ITM 350 chapter 9 quiz study guide
true or false? often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets
false
true or false? a remediation liaison makes sure all personnel are aware of and comply with an organization's policies
false - a compliance liaison makes sure all personnel are aware of and comply with an organization's policies
true or false? certification is the formal agreement by an authorizing official to accept the risk of implementing a system
false - accreditation is the formal agreement by an authorizing official to accept the risk of implementing a system
true or false? the term "data owner" refers to the person or group that manages an IT infrastructure
false - the term "system owner" refers to the person or group that manages the infrastructure
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?
formatting
Sets direction for the management of an organization pertaining to security in such specific functional areas as email, remote access, and Internet interaction
functional policy
actions that the organization recommends?
guidelines
a strategy to minimize risk by rotating employees between various systems or duties
job rotation
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
service level agreement (SLA)
true or false? the idea that users should be granted only the levels of permission they need in order to perform their duties is called the principle of least privilege.
true
in what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
waterfall
what is the correct order of steps in the change control process?
1. request 2. impact assessment 3. approval 4. build/test 5. implement 6. monitor
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Access to a higher level of expertise
True or False? The waterfall software development model works well in very dynamic environments where requirements change and are often revisited.
False
what are 9 examples of functional policies?
1. Acceptable use 2. Antivirus 3. interconnection 4. email use 5. firewall 6. host security 7. wireless use 8. extranet 9. other policies
what is the total number of data classification standards criteria?
3
What is not a privacy principle created by the Organisation for Economic Co-operation and Development (OECD)?
An organization should share its information.
Lin is creating a template for the configuration of Windows servers in her organization. The configuration includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Rylie is a newly hired cybersecurity expert for a government agency. Rylie used to work in the private sector. She has discovered that, whereas private sector companies often had confusing hierarchies for data classification, the government's classifications are well known and standardized. As part of her training, she is researching data that requires special authorization beyond normal classification. What is this type of data called?
Compartmentalized
Donnelly is an IT specialist. He is in charge of the server and network appliances inventory. The infrastructure roadmap calls for a network systems reconfiguration in the next six months. Adina, the security expert, asks Donnelly to prepare a standardized list of all current and proposed equipment and then to present it to her in a hardware configuration chart. What does Adina tell Donnelly that the chart should include?
Copies of all software configurations for routers and switches
what is XSRF?
Cross-site request forgery - causes users to perform actions on web sites, such as making purchases, without their knowledge
Applications represent the most common avenue for users, customers, and attackers to access data, which means you must build the software to enforce the security policy and to ensure compliance with regulations, including the privacy and integrity of both data and system processes. Regardless of the development model, the application must validate all input. Certain attacks can take advantage of weak validation. One such attack provides script code that causes a trusted user who views the input script to send malicious commands to a web server. What is this called?
Cross-site request forgery (XSRF)
Omar is an infrastructure security professional. After reviewing a set of professional ethics issued by his company, he is learning and adopting ethical boundaries in an attempt to demonstrate them to others. What is this called?
Encouraging the adoption of ethical guidelines and standards
True or False? Regulatory compliance means complying with an organization's own policies, audits, culture, and standards.
False
True or False? The process of remediation makes sure all personnel are aware of and comply with an organization's policies.
False
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is not a good approach for destroying data?
Formatting
Antivirus, firewall, and email use policies belong to what part of a security policy hierarchy?
Functional policies in support of organization policy
Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?
Project initiation and planning
What is the least likely goal of an information security awareness program?
Punish users who violate policy
What is the correct order of change control procedures regarding changes to systems and networks?
Request, impact assessment, approval, build/test, implement, monitor
______ is an attack technique in which an attacker provides malicious SQL statements to access unauthorized data or carry out unauthorized commands
SQL injection
in what type of attack does the attacker send unauthorized commands directly to a database?
SQL injection
Mia is her company's network security professional. She is developing access policies based on personnel security principles. As part of this effort, she is devising a method of taking high-security tasks and splitting them among several different employees so that no one person is responsible for knowing and performing the entire task. What practice is she developing?
Separation of duties
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is not normally used to make these types of classification decisions?
Threat
True or False? Using the names of superiors to convince another person that a higher authority has allowed access to information is a form of social engineering.
True
True or False? A blanket purchase agreement (BPA) creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services.
True
____ is an attack in which an attacker inputs client-side script code to a web application. the code would then be viewed by other users, and their client software would execute the script instructions. exploits the trust users have in a server
XSS
what is NOT a good practice for developing strong professional ethics?
assume that information should be free
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. which phase of the access control process is she performing?
authorization
in an accreditation process, who has the authority to approve a system for implementation?
authorizing official (AO)
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
baseline
basic configuration documents?
baseline
which activity manages the baseline settings for a system or device?
configuration control
_____ is the measure of the importance of the information to the mission of the organization
criticality
which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
enforcing the integrity of computer-based information
what are records of actions that an organization's operating systems or application software creates, showing which user or system accessed data or a resource and when?
event logs
compulsory time during which workers must step away from their work responsibilities, often used as a time to audit critical functions
mandatory vacation
A property that indicates a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification
need to know
specifies to consumers how an organization collects, uses, and disposes of their personal information
privacy policy
step-by-step systematic actions taken to accomplish a security requirement, process or objective
procedures
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
project initiation and planning
what is NOT a goal of information security awareness programs?
punish users who violate policy
which is an advantage of outsourcing?
reaching out to high-level expertise that the organization may not have
helps all employees understand the assets and principles the organization values
security policy
what are the criteria for classifying information?
value
True or False? Configuration changes can be made at any time during a system life cycle, and no process is required.
False
what is XSS?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
True or False? Change does not create risk for a business.
False
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
True or False? A security awareness program should address the requirements and expectations of an organization's security policy.
True
True or False? Classification scope determines what data to classify; the classification process determines how to handle classified data.
True
True or False? Company-related classifications are not standard; therefore, there may be some differences of meaning between the terms "private" and "confidential" in different companies.
True
True or False? Procedures help enforce the intent of a policy.
True
true or false? one advantage of using a security management firm for security monitoring is that it has a high level of expertise
true
Biyu is a network administrator. She is developing the compliance aspect of her company's security policy. Currently, she is focused on the records of actions that the organization's operating system or application software creates. What aspect of compliance is Biyu focusing on?
Event logs
Rodrigo has just received an email at work from an unknown person. The sender claims to have incriminating evidence against Rodrigo and threatens to release it to his employer and his family unless he discloses certain confidential information about his employer's company. Rodrigo does not know that several other people in the organization received the same email. What form of social engineering has occurred?
Intimidation
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions?
Threat
True or False? A functional policy declares an organization's management direction for security in such specific functional areas as email use, remote access, and Internet interaction (including social media).
True
what kind of attack provides script code that causes a trusted user who views the input script to send malicious commands to a web server?
XSRF
true or false? a hardware configuration chart should NOT include copies of software configurations
false
True or False? The term "data owner" refers to the person or group that manages an IT infrastructure.
False
True or False? Mandatory vacations minimize risk by rotating employees among various systems or duties.
False
which of the following would NOT be considered in the scope of organizational compliance efforts?
laws
_____ is the measure of the effect that a breach of integrity or the disclosure of the information would have on the organization
sensitivity
The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task
separation of duties
the ____ to the organization, to the competitor, the cost of replacement or loss, the _____ to the organization's reputation
value
Hajar is a network engineer. She is creating a system of access involving clearance and classification based on users and the objects they need in a secure network. She is restricting access to secure objects by users based on least privilege and which of the following?
Need to know
Janette is the director of her company's network infrastructure group. She is explaining to the business owners the advantages and disadvantages of outsourcing network security. One consideration she presents is the question of who would be responsible for the data, media, and infrastructure. What consideration is she describing?
Ownership
True or False? Policies that cover data management should cover transitions throughout the data's life cycle.
True
True or False? The Common Criteria is a set of system procurement standards used by several countries.
True
True or False? The idea that users should be granted only the levels of permissions they need to perform their duties is called the principle of least privilege.
True
True or false? configuration changes can be made at any time during a system life cycle, and no process is required
false - all configuration changes occur only within a controlled process
True or False? Change control is the management of changes to the configuration of a system.
True
In an accreditation process, who has the authority to approve a system for implementation?
Authorizing official (AO)
True or False? Standards are mandated requirements for hardware and software solutions used to address security risk throughout an organization.
True
a type of social engineering that uses threats or harassment to bully another person for information
intimidation
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
separation of duties
_____ is a streamlined method of meeting recurring needs for supplies or services; creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services
blanket purchase agreement