Test 2 Management of InfoSec/Forensics


Likelihood

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

Single Loss Expectancy

By multiplying the asset value by the exposure factor, you can calculate ________________.

Control

In the COSO framework, ___________ activities include those policies and procedures that support management directives.

False

MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof. True or False?

True

The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. True or False?

True

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. True or False?

Disaster Recovery Plan

Strategies to limit losses before and during a disaster are covered by what plan in the mitigation control approach?

Inform

The NIST risk management approach includes all but what element?

Appetite

The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.

Maintenance

What affects the cost of a control?

Risk Appetite

What can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

Mitigation

What describes an organization's efforts to reduce damage caused by a realized incident or disaster?

Manufacturer's Part Number

What distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

qualitative assessment of many risk components

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

Interaction with trainer is possible

What is an advantage of the formal class method of training?

Resource intensive, to the point of being inefficient

What is a disadvantage of the one-on-one training method?

MAC address

What is a network device attribute that is tied to the network interface?

IP Address

What is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

Estimate Control Strength

What is a step in Stage 2 - Evaluate Loss Event Frequency of the FAIR risk management framework?

Outdated Servers

What is an example of a technological obsolescence threat?

Vulnerabilities

What is defined as specific avenues that threat agents can exploit to attack an information asset?

Hire expert consultants

What is not a step in the process of implementing training?

Reduce the incidence of accidental security breaches

What is the SETA program designed to do?

Identify program scope, goals, and objectives

What is the first step in the process of implementing training?

Security Newsletter

What is the most cost-effective method for disseminating security information and news to employees?

Organizational Culture

What is the most influential in determining how to structure an information security program?

Cost-Benefit analysis

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

Exploited

When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.

It should be tested with multiple browsers

Which of the following is true about a company's InfoSec awareness Web site?

Discretionary access controls

Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?

Delphi

In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?

threat

The __________ level and an asset's value should be a major factor in the risk control strategy selection.

Need-to-know

The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.

Compliance/Audit

Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

Biba

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones?

Defense

Application of training and education is a common method of which risk control strategy?

Relative

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

factor analysis

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

Corrective

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

Cost of Prevention

Determining the cost of recovery from an attack is one calculation that must be made to identify risk. What is another?

Executive management must develop corporate-wide policies

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest. Which of the following is not one of them?

False

Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. True or False?

True

Lattice-based access control specifies the level of access each subject has to each object, if any. True or False?

False

Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

Management

Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

True

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. True or False?

False

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. True or False?

True

Small organizations spend more per user on security than medium- and large-sized organizations. True or False?

True

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. True or False?

Risk Determination

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but what?

Infosec Community Analysis

The Microsoft Risk Management Approach includes four phases. What is NOT one of them?

Transferal

The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

SETA

The ____________________________ program is designed to reduce the incidence of accidental security breaches by members of the organization.

True

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. True or False?

Awareness

The goal of a security ____________________ program is to keep information security at the forefront of users' minds on a daily basis.

Risk Analysis

The identification and assessment of levels of risk in an organization describes _______________________________.

Consultant

The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.

Calculating the risks to which assets are exposed in their current setting

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Access Control Lists

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

False

Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world. True or False?

True

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. True or False?

No changes by authorized subjects without external validation

What is NOT a change control principle of the Clark-Wilson model?

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

What is NOT a valid rule of thumb on risk control strategy selection?

Uncertainty Percentage

What is NOT among the typical columns in the ranked vulnerability risk worksheet?

Listing assets in order of importance

What is the final step in the risk identification process?

Benefit

What is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset?

Documented control strategy

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

Risk assessment

Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

Security Model

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

COBIT

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute?

TCSEC

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

Security Awareness

A SETA program consists of three elements: security education, security training, and _____________________________.

False

A security blueprint is the outline of the more thorough security framework. True or False?

Builders

A study of information security positions found they can be classified into one of three types: ___________________________ are the real technical types, who create and install security solutions.

Uncertainty

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

Assessment

An organization carries out a risk ______________________ function to evaluate risks present in IT initiatives and/or systems.

Assets

An organization's information security program refers to the structure and organization of the effort that strives to contain the risks to the information __________________ of the organization.

Comprehensive

Classification categories must be ____________________ and mutually exclusive.

Comprehensive

Classification categories must be mutually exclusive and _________________________.

Physical

GGG security is commonly used to describe which aspect of security?

False

Having an established risk management program means that an organization's assets are completely protected. True or False?

Risk assessment factors

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability is the definition of __________________________________.

By adding barriers

The purpose of SETA is to enhance security in several ways. Which of the following is not one of them?

Mitigation

The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________ .

False

The security education, training, and awareness (SETA) program is designed to reduce the incidence of external security attacks. True or False?

Technology product

The three methods for selecting or developing advanced technical training are by job category, by job function, and by _____________________________.

False

Threats from insiders are more likely in a small organization than in a large one. True or False?

Security Model

To design a security blueprint, an organization can use a(n) ____________________, which is a generic blueprint offered by a service organization.

Need-to-know

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

Least Privilege

Which access control principle specifies that members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties?

Planning

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

Private

Which of the following is NOT one of the five levels in the U.S. military data classification scheme?

Covert

____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.

Assigning a value to each information asset

Two of the activities involved in risk management include identifying risks and assessing risks. What activity is part of the risk identification process?

Physical Location

What does NOT apply to software information assets?

Nondiscretionary

Which type of access controls can be role-based or task-based?
