Test 1 ch 1-4 cis 410
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. SANS (ISC)2 ACM ISACA
(ISC)2
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? establishing acting initiating learning
initiating
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? user-specific enterprise information issue-specific system-specific
issue-specific
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? ignorance malice intent accident
malice
Communications security involves the protection of which of the following? media, technology, content radio handsets the IT department people, physical assets
media, technology, content
Which of the following explicitly declares the business of the organization and its intended areas of operations? values statement vision statement business statement mission statement
mission statement
The protection of voice and data components, connections, and content is known as __________ security. national network cyber operational
network
The three levels of planning are strategic planning, tactical planning, and __________ planning.
operational
Which type of planning is used to organize the ongoing, day-to-day performance of tasks? operational strategic tactical organizational
operational
resources to support the accomplishment of objectives? planning controlling leading organization
organization
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy? policy developer policy enforcer policy reviewer policy administrator
policy administrator
Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected? accountability availability confidentiality privacy
privacy
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________. proper development proper conception proper implementation proper design
proper conception
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
public law
Which of the following is NOT an approach to password cracking? social engineering attacks dictionary attacks brute force ransomware
ransomware
To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology. level of formatting cost reading level size
reading level
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________. search warrant subpoena affidavit forensic clue
search warrant
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. chief information security officer security manager security technician chief technology officer
security manager
A qualified individual who is tasked with configuring security technologies and operating other technical control systems is known as a(n) ____________. security manager chief information security officer security technician chief technology officer
security technician
"4-1-9" fraud is an example of a __________ attack. worm spam virus social engineering
social engineering
Which type of document is a more detailed statement of what must be done to comply with a policy? procedure standard practice guideline
standard
Human error or failure often can be prevented with training and awareness programs, policy, and __________. ISO 27000 technical controls outsourcing hugs
technical controls
A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.
true
A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. __________
true
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
true
Deterrence is the best method for preventing an illegal or unethical activity. ____________
true
Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
true
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? issue-specific security policies user-specific security policies enterprise information security policy system-specific security policies
user-specific security policies
In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution. implementation justification investigation analysis
analysis
Which of the following are instructional codes that guide the execution of the system when information is passing through it? capability tables access control lists configuration rules user profiles
configuration rules
Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. _________________________
false
It is the responsibility of InfoSec professionals to understand state laws and bills. ____________
false
Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________
false
The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________
false
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
false
In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies? design investigation implementation analysis
implementation
The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security. operational cyber information network
information
A detailed outline of the scope of the policy development project is created during which phase of the SDLC? implementation investigation design analysis
investigation
The study of what makes actions right or wrong, also known as moral theory.
normative ethics
Which of the following are the two general groups into which SysSPs can be separated? 1)business guidance and network guidance 2)technical specifications and business guidance 3)user specifications and managerial guidance 4)technical specifications and managerial guidance
technical specifications and managerial guidance
Policies must specify penalties for unacceptable behavior and define an appeals process.
true
Which of the following should be included in an InfoSec governance program? 1)An InfoSec risk management methodology 2)An InfoSec maintenance methodology 3)An InfoSec project management assessment 4)All of these are components of the InfoSec governance program.
An InfoSec risk management methodology
One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
Computer Security Act
What should an effective ISSP accomplish?
Describes the organization's expectations about how its technology-based system should be used. Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control. Indemnifies the organization against liability for an employee's inappropriate or illegal use of the system.
Which policy is the highest level of policy and is usually created first? EISP USSP ISSP SysSP
EISP
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. Controlling Strategy Governance Leading
Governance
Which of the following is an information security governance responsibility of the chief information security officer? 1)Implement incident response programs to detect security vulnerabilities and breaches. 2)Set security policy, procedures, programs, and training. 3)Develop policies and the program. 4)Brief the board, customers, and the public.
Set security policy, procedures, programs, and training.
Discuss the three general categories of unethical behavior that organizations should try to control.
Ignorance Accident Intent Ignorance of the law is not a defense, but a lack of intent can be. Individuals within a business have the highest chance of causing harm or damage by accident.
__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them. Dumpster diving Competitive advantage Packet sniffing Industrial espionage
Industrial espionage
Which statement defines the differences between a computer virus and a computer worm? 1)Worms can make copies all by themselves on one kind of computer but viruses can make copies all by themselves on any kind of computer. 2)Worms and viruses are the same. 3)Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate. 4)Worms can copy themselves to computers and viruses can copy themselves to smartphones.
Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.
affidavit
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? 1)can suffer from poor policy dissemination, enforcement, and review 2)may skip vulnerabilities otherwise reported 3)implementation can be less difficult to manage 4)may be more expensive than necessary
can suffer from poor policy dissemination, enforcement, and review
Focuses on enhancing the security of the critical infrastructure in the United States.
Cybersecurity Act
Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________. data owners data custodians data generators data users
data users
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? policy administration due diligence certification and accreditation adequate security measures
due diligence
Defines socially acceptable behaviors.
ethics
"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. __________
false
Values statements should be ambitious; after all, they are meant to express the aspirations of an organization. ____________
false
One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. phreaking hacktivism cyberhacking red teaming
hacktivism
An example of a company stakeholder includes all of the following EXCEPT: the general public employees management stockholders
the general public
In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? 1)legal recourse 2)the penalties for violation of the policy 3)appeals process 4)individual responsible for approval
the penalties for violation of the policy
Digital forensics can be used for two key purposes: ________ or _________. 1)to investigate allegations of digital malfeasance; to perform root cause analysis 2)to solicit testimony; to perform root cause analysis 3)to investigate allegations of digital malfeasance; to solicit testimony 4)e-discovery; to perform root cause analysis
to investigate allegations of digital malfeasance; to perform root cause analysis
_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present. Portable Desktop computer Satellite transceiver Expansion
Portable
Which of the following is true about planning? 1)Tactical plans are used to create strategic plans. 2)Operational plans are used to create strategic plans. 3)Strategic plans are used to create tactical plans. 4)Operational plans are used to create tactical plans.
Strategic plans are used to create tactical plans.
Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?
The Freedom of Information act requires all federal agencies to disclose records requested in writing by any person. FOIA only applies to federal agencies. Each state has its own public access laws that should be consulted for access to state and local records.
What are the three distinct groups of decision makers or communities of interest on an information security team?
Those in the field of information security. Those in the field of IT. Those from the rest of the organization.
Which law extends protection to intellectual property, which includes words published in electronic formats? Freedom of Information Act Security and Freedom through Encryption Act Sarbanes-Oxley Act U.S. Copyright Law
U.S. Copyright Law
What do audit logs that track user activity on an information system provide? authentication authorization accountability identification
accountability
The most complex part of an investigation is usually __________. analysis for potential EM preventing the destruction of potential EM protecting potential EM requesting potential EM
analysis for potential EM
An approach that applies moral codes to actions drawn from realistic situations.
applied ethics
A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. breach compromise notification spill
breach
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. security technician chief technology officer chief information security officer security manager
chief information security officer
Some information gathering techniques are quite legal—for example, using a Web browser to perform market research. These legal techniques are called, collectively, __________.
competitive intelligence
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. convergence combination optimization intimation
convergence
Addresses violations harmful to society and is actively enforced and prosecuted by the state.
criminal law
The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. analysis design implementation investigation
design
A collection of statutes that regulates the interception of wire, electronic, and oral communications.
Electronic Communications Privacy Act
According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? initiating learning establishing acting
establishing
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of systems.
false
Access control lists regulate who, what, when, where, and why authorized users can access a system.
false
ISACA is a professional association with a focus on authorization, control, and security. ___________
false
The authorization process takes place before the authentication process.
false
The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. ____________
false
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. forensics evidentiary material data imaging crime scene investigation
forensics
The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective. The letters stand for __________, __________, and __________. 1)governance, risk management, compliance 2)governance, risk control, confidentiality 3)government, regulation, classification 4)generalization, risk assessment, cryptography
governance, risk management, compliance
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, and so that it selects key stakeholders as well as the ____________. Chairman of the Board Board Finance Committee Board Risk Committee Board Ethics Committee
Board Risk Committee
What is a key difference between law and ethics?
Laws bear the sanction of a governing authority and ethics do not.