Quiz 1
T/F Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True
T/F A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
T/F A project can have more than one critical path.
True
T/F Asset classification schemes should categorize information assets based on which of the following?
True
T/F Project scope management ensures that the project plan includes only those activities that are necessary to complete it.
True
T/F The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
True
T/F The InfoSec community often takes on the leadership role in addressing risk.
True
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
Assigning a value to each information asset
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
Authentication
Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
Confidentiality
Which of the following is a network device attribute that is tied to the network interface?
MAC address
Which of the following is true about planning?
Planning helps you check your progress
If the project deliverables meet the requirements specified in the project plan, the project has met its ____________________ objective.
Quality
What do audit logs that track user activity on an information system provide?
Recognize and define the problem
Which of the following is the first step in the problem-solving process?
Recognizing the problem.
The basic outcomes of InfoSec governance should include all but which of the following?
Resource management by executing appropriate measures to manage and mitigate risks to information technologies
The identification and assessment of levels of risk in an organization describes which of the following?
Risk analysis
Which of the following is an information security governance responsibility of the Chief Security Officer?
Set security policy, procedures, programs and training
According to the C.I.A. triangle, which of the following is a desirable characteristic for computer security?
availability
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
likelihood probability
What is the final step in the risk identification process?
listing assets in order of importance
Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
managerial controls
Communications security involves the protection of which of the following?
media, technology, and content
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
organization
Which of the following is a key step needed in order for a JAD approach to be successful?
organize workshop activities
In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
penetration
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
people
_________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
physical
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
policy
As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.
relative
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
relative value
It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them?
What other activities require the same resources as this activity?
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
strategic
In which level of planning are budgeting, resource allocation, and manpower critical components?
tactical
Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
uncertainty percentage
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual admins
What is defined as specific avenues that threat agents can exploit to attack an information asset?
vulnerabilities
In which model in the SecSDLC do the work products of each phase fall into the next phase to serve as its starting point?
waterfall
In which phase of the SecSDLC does the risk management task occur?
Analysis
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
Calculating the risks to which assets are exposed in their current setting
Which type of attack involves sending a large number of connection or information requests to a target?
DoS
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
Executive management develops corporate-wide policies
What is one of the most frequently cited failures in project management?
Failure to meet project deadlines
T/F Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.
False
T/F A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False
T/F Corruption of information can occur only while information is being stored.
False
T/F The authorization process takes place before the authentication process.
False
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
Hold regular meetings with the CIO to discuss tactical InfoSec planning
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
IP Address
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
Initiating
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
What is the first phase of the SecSDLC?
Investigation
The ______________________ phase is the last phase of SecSDLC, but perhaps the most important.
Maintenance and change
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
Manufacturer's part number
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
Which of the following is an example of a technological obsolescence threat?
Outdated Servers
Which of the following was originally developed in the late 1950s to meet the needs of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems?
PERT
The set of organizational guidelines that dictates certain behavior within the organization is called ____________________.
Policy
Which of the following attributes does NOT apply to software information assets?
Product dimensions
Information security project managers often follow methodologies based on what methodology promoted by the Project Management Institute?
Project Management Body of Knowledge (PMBoK)
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
Threats-vulnerabilities-assets worksheet
A(n) ___________ attack enables an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries.
Timing
The management of human resources must address many complicating factors; which of the following is NOT among them?
all workers operate at approximately the same level of efficiency
Which of the following should be included in an InfoSec governance program?
an infosec risk management methodology
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
back door
Which of the following is NOT a step in the problem-solving process?
build support among management for the candidate solution
Classification categories must be ____________________ and mutually exclusive.
comprehensive
Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
cost of prevention
The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
event-driven
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
factor analysis
Blackmail threat of informational disclosure is an example of which threat category?
information extortion
Which of the following is NOT a unique function of Information Security Management?
principles
What should you be armed with to adequately assess potential weaknesses in each information asset?
properly classified inventory