info assurance mid term
The security of a computer application is most effective and economical in which of the following cases? The system is procured off-the-shelf. The system is customized to meet the specific security threat. The system is optimized prior to the addition of security. The system is originally designed to provide the necessary security.
The system is originally designed to provide the necessary security.
Why is it important to consistently enforce policy, and not "go easy on someone"? -It is easier to defend in court -Playing favorites creates resentment -The welfare of the overall organization is more important than the individual's -Policies should never be broken
The welfare of the overall organization is more important than the individual's
What issue is addressed by both the Bible and corporate policies? -stealing -without common rules, people may adopt common behaviors and choices that make the overall group less stable -The behavior of people in power -People tend to forget things if they are not periodically reminded of their obligations
without common rules, people may adopt common behaviors and choices that make the overall group less stable
When backing up an application system's data, which of the following is a key question to be answered first? -How to store backups -What records to back up -When to make backups -Where to keep backups
What records to back up
Which of the following is NOT contained in the Security Policy Document Policy? -Who is in charge of enforcing the policy -Who is in charge of designing the policy -A statement about the need for information security policies -What users may or may not do
What users may or may not do
Which part of the U.S. Constitution is analogous to the first approved version of a new information security policy? -the Torah -articles -amendments -the Bill of Rights
articles
Operations Security seeks to primarily protect against which of the following? -facility disaster -compromising emanations -asset threats -object reuse
asset threats
The object-relational and object-oriented models are better suited to managing complex data such as required for which of the following? -computer-aided development and imaging -computer-aided duplexing and imaging -computer-aided processing and imaging -computer-aided design and imaging
computer-aided design and imaging.
An employee accidentally makes changes to a company-owned file. This is known as a violation of: -Data Integrity -Data Confidentiality -Data Availability -Data Authorization
data integrity
What is the appropriate role of the security analyst in the application system development or acquisition project? -policeman -data owner -data owner -application user
data owner
A persistent collection of interrelated data items can be defined as which of the following? -database security -database -database shadowing -database management system
database
If an operating system permits shared resources such as memory to be used sequentially by multiple users/applications or subjects without a refresh of the objects/memory area, what security problem is most likely to exist? -data leakage through covert channels -disclosure of residual data -denial of service through a deadly embrace -unauthorized obtaining of a privileged execution state
disclosure of residual data
What is the opposite of the C.I.A. triad in risk management? -confidentiality, integrity, availability -authorization, non-repudiation, integrity -disclosure, alteration, destruction -misuse, exposure, destruction
disclosure, alteration, destruction (D.A.D.)
Which of the following is NOT a threat to data confidentiality? -Hackers -Social engineering -Encryption -Improper access controls
encryption
Mandatory Access Control requires that sensitivity labels be attached to all objects. Which of the following would be designated as objects on a MAC system? -devices, processes, I/O pipes, and sockets -files, directories, and print queues -users, windows, and programs -files, directories, processes, and sockets
files, directories, processes, and sockets
Information systems are a combination of: -applications -policies and procedures -hardware and software -controls and procedures
hardware and software
The information security staff's participation in which of the following system development life cycle phases provides maximum benefit to the organization? -in parallel with every phase throughout the project -project initiation and planning phase -development and documentation phase -system design specifications phase
in parallel with every phase throughout the project
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address? -none of the above -confidentiality and availability -integrity and confidentiality -integrity and availability
integrity and availability
In which of the following policy elements should the policy number appear? -Policy objectives -Statement of authority -Policy heading -Policy statement of purpose
policy heading
Which of the following classes is defined in the TCSEC (Orange Book) as mandatory protection? -C -B -D -A
B
Which of the following parts of an organization's software policy would most likely indicate that any new software purchases be made only from the approved software products list? -Policy statement of purpose -Policy audience -Policy objective - Policy exceptions
policy objective
Which of the following best describes the sequence of action steps posted on the front of an automated teller machine (ATM) at a bank? -Standards -Guidelines -Procedures -Policies
procedures
This classification level is used by the military for items "the unauthorized disclosure of which reasonably could be expected to cause serious damage to National Security": -Secret -Confidential -For your eyes only -Top Secret
secret
Which one of the following represents an ALE calculation? single loss expectancy x annualized rate of occurrence. gross loss expectancy x loss frequency. asset value x loss expectancy. actual replacement cost - proceeds of salvage.
single loss expectancy x annualized rate of occurrence.
Which of the following is NOT an example of malicious code? -Virus -Worm -Key logger -Solitaire
solitaire
Which Orange Book evaluation level is described as "Labeled Security Protection"? -A1 -B2 -B1 -B3
B1
Who developed one of the first mathematical models of a multilevel-security computer system? -Diffie and Hellman -Bell and LaPadula -Gasser and Lipner -Clark and Wilson
Bell and LaPadula
Which of the following is one of the oldest and most common problems in software development and programming and is still very prevalent today? -Social Engineering -Buffer Overflow -Code injection for machine language -Unassembled reversible DOS instructions
Buffer Overflow
Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection? -D -C -B -A
C
Please complete the following sentence: A TCP SYN attack... -is not something system users would notice -may result in elevation of privileges -takes advantage of the way a TCP session is established -requires a synchronized effort by multiple attackers
takes advantage of the way a TCP session is established.
This policy document is used to convey the organization's intention, objective, and commitment. It is known as: -The affirmation agreement -The statement of authority -The service level agreement -The Acceptable Use Policy
the statement of authority
What should be the consequences of information security policy violations? -Violations should be cited in the person's annual performance review -Immediate revocation of all user privileges -Always up to, and including, termination -Commensurate with the criticality of information the policy was written to protect
Commensurate with the criticality of information the policy was written to protect
When it comes to information security, what is labeling the vehicle for? -Communicating the access controls -Communicating the sensitivity level -Auditing the access controls -Enforcing the access controls
Communicating the sensitivity level
This classification level is used by the military for items "the unauthorized disclosure of which reasonably could be expected to cause damage to National Security": -Secret -Top Secret -Confidential -For your eyes only
Confidential
What does CIA stand for? -Confidentiality, Integrity and Authorization -Confidentiality, Integrity and Accountability -Confidentiality, Integrity and Authentication -Confidentiality, Integrity and Availability
Confidentiality, Integrity and Availability
Which of the following should you strive for in the policy statement, in order to have a well-written policy? -Describe everything in layman's terms, so that it is clear the policy is a statement of everyone's intent -Contain areas that address every aspect of operations and information, and every area affecting the organization's information assets -Include applicable standards, guidelines, and procedures within the policy document -Spell check the document to avoid typographical errors
Contain areas that address every aspect of operations and information, and every area affecting the organization's information assets
Which of the following classes is defined in the TCSEC (Orange Book) as minimal protection? -D -B -A -C
D
The description of the database is called a schema, and the schema is defined by which of the following? Data Connection Language (DCL). Data Definition Language (DDL). Data Identification Language (DIL). Data Encapsulation Language (DEL).
Data Definition Language (DDL).
Data availability is the assurance that: -All sensitive data stored on a hard drive is encrypted -All data stored on a hard drive is encrypted -Data and systems are accessible anytime they are needed -Only authorized users will gain access to a resource
Data and systems are accessible anytime they are needed
Guaranteed 99.999% uptime is an example of: -Data authentication -Data availability -Data confidentiality -Data integrity
Data availability
Which of the following groups represents the leading source of computer crime losses? -Employees -Foreign intelligence officers -Hackers -Industrial saboteurs
Employees
If a new United States federal information-sharing law is adopted, which of the following best represents a related information security policy statement of purpose? -Ensure compliance with federal law -Uphold the U.S. Constitution -Prevent personal information from being used for identity theft -Maintain individuals' right to privacy, as granted under the U.S. Constitution
Ensure compliance with federal law
Which of the following is the MOST important rule of thumb to follow when developing the policy heading? -Ensure the policy heading contains all the same information as every other policy -The policy number must be included in the policy heading -Plan to spend the most time working on the policy heading; it is the most important part of the document -Ensure its structure is scalable, so that it is able to accommodate changes in the future, without losing its original organization
Ensure its structure is scalable, so that it is able to accommodate changes in the future, without losing its original organization
Which of the following federal regulations pertains to the educational field? - SOX -HIPAA -GLBA -FERPA
FERPA
Which is the preferred approach to organizing information security policies, procedures, standards, and guidelines? -Combine policies and procedures -Keep the policy documents separate from the procedures, standards, and guidelines -Keep them all separate -Combine standards and guidelines
Keep the policy documents separate from the procedures, standards, and guidelines
What is a valid definition of data integrity? -Data that is encrypted -The knowledge that the data is transmitted in ciphertext only -Data that has not been accessed by unauthorized users -Knowing that the data on the screen is un-tampered with data
Knowing that the data on the screen is un-tampered with data
Which is a two wall challenge? -Lack of awareness, and the lack of awareness about the lack of awareness -Screened-subnet firewall -Requiring security badges at both doors to a room -When two policies conflict with each other
Lack of awareness, and the lack of awareness about the lack of awareness
What is shoulder surfing? - Looking at a person using their computer in hopes of viewing sensitive information -Another word for social engineering -Conning someone into giving away their password -Waiting for a user to leave their workstation and taking their place behind the keyboard
Looking at a person using their computer in hopes of viewing sensitive information
Which data classification method is used by the US military? -DAC -MAC -RDAC -RBAC
MAC
Which of the following is LEAST likely to lead to employees accepting and following policy? -Seek input from the organization when developing policies -Introduce policies through training programs - Consistently enforce policies -Make policy compliance part of the job descriptions
Make policy compliance part of the job descriptions
If a new United States federal information-sharing law is adopted, which of the following best represents a related information security policy objective? -Prevent personal information from being used for identity theft -Maintain individuals' right to privacy, as granted under the U.S. Constitution -Obtain prior written approval from all individuals whose personal data is to be shared -Ensure compliance with federal law
Obtain prior written approval from all individuals whose personal data is to be shared
Who is directly responsible for using information assets in accordance with their classification levels? -The users -The Information Custodian -The Information Owner -The ISO
the users
Which is the worst that may happen if information security policies are out of date, or address technologies no longer used in the organization? -People may not know which policy applies -The company may incur unnecessary costs to change them -People may take the policies less seriously, or dismiss them entirely -Executive management may become upset
People may take the policies less seriously, or dismiss them entirely
If you are assigned to author your company's information security policies, which of the following is the MOST important thing to do first? -Look at all the other policies to get an idea of how they are written -Express thanks for being given such a good assignment -Plan before you write -Determine when they are due
Plan before you write
If a policy refers the reader to another section for clarification of any instance of non-standard language, that other section would best be called which of the following? -Policy Definitions -Policy Enforcement Clause -Policy Exceptions -Policy Header
Policy Definitions
Which of the following virus types changes some of its characteristics as it spreads? -Boot Sector -Polymorphic -Stealth -Parasitic
Polymorphic
The goal of protecting confidentiality is to: -Prevent the authorized disclosure of sensitive information -Prevent the authorized disclosure of public information -Prevent the unauthorized disclosure of public information -Prevent the unauthorized disclosure of sensitive information
Prevent the unauthorized disclosure of sensitive information
Data integrity is -Making sure the data is always transmitted in encrypted format -Making sure the data is always available when legitimately needed -Protecting the data from intentional or accidental modification -Protecting the data from intentional or accidental disclosure
Protecting the data from intentional or accidental modification
This is known as the process of upgrading the classification level of an information asset: -Declassification -Classification review -Classification Upgrade -Reclassification
Reclassification
Operations security requires the implementation of physical security to control which of the following? -contingency conditions -incoming hardware -unauthorized personnel access -evacuation procedures
unauthorized personnel access
Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements? -accuracy -validation -verification -assessment
verification
Why is it important to remind people about best practice information security behaviors? -Reminders are the least expensive way to ensure compliance with policies -This approach is a mandatory requirement of information security policies -Reminders reinforce their knowledge, and help them better understand expectations -It ensures they are aware that management is watching them
Reminders reinforce their knowledge, and help them better understand expectations
An architecture in which there are more than two execution domains or privilege levels is called: -Security Models -Network Environment -Ring Architecture -Ring Layering
Ring Architecture
Which of the following is NOT an example of social engineering? - Calling an employee on the phone and impersonating an IT consultant to learn passwords -Running a password-cracking utility against a web server -Dressing up as UPS employee and gaining access to sensitive areas of a business -Posing as a potential customer in a Bank and gaining access to a computer terminal by pretending to need to send an email
Running a password-cracking utility against a web server
Which of the following are necessary components of a Multi-Level Security Policy? -Security Clearances for subjects & Security Labels for objects and Mandatory Access Control -Sensitivity Labels for subjects & objects and a "system high" evaluation -Sensitivity Labels for only objects and Mandatory Access Control -Sensitivity Labels for subjects & objects and Discretionary Access Control
Security Clearances for subjects & Security Labels for objects and Mandatory Access Control
Who must bear the primary responsibility for determining the level of protection needed for information systems resources? -IS security specialists -Systems auditors -Senior security analysts -Senior Management
Senior Management
As it pertains to information security policies, what is the SOA? -Summary of Authentication -Statement of Authority -Start of authority -Statement of Accountability
Statement of Authority
Which section of the ISO 17799 deals with asset classification? -3 -2 -4 -5
5
What does it mean if a system uses "Trusted Recovery"? -The recovery process is done from media that have been locked in a safe -A failure or crash of the system cannot be used to breach security -A single account on the system has the administrative rights to recover or reboot the system after a crash -There is no such principle as "Trusted Recovery" in security
A failure or crash of the system cannot be used to breach security
Which of the following places the Orange Book classifications in order from most secure to least secure? -A, B, C, D -C, D, B, A -D, C, B, A -D, B, A, C
A, B, C, D
Which Orange Book evaluation level is described as "Verified Design"? -B1 -B3 -A1 -B2
A1
This is known as the process of downgrading the classification level of an information asset: -Classification review -Declassification -Asset Publication -Reclassification
Declassification
Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette? -Buffer overflow -Degaussing -Zeroization -Parity Bit Manipulation
Degaussing
The disciplinary process indicated in an information security policy enforcement clause usually includes which of the following most severe punishments? -Loss of one month's pay -Transfer to another division in the company -Demotion to a lower level -Dismissal or criminal prosecution
Dismissal or criminal prosecution
Which of the following provide a way and place to process, store, transmit, and communicate information? -Outsourced storage solutions -Information assets -Off-site storage solutions -Information systems
Information systems
Which is the preferred approach to organizing information security policies, procedures, standards, and guidelines? -Ensure it is detailed enough that everyone will understand it -Hold meetings to explain it -Involve people in policy development by conducting interviews -Give everyone a copy of the policy after it is written
Involve people in policy development by conducting interviews
Which of the following is NOT true concerning Application Control? -It limits end users' use of applications in such a way that only particular screens are visible -Particular usage of the application can be recorded for audit purposes -Only specific records can be requested through the application controls -It is non-transparent to the endpoint applications, so changes are needed to the applications and databases involved
It is non-transparent to the endpoint applications so changes are needed to the applications and databases involved
Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean? -Only security processes are allowed to write to ring zero memory -System functions are layered, and none of the functions in a given layer can access data outside that layer -Auditing processes and their memory addresses cannot be accessed by user processes -It is a form of strong encryption cipher
System functions are layered, and none of the functions in a given layer can access data outside that layer
In SQL relational databases, where is the actual data stored? -Views -Schemas and sub-schemas -Tables -Index-sequential tables
Tables
The Orange Book is founded upon which security policy model? -The Biba Model -The Bell LaPadula Model -TEMPEST -Clark-Wilson Model
The Bell LaPadula Model
Who should issue the statement of authority? -All the employees -The CEO, President or Chairman of the Board -All the information owners -The IT Manager
The CEO, President or Chairman of the Board
Who is directly responsible for defining information asset protection? -The CEO/President/Chairman of the Board -The ISO -The Information Owner -The Information Custodian
The Information Owner
Why do we need the Gramm-Leach-Bliley Act (GLBA)? -Businesses need expert advice to achieve and sustain compliance -Health care organizations must safeguard private health care information from disclosure -The information banks possess can be identifiable and whole in regard to any customer -It protects banks from lawsuits due to a lack of fair treatment of employees
The information banks possess can be identifiable and whole in regard to any customer
Leadership by setting the example, or "do as I do", is considered: -Ineffective in a high-tech company -The same as "management by walking around" -The most effective leadership style, especially in relation to information security -Something that should only be employed when information security policies are new
The most effective leadership style, especially in relation to information security
Which of the following is the reason why United States government official communications about new federal laws frequently include references to other documents? -These references help those affected by the new laws gain a better understanding of what they need to do -It makes it easier to keep track of things -Congress must ensure that the new laws are comprehensive, so they can be defended in court -This approach is required by law
These references help those affected by the new laws gain a better understanding of what they need to do
In what way are the Torah and the U.S. Constitution like information security policies? -They contain articles and amendments -They define the role of government in our daily lives - They include business rules -They serve as rules to guide behavior in support of organizational goals
They serve as rules to guide behavior in support of organizational goals
A computer program in which malicious or harmful code is contained inside apparently harmless programming, but which can gain control and do damage without the user who installed the program being aware of it, is called a: -worm -virus -Trojan horse -trapdoor
Trojan horse
In which of the following ways does understanding policy elements enable the development of information security policies? -One cannot develop information security policies without an understanding of policy elements -Understanding policy elements enables us to break the policies down into their essential components, in order to more efficiently and effectively create usable policies -Information security policies must include all policy elements in order to be valid -It is necessary to understand policy elements in order to document which penalties apply for violation of information security policies
Understanding policy elements enables us to break the policies down into their essential components, in order to more efficiently and effectively create usable policies
Which of the following is NOT a threat to data integrity? -Use of encrypted emails -Malicious code -Hackers -Improper access controls
Use of encrypted emails