ISA 3300 Chapter 5


Legal assessment for the implementation of the information security program is almost always done by the information security or IT department. True False

False

Threats from insiders are more likely in a small organization than a large one. True False

False

According to Wood, which of the following is a reason the InfoSec department should report directly to top management? a. It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole. b. It allows independence in the InfoSec department, especially if it is needed to audit the IT division. c. It prevents InfoSec from becoming a drain on the IT budget. d. It allows the InfoSec executive to dictate security requirements with greater authority to the other business divisions.

a. It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole.

Small organizations spend more per user on security than medium-sized or large organizations. True False

True

The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral. a. CISSP b. GIAC Security Leadership Certification c. Security + d. Associate of (ISC)2

a. CISSP

An (ISC)2 program geared toward individuals who want to take any of its certification exams before obtaining the requisite experience for certification is the __________. a. Associate of (ISC)2 b. SSCP c. ISSAP d. ISSMP

a. Associate of (ISC)2

An ISACA certification targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance, is known as the __________. a. CGEIT b. CISM c. CISSP d. CRISC

a. CGEIT

Larger organizations tend to spend approximately __________ percent of the total IT budget on security. a. 2 b. 5 c. 11 d. 20

b. 5

In large organizations, the InfoSec department is often located within a(n) _________ division headed by the _________, who reports directly to the _________. a. IT, CISO, CIO b. Finance, Comptroller, CFO c. Security, CSO, CIO d. Legal, Corporate Counsel, CEO

a. IT, CISO, CIO

Smaller organizations tend to spend approximately _______ percent of their total IT budget on security. a. 2 b. 5 c. 11 d. 20

d. 20

Which of the following organizations is best known for its series of technical InfoSec certifications through Global Information Assurance Certification (GIAC)? a. SANS Institute b. (ISC)2 c. ISACA d. EC-Council

a. SANS Institute

To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT: a. form a committee and approve suggestions from the CISO b. learn more about the requirements and qualifications needed c. learn more about budgetary and personnel needs d. grant the InfoSec function needed influence and prestige

a. form a committee and approve suggestions from the CISO

The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics? a. market b. budget c. size d. culture

a. market

Organizations classified as ______ may still be large enough to implement the multitier approach to security, though perhaps with fewer dedicated groups and more functions assigned to each group. a. medium-sized b. small-sized c. large-sized d. super-sized

a. medium-sized

Which of the following would most likely be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems? a. security technician b. security analyst c. security consultant d. security manager

a. security technician

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness? a. systems testing b. risk assessment c. incident response d. risk treatment

a. systems testing

Which of the following is an advantage of the user support group form of training? a. usually conducted in an informal social setting b. formal training plan c. can be live, or can be archived and viewed at the trainee's convenience d. can be customized to the needs of the trainee

a. usually conducted in an informal social setting

As noted by Kosutic, options for placing the CISO (and his or her security group) in the organization are generally driven by organizational size and include all of the following except: a. within a division/department with a conflict of interest b. in a separate group reporting directly to the CEO/president c. under a division/department with no conflict of interest d. as an additional duty for an existing manager/executive

a. within a division/department with a conflict of interest

Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function? a. The average salary of the top security executive typically exceeds that of the typical IT executive, creating professional rivalries between the two. b. There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information. c. There is a fundamental difference in the mission of the InfoSec department, which seeks to minimize access to information, and the IT function, which seeks to increase accessibility of information. d. None of the above are reasons the InfoSec department should NOT fall under the IT function.

b. There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information.

__________ is a simple project management planning tool. a. RFP b. WBS c. ISO 17799 d. SDLC

b. WBS

A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as __________. a. a security technician b. a security analyst c. a security consultant d. a security manager

b. a security analyst

The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge b. by adding barriers c. by developing skills d. by improving awareness

b. by adding barriers

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation? a. policy b. centralized authentication c. compliance/audit d. risk management

b. centralized authentication

Which of the following is NOT a step in the process of implementing training? a. administer the program b. hire expert consultants c. motivate management and employees d. identify target audiences

b. hire expert consultants

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk? a. risk treatment b. risk assessment c. systems testing d. vulnerability assessment

b. risk assessment

Medium organizations tend to spend approximately __________ percent of the total IT budget on security. a. 2 b. 5 c. 11 d. 20

c. 11

Which of the following organizations is best known for its series of certifications targeted to information systems audit, information security, risk control, and IT governance? a. SANS Institute b. (ISC)2 c. ISACA d. EC-Council

c. ISACA

Which of the following is an advantage of the one-on-one method of training? a. trainees can learn from each other b. very cost-effective c. customized to the needs of the trainee d. maximizes use of company resources

c. customized to the needs of the trainee

There are a number of methods for customizing training for users; two of the most common involve customizing by __________ and by __________. a. skill level; employee rank b. department; seniority c. functional background; skill level d. educational level; organizational need

c. functional background; skill level

Which of the following is the first step in the process of implementing training? a. identify training staff b. identify target audiences c. identify program scope, goals, and objectives d. motivate management and employees

c. identify program scope, goals, and objectives

"GGG security" is a term commonly used to describe which aspect of security? a. technical b. software c. physical d. policy

c. physical

Which function needed to implement the information security program includes researching, creating, maintaining and promoting information security plans? a. compliance b. policy c. planning d. SETA programs

c. planning

What is the SETA program designed to do? a. reduce the occurrence of external attacks b. improve operations c. reduce the occurrence of accidental security breaches d. increase the efficiency of InfoSec staff

c. reduce the occurrence of accidental security breaches

A SETA program consists of three elements: security education, security training, and which of the following? a. security accountability b. security authentication c. security awareness d. security authorization

c. security awareness

Which of the following is NOT a part of an information security program? a. technologies used by an organization to manage the risks to its information assets b. activities used by an organization to manage the risks to its information assets c. personnel used by an organization to manage the risks to its information assets d. All of these are part of an information security program.

d. All of these are part of an information security program.

An ISACA certification targeted at IT professionals who are in careers that link IT risk management with enterprise risk management is known as the __________. a. CGEIT b. CISM c. CISSP d. CRISC

d. CRISC

Which of the following organizations offers the Certified CISO (C|CISO) certification? a. SANS Institute b. (ISC)2 c. ISACA d. EC-Council

d. EC-Council

Which of the following is true about the security staffing, budget, and needs of a medium-sized organization? a. It has a larger dedicated (full-time) security staff than a small organization. b. It has a larger security budget (as a percent of IT budget) than a small organization. c. It has a smaller security budget (as a percent of IT budget) than a large organization. d. It has larger information security needs than a small organization.

d. It has larger information security needs than a small organization.

Which of the following is true about a company's InfoSec awareness Web site? a. It should contain few images to avoid distracting readers. b. Appearance doesn't matter if the information is there. c. It should be placed on the Internet for public use. d. It should be tested with multiple browsers.

d. It should be tested with multiple browsers.

Which of the following variables is the most influential in determining how to structure an information security program? a. security capital budget b. competitive environment c. online exposure of organization d. organizational culture

d. organizational culture

Which of the following is the most cost-effective method for disseminating security information and news to employees? a. employee seminars b. security-themed Web site c. conference calls d. e-mailed security newsletter

d. e-mailed security newsletter

Which of the following is an advantage of the formal class method of training? a. increased personal interaction between trainer and trainee b. self-paced; can go as fast or as slow as the trainee needs c. can be scheduled to fit the needs of the trainee d. interaction with trainer is possible

d. interaction with trainer is possible

Which of the following is a disadvantage of the one-on-one training method? a. inflexible scheduling b. may not be responsive to the needs of all the trainees c. content may not be customized to the needs of the organization d. resource intensive, to the point of being inefficient

d. resource intensive, to the point of being inefficient

This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator. a. security technician b. security analyst c. security consultant d. security manager

d. security manager
