CHAPTER 1
1. Corruption of information can occur only while information is being stored. a. True *b. False
2. The authorization process takes place before the authentication process. a. True *b. False
3. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. *a. True b. False
4. DoS attacks cannot be launched against routers. a. True *b. False
5. The first step in solving problems is to gather facts and make assumptions. a. True *b. False
6. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. __________ a. True *b. False
7. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. __________ a. True *b. False
8. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. __________ a. True *b. False
9. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual’s shoulder or viewing the information from a distance. __________ a. True *b. False
10. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. __________ a. True *b. False
11. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________ a. True *b. False
12. The macro virus infects the key operating system files located in a computer’s start-up sector. __________ a. True *b. False
13. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. __________ *a. True b. False
14. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. __________ *a. True b. False
15. Communications security involves the protection of which of the following? a. radio handsets b. people, physical assets c. the IT department *d. media, technology, and content
16. The protection of voice and data components, connections, and content is known as __________ security. *a. network b. national c. cyber d. operational
17. The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security. *a. information b. network c. cyber d. operational
18. A model of InfoSec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model. *a. CNSS b. USMC c. USNA d. NPC
19. Which of the following is a C.I.A. triad characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state? *a. integrity b. availability c. authentication d. accountability
20. According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy? *a. confidentiality b. availability c. integrity d. accountability
21. Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected? a. accountability b. availability *c. privacy d. confidentiality
22. Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information? a. integrity b. availability c. authentication *d. confidentiality
23. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process? a. accountability b. authorization c. identification *d. authentication
24. A process that defines what the user is permitted to do is known as __________. a. identification *b. authorization c. accountability d. authentication
25. What do audit logs that track user activity on an information system provide? a. identification b. authorization *c. accountability d. authentication
26. Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________. *a. threat b. attack c. exploit d. vulnerability
27. An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________. a. threat *b. attack c. exploit d. vulnerability
28. A technique used to compromise a system is known as a(n) __________. a. threat b. attack *c. exploit d. vulnerability
29. A potential weakness in an asset or its defensive control system(s) is known as a(n) __________. a. threat b. attack c. exploit *d. vulnerability
30. The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called __________. *a. software piracy b. copyright infringement c. trademark violation d. data hijacking
31. Technology services are usually arranged with an agreement defining minimum service levels known as a(n) __________. a. SSL *b. SLA c. MSL d. MIN
32. A short-term interruption in electrical power availability is known as a __________. *a. fault b. brownout c. blackout d. lag
33. Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. a. bypass b. theft *c. trespass d. security
34. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________. *a. penetration tester b. expert hacker c. phreaker d. cracker
35. A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a(n) __________. a. penetration tester b. expert hacker c. phreaker *d. cracker
36. __________ is the collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair edge over them. a. Dumpster diving b. Packet sniffing c. Competitive advantage *d. Industrial espionage
37. The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined. *a. rainbow table b. unicorn table c. rainbow matrix d. poison box
38. Which of the following is NOT an approach to password cracking? *a. ransomware b. brute force c. dictionary attacks d. social engineering attacks
39. Force majeure includes all of the following EXCEPT: *a. armed robbery b. acts of war c. civil disorder d. forces of nature
40. Human error or failure often can be prevented with training and awareness programs, policy, and __________. a. outsourcing *b. technical controls c. hugs d. ISO 27000
41. “4-1-9” fraud is an example of a __________ attack. *a. social engineering b. virus c. worm d. spam
42. “4-1-9” is one form of a(n) __________ fraud. *a. advance fee b. privilege escalation c. check kiting d. "Spanish Prisoner"
43. Blackmail threat of informational disclosure is an example of which threat category? a. espionage or trespass *b. information extortion c. sabotage or vandalism d. compromises of intellectual property
44. An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as __________. a. crypto locking *b. ransomware c. jailbreaking d. spam
45. One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. *a. hacktivism b. phreaking c. red teaming d. cyberhacking
46. __________ are malware programs that hide their true nature and reveal their designed behavior only when activated. a. Viruses b. Worms c. Spam *d. Trojan horses
47. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus __________. a. false alarms b. polymorphisms *c. hoaxes d. urban legends
48. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls? a. brute force b. DoS *c. back door d. hoax
49. A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. a. denial of service *b. distributed denial of service c. virus d. spam
50. Which type of attack involves sending a large number of connection or information requests to a target? a. malicious code *b. denial of service (DoS) c. brute force d. spear phishing
51. In the __________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. a. zombie-in-the-middle b. sniff-in-the-middle c. server-in-the-middle *d. man-in-the-middle
52. Which statement defines the differences between a computer virus and a computer worm? a. Worms and viruses are the same. b. Worms can make copies all by themselves on one kind of computer but viruses can make copies all by themselves on any kind of computer. c. Worms can copy themselves to computers and viruses can copy themselves to smartphones. *d. Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.
53. Which of the following is not among the "deadly sins of software security"? *a. extortion sins b. implementation sins c. Web application sins d. networking sins
54. Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? *a. theft b. espionage or trespass c. sabotage or vandalism d. information extortion
55. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives? a. leading b. controlling c. organizing *d. planning
56. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? *a. organization b. planning c. controlling d. leading
57. __________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. *a. Governance b. Controlling c. Leading d. Strategy
58. Which of the following is the first step in the problem-solving process? a. Analyze and compare the possible solutions. b. Develop possible solutions. *c. Recognize and define the problem. d. Select, implement, and evaluate a solution.
59. Which of the following is NOT a step in the problem-solving process? a. Select, implement, and evaluate a solution. b. Analyze and compare possible solutions. *c. Build support among management for the candidate solution. d. Gather facts and make assumptions.
60. Which of the following is NOT a primary function of information security management? a. planning b. protection c. projects *d. performance
61. Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. planning *b. policy c. programs d. people
62. Which function of InfoSec management encompasses security personnel as well as aspects of the SETA program? a. protection *b. people c. projects d. policy
63. A(n) __________ is a potential weakness in an asset or its defensive control(s). Correct Answer(s): a. vulnerability
64. A(n) __________ is an act against an asset that could result in a loss. Correct Answer(s): a. attack
65. Duplication of software-based intellectual property is more commonly known as software __________. Correct Answer(s): a. piracy
66. A(n) __________ hacks the public telephone network to make free calls or disrupt services. Correct Answer(s): a. phreaker
67. A momentary low voltage is called a(n) __________. Correct Answer(s): a. sag
68. Some information gathering techniques are quite legal—for example, using a Web browser to perform market research. These legal techniques are called, collectively, __________. Correct Answer(s): a. competitive intelligence
69. Attempting to reverse-calculate a password or bypass encryption is called __________. Correct Answer(s): a. cracking
70. ESD is the acronym for __________. Correct Answer(s): a. electrostatic discharge
71. A virus or worm can have a payload that installs a(n) __________ door or trap-door component in a system, which allows the attacker to access the system at will with special privileges. Correct Answer(s): a. back
72. __________ is unsolicited commercial e-mail. Correct Answer(s): a. Spam
73. A ___________ overflow is an application error that occurs when the system can’t handle the amount of data that is sent. Correct Answer(s): a. buffer
74. The three levels of planning are strategic planning, tactical planning, and __________ planning. Correct Answer(s): a. operational
75. The set of organizational guidelines that dictates certain behavior within the organization is called __________. Correct Answer(s): a. policy
76. Explain the differences between a leader and a manager. Correct Answer:
The distinctions between a leader and a manager arise in the execution of organizational tasks. A leader provides purpose, direction, and motivation to those who follow. By comparison, a manager administers the resources of the organization. He or she creates budgets, authorizes expenditures, and hires employees.
77. List and explain the critical characteristics of information as defined by the C.I.A. triad. Correct Answer:
Confidentiality of information ensures that only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Availability is the characteristic of information that enables user access to information without interference or obstruction and in a usable format.
78. List and explain the four principles of management under the contemporary or popular management theory. Briefly define each. Correct Answer:
Popular management theory categorizes the principles of management into planning, organizing, leading, and controlling (POLC). The process that develops, creates, and implements strategies for the accomplishment of objectives is called planning.
The management function dedicated to the structuring of resources to support the accomplishment of objectives is called organization.
Leadership includes supervising employee behavior, performance, attendance, and attitude. Leadership generally addresses the direction and motivation of the human resource.
Monitoring progress toward completion, and making necessary adjustments to achieve desired objectives, requires the exercise of control.
79. List the steps that can be used as a basic blueprint for solving organizational problems. Correct Answer:
1. Recognize and define the problem.
2. Gather facts and make assumptions.
3. Develop possible solutions.
4. Analyze and compare possible solutions.
5. Select, implement, and evaluate a solution.
80. What are the three distinct groups of decision makers or communities of interest on an information security team? Correct Answer:
Managers and professionals in the field of information security
Managers and professionals in the field of IT
Managers and professionals from the rest of the organization
81. List the specialized areas of security. Correct Answer:
Physical security
Operations security
Communications security
Network security
82. List the measures that are commonly used to protect the confidentiality of information. Correct Answer:
Information classification
Secure document (and data) storage
Application of general security policies
Education of information custodians and end users
Cryptography (encryption)
83. What is authentication? Provide some examples. Correct Answer:
Authentication is the process by which a control establishes whether a user (or system) has the identity it claims to have. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections as well as the use of cryptographic hardware devices—for example, hardware tokens such as RSA’s SecurID. Individual users may disclose a personal identification number (PIN) or a password to authenticate their identities to a computer system.
84. Discuss the planning element of information security. Correct Answer:
Planning in InfoSec management is an extension of the basic planning model. Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of InfoSec strategies within the IT planning environment. The business strategy is translated into the IT strategy. Both the business strategy and the IT strategy are then used to develop the InfoSec strategy. For example, the CIO uses the IT objectives gleaned from the business unit plans to create the organization’s IT strategy.
85. There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed. Correct Answer:
Compromises to intellectual property
Software attacks
Deviations in quality of service
Espionage or trespass
Forces of nature
Human error or failure
Information extortion
Sabotage or vandalism
Theft
Technical hardware failures or errors
Technical software failures or errors
Technological obsolescence
CHAPTER 2
1. Ethics carry the sanction of a governing authority. a. True *b. False
2. The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes. *a. True b. False
3. Deterrence is the best method for preventing an illegal or unethical activity. ____________ *a. True b. False
4. ISACA is a professional association with a focus on authorization, control, and security. ___________ a. True *b. False
5. Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. _________________________ a. True *b. False
6. The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies. ___________ *a. True b. False
7. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________ a. True *b. False
8. A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________ a. True *b. False
9. It is the responsibility of InfoSec professionals to understand state laws and bills. ____________ a. True *b. False
10. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________ *a. True b. False
11. InfraGard began as a cooperative effort between the FBI’s Cleveland field office and local intelligence professionals. ___________ a. True *b. False
12. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past? a. Applied ethics *b. Descriptive ethics c. Normative ethics d. Deontological ethics
13. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)? a. Applied ethics b. Meta-ethics c. Normative ethics *d. Deontological ethics
14. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community? a. utilitarian b. virtue c. fairness or justice *d. common good
15. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. ignorance *b. malice c. accident d. intent
16. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls. a. remediation *b. deterrence c. persecution d. rehabilitation
17. Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? a. fear of penalty b. probability of being penalized c. probability of being caught *d. fear of humiliation
18. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. *a. (ISC)2 b. ACM c. SANS d. ISACA
19. Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. tort b. criminal *c. private d. public
20. Which of the following is NOT used to categorize some types of law? a. constitutional b. regulatory c. statutory *d. international
21. Which law addresses privacy and security concerns associated with the electronic transmission of PHI? a. USA PATRIOT Act of 2001 b. American Recovery and Reinvestment Act *c. Health Information Technology for Economic and Clinical Health Act d. National Information Infrastructure Protection Act of 1996
22. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons? a. For purposes of commercial advantage b. For private financial gain *c. For political advantage d. In furtherance of a criminal act
23. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system? a. The Telecommunications Deregulation and Competition Act b. National Information Infrastructure Protection Act c. Computer Fraud and Abuse Act *d. The Computer Security Act
24. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications? *a. The Electronic Communications Privacy Act of 1986 b. The Telecommunications Deregulation and Competition Act of 1996 c. National Information Infrastructure Protection Act of 1996 d. Federal Privacy Act of 1974
25. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them? a. ECPA b. Sarbanes-Oxley *c. HIPAA d. Gramm-Leach-Bliley
26. Which law extends protection to intellectual property, which includes words published in electronic formats? a. Freedom of Information Act *b. U.S. Copyright Law c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act
27. A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. a. notification *b. breach c. spill d. compromise
28. Which of the following is the result of a U.S.-led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? a. U.S. Copyright Law b. PCI DSS c. European Council Cybercrime Convention *d. DMCA
29. This collaborative support group began as a cooperative effort between the FBI’s Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure. *a. InfraGard b. Homeland Security c. CyberWatch d. CyberGard
30. Another key U.S. federal agency is _________, which is responsible for coordinating, directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information. a. InfraGard b. Homeland Security *c. the National Security Agency d. the Federal Bureau of Investigation
31. Which of the following is compensation for a wrong committed by an individual or organization? a. liability *b. restitution c. due diligence d. jurisdiction
32. Any court can impose its authority over an individual or organization if it can establish which of the following? a. jurisprudence *b. jurisdiction c. liability d. sovereignty
33. Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________. *a. digital forensics b. criminal investigation c. crime scene investigation d. e-discovery
34. Also known as “items of potential evidentiary value,” any information that could potentially support the organization’s legal or policy-based case against a suspect is known as _________. *a. evidentiary material b. digital forensics c. evidence d. e-discovery
35. The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. a. evidentiary material *b. forensics c. crime scene investigation d. data imaging
36. Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator’s lab for examination is known as a(n) _________. a. subpoena b. forensic clue *c. search warrant d. affidavit
37. Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________. a. subpoena b. forensic finding c. search warrant *d. affidavit
38. A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________. *a. e-discovery b. forensics c. indexing d. root cause analysis
39. Digital forensics can be used for two key purposes: ________ or _________. a. e-discovery; to perform root cause analysis *b. to investigate allegations of digital malfeasance; to perform root cause analysis c. to solicit testimony; to perform root cause analysis d. to investigate allegations of digital malfeasance; to solicit testimony
40. In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________. *a. identifying relevant items of evidentiary value b. acquiring (seizing) the evidence without alteration or damage c. analyzing the data without risking modification or unauthorized access d. investigating allegations of digital malfeasance
41. _________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present. *a. Portable b. Desktop computer c. Expansion d. Satellite transceiver
42. The most complex part of an investigation is usually __________. *a. analysis for potential EM b. protecting potential EM c. requesting potential EM d. preventing the destruction of potential EM
43. When an incident violates civil or criminal law, it is the organization’s responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________. *a. the type of crime committed b. how many perpetrators were involved c. the network provider the hacker used d. what kind of computer the hacker used
44. Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group. Correct Answer(s): a. cultural mores
45. The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________. Correct Answer(s): a. ethics
46. The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place is known as ___________. Correct Answer(s): a. deterrence
47. ___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury. Correct Answer(s): a. Tort law
48. Information ____________ occurs when pieces of nonprivate data are combined to create information that violates privacy. Correct Answer(s): a. aggregation
49. An organization increases its liability if it refuses to take the measures a prudent organization should; this is known as the standard of _____________. Correct Answer(s): a. due care
50. Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________. Correct Answer(s): a. digital forensics
51. _________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present. Correct Answer(s): a. Portable
52. A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________. Correct Answer(s): a. e-discovery b. ediscovery
53. Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________. Correct Answer(s): a. affidavit
54. [f] 1. One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
[d] 2. Focuses on enhancing the security of the critical infrastructure in the United States.
[c] 3. An approach that applies moral codes to actions drawn from realistic situations.
[g] 4. A collection of statutes that regulates the interception of wire, electronic, and oral communications.
[h] 5. Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
[b] 6. The study of what makes actions right or wrong, also known as moral theory.
[a] 7. Addresses violations harmful to society and is actively enforced and prosecuted by the state.
[e] 8. Defines socially acceptable behaviors.
a. criminal law b. normative ethics c. applied ethics d. Cybersecurity Act e. ethics f. Computer Security Act (CSA) g. Electronic Communications Privacy Act (ECPA) h. public law
55. Describe the foundations and frameworks of ethics. Correct Answer:
Normative ethics—The study of what makes actions right or wrong, also known as moral theory—that is, how should people act?
Meta-ethics—The study of the meaning of ethical judgments and properties—that is, what is right?
Descriptive ethics—The study of the choices that have been made by individuals in the past—that is, what do others think is right?
Applied ethics—An approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice.
Deontological ethics—The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person’s ethical duty.
56. Discuss the three general categories of unethical behavior that organizations should try to control. Correct Answer:
Ignorance: Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention and, one hopes, compliance.
Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data.
Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.
57. Laws and policies and their associated penalties only deter if three conditions are present. What are these conditions? Correct Answer:
Fear of penalty—Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.
Probability of being caught—There must be a strong possibility that perpetrators of illegal or unethical acts will be caught.
Probability of penalty being administered—The organization must be willing and able to impose the penalty.
58. Briefly describe five different types of laws. Correct Answer:
1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations.
2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state.
3. Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law.
5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.
59. The penalty for violating the National Information Infrastructure Protection Act of 1996 depends on the value of the information obtained and whether the offense is judged to have been committed for one of three reasons. What are those reasons? Correct Answer:
1. For purposes of commercial advantage
2. For private financial gain
3. In furtherance of a criminal act
60. The Computer Security Act charges the National Bureau of Standards, in cooperation with the National Security Agency (NSA), with the development of five standards and guidelines establishing minimum acceptable security practices. What are three of these principles? Correct Answer:
1. Standards, guidelines, and associated methods and techniques for computer systems
2. Uniform standards and guidelines for most federal computer systems
3. Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
4. Guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice
5. Validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies
61. Describe the Freedom of Information Act. How does its application differ for federal vs. state agencies? Correct Answer:
All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person. However, agencies may withhold information pursuant to nine exemptions and three exclusions contained in the statute. FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each state has its own public access laws that should be consulted for access to state and local records.
62. What is a key difference between law and ethics? Correct Answer:
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.
63. A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution? Correct Answer:
Policies must be:
1. Effectively written
2. Distributed to all individuals who are expected to comply with them
3. Read by all employees
4. Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees
5. Acknowledged by the employee, usually by means of a signed consent form
6. Uniformly enforced, with no special treatment for any group (e.g., executives)
CHAPTER 3 1. Because it sets out general business intentions, a mission statement does not need to be concise. a. True *b. False
2. A clearly directed strategy flows from top to bottom rather than from bottom to top. *a. True b. False
3. A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure. *a. True b. False
4. A top-down approach to information security usually begins with a systems administrator’s attempt to improve the security of systems. a. True *b. False
5. Today’s InfoSec systems need constant monitoring, testing, modifying, updating, and repairing. *a. True b. False
6. Values statements should be ambitious; after all, they are meant to express the aspirations of an organization. ____________ a. True *b. False
7. A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization is a(n) investiture. ____________ a. True *b. False
8. The ISO 27014:2013 standard promotes five governance processes, which should be adopted by the organization’s executive management and its consultant. ____________ a. True *b. False
9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs. ____________ *a. True b. False
10. According to the CGTF, the organization should treat InfoSec as an integral part of the system life cycle. ____________ *a. True b. False
11. Which of the following explicitly declares the business of the organization and its intended areas of operations? a. vision statement b. values statement *c. mission statement d. business statement
12. Which type of planning is the primary tool in determining the long-term direction taken by an organization? *a. strategic b. tactical c. operational d. managerial
13. Which of the following is true about planning? *a. Strategic plans are used to create tactical plans. b. Tactical plans are used to create strategic plans. c. Operational plans are used to create tactical plans. d. Operational plans are used to create strategic plans.
14. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives? a. strategic b. operational c. organizational *d. tactical
15. Which type of planning is used to organize the ongoing, day-to-day performance of tasks? a. strategic b. tactical c. organizational *d. operational
16. The basic outcomes of InfoSec governance should include all but which of the following? a. Value delivery by optimizing InfoSec investments in support of organizational objectives b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved *c. Time management by aligning resources with personnel schedules and organizational objectives d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
17. Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization’s planning and operations, are known as ____________. a. data owners b. data custodians *c. data users d. data generators
18. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices? *a. Hold regular meetings with the CIO to discuss tactical InfoSec planning. b. Assign InfoSec to a key committee and ensure adequate support for that committee. c. Ensure the effectiveness of the corporation’s InfoSec policy through review and approval. d. Identify InfoSec leaders, hold them accountable, and ensure support for them.
19. Which of the following should be included in an InfoSec governance program? a. An InfoSec maintenance methodology *b. An InfoSec risk management methodology c. An InfoSec project management assessment d. All of these are components of the InfoSec governance program.
20. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? *a. initiating b. establishing c. acting d. learning
21. According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? a. initiating *b. establishing c. acting d. learning
22. Which of the following is an information security governance responsibility of the chief information security officer? a. Develop policies and the program. *b. Set security policy, procedures, programs, and training. c. Brief the board, customers, and the public. d. Implement incident response programs to detect security vulnerabilities and breaches.
23. ISO 27014:2013 is the ISO 27000 series standard for ____________. *a. governance of information security b. information security management c. risk management d. policy management
24. Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process *c. utilizing the technical expertise of the individual administrators d. coordinated planning from upper management
25. A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________. a. sponsor *b. champion c. overseer d. auditor
26. In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it? a. spiral b. evolutionary prototyping c. agile *d. waterfall
27. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. *a. data owners b. data custodians c. data users d. data generators
28. What is the first phase of the SecSDLC? a. analysis *b. investigation c. logical design d. physical design
29. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. *a. chief information security officer b. security technician c. security manager d. chief technology officer
30. In which phase of the SecSDLC does the risk management task occur? a. physical design b. implementation c. investigation *d. analysis
31. An example of a company stakeholder includes all of the following EXCEPT: a. employees *b. the general public c. stockholders d. management
32. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________. a. champion b. auditor *c. team leader d. policy developer
33. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. a. chief information security officer b. security technician *c. security manager d. chief technology officer
34. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team. *a. champion b. project manager c. team leader d. auditor
35. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization’s executive management, and so that it selects key stakeholders as well as the ____________. *a. Board Risk Committee b. Board Finance Committee c. Board Ethics Committee d. Chairman of the Board
36. A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________. *a. methodology b. formula c. approach d. model
37. A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs. *a. business mission b. joint application design c. security policy review d. disaster recovery planning
38. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a. system controls b. technical controls c. operational controls *d. managerial controls
39. A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization—for example, the information assets used in a particular organization—is known as a(n) _________. *a. stakeholder b. investiture c. venture capitalist d. unicorn
40. A clearly directed __________ flows from top to bottom, and a systematic approach is required to translate it into a program that can inform and lead all members of the organization. *a. strategy b. security program c. security policy d. maintenance program
41. IT’s focus is the efficient and effective delivery of information and administration of information resources, while InfoSec’s primary focus is the __________ of all information assets. *a. protection b. valuation c. operation d. availability
42. When creating a __________, each level of each division translates its goals into more specific goals for the level below it. *a. strategic plan b. security program c. security policy d. maintenance program
43. The first priority of the CISO and the InfoSec management team should be the __________. *a. structure of a strategic plan b. implementation of a risk management program c. development of a security policy d. adoption of an incident response plan
44. The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly is known as __________. a. leadership b. relevance *c. governance d. management
45. The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective. The letters stand for __________, __________, and __________. a. government, regulation, classification b. generalization, risk assessment, cryptography *c. governance, risk management, compliance d. governance, risk control, confidentiality
46. The process of integrating the governance of the physical security and information security efforts is known in the industry as __________. *a. convergence b. combination c. intimation d. optimization
47. The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints. *a. investigation b. analysis c. implementation d. justification
48. In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution. a. investigation *b. analysis c. implementation d. justification
49. The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. a. investigation b. analysis c. implementation *d. design
50. A qualified individual who is tasked with configuring security technologies and operating other technical control systems is known as a(n) ____________. a. chief information security officer *b. security technician c. security manager d. chief technology officer
51. The impetus to begin an SDLC-based project may be ____________________—that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders. Correct Answer(s): a. event-driven b. event driven
52. _________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states. Correct Answer(s): a. Physical
53. The __________ phase is the last phase of the SecSDLC, but is also perhaps the most important. Correct Answer(s): a. maintenance and change
54. A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization—for example, the information assets used in a particular organization—is known as a(n) _________. Correct Answer(s): a. stakeholder
55. IT’s role is the efficient and effective delivery of information and administration of information resources, while InfoSec’s primary role is the __________ of all information assets. Correct Answer(s): a. protection
56. Many technology-based controls can be circumvented if an attacker gains __________ access to the devices being controlled. Correct Answer(s): a. physical
57. The __________ phase is the first phase of the SecSDLC and frequently includes the creation of policy. Correct Answer(s): a. investigation
58. The process of integrating the governance of physical security and information security efforts is known in the industry as __________. Correct Answer(s): a. convergence
59. The process of defining and specifying the long-term direction (strategy) to be taken by an organization is known as __________ planning. Correct Answer(s): a. strategic
60. The __________ of InfoSec is a strategic planning responsibility whose importance has grown rapidly over the past several years. Correct Answer(s): a. governance
61. The __________ approach to security implementation features strong upper-management support, a dedicated champion, dedicated funding, a clear planning and implementation process, and the ability to influence organizational culture. Correct Answer(s): a. top-down b. top down
62. Information security governance yields significant benefits. List five. Correct Answer:
1. An increase in share value for organizations
2. Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels
3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
4. Optimization of the allocation of limited security resources
5. Assurance of effective information security policy and policy compliance
6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response
7. A level of assurance that critical decisions are not based on faulty information
8. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response
63. Describe what happens during each phase of the IDEAL general governance framework. Correct Answer:
Initiating - Lay the groundwork for a successful improvement effort.
Diagnosing - Determine where you are relative to where you want to be.
Establishing - Plan the specifics of how you will reach your destination.
Acting - Do the work according to the plan.
Learning - Learn from the experience and improve your ability to adopt new improvements in the future.
64. What is the role of planning in InfoSec management? What are the factors that affect planning? Correct Answer:
Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholders. Among the factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment.
65. What is the values statement and what is its importance to an organization? Correct Answer:
One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.
66. Contrast the vision statement with the mission statement. Correct Answer:
If the vision statement declares where the organization wants to go, the mission statement describes how it wants to get there.
67. How does tactical planning differ from strategic planning? Correct Answer:
Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year.
68. According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met? Correct Answer:
1. Create a culture that recognizes the criticality of information and InfoSec to the organization.
2. Verify that management’s investment in InfoSec is properly aligned with organizational strategies and the organization’s risk environment.
3. Assure that a comprehensive InfoSec program is developed and implemented.
4. Demand reports from the various layers of management on the InfoSec program’s effectiveness and adequacy.
69. Describe the key approaches organizations are using to achieve unified enterprise risk management. Correct Answer:
1. Combining physical security and InfoSec under one leader as one business function
2. Using separate business functions that report to a common senior executive
3. Using a risk council approach to provide a collaborative approach to risk management
70. What is necessary for a top-down approach to the implementation of InfoSec to succeed? Correct Answer:
For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization.
CHAPTER 4 1. Policies must specify penalties for unacceptable behavior and define an appeals process. *a. True b. False
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee’s inappropriate or illegal use of the system. *a. True b. False
3. The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for. a. True *b. False
4. Access control lists regulate who, what, when, where, and why authorized users can access a system. a. True *b. False
5. Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex. a. True *b. False
6. Technology is the essential foundation of an effective information security program. _____________ a. True *b. False
7. Information security policies are designed to provide structure in the workplace and explain the will of the organization’s management. ____________ *a. True b. False
8. Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________ a. True *b. False
9. Examples of actions that illustrate compliance with policies are known as laws. __________ a. True *b. False
10. The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. ____________ a. True *b. False
11. Which of the following is NOT one of the basic rules that must be followed when developing a policy? a. policy should never conflict with law b. policy must be able to stand up in court if challenged *c. policy should be focused on protecting the organization from public embarrassment d. policy must be properly supported and administered
12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? a. on-target model b. Wood’s model *c. bull’s-eye model d. Bergeron and Berube model
13. Which of the following is NOT among the three types of InfoSec policies based on NIST’s Special Publication 800-14? a. enterprise information security policy *b. user-specific security policies c. issue-specific security policies d. system-specific security policies
14. Which type of document is a more detailed statement of what must be done to comply with a policy? a. procedure *b. standard c. guideline d. practice
15. In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? a. appeals process b. legal recourse c. individual responsible for approval *d. the penalties for violation of the policy
16. Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP *d. EISP
17. The EISP must directly support the organization’s __________. *a. mission statement b. values statement c. financial statement d. public announcements
18. Which of the following is a common element of the enterprise information security policy? a. access control lists *b. information on the structure of the InfoSec organization c. articulation of the organization’s SDLC methodology d. indemnification of the organization against liability
19. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? *a. issue-specific b. enterprise information c. system-specific d. user-specific
20. Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions? *a. Violations of Policy b. Systems Management c. Prohibited Usage of Equipment d. Authorized Access and Usage of Equipment
21. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? *a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose
22. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs? *a. can suffer from poor policy dissemination, enforcement, and review b. may skip vulnerabilities otherwise reported c. may be more expensive than necessary d. implementation can be less difficult to manage
23. Which of the following are the two general groups into which SysSPs can be separated? *a. technical specifications and managerial guidance b. business guidance and network guidance c. user specifications and managerial guidance d. technical specifications and business guidance
24. What are the two general approaches for controlling user authorization for the use of a technology? a. profile lists and configuration tables b. firewall rules and access filters c. user profiles and filters *d. access control lists and capability tables
25. Which of the following is NOT an aspect of access regulated by ACLs? a. what authorized users can access *b. where the system is located c. how authorized users can access the system d. when authorized users can access the system
26. Which of the following are instructional codes that guide the execution of the system when information is passing through it? a. access control lists b. user profiles *c. configuration rules d. capability tables
27. Access control list user privileges include all but which of these? a. read b. write *c. operate d. execute
28. Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP. a. management directive, technical specifications b. management guidance, technical directive *c. management guidance, technical specifications d. management specification, technical directive
29. Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________. *a. proper conception b. proper design c. proper development d. proper implementation
30. Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization. *a. examples b. legal opinions c. strategic plans d. purchasable policies
31. With policy, the most common distribution methods are hard copy and __________. *a. electronic b. published c. draft d. final
32. To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology. *a. reading level b. level of formatting c. cost d. size
33. Policy __________ means the employee must agree to the policy. *a. compliance b. conformance c. complacency d. consequence
34. The final component of the design and implementation of effective policies is __________. *a. uniform and impartial enforcement b. full comprehension c. complete distribution d. universal distribution
35. A detailed outline of the scope of the policy development project is created during which phase of the SDLC? a. design b. analysis c. implementation *d. investigation
36. Which phase of the SDLC should see clear articulation of goals? a. design b. analysis c. implementation *d. investigation
37. Which phase of the SDLC should get support from senior management? a. design b. analysis c. implementation *d. investigation
38. A risk assessment is performed during which phase of the SDLC? a. implementation *b. analysis c. design d. investigation
39. A gathering of key reference materials is performed during which phase of the SDLC? a. implementation *b. analysis c. design d. investigation
40. In which phase of the SDLC must the team create a plan to distribute and verify the
distribution of the policies? a. design *b. implementation c. investigation d. analysis
41. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation,
revision, distribution, and storage of the policy? a. policy developer b. policy reviewer c. policy enforcer *d. policy administrator
42. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? a. policy administration *b. due diligence c. adequate security measures d. certification and accreditation
43. Which of the following is NOT one of the three general causes of unethical and illegal behavior? *a. carelessness b. ignorance c. accident d. intent
44. Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them? *a. frequency of review b. probability of being apprehended c. fear of the penalty d. probability of penalty being applied
45. In the bull’s-eye model, the ____________________ layer is the place where threats from public networks meet the organization’s networking infrastructure. Correct Answer(s): a. Networks
46. The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the ____________________ security policy. Correct Answer(s): a. system-specific b. system specific
47. The responsibilities of users and systems administrators with regard to systems administration duties should be specified in the ____________________ section of the ISSP. Correct Answer(s): a. Systems Management
48. ____________________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users. Correct Answer(s): a. Access control lists b. ACLs
49. A(n) ____________________, which is usually presented on a screen to the user during software installation, spells out fair and responsible use of the software being installed. Correct Answer(s): a. end-user license agreement b. end user license agreement c. EULA
50. The champion and manager of the information security policy is called the ____________________. Correct Answer(s): a. policy administrator
51. A __________ is simply a manager’s or other governing body’s statement of intent regarding employee behavior with respect to the workplace. Correct Answer(s): a. policy
52. A good information security program begins and ends with __________. Correct Answer(s): a. policy
53. __________ are examples of actions that illustrate compliance with policies. Correct Answer(s): a. practices
54. Non-mandatory recommendations the employee may use as a reference in complying with a policy are known as __________. Correct Answer(s): a. guidelines
55. [g] 1. Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.
[b] 2. A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
[i] 3. When issues are addressed by moving from the general to the specific, always starting with policy.
[c] 4. An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
[f] 5. The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts.
[j] 6. Specifications of authorization that govern the rights and privileges of users to a particular information asset.
[a] 7. A clear declaration that outlines the scope and applicability of a policy.
[e] 8. A section of policy that should specify users’ and systems administrators’ responsibilities.
[d] 9. Specifies the subjects and objects that users or groups can access.
[h] 10. Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.
a. statement of purpose b. standard c. ISSP d. capability table e. systems management f. InfoSec policy g. procedures h. SysSP i. bull’s eye model j. access control lists
56. What are the four elements that an EISP document should include? Correct Answer:
An overview of the corporate philosophy on security
Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
Fully articulated responsibilities for security that are unique to each role within the organization
57. What should an effective ISSP accomplish? Correct Answer:
It articulates the organization’s expectations about how its technology-based system should be used.
It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control.
It indemnifies the organization against liability for an employee’s inappropriate or illegal use of the system.
58. List the major components of the ISSP. Correct Answer:
Statement of Purpose
Authorized Uses
Prohibited Uses
Systems Management
Violations of Policy
Policy Review and Modification
Limitations of Liability
59. How should a policy administrator facilitate policy reviews? Correct Answer:
To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation. Recommendation methods could include e-mail, office mail, or an anonymous drop box.
60. List the advantages and disadvantages of using a modular approach for creating and managing the ISSP. Correct Answer:
The advantages of the modular ISSP policy are:
Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches
Well controlled by centrally managed procedures, assuring complete topic coverage
Clear assignment to a responsible department
Written by those with superior subject matter expertise for technology-specific systems
The disadvantages of the modular ISSP policy are:
May be more expensive than other alternatives
Implementation can be difficult to manage
61. List the significant guidelines used in the formulation of effective information security policy. Correct Answer:
For policies to be effective, they must be properly:
1. Developed using industry-accepted practices
2. Distributed or disseminated using all appropriate methods
3. Reviewed or read by all employees
4. Understood by all employees
5. Formally agreed to by act or assertion
6. Uniformly applied and enforced
62. What is a SysSP and what is one likely to include? Correct Answer:
SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for example, to configure and operate a network firewall. Such a document could include: a statement of managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an access control list that defines levels of access for each authorized user.
63. What is the final component of the design and implementation of effective policies? Describe this component. Correct Answer:
The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management.
64. In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important? Correct Answer:
During the implementation phase, the team must create a plan to distribute and verify the distribution of the policies. Members of the organization must explicitly acknowledge that they have received and read the policy. Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be overturned and punitive damages might be awarded to the former employee.
65. What are configuration rules? Provide examples. Correct Answer:
Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly. Many security systems require specific configuration scripts that dictate which actions to perform on each set of information they process. Examples include firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers.
66. Why is policy so important? Correct Answer:
Among other reasons, policy may be one of the very few controls or safeguards protecting certain information. Also, properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Policy also serves to protect both the employee and the organization from inefficiency and ambiguity.
CHAPTER 5
1. Small organizations spend more per user on security than medium- and large-sized organizations. *a. True b. False
2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT department. a. True *b. False
3. Threats from insiders are more likely in a small organization than in a large one. a. True *b. False
4. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks. a. True *b. False
5. On-the-job training can result in substandard work performance while the trainee gets up to speed. *a. True b. False
6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables. a. True *b. False
7. When creating a WBS, planners need to estimate the effort required to complete each task, subtask, or action step. *a. True b. False
8. Using complex project management tools may result in a complication where the project manager creates project diagrams with insufficient detail for the implementation of the project. a. True *b. False
9. Each professional project manager will strive to find the proper balance between the planning and the actual work of the project. *a. True b. False
10. Project management is focused on achieving the objectives of the project. __________ *a. True b. False
11. Establishing performance measures and creating project milestones simplifies project planning. __________ a. True *b. False
12. InfoSec is a continuous series of policies that comprise a process. __________ a. True *b. False
13. Project scope management ensures that the project plan includes only those activities that are necessary to complete it. __________ *a. True b. False
14. Establishing performance measures and creating project way points simplifies project monitoring. __________ a. True *b. False
15. The goal of a security alertness program is to keep information security at the forefront of users’ minds on a daily basis. __________ a. True *b. False
16. Projectitis is a phenomenon in which the project manager spends more time documenting project tasks than in accomplishing meaningful project work. __________ *a. True b. False
17. Which of the following is NOT a part of an information security program? a. technologies used by an organization to manage the risks to its information assets b. activities used by an organization to manage the risks to its information assets c. personnel used by an organization to manage the risks to its information assets *d. All of these are part of an information security program.
18. Which of the following variables is the most influential in determining how to structure an information security program? a. security capital budget b. competitive environment c. online exposure of organization *d. organizational culture
19. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk? a. risk treatment *b. risk assessment c. systems testing d. vulnerability assessment
20. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization? a. It has a larger dedicated (full-time) security staff than a small organization. b. It has a larger security budget (as percent of IT budget) than a small organization. c. It has a smaller security budget (as percent of IT budget) than a large organization. *d. It has larger information security needs than a small organization.
21. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness? *a. systems testing b. risk assessment c. incident response d. risk treatment
22. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? a. compliance b. policy *c. planning d. SETA programs
23. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation? a. policy *b. centralized authentication c. compliance/audit d. risk management
24. Larger organizations tend to spend approximately __________ percent of the total IT budget on security. a. 2 *b. 5 c. 11 d. 20
25. Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security. a. 2 b. 5 *c. 11 d. 20
26. Organizations classified as __________ may still be large enough to implement the multitier approach to security, though perhaps with fewer dedicated groups and more functions assigned to each group. *a. medium-sized b. small-sized c. large-sized d. super-sized
27. Smaller organizations tend to spend approximately __________ percent of the total IT budget on security. a. 2 b. 5 c. 11 *d. 20
28. Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function? a. The average salary of the top security executive typically exceeds that of the typical IT executive, creating professional rivalries between the two. *b. There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information. c. There is a fundamental difference in the mission of the InfoSec department, which seeks to minimize access to information, and the IT function, which seeks to increase accessibility of information. d. None of the above are reasons the InfoSec department should NOT fall under the IT function.
29. In large organizations, the InfoSec department is often located within a(n) _________ division headed by the _________, who reports directly to the _________. *a. IT, CISO, CIO b. Finance, Comptroller, CFO c. Security, CSO, CIO d. Legal, Corporate Counsel, CEO
30. According to Wood, which of the following is a reason the InfoSec department should report directly to top management? *a. It fosters objectivity and the ability to perceive what’s truly in the best interest of the organization as a whole. b. It allows independence in the InfoSec department, especially if it is needed to audit the IT division. c. It prevents InfoSec from becoming a drain on the IT budget. d. It allows the InfoSec executive to dictate security requirements with greater authority to the other business divisions.
31. As noted by Kosutic, options for placing the CISO (and his or her security group) in the organization are generally driven by organizational size and include all of the following EXCEPT: *a. within a division/department with a conflict of interest b. in a separate group reporting directly to the CEO/president c. under a division/department with no conflict of interest d. as an additional duty for an existing manager/executive
32. The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics? *a. market b. budget c. size d. culture
33. A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as __________. a. a security technician *b. a security analyst c. a security consultant d. a security manager
34. Which of the following would most likely be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems? *a. security technician b. security analyst c. security consultant d. security manager
35. "GGG security" is a term commonly used to describe which aspect of security? a. technical b. software *c. physical d. policy
36. This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator. a. security technician b. security analyst c. security consultant *d. security manager
37. To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT: *a. form a committee and approve suggestions from the CISO b. learn more about the requirements and qualifications needed c. learn more about budgetary and personnel needs d. grant the InfoSec function needed influence and prestige
38. Which of the following organizations offers the Certified CISO (C|CISO) certification? a. SANS Institute b. (ISC)2 c. ISACA *d. EC-Council
39. Which of the following organizations is best known for its series of certifications targeted to information systems audit, information security, risk control, and IT governance? a. SANS Institute b. (ISC)2 *c. ISACA d. EC-Council
40. Which of the following organizations is best known for its series of technical InfoSec certifications through Global Information Assurance Certification (GIAC)? *a. SANS Institute b. (ISC)2 c. ISACA d. EC-Council
41. The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral. *a. CISSP b. GIAC Security Leadership Certification c. Security + d. Associate of (ISC)2
42. An (ISC)2 program geared toward individuals who want to take any of its certification exams before obtaining the requisite experience for certification is the __________. *a. Associate of (ISC)2 b. SSCP c. ISSAP d. ISSMP
43. An ISACA certification targeted at IT professionals who are in careers that link IT risk management with enterprise risk management is known as the __________. a. CGEIT b. CISM c. CISSP *d. CRISC
44. An ISACA certification targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance, is known as the __________. *a. CGEIT b. CISM c. CISSP d. CRISC
45. What is the SETA program designed to do? a. reduce the occurrence of external attacks b. improve operations *c. reduce the occurrence of accidental security breaches d. increase the efficiency of InfoSec staff
46. A SETA program consists of three elements: security education, security training, and which of the following? a. security accountability b. security authentication *c. security awareness d. security authorization
47. The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge *b. by adding barriers c. by developing skills d. by improving awareness
48. There are a number of methods for customizing training for users; two of the most common involve customizing by __________ and by __________. a. skill level; employee rank b. department; seniority *c. functional background; skill level d. educational level; organizational need
49. Which of the following is the first step in the process of implementing training? a. identify training staff b. identify target audiences *c. identify program scope, goals, and objectives d. motivate management and employees
50. Which of the following is an advantage of the one-on-one method of training? a. trainees can learn from each other b. very cost-effective *c. customized to the needs of the trainee d. maximizes use of company resources
51. Which of the following is a disadvantage of the one-on-one training method? a. inflexible scheduling b. may not be responsive to the needs of all the trainees c. content may not be customized to the needs of the organization *d. resource intensive, to the point of being inefficient
52. Which of the following is an advantage of the formal class method of training? a. increased personal interaction between trainer and trainee b. self-paced; can go as fast or as slow as the trainee needs c. can be scheduled to fit the needs of the trainee *d. interaction with trainer is possible
53. Which of the following is an advantage of the user support group form of training? *a. usually conducted in an informal social setting b. formal training plan c. can be live, or can be archived and viewed at the trainee’s convenience d. can be customized to the needs of the trainee
54. Which of the following is NOT a step in the process of implementing training? a. administer the program *b. hire expert consultants c. motivate management and employees d. identify target audiences
55. __________ is a simple project management planning tool. a. RFP *b. WBS c. ISO 17799 d. SDLC
56. Which of the following is the most cost-effective method for disseminating security information and news to employees? a. employee seminars b. security-themed Web site c. conference calls *d. e-mailed security newsletter
57. Which of the following is true about a company’s InfoSec awareness Web site? a. It should contain few images to avoid distracting readers. b. Appearance doesn’t matter if the information is there. c. It should be placed on the Internet for public use. *d. It should be tested with multiple browsers.
58. An organization’s information security __________ refers to the entire set of activities, resources, personnel, and technologies used to manage risks to the organization's information assets. Correct Answer(s): a. program
59. An organization carries out a risk __________ function to evaluate risks present in IT initiatives and/or systems. Correct Answer(s): a. assessment
60. A study of information security positions found that they can be classified into one of three types: __________ are the real technical types, who create and install security solutions. Correct Answer(s): a. builders
61. The information security __________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program. Correct Answer(s): a. consultant
62. The __________ program is designed to reduce the occurrence of accidental security breaches by members of the organization. Correct Answer(s): a. security education, training, and awareness b. SETA
63. Project __________ management ensures that the project plan includes only those activities that are necessary to complete it. Correct Answer(s): a. scope
64. Establishing performance measures and creating project __________ simplifies project monitoring. Correct Answer(s): a. milestones
65. The __________ is considered the industry best practice as a project management approach. Correct Answer(s): a. PMBOK b. Project Management Body of Knowledge
66. The three methods for selecting or developing advanced technical training are by job category, by job function, and by __________. Correct Answer(s): a. technology product
67. The goal of a security __________ program is to keep information security at the forefront of users’ minds on a daily basis. Correct Answer(s): a. awareness
68. __________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work. Correct Answer(s): a. Projectitis
69. [i] 1. In larger organizations, the person responsible for some aspect of information security; in smaller organizations, this title may be assigned to the only or senior security administrator.
[g] 2. The structure and organization of the effort to manage risks to an organization’s information assets.
[c] 3. Occurs when a project manager spends more time working in the project management software than accomplishing meaningful project work.
[e] 4. An entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology.
[h] 5. The technical specialists responsible for the implementation and administration of some security-related technology.
[a] 6. A program designed to improve the security of information assets by providing targeted information, skills, and guidance for organizational employees.
[f] 7. A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.
[d] 8. Typically considered the top information security officer in an organization.
[j] 9. A way to keep InfoSec at the forefront of users’ minds on a daily basis.
[b] 10. The expansion of the quantity or quality of project deliverables from the original project plan.
a. SETA b. scope creep c. projectitis d. CISO e. security watchstander f. critical path method g. InfoSec program h. security technicians i. security manager j. security awareness program
70. Explain the conflict between the goals and objectives of the CIO and the CISO. Correct Answer:
The CIO, as the executive in charge of the organization’s technology, manages the efficiency in the processing and accessing of the organization’s information. Anything that limits access or slows information processing directly contradicts the CIO’s mission. On the other hand, the CISO functions more like an internal auditor, with the information security department examining existing systems to discover information security faults and flaws in technology, software, and employees’ activities and processes. At times, these activities may disrupt the processing and accessing of the organization’s information.
71. What is the security education, training, and awareness program? Describe how the program aims to enhance security. Correct Answer:
The security education, training, and awareness (SETA) program is designed to reduce the occurrence of accidental security breaches by members of the organization. The program aims to enhance security in three ways:
- By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
- By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
- By improving awareness of the need to protect system resources
72. List the steps of the seven-step methodology for implementing training. Correct Answer:
The seven-step methodology for implementing training is as follows:
Step 1: Identify program scope, goals, and objectives.
Step 2: Identify training staff.
Step 3: Identify target audiences.
Step 4: Motivate management and employees.
Step 5: Administer the program.
Step 6: Maintain the program.
Step 7: Evaluate the program.
73. What are some of the variables that determine how a given organization chooses to construct its InfoSec program? Correct Answer:
Among the variables that determine how a given organization chooses to structure its information security (InfoSec) program are organizational culture, size, security personnel budget, and security capital budget.
74. What are the four areas into which it is recommended to separate the functions of security? Correct Answer:
Functions performed by nontechnology business units outside the IT area of management control
Functions performed by IT groups outside the InfoSec area of management control
Functions performed within the InfoSec department as a customer service to the organization and its external partners
Functions performed within the InfoSec department as a compliance enforcement obligation
75. Which security functions are normally performed by IT groups outside the InfoSec area of management control? Correct Answer:
Systems security administration
Network security administration
Centralized authentication
76. What components of the security program are described as preparing for contingencies and disasters? Correct Answer:
Business plan, identify resources, develop scenarios, develop strategies, test and revise plan
77. What is the chief information security officer primarily responsible for? Correct Answer:
The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization’s information.
78. What is the role of help desk personnel in the InfoSec team? Correct Answer:
An important part of the InfoSec team is the help desk, which enhances the security team’s ability to identify potential problems. When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user’s problem may turn out to be related to a bigger problem, such as a hacker, a DoS attack, or a virus. Because help desk technicians perform a specialized role in InfoSec, they need specialized training. These staff members must be prepared to identify and diagnose both traditional technical problems and threats to InfoSec. Their ability to do so may cut precious hours off of an incident response.
79. What is the purpose of a security awareness program? What advantage does an awareness program have for the InfoSec program? Correct Answer:
A security awareness program keeps InfoSec at the forefront of users’ minds on a daily basis. Awareness serves to instill a sense of responsibility and purpose in employees who handle and manage information, and it leads employees to care more about their work environment.
80. What minimum attributes for project tasks does the WBS document? Correct Answer:
Work to be accomplished (activities and deliverables)
Individuals (or skill set) assigned to perform the task
Start and end dates for the task (when known)
Amount of effort required for completion in hours or work days
Estimated capital expenses for the task
Estimated noncapital expenses for the task
Identification of dependencies between and among tasks
CHAPTER 6
1. Having an established risk management program means that an organization's assets are completely protected. a. True *b. False
2. The IT community often takes on the leadership role in addressing risk. a. True *b. False
3. MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof. a. True *b. False
4. Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked. *a. True b. False
5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. *a. True b. False
6. When operating any kind of organization, a certain amount of debt is always involved. __________ a. True *b. False
7. Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. __________ a. True *b. False
8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. __________ a. True *b. False
9. The recognition, enumeration, and documentation of risks to an organization’s information assets is known as risk control. __________ a. True *b. False
10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. __________ a. True *b. False
11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. __________ a. True *b. False
12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ___________ a. True *b. False
13. The information technology management community of interest often takes on the leadership role in addressing risk. __________ a. True *b. False
14. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. __________
a. True *b. False
15. The degree to which a current control can reduce risk is also subject to calculation error. __________ a. True *b. False
16. For an organization to manage its InfoSec risk properly, managers should understand how
information is __________. a. collected b. processed c. transmitted *d. all of these are needed
17. The Risk Management Framework includes all of the following EXCEPT: a. executive governance and support b. framework design *c. process contingency planning d. continuous improvement
18. Which of these denotes the overall structure of the strategic planning and design for the
entirety of the organization’s RM efforts? *a. RM framework b. RM process c. RM initiative d. RM leadership
19. Which of these denotes the identification, analysis, evaluation, and treatment of risk to
information assets? a. RM framework *b. RM process c. RM initiative d. RM leadership
20. Factors that affect the external context and impact the RM process, its goals, and its
objectives include the following EXCEPT: *a. the organization's governance structure
b. the legal/regulatory/compliance environment—laws, regulations, industry standards c. the business environment—customers, suppliers, competitors d. the threat environment—threats, known vulnerabilities, attack vectors
21. Which of the following is not a role of managers within the communities of interest in
controlling risk? a. general management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization *c. legal management must develop corporate-wide standards d. InfoSec management must lead the way with skill, professionalism, and flexibility
22. Which of the following is NOT a task performed by the governance group during the
framework design phase, in cooperation with the framework team? a. ensuring compliance with all legal and regulatory statutes and mandates b. guiding the development of, and formally approving, the RM policy c. recommending performance measures for the RM effort and ensuring that they are
compatible with other performance measures in the organization *d. specifying who will supervise and perform the RM process
23. The __________ converts the instructions and perspectives provided to the RM framework
team into cohesive guidance that structures and directs all subsequent risk management efforts. *a. risk management policy b. enterprise information security policy c. risk control implementation policy d. risk management board directive
24. Once the members of the RM framework team have been identified, the governance group
should communicate all of the following for the overall RM program EXCEPT: *a. its personnel structure b. its desired outcomes c. its priorities d. its intent
25. A well-defined risk appetite should have the following characteristics EXCEPT: *a. It is not limited by stakeholder expectations. b. It acknowledges a willingness and capacity to take on risk. c. It is documented as a formal risk appetite statement. d. It is reflective of all key aspects of the business.
26. The quantity and nature of risk that organizations are willing to accept as they evaluate the
trade-offs between perfect security and unlimited accessibility is known as __________. a. residual risk *b. risk appetite c. risk acceptance d. risk avoidance
27. What is the risk to information assets that remains even after current controls have been
applied? *a. residual risk b. risk appetite c. risk tolerance d. risk avoidance
28. What is the assessment of the amount of risk an organization is willing to accept for a
particular information asset? a. residual risk b. risk appetite *c. risk tolerance d. risk avoidance
29. Which of the following activities is part of the risk identification process? a. determining the likelihood that vulnerable systems will be attacked by specific threats b. calculating the severity of risks to which assets are exposed in their current setting *c. assigning a value to each information asset d. documenting and reporting the findings of risk analysis
30. Which of the following is a network device attribute that may be used in conjunction with
DHCP, making asset identification using this attribute difficult? a. part number b. serial number c. MAC address *d. IP address
31. Factors that affect the internal context and impact the RM process, its goals, and its
objectives include the following EXCEPT:
a. The organization’s governance structure b. The organization’s culture c. The maturity of the organization’s information security program *d. The threat environment—threats, known vulnerabilities, attack vectors
32. Which of the following attributes does NOT apply to software information assets? a. serial number b. controlling entity c. manufacturer name *d. product dimensions
33. Which of the following is an attribute of a network device built into the network interface? a. serial number *b. MAC address c. IP address d. model number
34. Which of the following distinctly identifies an asset and can be vital in later analysis of
threats directed to specific models of certain devices or software components? a. name b. MAC address c. serial number *d. manufacturer’s model or part number
35. Data classification schemes should categorize information assets based on which of the
following? a. value and uniqueness *b. sensitivity and security needs c. cost and replacement value d. ease of reproduction and fragility
36. Classification categories must be mutually exclusive and which of the following? a. repeatable b. documentable *c. comprehensive d. selective
37. What is the final step in the risk identification process?
a. assessing values for information assets b. classifying and categorizing assets c. identifying and inventorying assets *d. ranking assets in order of importance
38. Once an information asset is identified, categorized, and classified, what must also be
assigned to it? a. asset tag *b. relative value c. location ID d. threat risk
39. What should you be armed with to adequately assess potential weaknesses in each
information asset? *a. properly classified inventory b. audited accounting spreadsheet c. intellectual property assessment d. list of known threats
40. Which of the following is an example of a technological obsolescence threat? a. hardware equipment failure b. unauthorized access *c. outdated servers d. malware
41. Rather than making the effort to conduct a detailed assessment of the cost of recovery from
an attack when estimating the danger from possible threats, organizations often __________. *a. create a subjective ranking based on anticipated recovery costs b. estimate cost from past experience c. leave the value empty until later in the process d. use a consultant to calculate an exact value
42. What is defined as specific avenues that threat agents can exploit to attack an information
asset? a. liabilities b. defenses *c. vulnerabilities d. obsolescence
43. Which of the following activities is part of the risk evaluation process? a. creating an inventory of information assets b. classifying and organizing information assets into meaningful groups c. assigning a value to each information asset *d. calculating the severity of risks to which assets are exposed in their current setting
44. What should the prioritized list of assets and their vulnerabilities and the prioritized list of
threats facing the organization be combined to create? a. risk exposure report *b. threats-vulnerabilities-assets worksheet c. costs-risks-prevention database d. threat assessment catalog
45. The organization can perform risk determination using certain risk elements, including all
but which of the following? *a. legacy cost of recovery b. impact (consequence) c. likelihood of threat event (attack) d. element of uncertainty
46. An estimate made by the manager using good judgment and experience can account for
which factor of risk assessment? a. risk determination b. assessing potential loss c. likelihood and consequences *d. uncertainty
47. Which of the following is NOT among the typical columns in the risk rating worksheet? *a. uncertainty percentage b. impact c. risk-rating factor d. likelihood
48. The identification, analysis, and evaluation of risk in an organization describes which of the
following? *a. risk assessment
b. risk determination c. risk management d. risk reduction
49. An understanding of the potential consequences of a successful attack on an
information asset by a threat is known as __________. *a. impact b. likelihood c. uncertainty d. tolerance
50. The state of having limited or imperfect knowledge of a situation, making it less likely that
organizations can successfully anticipate future events or outcomes, is known as __________. a. impact b. likelihood *c. uncertainty d. tolerance
51. The probability that a specific vulnerability within an organization will be attacked by a
threat is known as __________. a. impact *b. likelihood c. uncertainty d. tolerance
52. The risk assessment deliverable titled __________ serves to rank-order each threat to the
organization’s information assets according to criteria developed by the organization. a. information asset value weighted table analysis b. risk ranking worksheet *c. threat severity weighted table analysis d. TVA controls worksheet
53. __________ is the risk assessment deliverable that assigns a value to each TVA
triple, incorporating likelihood, impact, and possibly a measure of uncertainty. a. information asset value weighted table analysis *b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet
54. __________ is the risk assessment deliverable that places each information asset into a
ranked list according to its value based on criteria developed by the organization. *a. information asset value weighted table analysis b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet
55. In the area of risk management, process communications is the necessary information flow
within and between all of the following EXCEPT: *a. the corporate change control officer b. the governance group c. the RM framework team d. the RM process team during implementation
56. Risk __________ is the process of discovering and assessing the risks to an organization’s
operations and determining how those risks can be mitigated. Correct Answer(s): a. management
57. Assessing risks includes determining the __________ that vulnerable systems will be
attacked by specific threats. Correct Answer(s): a. likelihood b. probability
58. Classification categories must be __________ and mutually exclusive. Correct Answer(s): a. comprehensive
59. As each information asset is identified, categorized, and classified, a __________ value
must also be assigned to it. Correct Answer(s): a. relative
60. As part of the risk identification process, listing the assets in order of importance can be
achieved by using a weighted __________ worksheet.
Correct Answer(s): a. factor analysis b. factor c. table analysis d. table
61. The evaluation and reaction to risk to the entire organization is known as __________. Correct Answer(s): a. enterprise risk management (ERM) b. enterprise risk management c. ERM
62. Risk __________ is an approach to combining risk identification, risk analysis, and
risk evaluation into a single strategy. Correct Answer(s): a. assessment
63. The document designed to regulate organizational efforts related to the identification,
assessment, and treatment of risk to information assets is known as the RM __________. Correct Answer(s): a. policy
64. The quantity and nature of risk that organizations are willing to accept as they evaluate the
trade-offs between perfect security and unlimited availability is known as risk __________. Correct Answer(s): a. appetite
65. The assessment of the amount of risk an organization is willing to accept for a particular
information asset is known as risk __________. Correct Answer(s): a. tolerance
66. The recognition, enumeration, and documentation of risks to an organization’s information
assets is known as risk __________. Correct Answer(s): a. identification
67. An evaluation of the threats to information assets, including a determination of their
likelihood of occurrence and potential impact of an attack, is known as threat __________.
Correct Answer(s): a. assessment
68. Matching (correct letter shown in brackets):
[d] 1. Occurs when a manufacturer performs an upgrade to a hardware component at the customer’s premises.
[j] 2. The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
[h] 3. The quantity and nature of risk that organizations are willing to accept.
[f] 4. Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
[i] 5. An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
[a] 6. Remains even after the current control has been applied.
[b] 7. The recognition, enumeration, and documentation of risks to an organization’s information assets.
[g] 8. An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.
[c] 9. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
[e] 10. Labels that must be comprehensive and mutually exclusive.
a. residual risk b. risk identification c. qualitative assessment d. field change order e. classification categories f. risk rating worksheet g. threat assessment h. risk appetite i. risk assessment j. risk management
69. Briefly describe any three standard categories of information assets and their respective risk management components. Correct Answer:
- The people asset is divided into internal personnel (employees) and external personnel (nonemployees). Insiders are further divided into those employees who hold trusted roles and therefore have correspondingly greater authority and accountability and those regular staff members who do not have any special privileges. Outsiders consist of other users who have access to the organization’s information assets, some trusted and some untrusted. - Procedures are assets because they are used to create value for the organization. They
are divided into (1) IT and business standard procedures and (2) IT and business-sensitive procedures. - The data asset includes information in all states: transmission, processing, and storage. This is an expanded use of the term “data,” which is usually associated with databases, not the full range of information used by modern organizations. - Software is divided into applications, operating systems, and security components. Software that provides security controls may fall into the operating systems or applications category, but is differentiated by the fact that it is part of the InfoSec control environment and must therefore be protected more thoroughly than other systems components. - Hardware is divided into (1) the usual systems devices and their peripherals and (2) the devices that are part of InfoSec control systems. The latter must be protected more thoroughly than the former. - Networking components include networking devices (such as firewalls, routers, and switches) and the systems software within them, which is often the focal point of attacks. Successful attacks can continue against systems connected to the networks.
70. For the purposes of relative risk assessment, how is risk calculated? Correct Answer:
Risk equals the likelihood of the vulnerability occurring multiplied by the asset's value (or impact), minus the percentage of that product already mitigated by current controls, plus a percentage of it added for the uncertainty of current knowledge of the vulnerability.
71. What does it mean to "know the enemy" with respect to risk management? Correct Answer:
Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu’s second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization’s information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets.
72. What strategic role do the InfoSec and IT communities play in risk management? Explain. Correct Answer:
InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk.
IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.
73. What are the included tasks in the identification of risks? Correct Answer:
- Creating an inventory of information assets
- Classifying and organizing those assets meaningfully
- Assigning a value to each information asset
- Identifying threats to the cataloged assets
- Pinpointing vulnerable assets by tying specific threats to specific assets
74. Describe the use of an IP address when deciding which attributes to track for each information asset. Correct Answer:
This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.
75. How should the initial inventory be used when classifying and categorizing assets? Correct Answer:
The inventory should reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs.
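The DHCP problem described in question 74 is easier to see with data than with prose. The following is an added example (not part of the original answer key) that runs a small, constructed set of lease records through two inventories: one keyed by IP address and one keyed by the interface's MAC address. The lease tuples, MACs, hostnames and the simple (start, mac, ip, hostname) record shape are all assumptions made for the illustration; they are not a real DHCP server's log format.

```python
"""Asset identification under DHCP: why an IP address is a poor inventory key.

Constructed lease records (assumed shape, not a real DHCP server's log format):
each entry is (lease_start, mac, ip, hostname). The same laptop receives a
different address on a later lease, and its old address is handed to another device.
"""
from collections import defaultdict

LEASES = [
    ("2024-03-01T08:00", "aa:bb:cc:00:00:01", "10.0.0.5", "laptop-amy"),
    ("2024-03-01T08:05", "aa:bb:cc:00:00:02", "10.0.0.6", "printer-3f"),
    ("2024-03-02T09:10", "aa:bb:cc:00:00:01", "10.0.0.9", "laptop-amy"),
    ("2024-03-02T09:30", "aa:bb:cc:00:00:03", "10.0.0.5", "contractor-vm"),
]


def inventory_by_ip(leases):
    """Naive inventory keyed by IP: ip -> set of MACs ever seen at that address."""
    seen = defaultdict(set)
    for _, mac, ip, _ in leases:
        seen[ip].add(mac)
    return dict(seen)


def ambiguous_ips(leases):
    """IP addresses that identified more than one device over the lease history."""
    return {ip: macs for ip, macs in inventory_by_ip(leases).items() if len(macs) > 1}


def inventory_by_mac(leases):
    """Inventory keyed by the interface's MAC: mac -> {hostnames, ip_history}.

    ip_history is the sequence of addresses the device held, in lease order,
    so the same physical asset stays one record even as its IP changes."""
    inv = {}
    for _, mac, ip, host in sorted(leases):
        entry = inv.setdefault(mac, {"hostnames": set(), "ip_history": []})
        entry["hostnames"].add(host)
        if not entry["ip_history"] or entry["ip_history"][-1] != ip:
            entry["ip_history"].append(ip)
    return inv


def stale_ip_records(inventory_snapshot, leases):
    """Given an older inventory that stored ip -> mac, return the entries whose IP
    now belongs to a different MAC according to the newest lease for that IP."""
    latest = {}
    for _, mac, ip, _ in sorted(leases):
        latest[ip] = mac  # the most recent lease for an address wins
    return {ip: (mac, latest.get(ip))
            for ip, mac in inventory_snapshot.items()
            if latest.get(ip) != mac}


if __name__ == "__main__":
    print("IPs that pointed at more than one device:", ambiguous_ips(LEASES))
    for mac, entry in inventory_by_mac(LEASES).items():
        print(mac, sorted(entry["hostnames"]), entry["ip_history"])
    day_one = {"10.0.0.5": "aa:bb:cc:00:00:01", "10.0.0.6": "aa:bb:cc:00:00:02"}
    print("Stale IP-keyed records:", stale_ip_records(day_one, LEASES))
```

Keying on the MAC keeps one record per interface across address changes, but, as question 3 notes, a MAC is not foolproof: it can be spoofed, and modern clients randomize it. Treat the MAC and IP as attributes of an asset record anchored on the serial number and manufacturer's model or part number (questions 33 and 34), not as the identity itself.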
76. Why is threat identification so important in the process of risk management? Correct Answer:
Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.
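The relative risk formula in question 70, the weighted table analysis of question 54 and the risk ranking worksheet of question 53 are easier to apply once seen end to end. The following is an added worked example, not code from the original answer key or the textbook it accompanies: it values three constructed assets with a weighted factor analysis, then rates each constructed threat-vulnerability-asset (TVA) triple with the formula and sorts the result into a ranking worksheet. The criteria, their weights (assumed to sum to 100), the 0.1 to 1.0 scoring scale, and every asset, vulnerability and estimate below are illustrative assumptions.

```python
"""Relative risk rating worksheet: weighted factor analysis for asset value, then
risk = (likelihood x value) - (that product x % already controlled)
                            + (that product x uncertainty)
for each threat-vulnerability-asset (TVA) triple.

Constructed example data throughout; criteria, weights, assets, vulnerabilities
and estimates are illustrative assumptions, not figures from any real organization.
"""
import math
from dataclasses import dataclass

# Assumed criteria and weights for the weighted table analysis (weights sum to 100).
CRITERIA_WEIGHTS = {
    "impact_to_revenue": 30,
    "impact_to_profitability": 40,
    "impact_to_public_image": 30,
}

# Constructed asset scores, one score in [0.1, 1.0] per criterion.
ASSETS = {
    "Customer order DB": {"impact_to_revenue": 0.8, "impact_to_profitability": 0.9, "impact_to_public_image": 0.5},
    "Public web server": {"impact_to_revenue": 0.6, "impact_to_profitability": 0.5, "impact_to_public_image": 1.0},
    "Internal wiki":     {"impact_to_revenue": 0.2, "impact_to_profitability": 0.3, "impact_to_public_image": 0.4},
}


@dataclass(frozen=True)
class TVA:
    """One asset-vulnerability pair with the analyst's estimates for the formula."""
    asset: str
    vulnerability: str
    likelihood: float      # probability the vulnerability is exploited, 0.1-1.0
    pct_controlled: float  # fraction of the risk current controls already mitigate
    uncertainty: float     # fraction added for imperfect knowledge of the vulnerability


# Constructed TVA triples.
TVA_TRIPLES = [
    TVA("Customer order DB", "SQL injection in order form", 0.5, 0.5, 0.2),
    TVA("Customer order DB", "Unpatched database service", 1.0, 0.0, 0.1),
    TVA("Public web server", "Resource exhaustion (DoS)", 0.1, 0.0, 0.1),
    TVA("Internal wiki", "Default admin password", 0.9, 0.8, 0.1),
]


def weighted_asset_value(scores, weights=CRITERIA_WEIGHTS):
    """Information asset value = sum(weight * score) over the criteria, on a 0-100 scale."""
    if not math.isclose(sum(weights.values()), 100):
        raise ValueError("criteria weights must sum to 100")
    if set(scores) != set(weights):
        raise ValueError("asset must be scored on exactly the weighted criteria")
    if any(not 0.0 <= s <= 1.0 for s in scores.values()):
        raise ValueError("scores must be fractions in [0.0, 1.0]")
    return sum(weights[c] * scores[c] for c in weights)


def risk_rating(asset_value, likelihood, pct_controlled, uncertainty):
    """Apply the relative risk formula to one TVA triple."""
    for name, v in (("likelihood", likelihood), ("pct_controlled", pct_controlled),
                    ("uncertainty", uncertainty)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be a fraction in [0.0, 1.0]")
    base = likelihood * asset_value
    return base - base * pct_controlled + base * uncertainty


def risk_ranking_worksheet(tva_triples=TVA_TRIPLES, assets=ASSETS, weights=CRITERIA_WEIGHTS):
    """Return (asset, vulnerability, asset_value, rating) rows, highest rating first."""
    values = {name: weighted_asset_value(scores, weights) for name, scores in assets.items()}
    rows = [(t.asset, t.vulnerability, values[t.asset],
             risk_rating(values[t.asset], t.likelihood, t.pct_controlled, t.uncertainty))
            for t in tva_triples]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for asset, vuln, value, rating in risk_ranking_worksheet():
        print(f"{rating:6.2f}  {asset:<18} value={value:5.1f}  {vuln}")
```

Note how the ranking differs from the asset values alone: the wiki's default password (a low-value asset, but a highly likely and only partly controlled weakness) outranks the web server's DoS exposure, which is why the worksheet rates TVA triples rather than assets. Changing the uncertainty term is a quick way to see how much of a rating is estimate rather than evidence (question 46).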
CHAPTER 7
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. *a. True b. False
2. The defense risk treatment strategy may be accomplished by outsourcing to other organizations. a. True *b. False
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. *a. True b. False
4. Unlike many other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. *a. True b. False
5. The ISO 27005 Standard for InfoSec Risk Management has a five-stage management methodology that includes risk treatment and risk communication. *a. True b. False
6. The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk treatment strategy, also known as the avoidance strategy. __________ a. True *b. False
7. The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk treatment strategy. __________
a. True *b. False
8. The risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk treatment strategy. __________ *a. True b. False
9. The risk treatment strategy that indicates the organization is willing to accept the current level of risk and do nothing further to protect an information asset is known as the termination risk treatment strategy. ____________ a. True *b. False
10. The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk treatment strategy. ____________ *a. True b. False
11. In a cost-benefit analysis, the expected frequency of an attack expressed on a per-year basis is known as the annualized risk of likelihood. __________ a. True *b. False
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). __________ *a. True b. False
13. An examination of how well a particular solution is supportable given the organization’s current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility. __________ a. True *b. False
14. A progression is a measurement of current performance against which future performance will be compared. __________
a. True *b. False
15. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. __________ *a. True b. False
16. Because even the implementation of new technologies does not necessarily guarantee an
organization can gain or maintain a competitive lead, the concept of __________ has emerged as organizations strive not to fall behind technologically. *a. competitive disadvantage b. future shock c. competitive advantage d. innovation hedge
17. Treating risk begins with which of the following? *a. an understanding of risk treatment strategies b. applying controls and safeguards that eliminate risk c. understanding the consequences of choosing to ignore certain risks d. rethinking how services are offered
18. Application of training and education among other approach elements is a common method
of which risk treatment strategy? a. mitigation *b. defense c. acceptance d. transferal
19. Each of the following is a recommendation from the FDIC when creating a successful SLA
EXCEPT: a. determining objectives *b. forecasting costs c. defining requirements
d. setting measurements
20. Which of the following risk treatment strategies describes an organization’s attempt to shift
risk to other assets, other processes, or other organizations? a. acceptance b. avoidance *c. transference d. mitigation
21. Which of the following risk treatment strategies describes an organization’s efforts to
reduce damage caused by a realized incident or disaster? a. acceptance b. avoidance c. transference *d. mitigation
22. Strategies to reestablish operations at the primary site after an adverse event threatens
continuity of business operations are covered by which of the following plans in the mitigation control approach? a. incident response plan b. business continuity plan *c. disaster recovery plan d. damage control plan
23. The only use of the acceptance strategy that is recognized as valid by industry
practices occurs when the organization has done all but which of the following? a. determined the level of risk posed to the information asset b. performed a thorough cost-benefit analysis *c. determined that the costs to control the risk to an information asset are much lower
than the benefit gained from the information asset d. assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
24. Which of the following can be described as the quantity and nature of risk that organizations
are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. residual risk *b. risk appetite c. risk assurance
d. risk termination
25. The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual
risk in line with an organization’s risk appetite. a. de minimis *b. zero c. its theoretical minimum d. below the cost-benefit break-even point
26. All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT:
a. When a vulnerability exists in an important asset, implement security controls to
reduce the likelihood of a vulnerability being exploited. *b. When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else’s responsibility. c. When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. d. When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
27. Which of the following is NOT a valid rule of thumb on risk treatment strategy selection? a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. *c. When the attacker’s potential gain is less than the costs of attack: Apply protections to decrease the attacker’s cost or reduce the attacker’s gain by using technical or operational controls. d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
28. Once a control strategy has been selected and implemented, what should be done on an
ongoing basis to determine its effectiveness and to estimate the remaining risk? a. analysis and adjustment b. review and reapplication *c. monitoring and measurement d. evaluation and funding
29. When vulnerabilities have been controlled to the degree possible, what is the remaining risk
that has not been completely removed, shifted, or planned for? *a. residual risk b. risk appetite c. risk assurance d. risk tolerance
30. The financial savings from using the defense risk treatment strategy to implement a control
and eliminate the financial ramifications of an incident is known as __________. a. probability estimate *b. cost avoidance c. risk acceptance premium d. asset valuation
31. Also known as an economic feasibility study, the formal assessment and presentation of the
economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as __________. a. annualized loss expectancy (ALE) *b. cost-benefit analysis (CBA) c. single loss expectancy (SLE) d. annualized rate of occurrence (ARO)
32. The process of assigning financial value or worth to each information asset is known as
__________. a. probability estimate b. cost estimation c. risk acceptance premium *d. asset valuation
33. Which of the following affects the cost of a control? a. liability insurance b. CBA report c. asset resale *d. maintenance
34. Each of the following is an item that affects the cost of a particular risk treatment strategy
EXCEPT:
a. cost of maintenance (labor expense to verify and continually test, maintain, train, and
update) b. cost of development or acquisition (hardware, software, and services) c. cost of implementation (installing, configuring, and testing hardware, software, and services) *d. cost of IT operations (keeping systems operational during the period of treatment strategy development)
35. By multiplying the asset value by the exposure factor, you can calculate which of the
following? a. annualized cost of the safeguard *b. single loss expectancy c. value to adversaries d. annualized loss expectancy
36. Each of the following is a commonly used quantitative approach for asset valuation
EXCEPT: a. value to owners *b. value to competitors c. value retained from past maintenance d. value to adversaries
37. What is the result of subtracting the postcontrol annualized loss expectancy and the
annualized cost of the safeguard from the precontrol annualized loss expectancy? *a. cost-benefit analysis b. exposure factor c. single loss expectancy d. annualized rate of occurrence
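Questions 11, 30, 31, 35 and 37 define the quantities of a cost-benefit analysis (ARO, cost avoidance, CBA, SLE, and the CBA formula) but never carry one through. The following is an added worked example, not code from the original answer key or its textbook: it computes SLE = AV x EF, ALE = SLE x ARO and CBA = ALE(prior) - ALE(post) - ACS for one asset-threat pair and ranks three candidate treatments. The asset value, exposure factors, attack rates, control costs and the way ACS is annualized (acquisition cost spread over an assumed useful life plus yearly operating cost) are all constructed assumptions.

```python
"""Cost-benefit analysis (CBA) of InfoSec controls:
SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(prior) - ALE(post) - ACS.

Every dollar figure, exposure factor and attack rate below is constructed for
illustration; none is data from a real organization or vendor.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: expected loss from one occurrence; EF is the fraction of asset value lost."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0.0, 1.0]")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(expected_events, per_years):
    """ARO: expected attack frequency per year (one event every 10 years -> 0.1)."""
    if per_years <= 0 or expected_events < 0:
        raise ValueError("need a positive period and a non-negative event count")
    return expected_events / per_years


def annualized_loss_expectancy(sle, aro):
    """ALE: the yearly loss the organization should expect from this threat."""
    return sle * aro


def annualized_cost_of_safeguard(acquisition_cost, useful_life_years, annual_operating_cost):
    """ACS (assumed method): one-time cost spread over the control's life plus yearly upkeep."""
    if useful_life_years <= 0:
        raise ValueError("useful life must be positive")
    return acquisition_cost / useful_life_years + annual_operating_cost


def cost_benefit(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS; a positive result means the control pays for itself."""
    return ale_prior - ale_post - acs


@dataclass(frozen=True)
class ControlOption:
    """A candidate treatment and the analyst's estimate of its effect on EF and ARO."""
    name: str
    exposure_factor_after: float
    aro_after: float
    acquisition_cost: float
    useful_life_years: float
    annual_operating_cost: float


def evaluate_controls(asset_value, ef_prior, aro_prior, options):
    """Rank candidate controls for one asset-threat pair by CBA, best first.

    Returns (name, ALE prior, ALE post, ACS, CBA) rows."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_prior), aro_prior)
    rows = []
    for opt in options:
        sle_post = single_loss_expectancy(asset_value, opt.exposure_factor_after)
        ale_post = annualized_loss_expectancy(sle_post, opt.aro_after)
        acs = annualized_cost_of_safeguard(opt.acquisition_cost, opt.useful_life_years,
                                           opt.annual_operating_cost)
        rows.append((opt.name, ale_prior, ale_post, acs, cost_benefit(ale_prior, ale_post, acs)))
    return sorted(rows, key=lambda r: r[4], reverse=True)


# Constructed scenario: a public order-entry web application.
ASSET_VALUE = 100_000.0
EF_PRIOR = 0.6                                   # a compromise destroys 60% of the asset's value
ARO_PRIOR = annualized_rate_of_occurrence(1, 2)  # one successful attack every two years

OPTIONS = [
    ControlOption("Web application firewall", 0.2, 0.25, 15_000, 5, 7_000),
    ControlOption("Managed security service", 0.1, 0.2, 0, 1, 30_000),
    ControlOption("Do nothing (accept)", EF_PRIOR, ARO_PRIOR, 0, 1, 0),
]

if __name__ == "__main__":
    for name, prior, post, acs, cba in evaluate_controls(ASSET_VALUE, EF_PRIOR, ARO_PRIOR, OPTIONS):
        verdict = "justified" if cba > 0 else "not justified"
        print(f"{name:<26} ALE prior={prior:8.0f} ALE post={post:8.0f} ACS={acs:8.0f} CBA={cba:8.0f} ({verdict})")
```

In this scenario the firewall clears the CBA test (ALE falls from 30,000 to 5,000 for 10,000 a year), the managed service does not (its annual cost exceeds the loss it avoids), and accepting the risk scores exactly zero, which is the baseline every control must beat. The difference ALE(prior) - ALE(post) is the cost avoidance of question 30; CBA is that figure net of what the control itself costs.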
38. Which of the following determines how well a proposed treatment will address user
acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders? a. behavioral feasibility b. political feasibility c. technical feasibility *d. operational feasibility
39. Which of the following determines acceptable practices based on consensus and
relationships among the communities of interest?
a. organizational feasibility *b. political feasibility c. technical feasibility d. operational feasibility
40. Which of the following determines whether the organization already has or can acquire the
technology necessary to implement and support the proposed treatment? a. organizational feasibility b. political feasibility *c. technical feasibility d. operational feasibility
41. Which of the following determines how well the proposed InfoSec treatment alternatives
will contribute to the efficiency, effectiveness, and overall operation of an organization? *a. organizational feasibility b. political feasibility c. technical feasibility d. behavioral feasibility
42. Which of the following is NOT an alternative to using CBA to justify risk controls? a. benchmarking b. due care and due diligence *c. selective risk avoidance d. the gold standard
43. In which technique does a group rate or rank a set of information, compile the results, and
repeat until everyone is satisfied with the result? a. OCTAVE b. FAIR c. hybrid measures *d. Delphi
44. Which alternative risk management methodology is a process promoted by the Computer
Emergency Response Team (CERT) Coordination Center (www.cert.org) that has three variations for different organizational needs, including one known as ALLEGRO? *a. OCTAVE b. FAIR c. ANDANTE
d. DOLCE
45. The Microsoft Risk Management Approach includes four phases; which of the following is
NOT one of them? a. conducting decision support b. implementing controls *c. evaluating alternative strategies d. measuring program effectiveness
46. Which of the following is not a step in the FAIR risk management framework? a. identify scenario components b. evaluate loss event frequency *c. assess control impact d. derive and articulate risk
47. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? *a. qualitative assessment of many risk components b. quantitative valuation of safeguards c. subjective prioritization of controls d. risk analysis estimates
48. The ISO 27005 Standard for Information Security Risk Management includes all but which of the following stages? a. risk assessment b. risk treatment c. risk communication *d. risk determination
49. Which international standard provides a structured methodology for evaluating threats to economic performance in an organization and was developed using the Australian/New Zealand standard AS/NZS 4360:2004 as a foundation? a. ISO 27001 b. ISO 27005 c. NIST SP 800-39 *d. ISO 31000
50. The NIST risk management approach includes all but which of the following elements? *a. inform b. assess c. frame d. respond
51. NIST’s Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as __________. *a. governance b. information and information flows c. policy d. environment of operation
52. Which of the following is NOT one of the methods noted for selecting the best risk management model? *a. Use the methodology most similar to what is currently in use. b. Study known approaches and adapt one to the specifics of the organization. c. Hire a consulting firm to provide a proprietary model. d. Hire a consulting firm to develop a proprietary model.
53. To keep up with the competition, organizations must design and create a __________ environment in which business processes and procedures can function and evolve effectively. Correct Answer(s): a. secure
54. The __________ risk treatment strategy attempts to shift the risk to other assets, processes, or organizations. Correct Answer(s): a. transference b. transfer
55. The risk treatment strategy that seeks to reduce the impact of a successful attack through the use of IR, DR, and BC plans is __________. Correct Answer(s): a. mitigation b. mitigate
56. The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization’s risk __________. Correct Answer(s): a. appetite
57. When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being __________. Correct Answer(s): a. exploited
58. __________ is the financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident. Correct Answer(s): a. Cost avoidance
59. The approach known as the avoidance strategy is more properly known as the __________ risk treatment strategy. Correct Answer(s): a. defense
60. The __________ risk treatment strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of a successful attack on an information asset. Correct Answer(s): a. defense
61. The __________ risk treatment strategy indicates the organization is willing to accept the current level of residual risk. Correct Answer(s): a. acceptance
62. The __________ risk treatment strategy eliminates all risk associated with an information asset by removing it from service. Correct Answer(s): a. termination
63. In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact) is known as __________. It is the product of the asset’s value and the exposure factor. Correct Answer(s): a. single loss expectancy (SLE) b. single loss expectancy c. SLE
64. As part of the CBA, __________ is the value to the organization of using controls to prevent losses associated with a specific vulnerability. Correct Answer(s): a. benefit
65. An examination of how well a particular solution is supportable given the organization’s current technological infrastructure and resources is known as __________. Correct Answer(s): a. technical feasibility
66. [h] 1. The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization. [a] 2. A risk treatment strategy that indicates the organization is willing to accept the current level of risk, is making a conscious decision to do nothing to protect an information asset from risk, and accepts the outcome from any resulting exploitation. [i] 3. A risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. [f] 4. A process of assigning financial value or worth to each information asset. [d] 5. The quantity and nature of risk that organizations are willing to accept. [g] 6. An examination of how well a particular solution fits within the organization’s strategic planning objectives and goals. [b] 7. A risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation. [e] 8. The calculated value associated with the most likely loss from a single attack. [j] 9. The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident. [c] 10. A risk treatment strategy that eliminates all risk associated with an information asset by removing it from service. a. acceptance risk treatment strategy b. mitigation risk treatment strategy c. termination risk treatment strategy d. risk appetite e. single loss expectancy f. asset valuation g. organizational feasibility h. cost-benefit analysis i. defense risk treatment strategy j. cost avoidance
67. Briefly describe the five basic strategies to control risk that result from vulnerabilities. Correct Answer:
Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
Transference—Shifting risks to other areas or to outside entities
Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability
Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control
Termination—Removing or discontinuing the information asset from the organization’s operating environment
68. Explain two practical guidelines to follow in risk treatment strategy selection. Correct Answer:
- When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
- When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
- When the attacker’s potential gain is greater than the costs of attack: Apply protections to increase the attacker’s cost or reduce the attacker’s gain by using technical or managerial controls.
- When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
69. Once an organization has estimated the worth of various assets, what three questions must be asked to calculate the potential loss from the successful exploitation of a vulnerability?
Correct Answer:
What damage could occur, and what financial impact would it have? What would it cost to recover from the attack, in addition to the financial impact of damage? What is the single loss expectancy for each risk?
70. What does the result of a CBA determine? What is the formula for the CBA?
Correct Answer:
The CBA determines whether the benefit from a control alternative is worth the associated cost of implementing and maintaining the control. The formula for calculating the CBA is:
CBA = ALE (precontrol) - ALE (postcontrol) - ACS
where
ALE (precontrol) = ALE of the risk before the implementation of the control
ALE (postcontrol) = ALE examined after the control has been in place for a period of time
ACS = annual cost of the safeguard
71. Describe operational feasibility. Correct Answer:
Operational feasibility refers to user acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders. Operational feasibility is also known as behavioral feasibility. An important aspect of systems development is obtaining user buy-in on projects. If the users do not accept a new technology, policy, or program, it will inevitably fail.
72. Discuss three alternatives to feasibility analysis. Correct Answer:
- Benchmarking is the process of seeking out and studying the practices used in other organizations that produce the results you desire in your organization. When benchmarking, an organization typically uses either metrics-based or process-based measures.
- Due care and due diligence occur when an organization adopts a certain minimum level of security equal to what any prudent organization would do in similar circumstances.
- Best business practices are those thought to be among the best in the industry, balancing the need to access information with adequate protection.
- The gold standard is for ambitious organizations in which the best business practices are not sufficient. These organizations aspire to set the standard for their industry, and are thus said to be in pursuit of the gold standard.
- Government recommendations and best practices are useful for organizations that operate in industries regulated by governmental agencies. Government recommendations, which are, in effect, requirements, can also serve as excellent sources for information about what some organizations may be doing or are required to do to control information security risks.
- A baseline is derived by comparing measured actual performance against established standards for the measured category.
73. Describe the use of hybrid assessment to create a quantitative assessment of asset value. Correct Answer:
The hybrid assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures. Hybrid assessment uses scales rather than specific estimates. For example, a scale might range from 0, representing no chance of occurrence, to 10, representing almost certain occurrence.
74. What is the OCTAVE Method approach to risk management? Correct Answer:
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls. This process can enable an organization to measure itself against known or accepted good security practices and then establish an organization-wide protection strategy and InfoSec risk mitigation plan.
75. What are the four phases of the Microsoft risk management strategy? Correct Answer:
1. Assessing risk
2. Conducting decision support
3. Implementing controls
4. Measuring program effectiveness
76. What are the four stages of a basic FAIR analysis? Correct Answer:
Stage 1—Identify Scenario Components
Stage 2—Evaluate Loss Event Frequency (LEF)
Stage 3—Evaluate Probable Loss Magnitude (PLM)
Stage 4—Derive and Articulate Risk
CHAPTER 8
1. In information security, a security blueprint is a framework or security model customized to an organization, including implementation details. *a. True b. False
2. The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. a. True *b. False
3. Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. a. True *b. False
4. Lattice-based access control specifies the level of access each subject has to each object, if any. *a. True b. False
5. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors. a. True *b. False
6. The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks is known as minimal access. a. True *b. False
7. In information security, a framework or security model customized to an organization, including implementation details, is known as a template. __________ a. True *b. False
8. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. __________ a. True *b. False
9. The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. __________ a. True *b. False
10. The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. __________ a. True *b. False
11. A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. __________ a. True *b. False
12. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as required privilege. __________ a. True *b. False
13. The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks is known as need-to-know. __________ *a. True b. False
14. In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). __________ a. True *b. False
15. A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. __________ *a. True b. False
16. Dumpster exploitation is an information attack that involves searching through a target organization’s trash and recycling bins for sensitive information. __________ a. True *b. False
17. In information security, a framework or security model customized to an organization, including implementation details, is a _________. a. security standard b. methodology c. security policy *d. blueprint
18. Which of the following is a generic model for a security program? *a. framework b. methodology c. security standard d. blueprint
19. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________. *a. framework b. security plan c. security standard d. blueprint
20. Which of the following is the original purpose of ISO/IEC 17799? a. Use within an organization to obtain a competitive advantage b. Implementation of business-enabling information security c. Use within an organization to ensure compliance with laws and regulations *d. To offer guidance for the management of InfoSec to individuals responsible for their organization’s security programs
21. When the ISO 27002 standard was first proposed, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them? a. It was not as complete as other frameworks. b. The standard lacked the measurement precision associated with a technical standard. c. The standard was hurriedly prepared. *d. It was feared it would lead to government intrusion into business matters.
22. One of the most widely referenced InfoSec management models, known as Information Technology—Code of Practice for Information Security Management, is also known as __________. *a. ISO 27002 b. IEC 27100 c. NIST SP 800-12 d. IEEE 801
23. The managerial tutorial equivalent of NIST SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a security program, is NIST __________. *a. SP 800-100: Information Security Handbook: A Guide for Managers (2007) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) c. SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) d. SP 800-110, Rev. 1: Manager's Introduction to Information Security (2016)
24. Which NIST publication describes the philosophical guidelines that the security team should integrate into the entire InfoSec process, beginning with “Security supports the mission of the organization”? a. SP 800-12, Rev. 1: An Introduction to Information Security (2017) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) *c. SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) d. SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008)
25. This NIST publication provides information on the elements of InfoSec, key roles and responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its use, among other topics needed for a foundation in InfoSec. *a. SP 800-12, Rev. 1: An Introduction to Information Security (2017) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) c. SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems (2010) d. SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008)
26. Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? *a. COBIT b. COSO c. NIST d. ISO
27. Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs. *a. governance b. policy c. auditing d. awareness
28. The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. control environment b. risk assessment c. control activities *d. InfoSec governance
29. The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________. *a. managing the development and operation of IT infrastructures b. operation of IT control systems to improve security c. managing the security infrastructure d. developing secure Web applications
30. The Information Security __________ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization. *a. Governance Framework b. Security Blueprint c. Risk Model d. Compliance Architecture
31. Which piece of the Trusted Computing Base's security system manages access controls? a. trusted computing base *b. reference monitor c. covert channel d. verification module
32. Which security architecture model is part of a larger series of standards collectively referred to as the “Rainbow Series”? a. Bell-LaPadula *b. TCSEC c. ITSEC d. Common Criteria
33. Under the Common Criteria, which term describes the user-generated specifications for security requirements? a. Target of Evaluation (ToE) *b. Protection Profile (PP) c. Security Target (ST) d. Security Functional Requirements (SFRs)
34. Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary? a. need-to-know b. eyes only *c. least privilege d. separation of duties
35. What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them? a. need-to-know b. eyes only c. least privilege *d. separation of duties
36. Which access control principle limits a user’s access to the specific information required to perform the currently assigned task? *a. need-to-know b. eyes only c. least privilege d. separation of duties
37. Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? a. preventative b. deterrent *c. corrective d. compensating
38. Which of the following is NOT a category of access control? a. preventative *b. mitigating c. deterrent d. compensating
39. Which control category discourages an incipient incident—e.g., video monitoring? a. preventative *b. deterrent c. remitting d. compensating
40. An information attack that involves searching through a target organization’s trash and recycling bins for sensitive information is known as __________. a. rubbish surfing b. social engineering *c. dumpster diving d. trash trolling
41. Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret *d. for official use only
42. Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle? a. discretionary access controls b. task-based access controls *c. security clearances d. sensitivity levels
43. Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? *a. access control list b. capabilities table c. access matrix d. sensitivity level
44. Which type of access controls can be role-based or task-based? a. constrained b. content-dependent *c. nondiscretionary d. discretionary
45. In which form of access control is access to a specific set of information contingent on its subject matter? *a. content-dependent access controls b. constrained user interfaces c. temporal isolation d. none of these
46. An ATM that limits what kinds of transactions a user can perform is an example of which type of access control? a. content-dependent *b. constrained user interface c. temporal isolation d. nondiscretionary
47. A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface *c. temporal isolation d. nondiscretionary
48. Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? a. Clark-Wilson b. Bell-LaPadula c. Common Criteria *d. Biba
49. Which of the following is NOT a change control principle of the Clark-Wilson model? a. no changes by unauthorized subjects b. no unauthorized changes by authorized subjects *c. no changes by authorized subjects without external validation d. the maintenance of internal and external consistency
50. In information security, a framework or security model customized to an organization, including implementation details, is known as a(n) __________. Correct Answer(s): a. blueprint
51. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a(n) __________. Correct Answer(s): a. framework
52. To design a security program, an organization can use a(n) __________, which is a generic outline of the more thorough and organization-specific blueprint. Correct Answer(s): a. security model b. framework
53. In the COSO framework, __________ activities include those policies and procedures that support management directives. Correct Answer(s): a. control
54. ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) __________. Correct Answer(s): a. information security management system b. ISMS
55. __________ channels are unauthorized or unintended methods of communications hidden inside a computer system, including storage and timing channels. Correct Answer(s): a. Covert
56. __________ channels are TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography. Correct Answer(s): a. Storage
57. Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects—is known as a __________. Correct Answer(s): a. reference monitor
58. Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy is known as the __________. Correct Answer(s): a. trusted computing base (TCB) b. TCB c. trusted computing base
59. The __________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance. Correct Answer(s): a. need to know b. need-to-know
60. The selective method by which systems specify who may use a particular resource and how they may use it is called __________. Correct Answer(s): a. access control
61. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is called __________. Correct Answer(s): a. least privilege
62. [e] 1. Controls access to a specific set of information based on its content. [a] 2. A TCSEC-defined covert channel, which transmits information by managing the relative timing of events. [j] 3. Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme. [g] 4. A framework or security model customized to an organization, including implementation details. [h] 5. A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user. [f] 6. Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy. [c] 7. Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion. [b] 8. Controls implemented at the discretion or option of the data user. [d] 9. One of the TCSEC’s covert channels, which communicate by modifying a stored object. [i] 10. Access is granted based on a set of rules specified by the central authority. a. timing channel b. DAC c. separation of duties d. storage channel e. content-dependent access controls f. TCB g. blueprint h. task-based controls i. rule-based access controls j. sensitivity levels
63. What are the five principles that are focused on the governance and management of IT, as specified by COBIT 5? Correct Answer:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
64. Access controls are built on three key principles. List and briefly define them.
Correct Answer:
Least privilege: The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. Need-to-know: Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function.
Separation of duties: A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion.
65. According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in what three categories? Correct Answer:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
66. There are seven access control methodologies categorized by their inherent characteristics. List and briefly define them.
Correct Answer:
• Directive—Employs administrative controls, such as policy and training, designed to proscribe certain user behavior in the organization
• Deterrent—Discourages or deters an incipient incident; an example would be signs that indicate video monitoring
• Preventative—Helps an organization avoid an incident; an example would be the requirement for strong authentication in access controls
• Detective—Detects or identifies an incident or threat when it occurs; for example, anti-malware software
• Corrective—Remedies a circumstance or mitigates damage done during an incident; for example, changes to a firewall to block the recurrence of a diagnosed attack
• Recovery—Restores operating conditions back to normal; for example, data backup and recovery software
• Compensating—Resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks
67. One approach used to categorize access control methodologies is based on the controls' operational impact on the organization. What are these categories, as described by NIST? Correct Answer:
Management
Operational (or administrative)
Technical
68. What is the data classification for information deemed to be National Security Information for the U.S. military, as specified in 2009 by Executive Order 13526? Correct Answer:
The U.S. military uses a three-level classification scheme for information deemed to be National Security Information (NSI), as defined in Executive Order 13526 in 2009. Here are the classifications along with descriptions from the document: 1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe. 2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe. 3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.
69. When copies of classified information are no longer valuable or too many copies exist, what steps should be taken to destroy them properly? Why? Correct Answer:
When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly, usually after double signature verification. Documents should be destroyed by means of shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure that no classified information is inappropriately disposed of in trash or recycling areas. Otherwise, people who engage in dumpster diving, the retrieval of information from refuse or recycling bins, may compromise the security of the organization’s information assets.
70. Lattice-based access controls use a two-dimensional matrix to assign authorizations. What are the two dimensions and what are they called? Correct Answer:
Lattice-based access control specifies the level of access each subject has to each object, if any. With this type of control, the column of attributes associated with a particular object (such as a printer) is referred to as an access control list (ACL). The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table.
71. Under what circumstances should access controls be centralized as opposed to decentralized? Correct Answer:
One area of discussion among practitioners is whether access controls should be centralized or decentralized. A collection of users with access to the same data typically has a centralized access control authority, even under a DAC model. The level of centralization appropriate to a given situation varies by organization and the type of information protected. The less critical the protected information, the more controls tend to be decentralized. When critical information assets are being protected, the use of a highly centralized access control toolset is indicated.
72. What are the two primary access modes of the Bell-LaPadula model and what do they restrict? Correct Answer:
BLP access modes can be one of two types: simple security and the * (star) property. Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (no read up).
The * property (the write property), on the other hand, prohibits a high-level subject from sending messages to a lower-level object. In short, subjects can read down and objects can write or append up (no write down).
CHAPTER 9
1. Temporary workers—often called temps—may not be subject to the contractual obligations or general policies that govern other employees. *a. True b. False
2. Using a practice called baselining, you are able to compare your organization’s efforts to those of other organizations you feel are similar in size, structure, or industry. a. True *b. False
3. A company striving for “best security practices” makes every effort to establish security program elements that meet every minimum standard in their industry. a. True *b. False
4. One question you should ask when choosing among recommended practices is “Can your organization afford to implement the recommended practice?” *a. True b. False
5. Performance measurements are seldom required in today’s regulated InfoSec environment. a. True *b. False
6. ISO 27001 certification is only available to companies that do business internationally. a. True *b. False
7. One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. __________ *a. True b. False
8. The biggest barrier to baselining in InfoSec is the fact that many organizations do not share information about their attacks with other organizations. __________ a. True *b. False
9. Collusion is the requirement that every employee be able to perform the work of at least one other employee. __________ a. True *b. False
10. Standardization is an attempt to improve information security practices by comparing an organization’s efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. __________ a. True *b. False
11. Two-person control is the requirement that all critical tasks can be performed by multiple individuals. _________ a. True *b. False
12. Recommended or best practices are those security efforts that seek to provide a superior level of performance in the protection of information. __________ *a. True b. False
13. A security metric is an assessment of the performance of some action or process against which future performance is assessed. __________ a. True *b. False
14. A standard of due process is a legal standard that requires an organization and its employees to act as a “reasonable and prudent” individual or organization would under similar circumstances. __________ a. True *b. False
15. Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization are known as progress measurements. __________ a. True *b. False
16. A requirement that all employees take time off from work, which allows the organization to audit the individual’s areas of responsibility, is known as a mandatory vacation policy. __________ *a. True b. False
17. A(n) credit check can uncover past criminal behavior or other information that suggests a potential for future misconduct or a vulnerability that might render a job candidate susceptible to coercion or blackmail. __________ a. True *b. False
18. A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known as racketeering. __________ a. True *b. False
19. When hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level? a. new hire orientation b. covert surveillance c. organizational tour *d. background check
20. Which of the following is NOT a common type of background check that may be performed on a potential employee? a. identity *b. political activism c. motor vehicle records d. drug history
21. Employees pay close attention to job __________, and including InfoSec tasks in them will motivate employees to take more care when performing these tasks. *a. performance evaluations b. descriptions c. quarterly reports d. vacation requests
22. Employees new to an organization should receive an extensive InfoSec briefing that includes all of the following EXCEPT: *a. signing the employment contract b. security policies c. security procedures d. access levels
23. Incorporating InfoSec components into periodic employee performance evaluations can __________. *a. heighten InfoSec awareness b. frighten employees c. demotivate workers d. reduce compliance to policy
24. Which of the following is NOT a task that must be performed if an employee is terminated? a. former employee must return all media *b. former employee’s home computer must be audited c. former employee’s office computer must be secured d. former employee should be escorted from the premises
25. Which of the following policies requires that every employee be able to perform the work of at least one other staff member? a. collusion *b. job rotation c. two-person control d. separation of duties
26. Which of the following policies requires that two individuals review and approve each other’s work before the task is considered complete? a. task rotation *b. two-person control c. separation of duties d. job rotation
27. Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs? a. task rotation b. mandatory vacations *c. separation of duties d. job rotation
28. Organizations are required by privacy laws to protect sensitive or personal employee information, including __________. *a. personally identifiable information (PII) b. corporate financial information c. internal business contact information d. employee salaries
29. Contract employees—or simply contractors—should not be allowed to do what? a. Work on the premises. *b. Wander freely in and out of facilities. c. Visit the facility without an escort. d. Be compensated based on hourly rates.
30. Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as __________. a. temporary workers b. consultants *c. contract employees d. business partners
31. If a temporary worker (temp) violates a policy or causes a problem, what is the strongest action that the host organization can usually take, depending on the SLA? a. Nothing, the organization has no control over temps. *b. Terminate the relationship with the individual and request that he or she be censured. c. Fine the temp or force the temp to take unpaid leave, like permanent employees. d. Sue the temp agency for cause, demanding reparations for the actions of the temp.
32. Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program? *a. performance management b. baselining c. best practices d. standards of due care/diligence
33. Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program? a. Measurements must yield quantifiable information. b. Data that supports the measures needs to be readily obtainable. c. Only repeatable InfoSec processes should be considered for measurement. *d. Measurements must be useful for tracking non-compliance by internal personnel.
34. Which of the following is NOT a factor critical to the success of an information security performance program? a. strong upper-level management support *b. high level of employee buy-in c. quantifiable performance measurements d. results-oriented measurement analysis
35. Which of the following is NOT one of the types of InfoSec performance measures used by organizations? a. those that determine the effectiveness of the execution of InfoSec policy b. those that determine the effectiveness and/or efficiency of the delivery of InfoSec services *c. those that evaluate the frequency with which employees access internal security documents d. those that assess the impact of an incident or other security event on the organization or its mission
36. Which of the following is NOT a question a CISO should be prepared to answer before beginning the process of designing, collecting, and using performance measurements, according to Kovacich? a. Why should these measurements be collected? b. Where will these measurements be collected? *c. What effect will measurement collection have on efficiency? d. Who will collect these measurements?
37. The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them? a. development and selection of qualified personnel to gauge the implementation, effectiveness, efficiency, and impact of the security controls *b. identification and definition of the current InfoSec program c. maintenance of the vulnerability management program d. comparison of organizational practices against similar organizations
38. InfoSec measurements collected from production statistics depend greatly on which of the following factors? a. types of performance measures developed *b. number of systems and users of those systems c. number of monitored threats and attacks d. activities and goals implemented by the business unit
39. Which of the following is NOT a phase in the NIST InfoSec performance measures development process? *a. Identify relevant stakeholders and their interests in InfoSec measurement. b. Integrate the organization’s process improvement activities across all business areas. c. Identify and document the InfoSec performance goals and objectives that would guide security control implementation for the InfoSec program. d. Review any existing measurements and data repositories that can be used to derive measurement data.
40. One of the fundamental challenges in InfoSec performance measurement is defining what? a. interested stakeholders *b. effective security c. appropriate performance measures d. the proper assessment schedule
41. NIST recommends the documentation of performance measurements in a standardized format to ensure ____________. a. the suitability of performance measure selection b. the effectiveness of performance measure corporate reporting *c. the repeatability of measurement development, customization, collection, and reporting activities d. the acceptability of the performance measurement program by upper management
42. Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence? a. baselining *b. legal liability c. competitive disadvantage d. certification revocation
43. Which of the following is NOT a consideration when selecting recommended best practices? a. threat environment is similar b. resource expenditures are practical c. organization structure is similar *d. same certification and accreditation agency or standard
44. Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following? *a. benchmarking b. corporate espionage c. baselining d. due diligence
45. What do you call the legal requirements that an organization must adopt a standard based on what a prudent organization should do, and then maintain that standard? a. certification and accreditation b. best practices *c. due care and due diligence d. baselining and benchmarking
46. Problems with benchmarking include all but which of the following? a. Organizations don’t often share information on successful attacks. b. Organizations being benchmarked are seldom identical. c. Recommended practices change and evolve, so past performance is no indicator of future success. *d. Benchmarking doesn’t help in determining the desired outcome of the security process.
47. Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people? a. Do you perform background checks on all employees with access to sensitive data, areas, or access points? *b. Are the user accounts of former employees immediately removed on termination? c. Would the typical employee recognize a security issue? d. Would the typical employee know how to report a security issue to the right people?
48. The ISO certification process takes approximately six to eight weeks and involves all of the following steps EXCEPT: *a. rejection of the certification application based on lack of compliance or failure to remediate shortfalls b. initial assessment of the candidate organization’s InfoSec management systems, procedures, policies, and plans c. writing of a manual documenting all procedural compliance d. presentation of certification by the certification organization
49. The benefits of ISO certification to organizations include all of the following EXCEPT: *a. increased opportunities for government contracts b. reduced costs associated with incidents c. smoother operations resulting from more clearly defined processes and responsibilities d. improved public image of the organization, as certification implies increased trustworthiness
50. The benefits of ISO certification to an organization's employees include all of the following EXCEPT: *a. reduced employee turnover due to misinterpreted security policies and practices b. lower risk of accidents and incidents associated with critical or sensitive information c. employee confidence in organizational security practices d. improved productivity and job satisfaction from more clearly defined InfoSec roles and responsibilities
51. The organization of a task or process so it requires at least two individuals to work together to complete is known as __________ control. Correct Answer(s): a. two-person b. two person c. two man d. two-man
52. A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known as __________. Correct Answer(s): a. collusion
53. The requirement that all critical tasks can be performed by multiple individuals is known as __________. Correct Answer(s): a. task rotation
54. The requirement that every employee be able to perform the work of at least one other employee is known as __________. Correct Answer(s): a. job rotation
55. A requirement that all employees take time off from work, which allows the organization to audit the individual’s areas of responsibility, is known as __________ vacation policy. Correct Answer(s): a. mandatory
56. Best security practices balance the need for user __________ to information with the need for adequate protection while simultaneously demonstrating fiscal responsibility. Correct Answer(s): a. access
57. A practice related to benchmarking is __________, which is a measurement against a prior assessment or an internal goal. Correct Answer(s): a. baselining
58. __________ encompasses a requirement that the implemented standards continue to provide the required level of protection. Correct Answer(s): a. Due diligence
59. A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________. Correct Answer(s): a. target b. measure c. metric
60. The last phase in NIST performance measures implementation is to apply __________ actions, which closes the gap found in Phase 2. Correct Answer(s): a. corrective
61. [g] 1. The actions that demonstrate that an organization has made a valid effort to protect others and that the implemented standards continue to provide the required level of protection. [i] 2. A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions. [a] 3. A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances. [j] 4. The requirement that every employee be able to perform the work of at least one other employee. [h] 5. The requirement that all critical tasks can be performed by multiple individuals. [d] 6. The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization. [f] 7. An attempt to improve information security practices by comparing an organization’s efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate. [b] 8. Workers brought in by organizations to fill positions for a short time or to supplement the existing workforce. [e] 9. Workers hired to perform specific services for the organization. [c] 10. An assessment of the performance of some action or process against which future performance is assessed. a. standard of due care b. temporary workers c. baseline d. performance measurements e. contract employees f. benchmarking g. due diligence h. task rotation i. collusion j. job rotation
62. When choosing from recommended practices, an organization should consider a number of questions. List four. Correct Answer:
Does your organization resemble the target organization of the recommended practice? Are you in a similar industry as the target of the recommended practice? Do you face similar challenges as the target of the recommended practice? Is your organizational structure similar to the target of the recommended practice? Can your organization expend resources at the level required by the recommended practice? Is your threat environment similar to the one assumed by the recommended practice?
63. List the four factors critical to the success of an InfoSec performance program, according to NIST SP 800-55, Rev. 1. Correct Answer:
- Strong upper-level management support
- Practical InfoSec policies and procedures
- Quantifiable performance measurements
- Results-oriented measurement analysis
64. Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer several questions posed by Kovacich. List four of these questions. Correct Answer:
Why should these statistics be collected? What specific statistics will be collected? How will these statistics be collected? When will these statistics be collected? Who will collect these statistics? At what point in the function’s process will these statistics be collected?
65. The process of implementing a performance measures program recommended by NIST involves six phases. List and describe them. Correct Answer:
Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.
Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets (gap analysis).
Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on overall risk mitigation goals, and selecting the most appropriate corrective actions.
Phase 4: Develop the business case.
Phase 5: Obtain resources; address the budgeting cycle for acquiring resources needed to implement remediation actions identified in Phase 3.
Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.
66. What are the two major activities into which the InfoSec measurement development process recommended by NIST is divided? Correct Answer:
1. Identification and definition of the current InfoSec program
2. Development and selection of specific measurements to gauge the implementation, effectiveness, efficiency, and impact of the security controls
67. On what elements do measurements collected from production statistics greatly depend? Explain your answer. Correct Answer:
Measurements collected from production statistics depend greatly on the number of systems and the number of users of those systems. As the number of systems changes and/or the number of system users changes, the effort to maintain the same level of service will vary.
68. Why is measurement prioritization and selection important? How can it be achieved? Correct Answer:
Because organizations seem to better manage what they measure, it is important to ensure that individual metrics are prioritized in the same manner as the processes that they measure. This can be achieved with a simple low-, medium-, or high-priority ranking system or a weighted scale approach, which would involve assigning values to each measurement based on its importance in the context of the overall InfoSec program and in the overall risk-mitigation goals and criticality of the systems.
69. Why must you do more than simply list the InfoSec measurements collected when reporting them? Explain. Correct Answer:
In most cases, simply listing the measurements collected does not adequately convey their meaning. For example, a line chart showing the number of malicious code attacks occurring per day may communicate a basic fact, but unless the reporting mechanism can provide the context—for example, the number of new malicious code variants on the Internet in that time period—the measurement will not serve its intended purpose. In addition, you must make decisions about how to present correlated metrics—whether to use pie, line, bar, or scatter charts, and which colors denote which kinds of results.
70. Briefly describe at least five types of background checks. Correct Answer:
- Identity checks: personal identity validation
- Education and credential checks: institutions attended, degrees and certifications earned, and certification status
- Previous employment verification: where candidates worked, why they left, what they did, and for how long
- Reference checks: validity of references and integrity of reference sources
- Worker’s compensation history: claims from worker’s compensation
- Motor vehicle records: driving records, suspensions, and other items noted in the applicant’s public record
- Drug history: drug screening and drug usage, past and present
- Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position
- Credit history: credit problems, financial problems, and bankruptcy
- Civil court history: involvement as the plaintiff or defendant in civil suits
- Criminal court history: criminal background, arrests, convictions, and time served
71. Briefly describe the two outprocessing methods of handling employees who leave their positions at a company. Correct Answer:
Hostile departure (usually involuntary), including termination, downsizing, lay-off, or quitting: Security cuts off all logical and keycard access before the employee is terminated. As soon as the employee reports for work, he or she is escorted into the supervisor’s office to receive the bad news. The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects under supervision. No organizational property is allowed to leave the premises, including diskettes, pens, papers, or books. Terminated employees can submit, in writing, a list of the property they wish to retain, stating their reasons for doing so. Once personal property has been gathered, the employee is asked to surrender all keys, keycards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building.
Friendly departure (voluntary) for retirement, promotion, or relocation: The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee’s access and information usage. Employee accounts are usually allowed to continue, with a new expiration date. The employee can come and go at will and usually collects any belongings and leaves without escort. The employee is asked to drop off all organizational property before departing.
CHAPTER 10
1. In most organizations, the COO is responsible for creating the IR plan. a. True *b. False
2. When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan. a. True *b. False
3. A hot site is a fully configured computing facility that includes all services, communications links, and physical plant operations. *a. True b. False
4. In a cold site there are only rudimentary services, with no computer hardware or peripherals. *a. True b. False
5. Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster. a. True *b. False
6. When performing full-interruption testing, normal operations of the business are not impacted. a. True *b. False
7. The simplest kind of validation, the desk check, involves distributing copies of the appropriate plans to all individuals who will be assigned roles during an actual incident or disaster. *a. True b. False
8. An alert digest is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. __________ a. True *b. False
9. A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery. __________ a. True *b. False
10. Patch and proceed is an organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker’s identification and prosecution. __________ *a. True b. False
11. A slow-onset disaster occurs over time and gradually degrades the capacity of an organization to withstand its effects. __________ *a. True b. False
12. Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster. __________ *a. True b. False
13. The Hartford insurance company estimates that, on average, __________ businesses that don’t have a disaster plan go out of business after a major loss like a fire, a break-in, or a storm. *a. over 40 percent of b. at least 60 percent of c. about 20 percent of d. two percent of
14. Contingency planning is primarily focused on developing __________. *a. plans for unexpected adverse events b. policies for breach notifications c. plans for normal operations d. policies for normal operation
15. The actions taken by senior management to specify the organization’s efforts and actions if an adverse event becomes an incident or disaster are known as __________. a. risk management *b. contingency planning c. business impact d. disaster readiness
16. Which of the following is the first component in the contingency planning process? a. business continuity training b. disaster recovery planning *c. business impact analysis d. incident response planning
17. The team responsible for designing and managing the IR plan by specifying the organization’s preparation, reaction, and recovery from incidents is known as the __________. a. contingency planning management team (CPMT) b. disaster recovery planning team (DRPT) *c. computer security incident response team (CSIRT) d. incident response planning team (IRPT)
18. The group of senior managers and project members organized to conduct and lead all CP efforts is known as the __________. a. contingency planning management team (CPMT) b. disaster recovery planning team (DRPT) *c. crisis management planning team (CMPT) d. incident response planning team (IRPT)
19. What is the final stage of the business impact analysis when using the NIST SP 800-34 approach? a. Identify resource requirements. b. Identify business processes. c. Determine mission/business processes and recovery criticality. *d. Identify recovery priorities for system resources.
20. Which of the following is a mathematical tool that is useful in assessing the relative importance of business functions based on criteria selected by the organization? *a. weighted table analysis b. BIA questionnaire c. recovery time organizer d. MTD comparison
21. At what point in the incident life cycle is the IR plan initiated? a. before an incident takes place b. after the DRP is activated *c. when an incident is detected that affects the organization d. after the BCP is activated
22. Which of the following is NOT a major component of contingency planning? a. incident response b. disaster recovery c. business continuity *d. threat assessment
23. According to NIST’s SP 800-34, Rev. 1, which of the following is NOT one of the stages of the business impact assessment? *a. Calculate asset valuation and combine with the likelihood and impact of potential attacks in a TVA worksheet. b. Determine mission/business processes and recovery criticality. c. Identify resource requirements. d. Identify recovery priorities for system resources.
24. The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption, including all impact considerations, is known as __________. *a. maximum tolerable downtime (MTD) b. recovery point objective (RPO) c. work recovery time (WRT) d. recovery time objective (RTO)
25. The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and supported business processes is known as __________. a. maximum tolerable downtime (MTD) b. recovery point objective (RPO) c. work recovery time (WRT) *d. recovery time objective (RTO)
26. A useful tool for resolving the issue of what business function is the most critical, based on criteria selected by the organization, is the __________. *a. weighted table analysis or weighted factor analysis b. threats-vulnerability-assets worksheet or TVA c. business impact assessment or BIA d. critical patch method assessment or CPMA
27. Which of the following is the first major task in the BIA, according to NIST SP 800-34, Rev. 1? a. Calculate asset valuation and combine with the likelihood and impact of potential attacks in a TVA worksheet. *b. Determine mission/business processes and recovery criticality. c. Identify resource requirements. d. Identify recovery priorities for system resources.
28. The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered is known as __________. a. minimum tolerable downtime (MTD) b. recovery point objective (RPO) *c. work recovery time (WRT) d. recovery time objective (RTO)
29. Which of the following NIST Cybersecurity Framework (CSF) stages relates to reacting to an incident? a. Identify b. Detect *c. Respond d. Protect
30. Which of the following NIST Cybersecurity Framework (CSF) stages relates to implementation of effective security controls (policy, education, training and awareness, and technology)? a. Identify b. Detect c. Respond *d. Protect
31. Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)? a. Identify b. Detect c. Recover *d. React
32. Which of the following is a backup method that uses bulk batch transfer of data to an off-
site facility and is usually conducted via leased lines or secure Internet connections? a. database shadowing b. timesharing c. traditional backups *d. electronic vaulting
33. Which of the following refers to the backup of data to an off-site facility in close to real
time based on transactions as they occur? *a. remote journaling b. electronic vaulting c. database shadowing d. timesharing
34. Which of the following is the process of examining a possible incident and determining
whether it constitutes an actual incident? *a. incident classification b. incident identification c. incident registration d. incident verification
35. Which of the following is a "possible" indicator of an actual incident, according to Donald
Pipkin? *a. unusual consumption of computing resources b. activities at unexpected times c. presence of hacker tools d. reported attacks
36. Which of the following is a definite indicator of an actual incident, according to Donald
Pipkin? a. unusual system crashes b. reported attack c. presence of new accounts *d. use of dormant accounts
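Questions 34 to 36 describe incident classification as sorting observed indicators into Pipkin's three tiers (possible, probable, definite). The following block is an added example, not from the test bank or from Pipkin, that runs that classification over a constructed log excerpt. The account inventory, the event format, the 90-day dormancy window, the business-hours range, the CPU threshold and the tool-name list are all assumptions made for the example.

```python
"""Added example: triage an incident candidate by matching constructed log
events against Pipkin's possible/probable/definite indicator tiers."""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)      # assumption: idle > 90 days = dormant account
BUSINESS_HOURS = range(7, 20)           # assumption: 07:00-19:59 is expected activity
CPU_ALERT_PCT = 95                      # assumption: threshold for "unusual consumption"
TOOL_NAMES = {"nc", "hydra", "john"}    # constructed list of hacker-tool binary names

# Constructed account inventory: last successful login before the sample events.
ACCOUNTS = {
    "alice": datetime(2024, 3, 4, 9, 15),
    "bob": datetime(2024, 3, 4, 17, 40),
    "svc_legacy": datetime(2023, 10, 1, 2, 0),   # idle for months -> dormant
}

# Constructed sample events (not real logs): ISO timestamp, event kind, k=v fields.
SAMPLE_EVENTS = """\
2024-03-05T03:12:44 login user=svc_legacy result=success src=10.0.0.9
2024-03-05T03:13:01 useradd user=tmpadm by=svc_legacy
2024-03-05T03:14:30 exec user=tmpadm cmd=/tmp/.x/hydra
2024-03-05T10:05:12 login user=alice result=success src=10.0.0.21
2024-03-05T11:30:00 resource host=web01 cpu_pct=97
"""

TIER_ORDER = {"possible": 1, "probable": 2, "definite": 3}


def parse_event(line):
    """Split one event line into a dict: ts, kind, and each k=v field."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def indicators(rec, accounts):
    """Yield (tier, description) for every Pipkin indicator one event matches."""
    ts = rec["ts"]
    if rec["kind"] == "login" and rec.get("result") == "success":
        last = accounts.get(rec["user"])
        if last is not None and ts - last > DORMANT_AFTER:
            yield "definite", f"use of dormant account {rec['user']}"
        if ts.hour not in BUSINESS_HOURS:
            yield "probable", f"activity at unexpected time ({ts:%H:%M}) by {rec['user']}"
    elif rec["kind"] == "useradd":
        yield "probable", f"presence of new account {rec['user']} (created by {rec['by']})"
    elif rec["kind"] == "exec":
        binary = rec["cmd"].rsplit("/", 1)[-1]
        if binary in TOOL_NAMES:
            yield "definite", f"presence of hacker tool {binary} run by {rec['user']}"
    elif rec["kind"] == "resource" and int(rec.get("cpu_pct", 0)) >= CPU_ALERT_PCT:
        yield "possible", f"unusual consumption of computing resources on {rec['host']}"


def classify(event_text, accounts=ACCOUNTS):
    """Return (highest tier reached or None, list of (tier, description))."""
    found = []
    for line in event_text.splitlines():
        if line.strip():
            found.extend(indicators(parse_event(line), accounts))
    top = max((tier for tier, _ in found), key=TIER_ORDER.get, default=None)
    return top, found


if __name__ == "__main__":
    tier, found = classify(SAMPLE_EVENTS)
    for t, description in found:
        print(f"[{t}] {description}")
    print("incident classification:", tier or "no indicators")
```

The classification is driven by the strongest indicator present: a single definite indicator (here the dormant service account logging in, and the tool launch) is enough to declare an actual incident, while the off-hours login and the new account alone would only make it probable. The thresholds are placeholders; a real deployment would take them from the organization's own baselines.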
37. The steps in IR are designed to: *a. stop the incident, mitigate incident effects, provide information for recovery from
the incident b. control legal exposure, avoid unfavorable media attention, and minimize impact on stock prices c. delay the incident progress, backtrack the attack to its source IP, and apprehend the intruder d. stop the incident, inventory affected systems, and determine appropriate losses for insurance settlement
38. Which of the following determines the scope of the breach of confidentiality, integrity, and
availability of information and information assets? a. incident report *b. incident damage assessment c. information loss assessment d. damage report
39. Which of the following is an organizational CP philosophy for overall approach to
contingency planning reactions? *a. protect and forget b. pre-action review c. transfer to local/state/federal law enforcement d. track, hack, and prosecute
40. Which of the following is a part of the incident recovery process? *a. identifying the vulnerabilities that allowed the incident to occur and spread b. determining the event’s impact on normal business operations and, if necessary,
making a disaster declaration c. supporting personnel and their loved ones during the crisis d. keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
41. After an incident, but before returning to its normal duties, the CSIRT must do which of the
following? a. Create the incident damage assessment. *b. Conduct an after-action review. c. Restore data from backups. d. Restore services and processes in use.
42. Which of the following is the best example of a rapid-onset disaster? *a. flood b. hurricane c. famine d. environmental degradation
43. When a disaster renders the current business location unusable, which plan is put into
action? *a. business continuity b. crisis management c. incident response d. business impact analysis
44. In the event of an incident or disaster, which planning element is used to guide off-site
operations? a. project management *b. business continuity c. disaster recovery d. incident response
45. Which of the following is true about a hot site? a. It is an empty room with standard heating, air conditioning, and electrical service. b. It includes computing equipment and peripherals with servers but not client
workstations. *c. It duplicates computing resources, peripherals, phone systems, applications, and workstations. d. All communications services must be installed after the site is occupied.
46. In which type of site are no computer hardware or peripherals provided? *a. cold site b. warm site
c. timeshare d. hot site
47. Which of the following is a responsibility of the crisis management team? a. restoring the data from backups b. evaluating monitoring capabilities *c. keeping the public informed about the event and the actions being taken d. restoring the services and processes in use
48. In which contingency plan testing strategy do individuals follow each and every IR/DR/BC
procedure, including the disruption of service, restoration of data from backups, and notification of appropriate individuals? a. desk check b. simulation c. structured walk-through *d. full-interruption
49. In which contingency plan testing strategy do individuals participate in a role-playing
exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred? a. desk check *b. simulation c. structured walk-through d. parallel testing
50. A(n) __________ is an event with negative consequences that could threaten the
organization’s information assets or operations. Correct Answer(s): a. adverse event b. incident candidate
51. Effective contingency planning begins with effective __________. Correct Answer(s): a. policy
52. The four components of contingency planning are the __________, the incident response
plan, the disaster recovery plan, and the business continuity plan.
Correct Answer(s): a. BIA b. business impact analysis
53. A(n) __________ process is a task performed by an organization or one of its units in
support of the organization’s overall mission. Correct Answer(s): a. business
54. The __________ is the point in time before a disruption or system outage to which business
process data can be recovered after the outage, given the most recent backup copy of the data. Correct Answer(s): a. recovery point objective (RPO) b. recovery point objective c. RPO
55. If operations at the primary site cannot be quickly restored, the __________ occurs
concurrently with the DR plan, enabling the business to continue at an alternate site. Correct Answer(s): a. BCP b. business continuity plan c. BC plan
56. The __________ plan is a detailed set of processes and procedures that anticipate, detect,
and mitigate the effects of an unexpected event that might compromise information resources and assets. Correct Answer(s): a. incident response b. IR
57. A(n) __________ occurs when an attack affects information resources and/or assets,
causing actual damage or other disruptions. Correct Answer(s): a. incident
58. __________ is a backup technique that stores duplicate online transaction data along with
duplicate databases at the remote site on a redundant server. Correct Answer(s): a. Database shadowing
59. The bulk batch transfer of data to an off-site facility is known as __________. Correct Answer(s): a. electronic vaulting
60. The process of examining an adverse event or incident candidate and determining whether it
constitutes an actual incident is known as incident __________. Correct Answer(s): a. classification
61. A(n) __________ is a document containing contact information of the individuals to notify
in the event of an actual incident. Correct Answer(s): a. alert roster
62. A(n) _________ is a description of the incident or disaster that usually contains just
enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. Correct Answer(s): a. alert message
63. When dealing with an incident, the incident response team must conduct a(n) __________,
which entails a detailed examination of the events that occurred from first detection to final recovery. Correct Answer(s): a. after action review b. after-action review c. AAR
64. __________ planning ensures that critical business functions can continue if a disaster
occurs. Correct Answer(s): a. Business continuity b. BC
65. A(n) __________ is an agency that provides physical facilities for a fee, in the case of
DR/BC planning.
Correct Answer(s): a. service bureau
66. In __________ testing of contingency plans, the individuals follow each and every
procedure, including interruption of service, restoration of data from backups, and notification of appropriate individuals. Correct Answer(s): a. full-interruption b. full interruption
67. What are the major components of contingency planning? Correct Answer:
- Business impact analysis (BIA)
- Incident response plan (IR plan)
- Disaster recovery plan (DR plan)
- Business continuity plan (BC plan)
68. What teams are involved in contingency planning and contingency operations? Correct Answer:
- Contingency planning management team
- Incident response team
- Disaster recovery team
- Business continuity team
69. Explain the difference between a business impact analysis and the risk management process. Correct Answer:
One of the fundamental differences between a BIA and the risk management process is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect the information. The BIA assumes that these controls have been bypassed, have failed, or have otherwise proved ineffective, that the attack succeeded, and that the adversity being defended against has come to fruition.
70. When undertaking the BIA, what should the organization consider? Correct Answer:
- Scope
- Plan
- Balance
- Objective
- Follow-up
71. List four of the eight key components of a typical IR policy. Correct Answer:
The key components of a typical IR policy are:
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy
- Definition of InfoSec incidents and related items
- Organizational structure and delineation of roles, responsibilities, and levels of authority
- Prioritization of severity ratings of incidents
- Performance measures
- Reporting and contact forms
72. List the seven steps of the incident recovery process, according to Donald Pipkin. Correct Answer:
The incident recovery process involves the following steps:
- Identify the vulnerabilities that allowed the incident to occur and spread. Resolve them.
- Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace, or upgrade them.
- Evaluate monitoring capabilities (if present). Improve detection and reporting methods, or install new monitoring capabilities.
- Restore the data from backups.
- Restore the services and processes in use.
- Continuously monitor the system.
- Restore the confidence of the organization’s communities of interest.
73. There are six key elements that the CP team must build into the DR plan. What are three of them? Correct Answer:
The key elements that the CP team must build into the DRP are:
- Clear delegation of roles and responsibilities
- Execution of the alert roster and notification of key personnel
- Clear establishment of priorities
- Procedures for documentation of the disaster
- Action steps to mitigate the impact of the disaster on the operations of the organization
- Alternative implementations for the various system components, should primary versions be unavailable
74. Compare and contrast a hot site, a warm site, and a cold site. Correct Answer:
Hot site—A hot site is a fully configured computer facility, with all services, communications links, and physical plant operations. It duplicates computing resources, peripherals, phone systems, applications, and workstations. Essentially, this duplicate facility needs only the latest data backups and the personnel to function. If the organization uses an effective data service, a hot site can be fully functional within minutes.
Warm site—A warm site provides many of the same services and options as the hot site, but typically software applications are not included or are not installed and configured. A warm site frequently includes computing equipment and peripherals with servers but not client workstations. Overall, it offers many of the advantages of a hot site at a lower cost. The disadvantage is that several hours or days are required to make a warm site fully functional.
Cold site—A cold site provides only rudimentary services and facilities. No computer hardware or peripherals are provided. All communications services must be installed after the site is occupied. A cold site is an empty room with standard heating, air conditioning, and electrical service. Everything else is an added-cost option. Despite these disadvantages, a cold site may be better than nothing. Its primary advantage is its low cost.
75. What are the three roles performed by the crisis management team? Correct Answer:
- Supporting personnel and their loved ones during the crisis
- Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
- Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
76. Discuss three of the five strategies that can be used to test contingency strategies. Correct Answer:
Desk check: The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components.
Full-interruption testing: The CP testing strategy in which all team members follow each IR/DR/
BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals.
Simulation: The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts.
Structured walk-through: The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event. A walk-through can also be conducted as a conference room talk-through.
Talk-through: A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.
CHAPTER 11
1. If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program will probably continue to work well. *a. True b. False
2. Over time, policies and procedures may become inadequate due to changes in the organization's mission and operational requirements, threats, or the environment. *a. True b. False
3. An effective information security governance program requires no ongoing review once it is well established. a. True *b. False
4. A general guideline for performance of hard drives suggests that when the amount of data stored on a particular hard drive averages 95% of available capacity for a prolonged period, you should consider an upgrade for the drive. a. True *b. False
5. Documentation procedures are not required for configuration and change management processes. a. True *b. False
6. A management model such as the ISO 27000 series deals with methods to maintain systems. a. True *b. False
7. External monitoring entails forming intelligence from various data sources and then giving that intelligence context and meaning for use by decision makers within the organization. *a. True b. False
8. US-CERT is generally viewed as the definitive authority for computer emergency response teams. *a. True b. False
9. Intelligence for external monitoring can come from a number of sources: vendors, CERT organizations, public network sources, and membership sites. *a. True b. False
10. Over time, external monitoring processes should capture information about the external environment in a format that can be referenced across the organization as threats emerge and for historical use. *a. True b. False
11. The internal monitoring domain is the component of the maintenance model that focuses on identifying, assessing, and managing the physical security of assets in an organization. a. True *b. False
12. Inventory characteristics for hardware and software assets that record the manufacturer and versions are related to technical functionality, and should be highly accurate and updated each time there is a change. *a. True b. False
13. The target selection step of Internet vulnerability assessment involves using the external monitoring intelligence to configure a test engine (such as Nessus) for the tests to be performed. a. True *b. False
14. An intranet vulnerability scan starts with the scan of the organization's default Internet search engine. a. True *b. False
15. All systems that are mission critical should be enrolled in platform security validation (PSV) measurement. *a. True b. False
16. Wireless vulnerability assessment begins with the planning, scheduling, and notification of all Internet connections, using software such as Wireshark. a. True *b. False
17. Remediation of vulnerabilities can be accomplished by accepting or transferring the risk, removing the threat, or repairing the vulnerability. *a. True b. False
18. The vulnerability database, like the risk, threat, and attack database, both stores and tracks information. *a. True b. False
19. In some instances, risk is acknowledged as being part of an organization’s business process. *a. True b. False
20. Threats cannot be removed without requiring a repair of the vulnerability. a. True *b. False
21. Policy needs to be reviewed and refreshed from time to time to ensure that it’s providing a current foundation for the information security program. *a. True b. False
22. Major planning components should be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate. *a. True b. False
23. Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing security personnel the opportunity to improve the security plan before it is needed. *a. True b. False
24. An effective information security governance program requires constant change. __________ a. True *b. False
25. The NIST SP 800-100 Information Security Handbook provides technical guidance for the establishment and implementation of an information security program. __________ a. True *b. False
26. The systems development life cycle (SDLC) is the overall process of developing, implementing, and retiring information systems through a multistep approach—from initiation to use. __________ a. True *b. False
27. For configuration management and control, it is important to document the proposed or actual changes in the system security plan. __________ *a. True b. False
28. Tracking monitoring involves assessing the status of the program as indicated by the database information and mapping it to standards established by the agency. __________ a. True *b. False
29. A user ticket is opened when a user calls about an issue. __________ a. True *b. False
30. In some organizations, asset management is the identification, inventory, and documentation of the current information system's status—hardware, software, and networking configurations. __________ a. True *b. False
31. CM assists in streamlining change management processes and prevents changes that could detrimentally affect the security posture of a system before they happen. __________ *a. True b. False
32. CERT stands for "computer emergency recovery team." __________ a. True *b. False
33. US-CERT is a set of moderated mailing lists full of detailed, full-disclosure discussions and announcements about computer security vulnerabilities. It is sponsored in part by SecurityFocus. __________ a. True *b. False
34. Specific warning bulletins are issued when developing threats and specific assets pose a measurable risk to the organization. __________ a. True *b. False
35. The basic function of the external monitoring process is to monitor activity, report results, and escalate warnings. __________ *a. True b. False
36. The primary goal of the external monitoring domain is to maintain an informed awareness of the state of all the organization’s networks, information systems, and information security defenses. __________ a. True *b. False
37. Organizations should have a carefully planned and fully populated inventory of all their network devices, communication channels, and computing devices. __________ *a. True b. False
38. To be put to the most effective use, the information that comes from the IDPS must be integrated into the inventory process. __________ a. True *b. False
39. An example of the type of vulnerability exposed via traffic analysis occurs when an organization is trying to determine if all its device signatures have been adequately masked. __________ *a. True b. False
40. The process of identifying and documenting specific and provable flaws in the organization’s information asset environment is called vulnerability assessment (VA). __________ *a. True b. False
41. The internal vulnerability assessment is usually performed against every device that is exposed to the Internet, using every possible penetration testing approach. __________ a. True *b. False
42. You can document the results of the verification of a vulnerability by saving the results in what is called a(n) profile. __________ a. True *b. False
43. WLAN stands for "wide local area network." __________ a. True *b. False
44. The final process in the vulnerability assessment and remediation domain is the maintenance phase. __________ a. True *b. False
45. The best method of remediation in most cases is to repair a vulnerability. __________ *a. True b. False
46. The CISO uses the results of maintenance activities and the review of the information security program to determine if the status quo can adequately meet the threats at hand. __________ *a. True b. False
47. When possible, major incident response plan elements should be rehearsed. __________ *a. True b. False
48. A(n) war game puts a subset of plans in place to create a realistic test environment. __________ *a. True b. False
49. An affidavit is used as permission to search for evidentiary material at a specified location and/or to seize items to return to an investigator’s lab for examination after being signed by an approving authority. __________ a. True *b. False
50. __________ are a component of the "security triple." a. Threats b. Assets c. Vulnerabilities *d. All of the above
51. A(n) __________ item is a hardware or software item that is to be modified and revised
throughout its life cycle. a. revision b. update c. change *d. configuration
52. A __________ is the recorded condition of a particular revision of a software or hardware
configuration item. a. state *b. version c. configuration d. baseline
53. To maintain optimal performance, one typical recommendation suggests that when the
memory usage associated with a particular CPU-based system averages __________% or more over prolonged periods, you should consider adding more memory. a. 40 *b. 60 c. 10 d. 100
54. To evaluate the performance of a security system, administrators must establish system
performance __________. *a. baselines b. profiles c. maxima d. means
55. Control __________ baselines are established for network traffic and for firewall
performance and IDPS performance.
a. system b. application *c. performance d. environment
56. A primary mailing list for new vulnerabilities, called simply __________, provides time-
sensitive coverage of emerging vulnerabilities, documenting how they are exploited and reporting on how to remediate them. Individuals can register for the flagship mailing list or any one of the entire family of its mailing lists. a. Bugs b. Bugfix c. Buglist *d. Bugtraq
57. The __________ is a center of Internet security expertise and is located at the Software
Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. a. US-CERT b. Bugtraq c. CM-CERT *d. CERT/CC
58. The __________ Web site is home to the leading free network exploration tool, Nmap. *a. insecure.org b. Packet Storm c. Security Focus d. Snort-sigs
59. The __________ commercial site focuses on current security tool resources. a. Nmap-hackerz *b. Packet Storm c. Security Laser d. Snort-SIGs
60. The __________ mailing list includes announcements and discussion of a leading open-
source IDPS. a. Nmap-hackers b. Packet Storm
c. Security Focus *d. Snort
61. The optimum approach for escalation is based on a thorough integration of the monitoring
process into the __________. a. IDE b. CERT c. ERP *d. IRP
62. Detailed __________ on the highest risk warnings can include identifying which vendor
updates apply to which vulnerabilities as well as which types of defenses have been found to work against the specific vulnerabilities reported. a. escalation *b. intelligence c. monitoring d. elimination
63. A process called __________ examines the traffic that flows through a system and its
associated devices to identify the most frequently used devices. a. difference analysis *b. traffic analysis c. schema analysis d. data flow assessment
64. One approach that can improve the situational awareness of the information security
function is to use a process known as __________ to quickly identify changes to the internal environment. a. baselining *b. difference analysis c. differentials d. revision
65. __________ is used to respond to network change requests and network architectural design
proposals. *a. Network connectivity RA b. Dialed modem RA c. Application RA d. Vulnerability RA
66. The __________ is a statement of the boundaries of the RA. *a. scope b. disclaimer c. footer d. head
67. The __________ process is designed to find and document vulnerabilities that may be
present because there are misconfigured systems in use within the organization. a. ASP b. ISP c. SVP *d. PSV
68. __________, a level beyond vulnerability testing, is a set of security tests and evaluations
that simulate attacks by a malicious external source (hacker). *a. Penetration testing b. Penetration simulation c. Attack simulation d. Attack testing
69. Common vulnerability assessment processes include: a. Internet VA b. wireless VA c. intranet VA *d. all of these
70. __________ penetration testing is usually used when a specific system or network segment
is suspect and the organization wants the pen tester to focus on a particular aspect of the target. *a. White box b. Black box c. Gray box d. Green box
71. A step commonly used for Internet vulnerability assessment includes __________, which
occurs when the penetration test engine is unleashed at the scheduled time using the planned target list and test selection.
*a. scanning b. subrogation c. delegation d. targeting
72. The __________ vulnerability assessment is a process designed to find and document
selected vulnerabilities that are likely to be present on the organization's internal network. *a. intranet b. Internet c. LAN d. WAN
73. The __________ vulnerability assessment is designed to find and document vulnerabilities
that may be present in the organization’s wireless local area networks. *a. wireless b. phone-in c. battle-dialing d. network
74. __________ allows for major security control components to be reviewed on a periodic
basis to ensure that they are current, accurate, and appropriate. a. System review b. Project review *c. Program review d. Application review
75. Almost all aspects of a company’s environment are __________, meaning threats that were
originally assessed in the early stages of the project’s systems development life cycle have probably changed and new priorities have emerged. Correct Answer(s): a. dynamic
76. __________ is the process of reviewing the use of a system, not to check performance but to
determine if misuse or malfeasance has occurred. Correct Answer(s): a. Auditing
77. Organizations should perform a(n) __________ assessment of their information security
programs.
Correct Answer(s): a. periodic
78. A __________ configuration is a current record of the configuration of the information
system for use in comparisons to future states. Correct Answer(s): a. baseline
79. As the help desk personnel screen problems, they must also track the activities involved in
resolving each complaint in a help desk __________ system. Correct Answer(s): a. information
80. The objective of the external __________ domain within the maintenance model is to
provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs in order to mount an effective and timely defense. Correct Answer(s): a. monitoring
81. When an organization uses specific hardware and software products as part of its
information security program, the __________ external intelligence source often provides either direct support or indirect tools that allow user communities to support each other. Correct Answer(s): a. vendors b. vendor
82. The primary goal of the __________ monitoring domain is an informed awareness of the
state of all the organization’s networks, information systems, and information security defenses. Correct Answer(s): a. internal
83. The process of collecting detailed information about devices in a network is often referred
to as __________. Correct Answer(s): a. characterization
84. __________ interconnections are the network devices, communications channels, and
applications that may not be owned by the organization but are essential to the organization’s cooperation with another company. Correct Answer(s): a. Partner
85. A(n) __________ analysis is a procedure that compares the current state of a network
segment (the systems and services it offers) against a known previous state of that same network segment (the baseline of systems and services). Correct Answer(s): a. difference
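Questions 64, 78 and 85 describe difference analysis: comparing the current state of a network segment (its hosts and the services they offer) against the recorded baseline so that changes to the internal environment are spotted quickly. The block below is an added example, not code from the test bank or its authors. The baseline and current scan results are constructed for the example, the one-line-per-service format is an assumption, and the approved-change list stands in for whatever the organization's configuration management records actually contain.

```python
"""Added example: difference analysis of a network segment against its baseline,
then a check of the deltas against a (constructed) approved-change record."""

# Constructed baseline and current scan of one segment, one line per service:
# host port/proto service [version]. Not real scan output.
BASELINE = """\
10.0.1.10 22/tcp ssh OpenSSH_8.4
10.0.1.10 443/tcp https nginx/1.18
10.0.1.11 22/tcp ssh OpenSSH_8.4
10.0.1.11 3306/tcp mysql 8.0.26
10.0.1.12 22/tcp ssh OpenSSH_8.4
"""
CURRENT = """\
10.0.1.10 22/tcp ssh OpenSSH_8.4
10.0.1.10 443/tcp https nginx/1.18
10.0.1.10 8080/tcp http-alt jetty
10.0.1.11 22/tcp ssh OpenSSH_8.4
10.0.1.11 3306/tcp mysql 8.0.33
10.0.1.13 22/tcp ssh OpenSSH_9.3
10.0.1.13 23/tcp telnet -
"""

# Constructed configuration-management record of changes that were approved
# (host, port/proto). Anything else in the diff is unexpected and needs review.
APPROVED_CHANGES = {("10.0.1.11", "3306/tcp"), ("10.0.1.10", "8080/tcp")}

DIFF_KEYS = ("new_hosts", "missing_hosts", "new_services", "missing_services", "changed_versions")


def parse_scan(text):
    """Map host -> {port/proto: (service, version)}; blank and '#' lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, port, service, *rest = line.split()
        hosts.setdefault(host, {})[port] = (service, rest[0] if rest else "-")
    return hosts


def _by_port(port):
    """Sort key so 443/tcp comes before 8080/tcp (numeric, not lexical)."""
    return int(port.split("/")[0])


def difference_analysis(baseline_text, current_text):
    """Return the deltas between the baseline and the current state of the segment."""
    base, cur = parse_scan(baseline_text), parse_scan(current_text)
    diff = {key: [] for key in DIFF_KEYS}
    diff["new_hosts"] = sorted(set(cur) - set(base))
    diff["missing_hosts"] = sorted(set(base) - set(cur))
    # Hosts present in both: compare their service sets and versions.
    for host in sorted(set(base) & set(cur)):
        bp, cp = base[host], cur[host]
        for port in sorted(set(cp) - set(bp), key=_by_port):
            diff["new_services"].append((host, port, cp[port][0]))
        for port in sorted(set(bp) - set(cp), key=_by_port):
            diff["missing_services"].append((host, port, bp[port][0]))
        for port in sorted(set(bp) & set(cp), key=_by_port):
            if bp[port] != cp[port]:
                diff["changed_versions"].append((host, port, bp[port][1], cp[port][1]))
    # Every service on a new host is new; every service on a vanished host is missing.
    for host in diff["new_hosts"]:
        for port in sorted(cur[host], key=_by_port):
            diff["new_services"].append((host, port, cur[host][port][0]))
    for host in diff["missing_hosts"]:
        for port in sorted(base[host], key=_by_port):
            diff["missing_services"].append((host, port, base[host][port][0]))
    return diff


def unexpected_changes(diff, approved=APPROVED_CHANGES):
    """Keep only deltas with no matching approved change: these go to review."""
    out = []
    for kind in ("new_services", "missing_services", "changed_versions"):
        for host, port, *_ in diff[kind]:
            if (host, port) not in approved:
                out.append((kind, host, port))
    return out


if __name__ == "__main__":
    diff = difference_analysis(BASELINE, CURRENT)
    for key in DIFF_KEYS:
        print(f"{key}: {diff[key]}")
    print("unexpected (needs review):", unexpected_changes(diff))
```

On the constructed data the analysis reports one new host (with an unapproved telnet service), one host that has disappeared, a new listener on an existing host, and a version change on the database port. Only the last two appear in the approved-change record, so the review queue holds the new host's two services and the vanished host's SSH service. The same routine applies unchanged to any two snapshots in this format, so it can also be run between two successive scans rather than against a fixed baseline.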
86. The primary objective of the planning and __________ domain is to keep a lookout over the
entire information security program. Correct Answer(s): a. risk assessment
87. As each project nears completion, a(n) __________ risk assessment group reviews the
impact of the project on the organization’s risk profile. Correct Answer(s): a. operational
88. The primary goal of the vulnerability assessment and __________ domain is to identify
specific, documented vulnerabilities and remediate them in a timely fashion. Correct Answer(s): a. remediation
89. The __________ tester’s ultimate responsibility is to identify weaknesses in the security of
the organization’s systems and networks and then present findings to the system owners in a detailed report. Correct Answer(s): a. pen b. penetration
90. The __________ vulnerability assessment is designed to find and document vulnerabilities
that may be present in the organization's public network. Correct Answer(s): a. Internet
91. The analysis step of an Internet vulnerability assessment occurs when a knowledgeable and
experienced vulnerability analyst screens test results for __________ vulnerabilities logged during scanning. Correct Answer(s): a. candidate
92. A(n) __________ risk is one that is higher than the risk appetite of the organization. Correct Answer(s): a. significant
93. Proven cases of real vulnerabilities can be considered vulnerability __________. Correct Answer(s): a. instances
94. The __________ step in the intranet vulnerability assessment is identical to the one
followed in Internet vulnerability analysis. Correct Answer(s): a. record-keeping
95. The __________ vulnerability assessment is designed to find and document vulnerabilities
that may be present in the organization's wireless local area networks. Correct Answer(s): a. wireless
96. In __________ selection, all areas of the organization’s premises should be scanned with a
portable wireless network scanner. Correct Answer(s): a. target
97. An attacker's use of a laptop while driving around looking for open wireless connections is
often called war __________. Correct Answer(s): a. driving
98. The primary goal of the readiness and __________ domain is to keep the information
security program functioning as designed and improve it continuously over time. Correct Answer(s): a. review
99. Rehearsals that use plans as realistically as possible are called __________ games. Correct Answer(s): a. war
100. Why should agencies monitor the status of their programs? Correct Answer:
Agencies should monitor the status of their programs to ensure that:
- Ongoing information security activities are providing appropriate support to the agency mission
- Policies and procedures are current and aligned with evolving technologies, if appropriate
- Controls are accomplishing their intended purpose
101. List the four steps to developing a CM plan. Correct Answer:
The four steps in developing the CM plan are:- Establish baselines - Identify configuration - Describe the configuration control process - Identify a schedule for configuration audits
102. List the five domains of the security maintenance model. Correct Answer:
The security maintenance model is based on five subject areas or domains:- External monitoring - Internal monitoring - Planning and risk assessment - Vulnerability assessment and remediation - Readiness and review
CHAPTER 12
1. Technical controls alone, when properly configured, can secure an IT environment. a. True *b. False
2. The “something a person has” authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics. a. True *b. False
3. A firewall is any device that prevents a specific type of information from moving between the untrusted network and the trusted network. *a. True b. False
4. Secure Shell (SSH) provides security for remote access connections over public networks by creating a secure and persistent connection. *a. True b. False
5. The KDC component of Kerberos knows the secret keys of all clients and servers on the network. *a. True b. False
6. Biometrics are the use of physiological characteristics to provide authentication of an identification. __________ *a. True b. False
7. A smart chip is an authentication component, similar to a dumb card, that contains a computer chip to verify and validate several pieces of information instead of just a PIN. __________ a. True *b. False
8. The false accept rate is the rate at which fraudulent users or nonusers are allowed access to systems or areas as a result of a failure in the biometric device. __________ *a. True b. False
9. Boundary controls regulate the admission of users into trusted areas of the organization. __________ a. True *b. False
10. A password should be difficult to guess. __________ *a. True b. False
11. A bollard host is a device placed between an external, untrusted network and an internal, trusted network. __________ a. True *b. False
12. Intense packet inspection is a firewall function that involves examining multiple protocol headers and even content of network traffic, all the way through the TCP/IP layers and including encrypted, compressed, or encoded data. __________ a. True *b. False
13. A packet filtering firewall is a networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules. __________ *a. True b. False
14. A validity table is a tabular record of the state and context of each packet in a conversation between an internal and external user or system. __________ a. True *b. False
15. The action level is a predefined assessment level of an IDPS that triggers a predetermined response when surpassed. __________ a. True *b. False
16. In an IDPS, a sensor is a piece of software that resides on a system and reports back to a management server. __________ *a. True b. False
17. In wireless networking, the waveprint is the geographic area in which there is sufficient signal strength to make a network connection. __________ a. True *b. False
18. A wireless access point is a device used to connect wireless networking users and their devices to the rest of the organization’s network(s). __________ *a. True b. False
19. In e-commerce situations, some cryptographic tools can be used for misrepresentation in order to assure that parties to the transaction are authentic, and that they cannot later deny having participated in a transaction. __________ a. True *b. False
20. A semialphabetic substitution cipher is one that incorporates two or more alphabets in the encryption process. __________ a. True *b. False
21. Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area? a. identification *b. authentication c. authorization d. accountability
22. Which of the following is NOT among the three types of authentication mechanisms? a. something a person knows b. something a person has *c. something a person says d. something a person can produce
23. Which of the following characteristics currently used for authentication purposes is the LEAST unique? a. fingerprints b. iris c. retina *d. face geometry
24. The rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device is known as the __________. a. reset error ratio *b. false reject rate c. crossover error rate d. false accept rate
25. Which of the following is a commonly used criterion for comparing and evaluating biometric technologies? a. false accept rate *b. crossover error rate c. false reject rate d. valid accept rate
26. Which of the following biometric authentication systems is considered to be truly unique, suitable for use, and currently cost-effective? a. gait recognition b. signature recognition c. voice pattern recognition *d. fingerprint recognition
27. Which of the following biometric authentication systems is the most accepted by users? a. keystroke pattern recognition b. fingerprint recognition *c. signature recognition d. retina pattern recognition
28. Which type of firewall keeps track of each network connection established between internal and external systems? a. packet filtering *b. stateful packet inspection c. application layer d. cache server
29. The combination of a system's TCP/IP address and a service port is known as a __________. a. portlet b. NAT c. packet *d. socket
30. Which type of device exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server? a. dynamic packet filtering firewall *b. proxy server c. intrusion detection system d. application layer firewall
31. The intermediate area between trusted and untrusted networks is referred to as which of the following? a. unfiltered area b. semi-trusted area *c. demilitarized zone d. proxy zone
32. Which type of device can react to network traffic and create or modify configuration rules to adapt? *a. dynamic packet filtering firewall b. proxy server c. intrusion detection system d. application layer firewall
33. Which technology employs sockets to map internal private network addresses to a public address using one-to-many mapping? a. network-address translation b. screened-subnet firewall *c. port-address translation d. private address mapping
34. The bastion host is usually implemented as a __________, as it contains two network interfaces: one that is connected to the external network and one that is connected to the internal network, such that all traffic must go through the device to move between the internal and external networks. a. state-linked firewall b. screened-subnet firewall *c. dual-homed host d. double bastion host
35. In the _________ firewall architecture, a single device configured to filter packets serves as the sole security point between the two networks. a. state-managed firewall b. screened-subnet firewall c. single-homed firewall *d. single bastion host
36. Which of the following is true about firewalls and their ability to adapt in a network? a. Firewalls can interpret human actions and make decisions outside their programming. b. Because firewalls are not programmed like a computer, they are less error prone. c. Firewalls are flexible and can adapt to new threats. *d. Firewalls deal strictly with defined patterns of measured observation.
37. Which of the following is NOT one of the administrative challenges to the operation of firewalls? a. training b. uniqueness *c. replacement d. responsibility
38. Which of the following is NOT a method employed by IDPSs to prevent an attack from succeeding? *a. sending DoS packets to the source b. terminating the network connection c. reconfiguring network devices d. changing the attack’s content
39. Which type of IDPS is also known as a behavior-based intrusion detection system? a. network-based *b. anomaly-based c. host-based d. signature-based
40. In an IDPS, a piece of software that resides on a system and reports back to a management server is known as a(n) __________. a. agent b. sensor *c. Both of these are correct. d. Neither of these is correct.
41. Which type of IDPS works like antivirus software? a. network-based b. anomaly-based c. host-based *d. signature-based
42. Which tool can best identify active computers on a network? a. packet sniffer *b. port scanner c. trap and trace d. honey pot
43. What is the next phase of the pre-attack data gathering process after an attacker has collected all of an organization’s Internet addresses? a. footprinting b. content filtering c. deciphering *d. fingerprinting
44. What tool would you use if you want to collect information as it is being transmitted on the network and analyze the contents for the purpose of solving network problems? a. port scanner *b. packet sniffer c. vulnerability scanner d. content filter
45. What is an application that entices individuals who are illegally perusing the internal areas of a network by providing simulated rich content areas while the software notifies the administrator of the intrusion? a. port scanner b. sacrificial host *c. honey pot d. content filter
46. What is the organized research and investigation of Internet addresses owned or controlled by a target organization? *a. footprinting b. content filtering c. deciphering d. fingerprinting
47. When an information security team is faced with a new technology, which of the following is NOT a recommended approach? a. Determine if the benefits of the proposed technology justify the expected costs. b. Include costs for any additional risk control requirements that are mandated by the new technology. c. Consider how the proposed solution will affect the organization’s risk exposure. *d. Evaluate how the new technology will enhance employee skills.
48. Which of the following is used in conjunction with an algorithm to make computer data secure from anybody except the intended recipient of the data? *a. key b. plaintext c. cipher d. cryptosystem
49. In which cipher method are values rearranged within a block to create the ciphertext? *a. permutation b. Vernam c. substitution d. monoalphabetic
50. Which of the following is true about symmetric encryption? *a. It uses a secret key to encrypt and decrypt. b. It uses a private and public key. c. It is also known as public key encryption. d. It requires four keys to hold a conversation.
51. Which technology has two modes of operation: transport and tunnel? a. Secure Hypertext Transfer Protocol b. Secure Shell *c. IP Security Protocol d. Secure Sockets Layer
52. Which of the following provides an identification card of sorts to clients who request services in a Kerberos system? *a. ticket granting service b. authentication server c. authentication client d. key distribution center
53. Which of the following is a Kerberos service that initially exchanges information with the client and server by using secret keys? a. authentication server b. authentication client *c. key distribution center d. ticket granting service
54. What is most commonly used for the goal of nonrepudiation in cryptography? a. block cipher b. digital certificate c. PKI *d. digital signature
55. The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption is known as __________. *a. cryptanalysis b. cryptology c. cryptography d. nonrepudiation
56. __________ is the determination of actions that an entity can perform in a physical or logical area. Correct Answer(s): a. Authorization
57. A(n) __________ is a secret word or combination of characters known only by the user. Correct Answer(s): a. password
58. ________ recognition authentication captures the analog waveforms of human speech. Correct Answer(s): a. Voice
59. A(n) __________ token uses a challenge-response system in which the server challenges the user with a number, which when entered into the token provides a response that allows access. Correct Answer(s): a. asynchronous
60. A(n) __________ is any device that prevents a specific type of information from moving between an untrusted network and a trusted network. Correct Answer(s): a. firewall
61. You might put a proxy server in the __________, which is exposed to the outside world, between the trusted network and the untrusted network. Correct Answer(s): a. demilitarized zone b. DMZ
62. __________ is a technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis. Correct Answer(s): a. Network-address translation b. Network address translation c. NAT
63. The process of reversing public key encryption to verify that a message was sent by a specific sender and thus cannot be refuted is known as __________. Correct Answer(s): a. digital signatures b. digital signature
64. The process of making and using codes to secure information is known as __________. Correct Answer(s): a. cryptography
65. The process of hiding messages, usually within image files, is known as __________. Correct Answer(s): a. steganography
66. The information used in conjunction with the encryption process to create the ciphertext from the plaintext is known as a(n) __________. Correct Answer(s): a. key b. cryptovariable
67. The process of converting an original message (plaintext) into a form that cannot be used by unauthorized individuals (ciphertext) is known as __________. Correct Answer(s): a. encryption
68. __________ presents a threat to wireless communications, and is therefore a practice that makes it prudent to use a wireless encryption protocol to prevent unauthorized use of your Wi-Fi network. Correct Answer(s): a. War driving
69. The __________ wireless security protocol was replaced by stronger protocols due to several vulnerabilities found in the early 2000s. Correct Answer(s): a. WEP b. wired equivalent privacy
70. The Ticket Granting Service (TGS) is one of three services in the __________ system, and provides tickets to clients who request services. Correct Answer(s): a. Kerberos
71. [e] 1. An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.
[g] 2. A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message.
[a] 3. The organized research and investigation of Internet addresses owned or controlled by a target organization.
[i] 4. In IPSec, an encryption method in which only a packet’s IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.
[f] 5. A cryptographic technique developed at AT&T and known as the “one-time pad,” this cipher uses a set of characters for encryption operations only one time and then discards it.
[d] 6. Was developed by Netscape in 1994 to provide security for online e-commerce transactions.
[b] 7. A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network—for example, restricting user access to Web sites with material that is not related to business, such as pornography or entertainment.
[c] 8. A private, secure network operated over a public and insecure network.
[h] 9. A cryptographic operation that involves simply rearranging the values within a block based on an established pattern.
[j] 10. Public key container files that allow PKI system components and end users to validate a public key and identify its owner.
a. footprinting b. content filter c. VPN d. SSL e. PKI f. Vernam cipher g. asymmetric encryption h. transposition cipher i. transport mode j. digital certificate
72. Describe and provide an example for each of the three types of authentication mechanisms. Correct Answer:
There are three types of authentication mechanisms:
- Something a person knows (for example, passwords and passphrases)
- Something a person has (such as cryptographic tokens and smart cards)
- Something a person produces (such as voice and signature pattern recognition, fingerprints, palm prints, hand topography, hand geometry, and retina and iris scans)
73. Briefly describe how biometric technologies are generally evaluated. Correct Answer:
Biometric technologies are generally evaluated according to three basic criteria:
- False reject rate: the percentage of authorized users who are denied access
- False accept rate: the percentage of unauthorized users who are allowed access
- Crossover error rate: the point at which the number of false rejections equals the number of false acceptances
74. What should you look for when selecting a firewall for your network? Correct Answer:
1. What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target organization?
75. List the most common firewall implementation architectures. Correct Answer:
Three architectural implementations of firewalls are especially common: single bastion hosts, screened-host firewalls, and screened-subnet firewalls.
76. What are NAT and PAT? Describe these technologies. Correct Answer:
NAT is a method of converting multiple real, routable external IP addresses to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address. A related approach, called port-address translation (PAT), converts a single real, valid, external IP address to special ranges of internal IP addresses—that is, a one-to-many approach in which one address is mapped dynamically to a range of internal addresses by adding a unique port number when traffic leaves the private network and is placed on the public network.
77. There are six recommended best practices for firewall use according to Laura Taylor. List three of them. Correct Answer:
- All traffic from the trusted network is allowed out.
- The firewall device is never accessible directly from the public network.
- Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but all of it is routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
- All Internet Control Message Protocol (ICMP) data is denied.
- Telnet/terminal emulation access to all internal servers from the public networks is blocked.
- When Web services are offered outside the firewall, HTTP traffic is prevented from reaching your internal networks via the implementation of some form of proxy access or DMZ architecture.
78. Describe in basic terms what an IDPS is. Correct Answer:
Intrusion detection and prevention systems (IDPSs) work like burglar alarms. When the system detects a violation—the IT equivalent of an opened or broken window—it activates the alarm. This alarm can be audible and visible (noise and lights), or it can be a silent alarm that sends a message to a monitoring company.
79. What is WEP and why is it no longer in favor? Correct Answer:
WEP is designed to provide a basic level of security protection to Wi-Fi networks, to prevent unauthorized access or eavesdropping. However, WEP, like a traditional wired network, does not protect users from each other; it only protects the network from unauthorized users. In the early 2000s, cryptologists found several fundamental flaws in WEP, resulting in vulnerabilities that can be exploited to gain access. These vulnerabilities ultimately led to the replacement of WEP as the industry standard with WPA.
80. What is a packet sniffer and how can it be used for good or nefarious purposes? Correct Answer:
A packet sniffer is a network tool that collects and analyzes copies of packets from the network. It can provide a network administrator with valuable information to help diagnose and resolve networking issues. In the wrong hands, it can be used to eavesdrop on network traffic.
81. What is asymmetric encryption? Correct Answer:
Asymmetric encryption is also known as public key encryption. Whereas symmetric encryption systems use a single key both to encrypt and decrypt a message, asymmetric encryption uses two different keys. Either key of the pair can be used to encrypt or to decrypt, but a message encrypted with one key can be decrypted only with the other key, never with the same key that encrypted it.