Exam 2 Practice Test


factor analysis

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

likelihood

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

single loss expectancy

By multiplying the asset value by the exposure factor, you can calculate which of the following?

corrective

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

Cost of prevention

Determining the cost of recovery from an attack is one calculation that must be made to identify risk; what is another?

Delphi

In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?

True

Planners need to estimate the effort required to complete each task, subtask, or action step.

management

Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

incident response plan

Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach?

InfoSec Governance

The COSO framework is built on five interrelated components. Which of the following is NOT one of them?

risk determination

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?

False

The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures.

evaluating alternative strategies

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

inform

The NIST risk management approach includes all but which of the following elements?

need-to-know

The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.

SETA

The ____________________ program is designed to reduce the occurrence of accidental security breaches by members of the organization.

transfer

The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

False

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege.

appetite

The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.

Risk analysis

The identification and assessment of levels of risk in an organization describes which of the following?

consultant

The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.

False

The information technology management community of interest often takes on the leadership role in addressing risk.

qualitative assessment of many risk components

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

Vulnerabilities

What is defined as specific avenues that threat agents can exploit to attack an information asset?

reduce the occurrence of accidental security breaches

What is the SETA program designed to do?

Listing assets in order of importance

What is the final step in the risk identification process?

cost-benefit analysis

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

documented control strategy

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

Threats-vulnerabilities-assets worksheet

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

IP address

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

Interaction with trainer is possible

Which of the following is an advantage of the formal class method of training?

Usually conducted in an informal social setting

Which of the following is an advantage of the user support group form of training?

MAC address

Which of the following is an attribute of a network device that is physically tied to the network interface?

Outdated servers

Which of the following is an example of a technological obsolescence threat?

assess control impact

Which of the following is not a step in the FAIR risk management framework?

security newsletter

Which of the following is the most cost-effective method for disseminating security information and news to employees?

it should be tested with multiple browsers

Which of the following is true about a company's InfoSec awareness Web site?

they have larger information security needs than a small organization

Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

COBIT

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

Security clearances

Which of the following specifies the authorization classification of information assets an individual user is permitted to access, subject to the need-to-know principle?

Organizational culture

Which of the following variables is the most influential in determining how to structure an information security program?

A security technician

Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

reference monitor

Which piece of the Trusted Computing Base's security system manages access controls?

TCSEC

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

nondiscretionary

Which type of access controls can be role-based or task-based?

technology product

Advanced technical training can be selected or developed based on which of the following?

relative

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

security awareness

A SETA program consists of three elements: security education, security training, and which of the following?

False

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme.

True

A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access.

True

A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable.

temporal isolation

A time-release safe is an example of which type of access control?

True

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA).

False

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection.

False

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment.

Uncertainty

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

assessment

An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems.

defense

Application of training and education is a common method of which risk control strategy?

Comprehensive

Classification categories must be mutually exclusive and which of the following?

False

Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information.

Legal management must develop corporate-wide standards

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

True

Each organization has to determine its own project management methodology for IT and information security projects.

physical

GGG security is commonly used to describe which aspect of security?

monitoring and measurement

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

Relative value

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

scope

Project ____________________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan.

Risk assessment estimate factors

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.

True

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know.

by adding barriers

The purpose of SETA is to enhance security in all but which of the following ways?

False

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.

False

The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy.

mitigation

The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________.

technology product

The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.

False

Threats from insiders are more likely in a small organization than in a large one.

security model

To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.

secure

To keep up with the competition, organizations must design and create a ____________ environment in which business processes and procedures can function and evolve effectively.

Calculating the severity of risks to which assets are exposed in their current setting

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Assigning a value to each information asset

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

access control list

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

True

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

need-to-know

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

least privilege

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?

deterrent

Which control category discourages an incipient incident?

planning

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

maintenance

Which of the following affects the cost of a control?

Product dimensions

Which of the following attributes does NOT apply to software information assets?

mitigation

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

political feasibility

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

Manufacturer's model or part number

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Risk assessment

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

mitigating

Which of the following is NOT a category of access control?

No changes by authorized subjects without external validation

Which of the following is NOT a change control principle of the Clark-Wilson model?

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

Which of the following is NOT a valid rule of thumb on risk control strategy selection?

for official use only

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?

Resource intensive, to the point of being inefficient

Which of the following is a disadvantage of the one-on-one training method?

both A & B are correct

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

Covert

____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.

Projectitis

____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.

False

A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects.

False

The risk control strategy that indicates the organization is willing to accept the current level of risk, and as a result makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome of any resulting exploitation, is known as the termination risk control strategy.

