Information Security Management - Midterm Study Guide
True or False: A system administrator may need to create a different type of policy in order to implement a managerial policy
True
True or False: Data integrity can be affected by virus infections and data communications errors.
True
True or False: The Sarbanes-Oxley (SOX) Act of 2002 was passed as a result of the Enron and WorldCom financial scandals.
True
Which of the following is used to establish a formal set of organizational principles and qualities for an organization? - Values statement - Vision statement - Mission statement - Morals statement
Values statement
Which security role is typically responsible for monitoring e-mail accounts and instruction consoles? - Security technicians - Security administrators - Analysts - Watchstanders
Watchstanders
A person who has authorization from an organization to test its information systems and network defense is known as which of the following? - script kiddie - penetration tester - professional hacker - packet monkey
penetration tester
What type of virus actually evolves, changing its size and other external file characteristics to elude detection by antivirus programs? - Trojan horse - trap door - polymorphic threat - macro virus
polymorphic threat
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as which of the following? - threat assessment - risk analysis - data classification scheme - risk identification
threat assessment
Which of the following best describes a stakeholder? - An individual or group that owns financial stock in an organization - A competing organization - An individual who buys an organization's products - An individual or group who has a vested interest
An individual or group who has a vested interest
Which of the following is not a component of a typical strategic plan? - Executive summary - Archived profile - Organizational profile - Strategic issues and challenges
Archived profile
What is the name of the process that is used to establish whether or not a user's identity is legitimate? - Availability - Accountability - Authorization - Authentication
Authentication
Which law, originally passed in 1986 and amended in 1996, contains provisions that determine the penalties for computer related crimes? - PATRIOT Act - Computer Fraud and Abuse Act - Digital Millennium Copyright Act - Computer Security Act
Computer Fraud and Abuse Act
Which of the following is a collection of statutes that regulates the interception of wire, electronic, and oral communications? - Federal Privacy Act - Copyright Act - Security and Freedom Through Encryption Act - Electronic Communications Privacy Act (ECPA)
Electronic Communications Privacy Act (ECPA)
Which type of security policy is known as the highest level of policy and sets the strategic direction, scope, and tone for an organization's security efforts? - System-specific security policy - Issue-specific security policy - Enterprise information security policy - Strategic planning security policy
Enterprise information security policy
Which of the following is NOT a typical permission available for use in ACLs? - Read - Write - Delete - Expunge
Expunge
True or False: A CISO never reports to the CIO, and must always go through management hierarchies.
False
True or False: Only the InfoSec and IT communities have a role to play in the management of risks to information assets.
False
True or False: The CISO is another name for a CIO, as both roles perform the same tasks
False
Which of the following occurs when a manufacture performs an upgrade to a hardware component at a customer's premises? - Asset type - Field change order - Controlling entity - Manufacturer's model or part number
Field change order
Which entity is not exempt from the Federal Privacy Act of 1974? - Bureau of the Census - U.S. Congress - Hospitals - Credit agencies
Hosptials
Which of the following terms can be used to describe trade secrets, copyrights, trademarks, and patents? - Quality of service - Availability - Intellectual property - Competitive intelligence
Intellectual property
Which of the following is NOT a specific characteristic of ISSP? - It addresses specific technology-based resources - It requires frequent updates - It addresses hardware implementation issues - It contains an issue statement
It addresses hardware implementation issues
Which of the following is used to declare the intended areas of operation for a business? - Values statement - Vision statement - Objectives statement - Mission Statement
Mission statement
An organization is considered to be medium-sized when it has approximately how many devices? - Less than 100 - More than 1000 - More than 100, less than 1000 - More than 2000
More than 100, less than 1000
The simplified risk management components consist of which of the following groups? - People, planning, technology - Planning, performing, tasking - Preparedness, planning, and technology - People, process, and technology
People, process, and technology
All but which of the following is one of the five fundamental privacy principles of HIPAA? - Public control of medical information - Boundaries on the use of medical information - Balance of public responsibility for the use of medical information - Security of health information
Public control of medical information
Which term below defines the identification and assessment of risks and also defining acceptable levels of risk within an organization? - Risk assessment - Risk analysis - Risk identification - Risk management
Risk analysis
Which NIST publication covers topics such as elements of computer security, roles and responsibilities, and common threats? - SP 800-21 - SP 800-12 - SP 800-11 - SP 800-01
SP 800-12
Which of the following information security roles best describe a type of specialized security administrator, and is typically responsible for analyzing and designing security solutions in a specific domain. - Security manager - Chief security officer - Security analyst - Chief information security officer
Security analyst
Which of the following is NOT an InfoSec policy recommended in NIST's Special Publication 800-14 document? - Enterprise information security policy (EISP) - Issue-specific security policies (ISSP) - System-specific security policies (SysSP) - Task-specific security policies (TSSP)
Task-specific security policies (TSSP)