NET 3730 Final


True

"Privilege creep" refers to individuals who retain access privileges within an organization based on their previous jobs within the organization. This is an undesirable situation because multiple access privileges create the conditions for employees to engage in fraud. @ Reference: p 241 True False

taxonomy

A ____________________ can be used to hierarchically represent a classification for a given set of objects or documents. taxonomy framework scheme standard

digital signature

A ________________________ is a string of data associated with a file that provides added security, authentication, and nonrepudiation. digital signature public key infrastructure certificate authority gold master

gold master

A __________________________ is a term that refers to the original image that is duplicated for deployment. Using this image saves time by eradicating the need for repeated changes to configuration and tweaks to performance. digital signature public key infrastructure certificate authority gold master

True

A chain of custody is used to maintain a record of the life span of a user ID; this includes when an ID is assigned, reassigned, or deleted. True False

True

A collection of computers infected by malware loaded onto them by hackers without the knowledge of the computers' owners is known as a botnet. This type of attack is distinct because of its ability to create a vast array of computers that all communicate for a single purpose. True

True

A collection of computers infected by malware loaded onto them by hackers without the knowledge of the computers' owners is known as a botnet. This type of attack is distinct because of its ability to create a vast array of computers that all communicate for a single purpose. @ Reference: p 94 True False

True

A custodian is an individual in the system/application domain that has daily operational control over the implementation of resources and data; this individual is generally tasked with the responsibility of guaranteeing that accepted processes are employed to handle resources and data. True False

True

A firecall system is rapid access for the purposes of performing an emergency fix. Such a process is vital to change management. True False

service integration

A good example of ___________________ is a real estate business that shares data on new home purchases between the unit that sells insurance for the home and the business unit that sold the home. a replicated operating model service integration service standardization a diversified operating model

The carrot aims to educate the employee about the importance of security policies, and the stick reminds the employees of the consequences of not following policy.

A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components: the carrot and the stick. Which of the following best captures the relationship of the two components? The carrot reminds the employees of the consequences of not following policy, and the stick aims to educate the employee about the importance of security policies. The carrot reminds employees that it is up to them whether to follow security policies, and the stick provides positive reinforcement for following policies. The carrot aims to educate the employee about the importance of security policies, and the stick reminds the employees of the consequences of not following policy. The carrot reminds employees exactly what the security policies are, and the stick provides the reward for remembering those policies.

True

A governance policy committee is vital for monitoring and evaluating policy efficacy. The level of effectiveness will be determined by the number of breaches that have occurred and that have been mitigated. True False

False

A lack of standardization within an infrastructure is a significant technical challenge that is always caused by inconsistent configurations. True False

needs assessment

A major defense corporation rolls out a campaign to manage persistent threats to its infrastructure. The corporation decides to institute a ___________________ to identify and evaluate the knowledge gaps that can be addressed through additional training for all employees, even administrators and management. needs assessment new policy communications plan branding campaign

The manager should not have included the names because even though they were newly appointed, individuals join and leave the company.

A manager creates a policy document that lists the policy name, identifying information, and the operational policy. When she gets to the section marked "roles and responsibilities," she is uncertain if she should include the names of the individuals assigned to the roles and responsibilities, but decides ultimately that she will because these individuals were newly appointed and have played an active role in reviewing and providing feedback on the policy. Which of the following statements is an accurate assessment of this manager's choice to include the names of the individuals? The manager made the right choice to include the names of the individuals in the policy because it is highly unlikely that newly appointed employees will leave the company anytime soon. The manager should have postponed her decision to include the names until after she consulted the HR department. The manager should not have included the names because even though they were newly appointed, individuals join and leave the company. The manager should have waited to include the individuals' names until she received verification that their contracts would be renewed.

True

A mitigating control limits the damage caused by not having a control in place and assumes the absence or breakdown of a primary control. True

False

A patch management assessment uses tools to define and comprehend risks to an application, system, or network device; patch management denotes weaknesses, or control gaps, that exist in the IT infrastructure. True False

Because many configuration processes reuse the same procedure, there does not need to be a new procedure document for every configuration.

A procedure document should accompany every baseline document. Which of the following is a true statement about the circumstances for when a procedure document needs to be created to support the baseline document?

likelihood, impact

A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows: Risk exposure = ________________ the event will occur + ____________ if the event occurs

True

A router is a network device that connects LANs, or a LAN and a WAN. @ Reference: p 85 True False

baseline

A security _____________ identifies a group of fundamental configurations designed to accomplish particular security objectives.

value, culture, support, relevance, metrics

A security awareness program can be implemented in many ways. Which of the following is the list of generally accepted principles for implementing a program?

False

A security expert, such as a CISO, is inherently adept at teaching a security awareness training session. True False

False

A security expert, such as a CISO, is inherently adept at teaching a security awareness training session. @ Reference: p 380 Explanation: B is correct because having knowledge on a particular subject does not guarantee that one can teach the material pertaining to the subject. True False

True

A security token is either a software code or hardware device that produces a "token" during the logon stage. Often represented as a series of numbers, a security token is nearly impossible to duplicate and serves to ensure the identity of the person seeking access to the network. True False

True

A significant objective in telecommunication standards is the need to identify the devices and protocols to be used and then determine how to handle data on those devices. True False

True

A significant objective in telecommunication standards is the need to identify the devices and protocols to be used and then determine how to handle data on those devices. @ Reference: p 286 True False

True

A town hall meeting is a community-building effort comprised of different teams for the purpose of sharing new developments and discussing topics of concern in an open setting. Such an effort requires an investment of time and money on the side of both IT and business. True False

self-regulation

A typical data leakage protection program provides several layers of defense to prevent confidential data from leaving the organization. Which of the following is not one of the layers of defense? inventory perimeter device management self-regulation

False

A vulnerability is a human-caused or natural event that could impact the system, whereas a risk is a weakness in a system that can be exploited. True False

True

A workstation can be any user device, such as a smartphone or a laptop, that accesses data; policies regarding the workstation domain relate to any such computing device. True False

Security event

A(n) __________________ is a term used to indicate any unwanted event that takes place outside the normal daily security operations. This type of event relates to a breakdown in controls as identified by the security policies. strategic risk security event financial risk operational risk

corporate mobility policy, acceptable use policy

A(n) ___________________ sets expectations on the use and security of mobile devices, whereas a(n) _________________ establishes a broad set of rules for approved conduct when a user accesses information on company-owned devices.

enterprise risk management framework

A(n) ______________________ aligns strategic goals, operations effectiveness, reporting, and compliance objectives. operational risk committee layered security approach enterprise risk management framework governance, risk management, and compliance framework

policy principles document

A __________________ communicates general rules that cut across the entire organization. procedure policy principles document guideline policy definitions document

False

According to a report published in 2014 by Verizon, it was found that social engineering accounted for only 8 percent of data breaches in 2013. This is due to the fact that social engineering is far less effective than hacking, which usually takes days to be successful. @ Reference: p 235 Explanation: B is correct because the Verizon report found that 29 percent of data breaches resulted from social engineering. It can take hackers many weeks, months, or years to penetrate automated controls. True False

It will ensure that users with the most sensitive security access especially adhere to the policies.

After management has created and agreed upon its policies, it must then determine how these policies will be implemented. Which of the following is not one of the processes that line management will follow in order to make the new policies operational?

True

All organizations, including business and government, need to create and enforce policies that demonstrate compliance with regulations. It is impossible to design effective security controls without good security policies. True False

False

All state laws and the federal government share the same definition of data privacy. False

False

Although it can be expensive for businesses to implement operational efficiency, this cost produces greater quality results. For organizations with multiple divisions, developing processes once and repeating them saves time. True False

regulation

Although it is impossible to eliminate all business risks, a good policy can reduce the likelihood of risk occurring or reduce its impact. A business must find a way to balance a number of competing drivers. Which of the following is not one of these drivers?

False

Although there are many automated administrator tools that can be used in the service of managing policy, the first step should be to determine which manual controls can assist with enforcement. True False

False

Although there are many automated administrator tools that can be used in the service of managing policy, the first step should be to determine which manual controls can assist with enforcement. @ Reference: p 413 Explanation: B is correct because automated administrator tools should be the first step in policy enforcement because such tools can be swiftly configured for detection and prevention. True False

an employee is given the authority to request a wire transfer, and a manager is required to approve the transfer

An efficient organization requires the proper alignment of people, processes, and technology. One of the ways good security policies can mitigate this risk is through enforcement. Which of the following situations is an example of enforcement? an employee completes a one-day orientation on security policies an employee is given the authority to request a wire transfer, and a manager is required to approve the transfer an employee is given a commendation for successfully complying with policies in an annual review an employee is required to submit weekly project updates to a manager

True

An example of a preventive control would be a firewall because it stops incidents or breaches immediately and is designed to prevent such incidents from occurring. True False

disposal of risk

An illustration of ________________ would be an organization installing malware software on the network and endpoint, monitoring for suspicious traffic, and responding as needed. risk governance disposal of risk strategic risk risk evaluation

a server crash that was accidentally caused

An occurrence that transgresses an organization's security policies is known as an incident. Which of the following is not an example of a security incident? non-permitted access to any computer system a server crash that was accidentally caused duplicating customer information derived from a database non-permitted use of computer systems for the purpose of gaming

How do you measure whether both the policy and the right processes were followed?

An organization mandates that all attempts by traders to use the Internet should be logged, and that each trader's log should be reviewed by a manager at least monthly to ensure compliance. Which of the following questions concerning security is being addressed?

False

An organization mandates use of the firewall, which stops all traffic to the Internet except for Web browsing and company e-mail. For this control, the question concerning security being addressed is, "What type of protection will be achieved?" True False

privacy officer

An organization's _________________ is a good source for determining what should be in security policies to meet regulatory requirements.

incident response team (IRT)

An organization's _______________________ is a particular group of differently skilled individuals who are responsible for attending to serious security situations.

Adjust the implementation strategy to better explain the importance of the policy within the context of the individual role.

Apathy can have detrimental effects on information security. Engaged communication is one strategy that can be implemented to overcome the effects of apathy. Which of the following statements further elaborates this strategy? Continually reinforce the message of the value and importance of information security. Compliance must be monitored and individuals held accountable. Adjust the implementation strategy to better explain the importance of the policy within the context of the individual role. Seek opportunity to spotlight individuals who model the desired behavior.

the difference between governance and management oversight

Assume that the governance committee states that all projects costing more than $70,000 must be reviewed and approved by the chief information officer and the IT senior leadership team (SLT). At this point, the CIO has the responsibility to ensure that management processes observe the governance rules. For example, the project team might present the proposed project in an SLT meeting for a vote of approval. What does this scenario illustrate about organizational structure?

legal classification

At Stanford University, data is labeled according to a classification scheme that identifies information in the following way: prohibited, restricted, confidential, and unrestricted. Which of the following schemes has Stanford adopted? customized classification business classification legal classification military classification

workstation and LAN

Authentication of a workstation and encryption of wireless traffic are issues that belong to which of the following two domains?

True

Because a leader's job is to work through others to achieve specific goals, there are some widely accepted leadership rules that also apply to security policies. These are values, goals, training, support, and reward. True False

False

Because employees always respond and react in relation to their environment, it is vital that front-line employees work to counteract the forces of peer pressure. Peer pressure is a negative influence on the security culture of an organization. True False

False

Because employees always respond and react in relation to their environment, it is vital that front-line employees work to counteract the forces of peer pressure. Peer pressure is a negative influence on the security culture of an organization. @ Reference: p 405 Explanation: B is correct because peer pressure is not an exclusively negative force and can be harnessed in close-knit teams to help foster a grass-roots method of enforcing policies, particularly security policies. True False

True

Because incidents can eventually become court cases, it is necessary that the actions of the IRT demonstrate due care, which requires that steps or actions be taken to mitigate harm to another party. True False

False

Because policies and standards are a collection of comprehensive definitions that describe acceptable and unacceptable human behavior, it is important that they contain a significant level of detail and description and address the six key questions who, what, where, when, why, and how. True False

False

Because policies and standards are a collection of comprehensive definitions that describe acceptable and unacceptable human behavior, it is important that they contain a significant level of detail and description and address the six key questions who, what, where, when, why, and how. @ Reference: p 175 Explanation: B is correct because policies and standards are a collection of concrete definitions, and it is important that they are succinct and clearly worded and address the six key questions who, what, where, when, why, and how. True False

True

Because regulatory compliance is a significant effort, some organizations engage full-time teams to collect, review, and report in an attempt to demonstrate that regulations are being followed. However, creating these full-time teams redirects business protection resources needlessly. A better strategy is to create an IT policies framework that defines security controls that align with policies and regulations. True False

True

Because some security work is heavily reliant on human judgment, not all controls are subjected to automation. However, manual controls are not appropriate to use with respect to background checks, log reviews, attestations, and access rights reviews. True False

False

Because the PCI DSS is an information security framework, it contains a lot of technical requirements. In particular, a major challenge is encrypting data in transit. Encrypting data at rest is common over the Internet and public networks. Encrypting data in transit, however, can be technically challenging and at times not feasible. True False

True

Best practices are typically the known and shared practices and the standard of professional care expected for an industry. True False

What is a reason the person owns the device?

Bring Your Own Device (BYOD) is a current trend within many organizations, which raises a host of security policy questions that must be addressed for handheld device use. Which of the following is not one of the questions? What is a reason the person owns the device?

True

Business process reengineering (BPR) is comprised of five phases: Planning; Create/Refine; Process Baseline Research and Benchmarking; Develop the Future Process; and Add to Governance Routines. True False

False

COSO is an international governance and controls framework and a widely accepted standard for assessing, governing, and managing IT security and risks. True False

integrated audit

Consider this scenario: A company that buys a sizeable amount of equipment for its manufacturing process needs to accurately report such expenditures, so it calls upon the services of financial auditors. While financial auditors might consider how robust the data might be, the company might also involve IT auditors to examine the technology in place to gather the data itself. What process is this company using to address its concerns? access management controls design arbitrage integrated audit

The thorough implementation of security policies was not something that the executive management prioritized.

Consider this scenario: A health insurer in Oklahoma settled a class-action lawsuit after having reported that one laptop was stolen in 2008; this laptop contained personal data of more than 1.6 million customers. Based on the fact that the laptop was not encrypted, and that employees were lacking in security awareness training, which of the following statements captures the root cause of this breach?

True

Consider this scenario: A major government agency experiences a data breach. As a result, more than 100,000 personal records are now subject to unauthorized access. Despite the fact that the CISO announced that there were a few prior warning signs that the system was at risk, no actions were taken to locate the system vulnerability. Because government agencies must comply with NIST standards, it is evident that the breach occurred as a result of insufficient management or governance. True False

This employee should have prior access removed to ensure separation of duties and avoid future instances of security risk.

Consider this scenario: After many years, an employee is promoted to a position that has an elevated level of trust with his management. He started with the company in an entry-level position, and then moved from a supervisory to a managerial role. This role entails that the employee trains other employees and has a deep understanding of how the department functions. Which of the following actions should be taken in regard to this employee's levels of access during the span of time he has worked for the company? Because this employee needs to train other employees, he should have the access granted in his previous roles. This employee should be granted access based on his current and past roles only after being formally reviewed for his effectiveness in the company. This employee should ask his manager to grant only the access that he would prefer to have. This employee should have prior access removed to ensure separation of duties and avoid future instances of security risk.

True

Continuous improvement relies on people telling you what is and isn't working, and a good source for this information is an employee departing a company. True False

False

Creating an accurate inventory is a challenge, given the speed at which data files are created, deleted, moved, and changed. It is therefore recommended that an organization prioritize the inventory of assets, starting with the least sensitive to most sensitive. False

True

Data owners ensure that only the access that is needed to perform day-to-day operations is granted and that duties are separated adequately to mitigate the risk of errors and fraud. True False

Employee verifications—automated controls can be put in place to verify information on an employee's background.

Depending on staffing availability, the complexity of implementation, backlog, and how many approvals are needed, manual access requests can take weeks or days. Thus, automation can make the process far more efficient and minimize the time required. Which of the following is not one of the areas in which the time required can be reduced through automation? Appropriate request—automated controls can verify request completion and that no policy requirements have been violated. Employee verifications—automated controls can be put in place to verify information on an employee's background. Implementation—automated controls can implement a change upon its approval. Approval workflow—automated controls can put a request in route so that it reaches those who need to grant approval in as expedient a manner as possible.

moderately sensitive

Despite the fact that there exists no mandatory scheme of data classification for private industry, there are four classifications used most frequently. Which of the following is not one of the four? highly sensitive moderately sensitive sensitive internal

False

Digital assets encompass any computer-related resources that are owned by an organization if the assets were created on the computer by company employees or if the assets were custom developed for and purchased by the organization. True False

False

Distinguishing between quality assurance and quality control can be challenging, but the key difference is that quality assurance is an assessment to determine the necessary responses to ensure correction, while quality control entails instilling confidence or the state of feeling confident. True False

a dictionary

Domain security control requirements are embodied in several different types of documents. One such document is known as _______________________, which uses a hierarchical organizing structure to identify the key terms and their explanations. a control standard document a procedure document a dictionary a guidelines document

True

Escalation is a process that is regularly implemented by a CISO when risks are being addressed. If a business unit is unresponsive, it is necessary for a CISO to escalate events. However, the path of escalation differs depending on the organization. True False

True

Escalation is a process that is regularly implemented by a CISO when risks are being addressed. If a business unit is unresponsive, it is necessary for a CISO to escalate events. However, the path of escalation differs depending on the organization. @ Reference: p 258-9 True False

True

Examples of strategic risk include an organizational merger or acquisition, a change in the customer, or a change in the industry. True False

False

Executive management is ultimately accountable when an organization has failed to control risks. In general, organizations can be trusted to assign consequences of that failure to a few in top leadership roles who will take on the burden of consequences. Thus, it is rarely necessary that regulators and courts be invoked to ensure accountability. @ Reference: p 416 Explanation: B is correct because many organizations are hesitant to assign consequences to top leaders, so ensuring accountability can be very difficult. In addition to regulators and courts, there are external forces in place to ensure accountability such as public opinion and shareholders. True False

True

Executive management sponsorship motivates users to willingly engage in awareness training in service of policy implementation. Thus, a lack of this sponsorship can send the message that policy implementation is not taken seriously. True False

Regulations

Federal and state governments in the United States establish laws that define how to control, handle, share, and process the sensitive information that the new economy relies on. ___________________ are then added to these laws, which are typically written by civil servants to implement the authority of the law.

productivity

For leaders, implementing security policies is all about working through others to gain their support and adhere to the policies. Of the widely accepted leadership rules that apply to security policies, which of the following is not among these rules? productivity values support training

always

Generally, regardless of threat or vulnerability, there will ____________ be a chance a threat can exploit a vulnerability. never occasionally always seldom

False

Good governance provides assurance and confidence that rules are being followed; governance exists for the purpose of providing assurance to regulators that risks to shareholders, customers, and the public are being properly managed. False

False

How security data is classified demonstrates the information in terms of criticality and sensitivity. Sensitivity denotes how vital the information is to accomplishing an organization's mission. Criticality denotes the impact affiliated with unauthorized disclosure of information. True False

True

ISO/IEC 27002 covers the three aspects of the information security management program: managerial, operational, and technical activities. All three must be present in any IT security program for comprehensive coverage. True False

compliance controls for legal mandates

ISS policies ensure the consistent protection of information flowing through the entire system. Which of the following is not one of the foundational reasons for using and enforcing security policies?

False

ISS policies must set rules for users, define consequences of violations, and minimize risk to the organization. There are typically five different types of documents in a policy framework: 1) Principles; 2) Policy; 3) Standard; 4) Procedure, and 5) Guideline. True False

The CISO should talk about how malware could prevent the service desk from helping a customer.

If a CISO seeks to raise employees' awareness of the dangers of malware in the organization, which of the following approaches is recommended?

True

If an organization wants to reduce the number of possible threats and damages, it is recommended that it puts security policies in place to guarantee that access is limited to individual responsibilities and roles. This policy should also mandate that a person's access is revoked when s/he leaves the organization. @ Reference: p 238 True False

manual

If human action is required, the control is considered _______________. corrective automated manual preventative

True

If the governance and compliance framework is well-defined, this means that the approach is structured around a common language and is a foundation from which information security policies can be governed. True False

stakeholders

Implementing security policy means continuous communication with ___________________ and ensuring transparency about what's working and what's not working.

The Gramm-Leach-Bliley Act (GLBA)

The ___________________ is a law that came into being in 1999 to repeal existing laws so that banks, investment companies, and other financial services companies could merge. The Health Insurance Portability and Accountability Act (HIPAA) The Federal Information Security Management Act (FISMA) The Gramm-Leach-Bliley Act (GLBA) The Sarbanes-Oxley (SOX) Act

True

In 2002, the U.S. Senate passed the Sarbanes-Oxley (SOX) Act, which was passed in the wake of the collapse of Enron, Arthur Andersen, WorldCom, and several other large firms. SOX requires publicly traded companies to maintain internal controls. The controls ensure the integrity of financial statements to the Securities and Exchange Commission (SEC) and shareholders. As a result of this mandate, these internal controls are now highly scrutinized. True False

True

In 2007, the Office of Management and Budget (OMB) defined personally identifiable information (PII) as: "Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc." True

True

In 2012, the software company Telvent suffered a breach of its internal firewall and network. In response, the company severed the usual data links between clients and segmented the portions of its internal networks that had been affected. The fact that segmentation was introduced immediately after the breach suggests that such segmentation was not initially built into the LAN security policy, which raises many security control questions. True False

security policy

In 2013, the national retailer Target Corporation suffered a major data breach that put the financial information of an estimated 40 million customers at risk. In 2009, the health care provider BlueCross BlueShield of Tennessee suffered a theft of hard drives when it reported 57 hard drives stolen. Both these cases resulted from a(n) ________________ failure. security policy

False

In Information Technology Infrastructure Library (ITIL), the volume service strategy relates to ongoing support of the service, and the volume service operation relates to how to define the governance and portfolio of services, which includes aligning to the business and IT finance requirements. True False

the Family Educational Rights and Privacy Act (FERPA)

In January 2013, two important changes were made to ___________________. First, it became easier to share records with child welfare agencies. Second, the change eliminates some requirements to notify parents when school records are being released. the Federal Communications Commission (FCC) the Health Insurance Portability and Accountability Act (HIPAA) the Family Educational Rights and Privacy Act (FERPA) the Children's Internet Protection Act (CIPA)

False

In LAN domain control procedures, it is of the utmost importance that the network is protected because an attack on the network threatens the entire organization. Thus, the procedure of audit record retention exists, which responds to the failure of audit tools and network monitoring. @ Reference: p 276 Explanation: B is correct because the process of responding to failure of audit tools and network monitoring is separate and distinct from audit retention, which is the procedure for securing audit records. True False

IT policy framework

In a(n) ____________________, there are policies, standards, baselines, procedures, guidelines, and taxonomy. asset management policy IT policy framework control standard risk assessment policy

institute recovery time frames for the components with the highest priority only

In a business impact analysis (BIA), the phase of defining the business's components and the component priorities has several objectives. Which of the following is not one of the objectives?

False

In a central management system that typically manages workstations, one of the key functions is discovery management; discovery management systems extract logs from a device and typically move logs to a central repository. False

hierarchical organizational structure

In a large organization, the complexity required to keep operations running effectively requires a hierarchy of specialties. Thus, which of the following organizational structures is preferred? hierarchical organizational structure

automated

In addition to compiling the list of user access requirements, applications, and systems, the BIA also includes processes that are ______________. These processes safeguard against any risks that might occur due to key staff being unavailable or distracted. automated manual flexible rigid

False

In an attribute-based access control (ABAC) model, roles assigned are static, whereas in a role-based access control (RBAC) model, roles are built more dynamically. True False

statement of an issue

In an issue-specific standard, the ___________________________ section defines a security issue and any relevant terms, distinctions, and conditions. definition of roles and responsibilities statement of applicability statement of the organization's position statement of an issue

False

In an organizational structure, the stakeholders in the line of business are focused on effective comprehensive assurance policies. True False

compliance team

In any event in which customer data is involved, it is necessary to check with the ___________________ on the legal requirements related to the management and use of that data.

HR policies and employment agreements about IP may or may not be enforceable, depending on current law and location.

In business, intellectual property (IP) is a term applied broadly to any company information that is thought to bring an advantage. Protecting IP through security policies starts with human resources (HR). Which of the following is a challenge concerning HR policies about IP? HR policies and employment agreements about IP may or may not be enforceable, depending on current law and location.

WAN router security standard, Web services standard

In general, WAN-specific standards identify specific security requirements for WAN devices. For example, the ____________________ explains the family of controls needed to secure the connection from the internal network to the WAN router, whereas the ______________________ identifies which controls are vital for use of Web services provided by suppliers and external partnerships.

False

In general, executive management offers its support of information security policy solely in the form of mandates and budgets. True False

True

In general, it is good practice to make your security policies relevant to business needs because they stand a better chance of being followed. True False

reduction in force

In general, it's not a good idea to implement significant policy changes during a _______________. change in leadership reduction in force new quarter separation of duties

False

In general, matrix relationships are created with control partners. False

False

In general, matrix relationships are created with control partners. True False

False

In general, the enforcement of policies among employees is far less challenging than policy acceptance. False

False

In general, when individuals work effectively in isolation they are less likely to need or benefit from organizational support. Thus, risk management is accomplished because organizational efficiency is achieved. True False

True

In many organizations, there exists an established process for requesting changes. This process ensures that key players in organizations play a role in reviewing the requests for change and providing input using a shared intranet Web application. Such players involved in the review process are security experts, senior IT experts, disaster recovery experts, and management personnel. True False

protecting the privacy of personal data and proprietary information

In order for an IT security framework to meet information assurance needs, the framework needs to include policies for several areas. Which of the following is not one of the areas? automation of security controls, where possible implementation of appropriate accounting and other integrity controls protecting the privacy of personal data and proprietary information assurance of a level of uptime of all systems

True

In order to be compliant with the NIST publications, policies must include key security control requirements. One of these key requirements includes certification and accreditation, which is a process that occurs after the system is documented, controls tested, and risk assessment completed. It is required before going live with a major system. Once a system is certified and accredited, responsibility shifts to the owner to operate the system. True

multiple executive supporters

In order to build security policy implementation awareness across the organization, there should be ____________________ who partner with other teams and departments to promote IT security through different communication channels. many HR department personnel numerous marketing department professionals multiple executive supporters several IT department specialists

False

In order to enhance security for certain departments or users in an organization, the Microsoft domain offers PCI DSS Lock Down Policy. This method enables security settings to be increased for some computers or users and allows security gaps to close. True False

video record a message from one of the leaders in a senior role to share with new employees

In order to enhance the training experience and emphasize the core security goals and mission, it is recommended that the executives _______________________. issue a written welcome letter to new employees remove themselves from the process because it doesn't concern them schedule multiple training sessions with new employees for face-to-face interaction video record a message from one of the leaders in a senior role to share with new employees

Common Platform Enumeration (CPE)

In order to ensure compliance, organizations deploy both new and current technologies. Which of the following is not one of these new technologies? COSO Internal Compliance Framework Security Content Automation Protocol (SCAP) Simple Network Management Protocol (SNMP) Common Platform Enumeration (CPE)

False

In order to ensure that policy is implemented in a thoughtful manner, it is recommended that the security manager forms a policy change control board or committee. The only employees who should be invited are those from the compliance team so that the team can guarantee that changes to extant policies and standards bolster the organization's mission and goals. True False

recommendations for creating a healthy organizational culture

In order to establish cogent expectations for what's acceptable behavior for those utilizing an organization's technology asset, an Acceptable Use Policy (AUP) defines the targeted functions of computers and networks. This policy delimits unacceptable uses and the consequences for policy violation. Which of the following topics is not likely to be found in an AUP? how to manage software licenses best practices for e-mail etiquette how to manage intellectual property recommendations for creating a healthy organizational culture

IRT that provides on-site response

In order to form an IRT, an organization is required to create a charter; this document identifies the authority, mission, and goals of a committee or team, and there are a number of different types of IRT models for doing this. Which of the following models permits an IRT to have the complete authority to ensure a breach is contained?

True

In order to move data from an unsecure WAN to a secure LAN, you begin by segmenting a piece of your LAN into a demilitarized zone (DMZ). @ Reference: p 87 True False

demilitarized zone (DMZ)

In order to move data from an unsecure WAN to a secure LAN, you typically begin by segmenting a piece of your LAN into a _________________________, which sits on the outside of your private network facing the public Internet. Servers in this area provide public-facing access to the organization, such as public Web sites. demilitarized zone (DMZ) virtual private network (VPN) remote access domain botnet

profiles identifying the evangelists in the organization

In order to promote continued learning and development among staff, a security newsletter can be created to offer interesting and captivating ways of comprehending the points outlined in the policy and standards library. Which of the following is not one of the possible article topics to be covered? password security acceptable Internet use profiles identifying the evangelists in the organization your role in the protection of the organization

physical transport

In policies regarding the __________ of data, it must be guaranteed that the data that exits the private network is secured and monitored; the data should also be encrypted while in transit.

upgrades

In the Build, Acquire, and Implement domain, the ability to manage change is very important. Thus, there are often ___________________ set to avoid disrupting current services while new services are added. authentications entitlements upgrades guidelines

False

In the COBIT Build, Acquire, and Implement domain, the staff tunes the environment to minimize risks and collects lessons learned. True False

cryptography

In the ISO/IEC 27002 framework, _________________ describes the use and controls related to encryption. cryptography operations security communications security access control

need to know

In the ______________ principle adopted by many organizations, you gain access only to the systems and data you need to perform your job.

True

In the methods section of an IRT charter document, the process used to achieve the objective is explained in detail. This section also features a list of services offered by the IRT. True False

False

In the monitoring process, quality assurance is about sampling work that has already been done to ensure that, collectively, actions meet standards, and quality control is about verifying and approving actions before they occur. True False

False

In the monitoring process, quality assurance is about sampling work that has already been done to ensure that, collectively, actions meet standards, and quality control is about verifying and approving actions before they occur. @ Reference: p 93 Explanation: B is correct because quality control is about sampling work that has already been done to ensure that, collectively, actions meet standards, and quality assurance is about verifying and approving actions before they occur. True False

False

In the three-lines-of-defense model of risk management, the second line of defense is the business unit (BU), which is responsible for controlling risk on a daily basis. The BU locates risk, assesses the impact, and mitigates the risk whenever possible. True False

baseline standards

In workstation domain policies, _________________ provide the specific technology requirements for each device. IT staff use recorded and published procedures to apply configurations to devices to ensure that secure connectivity for remote devices exists, as well as virus and malware protection and patch management capability, among several other related functions.

False

Integrity broadly means limiting disclosure of information to authorized individuals. For example, if the principle of integrity is applied to e-mail, then you might have an objective of ensuring that all sensitive information be protected against eavesdropping. And then to implement this objective you would require that all e-mails containing sensitive information be encrypted, and then ensure that only authorized individuals have access to the decryption key. True False

True

It is always advised that automated controls are used in the enforcement of policies whenever possible. Concerns about employees' use of social networking sites and personal e-mail can be directly addressed with automated blocking controls. @ Reference: p 419 True False

False

It is generally recommended that security policies should focus on specific products rather than product capabilities because it is important that there is a uniformity of devices across an organization. This consistency makes security policies easier to enforce. True False

False

It is good practice when writing policies and standards to use terms like should rather than must or need to. @ Reference: p 176 Explanation: B is correct because it is preferable to avoid using terms like should when you mean must or need to. True False

False

It is human nature to resist working hard unless there is a material outcome to be gained, so the concept of organizational culture is used to identify shared beliefs that employees have regarding financial success. True False

division of labor, span of control

It is important for an organization to determine how it wants to manage ____________________, which means how to group various tasks, and ____________________, which relates to the number of layers and number of direct reports found in an organization.

Wi-Fi security guidelines

It is important that LAN guidelines transfer technical knowledge and experience by guiding an individual through core principles and varied ways of considering risks. Which of the following guidelines documents instructions on the intricacies and uses of wireless structures and types? Wi-Fi security guidelines firewall architecture and management guidelines security assessments guidelines IDS and IPS architecture and management guidelines

information security team, legal department

It is important that partnership exists between the ___________________, which needs to review the standing legislation that governs their business, and the ____________________, which needs to review all recent or significant policy changes.

downtimes

It is important to conduct a nearly continuous evaluation of possible ______________ to guarantee that recovery estimates provided to customers are accurate and maintain credibility with customers. resources vulnerabilities downtimes risks

Management and coordination of security-related resources

It is important to create an IT security program structure that aligns with program and organizational goals and describes the operating and risk environment. Which of the following is one of the important issues for the structure of the information security program?

False

It is important to test automated tools for the purpose of determining their effectiveness. One thing to look for in a tool is whether it has failed to catch existing problems, such as whether or not a patch is missing. Such a test would be monitoring a tool's assessment capabilities. True False

False

Writing policies that advocate a mutually agreed-upon target state necessarily requires clarity and flexibility. It is recommended that language like "expected" and "should" be favored to encourage employees to offer their own interpretation of how policies might be applied. True False

False

Writing policies that advocate a mutually agreed-upon target state necessarily requires clarity and flexibility. It is recommended that language like "expected" and "should" be favored to encourage employees to offer their own interpretation of how policies might be applied. @ Reference: p 374 Explanation: B is correct because words like "expected" or "should" are not sufficiently precise for inclusion in a policy. It is preferable to compose a statement like "You must log off your computer and shut it down before you leave the office for the day." True False

True

It is not uncommon that committees will create charters, which are formal documents that offer a blueprint for committee goals and mission. These documents can offer useful information regarding the particular function of the committee. True False

True

It is not uncommon that committees will create charters, which are formal documents that offer a blueprint for committee goals and mission. These documents can offer useful information regarding the particular function of the committee. @ Reference: p 401 True False

False

It is often the case that system accounts need increased privileges to start, stop, and manage system services; such accounts can be interactive or non-interactive. The word interactive denotes a person's inability to log on to the account, whereas noninteractive denotes a person's ability to do so. True False

False

It is often the case that system accounts need increased privileges to start, stop, and manage system services; such accounts can be interactive or non-interactive. The word interactive denotes a person's inability to log on to the account, whereas noninteractive denotes a person's ability to do so. @ Reference: p 251 Explanation: B is correct because the reverse is actually true: interactive denotes a person's ability to log on to the account, whereas noninteractive denotes a person's inability to do so. True False

False

It is rare that technology outages occur apart from a security breach. True False

False

It is recommended that organizations retain information for the entire life of their existence because there is no guarantee of when it will be necessary to satisfy the purposes of legal obligations and business operations. True False

True

It is standard practice for organizations to use imaging techniques to establish baselines. Images can include all the desired configuration and security settings for a system, applications, system settings, and the full operating system. True False

True

It is vital to keep in mind that breaches are entirely concerned with data. No matter what physical damage a device incurs, data on any stolen machine may be at risk; thus, encrypting the hard drive on a portable device is considered a best practice by the industry. True False

distributed infrastructure

Many organizations have a(n) ________________________, which is comprised of end user devices (including tablets, laptops, and smartphones) on a shared network and that use distributed system software; this enables these devices to function simultaneously, regardless of location.

group policy

Microsoft domains offer _______________ in order to enhance security for certain departments or users in an organization. This method allows security gaps to close and security settings to be increased for some computers or users. group policy change management policies configuration management policies Simple Network Management Protocol (SNMP)

False

Mobile devices and broadband are becoming very reliable, though much like cell phone coverage, mobile broadband coverage is spotty at times. As a result of their drawbacks, mobile devices offer only one main business benefit: increased customer responsiveness. @ Reference: p 98 Explanation: B is correct because mobile devices offer benefits beyond increased customer responsiveness, such as quick reaction to news and business-related events and the advantage of real-time data access. True False

True

More than memorizing policy word for word, a security awareness program should teach an employee where to go for help. New employees especially need to know they are not alone in dealing with unexpected issues. True False

False

Motivated employees are far more likely to embrace the implementation of security policies, but this does not correlate to more risks being identified and mitigated for the organization. Rather, it creates a more comfortable work environment. True False

True

Motivation consists of being enthusiastic, energized, and engaged to achieve a goal or objective. The three basic elements of motivation are pride, self-interest, and success. True False

False

Network infrastructure includes devices upon which an application resides, such as application and database servers. All other non-application networked devices may fall under the definition of platforms. True False

transfer information

Of all the needs that an organization might have to classify data, there are three that are most prevalent. Which of the following is not one of the reasons?

True

Of all the team members on the IRT, management plays a fundamental role in decision-making because it gives approval to the charter, response policy, staffing, and budget. True False

False

Of the eight classic personality types in the workplace, commanders can often appear angry or even hostile toward ideas and others on the team and are critical of others' ideas. True False

humor

Of the many tools that can be used in training to connect with an audience of employees, _______________ can inspire a sense of fun that leads to community and commitment.

False

Of the people working in concert with security teams to ensure data quality and protection, the head of information management is responsible for executing the policies and procedures, such as backup, versioning, uploading, downloading, and database administration. True False

accountability principle

Of the principles that can be used to derive control requirements and help make implementation decisions, which principle functions as a deterrent control and helps to ensure that people understand they are solely responsible for actions they take while using organization resources? awareness principle accountability principle ethics principle timeliness principle

risk avoidance, risk acceptance

Of the risk management strategies, _________________ refers to the act of not engaging in actions that lead to risk, whereas ____________________ refers to acquiescence in regard to the risks of particular actions as well as their potential results.

reputational

Of the six specific business risks, the ___________________ risk results from negative publicity regarding an organization's practices. Litigation and a decline in revenue are possible outcomes of this type of risk.

True

In April 2010, the American Institute of Certified Public Accountants (AICPA) created the Statement on Standards for Attestation Engagements No. 16 (SSAE16). It replaced the widely accepted auditing standard referred to as SAS 70 and allows an independent auditor to review an organization's control environment. True False

label, classify

Once an organization clearly defines its IP, the security policies should specify how to ___________ documents with marks or comments, and ____________ the data, which determines in what location the sensitive file should be placed.

False

One of the best practices for policies and standards maintenance is to establish an ad hoc review process for documents in draft form. The process will create space for flexibility when considering which people will be affected by new policies and security controls. True False

False

One of the best practices for policies and standards maintenance is to establish an ad hoc review process for documents in draft form. The process will create space for flexibility when considering which people will be affected by new policies and security controls. @ Reference: p 200 Explanation: B is correct because it is recommended to establish a recursive review process for draft documents. Furthermore, the process should take into consideration a sample of people who will be impacted by new policies and security controls. True False

True

One of the components of a useful structure for issue-specific standards is the points of contact section, which lists the areas of the organization responsible for the implementation of policies. Those in these areas are the subject matter experts, or SMEs, who interpret the policy and ensure that there are controls to enforce the policy. This section may also identify other applicable standards or guidelines. True False

True

One of the consequences of an organization's expectation that the LAN will be always available and always have capacity is that bandwidth within the LAN decreases as new services such as VoIP and video are offered. True

False

One of the considerations of integrity is how to protect data in the event of a breach or unauthorized access. One way to resolve this issue is to take a security layered approach and to use encryption. A breach in one layer will be caught by another. In this case, even if data is improperly accessed, it still cannot be read. True False

attestation

One of the different manual controls necessary for managing risk is ________________, which is a type of formal management verification. In the process, management confirms that a condition is present and that security controls and policies are in place. attestation background checks log reviews access rights reviews

True

One of the foundational reasons for using and enforcing security policies is to protect systems from the "insider threat," which refers to users with authorized access. These are privileged users who would have the ability and access to wreak havoc on the system. True False

harden

One of the processes designed to eliminate as many security risks as possible is to ________________, which limits access credentials to the minimum required to conduct any activity and ensures that access is authenticated to particular individuals. integrated audit harden escalate social engineer

firecall-ID

One of the processes for establishing business requirements and raising the level of privileges is to grant elevated rights on a temporary basis. This process is called _________________. firecall-ID trouble ticket best fit access privileges least access privileges

Common Platform Enumeration (CPE)

One of the six specifications for entities that implement SCAP is to provide particular names for operating systems, applications, and hardware. This specification articulates a standard naming convention for systems to promote consistency across varied products. Which of the following specifications fits this description?

True

One of the vital components of an awareness program is to motivate employees and encourage a healthy organizational culture. Fostering motivation is as significant as mastering a technology because a motivated employee can deal with unpredictable situations and creatively execute policy when needed. True False

True

One of the ways to verify a computer's identity is by using certificates, because, in general terms, the certificate acts like a digital fingerprint. True False

False

One of the well-documented reasons for why projects fail is insufficient support from leadership. This occurs when value is only derived from policies when they are enforced. An organization must have the will and process to reward adherence. True False

True

One should focus on measuring risk to the business as opposed to implementation of policies and controls when tying policy adherence to performance measurement. True False

False

Operational deviation can be avoided by implementing two controls: 1) the policy should be clearly communicated, and 2) the policy should cover specific topics. True False

False

Organizations can lower communication costs and save time by leasing private lines for WANs instead of using VPN tunnels. For small and medium-size companies, it's the only practical solution given the cost and technical complexities. False

True

Over time, industries create standards that may become best practices. Yet, the term is overused and difficult to quantify. The term leading practice is more precise, given that it is easier to quantify. If most members of an industry adopt a method, it's considered to be "leading." True False

where, when, and how; what, who, and why

Policies and standards are a collection of concrete definitions that describe acceptable and unacceptable human behavior. The questions related to _______________ are more appropriate for procedures or guidelines than policies or standards, which require detail that is more at the level of ________________. where, when and how; what and why how; what where and when; what, who and why where, when, and how; what, who, and why

False

Policies, which can be a process or a method for implementing a solution, often become the measuring stick by which an organization is evaluated for compliance. True False

True

Policy enforcement challenges consist of the following: poorly written policies; failure to report infractions; lack of involvement in enforcement of key departments and management; and lack of clearly defined roles and responsibilities. True False

Full disclosure, Data encryption

Privacy regulations involve two important principles. _____________________ gives the consumer an understanding of what and how data is collected and used. ________________________ provides a standard for handling consumer information. Business liability, Legal obligation Acceptable use policies, Data encryption Full disclosure, Legal obligation Full disclosure, Data encryption

False

RADIUS is an organizational model that is focused on the design, integration, security, distribution, and management of data across the enterprise. Sizable organizations are inclined to concern themselves with the management of data as its own pursuit, which cuts across all domains. True False

something you want to know

Remote authentication has always been a concern because the person is coming from a public network, and many companies require two-factor authentication for remote access. Which of the following is not one of the most commonly accepted types of credentials? something you know something you have something you are something you want to know

False

Risk and control self-assessment is the term used to define how an organization's security policy allows the business to thrive, or the degree to which it diminishes the obstacles to the business. True False

False

SQL injections are attacks that result from the absence of separating high-risk assets on their own network segments. True False

True

Security awareness training is formally conducted in two methods: instructor-led classroom training and computer-based training (CBT). It is common practice for large organizations to use a combination of both methods. True False

True

Security frameworks establish behavior expectations and define policy. Policies cannot address every scenario employees will face, but strong training on the core principles that create those policies will equip employees to do their jobs successfully. True False

minimizes future instances of human error

Security policies that clarify and explain how rights are assigned and approved among employees can ensure that people have only the access needed for their jobs. Which of the following is not accomplished when prior access is removed? minimizes future instances of human error reduces the overall security risk to the organization maintains separation of duties simplifies investigation of incidents

True

Security standards provide guidance for achieving specific security policies, are frequently related to particular technologies or products, are used as benchmarks for audit purposes, and are drawn from industry best practices, experience, business drivers, and internal testing. True False

False

Security standards provide guidance towards achieving specific security policies. Standards are formal documents that establish: 1) details of how the program runs; 2) who is responsible for day-to-day work; 3) how training and awareness are conducted; and 4) how compliance is handled. True False

False

Some organizations create a specific consequence model for information security policy. Violations can replace and absorb the broader HR polices that deal with disciplining individuals. A consequence model is intended to be punitive for the individual. True False

False

The BIA has two intended outcomes: 1) an enumerated list of dependencies and critical processes, and 2) a critical investigation of regulatory and legal requirements. True False

audits

The COBIT Monitor, Evaluate, and Assess domain looks at specific business requirements and strategic direction, and determines if the system still meets these objectives. To ensure requirements are being met, independent assessments known as________________ take place. audits

False

The Committee of Sponsoring Organizations (COSO) is an endorsed framework that companies commonly use to meet SOX 404 requirements. Formerly known as the Information Systems Audit and Control Association, this framework is an internationally recognized best practice. True False

True

The DRP provides the documentation and policies necessary for an organization to gain recovery of its IT assets following a significant outage. True False

True

The Gramm-Leach-Bliley Act (GLBA) is enforced through regulators who are members of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC publishes booklets describing what types of computer security policies and controls must be in place for an institution or company to be compliant with GLBA. True False

The bank should notify the regulator based on the threshold set for how many records can be subject to unauthorized access.

The Gramm-Leach-Bliley Act (GLBA) was created to protect the confidentiality and security of customer information. Thus, under GLBA, organizations are required to inform regulators quickly if any unauthorized access or breach has occurred. Consider this scenario: A bank teller accesses a customer account out of curiosity. What is the best course of action following this event? The bank should notify the regulator based on the threshold set for how many records can be subject to unauthorized access. The bank should notify the teller that she is to be terminated immediately and investigated for suspicious activity. The bank should notify the regulator immediately because the teller has exhibited suspicious activity. The bank should notify the regulator because it is evidence that a pervasive control weakness exists.

True

The Gramm-Leach-Bliley Act uses the term nonpublic personal information (NPI) to denote any personally identifiable financial information that a consumer discloses to a financial institution. @ Reference: p 180 True False

who detected the incident

The IRT report that is ultimately generated for executive management must be certain to educate all stakeholders regarding exploited risks. Which of the following items is not required to be addressed in the report?

False

The Information Technology Infrastructure Library (ITIL) contains three books that represent the ITIL life cycle: service transition, service operation, and service design. It is standard practice for an organization to adopt all sections of the ITIL life cycle. True False

service assessment

The Information Technology Infrastructure Library (ITIL) is a series of books that describe IT practices and procedures, and it has five core books called volumes. Which of the following is not one of the five volumes? service assessment

True

The Information Technology and Infrastructure Library (ITIL) is a set of practices and predefined procedures for managing specific IT services such as change management. True False

False

The MITRE Corporation Framework was created by the "Committee of Sponsoring Organizations of the Treadway Commission" in 1992. This framework is guided by the goals of establishing a framework of controls to guarantee a company's financial reports were free from fraud and accurately represented. True False

planning

The NIST SP 800-53, "Recommended Security Controls for Federal Information Systems" was written using a popular risk management approach. Which of the following control areas best fits this description: "This is the area in which an organization develops, documents, periodically updates, and implements security plans for information systems"?

secret

The National Security Information document EO 12356 explains the U.S. military classification scheme of top secret, secret data, confidential, sensitive but unclassified, and unclassified. Which of the following data can be reasonably expected to create serious damage to national security in the event that it was subject to unauthorized disclosure?

False

The Sarbanes-Oxley (SOX) Act became law in 2002, and it was enacted in reaction to a series of accusations of corporate fraud. The basic idea behind SOX 404 is to recommend security policies and controls that provide confidence in the accuracy of financial statements. There are many critics who argue that the act does not go far enough in describing how a company should report earnings, valuations, corporate responsibilities, and executive compensation. True False

False

The Security Content Automation Protocol (SCAP) was developed under the Federal Information Security Management Act (FISMA) to institute minimum requirements, standards, and guidelines, and for tools used to scan systems. SCAP identifies two specifications for implementation: Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). True False

workstation

The _______________ domain refers to any endpoint device used by end users, which includes, but is not limited to, any smart device in the end user's physical possession and any device accessed by the end user, such as a smartphone, laptop, workstation, or mobile device. workstation user remote access system/application

False

The acceptable use policy (AUP) is a document dedicated to the safeguarding of passwords. @ Reference: p 381 Explanation: B is correct because the AUP addresses a number of high-risk behaviors in addition to password protection. True False

audit

The act of recording noteworthy security events that transpire on a network or computing device is known as a(n) ______________________.

True

The authority to conduct audits differs from one organization to another. Governments, for instance, are bound to conduct audits at the behest of legal statutes and directives, whereas a private company might be required to submit to audit requirements as determined by its board of directors. @ Reference: p 251 True False

True

The benefit of a risk-aware culture is that people want to do the right thing all the time, which leads to an increased likelihood of policies being followed. Thus, when this behavior is modeled every day by everyone, it becomes the norm. True False

True

The central role of the operational risk committee is to manage risk to the business, which entails making certain that the business is functioning within its risk tolerance and risk appetite. @ Reference: p 404 True False

True

The concept of independent audits (or assessments) is that the further one is away from the actual transaction, the more unbiased and independent the opinion that can be obtained. True False

False

The conventional wisdom concerning the security frameworks of domains is that it is always preferable for an organization to create a framework based on its own needs. Frameworks like ISO and COBIT are resources and should not be used as models to build on. @ Reference: p 287-288 Explanation: B is correct because it is strongly advised that organizations initially choose a framework like ISO or COBIT and proceed to develop requirements and standards based on that framework as a model. It is seldom the case that an organization would need to create a new policy with original content. True False

coordinated operating model

The different concepts in the architecture operating model are aligned with how the business chooses to integrate and standardize with an enterprise solution. In the___________________, the technology solution shares data across the enterprise. coordinated operating model diversified operating model replicated operating model unified operating model

True

The disaster declaration policy contains the plan for declaring a disaster. Activating this plan might include the emergency notification of personnel, strategic vendors, and stakeholders as well as activation of alternative sites and housing and transport arrangements. True False

enforce policies at the executive and enterprise levels

The executive management has the responsibility of connecting many lines of business to bring resolution to strategy business issues. However, their ultimate responsibility is to ___________________________.

True

The following example of an air conditioning factory illustrates the QA and QC processes: The QA process assesses the different parts of air conditioners following their installation. This can include, for instance, testing the air filter to ensure that it functions. The QC process, however, examines manufacturer records of air filters to determine why the QA process unsuccessfully caught a defective air filter. True False

False

The functions of a pervasive control are to ascertain when policy violations occur and assess reports of risk and vulnerability. True False

instituting chances for employees to gather new skills, which can foster enhanced job satisfaction

The goal of employee awareness and training is to ensure that individuals are equipped with the tools necessary for the implementation of security policies. Which of the following is one of the other benefits of a successfully enacted training and awareness program? employees will have improved job security instituting chances for employees to gather new skills, which can foster enhanced job satisfaction employees will be easier to discipline management will have more control over employees

subject matter expert (SME)

The information security organization performs a significant role in the implementation of solutions that mitigate risk and control solutions. Because the security organization institutes the procedures and policies to be executed, they occupy the role of ____________________. front-line manager executive management general counsel subject matter expert (SME)

explanation of penalties and disciplinary actions for specific infractions

The information security program charter is the capstone document for the information security program. This required document establishes the information security program and its framework. Which of the following components is not defined by this high-level policy?

business impact analysis

The initial step in creating a business continuity and security response plan is a _________________, which can be used to assemble the business and security responses in order to diminish losses. business assessment component assessment component priority business impact analysis

True

The last step on Kotter's Eight-Step Change Model is to anchor the changes in corporate culture; to make anything stick, it must become habit and part of the culture. Therefore, it is important to find opportunities to integrate security controls into day-to-day routines. True False

False

The main difference between a guideline and a standard is that the former is a mandated control and the latter is a strong endorsement of a course of action. True False

True

The main difference between management and governance committees is that the former deals with the details necessary for maintaining daily business operations, while the latter has the responsibility of establishing the strategic direction. True False

True

The main motivation for information security is overall good practice and common sense. While compliance is important, it is necessary to be extremely mindful of other risks to security not covered by laws and regulations. True False

executive, security

The members of the _________________ committee help create priorities, remove obstacles, secure funding, and serve as a source of authority. Members of the _______________ committee, however, are leaders across the organization.

The CPO must be a lawyer.

The most senior leader responsible for managing an organization's risks is the chief privacy officer (CPO). Which of the following is not one of the responsibilities of the CPO?

assessing the proper technical and non-technical operation of controls and remediating areas where controls are lacking or not operating properly

The new class of software available to support policy management and publication is called Governance, Risk, and Compliance (GRC). Which of the following explanations fits the "governance" category of the software? assessing the proper technical and non-technical operation of controls and remediating areas where controls are lacking or not operating properly supporting analysis, quantification, and management of risk within the organization distribution, authoring, and policy and controls mapping to the governing regulation tracking exceptions to security regulations and policies

False

The only benefit to giving system administrators enhanced access rights is that it significantly diminishes the total security risk to the organization. Thus, if the systems administrator's credentials are endangered, access would be limited. @ Reference: p 243-244 Explanation: B is correct because there are several advantages to giving system administrators enhanced access rights, which include: significantly diminishing the volume of logs to be assessed to determine when an administrator is not acting in good faith and improving the cooperation and understanding between technical tasks and business requirements. True False

True

The operational risk committee has the ability to determine which business activities are riskier than others. For example, if a business wants to sell product on the Internet for the first time, then the risk committee would need to understand the wide-ranging risks involved as well as the organization's security capability. True False

True

The process of ensuring the security of a physical fax device is as vital as securing a copier because both have internal memory and contain storage of prior documents printed. If these documents contain sensitive information, it is necessary to monitor access. True False

False

The reason that the United States has privacy laws is that an individual's privacy is the government's sole concern, and as such, the government is the main beneficiary of privacy laws. True False

False

The recovery time objective (RTO) is the greatest permissible level of data loss from the origin point of a disaster. True False

True

The risk governance domain guarantees that the entire range of opportunities and consequences are considered with regard to business strategy. True False

middle management

The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that ________________ receives training in basic security requirements, regulatory and legal requirements, detailed policy review, and reporting suspicious activity. middle management senior management the end users the IT custodians

False

The security operations team has the responsibility of monitoring intrusions and breaches in the form of firewalls and network traffic. When the team finds a breach, they notify independent auditors who aid in the recovery of the business and will provide an assessment of how the breach occurred. True False

risk appetite, risk tolerance

The security posture of an organization is usually expressed in terms of ___________________, which generally refers to how much risk an organization is willing to accept to achieve its goal, and ____________________, which relates how much variance in the process an organization will accept. risk assessment, risk manageability risk tolerance, risk appetite risk awareness, risk reduction risk appetite, risk tolerance

organizational culture

The shared belief system of employees in a business or company is known as the _____________________. organizational culture architecture operating model coordinated operating model diversified operating model

developer coding standards

The system/application domain covers an expansive range of topics; therefore, the baseline standards in this domain are diverse. For example, the _____________________ explain how to compose and assess the security of applications. public key infrastructure certification authority standard approved cryptographic algorithms and key lengths standard developer coding standards physical security baseline standards

False

The term "noncompliant" is only applied to employees who intentionally violate a policy. True False

data at rest, data in transit

The term ________________ denotes data that is being stored on devices like a universal serial bus (USB) thumb drive, laptop, server, DVD, or CD. The term ______________ denotes data that exists in a mobile state on the network, such as data on the Internet, wireless networks, or a private network. data at rest, data in transit data in transit, data at rest data on record, data in motion data in transit, data on record

False

The terms system software and application software can be used interchangeably because they perform the same functions of allowing a computer to communicate over a network. @ Reference: p 91 Explanation: B is correct because even though people often use the terms system software and application software interchangeably, they are not the same. Generally, business software used by an end user is an application such as e-mail, word processing, and spreadsheet software. System software is the operating system that runs applications and allows a computer to communicate over a network. True False

True

The type and frequency of security awareness training is contingent on the type of user. For instance, all users might be required to attend refresher training courses on an annual basis, whereas a vendor should be required to attend outside training only as outlined in the vendor-company contract. @ Reference: p 377 True False

finance

The ultimate goal of the review and approval processes is to gain senior executive approval of the policy or standard by the chief information security officer (CISO). In order to gain this approval, the CISO requires all parties to sign off on the document. Which of the following is not among the suggested list of people who should be given the chance to become a second or third layer of review?

vulnerability

The window of ________________ is the time between when an opportunity for risk is identified and when the risk is ultimately eliminated by a patch. threat risk vulnerability danger

democracy

The _____________________ principle states that it is important to consider your users or partners when requiring information that could place their privacy rights at risk. Thus, the security of an information system should be balanced against the rights of customers, users, and other people affected by the system versus your rights as the owners and operators of these systems.

Microsoft Baseline Security Analyzer (MBSA)

There are a number of automated tools created by Microsoft that can be used to verify compliance. One such tool is the ____________________, which is a free download that locates system vulnerabilities by sending queries. This tool can scan multiple systems in a network and maintain a history of reports for all prior scans. System Center Configuration Manager (SCCM) Systems Management Server (SMS) Microsoft Baseline Security Analyzer (MBSA) Nessus

GRC for IT operations, governance, risk management, and compliance

There are many IT security policy frameworks that can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks? COSO for financial controls and enterprise risk management structure COBIT for IT controls, governance, and risk management ITIL for IT services management GRC for IT operations, governance, risk management, and compliance

disciplinary action for employees who fail to accept policies

There are many barriers to policy acceptance and enforcement. Which of the following is not one of the challenges to policy acceptance? organizational support at all levels giving employees a stake policy awareness and understanding disciplinary action for employees who fail to accept policies

log reviews

There are many different types of automated controls that are configured into devices for the purpose of enforcing a security policy. Which of the following is not an automated control?

defines the scope of the compliance being measured

There are many distinct benefits to control measurement. Which of the following benefits is the result of determining which security controls to measure?

pretexting

There are many ways that people can be manipulated to disclose knowledge that can be used to jeopardize security. One of these ways is to call someone under the false pretense of being from the IT department. This is known as _________________________. hacking social engineering pretexting exploitation

chain of custody

There are particular tools and techniques that the IRT utilizes to gather forensic evidence, including ____________________, which articulates the manner used to document and protect evidence. classification log chain of custody digital data files data log report
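
As an added example (not from the textbook), the block below shows one way a chain of custody can be made verifiable in software: every handling event records who held the evidence, when, the SHA-256 of the evidence at that moment, and the hash of the previous entry, so altering either the evidence or any log entry breaks verification. The `CustodyLog` class, the item identifier, the analyst names and the timestamps are constructed for the demonstration.

```python
import hashlib
import json

ZERO_HASH = "0" * 64  # sentinel "previous entry" for the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled an evidence item and when. Each entry carries the
    evidence hash and the hash of the previous entry (a hash chain), so the log detects
    both tampering with the evidence and tampering with earlier entries."""

    def __init__(self, item_id: str, evidence: bytes, collected_by: str, when: str):
        self.item_id = item_id
        self.entries: list[dict] = []
        self._append(collected_by, when, "collected", evidence)

    def _append(self, who: str, when: str, action: str, evidence: bytes) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else ZERO_HASH
        entry = {"item": self.item_id, "who": who, "when": when, "action": action,
                 "evidence_sha256": sha256_hex(evidence), "prev": prev}
        # Canonical JSON (sorted keys) so the hash is reproducible at verification time.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def transfer(self, to_whom: str, when: str, evidence: bytes) -> None:
        """Re-hash the evidence on every hand-off; a mismatch here is caught by verify()."""
        self._append(to_whom, when, "transferred", evidence)

    def verify(self, evidence: bytes) -> bool:
        """True only if every entry hashes correctly, links to its predecessor, and
        recorded the same evidence hash as the item presented now."""
        current = sha256_hex(evidence)
        prev = ZERO_HASH
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            if e["evidence_sha256"] != current:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    image = b"constructed disk image bytes"  # stands in for an acquired evidence file
    log = CustodyLog("HDD-001", image, "analyst A", "2024-01-01T09:00:00Z")
    log.transfer("analyst B", "2024-01-02T10:00:00Z", image)
    print("intact:", log.verify(image))
    print("altered evidence:", log.verify(image + b"\x00"))
```

In practice the log itself is stored where the analysts cannot rewrite it (a write-once store or a signed export), since the hash chain proves tampering only if at least one trusted copy of the final entry hash exists.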

using images when feasible in the implementation of new operating systems

There are several different best practices available for implementation when creating a plan for IT security policy compliance monitoring. One such practice is to design a baseline derived from the security policy, which entails _________________. using a security policy document as a blueprint using images when feasible in the implementation of new operating systems formally tracking any rule and regulatory changes in a routinized way regularly checking systems after the baseline being deployed

True

There are two reasons that an industry prefers self-regulation to government regulation: cost and flexibility. True False

False

There are two terms consistently used when describing firewalls: stateful and stateless. A stateless firewall surveys all the traffic for a particular connection and investigates the packets containing the data to seek out sequences and patterns that are incongruent. A stateful firewall examines each packet on a case-by-case basis. It does not have any prior information and avoids making predictions of what should come next. True False
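
The item is false because the two descriptions are swapped: a stateless filter judges each packet alone, while a stateful one tracks connections and admits inbound packets only when they belong to one it has seen opened. As an added example (not from the textbook), the block below runs the same three constructed packets through a minimal filter of each kind; the topology (10.0.0.0/8 as the protected LAN), the addresses and the `Packet` type are assumptions for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    """Constructed topology: 10.0.0.0/8 is the protected LAN, everything else is outside."""
    return ip.startswith("10.")


def stateless_allow(pkt: Packet) -> bool:
    """Each packet judged on its own. To let HTTPS replies back in, the only thing the
    filter can key on is the source port, so any outsider who sends from port 443 is admitted."""
    if is_inside(pkt.src) and pkt.dport == 443:
        return True
    if is_inside(pkt.dst) and pkt.sport == 443:
        return True
    return False


class StatefulFirewall:
    """Records a connection when an inside host opens it (outbound SYN) and admits inbound
    packets only when they are the reverse of a recorded 4-tuple."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_inside(pkt.src) and pkt.dport == 443 and pkt.syn and not pkt.ack:
            self.table.add(key)          # new outbound connection
            return True
        if key in self.table:            # further outbound packets on a known flow
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.table     # inbound reply to a known flow


TRACE = [  # constructed packets
    Packet("10.0.0.5", 51000, "198.51.100.10", 443, syn=True),             # client opens HTTPS
    Packet("198.51.100.10", 443, "10.0.0.5", 51000, syn=True, ack=True),   # legitimate reply
    Packet("203.0.113.7", 443, "10.0.0.5", 3389),                          # forged: "from" 443 to RDP
]


def run(trace, decide) -> list:
    """Apply a decision function to each packet in order and return the verdicts."""
    return [decide(p) for p in trace]


if __name__ == "__main__":
    print("stateless:", run(TRACE, stateless_allow))
    print("stateful: ", run(TRACE, StatefulFirewall().allow))
```

The third packet is the point of the exercise: the stateless filter has no way to tell a reply from a packet that merely claims to come from port 443, whereas the stateful filter rejects it because no inside host ever opened a connection to 203.0.113.7. A production stateful engine also expires table entries on FIN/RST or timeout and checks sequence numbers, which this sketch omits.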

Federal Desktop Core Configuration (FDCC)

There have been a number of attacks on government systems that have been the result of fundamental errors. Correct configurations of these systems would have prevented these attacks, so security experts created the solution in the form of the ___________________________. Defense Information Systems Agency (DISA) Federal Desktop Core Configuration (FDCC) U.S. Office of Management and Budget (OMB) National Security Agency (NSA)

False

Though organizational challenges to security policy implementation vary depending on the culture and industry, the main hurdle has to do with a lack of sufficient budget to support implementation. @ Reference: p 372 Explanation: B is correct because there are other obstacles that exist concerning implementation of security policies, and these include accountability that is not transparent, insufficient prioritizing, and inflexible schedules. True False

True

Though the position of CISO may also be known by many other titles, the CISO role itself is the top-ranking individual with full-time responsibility for information security. True False

data privacy

To be compliant with the security standards and processes outlined in NIST publications, policies must include key security control requirements. Which of the following is not one of the key requirements? inventory data privacy categorize by risk level security controls

True

Understanding the distribution of classification is vital to understanding the levels of sensitive data. If there is an overclassification of data, this might indicate an unnecessarily costly means of securing data that is not as vital, whereas underclassification suggests that the most vital data may not be sufficiently secured. True False

True

Version control is an important consideration when it comes to IT security policy automation for two reasons. First, the security policy document itself needs to record the policy if the policy is changed. Second, actual changes to the system need to be recorded in the database for change control work orders and the configuration management database (CMDB). True False

True

Vulnerability scanners are important tools. However, there are two built-in limitations: 1) scanners are only as good as their testing approach and scripts, and 2) there are some scanners that need increased access to the system's configuration file in order to yield the best results. True False

True

WAN standards often address WAN management, router security, protocols, Domain Name Services (DNS), and Web services. As such, a WAN controls standard might include the following types of statements: "All access points to the WAN shall be approved by the IS department," and "All WAN-related address changes and configurations shall be approved by the IS department." @ Reference: p 279 True False

True

WBEM is based on different standards derived from the Internet and from the Distributed Management Task Force (DMTF), Inc. Such standards include: CIM-XML; WS-Management, and CIM Query Language (CQL). True False

Regulations have authority that derives from the original law.

What is the main difference between a law and a regulation? Security policies try to comply with regulatory requirements. Regulation requirements create procedures for determining legal thresholds. Regulations have authority that derives from the original law. Laws institute legal thresholds.

lack of complete inventory of IT assets and their configurations

When a major private sector business experiences a data breach on the scale that the retailer Target experienced in 2013, the financial impact can be significant. In this event, significant weaknesses in the information security framework and its related controls were present. Which of the following major impact areas is not one of the three that should have been addressed in a well-implemented security framework? lack of complete inventory of IT assets and their configurations lack of vendor access management lack of a dedicated CSO lack of network POS controls

True

When any tool makes any changes on a network, it is necessary that these changes are captured in a change management record for the purpose of creating an audit trail. Then, the tool making the change can capture any changes it makes on any systems. Audit trails are valuable tools for determining the existence of unauthorized changes. True False

False

When changes or maintenance need to be performed, it is helpful to use information that describes changes to the organization; these changes often occur when there are common problems concerning compliance. @ Reference: p 199 Explanation: B is correct because information about common problems concerning compliance can be found in exceptions and waivers, not information about changes to the organization. True False

True

When confronting guest and general public access, some best practices include but are not limited to the following: strictly prohibiting access to specific functions, conducting a penetration test on all public-facing Web sites to detect control vulnerabilities, and minimizing the amount of network traffic to point-to-point communications. True False

access

When constructing policies regarding data _______________, it is important that these policies offer particular guidance on separation of duties (SOD), and that there are procedures that verify SOD requirements. creation access use storage

False

When creating a company's security policy, it is important that the scope of the program usually includes resources, information, and personnel. However, it is not necessary that the scope is aligned with the company's annual information security budget. True False

True

When developing policy to secure PII data, the following guidelines should be considered: examine, collaborate, align, educate, retain, limit, disclose, and encrypt. True False

False

When discussing security policies and implementation tasks, one should follow a checklist with three items: things to do; things to pay attention to; and things to report. True False

False

When employees are feeling doubtful, they often feel a lack of motivation and just "go through the motions," and this leads to putting the organization's security at risk. True False

False

When handling data, the process of transmission refers to the need to ensure that data is encrypted, protected, and tracked upon arrival at its destination. True False

True

When implementing a patch, it is recommended that there be a back-out strategy in place; this is necessary because it is possible the patch might create complications. True False

while the application is being written

When is the best time to implement security policies to help developers diminish the number of vulnerabilities during application development?

False

When it comes to information, an organization has one main concern about how that information is collected, stored, and processed: Is the information safe? True False

severity 3

When reporting incidents, it is necessary to institute transparent procedures for filing incident reports. The process of the incident classification is known as triage. When triage is set in motion, the severity of the threat is assessed. For example, ___________________ occurs when there are a number of unauthorized scans, system probes, or vast viruses detected; the event also necessitates manual intervention. severity 1 severity 2 severity 3 severity 4

service level agreement

When writing a ____________________, one could state how often a supplier will provide a service or how quickly a firm will respond. For managed services, this document often covers system availability and acceptable performance measures. contract policy service level agreement standard

True

Whenever a high-risk application is put into place in an organization, it is necessary for the following four user domain-level securities to be enacted: risk assessment, controls design, access management, and escalation. True False

True

Whenever a high-risk application is put into place in an organization, it is necessary for the following four user domain-level securities to be enacted: risk assessment, controls design, access management, and escalation. @ Reference: p 258 True False

the project committee

Which of the following committees is responsible for the review of concepts, testing phases, and designs of new initiatives as well as determining when a project can enter the production phase? the external connection committee the architecture review committee the operational risk committee the project committee

developer-related standards

Which of the following control standards in the system/application domain maintains control of both managing errors and ensuring against potentially damaging code?

flat network

Which of the following is not one of the common network devices found on the LAN domain?

Evaluate, Assess, and Perform

Which of the following is not one of the four domains that collectively represents a conceptual information systems security management life cycle? Evaluate, Assess, and Perform

Employees who have accepted security policies distinguish themselves from others in the organizational culture.

Which of the following is not one of the outcomes of a wide acceptance of security awareness among employees?

software engineers

Which of the following is not one of the types of control partners?

employees lacking in self-interest

Which of the following is not one of the consequences of having an unmotivated employee?

It is very expensive and nearly impossible to test all of a company's controls.

Which of the following is one of the challenges of the Sarbanes-Oxley (SOX) Act?

It can only measure individual knowledge of presented material.

Which of the following is one of the downsides of a computer-based training (CBT) approach? It can only measure individual knowledge of presented material. It can be flexible to the point of becoming inconsistent. It is difficult to locate space to conduct training. It is far more expensive than instructor-led training.

It helps discern that attendees can demonstrate knowledge gained through training.

Which of the following is the most important reason to solicit feedback from people who have completed security awareness training?

This approach offers alternative courses of action that might not be obvious to the leaders.

Which of the following outcomes is one of the benefits of a risk-management approach to security policies?

The misuse and abuse of information has a major impact on the lives of individuals and their privacy.

Which of the following statements best captures the reason why U.S. compliance laws came about?

An individual might think that threatening to disclose security information will earn the attention and recognition from the organization and thus result in promotion.

Which of the following statements does not offer an explanation of what motivates an insider to pose a security risk? An individual might feel jaded as a result of not receiving a promotion that s/he was expecting. An individual might have experienced a personal difficulty or disappointment. An individual might feel like s/he is entitled to "claim" the rewards s/he has earned but not received. An individual might think that threatening to disclose security information will earn the attention and recognition from the organization and thus result in promotion.

The LAN needs to establish a secure connection to the WAN to ensure that traffic is thoroughly inspected and carefully filtered.

Which of the following statements illustrates the importance of the LAN-to-WAN domain to an organization's security?

Even when an industry standard is applied, there is no way to predict there will be compatibility.

Which of the following statements is most accurate with respect to infrastructure security? Banking and finance sectors do not require standards for interbank communications. Small banks should not attempt to exchange check information with large banks. Even when an industry standard is applied, there is no way to predict there will be compatibility. Industry standards are never subject to interpretation.

systems acquisition, development, and maintenance

Which of the following topics describes the process of building security into applications?

vendors

Which of the following user groups has both the business needs of being able to access the systems, network, and application to complete contracted services, and access capability that is limited to particular sections of the systems, network, and application?

security personnel

Which of the following user types is responsible for audit coordination and response, physical security and building operations, and disaster recovery and contingency planning? system administrators control partners security personnel vendors

content-blocking tools configuration standard

Which of the following is not one of the policies concerned with LAN-to-WAN filtering and connectivity? DMZ control standard user Internet proxy standard content-blocking tools configuration standard external information system services connect standard

Classify all forms of data no matter the risk to the organization.

While it would not be possible to classify all data in an organization, there has nonetheless been an increase in the amount of unstructured data retained in recent years, which has included data and logs. There are many different ways to make the time-consuming and expensive process of retaining data less challenging. Which of the following is not one of these approaches?

True

While procedures and standards describe the "how" of configuring security devices to implement the policy, security policies provide the "what" and "why" of security measures. True False

15

While the amount of data known as mission-critical depends on the organization and industry, such data should only represent less than ____________ percent of the data population. 0 15 50 90

detecting whether employees are listening to music that is inappropriate for the workplace

While there are many valid reasons to monitor users' computer activities, which of the following is an invalid reason? ensuring a productive workforce determining when security policies are being violated handling the security of sensitive data detecting whether employees are listening to music that is inappropriate for the workplace

True

With a framework in place, controls and risk become more measurable. The ability to measure the enterprise against a set of standards and controls assures regulators of compliance and helps reduce uncertainty. True False

auditors

Within the seven domains of a typical IT infrastructure, there are particular roles responsible for data handling and data quality. Which of the following individuals does not work with the security teams to ensure data protection and quality? data stewards auditors head of information management data custodians

COBIT

_______________ is an international governance and controls framework and a widely accepted standard for governing, assessing, and managing IT security and risks.

Cyberterrorism

_______________ refers to an attempt to cause fear or major disruptions in a society through hacking computers. Such attacks target government computers, major companies, or key areas of the economy. Cyberterrorism Globalization Nation-state attack Sovereign war

Configuration management

________________ controls the processes associated with monitoring and changing configuration throughout the life of a system. This includes the original baseline configuration.

Quality assurance; Quality control

________________ functions as a preventive control designed to prevent mistakes from happening. ________________ functions as a detective control intended to improve the quality over time by affording opportunities to learn from past mistakes. Quality assurance; Quality control

Business risk

__________________ is a term that denotes the way that a policy either diminishes business disruptions or facilitates the business's success.

Management committees, government committees

___________________ are responsible for the monitoring of activities in the pre, middle, and post stages of goal implementation, whereas __________________ are responsible for the monitoring of activities following the implementation and are called upon to evaluate whether or not the goals have been achieved.

Information systems security

___________________ is the act of protecting information and the systems that store and process it. Information systems security Policy framework Change management Policy principles document

Gateway committees

____________________ are instituted by the executive management and are responsible for enforcing policies by reviewing technology activity and greenlighting new projects and activities.

Consumer rights

_____________________ in e-commerce broadly deals with creating rules on how to handle a consumer's transaction and other information.

False

In the concept of best fit privilege, a user has the bare minimum access based on what is needed to complete one's responsibilities. Least privilege, however, states that individuals should have the bare minimum access based on what is needed to complete one's responsibilities and have that access managed with the utmost efficiency. The difference is that best fit privileges customize access to the individual, while least privileges typically customize access to the group or class of users. True False
