info assurance mid term

The security of a computer application is most effective and economical in which of the following cases? The system is procured off-the-shelf. The system is customized to meet the specific security threat. The system is optimized prior to the addition of security. The system is originally designed to provide the necessary security.

The system is originally designed to provide the necessary security.

Why is it important to consistently enforce policy, and not "go easy on someone"? -It is easier to defend in court -Playing favorites creates resentment -The welfare of the overall organization is more important than the individual's -Policies should never be broken

The welfare of the overall organization is more important than the individual's

What issue is addressed by both the Bible and corporate policies? -stealing -without common rules, people may adopt common behaviors and choices that make the overall group less stable -The behavior of people in power -People tend to forget things if they are not periodically reminded of their obligations

without common rules, people may adopt common behaviors and choices that make the overall group less stable

When backing up an applications system's data, which of the following is a key question to be answered first? How to store backups What records to backup When to make backups Where to keep backups

What records to backup

Which of the following is NOT contained in the Security Policy Document Policy? -Who is in charge of enforcing the policy -Who is in charge of designing the policy -A statement about the need for information security policies -What users may or may not do

What users may or may not do

Which part of the U.S. Constitution is analogous to the first approved version of a new information security policy? -the Torah -articles -amendments -the Bill of Rights

articles

Operations Security seeks to primarily protect against which of the following? facility disaster compromising emanations asset threats object reuse

asset threats

The object-relational and object-oriented models are better suited to managing complex data such as required for which of the following? computer-aided development and imaging. computer-aided duplexing and imaging. computer-aided processing and imaging. computer-aided design and imaging.

computer-aided design and imaging.

An employee accidentally makes changes to a company-owned file. This is known as a violation of Data Integrity Data Confidentiality Data Availability Data Authorization

data integrity

What is the appropriate role of the security analyst in the application system development or acquisition project? policeman data owner data owner application user

data owner

A persistent collection of interrelated data items can be defined as which of the following? database security database database shadowing database management system

database

If an operating system permits shared resources such as memory to be used sequentially by multiple users/applications or subjects without a refresh of the objects/memory area, what security problem is most likely to exist? data leakage through covert channels disclosure of residual data denial of service through a deadly embrace unauthorized obtaining of a privileged execution state

disclosure of residual data

What is the opposite of the C.I.A. in risk management? confidentiality, integrity, availability authorization, non-repudiation, integrity disclosure, alteration, destruction misuse, exposure, destruction

disclosure, alteration, destruction (D.A.D.)

Which of the following is NOT a threat to data confidentiality? -Hackers -Social engineering -Encryption -Improper access controls

encryption

Mandatory Access Control requires that sensitivity labels be attached to all objects. Which of the following would be designated as objects on a MAC system? -devices, processes, I/O pipe, and sockets -files, directories, and print queue -users, windows, and programs -files, directories, processes, and sockets

files, directories, processes, and sockets

Information systems are a combination of applications policies and procedures hardware and software controls and procedures

hardware and software

The information security staff's participation in which of the following system development life cycle phases provides maximum benefit to the organization? in parallel with every phase throughout the project project initiation and planning phase development and documentation phase system design specifications phase

in parallel with every phase throughout the project

The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address? none of the above confidentiality and availability integrity and confidentiality integrity and availability

integrity and availability

In which of the following policy elements should the policy number appear? -Policy objectives -Statement of authority -Policy heading -Policy statement of purpose

policy heading

Which of the following classes is defined in the TCSEC (Orange Book) as mandatory protection? C B D A

B

Which of the following parts of an organization's software policy would most likely indicate that any new software purchases be made only from the approved software products list? -Policy statement of purpose -Policy audience -Policy objective - Policy exceptions

policy objective

Which of the following best describes the sequence of action steps posted on the front of an automated teller machine (ATM) at a bank? -Standards -Guidelines -Procedures -Policies

procedures

This classification level is used by the military for items "the unauthorized disclosure of which reasonably could be expected to cause serious damage to National Security": Secret Confidential For your eyes only Top Secret

secret

Which one of the following represents an ALE calculation? single loss expectancy x annualized rate of occurrence. gross loss expectancy x loss frequency. asset value x loss expectancy. actual replacement cost - proceeds of salvage.

single loss expectancy x annualized rate of occurrence.

Which of the following is NOT an example of malicious code? Virus Worm Key logger Solitaire

solitaire

Which Orange Book evaluation level is described as "Labeled Security Protection"? A1 B2 B1 B3

B1

Who developed one of the first mathematical models of a multilevel-security computer system? Diffie and Hellman Bell and LaPadula Gasser and Lipner Clark and Wilson

Bell and LaPadula

Which of the following is one of the oldest and most common problems in software development and programming and is still very prevalent today? Social Engineering Buffer Overflow Code injection for machine language Unassembled reversible DOS instructions.

Buffer Overflow

Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection? D C B A

C

Please complete the following sentence: A TCP SYN attack... is not something system users would notice. may result in elevation of privileges. takes advantage of the way a TCP session is established. requires a synchronized effort by multiple attackers.

takes advantage of the way a TCP session is established.

This policy document is used to convey the organization's intention, objective, and commitment. It is known as: -The affirmation agreement -The statement of authority -The service level agreement -The Acceptable Use Policy

the statement of authority

What should be the consequences of information security policy violations? -Violations should be cited in the person's annual performance review -Immediate revocation of all user privileges -Always up to, and including, termination -Commensurate with the criticality of information the policy was written to protect

Commensurate with the criticality of information the policy was written to protect

When it comes to information security, what is labeling the vehicle for? Communicating the access controls Communicating the sensitivity level Auditing the access controls Enforcing the access controls

Communicating the sensitivity level

This classification level is used by the military for items "the unauthorized disclosure of which reasonably could be expected to cause damage to National Security": Secret Top Secret Confidential For your eyes only

Confidential

What does CIA stand for? Confidentiality, Integrity and Authorization Confidentiality, Integrity and Accountability Confidentiality, Integrity and Authentication Confidentiality, Integrity and Availability

Confidentiality, Integrity and Availability

Which of the following should you strive for in the policy statement, in order to have a well-written policy? Describe everything in layman's terms, so that it is clear the policy is a statement of everyone's intent Contain areas that address every aspect of operations and information, and every area affecting the organization's information assets Include applicable standards, guidelines, and procedures within the policy document Spell check the document to avoid typographical errors

Contain areas that address every aspect of operations and information, and every area affecting the organization's information assets

Which of the following classes is defined in the TCSEC (Orange Book) as minimal protection? D B A C

D

The description of the database is called a schema, and the schema is defined by which of the following? Data Connection Language (DCL). Data Definition Language (DDL). Data Identification Language (DIL). Data Encapsulation Language (DEL).

Data Definition Language (DDL).

Data availability is the assurance that All sensitive data stored on a hard drive is encrypted All data stored on a hard drive is encrypted Data and systems are accessible anytime they are needed Only authorized users will gain access to a resource

Data and systems are accessible anytime they are needed

Guaranteed 99.999% uptime is an example of Data authentication Data availability Data confidentiality Data integrity

Data availability

Which of the following groups represents the leading source of computer crime losses? Employees Foreign intelligence officers Hackers Industrial saboteurs

Employees

If a new United States federal information-sharing law is adopted, which of the following best represents a related information security policy statement of purpose? -Ensure compliance with federal law -Uphold the U.S. Constitution -Prevent personal information from being used for identity theft -Maintain individuals' right to privacy, as granted under the U.S. Constitution

Ensure compliance with federal law

Which of the following is the MOST important rule of thumb to follow when developing the policy heading? -Ensure the policy heading contains all the same information as every other policy -The policy number must be included in the policy heading -Plan to spend the most time working on the policy heading; it is the most important part of the document -Ensure its structure is scalable, so that it is able to accommodate changes in the future, without losing its original organization

Ensure its structure is scalable, so that it is able to accommodate changes in the future, without losing its original organization

Which of the following federal regulations pertains to the educational field? - SOX -HIPAA -GLBA -FERPA

FERPA

Which is the preferred approach to organizing information security policies, procedures, standards, and guidelines? -Combine policies and procedures -Keep the policy documents separate from the procedures, standards, and guidelines -Keep them all separate -Combine standards and guidelines

Keep the policy documents separate from the procedures, standards, and guidelines

What is a valid definition of data integrity? Data that is encrypted The knowledge that the data is transmitted in ciphertext only Data that has not been accessed by unauthorized users Knowing that the data on the screen is un-tampered with data

Knowing that the data on the screen is un-tampered with data

Which is a two wall challenge? -Lack of awareness, and the lack of awareness about the lack of awareness -Screened-subnet firewall -Requiring security badges at both doors to a room -When two policies conflict with each other

Lack of awareness, and the lack of awareness about the lack of awareness

What is shoulder surfing? - Looking at a person using their computer in hopes of viewing sensitive information -Another word for social engineering -Conning someone into giving away their password -Waiting for a user to leave their workstation and taking their place behind the keyboard

Looking at a person using their computer in hopes of viewing sensitive information

Which data classification method is used by the US military? DAC MAC RDAC RBAC

MAC

Which of the following is LEAST likely to lead to employees accepting and following policy? -Seek input from the organization when developing policies -Introduce policies through training programs - Consistently enforce policies -Make policy compliance part of the job descriptions

Make policy compliance part of the job descriptions

If a new United States federal information-sharing law is adopted, which of the following best represents a related information security policy objective? -Prevent personal information from being used for identity theft -Maintain individuals' right to privacy, as granted under the U.S. Constitution -Obtain prior written approval from all individuals whose personal data is to be shared -Ensure compliance with federal law

Obtain prior written approval from all individuals whose personal data is to be shared

Who is directly responsible for using information assets in accordance with their classification levels? The users The Information Custodian The Information Owner The ISO

the users

Which is the worst that may happen if information security policies are out of date, or address technologies no longer used in the organization? -People may not know which policy applies -The company may incur unnecessary costs to change them -People may take the policies less seriously, or dismiss them entirely -Executive management may become upset

People may take the policies less seriously, or dismiss them entirely

If you are assigned to author your company's information security policies, which of the following is the MOST important thing to do first? -Look at all the other policies to get an idea of how they are written -Express thanks for being given such a good assignment -Plan before you write -Determine when they are due

Plan before you write

If a policy refers the reader to another section for clarification of any instance of non-standard language, that other section would best be called which of the following? -Policy Definitions -Policy Enforcement Clause -Policy Exceptions -Policy Header

Policy Definitions

Which of the following virus types changes some of its characteristics as it spreads? Boot Sector Polymorphic Stealth Parasitic

Polymorphic

The goal of protecting confidentiality is to Prevent the authorized disclosure of sensitive information Prevent the authorized disclosure of public information. Prevent the unauthorized disclosure of public information Prevent the unauthorized disclosure of sensitive information

Prevent the unauthorized disclosure of sensitive information

Data integrity is -Making sure the data is always transmitted in encrypted format -Making sure the data is always available when legitimately needed -Protecting the data from intentional or accidental modification -Protecting the data from intentional or accidental disclosure

Protecting the data from intentional or accidental modification

This is known as the process of upgrading the classification level of an information asset: Declassification Classification review Classification Upgrade Reclassification

Reclassification

Operations security requires the implementation of physical security to control which of the following? contingency conditions incoming hardware unauthorized personnel access evacuation procedures

unauthorized personnel access

Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements? accuracy validation verification assessment

verification

Why is it important to remind people about best practice information security behaviors? -Reminders are the least expensive way to ensure compliance with policies -This approach is a mandatory requirement of information security policies -Reminders reinforce their knowledge, and help them better understand expectations -It ensures they are aware that management is watching them

Reminders reinforce their knowledge, and help them better understand expectations

An Architecture where there are more than two execution domains or privilege levels is called: Security Models Network Environment Ring Architecture Ring Layering

Ring Architecture

Which of the following is NOT an example of social engineering? -Calling an employee on the phone and impersonating an IT consultant to learn passwords -Running a password-cracking utility against a web server -Dressing up as a UPS employee and gaining access to sensitive areas of a business -Posing as a potential customer in a bank and gaining access to a computer terminal by pretending to need to send an email

Running a password-cracking utility against a web server

Which of the following are necessary components of a Multi-Level Security Policy? Security Clearances for subjects & Security Labels for objects and Mandatory Access Control Sensitivity Labels for subjects & objects and a "system high" evaluation Sensitivity Labels for only objects and Mandatory Access Control Sensitivity Labels for subjects & objects and Discretionary Access Control

Security Clearances for subjects & Security Labels for objects and Mandatory Access Control

Which must bear the primary responsibility for determining the level of protection needed for information systems resources? IS security specialists systems Auditors Senior security analysts Senior Management

Senior Management

As it pertains to information security policies, what is the SOA? -Summary of Authentication -Statement of Authority -Start of authority -Statement of Accountability

Statement of Authority

Which section of the ISO 17799 deals with asset classification? 3 2 4 5

5

What does it mean if a system uses "Trusted Recovery"? -The recovery process is done from media that have been locked in a safe -A failure or crash of the system cannot be used to breach security -A single account on the system has the administrative rights to recover or reboot the system after a crash -There is no such principle as "Trusted Recovery" in security

A failure or crash of the system cannot be used to breach security

Which of the following places the Orange Book classifications in order from most secure to least secure? A, B, C, D C, D, B, A D, C, B, A D, B, A, C

A, B, C, D

Which Orange Book evaluation level is described as "Verified Design"? B1 B3 A1 B2

A1

This is known as the process of downgrading the classification level of an information asset: Classification review Declassification Asset Publication Reclassification

Declassification

Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette? Buffer overflow Degaussing Zeroization Parity Bit Manipulation

Degaussing

The disciplinary process indicated in an information security policy enforcement clause usually includes which of the following most severe punishments? -Loss of one month's pay -Transfer to another division in the company -Demotion to a lower level -Dismissal or criminal prosecution

Dismissal or criminal prosecution

Which of the following provide a way and place to process, store, transmit, and communicate information? Outsourced storage solutions Information assets Off-site storage solutions Information systems

Information systems

Which is the preferred approach to organizing information security policies, procedures, standards, and guidelines? -Ensure it is detailed enough that everyone will understand it -Hold meetings to explain it -Involve people in policy development by conducting interviews -Give everyone a copy of the policy after it is written

Involve people in policy development by conducting interviews

Which of the following is NOT true concerning Application Control? -It limits end users' use of applications in such a way that only particular screens are visible -Particular usage of the application can be recorded for audit purposes -Only specific records can be requested through the application controls -It is non-transparent to the endpoint applications, so changes are needed to the applications and databases involved

It is non-transparent to the endpoint applications so changes are needed to the applications and databases involved

Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean? -Only security processes are allowed to write to ring zero memory -System functions are layered, and none of the functions in a given layer can access data outside that layer -Auditing processes and their memory addresses cannot be accessed by user processes -It is a form of strong encryption cipher

System functions are layered, and none of the functions in a given layer can access data outside that layer

With SQL Relational databases where is the actual data stored? Views Schemas and sub-schemas Tables Index-sequential tables

Tables

The Orange Book is founded upon which security policy model? The Biba Model The Bell LaPadula Model TEMPEST Clark-Wilson Model

The Bell LaPadula Model

Who should issue the statement of authority? -All the employees -The CEO, President or Chairman of the Board -All the information owners -The IT Manager

The CEO, President or Chairman of the Board

Who is directly responsible for defining information asset protection? The CEO/President/Chairman of the Board The ISO The Information Owner The Information Custodian

The Information Owner

Why do we need the Gramm-Leach-Bliley Act (GLBA)? -Businesses need expert advice to achieve and sustain compliance -Health care organizations must safeguard private health care information from disclosure -The information banks possess can be identifiable and whole in regard to any customer -It protects banks from lawsuits due to a lack of fair treatment of employees

The information banks possess can be identifiable and whole in regard to any customer

Leadership by setting the example, or "do as I do", is considered: -Ineffective in a high-tech company -The same as "management by walking around" -The most effective leadership style, especially in relation to information security -Something that should only be employed when information security policies are new

The most effective leadership style, especially in relation to information security

Which of the following is the reason why United States government official communications about new federal laws frequently include references to other documents? These references help those affected by the new laws gain a better understanding of what they need to do It makes it easier to keep track of things Congress must ensure that the new laws are comprehensive, so they can be defended in court This approach is required by law

These references help those affected by the new laws gain a better understanding of what they need to do

In what way are the Torah and the U.S. Constitution like information security policies? -They contain articles and amendments -They define the role of government in our daily lives - They include business rules -They serve as rules to guide behavior in support of organizational goals

They serve as rules to guide behavior in support of organizational goals

A computer program in which malicious or harmful code is hidden inside apparently harmless programming, so that it can take control and do damage without the user who installs the program being aware of it, is called a: worm virus Trojan horse trapdoor

Trojan horse

In which of the following ways does understanding policy elements enable the development of information security policies? -One cannot develop information security policies without an understanding of policy elements -Understanding policy elements enables us to break the policies down into their essential components, in order to more efficiently and effectively create usable policies -Information security policies must include all policy elements in order to be valid -It is necessary to understand policy elements in order to document which penalties apply for violation of information security policies

Understanding policy elements enables us to break the policies down into their essential components, in order to more efficiently and effectively create usable policies

Which of the following is NOT a threat to data integrity? Use of encrypted emails Malicious code Hackers Improper access controls

Use of encrypted emails
