midterm
Guards are appropriate whenever the function required by the security program involves which of the following?
The use of discriminating judgment
Why is it important to consistently enforce policy, and not "go easy on someone"?
The welfare of the overall organization is more important than the individual's
Which of the following is the reason why United States government official communications about new federal laws frequently include references to other documents?
These references help those affected by the new laws gain a better understanding of what they need to do
Which of the following is NOT contained in the Security Policy Document Policy?
What users may or may not do
When should information security policies, procedures, standards, and guidelines be revisited?
When dictated by change drivers
The object-relational and object-oriented models are better suited to managing complex data, such as that required for which of the following?
computer-aided design and imaging.
Mandatory Access Control (MAC) requires that sensitivity labels be attached to all objects. Which of the following would be designated as objects on a MAC system?
files, directories, processes, and sockets
Examples of types of physical access controls include all EXCEPT which of the following?
passwords
Which of the following classes is defined in the TCSEC (Orange Book) as mandatory protection?
B
Which one of the following represents an ALE calculation?
single loss expectancy x annualized rate of occurrence.
Which of the following is the lowest TCSEC class wherein the system must protect against covert storage channels (but not necessarily covert timing channels)?
B2
Which of the following is the lowest TCSEC class wherein the system must support separate operator and system administrator roles?
B2
Which of the following is a good way to help ensure that your company's information security policies represent best practices?
Base them on current industry standards for practices and technology
Who developed one of the first mathematical models of a multilevel-security computer system?
Bell and LaPadula
The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?
Clipping level
What should be the consequences of information security policy violations?
Commensurate with the criticality of information the policy was written to protect
When it comes to information security, what is labeling the vehicle for?
Communicating the sensitivity level
What does CIA stand for?
Confidentiality, Integrity, and Availability
When calculating the value of an asset, which of the following is NOT a criterion?
Cost to disclose the asset
Which of the following classes is defined in the TCSEC (Orange Book) as minimal protection?
D
Guaranteed 99.999% uptime is an example of
Data Availability
The description of the database is called a schema, and the schema is defined by which of the following?
Data Definition Language (DDL).
An employee accidentally makes changes to a company-owned file. This is known as a violation of
Data Integrity
Data availability is the assurance that
Data and systems are accessible anytime they are needed
Which of the following is NOT a step used by hackers to infiltrate a network?
Data corruption
What is the appropriate role of the security analyst in the application system development or acquisition project?
Data owner
A persistent collection of interrelated data items can be defined as which of the following?
Database
An information security affirmation agreement would be likely to cover the use of
The most prevalent cause of computer center fires is which of the following?
Electrical distribution systems
Which of the following is the MOST important rule of thumb to follow when developing the policy heading?
Ensure its structure is scalable, so that it is able to accommodate changes in the future, without losing its original organization
Which of the following federal regulations pertains to the educational field?
FERPA
Which of the following is NOT a state in which information exists?
Factored
A security clearance investigation does NOT involve research into a person's
Family connections
Which is the preferred approach to organizing information security policies, procedures, standards, and guidelines?
Keep the policy documents separate from the procedures, standards, and guidelines
What is a valid definition of data integrity?
Knowing that the data on the screen is un-tampered with data
Which is a two wall challenge?
Lack of awareness, and the lack of awareness about the lack of awareness
What is shoulder surfing?
Looking at a person using their computer in hopes of viewing sensitive information
Which data classification method is used by the US military?
MAC
Which of the following is LEAST likely to lead to employees accepting and following policy?
Make policy compliance part of the job descriptions
If a new United States federal information-sharing law is adopted, which of the following best represents a related information security policy objective?
Obtain prior written approval from all individuals whose personal data is to be shared
Which is the last line of defense in a physical security sense?
People
Which is the worst that may happen if information security policies are out of date, or address technologies no longer used in the organization?
People may take the policies less seriously, or dismiss them entirely
If a policy refers the reader to another section for clarification of any instance of non-standard language, that other section would best be called which of the following?
Policy Definitions
In which of the following policy elements should the policy number appear?
Policy heading
Which of the following parts of an organization's software policy would most likely indicate that any new software purchases be made only from the approved software products list?
Policy objective
The goal of protecting confidentiality is to
Prevent the unauthorized disclosure of sensitive information
Which of the following is the primary objective of the Clear Desk and Clear Screen Policy?
Prevent theft of information from documents and media in plain view
Data integrity is
Protecting the data from intentional or accidental modification
What mechanism does a system use to compare the security labels of a subject and an object?
Reference monitor
Why is it important to remind people about best practice information security behaviors?
Reminders reinforce their knowledge, and help them better understand expectations
What is the goal of the Physical Entry Controls Policy?
Require authorized users to be authenticated, and visitors to be identified, labeled, and authorized
An architecture where there are more than two execution domains or privilege levels is called:
Ring architecture
Which of the following is NOT an example of social engineering?
Running a password cracking utility against a web server
This classification level is used by the military for items "the unauthorized disclosure of which reasonably could be expected to cause serious damage to National Security"
Secret
Which is the best goal for a new policy?
Secure and protect assets from foreseeable harm, and provide flexibility for the unforeseen
Which physical and environmental security policy addresses offices and facilities that require an additional level of security?
Securing Offices, Rooms, and Facilities policy
Which of the following is NOT an example of malicious code?
Solitaire
In which of the following ways do password construction standards in a password policy make it better?
Standards help to ensure consistency with minimum requirements
Which of the following is NOT true of policy elements?
Standards, guidelines, and procedures are policy elements
Which of the following best describes Guidelines?
Suggestions
Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean?
System functions are layered, and none of the functions in a given layer can access data outside that layer
Which section of the ISO 17799 deals with asset classification?
5
Which section of the ISO 17799 deals with personnel security?
6
The Orange Book describes four hierarchical levels to categorize security systems. Which of the following levels require mandatory protection?
A and B
What does it mean if a system uses "Trusted Recovery"?
A failure or crash of the system cannot be used to breach security
What are the two schools of thought regarding policy format?
A separate document for each policy, or one large document with multiple sections
Operations Security seeks to primarily protect against which of the following?
Asset threats
Which of the following components are considered part of the Trusted Computing Base (from the Orange Book)?
Trusted hardware, software, and firmware
Operation security requires the implementation of physical security to control which of the following?
Unauthorized personnel access
When backing up an application system's data, which of the following is a key question to be answered first?
What records to backup
The Clear Desk and Clear Screen Policy is the way to avoid which of the following kinds of physical attacks?
All of the above
Which of the following might the Working in Secure Areas Policy restrict from being brought into a facility?
All of the above
Which of the following places the Orange Book classifications in order from most secure to least secure?
A,B,C,D
Which Orange Book evaluation level is described as "Verified Design"?
A1
Which of the following is a straightforward approach that provides access rights to subjects for objects?
Access matrix model
Which part of the U.S. Constitution is analogous to the first approved version of a new information security policy?
Articles
When should the process of identification begin?
As soon as the person attempts to gain entry
Which of the following is commonly used for retrofitting multilevel security to a database management system?
Trusted front-end
The process of downgrading the classification level of an information asset is known as:
Declassification
Which of the following is NOT something that a statement of authority tries to do?
Define what employees are expected to do in order to comply with the policies
Which of the following is NOT one of the common pitfalls encountered when policy companions (standards, guidelines, and procedures) are combined into the same document as the policy itself?
Difficult to justify
If an operating system permits shared resources such as memory to be used sequentially by multiple users/applications or subjects without a refresh of the objects/memory area, what security problem is most likely to exist?
Disclosure of residual data
Which of the following are all federal regulations?
GLBA, HIPAA, and Sarbanes-Oxley
Which of the following suppresses combustion by disrupting the chemical reaction, thereby extinguishing the fire?
Halon
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?
Integrity and Availability
Why is it sometimes better to isolate critical equipment than to apply additional protective measures, in order to protect against exposure to greater hazards or risks from unauthorized access?
It can be less costly
Which of the following is an advantage of using a high-level programming language?
It enforces coding standards
Which of the following is an important function of the statement of authority?
It provides a bridge between an organization's core values and security strategies
With SQL Relational databases where is the actual data stored?
Tables
Please complete the following sentence: A TCP SYN attack...
Takes advantage of the way a TCP session is established.
The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?
Test equipment can be used to browse information passing on a network.
Who should issue the statement of authority?
The CEO, President, or Chairman of the Board
Why do we need the Gramm-Leach-Bliley Act (GLBA)?
The information banks possess can be identifiable and whole in regard to any customer
Who is directly responsible for defining information asset protection?
The information owner
Leadership by setting the example, or "do as I do", is considered:
The most effective leadership style, especially in relation to information security
Which of the following best describes how the penalties defined in the Policy Enforcement Clause should relate to the infractions?
The penalty should be proportional to the level of risk incurred as a result of the infraction
Why is it important for leadership to set a tone of compliance with policy?
The rest of the organization feels better about following the rules
The security of a computer application is most effective and economical in which of the following cases?
The system is originally designed to provide the necessary security.
In what way are the Torah and the U.S. Constitution like information security policies?
They serve as rules to guide behavior in support of organizational goals
This classification level is used by the military for items "the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to National Security":
Top Secret
A computer program in which malicious or harmful code is hidden inside apparently harmless programming, so that it can gain control and do damage without the user who installs the program being aware of it, is called a:
Trojan horse
Information labels should be
Universally understandable
Which of the following is NOT a threat to data integrity?
Use of encrypted emails
Which of the following determines that the product developed meets the project's goals?
Validation
Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements?
Verification