Ball State CIS 410 Hua Exam 1
Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?
The Freedom of Information Act (FOIA) provides for the disclosure of previously unreleased information and documents held by the U.S. federal government, subject to statutory exemptions. FOIA applies only to federal agencies; it does not apply to state or local agencies, which are governed by their own state public-records laws.
What should an effective ISSP accomplish?
The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource.
Discuss the planning element of information security.
Information security planning integrates the organization's overall and IT strategies to derive an information security strategy, so that InfoSec plans support long-term achievement of the organizational strategy. Information security plans include incident response planning, risk management planning, and security program planning.
Describe the foundations and frameworks of ethics.
Traditional foundations and frameworks of ethics include:
1. Normative ethics: what makes actions right or wrong
2. Meta-ethics: the meaning of ethical judgements and properties
3. Descriptive ethics: the choices that have been made by individuals in the past
4. Applied ethics: applies moral codes to actions drawn from realistic situations
5. Deontological ethics: the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences
T/F: According to the CGTF, the organization should treat InfoSec as an "integral" part of the system life cycle.
True
T/F: Enterprise "risk management" is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True
T/F: Policies must specify penalties for unacceptable behavior and define an appeals process.
True
T/F: The Gramm-Leach-Bliley (GLB) Act, also known as the "Financial" Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies.
True
T/F: Today's InfoSec systems need constant monitoring, testing, modifying, updating, and repairing.
True
T/F: Information security policies are designed to provide structure in the workplace and explain the "will" of the organization's management.
True
Match each description to the term it defines:
1. Step-by-step instructions designed to assist employees in following policies, standards, and guidelines: procedures
2. A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance: standards
3. When issues are addressed by moving from the general to the specific, always starting with policy: bull's-eye model
4. An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies: issue-specific security policy (ISSP)
5. The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts: enterprise information security policy (EISP)
6. Specifications of authorization that govern the rights and privileges of users to a particular information asset: access control lists (ACLs)
7. A clear declaration that outlines the scope and applicability of a policy: statement of purpose
8. A section of policy that should specify users' and systems administrators' responsibilities: systems management
9. Specifies the subjects and objects that users or groups can access: capability table
10. Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems: system-specific security policies (SysSPs)
The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.
ethics
Which of the following should be included in an InfoSec governance program? A. All of these are components of the InfoSec governance program. B. An InfoSec maintenance methodology C. An InfoSec project management assessment D. An InfoSec risk management methodology
B. An InfoSec risk management methodology
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them? A. ECPA B. HIPAA C. Gramm-Leach-Bliley D. Sarbanes-Oxley
B. HIPAA
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? A. Systems Management B. Policy Review and Modification C. Limitations of Liability D. Statement of Purpose
B. Policy Review and Modification
Which law extends protection to intellectual property, which includes words published in electronic formats? A. Security and Freedom through Encryption Act B. U.S. Copyright Law C. Sarbanes-Oxley Act D. Freedom of Information Act
B. U.S. Copyright Law
What do audit logs that track user activity on an information system provide? A. authorization B. accountability C. authentication D. identification
B. accountability
In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution. A. justification B. analysis C. implementation D. investigation
B. analysis
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________. A. vulnerability B. attack C. exploit D. threat
B. attack
A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs. A. disaster recovery planning B. business mission C. joint application design D. security policy review
B. business mission
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team. A. auditor B. champion C. project manager
B. champion
Which of the following are instructional codes that guide the execution of the system when information is passing through it? A. capability tables B. configuration rules C. user profiles D. access control lists
B. configuration rules
Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________. A. data custodians B. data users C. data owners D. data generators
B. data users
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? A. adequate security measures B. due diligence C. policy administration D. certification and accreditation
B. due diligence
With policy, the most common distribution methods are hard copy and __________. A. final B. electronic C. draft D. published
B. electronic
In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies? A. design B. implementation C. investigation D. analysis
B. implementation
Blackmail threat of informational disclosure is an example of which threat category? A. compromises of intellectual property B. information extortion C. espionage or trespass D. sabotage or vandalism
B. information extortion
Which of the following is a common element of the enterprise information security policy? A. indemnification of the organization against liability B. information on the structure of the InfoSec organization C. articulation of the organization's SDLC methodology D. access control lists
B. information on the structure of the InfoSec organization
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. A. management guidance, technical directive B. management guidance, technical specifications C. management directive, technical specifications D. management specification, technical directive
B. management guidance, technical specifications
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________. A. formula B. methodology C. model D. approach
B. methodology
Which of the following is the result of a U.S.-led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? A. PCI DSS B. European Council Cybercrime Convention C. DMCA D. U.S. Copyright Law
C. DMCA
__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them. A. Competitive advantage B. Dumpster diving C. Industrial espionage
C. Industrial espionage
_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present. A. Satellite transceiver B. Expansion C. Portable D. Desktop computer
C. Portable
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system? A. Computer Fraud and Abuse Act B. The Telecommunications Deregulation and Competition Act C. The Computer Security Act D. National Information Infrastructure Protection Act
C. The Computer Security Act
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________. A. forensic finding B. search warrant C. affidavit D. subpoena
C. affidavit
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a(n) __________. A. phreaker B. expert hacker C. cracker D. penetration tester
C. cracker
A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. A. denial of service B. spam C. distributed denial of service D. virus
C. distributed denial of service
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. A. data imaging B. crime scene investigation C. forensics D. evidentiary material
C. forensics
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? A. user-specific B. enterprise information C. issue-specific D. system-specific
C. issue-specific
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________. A. cracker B. expert hacker C. penetration tester D. phreaker
C. penetration tester
Which of the following is NOT one of the basic rules that must be followed when developing a policy? A. policy must be able to stand up in court if challenged B. policy should never conflict with law C. policy should be focused on protecting the organization from public embarrassment D. policy must be properly supported and administered
C. policy should be focused on protecting the organization from public embarrassment
Which subset of civil law regulates the relationships among individuals and among individuals and organizations? A. tort B. public C. private D. criminal
C. private
To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology. A. size B. level of formatting C. reading level D. cost
C. reading level
Which of the following is compensation for a wrong committed by an individual or organization? A. due diligence B. liability C. restitution D. jurisdiction
C. restitution
A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization—for example, the information assets used in a particular organization—is known as a(n) _________. A. investiture B. venture capitalist C. stakeholder
C. stakeholder
The first priority of the CISO and the InfoSec management team should be the __________. A. adoption of an incident response plan B. development of a security policy C. structure of a strategic plan D. implementation of a risk management program
C. structure of a strategic plan
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________. A. champion B. policy developer C. team leader D. auditor
C. team leader
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________. A. exploit B. vulnerability C. threat D. attack
C. threat
Technology services are usually arranged with an agreement defining minimum service levels known as a(n) __________. A. MIN B. SSL C. MSL D. SLA
D. SLA
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? A. Wood's model B. on-target model C. Bergeron and Berube model D. bull's-eye model
D. bull's-eye model
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? A. may skip vulnerabilities otherwise reported B. implementation can be less difficult to manage C. may be more expensive than necessary D. can suffer from poor policy dissemination, enforcement, and review
D. can suffer from poor policy dissemination, enforcement, and review
A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________. A. auditor B. sponsor C. overseer D. champion
D. champion
Policy __________ means the employee must agree to the policy. A. conformance B. complacency C. consequence D. compliance
D. compliance
According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? A. initiating B. learning C. acting D. establishing
D. establishing
A technique used to compromise a system is known as a(n) __________. A. threat B. attack C. vulnerability D. exploit
D. exploit
Which of the following is not among the "deadly sins of software security"? A. Web application sins B. implementation sins C. networking sins D. extortion sins
D. extortion sins
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? A. acting B. learning C. establishing D. initiating
D. initiating
Which of the following is a C.I.A. triad characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state? A. accountability B. authentication C. availability D. integrity
D. integrity
The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. A. implementation B. analysis C. justification D. investigation
D. investigation
What is the first phase of the SecSDLC? A. analysis B. logical design C. physical design D. investigation
D. investigation
Access control list user privileges include all but which of these? A. write B. execute C. read D. operate
D. operate
Which type of planning is used to organize the ongoing, day-to-day performance of tasks? A. tactical B. organizational C. strategic D. operational
D. operational
An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as __________. A. jailbreaking B. crypto locking C. spam D. ransomware
D. ransomware
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives? A. organizational B. operational C. strategic D. tactical
D. tactical
Human error or failure often can be prevented with training and awareness programs, policy, and __________. A. hugs B. outsourcing C. ISO 27000 D. technical controls
D. technical controls
Which of the following are the two general groups into which SysSPs can be separated? A. business guidance and network guidance B. user specifications and managerial guidance C. technical specifications and business guidance D. technical specifications and managerial guidance
D. technical specifications and managerial guidance
Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? A. espionage or trespass B. sabotage or vandalism C. information extortion D. theft
D. theft
T/F: "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. __________
False
T/F: "Technology" is the essential foundation of an effective information security program
False
T/F: "Values" statements should be ambitious; after all, they are meant to express the aspirations of an organization.
False
T/F: A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization is a(n) investiture. ____________
False
T/F: A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of systems.
False
T/F: Access control lists regulate who, what, when, where, and "why" authorized users can access a system.
False
T/F: Because it sets out general business intentions, a mission statement does not need to be concise.
False
T/F: Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex.
False
T/F: Examples of actions that illustrate compliance with policies are known as "laws".
False
T/F: ISACA is a professional association with a focus on "authorization", control, and security. ___________
False
T/F: InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False
T/F: It is the responsibility of InfoSec professionals to understand state laws and "bills". ____________
False
T/F: The ISO 27014:2013 standard promotes five governance processes, which should be adopted by the organization's executive management and its "consultant".
False
T/F: The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and "decentralization".
False
T/F: To protect intellectual property and competitive advantage, Congress passed the "Entrepreneur" Espionage Act (EEA) in 1996.
False
T/F: The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.
False
A(n) __________ is an act against an asset that could result in a loss.
attack
There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed.
1. Compromises to intellectual property (Ex. software piracy)
2. Deviations in quality of service (Ex. WAN service problems)
3. Espionage or trespass (Ex. unauthorized access or data collection)
4. Forces of nature (Ex. fire)
5. Human error or failure (Ex. employee mistakes)
6. Information extortion (Ex. blackmail)
What are the three distinct groups of decision makers or communities of interest on an information security team?
1. Those in the field of information security 2. Those in the field of IT 3. Those from the rest of the organization
Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? A. fear of humiliation B. probability of being penalized C. probability of being caught D. fear of penalty
A. fear of humiliation
The EISP must directly support the organization's __________. A. mission statement B. financial statement C. values statement D. public announcements
A. mission statement
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________. A. proper conception B. proper development C. proper implementation D. proper design
A. proper conception
Which type of planning is the primary tool in determining the long-term direction taken by an organization? A. strategic B. tactical C. managerial D. operational
A. strategic
The final component of the design and implementation of effective policies is __________. A. uniform and impartial enforcement B. universal distribution C. complete distribution D. full comprehension
A. uniform and impartial enforcement
Which of the following is a key advantage of the bottom-up approach to security implementation? A. utilizing the technical expertise of the individual administrators B. strong upper-management support C. a clear planning and implementation process D. coordinated planning from upper management
A. utilizing the technical expertise of the individual administrators
Which of the following is NOT an aspect of access regulated by ACLs? A. where the system is located B. what authorized users can access C. when authorized users can access the system D. how authorized users can access the system
A. where the system is located
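The ACL questions above say that an ACL regulates who may access what, when, and how (not where the system sits and not why), that its privileges are read, write and execute, and that the audit log's contribution is accountability. The following is an added example, not code from the course or its textbook: a toy default-deny ACL evaluator in Python in which every entry carries all four dimensions, every decision is written to an audit record tied to the requesting identity, and "operate" is rejected as a privilege. The subjects, objects, time windows, access methods and the `at()` timestamp helper are constructed sample data.

```python
"""Toy ACL evaluator (added example; all subjects, objects and windows are
constructed sample data, not taken from the course material).

An ACL entry answers *who* (subject) may do *what* (privilege on an object),
*when* (time-of-day window) and *how* (access method).  Each decision is
appended to an audit log so the action is attributable to an identity, which
is the accountability that audit logs provide.  Access is default-deny: a
request is allowed only if some entry matches on every dimension.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

# The three ACL privileges from the course; "operate" is not one of them.
PRIVILEGES = frozenset({"read", "write", "execute"})


@dataclass(frozen=True)
class AclEntry:
    subject: str                                   # who
    obj: str                                       # what (the information asset)
    privileges: frozenset                          # which rights on that asset
    window: tuple = (time(0, 0), time(23, 59, 59)) # when (inclusive time window)
    methods: frozenset = frozenset({"console", "vpn", "ssh"})  # how


@dataclass
class AccessControlList:
    entries: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, entry: AclEntry) -> None:
        """Add an entry, refusing privileges that are not read/write/execute."""
        unknown = entry.privileges - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
        self.entries.append(entry)

    def check(self, subject: str, obj: str, privilege: str,
              when: datetime, method: str) -> bool:
        """Return True only if an entry matches who, what, when and how."""
        allowed = any(
            e.subject == subject
            and e.obj == obj
            and privilege in e.privileges
            and e.window[0] <= when.time() <= e.window[1]
            and method in e.methods
            for e in self.entries
        )
        # Accountability: record who attempted what, when, how, and the outcome.
        self.audit_log.append({
            "subject": subject, "object": obj, "privilege": privilege,
            "time": when.isoformat(), "method": method,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp on a fixed sample date (helper for the demo)."""
    return datetime(2024, 3, 4, hour, minute)


def build_sample_acl() -> AccessControlList:
    """Constructed entries: a payroll spreadsheet and a backup script."""
    acl = AccessControlList()
    acl.grant(AclEntry("alice", "/finance/payroll.xlsx",
                       frozenset({"read", "write"}),
                       window=(time(8, 0), time(18, 0)),
                       methods=frozenset({"console", "vpn"})))
    acl.grant(AclEntry("bob", "/finance/payroll.xlsx", frozenset({"read"})))
    acl.grant(AclEntry("backup-svc", "/opt/backup/run.sh",
                       frozenset({"read", "execute"}),
                       window=(time(1, 0), time(3, 0)),
                       methods=frozenset({"console"})))
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    acl.check("alice", "/finance/payroll.xlsx", "write", at(10), "vpn")   # ALLOW
    acl.check("alice", "/finance/payroll.xlsx", "write", at(22), "vpn")   # DENY: outside window
    acl.check("bob", "/finance/payroll.xlsx", "write", at(10), "console") # DENY: no write right
    for record in acl.audit_log:
        print(record)
```

The point of the audit log is not that it decides anything (that is authorization) nor that it proves who someone is (authentication); it is that after the fact each ALLOW or DENY can be traced to a named subject, asset, time and method.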
Which phase of the SDLC should see clear articulation of goals? A. analysis B. investigation C. implementation D. design
B. investigation
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. A. chief technology officer B. security manager C. chief information security officer D. security technician
B. security manager
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past? A. Deontological ethics B. Normative ethics C. Descriptive ethics D. Applied ethics
C. Descriptive ethics
__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. A. Leading B. Controlling C. Governance D. Strategy
C. Governance
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. A. theft B. security C. trespass D. bypass
C. trespass
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? A. issue-specific security policies B. system-specific security policies C. user-specific security policies D. enterprise information security policy
C. user-specific security policies
A potential weakness in an asset or its defensive control system(s) is known as a(n) __________. A. attack B. threat C. vulnerability D. exploit
C. vulnerability
Which of the following is NOT a step in the problem-solving process? A. Select, implement, and evaluate a solution. B. Analyze and compare possible solutions. C. Gather facts and make assumptions. D. Build support among management for the candidate solution.
D. Build support among management for the candidate solution.
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)? A. Applied ethics B. Meta-ethics C. Normative ethics D. Deontological ethics
D. Deontological ethics
ESD is the acronym for __________.
Electrostatic Discharge
An organization increases its liability if it refuses to take the measures a prudent organization should; this is known as the standard of _____________.
due care
A momentary low voltage is called a(n) __________.
sag
T/F: A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.
True
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons? A. For political advantage B. For private financial gain C. For purposes of commercial advantage D. In furtherance of a criminal act
A. For political advantage
Which of the following is true about planning? A. Strategic plans are used to create tactical plans. B. Tactical plans are used to create strategic plans. C. Operational plans are used to create strategic plans. D. Operational plans are used to create tactical plans.
A. Strategic plans are used to create tactical plans.
Which statement defines the differences between a computer virus and a computer worm? A. Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate. B. Worms can copy themselves to computers and viruses can copy themselves to smartphones. C. Worms can make copies all by themselves on one kind of computer but viruses can make copies all by themselves on any kind of computer. D. Worms and viruses are the same.
A. Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.
A risk assessment is performed during which phase of the SDLC? A. analysis B. design C. investigation D. implementation
A. analysis
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. A. chief information security officer B. security technician C. chief technology officer D. security manager
A. chief information security officer
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. A. convergence B. combination C. intimation D. optimization
A. convergence
A process focused on the identification and location of potential evidence related to a specific legal action, drawing on material that has been collected through digital forensics, is known as _________. A. e-discovery B. indexing C. root cause analysis D. forensics
A. e-discovery
One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. A. hacktivism B. red teaming C. phreaking D. cyberhacking
A. hacktivism
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________. A. identifying relevant items of evidentiary value B. acquiring (seizing) the evidence without alteration or damage C. investigating allegations of digital malfeasance D. analyzing the data without risking modification or unauthorized access
A. identifying relevant items of evidentiary value
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? A. malice B. accident C. ignorance D. intent
A. malice
IT's focus is the efficient and effective delivery of information and administration of information resources, while InfoSec's primary focus is the __________ of all information assets. A. protection B. valuation C. operation D. availability
A. protection
When creating a __________, each level of each division translates its goals into more specific goals for the level below it. A. strategic plan B. maintenance program C. security policy D. security program
A. strategic plan
In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? A. the penalties for violation of the policy B. appeals process C. individual responsible for approval D. legal recourse
A. the penalties for violation of the policy