463 set
The struggle between how to manage a business versus how to "grow" it has significant implications for security policies, which must reflect the core values of the business. Which of the following statements reflects one of the security policy approaches often taken by entrepreneurs growing a business? - A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk. - A company in its early startup stages focuses on stability and seeks to avoid risk. - A company starts growing its bureaucracy as early in its development as possible. - A company in its startup stages often hires professional managers and defers to their judgment about how to create the business culture.
A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk.
A(n) _____ is a formal written policy describing employee behavior when using company computer and network systems. - nondisclosure agreement - confidentiality agreement - acceptable use policy - waiver request
Acceptable use policy (AUP)
True or False? Compliance can be defined as the ability to reasonably ensure conformity and adherence to both internal and external policies, standards, procedures, laws, and regulations.
True
which of the following statements states the difference between business liability and business legal obligation?
Business liability occurs when a company fails to meet its obligation to its employees and community. A business's legal obligation is an action that it is required to take in compliance with the law.
In an issue-specific standard, the __________ section defines a security issue and any relevant terms, distinctions, and conditions. - Definition of Roles and Responsibilities - Statement of Applicability - Statement of the Organization's Position - Statement of an Issue
Statement of an Issue
Organizations can use common core security principles recommended as industry best practices when developing policies, standards, baselines, procedures, and guidelines. Which principle specifies that all personnel, assigned agents, and third-party providers should act in a timely manner to prevent and to respond to security breaches? - Awareness principle - Adversary principle - Defense-in-depth principle - Timeliness principle
Timeliness principle
__________ is designed to eliminate as many security risks as possible. It limits access credentials to the minimum required to conduct any activity and ensures that access is authenticated to particular individuals. - Social engineering - An integrated audit - Escalating - Hardening
Hardening
__________ is a law that requires the digital, rather than manual, exchange of records between entities such as an insurance company and a doctor's office. - The Federal Information Security Management Act (FISMA) - The Sarbanes-Oxley (SOX) Act - The Gramm-Leach-Bliley Act (GLBA) - The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA)
True or False? The COBIT Monitor, Evaluate, and Assess domain looks at specific business requirements and strategic direction and determines whether the system still meets these objectives.
True
True or False? ISO/IEC 38500 provides guidance for managing IT governance.
True
In order for an IT security framework to meet information assurance needs, the framework needs to include policies for several areas. Which of the following is not one of the areas? - Automation of security controls, where possible - Implementation of appropriate accounting and other integrity controls - Calculations for risk appetite and risk tolerance - Assurance of a level of uptime of all systems
NOT - Assurance of a level of uptime of all systems
Which of the following business benefits is the result of verifying that controls are working? - defines the scope of the compliance being measured - defines the impact to the business if the goals are not achieved - defines the effectiveness of the controls being measured - defines how the policy will be enforced
Defines the effectiveness of the controls being measured (verifying that a control operates as designed is what tells you how effective it is; it does not by itself define scope, impact, or enforcement)
During the COBIT ______ domain phase the service level agreement (SLA) plays a significant role because it determines the type of solutions that will be selected. Additionally, change management is critical to this phase. - Monitor, Evaluate, and Assess - Build, Acquire, and Implement - Align, Plan, and Organize - Deliver, Service, and Support
Build, Acquire, and Implement (BAI)
All of the following are true of insiders, except: - an insider may be motivated by money. - due to the nature of their positions, IT technical staff cannot be considered insiders. - an insider may have a sense of entitlement, "taking" rewards he or she feels have been earned. - employees, consultants, contractors, and vendors may be insiders.
due to the nature of their positions, IT technical staff cannot be considered insiders.
True or False? A benefit to giving system administrators enhanced access rights is that it significantly increases security to the organization. false true
false
True or False? The phrase "tone at the top" refers to the ways that a company's leaders express their commitment to security policies and make sure every employee knows the priorities.
True
True or False? A confidentiality agreement (CA) is a non-legal agreement between human resources and employees.
False (a confidentiality agreement is a legally binding contract)
True or False? A physical control refers to some physical device that prevents or deters access.
True
It is recommended that system administrators analyze logs to determine whether the logs have been altered, because monitoring can deter risk. To serve this goal, a ______ can be used to assemble logs from platforms throughout a network. - chain of custody - log chain - trouble ticket system - log server
Log server (a central log server also makes tampering on the originating host easier to detect, since the forwarded copy no longer depends on that host's local log files)
ISO/IEC 27002, "Information Technology - Asset management - Physical and environmental security - Access control - Operations security
not asset management maybe operations security
during which phase of business process reengineering (BPR) are new policies written or current ones are updated? - phase 1 :plan - phase 3: research and benchmarking - phase 4 : Develop the future process - phase 2: Create/refine process baseline
phase 4: develop the future process
True or False? Control partner network access should be highly prohibiting, allowing access to specific functions. true false
true
True or False? ISO/IEC 27002 covers the three aspects of the information security management program: managerial, operational, and technical activities. true false
true
True or False? In a large organization, the vendor management team manages security concerns with vendors and third parties. true false
true
True or False? The ability to measure the enterprise against a fixed set of standards and controls assures regulators of compliance and helps reduce uncertainty. true false
true
True or False? Under the proportionality principle, a common core security principle, security levels, costs, practices, and procedures are appropriate and proportionate to the degree of reliance on the system and the value of the data. true false
true
True or False? Whereas least privileges customize access to the individual, best fit privileges typically customize access to groups or classes of users. true false
true
True or False? The legal concept of nonrepudiation provides assurance that an individual cannot deny having digitally signed a document or having been party to a transaction.
True
Policies and standards often change as a result of business drivers. Which of the following drivers is most closely related to an organization that changes its business model and comes under new regulatory requirements? - legal change - business exception - strategic change - business technology innovation
Strategic change (a change in the business model is a strategic change; the new regulatory requirements follow from it)
It is important for an organization to determine how it wants to manage __________, which means how to group various tasks, and __________, which relates to the number of layers and number of direct reports found in an organization. - division of labor, separation of duties -separation of duties, flat organizational structure -division of labor, span of control - span of control, division of labor
- division of labor, span of control
An acceptable use policy (AUP) defines the intended uses of computers and networks. This policy delimits unacceptable uses and the consequences for policy violation. Which of the following is not likely to be found in an AUP? - Level of privacy an individual should expect - Managing intellectual property - Managing passwords - Level of upward mobility an individual should expect
Level of upward mobility an individual should expect
When is the best time to implement security policies to help developers diminish the number of vulnerabilities in an application? - While the application is used by end users - While the application is being developed - After the first prototype of the application is completed and has been submitted for stakeholder review - After application development is completed
While the application is being developed
True or False? The term compliance refers to how well an individual or business adheres to a set of rules.
True
Within the User Domain of a typical IT infrastructure is a range of user types. Each type has specific and distinct access needs. Which of the following types of users are external to the organization, provide services to the organization, and are not directly managed by the organization? - control partners - vendors - contractors - system administrators
Vendors
The term "critical infrastructure" refers to key elements of the country's transportation, energy, communications, and banking systems. Which of the following is not an example of critical infrastructure? - power companies - large banks - public universities - oil and gas pipelines
public universities
Although it is impossible to eliminate all business risks, a good policy can reduce the likelihood of a risk occurring or reduce its impact. A business must find a way to balance a number of competing drivers. Which of the following is not one of the drivers? - cost - customer satisfaction - - compliance
Regulation
In order to be thoughtful about the implementation of security policies and controls, leaders must balance the need to reduce __________ with the impact to the business operations. Doing so could mean phasing security controls in over time or be as simple as aligning security implementation with the business's training events. - risk - productivity - staff count - costs
risk
Several U.S. compliance laws provide confidence in the financial markets. __________ are the primary beneficiaries of these laws. - shareholders - national security organizations - consumers - public interest groups
shareholders
Which of the following statements captures an example of a manager tapping into pride as a source of motivation? - "The supervisor is requiring that I inform you that you need to complete this task because the person originally assigned is not available." - "It is necessary that you complete this task because not doing so would result in disciplinary action." - "It's really important that you complete this task because it is one of your roles and responsibilities." - "It is really important that you complete this task because the team values your contributions and would benefit from your input."
"It is really important that you complete this task because the team values your contributions and would benefit from your input."
The ___________ domain of the ISACA Risk IT framework provides a business view and context for a risk evaluation. The _______ domain ensures that technology risks are identified and presented to leadership in business terms. - risk governance, risk response - risk governance, risk evaluation - risk evaluation, risk governance - risk response, risk evaluation
Risk governance, risk evaluation
Which of the following policy frameworks is a widely accepted set of documents that is commonly used as the basis for an information security program and is an ISACA initiative? - ISO/IEC 27002 - Control Objectives for Information and related Technology (COBIT) - NIST SP 800-53 - ISO/IEC 30105
Control Objectives for Information and related Technology (COBIT)
__________ is a security framework for any organization that accepts, stores, or processes credit cards. - PCI DSS - COSO - COBIT - ISO
PCI DSS
The SOX Act created the __________, which sets accounting and auditing standards. - Committee of Sponsoring Organizations (COSO) - Family Educational Rights and Privacy Act (FERPA) -Public Company Accounting Oversight Board (PCAOB) -Control Objectives for Information and related Technology (COBIT)
Public company accounting oversight board
A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components: the carrot and the stick.
The carrot aims to educate the employee about the importance of security policies; the stick reminds the employee of the consequences of not following policy.
__________ in e-commerce broadly deal with creating rules on how to handle a consumer's transaction and other information. - security controls - Shareholder rights - Personal privacy - Consumer rights
consumer rights
True or False? The dollars spent for security measures to control or contain losses should never be less than the estimated dollar loss if something goes wrong. true false
false
true or false? a mitigating control achieves the desired outcome and policy intent
false
true or false? a policy is a process or method for implementing a solution
false
True or False? COSO is an international governance and controls framework and a widely accepted standard for assessing, governing, and managing IT security and risks.
False (that description fits COBIT; COSO is the Committee of Sponsoring Organizations framework for internal control and enterprise risk management)
which of the following provides temporary elevated access to unprivileged users? - firecall-ID - trouble ticket - best fit access - whaling
firecall-id
Implementing security policies is easier if you manage it from a change model perspective. Which of the following change model steps requires leadership to back you and to establish a tone at the top for the need for the security policy? - create a vision for change - form a powerful coalition - create urgency - remove obstacles
Form a powerful coalition
When writing a _______, one could state how often a supplier will provide a service or how quickly a firm will respond. For managed services, this document often covers system availability and acceptable performance measures. - service level agreement - standard - policy - policy framework
Service level agreement (SLA)
True or False? A preventive control limits the impact to the business by correcting a vulnerability.
False (a preventive control stops an event from occurring; limiting impact by correcting a vulnerability describes a corrective control)
Which of the following is least likely to protect digital assets? - security policies - HR policies - data labeling and classification - inventory tools
idk, probably HR policies
True or False? The public sector and the private sector share the same definition of data privacy.
idk true
True or False? The terms "safeguard" and "countermeasure" are used synonymously with "control."
True
True or False? Business liability insurance lowers the financial loss to an organization in the event of an incident.
True
Carl is a security professional. He needs to ensure the confidentiality of his company's emails. Which of the following would be least helpful in ensuring confidentiality? - Create an objective of ensuring that all sensitive information is protected against eavesdropping. - Create a procedure that describes how to back up stored emails. - Require that all emails containing sensitive information be encrypted. - Ensure that only authorized individuals have access to the decryption key for encrypted emails.
Create a procedure that describes how to back up stored emails (backup procedures serve availability, not confidentiality)
Bill is promoted to a position that has an elevated level of trust. He started with the organization in an entry-level position, then moved to a supervisory position, and finally to a managerial role. This role entails that the employee trains other employees and has a deep understanding of how the department functions. Which of the following actions should be taken to provide adequate access for Bill without making him a target of suspicion? - Bill should be granted access based on his current and past roles. - Because Bill needs to train other employees, he should keep the access granted in his previous roles. - Bill should have prior access removed to ensure separation of duties and avoid future instances of security risk. - Bill should request that his access be downgraded.
Bill should have prior access removed to ensure separation of duties and avoid future instances of security risk (accumulating rights across roles, sometimes called privilege creep, is exactly what role-change reviews are meant to prevent)
All of the following are general rules and guidelines for handling privacy data, except: - an organization should remember that it has both a legal and an ethical responsibility to its customers. - well-written policies, rather than focusing on one law, will tend to satisfy regulatory requirements by fostering sound security practices across the enterprise. - organizations should protect customers' personal information even when a law does not explicitly call for privacy controls. - whenever an organization handles personal information, the organization should be sure its security policies and controls protect senior management.
Whenever an organization handles personal information, the organization should be sure its security policies and controls protect senior management (the controls should protect the customer, not management; the other three statements are genuine guidelines)
NIST SP 800-53, "Recommended Security Controls for Federal Information Systems," was written using a popular risk management approach. Which of the following control areas best fits this description: "This is the area in which information and information system flaws are identified, reported, and corrected in a timely manner"? - System and Information Integrity - System and Communications Protection - System and Services Acquisition - Maintenance
System and Information Integrity (the SI family; flaw remediation is control SI-2)
All of the following are true of IT policy frameworks, except: - an IT policy framework should be fully accessible by executives and managers, with relevant highlights shared with general employees. - an IT policy framework includes policies, standards, baselines, procedures, guidelines, and a taxonomy. - you can measure success by how well the framework helps reduce risk to the organization. - the framework must define the business as usual (BAU) activities and accountabilities needed to ensure information security policies are maintained.
An IT policy framework should be fully accessible by executives and managers, with relevant highlights shared with general employees (this is the false statement; the framework should be accessible to all employees, since they are the ones expected to follow it)
At some point, __________ accounts become a type of user account and must be managed appropriately. - system - service - sensitive - contingent
Service
Imagine a scenario in which an employee feels compelled by management to regularly shirk the organization's established security policies in favor of convenience. What does this employee's continued violation suggest about the culture of risk management in the organization? - The organization does not believe security policy training is valuable. - The organization does not terminate employees when needed. - The organization does not see its employees as risks. - The organization lacks a good risk culture wherein employees and managers have "bought in."
The organization lacks a good risk culture wherein employees and managers have "bought in."