SPM.

What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication

accountability

In which phase of the SecSDLC does the risk management task occur? a. physical design b. implementation c. investigation d. analysis

analysis

Which of the following is not a step in the FAIR risk management framework? a. identify scenario components b. evaluate loss event frequency c. assess control impact d. derive and articulate risk

assess control impact

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process? a. accountability b. authorization c. identification d. authentication

authentication

According to the C.I.A. triad, which of the following is a desirable characteristic for computer security? a. accountability b. availability c. authorization d. authentication

availability

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls? a. brute force b. DoS c. back door d. hoax

back door

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. a. (ISC)2 b. ACM c. SANS d. ISACA

(ISC)2

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____ on a development team. a. champion b. end user c. team leader d. policy developer

champion

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community? a. utilitarian b. virtue c. fairness or justice d. common good

common good

Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? a. feasibility analysis b. asset valuation c. cost avoidance d. cost-benefit analysis

cost avoidance

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? a. cost-benefit analysis b. exposure factor c. single loss expectancy d. annualized rate of occurrence

cost-benefit analysis

Which of the following should be included in an InfoSec governance program? a. An InfoSec development methodology b. An InfoSec risk management methodology c. An InfoSec project management assessment from an outside consultant d. All of these are components of the InfoSec governance program

An InfoSec risk management methodology

When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the _______. a. Board Risk Committee b. Board Finance Committee c. Board Audit Committee d. Chairman of the Board

Board Risk Committee

Which of the following is NOT a step in the problem-solving process? a. Select, implement and evaluate a solution b. Analyze and compare possible solutions c. Build support among management for the candidate solution d. Gather facts and make assumptions

Build support among management for the candidate solution

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information? a. Integrity b. Availability c. Authentication d. Confidentiality

Confidentiality

Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? a. U.S. Copyright Law b. PCI DSS c. European Council Cybercrime Convention d. DMCA

DMCA

In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result? a. OCTAVE b. FAIR c. Hybrid Measures d. Delphi

Delphi

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics? a. Applied ethics b. Meta-ethics c. Normative ethics d. Deontological ethics

Deontological ethics

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right? a. Applied ethics b. Descriptive ethics c. Normative ethics d. Deontological ethics

Descriptive ethics

The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? a. Determined the level of risk posed to the information asset b. Performed a thorough cost-benefit analysis c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability

Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset

Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP

EISP

According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? a. Initiating b. Establishing c. Acting d. Learning

Establishing

Which of the following is not among the 'deadly sins of software security'? a. Extortion sins b. Implementation sins c. Web application sins d. Networking sins

Extortion sins

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following? a. For purposes of commercial advantage b. For private financial gain c. For political advantage d. In furtherance of a criminal act

For political advantage

ISO 27014:2013 is the ISO 27000 series standard for ______. a. Governance of Information Security b. Information Security Management c. Risk Management d. Policy Management

Governance of Information Security

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them? a. ECPA b. Sarbanes-Oxley c. HIPAA d. Gramm-Leach-Bliley

HIPAA

Which law addresses privacy and security concerns associated with the electronic transmission of PHI? a. USA Patriot Act of 2001 b. American Recovery and Reinvestment Act c. Health Information Technology for Economic and Clinical Health Act d. National Information Infrastructure Protection Act of 1996

Health Information Technology for Economic and Clinical Health Act

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices? a. Hold regular meetings with the CIO to discuss tactical InfoSec planning b. Assign InfoSec to a key committee and ensure adequate support for that committee c. Ensure the effectiveness of the corporation's InfoSec policy through review and approval d. Identify InfoSec leaders, hold them accountable, and ensure support for them

Hold regular meetings with the CIO to discuss tactical InfoSec planning

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. a. data owners b. data custodians c. data users d. data generators

data owners

Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as _______. a. data owners b. data custodians c. data users d. data generators

data users

Application of training and education is a common method of which risk control strategy? a. mitigation b. defense c. acceptance d. transferal

defense

Which type of attack involves sending a large number of connection or information requests to a target? a. malicious code b. denial-of-service (DoS) c. brute force d. spear fishing

denial-of-service (DoS)

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls. a. remediation b. deterrence c. persecution d. rehabilitation

deterrence

A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. a. denial-of-service b. distributed denial-of-service c. virus d. spam

distributed denial-of-service

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed? a. probability calculation b. documented control strategy c. risk acceptance plan d. mitigation plan

documented control strategy

Human error or failure often can be prevented with training, ongoing awareness activities, and ______ a. threats b. education c. hugs d. paperwork

education

A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________. a. enterprise risk management. b. joint application design c. security policy review d. disaster recovery planning

enterprise risk management.

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? a. conducting decision support b. implementing controls c. evaluating alternative strategies d. measuring program effectiveness

evaluating alternative strategies

A short-term interruption in electrical power availability is known as a ____. a. fault b. brownout c. blackout d. lag

fault

One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. a. hacktivist b. phreak c. hackcyber d. cyberhack

hacktivist

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. a. chief information security officer b. security technician c. security manager d. chief technology officer

hief information security officer

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus _____. a. false alarms b. polymorphisms c. hoaxes d. urban legends

hoaxes

Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach? a. incident response plan b. business continuity plan c. disaster recovery plan d. damage control plan

incident response plan

The NIST risk management approach includes all but which of the following elements? a. inform b. assess c. frame d. respond

inform

Which of the following is an element of the enterprise information security policy? a. access control lists b. information on the structure of the InfoSec organization c. articulation of the organization's SDLC methodology d. indemnification of the organization against liability

information on the structure of the InfoSec organization

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? a. issue-specific b. enterprise information c. system-specific d. user-specific

issue-specific

Any court can impose its authority over an individual or organization if it can establish which of the following? a. jurisprudence b. jurisdiction c. liability d. sovereignty

jurisdiction

Which of the following affects the cost of a control? a. liability insurance b. CBA report c. asset resale d. maintenance

maintenance

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. ignorance b. malice c. accident d. intent

malice

In the ______ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. a. zombie-in-the-middle b. sniff-in-the-middle c. server-in-the-middle d. man-in-the-middle

man-in-the-middle

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a. system controls b. technical controls c. operational controls d. managerial controls

managerial controls

Communications security involves the protection of which of the following? a. radio handsets b. people, physical assets c. the IT department d. media, technology, and content

media, technology, and content

Which of the following explicitly declares the business of the organization and its intended areas of operations? a. vision statement b. values statement c. mission statement d. business statement

mission statement

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? a. acceptance b. avoidance c. transference d. mitigation

mitigation

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk? a. analysis and adjustment b. review and reapplication c. monitoring and measurement d. evaluation and funding

monitoring and measurement

Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success? a. software engineering b. joint application design c. sequence-driven policies d. event-driven procedures

oint application design

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? a. organization b. planning c. controlling d. leading

organization

A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization

penetration testing

Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program? a. protection b. people c. projects d. policy

people

Which of the following is NOT a primary function of Information Security Management? a. planning b. protection c. projects d. performance

performance

Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives? a. leading b. controlling c. organizing d. planning

planning

Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. planning b. policy c. programs d. people

policy

Which of the following is NOT one of the basic rules that must be followed when shaping a policy? a. policy should never conflict with law b. policy must be able to stand up in court if challenged c. policy should be agreed upon by all employees and management d. policy must be properly supported and administered

policy should be agreed upon by all employees and management

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest. a. organizational feasibility b. political feasibility c. technical feasibility d. operational feasibility

political feasibility

Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. tort b. criminal c. private d. public

private

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? a. qualitative assessment of many risk components b. quantitative valuation of safeguards c. subjective prioritization of controls d. risk analysis estimates

qualitative assessment of many risk components

Which of the following is compensation for a wrong committed by an employee acting with or without authorization? a. liability b. restitution c. due diligence d. jurisdiction

restitution

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. residual risk b. risk appetite c. risk assurance d. risk termination

risk appetite

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? a. risk assessment b. risk treatment c. risk communication d. risk determination

risk determination

Which of the following is NOT an alternative to using CBA to justify risk controls? a. benchmarking b. due care and due diligence c. selective risk avoidance d. the gold standard

selective risk avoidance

By multiplying the asset value by the exposure factor, you can calculate which of the following? a. annualized cost of the safeguard b. single loss expectancy c. value to adversaries d. annualized loss expectancy

single loss expectancy

"4-1-9" fraud is an example of a ______ attack. a. social engineering b. virus c. worm d. spam

social engineering

Which type of document is a more detailed statement of what must be done to comply with a policy? a. procedure b. standard c. guideline d. practice

standard

Which type of planning is the primary tool in determining the long-term direction taken by an organization? a. strategic b. tactical c. operational d. managerial

strategic

Which level of planning breaks down each applicable strategic goal into a series of incremental objectives? a. strategic b. operational c. organizational d. tactical

tactical

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________. a. champion b. end user c. team leader d. policy developer

team leader

An example of a stakeholder of a company includes all of the following except: a. employees b. the general public c. stockholders d. management

the general public

In addition to specifying the penalties for unacceptable behavior, what else must a policy specify? a. appeals process b. legal recourse c. what must be done to comply d. the proper operation of equipment

the proper operation of equipment

Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point? a. modular continuous b. elementary cyclical c. time-boxed circular d. traditional waterfall

traditional waterfall

Acts of ______ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter a. bypass b. theft c. trespass d. security

trespass

Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process c. utilizes the technical expertise of the individual administrators d. coordinated planning from upper management

utilizes the technical expertise of the individual administrators

The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization

vulnerability assessment

Blackmail threat of informational disclosure is an example of which threat category? a. Espionage or trespass b. Information extortion c. Sabotage or vandalism d. Compromises of intellectual property

Information extortion

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? a. Initiating b. Establishing c. Acting d. Learning

Initiating

What is the first phase of the SecSDLC? a. analysis b. investigation c. logical design d. physical design

Investigation

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications? a. The Electronic Communications Privacy Act of 1986 b. The Telecommunications Deregulation and Competition Act of 1996 c. National Information Infrastructure Protection Act of 1996 d. Federal Privacy Act of 1974

National Information Infrastructure Protection Act of 1996

Which type of planning is used to organize the ongoing, day-to-day performance of tasks? a. Strategic b. Tactical c. Organizational d. Operational

Operational

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose

Policy Review and Modification

Which of the following is the first step in the problem-solving process? a. Analyze and compare the possible solutions b. Develop possible solutions c. Recognize and define the problem d. Select, implement and evaluate a solution

Recognize and define the problem

Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____. a. SSL b. SLA c. MSL d. MIN

SLA

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________. a. chief information security officer b. security technician c. security manager d. chief technology officer

Security manager

Which of the following is an information security governance responsibility of the Chief Security Officer? a. Communicate policies and the program b. Set security policy, procedures, programs and training c. Brief the board, customers and the public d. Implement policy, report security vulnerabilities and breaches

Set security policy, procedures, programs and training

Which of the following is true about planning? a. Strategic plans are used to create tactical plans b. Tactical plans are used to create strategic plans c. Operational plans are used to create tactical plans d. Operational plans are used to create strategic plans

Strategic plans are used to create tactical plans

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system? a. The Telecommunications Deregulation and Competition Act b. National Information Infrastructure Protection Act c. Computer Fraud and Abuse Act d. The Computer Security Act

The Computer Security Act

The basic outcomes of InfoSec governance should include all but which of the following? a. Value delivery by optimizing InfoSec investments in support of organizational objectives b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved c. Time management by aligning resources with personnel schedules and organizational objectives d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively

Time management by aligning resources with personnel schedules and organizational objectives

______ are malware programs that hide their true nature, and reveal their designed behavior only when activated. a. Viruses b. Worms c. Spam d. Trojan horses

Trojan horses

Which law extends protection to intellectual property, which includes words published in electronic formats? a. Freedom of Information Act b. U.S. Copyright Law c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act

U.S. Copyright Law

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? a. Enterprise information security policy b. User-specific security policies c. Issue-specific security policies d. System-specific security policies

User-specific security policies

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions? a. Violations of Policy b. Systems Management c. Prohibited Usage of Equipment d. Authorized Access and Usage of Equipment

Violations of Policy

Which of the following is NOT a valid rule of thumb on risk control strategy selection? a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls. d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.