MGMT CSGE Ch 1-6


When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.

Board risk committee

Which of the following is NOT a step in the problem-solving process?

Build support among management for the candidate solution

The purpose of SETA is to enhance security in all but which of the following ways?

By adding barriers

An ISACA certification targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance is known as the __________

CGEIT

The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral.

CISSP

A model of InfoSec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model.

CNSS

An ISACA certification targeted at IT professionals who are in careers that link IT risk management with enterprise risk management is known as the __________

CRISC

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.

Chief information security officer

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

(ISC)2

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?

Confidentiality

A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a

Cracker

Which of the following is the result of a U.S.-led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?

DMCA

Which type of attack involves sending a large number of connection or information requests to a target?

Denial-of-service (DoS)

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?

Deontological ethics

Which of the following organizations offers the Certified CISO (C|CISO) certification?

EC-Council

Which policy is the highest level of policy and is usually created first?

EISP

To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT:

Form a committee and approve suggestions from the CISO

__________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.

Governance

ISO 27014:2013 is the ISO 27000 series standard for ____________.

Governance of information security

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

HIPAA

One form of online vandalism is _____, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

Hacktivism

Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

Health Information Technology for Economic and Clinical Health Act

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

Hold regular meetings with the CIO to discuss tactical InfoSec planning

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

IP address

Which of the following organizations is best known for its series of certifications targeted to Information Systems Audit, Information Security, Risk Control and IT Governance?

ISACA

In large organizations, the InfoSec department is often located within an _________ division headed by the _________, who reports directly to the _________.

IT, CISO, CIO

Which of the following is the first step in the process of implementing training?

Identify program scope, goals, and objectives

Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security.

11

Smaller organizations tend to spend approximately __________ percent of the total IT budget on security.

20

Larger organizations tend to spend approximately __________ percent of the total IT budget on security.

5

"4-1-9" is one form of an _____ fraud.

Advance fee

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.

identifying relevant items of evidentiary value

An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.

impact

The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security.

information

__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.

information asset value weighted table analysis

Which of the following is a common element of the enterprise information security policy?

information on the structure of the infosec organization

Blackmail threat of informational disclosure is an example of which threat category?

information or trespass

Which of the following is an advantage of the formal class method of training?

interaction with trainer is possible

Which of the following is NOT an origin used to categorize types of law?

international

Digital forensics can be used for two key purposes: ________ or _________.

investigate allegations of digital malfeasance; perform root cause analysis

The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints.

investigation

What is the first phase of the SecSDLC?

investigation

Which phase of the SecSDLC should see support from senior management?

investigation

A well-defined risk appetite should have the following characteristics EXCEPT:

is not limited by stakeholder expectations

According to Wood, which of the following are reasons the InfoSec department should report directly to top management?

it fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole

Which of the following is true about a company's InfoSec awareness Web site?

it should be tested with multiple browsers

Once the members of the RM framework team have been identified, the governance group should communicate all of these for the overall RM program EXCEPT:

its personnel structure

Any court can impose its authority over an individual or organization if it can establish which of the following?

jurisdiction

The organization can perform risk determination using certain risk elements, including all but which of the following?

legacy cost of recovery

Which of the following is not a role of managers within the Communities of Interest in controlling risk?

legal management must develop corporate-wide standards

The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________.

likelihood

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?

malice

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

manufacturer's model or part number

The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics?

market

Communications Security involves the protection of which of the following?

media, technology, and content

Organizations classified as __________ may still be large enough to implement the multi-tier approach to security, though perhaps with fewer dedicated groups and more functions assigned to each group.

medium-sized

A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________.

methodology

Which of the following explicitly declares the business of the organization and its intended areas of operations?

mission statement

Which type of planning is used to organize the ongoing, day-to-day performance of tasks?

operational

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organization

Which of the following is an example of a technological obsolescence threat?

outdated servers

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________.

penetration tester

Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?

people

GGG security is commonly used to describe which aspect of security?

physical

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

planning

Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

policy

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?

policy administrator

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

policy review and modification

Which of the following is NOT one of the basic rules that must be followed when developing a policy?

policy should be focused on protecting the organization from public embarrassment

_________ devices often pose special challenges to investigators since they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.

portable

Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected?

privacy

Which subset of civil law regulates the relationships among individuals and among individuals and organizations?

private

The Risk Management Framework includes all of the following EXCEPT:

process contingency planning

Which of the following attributes does NOT apply to software information assets?

product dimensions

What should you be armed with to adequately assess potential weaknesses in each information asset?

properly classified inventory

Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT is true and __________.

properly conceived

IT's focus is the efficient and effective delivery of information and administration of information resources, while InfoSec's primary focus is the __________ of all information assets.

protection

What is the final step in the risk identification process?

ranking assets in order of importance

An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as _____.

ransomware

What is the SETA program designed to do?

reduce the occurrence of accidental security breaches

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

relative value

The risk to information assets that remains even after current controls have been applied.

residual risk

Which of the following is a disadvantage of the one-on-one training method?

resource intensive, to the point of being inefficient

Which of the following is compensation for a wrong committed by an individual or organization?

restitution

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.

risk appetite

The identification, analysis and evaluation of risk in an organization describes which of the following?

risk assessment

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

risk assessment

The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts.

risk management policy

Which of the following is NOT among the typical columns in the risk rating worksheet?

risk threshold

The assessment of the amount of risk an organization is willing to accept for a particular information asset.

risk tolerance

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.

search warrant

A SETA program consists of three elements: security education, security training, and which of the following?

security awareness

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________.

security manager

Qualified individuals who are tasked with configuring security technologies and operating other technical control systems are known as a(n) ____________.

security technician

Which of the following would most likely be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

security technician

Data classification schemes should categorize information assets based on which of the following?

sensitivity and security needs

Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team?

specifying who will supervise and perform the RM process

A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization (in this case, the information assets used in a particular organization) is known as a(n) _________.

stakeholder

Which type of document is a more detailed statement of what must be done to comply with a policy?

standard

Which type of planning is the primary tool in determining the long-term direction taken by an organization?

strategic

When creating a __________, each level of each division translates those goals into more specific goals for the level below it.

strategic plan

A clearly directed __________ flows from top to bottom, and a systematic approach is required to translate it into a program that can inform and lead all members of the organization.

strategy

The first priority of the CISO and the InfoSec management team should be the __________.

structure of a strategic plan

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

systems testing

Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?

tactical

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.

team leader

Human error or failure can often be prevented with training and awareness programs, policy and _____.

technical controls

In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT:

the corporate change control officer

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

the Electronic Communications Privacy Act of 1986

An example of a stakeholder of a company includes all of the following EXCEPT:

the general public

Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:

the organization's governance structure

Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:

the threat environment-- threats, known vulnerabilities, attack vectors

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.

the type of crime committed

Which of the 12 Categories of Threats best describes a situation where the adversary removes data from a victim's computer?

theft

Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

they have larger information security needs than a small organization

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________.

threat

The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.

threat severity weighted table analysis

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

threats-vulnerabilities-assets worksheet

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

uncertainty

The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________.

uncertainty

Which of the following is an advantage of the user support group form of training?

usually conducted in an informal social setting

Which of the following is a key advantage of the bottom-up approach to security implementation?

utilizes the technical expertise of the individual administrators

Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?

violations of policy

What is defined as specific avenues that threat agents can exploit to attack an information asset?

vulnerabilities

In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?

waterfall

Which of the following is NOT an aspect of access regulated by ACLs?

where the system is located

Three options for placing the CISO (and his or her security group) in the organization (as noted by Kosutic), are generally driven by organizational size and include all of the following EXCEPT:

within a division/department with a conflict of interest

This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.

InfraGard

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?

Initiating

Which of the following is a C.I.A. characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state?

Integrity

Which of the following is an attribute of a network device that is built into the network interface?

MAC address

In the _____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

Man in the middle

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

Managerial controls

Another key U.S. federal agency is _________, which is responsible for coordinating, directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information.

National Security Agency

The protection of voice and data components, connections, and content is known as _____ security.

Network

Which of the following variables is the most influential in determining how to structure an information security program?

Organizational culture

Which of the following is NOT a primary function of Information Security Management?

Performance

Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?

Planning

Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?

RM framework

Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?

RM process

The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.

Rainbow table

Which of the following is NOT an approach to password cracking?

Ransomware (approaches are brute force, dictionary attacks, social engineering attacks)

__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty.

Risk ranking worksheet

Which of the following organizations is best known for its series of technical InfoSec certifications through an entity known as Global Information Assurance Certification (GIAC)?

SANS Institute

Technology services are usually arranged with an agreement defining minimum service levels, known as a(n) _____.

SLA

Which of the following is the first step in the problem-solving process?

Select, implement and evaluate a solution

Which of the following is an information security governance responsibility of the Chief Information Security Officer?

Set security policy, procedures, programs and training

The unauthorized duplication, installation, or distribution of copyrighted computer software is a violation of intellectual property called _____.

Software piracy

Which of the following is true about planning?

Strategic plans are used to create tactical plans.

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?

The Computer Security Act

Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function?

There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information

The basic outcomes of InfoSec governance should include all but which of the following?

Time management by aligning resources with personnel schedules and organizational objectives

_____ are malware programs that hide their true nature, and reveal their designed behavior only when activated.

Trojan horses

Which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. copyright law

A potential weakness in an asset or its defensive control system(s) is known as a _____?

Vulnerability

__________ is a simple project management planning tool.

WBS

Which statement defines the differences between a computer virus and a computer worm?

Worms can make copies all by themselves, but viruses need to attach to an existing program on the host computer in order to replicate.

A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as a(n) __________.

a security analyst

This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator. This role is known as a(n) __________.

a security manager

What do audit logs that track user activity on an information system provide?

accountability

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.

affidavit

Which of the following is NOT a part of an information security program?

all of these are part of an information security program: the technologies, activities, and personnel used by an organization to manage the risks to its information assets

For an organization to manage its InfoSec risk properly, managers should understand how information is __________.

all of these: collected, processed, transmitted

A gathering of key reference materials is performed during which phase of the SecSDLC?

analysis

A risk assessment is performed during which phase of the SecSDLC?

analysis

In which phase of the SecSDLC does the risk management task occur?

analysis

In the __________ phase of the SecSDLC, the team studies the documents from earlier and looks at relevant legal issues that could affect the design of the security solution.

analysis

The most complex part of an investigation is usually __________.

analysis for potential evidentiary material

Force majeure includes all of these EXCEPT:

armed robbery

Which of the following activities is part of the risk identification process?

assigning a value to each information asset

An (ISC)2 program geared toward individuals who want to take any of its certification exams before obtaining the requisite experience for certification is the __________.

Associate of (ISC)2

An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________.

attack

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

authentication

A process that defines what the user is permitted to do is known as __________?

authorization

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

back door

A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. This is commonly known as a __________ law.

breach

A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs.

business mission

Which of the following activities is part of the risk evaluation process?

calculating the severity of risks to which assets are exposed in their current setting

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

centralized authentication

A high-level executive, such as a CIO or VP-IT, who will provide political support and influence for a specific project is known as a(n) _________.

champion

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.

champion

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

common good

Classification categories must be mutually exclusive and which of the following?

comprehensive

According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy?

confidentiality

Which of the following are instructional codes that guide the execution of the system when information is passing through it?

configuration rules

The process of integrating the governance of the physical security and information security efforts is known in the industry as __________.

convergence

Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.

create a subjective ranking based on anticipated recovery costs

Which of the following is an advantage of the one-on-one method of training?

customized to the needs of the trainee

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.

data owners

Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.

data users

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?

descriptive ethics

In the __________ phase of the SecSDLC, team members create and develop the blueprint for security and develop critical contingency plans for incident response.

design

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.

deterrence

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis is known as _________.

digital forensics

A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial-of-service

A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.

e-discovery

With policy, the most common distribution methods are hard copy and __________.

electronic

Which of the following is the most cost-effective method for disseminating security information and news to employees?

emailed security newsletter

According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?

establishing

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.

evidentiary material

A technique used to compromise a system is known as a(n) _____.

exploit

Which of the following is not among the 'deadly sins of software security'?

extortion sins

A short-term interruption in electrical power availability is known as a _____.

fault

Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity?

fear of humiliation

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?

for political advantage

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.

forensics

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?

frequency of review

There are a number of methods for customizing training for users; two of the most common involve customizing by __________ and by __________.

functional background, skill level

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly is known as __________.

governance

The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective and stands for __________, __________, and __________.

governance, risk management, compliance

Which of the following is NOT a step in the process of implementing training?

hire expert consultants

__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them.

Industrial espionage
