SecurityTest2(Ch4-5)


The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation? -11 -13 -15 -18

13

What is NOT one of the three tenets of information security? -Confidentiality -Integrity -Safety -Availability

Safety

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? -Accuracy -Reaction time -Dynamism -Acceptability

Acceptability

Which one of the following is the best example of an authorization control? -Biometric device -Digital certificate -Access control lists -One-time password

Access control lists

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about? -Identification -Authentication -Authorization -Accountability

Accountability

During which phase of the access control process does the system answer the question, "What can the requestor access?" -Identification -Authentication -Authorization -Accountability

Authorization

Which security model does NOT protect the integrity of information? -Bell-LaPadula -Clark-Wilson -Biba -Brewer and Nash

Bell-LaPadula

Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? -Dictionary attack -Rainbow table attack -Social engineering attack -Brute-force attack

Brute-Force Attack

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort? -Disaster recovery plan (DRP) -Business impact analysis (BIA) -Business continuity plan (BCP) -Service level agreement (SLA)

Business continuity plan (BCP)

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? -False acceptance rate (FAR) -False rejection rate (FRR) -Crossover error rate (CER) -Reaction time

Crossover error rate (CER)

Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices? -Support ownership -Onboarding/offboarding -Forensics -Data ownership

Data ownership

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? -Discretionary access control (DAC) -Mandatory access control (MAC) -Rule-based access control -Role-based access control (RBAC)

Discretionary access control

What is the first step in a disaster recovery effort? -Respond to the disaster -Follow the disaster recovery plan (DRP) -Communicate with all affected parties -Ensure that everyone is safe.

Ensure that everyone is safe

Which one of the following is an example of a direct cost that might result from a business disruption? -Damaged reputation -Lost market share -Lost customers -Facility repair

Facility repair

What compliance regulation applies specifically to the educational records maintained by schools about students? -Family Educational Rights and Privacy Act (FERPA) -Health Insurance Portability and Accountability Act (HIPAA) -Federal Information Security Management Act (FISMA) -Gramm-Leach-Bliley Act (GLBA)

Family Educational Rights and Privacy Act (FERPA)

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers? -FFIEC -FISMA -HIPAA -PCI DSS

HIPAA

What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)? -Secure European System for Applications in a Multi-Vendor Environment (SESAME) -Lightweight Directory Access Protocol (LDAP) -Security Assertion Markup Language (SAML) -Kerberos

Kerberos

Which of the following is NOT a benefit of cloud computing to organizations? -On-demand provisioning -Improved disaster recovery -No need to maintain a data center -Lower dependence on outside vendors

Lower dependence on outside vendors

Which of the following is an example of a hardware security control? -NTFS permission -MAC filtering -ID badge -Security policy

MAC filtering

Which one of the following is an example of a reactive disaster recovery control? -Moving to a warm site -Disk mirroring -Surge suppression -Antivirus software

Moving to a warm site

What is NOT a commonly used endpoint security technique? -Full device encryption -Network firewall -Remote wiping -Application control

Network Firewall

What level of technology infrastructure should you expect to find in a cold site alternative data center facility? -Hardware and data that mirror the primary site -Hardware that mirrors the primary site, but no data -Basic computer hardware -No technology infrastructure

No technology infrastructure

Which type of authentication includes smart cards? -Knowledge -Ownership -Location -Action

Ownership

Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario? -Checklist test -Full interruption test -Parallel test -Simulation test

Parallel test

Which one of the following is an example of a logical access control? -Key for a lock -Password -Access card -Fence

Password

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals? -Health Insurance Portability and Accountability Act (HIPAA) -Payment Card Industry Data Security Standard (PCI DSS) -Federal Information Security Management Act (FISMA) -Federal Financial Institutions Examination Council (FFIEC)

Payment Card Industry Data Security Standard (PCI DSS)

Which one of the following is NOT an advantage of biometric systems? -Biometrics require physical presence -Biometrics are hard to fake -Users do not need to remember anything -Physical characteristics may change.

Physical characteristics may change

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining? -Recovery time objective (RTO) -Recovery point objective (RPO) -Business recovery requirements -Technical recovery requirements

Recovery time objective (RTO)

Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? -Remote Authentication Dial-In User Service (RADIUS) -Terminal Access Controller Access Control System Plus -Redundant Array of Independent Disks (RAID) -DIAMETER

Redundant Array of Independent Disks (RAID)

Which formula is typically used to describe the components of information security risks? -Risk = Likelihood X Vulnerability -Risk = Threat X Vulnerability -Risk = Threat X Likelihood -Risk = Vulnerability X Cost

Risk = Threat X Vulnerability

George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use? -Risk Management Guide for Information Technology Systems (NIST SP800-30) -CCTA Risk Analysis and Management Method (CRAMM) -Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) -ISO/IEC 27005, "Information Security Risk Management"

Risk Management Guide for Information Technology Systems (NIST SP800-30)

Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register? -Description of the risk -Expected impact -Risk survey results -Mitigation steps

Risk survey results

What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? -Security Assertion Markup Language (SAML) -Secure European System for Applications in a Multi-Vendor Environment (SESAME) -User Datagram Protocol (UDP) -Password Authentication Protocol (PAP)

Security Assertion Markup Language (SAML)

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. -Security kernel -CPU -Memory -Co-processor

Security Kernel

Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following? -Least privilege -Security through obscurity -Need to know -Separation of duties

Separation of duties

As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct? -Checklist test -Parallel test -Simulation test -Structured walk-through

Simulation test

Which one of the following is an example of two-factor authentication? -Smart card and personal identification number (PIN) -Personal identification number (PIN) and password -Password and security questions -Token and smart card

Smart card and personal identification number (PIN)

Which one of the following principles is NOT a component of the Biba integrity model? -Subjects cannot read objects that have a lower level of integrity than the subject -Subjects cannot change objects that have a lower integrity level -Subjects at a given integrity level can call up only subjects at the same integrity level or lower -A subject may not ask for service from subjects that have a higher integrity level.

Subjects cannot change objects that have a lower integrity level.

Which one of the following is NOT a commonly accepted best practice for password security? -Use at least six alphanumeric characters. -Do not include usernames in passwords -Include a special character in passwords -Include a mixture of uppercase characters, lowercase characters, and numbers in passwords.

Use at least six alphanumeric characters

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation? -Hot site -Warm site -Cold site -Primary site

Warm Site
