MIS 515 1st Try
As organizations grew in size, they become more efficient with information security and its governance
False
Authorization validates the identity of an individual while Authentication defines the level of access. True or False
False
Backup technology and the media used to store backups is reliable enough that periodic testing of backups is really unnecessary
False
Because cloud service providers have heightened security, databases housed in the cloud are not vulnerable to hackers. True or False
False
Both public and private companies are responsible for Sarbanes-Oxley compliance.
False
Business Disruption is actually viewed as a higher external consequence cost of cybercrime than information loss.
False
By industry, the retail sector currently suffers the highest cost per data breach record.
False
Carpets are a nice addition to equipment rooms because they lower the noise levels.
False
Cloud sourcing and Crowdsourcing are the same thing.
False
Cloud sourcing is a term that applies solely to public cloud providers
False
Cloud sourcing is not good for quick deployment of resources
False
Conducting forensic investigations is high on the majority of organization's budget list. True or False
False
Confidentiality, integrity and availability apply only to the storage and transmission of data
False
Containment of a cybercrime incident is seen as the most costly activity for an organization
False
Corporate governance is only concerned with internal issues of the corporation
False
Corporate technology operations do not have supply chains
False
Corporations and government agencies are required to comply with FISMA requirements
False
Countries that invest in infrastructure and IT and more likely to be candidates for insourcing
False
IS is rarely at odds with IT within a corporation and is the primary reason why it is often positioned under IT
False
IT governance is more about making and implementing decisions than who makes the decisions
False
If IT at higher education institutions is centralized, the number of necessary governance groups would drop significantly.
False
In the European Union, when the European Council issues a decision, it is considered directly applicable and "binding" to all Member States.
False
In the US, all states are governed by a federal breach notification requirement. True or False
False
Increased C-level support is considered the highest driving factor for improving information security posture.
False
Information Assurance is not concerned with provisions for restoration of information systems only the protection of them.
False
Information Security is rarely at odds with Information Technology within a corporation and is the primary reason why it is often positioned under Information Technology
False
Intellectual property records constitute the majority of records stolen in data breaches. True or False
False
It is estimated that only 25% of the U.S. critical infrastructure is covered by the private sector. True or False
False
It is not important that front-line help desk employees have security awareness. They can always route the call to one who does.
False
It is not possible to taint computer hardware technology
False
It takes longer to contain a data breach than to clearly identify one. True or False
False
Large organizations tend to spend more, per capita, on security than smaller organizations
False
MLS provides for storing and processing of information with a single level of sensitivity.
False
Mandatory Access Control gives users the flexibility to create policy and assign security attributes.
False
Most organizations are not required by law to take special precautions with personnel or customer information
False
Most organizations outsource their Information Security
False
Newly purchased systems must be sanitized before configuring and deploying.
False
Non-repudiation's goal is to provide disputable evidence that the source and the target of a process, transaction, or communication are validated and verified.
False
Most corporations allocate Information Security budgets as:
% of IT Budget
The cost and value of lost or stolen information represents the highest consequence cost for most organizations. True or False
True
The inability to hire and retain expert staff is a significant problem in the area of Cybersecurity
True
The main difference between laws and ethics is that ethics does not carry the sanction of a governing authority
True
The majority of data breaches are caused by outsiders or third parties.
True
The majority of physical supply chain threats incidents have internal company connections
True
Two benefits of improved information security governance are increased strategic alliance with organizational goals and improved risk managment
True
Vibration based sensors are not good on fences because they create many false positives.
True
Which of the following would not be considered an administrative function of operational security?
Upgrading the firmware of a network switch
Discretionary Access Control is managed centrally by a security policy administrator and users do not have the ability to override security settings.
False
Operational security staff generally never concern themselves with malfunctioning HVAC, lighting or cipher locks. These are viewed as facilities issues.
False
Outsource arrangements should produce a net benefit for the organization but it is not possible to select one whose capabilities compliment the organization's capabilities
False
Patch management, while important, is not a priority item for security management teams True or False
False
Per record data breach costs have increased dramatically since 2018. True or False
False
Public Law regulates the relationship among individuals and among individuals and organizations and encompasses family law, commercial law, and labor law.
False
Recovery, Containment and Business Disruptions are representative of internal cost activities of an organization following a breach. True or False
False
SSAE stands for Safeguarding Supply chains for Attestation Engagements
False
Scheduled and unscheduled downtime are not considered potential problems with availability from an information assurance perspective.
False
Security metrics and future planning are minimally affected by poor operations security
False
Small and medium businesses, in a supply chain, are generally too insignificant and do not have the payoff sought by a disrupter. True or False
False
Social networking forums, like Face Book, do not represent problems for organizations so long as the employee does not engage in their usage while at work. True or False
False
Sourcing is an old business concept of using temp agencies and is rarely done today
False
Space under raised floors can and should be used for power, data, cables, and important or applicable storage or magnetic tapes.
False
Studies show that breaches only affect confidentiality and do not affect integrity or availability. True or False
False
System and Media declassification and downgrading is not an issue since there is little to no chance that someone might extract sensitive information froman old system or drive True or False
False
The Biba access control model defines protection focused on confidentiality of information where-as the Bell-La Padula access control model defines protection of information integrity. True or False
False
The USA Patriot Act stands for the United States of America Protection Against Terrorist, Retaliation, Interception and Obstruction of Technology.
False
The concept of "least privilege" is only applied to new employees
False
The cyber attack known as Titan Rain was carried out in 2007 when Russia used cyber technology to cripple elements of Estonia's technology infrastructure. True or False
False
The definition of "personal information" is much more narrow in the European Union that is in the United States.
False
The definition of personal information is much more narrow in the EU than in the US
False
The indirect labor of cyber crime costs is always more expensive than the direct labor component. True or False
False
The internal cost of containing a breach is the highest cost activity for most organizations
False
The loss of customer confidence, as a result of a data breach, is not a great concern for organizations. True or False
False
The main feature of Advanced Persistent Threats (or APT) is the constant denial of service attacks they incur.
False
The most alarming trend in SCADA systems is the continued use of older control and collection systems based on DOS, VMS, and UNIX.
False
Today's backup media is robust and does not require special environmental controls.
False
Under the Eu "Cookie Law" providers are NOT generally required to secure viewers consent prior to forming and storing an internet browser cookie.
False
Unethical behavior is best handled solely through deterrence consisting of education and policies without direct consequences.
False
If an employee, acting with or without the authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable.
True
In the European Union, when the European Council issues a Regulation, it is considered directly applicable and "binding" to all Member States.
True
Information Assurance attempts to infuse greater accountability, training and awareness into information security practices.
True
Information Security budgets are often-times a percentage of the Information Technology budget. True or False
True
Insourcing is generally considered the opposite of outsourcing
True
Integration of 3rd parties into internal networks and applications is seen as a growing organizational risk.
True
It is advisable to systematically startup a series of servers so as to avoid a high surge of current known as an in-rush current
True
Job rotation is a tool that requires every employee to be able to perform the work of at least one other employee
True
Lost business costs are generally higher than detection and escalation costs of a data breach. True or False
True
Low humidity in an area with electronic devices can cause static electricity which could damage components if discharged. Excessive humidity could cause corrosion.
True
Malicious code insertion into a software or firmware product is an example of tainting.
True
Many companies are still untrusting with the security of cloud service providers.
True
Most data breaches are the result of malicious attacks. True or False
True
On a per record basis, indirect costs of a data breach incident are greater than direct costs.
True
Operational Security is focused more on the daily security tasks rather than actual evaluation of security metrics or security planning activates.
True
Organizations concerned with budgeting for improved access management are concerned with provision and de-provisioning of user accounts True or False
True
Owing a data center in a foreign land is an example of offshoring
True
PDD-63 was the first presidential directive to recognize critical infrastructure as both physical and cyber-based True or False
True
Positive air flow pressurization keeps the air flowing outward when doors are opened, from an area, so that unwanted air does not flow back into the area.
True
Power flow can be disrupted by electromagnetic and radio frequency emissions.
True
Private clouds can be hosted on premise or off premise.
True
Residual risk is what is a potential risk (or loss) after threats and vulnerabilities are matched with controls to reduce risk.
True
Security awareness and security related issues should be reflected as a component of an employee's performance appraisal to raise their awareness and reflect the seriousness of security issues.
True
Security is all about the management and control of risk. True or False
True
Security of all about the management and control of risk.
True
Separation of duties was an important part of early castle layered defense mechanisms. True or False
True
Site accessibility is important with regards to the ability and expectations of assistance from law enforcement, ambulances, or fire truck response times.
True
Software can contain undocumented back door access.
True
Supply chains encompass the processes necessary to get a good or service from the supplier to the customer.
True
The Common Criteria is a framework by which users can specify security requirements and have vendors implement the requirements. The validation of a vendor meeting these requirements is derived after extensive testing and, if successful, certification.
True
The EU Data Retention legislation (Directive 2006/24/EC) is intended to help provide law enforcement and authorized investigative institutions with access to internet service provider logs and records.
True
The EU E-Privacy Directive 2002/58/EC deals only with public communication service providers.
True
During Covid 19 pandemic, employees were required to work remotely. This was an easy move for many organizations because employee home systems were typically well equipped with all the proper security protection mechanisms True or False
False
Excessive humidity in an area with electronic devices can cause static electricity which could damage components if discharged.
False
Executive Order 13636 is primarily concerned with the creation of a situational awareness capability for only the cyber aspects of critical infrastructure.
False
Which of the following is a coordinated effort, between government and private sector, to establish a knowledge base for information sharing related to critical infrastructure concerns.
1NFRAGARD- INFRAGARD is managed by the FBI as an information sharing and analysis effort regarding critical infrastructure issues.
What is a mantrap?
A double-door facility used for physical access control
For potential employees its generally a good idea to reflect security access information on job descriptions, in interviews and in site tours.
False
An equipment fan becomes clogged with dust and lint. Although the room is cool, the machine overheats internally and fails. What information assurance pillar is involved in the failure?
Availability
Which of the following is the most representative of the INFOSEC process?
Access, Plan, Implement, Monitor, Update
Which of the following are valid reasons for an information security professional to posses a rudimentary grasp on IS related laws?
All of the above (1. More effectively plan organizational security, 2. Help mitigate an organization's legal risks, 3. Assist in planning awareness training, 4. Help the organization avoid embarrassing security situations
The department of homeland security C3 program focuses on which of the following areas of critical infrastructure participants?
All of the above (Convergence, Connection, Coordination)
Which of the following presents constant challenges to the success of operational security?
All of the above (High level Support, Documented Procedures, Size of Security Staff, Degree of staff overlap)
Organizations must deal efficiently with which of the following Information Assurance issues:
All of the above (IT and Security Governance, Disaster recovery, Compliance, Business Continuity)
Which of the following is not an item of importance for IS governance? 1. Reduce liability 2. Policy compliance 3. Optimize security resources 4. Safeguard information 5. All of the above
All of the above (Reduce liability, policy compliance, Optimize security resources, safeguard information)
Which of the following is not a pillar of information assurance? 1. Integrity 2. Non-Repudiation 3. Availability 4. Authentication 5. Confidentiality 6. All of the above are pillars of IA 7. None of the above are pillars of IA
All of the above are pillars of IA
Which of the following is NOT a step of the Department of Defense Information Assurance certification and Accreditation Process?
All of the above are steps of DIACAP: Security Process Initialization, Security certification, Security Accreditation, Monitoring
Which of the following is an example of the manifestation of the espionage threat in supply chains? 1. Alteration of software to allow unauthorized control 2. The use of intellectual property for monetary gain 3. The unauthorized duplication of a finished good 4. All of the above
All of the above: (Alteration of software to allow unauthorized control, The use of intellectual property for monetary gain, The unauthorized duplication of a finished good)
Which of the following would be a surrounding area influence in site selection?
All of the above: (Crime rate, Proximity to medical or hospital facilities, Riots or terrorism, Potentially hazardous neighboring facilities)
Which of the following is not an element of concern for desktop configuration managment?
All of the above: (Disk drive sanitization before redeployment, End user machine backup before sanitization, Ensuring the machine is installed with the correct software, Limiting administrative privileges)
Which of the following would not represent an event type that would indicate an incident is occurring?
All of the above: (Loss of integrity, Loss of availability, Loss of confidentiality, Violation of Law)
Which of the following is an important question to ask regarding infrastructure backups? 1. Where are the backups stored? 2. Who has access to the backups? 3. Who is responsible for the backups? 4. Are the backups procedures and schedules well documented 5. All of the above
All of the above: (Where are the backups stored?, Who has access to the backups?, Who is responsible for the backups?, Are the backups procedures and schedules well documented?)
Which of the following information security characteristics MOST applies to SCADA systems?
Availability
Match the governance style with its decstiption Anarchy Federal IT Duopoly Feudal IT Monarchy Business Monarchy
Anarchy - individual process owners have decision rights Federal- rights shared by C suite executive and at least one other group IT Duopoly- IT executive and other business leaders share rights Feudal- unit leaders have decision rights locally IT Monarchy- IT executive have decision rights Business Monarchy- executive leadership has decision rights
Which of the following are among the top 3 current spending priorities for organizations with regards to technology and security?
Application Security, Cloud Security, Data Security
When a company rents the use of an application to a customer, this is:
Application Service Provider
Which of the following is most representative of the INFOSEC process? 1. Assess, Monitor, Implement Update, Plan- 2. Monitor, Implement, Plan, Assess, Update- 3. Plan, Assess, Monitor, Update, Implement- 4. Assess, Plan, Implement, Monitor, Update
Assess, Plan, Implement, Monitor, Update
Which of the following is not a pillar of Information Assurance? 1. Integrity 2. Authentication 3. Authorization 4. Confidentiality 5. Non-Repudiation
Authorization
High security controls are designed to impede, detect, assess, and neutralize.
False
Match the governance style with its description:
Business Monarchy -- Executive leadership has decision rights IT Monarchy -- IT executive have decision rights Federal -- Rights shared by "C-level" executives and at least one other group Feudal -- Unit leaders have decision rights locally IT Duopoly -- IT executive and other business leaders share rights Anarchy -- Individual process owners have decision rights
An outsourced customer call center is an example of which type of outsourcing?
Business Process
Hiring qualified information security personnel is not a major concern of organizations since there is an abundance of those possessing the skill sets. True or False
False
Which of the following directives was instrumental in instructing all Federal Agencies to fund, develop and implement Information Assurance training and awareness?
CNSS Directive 500
Which of the following most accurately depicts the traditional government path to INFOSEC?
COMSEC + COMPUSEC + TEMPEST = INFOSEC
In theory, which of the following acquisition types offers lower cost and quicker deployment YET offers the least control and higher risk of potential vulnerabilities? 1. MOTS 2. COTS 3. NOTS 4. GOTS
COTS
Which of the following is not a drawback of intrusion detection and monitoring systems?
Cannot be penetrated
Which of the following would not be possible incident indicator?
Changes to logs; Log changes are an example of a definite indicator
Which of the following would NOT be consistent with a computer being incidental to a crime?
Computer was used to attack another computer
From the policy pyramid, correctly match the entities with the things they create: Congress Executive Government Agencies Department of Defense Army, Navy, USMC, AF
Congress- Public Law Executive- Federal Government Policy Government Agencies- Guidelines, Publications, Standards Department of Defense- Policy and Directives Army, Navy, USMC, AF- Agency Specific Policy and Directives
Which of the following would not be considered a cybercrime category as discussed in this module? 1. Criminal activities involving or against individuals 2. Criminal activities against property 3. Criminal Activities against government 4. Criminal activities against animals
Criminal activities against animals
Which of the following would not be considered a crime targeting a computer device network? 1. Cyber stalking 2. Malicious code 3. Denial of service 4. Viruses
Cyber Stalking
Human error accounts for the majority of data breach causes. True or False
False
According to the Ponemon survey, the average amount of time to resolve a breach by a malicious insider in 2017 was 41 days.
False
All unethical behavior is conducted with intent.
False
Which of the following are among the top 3 current spending priorities for organizations with regards to technology and security?
Data warehousing, Security privacy, and cloud applications & infrastructure
Which of the following word combinations best describe IT governance? 1. Assessing, planning, implementing 2. Decision rights, accountability, behavior 3. Legislation, compliance, risk 4. Budget, machines, people
Decision rights, accountability, behavior
Match the following designations with their descriptions
Definers -- Provide policies, guidelines, and standards Builders -- Provide and install the technical solutions Operators -- Provide operational and monitoring support
Which of the following represent the highest internal cost activity of a breach?
Discovery/Detection and Containment
How does Halon suppress a fire?
Disrupts the chemical reaction of a fire
Which of the following is intended to provide individual's protection and privacy when personal information is collected and held by Member State institutions? 1. EU Regulation 45/2001 2. PCI/DSS 3. Direct 2002/58/EC 4 Directive 2006/24/EC
EU Regulation 45/2001
A computer is the object of a crime when it is used to conduct online gambling True or False
False
A system high security mode is more restrictive than a dedicated security mode
False
Vendors or maintenance contractors can always be trusted since they are under contractual obligation. Accounts setup for vendors diagnostic access should remain open so the vendor can assist, at any time, with problems.
False
While malicious insider abuse may happen with great frequency, the cost borne by an organization for such cybercrime is relatively low.
False
With regards to data breach costs, indirect costs are generally higher than direct costs. True or False
False
Without a question, the larger the organization, the larger the percentage of revenues allocated to the IT budget. True or False
False
COMSEC stands for Common Security.
False, it stands for Communications Security
Security CPR refers to an emphasis on common algorithms, proactivity, and reactive perimeter, controls.
False- CPR stands for Compliance, Protection, Recovery
Which is not an example of a digital operational supply chain?
Fed-X delivery service
Match the following legislation with the descriptions Federal Privacy Act- Electronic Communications Privacy Act- US Copyright Law- Freedom of Information Act-
Federal Privacy Act- Regulates government use of private information Electronic Communications Privacy Act- Regulates unauthorized interception of electronic and oral communications US Copyright Law- protects intellectual property Freedom of Information Act- allows citizens to see what personal info government agencies are maintaining on them
Which of the following is NOT true regarding NSDD 145? 1. Responsible for the formation of the NTISSC which later became NSTISSC 2. First large-scale national security policy enacted by Congress 3. Failed to produce adequate results due to changing technology and threats 4. Ordered in 1984 5. Established a national Policy on Telecommunications and Automated Systems Security.
First large-scale national security policy enacted by Congress
Which of the following is not a recommended secure way to dispose of the disk drives?
Format the disk drive prior to disposal or redeployment
Match the instrument with its description:
G8 Points of Contact: Attempts to provide 24x7 POCs to assist in cyber crime issues Security Freedom through Encryption Act -- Prohibits federal government from requiring the use of encryption on official documents Letter Rogatory -- A diplomatic letter of request for assistance to another country Mutual Legal Assistance Treaty -- Bilateral treaties that establish crime investigation cooperation Digital Millennium Copyright Act -- Attempts to protect private or trademark information internationally
Which of the following types of software acquisitions typically involve the development, by a technical staff, from a government agency? 1. GOTS 2. COTS 3. NOTS 4. MOTS
GOTS
Match the statements with the corresponding laws:Federal Information Security Management ActComputer Fraud and Abuse ActUSA Patriot ActComputer Security ActIdentity Theft Enforcement and Restitution Act
Identity Theft Enforcement and Resolution Act -- Considers threats to steal information as a crime USA Patriot Act -- Laundering actions to defend against terrorism Computer Security Act -- Required mandatory security awareness training at the federal level Federal Information Security Management Act -- Requires government agencies to assess the information security risks of their computer systems. Computer Fraud and Abuse Act -- Considers unauthorized access to national security data as a crime.
Match the following with descriptions HIPPA- SOX- GLB- Fair and Accurate Credit Transaction Act-
HIPPA- protects healthcare data SOX- CEO & CFO responsible for accurate reporting GLB- financial institution to disclose their privacy policies Fair and Accurate Credit Transaction Act- requires measurers to dispose of sensitive information
From the 2018 analysis, which of the following industries has the highest customer churn rate caused by data breaches?
Health
Which of the following industries has the highest customer churn rate caused by data breaches?
Health
Which of the following is NOT true regarding the Gramm-Leach-Bliley Act? 1. Holds organization CEOs personally responsible 2. Applies to banks, security firms, and insurance companies 3. Requires financial institutions to disclose their privacy policies 4. Affects anyone who extends credit to consumers 5. Requires organizations perform security risk assessments, testing, and monitoring.
Holds organization CEO's personally responsible
Which of the following is not a reason why IT governance is important? 1. IT value is all about technology 2. IT is expensive 3. IT is pervasive 4. Important for organization to understand IT value 5. Upper management has limited bandwidth
IT value is all about technology
The Help desk and customer support function should be tied closely to which of the following?
Incident Response Plans
Which of the following best describes a closed-loop HVAC system?
Inside air is re-circulated and re-filtered constantly to keep outside air contaminants out as much as possible.
If an access control has a fail-safe characteristic but not a fail-safe characteristic, what does it mean?
It defaults to being unlocked
Which of the following is the most pressing problem with FISMA? 1. It is a trailer indicator and not a leading indicator and thus does not help with real time security issues 2. It requires a great deal of resources to be compliant 3. It is paper compliant intensive 4. Too many agencies are reporting weakness in compliance areas
It is a trailing indicator and not a leading indicator and thus does not help with real-time security issues
Which of the following would be considered a breach of integrity?
John used SQL Injection techniques to change values in the database
Why is it important to clean keypad based locks from a security perspective?
Keeps intruders from discovering code patterns
Which of the following is NOT a human factor of concern to information security professionals
Lack of business knowledgeable leadership
What over overarching concept does the castle example provide with regards to information security?
Layered defenses
Which of the following security models of operation require minimum clearance level of not-cleared and a maximum data classification level of unclassified but sensitive? 1. Compartmented 2. Dedicated 3. System High 4. Limited 5. Multilevel Security 6. Partitioned
Limited
Which of the following is not a claim of Cloud sourcing?
Moderate availability
Executive Order 13231 superseded NSDD 145 and was responsible for the creation of the President's Critical Infrastructure Protection Board as well as the formalization of CNSS. True or False
True
Which of the following are applicable to a hostile departure for a terminated employee?
Obtain all keys, key cards, and other organizational assets before individual leaves the premise Terminate or disable access codes and logins prior to giving the employee termination notice Inventory and monitor access logs surrounding the termination time Conduct an exit interview with the employee
FISMA required Federal government agencies to provide security protection to proportionate to the risk.
True
Match the following regarding the 6 P's of Information Security: Planning- Policy- Programs- Protection- People- Project Management-
Planning- Support, Design, Create, and Implement Policy- Behavior guidelines Programs- Entities managed in information security domain Protection- risk assessment People- security personnel and personnel security, training and awareness (SETA) Project Management- allows decision makers to control resource allocation and ROI
Financial motivation still dominates actor intentions with most data breach incidents True or False
True
For contract employees, service level agreements or contracts should explicitly address issues of visit or cancellation notice as well as any background checks required.
True
Which of the following fire suppression systems is more appropriate for use in a data center?
Pre-Action sprinkler systems
Match the decision domain with it description Principles Architecture Infrastructure Application Needs Investment and Prioritization
Principles- How IT adds business value Architecture- Choices that satisfy business needs Infrastructure- sharing and standardization of IT Application Needs- outsource of develop internally Investment and Prioritization- what to find and how to fund
Which of the following is not an information security spending priority area?
Projection
Which of the following are true with respect to HIPAA.
Protects the confidentiality of health care data, Establishes standards for electronic interchange and handling of health care data, Requires organizations to conduct comprehensive assessments of information protection mechanisms.
Which of the following is not a goal of IS governance? 1. Provide policy 2. Provide standards and guidance 3. Provide strategic linkage 4. Provide specific security equipment purchase information
Provide specific security equipment purchase information
Which of the following is NOT true about the Computer Fraud and Abuse Act of 1986? 1. Provided the cornerstone of computer related federal laws 2. Was amended by the national infrastructure Protection Act of 1996 3. Was modified by the USA Patriot Act 4. Provided roving surveillance authority 5. Used in conviction related to the Morris Worm
Provided roving surveillance authority
Which of the following is NOT true regarding the Computer Fraud and Abuse Act of 1986? 1. Provided the cornerstone of computer related federal laws 2. Was amended by the national infrastructure Protection Act of 1996 3. Was modified by the USA Patriot Act 4. Provided roving surveillance authority 5. Used in conviction related to the Morris Worm
Provided roving surveillance authority
Which of the following is not a specific requirement of FISMA? 1. Required to designate an ISO to manage the FISMA process 2. Required to provide information security awareness training 3. Required to use independent auditors to review compliance results 4. Required to coordinate all security activity with the Department of Defense 5. None of the above
Required to coordinate all security activity with department of defense
Which of the following is not specific requirement of FISMA as covered in this module? 1. Required to designate an ISO to manage the FISMA process 2. Required to provide information security awareness training 3. Required to use independent auditors to review compliance results 4. Required to coordinate all security activity with the Department of Defense 5. None of the above
Required to coordinate all security activity with the Department of Defense
Which of the following laws deal mostly with financial reporting and disclosure concerns? 1. Gramm-Leach-Bliley Act and COPPA 2. Sarbanes-Oxley Act and HIPAA 3. Sarbanes Oxley (SOX) Act and Gramm-Leach-Bliley Act 4. COPPA and CIPA
Sarbanes Oxley (SOX) Act and Gramm-Leach-Bliley Act
Which of the following laws deal mostly with financial reporting and disclosure concerns? 1. Gramm-Leach-Bliley Act and COPPA 2. Sarbanes-Oxley Act and HIPAA 3. Sarbanes-Oxley Act and Gramm-Leach-Bliley Act 4. COPPA and CIPA
Sarbanes-Oxley Act and Gramm-Leach-Bliley Act
Which of the following is not true of SaaS, Cloud computing, and outsourcing? 1. Since the function is outsourced, the security issues are not important 2. A company has to rely upon the security arrangement of the outsourced provider 3. Despite contracts and MOUs, a company cannot be certain of who has access to their resources at the outsourced 4. Services and computing power could be provided from a less-than-desirable global area
Since the function is outsourced, the security issues are not important
HSPD-7 instructed government sector agencies to read out to the private sector for help with critical infrastructure security issues. True or False
True
Match the organizational aspects with the organizational size Small organizations medium organizarions large organizations very large organizations
Small organizations- tend to spend more, per capita, on security medium organizations- implement multi layer solutions but have insufficient staff to manage them large organizations- have 1,000-10,000 employees very large organizations- spend far less, per capita on security per user
Match the suppression method with how it works:
Soda, acid -- Removes fuel from fire Gas, halon or substitute -- Interferes with chemical reaction of elements of fire CO2 -- Removes oxygen from fire Water -- Reduces temperature of fire
HSPD-7 instructed government sectors agencies to reach out to the private sector for help with critical infrastructure security issues. True or False
True
Which of the following is not true regarding National Security Presidential Directive 54? 1. Supersedes OMB Circular A-130 2. Also known as Homeland Security Directive 23 3. Seeks to expand Cyber Education 4. Increases funding for IT security across the federal government
Supersedes OMB Circular A-130
SCADA stands for: 1. Security Control and Data Acquisition 2. Supervisory Control and Data Acquisition 3. Systems Control and Data Acquisition 4. Supervisory control and Device Acknowledgement
Supervisory Control and Data Acquisition
What 3 fundamental high-level countermeasures of Defense in Depth are all people-centric?
Technology, Operations and People
Which of the following are safeguards mentioned in the CNSS Security Model (aka the McCumber model)
Technology, Policy, and Education
What three fundamental high-level countermeasures of Defense in depth are all people-centric? 1. Technology, operations, and people 2. Threat, vulnerability, and countermeasure 3. Hardware, software, and firmware 4. Firewall, antivirus, and anti-spyware
Technology, operation, and people
Which of the following would not be determining factor in the design of a company's physical security program?
The value of real-estate prices in the surrounding areas
Hidden supply chains are those that exist behind a supplier that are not readily visible or obvious.
True
From a security perspective, Call Tracking or incident tracking systems are important because:
They keep the user appraised of the status and measures taken to resolve a problem
Which of the following would not be an important metric for measuring an organization's physical security risk?
Total number of times facilities was notified of burnt out lights.
A company outsourced a call center function but later brought it back in-house. This is an example of back sourcing.
True
A computer is the object of a crime if its integrity, confidentiality or availability is affected by a criminal activity.
True
A concern of an outsourced arrangements is that you can never be absolutely sure that are managing their business according to best practices or even maintain good security.
True
Access to restricted areas should be designed so that they are not easy to enter and are not obvious.
True
According to the Ponemon survey, the average amount of time to resolve a breach by a malicious insider is more than the time dealing with denial of service True or False
True
An electrical ground acts as a conduit for any excess current on a power line and helps ensure that devices are not negatively affected by a spike in electrical current.
True
An incident candidate is an event that is a possible security incident and is identified through a process of incident classification.
True
Approximately 80% of all spam mail is generated by botnets. True or False
True
Background checks should be conducted before extending, an offer to a potential employee despite the job level.
True
Backup tapes and media should be located in a separate area apart from normal IT operations
True
Buffer overflow attacks are the most targeted attack method for SCADA systems
True
CCTVs are best used in conjunction with other monitoring and intrusion alert methods.
True
Convergence is a results-oriented effort of cooperation between previously disjointed security functions
True
Convergence trends advocate creation a single point of contact responsible for security issues. This is typically a CSO.
True
Critical Infrastructures are the technical structures, physical and cyber, that support a society True or False
True
Which of the following would be a type of backup performed by the operations infrastructure support function?
User desktop backups
When should a Class C fire extinguisher be used instead of a Class A fir extinguisher?
When electrical equipment is on fire
Which best describes the act of bringing IT services back in-house?
back sourcing
Producing a counterfeit product that is intended to fail and produce delays or irrecoverable events is an example of:
disruption
The EU organization which provides information security guidance to its Member States is:
enisa
The European Union organization which provides information security guidance to Member States is:
enisa
What is the first step in identifying complex supply chain risks?
identify ecosystems
Which of the following is not a main component of CPTED?
target hardening
Which of the following would not be an example of a direct cost incurred by am organization of a data breach?
time employees spent on data breach notification