ITSY-1300 CHAPTER 9

Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?

Project initiation and planning

What is the least likely goal of an information security awareness program?

Punish users who violate policy

True or False? A blanket purchase agreement (BPA) creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services.

True

True or False? Policies that cover data management should cover transitions throughout the data's life cycle.

True

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Access to a higher level of expertise

Lin is creating a template for the configuration of Windows servers in her organization. The configuration includes the basic security settings that should apply to all systems. What type of document should she create?

Baseline

True or False? Mandatory vacations minimize risk by rotating employees among various systems or duties.

False

True or False? The waterfall software development model works well in very dynamic environments where requirements change and are often revisited.

False

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is not a good approach for destroying data?

Formatting

Antivirus, firewall, and email use policies belong to what part of a security policy hierarchy?

Functional policies in support of organization policy

What is not a privacy principle created by the Organisation for Economic Co-operation and Development (OECD)?

An organization should share its information.

In an accreditation process, who has the authority to approve a system for implementation?

Authorizing official (AO)

What is the correct order of change control procedures regarding changes to systems and networks?

Request, impact assessment, approval, build/test, implement, monitor

Mia is her company's network security professional. She is developing access policies based on personnel security principles. As part of this effort, she is devising a method of taking high-security tasks and splitting them among several different employees so that no one person is responsible for knowing and performing the entire task. What practice is she developing?

Separation of duties

True or False? The Common Criteria is a set of system procurement standards used by several countries.

True

True or False? A functional policy declares an organization's management direction for security in such specific functional areas as email use, remote access, and Internet interaction (including social media).

True

True or False? A security awareness program should address the requirements and expectations of an organization's security policy.

True

True or False? Change control is the management of changes to the configuration of a system.

True

True or False? Procedures help enforce the intent of a policy.

True

True or False? The idea that users should be granted only the levels of permissions they need to perform their duties is called the principle of least privilege.

True

True or False? Using the names of superiors to convince another person that a higher authority has allowed access to information is a form of social engineering.

True

Rylie is a newly hired cybersecurity expert for a government agency. Rylie used to work in the private sector. She has discovered that, whereas private sector companies often had confusing hierarchies for data classification, the government's classifications are well known and standardized. As part of her training, she is researching data that requires special authorization beyond normal classification. What is this type of data called?

Compartmentalized

Donnelly is an IT specialist. He is in charge of the server and network appliances inventory. The infrastructure roadmap calls for a network systems reconfiguration in the next six months. Adina, the security expert, asks Donnelly to prepare a standardized list of all current and proposed equipment and then to present it to her in a hardware configuration chart. What does Adina tell Donnelly that the chart should include?

Copies of all software configurations for routers and switches

Applications represent the most common avenue for users, customers, and attackers to access data, which means you must build the software to enforce the security policy and to ensure compliance with regulations, including the privacy and integrity of both data and system processes. Regardless of the development model, the application must validate all input. Certain attacks can take advantage of weak validation. One such attack provides script code that causes a trusted user who views the input script to send malicious commands to a web server. What is this called?

Cross-site request forgery (XSRF)

Omar is an infrastructure security professional. After reviewing a set of professional ethics issued by his company, he is learning and adopting ethical boundaries in an attempt to demonstrate them to others. What is this called?

Encouraging the adoption of ethical guidelines and standards

Biyu is a network administrator. She is developing the compliance aspect of her company's security policy. Currently, she is focused on the records of actions that the organization's operating system or application software creates. What aspect of compliance is Biyu focusing on?

Event logs

True or False? Change does not create risk for a business.

False

True or False? Configuration changes can be made at any time during a system life cycle, and no process is required.

False

True or False? Regulatory compliance means complying with an organization's own policies, audits, culture, and standards.

False

True or False? The process of remediation makes sure all personnel are aware of and comply with an organization's policies.

False

True or False? The term "data owner" refers to the person or group that manages an IT infrastructure.

False

Rodrigo has just received an email at work from an unknown person. The sender claims to have incriminating evidence against Rodrigo and threatens to release it to his employer and his family unless he discloses certain confidential information about his employer's company. Rodrigo does not know that several other people in the organization received the same email. What form of social engineering has occurred?

Intimidation

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Memorandum of understanding (MOU)

Hajar is a network engineer. She is creating a system of access involving clearance and classification based on users and the objects they need in a secure network. She is restricting access to secure objects by users based on least privilege and which of the following?

Need to know

Janette is the director of her company's network infrastructure group. She is explaining to the business owners the advantages and disadvantages of outsourcing network security. One consideration she presents is the question of who would be responsible for the data, media, and infrastructure. What consideration is she describing?

Ownership

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is not normally used to make these types of classification decisions?

Threat

True or False? Classification scope determines what data to classify; classification process determines how to handle classified data.

True

True or False? Company-related classifications are not standard; therefore, there may be some differences of meaning between the terms "private" and "confidential" in different companies.

True

True or False? Standards are mandated requirements for hardware and software solutions used to address security risk throughout an organization.

True
