04

True/False
Indicate whether the statement is true or false.

____ 1. The general management of an organization must structure the IT and information security functions to lead a successful defense of the organization's information assets.
____ 2. "If you know the enemy and know yourself, you will succumb in every battle." (Sun Tzu)
____ 3. Once the threats have been identified, an assets identification process is undertaken.
____ 4. Identifying human resources, documentation, and data information is less difficult than identifying hardware and software assets.
____ 5. You should adopt naming standards that do not convey information to potential system attackers.
____ 6. Comprehensive means that an information asset should fit in only one category.
____ 7. A certificate authority would be categorized as a software security component.
____ 8. Examples of exceptionally grave damage include 1) armed hostilities against the United States or its allies and 2) disruption of foreign relations vitally affecting the national security.
____ 9. You can use only qualitative measures to rank values.
____ 10. Protocols are activities performed within the organization to improve security.
____ 11. With lattice-based access control, the column of attributes associated with a particular object (such as a printer) is referred to as the access control table.
____ 12. Discretionary controls are managed by a central authority in the organization.
____ 13. The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
____ 14. Every organization should have the collective will and budget to manage every threat by applying controls.
____ 15. Organizations should communicate with system users throughout the development of the security program, letting them know that change is occurring.
____ 16. Internal benchmarking can provide the foundation for baselining.
____ 17. One problem with benchmarking is that there are many organizations that are identical.
____ 18. A best practice proposed for a small home office setting is always appropriate to help design control strategies for a multinational company.
____ 19. Best business practices are often called recommended practices.
____ 20. Metrics-based measures are generally less focused on numbers and more strategic than process-based measures.
____ 21. The CBA is solely based on the cost of the proposed control.
____ 22. The amount of money spent to protect an asset is often based in part on the value of the asset.
____ 23. The components of asset valuation include equipment critical to the success of the organization.
____ 24. The value of intellectual property influences asset valuation.
____ 25. When selecting a risk control strategy, one should consider if potential loss could be substantial.
____ 26. Leaving unattended computers on is one of the top information security mistakes made by individuals.
____ 27. Risk control involves selecting an appropriate risk control strategy for each vulnerability.
____ 28. If every vulnerability identified in the organization is handled through mitigation, it may reflect an organization's inability to conduct proactive security activities and an apathetic approach to security in general.
____ 29. Eliminating a threat is an impossible proposition.
____ 30. Some argue that it is virtually impossible to determine the true value of information and information-bearing assets accurately.

Modified True/False
Indicate whether the statement is true or false. If false, change the identified word or phrase to make the statement true.

____ 31. Risk control is the process of examining and documenting the security posture of an organization's information technology and the risks it faces. _________________________
____ 32. Establishing a competitive business model, method, or technique allows an organization to provide a product or service that is superior and creates a(n) competitive advantage. _________________________
____ 33. Mutually exclusive means that all information assets must fit in the list somewhere. _________________________
____ 34. One way to determine which information assets are critical is by evaluating how much of the organization's revenue depends on a particular asset. _________________________
____ 35. Each of the threats must be examined to assess its potential to endanger the organization and explore ways to reduce the risk it poses. This examination is known as a threat profile. _________________________
____ 36. Risk evaluation assigns a risk rating or score to each information asset. _________________________
____ 37. Likelihood risk is the risk that remains to the information asset even after the existing control has been applied. _________________________
____ 38. Policies are documents that specify an organization's approach to security. _________________________
____ 39. In a(n) task-based access control, users are assigned a matrix of authorizations for particular areas of access. _________________________
____ 40. The most common of the mitigation procedures is the disaster recovery plan. _________________________
____ 41. Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations. _________________________
____ 42. A(n) Disaster Recovery plan dictates the actions an organization can and perhaps should take while an incident is in progress. _________________________
____ 43. Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability. _________________________
____ 44. A(n) exposure factor is the expected percentage of loss that would occur from a particular attack. _________________________
____ 45. ALE determines whether or not the control alternative being evaluated is worth the associated cost incurred to control the specific vulnerability. _________________________
____ 46. Qualitative-based measures are comparisons based on numerical standards, such as numbers of successful attacks. _________________________
____ 47. Within best practices, the optimum standard is a subcategory of practices that are typically viewed as the best of the best. _________________________
____ 48. Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. _________________________
____ 49. In information security, benchmarking baselining is the comparison of security activities and events against the organization's future performance. _________________________
____ 50. Operational feasibility is also known as behavioral feasibility. _________________________
____ 51. Within organizations, technical feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest. _________________________
____ 52. Risk measure defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. _________________________
____ 53. Major risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards. _________________________
____ 54. A(n) qualitative assessment is based on characteristics that do not use numerical measures. _________________________
____ 55. When the organization is pursuing an overall risk management program, it requires a(n) systematic report that enumerates the opportunities for controlling risk. _________________________

Multiple Choice
Identify the choice that best completes the statement or answers the question.

____ 56. Risk ____ is the process of applying safeguards to reduce the risks to an organization's data and information systems.
    a. management    b. control    c. identification    d. security
____ 57. The concept of competitive ____ refers to the need to avoid falling behind the competition.
    a. disadvantage    b. advantage    c. failure    d. benefit
____ 58. The first phase of risk management is ____.
    a. risk identification    b. design    c. risk control    d. risk evaluation
____ 59. ____ addresses are sometimes called electronic serial numbers or hardware addresses.
    a. HTTP    b. IP    c. DHCP    d. MAC
____ 60. When deciding which information assets to track, which of the following asset attributes should be considered?
    a. People    b. Procedures    c. Data    d. All of the above
____ 61. A(n) ____ is an authorization issued by the equipment manufacturer for the repair, modification, or update of a piece of equipment that is already in service.
    a. IP    b. FCO    c. CTO    d. HTTP
____ 62. In a(n) _____, each information asset is assigned a score for each critical factor.
    a. OPSEC    b. COMSEC    c. weighted factor analysis    d. data classification scheme
____ 63. The military uses a(n) _____-level classification scheme.
    a. three    b. four    c. five    d. six
____ 64. In the U.S. military classification scheme, ____ data is any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
    a. confidential    b. secret    c. top secret    d. sensitive
____ 65. Management of classified data includes its storage and ____.
    a. distribution    b. portability    c. destruction    d. All of the above
____ 66. There are individuals who search trash and recycling, a practice known as ____, to retrieve information that could embarrass a company or compromise information security.
    a. side view    b. dumpster diving    c. recycle diving    d. garbage collection
____ 67. ____ equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty.
    a. Probability    b. Risk    c. Possibility    d. Chance
____ 68. The ____ security policy is an executive-level document that outlines the organization's approach and attitude towards information security and relates the strategic value of information security within the organization.
    a. general    b. agency    c. issue-specific    d. system-specific
____ 69. The ____ security policy is a planning document that outlines the process of implementing security in the organization.
    a. program    b. agency    c. issue-specific    d. system-specific
____ 70. Access controls can be ____.
    a. mandatory    b. nondiscretionary    c. discretionary    d. All of the above
____ 71. In a lattice-based access control structure, the row of attributes associated with a particular subject (such as a user) is referred to as a(n) ____.
    a. access control list    b. capabilities table    c. lattice table    d. mandatory list
____ 72. ____ are implemented at the discretion or option of the data user.
    a. DAC    b. MAC    c. NAC    d. SAC
____ 73. The actions an organization can and perhaps should take while the incident is in progress should be defined in a document referred to as the ____.
    a. BCP    b. DRP    c. IRP    d. BRP
____ 74. ____ usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
    a. IRPs    b. DRPs    c. BCPs    d. BRPs
____ 75. ____ is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
    a. Avoidance of risk    b. Transference    c. Mitigation    d. Acceptance of risk
____ 76. The formal process used in decision making regarding the adoption of specific controls is called a(n) ____.
    a. ARO    b. CBA    c. ALE    d. SLE
____ 77. The probability of a threat occurring is usually a loosely derived table indicating the probability of an attack from each threat type within a given time frame. This value is commonly referred to as the ____.
    a. ARO    b. CBA    c. ALE    d. SLE
____ 78. When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a(n) ____.
    a. due diligence    b. best practices    c. golden standard    d. standard of due care
____ 79. ____ feasibility addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
    a. Organizational    b. Technical    c. Operational    d. Political
____ 80. Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
    a. benefit    b. appetite    c. acceptance    d. avoidance

Completion
Complete each statement.

81. ____________________ requires two major undertakings: risk identification and risk control.
82. ____________________ is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization's information system.
83. ____________________ are defined as information and the systems that use, store, and transmit information.
84. For hardware devices, the ____________________ number can uniquely identify a specific device.
85. You can calculate the relative importance of each asset using a straightforward process known as ____________________ analysis.
86. Georgia-Pacific Corporation uses a corporate data classification ____________________ throughout the company that helps secure confidentiality and integrity of information.
87. Overriding an individual employee's security ____________________ requires that the need-to-know standard be met.
88. A(n) ____________________ desk policy requires that employees secure all information in appropriate storage containers at the end of each day.
89. You can assess the relative risk for each of the vulnerabilities by a process called risk ____________________.
90. ____________________ is the probability that a specific vulnerability within an organization will be successfully attacked.
91. Security ____________________ are the technical implementations of the policies defined by the organization.
92. A(n) ____________________ control specifically addresses admission of a user into a trusted area of the organization.
93. ____________________ access controls are implemented at the discretion or option of the data user.
94. ____________________ is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
95. ____________________ is the control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
96. Of the three types of mitigation plans, the ____________________ plan is the most strategic and long term.
97. Cost ____________________ is the process of avoiding the financial impact of an incident by implementing a control.
98. Asset ____________________ is the process of assigning financial value or worth to each information asset.
99. A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.
100. ____________________ is the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization.
101. The difference between an organization's measures and those of others is often referred to as a performance ____________________.
102. Due ____________________ is the demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection.
103. A(n) ____________________ is a value or profile of a performance metric against which changes in the performance metric can be usefully compared.
104. Operational ____________________ addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
105. Behavioral feasibility is also known as ____________________.

Essay

106. Describe five new subdivisions of information system components of SecSDLC/risk management.
107. Describe several different types of access controls.
108. List seven key areas identified by Microsoft as best security practices for home users.

04 Answer Section

TRUE/FALSE

1. ANS: (hidden in preview) PTS: 1 REF: 116
2. ANS: F PTS: 1 REF: 118
3. ANS: F PTS: 1 REF: 119
4. ANS: F PTS: 1 REF: 122
5. ANS: T PTS: 1 REF: 122
6. ANS: F PTS: 1 REF: 124
7. ANS: T PTS: 1 REF: 124
8. ANS: T PTS: 1 REF: 130
9. ANS: F PTS: 1 REF: 134
10. ANS: F PTS: 1 REF: 141
11. ANS: F PTS: 1 REF: 142
12. ANS: F PTS: 1 REF: 142
13. ANS: T PTS: 1 REF: 163
14. ANS: F PTS: 1 REF: 162
15. ANS: T PTS: 1 REF: 161
16. ANS: F PTS: 1 REF: 159
17. ANS: F PTS: 1 REF: 159
18. ANS: F PTS: 1 REF: 157
19. ANS: T PTS: 1 REF: 156
20. ANS: F PTS: 1 REF: 155
21. ANS: F PTS: 1 REF: 151
22. ANS: T PTS: 1 REF: 151
23. ANS: T PTS: 1 REF: 125
24. ANS: T PTS: 1 REF: 127-128
25. ANS: T PTS: 1 REF: 150
26. ANS: T PTS: 1 REF: 147
27. ANS: T PTS: 1 REF: 149
28. ANS: F PTS: 1 REF: 149
29. ANS: F PTS: 1 REF: 145
30. ANS: T PTS: 1 REF: 151-152

MODIFIED TRUE/FALSE

31. ANS: (hidden in preview), identification PTS: 1 REF: 117
32. ANS: (hidden in preview) PTS: 1 REF: 116
33. ANS: (hidden in preview), Comprehensive PTS: 1 REF: 124
34. ANS: (hidden in preview) PTS: 1
35. ANS: (hidden in preview), assessment PTS: 1 REF: 134
36. ANS: (hidden in preview), assessment PTS: 1
37. ANS: (hidden in preview), Residual PTS: 1
38. ANS: (hidden in preview) PTS: 1
39. ANS: (hidden in preview), lattice PTS: 1
REF (items 34 and 36-39, as listed): 139, 141, 126, 141, 142
40. ANS: (hidden in preview) PTS: 1
41. ANS: (hidden in preview) PTS: 1
42. ANS: (hidden in preview), Incident Response PTS: 1
43. ANS: T PTS: 1
44. ANS: T PTS: 1
45. ANS: F, CBA PTS: 1
REF (items 40-45, as listed): 147, 147, 146, 153, 151, 152
46. ANS: (hidden in preview), Metrics / Quantitative PTS: 1 REF: 154-155
47. ANS: (hidden in preview), gold PTS: 1 REF: 157
48. ANS: (hidden in preview) PTS: 1
49. ANS: (hidden in preview), baselining PTS: 1
50. ANS: (hidden in preview) PTS: 1
51. ANS: (hidden in preview), political PTS: 1
52. ANS: (hidden in preview), appetite PTS: 1
53. ANS: (hidden in preview), Residual PTS: 1
54. ANS: (hidden in preview) PTS: 1
55. ANS: (hidden in preview) PTS: 1
REF (items 48-55, as listed): 159, 156, 161, 162, 162-163, 160, 154, 163

MULTIPLE CHOICE

56. ANS: (hidden in preview) PTS: 1 REF: 117
57. ANS: A PTS: 1 REF: 116
58. ANS: A PTS: 1 REF: 117
59. ANS: D PTS: 1 REF: 122
60. ANS: D PTS: 1 REF: 120-121
61. ANS: B PTS: 1 REF: 123
62. ANS: C PTS: 1 REF: 128
63. ANS: C PTS: 1 REF: 129
64. ANS: A PTS: 1 REF: 129
65. ANS: D PTS: 1 REF: 131
66. ANS: B PTS: 1 REF: 132
67. ANS: B PTS: 1 REF: 140
68. ANS: A PTS: 1 REF: 141
69. ANS: A PTS: 1 REF: 141
70. ANS: D PTS: 1 REF: 141
71. ANS: B PTS: 1 REF: 142
72. ANS: A PTS: 1 REF: 142
73. ANS: C PTS: 1 REF: 147
74. ANS: B PTS: 1 REF: 147-148
75. ANS: D PTS: 1 REF: 149
76. ANS: B PTS: 1 REF: 151
77. ANS: A PTS: 1 REF: 153
78. ANS: D PTS: 1 REF: 156
79. ANS: C PTS: 1 REF: 160
80. ANS: B PTS: 1 REF: 162

COMPLETION

81. ANS: Risk management PTS: 1 REF: 117
82. ANS: Risk management PTS: 1 REF: 117
83. ANS: Assets PTS: 1 REF: 118
84. ANS: electronic serial / MAC address PTS: 1 REF: 122
85. ANS: weighted factor PTS: 1 REF: 128
86. ANS: scheme PTS: 1 REF: 129
87. ANS: clearance PTS: 1 REF: 131
88. ANS: clean PTS: 1 REF: 132
89. ANS: assessment PTS: 1 REF: 139
90. ANS: Likelihood PTS: 1 REF: 140
91. ANS: technologies PTS: 1 REF: 141
92. ANS: access PTS: 1 REF: 141
93. ANS: Discretionary PTS: 1 REF: 142
94. ANS: Avoidance PTS: 1 REF: 145
95. ANS: Mitigation PTS: 1 REF: 147
96. ANS: BC / Business Continuity / BC (business continuity) / business continuity (BC) PTS: 1 REF: 148
97. ANS: avoidance PTS: 1 REF: 151
98. ANS: valuation PTS: 1 REF: 151
99. ANS: expectancy PTS: 1 REF: 152
100. ANS: Benchmarking PTS: 1 REF: 155
101. ANS: gap PTS: 1 REF: 155
102. ANS: diligence PTS: 1 REF: 156
103. ANS: baseline PTS: 1 REF: 159
104. ANS: feasibility PTS: 1 REF: 160
105. ANS: operational feasibility PTS: 1 REF: 160

ESSAY

106. ANS:
People include employees and nonemployees. Procedures fall into two categories: IT and business standard procedures, and IT and business sensitive procedures. Data components have been expanded to account for the management of information in all states: transmission, processing, and storage. Software components can be assigned to one of three categories: applications, operating systems, or security components. Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and the devices that are part of information security control systems. Hardware components have been separated into two categories: devices and peripherals, and networks.
PTS: 1 REF: 120-121

107. ANS:
Access controls can be mandatory, nondiscretionary, or discretionary.
Mandatory access controls (MACs): MACs are structured and coordinated with a data classification scheme. Mandatory access controls give users and data owners limited control over access to information resources.
Nondiscretionary controls are managed by a central authority in the organization and can be based on an individual's role (role-based controls) or a specified set of tasks the individual is assigned (task-based controls). Task-based controls can also be based on lists maintained on subjects or objects. Role-based controls are tied to the role a user performs in an organization, and task-based controls are tied to a particular assignment or responsibility.
Discretionary access controls (DAC): Discretionary access controls are implemented at the discretion or option of the data user. The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal.
PTS: 1 REF: 141-142

108. ANS:
1. Use antivirus software.
2. Use strong passwords.
3. Verify your software security settings.
4. Update product security.
5. Build personal firewalls.
6. Back up early and often.
7. Protect against power surges and loss.
PTS: 1 REF: 158