3044 Exam 2


Dumpster exploitation is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. ____________

False

MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.

False

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

False

The IT community often takes on the leadership role in addressing risk.

False

A well-defined risk appetite should have the following characteristics EXCEPT

It is not limited by stakeholder expectations.

What does it mean to "know the enemy" with respect to risk management?

Know the enemy refers to knowing the possible threats associated with the information assets of any given organization. Knowing the enemy gives an organization an advantage in protecting its valuable information assets.

NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as

governance

The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk

identification

Which of the following is the first step in the process of implementing training?

identify program scope, goals, and objectives

Which of the following affects the cost of a control?

maintenance

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

need-to-know

Which type of access controls can be role-based or task-based?

nondiscretionary

Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security.

11

Smaller organizations tend to spend approximately ______________ percent of the total IT budget on security.

20%

The ________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.

?

Which of the following is NOT a part of an information security program?
technologies used by an organization to manage the risks to its information assets
activities used by an organization to manage the risks to its information assets
personnel used by an organization to manage the risks to its information assets

All of these are part of an information security program.

In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact) is known as _____. It is the product of the asset's value and the exposure factor.

SLE

Access controls are built on three key principles. List and briefly define them.

Separation of duties: This principle divides the role of the member so that they have a specific set of tasks to accomplish with a specific set of data.
Least privilege: The least privilege principle is based on the fact that people are not allowed to view data simply because it falls within their level of clearance.
Need-to-know: The need-to-know principle limits a user's access to the specific information required to perform the currently assigned task.

Describe operational feasibility

Solving problems with new systems

Explain the conflict between the goals and objectives of the CIO and the CISO

The goal of the CIO is to implement IT and ensure its secure operation, whereas the goal of the CISO is to ensure the security of the company's information assets and take steps to protect them.

Due care and due diligence occur when an organization adopts a certain minimum level of security, that is, what any prudent organization would do in similar circumstances.

True

On-the-job training can result in substandard work performance while the trainee gets up to speed.

True

Projectitis is a phenomenon in which the project manager spends more time documenting project tasks than in accomplishing meaningful project work.

True

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.

True

All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT
When a vulnerability exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being exploited.
When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

Which of the following activities is part of the risk identification process?

assigning a value to each information asset

The goal of a security ____________ program is to keep information security at the forefront of users' minds on a daily basis.

awareness

Classification categories must be ____ and mutually exclusive.

comprehensive

Classification categories must be mutually exclusive and which of the following?

comprehensive

An ATM that limits what kinds of transactions a user can perform is an example of which type of access control?

constrained user interface

____ is the financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.

cost avoidance

____ channels are unauthorized or unintended methods of communications hidden inside a computer system, including storage and timing channels.

covert

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________.

dumpster diving

____ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.

projectitis

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

qualitative assessment of many risk components

What is the risk to information assets that remains even after current controls have been applied?

residual risk

The identification, analysis, and evaluation of risk in an organization describes which of the following?

risk assessment

A SETA program consists of three elements: security education, security training, and which of the following?

security awareness

Which of the following is NOT an alternative to using CBA to justify risk controls?

selective risk avoidance

A time-release safe is an example of which type of access control?

temporal isolation
