Mid-Term Exam (CH:1-6)
What are the two general methods for implementing technical controls?
Access control lists and configuration rules
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
In which phase of the SecSDLC does the risk management task occur?
Analysis
Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
Confidentiality
Which type of attack involves sending a large number of connection or information requests to a target?
Denial-of-Service (DoS)
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
Deterrence
Which policy is the highest level of policy and is usually created first?
EISP
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
False
A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
False
Corruption of information can occur only while information is being stored.
False
DoS attacks cannot be launched against routers.
False
Having an established risk management program means that an organization's assets are completely protected.
False
ISACA is a professional association with a focus on authorization, control, and security. ___________
False
InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False
Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
False
MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
False
Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.
False
The authorization process takes place before the authentication process.
False
The first step in solving problems is to gather facts and make assumptions.
False
The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
False
The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
False
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False
It is the responsibility of InfoSec professionals to understand state laws and standards. ____________
False
Values statements should therefore be ambitious; after all, they are meant to express the aspirations of the organization.
False
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons. Which of the following is NOT one of them?
For Political Advantage
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPAA
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
IP Address
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
Managerial Controls
Which of the following explicitly declares the business of the organization and its intended areas of operations?
Mission Statement
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
Organization
Which of the following variables is the most influential in determining how to structure an information security program?
Organizational Culture
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
Penetration Tester
A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
Penetration Testing
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
People
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
Policy
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
Policy Review and Modification
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Risk Management
Which of the following is an information security governance responsibility of the Chief Security Officer?
Set security policy, procedures, programs and training
Which type of document is a more detailed statement of what must be done to comply with a policy?
Standard
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
Strategic
Which of the following is true about planning?
Strategic plans are used to create tactical plans
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
System Testing
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
Tactical
Which of the following are the two general groups into which SysSPs can be separated?
Technical specifications and managerial guidance
Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
They have larger information security needs than a small organization
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
Threats-Vulnerabilities-Assets Worksheet
____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan Horses
A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.
True
A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True
Deterrence is the best method for preventing an illegal or unethical activity. ____________
True
Small organizations spend more per user on security than medium- and large-sized organizations.
True
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
True
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright Law
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
User-Specific Security Policies
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
Violations of Policy
Which of the following is a key advantage of the bottom-up approach to security implementation?
Utilizes the technical expertise of the individual administrators
According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
Availability
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
Back Door
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
Bull's-Eye Model
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
Centralized Authentication
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
Champion
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
Chief Information Security Officer (CISO)
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
Chief of Information Security
What is the first phase of the SecSDLC?
Investigation
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
Issue-Specific
Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
Joint Application Design
Any court can impose its authority over an individual or organization if it can establish which of the following?
Jurisdiction
What is the final step in the risk identification process?
Listing assets in order of importance
Which of the following is an attribute of a network device that is physically tied to the network interface?
MAC Address
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
Malice