Management of Information Security Midterm


Penetration tester

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolution for vulnerabilities in those systems

availability disruption

An interruption in service, usually from a service provider which causes an adverse event within an organization

Attack

An ongoing act against an asset that could result in a loss of its value

In which phase of the SecSDLC does the risk management task occur?

Analysis

In the __________ phase of the SecSDLC, the team studies the documents from earlier and looks at relevant legal issues that could affect the design of the security solution.

Analysis

Why is threat identification so important in the process of risk management?

Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.

An approach that applies moral codes to actions drawn from realistic situations.

Applied ethics

Describe the key approaches organizations are using to achieve unified ERM.

Combining physical security and InfoSec under one leader as one business function
Using separate business functions that report to a common senior executive
Using a risk council approach to provide a collaborative approach to risk management

an application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.

Command injection

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

Common good

Which of the following is NOT a step in the problem-solving process?

Build support among management for the candidate solution

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a __________.

CISO

The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral.

CISSP

A model of InfoSec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model.

CNSS


the collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.

Competitive intelligence

Policy __________ means the employee must agree to the policy.

Compliance

Classification categories must be mutually exclusive and which of the following?

Comprehensive

There are twelve categories of threats to information security. List five of them and provide an example of each.

Compromises to intellectual property: Software piracy or other copyright infringement
Deviations in quality of service: Fluctuations in power, data, and other services
Espionage or trespass: Unauthorized access and/or data collection
Forces of nature: Fire, flood, earthquake, lightning, etc.
Human error or failure: Accidents, employee mistakes
Information extortion: Blackmail threat of information disclosure
Sabotage or vandalism: Damage to or destruction of systems or information
Software attacks: Malware: viruses, worms, macros, etc.
Technical hardware failures or errors: Hardware equipment failure
Technical software failures or errors: Bugs, code problems, loopholes, back doors
Technological obsolescence: Antiquated or outdated technologies
Theft: Illegal confiscation of equipment or information

One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

Computer Security Act (CSA)


What are configuration rules? Provide examples

Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly. Many security systems require specific configuration scripts that dictate which actions to perform on each set of information they process. Examples include firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers.

The process of integrating the governance of the physical security and information security efforts is known in the industry as __________.

Convergence

a hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.

Cracker

attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.

Cracking

Managerial Guidance SysSPs

Created by management to guide the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity or availability of information
• Informs technologists of management intent

What is a type of law that addresses violations harmful to society and that is enforced by prosecution by the state?

Criminal Law

a web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.

Cross site scripting (XSS)

Focuses on enhancing the security of the critical infrastructure in the United States.

Cybersecurity Act

According to Mark Pollitt, ____ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.

Cyberterrorism

a hacker who attacks systems to conduct terrorist activities via networks or internet pathways.

Cyberterrorist

formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.

Cyberwarfare

A ____ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

DDoS

Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?

DMCA

CIA Triad figure 1.3 *

Data & services: Confidentiality Integrity Availability

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.

Data Owners

commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states-at rest (in storage), in processing, and in transmission (over networks).

Data security

a collection of related data stored in a structured form and usually managed by a database management system.

Database

a subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.

Database security

Which type of attack involves sending a large number of connection or information requests to a target?

Denial-of-Service (DoS)

In a ____ attack, the attacker sends a large number of connection or information requests to a target.

Denial-of-service

an attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.

Denial-of-service (DoS) attack

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)? a. Meta-ethics b. Applied ethics c. Deontological ethics d. Normative ethics

Deontological ethics




a variation of the brute force attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.

Dictionary password attack

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________.

Digital forensics

a form of DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.

Distributed denial-of-service (DDoS)

the intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations.

Domain Name System (DNS) cache poisoning

the percentage of time a particular service is not available; the opposite of uptime.

Downtime

An organization increases its liability if it refuses to take the measures a prudent organization should; this is known as the standard of _____________.

Due care

In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important?

During the implementation phase, the team must create a plan to distribute and verify the distribution of the policies. Members of the organization must explicitly acknowledge that they have received and read the policy. Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be overturned and punitive damages might be awarded to the former employee.

Maintenance Phase

During the maintenance phase, the policy development team monitors, maintains, and modifies the policy as needed to ensure that it remains effective as a tool to meet changing threats
• The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously
• Periodic review should be built in to the process

Which policy is the highest level of policy and is usually created first?

EISP

Identifying Threats

Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy
• Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset
• In general, this process is referred to as a threat assessment

Human error or failure often can be prevented with training, ongoing awareness activities, and _______________.

Education

With policy, the most common distribution methods are hard copy and __________.

Electronic

A collection of statutes that regulates the interception of wire, electronic, and oral communications.

Electronic Communications Privacy Act (ECPA)

Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received

Electronic vaulting

Enterprise information security program policy (EISP)

Enterprise information security policy (EISP) is that high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts
• An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy

three types of information security policy

Enterprise information security program policy (EISP)
Issue-specific information security policies (ISSP)
Systems-specific policies (SysSPs)

Rooting

Escalating privileges to gain administrator-level control over a computer system (including smartphones)

Jailbreaking

Escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS smartphones)

According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?

Establishing

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? a. enterprise information security policy b. user-specific security policies c. issue-specific security policies d. system-specific security policies

b

Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy.

False

InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals

False

It is the responsibility of InfoSec professionals to understand state laws and bills

False

MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.

False

Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.

False

The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.

False

The IT community often takes on the leadership role in addressing risk.

False

The information security blueprint builds on top of an organization's information security standards.

False

The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.

False

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996

False

The information technology management community of interest often takes on the leadership role in addressing risk. __________

False - InfoSec

Technology is the essential foundation of an effective information security program. _____________

False - Policy

Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. __________

False - assessment

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. __________

False - classification

The degree to which a current control can reduce risk is also subject to calculation error. __________

False - estimation

Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________

False - guidelines

The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. __________

False - identification

The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ___________

False - likelihood

The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. ____________

False - maintenance

Examples of actions that illustrate compliance with policies are known as laws.

False - practices

When operating any kind of organization, a certain amount of debt is always involved. __________

False - risk

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. __________

False - threat

A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. __________

False - vulnerabilities

Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. __________

False - vulnerabilities

A short-term interruption in electrical power availability is known as a ________.

Fault

Complete loss of power for a moment is known as a ____.

Fault

Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity?

Fear of humiliation

Which of the following is a requirement for laws and policies to deter illegal or unethical activity?

Fear of penalty, probability of being penalized, and probability of being caught

An example of a stakeholder of a company includes all of the following except: a) employees b) the general public c) stockholders d) management

b) the general public

In information security governance who is responsible for policy, procedures, and training?

Chief Information Officer

The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.

Chief Information Security Officer(CISO)

Due diligence requires that an organization make a valid and ongoing effort to protect others

True

Information security is the protection of the confidentiality, integrity, and availability of information assets, in storage, processing, and transmission via the application of policy, education, training, awareness, and technology.

True

Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________

True

Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked.

True

A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as __________.

a security analyst

Treating risk begins with which of the following?

an understanding of risk treatment strategies

A gathering of key reference materials is performed during which phase of the SDLC?

analysis

A risk assessment is performed during which phase of the SDLC?

analysis

A risk assessment is performed during which phase of the SecSDLC?

analysis


Organizational feasibility

analysis examines how well the proposed information security alternatives will contribute to efficiency, effectiveness, and overall operation of an organization


The most complex part of an investigation is usually __________.

analysis for potential evidentiary material

In addition to specifying the penalties for unacceptable behavior, what else must the policy specify?

appeals process


The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited availability is known as risk __________.

appetite

Force majeure includes all of the following EXCEPT: a. acts of war b. forces of nature c. armed robbery d. civil disorder

armed robbery

General business

articulates and communicates organizational policy and objectives and allocates resources to the other groups

An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack, is known as threat __________.

assessment

Risk __________ is an approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.

assessment

The process of assigning financial value or worth to each information asset is known as __________.

asset valuation

Which of the following activities is part of the risk identification process?

assigning a value to each information asset

An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________.

attack

an act that is an intentional or unintentional attempt to compromise the information and/or the systems that support it

attack

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

authentication

Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?

authentication

behavioral types of leaders

autocratic, democratic, laissez-faire

Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information? a. authentication b. confidentiality c. integrity d. availability

confidentiality

Which of the following are instructional codes that guide the execution of the system when information is passing through it?

configuration rules

Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an event?

contingency planning

Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.

control

In order to ensure effort is spent protecting information that needs protecting, organizations implement _____.

data classification schemes

individual who determines the level of classification associated with data

data owner

Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.

data users

organization's information assets

data, hardware, software, procedures, people

Honey pots

decoy systems designed to lure potential attackers away from critical systems.

Application of training and education among other approach elements is a common method of which risk treatment strategy?

defense

Political feasibility

defines what can and cannot occur based on the consensus and relationships between the communities of interest, especially given that the budget allocation decisions can be politically charged


Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past, attempting to answer the question, what do others think is right?

descriptive ethics

In the _________ phase of the SecSDLC, team members create and develop the blueprint for security and develop critical contingency plans for incident response.

design

Technical feasibility

determines whether or not the organization has or can acquire the technology and expertise to implement, support and manage the new safeguards

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls. a. remediation b. rehabilitation c. deterrence d. persecution

deterrence

The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place is known as ___________.

deterrence


A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial-of-service

Remains even after the current control has been applied.

residual risk

A section of policy that should specify users' and systems administrators' responsibilities.

systems management

The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk __________.

identification

The organization can perform risk determination using certain risk elements, including all but which of the following?

legacy cost of recovery

Which of the following is not a role of managers within the communities of interest in controlling risk?

legal management must develop corporate-wide standards

The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________.

likelihood

The probability that a specific vulnerability within an organization will be the target of an attack is known as _____.

likelihood

Assessing risks includes determining the __________ that vulnerable systems will be attacked by specific threats.

likelihood probability

Damage, destruction, modification, disclosure, denial of use refers to data ___________.

loss

The _____ phase is the last phase of SecSDLC, but perhaps the most important.

maintenance and change


There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. accident b. ignorance c. malice d. intent

malice


Risk __________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

management

Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.

management guidance, technical specifications

System-specific policies can be organized into two general groups: ____ and _____.

managerial guidance, technical specifications

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

manufacturer's model or part number

The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics?

market

as a subset of information assets, the systems and network that store, process, and transmit information.

media

Communications security involves the protection of which of the following?

media, technology, and content

Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster?

mitigation

The protection of voice and data components, connections, and content is known as _________ security.

network

In the bull's-eye model, the ___________ layer is the place where threats from public networks meet the organization's networking infrastructure.

networks


Access control list user privileges include all but which of these?

operate

measures that deal with the functionality of security in an organization

operational controls

Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders?

operational feasibility

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organization

Which of the following variables is the most influential in determining how to structure an information security program?

organizational culture

Which of the following is a key step needed in order for a JAD approach to be successful?

organize workshop activities

Which of the following is an example of a technological obsolescence threat?

outdated servers

In which contingency plan strategy do individuals act as if an actual incident occurred, and begin performing their required tasks and executing the necessary procedures, without interfering with the normal operations of the business?

parallel testing

In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.

penetration

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a __________.

penetration tester

A set of security tests and evaluations that simulate attacks by a malicious external source is known as

penetration testing


the impetus for a project that is the result of a carefully developed planning strategy

plan-driven

Which of the following is the process that develops, creates, and implements strategies for the accomplishment of objectives?

planning

six ps

planning, policy, programs, protection, people, project management

A __________ is simply a manager's or other governing body's statement of intent regarding employee behavior with respect to the workplace.

policy

A good information security program begins and ends with __________.

policy

The document designed to regulate organizational efforts related to the identification, assessment, and treatment of risk to information assets is known as the RM __________.

policy

Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. programs b. planning c. people d. policy

policy

The champion and manager of the information security policy is called the _______.

policy administrator


Which individual is responsible for the creation, revision, distribution, and storage of the policy?

policy administrator

Which of the following is NOT one of the basic rules that must be followed when shaping a policy?

policy should be agreed upon by all employees and management

Which of the following is NOT one of the basic rules that must be followed when developing a policy?

policy should be focused on protecting the organization from public embarrassment

__________ are examples of actions that illustrate compliance with policies.

practices

Which of the following is NOT a unique function of Information Security Management?

principles

What is the last stage of the business impact analysis?

prioritize resources associated with the business processes

Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.

procedures

The Risk Management Framework includes all of the following EXCEPT:

process contingency planning

For an organization to manage its InfoSec risk properly, managers should understand how information is __________.

processed, collected, transmitted

Which of the following attributes does NOT apply to software information assets?

product dimensions

What should you be armed with to adequately assess potential weaknesses in each information asset?

properly classified inventory

Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________.

properly conceived

Communications security

protection of all communications media, technology and content

cyber (computer) Security

protection of computerized information processing systems

operations security

protection of details of an organization's operations

Physical security

protection of physical objects

network security

protection of voice and data networking components

Which type of device exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server?

proxy server

What is the final step in the risk identification process?

ranking assets in order of importance

an attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as __________

ransomware

What is the SETA program designed to do?

reduce the occurrence of accidental security breaches

Operational feasibility

refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders. User acceptance and support can be achieved by means of communication, education, and involvement.

SP 800-18, Rev.1: Guide for Developing Security Plans for Federal Information Systems

reinforces a business process centered approach to policy management

As each information asset is identified, categorized, and classified, a __________ value must also be assigned to it.

relative

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

relative value

Which of the following is NOT one of the administrative challenges to the operation of firewalls?

replacement

What is the risk to information assets that remains even after current controls have been applied?

residual risk

Which of the following is a disadvantage of the one-on-one training method?

resource intensive, to the point of being inefficient

which of the following is compensation for a wrong committed by an individual or organization?

restitution

________ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty

risk

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.

risk appetite

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

risk appetite

The identification, analysis, and evaluation of risk in an organization describes which of the following?

risk assessment

assigns a comparative risk rating or score to each specific information asset

risk assessment

associated with assessing risks and then implementing or repairing controls to assure the confidentiality, integrity, and availability of information

risk management

What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?

risk tolerance

behavioral feasibility

same as operational feasibility

permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a

search warrant

Qualified individuals who are tasked with configuring security technologies and operating other technical control systems are known as a(n) ___________.

security technician

Data classification schemes should categorize information assets based on which of the following?

sensitivity and security needs

is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.

service bureau

In which contingency plan strategy do individuals work on their own tasks and take responsibility for identifying the faults in their own procedures?

simulation

Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team?

specifying who will supervise and perform the RM process

Which type of document is a more detailed statement of what must be done to comply with a policy?

standard

type of document is a more detailed statement of what must be done to comply with a policy

standard

the process of moving an organization towards its vision by accomplishing its mission

strategic planning

The first priority of the CISO and the InfoSec management team should be the __________. a. development of a security policy b. implementation of a risk management program c. adoption of an incident response plan d. structure of a strategic plan

structure of a strategic plan

The first priority of the CISO and the InfoSec management team should be the _____________.

structure of a strategic plan

IT

supports the business objectives of the organization by supplying and supporting IT appropriate to the business' needs

The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the ____________________ security policy.

system-specific

The three types of information security policies include the enterprise security policy, the issue-specific security policy, and the _____________ security policy.

system-specific

The responsibilities of both the users and the systems administrators with regard to specific technology rules should be specified in the ____________________ section of the ISSP.

systems management

Which of the following breaks down each applicable strategic goal into a series of incremental objectives?

tactical

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ___________.

team leader

Human error or failure often can be prevented with training and awareness programs, policy, and __________. a. ISO 27000 b. technical controls c. outsourcing d. hugs

technical controls

Human error or failure often can be prevented with training, ongoing awareness activities, and ______.

technical controls

measures that use or implement a technical solution to reduce risk of loss in an organization

technical controls

Which of the following are the two general groups into which SysSPs can be separated?

technical specifications and managerial guidance

Another key U.S. federal agency is _________, which is responsible for coordinating, directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information.

the NSA

Single Loss Expectancy (SLE)

the calculation value associated with the most likely loss from an attack

which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?

the computer security act

In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT:

the corporate change control officer

Authorization

the matching of an authenticated entity to a list of information assets and corresponding access levels

Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:

the organization's governance structure

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify?

the penalties for violation of the policy

when an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________

the type of crime committed

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.

the type of crime committed

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________. a. the network provider the hacker used b. how many perpetrators were involved c. what kind of computer the hacker used d. the type of crime committed

the type of crime committed

Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? a. information extortion b. espionage or trespass c. theft d. sabotage or vandalism

theft

which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer?

theft

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________ a. threat b. vulnerability c. exploit d. attack

threat

any event or circumstance that has the potential to adversely affect operations and assets is known as a

threat

a specific instance or component that represents a danger to an organization's assets

threat agent

The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.

threat severity weighted table analysis

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

threats-vulnerabilities-assets worksheet

A(n) ___________ attack enables an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries.

timing

The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite.

zero

an attack that makes use of malware that is not yet known by the anti-malware software companies.

zero-day attack

Defense

Applying safeguards that eliminate or reduce the remaining uncontrolled risk. The defense risk control strategy attempts to prevent the exploitation of the vulnerability.
• This is the preferred approach and is accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards
• This approach is sometimes referred to as "avoidance"
• Three common methods of risk defense are:
- Application of policy
- Application of training and education
- Implementation of technology

Access Control Lists (ACLs)

• Include the user access lists, matrices, and capability tables that govern the rights and privileges
• A capability table specifies which subjects and objects users or groups can access
• These specifications are frequently complex matrices, rather than simple lists or tables
• In general, ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file
In general, ACLs regulate:
- Who can use the system
- What authorized users can access
- When authorized users can access the system
- Where authorized users can access the system from
- How authorized users can access the system

NIST Risk Management Framework

• The National Institute of Standards and Technology (NIST) has modified its fundamental approach to systems management and certification/accreditation to one that follows the industry standard of effective risk management
• As discussed in "Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View"
The first component of risk management addresses how organizations frame risk or establish a risk context, that is, describing the environment in which risk-based decisions are made
• The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations
• Establishing a realistic and credible risk frame requires that organizations identify: (i) risk assumptions, (ii) risk constraints, (iii) risk tolerance, and (iv) priorities and tradeoffs

Blackout

A long-term interruption in electrical power availability

Confidentiality

"An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems"
Limiting access to information only to those who need it, and preventing access by those who don't.
To protect the confidentiality of information, a number of measures are used:
- Information classification
- Secure document (and data) storage
- Application of general security policies
- Education of information custodians and end users
- Cryptography (encryption)

Availability

"An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction"
Availability of information means that users, either people or other systems, have access to it in a usable format. Availability does not imply that the information is accessible to any user; rather, it means it can be accessed when needed by authorized users.

Authentication

"The access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity"
It is the process by which a control establishes whether a user (or system) has the identity it claims to have. Individual users may disclose a personal identification number (PIN), a password, or a passphrase to authenticate their identities to a computer system.

Integrity

"an attribute of information that describes how data is whole, complete, and uncorrupted"
Integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.

Privacy

"in the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality"
Information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected.

Accountability

"the access control mechanism that ensures all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity. Also known as auditability"

Identification

"the access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system"
An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.

which of the following organizations put forth a code of ethics designed primarily for infosec professionals who have earned their certifications? the code includes the canon: provide diligent and competent service to principals

(ISC)2

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

(ISC)^2

Script kiddie

A hacker of limited skill who uses expertly written software to attack a system

What are the four elements that an EISP document should include?

- An overview of the corporate philosophy on security
- Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
- Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
- Fully articulated responsibilities for security that are unique to each role within the organization

What are the included tasks in the identification of risks?

- Creating an inventory of information assets
- Classifying and organizing those assets meaningfully
- Assigning a value to each information asset
- Identifying threats to the cataloged assets
- Pinpointing vulnerable assets by tying specific threats to specific assets

What should an effective ISSP accomplish?

- It articulates the organization's expectations about how its technology-based system should be used.
- It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control.
- It indemnifies the organization against liability for an employee's inappropriate or illegal use of the system.

Information Security Roles and Titles

- Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
- Security managers
- Security administrators and analysts
- Security technicians
- Security staffers and watchstanders
- Security consultants
- Security officers and investigators
- Help desk personnel

4 steps FDIC: SLA

- Determining objectives
- Defining requirements
- Setting measurements
- Establishing accountability

List the major components of the ISSP.

- Statement of Purpose
- Authorized Uses
- Prohibited Uses
- Systems Management
- Violations of Policy
- Policy Review and Modification
- Limitations of Liability

professional hacker

A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government

Information security governance yields significant benefits. List five.

1. An increase in share value for organizations
2. Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels
3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
4. Optimization of the allocation of limited security resources
5. Assurance of effective information security policy and policy compliance
6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response
7. A level of assurance that critical decisions are not based on faulty information
8. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response.

Briefly describe five different types of laws.

1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations.
2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state.
3. Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law.
5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

Cracker

A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use

12 categories of threat

1. Compromises to intellectual property
2. Deviations in quality of service
3. Espionage or trespass
4. Forces of nature
5. Human error or failure
6. Information extortion
7. Sabotage or vandalism
8. Software attacks
9. Technical hardware failures
10. Technical software failures
11. Technological obsolescence
12. Theft

Phreaker

A hacker who manipulates the public telephone system to make free calls or disrupt services

Expert hacker

A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information

Brownout

A long-term decrease in electrical power availability

Surge

A long-term increase in electrical power availability

an industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character

10.4 password rule

Medium sized organizations tend to spend approximately __________ percent of the total IT budget on security.

11

Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) which is longer than ____ characters in Internet Explorer 4.0, the browser will crash.

256

Larger organizations tend to spend approximately __________ percent of the total IT budget on security.

5

Service level agreement

A document or part of a document that specifies the expected level of service from a service provider. Usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime

A content filter

A network filter that allows administrators to restrict access to external content from within a network is known as a _____.

Threat agent

A person or other entity that may cause a loss in an asset's value

Hacker

A person who accesses systems and information without authorization and often illegally

Threat

A potential risk of an asset's loss of value

Vulnerability

A potential weakness in an asset or its defensive control system

Novice Hacker

A relatively unskilled hacker who uses the work of expert hackers to perform attacks

Packet Monkey

A script kiddie who uses automated exploits to engage in denial-of-service attacks

Sag

A short-term decrease in electrical power availability

Spike

A short-term increase in electrical power availability, also known as a swell

Fault

A short-term interruption in electrical power availability

Database security

A subset of information security that focuses on the assessment and protection of information stored in repositories

Rainbow Table

A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file

dictionary password attack

A variation of the brute force password attack that attempts to narrow the possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information

Exploit

A vulnerability that can be used to cause a loss to an asset

Issue-specific information security policies (ISSP)

An issue-specific security policy (ISSP) is an organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies
• An issue-specific security policy (ISSP) is designed to regulate the use of some technology or resource issue within the organization
• In some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use
• The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource
Every organization's ISSPs should:
- Address specific technology-based systems
- Require frequent updates
- Contain an issue statement on the organization's position on an issue

Help Desk Personnel

An important part of the information security team is the help desk, which enhances the security team's ability to identify potential problems
• When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user's problem may turn out to be related to a bigger problem, such as a hacker, denial-of-service attack, or a virus
• Because help desk technicians perform a specialized role in information security, they have a need for specialized training

10.3 password rule

An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character

The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.

Accidental

Which of the following is a responsibility of the crisis management team?

Activating the alert roster

"4-1-9" is one form of a(n) __________ fraud.

Advance-fee fraud

a form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.

Advance-fee fraud (AFF)

malware intended to provide undesired marketing and advertising, including popups and banners on a user's screen.

Adware

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.

Affidavit

Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?

All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person. However, agencies may withhold information pursuant to nine exemptions and three exclusions contained in the statute. FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each state has its own public access laws that should be consulted for access to state and local records.

The management of human resources must address many complicating factors; which of the following is NOT among them?

All workers operate at approximately the same level of efficiency

Why is policy so important?

Among other reasons, policy may be one of the very few controls or safeguards protecting certain information. Also, properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Policy also serves to protect both the employee and the organization from inefficiency and ambiguity.

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law.

Breach

a long-term decrease in electrical power availability.

Brownout

an attempt to guess a password by attempting every possible combination of characters and numbers in it.

Brute force password attack

an application error that occurs when more data is sent to a program buffer than it is designed to handle.

Buffer overrun (or buffer overflow)

Which of the following is NOT a step in the problem-solving process?

Build support among management for the candidate solution

Threat Assessment

Armed with a properly classified inventory, you can assess potential weaknesses in each information asset, a process known as threat assessment
• Any organization typically faces a wide variety of threats; if you assume that every threat can and will attack every information asset, then the project scope becomes too complex
• To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end

Risk Assessment

Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment
• Risk assessment assigns a risk rating or score to each specific vulnerability
• While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process

_____ is a respected professional society founded in 1947 as "the world's first educational and scientific computing society."

Association of Computing Machinery (ACM)

an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.

Attack

cracking

Attempting to reverse-engineer, remove, or bypass password or other access control protection, such as copyright protection software.

an interruption of service, usually from a service provider, which causes an adverse event within an organization.

Availability disruption

Which of the following is NOT a threat to information security systems?

Availability

If operations at the primary site cannot be quickly restored, the ____________________ occurs concurrently with the DR plan, enabling the business to continue at an alternate site.

BCP (BC plan, business continuity plan)

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

Back door

a malware payload that provides access to a system by bypassing normal access controls.

Back door

Risk Appetite

Before the organization can or should proceed, it needs to understand whether the current level of controls identified at the end of the risk assessment process results in a level of risk management it can accept
• The amount of risk that remains after all current controls are implemented is residual risk
• The organization may very well reach this point in the risk management process, examine the documented residual risk, simply state, "Yes, we can live with that," and then document everything for the next risk management review cycle
• What is difficult is the process of formalizing exactly what the organization "can live with"; this process is the heart of risk appetite

Alternatives to Feasibility Analysis

• Benchmarking
• Due care and due diligence
• Best business practices
• Gold standard
• Government recommendations and best practices
• Baseline

a long-term interruption (outage) in electrical power availability.

Blackout

also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.

Boot virus

an abbreviation of robot; an automated software program that executes certain commands when it receives a specific input. See also Zombie.

Bot

Assessing Risk

Estimating risk is not an exact science; thus some practitioners use calculated values for risk estimation, whereas others rely on broader methods of estimation
• The goal is to develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list

Defines socially acceptable behaviors.

Ethics

The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.

Event driven

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.

Evidentiary material

Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization.

Examples

a hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information.

Expert hacker

a technique used to compromise a system

Exploit

In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.

F

In most organizations, the COO is responsible for creating the IR plan

F

The authorization process takes place before the authentication process.

F

The first step in solving problems is to gather facts and make assumptions.

F

The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses

F

Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster

F

When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.

F

Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. TRUE OR FALSE

FALSE

What is one of the most frequently cited failures in project management?

Failure to meet project deadlines

A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.

False

A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information.

False

Access control lists regulate who, what, when, where, and why authorized users can access a system.

False

All traffic exiting from the trusted network should be filtered.

False

Because it sets out general business intentions, a mission statement does not need to be concise.

False

Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex. a. True b. False

False

Corruption of information can occur only while information is being stored.

False

Ethics carry the sanction of a governing authority.

False

Having an established risk management program means that an organization's assets are completely protected.

False

ISACA is a professional association with a focus on authorization, control, and security. ___________

False

Laws and policies and their associated penalties only deter if three conditions are present. What are these conditions?

• Fear of penalty: threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.
• Probability of being caught: there must be a strong possibility that perpetrators of illegal or unethical acts will be caught.
• Probability of penalty being administered: the organization must be willing and able to impose the penalty.

What is necessary for a top-down approach to the implementation of InfoSec to succeed?

For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization.

Which of the following is NOT a knowledge area in the Project Management knowledge body?

Technology

Guidelines for Effective Policy

For policies to be effective, they must be properly: 1. Developed using industry-accepted practices, and formally approved by management 2. Distributed using all appropriate methods 3. Read by all employees 4. Understood by all employees 5. Formally agreed to by act or affirmation 6. Uniformly applied and enforced

List the significant guidelines used in the formulation of effective information security policy.

For policies to be effective, they must be properly: 1. Developed using industry-accepted practices 2. Distributed or disseminated using all appropriate methods 3. Reviewed or read by all employees 4. Understood by all employees 5. Formally agreed to by act or assertion 6. Uniformly applied and enforced

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons?

For political advantage

The penalty for violating the National Information Infrastructure Protection Act of 1996 depends on the value of the information obtained and whether the offense is judged to have been committed for one of three reasons. What are those reasons?

For purposes of commercial advantage; for private financial gain; in furtherance of a criminal act

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is one of those reasons?

For purposes of commercial advantage; For private financial gain; In furtherance of a criminal act

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.

Forensics

The law that provides any person with the right to request access to federal agency records is the _____.

Freedom of Information Act

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?

IP address

In large organizations, the InfoSec department is often located within a(n) _________ division headed by the _________, who reports directly to the _________.

IT, CISO, CIO

Contrast the vision statement with the mission statement.

If the vision statement states where the organization wants to go, the mission statement describes how it wants to get there.

The three general categories of unethical behavior that organizations and society should seek to eliminate

Ignorance, accident, and intent

the unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.

Privilege escalation

ISO 27014:2013 is the ISO 27000 series standard for ________________.

Governance of Information Security

ISO 27014:2013 is the ISO 27000 series standard for:

Governance of Information Security

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

HIPAA

One form of online vandalism is ____ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

Hacktivist

One form of online vandalism is __________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

Hacktivist/Cyberactivist

a hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

Hacktivist/Cyberactivist

Which of the following is an example of a Trojan horse program?

Happy99.exe

Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

Health Information Technology for Economic and Clinical Health Act

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____.

Hoaxes

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus _______________.

Hoaxes

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

Hold regular meetings with the CIO to discuss tactical InfoSec planning

Discuss the three general categories of unethical behavior that organizations should try to control.

Ignorance: Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention and, one hopes, compliance.
Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data.
Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.

In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies?

Implementation

Review Schedule

• In a changing environment, policies can retain their effectiveness only if they are periodically reviewed for currency and accuracy, and modified to keep them updated.
• Any policy document should contain a properly organized schedule of reviews.
• Generally, a policy should be reviewed at least annually.

Security in Small Organizations

• In a small organization, InfoSec often becomes the responsibility of a jack-of-all-trades, a single security administrator with perhaps one or two assistants for managing the technical components.
• It is not uncommon in smaller organizations to have the systems or network administrators play these many roles.
• Because resources are often limited in smaller organizations, the security administrator frequently turns to freeware or open source software to lower the costs of assessing and implementing security.
• In small organizations, security training and awareness is most commonly conducted on a one-on-one basis, with the security administrator providing advice to users as needed.
• Some feel that small organizations, to their advantage, avoid some threats precisely because of their small size.
• Threats from insiders are also less likely in an environment where every employee knows every other employee.
• In general, the less anonymity an employee has, the less likely he or she feels able to get away with abuse or misuse of company assets.
• Smaller organizations typically have either one individual who has full-time duties in InfoSec or, more likely, one individual who manages or conducts InfoSec duties in addition to those of other functional areas, most likely IT, possibly with one or two assistants.

Policy and Revision Date

• In some organizations, policies are drafted and published without a date, leaving users of the policy unaware of its age or status.
• This practice can create problems, including legal ones, if employees are complying with an out-of-date policy.
• Ideally, the policy document should include its date of origin, along with the dates, if any, of revisions.
• Some policies may need a "sunset clause," particularly if they govern information use for a short-term association with second-party businesses or agencies.

Implementation Phase

• In the implementation phase, the team must create a plan to distribute and verify the distribution of the policies.
• Members of the organization must explicitly acknowledge that they have received and read the policy (compliance).
• The simplest way to document acknowledgment of a written policy is to attach a cover sheet that states "I have received, read, understood, and agreed to this policy." The employee's signature and date provide a paper trail of his or her receipt of the policy.

Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident?

Incident classification

contingency planning

Incident response; disaster recovery; business continuity

a person who accesses systems and information without authorization and often illegally.

hacker

According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?

• Inculcate a culture that recognizes the criticality of information and InfoSec to the organization.
• Verify that management's investment in InfoSec is properly aligned with organizational strategies and the organization's risk environment.
• Assure that a comprehensive InfoSec program is developed and implemented.
• Demand reports from the various layers of management on the InfoSec program's effectiveness and adequacy.

the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.

Industrial espionage

What strategic role do the InfoSec and IT communities play in risk management? Explain.

InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk. IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.

data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.

Information

the focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.

Information asset

Blackmail threat of informational disclosure is an example of which threat category?

Information extortion

the act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.

Information extortion

This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.

InfraGard

According to the Corporate Governance Task Force (CGTF), which phase of the IDEAL model and framework lays the groundwork for a successful improvement effort?

Initiating

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?

Initiating

Describe what happens during each phase of the IDEAL General governance framework.

Initiating - Lay the groundwork for a successful improvement effort. Diagnosing - Determine where you are relative to where you want to be. Establishing - Plan the specifics of how you will reach your destination. Acting - Do the work according to the plan. Learning - Learn from the experience and improve your ability to adopt new improvements in the future.

a class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.

Integer bug
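
The glossary entry above says only that the bug "can be exploited"; the following added example (written for this page, not taken from the textbook) shows the most common shape of an exploitable integer bug: two attacker-controlled lengths are added in a 32-bit unsigned variable, the sum wraps past 2^32, and a bounds check that looks correct lets a multi-gigabyte copy into a 64-byte buffer go ahead. The hardened version bounds each operand before combining them. The record format, the `BUF_SIZE` constant and both length fields are constructed for the demonstration; the functions return the byte count a real parser would hand to memcpy instead of performing the copy, so the wrapped case is safe to run.

```c
/* integer_bug.c - an unsigned addition that wraps lets a length check pass.
 * Added example constructed for this glossary entry; BUF_SIZE and the
 * header/body record layout are assumptions, not part of any real protocol. */
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 64u   /* size of the fixed buffer a parser would copy into */

/* Vulnerable check: hdr_len + body_len is evaluated in uint32_t, so it wraps
 * modulo 2^32 and a huge body_len can make `total` look tiny. Real code would
 * then memcpy() body_len bytes into the 64-byte buffer.
 * Returns the total byte count the caller would go on to copy, or -1 if the
 * input is rejected. No copy is performed, so the wrapped case runs safely. */
static int64_t vulnerable_accept(uint32_t hdr_len, uint32_t body_len) {
    uint32_t total = hdr_len + body_len;   /* e.g. 16 + 0xFFFFFFF0 == 0 */
    if (total > BUF_SIZE)
        return -1;
    /* what the subsequent memcpy calls would actually be asked to move */
    return (int64_t)hdr_len + (int64_t)body_len;
}

/* Hardened check: bound the first operand on its own, then compare the second
 * against the space that remains. No intermediate sum can wrap. */
static int64_t hardened_accept(uint32_t hdr_len, uint32_t body_len) {
    if (hdr_len > BUF_SIZE)
        return -1;
    if (body_len > BUF_SIZE - hdr_len)   /* cannot underflow: hdr_len <= BUF_SIZE */
        return -1;
    return (int64_t)hdr_len + (int64_t)body_len;
}

int main(void) {
    /* Constructed inputs: a benign record and a crafted one whose sum wraps. */
    uint32_t benign_hdr = 16, benign_body = 32;
    uint32_t evil_hdr = 16, evil_body = 0xFFFFFFF0u;   /* 16 + 0xFFFFFFF0 wraps to 0 */

    printf("benign:  vulnerable=%lld hardened=%lld\n",
           (long long)vulnerable_accept(benign_hdr, benign_body),
           (long long)hardened_accept(benign_hdr, benign_body));
    printf("crafted: vulnerable=%lld (accepted: ~4 GiB into 64 bytes) hardened=%lld\n",
           (long long)vulnerable_accept(evil_hdr, evil_body),
           (long long)hardened_accept(evil_hdr, evil_body));
    return 0;
}
```

The same pattern appears with signed lengths (a negative value passes `len > MAX` and becomes a huge `size_t` at the memcpy call) and with multiplication (`count * sizeof(elem)`); the fix is always to check each operand against the bound before it is combined with another, or to use a checked-arithmetic helper.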

Which of the following is a C.I.A. characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state?

Integrity

the creation, ownership, and control of original ideas as well as the representation of those ideas.

Intellectual property(IP)

Which of the following is NOT used to categorize some types of law?

International

A detailed outline of the scope of the policy development project is created during which phase of the SDLC?

Investigation

The _________ phase of the secSDLC begins with a directive from upper management specifying the process, outcomes, and goals of a project as well as its budget and other constraints.

Investigation

What is the first phase of the SecSDLC?

Investigation

Which phase of the SDLC should get support from senior management?

Investigation

Which phase of the SDLC should see clear articulation of goals?

Investigation

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

Issue-Specific Security Policy

A(n) _____ addresses specific areas of technology, requires frequent updates, and contains a statement on the organization's position on a specific issue.

Issue-specific Security Policy (ISSP)

Which of the following is true about a hot site?

It duplicates computing resources, peripherals, phone systems, applications, and workstations.

According to Wood, which of the following are reasons the InfoSec department should report directly to top management?

It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole

A well-defined risk appetite should have the following characteristics EXCEPT:

It is not limited by stakeholder expectations.

escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS smartphones). See also Rooting.

Jailbreaking

Any court can impose its authority over an individual or organization if it can establish which of the following?

Jurisdiction

Policy Administrator

• Just as information systems and InfoSec projects must have a champion and a manager, so must policies.
• The policy champion position combined with the manager position is called the policy administrator.
• Typically, this person is a mid-level staff member who is responsible for the creation, revision, distribution, and storage of the policy.

The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response.

Design

Policy Development and Implementation Using the SecSDLC

• Like any major project, a policy development or redevelopment project should be well planned, properly funded, and aggressively managed to ensure that it is completed on time and within budget.
• One way to accomplish this goal is to use a systems development life cycle (SDLC).

Likelihood

• Likelihood is the overall rating, a numerical value on a defined scale, of the probability that a specific vulnerability will be exploited.
• Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset (e.g., 1-100, or low/medium/high).
• Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating, and use it consistently.
• Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances.

the overall rating of the probability that a specific vulnerability will be exploited or attacked.

Likelihood

Which of the following is an attribute of a network device built into the network interface?

MAC address

a type of virus written in a specific macro language to target applications that use the language.

Macro virus

an attack designed to overwhelm the receiver with excessive quantities of email.

Mail bomb

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

Managerial controls

Information Aggregation

Many organizations collect, swap, and sell personal information as a commodity

the average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.

Mean time between failure (MTBF)

the average amount of time a computer technician needs to determine the cause of a failure.

Mean time to diagnose (MTTD)

the average amount of time until the next hardware failure.

Mean time to failure (MTTF)

the average amount of time a computer technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.

Mean time to repair (MTTR)

Intellectual property

The creation, ownership and control of original ideas as well as the representation of those ideas

Describe the foundations and frameworks of ethics.

Normative ethics: the study of what makes actions right or wrong, also known as moral theory; that is, how should people act?
Meta-ethics: the study of the meaning of ethical judgments and properties; that is, what is right?
Descriptive ethics: the study of the choices that have been made by individuals in the past; that is, what do others think is right?
Applied ethics: an approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice.
Deontological ethics: the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person's ethical duty.

___________are malware programs that hide their true nature, and reveal their designed behavior only when activated.

Trojan Horses

What does it mean to "know the enemy" with respect to risk management?

Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu's second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization's information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets.

What is the values statement and what is its importance to an organization?

One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.

Classifying and Categorizing Information Assets

• Once the initial inventory is assembled, determine whether its asset categories are meaningful to the risk management program.
• The inventory should also reflect the sensitivity and security priority assigned to each information asset.
• A data classification scheme categorizes these information assets based on their sensitivity and security needs.
• Each of these categories designates the level of protection needed for a particular information asset.
• Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type.
• Classification categories must be comprehensive and mutually exclusive.

a form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information.

Pretexting

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?

Malice

computer software specifically designed to perform malicious or unwanted actions.

Malware

In the ______________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

Man-in-the-Middle

In the well-known ____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

Man-in-the-Middle

a group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.

Man-in-the-Middle

All network devices are assigned a unique number by the hardware at the network interface layer called the _____.

Media Access Control (MAC) address

Security in Medium-Sized Organizations

• Medium-sized organizations may still be large enough to implement the multi-tiered approach to security described for large organizations, though perhaps with fewer dedicated groups and more functions assigned to each group.
• In a medium-sized organization, more of the functional areas are assigned to other departments within IT but outside the InfoSec department, especially the central authentication function.
• A medium-sized organization may have only one full-time security person, with perhaps three individuals who have part-time InfoSec responsibilities.

a virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.

Memory-resident virus

the presence of additional and disruptive signals in network communications or electrical power delivery.

Noise

A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective is known as a ____________.

Methodology

Microsoft Risk Management Approach

• Microsoft Corp. also promotes a risk management approach.
• There are four phases in the Microsoft InfoSec risk management process:
  - Assessing risk
  - Conducting decision support
  - Implementing controls
  - Measuring program effectiveness

A statement explicitly declaring the business of the organization and its intended areas of operations is a ____________.

Mission statement

The EISP must directly support the organization's __________.

Mission statement

Which of the following explicitly declares the business of the organization and its intended areas of operations?

Mission statement

a virus that terminates after it has been activated, infected its host system, and replicated itself.

Non-memory-resident virus

The study of what makes actions right or wrong, also known as moral theory.

Normative ethics

Ethics

Principles/codes that define acceptable behavior

There are generally two skill levels among hackers: expert and ____

Novice

a relatively unskilled hacker who uses the work of expert hackers to perform attacks.

Novice hacker

Security Officers and Investigators

• Occasionally, the physical security and InfoSec programs are blended into a single, converged functional unit.
• When that occurs, several roles are added to the pure IT security program, including physical security officers and investigators.
• Sometimes referred to as the guards, gates, and guns (GGG) aspect of security, these roles are often closely related to law enforcement and may rely on employing persons trained in law enforcement and/or criminal justice.

Security Awareness

One of the least frequently implemented, but most effective, security methods is the security awareness program.
• Security awareness programs:
  - set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure
  - remind users of the procedures to be followed
• When developing an awareness program:
  - Focus on people
  - Refrain from using technical jargon
  - Use every available venue
  - Define learning objectives, state them clearly, and provide sufficient detail and coverage
  - Keep things light
  - Don't overload the users
  - Help users understand their roles in InfoSec
  - Take advantage of in-house communications media
  - Make the awareness program formal; plan and document all actions
  - Provide good information early, rather than perfect information late

The type of planning that is used to organize the ongoing, day-to-day performance of tasks is ____________?

Operational

Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?

Operational

Which type of planning is used to organize the ongoing, day-to-day performance of tasks?

Operational

Common law, case law, and precedent

Originates from a judicial branch or oversight board and involves the interpretation of law based on the actions of a previous and/or higher court or board

Statutory law

Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes

Regulatory or administrative law

Originates from an executive branch or authorized regulatory agency, and includes executive orders and regulations

Annualized Loss Expectancy(ALE)

The expected loss from a given risk over one year; calculated as the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO)

Which of the following was originally developed in the late 1950s to meet the need of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems?

PERT

____ is an integrated system of software, encryption methodologies, and legal agreements that can be used to support the entire information infrastructure of an organization

PKI

a script kiddie who uses automated exploits to engage in denial-of-service attacks.

Packet monkey

a software program or hardware appliance that can intercept, copy, and interpret network traffic.

Packet sniffer

an information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.

Penetration tester

Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?

People

the redirection of legitimate Web traffic to illegitimate Web sites with the intent to collect personal information.

Pharming

a form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.

Phishing

a hacker who manipulates the public telephone system to make free calls or disrupt services.

Phreaker

_________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.

Physical

resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states

Physical

Specialized areas of security

• Physical security
• Operations security
• Communications security
• Cyber (or computer) security
• Network security

Which subset of civil law regulates the relationships among individuals and among individuals and organizations?

Private

What is the role of planning in InfoSec management? What are the factors that affect planning?

Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholders. Among the factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment.

_____ direct how issues should be addressed and technologies used.

Policies

A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution?

Policies must be:
- Effectively written
- Distributed to all individuals who are expected to comply with them
- Read by all employees
- Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees
- Acknowledged by the employee, usually by means of a signed consent form
- Uniformly enforced, with no special treatment for any group (e.g., executives)

Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

Policy

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

Policy Review and Modification

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?

Policy administrator

malware that over time changes the way it appears to antivirus programs, making it undetectable by techniques that look for preconfigured signatures.

Polymorphic threat

_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.

Portable

a hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government.

Professional hacker

Information security project managers often follow methodologies based on what methodology promoted by the Project Management Institute?

Project Management Body of Knowledge (PMBoK)

Which of the following is NOT a primary function of Information Security Management?

Projects

Information security is needed to:

Protect the ability to function, protect data and information, enable operations of applications, and safeguard the organization's IT assets

Which of the following functions does information security perform for an organization?

Protecting the organization's ability to function; Enabling the safe operation of applications implemented on the organization's IT systems; Protecting the data the organization collects and uses

Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

Public law

7 steps to Implement Training

Step 1: Identify program scope, goals, and objectives
Step 2: Identify training staff
Step 3: Identify target audiences
Step 4: Motivate management and employees
Step 5: Administer the program
Step 6: Maintain the program
Step 7: Evaluate the program

Solving Problems

Step 1: Recognize and Define the Problem
Step 2: Gather Facts and Make Assumptions
Step 3: Develop Possible Solutions
Step 4: Analyze and Compare Possible Solutions (Feasibility analyses)
Step 5: Select, Implement, and Evaluate a Solution

Which type of planning is the primary tool in determining the long-term direction taken by an organization?

Strategic

Which of the following is true about planning?

Strategic plans are used to create tactical plans

Termination

Removing or discontinuing the information asset from the organization's operating environment
Like acceptance, the termination risk management strategy is based on the organization's need or choice not to protect an asset
- Here, however, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk
• The cost of protecting an asset may outweigh its value, or it may be too difficult or expensive to protect an asset compared to the value or advantage that asset offers the company
• In either case, termination must be a conscious business decision, not simply the abandonment of an asset, which would technically qualify as acceptance

Which of the following is compensation for a wrong committed by an individual or organization?

Restitution

Risk identification is performed within a larger process of identifying and justifying risk controls, which is called ____.

Risk Management

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

Risk assessment

For the purposes of relative risk assessment, how is risk calculated?

Risk equals likelihood of vulnerability occurrence multiplied by value (or impact), minus percentage risk already controlled, plus an element of uncertainty.

The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts.

Risk management policy

__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty.

Risk ranking worksheet

escalating privileges to gain administrator-level control over a computer system (including smartphones).

Rooting

The ____ data file contains the hashed representation of the user's password.

SAM

Technology services are usually arranged with an agreement defining minimum service levels known as an

SLA

Web hosting services are usually arranged with an agreement providing minimum service levels known as a(n) ____.

SLA

_____ is an excellent reference for security managers involved in the routine management of information security.

SP 800-12, An Introduction to Computer Security: The NIST Handbook

a short-term decrease in electrical power availability.

Sag

____ are software programs that hide their true nature, and reveal their designed behavior only when activated.

Trojan horses

a document or part of a document that specifies the expected level of service from a service provider.

Service Level Agreement (SLA)

Which of the following is an information security governance responsibility of the Chief Security Officer?

Set security policy, procedures, programs, and training

a malware program that hides its true nature and reveals its designed behavior only when activated.

Trojan horses

A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization, in this case the information assets used in a particular organization, is known as a(n) _______________.

Stakeholder

_____ are detailed statements of what must be done to comply with policy.

Standards

The Computer Security Act charges the National Bureau of Standards, in cooperation with the National Security Agency (NSA), with the development of five standards and guidelines establishing minimum acceptable security practices. What are three of these principles?

- Standards, guidelines, and associated methods and techniques for computer systems
- Uniform standards and guidelines for most federal computer systems
- Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
- Guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice
- Validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies

A clearly directed strategy flows from top to bottom rather than from bottom to top.

True

Systems-specific policies (SysSPs)

Systems-Specific Security Policies (SysSPs) sometimes have a different look and may seem more like procedures to some readers
• They may often function as standards or procedures to be used when configuring or maintaining systems
• SysSPs can be separated into:
- Managerial guidance
- Technical specifications
or combined in a single unified SysSP document

Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?

RM Framework

Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?

RM process

What is the system most often used to authenticate the credentials of users who are trying to access an organization's network via a dial-up connection?

Radius

The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.

Rainbow table

a table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.

Rainbow table

computer software specifically designed to identify and encrypt valuable information in a victim's system in order to extort payment for the key needed to unlock the encryption.

Ransomware

To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology.

Reading level

Which of the following is the first step in the problem-solving process?

Recognize and define the problem

Mitigation

Reducing the impact to information assets should an attacker successfully exploit a vulnerability
The mitigation risk control strategy is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by a realized incident or disaster
• This approach includes three types of plans:
- Disaster recovery (DR) plan
- Incident response (IR) plan
- Business continuity (BC) plan
• Mitigation depends upon the ability to detect and respond to an attack as quickly as possible

a hacker of limited skill who uses expertly written software to attack a system.

Script kiddie

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.

Search warrant

This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.

Security manager

Security Managers

Security managers are accountable for the day-to-day operations of the InfoSec program
• They accomplish objectives identified by the CISO, to whom they report, and they resolve issues identified by technicians, administrators, analysts, or staffers whom they supervise
• Managing security requires an understanding of technology but not necessarily technical mastery

Security Staffers and Watchstanders

Security staffer is a catchall title that applies to those who perform routine watchstanding or administrative activities
• The term "watchstander" includes the people who watch intrusion consoles, monitor e-mail accounts, and perform other routine yet critical roles that support the mission of the InfoSec department
• Security watchstanders are often entry-level InfoSec professionals responsible for monitoring some aspect of the organization's security posture, whether technical or managerial
• In this position, new InfoSec professionals have the opportunity to learn more about the organization's InfoSec program before becoming critical components of its administration

Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

Security technician

Security Technician

Security technicians are the technically qualified individuals who configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented
• A security technician is usually an entry-level position, but one that requires strong technical skills, which can make this job challenging for those who are new to the field, given that it is difficult to get the job without experience and yet experience comes with the job
• Security technicians who want to move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining an understanding of the general organizational issues of InfoSec as well as all technical areas

Security Training

Security training involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely
• Management can either develop customized training or outsource all or part of the training program
• There are two methods for customizing training for users: by functional background or by skill level
- Functional background:
• General user
• Managerial user
• Technical user
- Skill level:
• Novice
• Intermediate
• Advanced

A project can have more than one critical path.

T

The ____ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.

TCP

a form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.

TCP hijacking

Deterrence is the best method for preventing an illegal or unethical activity.

True

Transference

Shifting risks to other areas or to outside entities
The transference risk control strategy attempts to shift risk to another entity
• This goal may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers
• When an organization does not have adequate security management and administration experience, it should hire individuals or firms that provide expertise in those areas (outsourcing)

the direct, covert observation of individual information or system use.

Shoulder surfing

"4-1-9" fraud is an example of a ____ attack.

Social engineering

the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.

Social engineering

the unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.

Software piracy

Security Education

Some organizations may have employees within the InfoSec department who are not prepared by their background or experience for the InfoSec roles they are supposed to perform
• When tactical circumstances allow and/or strategic imperatives dictate, these employees may be encouraged to use a formal education method
• Local and regional resources might also provide information and services in educational areas

undesired e-mail, typically commercial advertising transmitted in bulk.

Spam

a highly targeted phishing attack.

Spear phishing

a short-term increase in electrical power availability, also known as a swell

Spike

a technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.

Spoofing

____ is any technology that aids in gathering information about a person or organization without their knowledge.

Spyware

In which level of planning are budgeting, resource allocation, and manpower critical components?

Tactical

How does tactical planning differ from strategic planning?

Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year.

Which of the following is a part of an information security program?

Technologies used by an organization to manage the risks to its information assets; activities used by an organization to manage the risks to its information assets; personnel used by an organization to manage the risks to its information assets

a long-term increase in electrical power availability.

Surge

What is a SysSP and what is one likely to include?

SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for example, to configure and operate a network firewall. Such a document could include: a statement of managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an access control list that defines levels of access for each authorized user.

Technical Specifications SysSPs

System administrators' directions on implementing managerial policy
• Each type of equipment has its own type of policies
• There are two general methods of implementing such technical controls:
- access control lists
- configuration rules

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

System testing

_____ are frequently codified as standards and procedures to be used when configuring or maintaining systems.

System-specific security policies (SysSP)

A methodology for the design and implementation of an information system that is a formal development strategy is referred to as a __________.

Systems Development Life Cycle(SDLC)

The responsibilities of users and systems administrators with regard to systems administration duties should be specified in the ____________________ section of the ISSP.

Systems Management

Privilege escalation

The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources

Analysis Phase

The Analysis phase should include the following activities:
- A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization
- The gathering of key reference materials, including any existing policies

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system?

The Computer Security Act

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

The Electronic Communications Privacy Act of 1986

FAIR Approach

The Factor Analysis of Information Risk (FAIR) framework includes:
- A taxonomy for information risk
- Standard nomenclature for information risk terms
- A framework for establishing data collection criteria
- Measurement scales for risk factors
- A computational engine for calculating risk
- A modeling construct for analyzing complex risk scenarios
Basic FAIR analysis is comprised of ten steps in four stages:
Stage 1 - Identify scenario components:
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 - Evaluate Loss Event Frequency (LEF):
3. Estimate the probable Threat Event Frequency (TEF)
4. Estimate the Threat Capability (TCap)
5. Estimate Control Strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)
Stage 3 - Evaluate Probable Loss Magnitude (PLM):
8. Estimate worst-case loss
9. Estimate probable loss
Stage 4 - Derive and articulate Risk:
10. Derive and articulate Risk
• Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low

ISO 27005 Standard for InfoSec Risk Management

The ISO 27000 series includes a standard for the performance of Risk Management, ISO 27005 (http://www.27000.org/iso-27005.htm)
• The 27005 document includes a five-stage risk management methodology:
1. Risk Assessment
2. Risk Treatment
3. Risk Acceptance
4. Risk Communication
5. Risk Monitoring and Review

Security Consultants

The InfoSec consultant is typically an independent expert in some aspect of InfoSec
• He or she is usually brought in when the organization makes the decision to outsource one or more aspects of its security program
• While it is usually preferable to involve a formal security services company, qualified individual consultants are available for hire

Cost Benefit Analysis (CBA)

The criterion most commonly used when evaluating a project that implements InfoSec controls and safeguards is economic feasibility
• Organizations can begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets became compromised
• This decision-making process is called a cost benefit analysis or an economic feasibility study

Shoulder surfing

The direct, covert observation of individual information or system use

The OCTAVE Methods

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation
• By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets
• The operational or business units and the IT department work together to address the information security needs of the organization
There are three variations of the OCTAVE Method:
- The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, and which was designed for larger organizations (300 or more users)
- OCTAVE-S, for smaller organizations of about 100 users
- OCTAVE-Allegro, a streamlined approach for information security assessment and assurance

Risk Identification

The Risk Management project should be well organized and funded, with a clear champion, a statement of work, and all needed support
• Risk identification begins with the process of self-examination
• Managers:
- Identify the organization's information assets
- Classify and categorize them into useful groups
- Prioritize them by overall importance

Implementing Security Education, Training, and Awareness Programs

The SETA program is designed to reduce accidental security breaches by members of the organization
• SETA programs offer three major benefits:
- They can improve employee behavior
- They can inform members of the organization about where to report violations of policy
- They enable the organization to hold employees accountable for their actions
• The purpose of SETA is to enhance security:
- By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
- By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
- By improving awareness of the need to protect system resources

List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.

The advantages of the modular ISSP policy are:
- Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches
- Well controlled by centrally managed procedures, assuring complete topic coverage
- Clear assignment to a responsible department
- Written by those with superior subject matter expertise for technology-specific systems
The disadvantages of the modular ISSP policy are:
- May be more expensive than other alternatives
- Implementation can be difficult to manage

Chief Information Security Officer (CISO) or Chief Security Officer (CSO)

The chief information security officer (CISO), or in some cases the CSO, is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information
• The senior executive responsible for security may also be called the director of security, senior security manager, or some similar title
• The CISO usually reports directly to the CIO, although in larger organizations one or more additional layers of management may separate the two officers

Competitive intelligence

The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage

industrial espionage

The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage

unauthorized entry into the real or virtual property of another party.

Trespass

What is the final component of the design and implementation of effective policies? Describe this component.

The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management.

Prioritizing (Rank Ordering) Information Assets

The final step in the risk identification process is to prioritize, or rank order, the assets
• This goal can be achieved by using a weighted table analysis

Design Phase

The first task in the design phase is the drafting of the actual policy document
• While this task can be done by a committee, it is most commonly done by a single author
- There are a number of references and resources available on the Web, through professional literature, and from peers and consultants
• Next, the development team or committee reviews the work of the primary author and makes recommendations about its revision
• Once the committee approves the document, it goes to the approving manager or executive for sign-off

How should the initial inventory be used when classifying and categorizing assets?

The inventory should reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs.

What is a key difference between law and ethics?

The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.

In the WBS approach, the project plan is first broken down into tasks placed on the WBS task list. The minimum attributes that should be identified for each task include all but which of the following?

The number of people and other resources needed for each task

Uptime

The percentage of time a particular service is available; the opposite of downtime

Downtime

The percentage of time a particular service is not available

Investigation Phase

The policy development team should attain:
- Support from senior management
- Support and active involvement of IT management, specifically the CIO
- Clear articulation of goals
- Participation of the correct individuals from the communities of interest affected by the policies
• Be composed from Legal, Human Resources, and end users
• Assign a project champion with sufficient stature and prestige
• Acquire a capable project manager
- A detailed outline of the scope of the policy development project and sound estimates for the cost and scheduling of the project

Noise

The presence of additional and disruptive signals in network communications or electrical power delivery

Annual Rate of Occurrence (ARO)

The probability of the specific attack per year

Identification and Prioritization of Information Assets

The risk identification process begins with the identification of information assets, including people, procedures, data and information, software, hardware, and networking elements
• This step should be done without pre-judging the value of each asset; values will be assigned later in the process

Security Administrators and Analysts

The security administrator is a hybrid of a security technician and a security manager, with both technical knowledge and managerial skill
• The security analyst is a specialized security administrator that, in addition to performing security administration duties, must analyze and design security solutions within a specific domain
• Security analysts must be able to identify users' needs and understand the technological complexities and capabilities of the security systems they design

Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:

The threat environment—threats, known vulnerabilities, attack vectors

software piracy

The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property

the illegal taking of another's property, which can be physical, electronic, or intellectual.

Theft

Project Management Tools

There are many tools that support the management of the diverse resources in complex projects
- Most project managers combine software tools that implement one or more of the dominant modeling approaches
• Projectitis occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work
Examples of such tools: ProjectLibre, LibrePlan, OpenProject, project-open, Redmine, Agilefant

Describe the use of an IP address when deciding which attributes to track for each information asset.

This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________

Threat

The process of examining how each threat will affect an organization is called a(n) _____.

Threat assessment

The basic outcomes of InfoSec governance should include all but which of the following?

Time management by aligning resources with personnel schedules and organizational objectives

PMBoK Knowledge Areas

To apply project management to InfoSec, you must first identify an established project management methodology
• While other project management approaches exist, the PMBoK, promoted by the Project Management Institute (PMI), is considered the industry best practice

How should a policy administrator facilitate policy reviews?

To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation. Recommendation methods could include e-mail, office mail, or an anonymous drop box.

___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.

Tort law

Acts of ____ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

Trespass

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

True

People of differing nationalities profess varying points of view on the ethical practices with the use of information technology.

True

Policies must specify penalties for unacceptable behavior and define an appeals process.

True

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
a. True
b. False

True

The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies

True

The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.

True

The commonly used name for an intermediate area between a trusted network and an untrusted network is the DMZ.

True

The cornerstone of many current federal computer-related criminal laws is the Computer Fraud and Abuse Act of 1986.

True

The purpose of a weighted factor analysis is to list assets in order of their importance to the organization.

True

Specifications of authorization that govern the rights and privileges of users to a particular information asset.

h. access control lists

Which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. Copyright Law

Which law extends protection to intellectual property, which includes words published in electronic formats? a. Security and Freedom through Encryption Act b. Freedom of Information Act c. U.S. Copyright Law d. Sarbanes-Oxley Act

U.S. Copyright Law

which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. Copyright law

Trespass

Unauthorized entry into the real or virtual property of another party

The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________.

Uncertainty

Acceptance

Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control
• The acceptance risk control strategy is the decision to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation
• It may or may not be a conscious business decision
• Unconscious acceptance of risk is not a valid approach to risk control
• An organization that decides on acceptance as a strategy for every identified risk of loss may in fact be unable to conduct proactive security activities and may have an apathetic approach to security in general

the percentage of time a particular service is available; the opposite of downtime.

Uptime

Which of the following is an advantage of the user support group form of training?

Usually conducted in an informal social setting

Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?

Violations of Policy

a type of malware that is attached to other executable programs.

Virus

a message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.

Virus hoax

a potential weakness in an asset or its defensive control system(s).

Vulnerability

In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?

Waterfall

It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them?

What other activities require the same resources as this activity?

Which of the following is NOT a valid rule of thumb on risk treatment strategy selection?

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.

All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT:

When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

a type of malware that is capable of activation and replication without being attached to an existing program.

Worm

Which statement defines the differences between a computer virus and a computer worm?

Worms can make copies all by themselves, but viruses need to attach to an existing program on the host computer to replicate

____ are machines that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.

Zombies

authentication

____ is the process of validating a supplicant's purported identity.

Enterprise information security policy(EISP)

a general security policy

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.

h. qualitative assessment

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose

a. Policy Review and Modification

Specifies the subjects and objects that users or groups can access.

a. capability table

The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

a. risk management

A useful tool for resolving the issue of what business function is the most critical, based on criteria selected by the organization, is the __________. a. weighted table analysis or weighted factor analysis b. threats-vulnerability-assets worksheet or TVA c. business impact assessment or BIA d. critical patch method assessment or CPMA

a. weighted table analysis or weighted factor analysis

The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.

acceptance

The method by which systems determine whether and how to admit a user into a trusted area of the organization is known as _____.

access control

_______________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.

access control lists

____________________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.

access control lists

What are the two general approaches for controlling user authorization for the use of a technology?

access control lists and capability tables

What are the two general methods for implementing technical controls?

access control lists and configuration rules

What do audit logs that track user activity on an information system provide?

accountability

Footprinting

activities that gather information about the organization and its network activities and assets.

The policy champion and manager is called the policy ____________________.

administrator

When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails a detailed examination of the events that occurred from first detection to final recovery.

after action review

Information ____________ occurs when pieces of non-private data are combined to create information that violates privacy.

aggregation

A(n) __________ is a document containing contact information of the individuals to notify in the event of an actual incident.

alert roster

Brute force password attack

an attempt to guess a password by attempting every possible combination of characters and numbers in it

Contract employees—or simply contractors—should not be allowed to do what? a. Work on the premises. b. Wander freely in and out of facilities. c. Visit the facility without an escort. d. Be compensated based on hourly rates.

b. Wander freely in and out of facilities.

A gathering of key reference materials is performed during which phase of the SDLC? a. implementation b. analysis c. design d. investigation

b. analysis

Which of the following is NOT a task that must be performed if an employee is terminated? a. former employee must return all media b. former employee's home computer must be audited c. former employee's office computer must be secured d. former employee should be escorted from the premises

b. former employee's home computer must be audited

An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.

b. risk assessment

A clear declaration that outlines the scope and applicability of a policy

b. statement of purpose

_____is the analysis of measures against established standards.

baselining

A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. a. compromise b. spill c. notification d. breach

breach

a more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. This is commonly known as a __________ law.

breach

A ____________ overflow is an application error that occurs when the system can't handle the amount of data that is sent.

buffer

A __________ overflow is an application error that occurs when the system can't handle the amount of data that is sent.

buffer

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

bull's-eye model

In the event of an incident or disaster, which team sets up and starts off-site operations?

business continuity

When a disaster renders the current business location unusable, which plan is put into action?

business continuity

A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the ____________ while offering opportunities to lower costs.

business mission

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

Which of the following is NOT one of the basic rules that must be followed when developing a policy? a. policy should never conflict with law b. policy must be able to stand up in court if challenged c. policy should be focused on protecting the organization from public embarrassment d. policy must be properly supported and administered

c

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? a. on-target model b. Wood's model c. bull's-eye model d. Bergeron and Berube model

c

Which of the following should be included in an InfoSec governance program? a) All of these are components of the InfoSec governance program b) An InfoSec project management assessment c) An InfoSec risk management methodology d) An InfoSec maintenance methodology

c) An InfoSec risk management methodology

When issues are addressed by moving from the general to the specific, always starting with policy

c. bull's eye model

Labels that must be comprehensive and mutually exclusive.

c. classification categories

Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as __________. a. temporary workers b. consultants c. contract employees d. business partners

c. contract employees

Which of the following is the first step in the process of implementing training? a. identify training staff b. identify target audiences c. identify program scope, goals, and objectives d. motivate management and employees

c. identify program scope, goals, and objectives

Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs?

c. separation of duties

Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. a. bypass b. theft c. trespass d. security

c. trespass

Which of the following activities is part of the risk evaluation process?

calculating the severity of risks to which assets are exposed in their current setting

Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?

can suffer from poor policy dissemination, enforcement, and review

Which of the following is a disadvantage of the individual policy organization approach?

can suffer from poor policy enforcement

Which of the following is NOT one of the three general causes of unethical and illegal behavior?

carelessness

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

centralized authentication

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.

champion

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) __________.

chief information security officer

In which type of site are no computer hardware or peripherals provided?

cold site

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

common good

Classification categories must be __________ and mutually exclusive.

comprehensive

Components of InfoSec (Figure 1.1)

computer security, data security, network security

After an incident, but before returning to its normal duties, the CSIRT must do which of the following?

conduct an after-action review

According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy?

confidentiality

According to the CIA triad, which of the following is the most desirable characteristic for privacy?

confidentiality

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________.

cost avoidance

a hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a

cracker

Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.

create a subjective ranking based on anticipated recovery costs

Addresses violations harmful to society and is actively enforced and prosecuted by the state.

criminal law

Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project?

critical path

Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.

cultural mores

For an organization to manage its InfoSec risk properly, managers should understand how information is __________. a. collected b. processed c. transmitted d. all of these are needed

d

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? a. appeals process b. legal recourse c. individual responsible for approval d. the penalties for violation of the policy

d

Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP

d

Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP

d. EISP

When an information security team is faced with a new technology, which of the following is NOT a recommended approach? a. Determine if the benefits of the proposed technology justify the expected costs. b. Include costs for any additional risk control requirements that are mandated by the new technology. c. Consider how the proposed solution will affect the organization's risk exposure. d. Evaluate how the new technology will enhance employee skills.

d. Evaluate how the new technology will enhance employee skills.

Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)? a. Identify b. Detect c. Recover d. React

d. React

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.

d. SysSP

What is the final step in the risk identification process? a. assessing values for information assets b. classifying and categorizing assets c. identifying and inventorying assets d. ranking assets in order of importance

d. ranking assets in order of importance

Which of the following is a disadvantage of the one-on-one training method? a. inflexible scheduling b. may not be responsive to the needs of all the trainees c. content may not be customized to the needs of the organization d. resource intensive, to the point of being inefficient

d. resource intensive, to the point of being inefficient

The recognition, enumeration, and documentation of risks to an organization's information assets.

d. risk identification

Which of the following is NOT a consideration when selecting recommended best practices? a. threat environment is similar b. resource expenditures are practical c. organization structure is similar d. same certification and accreditation agency or standard

d. same certification and accreditation agency or standard

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

due diligence

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

due diligence

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

due diligence

A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.

e-discovery

a process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as __________

e-discovery

Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.

e. field change order

The bulk batch-transfer of data to an off-site facility is known as

electronic vaulting

A(n) ____________________, which is usually presented on a screen to the user during software installation, spells out fair and responsible use of the software being installed.

end user license agreement (EULA)

The evaluation and reaction to risk to the entire organization is known as __________.

enterprise risk management (ERM)

The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.

ethics

compromises to intellectual property

Examples: piracy, copyright infringement

Human Error or Failure

Examples: accidents, employee mistakes

Information Extortion

Examples: blackmail, information disclosure

Sabotage or Vandalism

Examples: destruction of systems or information

Technical Hardware Failures

Examples: equipment failure

Forces of Nature

Examples: fire, floods, earthquakes, lightning

Deviations in quality of service

Examples: Internet service provider (ISP), power, or WAN service problems

Technological obsolescence

Examples: antiquated or outdated technologies

Technical Software Failure

Examples: bugs, code problems, unknown loopholes

theft

Examples: illegal confiscation of equipment or information

Software Attacks

Examples: viruses, worms, macros, denial of service

__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.

governance

usually a documented way to circumvent controls or take advantage of weaknesses in control systems

exploit

The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.

f. InfoSec policy

An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.

f. threat assessment

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted __________ worksheet.

factor analysis or table analysis

Rule-based policies are less specific to the operation of a system than access control lists.

false

Rule-based policies are less specific to the operation of a system than access control lists. (T/F)

false

Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. (T/F)

false

Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.

false

Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP. (T/F)

false

a short-term interruption in electrical power availability

fault

Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? a. probability of being caught b. probability of being penalized c. fear of penalty d. fear of humiliation

fear of humiliation

To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT:

form a committee and approve suggestions from the CISO

Which of the following is a generic model for a security program?

framework

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?

frequency of review

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?

frequency of review

testing of contingency plans, the individuals follow each and every procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.

full-interruption

The quantity and nature of risk that organizations are willing to accept.

g. risk appetite

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.

g. standard

The _____ community of interest must ensure sufficient resources are allocated to the risk management process

general management

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly is known as _____________.

governance

Non-mandatory recommendations the employee may use as a reference in complying with a policy are known as

guidelines

In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.

identifying relevant items of evidentiary value

in digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with __________

identifying relevant items of evidentiary value

An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.

impact

A(n) __________ plan is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.

incident response

__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.

information asset value weighted table analysis

blackmail threat of informational disclosure is an example of which threat category?

information extortion

Which of the following is a common element of the enterprise information security policy?

information on the structure of the InfoSec organization

Which of the following is an element of the enterprise information security policy?

information on the structure of the InfoSec organization

Which of the following is NOT used to categorize some types of law? a. constitutional b. regulatory c. statutory d. international

international

Which of the following is NOT an origin used to categorize types of law?

international

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC

investigation

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

investigation

The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints.

investigation

Information Security

is about identifying, measuring, and mitigating the risk associated with operating information assets

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

issue-specific

Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT:

its personnel structure

An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

j. ISSP

Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.

j. risk rating worksheet

Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?

joint application design

Digital forensics can be used for two key purposes: ________ or _________.

to investigate allegations of digital malfeasance; to perform root cause analysis

Digital forensics can be used for two key purposes: ________ or _________. a. to investigate allegations of digital malfeasance; to solicit testimony b. e-discovery; to perform root cause analysis c. to solicit testimony; to perform root cause analysis d. to investigate allegations of digital malfeasance; to perform root cause analysis.

to investigate allegations of digital malfeasance; to perform root cause analysis

The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as risk __________.

tolerance

Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?

traditional waterfall

Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access.

trespass

__________ are malware programs that hide their true nature and reveal their designed behavior only when activated

trojan horses

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system. (T/F)

true

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system

true

An estimate made by the manager using good judgment and experience can account for which factor of risk assessment?

uncertainty

Which of the following is NOT among the typical columns in the risk rating worksheet?

uncertainty percentage

The final component of the design and implementation of effective policies is __________.

uniform and impartial enforcement

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?

user-specific security policies

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?

user-specific security policies

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14

user-specific security policy

Which of the following is a key advantage of the bottom-up approach to security implementation?

utilizes the technical expertise of the individual administrators

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?

violation of policy

What is defined as specific avenues that threat agents can exploit to attack an information asset?

vulnerabilities

A potential weakness in an asset or its defensive control system(s) is known as a(n) __________

vulnerability

The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as __________.

vulnerability assessment

Which of the following is a tool that can be useful in resolving the issue of what business function is the most critical?

weighted analysis tool

_____ is the process of assigning scores for critical factors, each of which is weighted in importance by the organization.

weighted factor analysis

Which of the following is NOT an aspect of access regulated by ACLs?

where the system is located

Which of the following is NOT an aspect of access regulated by ACLS?

why authorized users need access to the system

Which of the following is NOT an aspect of access regulated by ACLs

why authorized users need access to the system

Delivery Methods

• Selection of the training delivery method is not always based on the best outcome for the trainee
• Often other factors (budget, scheduling, and needs of the organization) come first
- One-on-One
- Formal Class
- Computer-Based Training (CBT)
- Distance Learning/Web Seminars
- User Support Group
- On-the-Job Training
- Self-Study (Noncomputerized)

Automated Tools

• The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and maintenance
• Tools like Vigilent Policy Center (VPC) keep policies confidential, behind password-protected intranets, and generate periodic reports indicating which employees have and have not read and acknowledged the policies
• Tools such as VPC also make it clear which manager was responsible for the policy, as his or her name is prominently displayed on the policy, along with the date of approval

Review Procedures and Practices

• To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation
• Recommendation methods could include e-mail, office mail, or an anonymous drop box
• Once the policy has come up for review, all comments should be examined and management-approved changes should be implemented
