midterm written questions
41. ____________________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
Physical
50. ____________________ is unsolicited commercial e-mail.
Spam
56. Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.
SysSP
43. The goal of a security ____________________ program is to keep information security at the forefront of users' minds on a daily basis.
awareness
43. Attempting to reverse-calculate a password is called ____________________.
cracking
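How "reverse-calculating" a password actually works in practice is a dictionary attack: hash each candidate and compare against the stored digest. The example below is added here and is not part of the quiz; the wordlist, the hashes and the salt are constructed inline. It shows why an unsalted fast hash can be attacked with one precomputed table for every user, while a salted, stretched hash (PBKDF2 here) forces the attacker to redo the work per target.

```python
"""Dictionary attack against stored password hashes (added example; all data constructed)."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Constructed stand-in for a real wordlist.
WORDLIST = ["123456", "password", "letmein", "Summer2024", "hunter2", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor (constructed value, not a recommendation)


def unsalted_hash(password: str) -> str:
    """Weak storage: one fast hash, identical for every user with the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Better storage: per-user salt plus key stretching."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> word once; reusable against every unsalted hash."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup per target; no hashing at attack time."""
    return table.get(stored_hex)


def crack_salted(stored_hex: str, salt: bytes, words: Iterable[str],
                 iterations: int = ITERATIONS) -> Optional[str]:
    """Every target needs its own pass over the wordlist at full cost per guess."""
    for w in words:
        if hmac.compare_digest(salted_hash(w, salt, iterations), stored_hex):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_hash("letmein"), table))
    salt = b"constructed-per-user-salt"
    print("salted:  ", crack_salted(salted_hash("hunter2", salt), salt, WORDLIST))
```

The check on the defender's side is the mirror image: if two accounts with the same password share a stored digest, the store is unsalted and a single table cracks them all.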
49. Addresses violations harmful to society and is actively enforced and prosecuted by the state.
criminal law
37. Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
likelihood / probability
42. The ______________________ phase is the last phase of SecSDLC, but perhaps the most important.
maintenance and change
40. A(n) ____________________ is a specific point in the project plan when a task that has a noticeable impact on the plan's progress is complete.
milestone
36. The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________ .
mitigation / mitigate
48. The study of what makes actions right or wrong, also known as moral theory.
normative ethics
43. In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
penetration
42. The set of organizational guidelines that dictates certain behavior within the organization is called ____________________.
policy
36. The champion and manager of the information security policy is called the ____________________.
policy administrator
57. The recognition, enumeration, and documentation of risks to an organization's information assets.
risk identification
41. The project planner should describe the skills or personnel needed for a task, often referred to as a(n) ____________________, needed to accomplish a task.
resource
53. The quantity and nature of risk that organizations are willing to accept.
risk appetite
or systems.
assessment
54. A process of assigning financial value or worth to each information asset.
asset valuation
64. The expansion of the quantity or quality of project deliverables from the original project plan.
scope creep
58. Entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology.
security watchstander
58. The calculated value associated with the most likely loss from a single attack.
single loss expectancy
48. A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
standard
53. A clear declaration that outlines the scope and applicability of a policy.
statement of purpose
54. A section of policy that should specify users' and systems administrators' responsibilities.
systems management
28. ___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.
tort law
37. The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
transference / transfer
49. A(n) ____________________ is a potential weakness in an asset or its defensive control(s).
vulnerability
50. An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
ISSP
51. The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.
InfoSec policy
31. Information ____________ occurs when pieces of non-private data are combined to create information that violates privacy.
aggregation
32. The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place is known as ___________.
deterrence
50. Defines socially acceptable behaviors.
ethics
41. The three levels of planning are strategic planning, tactical planning, and ____________________ planning.
operational
56. An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.
organizational feasibility
46. A(n) ____________________ hacks the public telephone network to make free calls or disrupt services.
phreaker
45. Duplication of software-based intellectual property is more commonly known as software ____________________.
piracy
32. The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the ____________________ security policy.
system-specific / system specific
42. The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.
technology product
60. A risk control strategy that eliminates all risk associated with an information asset by removing it from service.
termination risk control strategy
58. An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.
threat assessment
34. ____________________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.
Access control lists / ACLs
62. Typically considered the top information security officer in an organization.
CISO
44. Focuses on enhancing the security of the critical infrastructure in the United States.
CyberSecurity Act
46. A collection of statutes that regulates the interception of wire, electronic, and oral communications.
Electronic Communications Privacy Act
31. In the bull's-eye model, the ____________________ layer is the place where threats from public networks meet the organization's networking infrastructure.
Networks
52. A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
acceptance risk control strategy
52. Specifications of authorization that govern the rights and privileges of users to a particular information asset.
access control lists
51. A virus or worm can have a payload that installs a(n) ____________________ door or trap door component in a system, which allows the attacker to access the system at will with special privileges.
back
53. A ____________ overflow is an application error that occurs when more data is written to a fixed-size area of memory than it was allocated to hold, overwriting whatever is stored next to it.
buffer
36. A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions.
builders
55. Specifies, for a subject (a user or group), which objects it can access and with what rights.
capability table
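Access control lists and capability tables are two views of the same access control matrix: an ACL is one column (an object and everyone who may touch it), a capability table is one row (a subject and everything it may touch). The block below is an added example, not quiz material; the matrix contents are constructed. It derives both views from one matrix, enforces default deny, and shows which revocation each view makes cheap.

```python
"""Access control matrix and its ACL / capability-table projections (added example)."""
from collections import defaultdict
from typing import Dict, Set

Rights = Set[str]

# Constructed matrix: subject -> object -> rights granted.
MATRIX: Dict[str, Dict[str, Rights]] = {
    "alice":      {"payroll.db": {"read", "write"}, "hr_policy.pdf": {"read"}},
    "bob":        {"hr_policy.pdf": {"read"}},
    "backup_svc": {"payroll.db": {"read"}, "hr_policy.pdf": {"read"}},
}


def access_control_lists(matrix: Dict[str, Dict[str, Rights]]) -> Dict[str, Dict[str, Rights]]:
    """Column view: object -> subject -> rights."""
    acls: Dict[str, Dict[str, Rights]] = defaultdict(dict)
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def capability_tables(matrix: Dict[str, Dict[str, Rights]]) -> Dict[str, Dict[str, Rights]]:
    """Row view: subject -> object -> rights."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


def is_permitted(acls: Dict[str, Dict[str, Rights]], subject: str, obj: str, right: str) -> bool:
    """Default deny: a missing object or subject entry grants nothing."""
    return right in acls.get(obj, {}).get(subject, set())


def subjects_with_right(acls: Dict[str, Dict[str, Rights]], obj: str, right: str) -> Set[str]:
    """Access review question the ACL view answers directly: who can <right> this object?"""
    return {s for s, rights in acls.get(obj, {}).items() if right in rights}


def revoke_object(acls: Dict[str, Dict[str, Rights]], obj: str) -> None:
    """Retiring an object is one deletion in the ACL view."""
    acls.pop(obj, None)


def revoke_subject(caps: Dict[str, Dict[str, Rights]], subject: str) -> None:
    """Offboarding a subject is one deletion in the capability view."""
    caps.pop(subject, None)


if __name__ == "__main__":
    acls = access_control_lists(MATRIX)
    print("alice may write payroll.db:", is_permitted(acls, "alice", "payroll.db", "write"))
    print("who can read payroll.db:", subjects_with_right(acls, "payroll.db", "read"))
```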
60. Labels that must be comprehensive and mutually exclusive.
classification
38. Classification categories must be ____________________ and mutually exclusive.
comprehensive
37. The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.
consultant
61. A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.
critical path method
29. Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.
cultural mores
53. A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
defense risk control strategy
44. ESD is the acronym for ____________________ discharge.
electrostatic
35. A(n) ____________________, which is usually presented on a screen to the user during software installation, spells out fair and responsible use of the software being installed.
end-user license agreement end user license agreement EULA
33. The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.
ethics
48. Some information gathering techniques are quite legal, for example, using a Web browser to perform market research. These legal techniques are called, collectively, competitive ____________________.
intelligence
47. Step-by-step instructions designed to assist employees in following policies, standards and guidelines.
procedures
57. Occurs when a project manager spends more time working in the project management software than accomplishing meaningful project work.
projectitis
54. Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
ranked vulnerability worksheet
49. When issues are addressed by moving from the general to the specific, always starting with policy.
Bull's eye model
43. One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
Computer Security Act / CSA
44. ____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.
Projectitis
47. Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
Public Law
60. A program designed to improve the security of information assets by providing targeted information, skills, and guidance for organizational employees.
SETA
33. The responsibilities of both the users and the systems administrators with regard to specific systems administration duties should be specified in the ____________________ section of the ISSP.
Systems Management
39. The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
appetite
45. An approach that applies moral codes to actions drawn from realistic situations.
applied ethics
34. An organization's information security program refers to the entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to the information _______ of the organization.
assets
52. A(n) ____________________ is an act against an asset that could result in a loss.
attack
59. The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
cost avoidance
51. The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
cost benefit analysis
40. The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
event-driven
40. When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
exploited
40. As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
factor analysis
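The risk identification and assessment terms on this page (weighted factor analysis worksheet, ranked vulnerability worksheet, single loss expectancy, cost-benefit analysis and cost avoidance) are all small calculations, and the worked example below carries them out together. It is an added example, not from the quiz; every weight, score and dollar figure is constructed. The risk-rating formula (likelihood times value, less the share already controlled, plus an uncertainty allowance) is an interpretation of the usual worksheet, since the quiz states no formula.

```python
"""Risk worksheets: weighted factor analysis, ranked vulnerabilities, SLE/ALE/CBA (added example)."""
from typing import Dict, List, Tuple

# --- Weighted factor analysis: criteria weights (constructed) must sum to 1.0 ---
CRITERIA: Dict[str, float] = {"revenue_impact": 0.5, "profitability": 0.3, "public_image": 0.2}
ASSET_SCORES: Dict[str, Dict[str, float]] = {   # constructed 0..1 scores per criterion
    "customer_db":   {"revenue_impact": 1.0, "profitability": 0.9, "public_image": 1.0},
    "edi_server":    {"revenue_impact": 0.8, "profitability": 0.7, "public_image": 0.3},
    "intranet_wiki": {"revenue_impact": 0.2, "profitability": 0.1, "public_image": 0.4},
}


def weighted_factor_analysis(scores: Dict[str, Dict[str, float]],
                             criteria: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank assets by the weighted sum of their criterion scores."""
    if abs(sum(criteria.values()) - 1.0) > 1e-9:
        raise ValueError("criteria weights must sum to 1.0")
    totals = {a: sum(criteria[c] * v for c, v in s.items()) for a, s in scores.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# --- Ranked vulnerability worksheet ---
def risk_rating(asset_value: float, likelihood: float,
                pct_controlled: float, uncertainty: float) -> float:
    """Interpretation of the worksheet: (likelihood x value) reduced by the share current
    controls already cover, then padded by an uncertainty percentage."""
    residual = likelihood * asset_value * (1 - pct_controlled)
    return residual * (1 + uncertainty)


def ranked_vulnerability_worksheet(pairs: List[Tuple[str, str, float, float, float, float]]):
    """pairs: (asset, vulnerability, value, likelihood, pct_controlled, uncertainty)."""
    rated = [(a, v, risk_rating(val, lik, ctl, unc)) for a, v, val, lik, ctl, unc in pairs]
    return sorted(rated, key=lambda r: r[2], reverse=True)


# --- Single loss expectancy, annualized loss expectancy, cost-benefit analysis ---
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    return asset_value * exposure_factor          # SLE = AV x EF


def annualized_loss_expectancy(sle: float, annualized_rate_of_occurrence: float) -> float:
    return sle * annualized_rate_of_occurrence    # ALE = SLE x ARO


def cost_benefit_analysis(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(before control) - ALE(after control) - annual cost of the safeguard.
    A positive result is the cost avoided by deploying the control."""
    return ale_prior - ale_post - annual_cost_of_safeguard


if __name__ == "__main__":
    print(weighted_factor_analysis(ASSET_SCORES, CRITERIA))
    sle = single_loss_expectancy(100_000, 0.25)
    print("SLE", sle, "ALE", annualized_loss_expectancy(sle, 0.2))
```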
51. Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
field change order
30. An organization increases its _____________ if it refuses to take measures—due care—to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions.
liability
36. Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
57. A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
mitigation risk control strategy
59. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
qualitative assessment
39. As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.
relative
56. Remains even after current control has been applied.
residual risk
55. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy.
risk analysis
52. The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
risk management
47. A momentary low voltage is called a(n) ____________________.
sag
39. Project ____________________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan.
scope
38. To keep up with the competition, organizations must design and create a ____________ environment in which business processes and procedures can function and evolve effectively.
secure
38. The ____________________ program is designed to reduce the occurrence of accidental security breaches by members of the organization.
security education, training, and awareness / SETA
55. In larger organizations, responsible for some aspect of information security; in smaller organizations, this title may be assigned to the only or senior security administrator.
security manager