ITEC370 Test 2
The section of the security newsletter that informs or educates staff and serves as an information security glossary is called __________________________.
"What Is . . . ?"
Which of the following scenarios demonstrates consideration of building consensus on intent?
A manager calls a meeting with employees to discuss the drivers for the change in terms of the architecture operating model and principles.
_______________ is an international governance and controls framework and a widely accepted standard for governing, assessing, and managing IT security and risks.
COBIT
While these two approaches have similarities in terms of the topics they address, ________ will cover broad IT management topics and specify which security controls and management need to be installed; however, ________ does not address how to implement specific controls.
COBIT, ISO
Which of the following policy frameworks is a widely accepted set of documents that is commonly used as the basis for an information security program, and is an initiative from ISACA, formerly known as the Information Systems Audit and Control Association?
Control Objectives for Information and related Technology (COBIT)
If a security policy clearly distinguishes the responsibilities of computer services providers from those of the managers of applications who use the computer services, which of the following goals is served?
accountability
There are many IT security policy frameworks that can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks?
GRC for IT operations, governance, risk management, and compliance
___________________ addresses how specific a policy is with respect to resources.
Granularity
Which of the following statements captures the function of guidelines presented in guidance documents for IT security?
Guidelines provide those who implement standards/baselines more detailed information such as hints, tips, and processes to ensure compliance.
In a(n) ____________________, there are policies, standards, baselines, procedures, guidelines, and taxonomy.
IT policy framework
Which of the following statements best captures the role of information security teams in ensuring compliance with laws and regulations?
Information security personnel work with their organizations' compliance and legal teams to determine violations of an organization's security policy.
When publishing your policy and standards library, it is necessary to evaluate the communications tools that are available in your organization. Which of the following statements best captures one of the best practices for publishing your documents?
It is a good idea to create separate Web pages for each document and provide a link to the document itself on that Web page.
It is important to create an IT security program structure that aligns with program and organizational goals and describes the operating and risk environment. Which of the following is one of the important issues for the structure of the information security program?
Management and coordination of security-related resources
Also known as the Federal Information Processing Standards (FIPS), the _______________ framework is a shared set of security standards required by the Federal Information Security Management Act (FISMA).
NIST
_________________ describes how to design and implement an information security governance structure, whereas __________________ describes security aspects for employees joining, moving within, or leaving an organization.
Organization of information security, human resources security
One of the processes for establishing business requirements and raising the level of privileges is to grant elevated rights on a temporary basis. This process is called _________________.
firecall-ID
If a CISO seeks to raise employees' awareness of the dangers of malware in the organization, which of the following approaches is recommended?
The CISO should talk about how malware could prevent the service desk from helping a customer.
A manager creates a policy document that lists the policy name, identifying information, and the operational policy. When she gets to the section marked "roles and responsibilities," she is uncertain if she should include the names of the individuals assigned to the roles and responsibilities, but decides ultimately that she will because these individuals were newly appointed and have played an active role in reviewing and providing feedback on the policy. Which of the following statements is an accurate assessment of this manager's choice to include the names of the individuals?
The manager should not have included the names because even though they were newly appointed, individuals join and leave the company.
Consider this scenario: After many years, an employee is promoted to a position that has an elevated level of trust with his management. He started with the company in an entry-level position, and then moved from a supervisory to a managerial role. This role entails that the employee trains other employees and has a deep understanding of how the department functions. Which of the following actions should be taken in regard to this employee's levels of access during the span of time he has worked for the company?
This employee should have prior access removed to ensure separation of duties and avoid future instances of security risk.
In the financial services sector, some organizations have implemented a three-lines-of-defense model. What does the use of this model suggest about an organization's structure?
This organization uses a layered approach that creates a separation of duties.
Of the principles that can be used to derive control requirements and help make implementation decisions, which principle functions as a deterrent control and helps to ensure that people understand they are solely responsible for actions they take while using organization resources?
accountability principle
Security controls are measures taken to protect systems from attacks on the integrity, confidentiality, and availability of the system. If a potential employee is required to undergo a drug screening, which of the following controls is being conducted?
administrative controls
The new class of software available to support policy management and publication is called Governance, Risk, and Compliance (GRC). Which of the following explanations fits the "governance" category of the software?
assessing the proper technical and non-technical operation of controls and remediating areas where controls are lacking or not operating properly
Within the seven domains of a typical IT infrastructure, there are particular roles responsible for data handling and data quality. Which of the following individuals does not work with the security teams to ensure data protection and quality?
auditors
Policy and standards often change as a result of business drivers. One such driver, known as ___________________, occurs when business shifts and new systems or processes are incorporated; these business shifts and new systems and processes may differ from what a standard or policy requires.
business exceptions
There are no universal prescriptions for building an IT security program. Instead, principles can be used to help make decisions in new situations using industry best practices and proven experience. Which of the following is not created with the use of principles?
business plan
One of the processes designed to eradicate maximum possible security risks is to ________________, which limits access credentials to the minimum required to conduct any activity and ensures that access is authenticated to particular individuals.
harden
Which of the following responsibilities is in the purview of the second line of defense?
identify and assess enterprise risk
In any event in which customer data is involved, it is necessary to check with the ___________________ on the legal requirements related to managing and use of that data.
compliance team
It is important that ___________________ accounts have full and unencumbered rights to restore data as well as to configure, install, repair, and recover applications and networks.
contingent
The different concepts in the architecture operating model are aligned with how the business chooses to integrate and standardize with an enterprise solution. In the ___________________, the technology solution shares data across the enterprise.
coordinated operating model
When implementing a framework, the two main considerations for implementation are _____________ and _____________.
cost, impact
In the ISO/IEC 27002 framework, _________________ describes the use and controls related to encryption.
cryptography
Which of the following statements does not offer an explanation of what motivates an insider to pose a security risk?
an individual might think that threatening to disclose security information will earn the attention and recognition of the organization and thus result in promotion.
The _____________________ principle states that it is important to consider your users or partners when requiring information that could place their privacy rights at risk. Thus, the security of an information system should be balanced against the rights of customers, users, and other people affected by the system versus your rights as the owners and operators of these systems.
democracy
An illustration of ________________ would be an organization installing anti-malware software on the network and endpoints, monitoring for suspicious traffic, and responding as needed.
disposal of risk
Which of the following is not one of the types of control partners?
engineers
A(n) ______________________ aligns strategic goals, operations effectiveness, reporting, and compliance objectives.
enterprise risk management framework
The members of the _________________ committee help create priorities, remove obstacles, secure funding, and serve as a source of authority. Members of the _______________ committee, however, are leaders across the organization.
executive, security
The information security program charter is the capstone document for the information security program. This required document establishes the information security program and its framework. Which of the following components is not defined by this high-level policy?
explanation of penalties and disciplinary actions for specific infractions
The ultimate goal of the review and approval processes is to gain senior executive approval of the policy or standard by the chief information security officer (CISO). In order to gain this approval, the CISO requires all parties to sign off on the document. Which of the following is not among the suggested list of people who should be given the chance to become a second or third layer of review?
finance
Of the roles commonly found in the development, maintenance, and compliance efforts related to a policy and standards library, which of the following has the responsibilities of directing policies and procedures designed to protect information resources, identifying vulnerabilities, and developing a security awareness program?
information resources security officer
Consider this scenario: A company that buys a sizeable amount of equipment for its manufacturing process needs to accurately report such expenditures, so it calls upon the services of financial auditors. While financial auditors might consider how robust the data might be, the company might also involve IT auditors to examine the technology in place to gather the data itself. What process is this company using to address its concerns?
integrated audit
Which of the following standards is important to issue as new technologies develop considering that some issues diminish in importance while new ones continually appear?
issue-specific standard
When a major private sector business experiences a data breach on the scale that the retailer Target experienced in 2013, the financial impact can be significant. In this event, significant weaknesses in the information security framework and its related controls were present. Which of the following major impact areas is not one of the three that should have been addressed in a well-implemented security framework?
lack of complete inventory of IT assets and their configurations
The Barings Bank collapsed in 1995 after it was found that an employee had lost over $1.3 billion of the bank's assets on the market. The collapse occurred when an arbitrage trader was responsible for both managing trades and guaranteeing that trades were settled and reported according to proper procedures. To which of the following causes is this collapse attributed?
lack of separation of duties
According to the best practices most widely adopted to protect users and organizations, _______________ employs an approach that sets up overlapping layers of security as the preferred means of mitigating threats.
layered defense
It is recommended that systems administrators analyze logs in order to determine if they have been altered because monitoring can deter risk. To serve this goal, a ________________ can be used to assemble logs from platforms throughout the network.
log server
Security policies that clarify and explain how rights are assigned and approved among employees can ensure that people have only the access needed for their jobs. Which of the following is not accomplished when prior access is removed?
minimizes future instances of human error
Operations security describes operational management of controls to ensure that capacity is adequate and performance is delivered. Which of the following is not one of the key topics included in this section?
network security management
In 2010, a major restaurant chain suffered a network breach when malware was discovered to have collected customer credit card information that was later stolen by an outside party. Such a breach was a PCI DSS framework violation. Which of the following actions is the first step that should have been taken to ensure the PCI DSS framework was safely protecting the credit card information?
network segregation
The shared belief system of employees in a business or company is known as the _____________________.
organizational culture
One of seven domains of a typical IT infrastructure is the user domain. Within that domain is a range of user types, and each type has specific and distinct access needs. Which of the following types of users has the responsibility of creating and putting into place a security program within an organization?
personnel
The NIST SP 800-53, "Recommended Security Controls for Federal Information Systems" was written using a popular risk management approach. Which of the following control areas best fits this description: "This is the area in which an organization develops, documents, periodically updates, and implements security plans for information systems"?
planning
There are many ways that people can be manipulated to disclose knowledge that can be used to jeopardize security. One of these ways is to call someone under the false pretense of being from the IT department. This is known as _________________________.
pretexting
In order to promote continued learning and development among staff, a security newsletter can be created to offer interesting and captivating ways of comprehending the points outlined in the policy and standards library. Which of the following is not one of the possible article topics to be covered?
profiles identifying the evangelists in the organization
In order for an IT security framework to meet information assurance needs, the framework needs to include policies for several areas. Which of the following is not one of the areas?
protecting the privacy of personal data and proprietary information
In May 2013, a National Security Agency (NSA) contractor named Edward Snowden leaked thousands of documents to a journalist detailing how the U.S. implements intelligence surveillance across the Internet. In which of the following sectors did this breach occur?
public sector
In order to establish cogent expectations for what is acceptable behavior for those utilizing an organization's technology assets, an Acceptable Use Policy (AUP) defines the targeted functions of computers and networks. This policy delimits unacceptable uses and the consequences for policy violation. Which of the following topics is not likely to be found in an AUP?
recommendations for creating a healthy organizational culture
Of the six specific business risks, the ___________________ risk results from negative publicity regarding an organization's practices. Litigation and a decline in revenue are possible outcomes of this type of risk.
reputational
Transparency is an important concept in policies related to the handling and use of customer data. Organizations should be transparent and should notify individuals of the distribution, use, collection, and maintenance of personally identifiable information (PII). Which of the following elements does not need to be included with regard to handling of customer data?
response controls
The security posture of an organization is usually expressed in terms of ___________________, which generally refers to how much risk an organization is willing to accept to achieve its goal, and ____________________, which relates how much variance in the process an organization will accept.
risk appetite, risk tolerance
The _______________________ domain establishes the context and business view for a risk evaluation and guarantees that risk activity aligns with the business goals, objectives, and tolerances. The ________________ domain establishes that technology risks are identified and delivered to leadership in business terms.
risk governance, risk evaluation
The ________________ domain ensures risks are diminished and remediated in the most cost-effective manner. To prevent risk from increasing in severity and scope, this domain coordinates risk responses ensuring that the right people are engaged when appropriate.
risk response
Before publishing major policy changes, it can be beneficial to conduct a _______________ in order to offer employees an explanation of the upcoming changes and create a space for dialogue.
roadshow
A(n) __________________ is a term used to indicate any unwanted event that takes place outside the normal daily security operations. This type of event relates to a breakdown in controls as identified by the security policies.
security event
Which of the following user types is responsible for audit coordination and response, physical security and building operations, and disaster recovery and contingency planning?
security personnel
A good example of ___________________ is a real estate business that shares data on new home purchases between the unit that sells insurance for the home and the business unit that sold the home.
service integration
_____________________ denotes the use of human interactions to gain any kind of desired access. Most often, this term involves exploiting personal relationships by manipulating an individual into granting access to something a person should not have access to.
social engineering
In an issue-specific standard, the ___________________________ section defines a security issue and any relevant terms, distinctions, and conditions.
statement of an issue
Aside from human user types, there are two other non-human user groups. Known as account types, ________________ are accounts implemented by the system for the purpose of supporting automated service, and ___________________ are accounts that remain non-human until individuals are assigned access and can use them to recover a system following a major outage.
system accounts, contingent IDs
Which of the following topics describes the process of building security into applications?
systems acquisition, development, and maintenance
A ____________________ can be used to hierarchically represent a classification for a given set of objects or documents.
taxonomy
Imagine a scenario in which an employee regularly shirks the organization's established security policies in favor of convenience. What does this employee's continued violation suggest about the culture of risk management in the organization?
that the organization lacks a good risk culture wherein employees have "buy in"
When is the best time to implement security policies to help developers diminish the number of vulnerabilities during application development?
the application is being written
Assume that the governance committee states that all projects costing more than $70,000 must be reviewed and approved by the chief information officer and the IT senior leadership team (SLT). At this point, the CIO has the responsibility to ensure that management processes observe the governance rules. For example, the project team might present the proposed project in an SLT meeting for a vote of approval. What does this scenario illustrate about organizational structure?
the difference between governance and management oversight
Which of the following is not one of the similarities shared by an enterprise risk management (ERM) framework and a governance, risk management, and compliance (GRC) framework?
the importance of value delivery
Which of the following user groups has both the business needs of being able to access the systems, network, and application to complete contracted services, and access capability that is limited to particular sections of the systems, network, and application?
vendors
Policies and standards are a collection of concrete definitions that describe acceptable and unacceptable human behavior. The questions related to _______________ are more appropriate for procedures or guidelines than policies or standards, which require detail that is more at the level of ________________.
where, when, and how; what, who, and why