midterm


Guards are appropriate whenever the function required by the security program involves which of the following?

The use of discriminating judgment

Why is it important to consistently enforce policy, and not "go easy on someone"?

The welfare of the overall organization is more important than the individual's

Which of the following is the reason why United States government official communications about new federal laws frequently include references to other documents?

These references help those affected by the new laws gain a better understanding of what they need to do

Which of the following is NOT contained in the Security Policy Document Policy?

What users may or may not do

When should information security policies, procedures, standards, and guidelines be revisited?

When dictated by change drivers

The object-relational and object-oriented models are better suited to managing complex data such as required for which of the following?

computer-aided design and imaging.

Mandatory Access requires that sensitivity labels be attached to all objects. Which of the following would be designated as objects on a MAC system?

files, directories, processes, and sockets

Examples of types of physical access controls include all EXCEPT which of the following?

passwords

Which of the following classes is defined in the TCSEC (Orange Book) as mandatory protection?

B

Which one of the following represents an ALE calculation?

single loss expectancy x annualized rate of occurrence.

Which of the following is the lowest TCSEC class wherein the system must protect against covert storage channels (but not necessarily covert timing channels)?

B2

Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles?

B2

Which of the following is a good way to help ensure that your company's information security policies represent best practices?

Base them on current industry standards for practices and technology

Who developed one of the first mathematical models of a multilevel-security computer system?

Bell and LaPadula

The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?

Clipping level

What should be the consequences of information security policy violations?

Commensurate with the criticality of information the policy was written to protect

When it comes to information security, what is labeling the vehicle for?

Communicating the sensitivity level

What does CIA stand for?

Confidentiality, Integrity, and Availability

When calculating the value of an asset, which of the following is NOT a criterion?

Cost to disclose the asset

Which of the following classes is defined in the TCSEC (Orange Book) as minimal protection?

D

Guaranteed 99.999% uptime is an example of

Data Availability

The description of the database is called a schema, and the schema is defined by which of the following?

Data Definition Language (DDL).

An employee accidentally makes changes to a company-owned file. This is known as a violation of

Data Integrity

Data availability is the assurance that

Data and systems are accessible anytime they are needed

Which of the following is NOT a step used by hackers to infiltrate a network?

Data corruption

What is the appropriate role of the security analyst in the application system development or acquisition project?

Data owner

A persistent collection of interrelated data items can be defined as which of the following?

Database

An information security affirmation agreement would be likely to cover the use of

E-mail

The most prevalent cause of computer center fires is which of the following?

Electrical distribution systems

Which of the following is the MOST important rule of thumb to follow when developing the policy heading?

Ensure its structure is scalable, so that it is able to accommodate changes in the future, without losing its original organization

Which of the following federal regulations pertains to the educational field?

FERPA

Which of the following is NOT a state in which information exists?

Factored

A security clearance investigation does NOT involve research into a person's

Family connections

Which is the preferred approach to organizing information security policies, procedures, standards, and guidelines?

Keep the policy documents separate from the procedures, standards, and guidelines

What is a valid definition of data integrity?

Knowing that the data on the screen is un-tampered with data

Which is a two wall challenge?

Lack of awareness, and the lack of awareness about the lack of awareness

What is shoulder surfing?

Looking at a person using their computer in hopes of viewing sensitive information

Which data classification method is used by the US military?

MAC

Which of the following is LEAST likely to lead to employees accepting and following policy?

Make policy compliance part of the job descriptions

If a new United States federal information-sharing law is adopted, which of the following best represents a related information security policy objective?

Obtain prior written approval from all individuals whose personal data is to be shared

Which is the last line of defense in a physical security sense?

People

Which is the worst that may happen if information security policies are out of date, or address technologies no longer used in the organization?

People may take the policies less seriously, or dismiss them entirely

If a policy refers the reader to another section for clarification of any instance of non-standard language, that other section would best be called which of the following?

Policy Definitions

In which of the following policy elements should the policy number appear?

Policy heading

Which of the following parts of an organization's software policy would most likely indicate that any new software purchases be made only from the approved software products list?

Policy objective

The goal of protecting confidentiality is to

Prevent the unauthorized disclosure of sensitive information

Which of the following is the primary objective of the Clear Desk and Clear Screen Policy?

Prevent theft of information from documents and media in plain view

Data integrity is

Protecting the data from intentional or accidental modification

What mechanism does a system use to compare the security labels of a subject and an object?

Reference monitor

Why is it important to remind people about best practice information security behaviors?

Reminders reinforce their knowledge, and help them better understand expectations

What is the goal of the Physical Entry Controls Policy?

Require authorized users to be authenticated, and visitors to be identified, labeled, and authorized

An architecture where there are more than two execution domains or privilege levels is called:

Ring architecture

Which of the following is NOT an example of social engineering?

Running a password cracking utility against a web server

This classification level is used by the military for items "the unauthorized disclosure of which reasonably could be expected to cause serious damage to National Security":

Secret

Which is the best goal for a new policy?

Secure and protect assets from foreseeable harm, and provide flexibility for the unforeseen

Which physical and environmental security policy addresses offices and facilities that require an additional level of security?

Securing Offices, Rooms, and Facilities Policy

Which of the following is NOT an example of malicious code?

Solitaire

In which of the following ways do password construction standards in a password policy make it better?

Standards help to ensure consistency with minimum requirements

Which of the following is NOT true of policy elements?

Standards, guidelines, and procedures are policy elements

Which of the following best describes Guidelines?

Suggestions

Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean?

System functions are layered, and none of the functions in a given layer can access data outside that layer

Which section of the ISO 17799 deals with asset classification?

5

Which section of the ISO 17799 deals with personnel security?

6

The Orange Book describes four hierarchical levels to categorize security systems. Which of the following levels require mandatory protection?

A and B

What does it mean if a system uses "Trusted Recovery"?

A failure or crash of the system cannot be used to breach security

What are the two schools of thought regarding policy format?

A separate document for each policy, or one large document with multiple sections

Operations Security seeks to primarily protect against which of the following?

Asset threats

Which of the following components are considered part of the Trusted Computing Base (from the Orange Book)?

Trusted hardware, software, and firmware

Operation security requires the implementation of physical security to control which of the following?

Unauthorized personnel access

When backing up an application system's data, which of the following is a key question to be answered first?

What records to backup

The Clear Desk and Clear Screen Policy is the way to avoid which of the following kinds of physical attacks?

All of the above

Which of the following might the Working in Secure Areas Policy restrict from being brought into a facility?

All of the above

Which of the following places the Orange Book classifications in order from most secure to least secure?

A,B,C,D

Which Orange Book evaluation level is described as "Verified Design"?

A1

Which of the following is a straightforward approach that provides access rights to subjects for objects?

Access matrix model

Which part of the U.S. Constitution is analogous to the first approved version of a new information security policy?

Articles

When should the process of identification begin?

As soon as the person attempts to gain entry

Which of the following is commonly used for retrofitting multilevel security to a database management system?

Trusted front-end

This is known as the process of downgrading the classification level of an information asset:

Declassification

Which of the following is NOT something that a statement of authority tries to do?

Define what employees are expected to do in order to comply with the policies

Which of the following is NOT one of the common pitfalls encountered when policy companions (standards, guidelines, and procedures) are combined into the same document as the policy itself?

Difficult to justify

If an operating system permits shared resources such as memory to be used sequentially by multiple users/applications or subjects without a refresh of the objects/memory area, what security problem is most likely to exist?

Disclosure of residual data

Which of the following are all federal regulations?

GLBA, HIPAA, and Sarbanes-Oxley

Which of the following suppresses combustion by disrupting the chemical reaction, thereby killing the fire?

Halon

The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?

Integrity and Availability

Why is it sometimes better to isolate critical equipment than to apply additional protective measures, in order to protect it against exposure to greater hazards or risks from unauthorized access?

It can be less costly

Which of the following is an advantage of using a high-level programming language?

It enforces coding standards

Which of the following is an important function of the statement of authority?

It provides a bridge between an organization's core values and security strategies

With SQL Relational databases where is the actual data stored?

Tables

Please complete the following sentence: A TCP SYN attack...

Takes advantage of the way a TCP session is established.

The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?

Test equipment can be used to browse information passing on a network.

Who should issue the statement of authority?

The CEO, President, or Chairman of the Board

Why do we need the Gramm-Leach-Bliley Act (GLBA)?

The information banks possess can be identifiable and whole in regard to any customer

Who is directly responsible for defining information asset protection?

The information owner

Leadership by setting the example, or "do as I do", is considered:

The most effective leadership style, especially in relation to information security

Which of the following best describes how the penalties defined in the Policy Enforcement Clause should relate to the infractions?

The penalty should be proportional to the level of risk incurred as a result of the infraction

Why is it important for leadership to set a tone of compliance with policy?

The rest of the organization feels better about following the rules

The security of a computer application is most effective and economical in which of the following cases?

The system is originally designed to provide the necessary security.

In what way are the Torah and the U.S. Constitution like information security policies?

They serve as rules to guide behavior in support of organizational goals

This classification level is used by the military for items "the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to National Security":

Top Secret

A computer program in which malicious or harmful code is hidden inside apparently harmless programming, so that it can gain control and do damage without the user who installs the program being aware of it, is called a:

Trojan horse

Information labels should be

Universally understandable

Which of the following is NOT a threat to data integrity?

Use of encrypted emails

Which of the following determines that the product developed meets the project's goals?

Validation

Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements?

Verification
