SPM.
What do audit logs that track user activity on an information system provide? a. identification b. authorization c. accountability d. authentication
accountability
In which phase of the SecSDLC does the risk management task occur? a. physical design b. implementation c. investigation d. analysis
analysis
Which of the following is not a step in the FAIR risk management framework? a. identify scenario components b. evaluate loss event frequency c. assess control impact d. derive and articulate risk
assess control impact
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process? a. accountability b. authorization c. identification d. authentication
authentication
According to the C.I.A. triad, which of the following is a desirable characteristic for computer security? a. accountability b. availability c. authorization d. authentication
availability
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls? a. brute force b. DoS c. back door d. hoax
back door
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. a. (ISC)2 b. ACM c. SANS d. ISACA
(ISC)2
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____ on a development team. a. champion b. end user c. team leader d. policy developer
champion
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community? a. utilitarian b. virtue c. fairness or justice d. common good
common good
Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? a. feasibility analysis b. asset valuation c. cost avoidance d. cost-benefit analysis
cost avoidance
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? a. cost-benefit analysis b. exposure factor c. single loss expectancy d. annualized rate of occurrence
cost-benefit analysis
Which of the following should be included in an InfoSec governance program? a. An InfoSec development methodology b. An InfoSec risk management methodology c. An InfoSec project management assessment from an outside consultant d. All of these are components of the InfoSec governance program
An InfoSec risk management methodology
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the _______. a. Board Risk Committee b. Board Finance Committee c. Board Audit Committee d. Chairman of the Board
Board Risk Committee
Which of the following is NOT a step in the problem-solving process? a. Select, implement and evaluate a solution b. Analyze and compare possible solutions c. Build support among management for the candidate solution d. Gather facts and make assumptions
Build support among management for the candidate solution
Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information? a. Integrity b. Availability c. Authentication d. Confidentiality
Confidentiality
Which of the following is the U.S. contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? a. U.S. Copyright Law b. PCI DSS c. European Council Cybercrime Convention d. DMCA
DMCA
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result? a. OCTAVE b. FAIR c. Hybrid Measures d. Delphi
Delphi
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics? a. Applied ethics b. Meta-ethics c. Normative ethics d. Deontological ethics
Deontological ethics
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right? a. Applied ethics b. Descriptive ethics c. Normative ethics d. Deontological ethics
Descriptive ethics
The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? a. Determined the level of risk posed to the information asset b. Performed a thorough cost-benefit analysis c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP
EISP
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? a. Initiating b. Establishing c. Acting d. Learning
Establishing
Which of the following is not among the 'deadly sins of software security'? a. Extortion sins b. Implementation sins c. Web application sins d. Networking sins
Extortion sins
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following? a. For purposes of commercial advantage b. For private financial gain c. For political advantage d. In furtherance of a criminal act
For political advantage
ISO 27014:2013 is the ISO 27000 series standard for ______. a. Governance of Information Security b. Information Security Management c. Risk Management d. Policy Management
Governance of Information Security
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them? a. ECPA b. Sarbanes-Oxley c. HIPAA d. Gramm-Leach-Bliley
HIPAA
Which law addresses privacy and security concerns associated with the electronic transmission of PHI? a. USA Patriot Act of 2001 b. American Recovery and Reinvestment Act c. Health Information Technology for Economic and Clinical Health Act d. National Information Infrastructure Protection Act of 1996
Health Information Technology for Economic and Clinical Health Act
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices? a. Hold regular meetings with the CIO to discuss tactical InfoSec planning b. Assign InfoSec to a key committee and ensure adequate support for that committee c. Ensure the effectiveness of the corporation's InfoSec policy through review and approval d. Identify InfoSec leaders, hold them accountable, and ensure support for them
Hold regular meetings with the CIO to discuss tactical InfoSec planning
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. a. data owners b. data custodians c. data users d. data generators
data owners
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as _______. a. data owners b. data custodians c. data users d. data generators
data users
Application of training and education is a common method of which risk control strategy? a. mitigation b. defense c. acceptance d. transferal
defense
Which type of attack involves sending a large number of connection or information requests to a target? a. malicious code b. denial-of-service (DoS) c. brute force d. spear phishing
denial-of-service (DoS)
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls. a. remediation b. deterrence c. persecution d. rehabilitation
deterrence
A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. a. denial-of-service b. distributed denial-of-service c. virus d. spam
distributed denial-of-service
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed? a. probability calculation b. documented control strategy c. risk acceptance plan d. mitigation plan
documented control strategy
Human error or failure often can be prevented with training, ongoing awareness activities, and ______ a. threats b. education c. hugs d. paperwork
education
A 2007 Deloitte report found that a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________. a. enterprise risk management b. joint application design c. security policy review d. disaster recovery planning
enterprise risk management
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? a. conducting decision support b. implementing controls c. evaluating alternative strategies d. measuring program effectiveness
evaluating alternative strategies
A short-term interruption in electrical power availability is known as a ____. a. fault b. brownout c. blackout d. lag
fault
One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. a. hacktivist b. phreak c. hackcyber d. cyberhack
hacktivist
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. a. chief information security officer b. security technician c. security manager d. chief technology officer
chief information security officer
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus _____. a. false alarms b. polymorphisms c. hoaxes d. urban legends
hoaxes
Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach? a. incident response plan b. business continuity plan c. disaster recovery plan d. damage control plan
disaster recovery plan
The NIST risk management approach includes all but which of the following elements? a. inform b. assess c. frame d. respond
inform
Which of the following is an element of the enterprise information security policy? a. access control lists b. information on the structure of the InfoSec organization c. articulation of the organization's SDLC methodology d. indemnification of the organization against liability
information on the structure of the InfoSec organization
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? a. issue-specific b. enterprise information c. system-specific d. user-specific
issue-specific
Any court can impose its authority over an individual or organization if it can establish which of the following? a. jurisprudence b. jurisdiction c. liability d. sovereignty
jurisdiction
Which of the following affects the cost of a control? a. liability insurance b. CBA report c. asset resale d. maintenance
maintenance
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. ignorance b. malice c. accident d. intent
malice
In the ______ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. a. zombie-in-the-middle b. sniff-in-the-middle c. server-in-the-middle d. man-in-the-middle
man-in-the-middle
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a. system controls b. technical controls c. operational controls d. managerial controls
managerial controls
Communications security involves the protection of which of the following? a. radio handsets b. people, physical assets c. the IT department d. media, technology, and content
media, technology, and content
Which of the following explicitly declares the business of the organization and its intended areas of operations? a. vision statement b. values statement c. mission statement d. business statement
mission statement
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? a. acceptance b. avoidance c. transference d. mitigation
mitigation
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk? a. analysis and adjustment b. review and reapplication c. monitoring and measurement d. evaluation and funding
monitoring and measurement
Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success? a. software engineering b. joint application design c. sequence-driven policies d. event-driven procedures
joint application design
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? a. organization b. planning c. controlling d. leading
organization
A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization
penetration testing
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program? a. protection b. people c. projects d. policy
people
Which of the following is NOT a primary function of Information Security Management? a. planning b. protection c. projects d. performance
performance
Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives? a. leading b. controlling c. organizing d. planning
planning
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. planning b. policy c. programs d. people
policy
Which of the following is NOT one of the basic rules that must be followed when shaping a policy? a. policy should never conflict with law b. policy must be able to stand up in court if challenged c. policy should be agreed upon by all employees and management d. policy must be properly supported and administered
policy should be agreed upon by all employees and management
Which of the following determines acceptable practices based on consensus and relationships among the communities of interest? a. organizational feasibility b. political feasibility c. technical feasibility d. operational feasibility
political feasibility
Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. tort b. criminal c. private d. public
private
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? a. qualitative assessment of many risk components b. quantitative valuation of safeguards c. subjective prioritization of controls d. risk analysis estimates
qualitative assessment of many risk components
Which of the following is compensation for a wrong committed by an employee acting with or without authorization? a. liability b. restitution c. due diligence d. jurisdiction
restitution
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. residual risk b. risk appetite c. risk assurance d. risk termination
risk appetite
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? a. risk assessment b. risk treatment c. risk communication d. risk determination
risk determination
Which of the following is NOT an alternative to using CBA to justify risk controls? a. benchmarking b. due care and due diligence c. selective risk avoidance d. the gold standard
selective risk avoidance
By multiplying the asset value by the exposure factor, you can calculate which of the following? a. annualized cost of the safeguard b. single loss expectancy c. value to adversaries d. annualized loss expectancy
single loss expectancy
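The two formula cards above (CBA = pre-control ALE minus post-control ALE minus ACS, and SLE = asset value times exposure factor) are easier to apply when carried through once with numbers. The following is an added worked example, not part of the original card set; every asset value, exposure factor, annualized rate of occurrence and safeguard cost in it is a constructed, hypothetical figure chosen to illustrate the arithmetic, and the scenario names are invented.

```python
"""Worked risk-control arithmetic: SLE, ALE and CBA.

Added example (not from the original flashcard set). All figures below are
constructed, hypothetical values used only to show how the formulas combine.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset value lost in one event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of loss events per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.

    A positive result means the control avoids more annual loss than it costs;
    zero or negative means it is not justified on financial grounds alone.
    """
    return ale_prior - ale_post - acs


@dataclass(frozen=True)
class Scenario:
    """One information asset / threat pair, before and after a proposed control."""
    name: str
    asset_value: float
    ef_before: float
    aro_before: float
    ef_after: float
    aro_after: float
    annual_cost_of_safeguard: float


def evaluate(s: Scenario) -> dict:
    """Carry one scenario through SLE -> ALE (before and after) -> CBA."""
    sle_before = single_loss_expectancy(s.asset_value, s.ef_before)
    sle_after = single_loss_expectancy(s.asset_value, s.ef_after)
    ale_before = annualized_loss_expectancy(sle_before, s.aro_before)
    ale_after = annualized_loss_expectancy(sle_after, s.aro_after)
    cba = cost_benefit(ale_before, ale_after, s.annual_cost_of_safeguard)
    return {
        "sle_before": sle_before,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "cba": cba,
        "justified": cba > 0,
    }


# Constructed scenarios (hypothetical figures, not from any real assessment).
# Ransomware against a customer database: offline backups cut EF from 40% to 5%.
WEB_STORE = Scenario("customer database, ransomware",
                     500_000.0, 0.40, 0.5, 0.05, 0.5, 30_000.0)
# Defacement of a low-value internal wiki: the control removes the loss entirely
# but costs more per year than the loss it avoids.
GOLD_PLATED = Scenario("internal wiki, defacement",
                       20_000.0, 0.25, 1.0, 0.0, 1.0, 8_000.0)

if __name__ == "__main__":
    for s in (WEB_STORE, GOLD_PLATED):
        r = evaluate(s)
        print(f"{s.name}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"CBA {r['cba']:,.0f}, justified={r['justified']}")
```

For the first scenario the pre-control ALE is 100,000 (SLE 200,000 at 0.5 events per year), the post-control ALE is 12,500, and the CBA is 100,000 - 12,500 - 30,000 = 57,500, so the control pays for itself. The second scenario shows the acceptance case from the cards above: the control eliminates the loss, but its 8,000 annual cost exceeds the 5,000 ALE it avoids, giving a CBA of -3,000.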
"4-1-9" fraud is an example of a ______ attack. a. social engineering b. virus c. worm d. spam
social engineering
Which type of document is a more detailed statement of what must be done to comply with a policy? a. procedure b. standard c. guideline d. practice
standard
Which type of planning is the primary tool in determining the long-term direction taken by an organization? a. strategic b. tactical c. operational d. managerial
strategic
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives? a. strategic b. operational c. organizational d. tactical
tactical
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________. a. champion b. end user c. team leader d. policy developer
team leader
An example of a stakeholder of a company includes all of the following except: a. employees b. the general public c. stockholders d. management
the general public
In addition to specifying the penalties for unacceptable behavior, what else must a policy specify? a. appeals process b. legal recourse c. what must be done to comply d. the proper operation of equipment
appeals process
Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point? a. modular continuous b. elementary cyclical c. time-boxed circular d. traditional waterfall
traditional waterfall
Acts of ______ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. a. bypass b. theft c. trespass d. security
trespass
Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process c. utilizes the technical expertise of the individual administrators d. coordinated planning from upper management
utilizes the technical expertise of the individual administrators
The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization
vulnerability assessment
Blackmail threat of informational disclosure is an example of which threat category? a. Espionage or trespass b. Information extortion c. Sabotage or vandalism d. Compromises of intellectual property
Information extortion
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? a. Initiating b. Establishing c. Acting d. Learning
Initiating
What is the first phase of the SecSDLC? a. analysis b. investigation c. logical design d. physical design
Investigation
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications? a. The Electronic Communications Privacy Act of 1986 b. The Telecommunications Deregulation and Competition Act of 1996 c. National Information Infrastructure Protection Act of 1996 d. Federal Privacy Act of 1974
The Electronic Communications Privacy Act of 1986
Which type of planning is used to organize the ongoing, day-to-day performance of tasks? a. Strategic b. Tactical c. Organizational d. Operational
Operational
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose
Policy Review and Modification
Which of the following is the first step in the problem-solving process? a. Analyze and compare the possible solutions b. Develop possible solutions c. Recognize and define the problem d. Select, implement and evaluate a solution
Recognize and define the problem
Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____. a. SSL b. SLA c. MSL d. MIN
SLA
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. a. chief information security officer b. security technician c. security manager d. chief technology officer
Security manager
Which of the following is an information security governance responsibility of the Chief Security Officer? a. Communicate policies and the program b. Set security policy, procedures, programs and training c. Brief the board, customers and the public d. Implement policy, report security vulnerabilities and breaches
Set security policy, procedures, programs and training
Which of the following is true about planning? a. Strategic plans are used to create tactical plans b. Tactical plans are used to create strategic plans c. Operational plans are used to create tactical plans d. Operational plans are used to create strategic plans
Strategic plans are used to create tactical plans
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system? a. The Telecommunications Deregulation and Competition Act b. National Information Infrastructure Protection Act c. Computer Fraud and Abuse Act d. The Computer Security Act
The Computer Security Act
The basic outcomes of InfoSec governance should include all but which of the following? a. Value delivery by optimizing InfoSec investments in support of organizational objectives b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved c. Time management by aligning resources with personnel schedules and organizational objectives d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
Time management by aligning resources with personnel schedules and organizational objectives
______ are malware programs that hide their true nature, and reveal their designed behavior only when activated. a. Viruses b. Worms c. Spam d. Trojan horses
Trojan horses
Which law extends protection to intellectual property, which includes words published in electronic formats? a. Freedom of Information Act b. U.S. Copyright Law c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act
U.S. Copyright Law
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? a. Enterprise information security policy b. User-specific security policies c. Issue-specific security policies d. System-specific security policies
User-specific security policies
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions? a. Violations of Policy b. Systems Management c. Prohibited Usage of Equipment d. Authorized Access and Usage of Equipment
Violations of Policy
Which of the following is NOT a valid rule of thumb on risk control strategy selection? a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls. d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.