CMGT/430 ENTERPRISE SECURITY The Latest Version A+ Study Guide
**********************************************
CMGT 430 Entire Course Link http://www.uopstudy.com/CMGT-430 ********************************************** CMGT 430 Wk 1 - Management of Information Security, Ch. 8 Quiz Complete the Ch. 8 Quiz using the MindTap Access link. Which access control principle limits a user's access to the specific information required to perform the currently assigned task? • Separation of duties • Eyes only • Least privilege • Need-to-know A time-release safe is an example of which type of access control? • Nondiscretionary • Temporal isolation • Content-dependent • Constrained user interface In which form of access control is access to a specific set of information contingent on its subject matter? • Temporal isolation • Content-dependent access controls • None of these • Constrained user interfaces Which type of access controls can be role-based or task-based? • Nondiscretionary
• • •
Constrained Content-dependent Discretionary
Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle? • Task-based access controls • Security clearances • Discretionary access controls • Sensitivity levels Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? • Access control list • Capabilities table • Access matrix • Sensitivity level Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? • Deterrent • Preventative • Corrective • Compensating Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? • Bell-LaPadula • Clark-Wilson • Common Criteria • Biba Which control category discourages an incipient incident? • Compensating • Preventative • Remitting • Deterrent Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary? • Need-to-know • Separation of duties • Least privilege • Eyes only
For More Classes Please Visit
http://www.uopstudy.com/ CMGT 430 Wk 2 - Management of Information Security, Ch. 7 Quiz Complete the Ch. 7 Quiz using the MindTap Access link. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? • Transference • Mitigation • Acceptance • Avoidance The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________. • probability estimate • asset valuation • cost avoidance • risk acceptance premium Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk? • Evaluation and funding • Monitoring and measurement • Analysis and adjustment • Review and reapplication Strategies to reestablish operations at the primary site after an adverse event threatens continuity of business operations are covered by which of the following plans in the mitigation control approach? • Damage control plan • Business continuity plan • Incident response plan • Disaster recovery plan Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? • Risk appetite • Risk assurance • Residual risk • Risk termination
By multiplying the asset value by the exposure factor, you can calculate which of the following? • Value to adversaries • Annualized cost of the safeguard • Single loss expectancy • Annualized loss expectancy When vulnerabilities have been controlled to the degree possible, there is often remaining risk that has not been completely removed, shifted, or planned for and is called __________. • residual risk • risk assurance • risk appetite • risk tolerance What is the result of subtracting the postcontrol annualized loss expectancy and the ACS from the precontrol annualized loss expectancy? • Annualized rate of occurrence • Single loss expectancy • Cost–benefit analysis • Exposure factor Which of the following determines acceptable practices based on consensus and relationships among the communities of interest? • Operational feasibility • Technical feasibility • Political feasibility • Organizational feasibility What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? • Quantitative valuation of safeguards • Subjective prioritization of controls • Risk analysis estimates • Qualitative assessment of many risk components
For More Classes Please Visit
http://www.uopstudy.com/ CMGT 430 Wk 3 - Management of Information Security, Ch. 9 Quiz Complete the Ch. 9 quiz using the MindTap Access link. The benefits of ISO certification to organizations achieving it include all of the following EXCEPT: • Smoother operations • Reduced costs
• •
Lower taxes from governments Improved public image
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following? • Baselining • Benchmarking • Best practices • Due diligence Which of the following is not a consideration when selecting recommended best practices? • Organization structure is similar • Same networking architecture • Resource expenditures are practical • Threat environment is similar Which of the following InfoSec measurement specifications makes it possible to define success in the security program? • Prioritization and selection • Development approach • Establishing targets • Measurements templates Problems with benchmarking include all but which of the following? • Recommended practices change and evolve, thus past performance is no indicator of future success. • Organizations being benchmarked are seldom identical. • Organizations don't often share information on successful attacks. • Benchmarking doesn't help in determining the desired outcome of the security process. What are the legal requirements that an organization adopts a standard based on what a prudent organization should do, and then maintain that standard? • Due care and due diligence • Baselining and benchmarking • Best practices • Certification and accreditation Which of the following is not a factor critical to the success of an information security performance measurement program? • Strong upper level management support • Results oriented measurement analysis • High level of employee buy-in • Quantifiable performance measurements
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence? • Information system faults • Baselining • Benchmarking • Legal liability Which of the following is not a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich? • What affect will measurement collection have on efficiency? • Who will collect these measurements? • Why should these measurements be collected? • Where will these measurements be collected? Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program? • Standards of due care/diligence • Baselining • Performance management • Best practices
For More Classes Please Visit
http://www.uopstudy.com/ CMGT 430 Wk 5 - Post-Course Assessment Quiz Complete the Post-Course Assessment quiz using the MindTap Access link. What tool would you use if you want to collect information as it is being transmitted on the network and analyze the contents for the purpose of solving network problems? • Port scanner • Content filter • Packet sniffer • Vulnerability scanner Which of the following InfoSec positions is responsible for the day-to-day operation of the InfoSec program? • CISO • Security officer • Security manager • Security technician Which of the following can be described as the quantity and nature of risk that
organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? • Risk termination • Risk appetite • Residual risk • Risk assurance Which document must be changed when evidence changes hands or is stored? • Affidavit • Evidentiary material • Search warrant • Chain of custody The • • • •
C.I.A. triad for computer security includes which of these characteristics? Availability Authentication Authorization Accountability
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is not one of them? • Malice • Ignorance • Intent • Accident The type of planning that is used to organize the ongoing, day-to-day performance of tasks is ____________. • organizational • tactical • operational • strategic Which is the first step in the contingency planning process among the options listed here? • Disaster recovery planning • Business impact analysis • Business continuity training • Incident response planning What is the SETA program designed to do? • Reduce the occurrence of accidental security breaches.
• • •
Improve operations. Increase the efficiency of InfoSec staff. Reduce the occurrence of external attacks.
Which type of document is a more detailed statement of what must be done to comply with a policy? • Procedure • Standard • Guideline • Practice