CS 307 2
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
Establishing
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False
Because it sets out general business intentions, a mission statement does not need to be concise.
False
Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.
False
The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
False
Blackmail threat of informational disclosure is an example of which threat category?
Information extortion
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
Which of the following is an information security governance responsibility of the Chief Security Officer?
Set security policy, procedures, programs and training
Which of the following is true about planning?
Strategic plans are used to create tactical plans
The basic outcomes of InfoSec governance should include all but which of the following?
Time management by aligning resources with personnel schedules and organizational objectives
A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
In which phase of the SecSDLC does the risk management task occur?
analysis
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
back door
A ____________ overflow is an application error that occurs when the system can't handle the amount of data that is sent.
buffer
Which type of attack involves sending a large number of connection or information requests to a target?
denial-of-service (DoS)
The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
event-driven
What is the first phase of the SecSDLC?
investigation
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
managerial controls
Which of the following explicitly declares the business of the organization and its intended areas of operations?
mission statement
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
not operational
In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
penetration
A(n) ___________ attack enables an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries.
timing
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
In which model in the SecSDLC do the work products of each phase fall into the next phase to serve as its starting point?
waterfall