Security Policies and Governance Final (Ch. 8 - 14)
RADIUS is an organizational model that is focused on the design, integration, security, distribution, and management of data across the enterprise. Sizable organizations are inclined to concern themselves with the management of data as its own pursuit, which cuts across all domains.
False
Risk and control self-assessment is the term used to define how an organization's security policy allows the business to thrive, or the degree to which it diminishes the obstacles to the business.
False
The BIA has two intended outcomes: 1) an enumerated list of dependencies and critical processes, and 2) a critical investigation of regulatory and legal requirements.
False
The acceptable use policy (AUP) is a document dedicated to the safeguarding of passwords.
False
The conventional wisdom concerning the security frameworks of domains is that it is always preferable for an organization to create a framework based on its own needs. Frameworks like ISO and COBIT are resources and should not be used as models to build on.
False
The only benefit to giving system administrators enhanced access rights is that it significantly diminishes the total security risk to the organization. Thus, if the systems administrator's credentials are endangered, access would be limited.
False
When creating an IRT charter document, it is necessary to create a mission statement, which summarizes prior information on incident response and its significance to the organization.
False
WAN standards often address WAN management, router security, protocols, the Domain Name System (DNS), and Web services. As such, a WAN controls standard might include the following types of statements: "All access points to the WAN shall be approved by the IS department," and "All WAN-related address changes and configurations shall be approved by the IS department."
True
When confronting guest and general public access, some best practices include but are not limited to the following: strictly prohibiting access to specific functions, conducting a penetration test on all public-facing Web sites to detect control vulnerabilities, and limiting network traffic to point-to-point communications.
True
When developing baseline standards, it is vital to use industry best practices. Industry best practices standards enable one to justify choices being made to regulators. Furthermore, there is increased efficiency to be gained by modifying an existing standard as opposed to creating one from the ground up.
True
When implementing a patch, it is recommended that there be a back-out strategy in place; this is necessary because it is possible the patch might create complications.
True
Whenever a high-risk application is put into place in an organization, it is necessary for the following four User Domain-level security measures to be enacted: risk assessment, controls design, access management, and escalation.
True
With a framework in place, controls and risk become more measurable. The ability to measure the enterprise against a set of standards and controls assures regulators of compliance and helps reduce uncertainty.
True
The _______________________domain establishes the context and business view for a risk evaluation and guarantees that risk activity aligns with the business goals, objectives, and tolerances. The ________________ domain establishes that technology risks are identified and delivered to leadership in business terms.
risk governance, risk evaluation
The National Security Information document EO 12356 explains the U.S. military classification scheme of top secret, secret data, confidential, sensitive but unclassified, and unclassified. Which of the following data can be reasonably expected to create serious damage to national security in the event that it was subject to unauthorized disclosure?
secret
There are many IT security policy frameworks that can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks?
GRC for IT operations, governance, risk management, and compliance
What is the main difference between a law and a regulation?
Regulations have authority that derives from the original law.
If a CISO seeks to raise employees' awareness of the dangers of malware in the organization, which of the following approaches is recommended?
The CISO should talk about how malware could prevent the service desk from helping a customer.
The Gramm-Leach-Bliley Act (GLBA) was created to protect the confidentiality and security of customer information. Thus, under GLBA, organizations are required to inform regulators quickly if any unauthorized access or breach has occurred. Consider this scenario: A bank teller accesses a customer account out of curiosity. What is the best course of action following this event?
The bank should notify the regulator based on the threshold set for how many records can be subject to unauthorized access.
It is important that LAN guidelines transfer technical knowledge and experience by guiding an individual through core principles and varied ways of considering risks. Which of the following guidelines documents instructions on the intricacies and uses of wireless structures and types?
Wi-Fi security guidelines
When constructing policies regarding data _______________, it is important that these policies offer particular guidance on separation of duties (SOD), and that there are procedures that verify SOD requirements.
access
A security _____________identifies a group of fundamental configurations designed to accomplish particular security objectives.
baseline
Of all the reasons that people commit errors when it comes to IT security, which of the following is the main reason people make mistakes?
carelessness
The ____________________ identifies the processes entailed in the business continuity plan and/or the disaster recovery plan.
disaster declaration policy
Consider this scenario: A company that buys a sizeable amount of equipment for its manufacturing process needs to accurately report such expenditures, so it calls upon the services of financial auditors. While financial auditors might consider how robust the data might be, the company might also involve IT auditors to examine the technology in place to gather the data itself. What process is this company using to address its concerns?
integrated audit
The Barings Bank collapsed in 1995 after it was found that an employee had lost over $1.3 billion of the bank's assets on the market. The collapse occurred when an arbitrage trader was responsible for both managing trades and guaranteeing that trades were settled and reported according to proper procedures. To which of the following causes is this collapse attributed?
lack of separation of duties
Which of the following statements does not offer an explanation of what motivates an insider to pose a security risk?
An individual might think that threatening to disclose security information will earn the attention and recognition from the organization and thus result in promotion.
Training that happens in a classroom has many benefits, but which of the following is one of the most significant drawbacks concerning the instructors' abilities?
Instructors with sufficient expertise are difficult to find.
Also known as the Federal Information Processing Standards (FIPS), the_______________ framework is a shared set of security standards required by the Federal Information Security Management Act (FISMA).
NIST
Organizations seek to create a coherent set of documents that are stable and immune to the need for regular adjustments. However, the types of policy documents can differ, depending on the organization. Which of the following is not one of the reasons why these documents might vary from one organization to the next?
Organizations seldom have both baseline standards and control standards; it is more common to have one or the other.
During the process of developing a communications plan, it is necessary to ask the question, __________________.
"What is the target audience?"
A procedure document should accompany every baseline document. Which of the following is a true statement about the circumstances for when a procedure document needs to be created to support the baseline document?
Because many configuration processes reuse the same procedure, there does not need to be a new procedure document for every configuration.
Which of the following is the most important reason why data needs to be both retrievable and properly stored?
Companies need to maintain data for the purpose of keeping an audit trail.
Which of the following is not one of the outcomes of a wide acceptance of security awareness among employees?
Employees who have accepted security policies distinguish themselves from others in the organizational culture.
There must be security policies in place to set core standards and requirements when it comes to encrypted data. Which of the following is not one of these standards and requirements?
Encryption keys must be located in the same server as the encryption data.
In general, executive management offers its support of information security policy solely in the form of mandates and budgets.
False
The domains of the risk IT framework mutually inform each other, creating flexibility and agility. It is possible to uncover a potential threat in the risk governance domain and quickly assess its impact using the risk evaluation domain.
False
The recovery point objective (RPO) is the duration of time within which the recovery of a business process should occur following downtime or an outage.
False
Vulnerability scanning is created with the intention of exploiting weaknesses in the computing environment or system architecture. In most cases, vulnerability scanning involves a group of people posing as hackers who deploy social engineering and other techniques to try to hack the systems or network.
False
The department responsible for providing security training to new employees is the _______________.
HR
A(n) __________________ is a term used to indicate any unwanted event that takes place outside the normal daily security operations. This type of event relates to a breakdown in controls as identified by the security policies.
security event
Of all the needs that an organization might have to classify data, there are three that are most prevalent. Which of the following is not one of the reasons?
transfer information
Because employees always respond and react in relation to their environment, it is vital that front-line employees work to counteract the forces of peer pressure. Peer pressure is a negative influence on the security culture of an organization.
False
It is recommended that organizations retain information for the entire life of their existence because there is no guarantee of when it will be necessary to satisfy the purposes of legal obligations and business operations.
False
SQL injections are attacks that result from the absence of separating high-risk assets on their own network segments.
False
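The card above makes the point that SQL injection is an application-layer flaw (untrusted input parsed as SQL), so network segmentation cannot prevent it. The following is an added example, not part of the deck, showing a vulnerable login query beside its parameterized form against a constructed in-memory SQLite table; the table, rows, and function names are assumptions made for the illustration.

```python
"""Added example (not from the deck): SQL injection is an input-handling
flaw in the application, not a network-segmentation problem.
Runs entirely against a constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; no real accounts are involved.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: user input is spliced into the SQL text, so
    # a quote in the input changes the structure of the statement.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened form: placeholders bind the input as data; the SQL text is
    # fixed before any user-controlled bytes are seen by the parser.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Compare both versions with a valid password and a classic payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into ... OR '1'='1'
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),
        "safe_valid": login_safe(conn, "alice", "correct horse"),
        "safe_injected": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'login succeeded' if outcome else 'login rejected'}")
```

The injected payload succeeds against the concatenated query because the segmentation of the database server is irrelevant: the application itself forwards attacker-shaped SQL. The parameterized query treats the same bytes as an (incorrect) password and rejects the login.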
The Federal Information Security Management Act (FISMA) mandates that the government use the National Institute of Standards and Technology (NIST) Special Publication 800-61 to categorize incidents into a range of events on a network or system. These events include malicious code, which is an exploit to secure access, and denial of service, a code that quickly causes infections in other machines.
False
The Information Technology Infrastructure Library (ITIL) contains three books that represent the ITIL life cycle: service transition, service operation, and service design. It is standard practice for an organization to adopt all sections of the ITIL life cycle.
False
There are a number of automated tools created by Microsoft that can be used to verify compliance. One such tool is the ____________________, which is a free download that locates system vulnerabilities by sending queries. This tool can scan multiple systems in a network and maintain a history of reports for all prior scans.
Microsoft Baseline Security Analyzer (MBSA)
___________________ is a term that denotes a user's capability to authenticate once to access the network and then have automatic authentication on different applications and devices afterward.
Single sign-on
A custodian is an individual in the System/Application Domain who has daily operational control over data and resources; this individual is generally tasked with the responsibility of guaranteeing that accepted processes are employed to handle resources and data.
True
A privileged-level access agreement (PAA) is created to increase the knowledge, understanding, and accountability of those users who have administrative rights. For example, the federal government employs PAAs in the defense industry. However, PAA use seldom takes place in organizations outside the defense industry.
True
A security token is either a software code or hardware device that produces a "token" during the logon stage. Often represented as a series of numbers, a security token is nearly impossible to duplicate and serves to ensure the identity of the person seeking access to the network.
True
A significant amount of IT risk is operational risk, which encompasses any occurrence that troubles the activities the organization conducts on a regular basis. Examples of operational risk include errors in coding, a system outage, a security breach, or a network slowdown.
True
As one of the most vital actions performed in an organization, the risk assessment delimits vulnerabilities and threats as well as recommendations for controls.
True
Because incidents can eventually become court cases, it is necessary that the actions of the IRT demonstrate due care, which requires steps or actions are taken to mitigate harm to another party.
True
Best practices are typically the known and shared practices and the standard of professional care expected for an industry.
True
Companies seek to monitor employee e-mail usage to safeguard against malware and viruses, to protect sensitive information, and to support data leakage protection (DLP). Additionally, e-mail use might be scanned for threatening language and obscenities.
True
Examples of strategic risk include an organizational merger or acquisition, a change in the customer, or a change in the industry.
True
In many organizations, there exists an established process for requesting changes. This process ensures that key players in organizations play a role in reviewing the requests for change and providing input using a shared intranet Web application. Such players involved in the review process are security experts, senior IT experts, disaster recovery experts, and management personnel.
True
In the methods section of an IRT charter document, the process used to achieve the objective is explained in detail. This section also features a list of services offered by the IRT.
True
It is important to test automated tools for the purpose of determining their effectiveness. One thing to look for in a tool is whether it has failed to catch existing problems, such as whether or not a patch is missing. Such a test would be monitoring a tool's assessment capabilities.
True
It is not uncommon that committees will create charters, which are formal documents that offer a blueprint for committee goals and mission. These documents can offer useful information regarding the particular function of the committee.
True
It is standard practice for organizations to use imaging techniques to establish baselines. Images can include all the desired configuration and security settings for a system, applications, system settings, and the full operating system.
True
The customization of applications and systems is widely known as configuration. The configuration for databases and operating systems features security controls. It is necessary that the DRP guarantee that these controls remain functional in the midst of a disaster.
True
The front-line manager/supervisor plays a crucial role in enforcing disciplinary actions; these actions follow particular guidelines and should be applied in a fair and consistent manner.
True
Web-Based Enterprise Management (WBEM) is a set of Internet and management standard technologies that set the standard for language used to exchange data among different platforms for management of applications and systems.
True
When any tool makes any changes on a network, it is necessary that these changes are captured in a change management record for the purpose of creating an audit trail. Then, the tool making the change can capture any changes it makes on any systems. Audit trails are valuable tools for determining the existence of unauthorized changes.
True
When new policies are introduced into an organization, the culture is forced to change. This change entails requiring individuals to cease bad habits and adopt new ways to cope with risk.
True
Domain security control requirements are embodied in several different types of documents. One such document is known as _______________________, which uses a hierarchical organizing structure to identify the key terms and their explanations.
a dictionary
If a vulnerability is not fixed at the root cause, there is a possibility that another route of attack can emerge. This route is known as the ____________________.
attack vector
The term ________________ denotes data that is being stored on devices like a universal serial bus (USB) thumb drive, laptop, server, DVD, or CD. The term ______________ denotes data that exists in a mobile state on the network, such as data on the Internet, wireless networks, or a private network.
data at rest, data in transit
While there are many valid reasons to monitor users' computer activities, which of the following is an invalid reason?
detecting whether employees are listening to music that is inappropriate for the workplace
An illustration of ________________ would be an organization installing anti-malware software on the network and endpoints, monitoring for suspicious traffic, and responding as needed.
disposal of risk
One of the processes for establishing business requirements and raising the level of privileges is to grant elevated rights on a temporary basis. This process is called _________________.
firecall-ID
Which of the following responsibilities is in the purview of the second line of defense?
identify and assess enterprise risk
In a business impact analysis (BIA), the phase of defining the business's components and the component priorities has several objectives. Which of the following is not one of the objectives?
institute recovery time frames for the components with the highest priority only
There are many different types of automated controls that are configured into devices for the purpose of enforcing a security policy. Which of the following is not an automated control?
log reviews
It is recommended that systems administrators analyze logs in order to determine if they have been altered because monitoring can deter risk. To serve this goal, a ________________ can be used to assemble logs from platforms throughout the network.
log server
Security policies that clarify and explain how rights are assigned and approved among employees can ensure that people have only the access needed for their jobs. Which of the following is not accomplished when prior access is removed?
minimizes future instances of human error
A major defense corporation rolls out a campaign to manage persistent threats to its infrastructure. The corporation decides to institute a ___________________ to identify and evaluate the knowledge gaps that can be addressed through additional training for all employees, even administrators and management.
needs assessment
In 2010, a major restaurant chain suffered a network breach when malware was discovered to have collected customer credit card information that was later stolen by an outside party. Such a breach was a PCI DSS framework violation. Which of the following actions is the first step that should have been taken to ensure the PCI DSS framework was safely protecting the credit card information?
network segregation
There are several different best practices available for implementation when creating a plan for IT security policy compliance monitoring. One such practice is to design a baseline derived from the security policy, which entails _________________.
using images when feasible in the implementation of new operating systems
Which of the following types of baseline documents is often created to serve the demands of the workstation domain?
virus scanner configuration standards
Which of the following statements is most accurate with respect to infrastructure security?
Even when an industry standard is applied, there is no guarantee of compatibility.
A certificate authority refers to the original image that is duplicated for deployment. Using this image saves time by eliminating the need for repeated changes to configuration and tweaks to performance.
False
A lack of standardization within an infrastructure is a significant technical challenge that is always caused by inconsistent configurations.
False
A patch management assessment uses tools to define and comprehend risks to an application, system, or network device; patch management denotes weaknesses, or control gaps, that exist in the IT infrastructure.
False
Because some security work is heavily reliant on human judgment, not all controls are subjected to automation. However, manual controls are not appropriate to use with respect to background checks, log reviews, attestations, and access rights reviews.
False
Beyond computer workstation usage, e-mail usage is the only employee action subject to monitoring.
False
Distinguishing between quality assurance and quality control can be challenging, but the key difference is that quality assurance is an assessment to determine the necessary responses to ensure correction, while quality control entails instilling confidence or the state of feeling confident.
False
In general, the incident response team is managed and constructed by information security personnel, which can be directly or indirectly engaged in the three main IRT activities: discovery, IRT activation, and containment.
False
Of the people working in concert with security teams to ensure data quality and protection, the head of information management is responsible for executing the policies and procedures, such as backup, versioning, uploading, downloading, and database administration.
False
The issue of securing data in transit and data at rest concerns the subject of encryption due to the fact that all states have privacy laws that fall under one type of encryption requirement: that all private data is encrypted.
False
The recovery time objective (RTO) is the greatest permissible level of data loss from the origin point of a disaster.
False
____________________ are instituted by the executive management and are responsible for enforcing policies by reviewing technology activity and greenlighting new projects and activities.
Gateway committees
Because regulatory compliance is a significant effort, some organizations engage full-time teams to collect, review, and report in an attempt to demonstrate that regulations are being followed. However, creating these full-time teams redirects business protection resources needlessly. A better strategy is to create an IT policies framework that defines security controls that aligns with policies and regulations.
True
If an organization wants to reduce the number of possible threats and damages, it is recommended that it puts security policies in place to guarantee that access is limited to individual responsibilities and roles. This policy should also mandate that a person's access is revoked when he/she leaves the organization.
True
A(n) ______________________ is a centrally located device that is capable and permitted to extend and connect to distributed services.
agentless central management tool
The act of recording noteworthy security events that transpire on a network or computing device is known as a(n) ______________________.
audit
Which of the following is not one of the policies concerned with LAN-to-WAN filtering and connectivity?
content-blocking tools configuration standard
It is important that ___________________ accounts have full and unencumbered rights to restore data as well as to configure, install, repair, and recover applications and networks.
contingent
Which of the following control standards in the system/application domain maintains control of both managing errors and ensuring against potentially damaging code?
developer-related standards
It is important to conduct a nearly continuous evaluation of possible ______________ to guarantee that recovery estimates provided to customers are accurate and maintain credibility with customers.
downtimes
In policies regarding the ___________ of data, it must be guaranteed that the data that exits the private network is secured and monitored; the data should also be encrypted while in transit.
physical transport
There are many ways that people can be manipulated to disclose knowledge that can be used to jeopardize security. One of these ways is to call someone under the false pretense of being from the IT department. This is known as _________________________.
pretexting
Of the six specific business risks, the ___________________ risk results from negative publicity regarding an organization's practices. Litigation and a decline in revenue are possible outcomes of this type of risk.
reputational
A ______________________ is an apparatus for risk management that enables the organization to comprehend its risks and how those risks might impact the business.
risk and control self-assessment (RCSA)
The ______________________ denotes the application software and technology that concerns a wide range of topics, from data management to the systems that process information.
system/application domain
Which of the following is not one of the similarities shared by an enterprise risk management (ERM) framework and a governance, risk management, and compliance (GRC) framework?
the importance of value delivery
In order to enhance the training experience and emphasize the core security goals and mission, it is recommended that the executives _______________________.
video record a message from one of the leaders in a senior role to share with new employees
When is the best time to implement security policies to help developers diminish the number of vulnerabilities during application development?
while the application is being written
_______________ is an international governance and controls framework and a widely accepted standard for governing, assessing, and managing IT security and risks.
COBIT
While it would not be possible to classify all data in an organization, there has nonetheless been an increase in the amount of unstructured data retained in recent years, including logs. There are many different ways to make the time-consuming and expensive process of retaining data less challenging. Which of the following is not one of these approaches?
Classify all forms of data no matter the risk to the organization.
COSO is an international governance and controls framework and a widely accepted standard for assessing, governing, and managing IT security and risks.
False
In the concept of best fit privilege, a user has the bare minimum access based on what is needed to complete one's responsibilities. Least privilege, however, states that individuals should have the bare minimum access based on what is needed to complete one's responsibilities and have that access managed with the utmost efficiency. The difference is that best fit privileges customize access to the individual, while least privileges typically customize access to the group or class of users.
False
In the data classification scheme for recovery of information, data that is designated as urgent is that which needs to be recovered as soon as possible to mitigate significant impact on the organization.
False
One example of a baseline standard that configures devices to address connectivity and monitoring activity is a firewall baseline security standard, which establishes a configuration of network filters by manufacturer type, router, and version.
False
The IRT has a vital responsibility in gathering forensic evidence, which is defined as collecting and preserving the information that can be used to reconstruct events. Analysis of this information relies on gathering information about two factors: the actions that led up to the occurrence and then what actions followed the occurrence.
False
The security operations team has the responsibility of monitoring intrusions and breaches in the form of firewalls and network traffic. When the team finds a breach, they notify independent auditors who aid in the recovery of the business and will provide an assessment of how the breach occurred.
False
The workstation domain control standard that institutes restrictions for employer-owned mobile and portable workstations is known as the acquisitions standard.
False
Vendors are users who need to be able to access particular application functions. Such access is issued based on the type of user rather than the individual. Guests and general public users, however, need to review and evaluate controls, and this access contains unlimited read access to logs and configuration settings.
False
When handling data, the process of transmission refers to the need to ensure that data is encrypted, protected, and tracked upon arrival at its destination.
False
There have been a number of attacks on government systems that have been the result of fundamental errors. Correct configurations of these systems would have prevented these attacks, so security experts created the solution in the form of the ___________________________.
Federal Desktop Core Configuration (FDCC)
Even though SNMP is a part of the TCP/IP suite of protocols, it has undergone a series of improvements since its first version. Which of the following is not one of the improvements offered in version 3?
HP SCAP Scanner by HP is now implemented, which enhances overall security.
Which of the following has the responsibility of offering instruction on intrusion detection systems and intrusion prevention system standards as well as their accompanying uses for diminishing false alerts?
IDS and IPS architecture and management guidelines
Because risk management is both a governance process and a model that seeks consistent improvement, there is a series of steps to be followed every time a new risk emerges. Which of the following is not one of these steps?
Identify the prior risks; it is not necessary to determine the cause.
Which of the following departments has a significant role to play concerning the act of creating the messaging around an incident to the media and the parties impacted?
PR
Consider this scenario: A sales organization with an onsite IT staff experiences a major outage due to a minor change involving a printer. Though systems had been working successfully, the printer stopped working when a new server was added to the network. The new server shared the same IP address as the printer. Which of the following statements captures a contributing cause of the IP address conflict?
The IP address conflict demonstrates that the organization failed to comply with change management policies.
In the financial services sector, some organizations have implemented a three-lines-of-defense model. What does the use of this model suggest about an organization's structure?
This organization uses a layered approach that creates a separation of duties.
Employees who occupy a vendor status directly report to that vendor company, and that company will often manage their access. Thus, processes must be instituted to guarantee that the vendor company is managing its employees effectively. The situations that demand a vendor to give notification to the company that's engaged the vendor are as follows: 1) when people are hired or fired; 2) when people switch roles; 3) when systems are enhanced or separated from the organization's network; and 4) when security configuration adjustments are made to the communications between the vendor and the organization.
True
Escalation is a process that is regularly implemented by a CISO when risks are being addressed. If a business unit is unresponsive, it is necessary for a CISO to escalate events. However, the path of escalation differs depending on the organization.
True
In order to create a detailed communication plan, it is recommended that these elements are included: intranet Web site; monthly communications; management briefing; and the incorporation of security policies into current training events and communications.
True
It is vital to keep in mind that breaches are entirely concerned with data. No matter what physical damage a device incurs, data on any stolen machine may be at risk; thus, encrypting the hard drive on a device that is portable is a considered a best practice by the industry.
True
LAN Domain enables multiple computers to connect within a small physical area such as an office, home, or a group of buildings. While LAN configuration issues are similar to those used in workstations, the main difference is administration: the LAN Domain is often limited to a small group of network administrators, so devices are distributed on an irregular basis and are more restricted.
True
The DRP provides the documentation and policies necessary for an organization to gain recovery of its IT assets following a significant outage.
True
There are different opportunities that can be engaged by senior leaders to deliver expectations connected to security policies. Among these opportunities are brown bag sessions, which can offer a safe, relaxed forum for the CISO to connect positively with employees at different levels in the organization.
True
To reduce malware attacks, it can be useful to implement a content filtering standard. One such policy that involves LAN-to-WAN connectivity and filtering is a DMZ control standard, which institutes the controls for publicly accessible devices to situate them in a DMZ.
True
Understanding the distribution of classification is vital to understanding the levels of sensitive data. If there is an overclassification of data, this might indicate an unnecessarily costly means of securing data that is not as vital, whereas underclassification suggests that the most vital data may not be sufficiently secured.
True
Version control is an important consideration when it comes to IT security policy automation for two reasons. First, the security policy document itself needs to record the policy if the policy is changed. Second, actual changes to the system need to be recorded in the database for change control work orders and the configuration management database (CMDB).
True
When implementing a patch, it is recommended that there be a back-out strategy in place; this is necessary because it is possible the patch might create complications.
True
An occurrence that transgresses an organization's security policies is known as an incident. Which of the following is not an example of a security incident?
a server crash that was accidentally caused
Depending on the organization, the control procedure of the Domain Name System (DNS) might be built into the WAN standard. This standard identifies the criteria securing a domain name. Which of the following is not one of the types of approvals that can be used to track domains?
an explanation of the desired market or audience for which the Web site is intended
Within the seven domains of a typical IT infrastructure, there are particular roles responsible for data handling and data quality. Which of the following individuals do not work with the security teams to ensure data protection and quality?
auditors
As part of the National Institute of Standards and Technology (NIST) program, the Security Content Automation Protocol (SCAP) identifies standards and protocols implemented to establish a range of different automated compliance tools and scanners. One of the different tools available is the ______________________, which deploys a privileged account to authenticate on the target system, and it eventually scans the system to ascertain compliance with an identified set of configuration requirements.
authenticated configuration scanner
One of the most important approaches used to secure personal data is ________________, which is the process used to prove the identity of an individual. ______________, however, is the process used to enable a person's access privileges.
authentication, authorization
In addition to compiling the list of user access requirements, applications, and systems, the BIA also includes processes that are ____________. These processes safeguard against any risks that might occur due to key staff being unavailable or distracted.
automated
It is necessary to retain information for two significant reasons: legal obligation and business needs. Data that occupies the class of ________________ is comprised of records that are required to support operations; the data included might be customer and vendor records.
business
There are particular tools and techniques that the IRT utilizes to gather forensic evidence, including ____________________, which articulates the manner used to document and protect evidence.
chain of custody
In information security, the individual responsible for setting goals for implementing security policies is the _________________.
chief information security officer
A(n)______________________ aligns strategic goals, operations effectiveness, reporting, and compliance objectives.
enterprise risk management framework
It is important that security policies establish a concrete distinction between work life and home life. Such a distinction requires that employees understand that they have no expectation of _______________.
privacy with respect to personal devices connected to the network
In May 2013, a National Security Agency (NSA) contractor named Edward Snowden leaked thousands of documents to a journalist detailing how the U.S. implements intelligence surveillance across the Internet. In which of the following sectors did this breach occur?
public sector
In order to establish cogent expectations for what's acceptable behavior for those utilizing an organization's technology asset, an Acceptable Use Policy (AUP) defines the targeted functions of computers and networks. This policy delimits unacceptable uses and the consequences for policy violation. Which of the following topics is not likely to be found in an AUP?
recommendations for creating a healthy organizational culture
Of the risk management strategies, _________________ refers to the act of not engaging in actions that lead to risk, whereas ____________________ refers to acquiescence in regard to the risks of particular actions as well as their potential results.
risk avoidance, risk acceptance
The ________________ domain ensures risks are diminished and remediated in the most cost-effective manner. To prevent risk from increasing in severity and scope, this domain coordinates risk responses ensuring that the right people are engaged when appropriate.
risk response
One of seven domains of a typical IT infrastructure is the user domain. Within that domain is a range of user types, and each type has specific and distinct access needs. Which of the following types of users has the responsibility of creating and putting into place a security program within an organization?
security personnel
When reporting incidents, it is necessary to institute transparent procedures for filing incident reports. The process of incident classification is known as triage. When triage is set in motion, the severity of the threat is assessed. For example, ___________________ occurs when there are a number of unauthorized scans, system probes, or vast viruses detected; the event also necessitates manual intervention.
severity 3
Which of the following is not one of the types of control partners?
software engineers
Aside from human user types, there are two other non-human user groups. Known as account types, ________________ are accounts implemented by the system for the purpose of supporting automated service, and ___________________ are accounts that remain non-human until individuals are assigned access and can use them to recover a system following a major outage.
system accounts, contingent IDs
Imagine a scenario in which an employee regularly shirks the organization's established security policies in favor of convenience. What does this employee's continued violation suggest about the culture of risk management in the organization?
that the organization lacks a good risk culture wherein employees have "buy in"
Assume that the governance committee states that all projects costing more than $70,000 must be reviewed and approved by the chief information officer and the IT senior leadership team (SLT). At this point, the CIO has the responsibility to ensure that management processes observe the governance rules. For example, the project team might present the proposed project in an SLT meeting for a vote of approval. What does this scenario illustrate about organizational structure?
the difference between governance and management oversight
When a CISO is seeking executive buy-in for implementing security policies with respect to a target state, the dialogue should make certain to address each of the following except:
the names of the team members who were consulted to create the policy
Which of the following committees is responsible for the review of concepts, testing phases, and designs of new initiatives as well as determining when a project can enter the production phase?
the project committee
___________________ make use of baselines to identify changes in the behavior of the network.
Anomaly-based intrusion detection systems
Among the ways that one's privilege status can be raised for the sake of solving a security access problem is to provide a trouble ticket, which issues non-permanent, enhanced access to previously unprivileged users.
False
As leaders across the organization, the security team reviews the business processes and determines possible risks and threats. The team works closely with the business to understand any existing threats of fraud.
False
Executive management is ultimately accountable when an organization has failed to control risks. In general, organizations can be trusted to assign consequences of that failure to a few in top leadership roles who will take on the burden of consequences. Thus, it is rarely necessary that regulators and courts be invoked to ensure accountability.
False
How security data is classified demonstrates the information in terms of criticality and sensitivity. Sensitivity denotes how vital the information is to accomplishing an organization's mission. Criticality denotes the impact affiliated with unauthorized disclosure of information.
False
In LAN domain control procedures, it is of the utmost importance that the network is protected because an attack on the network threatens the entire organization. Thus, the procedure of audit record retention exists, which responds to the failure of audit tools and network monitoring.
False
In general, when individuals work effectively in isolation they are less likely to need or benefit from organizational support. Thus, risk management is accomplished because organizational efficiency is achieved.
False
Of the different risks that can occur in an IT security framework, events that transpire outside an organization's domain of control and impact IT operations fall under the category of operational risks.
False
The main difference between a guideline and a standard is that the former is a mandated control and the latter is a strong endorsement of a course of action.
False
The requirements for patch management outlined in security policies include determining how patches should be utilized and tracked. It is important to have a steady approach to utilizing patches that includes the two main components: vetting and prioritization.
False
There are two terms consistently used when describing firewalls: stateful and stateless. A stateless firewall surveys all the traffic for a particular connection and investigates the packets containing the data to seek out sequences and patterns that are incongruent. A stateful firewall examines each packet on a case-by-case basis. It does not have any prior information and avoids making predictions of what should come next.
False
Though organizational challenges to security policy implementation vary depending on the culture and industry, the main hurdle has to do with a lack of sufficient budget to support implementation.
False
Though security awareness is widely recommended, the only federal mandate that requires an organization to have a security awareness program is the Gramm-Leach-Bliley Act.
False
_____________ risk is the possible outcome that can occur when an organization or business unsuccessfully addresses its fiscal obligations.
Financial
Which of the following outcomes is one of the benefits of a risk-management approach to security policies?
This approach offers alternative courses of action that might not be obvious to the leaders.
Consider this scenario: After many years, an employee is promoted to a position that has an elevated level of trust with his management. He started with the company in an entry-level position, and then moved from a supervisory to a managerial role. This role entails that the employee trains other employees and has a deep understanding of how the department functions. Which of the following actions should be taken in regard to this employee's levels of access during the span of time he has worked for the company?
This employee should have prior access removed to ensure separation of duties and avoid future instances of security risk.
"Privilege creep" refers to individuals who retain access privileges within an organization based on their previous jobs within the organization. This is an undesirable situation because multiple access privileges create the conditions for employees to engage in fraud.
True
Consider this scenario: A major government agency experiences a data breach. As a result, more than 100,000 personal records are now subject to unauthorized access. Despite the fact the CISO announced that there were a few prior warning signs that the system was at risk, no actions were taken to locate the system vulnerability. Because government agencies must comply with NIST standards, it is evident that the breach occurred as a result of insufficient management or governance.
True
Despite the different levels of accountability that exist in the layers of an organization, it is the chief information security officer (CISO) that has the main responsibility of establishing and escalating noncompliance to the senior leadership. Then, the senior leadership is responsible for enforcing the security policies while taking under advisement the guidance of the CISO.
True
Following an outage or disruption of services, consult the BCP for a blueprint for establishing the continuity of business operations.
True
For the sake of protection during a lawsuit, it is advised that a company creates a retention policy that delineates how data is regularly classified, deleted, and retained. Such a policy illustrates "good faith."
True
One of the most significant human mistakes that can lead to a security threat is carelessness, which is often brought about when an employee is not well-trained to see information security as worthy of protection.
True
Telecommunications generally encompasses any service, technology, or system that facilitates transmission of information and data delivered electronically.
True
The IRT has the fundamental mission of guaranteeing that operations are recovered in an expedient manner. Recovery entails the assurance that the vulnerabilities that allowed the incident have been eliminated. Successful implementation of an effective recovery strategy can be accomplished with the business continuity plan (BCP) representative.
True
The Security Content Automation Protocol (SCAP) was developed under the Federal Information Security Management Act (FISMA) to institute minimum requirements, standards, and guidelines, and for tools used to scan systems. SCAP identifies two specifications for implementation: Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS).
True
The business impact analysis (BIA) contains the requirements for the business continuity plan (BCP) and the recovery time objective (RTO). It is a rare occurrence that the BIA requirements will be altered during the BCP process.
True
The business impact analysis (BIA) is utilized for the purposes of both information security and non-information security. In general, it is employed for the recovery of many incidents that include, but are not limited to, security breaches.
True
The central role of the operational risk committee is to manage risk to the business, which entails making certain that the business is functioning within its risk tolerance and risk appetite.
True
The disaster declaration policy contains the plan for declaring a disaster. Activating this plan might include the emergency notification of personnel, strategic vendors, and stakeholders as well as activation of alternative sites and housing and transport arrangements.
True
The main difference between management and governance committees is that the former deals with the details necessary for maintaining daily business operations, while the latter has the responsibility of establishing the strategic direction.
True
The process of ensuring the security of a physical fax device is as vital as securing a copier because both have internal memory and contain storage of prior documents printed. If these documents contain sensitive information, it is necessary to monitor access.
True
The risk governance domain guarantees that the entire range of opportunities and consequences are considered with regard to business strategy.
True
In general, WAN-specific standards identify specific security requirements for WAN devices. For example, the ____________________ explains the family of controls needed to secure the connection from the internal network to the WAN router, whereas the ______________________ identifies which controls are vital for use of Web services provided by suppliers and external partnerships.
WAN router security standard, Web services standard
An important principle in information security is the concept of layers of security, which is often referred to as layered security, or defense in depth. Which of the following is not an example of a layer of security?
a control standard
There are many roles and responsibilities entailed in the management and identification of risks and the enforcement of policies related to information security. One such role is ________________, which has the responsibility of enforcing policies at the employee level.
front-line manager/supervisor
A __________________________ is a term that refers to the original image that is duplicated for deployment. Using this image saves time by eradicating the need for repeated changes to configuration and tweaks to performance.
gold master
Microsoft domains offer _______________ in order to enhance security for certain departments or users in an organization. This method allows security gaps to close and security settings to be increased for some computers or users.
group policy
One of the processes designed to eradicate maximum possible security risks is to ________________, which limits access credentials to the minimum required to conduct any activity and ensures that access is authenticated to particular individuals.
harden
There are a number of issues to consider when composing security policies. One such issue concerns the use of security devices. One such device is a ____________, which is a network security device with characteristics of a decoy that serves as a target that might tempt a hacker.
honeypot
The goal of employee awareness and training is to ensure that individuals are equipped with the tools necessary for the implementation of security policies. Which of the following is one of the other benefits of a successfully enacted training and awareness program?
instituting chances for employees to gather new skills, which can foster enhanced job satisfaction
In order to assess policy compliance, many organizations will use a report card. The evaluation tools are comprised of criteria based on an organization's requirements. Which of the following is not one of the elements that would be included on a report card?
number of random audits performed
One of the many roles of the security compliance committee is to focus on controls that are widely used across a large population of applications, systems, and operations. These types of controls are known as ___________________.
pervasive controls
Which of the following user types is responsible for audit coordination and response, physical security and building operations, and disaster recovery and contingency planning?
security personnel
To measure the effectiveness of the IRT, which of the following does not need to be evaluated?
the tests provided to employees to ensure their response to incidents
While these two approaches have similarities in terms of the topics they address, ________ will cover broad IT management topics and specify which security controls and management need to be installed; however, ________ does not address how to implement specific controls.
COBIT, ISO
In the organizational structure, the vendor management team is responsible for managing security concerns involving third parties and vendors. This team conducts an assessment on a vendor before data leaves the organization and is processed by a third party. The concept of separation of duties is often put in place to ensure that data is verified before it leaves the organization.
False
It is often the case that system accounts need increased privileges to start, stop, and manage system services; such accounts can be interactive or non-interactive. The word interactive denotes a person's inability to log on to the account, whereas noninteractive denotes a person's ability to do so.
False
Risk management policies establish the framework for measuring risk for data classification and actions associated with risk and control self-assessment (RCSA); these policies also define the standards for judging the assessments as well as the content that comprises the assessments.
True
A significant objective in telecommunication standards is the need to identify the devices and protocols to be used and then determine how to handle data on those devices.
True
A useful method for sharing security policies across an organization is a document-handling server, such as an intranet. Benefits of this server include material cost control, keeping policies current, and ensuring that policies are searchable.
True
A workstation can be any user device, such as a smartphone or a laptop, that accesses data; policies regarding the workstation domain relate to any such computing device.
True
If the governance and compliance framework is well-defined, this means that the approach is structured around a common language and is a foundation from which information security policies can be governed.
True
Security awareness training is formally conducted in two methods: instructor-led classroom training and computer-based training (CBT). It is common practice for large organizations to use a combination of both methods.
True
In order for the data owner and IT department to discern the controls necessary to secure data, they need to decide between the authentication method and encryption controls; both are not required.
False
In the 5 Code of Federal Regulations (C.F.R.), it is recommended that an individual has security awareness training before s/he can access information. The C.F.R. is unusual in that it requires all users to receive broad training in system/application life cycle management, security planning and system/application security management, risk management, and contingency planning.
False
In the three-lines-of-defense model of risk management, the second line of defense is the business unit (BU), which is responsible for controlling risk on a daily basis. The BU locates risk, assesses the impact, and mitigates the risk whenever possible.
False
Policies associated with risk management endorse a series of actions that enable an organization to be consistently conscious of risks. There are two efforts deployed: threat and vulnerability assessments and penetration testing.
False
Consider this scenario: A company is notified that its servers have been compromised to be the point of departure to attack a host of other companies. The company then initiates an IRT, which is unable to locate the breach. The company then seeks the services of an outside firm that specializes in forensic analysis and intrusions. The outside firm locates the source of the breach and wants to monitor the actions of the intruder. However, the outside firm is informed by its internal legal counsel that the company does not agree with this course of action. Which of the following statements best captures the effectiveness of the company's IRT policies?
The IRT is moderately effective because a breach was found without seeking external counsel.
Which of the following statements illustrates the importance of the LAN-to-WAN domain to an organization's security?
The LAN needs to establish a secure connection to the WAN to ensure that traffic is thoroughly inspected and carefully filtered.
Consider this scenario: A major software company finds that code has been executed on an infected machine in its operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12 days later. Which of the following statements best describes the company's approach?
The company effectively implemented patch management.
Guidelines in the LAN-to-WAN domain offer recommendations for individuals who have the responsibility of determining the degree to which Internet access should be allowed. To offer additional choices while also negotiating risk, individuals can implement content-filtering guidelines (which offer options for effective ways to filter content), methods for recording the list of banned sites, and ways to request user privileges to blocked sites, as needed.
True
In 2012, the software company Telvent suffered a breach of its internal firewall and network. In response, the company severed the usual data links between clients and segmented the portions of its internal networks that had been affected. The fact that segmentation was introduced immediately after the breach suggests that such segmentation was not initially built into the LAN security policy, which raises many security control questions.
True
In addition to being federally mandated, a good security awareness policy has many benefits, including the processes of notifying employees of the following: 1) basic foundations of information security; 2) raising consciousness of risks and threats; 3) how to cope with unexpected risk; 4) how to give a record of incidents, breaches, and suspicious activity; and 5) how to help create a culture that is educated about security and risk awareness.
True
In most cases, a Quality Assurance function is a control that occurs in real-time and is preventive. A Quality Control function differs because, as a detective control, it examines defects over time and surveys a wide range of samples.
True
In order to record the dates when new policies and changes to those policies are enacted, it is advisable to use a consolidated calendar. Stakeholders should review the calendar monthly to prepare for policy implementation appropriately.
True
In the third line of defense, the auditor serves as an advisor to the first and second lines of defense in matters concerning risk. The third line must preserve his or her independence but also offer input on risk direction and strategies.
True
Security frameworks establish behavior expectations and define policy. Policies cannot address every scenario employees will face, but strong training on the core principles that create those policies will equip employees to do their jobs successfully.
True
The RCSA is utilized to construct plans for risk management, which can include the location of where to implement the procedures for quality assurance and quality control.
True
The operational risk committee has the ability to determine which business activities are riskier than others. For example, if a business wants to sell product on the Internet for the first time, then the risk committee would need to understand the wide-ranging risks involved as well as the organization's security capability.
True
LAN security policies center on issues concerning connectivity; this includes determining how devices attach to the network. Among the types of LAN control standards are _______________, which creates the schedules on LAN-attached devices for scheduled preventative and consistent maintenance, and ________________, which explains the change control management process for soliciting changes, granting changes, and implementing changes on the network.
controlled maintenance, configuration change control
The system/application domain covers an expansive range of topics; therefore, the baseline standards in this domain are diverse. For example, the _____________________ explain how to compose and assess the security of applications.
developer coding standards
The members of the _________________ committee help create priorities, remove obstacles, secure funding, and serve as a source of authority. Members of the _______________ committee, however, are leaders across the organization.
executive, security
An organization's _______________________ is a particular group of differently skilled individuals who are responsible for attending to serious security situations.
incident response team (IRT)
Baseline LAN standards are concerned with network traffic monitoring because no matter how good firewalls and routers can be, they are still not 100% effective. Thus, _________________ offer a wide range of protection because they seek out patterns of attack.
intrusion systems
A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows: Risk exposure = ________________ the event will occur + ____________ if the event occurs
likelihood, impact
The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that ________________ receives training in basic security requirements, regulatory and legal requirements, detailed policy review, and reporting suspicious activity.
middle management
Despite the fact that there exists no mandatory scheme of data classification for private industry, there are four classifications used most frequently. Which of the following is not one of the four?
moderately sensitive
In order to build security policy implementation awareness across the organization, there should be ____________________ who partner with other teams and departments to promote IT security through different communication channels.
multiple executive supporters