an organization's data or information assets?
Organizational data, Customer data, Intellectual property
Merchants that handle credit cards are expected to implement data security. What standard should they follow?
PCI DSS
Which of the following is a technical control?
PKI
What is created with a risk assessment to track the implementation of the controls?
POAM
Shirley is in charge of asset identification and classification as part of a risk assessment initiative. In going through an inventory list, she must decide if an asset is tangible or intangible. Which of the following should she mark as intangible?
Reputation
What is HIPAA?
Requires the protection of any health-related data
You have applied controls to minimize risk in the environment. What is the remaining risk called?
Residual risk
You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations?
Resource allocation, Risk acceptance
You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations? (Select two.)
Resource allocation, Risk acceptance
According to NIST SP 800-30, if a threat exploits the vulnerability, a medium impact:
Results in human injury
What is a technique for identifying threats?
Review historical data
Which statement is incorrect about risk assessment?
Risk assessments are not relevant to a risk management program
A company decides to reduce losses from a threat by purchasing insurance. Which of the following risk management techniques is this?
Risk transfer
What problem can occur if the scope of a risk management plan is not defined?
Scope creep
What is hardening a server?
Securing it from the default configuration
Who is ultimately responsible for losses resulting from residual risk?
Senior management
If a programmer is restricted from updating and modifying production code, what is this an example of?
Separation of duties
Which of the following security principles divides job responsibilities to reduce fraud?
Separation of duties
Which of the following is NOT a domain of the COBIT categories?
Support and Monitor
Which of the following is NOT a result of a penetration test?
System testing, Exploit assessments
What is the scope of risk management for the System/Application Domain?
System/Application Domain - A primary requirement to keep these systems secure is to ensure administrators have adequate training and knowledge. Additionally, configuration and change management practices are helpful. Configuration management ensures the systems are configured using sound security practices.
After a BCP has been activated, who will recover and restore critical IT services?
TRT
What types of exercises can demonstrate a BCP in action? (Select three.)
Tabletop exercises,Functional exercises,Full-scale exercises
Your organization requires users to log on with smart cards. This is an example of a(n) ________ control.
Technical
Which best describes technical controls?
Technical controls are software tools that automate protection. A technical control is enforced using technology.
What does TPM stand for?
Technology Protection Measure
If your organization is governed by FISMA, what is one of the important issues to understand first?
The Federal Information Security Management Act (FISMA) was passed in 2002. Its purpose is to ensure that federal agencies protect their data. It assigns specific responsibilities for federal agencies.
The CVE list is maintained by ________.
The MITRE Corporation
Which of the following statements is true?
The RTO applies to any systems or functions. However, the RPO only refers to data housed in databases.
Which best describes System and Services Acquisition (SA) control?
The SA family includes many controls related to the purchase of products and services. It also includes controls related to software usage and user-installed software.
When defining the system for the risk assessment, what should you ensure is included?
The current configuration of the system
What is the first step in an exploit assessment?
The first step in an exploit assessment is to perform a vulnerability test.
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
The level of insurance required to cover the asset
Which statement is true about ARO?
The number of times an incident is expected to occur in a year
Your organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased?
The operational impact of the control
What is data mining?
The process of retrieving relevant data from a data warehouse
Business continuity plans address all of the following except:
The protection of cold sites at a remote location
You are reviewing your organization's asset management data. You want to ensure that all elements of the organization are included. What can you compare the asset management system against to ensure the entire organization is covered?
The seven domains of a typical IT infrastructure
What is the RTO?
The time when a system or function must be recovered.
What are the risks to assets in the Workstation Domain?
Theft, Update
Which definition is true about planned controls?
These are controls that have a specified implementation date.
A DRP has multiple purposes. This includes saving lives, ensuring business continuity, and recovering after a disaster.
True
A POAM can be used to follow up on a risk mitigation plan.
True
A PTZ camera is used within a CCTV system. It can pan, tilt, and zoom.
True
A fishbone diagram can link causes with effects.
True
A key stakeholder should have authority to make decisions about a project. This includes authority to provide additional resources.
True
A milestone plan chart is a simple graphical representation of major milestones. It shows the major milestones laid out in a graphical format.
True
A single risk can be mitigated by more than one countermeasure.
True
A threat is any activity that represents a possible danger, with the potential to affect confidentiality, integrity, or availability.
True
All events on a system or network are considered computer security incidents.
True
Controls can be identified based on their function. The functions are preventative, detective, and corrective.
True
Fiduciary refers to a relationship of trust.
True
ITIL is a group of five books developed by the United Kingdom's Office of Government Commerce.
True
It is possible to ensure a service is operational 99.999 percent of the time even if a server needs to be regularly rebooted.
True
Once a BCP has been developed, it should be reviewed and updated on a regular basis, such as annually.
True
Risk assessments are a continuous process.
True
Stakeholders can determine what functions are considered critical business functions.
True
SQL injection is an attack technique that allows an attacker to insert SQL code into data sent to the server, and it is executed on the database server.
True
Threat modeling allows you to prioritize attacks based on their probability of occurring and the potential harm.
True
You are beginning an RA for a system. You should define both the operational characteristics and the mission of the system in the early stages of the RA.
True
Which U.S. government agency regularly publishes alerts and bulletins related to security threats?
US-CERT
One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data?
Uncertainty level
Which of the following is the best example of an internal threat?
Unintentional access
In best practices for exploit assessments, what is a solution for legal compliance?
Use a gap analysis
What is the best way to manage threats within your IT infrastructure?
Use access controls
Of the following choices, what are considered best practices related to a BIA?
Use different data collection methods.
Which of the following is an internal threat?
User accidentally deletes new product designs.
What is the main reason for the vividness weighting problem?
the channel for communication of intelligence is too short
An acceptable use policy is an example of a(n) ________ control.
Administrative
An acceptable use policy is an example of an __________ security control.
Administrative
Awareness and training is an example of a(n) ________.
Administrative control
Which of the following is NOT a type of risk management technique?
Against
A router can filter traffic based on?
All of the above
What is the scope of risk management for your organization?
All of the above
A certain DRP covers a system that hosts a large database. You want to ensure that the data is copied to an off-site location. What could you use?
All of the above
A log has shown that a user has copied proprietary data to his computer. The organization wants to take legal action against the user. You are tasked with seizing the computer as evidence. What should you establish as soon as you seize the computer?
All of the above
Of the following choices, what would be considered an asset?
All of the above
Of the following, what would be considered a best practice when performing risk assessments?
All of the above
What are valid contents of a risk management plan?
All of the above
What can an organization use to remind users of AUP contents?
All of the above
What can you use to help quantify risks?
All of the above
What should be included in the objectives of a risk management plan?
All of the above
Which of the following may be included in a CIRT plan?
All of the above
Which of the following should you identify during a risk assessment?
All of the above
Which of the following steps could be taken to harden a server?
All of the above
You are considering using a hot site as an alternate location. You want to consider different technologies to keep the data updated and decrease the time it will take for the hot site to become operational. What are some technologies that may help?
All of the above
You are reviewing a countermeasure to add to the mitigation plan. What costs should be considered?
All of the above
Your organization has created a DRP but it hasn't been tested. Which of the following methods can you use to test it?
All of the above
NIST SP 800-53 identifies controls in three primary classes. What are they?
All of the below
Of the following choices, what would be considered an asset?
All of the below
Of the following, what should be included in a cost-benefit analysis report?
All of the below
What would an account management policy include?
All of the below
A risk assessment (RA) is?
All of them
A vulnerability assessment may have multiple goals, such as?
All of them
If your company is involved with the sale or trade of securities, what laws should you be aware of?
All of them
What are the two primary assessments used to identify and evaluate vulnerabilities?
All of them
What are properties of IA?
All of them
When identifying hardware assets in your organization, what information should you include?
All of them
Which of the following statements is correct when referring to a qualitative risk assessment?
All statements are correct
Which of the following choices is not considered a best practice when identifying threats?
Assume the systems have not changed since the last threat assessment.
When reviewing historical data, you can look for certain events. They are:
Attack, Accident, Natural Event, Equipment failures
When reviewing historical data, you can look for certain events. Which of the following is not one of them?
Attacks, natural events, accidents, equipment failure
Which of the following methods can be used to identify threats?
Both A and B
System testing includes?
Both of them
What will the scope of a risk management plan define?
Boundaries
Of the following, what is critical for any DRP?
Budget
A program that receives too much data so that it cannot execute instructions properly has been exploited by which of the following attacks?
Buffer overflow
What allows an attacker to gain additional privileges on a system by sending unexpected code to the system?
Buffer overflow
Which of the following is used to identify the impact on an organization if a risk occurs?
Business Impact Analysis (BIA)
DRP means essentially the same thing as all but which of the following?
Business continuity plan
The BIA is a part of the ________.
Business continuity plan (BCP)
How much can an organization be fined in a year for HIPAA-related mistakes?
$25,000
How much can an organization be fined in a year for mistakes that result in noncompliance?
$25,000
Larry is in charge of presenting risk assessment calculations to his boss by the end of the week. He concludes that a server with heavy traffic has an annualized loss expectancy (ALE) of $15,000 with an annualized rate of occurrence (ARO) of 5. What is the server's single loss expectancy (SLE) value?
$3,000
A company issues laptop computers to employees. The value of each laptop is $1,500. About 100 laptops are being used at any time. In the past two years, the company has lost an average of one laptop per quarter. The company can provide hardware locks for the laptops in bulk at a cost of $10 each, and the ARO will decrease to 1. What is the saving with the control?
$4,500
How many preliminary actions need to be completed before progressing with the RA?
2
Routers have __________ to control what traffic is allowed through them.
ACLs
Of the following, what would be considered a best practice when performing risk assessments?
All of the below
You present management with recommendations from a risk management plan. What can management choose to do?
Accept, defer, or modify the recommendations
What can you do to manage risk? (Select three.)
Accept,Transfer,Avoid
What is an AUP?
Acceptable use policy (AUP). An AUP defines acceptable use of systems. It identifies what a user can and cannot do on a system. It is sometimes referred to as Rules of Behavior.
Routers have ________ to control what traffic is allowed through them.
Access control lists (ACLs)
You want to know if users are granted the rights and permissions needed to do their job only, and no more. You should perform a(n) ________ test.
Access controls
You want to know if users are granted the rights and permissions needed to do their job only, and no more. You should perform which of the following tests?
Access controls
Which of the following tests verifies user rights and permissions?
Access controls testing
A(n) ________ control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more.
Access
Logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. What is this called?
Nonrepudiation
What their actual responsibilities are when the BCP is ________.
Activated
Your organization wants to check compliance with internal rules and guidelines. The organization wants to ensure that existing policies are being followed. What should be performed?
An audit
What should be performed?
An audit trail
What is a stakeholder?
An individual or group that has an interest in the project
What is an ARO?
Annualized Rate of Occurrence
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
Annually
What is a single point of failure?
Any single part of a system that can cause the entire system to fail, if it fails
Which choice MOST closely depicts the difference between qualitative and quantitative risk analysis?
A quantitative RA uses less guesswork than a qualitative RA.
A risk ________ is a major component of a risk management plan.
Assessment
An organization wants to ensure it can continue mission-critical operations in the event of a disaster. What should it use?
BCP
The ________ is responsible for declaring an emergency and activating the BCP.
BCP coordinator
A(n) ________ is a plan that helps an organization continue to operate during and after a disruption or disaster.
BCP or business continuity plan
What can you do to show that the BCP will work as planned?
BCP testing
An organization wants to determine what the impact will be if a specific IT server fails. What should it use?
BIA
Which of the following is used to identify the impact on an organization if a risk occurs?
BIA
The following are the major categories of reporting requirements except:
BIA report
Which of the following has an incorrect definition assigned to the term?
Baseline = a description of what the environment will look like, a standard of measure, after security is implemented
Before progressing with the RA, you need to complete which of the following actions?
Define the assessment
What is a primary tool used to identify the financial significance of a mitigation tool?
CBA
What is included in an RA that helps justify the cost of a control?
CBA
You are evaluating two possible countermeasures to mitigate a risk. Management only wants to purchase one. What can you use to determine which countermeasure provides the best cost benefits?
CBA
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing which of the following?
CBA Costs Business Analysis
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a ________.
CBA or cost-benefit analysis
Which of the following is a physical control?
CCTV
Which of the following is a physical control?
CCTV
What law requires schools and libraries to limit offensive content on their computers?
CIPA
What is this standard?
COBIT
Which of the following is the de facto standard of best practices for IT service management? It was created because of the increased dependence on information technology to meet business needs.
COBIT
The ________ is an industry-recognized standard list of common vulnerabilities.
CVE
What is the standard used to create Information Security Vulnerability names?
CVE
Which of the following is an industry recognized standard list of common vulnerabilities?
CVE
A risk management plan includes a list of findings in a report. The findings identify threats and vulnerabilities. What type of diagram can document some of the findings?
Cause and effect diagram
What three elements should be included in the findings of the risk management report?
Causes, criteria, and effects
Your organization wants to issue certificates for internal systems such as an internal Web server. You'll need to install a ________ to issue and manage certificates.
Certification authority (CA)
What management program can be implemented to ensure that the configuration of systems is not modified without a formal approval?
Change management
What can be used to help identify mission-critical systems?
Critical business functions
What would you use to identify mission-critical systems?
Critical business functions
A ________ is an element necessary for success. For example, the success of a DRP depends on elements such as management support and a disaster recovery budget.
Critical success factor (CSF)
Mission-critical business functions are considered vital to an organization. What are they derived from?
Critical success factors
Which of the following is an intangible value?
Customer influence
After a BCP has been activated, who will assess the damages?
DAT
Mary is creating malicious code that will steal a user's cookies by modifying the original client-side JavaScript. What type of cross-site scripting vulnerability is she exploiting?
DOM-based
An organization wants to ensure it can recover a system in the event of a disaster. What should it use?
DRP
Which of the following is a procedural control?
DRP
Intellectual property is an example of
Data and information assets
What is the greatest risk to an organization when peer-to-peer software is installed on a user's system?
Data leakage
Which of the following strategies helps reduce security gaps even if a security control fails?
Defense in depth
A(n) ________ is a plan used to restore critical business functions to operation after a disruption or disaster.
Disaster recovery plan (DRP)
Which of the following is the most serious attacker?
Disgruntled employees
What are some sources of internal threats? (Select all that apply.)
Disgruntled employee, equipment failure, software failure, data loss
Attackers attempt a DoS attack on servers in your organization. The CIRT responds and mitigates the attack. What should be the last step that the CIRT will complete in response to this incident?
Document the incident.
Risk assessment is not always met with open arms by management for all of the following reasons except:
Due care and due diligence
After a BCP has been activated, who has overall authority for the recovery of systems?
EMT
Who should perform vulnerability assessments?
Either internal or external security professionals, or both
Corruption/modification is one of the biggest threats to an operations environment. Which of the following is the typical culprit in this type of threat?
Employees
Which of the following is an internal threat?
Employees not following security policy
How does training help?
Employees understand that security is everyone's responsibility
What can be used to ensure confidentiality of sensitive data?
Encryption
A risk management plan project manager oversees the entire plan. What is the project manager responsible for? (Select two.)
Ensuring costs are controlled,Ensuring the project stays on schedule
You want to identify if any of the discovered vulnerabilities can be exploited. What should you perform?
Exploit assessment
Which of the following is an accurate pairing of threat categories?
External and internal, intentional and accidental
What does ELT stand for?
Extract, Load and Transform
What type of site would you choose?
Hot site
Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifies objectives and controls. Part II is used for certification.
ISO 27002 Information Technology Security Techniques
Which of the following ISO documents provides generic guidance on risk management?
ISO 31000 Risk Management Principles and Guidelines
You are performing a BIA for an organization. What should you map the critical business functions to?
IT systems
What are the three stages of cyclical risk management?
Identification, analysis, and monitoring and control
Which of the following is the correct order of steps in the risk identification techniques?
Identify Asset Value, Identify threats, Identify vulnerabilities, Identify consequences
Which of the following is not a risk identification technique?
Identify cost of Risk
What are two objectives of a BIA? (Select two.)
Identify critical resources; identify critical business functions.
Which of the following is not a key objective that directly supports the BCP?
Identify critical threats
What is the third step of business impact analysis planning?
Identify mission-critical business functions and processes
Which of the following are critical components of a risk assessment?
Identify scope, Identify critical areas, Identify team
What is the second step of a BIA process?
Identify stakeholders.
Which of the following is a goal of risk management?
Identify the correct cost balance between risk and controls
Which of the following is not a purpose of the DRP?
Identify business impact
What determines if an organization is governed by HIPAA?
If employees handle health-related information
What determines if an organization is governed by FERPA?
If it is a federal agency
What determines if an organization is governed by FISMA?
If it is a federal agency
What determines if an organization is governed by SOX?
If it is registered with the Securities and Exchange Commission
What determines if an organization is governed by CIPA?
If it receives E-Rate funding
What is a stakeholder?
An individual or group that has a stake, or interest, in the success of a project
What is functionality testing?
It is primarily used with software development. It helps ensure that a product meets the functional requirements or specifications defined for the product
What is asset valuation?
The process of determining the fair market value of an asset
Which of the following correctly describes an audit trail?
It is a series of events recorded in one or more logs.
Why should employers make sure employees take their vacations?
It is a way that fraud can be uncovered.
What is a certification authority (CA)?
It issues and manages certificates
The DIACAP is a risk management process applied to IT systems. What happens after a system is accredited?
It receives authority to operate.
An organization may use a ________ rotation policy to help discover dangerous shortcuts or fraudulent activity.
Job
Employees in some companies are often required to take an annual vacation of at least five consecutive days. The purpose is to reduce fraud and embezzlement. What is this called?
Job rotation
Which of the following is a critical success factor of the DRP?
Knowledge and authority for DRP developers
What is the impact of legal and compliance implications on the LAN-to-WAN Domain?
LAN-to-WAN Domain: A firewall is used to protect a network here. PCI DSS specifically requires a firewall. A library may use a proxy server as a TPM to comply with CIPA. A proxy server has access to the Internet and the intranet. It would need additional security to protect it from external attacks.
A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. What operations should you move back to the original location first?
Least critical business functions
What could a password policy include?
Length of password
Business processes can survive without the business functions for one or more days. What is this impact value level?
Level 2
Which of the following is an example of a technical security control?
Login identifier, Session timeout, System log, Audit trails, Input validation, Firewalls, Encryption
What can be used to remind users of the contents of the AUP?
Logon banners, posters, e-mails
Which of the following is a valid formula used to identify the projected benefits of a control?
Loss before control - Loss after control = Projected benefits
You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. Which one of the following is a direct cost?
Loss of sales
A risk management plan includes steps to mitigate risks. Who is responsible for choosing what steps to implement?
Management
Although these threats are unintentional, you can address them with a risk management plan. Which of the following is a method to do that?
Managing environmental threats
Which of the following is NOT a risk management technique?
Migrate
The ________ plan will include details on how and when to implement approved countermeasures.
Mitigation
Some malware can execute on a user's system after the user accesses a Web site. The malware executes from within the Web browser. What type of malware is this?
Mobile code
When identifying hardware assets in your organization, what information should you include?
Model and manufacturer, serial number, location
Which of the following is NOT a result of a penetration test?
Modify access control permissions
What is a full-scale exercise?
More realistic than either tabletop or functional exercises
What are the kinds of intrusion detection systems?
NIDS and HIDS
Which government agency includes the Information Technology Laboratory and publishes SP 800-30?
NIST
Contingency Planning (CP) is an example of
NIST SP 800-53 Operational Controls
The two major categories of threats are human and ________.
Natural
What is the name of a common tool used to perform an automated vulnerability assessment scan?
Nessus
When identifying assets, your asset inventory could result in a high priority for:
Network infrastructure
Which of the following is NOT true about risk management techniques?
Performance
Which of the following is an example of an operational control?
Personnel Security (PS)
You use video cameras to monitor the entrance of secure areas of your building. This is an example of a(n) ________ control.
Physical
Which statement is true about physical security controls?
Physical security controls include controls such as locks and guards to restrict physical access
What is a POAM?
Plan of action and milestones
Which of the following is an example of an administrative security control?
Policies and procedures, Security plans, Insurance, Personnel checks, Awareness and training, Rules of behavior
Which of the following are considered facility costs for the implementation of a countermeasure?
Power and air conditioning
Many steps are taken before, during, and after an incident. Of the following choices, what accurately identifies the incident response life cycle?
Preparation, detection and analysis, containment, eradication and recovery, and post-incident recovery
Which of the following is not a risk management technique?
Prevent
What are the primary objectives of a control?
Prevent, recover, and detect
What should you do?
Purchase the control.
Which of the following elements are commonly included in a DRP?
Purpose, scope, communications, recovery procedures
A ________ risk assessment is subjective. It relies on the opinions of experts.
Qualitative
A company needs to determine its security budget for the next year. It interviews users, administrators, and managers in the information technology division, who render opinions and recommendations based upon their perceptions of security risk. This is an example of what kind of approach to risk analysis?
Qualitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ________ risk assessment is that it can be completed more quickly than other methods.
Qualitative
A ________ risk assessment is objective. It uses data that can be verified.
Quantitative
A ________ risk assessment uses SLE.
Quantitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ________ risk assessment is that it includes details for a cost-benefit analysis.
Quantitative
What would be an appropriate difference between a qualitative and a quantitative risk analysis?
Quantitative approach indicates the total cost of security implemented for protection, while qualitative identifies the expected acceptance of the security policy from the organization.
You want to ensure that a BCP includes specific locations, systems, employees, and vendors. You should identify these requirements in the ________ statement.
Scope
You are working on a BIA. You want to identify the maximum amount of data loss an organization can accept. What is this called?
Recovery point objectives
A business impact analysis (BIA) includes a maximum acceptable outage (MAO). The MAO is used to determine the amount of time in which a system must be recovered. What term is used in the DRP instead of the MAO?
Recovery time objective (RTO)
You have identified the MAO for a system. You now want to specify the time required for a system to be recovered. What is this called?
Recovery time objectives
What is the primary goal of an information security program?
Reduce losses related to loss of confidentiality, integrity, and availability
The primary purpose of countermeasures, safeguards, or controls is to mitigate risk. How?
Reducing the impact of threats and a vulnerability to an acceptable level
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
Replacement value - This is the cost to purchase a new asset in its place, Recovery value - This is the cost to get the asset operational after a failure.
The National Institute of Standards and Technology published Special Publication 800-30. What does this cover?
Risk assessments
Which of the following elements is commonly included in any CBA report for a countermeasure?
Risk to be mitigated
What should you use to ensure that users understand what they can and cannot do on systems within the network?
Rules of behavior
A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. You have rebuilt several servers at the primary location. What should you do?
Run the servers concurrently with the alternate location for three to five days.
Your organization wants to have an agreement with a vendor for an expected level of performance for a service. You want to ensure that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use?
SLA
What elements are included in a quantitative analysis?
SLE, ALE, ARO
What does a quantitative RA use to prioritize a risk?
SLE, ARO, and ALE
CEOs and CFOs can go to jail if financial statements are inaccurate. What law is this from?
SOX
Which of the following is a CBF?
Sales from the Web site
What must you define when performing a qualitative risk assessment?
Scales used to define probability and impact
What defines the boundaries of a business impact analysis?
Scope
A CBA can be used to justify the purchase of a control.
True
Which of the following best describes separation of duties and job rotation?
Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.
The risk management plan specifies responsibilities. You can assign responsibilities to all except:
Staff and customers
A user has installed P2P software on a system. The organization's policy specifically states this is unauthorized. An administrator discovered the software on the user's system. Is this a computer security incident? If so, what type?
This is a form of inappropriate usage.
What is the recovery value?
This is the cost to get the asset operational after a failure
Which of the following is not provided by a threat model?
Threat controls
The formula for risk is Risk ________.
Threat × Vulnerability
Which one of the following properly defines risk?
Threat × Vulnerability
Which one of the following properly defines total risk?
Threat × Vulnerability × Asset Value
What can you use to determine the priority of countermeasures?
Threat/likelihood-impact matrix
Which of the following should you match with a control to mitigate a relevant risk?
Threat/vulnerability pair
Which of the following is not a consideration when developing the mitigation plan?
Time to approve the countermeasures
What is the purpose of a BCP?
To ensure mission-critical elements of an organization continue to operate after a disruption
Which of the following is a goal of risk management?
To identify the correct cost balance between risk and controls
What is the primary goal of an information security program?
To reduce losses related to loss of confidentiality, integrity, and availability
What type of approach does a BIA use?
Top-down approach where CBFs are examined first
What is the responsibility of the risk management PM?
Tracking and managing all project issues
A company decides to reduce losses of a threat by purchasing insurance. This is known as risk ________.
Transfer
You have applied controls to minimize risk in the environment. What is the remaining risk called?
Transfer
When evaluating this type of automated method, there are several other things to consider, such as the following?
Value to the customers
A risk assessment was completed three months ago. It has recently been approved, and you're tasked with implementing a mitigation plan. What should you do first?
Verify risk elements.
A ________ assessment is used to identify vulnerabilities within an organization.
Vulnerability
Which type of assessment can you perform to identify weaknesses in a system without exploiting the weaknesses?
Vulnerability assessment
You are considering an alternate location for a DRP. You want to use a business location that is already running noncritical business functions as the alternate location. This location has most of the equipment needed. What type of site is this?
Warm site
What should be logged in an audit log?
Who, what, when, and where details of an event
8. Which of the following is a drawback of the traditional intelligence cycle?
A gap exists between dissemination and needs
31. Which of the following is correct pertaining to the stochastic model?
A model that has any uncertainty incorporated into it
2. Which best describes a physical model?
A tangible representation of something
13. What is the framing effect?
Awareness of the problems in a certain frame
29. Which of the following is not a predictive mechanism?
Bayesian
24. What is a passive deception?
Decoys
22. Crisis management is an activity called for at which of the following levels?
Defeat
17. In social network analysis, what is the source used to evaluate the centrality concept?
Degree, closeness, and betweenness
28. What is the first step of the predictive approach?
Determine the forces that acted on the entity to bring it to its present state
7. What is the final step in a cycle of the traditional intelligence cycle?
Dissemination
25. In Wigmore's charting method, what do question marks mean?
Doubt about the probative effect of the evidence
6. What is a SIGINT denial?
Emissions control
14. The network perspective suggests that the power of an individual actor arises from relationships with other actors. This concept is called:
Equivalence
18. What is the first step of a collection strategy?
Examining the relationship
9. What is Occam's razor principle?
Explain your observations with the fewest possible hypotheses
As long as a company is profitable, it does not need to consider survivability.
False
32. What is not SIGINT?
IMINT
35. Geospatial intelligence is an example of
IMINT
15. Which of the following is a projection technique?
Influence trees
Which of the following is NOT a type of asset?
Installed components, hardware peripherals, installed software, update versions, and more
36. What is SIGINT?
Intelligence derived from deliberate electronic transmission
26. Which of the following is a positive government regulatory force?
Intervention
20. What is the deterrence level?
It focuses on an opponent's potential actions as a way to resolve an already unfavorable situation
37. What is not an open source in technology assessment?
License
11. What is the most complex system?
Narcotics distribution system
4. What does NIH stand for?
Not-invented-here
19. Which of the following is not a characteristic of complex problems?
Only one stakeholder
Intellectual property is an example of
An organization's data or information assets
33. What is the top stage of the generic target model that has been used for describing the development of a technology or product?
Production prototype
23. What is the first step of the traditional intelligence cycle?
Requirements or needs
30. What are enigmas?
Something that the analyst knows exists with physical evidence
16. Which of the following is not a level of conflict?
Statistical
1. What is the complex descriptive conceptual model?
Stochastic
27. What is cumulative redundancy?
The report does not duplicate information, but it adds credibility to the other reports
What is the ROI?
The return on investment
21. What is tradecraft?
The techniques that are standardized in business intelligence
A DMZ, or demilitarized zone, is used in a networking context for what primary purpose?
To provide a high level of security for the private network
5. Which of the following is not a relationship model?
Tree
Quantitative risk assessment is objective. It uses data that can be verified.
True
34. In the statement of the problem, what is the result needed?
Written reports (increasingly in electronic form)