Information Security - Module 2


Which of the following statements best describes a vulnerability? A. A vulnerability is a weakness that could be exploited by a threat source. B. A vulnerability is a weakness that can never be fixed. C. A vulnerability is a weakness that can only be identified by testing. D. A vulnerability is a weakness that must be addressed regardless of the cost.

A. A vulnerability is a weakness that could be exploited by a threat source.

Which of the following terms best describes the security domain that aligns most closely with the objective of confidentiality? A. Access control B. Compliance C. Incident management D. Business continuity

A. Access control

Which of the following states is not included in a CMM? A. Average B. Optimized C. Ad hoc D. Managed

A. Average

Which of the following is a common element of all federal cybersecurity regulations? A. Covered entities must have a written cybersecurity policy. B. Covered entities must use federally mandated technology. C. Covered entities must self-report compliance. D. Covered entities must notify law enforcement if there is a policy violation.

A. Covered entities must have a written cybersecurity policy.

Which domain focuses on proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information? A. Cryptography B. Cryptanalysis C. Encryption and VPN Governance D. Legal and Compliance

A. Cryptography

Which of the following is a control that relates to availability? A. Disaster recovery site B. Data loss prevention (DLP) system C. Training D. Encryption

A. Disaster recovery site

Which of the following are some of the components of NIST's Cybersecurity Framework core functions? (Choose all that apply.) A. Identify B. Integrity C. Detect D. Protect E. All of the above

A. Identify C. Detect D. Protect

Which of the following statements identify threats to availability? (Select all that apply.) A. Loss of processing capabilities due to natural disaster or human error B. Loss of confidentiality due to unauthorized access C. Loss of personnel due to accident D. Loss of reputation from unauthorized event

A. Loss of processing capabilities due to natural disaster or human error C. Loss of personnel due to accident

Which of the following is an objective of confidentiality? A. Protection from unauthorized access B. Protection from manipulation C. Protection from denial of service D. Protection from authorized access

A. Protection from unauthorized access

Which of the following is not a risk-mitigation action? A. Risk acceptance B. Risk sharing or transference C. Risk reduction D. Risk avoidance

A. Risk acceptance

To avoid conflict of interest, the CISO could report to which of the following individuals? A. The Chief Information Officer (CIO) B. The Chief Technology Officer (CTO) C. The Chief Financial Officer (CFO) D. The Chief Compliance Officer (CCO)

D. The Chief Compliance Officer (CCO). The conflict the question asks you to avoid is the CISO reporting into the function whose systems the CISO must assess: the CIO (and the CTO) own IT delivery, so a CISO under either of them has to grade the boss's work. A reporting line outside technology operations, such as the CCO, the CFO, or the CEO, keeps security oversight independent.

Which of the following is a good definition for confidentiality? A. The property that information is not made available or disclosed to unauthorized individuals, entities, or processes B. The processes, policies, and controls used to develop confidence that security measures are working as intended C. The positive identification of the person or system seeking access to secured information or systems D. The logging of access and usage of information resources

A. The property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Cybersecurity policies should be authorized by ____________. A. the Board of Directors (or equivalent) B. business unit managers C. legal counsel D. stockholders

A. the Board of Directors (or equivalent)

Which of the following terms best describes the security domain that relates to managing authorized access and preventing unauthorized access to information systems? A. Security policy B. Access control C. Compliance D. Risk assessment

B. Access control

Which of the following terms best describes the security domain that relates to how data is classified and valued? A. Security policy B. Asset management C. Compliance D. Access control

B. Asset management

The primary objective of the __________ domain is to ensure conformance with GLBA, HIPAA, PCI DSS, and FERPA. A. Security Policy B. Compliance C. Access Control D. Contract and Regulatory

B. Compliance

An important element of confidentiality is that all sensitive data needs to be controlled, audited, and monitored at all times. Which of the following provides an example about how data can be protected? A. Ensuring availability B. Encrypting data in transit and at rest C. Deploying faster servers D. Taking advantage of network programmability

B. Encrypting data in transit and at rest

Which domain focuses on integrating security into the employee life cycle, agreements, and training? A. Operations and Communications B. Human Resources Security Management C. Governance D. Legal and Compliance

B. Human Resources Security Management

Which of the following terms best describes ISO? A. Internal Standards Organization B. International Organization for Standardization C. International Standards Organization D. Internal Organization of Systemization

B. International Organization for Standardization

Which of the following terms best describes the motivation for hacktivism? A. Financial B. Political C. Personal D. Fun

B. Political

Which of the following terms best describes the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction? A. Threat B. Risk C. Vulnerability D. Impact

B. Risk

Which of the following risk types best describes an example of insurance? A. Risk avoidance B. Risk transfer C. Risk acknowledgement D. Risk acceptance

B. Risk transfer

Evidence-based techniques used by cybersecurity auditors include which of the following elements? A. Structured interviews, observation, financial analysis, and documentation sampling B. Structured interviews, observation, review of practices, and documentation sampling C. Structured interviews, customer service surveys, review of practices, and documentation sampling D. Casual conversations, observation, review of practices, and documentation sampling

B. Structured interviews, observation, review of practices, and documentation sampling

Which of the following statements best describes the role of the Cybersecurity Steering Committee? A. The committee authorizes policy. B. The committee helps communicate, discuss, and debate on security requirements and business integration. C. The committee approves the InfoSec budget. D. None of the above.

B. The committee helps communicate, discuss, and debate on security requirements and business integration.

Which of the following terms best describes a disgruntled employee with intent to do harm? A. Risk B. Threat source C. Threat D. Vulnerability

B. Threat source

Organizations that choose to adopt the ISO/IEC 27002:2013 framework must ________________. A. use every policy, standard, and guideline recommended B. create policies for every security domain C. evaluate the applicability and customize as appropriate D. register with the ISO

C. evaluate the applicability and customize as appropriate. ISO/IEC 27002 is a code of practice, not a mandatory checklist: an organization selects the controls that apply to its own risk profile rather than implementing every recommendation or writing a policy for every domain.

How much of the undesirable outcome the risk taker is willing to accept in exchange for the potential benefit is known as _________. A. risk acceptance B. risk tolerance C. risk mitigation D. risk avoidance

B. risk tolerance

Inherent risk is the state before __________________. A. an assessment has been conducted B. security measures have been implemented C. the risk has been accepted D. None of the above

B. security measures have been implemented

Which of the following combinations of terms best describes the Five A's of information security? A. Awareness, acceptance, availability, accountability, authentication B. Awareness, acceptance, authority, authentication, availability C. Accountability, assurance, authorization, authentication, accounting D. Acceptance, authentication, availability, assurance, accounting

C. Accountability, assurance, authorization, authentication, accounting

Which of the following terms best describes the logging of access and usage of information resources? A. Accountability B. Acceptance C. Accounting D. Actuality

C. Accounting

How often should cybersecurity policies be reviewed? A. Once a year B. Only when a change needs to be made C. At a minimum, once a year and whenever there is a change trigger D. Only as required by law

C. At a minimum, once a year and whenever there is a change trigger

Which of the following terms best describes a synonym for business continuity? A. Authorization B. Authentication C. Availability D. Accountability

C. Availability

Which of the following are the three principles in the CIA triad? A. Confidence, integration, availability B. Consistency, integrity, authentication C. Confidentiality, integrity, availability D. Confidentiality, integrity, awareness

C. Confidentiality, integrity, availability

Which of the following statements best describes opportunistic crime? A. Crime that is well planned B. Crime that is targeted C. Crime that takes advantage of identified weaknesses or poorly protected information D. Crime that is quick and easy

C. Crime that takes advantage of identified weaknesses or poorly protected information

Which of the following terms best describes an attack whose purpose is to make a machine or network resource unavailable for its intended use? A. Man-in-the-middle B. Data breach C. Denial of service D. SQL injection

C. Denial of service

Which of the following are examples of acting upon the goal of integrity? (Select all that apply.) A. Ensuring that only authorized users can access data B. Ensuring that systems have 99.9% uptime C. Ensuring that all modifications go through a change-control process D. Ensuring that changes can be traced back to the editor

C. Ensuring that all modifications go through a change-control process D. Ensuring that changes can be traced back to the editor

The current ISO family of standards that relates to information security is _______________. A. BS 7799:1995 B. ISO 17799:2006 C. ISO/IEC 27000 D. None of the above

C. ISO/IEC 27000

Processes that include responding to a malware infection, conducting forensics investigations, and reporting breaches are included in the _____________ domain. A. Security Policy B. Operations and Communications C. Incident Management D. Business Continuity Management

C. Incident Management

Which of the following risk types relates to negative public opinion? A. Operational risk B. Financial risk C. Reputation risk D. Strategic risk

C. Reputation risk

Which of the following risks is best described as the expression of (the likelihood of occurrence after controls are applied) × (expected loss)? A. Inherent risk B. Expected risk C. Residual risk D. Accepted risk

C. Residual risk
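The cards above define inherent risk (before controls), residual risk ((likelihood after controls) × (expected loss)), risk tolerance, and the four treatments including transfer by insurance, and the compliance-risk card later on the page states that regulatory risk cannot be avoided, transferred, or accepted. The following worked example, added here and not part of the original study set, puts those definitions into a small risk register so the arithmetic and the treatment choice can be checked. The register entries, the 100,000-per-year tolerance, the insurance deductible and limit, and the control-effectiveness fractions are all constructed sample values, not figures from the page.

```python
"""Added worked example: inherent vs. residual risk, tolerance, and treatment choice.

Formulas follow the study set: inherent risk = likelihood x expected loss with no
controls; residual risk = (likelihood after controls) x (expected loss after controls).
All register data below is constructed sample input, not figures from the page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    ACCEPT = "accept"      # retain the risk unchanged; it already sits within tolerance
    REDUCE = "reduce"      # controls lower likelihood and/or impact (risk mitigation)
    TRANSFER = "transfer"  # part of each loss is shifted to a third party, e.g. an insurer
    AVOID = "avoid"        # the activity is stopped, so the risk no longer exists


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float         # probability of the event per year, before controls
    expected_loss: float      # loss per occurrence, in currency units
    regulatory: bool = False  # compliance risk: cannot be avoided, transferred, or accepted


@dataclass(frozen=True)
class Insurance:
    deductible: float
    coverage_limit: float


@dataclass(frozen=True)
class Decision:
    treatment: Treatment
    residual: float           # annualised loss the organisation still carries
    within_tolerance: bool


def inherent_risk(r: Risk) -> float:
    """Risk before any security measure is implemented."""
    return r.likelihood * r.expected_loss


def residual_risk(r: Risk, likelihood_reduction: float = 0.0,
                  impact_reduction: float = 0.0) -> float:
    """Risk after controls. Reductions are fractions: 0.8 means the control removes 80 %."""
    for f in (likelihood_reduction, impact_reduction):
        if not 0.0 <= f <= 1.0:
            raise ValueError("reductions must be fractions between 0 and 1")
    likelihood_after = r.likelihood * (1.0 - likelihood_reduction)
    loss_after = r.expected_loss * (1.0 - impact_reduction)
    return likelihood_after * loss_after


def retained_loss(loss: float, ins: Insurance) -> float:
    """Loss per event the organisation still bears after the insurer pays out."""
    payout = max(0.0, min(loss, ins.coverage_limit) - ins.deductible)
    return loss - payout


def choose_treatment(r: Risk, tolerance: float, likelihood_reduction: float = 0.0,
                     impact_reduction: float = 0.0,
                     insurance: Optional[Insurance] = None) -> Decision:
    """Pick a treatment. `tolerance` is the annualised loss the risk taker is willing
    to carry in exchange for the benefit of running the activity."""
    residual = residual_risk(r, likelihood_reduction, impact_reduction)
    if r.regulatory:
        # Compliance risk cannot be avoided, transferred, or accepted: controls are the
        # only treatment, so report REDUCE and flag whether tolerance is actually met.
        return Decision(Treatment.REDUCE, residual, residual <= tolerance)
    controls_applied = likelihood_reduction > 0.0 or impact_reduction > 0.0
    if residual <= tolerance:
        return Decision(Treatment.REDUCE if controls_applied else Treatment.ACCEPT, residual, True)
    if insurance is not None:
        likelihood_after = r.likelihood * (1.0 - likelihood_reduction)
        loss_after = r.expected_loss * (1.0 - impact_reduction)
        # Insurance changes the loss the organisation retains, not the likelihood.
        transferred = likelihood_after * retained_loss(loss_after, insurance)
        if transferred <= tolerance:
            return Decision(Treatment.TRANSFER, transferred, True)
    return Decision(Treatment.AVOID, 0.0, True)


# Constructed sample register: (risk, likelihood reduction, impact reduction).
TOLERANCE = 100_000.0  # assumed board-approved tolerance per risk, per year
POLICY = Insurance(deductible=100_000.0, coverage_limit=1_000_000.0)  # assumed cyber policy
REGISTER = [
    (Risk("ransomware on file servers", 0.30, 2_000_000.0), 0.5, 0.8),  # EDR + offline backups
    (Risk("breach via third-party web app", 0.20, 1_500_000.0), 0.25, 0.0),
    (Risk("HIPAA notification failure", 0.10, 3_000_000.0, regulatory=True), 0.5, 0.0),
    (Risk("card PANs stored in legacy app", 0.40, 5_000_000.0), 0.5, 0.0),
    (Risk("marketing microsite defaced", 0.50, 20_000.0), 0.0, 0.0),
]


def run_register() -> List[Decision]:
    """Evaluate every register entry against the assumed tolerance and policy."""
    return [choose_treatment(r, TOLERANCE, lr, ir, POLICY) for r, lr, ir in REGISTER]


if __name__ == "__main__":
    for (r, _, _), d in zip(REGISTER, run_register()):
        print(f"{r.name:34} inherent={inherent_risk(r):>12,.0f} "
              f"residual={d.residual:>12,.0f} -> {d.treatment.value}"
              f"{'' if d.within_tolerance else ' (ABOVE TOLERANCE)'}")
```

Two points the run makes that the definitions alone do not: insurance lowers the loss retained per event (deductible and coverage limit), never the likelihood, so a high-frequency risk with a large loss can still exceed tolerance after transfer and end up avoided; and a regulatory risk that remains above tolerance after controls is reported as a shortfall rather than silently accepted, because the compliance-risk card rules out acceptance, transfer, and avoidance.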

Which domain focuses on service delivery, third-party security requirements, contractual obligations, and oversight? A. Incident Handling and Forensics B. Security Policy C. Supplier Relationships D. Information Security Incident Management

C. Supplier Relationships

Which of the following statements best describes independence in the context of auditing? A. The auditor is not an employee of the company. B. The auditor is certified to conduct audits. C. The auditor is not responsible for, has not benefited from, and is not in any way influenced by the audit target. D. Each auditor presents his or her own opinion.

C. The auditor is not responsible for, has not benefited from, and is not in any way influenced by the audit target.

Which of the following statements best describes organizations that are required to comply with multiple federal and state regulations? A. They must have different policies for each regulation. B. They must have multiple ISOs. C. They must ensure that their cybersecurity program includes all applicable requirements. D. They must choose the one regulation that takes precedence.

C. They must ensure that their cybersecurity program includes all applicable requirements.

Which of the following terms best describes the natural, environmental, technical, or human event or situation that has the potential for causing undesirable consequences or impact? A. Risk B. Threat source C. Threat D. Vulnerability

C. Threat

The National Institute of Standards and Technology (NIST) is a(n) ______ A. international organization B. privately funded organization C. U.S. government institution, part of the U.S. Department of Commerce D. European Union agency

C. U.S. government institution, part of the U.S. Department of Commerce

Defining protection requirements is the responsibility of ____________. A. the ISO B. the data custodian C. data owners D. the Compliance Officer

C. data owners

Designating an individual or team to coordinate or manage cybersecurity is required by _________. A. GLBA B. 23 NYCRR 500 C. PCI DSS D. All of the above

D. All of the above

Which of the following are benefits of security controls? A. Detect threats B. Deter threats C. Prevent cyber-attacks and breaches D. All of the above

D. All of the above

What does it indicate when a cybersecurity program is said to be "strategically aligned"? A. It supports business objectives. B. It adds value. C. It maintains compliance with regulatory requirements. D. All of the above.

D. All of the above.

Which of the following activities is not considered an element of risk management? A. The process of determining an acceptable level of risk B. Assessing the current level of risk for a given situation C. Accepting the risk D. Installing risk-mitigation technologies and cybersecurity products

D. Installing risk-mitigation technologies and cybersecurity products

Which of the following is not true about compliance risk as it relates to federal and state regulations? A. Compliance risk cannot be avoided B. Compliance risk cannot be transferred C. Compliance risk cannot be accepted D. None of these answers are correct

D. None of these answers are correct

Which of the following terms best describes the security domain that includes HVAC, fire suppression, and secure offices? A. Operations B. Communications C. Risk assessment D. Physical and environmental controls

D. Physical and environmental controls

Which of the following statements best describes policies? A. Policies are the implementation of specifications. B. Policies are suggested actions or recommendations. C. Policies are instructions. D. Policies are the directives that codify organizational requirements.

D. Policies are the directives that codify organizational requirements.

Which of the following activities is not considered a governance activity? A. Managing B. Influencing C. Evaluating D. Purchasing

D. Purchasing

Which of the following security objectives is most important to an organization? A. Confidentiality B. Integrity C. Availability D. The answer may vary from organization to organization

D. The answer may vary from organization to organization

Which of the following statements best represents the most compelling reason to have an employee version of the comprehensive cybersecurity policy? A. Sections of the comprehensive policy may not be applicable to all employees. B. The comprehensive policy may include unknown acronyms. C. The comprehensive document may contain confidential information. D. The more understandable and relevant a policy is, the more likely users will positively respond to it.

D. The more understandable and relevant a policy is, the more likely users will positively respond to it.

The International Organization for Standardization (ISO) is _____ A. a nongovernmental organization B. an international organization C. headquartered in Geneva D. all of the above

D. all of the above

The longer it takes a criminal to obtain unauthorized access, the _____ A. more time it takes B. more profitable the crime is C. better chance of success D. better chance of getting caught

D. better chance of getting caught

An information owner is responsible for _____________________. A. maintaining the systems that store, process, and transmit information B. protecting the business reputation and results derived from use of that information C. protecting the people and processes used to access digital information D. ensuring that information is protected, from creation through destruction

D. ensuring that information is protected, from creation through destruction

Information custodians are responsible for _____ A. writing policy B. classifying data C. approving budgets D. implementing, maintaining, and monitoring safeguards

D. implementing, maintaining, and monitoring safeguards

Which of the following are subcategories of the NIST Cybersecurity Framework that are related to cybersecurity governance? A. ID.GV-1: Organizational information security policy is established. B. ID.GV-2: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners. C. ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed. D. ID.GV-4: Governance and risk management processes address cybersecurity risks. E. All of these answers are correct.

E. All of these answers are correct.
