3607 Midterm review Quizzes 4-6

In a (n) ____________________, there are policies, standards, baselines, procedures, guidelines, and taxonomy.

IT policy framework

Web graffiti on an organization's Web site can diminish an organization's reputation. Web graffiti is a result of Web site defacement, in which a Web site is breached and its content altered, usually in a way that embarrasses the Web site owner. True or False?

True

When an organization implements a division of labor, the depth and quality is higher. The result is the organization grows, along with operating costs. An organization needs to divide labor in such a way that it can create quality, remain competitive, and control operating costs. True or False?

True

When going through the steps to create a vision for change, it is valuable to find a leader in your organization who can be an agent of change; someone who doesn't follow the pack, who can think outside the box, and can steer the organization through the politics of creating change. True or False?

True

When situations arise in which your organization cannot meet one or more standards immediately, it is vitally important to recognize an exception to standards to determine where problems may exist. True or False?

True

While procedures and standards describe the "how" of configuring security devices to implement the policy, security policies provide the "what" and "why" of security measures. True or False?

True

A flat network limits what and how computers are able to talk to each other. Many standards require flat networks such as the Payment Card Industry Data Security Standard (PCI DSS). This standard requires a flat network to further protect credit cardholder information. True or False?

False

A procedure is a written instruction on how to comply with a standard. Procedures can be generalized to apply to all employees and can be accessed at any time. True or False?

False

In an attribute based access control (ABAC) model, roles assigned are static, whereas in a role based access control (RBAC), roles are built more dynamically. True or False?

False

In an organizational structure, the stakeholders in the line of business are focused on effective comprehensive assurance policies. True or False?

False

In the ISO/IEC 27002, the framework of asset control is outlined, and this includes a description of how to conduct an inventory and classification of information assets. This section covers responsibility for assets and information classification. True or False?

False

When creating a company's security policy, it is important that scope of the program usually includes resources, information, and personnel. However, it is not necessary that the scope is aligned with the company's annual information security budget. True or False?

False

When discussing security policies and implementation tasks, one should follow a checklist with three items: 1) things to do; 2) things to pay attention to; and 3) things to report. True or False?

False

When employees are feeling doubtful, they often feel a lack of motivation and just "go through the motions," and this leads to putting the organization's security at risk. True or False?

False

When it comes to information, an organization has one main concern about how that information is collected, stored, and processed: Is the information safe? True or False?

False

When you need to discipline employees, it is important to discipline different employees differently for the same policy violation in order to prevent them from becoming complacent. It is necessary to work independently from the human resources department and create your own procedures. True or False?

False

Apathy can have detrimental effects on information security. Engaged communication is one strategy that can be implemented to overcome the effects of apathy. Which of the following statements further elaborates this strategy?

Adjust the implementation strategy to better explain the importance of the policy within the context of the individual role.

Which of the following statements captures an example of a manager tapping into pride as a source of motivation?

"It is really important that you complete this task because the team values your contributions and would benefit from your input"

The struggle between how to manage a business versus how to "grow" has significant implications for security policies that must reflect the core values of the business. Which of the following statements reflects one of the security policy approaches often taken by entrepreneurs growing a business?

A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk.

Hierarchical models have many advantages to organizations, but there are also a number of disadvantages. Which of the following is one of the disadvantages?

Accountability can be a problem because when many component teams are involved, it can be difficult to determine whose fault it is if something doesn't work

______________________ can run on a workstation or server and is at the heart of all business applications.

Application software

_______________ is a measurement that quantifies how much information can be transmitted over the network

Bandwidth

Which of the following policy frameworks is a widely accepted set of documents that is commonly used as the basis for an information security program, and is an initiative from ISACA, formerly known as the Information Systems Audit and Control Association?

Control Objectives for Information and related Technology (COBIT)

In the ISO/IEC 27002 framework, _________________ describes the use and controls related to encryption.

Cryptography

Integrity broadly means limiting disclosure of information to authorized individuals. For example, if the principle of integrity is applied to e-mail, then you might have an objective of ensuring that all sensitive information be protected against eavesdropping. And then to implement this objective you would require that all e-mails containing sensitive information be encrypted, and then ensure that only authorized individuals have access to the decryption key. True or False?

False

It is advised to always have discretion with leaders. Explain in general terms what information security policies can and cannot achieve. It is equally important to be conservative in your estimates regarding the impact on the business; otherwise you risk losing credibility. True or False?

False

It is generally recommended that security policies should focus on specific products rather than product capabilities because it is important that there is a uniformity of devices across an organization. This consistency makes security policies easier to enforce. True or False?

False

Motivated employees are far more likely to embrace the implementation security policies, but this does not correlate to more risks being identified and mitigated for the organization. Rather, it creates a more comfortable work environment. True or False?

False

Network infrastructure includes devices upon which an application resides, such as application and database servers. All other non-application networked devices may fall under the definition of platforms. True or False?

False

Of the eight classic personality types in the workplace, commanders, can often appear angry or even hostile toward ideas and others on the team and are critical of others' ideas. True or False?

False

One of the well-documented reasons for why projects fail is insufficient support from leadership. This occurs when value is only derived from policies when they are enforced. An organization must have the will and process to reward adherence. True or False?

False

Organizations can lower communication costs and save time by leasing private lines for WANs instead of using VPN tunnels. For small and medium-size companies, it's the only practical solution given the cost and technical complexities. True or False?

False

Some organizations create a specific consequence model for information security policy. Violations can replace and absorb the broader HR polices that deal with disciplining individuals. A consequence model is intended to be punitive for the individual. True or False?

False

The only difference between a remote access domain and a user domain is that in a user domain, you are traveling from a public unsecure network into the private secure company network. True or False?

False

The privacy policy emerged as a type of code of conduct. With the rise of social media, many businesses are concerned about employees posting information about the company on social media sites. For many organizations, posting any information about the business beyond the employee's name and title is strictly forbidden. True or False?

False

The term "noncompliant" is only applied to employees who intentionally violate a policy. True or False?

False

The terms system software and application software can be used interchangeably because they perform the same functions of allowing a computer to communicate over a network. True or False?

False

___________________ addresses how specific a policy is with respect to resources

Granularity

Which of the following statements captures the function of guidelines presented in guidance documents for IT security?

Guidelines provide those who implement standards/baselines more detailed information such as hints, tips, and processes to ensure compliance.

A key component to IT security is authorization, which is especially important in large, complex organizations with thousands of employees and hundreds of systems. Two methods of authorization are role based access control (RBAC) and attribute based access control (ABAC). Although RBAC and ABAC can provide the same access, which of the following is an advantage of ABAC?

In ABAC, roles are expressed more in business terms and thus may be more understandable.

In order to gain a deeper understanding of how employees interact in the workplace, it is useful to learn about the eight classic personality types that have been identified by HR Magazine. One of these is the achievers. Which of the following descriptions best captures this personality type?

These people are very result oriented. They genuinely want the best result and may seek different ways to bring that result into being

One of the key functionalities of a central management system is inventory management, which does which of the following?

This system tracks devices as they connect to the LAN, which devices are on the network, and how often they connect to the LAN.

A router is a network device that connects LANs, or a LAN and a WAN. True or False?

True

Authentication is one of the most important components of the user domain, and it is necessary to determine an authentication method that makes sense for your organization. It is best to restrict access to an ID and password to one individual and ensure that users frequently change passwords. True or False?

True

Continuous improvement relies on people telling you what is and isn't working, and a good source for this information is an employee departing a company. True or False?

True

Data owners ensure that only the access that is needed to perform day-to-day operations is granted and that duties are separated adequately to mitigate the risk of errors and fraud. True or False?

True

ISO/IEC 27002 covers the three aspects of the information security management program: managerial, operational, and technical activities. All three must be present in any IT security program for comprehensive coverage. True or False?

True

In 2002, the U.S. Senate passed the Sarbanes-Oxley (SOX) Act, which was passed in the wake of the collapse of Enron, Arthur Andersen, WorldCom, and several other large firms. SOX requires publicly traded companies to maintain internal controls. The controls ensure the integrity of financial statements to the Securities and Exchange Commission (SEC) and shareholders. As a result of this mandate, these internal controls are now highly scrutinized. True or False?

True

In a flat network, a workstation can communicate with any other computer on the network because it has few controls, or none, to limit network traffic. True or False?

True

In order to move data from an unsecure WAN to a secure LAN, you begin by segmenting a piece of your LAN into a demilitarized zone (DMZ). True or False?

True

It is often the case that a security manager must make tough management decisions when defining the scope of a program. For example, the manager may need to decide how the program applies to contractors who connect to the company's systems. True or False?

True

Motivation consists of being enthusiastic, energized, and engaged to achieve a goal or objective. The three basic elements of motivation are pride, self-interest, and success. True or False?

True

One example of granularity is a policy that requires an e-mail server to have a specific configuration in order to be considered secure and a server-based monitoring tool that can report the configuration and compliance to the appropriate personnel. In this scenario, the policy is appropriately fine-grained and automates enforcement. True or False?

True

One of the basic measurements for assessing whether or not individuals are being held accountable for adherence to security policies is the reported number of security violations by employees. You should investigate any unexplained increases in reported violations to determine why an abnormal number is occurring. True or False?

True

One of the components of a useful structure for issue-specific standards is the points of contact section, which lists the areas of the organization responsible for the implementation of policies. Those in these areas are the subject matter experts, or SMEs, who interpret the policy and ensure that there are controls to enforce the policy. This section may also identify other applicable standards or guidelines. True or False?

True

One of the consequences of an organization's expectation that the LAN will be always available and always have capacity is that bandwidth within the LAN decreases as new services such as VoIP and video are offered. True or False?

True

One of the ways to verify a computer's identity is by using certificates, because, in general terms, the certificate acts like a digital fingerprint. True or False?

True

The last step on Kotter's Eight-Step Change Model is to anchor the changes in corporate culture; to make anything stick, it must become habit and part of the culture. Therefore, it is important to find opportunities to integrate security controls into day-to-day routines. True or False?

True

Though the position of CISO may also be known by many other titles, the CISO role itself is the top-ranking individual with full-time responsibility for information security. True or False?

True

There are several types of domains in the IT infrastructure. Which of the following is not one of these domains?

VPN

Bring Your Own Device (BYOD) is a current trend within many organizations, which raises a host of security policy questions that must be addressed for handheld device use. Which of the following is not one the questions?

What is a reason the person owns the device?

If a security policy clearly distinguishes the responsibilities of computer services providers from those of the managers of applications who use the computer services, which of the following goals is served?

accountability

An efficient organization requires the proper alignment of people, processes, and technology. One of the ways good security policies can mitigate this risk is through enforcement. Which of the following situations is an example of enforcement?

an employee is given the authority to request a wire transfer, and a manager is required to approve the transfer

Many organizations have a(n) _____________ policy in place to manage the business concern of how to handle sensitive information in physical form, such as reports. This policy generally requires employees to lock up all documents and digital media at the end of a workday and when not in use

clean desk

In recent years, ___________________ has emerged as major technology. It provides a way of buying software, infrastructure, and platform services on someone else's network

cloud computing

A(n) ___________________ sets expectations on the use and security of mobile devices, whereas a(n) _________________ establishes a broad set of rules for approved conduct when a user accesses information on company-owned devices

corporate mobility policy, acceptable use policy

When implementing a framework, the two main considerations for implementation are _____________ and _____________.

cost, impact

In order to build a coalition, it's the responsibility of the chief information security officer (CISO) to reach out to stakeholders, explain the policy change, and listen to concerns. Many organizations have what are called control partners, who give input before a policy change can be made. Which of the following is not an example of control partners found in many large organizations?

data custodians

The concept of _________________ comes from the acknowledgment that data changes form and often gets copied, moved, and stored in many places. Sensitive data often leaves the protection of application databases and ends up in e-mails, spreadsheets, and personal workstation files.

data loss protection

In order to move data from an unsecure WAN to a secure LAN, you typically begin by segmenting a piece of your LAN into a _________________________, which sits on the outside of your private network facing the public Internet. Servers in this area provide public-facing access to the organization, such as public Web sites.

demilitarized zone (DMZ)

It is important for an organization to determine how it wants to manage ____________________, which means how to group various tasks, and____________________, which relates to the number of layers and number of direct reports found in an organization.

division of labor, span of control

Though there are many ways to group security policies, a common method is to organize common risks and related policy issues into__________________ that share similarities but are distinctive enough to allow logical separation into more manageable secure areas.

domains

The information security program charter is the capstone document for the information security program. This required document establishes the information security program and its framework. Which of the following components is not defined by this high-level policy?

explanation of penalties and disciplinary actions for specific infractions

Which of the following is not one of the common network devices found on the LAN domain?

flat network

Successful security policy implementation in the workplace depends on people understanding key concepts and embracing the material. Thus, people need to be motivated to succeed if they are going to implement such policies. There are three basic elements of motivation: pride, self-interest, and success. Which of the following does not occur when these elements are combined?

individuals meeting the basic expectations of their job requirements to be successful

Of the roles commonly found in the development, maintenance, and compliance efforts related to a policy and standards library, which of the following has the responsibilities of directing policies and procedures designed to protect information resources, identifying vulnerabilities, and developing a security awareness program?

information resources security officer

Which of the following standards is important to issue as new technologies develop considering that some issues diminish in importance while new ones continually appear?

issue-specific standard

When a major private sector business experiences a data breach on the scale that the retailer Target experienced in 2013, the financial impact can be significant. In this event, significant weaknesses in the information security framework and its related controls were present. Which of the following major impact areas is not one of the three that should have been addressed in a well-implemented security framework?

lack of complete inventory of IT assets and their configurations

In a hierarchical organization, there are a large number of touch points and personalities that must be engaged to successfully implement a security policy. As the number of touch points increases, the number of complex ________________ also increases between stakeholders

matrix relationships

Operations security describes operational management of controls to ensure that capacity is adequate and performance is delivered. Which of the following is not one of the key topics included in this section?

network security management

The NIST SP 800-53, "Recommended Security Controls for Federal Information Systems" was written using a popular risk management approach. Which of the following control areas best fits this description: "This is the area in which an organization develops, documents, periodically updates, and implements security plans for information systems"?

planning

For leaders, implementing security policies is all about working through others to gain their support and adhere to the policies. Of the widely accepted leadership rules that apply to security policies, which of the following is not among these rules?

productivity

In order for an IT security framework to meet information assurance needs, the framework needs to include policies for several areas. Which of the following is not one of the areas?

protecting the privacy of personal data and proprietary information

Although an organization's list of stakeholders will vary depending on the policy being implemented, there are stakeholders who can be seen commonly across organizations. What is the key focus of stakeholders in information security?

protection of the company and the customer

In general, it's not a good idea to implement significant policy changes during a _______________.

reduction in force

In order to be thoughtful about the implementation of security policies and controls, leaders must balance the need to reduce______________ with the impact to the business operations. Doing so could mean phasing security controls in over time or be as simple as aligning security implementation with the business's training events

risk

Using switches, routers, internal firewalls, and other devices, you can restrict network traffic with a ____________________, which limits what and how computers are able to talk to each other

segmented network

A typical data leakage protection program provides several layers of defense to prevent confidential data from leaving the organization. Which of the following is not one of the layers of defense?

self-regulation

In order to convince an organization to adopt security policies, it is necessary for a manager to have some proficiency in ________________, which refers to certain social personality traits such as the ability to communicate and project optimism.

soft skills

Remote authentication has always been a concern because the person is coming from a public network, and many companies require two-factor authentication for remote access. Which of the following is not one of the most commonly accepted types of credentials?

something you want to know

Implementing security policy means continuous communication with ___________________ and ensuring transparency about what's working and what's not working

stakeholders

In an issue-specific standard, the ___________________________section defines a security issue and any relevant terms, distinctions, and conditions.

statement of an issue

In an LAN domain, a_______________ is similar to a hub but can filter traffic, a ______________ connects LANs, or a LAN and a WAN, and a ______________ is a software or hardware device that filters traffic in and out of a LAN.

switch, router, firewall

The _______________ domain refers to any endpoint device used by end users, which includes but is not limited to mean any smart device in the end user's physical possession and any device accessed by the end user, such as a smartphone, laptop, workstation, or mobile device

workstation

Authentication of a workstation and encryption of wireless traffic are issues that belong to which of the following two domains?

workstation and LAN