MIS 515 1st Try


As organizations grow in size, they become more efficient with information security and its governance.

False

Authorization validates the identity of an individual while Authentication defines the level of access. True or False

False

Backup technology and the media used to store backups are reliable enough that periodic testing of backups is really unnecessary.

False

Because cloud service providers have heightened security, databases housed in the cloud are not vulnerable to hackers. True or False

False

Both public and private companies are responsible for Sarbanes-Oxley compliance.

False

Business Disruption is actually viewed as a higher external consequence cost of cybercrime than information loss.

False

By industry, the retail sector currently suffers the highest cost per data breach record.

False

Carpets are a nice addition to equipment rooms because they lower the noise levels.

False

Cloud sourcing and Crowdsourcing are the same thing.

False

Cloud sourcing is a term that applies solely to public cloud providers

False

Cloud sourcing is not good for quick deployment of resources

False

Conducting forensic investigations is high on the majority of organization's budget list. True or False

False

Confidentiality, integrity and availability apply only to the storage and transmission of data

False

Containment of a cybercrime incident is seen as the most costly activity for an organization

False

Corporate governance is only concerned with internal issues of the corporation

False

Corporate technology operations do not have supply chains

False

Corporations and government agencies are required to comply with FISMA requirements

False

Countries that invest in infrastructure and IT are more likely to be candidates for insourcing.

False

IS is rarely at odds with IT within a corporation, and this is the primary reason why it is often positioned under IT.

False

IT governance is more about making and implementing decisions than about who makes the decisions.

False

If IT at higher education institutions is centralized, the number of necessary governance groups would drop significantly.

False

In the European Union, when the European Council issues a decision, it is considered directly applicable and "binding" to all Member States.

False

In the US, all states are governed by a federal breach notification requirement. True or False

False

Increased C-level support is considered the highest driving factor for improving information security posture.

False

Information Assurance is not concerned with provisions for restoration of information systems, only the protection of them.

False

Information Security is rarely at odds with Information Technology within a corporation, and this is the primary reason why it is often positioned under Information Technology.

False

Intellectual property records constitute the majority of records stolen in data breaches. True or False

False

It is estimated that only 25% of the U.S. critical infrastructure is covered by the private sector. True or False

False

It is not important that front-line help desk employees have security awareness. They can always route the call to someone who does.

False

It is not possible to taint computer hardware technology.

False

It takes longer to contain a data breach than to clearly identify one. True or False

False

Large organizations tend to spend more, per capita, on security than smaller organizations

False

MLS provides for storing and processing of information with a single level of sensitivity.

False

Mandatory Access Control gives users the flexibility to create policy and assign security attributes.

False

Most organizations are not required by law to take special precautions with personnel or customer information

False

Most organizations outsource their Information Security

False

Newly purchased systems must be sanitized before configuring and deploying.

False

Non-repudiation's goal is to provide disputable evidence that the source and the target of a process, transaction, or communication are validated and verified.

False

Most corporations allocate Information Security budgets as:

% of IT Budget

The cost and value of lost or stolen information represents the highest consequence cost for most organizations. True or False

True

The inability to hire and retain expert staff is a significant problem in the area of Cybersecurity

True

The main difference between laws and ethics is that ethics does not carry the sanction of a governing authority

True

The majority of data breaches are caused by outsiders or third parties.

True

The majority of physical supply chain threats incidents have internal company connections

True

Two benefits of improved information security governance are increased strategic alignment with organizational goals and improved risk management.

True

Vibration-based sensors are not good on fences because they create many false positives.

True

Which of the following would not be considered an administrative function of operational security?

Upgrading the firmware of a network switch

Discretionary Access Control is managed centrally by a security policy administrator and users do not have the ability to override security settings.

False

Operational security staff generally never concern themselves with malfunctioning HVAC, lighting or cipher locks. These are viewed as facilities issues.

False

Outsource arrangements should produce a net benefit for the organization, but it is not possible to select one whose capabilities complement the organization's capabilities.

False

Patch management, while important, is not a priority item for security management teams. True or False

False

Per record data breach costs have increased dramatically since 2018. True or False

False

Public Law regulates the relationship among individuals and among individuals and organizations and encompasses family law, commercial law, and labor law.

False

Recovery, Containment and Business Disruptions are representative of internal cost activities of an organization following a breach. True or False

False

SSAE stands for Safeguarding Supply chains for Attestation Engagements

False

Scheduled and unscheduled downtime are not considered potential problems with availability from an information assurance perspective.

False

Security metrics and future planning are minimally affected by poor operations security

False

Small and medium businesses, in a supply chain, are generally too insignificant and do not have the payoff sought by a disrupter. True or False

False

Social networking forums, like Facebook, do not represent problems for organizations so long as the employee does not engage in their usage while at work. True or False

False

Sourcing is an old business concept of using temp agencies and is rarely done today

False

Space under raised floors can and should be used for power, data, cables, and important or applicable storage or magnetic tapes.

False

Studies show that breaches only affect confidentiality and do not affect integrity or availability. True or False

False

System and media declassification and downgrading is not an issue, since there is little to no chance that someone might extract sensitive information from an old system or drive. True or False

False

The Biba access control model defines protection focused on confidentiality of information, whereas the Bell-LaPadula access control model defines protection of information integrity. True or False

False

The USA Patriot Act stands for the United States of America Protection Against Terrorist, Retaliation, Interception and Obstruction of Technology.

False

The concept of "least privilege" is only applied to new employees

False

The cyber attack known as Titan Rain was carried out in 2007 when Russia used cyber technology to cripple elements of Estonia's technology infrastructure. True or False

False

The definition of "personal information" is much more narrow in the European Union than it is in the United States.

False

The definition of personal information is much more narrow in the EU than in the US.

False

The indirect labor of cyber crime costs is always more expensive than the direct labor component. True or False

False

The internal cost of containing a breach is the highest cost activity for most organizations

False

The loss of customer confidence, as a result of a data breach, is not a great concern for organizations. True or False

False

The main feature of Advanced Persistent Threats (or APT) is the constant denial of service attacks they incur.

False

The most alarming trend in SCADA systems is the continued use of older control and collection systems based on DOS, VMS, and UNIX.

False

Today's backup media is robust and does not require special environmental controls.

False

Under the EU "Cookie Law", providers are NOT generally required to secure viewers' consent prior to forming and storing an internet browser cookie.

False

Unethical behavior is best handled solely through deterrence consisting of education and policies without direct consequences.

False

If an employee, acting with or without authorization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable.

True

In the European Union, when the European Council issues a Regulation, it is considered directly applicable and "binding" to all Member States.

True

Information Assurance attempts to infuse greater accountability, training and awareness into information security practices.

True

Information Security budgets are often-times a percentage of the Information Technology budget. True or False

True

Insourcing is generally considered the opposite of outsourcing

True

Integration of 3rd parties into internal networks and applications is seen as a growing organizational risk.

True

It is advisable to systematically start up a series of servers so as to avoid a high surge of current known as an in-rush current.

True

Job rotation is a tool that requires every employee to be able to perform the work of at least one other employee.

True

Lost business costs are generally higher than detection and escalation costs of a data breach. True or False

True

Low humidity in an area with electronic devices can cause static electricity which could damage components if discharged. Excessive humidity could cause corrosion.

True

Malicious code insertion into a software or firmware product is an example of tainting.

True

Many companies are still distrustful of the security of cloud service providers.

True

Most data breaches are the result of malicious attacks. True or False

True

On a per record basis, indirect costs of a data breach incident are greater than direct costs.

True

Operational Security is focused more on the daily security tasks rather than actual evaluation of security metrics or security planning activities.

True

Organizations concerned with budgeting for improved access management are concerned with provisioning and de-provisioning of user accounts. True or False

True

Owning a data center in a foreign land is an example of offshoring.

True

PDD-63 was the first presidential directive to recognize critical infrastructure as both physical and cyber-based. True or False

True

Positive air flow pressurization keeps the air flowing outward from an area when doors are opened, so that unwanted air does not flow back into the area.

True

Power flow can be disrupted by electromagnetic and radio frequency emissions.

True

Private clouds can be hosted on premise or off premise.

True

Residual risk is the potential risk (or loss) that remains after threats and vulnerabilities are matched with controls to reduce risk.

True

Security awareness and security related issues should be reflected as a component of an employee's performance appraisal to raise their awareness and reflect the seriousness of security issues.

True

Security is all about the management and control of risk. True or False

True

Security is all about the management and control of risk.

True

Separation of duties was an important part of early castle layered defense mechanisms. True or False

True

Site accessibility is important with regards to the ability and expectations of assistance from law enforcement, ambulances, or fire truck response times.

True

Software can contain undocumented back door access.

True

Supply chains encompass the processes necessary to get a good or service from the supplier to the customer.

True

The Common Criteria is a framework by which users can specify security requirements and have vendors implement the requirements. The validation of a vendor meeting these requirements is derived after extensive testing and, if successful, certification.

True

The EU Data Retention legislation (Directive 2006/24/EC) is intended to help provide law enforcement and authorized investigative institutions with access to internet service provider logs and records.

True

The EU E-Privacy Directive 2002/58/EC deals only with public communication service providers.

True

During the COVID-19 pandemic, employees were required to work remotely. This was an easy move for many organizations because employee home systems were typically well equipped with all the proper security protection mechanisms. True or False

False

Excessive humidity in an area with electronic devices can cause static electricity which could damage components if discharged.

False

Executive Order 13636 is primarily concerned with the creation of a situational awareness capability for only the cyber aspects of critical infrastructure.

False

Which of the following is a coordinated effort, between government and the private sector, to establish a knowledge base for information sharing related to critical infrastructure concerns?

INFRAGARD - INFRAGARD is managed by the FBI as an information sharing and analysis effort regarding critical infrastructure issues.

What is a mantrap?

A double-door facility used for physical access control

For potential employees, it is generally a good idea to reflect security access information on job descriptions, in interviews and in site tours.

False

An equipment fan becomes clogged with dust and lint. Although the room is cool, the machine overheats internally and fails. What information assurance pillar is involved in the failure?

Availability

Which of the following is the most representative of the INFOSEC process?

Access, Plan, Implement, Monitor, Update

Which of the following are valid reasons for an information security professional to possess a rudimentary grasp of IS-related laws?

All of the above (1. More effectively plan organizational security, 2. Help mitigate an organization's legal risks, 3. Assist in planning awareness training, 4. Help the organization avoid embarrassing security situations)

The Department of Homeland Security C3 program focuses on which of the following areas of critical infrastructure participants?

All of the above (Convergence, Connection, Coordination)

Which of the following presents constant challenges to the success of operational security?

All of the above (High-level support, Documented procedures, Size of security staff, Degree of staff overlap)

Organizations must deal efficiently with which of the following Information Assurance issues:

All of the above (IT and Security Governance, Disaster recovery, Compliance, Business Continuity)

Which of the following is not an item of importance for IS governance? 1. Reduce liability 2. Policy compliance 3. Optimize security resources 4. Safeguard information 5. All of the above

All of the above (Reduce liability, policy compliance, Optimize security resources, safeguard information)

Which of the following is not a pillar of information assurance? 1. Integrity 2. Non-Repudiation 3. Availability 4. Authentication 5. Confidentiality 6. All of the above are pillars of IA 7. None of the above are pillars of IA

All of the above are pillars of IA

Which of the following is NOT a step of the Department of Defense Information Assurance certification and Accreditation Process?

All of the above are steps of DIACAP: Security Process Initialization, Security certification, Security Accreditation, Monitoring

Which of the following is an example of the manifestation of the espionage threat in supply chains? 1. Alteration of software to allow unauthorized control 2. The use of intellectual property for monetary gain 3. The unauthorized duplication of a finished good 4. All of the above

All of the above: (Alteration of software to allow unauthorized control, The use of intellectual property for monetary gain, The unauthorized duplication of a finished good)

Which of the following would be a surrounding area influence in site selection?

All of the above: (Crime rate, Proximity to medical or hospital facilities, Riots or terrorism, Potentially hazardous neighboring facilities)

Which of the following is not an element of concern for desktop configuration management?

All of the above: (Disk drive sanitization before redeployment, End user machine backup before sanitization, Ensuring the machine is installed with the correct software, Limiting administrative privileges)

Which of the following would not represent an event type that would indicate an incident is occurring?

All of the above: (Loss of integrity, Loss of availability, Loss of confidentiality, Violation of Law)

Which of the following is an important question to ask regarding infrastructure backups? 1. Where are the backups stored? 2. Who has access to the backups? 3. Who is responsible for the backups? 4. Are the backups procedures and schedules well documented 5. All of the above

All of the above: (Where are the backups stored?, Who has access to the backups?, Who is responsible for the backups?, Are the backups procedures and schedules well documented?)

Which of the following information security characteristics MOST applies to SCADA systems?

Availability

Match the governance style with its description: Anarchy, Federal, IT Duopoly, Feudal, IT Monarchy, Business Monarchy

Anarchy - individual process owners have decision rights
Federal - rights shared by C-suite executive and at least one other group
IT Duopoly - IT executive and other business leaders share rights
Feudal - unit leaders have decision rights locally
IT Monarchy - IT executive has decision rights
Business Monarchy - executive leadership has decision rights

Which of the following are among the top 3 current spending priorities for organizations with regards to technology and security?

Application Security, Cloud Security, Data Security

When a company rents the use of an application to a customer, this is:

Application Service Provider

Which of the following is most representative of the INFOSEC process? 1. Assess, Monitor, Implement, Update, Plan 2. Monitor, Implement, Plan, Assess, Update 3. Plan, Assess, Monitor, Update, Implement 4. Assess, Plan, Implement, Monitor, Update

Assess, Plan, Implement, Monitor, Update

Which of the following is not a pillar of Information Assurance? 1. Integrity 2. Authentication 3. Authorization 4. Confidentiality 5. Non-Repudiation

Authorization

High security controls are designed to impede, detect, assess, and neutralize.

False

Match the governance style with its description:

Business Monarchy -- Executive leadership has decision rights
IT Monarchy -- IT executive has decision rights
Federal -- Rights shared by "C-level" executives and at least one other group
Feudal -- Unit leaders have decision rights locally
IT Duopoly -- IT executive and other business leaders share rights
Anarchy -- Individual process owners have decision rights

An outsourced customer call center is an example of which type of outsourcing?

Business Process

Hiring qualified information security personnel is not a major concern of organizations since there is an abundance of those possessing the skill sets. True or False

False

Which of the following directives was instrumental in instructing all Federal Agencies to fund, develop and implement Information Assurance training and awareness?

CNSS Directive 500

Which of the following most accurately depicts the traditional government path to INFOSEC?

COMSEC + COMPUSEC + TEMPEST = INFOSEC

In theory, which of the following acquisition types offers lower cost and quicker deployment YET offers the least control and higher risk of potential vulnerabilities? 1. MOTS 2. COTS 3. NOTS 4. GOTS

COTS

Which of the following is not a drawback of intrusion detection and monitoring systems?

Cannot be penetrated

Which of the following would not be a possible incident indicator?

Changes to logs; Log changes are an example of a definite indicator

Which of the following would NOT be consistent with a computer being incidental to a crime?

Computer was used to attack another computer

From the policy pyramid, correctly match the entities with the things they create: Congress, Executive, Government Agencies, Department of Defense, Army/Navy/USMC/AF

Congress - Public Law
Executive - Federal Government Policy
Government Agencies - Guidelines, Publications, Standards
Department of Defense - Policy and Directives
Army, Navy, USMC, AF - Agency Specific Policy and Directives

Which of the following would not be considered a cybercrime category as discussed in this module? 1. Criminal activities involving or against individuals 2. Criminal activities against property 3. Criminal Activities against government 4. Criminal activities against animals

Criminal activities against animals

Which of the following would not be considered a crime targeting a computer device network? 1. Cyber stalking 2. Malicious code 3. Denial of service 4. Viruses

Cyber Stalking

Human error accounts for the majority of data breach causes. True or False

False

According to the Ponemon survey, the average amount of time to resolve a breach by a malicious insider in 2017 was 41 days.

False

All unethical behavior is conducted with intent.

False

Which of the following are among the top 3 current spending priorities for organizations with regards to technology and security?

Data warehousing, Security privacy, and cloud applications & infrastructure

Which of the following word combinations best describe IT governance? 1. Assessing, planning, implementing 2. Decision rights, accountability, behavior 3. Legislation, compliance, risk 4. Budget, machines, people

Decision rights, accountability, behavior

Match the following designations with their descriptions

Definers -- Provide policies, guidelines, and standards
Builders -- Provide and install the technical solutions
Operators -- Provide operational and monitoring support

Which of the following represent the highest internal cost activity of a breach?

Discovery/Detection and Containment

How does Halon suppress a fire?

Disrupts the chemical reaction of a fire

Which of the following is intended to provide individuals' protection and privacy when personal information is collected and held by Member State institutions? 1. EU Regulation 45/2001 2. PCI/DSS 3. Directive 2002/58/EC 4. Directive 2006/24/EC

EU Regulation 45/2001

A computer is the object of a crime when it is used to conduct online gambling. True or False

False

A system high security mode is more restrictive than a dedicated security mode

False

Vendors or maintenance contractors can always be trusted since they are under contractual obligation. Accounts set up for vendor diagnostic access should remain open so the vendor can assist, at any time, with problems.

False

While malicious insider abuse may happen with great frequency, the cost borne by an organization for such cybercrime is relatively low.

False

With regards to data breach costs, indirect costs are generally higher than direct costs. True or False

False

Without a question, the larger the organization, the larger the percentage of revenues allocated to the IT budget. True or False

False

COMSEC stands for Common Security.

False, it stands for Communications Security

Security CPR refers to an emphasis on common algorithms, proactivity, and reactive perimeter controls.

False- CPR stands for Compliance, Protection, Recovery

Which is not an example of a digital operational supply chain?

FedEx delivery service

Match the following legislation with the descriptions: Federal Privacy Act, Electronic Communications Privacy Act, US Copyright Law, Freedom of Information Act

Federal Privacy Act - Regulates government use of private information
Electronic Communications Privacy Act - Regulates unauthorized interception of electronic and oral communications
US Copyright Law - Protects intellectual property
Freedom of Information Act - Allows citizens to see what personal info government agencies are maintaining on them

Which of the following is NOT true regarding NSDD 145? 1. Responsible for the formation of the NTISSC which later became NSTISSC 2. First large-scale national security policy enacted by Congress 3. Failed to produce adequate results due to changing technology and threats 4. Ordered in 1984 5. Established a national Policy on Telecommunications and Automated Systems Security.

First large-scale national security policy enacted by Congress

Which of the following is not a recommended secure way to dispose of disk drives?

Format the disk drive prior to disposal or redeployment

Match the instrument with its description:

G8 Points of Contact -- Attempts to provide 24x7 POCs to assist in cyber crime issues
Security and Freedom through Encryption Act -- Prohibits federal government from requiring the use of encryption on official documents
Letter Rogatory -- A diplomatic letter of request for assistance to another country
Mutual Legal Assistance Treaty -- Bilateral treaties that establish crime investigation cooperation
Digital Millennium Copyright Act -- Attempts to protect private or trademark information internationally

Which of the following types of software acquisitions typically involve development, by a technical staff, from a government agency? 1. GOTS 2. COTS 3. NOTS 4. MOTS

GOTS

Match the statements with the corresponding laws: Federal Information Security Management Act, Computer Fraud and Abuse Act, USA Patriot Act, Computer Security Act, Identity Theft Enforcement and Restitution Act

Identity Theft Enforcement and Restitution Act -- Considers threats to steal information as a crime
USA Patriot Act -- Laundering actions to defend against terrorism
Computer Security Act -- Required mandatory security awareness training at the federal level
Federal Information Security Management Act -- Requires government agencies to assess the information security risks of their computer systems
Computer Fraud and Abuse Act -- Considers unauthorized access to national security data as a crime

Match the following with descriptions: HIPAA, SOX, GLB, Fair and Accurate Credit Transaction Act

HIPAA - Protects healthcare data
SOX - CEO & CFO responsible for accurate reporting
GLB - Financial institutions must disclose their privacy policies
Fair and Accurate Credit Transaction Act - Requires measures to dispose of sensitive information

From the 2018 analysis, which of the following industries has the highest customer churn rate caused by data breaches?

Health

Which of the following industries has the highest customer churn rate caused by data breaches?

Health

Which of the following is NOT true regarding the Gramm-Leach-Bliley Act? 1. Holds organization CEOs personally responsible 2. Applies to banks, security firms, and insurance companies 3. Requires financial institutions to disclose their privacy policies 4. Affects anyone who extends credit to consumers 5. Requires that organizations perform security risk assessments, testing, and monitoring.

Holds organization CEOs personally responsible

Which of the following is not a reason why IT governance is important? 1. IT value is all about technology 2. IT is expensive 3. IT is pervasive 4. Important for organization to understand IT value 5. Upper management has limited bandwidth

IT value is all about technology

The help desk and customer support function should be tied closely to which of the following?

Incident Response Plans

Which of the following best describes a closed-loop HVAC system?

Inside air is re-circulated and re-filtered constantly to keep outside air contaminants out as much as possible.

If an access control has a fail-safe characteristic but not a fail-secure characteristic, what does it mean?

It defaults to being unlocked

Which of the following is the most pressing problem with FISMA? 1. It is a trailing indicator and not a leading indicator and thus does not help with real-time security issues 2. It requires a great deal of resources to be compliant 3. It is paper-compliance intensive 4. Too many agencies are reporting weakness in compliance areas

It is a trailing indicator and not a leading indicator and thus does not help with real-time security issues

Which of the following would be considered a breach of integrity?

John used SQL Injection techniques to change values in the database

Why is it important to clean keypad based locks from a security perspective?

Keeps intruders from discovering code patterns

Which of the following is NOT a human factor of concern to information security professionals?

Lack of business knowledgeable leadership

What overarching concept does the castle example provide with regards to information security?

Layered defenses

Which of the following security modes of operation requires a minimum clearance level of not-cleared and a maximum data classification level of unclassified but sensitive? 1. Compartmented 2. Dedicated 3. System High 4. Limited 5. Multilevel Security 6. Partitioned

Limited

Which of the following is not a claim of Cloud sourcing?

Moderate availability

Executive Order 13231 superseded NSDD 145 and was responsible for the creation of the President's Critical Infrastructure Protection Board as well as the formalization of CNSS. True or False

True

Which of the following are applicable to a hostile departure for a terminated employee?

Obtain all keys, key cards, and other organizational assets before the individual leaves the premises
Terminate or disable access codes and logins prior to giving the employee termination notice
Inventory and monitor access logs surrounding the termination time
Conduct an exit interview with the employee

FISMA required Federal government agencies to provide security protection proportionate to the risk.

True

Match the following regarding the 6 P's of Information Security: Planning, Policy, Programs, Protection, People, Project Management

Planning - Support, design, create, and implement
Policy - Behavior guidelines
Programs - Entities managed in the information security domain
Protection - Risk assessment
People - Security personnel and personnel security, training and awareness (SETA)
Project Management - Allows decision makers to control resource allocation and ROI

Financial motivation still dominates actor intentions in most data breach incidents. True or False

True

For contract employees, service level agreements or contracts should explicitly address issues of visit or cancellation notice as well as any background checks required.

True

Which of the following fire suppression systems is more appropriate for use in a data center?

Pre-Action sprinkler systems

Match the decision domain with its description: Principles, Architecture, Infrastructure, Application Needs, Investment and Prioritization

Principles - How IT adds business value
Architecture - Choices that satisfy business needs
Infrastructure - Sharing and standardization of IT
Application Needs - Outsource or develop internally
Investment and Prioritization - What to fund and how to fund it

Which of the following is not an information security spending priority area?

Projection

Which of the following are true with respect to HIPAA?

Protects the confidentiality of health care data
Establishes standards for electronic interchange and handling of health care data
Requires organizations to conduct comprehensive assessments of information protection mechanisms

Which of the following is not a goal of IS governance?
1. Provide policy
2. Provide standards and guidance
3. Provide strategic linkage
4. Provide specific security equipment purchase information

Provide specific security equipment purchase information

Which of the following is NOT true about the Computer Fraud and Abuse Act of 1986?
1. Provided the cornerstone of computer-related federal laws
2. Was amended by the National Infrastructure Protection Act of 1996
3. Was modified by the USA PATRIOT Act
4. Provided roving surveillance authority
5. Used in the conviction related to the Morris Worm

Provided roving surveillance authority

Which of the following is NOT true regarding the Computer Fraud and Abuse Act of 1986?
1. Provided the cornerstone of computer-related federal laws
2. Was amended by the National Infrastructure Protection Act of 1996
3. Was modified by the USA PATRIOT Act
4. Provided roving surveillance authority
5. Used in the conviction related to the Morris Worm

Provided roving surveillance authority

Which of the following is not a specific requirement of FISMA?
1. Required to designate an ISO to manage the FISMA process
2. Required to provide information security awareness training
3. Required to use independent auditors to review compliance results
4. Required to coordinate all security activity with the Department of Defense
5. None of the above

Required to coordinate all security activity with the Department of Defense

Which of the following is not a specific requirement of FISMA as covered in this module?
1. Required to designate an ISO to manage the FISMA process
2. Required to provide information security awareness training
3. Required to use independent auditors to review compliance results
4. Required to coordinate all security activity with the Department of Defense
5. None of the above

Required to coordinate all security activity with the Department of Defense

Which of the following laws deal mostly with financial reporting and disclosure concerns?
1. Gramm-Leach-Bliley Act and COPPA
2. Sarbanes-Oxley Act and HIPAA
3. Sarbanes-Oxley (SOX) Act and Gramm-Leach-Bliley Act
4. COPPA and CIPA

Sarbanes Oxley (SOX) Act and Gramm-Leach-Bliley Act

Which of the following laws deal mostly with financial reporting and disclosure concerns?
1. Gramm-Leach-Bliley Act and COPPA
2. Sarbanes-Oxley Act and HIPAA
3. Sarbanes-Oxley Act and Gramm-Leach-Bliley Act
4. COPPA and CIPA

Sarbanes-Oxley Act and Gramm-Leach-Bliley Act

Which of the following is not true of SaaS, cloud computing, and outsourcing?
1. Since the function is outsourced, the security issues are not important
2. A company has to rely upon the security arrangements of the outsourced provider
3. Despite contracts and MOUs, a company cannot be certain of who has access to their resources at the outsourced provider
4. Services and computing power could be provided from a less-than-desirable global area

Since the function is outsourced, the security issues are not important

HSPD-7 instructed government sector agencies to reach out to the private sector for help with critical infrastructure security issues. True or False

True

Match the organizational aspects with the organizational size: small organizations, medium organizations, large organizations, very large organizations

Small organizations - Tend to spend more, per capita, on security
Medium organizations - Implement multi-layer solutions but have insufficient staff to manage them
Large organizations - Have 1,000-10,000 employees
Very large organizations - Spend far less, per capita, on security per user

Match the suppression method with how it works:

Soda, acid -- Removes fuel from fire
Gas, halon or substitute -- Interferes with chemical reaction of elements of fire
CO2 -- Removes oxygen from fire
Water -- Reduces temperature of fire

HSPD-7 instructed government sector agencies to reach out to the private sector for help with critical infrastructure security issues. True or False

True

Which of the following is not true regarding National Security Presidential Directive 54?
1. Supersedes OMB Circular A-130
2. Also known as Homeland Security Directive 23
3. Seeks to expand cyber education
4. Increases funding for IT security across the federal government

Supersedes OMB Circular A-130

SCADA stands for:
1. Security Control and Data Acquisition
2. Supervisory Control and Data Acquisition
3. Systems Control and Data Acquisition
4. Supervisory Control and Device Acknowledgement

Supervisory Control and Data Acquisition

What 3 fundamental high-level countermeasures of Defense in Depth are all people-centric?

Technology, Operations and People

Which of the following are safeguards mentioned in the CNSS Security Model (aka the McCumber model)?

Technology, Policy, and Education

What three fundamental high-level countermeasures of Defense in Depth are all people-centric?
1. Technology, operations, and people
2. Threat, vulnerability, and countermeasure
3. Hardware, software, and firmware
4. Firewall, antivirus, and anti-spyware

Technology, operation, and people

Which of the following would not be a determining factor in the design of a company's physical security program?

The value of real-estate prices in the surrounding areas

Hidden supply chains are those that exist behind a supplier and are not readily visible or obvious. True or False

True

From a security perspective, call tracking or incident tracking systems are important because:

They keep the user apprised of the status and measures taken to resolve a problem

Which of the following would not be an important metric for measuring an organization's physical security risk?

Total number of times facilities was notified of burnt-out lights

A company outsourced a call center function but later brought it back in-house. This is an example of backsourcing. True or False

True

A computer is the object of a crime if its integrity, confidentiality or availability is affected by a criminal activity. True or False

True

A concern with outsourced arrangements is that you can never be absolutely sure that the provider is managing their business according to best practices or even maintaining good security. True or False

True

Access to restricted areas should be designed so that the areas are not easy to enter and are not obvious. True or False

True

According to the Ponemon survey, the average amount of time to resolve a breach by a malicious insider is greater than the time spent dealing with a denial of service. True or False

True

An electrical ground acts as a conduit for any excess current on a power line and helps ensure that devices are not negatively affected by a spike in electrical current. True or False

True

An incident candidate is an event that is a possible security incident and is identified through a process of incident classification. True or False

True

Approximately 80% of all spam mail is generated by botnets. True or False

True

Background checks should be conducted before extending an offer to a potential employee, regardless of the job level. True or False

True

Backup tapes and media should be located in a separate area apart from normal IT operations. True or False

True

Buffer overflow attacks are the most targeted attack method for SCADA systems. True or False

True

CCTVs are best used in conjunction with other monitoring and intrusion alert methods. True or False

True

Convergence is a results-oriented effort of cooperation between previously disjointed security functions. True or False

True

Convergence trends advocate the creation of a single point of contact responsible for security issues. This is typically a CSO. True or False

True

Critical infrastructures are the technical structures, physical and cyber, that support a society. True or False

True

Which of the following would be a type of backup performed by the operations infrastructure support function?

User desktop backups

When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?

When electrical equipment is on fire

Which best describes the act of bringing IT services back in-house?

Backsourcing

Producing a counterfeit product that is intended to fail and produce delays or irrecoverable events is an example of:

Disruption

The EU organization which provides information security guidance to its Member States is:

ENISA

The European Union organization which provides information security guidance to Member States is:

ENISA

What is the first step in identifying complex supply chain risks?

Identify ecosystems

Which of the following is not a main component of CPTED?

Target hardening

Which of the following would not be an example of a direct cost incurred by an organization from a data breach?

Time employees spent on data breach notification
