EOM 5 Quiz (missed 2)
_________ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty. Options: loss magnitude / risk / loss frequency / loss
Risk
The Security Education Training and Awareness (SETA) program is a control measure designed to reduce the instances of __________ security breaches by employees. Options: intentional / external / accidental / physical
accidental
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. (p. 229) Options: emergency notification system / alert roster / phone list / call register
alert roster
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____. (p. 242) Options: off-site storage / remote journaling / electronic vaulting / database shadowing
electronic vaulting
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________." (p. 195) Options: implementation / certification / management / accreditation
management
The __________ is the difference between an organization's observed and desired performance. (p. 307) Options: performance gap / objective / issue delta / risk assessment
performance gap
The transfer of transaction data in real time to an off-site facility is called ____. (p. 242) Options: off-site storage / remote journaling / electronic vaulting / database shadowing
remote journaling
The first phase of risk management is _________. (p. 256) Options: risk identification / design / risk control / risk evaluation
risk identification
A _________ assigns a status level to employees to designate the maximum level of classified data they may access. (p. 268) Options: security clearance scheme / data recovery scheme / risk management scheme / data classification scheme
security clearance scheme
When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________. (p. 308) Options: baselining / best practices / benchmarking / standards of due care
standards of due care
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years. (p. 172) Options: standard / operational / tactical / strategic
strategic
The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations. (p. 296) Options: transference / defense / acceptance / mitigation
transference
_________ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident. Options: damage assessment / containment development / incident response / disaster assessment
damage assessment (one of the two missed items; "incident response" is the broader process, of which damage assessment is one step)
_________ addresses are sometimes called electronic serial numbers or hardware addresses. Options: HTTP / IP / DHCP / MAC
MAC
________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization. (p. 207) Options: managerial / technical / operational / informational
managerial
__________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures. (p. 306) Options: qualitative assessment / a metric-centric model / quantitative assessment / a value-specific constant
qualitative assessment
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. (p. 209) Options: firewalling / hosting / redundancy / domaining
redundancy
__________ is simply how often you expect a specific type of attack to occur. (p. 301) Options: ARO, annualized rate of occurrence / CBA, cost-benefit analysis / ALE, annualized loss expectancy / SLE, single loss expectancy
ARO, annualized rate of occurrence
A fundamental difference between a Business Impact Analysis (BIA) and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________. (p. 220) Options: controls have been bypassed / controls have proven ineffective / controls have failed / all of the above
all of the above
According to NIST SP 800-14's security principles, security should ________. (p. 201-2) Options: support the mission of the organization / require a comprehensive and integrated approach / be cost-effective / all of the above
all of the above
Management of classified data includes its storage and _________. Options: distribution / portability / destruction / all of the above
all of the above
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________. (p. 209) Options: firewalls / proxy servers / access controls / all of the above
all of the above
__________ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede. Options: IR, incident response / DR, disaster recovery / BC, business continuity / BR
DR, disaster recovery
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. (p. 207) Options: networking / proxy / defense in depth / best-effort
defense in depth
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________. Options: loss frequency / annualized loss expectancy / likelihood / benefit of loss
loss frequency (one of the two missed items; annualized loss expectancy is the expected annual loss in dollars, not the expected number of losses)
A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it. (p. 266) Options: security clearance scheme / data recovery scheme / risk management scheme / data classification scheme
data classification scheme
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards. (p. 177) Options: de formale / de public / de jure / de facto
de jure
The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. (p. 295) Options: termination / defense / transference / acceptance
defense
Security __________ are the areas of trust within which users can freely communicate. (p. 210) Options: perimeters / domains / rectangles / layers
domains
Some people search trash and recycling bins, a practice known as _________, to retrieve information that could embarrass a company or compromise information security. Options: shoulder surfing / dumpster diving / pretexting / corporate espionage
dumpster diving
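The quantitative terms that recur on this quiz (the risk formula in the first item, ARO, loss frequency, ALE and CBA) are easy to confuse, and the two missed items are exactly that confusion. The Python below is an added example, not from the textbook or the quiz: it computes each term over a constructed two-asset worksheet. The asset figures, the hypothetical hardening control and its $30,000 annual cost are invented for illustration; SLE × ARO for ALE and ALE(prior) − ALE(post) − ACS for CBA are the standard textbook definitions rather than text from this page.

```python
"""Added example: quantitative risk terms (SLE, ARO, loss frequency, ALE, risk
with an uncertainty element, CBA) computed over a constructed asset worksheet."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: float      # dollar value of the asset (constructed figures below)
    exposure_factor: float  # fraction of that value lost in one successful attack
    aro: float              # annualized rate of occurrence: attacks expected per year
    p_success: float        # probability that a given attack succeeds against current controls
    uncertainty: float      # analyst's uncertainty, as a fraction added to the computed risk

    def sle(self) -> float:
        """Single loss expectancy: dollar loss from one successful attack."""
        return self.asset_value * self.exposure_factor

    def loss_frequency(self) -> float:
        """Likelihood of success coupled with attack frequency: expected losses per year."""
        return self.p_success * self.aro

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x expected number of losses per year."""
        return self.sle() * self.loss_frequency()

    def risk(self) -> float:
        """Probability of a successful attack x expected loss, plus the uncertainty element."""
        expected_loss = self.ale()
        return expected_loss + expected_loss * self.uncertainty


def cba(before: Exposure, after: Exposure, annual_cost_of_safeguard: float) -> float:
    """Cost-benefit analysis of a control: ALE(prior) - ALE(post) - ACS.
    A positive result means the control is expected to pay for itself."""
    return before.ale() - after.ale() - annual_cost_of_safeguard


def rank_by_risk(exposures: list[Exposure]) -> list[str]:
    """Order assets for the risk control phase, highest computed risk first."""
    return [e.asset for e in sorted(exposures, key=Exposure.risk, reverse=True)]


# Constructed worksheet: two assets, figures chosen for illustration only.
WEB_SERVER = Exposure("public web server", 200_000, 0.25, aro=12, p_success=0.10, uncertainty=0.20)
CUSTOMER_DB = Exposure("customer database", 1_000_000, 0.10, aro=2, p_success=0.05, uncertainty=0.50)

# Hypothetical hardening control on the web server: cuts attack success to 2%
# for an assumed $30,000 per year (both numbers invented for the example).
WEB_SERVER_HARDENED = replace(WEB_SERVER, p_success=0.02)
HARDENING_COST = 30_000


def worksheet() -> dict[str, float]:
    """Return the computed figures so they can be checked as well as printed."""
    return {
        "web_sle": WEB_SERVER.sle(),
        "web_loss_frequency": WEB_SERVER.loss_frequency(),
        "web_ale": WEB_SERVER.ale(),
        "web_risk": WEB_SERVER.risk(),
        "db_ale": CUSTOMER_DB.ale(),
        "db_risk": CUSTOMER_DB.risk(),
        "hardening_cba": cba(WEB_SERVER, WEB_SERVER_HARDENED, HARDENING_COST),
    }


if __name__ == "__main__":
    for name, value in worksheet().items():
        print(f"{name:>22}: {value:,.2f}")
    print("ranked:", rank_by_risk([CUSTOMER_DB, WEB_SERVER]))
```

Note how the two missed items fall out of the numbers: the web server's loss frequency is 1.2 expected losses per year (a count), while its ALE is $60,000 (a dollar figure), and the risk value adds the uncertainty element on top of that expected loss. The CBA of the hardening control is positive here, so the defense strategy is worth more than acceptance for that asset under these constructed figures.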