Software Security Ch4
________ often function as standards or procedures to be used when configuring or maintaining systems.
SysSPs
[___________]-specific security policies often function as standards or procedures to be used when configuring or maintaining systems.
Systems
[_____________] controls are information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets.
Technical
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.
accidental
It is good practice, however, for policy [___________] to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when making revisions to security policies.
administrator
A(n) [__________] is a detailed examination of the events that occurred from first detection to final recovery.
after-action review (AAR)
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident.
alert roster
[___________] management is the set of actions taken by an organization in response to an emergency to minimize injury or loss of life, preserve the organization's image and market share, and complement its disaster recovery and business continuity processes.
crisis
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.
electronic vaulting
A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
framework
A(n) [____________] site is a fully configured computer facility, with all services, communications links, and physical plant operations including heating and air conditioning.
hot
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."
management
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.
people
RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.
redundant
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years.
strategic
A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes __________.
All of the above
The ________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
EISP
________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
A(n) [________] is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster.
Mutual agreement
[___________] controls are information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.
Operational
_________ controls address personnel security, physical security, and the protection of production inputs and outputs.
Operational
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.
Redundancy
The goals of information security governance include all but which of the following?
Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
According to NIST SP 800-14's security principles, security should ________.
All of the above
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________.
All of the above
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?
All of these are BIA stages
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Defense in depth
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.
blueprint
A ____ site provides only rudimentary services and facilities.
cold
Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.
damage assessment
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.
de jure
Security __________ are the areas of trust within which users can freely communicate.
domains
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which is intended to allow organizations to __________.
identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
A(n) [_________] is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization.
incident