Security Principles: Exam 1 (T/F)


A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.

False - That is the definition of maximum tolerable downtime (MTD). A recovery time objective (RTO) is the target period within which systems, applications, or functions must be recovered after an outage; the RTO is one component of the total recovery time, which must fit inside the MTD.

ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.

False - It is the other way around: rule-based policies are more specific to the operation of a system than ACLs, and they may or may not deal with users directly. An ACL states which users or groups may perform which actions on a particular resource, so it always deals with users directly; a rule policy constrains how the system may be used (which protocols, at what times, from where) regardless of who is asking.
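As an added example of the distinction above (this is not code from the flashcard set or the textbook), the Python below checks a constructed request first against a rule policy that never looks at the user, then against an ACL that names users per resource. The users, resources, rules, network range, and sample requests are all made up for illustration.

```python
"""Added example: an ACL (user-facing, per resource) beside a rule-based
policy (system-facing, user-agnostic). Users, resources, rules and sample
requests below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str      # "read" or "write"
    protocol: str    # e.g. "https", "ssh", "ftp"
    src_ip: str      # dotted-quad source address
    hour: int        # wall-clock hour of the request, 0-23


# ACL: per-resource table of which principal may perform which actions.
# This layer deals with users directly. (Constructed sample data.)
ACL = {
    "/finance/ledger.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "/hr/salaries.csv": {"carol": {"read"}},
}

# Rule policy: constraints on how, when and from where the system may be used.
# Each rule is evaluated on request attributes only; the user is never consulted.
CORP_NET = ip_network("10.0.0.0/8")   # assumed corporate range
RULES = [
    ("no cleartext protocols", lambda r: r.protocol not in {"ftp", "telnet", "http"}),
    ("business hours only", lambda r: 8 <= r.hour < 18),
    ("corporate network only", lambda r: ip_address(r.src_ip) in CORP_NET),
]


def acl_allows(req: Request, acl=ACL) -> bool:
    """Default deny: the resource must be listed and the user must hold the action."""
    return req.action in acl.get(req.resource, {}).get(req.user, set())


def rules_allow(req: Request, rules=RULES):
    """Return (allowed, names of violated rules). Empty list means the rule policy passes."""
    violated = [name for name, check in rules if not check(req)]
    return (not violated, violated)


def authorize(req: Request):
    """Both layers must pass: the rule policy gates use of the system,
    the ACL gates access to the specific object."""
    ok, violated = rules_allow(req)
    if not ok:
        return (False, "rule policy: " + ", ".join(violated))
    if not acl_allows(req):
        return (False, f"acl: {req.user} lacks {req.action} on {req.resource}")
    return (True, "allowed")


if __name__ == "__main__":
    for r in (
        Request("alice", "/finance/ledger.xlsx", "write", "https", "10.1.2.3", 10),
        Request("bob", "/finance/ledger.xlsx", "write", "https", "10.1.2.3", 10),
        Request("alice", "/finance/ledger.xlsx", "read", "ftp", "192.168.1.5", 22),
    ):
        print(r.user, r.resource, authorize(r))
```

Note that the third request is refused before the ACL is ever consulted: a rule policy can deny a fully authorized user because of the protocol, time, or source network, which is exactly why it is the more system-specific of the two.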

A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company will provide for the employee's legal defense.

False - The policy should state the opposite: if employees violate company policy or the law using company technologies, the company will not protect them and will not provide for their legal defense. Promising protection would encourage violations and expose the organization to liability it cannot fund.

A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it.

False - A data classification scheme assigns a level of confidentiality (not availability) to an information asset, and it is that confidentiality level that restricts the number of people who may access it.

The role of the project manager - typically an executive such as a chief information officer (CIO) or the vice president of information technology (VP-IT) - in this effort cannot be overstated

False - That describes the champion, not the project manager. The champion is typically an executive such as the CIO or VP-IT who provides authority, guidance, and resources; the project manager runs the effort day to day.

A(n) hardware system is the entire set of people, procedures, and technology that enable business to use information.

False - That is the definition of an information system. Hardware is only one component of it: the physical technology that runs the software, stores and transports the data, and provides the interfaces for entering and removing information.

Identifying human resources, documentation, and data information assets of an organization is easier than identifying hardware and software assets.

False - Identifying human resources, documentation, and data assets is more difficult than identifying hardware and software, because those assets are intangible and tend to be spread across locations and departments.

Within a data classification scheme, "comprehensive" means that an information asset should fit in only one category.

False - "Comprehensive" means every information asset fits somewhere in the scheme. The requirement that an asset fit in only one category is "mutually exclusive".

Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects

False - That describes accuracy. Information is redundant when it is duplicated or repeated.

Information security's primary mission is to ensure that systems and their contents retain their confidentiality at any cost.

False - Information security's primary mission is to ensure that systems and their contents retain their confidentiality, integrity, and availability (CIA).

An external event is an event with negative consequences that could threaten the organization's information assets or operations; also referred to as an incident candidate.

False - That is the definition of an adverse event, which is also called an incident candidate; an adverse event need not be external.

The total time needed to place the business function back in service must be longer than the maximum tolerable downtime.

False - The total time to put the business function back in service (the RTO for the technology plus the WRT for the work) must NOT exceed the maximum tolerable downtime (MTD).

Knowing yourself means identifying, examining, and understanding the threats facing the organization.

False - Knowing yourself means identifying, examining, and understanding the organization's own information assets and the systems that protect them. Identifying and understanding the threats facing the organization is knowing the enemy.

Media are items of fact collected by an organization and include raw numbers, facts, and words.

False - That describes data. Media are the systems and networks that store, process, and transmit information.

Residual risk is the risk that organizations are willing to accept even after current controls have been applied.

False - Residual risk is the risk to an information asset that remains after current controls have been applied. The amount of risk an organization is willing to accept is its risk appetite; the two are not the same thing.

Attacks conducted by scripts are usually unpredictable.

False - Attacks conducted by scripts are usually predictable, because a script is a pre-written program that executes a fixed sequence of steps.

A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.

False - That is the definition of a policy. A standard is a more detailed statement of what must be done to comply with a policy.

The continuity planning management team (CPMT) is the group of senior managers and project members organized to conduct and lead all contingency planning efforts.

False - The CPMT is responsible for overseeing all contingency planning efforts, but it is not typically responsible for conducting and leading those efforts.

The ISSP (Information System Security Plan) is a plan that sets out the requirements that must be met by the information security blueprint or framework.

False - ISSP stands for issue-specific security policy, which addresses a specific technology or issue. The statement describes the enterprise information security policy (EISP), which sets out the requirements that the information security blueprint or framework must meet.

A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.

False - A managerial guidance SysSP is created by management to guide the implementation and configuration of technology. The SysSPs written by IT staff are the technical specification documents.

According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement.

False - Sun Tzu: if you know the enemy and know yourself, you need not fear the result of a hundred battles.

A business influence analysis (BIA) is an investigation and assessment of adverse events that can affect the organization.

False - BIA stands for business impact analysis, not business influence analysis. The rest of the statement is the correct definition.

A business process is a task performed by an organization or one of its units in support of the organization's overall mission and operations.

True

A number of technical mechanisms - digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media - have been used to deter or prevent the theft of software intellectual property.

True

A project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas.

True

As an organization grows, it must often use more robust technology to replace the security technologies it may have outgrown.

True

Confidentiality ensures that only those with the rights and privileges to access information are able to do so.

True

Each policy should contain procedures and a timetable for periodic review.

True

Expert hackers are extremely talented individuals who usually devote lots of time and energy to attempting to break into other people's information systems.

True

Good security programs begin and end with policy.

True

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.

True

In addition to their other responsibilities, the three communities of interest are responsible for determining which control operations are cost-effective for the organization.

True

Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

True

Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, often referred to as the bottom-up approach.

True

Media as a subset of information assets are the systems and networks that store, process, and transmit information.

True

Of the two approaches to information security implementation, the top-down approach has a higher probability of success.

True

Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment.

True

Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

True

The business impact analysis is a preparatory activity common to both CP and risk management.

True

The disaster recovery planning team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters.

True

The information security function in an organization safeguards its technology assets.

True

The organization should adopt naming standards that do not convey information to potential system attackers.

True

The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.

True

The upper management of an organization must structure the IT and information security functions to defend the organization's information assets.

True

The work recovery time (WRT) is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered.

True

To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.

True

Two watchdog organizations that investigate allegations of software abuse are the Software & Information Industry Association (SIIA) and National Security Agency (NSA).

False - The two industry watchdog organizations are the Software & Information Industry Association (SIIA) and the Business Software Alliance (BSA). The NSA is an intelligence agency and does not investigate software piracy.

When unauthorized individuals or systems can view information, confidentiality is breached.

True

With the removal of copyright protection mechanisms, software can be easily distributed and installed.

True

You can create a single, comprehensive ISSP document covering all information security issues.

True
