IA 6473 Chapter 8
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?
    NIST
    ISO
    COSO
    COBIT
COBIT
Dumpster exploitation is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. __________ True False
False
In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). __________ True False
False
In information security, a framework or security model customized to an organization, including implementation details, is known as a template. __________ True False
False
In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. __________ True False
False
Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. True False
False
The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. True False
False
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as required privilege. __________ True False
False
The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as minimal access. True False
False
Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors. True False
False
A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. __________ True False
False
The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. __________ True False
False
The Information Security __________ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization.
    Compliance Architecture
    Governance Framework
    Risk Model
    Security Blueprint
Governance Framework
The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
    control activities
    risk assessment
    InfoSec governance
    control environment
InfoSec governance
Under the Common Criteria, which term describes the user-generated specifications for security requirements?
    Security Target (ST)
    Target of Evaluation (ToE)
    Protection Profile (PP)
    Security Functional Requirements (SFRs)
Protection Profile (PP)
This NIST publication provides information on the elements of InfoSec, key roles and responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its use, among other topics needed for a foundation in InfoSec.
    SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems (2010)
    SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006)
    SP 800-12, Rev. 1: An Introduction to Information Security (2017)
    SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008)
SP 800-12, Rev. 1: An Introduction to Information Security (2017)
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
    TCSEC
    Bell-LaPadula
    ITSEC
    Common Criteria
TCSEC
The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. __________ True False
True
The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. __________ True False
True
Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?
    sensitivity level
    capabilities table
    access control list
    access matrix
access control list
An ATM that limits what kinds of transactions a user can perform is an example of which type of access control?
    content-dependent
    constrained user interface
    nondiscretionary
    temporal isolation
constrained user interface
In which form of access control is access to a specific set of information contingent on its subject matter?
    content-dependent access controls
    constrained user interfaces
    none of these
    temporal isolation
content-dependent access controls
Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?
    corrective
    deterrent
    preventative
    compensating
corrective
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________.
    social engineering
    rubbish surfing
    dumpster diving
    trash trolling
dumpster diving
In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________.
    framework
    blueprint
    security plan
    security standard
framework
Which of the following is a generic model for a security program?
    blueprint
    methodology
    security standard
    framework
framework
Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?
    need-to-know
    least privilege
    eyes only
    separation of duties
least privilege
The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________.
    managing the security infrastructure
    managing the development and operation of IT infrastructures
    developing secure Web applications
    operation of IT control systems to improve security
managing the development and operation of IT infrastructures
Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
    eyes only
    need-to-know
    separation of duties
    least privilege
need-to-know
Which of the following is NOT a change control principle of the Clark-Wilson model?
    no unauthorized changes by authorized subjects
    no changes by unauthorized subjects
    no changes by authorized subjects without external validation
    the maintenance of internal and external consistency
no changes by authorized subjects without external validation
Which type of access controls can be role-based or task-based?
    discretionary
    constrained
    nondiscretionary
    content-dependent
nondiscretionary
Which piece of the Trusted Computing Base's security system manages access controls?
    reference monitor
    covert channel
    trusted computing base
    verification module
reference monitor
Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle?
    task-based access controls
    security clearances
    sensitivity levels
    discretionary access controls
security clearances
What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them?
    need-to-know
    eyes only
    separation of duties
    least privilege
separation of duties