Exam 2 Quizzes


Tom determined the cost to reduce a particular risk impact is not warranted, and so there will be no response to the risk. This is an example of what kind of control strategy?

Risk acceptance

Which of the following organizations is best known for its series of technical InfoSec certifications through Global Information Assurance Certification (GIAC)?

SANS Institute

A control that should be applied to work tasks that are particularly sensitive is:

Separation of duties

Which of the following can function as standards or procedures to be used when configuring or maintaining systems?

SysSPs

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

TCSEC

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

access control list

Redundancy can be implemented at a number of points throughout the security architecture, such as in:

access controls, firewalls, and proxy servers

Which of the following is NOT a part of an information security program?

None of these. An information security program is the whole set of activities, personnel, and technologies an organization uses to manage the risks to its information assets, so all three listed options are part of it.

An ATM that limits what kinds of transactions a user can perform is an example of which type of access control?

constrained user interface

Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.

control

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as __________.

corrective

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called _______________.

electronic vaulting

Using the simplified information classification scheme outlined in the text, all information that has been approved by management for public release has a(n) ____________________ classification.

external

An outline or structure of the organization's overall information security strategy that is used as a road map for planned changes to its information security environment is the security ____________________.

framework

Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs.

governance

A(n) ____________________ site is a fully configured computer facility with all services, communications links, and physical plant operations provided, including heating and air conditioning.

hot

The first phase of risk management is risk ____________________.

identification

RAID Level 1 is commonly called disk ____________________.

mirroring

To design a security program, an organization can use a security __________, which is a generic outline of the more thorough and organization-specific blueprint.

model

Which type of access controls can be role-based or task-based?

non-discretionary

The ____________________ controls focus on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.

operational

Which of the following variables is the most influential in determining how to structure an information security program?

organizational culture

The spheres of security model illustrates that there are far fewer protection layers between the information and potential attackers on the __________ side of the organization.

people

The boundary between the outer limit of an organization's security and the beginning of the outside world is a security ____________________.

perimeter

Management of classified data includes its storage and _________.

portability, distribution, and destruction

Which of the following best describes what the SETA program is designed to do?

reduce the occurrence of accidental security breaches

The transfer of transaction data in real time to an off-site facility is called ______________.

remote journaling

A SETA program consists of three elements. Which of the following is one of them?

security awareness

____________________-specific security policies (SysSPs) often function as standards or procedures to be used when configuring or maintaining systems.

systems

After identifying and performing the preliminary classification of an organization's information assets, the analysis phase moves on to an examination of the ____________________ facing the organization.

threats

Asset ____________________ is the process of assigning financial value or worth to each information asset.

valuation

In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.

weighted factor analysis
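The weighted factor analysis described above, as an added worked example that is not part of the original quiz. The assets, criteria, weights and scores are constructed for illustration; the same function ranks threats if the rows are threats instead of assets.

```python
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical assets, criteria and weights; not from the quiz).
# Weights express the relative importance of each criterion and must sum to 1.0.
CRITERIA_WEIGHTS: Dict[str, float] = {
    "impact_to_revenue": 0.30,
    "impact_to_profitability": 0.40,
    "impact_to_public_image": 0.30,
}

# Each asset is scored from 0.0 (no impact) to 1.0 (maximum impact) on every criterion.
ASSET_SCORES: Dict[str, Dict[str, float]] = {
    "customer order SQL database": {
        "impact_to_revenue": 0.8, "impact_to_profitability": 0.9, "impact_to_public_image": 0.7},
    "EDI document transfer server": {
        "impact_to_revenue": 0.9, "impact_to_profitability": 0.8, "impact_to_public_image": 0.6},
    "internal wiki": {
        "impact_to_revenue": 0.2, "impact_to_profitability": 0.3, "impact_to_public_image": 0.4},
}


def weighted_score(scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Sum of (criterion score x criterion weight) for one asset, rounded to 4 places."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is missing scores for criteria: {sorted(missing)}")
    return round(sum(scores[c] * weights[c] for c in weights), 4)


def rank_assets(asset_scores: Dict[str, Dict[str, float]],
                weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Score every asset and return (asset, score) pairs, highest priority first.

    Weights are validated first: an analysis whose weights do not sum to 1.0
    silently inflates or deflates every score, so refuse to run rather than
    return misleading priorities.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError(f"criteria weights must sum to 1.0, got {sum(weights.values())}")
    ranked = [(name, weighted_score(s, weights)) for name, s in asset_scores.items()]
    # Ties are broken alphabetically so the ranking is deterministic.
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for position, (asset, score) in enumerate(rank_assets(ASSET_SCORES, CRITERIA_WEIGHTS), 1):
        print(f"{position}. {asset}: {score:.2f}")
```

With these constructed numbers the database ranks first (0.81), the EDI server second (0.77) and the wiki last (0.30); changing the weights, not the scores, is what moves an asset up or down, which is why the weight set should be agreed with management before the scoring starts.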

Which objects and subjects have a label in a MAC model?

All objects and subjects have a label

Which of the following certifications is considered one of the most prestigious for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec, and is vendor neutral?

CISSP

Which of the following is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts?

EISP

Using redundant components is a common method to achieve:

Fault tolerance

Which one of the following controls protects an organization in the event of a sustained period of power loss?

Generator

Which of the following is NOT one of the BIA stages?

None of these. Determining mission/business processes and recovery criticality, identifying resource requirements, and identifying recovery priorities for system resources are the three BIA stages (as in NIST SP 800-34 Rev. 1), so all three listed options are stages.

_________ addresses are sometimes called electronic serial numbers or hardware addresses.

MAC

Which of the following are the controls that cover security processes and are designed by strategic planners and implemented by the security administration of the organization?

Managerial

Sabrina recently implemented a network intrusion prevention system for the purpose of blocking common attacks on the company's network. What would you call the risk management strategy she is applying?

Mitigation

Eleni has Secret clearance and is accessing files that use a mandatory access control scheme with Top Secret, Secret, Confidential, and Unclassified labels. If she has a valid need-to-know, which classification level(s) are we certain she can access?

Only Secret
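The lattice-based access control questions above (the access control list as the column for an object, every subject and object carrying a label under MAC, and a Secret-cleared subject reading labeled files) share one underlying mechanism: a dominance relation over labels that combine a hierarchical level with a set of need-to-know categories. The following added example is not from the quiz; the subject names, file names and compartments (PROJECT_X, PROJECT_Y) are constructed. It shows that clearance level alone does not decide access: reading down to Confidential or Unclassified succeeds only for objects whose compartments the subject holds, which is how the model encodes need-to-know.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hierarchical levels of the quiz's MAC scheme, lowest to highest.
LEVELS: Dict[str, int] = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 iff level1 >= level2 AND categories1 is a superset of categories2.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula simple security property ("no read up"): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property ("no write down"): object must dominate subject."""
    return obj.dominates(subject)


def access_control_list(obj_label: Label, subjects: Dict[str, Label]) -> List[str]:
    """Column of the access matrix: the subjects permitted to read one object."""
    return sorted(name for name, lab in subjects.items() if can_read(lab, obj_label))


def capability_table(subject_label: Label, objects: Dict[str, Label]) -> List[str]:
    """Row of the access matrix: the objects one subject is permitted to read."""
    return sorted(name for name, lab in objects.items() if can_read(subject_label, lab))


# Constructed sample (hypothetical subjects, files and compartments; not from the quiz).
SUBJECTS: Dict[str, Label] = {
    "eleni": Label("Secret", frozenset({"PROJECT_X"})),
    "marco": Label("Top Secret", frozenset({"PROJECT_X", "PROJECT_Y"})),
    "intern": Label("Unclassified"),
}
OBJECTS: Dict[str, Label] = {
    "ops_plan.docx": Label("Secret", frozenset({"PROJECT_X"})),
    "budget.xlsx": Label("Confidential", frozenset({"PROJECT_X"})),
    "cafeteria_menu.txt": Label("Unclassified"),
    "sigint_feed.dat": Label("Secret", frozenset({"PROJECT_Y"})),   # same level, no need-to-know
    "strategy.pdf": Label("Top Secret", frozenset({"PROJECT_X"})),   # read up: denied
}


if __name__ == "__main__":
    print("eleni can read:", capability_table(SUBJECTS["eleni"], OBJECTS))
    print("ops_plan.docx readable by:", access_control_list(OBJECTS["ops_plan.docx"], SUBJECTS))
    for fname in ("strategy.pdf", "cafeteria_menu.txt"):
        print(f"eleni may write to {fname}:", can_write(SUBJECTS["eleni"], OBJECTS[fname]))
```

Eleni's row of the matrix contains the Secret, Confidential and Unclassified files in her own compartment but not the Secret file in PROJECT_Y, and the Top Secret file is out of reach regardless of compartment. The *-property lets her write into the Top Secret file (information flows up) while refusing a write to the Unclassified menu, which is the rule that stops a Secret subject from leaking downward.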

Which one of the following metrics represents the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources?

RTO

Most network servers have redundant power supplies which provide fault tolerance and therefore represent _____________ controls.

Recovery

Which one of the following events, once completed, marks the completion of a disaster recovery process?

Restoring operations in the primary facility

_________ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty.

Risk

A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection is:

Defense in depth

Which of the following models allows the owner of an object to grant privileges to other users?

Discretionary access control (DAC)

Purchasing insurance is a form of what type of risk response?

Transfer

Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

appetite

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

An alternate site that provides only rudimentary services and facilities is known as a(n) ____________ site.

cold

Physical keys are an example of a(n) __________ control which will temporarily replace electronic door locks in the case of a power outage.

compensating

What term describes a layered security approach that provides comprehensive protection?

defense-in-depth

A(n) ____________________ backup includes all files that have changed or been added since the last full backup.

differential
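The differential definition above is easiest to see next to its incremental counterpart, which copies only what changed since the last backup of any kind. The simulation below is an added example, not quiz material; the file names, timestamps and backup schedule are constructed.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample: each file with the time it was last modified (not from the quiz).
FILE_MTIMES: Dict[str, datetime] = {
    "payroll.db": datetime(2024, 3, 4, 9, 0),      # changed Monday morning
    "policy.docx": datetime(2024, 3, 4, 15, 30),   # changed Monday afternoon
    "ledger.xlsx": datetime(2024, 3, 5, 11, 0),    # changed Tuesday
    "readme.txt": datetime(2024, 2, 20, 8, 0),     # untouched since before the full backup
}
FULL_BACKUP_AT = datetime(2024, 3, 3, 23, 0)      # Sunday night full backup
NIGHTLY_RUNS = [datetime(2024, 3, 4, 23, 0), datetime(2024, 3, 5, 23, 0)]  # Mon, Tue


def changed_since(files: Dict[str, datetime], since: datetime) -> List[str]:
    """Files whose last-modified time is after the reference point."""
    return sorted(name for name, mtime in files.items() if mtime > since)


def differential_backup(files: Dict[str, datetime], last_full: datetime) -> List[str]:
    """Differential: everything changed since the LAST FULL backup; grows every night."""
    return changed_since(files, last_full)


def incremental_backup(files: Dict[str, datetime], last_backup: datetime) -> List[str]:
    """Incremental: everything changed since the last backup of ANY kind; stays small."""
    return changed_since(files, last_backup)


def sets_needed_to_restore(strategy: str, backups_since_full: int) -> int:
    """Differential restores need the full plus the newest differential (2);
    incremental restores need the full plus every incremental in order."""
    if strategy == "differential":
        return 2
    if strategy == "incremental":
        return 1 + backups_since_full
    raise ValueError(f"unknown strategy: {strategy}")


def simulate(files: Dict[str, datetime], full_at: datetime,
             run_times: List[datetime]) -> Dict[str, List[List[str]]]:
    """Run nightly backups at each time in run_times and return what each strategy captured."""
    captured: Dict[str, List[List[str]]] = {"differential": [], "incremental": []}
    last_any = full_at
    for run_at in run_times:
        # Only modifications that have happened by run_at are visible to that night's job.
        visible = {name: mtime for name, mtime in files.items() if mtime <= run_at}
        captured["differential"].append(differential_backup(visible, full_at))
        captured["incremental"].append(incremental_backup(visible, last_any))
        last_any = run_at
    return captured


if __name__ == "__main__":
    for strategy, nights in simulate(FILE_MTIMES, FULL_BACKUP_AT, NIGHTLY_RUNS).items():
        for night, files in zip(NIGHTLY_RUNS, nights):
            print(f"{strategy:>12} {night:%a}: {files}")
        print(f"{strategy:>12} restore needs {sets_needed_to_restore(strategy, len(nights))} sets")
```

Tuesday's differential carries all three changed files while Tuesday's incremental carries only the ledger; the price of the smaller incremental is that a restore must replay every incremental since the full, so a single unreadable tape breaks the chain.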

Security __________ are the areas of trust within which users can freely communicate.

domains

Some people search trash and recycling bins—a practice known as _________—to retrieve information that could embarrass a company or compromise information security.

dumpster diving

A(n) ____________________ is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization.

incident

What level of privilege should an employee have?

The least amount needed to perform their assigned duties (the principle of least privilege)

____________________ is the probability that a specific vulnerability within an organization's assets will be successfully attacked.

likelihood
