ISM 4223 Quiz 1-12


An ISACA certification targeted at IT professionals who are in careers that link IT risk management with enterprise risk management is known as the __________.

CRISC

Which of the following activities is part of the risk evaluation process?

Calculating the severity of risks to which assets are exposed in their current setting

Which of the following are instructional codes that guide the execution of the system when information is passing through it?

Configuration rules

In which form of access control is access to a specific set of information contingent on its subject matter?

Content-dependent access controls

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

Corrective

A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a(n) __________.

Cracker

Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.

Create a subjective ranking based on anticipated recovery costs

Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?

DMCA

Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________.

Data users

Which of the following is the first major task in the BIA, according to NIST SP 800-34, Rev. 1?

Determine mission/business processes and recovery criticality.

Which control category discourages an incipient incident—e.g., video monitoring?

Deterrent

Which policy is the highest level of policy and is usually created first?

EISP

With policy, the most common distribution methods are hard copy and __________.

Electronic

The Microsoft Risk Management Approach includes four phases; which of the following is NOT one of them?

Evaluating alternative strategies

An alert digest is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process.

F

An effective information security governance program requires no ongoing review once it is well established.

F

An intranet vulnerability scan starts with the scan of the organization's default Internet search engine.

F

Dumpster exploitation is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information.

F

Ethics carry the sanction of a governing authority.

F

In e-commerce situations, some cryptographic tools can be used for misrepresentation in order to assure that parties to the transaction are authentic, and that they cannot later deny having participated in a transaction.

F

Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations.

F

WLAN stands for "wide local area network."

F

When operating any kind of organization, a certain amount of debt is always involved.

F

When performing full-interruption testing, normal operations of the business are not impacted.

F

The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk treatment strategy.

F, transference

The risk treatment strategy that indicates the organization is willing to accept the current level of risk and do nothing further to protect an information asset is known as the termination risk treatment strategy.

False - acceptance

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility.

False - technical

Which of the following is true about firewalls and their ability to adapt in a network?

Firewalls deal strictly with defined patterns of measured observation.

Which of the following is the best example of a rapid-onset disaster?

Flood

Each of the following is a recommendation from the FDIC when creating a successful SLA EXCEPT:

Forecasting costs

Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs.

Governance

Incorporating InfoSec components into periodic employee performance evaluations can __________.

Heighten InfoSec awareness

Which of the following is NOT a step in the process of implementing training?

Hire expert consultants

Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security.

11

Smaller organizations tend to spend approximately __________ percent of the total IT budget on security.

20

Force majeure includes all of the following EXCEPT:

Armed robbery

Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?

Authentication

The C.I.A. triad for computer security includes which of these characteristics?

Availability

The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints.

Investigation

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?

Malice

A type of attack where the adversary intercepts network packets, modifies them, and inserts them back into the network is called a ____________.

Man-in-the-middle

A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________.

Methodology

The EISP must directly support the organization's __________.

Mission statement

Which of the following is NOT a category of access control?

Mitigating

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?

Monitoring and measurement

The protection of voice and data components, connections, and content is known as __________ security.

Network

Access control list user privileges include all but which of these?

Operate

Which of the following variables is the most influential in determining how to structure an information security program?

Organizational culture

The __________ process is designed to find and document vulnerabilities that may be present because there are misconfigured systems in use within the organization.

PSV

Which function of InfoSec management encompasses security personnel as well as aspects of the SETA program?

People

In which cipher method are values rearranged within a block to create the ciphertext?

Permutation

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?

Policy administrator

Which of the following is NOT one of the basic rules that must be followed when developing a policy?

Policy should be focused on protecting the organization from public embarrassment

Which of the following is NOT a common type of background check that may be performed on a potential employee?

Political activism

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

Political feasibility

Which subset of civil law regulates the relationships among individuals and among individuals and organizations?

Private

The Risk Management Framework includes all of the following EXCEPT:

Process contingency planning

__________ allows for major security control components to be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate.

Program Review

The ISO certification process takes approximately six to eight weeks and involves all of the following steps EXCEPT:

Rejection of the certification application based on lack of compliance or failure to remediate shortfalls

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

Relative value

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

Risk appetite

Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle?

Security clearances

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________.

Security manager

Data classification schemes should categorize information assets based on which of the following?

Sensitivity and security needs

Which of the following biometric authentication systems is the most accepted by users?

Signature recognition

Which of the following is NOT among the three types of authentication mechanisms?

Something a person says

Which of the following is not among the three types of authentication mechanisms?

Something a person sees

A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization—for example, the information assets used in a particular organization—is known as a(n) _________.

Stakeholder

Which type of firewall keeps track of each network connection established between internal and external systems?

Stateful packet inspection

A clearly directed strategy flows from top to bottom rather than from bottom to top.

T

A firewall is any device that prevents a specific type of information from moving between the untrusted network and the trusted network.

T

A hot site is a fully configured computing facility that includes all services, communications links, and physical plant operations.

T

A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.

T

A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access.

T

A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.

T

A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures.

T

According to the CGTF, the organization should treat InfoSec as an integral part of the system life cycle.

T

All systems that are mission critical should be enrolled in platform security validation (PSV) measurement.

T

Biometrics are the use of physiological characteristics to provide authentication of an identification.

T

Deterrence is the best method for preventing an illegal or unethical activity.

T

Due diligence requires that an organization make a valid and ongoing effort to protect others.

T

One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"

T

Policy needs to be reviewed and refreshed from time to time to ensure that it's providing a current foundation for the information security program.

T

Project management is focused on achieving the objectives of the project.

T

Project scope management ensures that the project plan includes only those activities that are necessary to complete it.

T

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

T

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

T

The process of identifying and documenting specific and provable flaws in the organization's information asset environment is called vulnerability assessment (VA).

T

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

The Electronic Communications Privacy Act of 1986

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.

The type of crime committed

Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function?

There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information.

A process called __________ examines the traffic that flows through a system and its associated devices to identify the most frequently used devices.

Traffic analysis

Which of the following risk treatment strategies describes an organization's attempt to shift risk to other assets, other processes, or other organizations?

Transference

Which of the following is a "possible" indicator of an actual incident, according to Donald Pipkin?

Unusual consumption of computing resources

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.

evidentiary material

Larger organizations tend to spend approximately __________ percent of the total IT budget on security.

5

What are the two general approaches for controlling user authorization for the use of a technology?

Access control lists and capability tables

What function will an audit log provide when it is configured to track user activity on an information system?

Accountability

__________ are a component of the "security triple."

All of the above

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?

Are the user accounts of former employees immediately removed on termination?

Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?

Benchmarking

Which of the following is the first component in the contingency planning process?

Business impact analysis

Which of the following is not among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

Centralized authentication

Which document must be changed when evidence changes hands or is stored?

Chain of custody

A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________.

Champion

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.

Champion

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.

Chief information security officer (CISO)

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

Common good

The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents is known as the __________.

Computer security incident response team (CSIRT)

After an incident, but before returning to its normal duties, the CSIRT must do which of the following?

Conduct an after-action review.

The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster are known as __________.

Contingency planning

Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as __________.

Contract employees

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________.

Cost avoidance

The group of senior managers and project members organized to conduct and lead all CP efforts is known as the __________.

Crisis management planning team (CMPT)

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________.

Digital forensics

The bastion host is usually implemented as a __________, as it contains two network interfaces: one that is connected to the external network and one that is connected to the internal network, such that all traffic must go through the device to move between the internal and external networks.

Dual-homed host

What do you call the legal requirements that an organization must adopt a standard based on what a prudent organization should do, and then maintain that standard?

Due care and due diligence

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________.

Dumpster diving

A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.

E-discovery

According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?

Establishing

Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization.

Examples

A bollard host is a device placed between an external, untrusted network and an internal, trusted network.

F

A management model such as ISO 27000 deals with methods to maintain systems.

F

A security metric is an assessment of the performance of some action or process against which future performance is assessed.

F

A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects.

F

A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances.

F

A user ticket is opened when a user calls about an issue.

F

A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information.

F

Access control lists regulate who, what, when, where, and why authorized users can access a system.

F

Establishing performance measures and creating project way points simplifies project monitoring.

F

Examples of actions that illustrate compliance with policies are known as laws.

F

ISACA is a professional association with a focus on authorization, control, and security.

F

InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals.

F

MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.

F

Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair.

F

Standardization is an attempt to improve information security practices by comparing an organization's efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate.

F

The ISO 27014:2013 standard promotes five governance processes, which should be adopted by the organization's executive management and its consultant.

F

The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures.

F

The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.

F

The degree to which a current control can reduce risk is also subject to calculation error.

F

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties.

F

The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization.

F

The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks.

F

US-CERT is a set of moderated mailing lists full of detailed, full-disclosure discussions and announcements about computer security vulnerabilities. It is sponsored in part by SecurityFocus.

F

Using complex project management tools may result in a complication where the project manager creates project diagrams with insufficient detail for the implementation of the project.

F

Values statements should be ambitious; after all, they are meant to express the aspirations of an organization.

F

Which of the following biometric authentication systems is considered to be truly unique, suitable for use, and currently cost-effective?

Fingerprint recognition

What is the next phase of the pre-attack data gathering process after an attacker has collected all of an organization's Internet addresses?

Fingerprinting

Which of the following is NOT a task that must be performed if an employee is terminated?

Former employee's home computer must be audited

There are a number of methods for customizing training for users; two of the most common involve customizing by __________ and by __________.

Functional background; skill level

NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as __________.

Governance

A law that addresses privacy and security concerns associated with the electronic transmission of Personal Healthcare Information is the ____________.

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

Which of the following is not a factor critical to the success of an information security performance measurement program?

High level of employee buy-in

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?

IP address

Which of the following is NOT a phase in the NIST InfoSec performance measures development process?

Identify relevant stakeholders and their interests in InfoSec measurement.

An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.

Impact

__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.

Information asset value weighted table analysis

Blackmail threat of informational disclosure is an example of which threat category?

Information extortion

Which of the following is a common element of the enterprise information security policy?

Information on the structure of the InfoSec organization

This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.

InfraGard

Which of the following is a C.I.A. triad characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state?

Integrity

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

Issue-specific

Which of the following is true about a hot site?

It duplicates computing resources, peripherals, phone systems, applications, and workstations.

Which of the following is true about a company's InfoSec awareness Web site?

It should be tested with multiple browsers.

Which of the following is true about symmetric encryption?

It uses a secret key to encrypt and decrypt.

When the ISO 27002 standard was first proposed, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them?

It was feared it would lead to government intrusion into business matters.

Any court can impose its authority over an individual or organization if it can establish which of the following?

Jurisdiction

Which of the following is a Kerberos service that initially exchanges information with the client and server by using secret keys?

Key distribution center

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?

Least privilege

The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________.

Managing the development and operation of IT infrastructures

The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics?

Market

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?

Measurements must be useful for tracking non-compliance by internal personnel.

Communications security involves the protection of which of the following?

Media, technology, and content

Which alternative risk management methodology is a process promoted by the Computer Emergency Response Team (CERT) Coordination Center (www.cert.org) that has three variations for different organizational needs, including one known as ALLEGRO?

OCTAVE

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________.

Penetration Tester

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

Planning

Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

Policy

Which tool can best identify active computers on a network?

Port scanner

_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.

Portable

Which of the following is an organizational CP philosophy for overall approach to contingency planning reactions?

Protect and forget

Under the Common Criteria, which term describes the user-generated specifications for security requirements?

Protection Profile (PP)

Which type of device exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server?

Proxy server

Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?

RM framework

What is the final step in the risk identification process?

Ranking assets in order of importance

An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as __________.

Ransomware

Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)?

React

Which of the following is the first step in the problem-solving process?

Recognize and define the problem.

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and supported business processes is known as __________.

Recovery time objective (RTO)

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

Risk assessment

The ISO 27005 Standard for Information Security Risk Management includes all but which of the following stages?

Risk determination

The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts.

Risk management policy

What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?

Risk tolerance

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a __________.

Security manager

Which of the following would most likely be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

Security technician

Which of the following is an information security governance responsibility of the chief information security officer?

Set security policy, procedures, programs, and training.

In the _________ firewall architecture, a single device configured to filter packets serves as the sole security point between the two networks.

Single bastion host

By multiplying the asset value by the exposure factor, you can calculate which of the following?

Single loss expectancy

If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program will probably continue to work well.

T

In an IDPS, a sensor is a piece of software that resides on a system and reports back to a management server.

T

In information security, a security blueprint is a framework or security model customized to an organization, including implementation details.

T

Inventory characteristics for hardware and software assets that record the manufacturer and versions are related to technical functionality, and should be highly accurate and updated each time there is a change.

T

Lattice-based access control specifies the level of access each subject has to each object, if any.

T

Major planning components should be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate.

T

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

T

Policies must specify penalties for unacceptable behavior and define an appeals process.

T

The simplest kind of validation, the desk check, involves distributing copies of the appropriate plans to all individuals who will be assigned roles during an actual incident or disaster.

T

US-CERT is generally viewed as the definitive authority for computer emergency response teams.

T

Unlike many other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

T

Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?

Tactical

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.

Team Leader

Which of the following determines whether the organization already has or can acquire the technology necessary to implement and support the proposed treatment?

Technical feasibility

A time-release safe is an example of which type of access control?

Temporal isolation

If a temporary worker (temp) violates a policy or causes a problem, what is the strongest action that the host organization can usually take, depending on the SLA?

Terminate the relationship with the individual and request that he or she be censured.

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify?

The penalties for violation of the policy

Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer?

Theft

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Threats-vulnerabilities-assets worksheet

A malware program that hides its true nature and reveals its designed behavior only when activated is called a ____________.

Trojan horse

Which of the following policies requires that two individuals review and approve each other's work before the task is considered complete?

Two-person control

Which of the following is NOT one of the methods noted for selecting the best risk management model?

Use the methodology most similar to what is currently in use.

Which of the following is a key advantage of the bottom-up approach to security implementation?

Utilizing the technical expertise of the individual administrators

A potential weakness in an asset or its defensive control system(s) is known as a(n) __________.

Vulnerability

All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT:

When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

The __________ vulnerability assessment is designed to find and document vulnerabilities that may be present in the organization's wireless local area networks.

Wireless

The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered is known as __________.

Work recovery time (WRT)

"GGG security" is a term commonly used to describe which aspect of security?

physical

Digital forensics can be used for two key purposes: ________ or _________.

to investigate allegations of digital malfeasance; to perform root cause analysis
