SPM401

1. Because it sets out general business intentions, a mission statement does not need to be concise.

False

1. Ethics carry the sanction of a governing authority.

False

1. Having an established risk management program means that an organization's assets are completely protected.

False

1. The first step in solving problems is to gather facts and make assumptions.

False

2. Corruption of information can occur only while information is being stored.

False

2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

False

2. The defense risk control strategy may be accomplished by outsourcing to other organizations.

False

3. MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.

False

3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.

False

3. The authorization process takes place before the authentication process.

False

3. The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.

False

3. Threats from insiders are more likely in a small organization than in a large one.

False

4. A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.

False

4. Rule-based policies are less specific to the operation of a system than access control lists.

False

4. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks.

False

5. DoS attacks cannot be launched against routers.

False

5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.

False

6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.

False

8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.

False

10. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________

False - Economic

6. The secretarial community often takes on the leadership role in addressing risk. ____________

False - InfoSec, infosec, Information Security, information security

6. Technology is the essential foundation of an effective information security program. _____________

False - Policy

6. Values statements should therefore be ambiguous; after all, they are meant to express the aspirations of the organization.

False - Vision, vision

11. The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.

False - acceptance

9. Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________

False - aggregation

7. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection. ___________

False - analysis

4. ISACA is a professional association with a focus on authorization, control, and security. ___________

False - auditing

7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________

False - baseline

14. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________

False - bomb

8. The macro virus infects the key operating system files located in a computer's start up sector. _________________________

False - boot

11. A signaling law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________

False - breach

9. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________

False - brute force

11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________

False - classification

2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

True

2. The InfoSec community often takes on the leadership role in addressing risk.

True

2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.

True

3. Deterrence is the best method for preventing an illegal or unethical activity. ____________

True

3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

True

4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.

True

4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.

True

4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

True

5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________

True

5. On-the-job training can result in substandard work performance while the trainee gets up to speed.

True

5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.

True

5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

True

5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.

True

6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________

True

7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________

True

7. Planners need to estimate the effort required to complete each task, subtask, or action step.

True

10. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. _________________________

False - cracker

13. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________

False - packet

9. Examples of actions that illustrate compliance with policies are known as laws.

False - practices

15. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________

False - qualitative

15. In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence. ____________

False - rate

7. It is the responsibility of InfoSec professionals to understand state laws and standards. ____________

False - regulations

10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.

False - software

7. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. _________________________

False - spike

7. A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.

False - stakeholder

18. Which of the following should be included in an InfoSec governance program?

b. An InfoSec risk management methodology

21. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?

b. Descriptive ethics

20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?

b. Establishing

36. Blackmail threat of informational disclosure is an example of which threat category?

b. Information extortion

21. Which of the following is an attribute of a network device that is physically tied to the network interface?

b. MAC address

27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?

b. Relative value

15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

b. Risk assessment

33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.

b. Risk assessment estimate factors

35. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.

b. SLA

24. Data classification schemes should categorize information assets based on which of the following?

b. Sensitivity and security needs

21. Which of the following is an information security governance responsibility of the Chief Security Officer?

b. Set security policy, procedures, programs and training

32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

b. Threats-vulnerabilities-assets worksheet

18. Which law extends protection to intellectual property, which includes words published in electronic formats?

b. U.S. Copyright Law

13. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?

b. User-specific security policies

31. __________ is a simple project management planning tool.

b. WBS

28. A risk assessment is performed during which phase of the SecSDLC?

b. analysis

16. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?

b. availability

23. The purpose of SETA is to enhance security in all but which of the following ways?

b. by adding barriers

18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

b. centralized authentication

16. Application of training and education is a common method of which risk control strategy?

b. defense

33. Which type of attack involves sending a large number of connection or information requests to a target?

b. denial-of-service (DoS)

24. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.

b. deterrence

38. A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

b. distributed denial-of-service

31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

b. documented control strategy

30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

b. due diligence

31. Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.

b. education

30. Which of the following is NOT a step in the process of implementing training?

b. hire expert consultants

17. Which of the following is an element of the enterprise information security policy?

b. information on the structure of the InfoSec organization

27. What is the first phase of the SecSDLC?

b. investigation

24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?

b. joint application design

27. Any court can impose its authority over an individual or organization if it can establish which of the following?

b. jurisdiction

23. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?

b. malice

35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.

b. penetration testing

27. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?

b. people

26. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

b. policy

25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

b. political feasibility

26. Which of the following is compensation for a wrong committed by an employee acting with or without authorization?

b. restitution

20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

b. risk appetite

23. By multiplying the asset value by the exposure factor, you can calculate which of the following?

b. single loss expectancy

16. Which type of document is a more detailed statement of what must be done to comply with a policy?

b. standard

30. An example of a stakeholder of a company includes all of the following except:

b. the general public

35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?

a. Uncertainty percentage

29. Which of the following is an advantage of the user support group form of training?

a. Usually conducted in an informal social setting

20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?

a. Violations of Policy

21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?

a. can suffer from poor policy dissemination, enforcement, and review

19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

c. Assigning a value to each information asset

24. Which of the following is NOT a step in the problem-solving process?

c. Build support among management for the candidate solution

12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

c. Bull's-eye model

25. Classification categories must be mutually exclusive and which of the following?

c. Comprehensive

26. Which of the following is an advantage of the one-on-one method of training?

c. Customized

18. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

d. authentication

33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.

a. champion

28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.

a. chief information security officer

24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

a. cost-benefit analysis

26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.

a. data owners

27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

a. design

38. A 2007 Deloitte report found that a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.

a. enterprise risk management.

40. A short-term interruption in electrical power availability is known as a ____.

a. fault

37. One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

a. hacktivist

18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?

a. incident response plan

35. The NIST risk management approach includes all but which of the following elements?

a. inform

29. In which phase of the SecSDLC does the risk management task occur?

d. analysis

6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________

False - defense

8. The ISO 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.

False - governance

8. Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________

False - guidelines

9. The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. ____________

False - identification

13. The information technology management community of interest often takes on the leadership role in addressing risk. ____________

False - infosec, information security

12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________

False - likelihood

12. Most information security projects require a trained project developer. _________________________

False - manager

11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________

False - milestones

6. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________

False - surfing

10. An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________

False - technical

8. InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________

False - technology

10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________

False - threat

9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________

False - transference

14. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________

False - vulnerabilities

8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________

False - vulnerabilities

1. Policies must specify penalties for unacceptable behavior and define an appeals process.

True

1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.

True

1. Small organizations spend more per user on security than medium- and large-sized organizations.

True

10. Each organization has to determine its own project management methodology for IT and information security projects.

True

11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________

True

12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________

True

12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________

True

13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.

True

14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________

True

2. A clearly directed strategy flows from top to bottom rather than from bottom to top.

True

8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________

True

9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________

True

9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.

True

25. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

a. (ISC)²

19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

a. A security technician

34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.

a. Board Risk Committee

30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk; what is another?

a. Cost of prevention

34. Which of the following is not among the 'deadly sins of software security'?

a. Extortion sins

22. ISO 27014:2013 is the ISO 27000 series standard for ____________.

a. Governance of Information Security

17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

a. Hold regular meetings with the CIO to discuss tactical InfoSec planning

19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?

a. Initiating

19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

a. Policy Review and Modification

28. What should you be armed with to adequately assess potential weaknesses in each information asset?

a. Properly classified inventory

17. The identification and assessment of levels of risk in an organization describes which of the following?

a. Risk analysis

12. Which of the following is true about planning?

a. Strategic plans are used to create tactical plans

16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

a. Systems testing

16. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

a. The Electronic Communications Privacy Act of 1986

18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

a. issue-specific

21. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

a. organization

36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.

a. penetration tester

27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

a. qualitative assessment of many risk components

32. "4-1-9" fraud is an example of a ____________________ attack.

a. social engineering

11. Which type of planning is the primary tool in determining the long-term direction taken by an organization?

a. strategic

22. Which of the following are the two general groups into which SysSPs can be separated?

a. technical specifications and managerial guidance

37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.

a. vulnerability assessment

24. Which of the following is NOT an aspect of access regulated by ACLs?

b. where the system is located

19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?

c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset

14. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?

c. For political advantage

17. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

c. HIPAA

13. Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

c. Health Information Technology for Economic and Clinical Health Act

25. Which of the following is the first step in the process of implementing training?

c. Identify program scope, goals, and objectives

16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

c. Legal management must develop corporate-wide standards

29. Which of the following is an example of a technological obsolescence threat?

c. Outdated servers

23. Which of the following is the first step in the problem-solving process?

c. Recognize and define the problem

15. The basic outcomes of InfoSec governance should include all but which of the following?

c. Time management by aligning resources with personnel schedules and organizational objectives

31. What is defined as specific avenues that threat agents can exploit to attack an information asset?

c. Vulnerabilities

21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?

c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

19. What do audit logs that track user activity on an information system provide?

c. accountability

30. Which of the following is not a step in the FAIR risk management framework?

c. assess control impact

39. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

c. back door

25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?

c. configuration rules

32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?

c. cost avoidance

16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.

c. data users

26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

c. evaluating alternative strategies

30. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.

c. hoaxes

10. Which of the following explicitly declares the business of the organization and its intended areas of operations?

c. mission statement

29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

c. monitoring and measurement

20. GGG security is commonly used to describe which aspect of security?

c. physical

17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

c. planning

11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?

c. policy should be agreed upon by all employees and management

12. Which subset of civil law regulates the relationships among individuals and among individuals and organizations?

c. private

21. What is the SETA program designed to do?

c. reduce the occurrence of accidental security breaches

22. A SETA program consists of three elements: security education, security training, and which of the following?

c. security awareness

32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians is known as a(n) ____________.

c. security manager

33. Which of the following is NOT an alternative to using CBA to justify risk controls?

c. selective risk avoidance

31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.

c. team leader

24. Advanced technical training can be selected or developed based on which of the following?

c. technology product

28. Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

c. trespass

23. Which of the following is a key advantage of the bottom-up approach to security implementation?

c. utilizes the technical expertise of the individual administrators

18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

d. Calculating the severity of risks to which assets are exposed in their current setting

17. Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?

d. Confidentiality

20. Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?

d. DMCA

28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?

d. Delphi

19. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?

d. Deontological ethics

15. Which policy is the highest level of policy and is usually created first?

d. EISP

20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

d. IP address

28. Which of the following is an advantage of the formal class method of training?

d. Interaction with trainer is possible

26. What is the final step in the risk identification process?

d. Listing assets in order of importance

23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

d. Manufacturer's model or part number

14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?

d. Operational

13. Which of the following variables is the most influential in determining how to structure an information security program?

d. Organizational culture

22. Which of the following attributes does NOT apply to software information assets?

d. Product dimensions

27. Which of the following is a disadvantage of the one-on-one training method?

d. Resource intensive, to the point of being inefficient

15. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?

d. The Computer Security Act

29. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.

d. Trojan horses

34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

d. Uncertainty

23. What are the two general methods for implementing technical controls?

d. access control lists and configuration rules

22. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

d. common good

26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

d. investigation

33. Which of the following is true about a company's InfoSec awareness Web site?

d. it should be tested with multiple browsers

22. Which of the following affects the cost of a control?

d. maintenance

22. In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

d. man-in-the-middle

39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

d. managerial controls

15. Communications security involves the protection of which of the following?

d. media, technology, and content

17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

d. mitigation

25. Which of the following is NOT a primary function of Information Security Management?

d. performance

20. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?

d. planning

29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?

d. policy administrator

34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?

d. risk determination

32. Which of the following is the most cost-effective method for disseminating security information and news to employees?

d. security newsletter

13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?

d. tactical

14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?

d. the proper operation of equipment

14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

d. they have larger information security needs than a small organization

25. In which model of the SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?

d. traditional waterfall

