Quiz 1


Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

True

T/F A clearly directed strategy flows from top to bottom rather than from bottom to top.

True

T/F A project can have more than one critical path.

True

T/F Asset classification schemes should categorize information assets based on which of the following?

True

T/F Project scope management ensures that the project plan includes only those activities that are necessary to complete it.

True

T/F The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.

True

T/F The InfoSec community often takes on the leadership role in addressing risk.

True

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

Authentication

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?

Confidentiality

Which of the following is a network device attribute that is tied to the network interface?

MAC address

Which of the following is true about planning?

Planning helps you check your progress

If the project deliverables meet the requirements specified in the project plan, the project has met its ____________________ objective.

Quality

What do audit logs that track user activity on an information system provide?

Accountability

Which of the following is the first step in the problem-solving process?

Recognizing the problem.

The basic outcomes of InfoSec governance should include all but which of the following?

Resource management by executing appropriate measures to manage and mitigate risks to information technologies

The identification and assessment of levels of risk in an organization describes which of the following?

Risk analysis

Which of the following is an information security governance responsibility of the Chief Security Officer?

Set security policy, procedures, programs and training

According to the C.I.A. triangle, which of the following is a desirable characteristic for computer security?

availability

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

likelihood (the probability of a successful attack)

What is the final step in the risk identification process?

listing assets in order of importance

Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

management

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

managerial controls

Communications security involves the protection of which of the following?

media, technology, and content

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organization

Which of the following is a key step needed in order for a JAD approach to be successful?

organize workshop activities

In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.

penetration

Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?

people

_________resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.

physical

Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

policy

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

relative

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

relative value

It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them?

What other activities require the same resources as this activity?

Which type of planning is the primary tool in determining the long-term direction taken by an organization?

strategic

In which level of planning are budgeting, resource allocation, and manpower critical components?

tactical

Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?

uncertainty percentage

Which of the following is a key advantage of the bottom-up approach to security implementation?

utilizes the technical expertise of the individual admins

What is defined as specific avenues that threat agents can exploit to attack an information asset?

vulnerabilities

In which model of the SecSDLC do the work products of each phase fall into the next phase to serve as its starting point?

waterfall

In which phase of the SecSDLC does the risk management task occur?

Analysis

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Calculating the risks to which assets are exposed in their current setting

Which type of attack involves sending a large number of connection or information requests to a target?

DoS

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

Executive management develop corporate-wide policies

What is one of the most frequently cited failures in project management?

Failure to meet project deadlines

Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.

False

T/F A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.

False

T/F Corruption of information can occur only while information is being stored.

False

T/F The authorization process takes place before the authentication process.

False

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

Hold regular meetings with the CIO to discuss tactical InfoSec planning

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

IP Address

According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?

Establishing

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?

Initiating

What is the first phase of the SecSDLC?

Investigation

The ______________________ phase is the last phase of SecSDLC, but perhaps the most important.

Maintenance and change

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Manufacturer's part number

Which type of planning is used to organize the ongoing, day-to-day performance of tasks?

Operational

Which of the following is an example of a technological obsolescence threat?

Outdated Servers

Which of the following was originally developed in the late 1950s to meet the needs of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems?

PERT

The set of organizational guidelines that dictates certain behavior within the organization is called ____________________.

Policy

Which of the following attributes does NOT apply to software information assets?

Product dimensions

Information security project managers often follow methodologies based on what methodology promoted by the Project Management Institute?

Project Management Body of Knowledge (PMBoK)

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Threats-vulnerabilities-assets (TVA) worksheet

A(n) ___________ attack enables an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries.

Timing
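The timing attack named above, shown as an added example that is not part of the original quiz: a secret-comparison routine that returns at the first mismatching byte leaks, through its response time, how many leading bytes of a guess were correct, and an attacker who can time the check recovers the secret one byte at a time. The token, the two check functions and the attacker loop are all constructed for illustration; instead of wall-clock time, which is noisy, the example counts the byte comparisons each check performs, since that count is what the response time exposes.

```python
"""Timing side channel in a secret comparison, and its constant-time fix.

Added example, not part of the original quiz. The token, the 'service'
check functions and the attacker loop are all constructed here. Rather than
wall-clock time, which is noisy, the example counts how many byte
comparisons a check performs; that count is exactly what response time
leaks to an attacker who can time the service.
"""
import hmac

SECRET_TOKEN = b"k3y-9f2a"                              # constructed secret held by the service
ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789-"     # constructed token alphabet


class ComparisonCounter:
    """Stands in for a stopwatch: counts byte comparisons performed."""

    def __init__(self) -> None:
        self.comparisons = 0


def naive_equal(secret: bytes, guess: bytes, counter: ComparisonCounter) -> bool:
    """Vulnerable check: returns at the first mismatching byte, so the work
    done (and the response time) grows with the length of the matching prefix."""
    if len(secret) != len(guess):
        return False
    for a, b in zip(secret, guess):
        counter.comparisons += 1
        if a != b:
            return False
    return True


def constant_time_equal(secret: bytes, guess: bytes, counter: ComparisonCounter) -> bool:
    """Hardened check: visits every byte and accumulates the differences, so
    the work done is the same for any guess of the right length."""
    if len(secret) != len(guess):
        return False
    diff = 0
    for a, b in zip(secret, guess):
        counter.comparisons += 1
        diff |= a ^ b
    return diff == 0


def verify_token(presented: bytes) -> bool:
    """What production code should use: the standard library's
    hmac.compare_digest, whose running time does not depend on where
    the inputs differ."""
    return hmac.compare_digest(SECRET_TOKEN, presented)


def recover_secret(check, secret_len: int):
    """Attacker loop; the token length is assumed known. `check(guess, counter)`
    models one timed request to the service. For each position the attacker
    tries every alphabet byte, padded with a filler byte that is never part of
    the token, and keeps the single candidate that made the service do the most
    work. Returns the recovered token, or None when the measurements do not
    single out a candidate, which is what happens against a constant-time check."""
    recovered = b""
    for pos in range(secret_len):
        costs = {}
        for c in ALPHABET:
            guess = recovered + bytes([c]) + b"\x00" * (secret_len - pos - 1)
            counter = ComparisonCounter()
            if check(guess, counter):
                return guess                # full match: nothing left to recover
            costs[c] = counter.comparisons
        slowest = max(costs.values())
        candidates = [c for c, n in costs.items() if n == slowest]
        if len(candidates) != 1:
            return None                     # no outlier: the side channel is closed
        recovered += bytes(candidates)
    return None


if __name__ == "__main__":
    oracle = lambda g, ctr: naive_equal(SECRET_TOKEN, g, ctr)
    print("naive check leaks token:", recover_secret(oracle, len(SECRET_TOKEN)))
    hardened = lambda g, ctr: constant_time_equal(SECRET_TOKEN, g, ctr)
    print("constant-time check leaks:", recover_secret(hardened, len(SECRET_TOKEN)))
```

Against the early-exit check the loop recovers the whole token with one "request" per alphabet byte per position; against the constant-time check every candidate costs the same and the loop gives up. The counter is a stand-in: over a real network the attacker repeats each measurement many times and averages, but the leak is the same.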

The management of human resources must address many complicating factors; which of the following is NOT among them?

all workers operate at approximately the same level of efficiency

Which of the following should be included in an InfoSec governance program?

an infosec risk management methodology

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

back door

Which of the following is NOT a step in the problem-solving process?

build support among management for the candidate solution

Classification categories must be ____________________ and mutually exclusive.

comprehensive

Determining the cost of recovery from an attack is one calculation that must be made to identify risk. What is another?

cost of prevention

The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.

event-driven

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

factor analysis
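The weighted factor analysis worksheet behind this answer, and the "listing assets in order of importance" step it supports, worked through as an added example that is not part of the original quiz. The criteria, their weights and the asset scores are constructed for illustration; the method itself is the worksheet's: each criterion carries a weight, the weights total 100, every asset is scored 0.1 (negligible) to 1.0 (critical) against every criterion, and the weighted score is the sum of weight times score.

```python
"""Weighted factor analysis worksheet for ranking information assets.

Added example, not part of the original quiz. The criteria, their weights
and the asset scores are constructed for illustration. The method: each
criterion gets a weight and the weights total 100; every asset is scored
0.1 (negligible) to 1.0 (critical) against every criterion; an asset's
weighted score is the sum of weight * score; assets are then listed in
descending weighted score, which is the final step of risk identification.
"""
from typing import Dict, List, Tuple

Weights = Dict[str, float]
Scores = Dict[str, Dict[str, float]]

# Constructed criteria and weights (they must total 100).
CRITERIA_WEIGHTS: Weights = {
    "impact to revenue": 30,
    "impact to profitability": 40,
    "impact to public image": 30,
}

# Constructed asset scores on the 0.1 - 1.0 scale, one entry per criterion.
ASSET_SCORES: Scores = {
    "customer order database": {"impact to revenue": 1.0, "impact to profitability": 0.9, "impact to public image": 0.8},
    "EDI gateway":             {"impact to revenue": 0.8, "impact to profitability": 0.9, "impact to public image": 0.5},
    "public web server":       {"impact to revenue": 0.6, "impact to profitability": 0.4, "impact to public image": 1.0},
    "internal file share":     {"impact to revenue": 0.3, "impact to profitability": 0.5, "impact to public image": 0.2},
}


def validate_worksheet(weights: Weights, scores: Scores) -> None:
    """Reject a worksheet that breaks the method's rules: weights not totalling
    100, an asset scored against a different set of criteria, or a score
    outside 0.1 - 1.0. Silent mistakes here produce a wrong ranking."""
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError(f"criterion weights total {sum(weights.values())}, expected 100")
    for asset, row in scores.items():
        if set(row) != set(weights):
            raise ValueError(f"{asset!r}: scored against criteria that do not match the weights")
        for criterion, score in row.items():
            if not 0.1 <= score <= 1.0:
                raise ValueError(f"{asset!r}, {criterion!r}: score {score} outside 0.1-1.0")


def worksheet_is_valid(weights: Weights, scores: Scores) -> bool:
    """True when validate_worksheet accepts the worksheet."""
    try:
        validate_worksheet(weights, scores)
    except ValueError:
        return False
    return True


def weighted_score(weights: Weights, row: Dict[str, float]) -> float:
    """Sum of weight * score over all criteria, rounded to one decimal."""
    return round(sum(weights[c] * row[c] for c in weights), 1)


def rank_assets(weights: Weights, scores: Scores) -> List[Tuple[str, float]]:
    """Validate, score every asset, and return (asset, weighted score) pairs in
    descending order of importance; ties are broken by name so output is stable."""
    validate_worksheet(weights, scores)
    ranked = [(asset, weighted_score(weights, row)) for asset, row in scores.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    for asset, score in rank_assets(CRITERIA_WEIGHTS, ASSET_SCORES):
        print(f"{score:6.1f}  {asset}")
```

The validation step is the part practitioners skip and then regret: a criterion added to the scores but not to the weights, or weights that drift away from 100 after an edit, silently reorder the list that every later risk-rating step depends on.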

Blackmail threat of informational disclosure is an example of which threat category?

information extortion

Which of the following is NOT a unique function of Information Security Management?

principles

What should you be armed with to adequately assess potential weaknesses in each information asset?

properly classified inventory
