Cengage Final Exam Review Pt.1 (Modules 1-4)

Redundancy can be implemented at a number of points throughout the security architecture, such as in _____. (Choices: firewalls; proxy servers; access controls; all of the above)

All of the above

"Knowing yourself" means identifying, examining, and understanding the threats facing the organization's information assets. (T/F)

False

An advance-fee fraud attack involves the interception of cryptographic elements to determine keys and encryption algorithms. (T/F)

False

Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse. (T/F)

False

Risk mitigation is the process of assigning a risk rating or score to each information asset. (T/F)

False

The bottom-up approach to information security has a higher probability of success than the top-down approach. (T/F)

False

The operational plan documents the organization's intended long-term direction and efforts for the next several years. (T/F)

False

The primary mission of information security is to ensure that systems and their content retain their confidentiality. (T/F)

False

The security framework is a more detailed version of the security blueprint. (T/F)

False

With the removal of copyright protection mechanisms, software can be easily and legally distributed and installed. (T/F)

False

The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines is called _____. (Choices: Information Security Management and Professionals; Executive Management; Information Technology Management and Professionals; Organizational Management and Professionals)

Information Technology Management and Professionals

The EISP component of _____ provides information on the importance of information security in the organization and the legal and ethical obligation to protect critical information about customers, employees, and markets. (Choices: Statement of Purpose; Need for Information Security; Information Security Responsibilities and Roles; Information Security Elements)

Need for Information Security

_____ is any technology that aids in gathering information about a person or organization without their knowledge. (Choices: a Trojan; spyware; a bot; a worm)

Spyware

_____ often function as standards or procedures to be used when configuring or maintaining systems. (Choices: SysSPs; ISSPs; ESSPs; EISPs)

SysSPs

The _____ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network. (Choices: FTP; TCP; HTTP; WWW)

TCP

A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information. (T/F)

True

Exposure factor is the expected percentage of loss that would occur from a particular attack. (T/F)

True

Good security programs begin and end with policy. (T/F)

True

Some policies may also need a sunset clause indicating their expiration date. (T/F)

True

Technical mechanisms like digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media have been used to deter or prevent the theft of software intellectual property. (T/F)

True

The organization should adopt naming standards that do not convey information to potential system attackers. (T/F)

True

Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. (Choices: benefit; appetite; residual; acceptance)

appetite

A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack. (Choices: review; investigation; search; assessment)

assessment

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security _____. (Choices: standard; policy; blueprint; plan)

blueprint

Human error or failure often can be prevented with training, ongoing awareness activities, and _____. (Choices: threats; hugs; controls; paperwork)

controls

A server would experience a(n) _____ attack when a hacker compromises it to acquire information via a remote location using a network connection. (Choices: direct; hardware; software; indirect)

direct

Understanding the _____ context means understanding the impact of elements such as the business environment, the legal/regulatory/compliance environment, as well as the threat environment. (Choices: internal; external; risk evaluation; design)

external

A short-term interruption in electrical power availability is known as a _____. (Choices: brownout; fault; blackout; lag)

fault

Which of these is NOT a unique function of information security management? (Choices: planning; policy; hardware; programs)

hardware

The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as _____. (Choices: communications security; physical security; network security; information security)

information security

The probability that a specific vulnerability within an organization will be attacked by a threat is known as _____. (Choices: likelihood; externality; potential; determinism)

likelihood

The average amount of time until the next hardware failure is known as _____. (Choices: mean time to diagnose (MTTD); mean time to failure (MTTF); mean time to repair (MTTR); mean time between failure (MTBF))

mean time to failure (MTTF)

Individuals who control and are responsible for the security and use of a particular set of information are known as data _____. (Choices: custodians; owners; users; trustees)

owners

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the _____ side of the organization. (Choices: operational; people; technology; Internet)

people

The protection of tangible items, objects, or areas from unauthorized access and misuse is known as _____. (Choices: communications security; network security; information security; physical security)

physical security

A table of hash values and their corresponding plaintext values used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) _____. (Choices: dictionary; crib; rainbow table; crack file)

rainbow table
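The lookup table described in the question above, as an added example that is not part of the original study set: a small chain-based rainbow table over four-character lowercase passwords. The SHA-256 digest, the alphabet, the chain length and the reduction function are all assumptions chosen here for illustration; real tables cover far larger password spaces, but the mechanics (store only chain endpoints, recompute a chain when an endpoint matches) are the same. The last function call also shows why a per-user salt defeats a precomputed table: the salted digest never matches any plaintext in any chain.

```python
import hashlib
import itertools
import string

# Assumptions for this example: a tiny password space and an unsalted
# SHA-256 "encrypted password file".
ALPHABET = string.ascii_lowercase
PW_LEN = 4
CHAIN_LEN = 50
SPACE = len(ALPHABET) ** PW_LEN


def h(password: str) -> str:
    """Unsalted hash, as a stolen password file might hold it."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt: str, password: str) -> str:
    """Salted variant: every user's digest differs, so no precomputed table applies."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def reduce_to_password(digest: str, column: int) -> str:
    """Map a digest back into the password space.

    The column index is mixed in so each position in a chain uses a
    different reduction, which limits chains merging after a collision.
    """
    n = (int(digest[:16], 16) + column) % SPACE
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def default_start_points(count: int):
    """First `count` passwords in lexical order, used as chain start points."""
    for i, chars in enumerate(itertools.product(ALPHABET, repeat=PW_LEN)):
        if i >= count:
            return
        yield "".join(chars)


def build_table(start_points) -> dict:
    """Compute each chain p_0 .. p_CHAIN_LEN but store only endpoint -> [starts].

    p_(j+1) = reduce(h(p_j), j). Storing endpoints only trades disk for
    the recomputation done at lookup time.
    """
    table = {}
    for start in start_points:
        pw = start
        for column in range(CHAIN_LEN):
            pw = reduce_to_password(h(pw), column)
        table.setdefault(pw, []).append(start)  # merged chains keep every start
    return table


def lookup(table: dict, target_digest: str):
    """Return the plaintext for target_digest if some chain covers it, else None."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Suppose the target digest sits at this column; walk to the chain's end.
        pw = reduce_to_password(target_digest, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_to_password(h(pw), later)
        for start in table.get(pw, ()):
            # Known endpoint: regenerate that chain and test each plaintext.
            cand = start
            for col in range(CHAIN_LEN):
                if h(cand) == target_digest:
                    return cand
                cand = reduce_to_password(h(cand), col)
    return None  # not covered by any chain, or the digest was salted


if __name__ == "__main__":
    table = build_table(default_start_points(2000))
    covered = reduce_to_password(h("aaaa"), 0)  # second plaintext of the "aaaa" chain
    print("unsalted lookup:", lookup(table, h(covered)))
    print("salted lookup:  ", lookup(table, salted_hash("s3", covered)))
```

Coverage is probabilistic: a password is recovered only if it appears in one of the stored chains, which is why real tables use millions of chains and why a unique salt per account, which multiplies the space the attacker would have to precompute by the number of possible salts, is the standard countermeasure.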

A computer is the _____ of an attack when it is used to conduct an attack against another computer. (Choices: facilitator; subject; object; target)

subject

_____ signifies how often you expect a specific type of attack to occur. (Choices: ARO; SLE; CBA; ALE)

ARO

_____ risk treatment is a strategy to do nothing to protect a vulnerability and to accept the outcome of its exploitation. (Choices: Mitigation; Transference; Acceptance; Defense)

Acceptance
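Worked example, added here and not part of the study set, of how the exposure factor, SLE, ARO and ALE items above fit together, and how a cost-benefit result decides between the defense and acceptance treatments. The formulas are the textbook's (SLE = AV x EF; ALE = SLE x ARO; CBA = ALE before the control minus ALE after it minus the control's annual cost); the asset values, factors and control costs are constructed sample figures.

```python
from dataclasses import dataclass

# Quantitative risk formulas:
#   SLE = AV x EF                       single loss expectancy
#   ALE = SLE x ARO                     annualized loss expectancy
#   CBA = ALE(prior) - ALE(post) - ACS  cost-benefit of a safeguard
# Every figure below is a constructed sample value, not data from the study set.


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one successful attack
    aro: float              # ARO, expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # ACS, yearly cost of the safeguard
    ef_after: float     # EF once the control is in place
    aro_after: float    # ARO once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    return sle(asset_value, exposure_factor) * aro


def evaluate(scenario: Scenario, control: Control) -> dict:
    """Compare loss expectancy with and without the control and pick a treatment."""
    prior = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    post = ale(scenario.asset_value, control.ef_after, control.aro_after)
    cba = prior - post - control.annual_cost
    treatment = "defense" if cba > 0 else "acceptance"
    return {"asset": scenario.asset, "control": control.name,
            "ale_prior": prior, "ale_post": post, "cba": cba,
            "treatment": treatment}


def rank_by_ale(scenarios) -> list:
    """Asset names ordered by annualized loss, highest first: the order to treat them."""
    return [s.asset for s in sorted(
        scenarios, key=lambda s: ale(s.asset_value, s.exposure_factor, s.aro),
        reverse=True)]


# Constructed scenarios: a breach of a customer-facing web server, and power
# faults hitting an ordinary workstation.
WEB = Scenario("web server", asset_value=200_000, exposure_factor=0.5, aro=0.5)
WORKSTATION = Scenario("workstation", asset_value=3_000, exposure_factor=0.1, aro=4.0)

WAF_AND_PATCHING = Control("WAF + patch management", annual_cost=12_000,
                           ef_after=0.2, aro_after=0.1)
DESK_UPS = Control("desk UPS", annual_cost=1_500, ef_after=0.02, aro_after=4.0)


if __name__ == "__main__":
    print(rank_by_ale([WORKSTATION, WEB]))
    for result in (evaluate(WEB, WAF_AND_PATCHING), evaluate(WORKSTATION, DESK_UPS)):
        print(result)
```

With these figures the web-server control saves 46,000 a year against a 12,000 cost, so it is justified (defense), while the UPS costs more than the 960 of loss it avoids, so the residual power-fault risk is accepted; the same arithmetic with different constructed inputs can flip either decision.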
