Cyber Policy and Ethics Final

Which of the following scenarios demonstrates consideration of building consensus on intent?

* A manager calls a meeting with employees to discuss the drivers for the change in terms of the architecture operating model and principles.

As employees find new ways to improve a system or process, it is important to have a way to capture their ideas. ________________________ can be understood as finding a better way or as a lesson learned.

* Continuous improvement

There are many IT security policy frameworks that can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks?

* GRC for IT operations, governance, risk management, and compliance

A key component to IT security is authorization, which is especially important in large, complex organizations with thousands of employees and hundreds of systems. Two methods of authorization are role-based access control (RBAC) and attribute-based access control (ABAC). Although RBAC and ABAC can provide the same access, which of the following is an advantage of ABAC?

* In ABAC, roles are expressed more in business terms and thus may be more understandable.

When publishing your policy and standards library, it is necessary to evaluate the communications tools that are available in your organization. Which of the following statements best captures one of the best practices for publishing your documents?

* It is a good idea to create separate Web pages for each document and provide a link to the document itself on that Web page.

It is important to create an IT security program structure that aligns with program and organizational goals and describes the operating and risk environment. Which of the following is one of the important issues for the structure of the information security program?

* Management and coordination of security-related resources

If a security policy clearly distinguishes the responsibilities of computer services providers from those of the managers of applications who use the computer services, which of the following goals is served?

* accountability

Generally, regardless of threat or vulnerability, there will ____________ be a chance a threat can exploit a vulnerability.

* always

A(n) ___________________ sets expectations on the use and security of mobile devices, whereas a(n) _________________ establishes a broad set of rules for approved conduct when a user accesses information on company-owned devices.

* corporate mobility policy, acceptable use policy

There are many distinct benefits to control measurement. Which of the following benefits is the result of determining which security controls to measure?

* defines the scope of the compliance being measured

It is important for an organization to determine how it wants to manage ____________________, which means how to group various tasks, and ____________________, which relates to the number of layers and number of direct reports found in an organization.

* division of labor, span of control

Of the roles commonly found in the development, maintenance, and compliance efforts related to a policy and standards library, which of the following has the responsibilities of directing policies and procedures designed to protect information resources, identifying vulnerabilities, and developing a security awareness program?

* information resources security officer

The Barings Bank collapsed in 1995 after it was found that an employee had lost over $1.3 billion of the bank's assets on the market. The collapse occurred when an arbitrage trader was responsible for both managing trades and guaranteeing that trades were settled and reported according to proper procedures. To which of the following causes is this collapse attributed?

* lack of separation of duties

If human action is required, the control is considered _______________.

* manual

In the ______________ principle adopted by many organizations, you gain access only to the systems and data you need to perform your job.

* need to know

Of the many factors one must consider to ensure security policies and controls align with regulations, ________________________ is/are important to demonstrate coverage of regulatory requirements because they show the importance of each security control.

* security control mappings

One of seven domains of a typical IT infrastructure is the user domain. Within that domain is a range of user types, and each type has specific and distinct access needs. Which of the following types of users has the responsibility of creating and putting into place a security program within an organization?

* security personnel

A typical data leakage protection program provides several layers of defense to prevent confidential data from leaving the organization. Which of the following is not one of the layers of defense?

* self-regulation

Implementing security policy means continuous communication with ___________________ and ensuring transparency about what's working and what's not working.

* stakeholders

Aside from human user types, there are two other non-human user groups. Known as account types, ________________ are accounts implemented by the system for the purpose of supporting automated service, and ___________________ are accounts that remain non-human until individuals are assigned access and can use them to recover a system following a major outage.

* system accounts, contingent IDs

In January 2013, two important changes were made to ___________________. First, it became easier to share records with child welfare agencies. Second, the change eliminates some requirements to notify parents when school records are being released.

* the Family Educational Rights and Privacy Act (FERPA)

Authentication of a workstation and encryption of wireless traffic are issues that belong to which of the following two domains?

* workstation and LAN

Because not all automated tools have the same functions, it is important to run tests on their effectiveness before making a financial or resource allocation investment. For example, if an organization is interested in discovery, which of the following questions is important to ask?

Can the system accurately locate systems on the network?

A ________________________ is a string of data associated with a file that provides added security, authentication, and nonrepudiation.

Digital Signature

Depending on staffing availability, the complexity of implementation, backlog, and how many approvals are needed, manual access requests can take weeks or days. Thus, automation can make the process far more efficient and minimize the time required. Which of the following is not one of the areas in which the time required can be reduced through automation?

Employee verifications—automated controls can be put in place to verify information on an employee's background.

Which of the following is not one of the outcomes of a wide acceptance of security awareness among employees?

Employees who have accepted security policies distinguish themselves from others in the organizational culture.

A vulnerability is a human-caused or natural event that could impact the system, whereas a risk is a weakness in a system that can be exploited.

False

All state laws and the federal government share the same definition of data privacy.

False

Although there are security tasks that can be achieved with specific tools, any tasks concerning IT security policy compliance need to address one basic concern: change and configuration management. This management is important because changes made to the system and enhancing configurations each affect the life cycle of a system.

False

As a statement of formal written policies describing employee behavior when using company computer and network systems, an acceptable use policies (AUPs) document is an important tool to create a legal partnership between the employer and employee.

False

Because employees always respond and react in relation to their environment, it is vital that front-line employees work to counteract the forces of peer pressure. Peer pressure is a negative influence on the security culture of an organization.

False

In general, the incident response team is managed and constructed by information security personnel, which can be directly or indirectly engaged in the three main IRT activities: discovery, IRT activation, and containment.

False

In the organizational structure, the vendor management team is responsible for managing security concerns involving third parties and vendors. This team conducts an assessment on a vendor before data leaves the organization and is processed by a third party. The concept of separation of duties is often put in place to ensure that data is verified before it leaves the organization.

False

It is human nature to resist working hard unless there is a material outcome to be gained, so the concept of organizational culture is used to identify shared beliefs that employees have regarding financial success.

False

It is rare that technology outages occur apart from a security breach.

False

Operational deviation can be avoided by implementing two controls: 1) the policy should be clearly communicated, and 2) the policy should cover specific topics.

False

Policies associated with risk management endorse a series of actions that enable an organization to be consistently conscious of risks. There are two efforts deployed: threat and vulnerability assessments and penetration testing.

False

SQL injections are attacks that result from the absence of separating high-risk assets on their own network segments.

False

The Sarbanes-Oxley (SOX) Act became law in 1999 and was meant to repeal existing laws so that banks, investment companies, and other financial services companies could merge.

False

The chief executive officer (CEO) usually approves and signs the information security program charter because the charter establishes the responsibility for information security within the organization. However, it is not important that senior leadership expresses support for the information security program. However, it is most important that the chief information security officer (CISO) approves and issues the framework for IT security policies.

False

The external connection committee supports the accepted use of architecture and technology by establishing architectural models to be observed by security policies. These models are constructed with security policies already embedded.

False

The front-line manager/supervisor plays a crucial role in enforcing disciplinary actions; these actions follow particular guidelines and should be applied in a fair and consistent manner.

False

The main difference between a guideline and a standard is that the former is a mandated control and the latter is a strong endorsement of a course of action.

False

The privacy policy emerged as a type of code of conduct. With the rise of social media, many businesses are concerned about employees posting information about the company on social media sites. For many organizations, posting any information about the business beyond the employee's name and title is strictly forbidden. (Reference: p. 81. Explanation: B is correct because the social networking policy has emerged as a type of code of conduct. Due to the rise of social media, many businesses are concerned about employees posting information about the company on social media sites. The privacy policy addresses the importance the organization places on protecting privacy.)

False

When discussing security policies and implementation tasks, one should follow a checklist with three items: things to do; things to pay attention to; and things to report.

False

_____________ risk is the possible outcome that can occur when an organization or business unsuccessfully addresses its fiscal obligations.

Financial

Of the many tools that can be used in training to connect with an audience of employees, _______________ can inspire a sense of fun that leads to community and commitment.

Humor

Of the different IRT roles, the _______________ is head of the team and issues the ultimate call regarding how to respond to an incident, whereas the __________________ role is to monitor and document all the activity that unfolds during an incident.

IRT manager, IRT coordinator's

Which of the following is the most important reason to solicit feedback from people who have completed security awareness training?

It helps discern that attendees can demonstrate knowledge gained through training.

One of the many roles of the security compliance committee is to focus on controls that are widely used across a large population of applications, systems, and operations. These types of controls are known as ___________________.

Pervasive Controls

A chain of custody is used to maintain a record of the life span of a user ID; this includes when an ID is assigned, reassigned, or deleted.

True

Because regulatory compliance is a significant effort, some organizations engage full-time teams to collect, review, and report in an attempt to demonstrate that regulations are being followed. However, creating these full-time teams redirects business protection resources needlessly. A better strategy is to create an IT policies framework that defines security controls that align with policies and regulations.

True

Continuous improvement relies on people telling you what is and isn't working, and a good source for this information is an employee departing a company.

True

Examples of strategic risk include an organizational merger or acquisition, a change in the customer, or a change in the industry.

True

In 2002, the U.S. Senate passed the Sarbanes-Oxley (SOX) Act, which was passed in the wake of the collapse of Enron, Arthur Andersen, WorldCom, and several other large firms. SOX requires publicly traded companies to maintain internal controls. The controls ensure the integrity of financial statements to the Securities and Exchange Commission (SEC) and shareholders. As a result of this mandate, these internal controls are now highly scrutinized.

True

In many organizations, there exists an established process for requesting changes. This process ensures that key players in organizations play a role in reviewing the requests for change and providing input using a shared intranet Web application. Such players involved in the review process are security experts, senior IT experts, disaster recovery experts, and management personnel.

True

Security frameworks establish behavior expectations and define policy. Policies cannot address every scenario employees will face, but strong training on the core principles that create those policies will equip employees to do their jobs successfully.

True

Telecommunications generally encompasses any service, technology, or system that facilitates transmission of information and data delivered electronically.

True

The Control Objectives for Information and related Technology (COBIT) is an IT governance framework developed by ISACA that includes resources to support bridging the gaps between business risks, control requirements, and technical issues.

True

The Gramm-Leach-Bliley Act (GLBA) is enforced through regulators who are members of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC publishes booklets of what type of computer security policies and controls must be in place for an institution or company to be compliant with GLBA.

True

The RCSA is utilized to construct plans for risk management, which can include the location of where to implement the procedures for quality assurance and quality control.

True

The authority to conduct audits differs from one organization to another. Governments, for instance, are bound to conduct audits at the behest of legal statutes and directives, whereas a private company might be required to submit to audit requirements as determined by its board of directors.

True

The benefit of a risk-aware culture is that people want to do the right thing all the time, which leads to an increased likelihood of policies being followed. Thus, when this behavior is modeled every day by everyone, it becomes the norm.

True

The process known as "lessons learned" seeks to guarantee that mistakes are only made once and not repeated. Such lessons are not attached to a person or role but can come from anyone and anywhere.

True

The process of ensuring the security of a physical fax device is as vital as securing a copier because both have internal memory and contain storage of prior documents printed. If these documents contain sensitive information, it is necessary to monitor access.

True

The process of restricting users' access so that they access an application rather than the data itself is often referred to as entitlement.

True

The value of an early adopter on security policy is that such a user can illustrate the efficacy of the policy. Locating an early adopter can also help lay to rest objections and concerns about policy change.

True

There are different opportunities that can be engaged by senior leaders to deliver expectations connected to security policies. Among these opportunities are brown bag sessions, which can offer a safe, relaxed forum for the CISO to connect positively with employees at different levels in the organization.

True

Version control is an important consideration when it comes to IT security policy automation for two reasons. First, the security policy document itself needs to record the policy if the policy is changed. Second, actual changes to the system need to be recorded in the database for change control work orders and the configuration management database (CMDB).

True

When going through the steps to create a vision for change, it is valuable to find a leader in your organization who can be an agent of change; someone who doesn't follow the pack, who can think outside the box, and can steer the organization through the politics of creating change.

True

In general, WAN-specific standards identify specific security requirements for WAN devices. For example, the ____________________ explains the family of controls needed to secure the connection from the internal network to the WAN router, whereas the ______________________ identifies which controls are vital for use of Web services provided by suppliers and external partnerships.

WAN router security standard, Web services standard

The act of recording noteworthy security events that transpire on a network or computing device is known as a(n) ______________________.

audit

The goal of conducting an incident analysis is to ascertain weakness. Because each incident is unique and might necessitate a distinct set of approaches, there is a range of steps that can be pursued to aid the analysis. One of these steps is to ________________, which entails mapping the network traffic according to the time of day and looking for trends.

profile your network

A ______________________ is an apparatus for risk management that enables the organization to comprehend its risks and how those risks might impact the business.

risk and control self-assessment (RCSA)

Of the risk management strategies, _________________ refers to the act of not engaging in actions that lead to risk, whereas ____________________ refers to acquiescence in regard to the risks of particular actions as well as their potential results.

risk avoidance, risk acceptance

