IS Exam 2
Risk Management Process
1. Risk Identification 2. Risk Assessment 3. Risk Response 4. Implement risk responses 5. Monitor and control risk responses
Risk Methodology
A description of how you will manage overall risk. It includes the approach, required information, and techniques to address each risk.
Business Impact Analysis
A formal analysis of an organization's functions and activities that classifies them as critical or noncritical. Arranges critical activities based on importance and helps an organization determine which functions to restore in what order.
Risk Register
A list of identified risks that results from the risk-identification process.
Advantages of Biometrics
A person must be physically present to authenticate; there is nothing to remember; biometrics are hard to fake; lost IDs or forgotten passwords are not problems.
An audit examines whether security controls are appropriate, installed correctly, and _____. a. current b. addressing their purpose c. authorized d. cost effective
Addressing their purpose
The incident-handling process includes which of the following? a. documentation b. response c. notification d. recovery and follow-up e. all of the above
All of the above
What is the primary purpose of a business impact analysis (BIA)? a. to identify, categorize, and prioritize mission-critical business functions b. to provide a road map for business continuity and disaster recovery planning c. to assist organizations with risk management d. to assist organizations with incident response planning e. all of the above
All of the above
The objectives of classifying information include which of the following? a. to identify data value in accordance with organization policy b. to identify information protection requirements c. to standardize classification labeling throughout the organization d. to comply with privacy law, regulations, and so on e. all of the above
All of the above
Single Sign On
Allows users to sign on to a computer or network once and have their identification and authentication credentials grant them access to all computers and systems where they are authorized.
Elements of Risk
Assets Vulnerabilities Threats
Which answer best describes the authentication component of access control? a. authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access b. authentication is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited c. authentication is the process of determining who is approved for access and what resources they are approved for d. authentication is the method a subject uses to request access to a system
Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access
Authentication vs Identification
Identification is the subject claiming an identity when requesting access (for example, presenting a username or ID card). Authentication is verifying that claim, so that access is given to the right person.
Which answer best describes the authorization component of access control? a. authorization is the method a subject uses to request access to a system b. authorization is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited c. authorization is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access d. authorization is the process of determining who is approved for access and what resources they are approved for
Authorization is the process of determining who is approved for access and what resources they are approved for
A _____ is a standard used to measure how effective your system is as it relates to industry expectations. a. control objective b. configuration c. benchmark d. policy
Benchmark
A plan that contains the actions needed to keep critical business processes running after a disruption is called a ____. a. disaster recovery plan (DRP) b. business impact analysis (BIA) c. business continuity plan (BCP) d. none of the above
Business Continuity plan
An algorithm used for cryptographic purposes is known as a ____. a. hash b. private key c. public key d. cipher
Cipher
The recovery point objective defines the last point in time for _____ recovery that can be enabled back into production. a. system b. application c. production d. data
Data
A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a ______. a. disaster recovery plan (DRP) b. business impact analysis (BIA) c. business continuity plan (BCP) d. none of the above
Disaster Recovery Plan
When the owner of the resource determines the access and changes permissions as needed, it's known as ______. a. mandatory access control b. discretionary access control c. non-discretionary access control d. content-dependent access control e. role-based access control
Discretionary access control
What law governs the release of student information? a. HIPAA b. SOX c. FERPA d. CIPA e. none of the above
FERPA
Which software testing method provides random input to see how software handles unexpected data? a. injection b. fuzzing c. valid error input d. boundary input
Fuzzing
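The card above describes fuzzing in one sentence; the following is an added example, not code from the original flashcards, that shows the technique working end to end. The target is a constructed, deliberately buggy parser for a simple length-prefixed record format (1-byte length, payload, 1-byte additive checksum). A mutation fuzzer feeds it randomly altered versions of a valid record and records every input that makes the parser fail in a way its author did not plan for. The record format, the bug, and the mutation strategy are all assumptions made for this illustration.

```python
"""Mutation fuzzer against a constructed, deliberately buggy record parser.

Record layout (assumed for this example): [length][payload...][checksum]
"""
import random


def parse_record(data: bytes) -> bytes:
    """Constructed target. Bug: it trusts the declared length field and never
    checks that the buffer really contains that many payload bytes."""
    if not data:
        raise ValueError("empty record")           # documented rejection path
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]                    # IndexError when length lies
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")           # documented rejection path
    return payload


def make_record(payload: bytes) -> bytes:
    """Build a valid record, used as the fuzzer's seed input."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, truncate, or append bytes."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) > 1:
        del buf[rng.randrange(len(buf)):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> list:
    """Return (input, exception) pairs for inputs that crashed the parser.

    ValueError is the parser's intended way of rejecting bad input, so it is
    not counted; any other exception is an unhandled failure worth reporting.
    """
    rng = random.Random(rng_seed)                  # fixed seed: reproducible run
    crashes = []
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            parse_record(candidate)
        except ValueError:
            pass
        except Exception as exc:                   # noqa: BLE001 - that is the point
            crashes.append((candidate, exc))
    return crashes


if __name__ == "__main__":
    found = fuzz(make_record(b"hello"), 500)
    print(f"{len(found)} crashing inputs found")
    for data, exc in found[:3]:
        print(data.hex(), type(exc).__name__, exc)
```

A real fuzzer (AFL, libFuzzer, boofuzz) adds coverage feedback and crash triage, but the loop is the same: mutate, run, watch for behaviour the program's own error handling did not anticipate. Here the crashes are all `IndexError`s caused by a length field larger than the buffer, which in a C parser would be an out-of-bounds read.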
Policy Enforcement Phase
Grants or rejects requests for access based on authorizations defined in the first phase.
Any event that either violates or threatens to violate your security policy is known as a ___. a. countermeasure b. impact c. risk d. incident
Incident
Authentication Types
Knowledge Ownership Characteristics Location Action
Data Retention
Laws outline the right ways to handle, store, and dispose of data
When you log on to a network, you are presented with some combination of username, password, token, smart card, or biometrics. You are then authorized or denied access by the system. This is an example of ____. a. physical access controls b. logical access controls c. group membership policy d. the Biba integrity model e. none of the above
Logical access controls
Configuration Management
Managing the baseline settings of a system or device.
______ is the limit of time that a business can survive without a particular critical system. a. recovery time objective (RTO) b. critical business function (CBF) c. maximum tolerable downtime (MTD) d. none of the above
Maximum tolerable downtime (MTD)
Types of Access Controls
Physical Logical
Change Management
Process of managing changes to computer/device configuration or application software
Which term indicates the maximum amount of data loss over a time period? a. RAI b. ROI c. RTO d. RPO e. none of the above
RPO
Log Files
Records that detail who logged onto the system, when they logged on, and what information and resources they used.
A common platform for capturing and analyzing log entries is _____. a. intrusion detection system b. honeypot c. security information and event management (SIEM) d. HIPAA e. all of the above
SIEM
Media Disposal
Shredding, burning, grinding of CDs and other forms of media to dispose of private information.
In ____ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern matching and stateful matching. a. signature-based b. anomaly-based c. heuristic scanning d. all of the above
Signature based
Monitoring and Reviews
Software that monitors your activity logs and generates alerts when it finds suspicious activity
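The cards on log files, SIEM, signature-based IDS, and monitoring all describe the same mechanism from different angles: collect entries, match them against known-bad patterns, and raise an alert. The following is an added example, not code from the original flashcards, that runs both kinds of signature match the IDS card names over a handful of constructed syslog-style lines: stateless pattern matching (a regex per signature) and stateful matching (a count of failed logins from one source inside a time window). The log lines, the signatures, and the threshold are all assumptions made for this illustration.

```python
"""Signature-based review of log entries: pattern matches plus one stateful rule."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like); not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.5 port 50001
2024-03-01T10:00:03 sshd[101]: Failed password for root from 203.0.113.5 port 50002
2024-03-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.5 port 50003
2024-03-01T10:00:06 sshd[101]: Failed password for root from 203.0.113.5 port 50004
2024-03-01T10:00:09 sshd[101]: Accepted password for root from 203.0.113.5 port 50005
2024-03-01T10:05:00 webapp[202]: GET /index.php?id=1' OR '1'='1 from 198.51.100.7
2024-03-01T10:06:00 sshd[101]: Accepted publickey for alice from 192.0.2.10 port 4000
"""

# "<timestamp> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")

# Stateless signatures: each one is a pattern applied to a single message.
SIGNATURES = [
    ("sqli_tautology",
     re.compile(r"'\s*OR\s*'1'\s*=\s*'1.* from (?P<src>\S+)", re.IGNORECASE)),
    ("root_password_login",
     re.compile(r"^Accepted password for root from (?P<src>\S+)")),
]

# Stateful signature: failed logins counted per source over a sliding window.
FAILED_RE = re.compile(r"^Failed password for \S+ from (?P<src>\S+)")


def parse_line(line):
    """Split one log line into (timestamp, process, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["proc"], m["msg"]


def analyze(log_text, fail_threshold=3, window=timedelta(seconds=60)):
    """Return alerts as (signature_name, timestamp, source) tuples, in log order."""
    alerts = []
    failures = defaultdict(list)          # source -> timestamps of recent failures
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue                      # unparseable lines are skipped, not fatal
        ts, _proc, msg = parsed
        for name, rx in SIGNATURES:       # stateless pattern matching
            m = rx.search(msg)
            if m:
                alerts.append((name, ts, m["src"]))
        m = FAILED_RE.match(msg)          # stateful matching
        if m:
            src = m["src"]
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) == fail_threshold:   # fire once when the threshold is hit
                alerts.append(("ssh_bruteforce", ts, src))
    return alerts


if __name__ == "__main__":
    for name, ts, src in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {name} source={src}")
```

Run as a script it prints three alerts: the brute-force rule fires on the third failure from 203.0.113.5, the successful root password login right after it matches a stateless signature, and the SQL-injection probe from 198.51.100.7 matches another. The brute-force rule is the stateful part: no single line is suspicious, only the sequence is, which is exactly what a SIEM correlates across entries.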
_____ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization
Standards
Which of the following is an example of a formal model of access control? a. discretionary access control (DAC) b. mandatory access control (MAC) c. non-discretionary access control d. the Clark-Wilson integrity model e. all of the above
The Clark-Wilson integrity model
Risk management is responding to a negative event when it occurs. a. True b. False
False. Risk management is the proactive process of identifying, assessing, prioritizing, and addressing risks before they are realized; responding to a negative event once it has occurred is incident response.
With respect to IT security, a risk can result in either a positive or negative effect a. True b. False
True
Four Central Components of Access Control
Users Resources Actions Relationships
There are several types of software development methods, but most traditional methods are based on the ____ model. a. modification b. waterfall c. developer d. integration
Waterfall
Policy Definition Phase
Defines who has access and which systems or resources they can use.
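The policy definition and policy enforcement phases, together with the four components (users, resources, actions, relationships), map directly onto a small access-control matrix. The following is an added example, not code from the original flashcards, that implements both phases: grants record the relationships, the check answers each request from those grants and denies anything not explicitly allowed, and every decision is appended to an audit trail of the kind the log-file card describes. The users, resources, and grants are constructed for the illustration.

```python
"""Policy definition (grants) and policy enforcement (check) for access control."""
from collections import namedtuple

# One enforcement decision; the audit log is a list of these.
Decision = namedtuple("Decision", "allowed user resource action")


class AccessPolicy:
    """Relationships between users, resources, and permitted actions."""

    def __init__(self):
        self._grants = {}       # (user, resource) -> set of permitted actions
        self.audit_log = []     # every decision made in the enforcement phase

    # ---- policy definition phase ----
    def grant(self, user, resource, *actions):
        """Record that `user` may perform `actions` on `resource`."""
        self._grants.setdefault((user, resource), set()).update(actions)

    def revoke(self, user, resource, *actions):
        """Remove permissions; revoking something never granted is a no-op."""
        self._grants.get((user, resource), set()).difference_update(actions)

    # ---- policy enforcement phase ----
    def check(self, user, resource, action):
        """Answer one access request from the defined relationships.

        Anything not explicitly granted is denied, including requests from
        unknown users or for unknown resources (deny by default).
        """
        allowed = action in self._grants.get((user, resource), set())
        decision = Decision(allowed, user, resource, action)
        self.audit_log.append(decision)
        return decision


def build_example_policy():
    """Constructed sample policy: a payroll database and a wiki."""
    policy = AccessPolicy()
    policy.grant("alice", "payroll-db", "read", "write")   # resource owner
    policy.grant("bob", "payroll-db", "read")              # least privilege: read only
    policy.grant("bob", "wiki", "read", "write")
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    for req in [("alice", "payroll-db", "write"),
                ("bob", "payroll-db", "write"),
                ("eve", "payroll-db", "read")]:
        d = p.check(*req)
        print("ALLOW" if d.allowed else "DENY ", d.user, d.action, d.resource)
```

Because the owner edits the grants, this is discretionary access control in miniature; a mandatory model would instead compare labels on the user and the resource, and a role-based one would attach grants to roles rather than to individual users. The deny-by-default branch is the part worth copying: an enforcement point that falls through to "allow" when it finds no matching rule is a common real-world bug.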
Business Continuity Plan
a written plan for a structured response to any events that result in an interruption to critical business functions or activities.
What elements must a written GLBA information security program include? a. technical safeguards b. physical safeguards c. administrative safeguards d. a designated employee to run the program e. all of the above
all of the above
Which of the following business drivers are impacting businesses' and organization's security requirements and implementations? a. Mobility b. Regulatory compliance c. Productivity enhancements d. Always on connectivity e. All of the above
all of the above
Which of the following is one of the four basic forms of a cryptographic attack? a. ciphertext-only attack b. known-plaintext attack c. chosen-plaintext attack d. chosen-ciphertext attack e. all of the above
all of the above
Single Point of Failure (SPOF)
Any component that, if it fails, could interrupt business processing.
Vulnerability
any exposure that could allow a threat to be realized
A _____ is used to detect forgeries. a. hash function b. checksum c. hash value d. KDC
Checksum (note for practice: an unkeyed checksum or plain hash only detects accidental alteration, since anyone who can change the message can recompute it; detecting deliberate forgery requires a keyed hash such as an HMAC, or a digital signature)
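To make that caveat concrete, the following is an added example, not code from the original flashcards. It protects a message first with a simple additive checksum and then with an HMAC (a keyed hash). An attacker who can rewrite the message forges the checksum trivially by appending one byte; the same attacker cannot produce a valid HMAC without the key. The message, key, and attacker's edit are constructed for the illustration; the additive checksum stands in for CRC-style checks, which share the weakness.

```python
"""Unkeyed checksum versus keyed hash (HMAC) for detecting tampering."""
import hashlib
import hmac


def checksum(data: bytes) -> int:
    """Additive checksum mod 256: catches accidental corruption only."""
    return sum(data) % 256


def verify_checksum(data: bytes, tag: int) -> bool:
    return checksum(data) == tag


def forge_checksum(original: bytes, forged: bytes) -> bytes:
    """Return `forged` plus one trailing byte so its checksum equals that of
    `original`. No secret is involved, so the attacker can always do this."""
    delta = (checksum(original) - checksum(forged)) % 256
    return forged + bytes([delta])


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256: a tag that only holders of `key` can compute."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so the comparison itself leaks nothing.
    return hmac.compare_digest(mac(key, data), tag)


def demo():
    """Run both schemes against the same forgery attempt; return the outcomes."""
    key = b"shared-secret-assumed-for-this-example"    # constructed key
    msg = b"PAY alice 100"                              # constructed message
    forged = b"PAY mallory 999"                         # attacker's replacement

    csum_tag = checksum(msg)                            # what the sender attached
    mac_tag = mac(key, msg)

    forged_for_checksum = forge_checksum(msg, forged)   # attacker fixes up checksum
    return {
        "checksum_accepts_forgery": verify_checksum(forged_for_checksum, csum_tag),
        "mac_accepts_original": verify_mac(key, msg, mac_tag),
        "mac_rejects_forgery": not verify_mac(key, forged, mac_tag),
        "mac_rejects_padded_forgery": not verify_mac(key, forged_for_checksum, mac_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

All four results come out `True`: the checksum verifier accepts the forged payment, while the HMAC verifier accepts only the original. An unkeyed cryptographic hash such as SHA-256 sits in between: stronger than an additive checksum against collisions, but still recomputable by the attacker unless the hash value itself is protected by a key or a signature.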
Gap Analysis
Comparison of the security controls you have in place and the controls you need.
What is a main goal of the PCI Security Standards Council? a. define a standardized approach for protecting cardholder data b. recommend firewall solutions c. define how to process credit cards d. mandate that organizations follow a standard to protect cardholder data
define a standardized approach for protecting cardholder data
Technical Recovery Requirements
define the technical prerequisites that are needed to support each critical business function
Security Policy
Defines a risk-mitigating requirement or solution for your organization.
A ________ signature is a representation of a physical signature stored in digital format. a. digital b. digitized c. private key d. public key
Digitized. (A digitized signature is just a scanned image of a handwritten signature and proves nothing on its own. A digital signature is a cryptographic value computed over a message with the signer's private key and verified with the public key; the two terms are not interchangeable.)
Disaster Recovery Plan
directs the actions necessary to recover resources after a disaster
Policies
Document management's goals and objectives (a short summary of key facts, stated at a high level).
GPS
install a GPS that uses satellite and cellular communications to pinpoint the physical location of the device
Remote Wiping
install software that will enable organizations to initiate remote wiping of data or email in the event of loss or theft of the device
Standards
mandated requirements for hardware and software solutions used to address security risk throughout an organization
____ corroborates the identity of an entity, whether the sender, the sender's computer, some device, or some information. a. nonrepudiation b. confidentiality c. integrity d. authentication
Authentication. (Nonrepudiation is a different property: it prevents a party from later denying that they sent or received a message, typically by means of a digital signature.)
Disadvantages of Biometrics
Physical characteristics might change over time; some physically disabled persons cannot enroll in or use a given biometric system.
_____ is the concept that users should be granted only the levels of permissions they need in order to perform their duties. a. mandatory vacations b. separation of duties c. job rotation d. principle of least privilege e. none of the above
principle of least privilege
Guidelines
provide structure to a security program. actions that the organization recommends.
What types of companies must follow all Sarbanes-Oxley Act provisions? a. public b. private c. nonprofit d. governmental e. none of the above
public
The review of the system to learn as much as possible about the organization, its systems, and networks is known as _____. a. penetration testing b. vulnerability testing c. network mapping d. reconnaissance
reconnaissance
Which of the following terms defines the amount of time it takes to recover a production IT system, application, and access to data? a. recovery point objective b. recovery time objective c. risk exposure time d. production recovery time
recovery time objective
Impact
refers to the amount of harm a threat exploiting a vulnerability can cause
Asset Tracking
Require that all IT assets connected to the IT infrastructure be tracked as IT assets by the organization.
Device Access Control
require that all personally owned devices conform to the BYOD policy
Full Device Encryption
require that laptops, tablets, and smartphones are equipped with data encryption
Removable Storage
require the use of removable storage or data backups as defined in the BYOD policy
Business Recovery Requirements
requirements identify any other business functions that must already be in place for the recovery function to occur.
Threat
Any action or event that could damage an asset; something that might happen, as opposed to a vulnerability, which is the weakness that would let it happen.
Procedures
step by step systematic actions to accomplish a security requirement process
Security Gap
the difference between the security controls you have in place and the controls you need in order to address all vulnerabilities
Risk
the likelihood that a particular threat will be realized against a specific vulnerability
Recovery Time Objective
The maximum allowable time to recover the function.
Recovery Point Objective (RPO)
the maximum amount of data loss that is acceptable.
Emergency Operations Center (EOC)
the place where the recovery team will meet and work during a disruption
Risk Management
the process of identifying, assessing, prioritizing, and addressing risks