SPM401-True,False

The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.

T

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy.

T

The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.

T

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

T

"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance.

F

A benchmark is derived by comparing measured actual performance against established standards for the measured category.

F

A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer.

F

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization schema.

F

A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.

F

A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet.

F

A signaling law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information.

F

A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.

F

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection.

F

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment.

F

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment.

F

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility.

F

Because it sets out general business intentions, a mission statement does not need to be concise.

F

Corruption of information can occur only while information is being stored.

F

DoS attacks cannot be launched against routers.

F

Ethics carry the sanction of a governing authority.

F

Examples of actions that illustrate compliance with policies are known as laws.

F

Having an established risk management program means that an organization's assets are completely protected.

F

ISACA is a professional association with a focus on authorization, control, and security.

F

In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence.

F

In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project.

F

Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy.

F

InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals.

F

It is the responsebility of InfoSec professionals to understand state laws and standards.

F

Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

F

MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.

F

Most information security projects require a trained project developer.

F

Non mandatory recommendations that the employee may use as a reference in complying with a policy.are known as regulations.

F

One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail.

F

Rule-based policies are less specific to the operation of a system than access control lists.

F

Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.

F

Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair.

F

Technology is the essential foundation of an effective information security program.

F

The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.

F

The ISA 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.

F

The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack.

F

The authorization process takes place before the authentication process.

F

The defense risk control strategy may be accomplished by outsourcing to other organizations.

F

The first step in solving problems is to gather facts and make assumptions.

F

The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.

F

The information technology management community of interest often takes on the leadership role in addressing risk.

F

The macro virus infects the key operating system files located in a computer's start up sector.

F

The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.

F

The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.

F

The probability that a specific vulnerability within an organization will be the target of an attack is known as risk.

F

The recognition, enumeration, and documentation of risks to an organization's information assets. is known as risk control.

F

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.

F

The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy.

F

The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.

F

The secretarial community often takes on the leadership role in addressing risk.

F

The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks.

F

The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication.

F

The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.

F

Threats from insiders are more likely in a small organization than in a large one.

F

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.

F

Values statements should therefore be ambiguous; after all, they are meant to express the aspirations of the organization.

F

When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment.

F

A clearly directed strategy flows from top to bottom rather than from bottom to top.

T

A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable.

T

A worm may be able to deposit copies of itself onto all web servers that the infected system can reach, so that users who subsequently thoese sites become infected.

T

A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures.

T

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA).

T

Deterrence is the best method for preventing an illegal or unethical activity.

T

Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances.

T

Due diligence requires that an organization make a valid and ongoing effort to protect others.

T

Each organization has to determine its own project management methodology for IT and information security projects.

T

Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.

T

Information security policies are designed to provide structure in the workplace and explain the will of the organization's management.

T

On-the-job training can result in substandard work performance while the trainee gets up to speed.

T

One of the goal of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal of the system.

T

Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.

T

Planners need to estimate the effort required to complete each task, subtask, or action step.

T

Policies must specify penalties for unacceptable behavior and define an appeals process.

T

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.

T

Small organizations spend more per user on security than medium- and large-sized organizations.

T

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

T

The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.

T

The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies.

T

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.

T

The InfoSec community often takes on the leadership role in addressing risk.

T

The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.

T

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

T