ISM 4323


Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

(ISC)2

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

Problems with benchmarking include all but which of the following?

Benchmarking doesn't help in determining the desired outcome of the security process

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones?

Biba

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

Bull's-eye model

In the event of an incident or disaster, which planning element is used to guide off-site operations?

Business continuity

When a disaster renders the current business location unusable, which plan is put into action?

Business continuity

Which is the first step in the contingency planning process among the options listed here?

Business impact analysis

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?

Deontological ethics

What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain that standard?

Due care and due diligence

Which policy is the highest level of policy and is usually created first?

EISP

Which of the following InfoSec measurement specifications makes it possible to define success in the security program?

Establishing targets

A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances.

False

The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.

False

Which of the following is an example of a rapid-onset disaster?

Flood

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.

data owners

Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.

data users

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.

team leader

Which of the following is true about a hot site?

It duplicates computing resources, peripherals, phone systems, applications, and workstations.

Which of the following is a responsibility of the crisis management team?

Keeping the public informed about the event and the actions being taken

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

Legal management must develop corporate-wide standards

Which of the following is the final step in the risk identification process of information assets?

Listing by order of importance

The identification and assessment of levels of risk in an organization describes which of the following?

Risk analysis

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.

Risk assessment estimate factors

Which of the following is NOT one of the three types of performance measures used by organizations?

Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Threats-vulnerabilities-assets worksheet

Which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. Copyright Law

In a TVA worksheet, along one axis lies the prioritized set of ____, along the other the prioritized set of ____.

assets, threats

According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?

availability

Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?

benchmarking

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.

chief information security officer

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

common good

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

corrective

Which type of attack involves sending a large number of connection or information requests to a target?

denial-of-service (DoS)

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.

deterrence

A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial-of-service

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

due diligence

Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.

economic and non-economic

Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.

education

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

evaluating alternative strategies

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

framework & security model

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

implementation

Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach?

incident response plan

The NIST risk management approach includes all but which of the following elements?

inform

Which of the following is an element of the enterprise information security policy?

information on the structure of the InfoSec organization

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

investigation

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?

malice

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

managerial controls

When determining the relative importance of each information asset, refer to the organization's ____ or statement of objectives. From this source, determine which assets are essential for meeting the organization's objectives, which assets support the objectives, and which are merely adjuncts.

mission statement

Reducing the impact of a successful attack on an organization's system falls under the ____ risk control strategy.

mitigation

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

monitoring and measurement

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

need-to-know

Which type of access controls can be role-based or task-based?

nondiscretionary

The typical security staff in a small organization consists of ____.

one person

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organization

Which of the following is NOT a primary function of Information Security Management?

performance

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

planning

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

political feasibility

A SETA program consists of three elements: security education, security training, and ____.

security awareness

Which type of planning is the primary tool in determining the long-term direction taken by an organization?

strategic

Which of the following are the two general groups into which SysSPs can be separated?

technical specifications and managerial guidance

A time-release safe is an example of which type of access control?

temporal isolation

Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

they have larger information security needs than a small organization

An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach.

transference

Risk is the likelihood of the occurrence of a(n) ____ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.

vulnerability

Which of the following is the first step in the problem-solving process?

Recognize and define the problem

Blackmail threat of informational disclosure is an example of which threat category?

Information extortion

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

COBIT

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Calculating the severity of risks to which assets are exposed in their current setting

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?

Confidentiality

Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event?

Contingency planning

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of several reasons. Which of the following is NOT one of those reasons?

For political advantage

Which of the following allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental?

Forensics

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

HIPAA

Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

Health Information Technology for Economic and Clinical Health Act

Which of the following is a part of the incident recovery process?

Identifying the vulnerabilities that allowed the incident to occur and spread

Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident?

Incident classification

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?

Measurements must be useful for tracking non-compliance by internal personnel

Which of the following is NOT a change control principle of the Clark-Wilson model?

No changes by authorized subjects without external validation

InfoSec measurements collected from production statistics depend greatly on which of the following factors?

Number of systems and users of those systems

Which type of planning is used to organize the ongoing, day-to-day performance of tasks?

Operational

Which of the following variables is the most influential in determining how to structure an information security program?

Organizational culture

Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?

Performance management

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

Policy Review and Modification

The Annualized Loss Expectancy in the CBA formula is determined as ____.

SLE * ARO

____ are accountable for the day-to-day operation of the information security program.

Security managers

Which of the following is an information security governance responsibility of the Chief Security Officer?

Set security policy, procedures, programs and training

Which of the following is true about planning?

Strategic plans are used to create tactical plans

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

Systems testing

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

TCSEC

Which of the following is the primary purpose of ISO/IEC 27001:2005?

To enable organizations that adopt it to obtain certification

____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.

Trojan horses

Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information. ____________

True

Which of the following is a definite indicator of an actual incident?

Use of dormant accounts

__________ is a simple project management planning tool.

WBS

What are the two general methods for implementing technical controls?

access control lists and configuration rules

A cost-benefit analysis is calculated by subtracting the post-control annualized loss expectancy and the ____ from the pre-control annualized loss expectancy.

annualized cost of the safeguard
