Ch. 4

A cold site provides many of the same services and options of a hot site, but at a lower cost.

False

A(n) differential backup only archives the files that have been modified that day, and thus requires less space and time than a full backup.

False

A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people.

False

A(n) strategic information security policy is also known as a general security policy, and sets the strategic direction, scope, and tone for all security efforts.

False

Guidelines are detailed statements of what must be done to comply with policy.

False

In 2016, NIST published a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States, based on vendor-specific technologies.

False

The ISSP is a plan which sets out the requirements that must be met by the information security blueprint or framework.

False

The complete details of ISO/IEC 27002 are widely available to everyone.

False

The operational plan documents the organization's intended long-term direction and efforts for the next several years.

False

The security framework is a more detailed version of the security blueprint.

False

When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?

The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.

false

The key components of the security perimeter include firewalls, DMZs (demilitarized zones), Web servers, and IDPSs.

false

The security model is the basis for the design, selection, and implementation of all security program elements, including policy implementation and ongoing policy and program management.

false

An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.

framework

Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training, and rehearsal.

True

Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct.

True

________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

managerial

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.

people

RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.

redundant

The ISO/IEC 27000 series is derived from an earlier standard, BS7799.

true

A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________.

All of the above

According to NIST SP 800-14's security principles, security should ________.

All of the above

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.

Blueprint

_________ controls address personnel security, physical security, and the protection of production inputs and outputs.

Operational

__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.

Redundancy

A service bureau is an agency that provides a service for a fee.

True

Some policies may also need a(n) sunset clause indicating their expiration date.

True

To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards.

True

A(n) _________ is a document containing contact information for the people to be notified in the event of an incident.

alert roster

Redundancy can be implemented at a number of points throughout the security architecture, such as in ________.

all of the above

The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?

all of these are BIA stages

A ____ site provides only rudimentary services and facilities.

cold

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.

database shadowing

__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

defense in depth

A hard drive feature known as "hot swap" is a RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails.

false

A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.

false

A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions.

false

Every member of the organization's InfoSec department must have a formal degree or certification in information security.

false

One of the basic tenets of security architectures is the layered implementation of security, which is called defense in redundancy.

false

Systems-specific security policies are organizational policies that provide detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

false

In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.

identify and prioritize opportunities for improvement within the context of a continuous and repeatable process

The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."

management

A security policy should begin with a clear statement of purpose.

true

A(n) capability table specifies which subjects and objects users or groups can access.

true

Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program.

true

Good security programs begin and end with policy.

true

Technical controls are the tactical and technical implementations of security in the organization.

true

The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area.

true

The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.

true

The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification.

true

The stated purpose of ISO/IEC 27002 is to offer guidelines and voluntary directions for information security management.

true

To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.

true

You can create a single, comprehensive ISSP document covering all information security issues.

true
