Exam 2 Quizzes
Tom determined the cost to reduce a particular risk impact is not warranted, and so there will be no response to the risk. This is an example of what kind of control strategy?
Risk acceptance
Which of the following organizations is best known for its series of technical InfoSec certifications through Global Information Assurance Certification (GIAC)?
SANS Institute
A control that should be applied to work tasks that are particularly sensitive is:
Separation of duties
Which of the following can function as standards or procedures to be used when configuring or maintaining systems?
SysSPs
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
TCSEC
Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?
access control list
Redundancy can be implemented at a number of points throughout the security architecture, such as in:
access controls; firewalls; proxy servers
Which of the following is NOT a part of an information security program?
activities used by an organization to manage the risks to its information assets; personnel used by an organization to manage the risks to its information assets; technologies used by an organization to manage the risks to its information assets
An ATM that limits what kinds of transactions a user can perform is an example of which type of access control?
constrained user interface
Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.
control
Controls that remedy a circumstance or mitigate damage done during an incident are categorized as __________.
corrective
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called _______________.
electronic vaulting
Using the simplified information classification scheme outlined in the text, all information that has been approved by management for public release has a(n) ____________________ classification.
external
An outline or structure of the organization's overall information security strategy that is used as a road map for planned changes to its information security environment is the security ____________________.
framework
Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs.
governance
A(n) ____________________ site is a fully configured computer facility with all services, communications links, and physical plant operations provided, including heating and air conditioning.
hot
The first phase of risk management is risk ____________________.
identification
RAID Level 1 is commonly called disk ____________________.
mirroring
To design a security program, an organization can use a security __________, which is a generic outline of the more thorough and organization-specific blueprint.
model
Which type of access controls can be role-based or task-based?
non-discretionary
The ____________________ controls focus on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.
operational
Which of the following variables is the most influential in determining how to structure an information security program?
organizational culture
The spheres of security model illustrates that there are far fewer protection layers between the information and potential attackers on the __________ side of the organization.
people
The boundary between the outer limit of an organization's security and the beginning of the outside world is a security ____________________.
perimeter
Management of classified data includes its storage and _________.
portability; distribution; destruction
Which of the following best describes what the SETA program is designed to do?
reduce the occurrence of accidental security breaches
The transfer of transaction data in real time to an off-site facility is called ______________.
remote journaling
A SETA program consists of three elements. Which of the following is one of them?
security awareness
____________________-specific security policies often function as standards or procedures to be used when configuring or maintaining systems.
systems
After identifying and performing the preliminary classification of an organization's information assets, the analysis phase moves on to an examination of the ____________________ facing the organization.
threats
Asset ____________________ is the process of assigning financial value or worth to each information asset.
valuation
In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.
weighted factor analysis
Which objects and subjects have a label in a MAC model?
All objects and subjects have a label
Which of the following certifications is considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral?
CISSP
Which of the following is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts?
EISP
Using redundant components is a common method to achieve:
Fault tolerance
Which one of the following controls protects an organization in the event of a sustained period of power loss?
Generator
Which of the following is NOT one of the BIA stages?
Identify resource requirements; Determine mission/business processes and recovery criticality; Identify recovery priorities for system resources
_________ addresses are sometimes called electronic serial numbers or hardware addresses.
MAC
Which of the following are the controls that cover security processes and are designed by strategic planners and implemented by the security administration of the organization?
Managerial
Sabrina recently implemented a network intrusion prevention system for the purpose of blocking common attacks on the company's network. What would you call the risk management strategy she is applying?
Mitigation
Eleni has Secret clearance and is accessing files that use a mandatory access control scheme with Top Secret, Secret, Confidential, and Unclassified labels. If she has a valid need-to-know, which classification level(s) are we certain she can access?
Only Secret
Which one of the following metrics represents the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources?
RTO
Most network servers have redundant power supplies, which provide fault tolerance and therefore represent _____________ controls.
Recovery
Which one of the following events, once completed, marks the completion of a disaster recovery process?
Restoring operations in the primary facility
_________ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty.
Risk
A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection is:
Defense in depth
Which of the following models allows the owner of an object to grant privileges to other users?
Discretionary access
Purchasing insurance is a form of what type of risk response?
Transfer
Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
appetite
The purpose of SETA is to enhance security in all but which of the following ways?
by adding barriers
An alternate site that provides only rudimentary services and facilities is known as a(n) ____________ site.
cold
Physical keys are an example of a(n) __________ control, which will temporarily replace electronic door locks in the case of a power outage.
compensating
What term describes a layered security approach that provides comprehensive protection?
defense-in-depth
A(n) ____________________ backup includes all files that have changed or been added since the last full backup.
differential
Security __________ are the areas of trust within which users can freely communicate.
domains
Some people search trash and recycling bins—a practice known as _________—to retrieve information that could embarrass a company or compromise information security.
dumpster diving
A(n) ____________________ is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization.
incidents
What level of privilege should an employee have?
least amount
____________________ is the probability that a specific vulnerability within an organization's assets will be successfully attacked.
likelihood