ISS Final

c. security awareness

A SETA program consists of three elements: security education, security training, and which of the following?. a. security accountability b. security authentication c. security awareness d. security authorization

b. collusion

A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions? a. job rotation b. collusion c. collision d. two-person control

b. analysis

A gathering of key reference materials is performed during which phase of the SDLC? a. implementation b. analysis c. design d. investigation

a. standard of due care

A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances. a. standard of due care b. due diligence c. duty of loyalty c. duty of obedience

d. vulnerability

A potential weakness in an asset or its defensive control systems is known as a a. threat b. attack c. exploit d. vulnerability

b. analysis

A risk assessment is performed during which phase of the SecSDLC? a. implementation b. analysis c. design d. investigation

c. exploit

A technique used to compromise a system is known as a(n) a. threat b. attack c. exploit d. vulnerability

a. weighted table analysis or weighted factor analysis

A useful tool for resolving the issue of what business function is the most critical, based on criteria selected by the organization, is the __________. a. weighted table analysis or weighted factor analysis b. threats-vulnerability-assets worksheet or TVA c. business impact assessment or BIA d. critical patch method assessment or CPMA

b. baseline

A______________ is derived by comparing measured actual performance against established standards for the measured category. a. benchmark b. baseline

c. trespass

Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. a. bypass b. theft c. trespass d. Security

b. defense

Application of training and education is a common method of which risk control strategy? a. transference b. defense c. mitigation d. acceptance

c. hoaxes

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________. a. false alarms b. polymorphisms c. hoaxes d. urban legends

b. single loss expectancy

By multiplying the asset value by the exposure factor, you can calculate which of the following? a. annual loss expectancy b. single loss expectancy c. risk appetite

b. wander freely in and out of facilities

Contract employees—or simply contractors—should not be allowed to do what? a. Work on the premises. b. Wander freely in and out of facilities. c.Visit the facility without an escort. d. Be compensated based on hourly rates.

c. cost and replacement value

Data classification schemes should categorize info assets based on which of the following? a. value and uniqueness b. sensitivity and security needs c. cost and replacement value d. ease of reproduction and fragility

a. control

In the COSO framework, ___________ activities include those policies and procedures that support management directives. a. control b. frame c. respond d. inform

a. design

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies? a. design b. implementation c. investigation d. analysis

a. accept or ignore

Reserves and contingency plans would be used in which risk strategy ? a. accept or ignore b. avoidance c. mitigation d. transfer e. none of the above

a. incident response plan

Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach? a. incident response plan b. business continuity plan c. termination

d. InfoSec Governance

The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. Control environment b. Risk assessment c. Control activities d. InfoSec Governance

a. inform

The NIST risk management approach includes all but which of the following? a. inform b. assess c. frame d. respond

b. risk tolerance

The assessment of the amount of risk an organization is willing to accept for a particular info asset a. residual risk b. risk tolerance

performance measurements

The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization.

d. CBA

The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization. a. SLE b. ALE c. ARO d. CBA

c. determined that the costs to control risk to an information asset are much lower than the benefit gained from the information asset

The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? a. determined the level of risk posed to the information asset b. performed a thorough cost-benefit analysis c. determined that the costs to control risk to an information asset are much lower than the benefit gained from the information asset d. assessed the probability of an attack and the likelihood of a successful exploitation of a vulnerability

a. vulnerability assessment

The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization

a. convergence

The process of integrating the governance of the physical security and information security efforts is known in the industry as______ a. convergence b. combination c. intimation d. optimization

b. by adding barriers

The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge b. by adding barriers c. by developing skills d. by improving awareness

c. cryptanalysis

The science of cryptology includes both cryptography and a. algorithms b. ciphers c. cryptanalysis d. encryption

d. authentication

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process? a. accountability b. authorization c. identification d. authentication

b. packet sniffer

This is used to provide a network admin with valuable information to help diagnose and resolve networking issues. In the wrong hands, it can be used to eavesdrop on network traffic. a. proxy server b. packet sniffer c. trap and trace

a. VPN

This keeps the contents of the network messages hidden from those who may have access to public traffic. It is a private secure network operated over a public and insecure network. a. VPN b. NIST c. CIST d. Kerberos

a. asymmetric

This type of encryption require one key to encrpyt and another to decrypt. Most valuable when one key is public and the other is private. a. asymmetric b. symmetric c. substitution d. transportation

a. 40

What % of businesses that do not have a disaster plan go out of business after a major loss? a. 40 b. 50 c. 20 d. 35

c. accountability

What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication

a. qualitative risk assessment

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? a. qualitative risk assessment b. Delphi c. NIST

c. vulnerabilities

What is defined as specific avenues that threat agents can exploit to attack an information asset? a. Liabilities b. Defenses c. Vulnerabilities d. Weaknesses

c. reduce the occurrence of accidental security breaches

What is the SETA program designed to do? a. reduce the occurrence of external attacks b. improve operations c. reduce the occurrence of accidental security breaches d. increase the efficiency of InfoSec staff

d. ranking assets in order of importance

What is the final step in the risk identification process? a. assessing values for information assets b. classifying and categorizing assets c. identifying and inventorying assets d. ranking assets in order of importance

a. retina scan

What is the most effective biometric authorization technology? a. retina scan b. fingerprint c. photo ID d. key card

c. photo ID

What is the most widely accepted biometric authorization technology? a. retina scan b. fingerprint c. photo ID d. key card

c. performance targets

What makes it possible to define success in the security program? a. performance measurements b. performance metrics c. performance targets d. performance tests

a. business continuity

When a disaster renders the current business location unusable, which plan is put into action? a.business continuity b.crisis management c.incident response d. business impact analysis

d. evaluated how the new technology will enhance employee skills

When an information security team is faced with a new technology, which of the following is NOT a recommended approach? a. Determine if the benefits of the proposed technology justify the expected costs. b. Include costs for any additional risk control requirements that are mandated by the new technology. c. Consider how the proposed solution will affect the organization's risk exposure. d. Evaluate how the new technology will enhance employee skills.

c. planning

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? a. compliance b. policy c. planning d. systems security administration

b. authentication

Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area? a. identification b. authentication c. authorization d. accountability

e. all of the above

Which of the following affects an organization's info security environment? a. formation of new partnerships b. dissolution of old partnerships c. hiring of new personnel d. shifting business priorities e. all of the above

d. mitigation

Which of the following describes an organization's efforts to reduce damages caused by a realized incident or disaster? a. defense b. termination c. acceptance d. mitigation

b. risk assessment

Which of the following functions include identifying the sources of risk and may include offering advice on controls that can reduce risk? a. risk management b. risk assessment c. systems testing d. vulnerability assessment

b. mitigating

Which of the following is NOT a category of access control? a. preventative b. mitigating c. deterrent d. compensating

d. same certification and accreditation agency or standard

Which of the following is NOT a consideration when selecting recommended best practices? a.threat environment is similar b. resource expenditures are practical c.organization structure is similar d. same certification and accreditation agency or standard

d. react

Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)? a.Identify b.Detect c.Recover d.React

b. former employee's home computer must be audited

Which of the following is NOT a task that must be performed if an employee is terminated? a.former employee must return all media b.former employee's home computer must be audited c.former employee's office computer must be secured d.former employee should be escorted from the premises

c. replacement

Which of the following is NOT one of the administrative challenges to the operation of firewalls? a.training b.uniqueness c.replacement d. responsibility

d. for official use only

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret d. for official use only

d. inform

Which of the following is NOT part of the Incident Response Plan? a. detection b. reaction c. recovery d. inform

d. resource intensive, to the point of being inefficient

Which of the following is a disadvantage of the one-on-one training method? a. inflexible scheduling b. may not be responsive to the needs of all the trainees c. content may not be customized to the needs of the organization d. resource intensive, to the point of being inefficient

a. framework

Which of the following is a generic model for a security program? a. framework b. methodology c. security standard d. blueprint

d. interaction with trainer is possible

Which of the following is an advantage of the formal class method of training? a. Personal b.Self-paced, can go as fast or as slow as the trainee needs c.Can be scheduled to fit the needs of the trainee d.Interaction with trainer is possible

a. usually conducted in an informal social setting

Which of the following is an advantage of the user support group form of training? a. Usually conducted in an informal social setting b. Formal training plan c. Can be live, or can be archived and viewed at the trainee's convenience d. Can be customized to the needs of the trainee

b. information on the structure of the InfoSec organization

Which of the following is an element of the enterprise information security policy? a. access control lists b. information on the structure of the InfoSec organization c. articulation of the organization's SDLC methodology d. indemnification of the organization against liability

e. all of the above

Which of the following is included in an InfoSec performance program? a. Strong upper-level management b. practical InfoSec policies and procedures c. quantifiable performance measurements d. results-oriented measurement analysis e. all of the above

c. identify program scope, goals, and objectives

Which of the following is the first step in the process of implementing training? a. identify training staff b. identify target audiences c. identify program scope, goals, and objectives d. motivate management and employees

c. separation of duties

Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs? a. task rotation b. mandatory vacations c. separation of duties d. job rotation

a. COBIT

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? a. COBIT b. COSO c. NIST d. ISO

a. security technician

Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems? a. security technician b. security analyst c. security consultant d. security manager

d. EISP

Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP

d. EISP

Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP

a. Policy Review and Modification

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose

b. proxy server

Which type of device exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server? a.dynamic packet filtering firewall b.proxy server c.intrusion detection system d.application layer firewall

b. standard

Which type of document is a more detailed statement of what must be done to comply with a policy? a. procedure b. standard c. guideline d. practice

a. issue-specific

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? a. issue-specific b. enterprise information c. system-specific d. user-specific

a. temporary workers

Workers brought in to fill positions temporarily or to supplement the existing workforce. a. temporary workers b. contract employees c. consultants

c. consultants

Workers hired for a specific task or project. a. temporary workers b. contract employees c. consultants

c. contract employees

Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as __________. a. temporary workers b. Consultants c. contract employees d. business partners

C. Least privilege

_____________ ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary. a. long arm b. mandatory access control c. least privilege

d. Trojan horses

___________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated. a. Viruses b. Worms c. Spam d. Trojan horses

a. benchmarking

_______________is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate. a. benchmarking b. baselining

c. temporal isolation

time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary