CIST 1602
For her growing chiropractic practice, Dr. Pippa has to create a formal program that reduces the likelihood of accidental or malicious loss of sensitive data. She will have a consultant create security policies that will define what is often called a ______________________________________ program.
DLP - Data Loss Protection or Data Leakage Protection
An organization adopts the COBIT framework for IT governance. According to the COBIT literature, one of the following is NOT an expected benefit. Which one?
Decentralization of risk
"Security increases when it is implemented as a series of overlapping layers of controls and countermeasures" is a security development principle known as __________________.
Defense-in-depth
Which of the following would be the best example of an outcome of financial risk?
Due to inadequate cash flow, a business is unable to make payroll.
Which of the following would be the best example of an outcome of operational risk?
Due to insufficient alternate power planning, a power outage brings a company's data center offline.
An important privacy principle gives the consumer an understanding of what and how data is collected and used. This is known as ____________________.
Full disclosure
___________________ addresses how specific a policy is with respect to resources.
Granularity
A _______________ is a non-mandatory instruction that may include recommended practices or policies.
Guideline
Although there is no "one correct scheme" for business classification levels, which level from the following is commonly used to label mission critical and/or highly regulated data?
Highly Sensitive
Which of the following has the responsibility of offering instruction on intrusion detection systems and intrusion prevention system standards as well as their accompanying uses for diminishing false alerts?
IDS and IPS architecture and management guidelines.
While these two approaches have similarities in terms of the topics they address, COBIT will cover broad IT management topics and specify which security controls and management need to be installed; however, ________ does not address how to implement specific controls.
ISO
In a(n) ____________________, there are policies, standards, baselines, procedures, guidelines, and taxonomy.
IT policy framework
Which of the following is a series of books originally developed in Britain that describes recommended IT management practices and procedures?
ITIL
Which of the following roles typically has the responsibilities of managing policies and procedures designed to protect information resources, identifying vulnerabilities, and developing a security awareness program?
Information resources security officer
___________ is the act of protecting information and the systems that store and process it.
Information systems security
Marion has been tasked with FISMA compliance for an agency within the Department of the Interior. According to NIST guidelines, what should she do first in the risk management process?
Inventory all hardware, software, and data.
Which of the following is one of the challenges of the Sarbanes-Oxley (SOX) Act?
It is very expensive and nearly impossible to test all of a company's controls.
According to the article stating that security awareness programs are a waste of time, one common thought among the security experts was that the best way to implement a security training program was to:
Make programs more relevant to their employees in a way which will help to build an organization-wide culture.
If human action is required, the control is considered _______________.
Manual
Also known as the Federal Information Processing Standards (FIPS), the _______________ framework is a shared set of security standards required by the Federal Information Security Management Act (FISMA).
NIST
___________ risk deals with any event that could disrupt the daily activities of an organization.
Operational
Which of the following industry data security standards was developed to require protection of credit card information?
PCI DSS
A deadbolt door lock is an example of a/an _____________ security control.
Physical
The NIST publication SP 800-53, "Recommended Security Controls for Federal Information Systems" was written using a popular risk management approach. Which of the following control areas best fits this description: "this is the area in which an organization develops, documents, periodically updates, and implements security plans for information systems"?
Planning
An Acceptable Use Policy (AUP) defines the targeted functions of computers and networks. This policy delimits unacceptable uses and the consequences for policy violation. Which of the following topics is not likely to be found in an AUP?
Recommendations for creating a healthy organizational culture.
A patch management procedure should include a section for a back out plan. What does a back out plan refer to?
Restoring a system to its pre-patch state.
The Risk IT framework process model is built on three domains. Which domain ensures that technology risks are identified and presented to leadership in business terms? This domain also creates a risk database of all known risks.
Risk Evaluation
Comparing risk likelihood to risk impact determines _____________________.
Risk exposure
___________________ is a term that denotes a user's capability to authenticate once to access the network and then have automatic authentication on different applications and devices afterward.
Single sign-on
In an issue-specific standard, the ___________________________ section defines a security issue and any relevant terms and conditions.
Statement of an issue
Aside from human user types, there are two other non-human user groups. ________________ are accounts implemented by the system for the purpose of supporting automated service.
System accounts
Charles manages application servers and database servers for a mid-sized company. He has access to books with security guidelines for the seven domains of an IT infrastructure. What domain should he refer to first for guidance with his job function?
System/Application
According to ISO/IEC 27002, which of the following topics describes the process of building security into applications?
Systems Acquisition, Development, and Maintenance
Some organizations have established the position of chief privacy officer (CPO), who is charged with managing risks to PII. Which of the following is not one of the responsibilities or attributes of the CPO?
The CPO must be a lawyer in order to flawlessly interpret federal regulations.
Bonus Question: Read carefully. The possible responses below are similar and sound reasonable. According to The Register article (Note: The article is in the Chapter 3 folder in Blackboard.), the Electronic Communications Privacy Act (ECPA) Amendments Act of 2015 is stalled in committee because a senator attached an amendment that would grant the FBI warrantless access to Internet browser history metadata. What was the original intended purpose of the ECPA Amendments Act?
The ECPA Amendments Act would eliminate the "180 day old email" rule and the "already read email" rule for warrantless access to messages, and would require a search warrant no matter what the age or status of an email message.
In 1999, the ___________________ law repealed existing laws so that banks, investment companies, and other financial services companies could merge. It also required privacy protections for consumer information.
The Gramm-Leach-Bliley Act (GLBA)
Which of the following statements illustrates the importance of the LAN-to-WAN domain to an organization's security?
The LAN needs to establish a secure connection to the WAN to ensure that traffic is thoroughly inspected and carefully filtered.
Which of the following agencies is responsible for developing information security standards and procedures for federal agencies?
The National Institute of Standards and Technology (NIST)
The weakest part of an information security program is typically with people. Which of the seven domains of an IT infrastructure usually has the administrative security controls for this?
User
Which of the following types of baseline documents is often created to serve the demands of the workstation domain?
Virus scanner configuration standards.
"BYOD" is a popular and increasing trend within many organizations, which raises a host of security policy questions that must be addressed. Which of the following questions does not enter into the debate?
What is a reason the person owns the device?
It is important that LAN guidelines transfer technical knowledge and experience by guiding an individual through core principles and varied ways of considering risks. Which of the following guidelines documents instructions on the intricacies and uses of wireless structures and types?
Wi-Fi security guidelines.
The _______________ domain refers to any endpoint device used by end users, which includes, but is not limited to, any smart device in the end user's physical possession and any device accessed by the end user, such as a smartphone, laptop, workstation, or mobile device.
Workstation
Security controls are measures taken to protect systems from attacks on the integrity, confidentiality, and availability of the system. If a potential employee is required to undergo a drug screening, which of the following control categories is being used?
administrative controls
Information must be accessible to authorized persons whenever job functions require it. This fundamental tenet of information security is known as _____________.
availability
In workstation domain policies, _________________ provide the specific technology requirements for each device. IT staff uses recorded and published procedures to enact configurations by devices to ensure that secure connectivity for remote devices exists, as well as virus and malware protection and patch management capability, among several other related functions.
baseline standards
Because the system/application domain covers an expansive range of topics, it follows that the baseline standards are diverse. For example, the _____________________ explains how to compose and assess the security of applications, especially those developed in-house.
developer coding standards
A common method of grouping security risks and security safeguards (controls) is to organize them into logical __________________ whose components share common characteristics.
domains
Although it is impossible to eliminate all business risks, a good policy can reduce the likelihood of risk occurring or reduce its impact. A business must find a way to balance a number of competing drivers. Which of the following is not one of these drivers?
executive compensation packages
One of the processes for establishing business requirements and raising the level of privileges is to grant elevated rights on a temporary basis. This process is called _______________.
firecall-ID
A ______________ document provides recommended practices which are applied as applicable.
guidelines
Which of the following standards is important to issue as new technologies develop, considering that some issues diminish in importance while new ones continually appear?
issue-specific standard
Once an organization clearly defines its IP, the security policies should specify how to ___________ documents with marks or comments, and classify the data, which determines in what location the sensitive file should be placed.
label
A ____________ is a combination of the likelihood that a vulnerability could exist, a hacker's exploitation of that vulnerability, and the impact if the event occurred.
risk
The security posture of an organization is usually expressed in terms of ___________________, which generally refers to how much risk an organization is willing to accept to achieve its goal.
risk appetite
A ___________ is a device usually found on the edge of the LAN domain (some would say it's in the LAN-to-WAN domain) that can connect LANs to each other, or connect a LAN to a WAN. It typically uses the destination IP address of a data packet to determine where the packet should be delivered.
router
A(n) _______________ is a term used to indicate any unwanted event that takes place outside the normal daily security operations. This type of event relates to a breakdown in controls as identified by the security policies.
security event
Which of the following user types is responsible for physical security and building operations, and disaster recovery and contingency planning?
security personnel
The ultimate goal of the review and approval processes is to gain senior executive approval of the policy or standard by the chief information security officer (CISO). In order to gain this approval, the CISO requires direct-reports or other advisors to sign off on the document. Which of the following is not among the textbook's suggested list of people who should be given the chance to become a second or third layer of review?
service desk
_____________________ denotes the use of human interactions to gain any kind of desired access. Most often, this term involves exploiting personal relationships by manipulating an individual into granting access to something a person should not have access to.
social engineering
A ____________________ can be used to hierarchically represent a classification for a given set of objects or documents.
taxonomy
Daisy has been hired by a small online web shop to ensure compliance with PCI DSS. She notes the primary internal data network is flat - every device can communicate with almost every other device. She installs switches, routers, and even an internal firewall for extra security to compartmentalize the network. What has she created for PCI DSS compliance to control the flow of traffic?
A segmented network
Which of the following situations best illustrates the process of authentication?
A sensitive system requires a thumb print of an authorized user to access it.
___________________________ are formal written policies describing employee behavior when using company computer and network systems.
Acceptable use policies
Extra Credit: According to the article "Employee Negligence The Cause Of Many Data Breaches", the 2016 Experian report faults enterprise privacy and training programs' lack of depth as a root cause for employee-caused incidents. The report recommends that companies should do what?
All of these.
Which of the following is not one of the "five pillars" of the Information Assurance model?
Assurance
There are a number of classifications that can be applied to security controls. Which of the following is not one of the classifications?
Automatic control
A ___________________ is a confirmed event that compromises the confidentiality, integrity, or availability of information.
Breach
Which of the following statements states the difference between business liability and a business's legal obligation?
Business liability occurs when a company fails to meet its obligation to its employees and community. A business's legal obligation is an action that it is required to take in compliance with the law.
Which of the following policy frameworks is a widely accepted set of documents that is commonly used as the basis for Sarbanes-Oxley (SOX) compliance, and is an initiative from ISACA?
COBIT (Control Objectives for Information and related Technology)
As a result of a U.S. Supreme Court ruling challenging the restriction of access to information in libraries, the ________________ was declared constitutional; however, the courts do require schools and libraries to unblock sites when requested by an adult.
Children's Internet Protection Act (CIPA)
___________________ accounts have full and unencumbered rights to restore data as well as to configure, install, repair, and recover applications and networks.
Contingent
A _________________ is a document describing a core security control requirement. It is sometimes referred to as issue-specific.
Control Standard
In the ISO/IEC 27002 framework, the section covering _________________ describes the use and controls related to encryption.
Cryptography
A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components: the carrot and the stick. Which of the following best captures the relationship of the two components?
The carrot aims to educate and potentially reward the employee about the importance of security policies, and the stick reminds the employees of the consequences of not following policy.
The Family Educational Rights and Privacy Act (FERPA) was put into law in 1974, and contains several key elements. Which of the key elements states that schools can share information without permission in certain instances?
The exclusion/exception principle. (Health and safety issues.)
Which of the following statements best captures the reason why U.S. compliance laws came about?
The government has an interest in consumer protection, maintaining a stable economy, and maintaining a reliable source of tax revenue.
Imagine a scenario in which an employee regularly bypasses the organization's established security policies in favor of convenience. What does this employee's continued violation suggest about the culture of risk management in the organization?
The organization lacks a good risk culture wherein employees have "buy in."
Bonus: One advantage of the Critical Security Controls for Effective Cyber Defense over other frameworks for creating a cyber defense program is:
The security controls are prioritized. The most important ones to implement are listed first.
What is a vulnerability window?
The time span between vulnerability discovery and vulnerability fix.
The risk management strategy where the cost of a realized risk is assigned to someone else is known as risk _________________.
Transference
Of all the reasons that people commit errors when it comes to IT security, which of the following is the main reason people make mistakes?
carelessness
A _____________________________ is a committee that makes decisions regarding whether or not proposed new or modified policies, standards, or guidelines should be implemented.
change control board
In any event in which customer data is involved, it is necessary to check with the ___________________on the legal requirements related to the management and use of that data.
compliance officer/team
Sensitive information must be protected so that unauthorized persons, computers, or applications are unable to view or process it. This fundamental tenet of information security is known as ______________.
confidentiality
Which of the following is not one of the policies concerned with LAN-to-WAN filtering and connectivity?
content-blocking tools configuration standard
To be compliant with the risk management standards and processes outlined in NIST publications (think FISMA), policies must include key security control requirements. One of the following is not one of the key requirements. Which one?
data privacy
In order to move data from an unsecure (not trusted) network to a secure network (trusted), you typically create a _________________________, a small "sub network" which exists between your private network and the untrusted network. Servers placed in this area provide public-facing access to the organization, such as public Web sites.
demilitarized zone (DMZ)
According to the best practices most widely adopted to protect users and organizations, _______________ employs an approach that sets up overlapping layers of security as the preferred means of mitigating threats.
layered defense / defense-in-depth
The _____________________ principle for policies and standards development states that people should be granted only enough privilege to accomplish assigned tasks.
least privilege
It is recommended that systems administrators analyze logs because monitoring can deter risk. To serve this goal, a ________________ can be used to assemble logs from platforms throughout the network.
log server
A database containing exceptionally sensitive data requires that a person enter a passphrase and submit to a retinal scan. This form of authentication is known as _____________ authentication.
multifactor / two-factor
Part of the confidentiality strategy adopted by many organizations is the ____________ principle, in which you gain access only to the systems and data you need to perform your job.
need-to-know
In 2010, a major restaurant chain suffered a network breach when malware was discovered to have collected customer credit card information that was later stolen by an outside party. Such a breach was a PCI DSS framework violation. Which of the following actions is the first step that should have been taken to ensure the PCI DSS framework was safely protecting the credit card information?
network segregation
The shared belief system of employees in a business or company is known as the _____________________.
organizational culture
For an Information Security Framework, the questions related to "what and why" are more appropriate for ____________.
policies and standards
There are many ways that people can be manipulated to disclose knowledge that can be used to jeopardize security. One of these ways is to call someone under the false pretense of being from the IT department. This is known as _________________________.
pretexting
A __________ document provides step-by-step instructions for achieving some form of goal.
procedures
In May 2013, a National Security Agency (NSA) contractor named Edward Snowden leaked thousands of documents to a journalist detailing how the U.S. implements intelligence surveillance across the Internet. In which of the following sectors did this breach occur?
public sector
Charles is running a web browser with an outdated version of Adobe Flash Player, a video player browser plug-in. Running outdated versions of software can introduce a weakness in system security. This weakness is more formally known as a _______________.
vulnerability