Midterm
Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security.
11
Smaller organizations tend to spend approximately __________ percent of the total IT budget on security.
20
A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as __________.
A Security Analyst
"4-1-9" is one form of a(n) __________ fraud.
Advance Fee
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
Authentication
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, and so that it selects key stakeholders as well as the ____________.
Board Risk Committee
Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex.
False
Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. _________________________
False
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________.
Security Manager
This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.
Security Manager
A qualified individual who is tasked with configuring security technologies and operating other technical control systems is known as a(n) ____________.
Security Technician
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called __________.
Software Piracy
A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization—for example, the information assets used in a particular organization—is known as a(n) _________.
Stakeholder
A clearly directed __________ flows from top to bottom, and a systematic approach is required to translate it into a program that can inform and lead all members of the organization.
Strategy
The first priority of the CISO and the InfoSec management team should be the __________.
Structure of a Strategic Plan
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
Team Leader
Human error or failure often can be prevented with training and awareness programs, policy, and _________.
Technical Controls
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access.
Trespass
__________ are malware programs that hide their true nature and reveal their designed behavior only when activated.
Trojan Horses
Deterrence is the best method for preventing an illegal or unethical activity. ___________
True
Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
True
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
True
The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True
A potential weakness in an asset or its defensive control system(s) is known as a(n) __________.
Vulnerability
In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?
Waterfall
What is the SETA program designed to do?
reduce the occurrence of accidental security breaches
In the __________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
Man-in-the-Middle
Organizations classified as __________ may still be large enough to implement the multitier approach to security, though perhaps with fewer dedicated groups and more functions assigned to each group.
Medium-Sized
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________.
Penetration Tester
"GGG security" is a term commonly used to describe which aspect of security?
Physical
"4-1-9" fraud is an example of a __________ attack.
Social Engineering
When creating a __________, each level of each division translates its goals into more specific goals for the level below it.
Strategic Plan
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________.
Threat
Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True
Policies must specify penalties for unacceptable behavior and define an appeals process.
True
__________ is a simple project management planning tool.
WBS
What do audit logs that track user activity on an information system provide?
Accountability
In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution.
Analysis
In which phase of the SecSDLC does the risk management task occur?
Analysis
An (ISC)2 program geared toward individuals who want to take any of its certification exams before obtaining the requisite experience for certification is the __________.
Associate of (ISC)2
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) _________.
Attack
A process that defines what the user is permitted to do is known as __________.
Authorization
A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs.
Business Mission
An ISACA certification targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance, is known as the __________.
CGEIT
The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral.
CISSP
A model of InfoSec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model.
CNSS
An ISACA certification targeted at IT professionals who are in careers that link IT risk management with enterprise risk management is known as the __________.
CRISC
A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________.
Champion
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
Champion
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
Chief Information Security Officer
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________.
Convergence
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a(n) __________.
Cracker
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
Data Owners
Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________.
Data Users
The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response.
Design
A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
Distributed Denial of Service
According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
Establishing
A technique used to compromise a system is known as a(n) __________.
Exploit
A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________
False
Access control lists regulate who, what, when, where, and why authorized users can access a system.
False
Ethics carry the sanction of a governing authority.
False
Examples of actions that illustrate compliance with policies are known as laws. __________
False
ISACA is a professional association with a focus on authorization, control, and security. ___________
False
InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False
It is the responsibility of InfoSec professionals to understand state laws and bills. ____________
False
Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________
False
Technology is the essential foundation of an effective information security program. ____________
False
The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.
False
The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. _________
False
A short-term interruption in electrical power availability is known as a _________.
Fault
There are a number of methods for customizing training for users; two of the most common involve customizing by __________ and by __________.
Functional Background; Skill Level
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly is known as __________.
Governance
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
Governance
ISO 27014:2013 is the ISO 27000 series standard for ____________.
Governance of Information Security
The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective. The letters stand for __________, __________, and __________.
Governance, Risk Management, Compliance
One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivism
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus __________.
Hoaxes
In large organizations, the InfoSec department is often located within a(n) _________ division headed by the _________, who reports directly to the _________.
IT; CISO; CIO
__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them.
Industrial Espionage
The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security.
Information
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints.
Investigation
What is the first phase of the SecSDLC?
Investigation
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________.
Methodology
The protection of voice and data components, connections, and content is known as __________ security.
Network
IT's focus is the efficient and effective delivery of information and administration of information resources, while InfoSec's primary focus is the __________ of all information assets.
Protection
The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.
Rainbow Table
An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as ________.
Ransomware
Technology services are usually arranged with an agreement defining minimum service levels known as a(n) __________.
SLA
Larger organizations tend to spend approximately __________ percent of the total IT budget on security.
5