SRA111 PreQuiz4

Card Set Information

Author:
guntoro
ID:
245285
Filename:
SRA111 PreQuiz4
Updated:
2013-12-07 11:31:23
Tags:
SRA111 PreQuiz4
Folders:

Description:
SRA111 PreQuiz4
Show Answers:

Home > Flashcards > Print Preview

The flashcards below were created by user guntoro on FreezingBlue Flashcards. What would you like to do?


  1. 1. The general management of an organization must structure the IT and information security functions to defend the organization’s information assets. (T/F)
    True
  2. 2. “If you realize you do not know the enemy, you will gain an advantage in every battle." (Sun Tzu).  (T/F)
    False – If you know your enemy
  3. 3. Risk control is the application of controls to reduce the risks to an organization’s data and information systems. (T/F)
    True
  4. 4. Know yourself means identifying, examining, and understanding the threats facing the organization. (T/F)
    False – Know the enemy
  5. 5. Once the organizational threats have been identified, an assets identification process is undertaken. (T/F)
    False – Once the asset have been identified
  6. 6. Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets. (T/F)
    False – is more difficult
  7. 7. You should adopt naming standards that do not convey information to potential system attackers. (T/F)
    True
  8. 8. When determining the relative importance of each asset, refer to the organization’s mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts. (T/F)
    True
  9. 9. The amount of money spent to protect an asset is based in part on the value of the asset. (T/F)
    True
  10. 10. The value of intellectual property influences asset valuation. (T/F)
    True
  11. 11. You cannot use qualitative measures to rank values. (T/F)
    False - you can
  12. 12. Protocols are activities performed within the organization to improve security. (T/F)
    False – Programs are activities..
  13. 13. Eliminating a threat is an impossible proposition. (T/F)
    False - Possible but difficult
  14. 14. To determine if the risk is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited. (T/F)
    True
  15. 15. Leaving unattended computers on is one of the top information security mistakes made by individuals. (T/F)
    True
  16. 16. Some argue that it is virtually impossible to determine the true value of information and information-bearing assets. (T/F)
    True
  17. 17. CBAs cannot be calculated after controls have been functioning for a time. (T/F)
    False – CBA can (after & before)
  18. 18. Metrics-based measures are generally less focused on numbers and more strategic than process-based measures. (T/F)
    False – Metrics-based measures are generally more focused on numbers
  19. 19. Best business practices are often called recommended practices. (T/F)
    True
  20. 20. Organizations should communicate with system users throughout the development of the security program, letting them know that change are coming. (T/F)
    True
  21. 21. The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment. (T/F)
    True
  22. 22. Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. (T/F)
    True
  23. 23. Risk control is the examination and documenting of the security posture of an organization’s information technology and the risks it faces. (T/F)
    False - Risk Identification is
  24. 24. Mutually exclusive means that all information assets must fit in the list somewhere. (T/F)
    False – Comprehensive means that all information assets …
  25. 25. One way to determine which information assets are critical is by evaluating how much of the organization’s revenue depends on a particular asset. (T/F)
    True
  26. 26. Each of the threats faced by an organization must be examined to assess its potential to endanger the organization and this examination is known as a threat profile. (T/F)
    False - is known as a threat assessment
  27. 27. Risk evaluation assigns a risk rating or score to each information asset. (T/F)
    False – Risk assessment
  28. 28. Policies are documents that specify an organization’s approach to security. (T/F)
    True
  29. 29. Program-specific policies address the specific implementations or applications of which users should be aware. (T/F)
    False - Issue-specific policies
  30. 30. The most common of the mitigation procedures is the disaster recovery plan. (T/F)
    True
  31. 31. The mitigate control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. (T/F)
    True
  32. 32. Likelihood risk is the risk to the information asset that remains even after the application of controls. (T/F)
    False - Residual risk is
  33. 33. Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability. (T/F)
    True
  34. 34. ALE determines whether or not a particular control alternative is worth its cost. (T/F)
    False - CBA determines….
  35. 35. A(n) qualitative assessment is based on characteristics that do not use numerical measures. (T/F)
    True
  36. 36. Qualitative-based measures are comparisons based on numerical standards, such as numbers of successful attacks. (T/F)
    False – Metrics-based measures
  37. 37. Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. (T/F)
    True
  38. 38. In information security, benchmarking is the comparison of security activities and events against the organization’s future performance. (T/F)
    False – baselining is
  39. 39. Within organizations, technical feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest. (T/F)
    False - political feasibility
  40. 40. Risk measure defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. (T/F)
    False – Risk appetite
  41. 41. Risk ____ is the application of controls to reduce the risks to an organization’s data and information systems.
    A) management
    B) control
    C) identification
    D) security
    B
  42. 42. The concept of competitive ____ refers to falling behind the competition.
    A) disadvantage
    B) drawback
    C) failure
    D) shortcoming
    A
  43. 43. The first phase of risk management is ____.
    A) risk identification
    B) design
    C) risk control
    D) risk evaluation
    A
  44. 44.____ addresses are sometimes called electronic serial numbers or hardware addresses.
    A) HTTP
    B) IP
    C) DHCP
    D) MAC
    D
  45. 45. Many corporations use a ____ to help secure the confidentiality and integrity of information.
    A) system classification scheme
    B) data restoration scheme
    C) data hierarchy
    D) data classification scheme
    D
  46. 46. A(n) ____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
    A) IP
    B) FCO
    C) CTO
    D) HTTP
    B
  47. 47. The military uses a ____-level classification scheme.
    A) three
    B) four
    C) five
    D) six
    C
  48. 48. In the U.S. military classification scheme, ____ data is any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
    A) confidential
    B) secret
    C) top secret
    D) sensitive
    A
  49. 49. Management of classified data includes its storage and ____.
    A) distribution
    B) portability
    C) destruction
    D) All of the above
    D
  50. 50. There are individuals who search trash and recycling — a practice known as ____ — to retrieve information that could embarrass a company or compromise information security.
    A) side view
    B) dumpster diving
    C) recycle diving
    D) garbage collection
    B
  51. 51. In a(n) ____, each information asset is assigned a score for each of a set of assigned critical factor.
    A) OPSEC
    B) COMSEC
    C) weighted factor analysis
    D) data classification scheme
    C
  52. 52.____ equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty.
    A) Probability
    B) Risk
    C) Possibility
    D) Chance
    B
  53. 53. The ____ security policy is an executive-level document that outlines the organization’s approach and attitude towards information security and relates the strategic value of information security within the organization.
    A) general
    B) agency
    C) issue-specific
    D) system-specific
    A
  54. 54. The ____ security policy is a planning document that outlines the process of implementing security in the organization.
    A) program
    B) agency
    C) issue-specific
    D) system-specific
    A
  55. 55.____ policies address the particular use of certain systems.
    A) Systems-specific
    B) General
    C) Network-specific
    D) Platform-specific
    A
  56. 56. The ____ strategy attempts to prevent the exploitation of the vulnerability.
    A) suspend control
    B) defend control
    C) transfer control
    D) defined control
    B
  57. 57. The ____ strategy attempts to shift risk to other assets, other processes, or other organizations.
    A) transfer control
    B) defend control
    C) accept control
    D) mitigate control
    A
  58. 58. The actions an organization can and perhaps should take while an incident is in progress should be specified in a document called the ____ plan.
    A) BC
    B) DR
    C) IR
    D) BR
    C
  59. 59.____ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
    A) IR
    B) DR
    C) BC
    D) BR
    B
  60. 60. The ____ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
    A) avoidance of risk
    B) transference
    C) mitigation
    D) accept control
    D
  61. 61. The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____.
    A) ARO
    B) CBA
    C) ALE
    D) SLE
    B
  62. 62.____ is simply how often you expect a specific type of attack to occur.
    A) ARO
    B) CBA
    C) ALE
    D) SLE
    A
  63. 63. When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a(n) ____.
    A) due diligence action
    B) best practice
    C) golden standard action
    D) standard of due care
    D
  64. 64.____ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
    A) Organizational
    B) Technical
    C) Operational
    D) Political
    C
  65. 65. Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
    A) benefit
    B) appetite
    C) acceptance
    D) avoidance
    B
  66. 66. ____________________ involves three major undertakings: risk identification, risk assessment, and risk control.
    Risk management
  67. 67. ____________________ is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
    Risk management
  68. 68.____________________ are defined as information and the systems that use, store, and transmit information.
    Assets
  69. 69.____________________ components account for the management of information in all its states: transmission, processing, and storage.
    Data
  70. 70. For hardware devices, the ____________________ number is used by the network operating system to identify a specific network device.
    MAC address
  71. 71. All information that has been approved by management for public release has a(n) ____________________ classification.
    External
  72. 72.Overriding an employee’s security ____________________ requires that the need-to-know standard be met.
    clearance
  73. 73. A(n) ____________________ desk policy requires that employees secure all information in appropriate storage containers at the end of each day.
    clean
  74. 74. Once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as ____________________ analysis.
    Weighted factor
  75. 75. After identifying and performing the preliminary classification of an organization’s information assets, the analysis phase moves on to an examination of the ____________________ facing the organization.
    threats
  76. 76. You can assess the relative risk for each of the vulnerabilities by a process called risk ____________________.
    assessment
  77. 77.____________________ is the probability that a specific vulnerability within an organization will be successfully attacked.
    likelihood
  78. 78. Security ____________________ are the technical implementations of the policies defined by the organization.
    technologies
  79. 79. The ____________________ strategy is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
    Defend control
  80. 80. The ____________________ control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
    mitigation
  81. 81. Of the three types of mitigation plans, the _________________________ plan is the most strategic and long term.
    Business continuity
  82. 82. Cost ____________________ is the process of preventing the financial impact of an incident by implementing a control.
    avoidance
  83. 83. Asset ____________________ is the process of assigning financial value or worth to each information asset.
    valuation
  84. 84. A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.
    expectancy
  85. 85.____________________ is the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization.
    benchmarking
  86. 86. The difference between an organization’s measures and those of others is often referred to as a performance ____________________.
    gap
  87. 87. Due ____________________ is the demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection.
    diligence
  88. 88. A(n) ____________________ is a “value or profile of a performance metric against which changes in the performance metric can be usefully compared.”
    baseline
  89. 89. Operational ____________________ analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
    feasibility
  90. 90. Behavioral feasibility is also known as _________________________.
    Operational feasibility

What would you like to do?

Home > Flashcards > Print Preview