IS 350 Exam 2 (Cronk)
The United States Department of Homeland Security defines how many critical infrastructure sectors? A) 16 B) 14 C) 20 D) 17
A) 16
Which of the following key information security principles traces actions to their source? A) Accountability B) Assurance C) Authorization D) Accounting
A) Accountability
At which of the following states of the CMM scale are there no documented policies and processes? A) Ad hoc B) Defined process C) Optimized D) Nonexistent
A) Ad hoc
Which of the following is not one of the "Five A's" of information security? A) Availability B) Assurance C) Authorization D) Authentication
A) Availability
Which of the following is a monitoring control that safeguards against the loss of integrity? A) File integrity monitoring B) Separation of duties C) Encryption D) Digital signatures
A) File integrity monitoring
Which of the following refers to the process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors? A) Governance B) Risk sharing C) Risk management D) CMM
A) Governance
A MAC address uses which of the following formats? A) Hexadecimal B) Binary C) Decimal D) Unicode
A) Hexadecimal
Which of the following is a network of the national standards institutes of more than 160 countries? A) ISO B) NIST C) FIPS D) IEC
A) ISO
Which key task in the policy adoption phase is the busiest and most challenging task of all? A) Implementation B) Enforcement C) Monitoring D) Education
A) Implementation
Which of the following statements best describes risk transfer? A) It shifts a portion of the risk responsibility or liability to other organizations. B) It shifts the entire risk responsibility to other organizations. C) It takes steps to eliminate or modify the risk. D) None of the above
A) It shifts a portion of the risk responsibility or liability to other organizations.
Which of the following would most likely be classified as confidential information under the private sector classification system? A) Laboratory research B) Social Security number C) List of upcoming trade shows D) Nonsensitive client or vendor information
A) Laboratory research
Which of the following is another term for statutory law? A) Legislation B) Regulation C) Policy D) Governance
A) Legislation
Which of the following identifies a policy by name and provides the reader with an overview of the policy topic or category? A) Policy heading B) Policy goal C) Policy objective D) Policy statement
A) Policy heading
Which of the following refers to how much of the undesirable outcome a risk taker is willing to accept in exchange for the potential benefit? A) Risk tolerance B) Risk mitigation C) Risk management D) Risk acceptance
A) Risk tolerance
Which of the following is a behavioral control that can be used to safeguard against the loss of integrity? A) Rotation of duties B) Log analysis C) Code testing D) Digital signatures
A) Rotation of duties
Which of the following classification levels for national security information refers to any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security? A) Secret B) Confidential C) Protected D) Top secret
A) Secret
Which of the following refers to programs or code that provide the interface between the hardware, the users, and the data? A) Software assets B) Hardware assets C) Infrastructure equipment D) Printers
A) Software assets
Which of the following NIST publications focuses on cybersecurity practices and guidelines? A) Special Publication 1800 series B) FIPS C) ITL bulletins D) NIST Internal or Interagency reports
A) Special Publication 1800 series
Which of the following statements about standards and guidelines is true? A) Standards are mandatory, whereas guidelines are not. B) Guidelines are mandatory, whereas standards are not. C) Both standards and guidelines are mandatory. D) Neither standards nor guidelines are mandatory.
A) Standards are mandatory, whereas guidelines are not.
Which of the following is a collection of articles and amendments that provide a framework for the American government and define citizens' rights? A) The Constitution B) The Torah C) Data Protection Act D) Consumer Credit Act
A) The Constitution
Which of the following best describes the accounting key information security principle? A) The logging of access and usage of information resources B) The configuring of the Security log to record events C) The process of tracing actions to their source D) The process of identifying users who seek access to secure information
A) The logging of access and usage of information resources
Endorsed is one of the seven policy characteristics. Which of the following statements best describes endorsed? A) The policy is supported by management. B) The policy is accepted by the organization's employees. C) The policy is mandatory; compliance is measured; and appropriate sanctions are applied. D) The policy is regulated by the government.
A) The policy is supported by management.
What is the purpose of the policy exceptions section of a policy document? A) To acknowledge exclusions B) To track changes C) To convey intent D) To identify the topic
A) To acknowledge exclusions
What is the purpose of the administrative notations section of a policy? A) To refer the reader to additional information B) To explain terms, abbreviations, and acronyms used in the policy C) To provide the policy version number D) To provide information about policy exceptions
A) To refer the reader to additional information
The two approaches to cybersecurity are silo-based and __________. A) integrated B) operational C) environmental D) strategic
A) integrated
Which of the following version numbers is an example of a major policy revision? A) 3.5 B) 4.0 C) 4.1 D) 5.1
B) 4.0
Where are the policy definitions located in a consolidated policy document? A) At the beginning of the document B) At the end of the document C) Just after the policy heading D) In a separate document
B) At the end of the document
Which of the following are the three elements of the CIA triad? A) Authentication, integrity, confidentiality B) Availability, integrity, confidentiality C) Access, integrity, confidentiality D) Authorization, integrity, confidentiality
B) Availability, integrity, confidentiality
Which of the following refers to the requirement that private or confidential information not be disclosed to unauthorized individuals? A) Availability B) Confidentiality C) Integrity D) Control
B) Confidentiality
Which of the following can be defined as the shared attitudes, goals, and practices that characterize a company, corporation, or institution? A) Regulations B) Corporate culture C) Cybersecurity policy D) Guiding principles
B) Corporate culture
Which of the following is a systematic, evidence-based evaluation of how well an organization conforms to such established criteria as Board-approved policies, regulatory requirements, and internationally recognized standards, such as the ISO 27000 series? A) Audit report B) Cybersecurity audit C) CMM D) CISA
B) Cybersecurity audit
Which of the following is the correct order of the policy life cycle? A) Review, develop, adopt, publish B) Develop, publish, adopt, review C) Publish, develop, review, adopt D) Review, adopt, develop, publish
B) Develop, publish, adopt, review
Which major regulation entity within the European Union (EU) was created to maintain a single standard for data protection among all member states in the EU? A) Directive on Security of Network and Information Systems (the NIS Directive) B) EU General Data Protection Regulation (GDPR) C) European Union Agency for Network and Information Security (ENISA) D) The Consumer Credit Regulations 2010
B) EU General Data Protection Regulation (GDPR)
FERPA protects which of the following? A) Medical records B) Educational records C) Personally identifiable information D) Financial records
B) Educational records
Which of the following is the official publication series for NIST standards and guidelines? A) ITL bulletins B) FIPS C) Special Publication 800 series D) NIST Internal or Interagency reports
B) FIPS
Which of the following procedure formats is best suited when there is a decision-making process associated with a task? A) Simple Step B) Flowchart C) Hierarchical D) Graphic
B) Flowchart
Which of the following informs custodians and users how to treat the information they use and the systems they interact with? A) Processing standards B) Handling standards C) Organizational standards D) Classification standards
B) Handling standards
Which of the following is not one of the responsibilities of a data owner? A) Assigning the economic or business value to the asset B) Implementing security controls for the asset C) Defining the level of protection required for the asset D) Deciding who should have access to the asset
B) Implementing security controls for the asset
Which of the following best describes a procedure? A) Application of a standard to a specific category or grouping B) Instructions on how a policy is carried out C) Teaching tools that help people conform to a policy D) Specifications for implementation of a policy
B) Instructions on how a policy is carried out
Which data type protected by DLP includes patent applications, product design documents, the source code of software, research information, and customer data? A) Personally Identifiable Information (PII) B) Intellectual Property (IP) C) Nonpublic Information (NPI) D) None of the above
B) Intellectual Property (IP)
Which of the following is a hardware identification number that uniquely identifies a device? A) IP domain name B) MAC address C) IPv4 address D) IPv6 address
B) MAC address
Which of the following risk assessment methodologies was originally developed by CERT? A) FAIR B) OCTAVE C) RMF D) CMM
B) OCTAVE
OCTAVE is short for which of the following? A) Operationally Critical Threat, Assessment, and Vulnerability Evaluation B) Operationally Critical Threat, Asset, and Vulnerability Evaluation C) Optimized Critical Threat, Assessment, and Vulnerability Evaluation D) Optimized Critical Threat, Asset, and Vulnerability Evaluation
B) Operationally Critical Threat, Asset, and Vulnerability Evaluation
Which of the following refers to the relationship between a policy and its supporting documents? A) Policy format B) Policy hierarchy C) Policy audience D) Policy objectives
B) Policy hierarchy
A Social Security number would be classified in which of the following levels under the private sector classification system? A) Internal use B) Protected C) Confidential D) Public
B) Protected
Which of the following is not one of the classification levels for national security information? A) Secret B) Protected C) Confidential D) Unclassified
B) Protected
Which of the following is the outcome of policy review? A) Retirement or renewal B) Retirement or reauthorization C) Renewal or reauthorization D) None of the above
B) Retirement or reauthorization
Which of the following statements best describes strategic risk? A) Risk that relates to monetary loss B) Risk that relates to adverse business decisions C) Risk that relates to loss resulting from inadequate or failed processes or systems D) Risk that relates to violations of laws, rules, regulations, or policy
B) Risk that relates to adverse business decisions
Which of the following is not one of the classification levels for private sector information? A) Protected B) Secret C) Internal use D) Public
B) Secret
Which of the following is a collective term given to guidance on topics related to information systems security, predominantly regarding the planning, implementing, managing, and auditing of overall information security practices? A) Service level agreements B) Security framework C) "Five A's" of information security D) CIA security model
B) Security framework
Which of the following version numbers would indicate a minor revision? A) IV B) 2.0 C) 2.1 D) 3.0
C) 2.1
Which of the following statements best describes NIST? A) A regulatory government organization that enforces standards B) A coalition of over 160 countries that creates standards C) A non-regulatory federal agency that develops and promotes standards D) A nongovernment organization that develops and promotes standards
C) A non-regulatory federal agency that develops and promotes standards
Policy implementation and enforcement are part of which of the following phases of the cybersecurity policy life cycle? A) Develop B) Review C) Adopt D) Publish
C) Adopt
Which of the following statements is not true? A) Policies should require only what is possible. B) Policies that are no longer applicable should be retired. C) All guiding principles and corporate cultures are good. D) Guiding principles set the tone for a corporate culture.
C) All guiding principles and corporate cultures are good.
How often should policies be reviewed? A) Monthly B) Twice a year C) Annually D) Never
C) Annually
Which of the following best describes a baseline? A) Specifications for implementation of a policy B) Instructions on how a policy is carried out C) Application of a standard to a specific category or grouping D) Teaching tools that help people conform to a policy
C) Application of a standard to a specific category or grouping
Which of the following is designed to implement the business rules of the organization and is often custom-developed? A) Productivity software B) Operating system software C) Application software D) Software assets
C) Application software
Which of the following key information security principles grants users and systems a predetermined level of access to information resources? A) Assurance B) Authentication C) Authorization D) Accountability
C) Authorization
Which of the following refers to a computer used in a DDoS attack? A) Botnet B) Victim C) Bot D) Handler
C) Bot
Which of the following statements about policies and standards is true? A) Policies are mandatory, whereas standards are not. B) Standards are mandatory, whereas policies are not. C) Both policies and standards are mandatory. D) Neither policies nor standards are mandatory.
C) Both policies and standards are mandatory.
CVSS is short for which of the following? A) Confidential Vulnerability Secure System B) Common Vulnerability Secure System C) Common Vulnerability Scoring System D) Confidential Vulnerability Scoring System
C) Common Vulnerability Scoring System
Which of the following is not one of the tasks of the policy development phase? A) Approve B) Write C) Communicate D) Authorize
C) Communicate
Which of the following provides a model for understanding, analyzing, and quantifying information risk in quantitative financial and business terms? A) RMF B) NIST C) FAIR D) OCTAVE
C) FAIR
In the NIST Cybersecurity Framework, which governance subcategory references legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations? A) ID.GV-1 B) ID.GV-2 C) ID.GV-3 D) ID.GV-4
C) ID.GV-3
Which of the following is the magnitude of harm? A) Risk B) Threat C) Impact D) Vulnerability
C) Impact
Which of the following refers to the level of risk before security measures are applied? A) Residual risk B) Vulnerability C) Inherent risk D) Impact
C) Inherent risk
Which of the following means the loss of CIA could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals? A) High potential impact B) Moderate potential impact C) Low potential impact D) No potential impact
C) Low potential impact
Which of the following best describes the Bell-LaPadula security model? A) No read up, no write up B) No write up, no write down C) No read up, no write down D) No read down, no write up
C) No read up, no write down
Which of the following is not an example of a standard? A) Passwords must include at least one special character. B) Passwords must not include repeating characters. C) Pass phrases make good passwords. D) Passwords must not include the user's name
C) Pass phrases make good passwords.
Which layer in the defense-in-depth strategy includes firewalls, IDS/IPS devices, segmentation, and VLANs? A) Physical security B) Network security C) Perimeter security D) Application security
C) Perimeter security
Which of the following refers to directives that codify organizational requirements? A) Guidelines B) Standards C) Policies D) Baselines
C) Policies
Which of the following is best thought of as a high-level directive or strategic roadmap? A) Policy objective B) Policy heading C) Policy statement D) Policy goal
C) Policy statement
Which of the following best describes residual risk? A) The likelihood of occurrence of a threat B) The level of risk before security measures are applied C) The level of risk after security measures are applied D) The impact of risk if a threat is realized
C) The level of risk after security measures are applied
Which of the following statements best describes declassification? A) The process of upgrading a classification B) The process of assigning a new classification C) The process of downgrading sensitivity levels D) The process of removing a classification
C) The process of downgrading sensitivity levels
Which of the following best describes the accountability key information security principle? A) The logging of access and usage of information resources B) The configuring of the Security log to record events C) The process of tracing actions to their source D) The process of identifying users who seek access to secure information
C) The process of tracing actions to their source
What is the purpose of the policy definition section? A) To provide information about policy exceptions B) To refer the reader to additional information C) To explain terms, abbreviations, and acronyms used in the policy D) To provide the policy version number
C) To explain terms, abbreviations, and acronyms used in the policy
Which of the following is not one of the plain language techniques for policy writing? A) Use active voice. B) Write short sentences. C) Use "shall" instead of "must." D) Avoid double negatives.
C) Use "shall" instead of "must."
Which key task in the policy development phase requires the authors to consult with internal and external experts, including legal counsel, human resources, compliance, cybersecurity and technology professionals, auditors, and regulators? A) Writing B) Authorizing C) Vetting D) Planning
C) Vetting
The objective of an __________ is to differentiate data types to enable organizations to safeguard CIA based on content. A) asset classification policy B) information ownership policy statement C) information classification system D) inventory information systems
C) information classification system
Where is the policy introduction located in a consolidated policy document? A) In a separate document B) Before the version control table C) At the beginning of the document D) After the version control table
D) After the version control table
Which of the following elements ensures a policy is enforceable? A) Compliance can be measured. B) Appropriate sanctions are applied when the policy is violated. C) Appropriate administrative, technical, and physical controls are put in place to support the policy. D) All of the above
D) All of the above
Which of the following is a characteristic of the silo-based approach to cybersecurity? A) Compliance is discretionary. B) Security is the responsibility of the IT department. C) Little or no organizational accountability exists. D) All of the above
D) All of the above
Which of the following is an example of a security mechanism designed to preserve confidentiality? A) Controlled traffic routing B) Logical and physical access controls C) Database views D) All of the above
D) All of the above
Which of the following is an example of an information asset? A) Business plans B) Employee records C) Company reputation D) All of the above
D) All of the above
Which of the following is the objective of risk assessment? A) Identify the inherent risk B) Determine the impact of a threat C) Calculate the likelihood of a threat occurrence D) All of the above
D) All of the above
Which of the following refers to those responsible for implementing, maintaining, and monitoring safeguards and systems? A) Network engineers B) System administrators C) Webmasters D) All of the above
D) All of the above
Which of the following federal legislations, also known as the Financial Modernization Act of 1999, was created to reform and modernize the banking industry by eliminating existing barriers between banking and commerce? A) HITECH B) HIPAA C) FERPA D) GLBA
D) GLBA
The ISO 27002 standard has its origins in which of the following countries? A) France B) United States C) Germany D) Great Britain
D) Great Britain
Which of the following is the topmost object in the policy hierarchy? A) Standards B) Baselines C) Procedures D) Guiding Principles
D) Guiding Principles
Which of the following refers to visible and tangible pieces of equipment and media, such as computer equipment and storage media? A) Operating system software B) Software assets C) Productivity software D) Hardware assets
D) Hardware assets
Which of the following is one of the ten plain language techniques for policy writing? A) Use passive voice. B) Include redundant pairs or modifiers. C) Use long sentences. D) Limit a paragraph to one subject.
D) Limit a paragraph to one subject.
Which of the following refers to the unauthorized or unintentional modification or destruction of information? A) Loss of availability B) Loss of confidentiality C) Loss of control D) Loss of integrity
D) Loss of integrity
Which of the following is the final step in the NIST Risk Assessment methodology? A) Communicate the results. B) Prepare for the assessment. C) Conduct the assessment. D) Maintain the assessment.
D) Maintain the assessment.
Which of the following is the leading membership organization for Boards and Directors in the U.S.? A) ISO B) NIST C) CERT D) NACD
D) NACD
Which of the following statements best describes the Biba security model? A) No read up, no write up B) No write up, no write down C) No read up, no write down D) No read down, no write up
D) No read down, no write up
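The Bell-LaPadula and Biba questions above state the two rule pairs but not what they actually prevent. The following is an added example (not part of the exam set or its source text) that encodes both models as access checks over an ordered lattice and then tests whether information can flow between two levels through any subject that reads one and writes the other. The level names for Bell-LaPadula are the national security classifications from this page; the LOW/MEDIUM/HIGH integrity levels and all function names are assumptions made for the example.

```python
"""Added example: Bell-LaPadula (confidentiality) and Biba (integrity) rules.

Not the exam's or any textbook's code. Levels are plain IntEnums so that
">=" means "dominates" on a totally ordered lattice.
"""
from enum import IntEnum
from typing import Callable, Iterable


class Classification(IntEnum):
    # Confidentiality levels taken from the national security question above.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    # Assumed integrity levels for the Biba half of the example.
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_allows(subject: int, obj: int, op: str) -> bool:
    """Bell-LaPadula: 'no read up, no write down'.

    Simple security property: a subject may read only objects at or below its level.
    *-property: a subject may write only objects at or above its level, so a
    high-cleared process (or a Trojan running as it) cannot copy secrets downward.
    """
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: int, obj: int, op: str) -> bool:
    """Biba: 'no read down, no write up'.

    Simple integrity property: a subject may read only objects at or above its
    integrity level (no consuming untrusted data).
    Integrity *-property: a subject may write only objects at or below its level
    (no contaminating trusted data).
    """
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")


def information_can_flow(
    allows: Callable[[int, int, str], bool],
    src: int,
    dst: int,
    levels: Iterable[int],
) -> bool:
    """True if some subject at any level may read `src` and then write `dst`.

    This is the two-step channel the *-properties exist to close: a single
    read-then-write by one subject is enough to move data between objects.
    """
    return any(allows(s, src, "read") and allows(s, dst, "write") for s in levels)


def flow_matrix(allows, levels):
    """Map (src, dst) -> bool for every pair of levels, for inspection."""
    return {(a, b): information_can_flow(allows, a, b, levels)
            for a in levels for b in levels}


if __name__ == "__main__":
    C, I = Classification, Integrity
    # BLP closes the downward channel; upward flow of data is fine.
    print("BLP TS->U:", information_can_flow(blp_allows, C.TOP_SECRET, C.UNCLASSIFIED, C))
    print("BLP U->TS:", information_can_flow(blp_allows, C.UNCLASSIFIED, C.TOP_SECRET, C))
    # Biba closes the upward channel; trusted data may flow to less trusted places.
    print("Biba LOW->HIGH:", information_can_flow(biba_allows, I.LOW, I.HIGH, I))
    print("Biba HIGH->LOW:", information_can_flow(biba_allows, I.HIGH, I.LOW, I))
```

Note the mirror image: the two models use the same comparison with the direction reversed, which is why a system that wants both confidentiality and integrity labels has to evaluate each pair independently rather than reuse one lattice.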
Which of the following is the seminal tool used to protect both our critical infrastructure and our individual liberties? A) Information security B) Society C) Physical security D) Policy
D) Policy
Which of the following risks relates to negative public opinion? A) Operational risk B) Strategic risk C) Financial risk D) Reputational risk
D) Reputational risk
Which of the following statements describes reclassification? A) The process of changing the classification level to a lower level B) The process of removing a classification C) The process of assigning a classification D) The process of upgrading a classification
D) The process of upgrading a classification
Which of the following can achieve authentication in information security? A) Intrusion detection systems B) Log files C) Auditing D) Tokens
D) Tokens
A(n) __________ or waiver process is required for exceptions identified after a policy has been authorized. A) administrative notation B) policy statement C) policy definition D) exemption
D) exemption