MIS 418 Midterm T/F

2. Corruption of information can occur only while information is being stored. a. True b. False

False

Chapter 2 1. Ethics carry the sanction of a governing authority. a. True b. False

False

9. Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________

False - aggregation

7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________

False - baseline

14. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________

False - bomb

8. The macro virus infects the key operating system files located in a computer's start up sector. _________________________

False - boot

11. A signaling law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________

False - breach

9. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________

False - brute force

11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________

False - classification

10. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. _________________________

False - cracker

2. The InfoSec community often takes on the leadership role in addressing risk. a. True b. False

True

5. On-the-job training can result in substandard work performance while the trainee gets up to speed. a. True b. False

True

6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________

True

3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for. a. True b. False

False

3. The authorization process takes place before the authentication process. a. True b. False

False

3. The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses. a. True b. False

False

6. Values statements should therefore be ambiguous; after all, they are meant to express the aspirations of the organization.

False - Vision, vision

7. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection. ___________

False - analysis

13. The information technology management community of interest often takes on the leadership role in addressing risk. ____________

False - infosec, information security

12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________

False - likelihood

3. Deterrence is the best method for preventing an illegal or unethical activity. ____________

True

4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. a. True b. False

True

9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.

True

1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. a. True b. False

True

12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________

True

12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________

True

13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.

True

14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________

True

2. A clearly directed strategy flows from top to bottom rather than from bottom to top. a. True b. False

True

2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system. a. True b. False

True

2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes. a. True b. False

True

3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. a. True b. False

True

4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. a. True b. False

True

4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. a. True b. False

True

5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________

True

5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. a. True b. False

True

5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. a. True b. False

True

7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________

True

8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________

True

9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________

True

Chapter 4 1. Policies must specify penalties for unacceptable behavior and define an appeals process. a. True b. False

True

Chapter 5 1. Small organizations spend more per user on security than medium- and large-sized organizations. a. True b. False

True

Chapter 1 1. The first step in solving problems is to gather facts and make assumptions. a. True b. False

False

6. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________

False - surfing

11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________

True

1. Having an established risk management program means that an organization's assets are completely protected. a. True b. False

False

2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments. a. True b. False

False

2. The defense risk control strategy may be accomplished by outsourcing to other organizations. a. True b. False

False

3. MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof. a. True b. False

False

3. Threats from insiders are more likely in a small organization than in a large one. a. True b. False

False

4. A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems. a. True b. False

False

4. Rule-based policies are less specific to the operation of a system than access control lists. a. True b. False

False

4. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks. a. True b. False

False

5. DoS attacks cannot be launched against routers. a. True b. False

False

5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. a. True b. False

False

6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables. a. True b. False

False

8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application. a. True b. False

False

Chapter 3 1. Because it sets out general business intentions, a mission statement does not need to be concise. a. True b. False

False

10. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________

False - Economic

6. The secretarial community often takes on the leadership role in addressing risk. ____________

False - InfoSec, infosec, Information Security, information security

6. Technology is the essential foundation of an effective information security program. _____________

False - Policy

11. The risk control strategy that indicates the organization is willing to accept the current level of risk, making a conscious decision to do nothing to protect an information asset from risk and to accept the outcome of any resulting exploitation, is known as the termination risk control strategy.

False - acceptance

4. ISACA is a professional association with a focus on authorization, control, and security. ___________

False - auditing

5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams. a. True b. False

True

7. Planners need to estimate the effort required to complete each task, subtask, or action step. a. True b. False

True

13. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________

False - packet

9. Examples of actions that illustrate compliance with policies are known as laws.

False - practices

15. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________

False - qualitative

15. In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence. ____________

False - rate

7. It is the responsibility of InfoSec professionals to understand state laws and standards. ____________

False - regulations

10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.

False - software

7. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. _________________________

False - spike

7. A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.

False - stakeholder

6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________

False - defense

8. The ISO 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.

False - governance

8. Non-mandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________

False - guidelines

9. The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. ____________

False - identification

12. Most information security projects require a trained project developer. _________________________

False - manager

11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________

False - milestones

10. An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________

False - technical

8. InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________

False - technology

10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________

False - threat

9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________

False - transference

14. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________

False - vulnerabilities

8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________

False - vulnerabilities

10. Each organization has to determine its own project management methodology for IT and information security projects. a. True b. False

True
