IAP301.txt
John works in the accounting department but travels to other company locations. He must present the past quarter's figures to the chief executive officer (CEO) in the morning. He forgot to update the PowerPoint presentation on his desktop computer at the main office. What is at issue here? | Availability of the data
Governance is the practice of ensuring an entity is in conformance to policies, regulations, ________, and procedures. | Standards
COBIT is a widely accepted international best practices policy framework. | True
Which of the following are generally accepted as IA tenets but not ISS tenets? (Select two.) | Authentication; Nonrepudiation
Greg has developed a document on how to operate and back up the new financial section's storage area network. In it, he lists the steps required for powering up and down the system as well as configuring the backup tape unit. Greg has written a ________. | Procedure
When should a wireless security policy be initially written? | After a company decides to implement wireless and before it is installed
A toy company is giving its Web site a much-needed facelift. The new Web site is ready to be deployed. It's late October, and the company wants to have the site ready for the holiday rush. The year-end holiday season accounts for 80 percent of its annual revenue. What process would be of particular importance to the toy company at this time? | Change management
Implementation and enforcement of policies is a challenge. The biggest hindrance to implementation of policies is the ________ factor. | Human
Information systems security policies should support business operations. These policies focus on providing consistent protection of information in the system. This happens by controlling multiple aspects of the information system that directly or indirectly affect normal operations at some point. While there are many different benefits to supporting operations, some are more prevalent than others. Which of the following are aspects of ISS policies that extend to support business operations? | All the above
Ted is an administrator in the server backup area. He is reviewing the contract for the offsite storage facility for validity. This contract includes topics such as the amount of storage space required, the pickup and delivery of media, response times during an outage, and security of media within the facility. This contract is an example of information security. | false
A weakness is found in a system's configuration which could expose client data to unauthorized users. Which of the following best describes the problem? | A new vulnerability was discovered. A new risk was discovered.
What is policy compliance? | Adherence to an organization's policy
What is an automated control? | A control that stops behavior immediately and does not rely on human decisions
Which of the following is not a business driver? | Ability to acquire the newest technology
A firewall is generally considered an example of a ________ control. | Preventive
What is an information security policy? | A policy that defines how to protect information in any form
Which of the following is not a type of security control? | Correlative
Tone at the top refers to: | All of the above
Privacy regulations involve two important principles: full disclosure and data encryption. | true
What are the benefits to having a security awareness program emphasize the business risk? | All of the above
Which of the following is not a guideline to be considered when developing policy to secure PII data? | Resiliency; policies provide guidelines for the unexpected
Information used to open or access a bank account is generally considered PII data. | True
Which of the following is not a benefit of having an acceptable use policy? | Prevents employees from misusing the Internet
Mitigating controls always meet the full intent of the policy. | False
Which of the following do you need to measure to achieve operational consistency? | All of the above
Well-defined and properly implemented security policies help the business in which of the following ways? | All of the above
When creating laws and regulations, the government's sole concern is the privacy of the individual. | False
Which of the following are pressures on creating security policies? | All of the above
Which of the following laws require proper security controls for handling privacy data? | All of the above
Which of the following are control objectives for PCI DSS? | A and B only. Maintain an information security policy. Protect cardholder data
Nation-state attacks that try to disrupt the country's critical infrastructure are sometimes referred to as ________. | Cyberterrorism or cyberwarfare
Health care providers are those that process and facilitate billing. | false
The law that attempts to limit children's exposure to sexually explicit material is ________. | CIPA
The only consideration in protecting personal customer information is legal requirements. | false
You should always write new security policies each time a new regulation is issued. | false
What should you ask for to gain confidence that a vendor's security controls are adequate? | An SSAE16 Type II audit
Why is it important to map regulatory requirements to policies and controls? | All of the above
Who typically writes a report to the board of directors on the current state of information security within a company? | A and B: Chief risk officer; Chief information officer
Private WANs must be encrypted at all times. | false
Which of the following attempts to identify where sensitive data is currently stored? | Data Leakage Protection Inventory
Voice over Internet Protocol (VoIP) can be used over which of the following? | both
Which of the following is not one of the seven domains of typical IT infrastructure? | World Area Network Domain
Which of the seven domains refers to the technical infrastructure that connects the organization's LAN to a WAN and allows end users to surf the Internet? | LAN-to-WAN Domain
One key difference between RBAC and ABAC is which of the following? | ABAC is dynamic and RBAC is static.
A ________ is a term that refers to a network that limits what and how computers are able to talk to each other. | Segmented network
A LAN is efficient for connecting computers within an office or groups of buildings. | True
What policy generally requires that employees lock up all documents and digital media at the end of a workday and when not in use? | Clean desk policy
What employees learn in awareness training influences them more than what they see within their department. | false
What kind of workstation management refers to knowing what software is installed? | Discovery management
Always applying the most strict authentication method is the best way to protect the business and ensure achievement of goals. | false
Generally, remote authentication provides which of the following? | More controls than if you were in the office
Remote access does not have to be encrypted if strong authentication is used. | false
Where is a DMZ usually located? | Between the private LAN and public WAN
Dedicated network devices whose only function is to create and manage VPN traffic are called VPN ________. | Concentrators
What is a botnet? | A piece of software a hacker loads onto a device without user knowledge
The minimum standard in authentication for businesses is the use of ________. | IDs and Passwords
Which of the following is a basic element of motivation? | All of the above
Which personality type often breaks through barriers that previously prevented success? | Commanders
Avoiders like to ________ and will do _______ but not much more. | Be in the background; precisely what is asked of them
As the number of specialties increases so does ________. | The cost of business
In hierarchical organizations, the leaders are close to the workers that deliver products and services. | false
User apathy often results in an employee just going through the motions. | True
Which of the following is a method for overcoming apathy? | Engaging in communication
Which department should review policies and standards before official approval? | Legal
Why is HR policy language often intentionally vague? | To avoid being interpreted as an unintended promise
In the case of policies, it is important to demonstrate to the business how policies will reduce risk and will be derived in a way that keeps costs low. | True
An ideal time to refresh security policies is during a reduction in force. | false
Kotter's Eight-Step Change Model can help an organization gain support for _______ changes. | Security policy
When a catastrophic security breach occurs, who is ultimately held accountable by regulators and the public? | Company officers
Which of the following are attributes of entrepreneurs? | A and C: Innovators; more likely to take risks
A control partner's role includes analysis of proposed policy changes and providing an opinion on their viability. | True
Which of the following is the best measure of success for a security policy? | Reduction in risk
A change agent typically will | Challenge whether a company's existing processes represent the best approach
An IT policy framework charter includes which of the following? | A, B, C, and D
Which of the following is the first step in establishing an information security program? | Adoption of an information security policy framework or charter
Which of the following are generally accepted and widely used policy frameworks? (Select three.) | Do not choose NIPP
Security policies provide the "what" and "why" of security measures. | true
________ are best defined as high-level statements, beliefs, goals, and objectives. | Policies
Which of the following is not mandatory? | Guideline
COBIT is a widely accepted international best practices policy framework. | True
Which of the following includes all of the detailed actions and tasks that personnel are required to follow? | Procedure
Accounts that have not been accessed for an extended period of time are often referred to as ________. | Dormant accounts
List the five tenets of information assurance that you should consider when building an IT policy framework. ________ | Confidentiality, integrity, availability, authorization, and nonrepudiation
The purpose of a consequence model is to discipline an employee in order to ensure future compliance with information security policies. | false
When building a policy framework, which of the following information systems factors should be considered? | all
What is the difference between risk appetite and risk tolerance? | Risk appetite measures impact and likelihood, while risk tolerance measures variance from a target goal.
A mitigating control eliminates the risk by achieving the policy goal in a different way. | false
When writing policies and standards, you should address the six key questions who, what, where, when, why, and how. | true
Which of the following are important to consider before a policy? | A and B: Architecture operating model; Intent
Guideline documents are often tied to a specific control standard. | true
Which of the following is not an administrative control? | Logical access control mechanisms
Which of the following are common steps taken in the development of documents such as security policies, standards, and procedures? | Initiation, evaluation, development, approval, publication, implementation, and maintenance
The sole purpose of an architecture operating model is to define how all the business's technology will be implemented. | false
Exceptions or waivers to security policies are a bad idea and should never be approved. | false
Which type of control is associated with responding to and fixing a security incident? | Corrective
List examples of physical security control items. ________ | Answers may include devices and processes used to control physical access; examples include fences, security guards, locked doors, motion detectors, and alarms
A process to refresh policies as needed based on a major event uses the principle called | Lessons learned
A(n) ________ is a plan or course of action used by an organization to convey instructions from its senior-most management to those who make decisions, take actions, and perform other duties on behalf of the organization. | Policy
The principle that states security is improved when it is implemented as a series of overlapping controls is called | Defense in depth
Security principles are needed in the absence of complete information to make high-quality security decisions. | True
"Access to all Organization information resources connected to the <Organization> network must be controlled by using user IDs and appropriate authentication" is a statement you might find in a procedure document. | false
Which of the following does a policy change control board do? | Two answers: Assesses policies and standards and makes recommendations for change; Reviews requested changes to the policy framework
Which of the following is not an IT security policy framework? | ERM
The security committee is the key committee for the CISO. | True
Which of the following are PCI DSS network requirements? | All of the above
Which of the following are common IT framework characteristics? | All of the above
Which of the following applies to both GRC and ERM? | Defines an approach to reduce risk
The underlying concept of SOD is that individuals execute high-risk transactions as they receive pre-approval. | false
A risk management and metrics team is generally the first team to respond to an incident. | false
Once you decide not to eliminate a risk but to accept it, you can ignore the risk. | false
Which of the following is not a key area of improvement noted after COBIT implementation? | Decentralization of the risk function
A security team's organizational structure defines the team's ________. | Priorities or specialties
Implementing a governance framework can allow an organization to systemically identify and prioritize risks. | True
The more layers of approval required for SOD, the more ________ it is to implement the process. | Expensive or burdensome
Asking to borrow someone's keycard could be an example of ________. | Social engineering
All organizations should have a full-time team dedicated to collecting, reviewing, and reporting to demonstrate adherence to regulations. | false
Pretexting is what happens when a hacker breaks into a firewall. | false
You can use a _______ process to grant temporary elevated rights. | Firecall-ID
Security awareness is required by which of the following? | law
A(n) _______ looks at risk and issues an independent opinion. | Auditor
A privileged-level access agreement (PAA) prevents an administrator from abusing elevated rights. | false
Which of the following does an acceptable use policy relate to? | Users accessing the Internet
A(n) _______ has inside information on how an organization operates. | Insider
Social engineering occurs when a hacker posts her victories on a social Website. | false
Typically in large organizations all administrators have the same level of authority. | false
A CISO must _______ risks if the business unit is not responsive. | Escalate
What is the difference between least access privileges and best fit access privileges? | A and B
System accounts are also referred to as _______ accounts. | Service
An interactive service account typically does not have a password. | false
The steps to implement security controls on a firewall would be documented within which of the following? | Procedure
A DMZ separates a LAN from which of the following? | Internet
Visitor control is an aspect of which of the following? | Physical security
Which of the following can you use to segment LANs? | Routers and firewalls
Without a policy that leads to controls that restrict employees from installing their own software on a company workstation, a company could suffer which of the following consequences? | All of the above
Good sources for security policies and standards include which of the following? | All of the above
Two-factor authentication is a typical control used by employees to remotely access which of the following? | LAN
Which document outlines the specific controls that a technology device needs to support? | Baseline standard
EDM typically refers in information security to ________. | Enterprise data management
The content for the documents in the policies and standards library should be written so they are ________ and________. | Cohesive, coherent
Production data should be sanitized before being used in a test environment. | true
Organizations should always create new policies tailored to their needs rather than adopt industry norms found on the Internet. | false
An owner of the data must obtain approval from the custodian of the resource to use the data. | false
What is the difference between a stateless firewall and a stateful one? | A stateless firewall looks at each packet individually, and a stateful firewall examines the packet in the context of the connection and other packets.
Which of the following is not a common need for most organizations to classify data? | Sell information
Authorization is the process used to prove the identity of the person accessing systems, applications, and data. | false
You need to retain data for what major reasons? | All of the above
What qualities should the data owner possess? | All of the above
In all businesses you will always have data that needs to be protected. | true
Risk exposure is best-guess professional judgment using a qualitative technique. | false
The lowest federal government data classification rating for classified material is ________. | Confidential
Federal agencies can customize their own data classification scheme. | false
What is a process to understand business leaders' perspective of risk called? | RCSA
Quality assurance is typically a detective control. | false
Generally, having five to 10 data classifications works best to cover all the possible data needs of an organization. | false
Risk exposure can be expressed in the following manner: ________ = ________ × ________. | Risk exposure = Likelihood the event will occur × Impact if the event occurs
Data in transit is what type of data? | Data traversing a network
Encryption protects data at rest from all type of breaches. | false
All incidents regardless of how small should be handled by an incident response team. | false
Which of the following should not be in an information response team charter? | Detailed line budget
Which of the following IRT members should be consulted before communicating to the public about an incident? | All of the above
As defined by this chapter, what is not a step in responding to an incident? | Creating a budget to compare options
A method outlined in this chapter to determine if an incident is major or minor is to classify an incident with a _______ rating. | Severity
When containing an incident, you should always apply a long-term preventive solution. | false
The IRT starts recording events once an __________. | Incident is declared
During the containment step, you should also gather as much evidence as reasonably possible about the incident. | True
To clean up after an incident, you should always wipe the affected machine clean and rebuild it from scratch. | false
What value does a forensic tool bring? | All of the above
How important is it to identify the attacker before issuing a final IRT report? | Moderately important; nice to have but issue the report if not available
When analyzing an incident, you must try to determine which of the following? | All of the above
Which IRT member is responsible for handling the media? | Public relations
The Business Impact analysis (BIA) is created after the business has created a Business Continuity Plan (BCP). | false
What is the difference between a BCP and a DRP? | A BCP focuses on the business recovery and DRP focuses on technology recovery.
The BIA assessment is created by the IRT team primarily for use during a security incident. | false
Which of the following indicate that the culture of an organization is adopting IT security policies? | All of the above
Effective security policies require that everyone in the organization be accountable for policy implementation. | true
A control environment is defined as: | A term describing the overall way in which the organization's controls are governed and executed
Deliberate acts and malicious behavior by employees are easy to control, especially when proper deterrents are installed. | false
Which of the following is not an organizational challenge when implementing security policies? | Surplus of funding
Which type of plan is critical to ensuring security awareness reaches specific types of users? | Communications plan
Why should a security policy implementation be flexible to allow for updates? | A and C
Which of the following is the least objectionable when dealing with policies with regard to outdated technology? | Write security policies to best practices and issue a policy waiver for outdated technology that inherently cannot comply.
What is a strong indicator that awareness training is not effective? | Sharing your password with a supervisor
A target state is generally defined as: | All of the above
Classroom training for security policy awareness is always the superior option to other alternatives, such as online training. | false
To get employees to comply and accept security policies, the organization must understand the employees' ________ | Motivations or needs
A brown bag session is a formal training event with a tightly controlled agenda. | false
What is the best way to disseminate a new policy? | Intranet
Which of the following is not an organizational gateway committee? | Internal connection committee
A formal communication plan is ________when implementing major security policies. | Always needed
________ often focuses on enterprise risk management across multiple lines of business to resolve strategic business issues. |
The security compliance committee has one role, which is to identify when violations of policies occur. | false
Which of the following is not an access control? | Decryption
In which of the following areas might a company monitor its employees' actions? | All of the above
________ establish how the organization achieves regulatory requirements. | Security policies
Laws define the specific internal IT processes needed to be compliant | false
What is not required in modern-day CISO positions? | Needs to have strong law enforcement background
What is an example of a manual control? | A and C. Background checks. Access rights reviews
A breach of a single customer record cannot be considered a pervasive control weakness. | False; any breach can be a pervasive control weakness, depending on the control that failed.
Connecting a personal device to the company network can create legal implications. | true
Line management does which of the following to make policies operational? | All of the above
In which process would you place quality assurance controls? | Management processes
Which of the following is not reviewed when monitoring a user's e-mail and Internet activity? | Network performance
When testing for security in an application code, the quality assurance process tests ________ the code is in production and quality control tests ________ the code is in production. | Before, after
The operational risk function is responsible for ensuring that the business operates within risk ________ and risk ________. | Appetite, tolerance
An operating system and different applications are installed on a system. The system is then locked down with various settings. You want the same operating system, applications, and settings deployed to 50 other computers. What's the easiest way? | Imaging
After a set of security settings has been applied to a system, there is no need to recheck these settings on the system. | false
The time between when a new vulnerability is discovered and when software developers start writing a patch is known as a ________. | Vulnerability window or security gap
Your organization wants to automate the distribution of security policy settings. What should be considered? | All of the above
Several tools are available to automate the deployment of security policy settings. Some tools can deploy baseline settings. Other tools can deploy changes in security policy settings. | True
An organization uses a decentralized IT model with a central IT department for core services and security. The organization wants to ensure that each department is complying with primary security requirements. What can be used to verify compliance? | Random audits
Change requests are tracked in a control work order database. Approved changes are also recorded in a CMDB. | True
An organization wants to maintain a database of system settings. The database should include the original system settings and any changes. What should be implemented within the organization? | Configuration management
An organization wants to reduce the possibility of outages when changes are implemented on the network. What should the organization use? | Change management
A security baseline image of a secure configuration that is then replicated during the deployment process is sometimes call a ________. | Gold master
Microsoft created the Web-Based Enterprise Management (WBEM) technologies for Microsoft products. | false
A common method of scoring risk is reflected in the following formula: Risk = ________ × ________. | Likelihood × Impact
What is a valid approach for validating compliance to security baseline? | a and b
It is important to protect your gold master because an infected copy could quickly result in widespread infection with malware. | true
A ________ can be used with a downloaded file. It offers verification that the file was provided by a specific entity. It also verifies the file has not been modified. | Digital signature
If an organization implements the COSO internal control framework, then it cannot implement another controls framework like COBIT. | false
Which phase in ISS management life cycle requires regular meetings and good communications with your vendor? | Deliver, Service and Support
Which of the following is NOT a situation in which business liability occurs? | When a company violates the law
If you are a small merchant, you can perform a Qualified Security Assessor (QSA) assessment. | false
Which policy sets rules on what type of website browsing is permitted or if personal e-mails over the Internet are allowed? | Acceptable use policy
Which of the following personality types are well-suited to listening to all stakeholders and crafting security policies that meet both security and business needs? | Achievers
The __________ usually approves and signs the charter. | CEO
The objectives of the policy control board are to | All: Assess policies and standards and make recommendations; Coordinate requests for changes; Review requested changes to the policy framework
COBIT is often silent on how to implement specific controls. | true
Pretending to be from the IT department is called ___________. | Pretexting
Firewall controls, denial of service protection and Wi-Fi security control are examples of control standards for | LAN Domain
Customer records should be kept for | 5 years
Techniques may include questionnaires, interviews and working in groups. | Qualitative techniques
Help analyze the threat and recommend immediate response. | System administrators
Security personnel are either directly or indirectly involved in all of the following activities EXCEPT | Reconstruction
Executive management support is critical in overcoming hindrances. | true
While writing policy, we should use "should" or "expected" statements. | false
How do employees often react when they see coworkers ignoring policies without consequences from managers and supervisors? | They do the same thing
Security policies are legal interpretation of the law. | false
Administrators commonly measure server performance by measuring four core resources, those are: | The processor, the memory, the disk and the network interface
SNMP is used to manage and query network devices. SNMP commonly manages | All of the other choices
What is the complex descriptive conceptual model? | stochastic
Which best describes a physical model? | a tangible representation of something
Which of the following is a powerful graphical tool for analytics? | Wigmore's charting method
What does NIH stand for? | not-invented-here
Which of the following is not a relationship model? | tree
What is a SIGINT denial? | emissions control
What is the finishing step in a cycle of the traditional intelligence cycle? | dissemination
Which of the following is a drawback of the traditional intelligence cycle? | a gap exists between dissemination and needs
What is Occam's razor principle? | explain your observations with the fewest possible hypotheses
Which of the following is not an IT tool for analytics? | Microsoft Project
What is the most complex system? | narcotics distribution system
What is the main reason for the vividness weighting problem? | the channel for communication of intelligence is too short
What is the framing effect? | awareness of the problems in a certain frame
The network perspective suggests that the power of an individual actor arises from relationships with other actors. This concept is called: | equivalence
Which of the following is a projection technique? | influence trees
Which of the following is not a level of conflict? | statistical
In social network analysis, what is the source used to evaluate the centrality concept? | degree, closeness and betweenness
What is the first step of a collection strategy? | examining the relationship
Which of the following is not a characteristic of complex problems? | only one stakeholder
What is the deterrence level? | it focuses on an opponent's potential actions as a way to resolve an already unfavorable situation
What is tradecraft? | the techniques that are standardized in business intelligence
Crisis management is an activity called for at which of the following levels? | defeat
What is the first step of the traditional intelligence cycle? | requirements or needs
What is a passive deception? | decoys
In Wigmore's charting method, what do question marks indicate? | doubt about the probative effect of the evidence
Which of the following is a positive government regulatory force? | intervention
What is cumulative redundancy? | the report does not duplicate information, but it adds credibility to the other reports
What is the first step of the predictive approach? | determine the forces that acted on the entity to bring it to its present state
Which of the following is not a predictive mechanism? | bayesian
What are enigmas? | something that the analyst knows exists with physical evidence
Which of the following is correct pertaining to the stochastic model? | a model that has any uncertainty incorporated into it
What is not SIGINT? | imint
What is the top stage of the generic target model used for describing the development of a technology or product? | production prototype
In the statement of the problem, what is the result needed? | written reports (increasingly in electronic form)
Geospatial intelligence is an example of | imint
What is SIGINT? | intelligence derived from deliberate electronic transmission
What is not an open source in technology assessment? | license
Which one is the correct order of steps of the Risk Identification Techniques? | Identify Asset Value, Identify threats, Identify vulnerabilities, Identify consequences
Total Risk = ? | Threat × Vulnerability × Asset Value
What are the kinds of intrusion detection system? | NIDS and HIDS
A SQL injection attack is a technique that allows an attacker to insert SQL code into data sent to the server, and it is implemented on the database server. | True
Which of the following is a US-based law? | Federal Information Security Management Act (FISMA) 2002
If your company is involved with the sale or trade of securities, what laws should you be aware of? | All of them
A milestone plan chart is a simple graphical representation of major milestones. It shows the major milestones laid out in a graphical format. | true
What is a stakeholder? | An individual or group that has a stake, or interest, in the success of a project
A risk assessment (RA) is? | All of them
Which are critical components of a risk assessment? | Identify scope, Identify critical areas, Identify team
What is asset valuation? | The process of determining the fair market value of an asset
Threat modeling allows you to prioritize attacks based on their probability of occurring and the potential harm. | true
System testing includes? | Both of them
What is functionality testing? | It is primarily used with software development. It helps ensure that a product meets the functional requirements or specifications defined for the product
Technical controls protect the physical environment. They include basics such as locks to protect access to secure areas. They also include environmental controls. | False
A router can filter traffic based on? | All of above
HIPAA is? | Requires the protection of any health-related data
What is the scope of risk management for your organization? | All of above
How many categories of data and information assets are there? | 4
Which of the following is NOT true about risk management techniques? | Performance
Training helps? | Employees understand that security is everyone's responsibility
Among US-based laws, GLBA is? | Gramm-Leach-Bliley Act 1999
What does a quantitative RA use to prioritize a risk? | SLE, ARO, and ALE
Of the following choices, what would be considered an asset? | All of the below
Quantitative risk assessment is objective. It uses data that can be verified. | true
What is created with a risk assessment to track the implementation of the controls? | POAM
How many technical controls are in NIST SP 800-53? | 4
What are the properties of IA? | all of them
The two primary assessments to identify and evaluate vulnerabilities are? | all of them
Techniques for identifying threats include? | Review Historical Data
How many legal requirements, compliance laws, regulations, and mandates are there? | 6
The primary purpose of countermeasures, safeguards, or controls is to mitigate risk by? | Reducing the impact of threats and a vulnerability to an acceptable level
How many preliminary actions need to be completed before progressing with the RA? | 2
How many elements are there to consider when identifying assets and activities within risk assessment boundaries? | 6
A vulnerability assessment may have multiple goals, such as? | All of them
Which of the following is a method to identify assets and activities to be protected? | Manual
What is the third step of business impact analysis planning? | Identify mission-critical business functions and processes
A __________ assessment is used to identify vulnerabilities within an organization | Vulnerability
Who should perform vulnerability assessments? | Either internal or external security professionals, or both
What is the name of a common tool used to perform an automated vulnerability assessment scan? | Nessus
What is a common drawback or weakness of a vulnerability scanner? | A high false-positive error rate
Your organization wants to check compliance with internal rules and guidelines. They want to ensure that existing policies are being followed. What should be performed? | An audit trail
What management program can be implemented to ensure that the configuration of systems is not modified without a formal approval? | Change management
Configuration management ensures that changes are not made to a system without formal approval. | false
Controls can be identified based on their function. The functions are preventative, detective, and corrective. | true
What are the primary objectives of a control? | Prevent, recover, detect
Logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. What is this called? | Non-repudiation
What should you use to ensure that users understand what they can and cannot do on systems within the network? | Rules of behavior
What can be used to ensure confidentiality of sensitive data? | Encryption
What should be logged in an audit log? | Who, what, when, and where details of an event
Which of the following should you match with a control to mitigate a relevant risk? | Threat/vulnerability pair
What does a qualitative RA use to prioritize a risk? | Probability and impact
An organization wants to ensure they can continue mission-critical operations in the event of a disaster. What should they use? | BCP
An organization wants to ensure they can recover a system in the event of a disaster. What should they use? | DRP
Of the following, what should be included in a cost-benefit analysis report? | All of the below
What would an account management policy include? | All of the below
What can be used to help identify mission-critical systems? | Critical business functions
When identifying hardware assets in your organization, what information should you include? | all of them
A BCP and DRP are the same thing. | false
Which statement is incorrect about risk assessment? | Risk assessments are not relevant to a risk management program
Which controls do not belong to the control categories when identifying and evaluating countermeasures? | In-Place and Planned controls
Which definition is true about planned controls? | These are controls that have a specified implementation date.
Which statement is true about physical security controls? | Physical security controls include controls such as locks and guards to restrict physical access
Which statement is true about ARO? | The number of times an incident is expected to occur in a year
When evaluating this type of automated method, there are several other things to consider, such as the following? | Value to the customers
According to Maylor, what are traditionally the three core risk categories? | Cost, schedule, and quality
What are the three stages of cyclical risk management? | Identification, analysis, and monitoring and control
What is one way that you can help to reduce safety risks for your organization's activities and events? | Properly plan by thoroughly thinking through events and activities
How many elements are in system access and availability? | 4
Which of the following is NOT a type of risk management technique? | Against
What is included in an RA that helps justify the cost of a control? | CBA
Which of the following is a physical control? | CCTV
What is a full-scale exercise? | More realistic than either tabletop or functional exercises
What their actual responsibilities are when the BCP is? | Activated
NIST SP 800-53 identifies controls in three primary classes. What are they? | All of the below
A PTZ camera is used within a CCTV system. It can pan, tilt, and zoom. | true
A(n) __________ countermeasure has been approved and has a date for implementation. | In-place
MAO is the minimal acceptable outage that a system or service can have before affecting the mission. | false
Your organization wants to have an agreement with a vendor for an expected level of performance for a service. You want to ensure that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use? | SLA
Routers have __________ to control what traffic is allowed through them. | ACLs
How much can an organization be fined in a year for mistakes that result in noncompliance? | $25,000
The formula for risk is Risk = ? | Threat * Vulnerability
What is not a risk identification technique? | Identify cost of Risk
What is not a risk management technique? | Prevent
What is best for managing threats within your IT infrastructure? | Use access controls
The Federal Information Security Management Act (FISMA) assigns specific agencies responsibility for? | Protecting system and data
Risk assessments are a continuous process. | TRUE
You are evaluating two possible countermeasures to mitigate the risk. Management only wants to purchase one. What can you use to determine which countermeasure provides the best cost benefits? | CBA
An acceptable use policy is an example of an __________ security control. | Administrative
Which one of the following properly defines risk? | Threat X Vulnerability
Which of the following is an accurate pairing of threat categories? | External and internal, Intentional and accidental
A loss of client confidence or public trust is an example of a loss of the following category? | Intangible Value
What is the primary goal of an information security program? | Reduce losses related to loss of confidentiality, integrity, and availability
Which of the following is an industry recognized standard list of common vulnerabilities? | CVE
Which of the following is a goal of a risk management? | Identify the correct cost balance between risk and controls
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing which of the following? | CBA Costs Business Analysis
You have applied controls to minimize risk in the environment. What is the remaining risk called? | Residual risk
Which of the following is NOT the risk management technique? | Migrate
A company decides to reduce losses of a threat by purchasing insurance. Which of the following risk management techniques is this? | Risk Transfer
What is a security policy? | A document created by senior management that identifies the role of security in the organization
You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use? | Principle of least privilege
You want to ensure that users are granted only the permissions needed to access data required to perform their jobs. What should you use? | Principle of need to know
Which of the following security principles divides job responsibilities to reduce fraud? | Separation of duties
What can you use to ensure that unauthorized changes are not made to systems? | Configuration management
What are two types of intrusion detection systems? | Host-based and network-based
A DMZ, or demilitarized zone, is used in a networking context for what primary purpose? | to provide a high level of security for the private network
Why should employers make sure employees take their vacations? | It is a way that fraud can be uncovered.
Which of the following best describes separation of duties and job rotation? | Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.
If a programmer is restricted from updating and modifying production code, what is this an example of? | Separation of duties
What is a stakeholder? | An individual or group that has an interest in the project
What three elements should be included in the findings of the risk management report? | Causes, Criteria, and effects
What is a primary tool used to identify the financial significance of a mitigation tool? | CBA
What is a POAM? | Plan of action and milestones
A POAM is used to track the progress of a project. What type of chart is commonly used to assist with tracking? | GANTT chart
A risk management plan project manager oversees the entire plan. What is the project manager responsible for? | Ensuring costs are controlled -Ensuring the project stays on
What will the scope of a risk management plan define? | Boundaries
What are valid contents of a risk management plan? | Objectives, Scope, Recommendations, POAM
What should be included in the objectives of a risk management plan | A list of threats, vulnerabilities, Costs associated with risks, cba
What problem can occur if the scope of a risk management plan is not defined? | Scope creep
Which of the following is a major component of a risk management plan? | A risk Assessment
What elements are included in a qualitative analysis? | Probability and Impact
One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data? | Uncertainty level
You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations? | Resource Allocation -Risk Acceptance
Of the following, what would be considered a best practice when performing risk assessments? | ALL OF THE BELOW
What must you define when performing a qualitative risk assessment? | Scales used to define probability and impact
What is an ARO? | Annualized Rate of Occurrence
Which choice MOST closely depicts the difference between qualitative and quantitative risk analysis? | A quantitative RA uses less guesswork than a qualitative RA.
A company needs to determine its security budget for the next year. It interviews users, administrators, and managers in the information technology division, who render opinions and recommendations based upon their perceptions of security risk. This is an example of what kind of approach to risk analysis? | Qualitative
When reviewing historical data, you can look at some events. They are... | Attack, Accident, Natural Event, Equipment failures
Laura and her team are diligently working on a company-wide risk assessment initiative. At the conclusion of her team's work, all of the following goals could be met, except: | Countermeasures have been put into place and communicated to the appropriate personnel
Risk assessment is not always met with open arms by management for all of the following reasons except: | Due care and due diligence
Larry is in charge of presenting risk assessment calculations to his boss by the end of the week. He concludes that a server with heavy traffic has an annualized loss expectancy (ALE) of $15,000 with an annualized rate of occurrence (ARO) of 5. What is the server's single loss expectancy (SLE) value? | $3,000
Shirley is in charge of asset identification and classification as part of a risk assessment initiative. In going through an inventory list, she must decide if an asset is tangible or intangible. Which of the following should she mark as intangible? | Reputation
What is a single point of failure? | Any single part of a system that can cause the entire system to fail, if it fails
Intellectual property is an example of | organization's data or information assets
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset? | The level of insurance required to cover the asset
Corruption/modification is one of the biggest threats to an operations environment. Which of the following is the typical culprit in this type of threat? | Employees
Which of the following is an internal threat? | User accidentally deletes new product designs.
Which of the following is NOT a result of a penetration test? | Modify access control permissions
A program that receives too much data so that it cannot execute instructions properly has been exploited by which of the following attacks? | Buffer overflow
Mary is creating malicious code that will steal a user's cookies by modifying the original client-side Javascript. What type of cross-site scripting vulnerability is she exploiting? | DOM-based
What is the first step in an exploit assessment? | The first step in an exploit assessment is to perform a vulnerability test.
When performing exploit assessments, best practice is: | Get permission first, identify as many exploits as possible, Use a gap analysis
You want to identify if any of the discovered vulnerabilities can be exploited. What should you perform? | Exploit assessment
You want to know if users are granted the rights and permissions needed to do their job only, and no more. You should perform which of the following tests? | Access controls
Which of the following is NOT a domain of the COBIT categories? | Support and Monitor
What should you use to ensure that users understand what they can and cannot do on systems within the network? | Rules of behavior
Which of the following is used to identify the impact on an organization if a risk occurs? | Business Impact Analysis (BIA)
What is the scope of risk management for System/Application Domain? | System/Application Domain - A primary requirement to keep these systems secure is to ensure administrators have adequate training and knowledge. Additionally, configuration and change management practices are helpful. Configuration management ensures the systems are configured using sound security practices.
What determines if an organization is governed by FERPA? | If it is a federal agency
Which of the strategies below can help to reduce security gaps even if a security control fails? | Defense in depth
What can be used to remind users of the contents of the AUP? | Logon banners -Posters -E-mails
Which of the following is an accurate pairing of threat categories? | External and internal, intentional and accidental
Which of the following is an industry recognized standard list of common vulnerabilities ? | CVE
Which of the following statements is correct when referring to qualitative risk assessment? | All statements are correct
What is the recovery value? | This is the cost to get the asset operational after a failure
When reviewing historical data, you can look at some events. Which of the following is not one of them? | Attacks, natural events, accidents, equipment failure
Which of the following is an example of the administrative security control? | Policies and procedures, Security plans, Insurance, Personnel checks, Awareness and training, Rules of behavior
Which of the following is an example of the technical security control? | Login identifier, Session timeout, System log, Audit trails, Input validation, Firewalls, Encryption
Awareness and training is an example of | Administrative Control
Laura and her team are diligently working on a company-wide risk assessment initiative. At the conclusion of her team's work, all of the following goals could be met, except: | Countermeasures have been put into place and communicated to the appropriate personnel.
Which of the following is NOT a type of assets? | installed components, hardware peripherals, installed software, update versions, and more
What information do you need to know about hardware assets? | Hardware assets are any assets that you can physically touch. This includes computers such as laptops, workstations, and servers. It also includes network devices such as routers, switches, and firewalls
What is "five nine"? | 99.999 percent up time, is sometimes needed for certain services
What is a single point of failure? | A single point of failure is any part of a system that can cause an entire system to fail, if it fails
What is the risk of the assets in Workstation Domain? | Theft, Update
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset? | Replacement value - This is the cost to purchase a new asset in its place, Recovery value - This is the cost to get the asset operational after a failure.
In best practices for exploit assessments, what is a solution for legal compliance? | Use a gap analysis
Contingency Planning(CP) is an example of | NIST SP 800-53 Operational Controls
Which best describes System and Services Acquisition (SA) control? | The SA family includes many controls related to the purchase of products and services. It also includes controls related to software usage and user installed software
Which best describes Technical controls? | Technical controls are software tools that automate protection. A technical control is enforced using technology
What is a proximity card? | A proximity card is a small credit-card sized device. It includes electronics that will activate when it is close to a proximity reader. The card sends a signal to the reader identifying it. If the card is authorized, the door will open
What is an AUP? | Acceptable use policy (AUP): An AUP defines acceptable use of systems. It identifies what a user can and cannot do on a system. It is sometimes referred to as Rules of Behavior
Which of the following is used to identify the impact on an organization if a risk occurs? | BIA
What is the MAO? | Maximum acceptable outage (MAO)
Which of the following is a valid formula used to identify the projected benefits of a control? | Loss before control - Loss after control = Projected benefits
What is the impact of legal and compliance implications on the LAN-to-WAN Domain? | LAN-to-WAN Domain: A firewall is used to protect a network here. PCI DSS specifically requires a firewall. A library may use a proxy server as a TPM to comply with CIPA. A proxy server has access to the Internet and the internet. It would need additional security to protect it from external attacks.
What determines if an organization is governed by FERPA? | FERPA mandates access to educational records by students or parents. If the school has a large volume of these requests, it could affect regular operations. The school could choose to limit when access to records is granted.
If your organization is governed by FISMA. What is one of the important issues to understand first? | The Federal Information Security Management Act (FISMA) was passed in 2002. Its purpose is to ensure that federal agencies protect their data. It assigns specific responsibilities for federal agencies.
What can be used to remind users of the contents of the AUP? | Companies also sometimes use banners and logon screens to remind personnel of the policy
What is the ROI? | the return on investment
Which of the following is NOT valid contents of a risk management plan? | Objectives, Scope, Recommendations, POAM
Which of the following is NOT included in the objectives of a risk management plan? | A list of threats, vulnerabilities, Costs associated with risks, cba
Which one of the following properly defines total risk? | Threat × Vulnerability × Asset Value
You can completely eliminate risk in an IT environment. | false
Which of the following are accurate pairings of threat categories? (Select two.) | Computer and user
A loss of client confidence or public trust is an example of a loss of ________. | Intangible value
As long as a company is profitable, it does not need to consider survivability. | false
What is the primary goal of an information security program? | To reduce losses related to loss of confidentiality, integrity, and availability
The ________ is an industry-recognized standard list of common vulnerabilities. | CVE
Which of the following is a goal of risk management? | To identify the correct cost balance between risk and controls
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a ________. | CBA or cost-benefit analysis
A company decides to reduce losses of a threat by purchasing insurance. This is known as risk ________. | Transfer
What can you do to manage risk? (Select three.) | Accept, Transfer, Avoid
Who is ultimately responsible for losses resulting from residual risk? | Senior management
You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use? A technical control prevents unauthorized personnel from having physical access to a secure area or secure system. | false
What allows an attacker to gain additional privileges on a system by sending unexpected code to the system? | Buffer overflow
What is hardening a server? | Securing it from the default configuration
Which of the following steps could be taken to harden a server? | All of the above
Which government agency includes the Information Technology Laboratory and publishes SP 800-30? | NIST
ITL and ITIL are different names for the same thing. | false
Which U.S. government agency regularly publishes alerts and bulletins related to security threats? | US-CERT
The CVE list is maintained by ________. | The MITRE Corporation
What is the standard used to create Information Security Vulnerability names? | CVE
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization? | Annually
What law applies to organizations handling health care information? | HIPAA
CEOs and CFOs can go to jail if financial statements are inaccurate. What law is this from? | SOX
What law requires schools and libraries to limit offensive content on their computers? | CIPA
Employees in some companies are often required to take an annual vacation of at least five consecutive days. The purpose is to reduce fraud and embezzlement. What is this called? | Job rotation
Fiduciary refers to a relationship of trust. | true
Merchants that handle credit cards are expected to implement data security. What standard should they follow? | PCI DSS
The National Institute of Standards and Technology published Special Publication 800-30. What does this cover? | Risk assessments
The COBIT framework refers to IT governance. Of the following choices, what best describes IT governance? | Processes to manage IT resources
This standard is focused on maintaining a balance between benefits, risk, and asset use. It is based on five principles and seven enablers. What is this standard? | COBIT
Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifies objectives and controls. Part II is used for certification. | ISO 27002 Information Technology Security Techniques
Which of the following ISO documents provides generic guidance on risk management? | ISO 31000 Risk Management Principles and Guidelines
ITIL is a group of five books developed by the United Kingdom's Office of Government Commerce. | true
In the CMMI, level ______ indicates the highest level of maturity. | 5
The DIACAP is a risk management process applied to IT systems. What happens after a system is accredited? | It receives authority to operate.
What should be included in the objectives of a risk management plan? | All of the above
A key stakeholder should have authority to make decisions about a project. This includes authority to provide additional resources. | true
A risk management plan project manager oversees the entire plan. What is the project manager responsible for? (Select two.) | Ensuring costs are controlled,Ensuring the project stays on schedule
A risk management plan includes steps to mitigate risks. Who is responsible for choosing what steps to implement? | Management
A risk management plan includes a list of findings in a report. The findings identify threats and vulnerabilities. What type of diagram can document some of the findings? | Cause and effect diagram
What three elements should be included in the findings of the risk management report? | Causes, criteria, and effects
A fishbone diagram can link causes with effects. | True
You present management with recommendations from a risk management plan. What can management choose to do? | Accept, defer, or modify the recommendations
What can you use to help quantify risks? | All of the above
A risk ________ is a major component of a risk management plan. | Assessment
A ________ risk assessment uses SLE. | Quantitative
What elements are included in a quantitative analysis? | SLE, ALE, ARO
Qualitative analysis is more time consuming than quantitative analysis. | false
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ________ risk assessment is that it can be completed more quickly than other methods. | Quantitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ________ risk assessment is that it includes details for a cost-benefit analysis. | Quantitative
A ________ risk assessment is objective. It uses data that can be verified. | Quantitative
A ________ risk assessment is subjective. It relies on the opinions of experts | Quantitative
You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations? (Select two.) | Resource allocation, Risk acceptance
Of the following, what would be considered a best practice when performing risk assessments? | All of the above
You are beginning an RA for a system. You should define both the operational characteristics and the mission of the system in the early stages of the RA. | true
Which of the following should you identify during a risk assessment? | All of the above
Of the following choices, what would be considered an asset? | All of the above
When defining the system for the risk assessment, what should you ensure is included? | The current configuration of the system
What can you use to identify relevant vulnerabilities? | A and B only
Which type of assessment can you perform to identify weaknesses in a system without exploiting the weaknesses? | Vulnerability assessment
An acceptable use policy is an example of a(n) ________ control. | Administrative
Your organization requires users to log on with smart cards. This is an example of a(n) ________ control. | Technical
You use video cameras to monitor the entrance of secure areas of your building. This is an example of a(n) ________ control. | Physical
Which of the following should you match with a control to mitigate a relevant risk? | Threat/vulnerability pair
Your organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased? | The operational impact of the control
What is included in an RA that helps justify the cost of a control? | CBA
What is created with a risk assessment to track the implementation of the controls? | POAM
It is possible to ensure a service is operational 99.999 percent of the time even if a server needs to be regularly rebooted. | true
When identifying the assets you have in your organization, what would you include? | A, B, and C
When identifying hardware assets in your organization, what information should you include? | Model and manufacturer, Serial number, Location
An organization may use a ________ rotation policy to help discover dangerous shortcuts or fraudulent activity. | Job
What type of data should be included when identifying an organization's data or information assets? | Organizational data, Customer data, Intellectual property
What is a data warehouse? | A database created by combining multiple databases into a central database
What is data mining? | The process of retrieving relevant data from a data warehouse
You are reviewing your organization's asset management data. You want to ensure that all elements of the organization are included. What can you compare the asset management system against to ensure the entire organization is covered? | The seven domains of a typical IT infrastructure
You are tasked with updating your organization's business continuity plans. When completing this process, you should only include ________ systems. | Mission-critical
What can you use to share or transfer risk associated with potential disasters? | Insurance
An organization wants to determine what the impact will be if a specific IT server fails. What should it use? | BIA
An organization wants to ensure it can continue mission-critical operations in the event of a disaster. What should it use? | BCP
An organization wants to ensure it can recover a system in the event of a disaster. What should it use? | DRP
The two major categories of threats are human and ________. | Natural
A threat is any activity that represents a possible danger, with the potential to affect confidentiality, integrity, or availability. | true
Which of the following methods can be used to identify threats? | Both A and B
What are some sources of internal threats? (Select all that apply.) | Disgruntled employee, Equipment failure, Software failure, Data loss
Which of the following choices is not considered a best practice when identifying threats? | Assume the systems have not changed since the last threat assessment.
A ________ assessment is used to identify vulnerabilities within an organization. | Vulnerability
Who should perform vulnerability assessments? | Either internal or external security professionals, or both
What is the name of a common tool used to perform an automated vulnerability assessment scan? | Nessus
What is a common drawback or weakness of a vulnerability scanner? | A high false-positive error rate
Your organization wants to check compliance with internal rules and guidelines. The organization wants to ensure that existing policies are being followed. What should be performed? | An audit
You want to know if users are granted the rights and permissions needed to do their job only, and no more. You should perform a(n) ________ test. | Access controls
Your organization is governed by HIPAA. You suspect that your organization is not in compliance. What would document the differences between what is required and what is currently implemented? | Gap analysis
What management program can be implemented to ensure that the configuration of systems is not modified without a formal approval? | Change management
Once you have deployed countermeasures, it's not necessary to retest to ensure that the exploit has been mitigated. | false
A ________ will reduce or eliminate a threat or vulnerability. | Control or countermeasure
Controls can be identified based on their function. The functions are preventive, detective, and corrective. | true
What are the primary objectives of a control? | Prevent, recover, and detect
What type of control is an intrusion detection system (IDS)? | Detective
Controls are often categorized based on how they are implemented. What are the three common methods of implementing controls? | Procedural, technical, and physical
What can be used to ensure confidentiality of sensitive data? | Encryption
What should be logged in an audit log? | Who, what, when, and where details of an event
Your organization wants to issue certificates for internal systems such as an internal Web server. You'll need to install a ________ to issue and manage certificates. | Certification authority (CA)
Which of the following is a procedural control? | DRP
Which of the following is a technical control? | PKI
Which of the following is a physical control? | CCTV
A ________ is used to identify the impact on an organization if a risk occurs. | Business impact analysis (BIA)
Your organization wants to have an agreement with a vendor for an expected level of performance for a service. You want to ensure that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use? | SLA
What would you use to identify mission-critical systems? | Critical business functions
What can an organization use to remind users of AUP contents? | All of the above
Routers have ________ to control what traffic is allowed through them. | Access control lists (ACLs)
Which of the following strategies helps reduce security gaps even if a security control fails? | Defense in depth
How much can an organization be fined in a year for HIPAA-related mistakes? | $25,000
What determines if an organization is governed by FISMA? | If it is a federal agency
What determines if an organization is governed by HIPAA? | If employees handle health-related information
What determines if an organization is governed by SOX? | If it is registered with the Securities and Exchange Commission
What determines if an organization is governed by CIPA? | If it receives E-Rate funding
You've performed a CBA on a prospective control. The CBA indicates the cost of the control is about the same as the projected benefits. What should you do? | Purchase the control.
A CBA can be used to justify the purchase of a control. | True
A(n) ________ countermeasure has been approved and has a date for implementation. | Planned
A single risk can be mitigated by more than one countermeasure. | true
The formula for risk is Risk = ________. | Threat × Vulnerability
What would an account management policy include? | A, B, and C
The ________ plan will include details on how and when to implement approved countermeasures. | Mitigation
You are reviewing a countermeasure to add to the mitigation plan. What costs should be considered? | All of the above
Which of the following are considered facility costs for the implementation of a countermeasure? | Power and air conditioning
An account management policy needs to be created as a mitigation countermeasure. You will write the policy. What's a reasonable amount of time for the written policy to be completed and approved? | One month
What can you use to determine the priority of countermeasures? | Threat/likelihood-impact matrix
A risk assessment was completed three months ago. It has recently been approved, and you're tasked with implementing a mitigation plan. What should you do first? | Verify risk elements.
You are evaluating two possible countermeasures to mitigate a risk. Management only wants to purchase one. What can you use to determine which countermeasure provides the best cost benefits? | CBA
You are performing a cost-benefit analysis. You want to determine if a countermeasure should be used. Which of the following formulas should you apply? | Projected Benefits - Cost of Countermeasure
Of the following, what should be included in a cost-benefit analysis report? | A, B, C, and D
A POAM can be used to follow up on a risk mitigation plan. | true
The ________ identifies the maximum acceptable downtime for a system. | Maximum acceptable outage (MAO)
Stakeholders can determine what functions are considered critical business functions. | true
The BIA is a part of the ________. | Business continuity plan (BCP)
What defines the boundaries of a business impact analysis? | Scope
What are two objectives of a BIA? (Select two.) | Identify critical resources. Identify critical business functions.
You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. When calculating the costs, you should calculate the direct and ________ costs. | Indirect
You are working on a BIA. You want to identify the maximum amount of data loss an organization can accept. What is this called? | Recovery point objectives
You have identified the MAO for a system. You now want to specify the time required for a system to be recovered. What is this called? | Recovery time objectives
Which of the following statements is true? | The RTO applies to any systems or functions. However, the RPO only refers to data housed in databases.
You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. Which one of the following is a direct cost? | Loss of sales
What type of approach does a BIA use? | Top-down approach where CBFs are examined first
Mission-critical business functions are considered vital to an organization. What are they derived from? | Critical success factors
You are performing a BIA for an organization. What should you map the critical business functions to? | IT systems
Of the following choices, what are considered best practices related to a BIA? | Use different data collection methods.
A cost-benefit analysis is an important part of a BIA. | false
A(n) ________ is a plan that helps an organization continue to operate during and after a disruption or disaster. | BCP or business continuity plan
Business continuity and disaster recovery are the same thing. | False
You want to ensure that a BCP includes specific locations, systems, employees, and vendors. You should identify these requirements in the ________ statement. | Scope
What is the purpose of a BCP? | To ensure mission-critical elements of an organization continue to operate after a disruption
What does a BCP help to protect during and after a disruption or disaster? | Confidentiality, integrity, and availability
The ________ is responsible for declaring an emergency and activating the BCP. | BCP coordinator
After a BCP has been activated, who has overall authority for the recovery of systems? | EMT
After a BCP has been activated, who will assess the damages? | DAT
After a BCP has been activated, who will recover and restore critical IT services? | TRT
What are the three phases of a BCP? | Notification/activation, recovery, reconstitution
A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. What operations should you move back to the original location first? | Least critical business functions
A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. You have rebuilt several servers at the primary location. What should you do? | Run the servers concurrently with the alternate location for three to five days.
What can you do to show that the BCP will work as planned? | BCP testing
What types of exercises can demonstrate a BCP in action? (Select three.) | Tabletop exercises, Functional exercises, Full-scale exercises
Once a BCP has been developed, it should be reviewed and updated on a regular basis, such as annually. | true
A(n) ________ is a plan used to restore critical business functions to operation after a disruption or disaster. | Disaster recovery plan (DRP)
A DRP has multiple purposes. This includes saving lives, ensuring business continuity, and recovering after a disaster. | true
Disaster recovery and fault tolerance are the same thing. | false
A ________ is an element necessary for success. For example, the success of a DRP depends on elements such as management support and a disaster recovery budget. | Critical success factor (CSF)
A business impact analysis (BIA) includes a maximum acceptable outage (MAO). The MAO is used to determine the amount of time in which a system must be recovered. What term is used in the DRP instead of the MAO? | Recovery time objective (RTO)
A certain DRP covers a system that hosts a large database. You want to ensure that the data is copied to an off-site location. What could you use? | All of the above
A copy of backups should be stored ________ to ensure the organization can survive a catastrophic disaster to the primary location. | Off-site
You are considering an alternate location for a DRP. You want to minimize costs for the site. What type of site would you choose? | Cold site
You are considering an alternate location for a DRP. You want to ensure the alternate location can be brought online as quickly as possible. What type of site would you choose? | Hot site
You are considering an alternate location for a DRP. You want to use a business location that is already running noncritical business functions as the alternate location. This location has most of the equipment needed. What type of site is this? | Warm site
Which of the following elements are commonly included in a DRP? | Purpose, scope, communications, recovery procedures
You are considering using a hot site as an alternate location. You want to consider different technologies to keep the data updated and decrease the time it will take for the hot site to become operational. What are some technologies that may help? | All of the above
Of the following, what is critical for any DRP? | Budget
Your organization has created a DRP but it hasn't been tested. Which of the following methods can you use to test it? | All of the above
Once a DRP has been created, it's not necessary to update it. | false
A(n) ________ is a violation of a security policy or security practice. | Computer incident or computer security incident
All events on a system or network are considered computer security incidents. | false
An administrator has discovered that a Web server is responding very slowly. Investigation shows that the processor, memory, and network resources are being consumed by outside attackers. This is a ________ attack. | Denial of service (DoS) or distributed DoS (DDoS)
A user has installed P2P software on a system. The organization's policy specifically states this is unauthorized. An administrator discovered the software on the user's system. Is this a computer security incident? If so, what type? | This is a form of inappropriate usage.
A malicious virus is replicating and causing damage to computers. How do security professionals refer to the virus? | In the wild
What is the greatest risk to an organization when peer-to-peer software is installed on a user's system? | Data leakage
Only police or other law enforcement personnel are allowed to do computer forensics investigations. | false
A log has shown that a user has copied proprietary data to his computer. The organization wants to take legal action against the user. You are tasked with seizing the computer as evidence. What should you establish as soon as you seize the computer? | All of the above
Many steps are taken before, during, and after an incident. Of the following choices, what accurately identifies the incident response life cycle? | Preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity
In general, it's acceptable for members of a CIRT to take actions to attack attackers. This is one of the normal responsibilities of a CIRT. | false
After an incident has been verified, you need to ensure that it doesn't spread to other systems. What is this called? | containment
Which of the following may be included in a CIRT plan? | All of the above
Attackers attempt a DoS attack on servers in your organization. The CIRT responds and mitigates the attack. What should be the last step that the CIRT will complete in response to this incident? | Document the incident.
Several types of malicious code exist. Malware that appears to be one thing but is actually something else is ________. | A Trojan horse
Which of the following is the most serious attacker? | Disgruntled employees
Although these threats are unintentional, you can address them with a risk management plan. Which of the following is a method of doing so? | Managing environmental threats
A company issues laptop computers to employees. The value of each laptop is $1,500, and about 100 laptops are in use at any time. In the past two years, the company has lost an average of one laptop per quarter (ARO = 4). The company can provide hardware locks for the laptops at a cost of $10 each, and with the locks in place the ARO will decrease to 1. By how much does the control reduce the annual loss expectancy (ALE)? | $4,500
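A worked version of the laptop arithmetic above, added here as an example rather than taken from the quiz source. It separates single loss expectancy (SLE), annualized rate of occurrence (ARO) and annual loss expectancy (ALE), derives the ARO from the two-year loss history, and applies the cost-benefit rule (projected benefits minus cost of countermeasure) so that the $4,500 ALE reduction is not confused with the net benefit once the $1,000 spent on locks is charged against it. The `Risk` dataclass, the `exposure_factor` parameter and the function names are this example's own choices, not terms from the quiz.

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE and a cost-benefit check.

Added example; the figures are the quiz's laptop scenario (constructed input):
$1,500 per laptop, one loss per quarter over two years, $10 locks for
100 laptops, ARO falling to 1 once the locks are in place.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair expressed in quantitative terms."""
    asset_value: float       # value of the asset exposed, in dollars
    exposure_factor: float   # fraction of the asset lost per incident (1.0 = total loss)
    aro: float               # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year = SLE x ARO."""
        return self.sle * self.aro


def aro_from_history(incidents: int, years: float) -> float:
    """Derive an ARO from observed incident counts (e.g. 8 losses in 2 years -> 4)."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return incidents / years


def cost_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> dict:
    """Apply the CBA rule: net benefit = projected benefits - cost of countermeasure.

    Projected benefits are the ALE reduction the control delivers. A control is
    justified only when the net benefit is positive.
    """
    ale_reduction = ale_before - ale_after
    net_benefit = ale_reduction - annual_control_cost
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "ale_reduction": ale_reduction,       # gross benefit of the control
        "control_cost": annual_control_cost,
        "net_benefit": net_benefit,
        "justified": net_benefit > 0,
    }


def laptop_scenario() -> dict:
    """The quiz scenario: a lost laptop is a total loss, so the exposure factor is 1.0."""
    laptop_value = 1_500
    fleet_size = 100
    lock_cost_each = 10

    before = Risk(laptop_value, 1.0, aro_from_history(incidents=8, years=2))  # 1 per quarter
    after = Risk(laptop_value, 1.0, aro=1.0)                                    # with locks
    return cost_benefit(before.ale, after.ale, lock_cost_each * fleet_size)


if __name__ == "__main__":
    for key, value in laptop_scenario().items():
        print(f"{key:>14}: {value}")
```

Running it reports an ALE of $6,000 before the control and $1,500 after, a $4,500 reduction, and a $3,500 net benefit once the $1,000 of locks is subtracted; the control passes the CBA rule, and the quiz's $4,500 figure is the gross ALE reduction, not the net benefit.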
Which of the following elements is commonly included in any CBA report for a countermeasure? | Risk to be mitigated
Which of the following is not a purpose of the DRP? | Identify business impact
What does ELT stand for? | Extract, Load and Transform
Which of the following is not a key objective that directly supports the BCP? | Identify critical threats
Which of the following is the best example of an internal threat? | Unintentional access
Which of the following tests verifies user rights and permissions? | Access controls testing
The major categories of reporting requirements include all of the following except: | BIA report
Which of the following correctly describes an audit trail? | It is a series of events recorded in one or more logs.
Business processes can survive without the business function for one or more days. What impact value level is this? | Level 2
Which of the following has an incorrect definition assigned to its term? | Baseline = a description of what the environment will look like, a standard of measure, after security is implemented
Some malware can execute on a user's system after the user accesses a Web site. The malware executes from within the Web browser. What type of malware is this? | Mobile code
Companies that practice "separation of duties" force two or more employees to engage in which of the following in order to commit fraud? | Collusion
Which of the following is a category of intellectual property? | Industrial property
Which of the following is an intangible value? | Customer influence
After an incident has been verified, you need to ensure that it doesn't spread to other systems. What is this called? | Containment
Which of the following is not a consideration when developing the mitigation plan? | Time to approve the countermeasures
Business continuity plans address all of the following except: | The protection of cold sites at a remote location
What does TPM stand for in the context of CIPA? | Technology Protection Measure
What is the risk management project manager (PM) responsible for? | Tracking and managing all project issues
When identifying assets, which of the following could your asset inventory rank as a high priority? | Network infrastructure
The risk management plan specifies responsibilities. You can assign responsibilities to all of the following except: | Staff and customers
Before progressing with the RA, you need to complete which of the following actions? | Define the assessment
Which of the following is a critical success factor of the DRP? | Knowledge and authority for DRP developers
What is the RTO? | The time by which a system or function must be recovered.
Which of the following information is not provided by a threat model? | Threat controls
What is the second step of the incident response life cycle? | Detection and analysis
Which of the following is the de facto standard of best practices for IT service management? It was created because of the increased dependence on information technology to meet business needs. | ITIL
Which of the following is an example of an operational control? | Personnel Security (PS)
According to NIST SP 800-30, if a threat exploits a vulnerability, a medium impact may: | Result in human injury
Which is the most valuable technique when determining if a specific security control should be implemented? | Cost/benefits analysis
What is the second step of a BIA process? | Identify stakeholders.
Which of the following does not mean essentially the same thing as a DRP? | Business continuity plan
When reviewing previous findings, all of the following items are especially worth investigating except: | Obsolete proposals
Which of the following is a CBF? | Sales from the Web site
What would be an appropriate difference between a qualitative and a quantitative risk analysis? | Quantitative approach indicates the total cost of security implemented for protection, while qualitative identifies the expected acceptance of the security policy from the organization.
What is a certification authority (CA)? | It issues and manages certificates.
What elements are included in a qualitative analysis? | Probability and impact
Which of the following statements is correct when referring to a qualitative risk assessment? | It is subjective.
Which of the following statements is correct when referring to a quantitative risk assessment? | It is objective.
Which of the following is an accurate pairing of threat categories? | Intentional and accidental
You have applied controls to minimize risk in the environment. What is the remaining risk called? | Residual risk
Which of the following is not a risk management technique? | Prevent
A company decides to reduce losses from a threat by purchasing insurance. Which risk management technique is this? | Transfer
If a programmer is restricted from updating and modifying production code, what is this an example of? | Separation of duties
Why is it important to control and audit input and output values? | Incorrect values can cause mistakes in data processing and be evidence of fraud
What is the difference between least privilege and need to know? | A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know
If sensitive data are stored on a CD-ROM and are no longer needed, what would be the proper way of disposing of the data? | Physical destruction
What is the purpose of SMTP? | To transmit mail messages from the client to the mail server
If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem? | The mail server has e-mail relaying misconfigured
Which of the following is not a reason fax servers are used in many companies? | They increase the need for other communication security mechanisms
Which type of intelligence relates to the Internet? | SIGINT
What is an enigma? | Something that the analyst knows exists with physical evidence.
What is the target system? | A complex system
Which statement describes the extrapolation technique? | A statement based only on past observations of what is expected to happen
Which of the following nationalities relies heavily on implicitly understood communications? | Arab
Which of the following is an extrapolation technique? | Probability estimate
Which best describes substitutability? | Two objects or persons: equivalence and converse
Which of the following is not an element of an influence net? | Node
A relationship model is represented as a table. What is this model? | Matrix
What are collectors? | Information sources
Geospatial intelligence is an example of which discipline? | IMINT
Which of the following is a relationship model? | All of the above
Which of the following incorrectly describes the gap analysis process? | Incoherent
What questions are used to evaluate the credentials of evidence? | All of the above
Which of the following is a common type of generic model? | Description
Which of the following is not a pattern model? | Statistical
Which of the following is not a factor of force analysis according to Sun Tzu? | Fire
Which best describes the collateral model? | Matrix
What are the types of a model? | Uncertainty
What is SIGINT denial? | Emission control
Which system has the best message accuracy for messages passing through it? | A system with 4 communication nodes
To move from an extrapolated future-state model to a projected future-state model, what do you need to do? | Determine whether the historical forces will continue
Who is ultimately responsible for ensuring that data is protected? | Management of the organization
Who is ultimately accountable for risks, threats, and vulnerabilities? | Executive management
Governance is the practice of ensuring an entity is in conformance to policies, regulations, _______, and procedures. | Standards
Which of the following are generally accepted as IA tenets but not ISS tenets? (Select two.) | Authentication, Nonrepudiation
Greg has developed a document on how to operate and back up the new financial section's storage area network. In it, he lists the steps required for powering up and down the system as well as configuring the backup tape unit. Greg has written a _______. | Procedure
A toy company is developing the next generation of children's reading aids. They already produced a comparable product, but the new one will not be available on shelves for another two years. What process would drive policies related to the new product's information systems security? | Business process reengineering
Implementation and enforcement of policies is a challenge. The biggest hindrance to implementation of policies is the _______ factor. | Human
Ted is an administrator in the server backup area. He is reviewing the contract for the offsite storage facility for validity. This contract includes topics such as the amount of storage space required, the pickup and delivery of media, response times during an outage, and security of media within the facility. This contract is an example of information security. | False
A firewall is generally considered an example of a _______ control. | Preventive
Security awareness programs have two enforcement components: the _______ and the _______. | Carrot, stick
Most security policies require that a label be applied when a document is classified. | False
Within which of the following do security policies need to define PII legal requirements? | The context of the business and location
Which of the following is not a benefit of having an acceptable use policy? | Prevents employees from misusing the Internet
Lower risk exposure can be perceived only through actual measurement. | False
Which of the following are control objectives for PCI DSS? | A and B only
A SAS 70 audit is popular because it allows a service auditor to review an organization's _______ and issue an independent opinion. | Control environment
Health care providers are those that process and facilitate billing. | False
The law that attempts to limit children's exposure to sexually explicit material is _______. | CIPA
It's easier to quantify leading practices than best practices. | True
You should always write new security policies each time a new regulation is issued. | False
What should you ask for to gain confidence that a vendor's security controls are adequate? | A SAS 70 Type II audit
Private WANs must be encrypted at all times. | False
Voice over Internet Protocol (VoIP) can be used over which of the following? | Both
Many of the business benefits of Internet access over mobile devices include which of the following? | A and B only
A _______ is a term that refers to a network that limits what and how computers are able to talk to each other. | Segmented network
What employees learn in awareness training influences them more than what they see within their department. | False
Always applying the most strict authentication method is the best way to protect the business and ensure achievement of goals. | False
Remote access does not have to be encrypted if strong authentication is used. | False
Avoiders like to _______ and will do _______ but not much more. | Be in the background; precisely what is asked of them
As the number of specialties increases so does _______. | The cost of business
In hierarchical organizations, the leaders are close to the workers that deliver products and services. | False
User apathy often results in an employee just going through the motions. | True
Why is HR policy language often intentionally vague? | To avoid creating a contract or promise
Interpreting security policies against new business situations and new technologies ensures the business gets the maximum benefit from the policies over time. | True
Which of the following are attributes of entrepreneurs? | Innovators and more likely to take risks
A company can have two sets of enterprise security policies, if necessary, to address the needs of individual business units. | False
An IT policy framework charter includes which of the following? | All
Which of the following are generally accepted and widely used policy frameworks? (Select three.) | COBIT, ISO/IEC 27002, NIST SP 800-53
Security policies provide the "what" and "why" of security measures. | True
_______ are best defined as high-level statements, beliefs, goals, and objectives. | Policies
Which of the following is not mandatory? | Guideline
Risk management is the process of reducing risk to an acceptable level. | True
List the five tenets of information assurance that you should consider when building an IT policy framework _______. | Confidentiality, integrity, availability, authentication, and nonrepudiation
Preservation of confidentiality in information systems requires that the information not be disclosed to _______. | Unauthorized persons or processes
When building a policy framework, which of the following information systems factors should be considered? | All
When writing policies and standards, you should address the six key questions who, what, where, when, why, and how. | True
All policy and standards libraries follow a universal numbering scheme for consistency between organizations. | False
Guideline documents are often tied to a specific control standard. | True
Which of the following is not an administrative control? | Logical access control mechanisms
Which departments should review policies and standards before official approval? (Select four.) | Technical, Legal, HR, Audit
Controls are implemented to do which of the following? | Protect systems from attacks on the confidentiality, integrity, and availability of the system.
Which type of control is associated with responding to and fixing a security incident? | Corrective (remedial)
List examples of physical security control items. _______ | fences, security guards, locked doors, motion detectors, and alarms
Security _______ are the technical implementations of the policies defined by the organization. | Procedures
A(n) _______ is a plan or course of action used by an organization to convey instructions from its senior-most management to those who make decisions, take actions, and perform other duties on behalf of the organization. | Policy
The principle that states security is improved when it is implemented as a series of overlapping controls is called _______ | Defense in depth
"Access to all Organization information resources connected to the <Organization> network must be controlled by using user IDs and appropriate authentication" is a statement you might find in a procedure document. | False
Which of the following does a policy change control board do? (Select two.) | Assesses recommendations for change , Reviews framework changes to the policy framework
Which of the following are PCI DSS network requirements? | All of the above
The underlying concept of SOD is that individuals execute high-risk transactions as they receive pre-approval. | False
A risk management and metrics team is generally the first team to respond to an incident. | False
Which of the following approves business access to data? | Data steward
A security team's organizational structure defines the team's _______. | Priorities or specialties
Implementing a governance framework can allow an organization to systemically identify and prioritize risks | True
The more layers of approval required for SOD, the more _______ it is to implement the process. | Expensive or burdensome
Monitoring detects which of the following? | A and B
All organizations should have a full-time team dedicated to collecting, reviewing, and reporting to demonstrate adherence to regulations. | False
Pretexting is when a hacker breaks into a firewall. | False
What can keylogger software capture? | All of the above
Security awareness is required by which of the following? | Law
A privileged-level access agreement (PAA) prevents an administrator from abusing elevated rights. | False
Social engineering occurs when a hacker posts her victories on a social Web site. | False
Typically in large organizations all administrators have the same level of authority. | False
5) Without a policy that leads to controls that restrict employees from installing their own software on a company workstation, a company could suffer which of the following consequences? | All of the above
6) Good sources for security policies and standards include which of the following? | All of the above
7) Two-factor authentication is a typical control used by employees to remotely access which of the following? | LAN
8) Which document outlines the specific controls that a technology device needs to support? | Baseline standard
9) The User Proxy control standard is needed for the _______ domain. | LAN to WAN
10) The content for the documents in the policies and standards library should be written so they are _______ and _______. | Cohesive, coherent
11) Production data should be sanitized before being used in a test environment. | True
12) Organizations should always create new policies tailored to their needs rather than adopt industry norms found on the Internet. | False
1) Which of the following is not a common need for most organizations to classify data? | Sell information
2) Authorization is the process used to prove the identity of the person accessing systems, applications, and data. | False
3) You need to retain data for what major reasons? | All of the above
4) What qualities should the data owner possess? | All of the above
5) In all businesses you will always have data that needs to be protected. | True
6) Risk exposure is best-guess professional judgment using a qualitative technique. | False
7) The lowest federal government data classification rating for classified material is _______. | Confidential
8) Federal agencies can customize their own data classification scheme. | False
9) A BIA identifies which of the following? | All of the above
10) A BIA is not required when creating a BCP. | False
11) What does RTO stand for? | Recovery time objective
12) A man-made disaster is easier to plan for than a natural disaster. | False
13) Data in transit refers to what type of data? | Data traversing a network
14) Encryption protects data at rest from all types of breaches. | False
1) All incidents regardless of how small should be handled by an incident response team. | False
2) Which of the following should not be in an incident response team charter? | Detailed line budget
3) Which of the following IRT members should be consulted before communicating to the public about an incident? | All of the above
4) As defined by this chapter, what is not a step in responding to an incident? | Creating a budget to compare options
5) A method outlined in this chapter to determine if an incident is major or minor is to classify an incident with a _______ rating. | Severity
6) When containing an incident, you should always apply a long-term preventive solution. | False
7) The IRT starts recording events once an _______. | Incident is declared
8) During the containment step, you should also gather as much evidence as reasonably possible about the incident. | True
9) To clean up after an incident, you should always wipe the affected machine clean and rebuild it from scratch. | False
10) What value does a forensic tool bring? | All of the above
11) How important is it to identify the attacker before issuing a final IRT report? | Moderately important; nice to have but issue the report if not available
12) When analyzing an incident, you must try to determine which of the following? | All of the above
13) Which IRT member is responsible for handling the media? | Public relations
14) It is a best practice to test the IRT capability at least once a year. | True
15) A federal agency is not required by law to report a security incident. | False
1) Which of the following indicate that the culture of an organization is adopting IT security policies? | All of the above
2) Effective security policies require that everyone in the organization be accountable for policy implementation. | True
3) A quick indicator of whether a risk committee has discussed security policies or if the topic has been delegated to lower levels is by looking at _______. | Committee meeting minutes
4) Deliberate acts and malicious behavior by employees are easy to control, especially when proper deterrents are installed. | False
5) Which of the following is not an organizational challenge when implementing security policies? | Tight schedules
6) Which type of plan is critical to ensuring security awareness reaches specific types of users? | Rollout plan (deployment)
7) Why should a security policy implementation be flexible to allow for updates? | A and C
8) Which of the following is the least objectionable when dealing with policies in regards to outdated technology? | Write security policies to best practices and issue a policy waiver (exemption) for outdated technology that inherently cannot comply.
9) What is a strong indicator that awareness training is not effective? | Sharing your password with a supervisor
10) Which of the following is a common cause of security breaches? | Inadequate management and user decisions
11) Classroom training for security policy awareness is always the superior option to other alternatives, such as online training. | False
12) To get employees to comply and accept security policies, the organization must understand the employees' _______ | Motivation for needs
13) A brown bag session is a formal training event with a tightly controlled agenda. | False
14) What is the best way to disseminate a new policy? | Intranet
15) Without _______, implementation of IT security policies is impossible. | Executive support
1) Which of the following is not an organizational gateway committee? | Internal connection committee
2) _______ often focuses on enterprise risk management across multiple lines of business to resolve strategic business issues. | Executive management
3) The security compliance committee has one role, which is to identify when violations of policies occur. | False
4) Which of the following is not an access control? | Decryption
5) In which of the following areas might a company monitor its employees' actions? | All of the above
6) _______ establish how the organization achieves regulatory requirements. | Security policies
7) Laws define the specific internal IT processes needed to be compliant. | False
8) What is not required in modern-day CISO positions? | Needs to have a strong law enforcement background
9) What is an example of a manual control? | A and C
10) Which of the following is not a reason to monitor employee computer activity? | Finding out whom the employee knows
11) Connecting a personal device to the company network can create legal implications. | True
12) Line management does which of the following to make policies operational? | All of the above
13) The major challenge in implementing automated security controls is in the deployment of the control. | True
14) Which of the following is not reviewed when monitoring a user's e-mail and Internet activity? | Network performance
1) A _______ is a starting point or standard. Within IT, it provides a standard focused on a specific technology used within an organization. | Baseline
2) An operating system and different applications are installed on a system. The system is then locked down with various settings. You want the same operating system, applications, and settings deployed to 50 other computers. What's the easiest way? | Imaging
3) After a set of security settings has been applied to a system, there is no need to recheck these settings on the system. | False
4) The time between when a new vulnerability is discovered and when software developers start writing a patch is known as a _______. | Vulnerability window or security gap
5) Your organization wants to automate the distribution of security policy settings. What should be considered? | All of the above
6) Several tools are available to automate the deployment of security policy settings. Some tools can deploy baseline settings. Other tools can deploy changes in security policy settings. | True
7) An organization uses a decentralized IT model with a central IT department for core services and security. The organization wants to ensure that each department is complying with primary security requirements. What can be used to verify compliance? | Random audits
8) Change requests are tracked in a control work order database. Approved changes are also recorded in a CMDB. | True
9) An organization wants to maintain a database of system settings. The database should include the original system settings and any changes. What should be implemented within the organization? | Configuration management
10) An organization wants to reduce the possibility of outages when changes are implemented on the network. What should the organization use? | Change management
11) Which NIST standard was developed for different scanning and vulnerability assessment tools, and comprises six specifications including XCCDF? | SCAP
12) Microsoft created the Web-Based Enterprise Management (WBEM) technologies for Microsoft products. | False
13) Which of the following specifications is used exclusively in Microsoft products to query and configure systems in the network? | WMI
14) Which of the following is used to manage and query network devices such as routers and switches? | SNMP
15) A _______ can be used with a downloaded file. It offers verification that the file was provided by a specific entity. It also verifies the file has not been modified. | Digital signature
When should a wireless security policy be initially written? | After a company decides to implement wireless and before it is installed
A toy company is giving its Web site a much-needed facelift. The new Web site is ready to be deployed. It's late October, and the company wants to have the site ready for the holiday rush. The year-end holiday season accounts for 80 percent of its annual revenue. What process would be of particular importance to the toy company at this time? | Change management
Information used to open or access a bank account is generally considered PII data. | True
Mitigating controls always meet the full intent of the policy. | False
When creating laws and regulations, the government's sole concern is the privacy of the individual. | False
A LAN is efficient for connecting computers within an office or groups of buildings. | True
User apathy often results in an employee just going through the motions. | True
In the case of policies, it is important to demonstrate to the business how policies will reduce risk and will be derived in a way that keeps costs low. | True
A control partner's role includes analysis of proposed policy changes and providing an opinion on their viability. | True
When building a policy framework, which of the following information systems factors should be considered? | A, B, C, D, and E
Which of the following are important to consider before a policy is written? | A and B: architecture operating model, intent
A process to refresh policies as needed based on a major event uses the principle called ________. | Lessons learned
The principle that states security is improved when it is implemented as a series of overlapping controls is called ________ | Defense in depth
Security principles are needed in the absence of complete information to make high-quality security decisions. | true
The security committee is the key committee for the CISO. | true
Once you decide not to eliminate a risk but to accept it, you can ignore the risk. | False
implementing a governance framework can allow an organization to systemically identify and prioritize risks. | true
Security awareness is required by which of the following ? | law
Social engineering occurs when a hacker posts her victories on a social Web site. | false
During the containment step, you should also gather as much evidence as reasonably possible about the incident. | true
The BIA assessment is created by the IRT team primarily for use during a security incident. | False
________ often focuses on enterprise risk management across multiple lines of business to resolve strategic business issues. | Executive management
A ________ is a starting point or standard. Within IT, it provides a standard focused on a specific technology used within an organization. | Baseline
Several tools are available to automate the deployment of security policy settings. Some tools can deploy baseline settings. Other tools can deploy changes in security policy settings. | true
Change requests are tracked in a control work order database. Approved changes are also recorded in a CMDB. | true
Which of the following is NOT a situation when business liability occurs? | When a company violated the law
If you are a small merchant, you can perform a Qualified Security Assessor (QSA) assessment yourself. | False
Which policy sets rules on what type of web site browsing is permitted or if personal e-mails over the Internet are allowed? | Acceptable use policy
The objectives of the policy control board are: | All of the other choices
COBIT is often silent on how to implement specific controls | True
Firewall controls, denial-of-service protection and Wi-Fi security control are examples of control standards for _________. | LAN Domain
Customer records should be kept for __________. | 5 years
___________ techniques may include questionnaires, interviews and working in groups. | Qualitative techniques
___________ help analyze the threat and recommend immediate response. | System administrators
Security personnel are either directly or indirectly involved in all of the following activities EXCEPT _____________. | Reconstruction
Executive management support is critical in overcoming hindrances. | True
While writing policy, we should use "should" or "expected" statements. | False
Security policies are legal interpretation of the law. | False
SNMP is used to manage and query network devices. SNMP commonly manages _______ | All of the other choices
2. Which of the following does a policy change control board do? | Assesses recommendations for change; reviews changes to the policy framework
3. When building a policy framework, which of the following information systems factors should be considered? | ALL
4. Which of the following is the best measure of success for a security policy? | Reduction in risk
5. Generally, remote authentication provides which of the following? | More controls than if you were in the office
6. Which departments should review policies and standards before official approval? | All
7. COBIT is a widely accepted international best practices policy framework | True
8. Private WANs must be encrypted at all times | False
9. Which type of control is associated with responding to and fixing a security incident | Corrective
11. Which of the following is not mandatory? | Guideline
12. Where is the DMZ usually located? | Between the private LAN and public WAN
13. Remote access does not have to be encrypted if strong authentication is used | False
14. Which of the following includes all of the detailed actions and tasks that personnel are required to follow? | Procedure
15. What policy generally requires that employees lock up all documents and digital media at the end of a workday and when not in use? | Clean desk policy
16. When should a wireless security policy be initially written? | After a company decides to implement wireless and before it is installed
17. In hierarchical organizations, the leaders are close to the workers that deliver products and services. | False
18. What kind of workstation management refers to knowing what software is installed? | Discovery management
19. Which of the following are common IT framework characteristics? | All of the others
20. An IT policy framework charter includes which of the following? | All
21. Controls are implemented to do which of the following? | Protect systems from attacks on the confidentiality, integrity, and availability of the system.
22. When a catastrophic security breach occurs, who is ultimately held accountable by regulator and the public? | Company officers
23. Which of the following are common steps taken in the development of documents such as security policies, standards, and procedures | Initiation, evaluation, development, approval, publication, implementation, and maintenance
24. Which of the following are generally accepted and widely used policy frameworks? | All
25. Which of the following are PCI DSS network requirements? | All
26. A toy company is developing the next generation of children's reading aids. They already produce a comparable product, but the new one will not be available on shelves for another year. What process would drive policies related to the new product's information system? | Business process reengineering
27. Which of the following is not one of the seven domains of typical IT infrastructure? | World Area Network Domain
28. which of the following are attributes of entrepreneurs? | A and C
29. Which of the following is not an administrative control? | Logical access control mechanisms
30. One key difference between RBAC and ABAC is which of the following? | ABAC is dynamic and RBAC is static
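The RBAC/ABAC distinction in item 30 is easier to see in code than in a one-line answer. The following is an added example, not part of the course material or the textbook: a static role-to-permission table beside an attribute-based decision that also looks at the resource and the environment (time of day, device state). All roles, departments, clearance levels and thresholds are constructed for illustration.

```python
"""Added example (not from the course material): a static role-based check next to a
dynamic attribute-based check, showing why ABAC is described as dynamic and RBAC as static.
Every role name, department, classification level and time window here is an assumption
made up for the illustration."""
from dataclasses import dataclass
from datetime import time

# --- RBAC: permission is a fixed function of the subject's role -----------------
# Constructed role table; a real deployment would load this from the IAM system.
ROLE_PERMISSIONS = {
    "accountant": {"ledger:read", "ledger:write"},
    "auditor":    {"ledger:read"},
    "intern":     set(),
}


def rbac_allows(role: str, permission: str) -> bool:
    """Static: the decision depends only on the role-to-permission table.
    Nothing about the request context (time, device, data owner) can change it."""
    return permission in ROLE_PERMISSIONS.get(role, set())


# --- ABAC: the decision is a predicate over subject, resource and environment ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2}   # constructed scale


@dataclass
class Request:
    role: str                    # subject attribute
    department: str              # subject attribute
    clearance: str               # subject attribute, on the LEVELS scale
    resource_owner_dept: str     # resource attribute
    classification: str          # resource attribute, on the LEVELS scale
    action: str                  # "read" or "write"
    on_managed_device: bool      # environment attribute
    local_time: time             # environment attribute


def abac_allows(req: Request) -> bool:
    """Dynamic: the same role can be allowed at 10:00 on a managed laptop and denied
    at 02:00 from an unmanaged device, without any change to a role table."""
    if LEVELS[req.clearance] < LEVELS[req.classification]:
        return False      # subject clearance must dominate resource classification
    if req.action == "write" and req.department != req.resource_owner_dept:
        return False      # writes are confined to the department that owns the data
    if req.classification == "confidential" and not req.on_managed_device:
        return False      # confidential data only from a managed device
    if not (time(7, 0) <= req.local_time <= time(19, 0)):
        return False      # outside the constructed business-hours window
    return True


def compare(role: str, permission: str, req: Request) -> dict:
    """Return both decisions for one request so the difference is visible side by side."""
    return {"rbac": rbac_allows(role, permission), "abac": abac_allows(req)}


if __name__ == "__main__":
    base = dict(role="accountant", department="finance", clearance="confidential",
                resource_owner_dept="finance", classification="confidential",
                action="write")
    daytime = Request(**base, on_managed_device=True, local_time=time(10, 30))
    night_byod = Request(**base, on_managed_device=False, local_time=time(2, 15))
    print(compare("accountant", "ledger:write", daytime))
    print(compare("accountant", "ledger:write", night_byod))
```

The RBAC answer is identical for both requests because only the role is consulted; the ABAC answer flips on the second request because device state and time are part of the policy. That context sensitivity is what the flashcard means by "dynamic", and it is also why ABAC policies need the attribute sources (device inventory, clocks, data classification tags) to be trustworthy.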
31. Which of the following is not an IT security policy framework? | ERM
32. Which of the following applies to both GRC and ERM? | Defines an approach to reduce risk
33. A LAN is efficient for connecting computers within an office or groups of buildings. | True
34. What employees learn in awareness training influences them more than what they see within their department | False
35. Which of the following is a basic element of motivation? | All
36. Which personality type often breaks through barriers that previously prevented success | Commander
37. John works in the accounting department but travels to other company locations. He must present the past quarter's figures to the chief executive officer (CEO) in the morning. He forgot to update the PowerPoint presentation on his desktop computer at the main office. What is at issue here? | Availability of the data
38. Always applying the strictest authentication method is the best way to protect the business and ensure achievement of goals | False
39. Which of the following is the first step in establishing an information security program | Adoption of an information security policy framework or charter
40. Which of the following is a method for overcoming apathy? | Engaging in communication
41. Which of the following attempts to identify where sensitive data is currently stored | Data Leakage Protection Inventory
Here are a few challenges you can expect without policies: | All
Risk assessment: The NIST standards require risk assessments to be performed. Risk assessments are an essential part of a risk-based security approach. The risk assessment results drive the type of security controls to be applied | True
Why is it important to map regulatory requirements to policies and controls? | All
Authorization is especially important in large, complex organizations with thousands of employees and hundreds of systems. The authorization method must clearly define who should have access to what. One popular method is rule-based access control. | False
Mobile devices and broadband are becoming very reliable. However, the speed and reliability with which they can access and exchange data depend on location and carrier. However, despite their drawbacks, mobile devices offer many business benefits, including: | All
Likes to fly under the radar and be in the background; tends not to take chances or do anything that brings attention to them. Which personality type is this? | Avoider
Control Objectives for Information and related Technology (COBIT): A widely accepted set of documents that is commonly used as the basis for an information security program. | True
________ help you respond to and fix a security incident | Corrective controls
The frame-works reduce surprises. They ensure risks are systematically identified and reduced, eliminated, or accepted. The ISACA Risk IT framework extends COBIT and is a good example of a comprehensive risk management approach. The Risk IT framework is built on ________ domains: | 3
Good security policies make clear that individuals have only the access needed for their jobs. Security policies outline how rights are assigned and approved. This includes the removal of prior access that is no longer needed. This accomplishes which of the following? | All of the above
________ describe how to write and test the security of applications. | Developer Coding Standards
Quality assurance: An evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes. | False
The Business Impact analysis assessment is created by the IRT team primarily for use during a security incident. | False
Outdated technology is hardware or software that, because it is obsolete, makes it difficult to implement best practices consistently. Outdated technology generally does not adhere to current best practices. When that occurs, you must decide how to address the lack of security controls within policies. You have ________ basic choices. | 4
A law is any rule prescribed under the authority of a government entity. A regulatory agency may be granted the authority under the law to establish regulations. Regulations inherit their authority from the original law. The distinction between laws, regulations, and security policies is as follows: | All
Common Vulnerabilities and Exposures (CVE): This provides an open specification to measure the relative severity of software flaw vulnerabilities. It provides formulas using standard measurements. The resulting score is from zero to 10, with 10 being the most severe. | False
The Simple Network Management Protocol (SNMP) is used to manage and query network devices. SNMP commonly manages routers, switches, and other intelligent devices on the network with IP addresses. SNMP was improved with versions 2 and 3. Version 3 provides three primary improvements. | Confidentiality; Integrity; Authentication