INFS 3400 Hasan test 2
The transfer of transaction data in real time to an off-site facility is called ____.
remote journaling
Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite.
risk tolerance
An alert message is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process.
?
The first phase of the risk management process is _____. a. risk identification b. forming the risk management planning team c. risk control d. risk evaluation
A
Which of these is the primary reason contingency response teams should not have overlapping membership with one person on multiple teams? a. To spread the work out among more people. b. So individuals don't find themselves with different responsibilities in different locations at the same time. c. To allow people to specialize in one area. d. To avoid cross-division rivalries.
B
Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____. a. threats b. exploits c. vulnerabilities d. events
C
Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite. a. benefit b. baseline c. tolerance d. residual
C
The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any _____ purposes. a. troubleshooting b. billing c. customer service d. marketing
D
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment's notice. a. mobile site b. cold site c. service bureau d. hot site
D
A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack. a. review b. search c. investigation d. assessment
D
Cultural differences can make it difficult to determine what is ethical and what is not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal.
F
Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site.
F
In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack; the SLE is the product of the asset's value and the annualized loss expectancy.
F
In a study on software license infringement, licenses from the United States were significantly more permissive than those from the Netherlands and other countries. _____
F
In 2001, the Council of Europe drafted the European Council Cybercrime Convention, which empowers an international task force to oversee a range of security functions associated with _____ activities.
Internet
In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies _____.
Provide security awareness training
The risk management (RM) _____ is the overall structure of the strategic planning and design for the entirety of the organization's RM efforts.
RM framework
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources is ____.
Recovery time objective (RTO)
Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Risk appetite
Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization's information assets to an acceptable level.
T
A key difference between a policy and a law is that ignorance of a law is an acceptable defense.
T
A service bureau is an agency that provides a service for a fee. _____
T
Criminal laws address activities and conduct harmful to society and are categorized as public law.
T
For policy to become enforceable, it only needs to be distributed, read, understood, agreed to, and applied to all.
T
Incident classification is the process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident.
T
Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment.
T
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, protects the confidentiality and security of healthcare data.
T
The business impact analysis is a preparatory activity common to both contingency planning (CP) and risk management.
T
The code of ethics put forth by (ISC)2 focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." _____
T
The value of information to the organization's competition should influence the asset's valuation.
T
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.
T
The FTC recommends that people place an initial fraud alert (among other things) when they suspect they are victims of identity theft.
T
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes _____. a. controls have proven ineffective b. controls have failed c. controls have been bypassed d. All of the above
d. All of the above
Risk _____ is a determination of the extent to which an organization's information assets are exposed to risk.
assessment
Each of the following is a role for the crisis management response team EXCEPT:
d. Supporting personnel and their loved ones during the crisis?
Identifying human resources, documentation, and data information assets of an organization is easier than identifying hardware and software assets.
F
Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. _____
F
_____ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident.
incident damage assessment
In the 1999 study of computer use-ethics, which of the following countries reported the least tolerant attitudes toward the misuse of organizational computing resources?
Singapore
If the acceptance risk treatment strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general.
T
Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _____
T
The _____ risk treatment strategy attempts to shift risk to other assets, other processes, or other organizations.
transference / transfer
In a _____, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.
weighted factor analysis
In the TVA worksheet, assets are placed into a matrix with threats, and then the exposure of the assets to specific threats is explored by documenting _____.
? vulnerabilities
Understanding the _____ context means understanding the impact of elements such as the business environment, the legal/regulatory/compliance environment, as well as the threat environment. a. external b. design c. internal d. risk evaluation
A
Which type of organizations should prepare for the unexpected? a. Organizations of every size and purpose should also prepare for the unexpected. b. Large organizations which have many assets at risk. c. Small organizations that can easily recover. d. Only those without good insurance.
A
_____ is simply how often you expect a specific type of attack to occur.
ARO
The sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place is called a(n) _____.
Affidavit
There are three general causes of unethical and illegal behavior: _____, Accident, and Intent. a. Curiosity b. Ignorance c. Revenge d. None of the other answers are correct
B
Risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems. a. avoidance b. treatment c. identification d. assessment
B
The point in time before a disruption or system outage to which business process data can be recovered after an outage is ____. a. recovery time objective (RTO) b. recovery point objective (RPO) c. work recovery time (WRT) d. maximum tolerable downtime (MTD)
B
The process of examining an adverse event or incident and determining whether it constitutes an actual disaster is known as _____. a. disaster indication b. incident review c. disaster classification d. event escalation
C
Laws, policies, and their associated penalties only provide deterrence if which of the following conditions is present? a. Fear of penalty b. Probability of being caught c. Probability of penalty being administered d. All of the other answers are correct
D
The _____ risk treatment strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. a. defense b. transference c. mitigation d. acceptance
D
Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?
ECPA - Electronic Communications Privacy Act of 1986
The _____ attempts to prevent trade secrets from being illegally shared.
Economic Espionage Act
Understanding the _____ context means understanding the impact of elements such as the business environment, the legal/regulatory/compliance environment, as well as the threat environment.
External
"Know the enemy" means identifying, examining, and understanding the competition facing the organization.
F
A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.
F
In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their information from unauthorized access.
F
Knowing yourself means identifying, examining, and understanding the threats facing the organization's information assets.
F
The Computer Security Act of 1987, the cornerstone of many computer-related federal laws and enforcement efforts, was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984.
F
The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement.
F
The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, those resources.
F
The Gramm-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms.
F
The computer security incident response team is composed solely of technical IT professionals who are prepared to detect, react to, and recover from an incident.
F
The continuity planning management team (CPMT) is the group of senior managers and project members organized to conduct and lead all contingency planning efforts.
F
The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not.
F
The disaster recovery preparation team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters.
F - disaster recovery planning (DRP)
A cold site provides many of the same services and options of a hot site, but at a lower cost.
F - warm site
Risk perception is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically part of the risk appetite. _____
F - risk tolerance?
Knowing yourself means identifying, examining, and understanding the threats facing the organization's information assets.
F?
The unauthorized taking of personal information with the intent of committing fraud and abuse of a person's financial and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for illegal or unethical purposes is known as _____.
Identity theft
There are three general causes of unethical and illegal behavior: _____, Accident, and Intent.
Ignorance
The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any _____ purposes.
Marketing
Payment Card Industry _____ Standards are designed to enhance the security of customers' payment card account data.
PCI-DSS
Which of these is the primary reason contingency response teams should not have overlapping membership with one person on multiple teams?
To allow people to specialize in one area
Ethics are the moral attitudes or customs of a particular group. _____
True?
A(n) _____ is a document containing contact information for the people to be notified in the event of an incident.
alert roster
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage _____.
by accident
Risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems.
control
The storage of duplicate online transaction data, along with the duplication of the databases, at a remote site on a redundant server is called _____.
database shadowing
The _____ risk treatment strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
defense
The concept of competitive _____ refers to falling behind the competition.
disadvantage
Most common data backup schemes involve ______.
disk to disk to cloud
An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor with a ____ backup strategy.
disk-to-disk-to-cloud
Which of the following is NOT one of the categories recommended for categorizing information assets?
firmware
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment's notice.
hot site
If the acceptance risk treatment strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general.
T
____ uses a number of hard drives to store information across multiple drive units.
RAID