SRA111 PreQuiz 1-5

Card Set Information

Author: guntoro
ID: 251826
Updated: 2013-12-08 21:13:04
Tags: SRA111 PreQuiz
Description: SRA111 PreQuiz 1-5

  1. 1.Policies are written instructions for accomplishing a specific task. (T/F)
    False - Procedures
  2. 2.In general, protection is “the quality or state of being secure—to be free from danger.” (T/F)
    False - Security is
  3. 3.The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC). (T/F)
    False - the maintenance and change phase is the longest and most expensive
  4. 4.The primary threats to security during the early years of computers were physical theft of equipment, espionage against the products of the systems, and sabotage. (T/F)
    True
  5. 5.A project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas. (T/F)
    True
  6. 6.Confidentiality ensures that only those with the rights and privileges to access information are able to do so. (T/F)
    True
  7. 7.A famous study entitled “Protection Analysis: Final Report” was published in ____.
    A) 1978
    B) 1998
    C) 1988
    D) 1868
    A) 1978
  8. 8.The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
    A) ISO
    B) CISO
    C) CTO
    D) CIO
    B) CISO
  9. 9.____ is the predecessor to the Internet.
    A) DES
    B) FIPS
    C) ARPANET
    D) NIST
    C) ARPANET
  10. 10.A(n) ____________ is a formal approach to solving a problem by means of a structured sequence of procedures.
    methodology
  11. 11.____ of information is the quality or state of being genuine or original.
    A) Spoofing
    B) Confidentiality
    C) Authorization
    D) Authenticity
    D) Authenticity
  12. 12.An information system is the entire set of ____, people, procedures, and networks that make possible the use of information resources in the organization.
    A) data
    B) hardware
    C) all of the above
    D) software
    C) all of the above
  13. 13.Of the two approaches to information security implementation, the top-down approach has a higher probability of success. (T/F)
    True
  14. 14.____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.
    A) Standard
    B) Object
    C) Personal
    D) Physical
    D) Physical
  15. 15.____________enables authorized users — persons or computer systems — to access information without interference or obstruction and to receive it in the required format.
    Availability
  16. 16.The Security Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system (T/F)
    False - System Development Life Cycle (SDLC)
  17. 17.During the ____ phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design.
    A) investigation
    B) physical design
    C) implementation
    D) analysis
    B) physical design
  18. 18.Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, which is often referred to as a bottom-up approach. (T/F)
    True
  19. 19.The bottom-up approach to information security has a higher probability of success than the top-down approach. (T/F)
    False
  20. 20.In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed — but eventually the employee gets something complete or useable. (T/F)
    True
  21. 21.A breach of possession always results in a breach of confidentiality. (T/F)
    False - possession can be breached without confidentiality, e.g. an encrypted backup is stolen but never decrypted
  22. 22.The CNSS model of information security evolved from a concept developed by the computer security industry known as the _______________ triangle.
    CIA
  23. 23. _________________ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.
    Authenticity
  24. 24.The value of information comes from the characteristics it possesses. (T/F)
    True
  25. 25.The ________________ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
    analysis
  26. 1.The ____ data file contains the hashed representation of the user’s password.
    A) FBI
    B) SNMP
    C) SLA
    D) SAM (Security Account Manager)
    D) SAM
  27. 2.A firewall is a mechanism that keeps certain kinds of network traffic out of a private network. (T/F)
    True
  28. 3.An act of theft performed by a hacker falls into the category of “theft,” but is also often accompanied by defacement actions to delay discovery and thus may also be placed within the category of “forces of nature.” (T/F)
    False - Deliberate acts of sabotage or vandalism
  29. 4.A timing attack involves the interception of cryptographic elements to determine keys and encryption algorithms. (T/F)
    True (the textbook's definition; in cryptographic practice a timing attack infers secret key material from measured differences in how long an operation takes, rather than from intercepting ciphertext)
  30. 5.Once a(n)________________ has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system.
    Virus
  31. 6.____ are machines that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.
    A) Drones
    B) Servants
    C) Helpers
    D) Zombies
    D) Zombies
  32. 7.Web hosting services are usually arranged with an agreement providing minimum service levels known as a(n) ____.
    A) SSL
    B) SLA (Service Level Agreement)
    C) MIN
    D) MSL
    B) SLA
  33. 8.One form of e-mail attack that is also a DoS is called a mail _________ , in which an attacker routes large quantities of e-mail to the target.
    bomb
  34. 9.The shoulder _________________ technique is used in public or semipublic settings when individuals gather information they are not authorized to have by looking over another individual’s shoulder or viewing the information from a distance.
    surfing
  35. 10.A sniffer program shows all the data going by on a network segment including passwords, the data inside files—such as word-processing documents—and screens full of sensitive data from applications. (T/F)
    True
  36. 11.The application of computing and network resources to try every possible combination of options of a password is called a brute ______________ attack.
    force
  37. 12.Information security’s primary mission is to ensure that systems and their contents retain their confidentiality at all costs. (T/F)
    False
  38. 13.ESD means electrostatic ____________________.
    discharge
  39. 14.A(n) ____________________ is an object, person, or other entity that represents an ongoing danger to an asset.
    threat
  40. 15.____________________ is a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host.
    Spoofing
  41. 16.The ____ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
    A) WWW
    B) HTTP
    C) FTP
    D) TCP
    D) TCP
  42. 17.A(n) ____________________ is an identified weakness in a controlled system, where controls are not present or are no longer effective.
    vulnerability
  43. 18.One form of online vandalism is ____ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
    A) hacktivist
    B) phvist
    C) hackcyber
    D) cyberhack
    A) hacktivist
  44. 19.A worm can deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. (T/F)
    True
  45. 20.A momentary low voltage is called a(n) ____________________.
    sag
  46. 21.In the well-known ____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
    A) sniff-in-the-middle
    B) man-in-the-middle
    C) zombie-in-the-middle
    D) server-in-the-middle
    B) man-in-the-middle
  47. 22.A(n) ____________________ is an act that takes advantage of a vulnerability to compromise a controlled system.
    attack
  48. 23.A worm requires that another program is running before it can begin functioning. (T/F)
    False - a worm does not need another program to run
  49. 24.A ____ is an attack in which a coordinat
    A) virus
    B) spam
    C) distributed denial-of-service
    D) denial-of-service
    C) distributed denial-of-service
  50. 25.A virus or worm can have a payload that installs a(n) ____________________ door or trap door component in a system, which allows the attacker to access the system at will with special privileges.
    back
  51. 26.____ is an integrated system of software, encryption methodologies, and legal agreements that can be used to support the entire information infrastructure of an organization.
    A) SSL
    B) SIS
    C) PKI (Public Key Infrastructure)
    D) PKC
    C) PKI
  52. 27.A __________________ threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
    polymorphic
  53. 28.The ___________ virus infects the key operating system files located in a computer’s boot sector.
    boot
  54. 29.DoS attacks cannot be launched against routers. (T/F)
    False
  55. 30.Packet _____________ use automated exploits to engage in distributed denial-of-service attacks.
    monkeys
  56. 31.A number of technical mechanisms—digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to enforce copyright laws. (T/F)
    True
  57. 32.Acts of ____ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
    A) security
    B) trespass
    C) bypass
    D) nature
    B) trespass
  58. 33.Complete loss of power for a moment is known as a ____.
    A) blackout
    B) sag
    C) fault
    D) brownout
    C) fault
  59. 34.Attacks conducted by scripts are usually unpredictable. (T/F)
    False
  60. 35.The timing attack explores the contents of a Web browser’s ____________________.
    cache
  61. 36.The term _______________ is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication.
    cracker
  62. 37.Script ____________________ are hackers of limited skill who use expertly written software to attack a system.
    kiddies
  63. 38.A(n) ____________________ is an application error that occurs when more data is sent to a program buffer than it is designed to handle.
    buffer overflow
  64. 39.A(n) ____________________ hacks the public telephone network to make free calls or disrupt services.
    phreaker
  65. 40.Which of the following functions does information security perform for an organization?
    A) Protecting the organization's ability to function.
    B) Enabling the safe operation of applications implemented on the organization's IT systems.
    C) All of the above.
    D) Protecting the data the organization collects and uses.
    C) All of the above.
  66. 41.Forces of nature, force majeure, or acts of God can present some of the most dangerous threats, because they usually occur with very little warning and are beyond the control of people. (T/F)
    True
  67. 42.Sniffers often work on TCP/IP networks, where they’re sometimes called __________________ sniffers.
    packet
  68. 43.____ is any technology that aids in gathering information about a person or organization without their knowledge.
    A) Spyware
    B) Trojan
    C) Worm
    D) A bot
    A) Spyware
  69. 44.A(n) ____________________ is a malicious program that replicates itself constantly, without requiring another program environment.
    worm
  70. 45.When voltage levels ____________ (experience a momentary increase), the extra voltage can severely damage or destroy equipment.
    spike
  71. 46.____ are software programs that hide their true nature, and reveal their designed behavior only when activated.
    A) Spam
    B) Viruses
    C) Worms
    D) Trojan Horses
    D) Trojan Horses
  72. 47.“4-1-9” fraud is an example of a ____ attack.
    A) spam
    B) social engineering
    C) worm
    D) virus
    B) social engineering
  73. 48.With the removal of copyright protection, software can be easily distributed and installed. (T/F)
    True
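The cards on the SAM file (which stores hashed rather than plaintext passwords) and on brute force attacks describe the same offline scenario: an attacker holds a hash and tries candidates until one hashes to the same value. The following is an added example, not part of the card set or its textbook; hash_password() is a constructed stand-in for an unsalted fast hash, and the target password, charset and wordlist are constructed for illustration.

```python
"""Added example (not from the card set): offline dictionary and brute force
attacks against a hashed password, as described by the SAM and brute force cards.

hash_password() is a constructed stand-in for an unsalted, fast hash such as an
attacker would recover from a dumped credential file; the target password and
wordlist below are constructed for illustration only."""
import hashlib
import itertools
import string


def hash_password(password: str) -> str:
    """Unsalted, fast hash: every guess costs one cheap hash computation."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def keyspace_size(charset: str, max_len: int) -> int:
    """Number of candidates of length 1..max_len drawn from the charset."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


def dictionary_attack(target_hash: str, wordlist):
    """Try each word in the list first; cheap, and how most real cracks start.

    Returns (word, attempts) on a hit or (None, words tried) otherwise."""
    for attempts, word in enumerate(wordlist, start=1):
        if hash_password(word) == target_hash:
            return word, attempts
    return None, len(wordlist)


def brute_force(target_hash: str, charset: str, max_len: int):
    """Try every combination of the charset up to max_len characters.

    Returns (password, attempts) on success or (None, attempts) when the
    keyspace is exhausted; attempts counts hashes computed."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


# Constructed illustration data: a short password and a tiny wordlist.
CHARSET = string.ascii_lowercase + string.digits
TARGET_HASH = hash_password("ab1")
WORDLIST = ["password", "letmein", "123456", "welcome"]

if __name__ == "__main__":
    print("keyspace, up to 3 chars of [a-z0-9]:", keyspace_size(CHARSET, 3))
    print("dictionary attack:", dictionary_attack(TARGET_HASH, WORDLIST))
    print("brute force:", brute_force(TARGET_HASH, CHARSET, 3))
    # Each extra character multiplies the work by len(CHARSET). A per-user salt
    # stops one table of precomputed hashes being reused across accounts, and a
    # deliberately slow hash (PBKDF2, bcrypt, scrypt) raises the cost of every guess.
```

Running the block cracks the three-character password in under 1,400 hashes; raising the length to eight over the same charset puts the keyspace above 2.8 trillion, which is the whole argument for password length, salting and slow hashes.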
  74. 1.The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. (T/F)
    False - laws carry the authority of a governing body; ethics do not
  75. 2.Due care requires that an organization make a valid effort to protect others and continually maintain this level of effort. (T/F)
    False - Due Diligence
  76. 3.HIPAA specifies particular security technologies for each of the security requirements to ensure the privacy of the health-care information. (T/F)
    False - HIPAA does not specify particular technologies
  77. 4.Every state has implemented uniform laws and regulations placed on organizational use of computer technology. (T/F)
    False - Not Uniform
  78. 5.The United States has implemented a version of the DMCA law called the Database Right, in order to comply with Directive 95/46/EC. (T/F)
    False - the Database Right is a UK law, not a U.S. one
  79. 6.The Association for Computing Machinery and the Information Systems Security Association have the authority to banish violators of their ethical standards from practicing their trade. (T/F)
    False - they cannot banish violators from practicing their trade
  80. 7.Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of another national group. (T/F)
    True
  81. 8.Studies have reported that the Pacific Rim countries of Singapore and Hong Kong are hotbeds of software piracy. (T/F)
    True
  82. 9.The difference between a policy and a law is that ignorance of a law is an acceptable defense. (T/F)
    False - ignorance of a policy is an acceptable defense; ignorance of a law is not
  83. 10.The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, the resources. (T/F)
    False - the FBI, NSA and Secret Service share this role with DHS
  84. 11.Ethics define socially acceptable behaviors. (T/F)
    True
  85. 12.Civil law addresses activities and conduct harmful to society and is actively enforced by the state. (T/F)
    False - Criminal Law
  86. 13.The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release information about national security. (T/F)
    False - it holds them accountable for releasing private information about individuals and businesses
  87. 14.Intellectual privacy is recognized as a protected asset in the United States. (T/F)
    False - Intellectual Property
  88. 15.In a study on software license infringement, those from the United States were significantly more permissive. (T/F)
    False - the Netherlands
  89. 16.The Department of Homeland Security was created in 1999. (T/F)
    False - 2003 (established by the Homeland Security Act of 2002)
  90. 17.The Federal Bureau of Investigation’s National InfraGard Program serves its members in four basic ways: Maintains an intrusion alert network using encrypted e-mail; Maintains a secure Web site for communication about suspicious activity or intrusions; Sponsors local chapter activities; Operates a help desk for questions. (T/F)
    True
  91. 18.The U.S. Secret Service is a department within the Department of the Interior. (T/F)
    False - historically the Department of the Treasury; part of the Department of Homeland Security since 2003
  92. 19.The communications networks of the United States carry more funds than all of the armored cars in the world combined. (T/F)
    True
  93. 20.Deterrence can prevent an illegal or unethical activity from occurring. (T/F)
    True
  94. 21.____ law comprises a wide variety of laws that govern a nation or state.
    A) Public
    B) Civil
    C) Private
    D) Criminal
    B) Civil
  95. 22.____ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
    A) Public
    B) Criminal
    C) Civil
    D) Private
    A) Public
  96. 23.The Computer ____ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
    A) Usage
    B) Theft
    C) Violence
    D) Fraud
    D) Fraud
  97. 24.According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except ____.
    A) to harass
    B) for private financial gain
    C) for purposes of commercial advantage
    D) in furtherance of a criminal act
    A) to harass
  98. 25.The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any ____ purposes.
    A) billing
    B) marketing
    C) troubleshooting
    D) customer service
    B) marketing
  99. 26.The ____ Portability and Accountability Act Of 1996, also known as the Kennedy-Kassebaum Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
    A) Telecommunications
    B) Health Insurance
    C) Computer
    D) Customer
    B) Health Insurance
  100. 27.What is the subject of the Computer Security Act?
    A) Federal Agency Information Security
    B) Telecommunications Common Carriers
    C) Cryptography Software Vendors
    D) Banking Industry
    A) Federal Agency Information Security
  101. 28.The ____ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
    A) Gramm-Leach-Bliley Act
    B) Security and Freedom through Encryption Act
    C) Sarbanes-Oxley Act
    D) U.S.A. Patriot Act
    B) Security and Freedom through Encryption Act
  102. 29.Which of the following countries reported generally intolerant attitudes toward personal use of organizational computing resources?
    A) United States
    B) Singapore
    C) Australia
    D) Sweden
    B) Singapore
  103. 30.Criminal or unethical ____ goes to the state of mind of the individual performing the act.
    A) attitude
    B) intent
    C) accident
    D) ignorance
    B) intent
  104. 31.____________________ are rules that mandate or prohibit certain behavior in society.
    Laws
  105. 32.Guidelines that describe acceptable and unacceptable employee behaviors in the workplace are known as ____________________.
    Policies
  106. 33.Family law, commercial law, and labor law are all encompassed by ____________________ law.
    Private
  107. 34.The ____________________ Act of 2001 provides law enforcement agencies with broader latitude in order to combat terrorism-related activities.
    USA Patriot
  108. 35.____________________ information is created by combining pieces of non-private data—often collected during software updates, and via cookies—that when combined may violate privacy.
    Aggregate
  109. 36.The ________________________________________ is the American contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures.
    Digital Millennium Copyright Act (DMCA)
  110. 37.The low overall degree of tolerance for ____________________ system use may be a function of the easy association between the common crimes of breaking and entering, trespassing, theft, and destruction of property to their computer-related counterparts.
    illicit
  111. 38.Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is ____________________.
    education
  112. 39.The ___________________________________ is a respected professional society that was established in 1947 as “the world’s first educational and scientific computing society.”
    Association for Computing Machinery (ACM)
  113. 40.The ________________________________________ Association is a professional association that focuses on auditing, control, and security and whose membership comprises both technical and managerial professionals.
    Information Systems Audit and Control (ISACA)
  114. 1. The general management of an organization must structure the IT and information security functions to defend the organization’s information assets. (T/F)
    True
  115. 2. “If you realize you do not know the enemy, you will gain an advantage in every battle." (Sun Tzu).  (T/F)
    False – the quote is "If you know the enemy and know yourself, you need not fear the result of a hundred battles."
  116. 3. Risk control is the application of controls to reduce the risks to an organization’s data and information systems. (T/F)
    True
  117. 4. Know yourself means identifying, examining, and understanding the threats facing the organization. (T/F)
    False – Know the enemy
  118. 5. Once the organizational threats have been identified, an assets identification process is undertaken. (T/F)
    False – assets are identified first; threats are identified afterward
  119. 6. Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets. (T/F)
    False – is more difficult
  120. 7. You should adopt naming standards that do not convey information to potential system attackers. (T/F)
    True
  121. 8. When determining the relative importance of each asset, refer to the organization’s mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts. (T/F)
    True
  122. 9. The amount of money spent to protect an asset is based in part on the value of the asset. (T/F)
    True
  123. 10. The value of intellectual property influences asset valuation. (T/F)
    True
  124. 11. You cannot use qualitative measures to rank values. (T/F)
    False - you can
  125. 12. Protocols are activities performed within the organization to improve security. (T/F)
    False – programs are activities performed within the organization to improve security
  126. 13. Eliminating a threat is an impossible proposition. (T/F)
    False - Possible but difficult
  127. 14. To determine if the risk is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited. (T/F)
    True
  128. 15. Leaving unattended computers on is one of the top information security mistakes made by individuals. (T/F)
    True
  129. 16. Some argue that it is virtually impossible to determine the true value of information and information-bearing assets. (T/F)
    True
  130. 17. CBAs cannot be calculated after controls have been functioning for a time. (T/F)
    False – a CBA can be calculated both before and after controls are in place
  131. 18. Metrics-based measures are generally less focused on numbers and more strategic than process-based measures. (T/F)
    False – Metrics-based measures are generally more focused on numbers
  132. 19. Best business practices are often called recommended practices. (T/F)
    True
  133. 20. Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming. (T/F)
    True
  134. 21. The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment. (T/F)
    True
  135. 22. Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. (T/F)
    True
  136. 23. Risk control is the examination and documenting of the security posture of an organization’s information technology and the risks it faces. (T/F)
    False - Risk Identification is
  137. 24. Mutually exclusive means that all information assets must fit in the list somewhere. (T/F)
    False – Comprehensive means that all information assets …
  138. 25. One way to determine which information assets are critical is by evaluating how much of the organization’s revenue depends on a particular asset. (T/F)
    True
  139. 26. Each of the threats faced by an organization must be examined to assess its potential to endanger the organization and this examination is known as a threat profile. (T/F)
    False - is known as a threat assessment
  140. 27. Risk evaluation assigns a risk rating or score to each information asset. (T/F)
    False – Risk assessment
  141. 28. Policies are documents that specify an organization’s approach to security. (T/F)
    True
  142. 29. Program-specific policies address the specific implementations or applications of which users should be aware. (T/F)
    False - Issue-specific policies
  143. 30. The most common of the mitigation procedures is the disaster recovery plan. (T/F)
    True
  144. 31. The mitigate control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. (T/F)
    True
  145. 32. Likelihood risk is the risk to the information asset that remains even after the application of controls. (T/F)
    False - Residual risk is
  146. 33. Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability. (T/F)
    True
  147. 34. ALE determines whether or not a particular control alternative is worth its cost. (T/F)
    False - a CBA determines that; ALE is the annualized loss expectancy
  148. 35. A(n) qualitative assessment is based on characteristics that do not use numerical measures. (T/F)
    True
  149. 36. Qualitative-based measures are comparisons based on numerical standards, such as numbers of successful attacks. (T/F)
    False – Metrics-based measures
  150. 37. Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. (T/F)
    True
  151. 38. In information security, benchmarking is the comparison of security activities and events against the organization’s future performance. (T/F)
    False – baselining is the comparison against the organization's own past performance
  152. 39. Within organizations, technical feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest. (T/F)
    False - political feasibility
  153. 40. Risk measure defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. (T/F)
    False – Risk appetite
  154. 41. Risk ____ is the application of controls to reduce the risks to an organization’s data and information systems.
    A) management
    B) control
    C) identification
    D) security
    B
  155. 42. The concept of competitive ____ refers to falling behind the competition.
    A) disadvantage
    B) drawback
    C) failure
    D) shortcoming
    A
  156. 43. The first phase of risk management is ____.
    A) risk identification
    B) design
    C) risk control
    D) risk evaluation
    A
  157. 44.____ addresses are sometimes called electronic serial numbers or hardware addresses.
    A) HTTP
    B) IP
    C) DHCP
    D) MAC
    D
  158. 45. Many corporations use a ____ to help secure the confidentiality and integrity of information.
    A) system classification scheme
    B) data restoration scheme
    C) data hierarchy
    D) data classification scheme
    D
  159. 46. A(n) ____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
    A) IP
    B) FCO
    C) CTO
    D) HTTP
    B
  160. 47. The military uses a ____-level classification scheme.
    A) three
    B) four
    C) five
    D) six
    C
  161. 48. In the U.S. military classification scheme, ____ data is any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
    A) confidential
    B) secret
    C) top secret
    D) sensitive
    A
  162. 49. Management of classified data includes its storage and ____.
    A) distribution
    B) portability
    C) destruction
    D) All of the above
    D
  163. 50. There are individuals who search trash and recycling — a practice known as ____ — to retrieve information that could embarrass a company or compromise information security.
    A) side view
    B) dumpster diving
    C) recycle diving
    D) garbage collection
    B
  164. 51. In a(n) ____, each information asset is assigned a score for each of a set of assigned critical factor.
    A) OPSEC
    B) COMSEC
    C) weighted factor analysis
    D) data classification scheme
    C
  165. 52.____ equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty.
    A) Probability
    B) Risk
    C) Possibility
    D) Chance
    B
  166. 53. The ____ security policy is an executive-level document that outlines the organization’s approach and attitude towards information security and relates the strategic value of information security within the organization.
    A) general
    B) agency
    C) issue-specific
    D) system-specific
    A
  167. 54. The ____ security policy is a planning document that outlines the process of implementing security in the organization.
    A) program
    B) agency
    C) issue-specific
    D) system-specific
    A
  168. 55.____ policies address the particular use of certain systems.
    A) Systems-specific
    B) General
    C) Network-specific
    D) Platform-specific
    A
  169. 56. The ____ strategy attempts to prevent the exploitation of the vulnerability.
    A) suspend control
    B) defend control
    C) transfer control
    D) defined control
    B
  170. 57. The ____ strategy attempts to shift risk to other assets, other processes, or other organizations.
    A) transfer control
    B) defend control
    C) accept control
    D) mitigate control
    A
  171. 58. The actions an organization can and perhaps should take while an incident is in progress should be specified in a document called the ____ plan.
    A) BC
    B) DR
    C) IR
    D) BR
    C
  172. 59. ____ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
    A) IR
    B) DR
    C) BC
    D) BR
    B
  173. 60. The ____ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
    A) avoidance of risk
    B) transference
    C) mitigation
    D) accept control
    D
  174. 61. The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____.
    A) ARO
    B) CBA
    C) ALE
    D) SLE
    B
  175. 62. ____ is simply how often you expect a specific type of attack to occur.
    A) ARO
    B) CBA
    C) ALE
    D) SLE
    A
  176. 63. When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a(n) ____.
    A) due diligence action
    B) best practice
    C) golden standard action
    D) standard of due care
    D
  177. 64. ____ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
    A) Organizational
    B) Technical
    C) Operational
    D) Political
    C
  178. 65. Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
    A) benefit
    B) appetite
    C) acceptance
    D) avoidance
    B
  179. 66. ____________________ involves three major undertakings: risk identification, risk assessment, and risk control.
    Risk management
  180. 67. ____________________ is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
    Risk management
  181. 68. ____________________ are defined as information and the systems that use, store, and transmit information.
    Assets
  182. 69. ____________________ components account for the management of information in all its states: transmission, processing, and storage.
    Data
  183. 70. For hardware devices, the ____________________ number is used by the network operating system to identify a specific network device.
    MAC address
  184. 71. All information that has been approved by management for public release has a(n) ____________________ classification.
    External
  185. 72. Overriding an employee’s security ____________________ requires that the need-to-know standard be met.
    clearance
  186. 73. A(n) ____________________ desk policy requires that employees secure all information in appropriate storage containers at the end of each day.
    clean
  187. 74. Once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as ____________________ analysis.
    Weighted factor
  188. 75. After identifying and performing the preliminary classification of an organization’s information assets, the analysis phase moves on to an examination of the ____________________ facing the organization.
    threats
  189. 76. You can assess the relative risk for each of the vulnerabilities by a process called risk ____________________.
    assessment
  190. 77. ____________________ is the probability that a specific vulnerability within an organization will be successfully attacked.
    likelihood
  191. 78. Security ____________________ are the technical implementations of the policies defined by the organization.
    technologies
  192. 79. The ____________________ strategy is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
    Defend control
  193. 80. The ____________________ control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
    mitigation
  194. 81. Of the three types of mitigation plans, the _________________________ plan is the most strategic and long term.
    Business continuity
  195. 82. Cost ____________________ is the process of preventing the financial impact of an incident by implementing a control.
    avoidance
  196. 83. Asset ____________________ is the process of assigning financial value or worth to each information asset.
    valuation
  197. 84. A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.
    expectancy
  198. 85. ____________________ is the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization.
    benchmarking
  199. 86. The difference between an organization’s measures and those of others is often referred to as a performance ____________________.
    gap
  200. 87. Due ____________________ is the demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection.
    diligence
  201. 88. A(n) ____________________ is a “value or profile of a performance metric against which changes in the performance metric can be usefully compared.”
    baseline
  202. 89. Operational ____________________ analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
    feasibility
  203. 90. Behavioral feasibility is also known as _________________________.
    Operational feasibility
  204. 1. A standard is a plan or course of action that conveys instructions from an organization’s senior management to those who make decisions, take actions, and perform other duties. (T/F)
    False - Policy
  205. 2. Quality security programs begin and end with policy. (T/F)
    True
  206. 3. The ISSP sets out the requirements that must be met by the information security blueprint or framework. (T/F)
    False - EISP
  207. 4. You can create a single comprehensive ISSP document covering all information security issues. (T/F)
    True
  208. 5. Each policy should contain procedures and a timetable for periodic review. (T/F)
    True
  209. 6. A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee’s actions. (T/F)
    False - company will not protect them
  210. 7. ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly. (T/F)
    False - Rule-based policies are more specific than ACLs
  211. 8. To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date. (T/F)
    True
  212. 9. The policy administrator is responsible for the creation, revision, distribution, and storage of the policy. (T/F)
    True
  213. 10. The security framework is a more detailed version of the security blueprint. (T/F)
    False - The security blueprint is a more detailed version of the security framework
  214. 11. Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program. (T/F)
    True
  215. 12. Information security safeguards provide two levels of control: managerial and remedial. (T/F)
    False - Three levels of control: managerial, operational, and technical
  216. 13. Management controls address the design and implementation of the security planning process and security program management. (T/F)
    True
  217. 14. Informational controls guide the development of education, training, and awareness programs for users, administrators, and management. (T/F)
    False - Operational controls
  218. 15. The gateway router can be used as the front-line defense against attacks, as it can be configured to allow only set types of protocols to enter. (T/F)
    True
  219. 16. Every member of the organization needs a formal degree or certificate in information security. (T/F)
    False - Not every member needs a formal degree; they need to be trained and made aware of information security
  220. 17. Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. (T/F)
    True
  221. 18. A disaster recovery plan addresses the preparation for and recovery from a disaster, whether natural or man-made. (T/F)
    True
  222. 19. A cold site provides many of the same services and options of a hot site. (T/F)
    False - Warm sites provide the same services as a hot site. Cold sites provide only rudimentary services and facilities
  223. 20. Disaster recovery personnel must know their roles without supporting documentation. (T/F)
    True
  224. 21. Database shadowing only processes a duplicate in real-time data storage but does not duplicate the databases at the remote site. (T/F)
    False - Not only; it also duplicates the database at the remote site to multiple servers.
  225. 22. The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies. (T/F)
    True
  226. 23. Strategic planning is the process of moving the organization towards its ____.
    A) standard
    B) vision
    C) mission
    D) policy
    B) vision
  227. 24. Standards may be published, scrutinized, and ratified by a group, as in formal or ____ standards.
    A) de public
    B) de facto
    C) de jure
    D) de formale
    C) de jure
  228. 25. A security ____ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
    A) mission
    B) plan
    C) framework
    D) blanket
    C) framework
  229. 26. Effective management includes planning and ____.
    A) organizing
    B) leading
    C) controlling
    D) all of the above
    D) all of the above
  230. 27. The spheres of ____ are the foundation of the security framework and illustrate how information is under attack from a variety of sources.
    A) defense
    B) information
    C) security
    D) assessment
    C) security
  231. 28. ____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
    A) Informational
    B) Operational
    C) Technical
    D) Managerial
    D) Managerial
  232. 29. Redundancy can be implemented at a number of points throughout the security architecture, such as in ____.
    A) firewalls
    B) proxy servers
    C) access controls
    D) all of the above
    D) all of the above
  233. 30. ____ controls address personnel security, physical security, and the protection of production inputs and outputs.
    A) Operational
    B) Informational
    C) Technical
    D) Managerial
    A) Operational
  234. 31. Security ____ are the areas of trust within which users can freely communicate.
    A) layers
    B) perimeters
    C) domains
    D) rectangles
    C) domains
  235. 32. A buffer against outside attacks is frequently referred to as a(n) ____.
    A) proxy server
    B) firewall
    C) DMZ
    D) no-man's land
    C) DMZ
  236. 33. ____-based IDPSs look at patterns of network traffic and attempt to detect unusual activity based on previous baselines.
    A) Firewall
    B) Domain
    C) Host
    D) Network
    D) Network
  237. 34. A(n) ____ plan deals with the identification, classification, response, and recovery from an incident.
    A) BC (Business Continuity)
    B) DR (Disaster Recovery)
    C) CM
    D) IR (Incident Response)
    D) IR (Incident Response)
  238. 35. The first phase in the development of the contingency planning process is the ____.
    A) BRP
    B) DP9
    C) IRP (Incident Response Planning)
    D) BIA (Business Impact Analysis)
    D) BIA (Business Impact Analysis)
  239. 36. An alert ____ is a document containing contact information for the people to be notified in the event of an incident.
    A) plan
    B) message
    C) roster
    D) list
    C) roster
  240. 37. Incident damage ____ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.
    A) assessment
    B) evaluation
    C) plan
    D) recovery
    A) assessment
  241. 38. RAID ____ drives can be hot swapped.
    A) 5
    B) 2
    C) 3
    D) 4
    A) 5
  242. 39. A ____ site provides only rudimentary services and facilities.
    A) cold
    B) hot
    C) cool
    D) warm
    A) cold
  243. 40. The transfer of large batches of data to an off-site facility is called ____.
    A) database shadowing
    B) remote journaling
    C) electronic vaulting
    D) security perimeter
    C) electronic vaulting