Management of Information Security 6th Edition Michael E. Whitman, Herbert Test Bank

Page 1


CHAPTER 1 1. Corruption of information can occur only while information is being stored. a. True *b. False

2. The authorization process takes place before the authentication process. a. True *b. False

3. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. *a. True b. False

4. DoS attacks cannot be launched against routers. a. True *b. False

5. The first step in solving problems is to gather facts and make assumptions. a. True *b. False

6. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. __________ a. True *b. False

7. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. __________ a. True *b. False


8. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. __________ a. True *b. False

9. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual’s shoulder or viewing the information from a distance. __________ a. True *b. False

10. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. __________ a. True *b. False

11. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________ a. True *b. False

12. The macro virus infects the key operating system files located in a computer’s start-up sector. __________ a. True *b. False

13. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. __________ *a. True b. False

14. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. __________ *a. True b. False


15. Communications security involves the protection of which of the following? a. radio handsets b. people, physical assets c. the IT department *d. media, technology, and content

16. The protection of voice and data components, connections, and content is known as

__________ security. *a. network b. national c. cyber d. operational

17. The protection of confidentiality, integrity, and availability of data regardless of its

location is known as __________ security. *a. information b. network c. cyber d. operational

18. A model of InfoSec that offers a comprehensive view of security for data while being

stored, processed, or transmitted is the __________ security model. *a. CNSS b. USMC c. USNA d. NPC

19. Which of the following is a C.I.A. triad characteristic that addresses the threat from

corruption, damage, destruction, or other disruption of its authentic state? *a. integrity b. availability c. authentication d. accountability

20. According to the C.I.A. triad, which of the following is the most desirable characteristic for

privacy? *a. confidentiality


b. availability c. integrity d. accountability

21. Which of the following is recognition that data used by an organization should only be used

for the purposes stated by the information owner at the time it was collected? a. accountability b. availability *c. privacy d. confidentiality

22. Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient

privileges and a demonstrated need may access certain information? a. integrity b. availability c. authentication *d. confidentiality

23. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is

an example of which process? a. accountability b. authorization c. identification *d. authentication

24. A process that defines what the user is permitted to do is known as __________. a. identification *b. authorization c. accountability d. authentication

25. What do audit logs that track user activity on an information system provide? a. identification b. authorization *c. accountability d. authentication


26. Any event or circumstance that has the potential to adversely affect operations and assets is

known as a(n) __________. *a. threat b. attack c. exploit d. vulnerability

27. An intentional or unintentional act that can damage or otherwise compromise information

and the systems that support it is known as a(n) __________. a. threat *b. attack c. exploit d. vulnerability

28. A technique used to compromise a system is known as a(n) __________. a. threat b. attack *c. exploit d. vulnerability

29. A potential weakness in an asset or its defensive control system(s) is known as a(n)

__________. a. threat b. attack c. exploit *d. vulnerability

30. The unauthorized duplication, installation, or distribution of copyrighted computer software,

which is a violation of intellectual property, is called __________. *a. software piracy b. copyright infringement c. trademark violation d. data hijacking

31. Technology services are usually arranged with an agreement defining minimum service

levels known as a(n) __________. a. SSL *b. SLA


c. MSL d. MIN

32. A short-term interruption in electrical power availability is known as a __________. *a. fault b. brownout c. blackout d. lag

33. Acts of __________ can lead to unauthorized real or virtual actions that enable information

gatherers to enter premises or systems they have not been authorized to access. a. bypass b. theft *c. trespass d. security

34. An information security professional with authorization to attempt to gain system access in

an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________. *a. penetration tester b. expert hacker c. phreaker d. cracker

35. A hacker who intentionally removes or bypasses software copyright protection designed to

prevent unauthorized duplication or use is known as a(n) __________. a. penetration tester b. expert hacker c. phreaker *d. cracker

36. __________ is the collection and analysis of information about an organization’s business

competitors, often through illegal or unethical means, to gain an unfair edge over them. a. Dumpster diving b. Packet sniffing c. Competitive advantage *d. Industrial espionage


37. The hash values for a wide variety of passwords can be stored in a database known as a(n)

__________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined. *a. rainbow table b. unicorn table c. rainbow matrix d. poison box

38. Which of the following is NOT an approach to password cracking? *a. ransomware b. brute force c. dictionary attacks d. social engineering attacks

39. Force majeure includes all of the following EXCEPT: *a. armed robbery b. acts of war c. civil disorder d. forces of nature

40. Human error or failure often can be prevented with training and awareness programs,

policy, and __________. a. outsourcing *b. technical controls c. hugs d. ISO 27000

41. “4-1-9” fraud is an example of a __________ attack. *a. social engineering b. virus c. worm d. spam

42. “4-1-9” is one form of a(n) __________ fraud. *a. advance fee b. privilege escalation c. check kiting d. "Spanish Prisoner"


43. Blackmail threat of informational disclosure is an example of which threat category? a. espionage or trespass *b. information extortion c. sabotage or vandalism d. compromises of intellectual property

44. An attack that uses phishing techniques along with specialized forms of malware to encrypt

the victim's data files is known as __________. a. crypto locking *b. ransomware c. jailbreaking d. spam

45. One form of online vandalism is __________, in which individuals interfere with or disrupt

systems to protest the operations, policies, or actions of an organization or government agency. *a. hacktivism b. phreaking c. red teaming d. cyberhacking

46. __________ are malware programs that hide their true nature and reveal their designed

behavior only when activated. a. Viruses b. Worms c. Spam *d. Trojan horses

47. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving

virus __________. a. false alarms b. polymorphisms *c. hoaxes d. urban legends

48. Which of the following is a feature left behind by system designers or maintenance staff that

allows quick access to a system at a later time by bypassing access controls?


a. brute force b. DoS *c. back door d. hoax

49. A __________ is an attack in which a coordinated stream of requests is launched against a

target from many locations at the same time. a. denial of service *b. distributed denial of service c. virus d. spam

50. Which type of attack involves sending a large number of connection or information requests

to a target? a. malicious code *b. denial of service (DoS) c. brute force d. spear fishing

51. In the __________ attack, an attacker monitors (or sniffs) packets from the network,

modifies them, and inserts them back into the network. a. zombie-in-the-middle b. sniff-in-the-middle c. server-in-the-middle *d. man-in-the-middle

52. Which statement defines the differences between a computer virus and a computer worm? a. Worms and viruses are the same. b. Worms can make copies all by themselves on one kind of computer but viruses

can make copies all by themselves on any kind of computer. c. Worms can copy themselves to computers and viruses can copy themselves to smartphones. *d. Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate. 53. Which of the following is not among the "deadly sins of software security"? *a. extortion sins b. implementation sins c. Web application sins


d. networking sins

54. Which of the 12 categories of threats best describes a situation where the adversary removes

data from a victim's computer? *a. theft b. espionage or trespass c. sabotage or vandalism d. information extortion

55. Which of the following is the principle of management that develops, creates, and

implements strategies for the accomplishment of objectives? a. leading b. controlling c. organizing *d. planning

56. Which of the following is the principle of management dedicated to the structuring of

resources to support the accomplishment of objectives? *a. organization b. planning c. controlling d. leading

57. __________ is the set of responsibilities and practices exercised by the board and

executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. *a. Governance b. Controlling c. Leading d. Strategy

58. Which of the following is the first step in the problem-solving process? a. Analyze and compare the possible solutions. b. Develop possible solutions. *c. Recognize and define the problem. d. Select, implement, and evaluate a solution.


59. Which of the following is NOT a step in the problem-solving process? a. Select, implement, and evaluate a solution. b. Analyze and compare possible solutions. *c. Build support among management for the candidate solution. d. Gather facts and make assumptions.

60. Which of the following is NOT a primary function of information security management? a. planning b. protection c. projects *d. performance

61. Which of the following functions of information security management seeks to dictate

certain behavior within the organization through a set of organizational guidelines? a. planning *b. policy c. programs d. people

62. Which function of InfoSec management encompasses security personnel as well as aspects

of the SETA program? a. protection *b. people c. projects d. policy

63. A(n) __________ is a potential weakness in an asset or its defensive control(s). Correct Answer(s): a. vulnerability

64. A(n) __________ is an act against an asset that could result in a loss. Correct Answer(s): a. attack

65. Duplication of software-based intellectual property is more commonly known as software

__________.


Correct Answer(s): a. piracy

66. A(n) __________ hacks the public telephone network to make free calls or disrupt services. Correct Answer(s): a. phreaker

67. A momentary low voltage is called a(n) __________. Correct Answer(s): a. sag

68. Some information gathering techniques are quite legal—for example, using a Web browser

to perform market research. These legal techniques are called, collectively, __________. Correct Answer(s): a. competitive intelligence

69. Attempting to reverse-calculate a password or bypass encryption is called __________. Correct Answer(s): a. cracking

70. ESD is the acronym for __________. Correct Answer(s): a. electrostatic discharge

71. A virus or worm can have a payload that installs a(n) __________ door or trap-door

component in a system, which allows the attacker to access the system at will with special privileges. Correct Answer(s): a. back

72. __________ is unsolicited commercial e-mail. Correct Answer(s): a. Spam

73. A ___________ overflow is an application error that occurs when the system can’t handle

the amount of data that is sent.


Correct Answer(s): a. buffer

74. The three levels of planning are strategic planning, tactical planning, and __________

planning. Correct Answer(s): a. operational

75. The set of organizational guidelines that dictates certain behavior within the organization is

called __________. Correct Answer(s): a. policy

76. Explain the differences between a leader and a manager. Correct Answer:

The distinctions between a leader and a manager arise in the execution of organizational tasks. A leader provides purpose, direction, and motivation to those that follow. By comparison, a manager administers the resources of the organization. He or she creates budgets, authorizes expenditures, and hires employees. 77. List and explain the critical characteristics of information as defined by the C.I.A. triad. Correct Answer:

Confidentiality of information ensures that only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Availability is the characteristic of information that enables user access to information without interference or obstruction and in a usable format.

78. List and explain the four principles of management under the contemporary or popular management theory. Briefly define each. Correct Answer:


Popular management theory categorizes the principles of management into planning, organizing, leading, and controlling (POLC). The process that develops, creates, and implements strategies for the accomplishment of objectives is called planning.

The management function dedicated to the structuring of resources to support the accomplishment of objectives is called organization.

Leadership includes supervising employee behavior, performance, attendance, and attitude. Leadership generally addresses the direction and motivation of the human resource.

Monitoring progress toward completion, and making necessary adjustments to achieve desired objectives, requires the exercise of control.

79. List the steps that can be used as a basic blueprint for solving organizational problems. Correct Answer:

1. Recognize and define the problem.2. Gather facts and make assumptions. 3. Develop possible solutions. 4. Analyze and compare possible solutions. 5. Select, implement, and evaluate a solution.

80. What are the three distinct groups of decision makers or communities of interest on an information security team? Correct Answer:

Managers and professionals in the field of information securityManagers and professionals in the field of IT Managers and professionals from the rest of the organization

81. List the specialized areas of security. Correct Answer:

Physical securityOperations security Communications security Network security


82. List the measures that are commonly used to protect the confidentiality of information. Correct Answer:

Information classificationSecure document (and data) storage Application of general security policies Education of information custodians and end users Cryptography (encryption)

83. What is authentication?

Provide some examples.

Correct Answer:

Authentication is the process by which a control establishes whether a user (or system) has the identity it claims to have. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections as well as the use of cryptographic hardware devices— for example, hardware tokens such as RSA’s SecurID. Individual users may disclose a personal identification number (PIN) or a password to authenticate their identities to a computer system. 84. Discuss the planning element of information security. Correct Answer:

Planning in InfoSec management is an extension of the basic planning model. Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of InfoSec strategies within the IT planning environment. The business strategy is translated into the IT strategy. Both the business strategy and the IT strategy are then used to develop the InfoSec strategy. For example, the CIO uses the IT objectives gleaned from the business unit plans to create the organization’s IT strategy. 85. There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed. Correct Answer:

Compromises to intellectual propertySoftware attacks Deviations in quality of service Espionage or trespass Forces of nature Human error or failure Information extortion Sabotage or vandalism Theft


Technical hardware failures or errors Technical software failures or errors Technological obsolescence


CHAPTER 2 1. Ethics carry the sanction of a governing authority. a. True *b. False

2. The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes. *a. True b. False

3. Deterrence is the best method for preventing an illegal or unethical activity. ____________ *a. True b. False

4. ISACA is a professional association with a focus on authorization, control, and security. ___________ a. True *b. False

5. Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. _________________________ a. True *b. False

6. The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies. ___________ *a. True b. False

7. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________ a. True *b. False


8. A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________ a. True *b. False

9. It is the responsibility of InfoSec professionals to understand state laws and bills. ____________ a. True *b. False

10. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________ *a. True b. False

11. InfraGard began as a cooperative effort between the FBI’s Cleveland field office and local intelligence professionals. ___________ a. True *b. False

12. Which of the following ethical frameworks is the study of the choices that have been made

by individuals in the past? a. Applied ethics *b. Descriptive ethics c. Normative ethics d. Deontological ethics

13. Which of the following is the study of the rightness or wrongness of intentions and motives

as opposed to the rightness or wrongness of the consequences (also known as duty- or obligationbased ethics)? a. Applied ethics b. Meta-ethics c. Normative ethics *d. Deontological ethics

14. Which ethical standard is based on the notion that life in community yields a positive

outcome for the individual, requiring each individual to contribute to that community?


a. utilitarian b. virtue c. fairness or justice *d. common good

15. There are three general categories of unethical behavior that organizations and society

should seek to eliminate. Which of the following is NOT one of them? a. ignorance *b. malice c. accident d. intent

16. Which of the following is the best method for preventing an illegal or unethical activity?

Examples include laws, policies, and technical controls. a. remediation *b. deterrence c. persecution d. rehabilitation

17. Which of the following is NOT a requirement for laws and policies to deter illegal or

unethical activity? a. fear of penalty b. probability of being penalized c. probability of being caught *d. fear of humiliation

18. Which of the following organizations put forth a code of ethics designed primarily for

InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. *a. (ISC)2 b. ACM c. SANS d. ISACA

19. Which subset of civil law regulates the relationships among individuals and among

individuals and organizations? a. tort


b. criminal *c. private d. public

20. Which of the following is NOT used to categorize some types of law? a. constitutional b. regulatory c. statutory *d. international

21. Which law addresses privacy and security concerns associated with the electronic

transmission of PHI? a. USA PATRIOT Act of 2001 b. American Recovery and Reinvestment Act *c. Health Information Technology for Economic and Clinical Health Act d. National Information Infrastructure Protection Act of 1996

22. The penalties for offenses related to the National Information Infrastructure Protection Act

of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons? a. For purposes of commercial advantage b. For private financial gain *c. For political advantage d. In furtherance of a criminal act

23. Which law requires mandatory periodic training in computer security awareness and

accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system? a. The Telecommunications Deregulation and Competition Act b. National Information Infrastructure Protection Act c. Computer Fraud and Abuse Act *d. The Computer Security Act

24. Which act is a collection of statutes that regulates the interception of wire, electronic, and

oral communications? *a. The Electronic Communications Privacy Act of 1986 b. The Telecommunications Deregulation and Competition Act of 1996 c. National Information Infrastructure Protection Act of 1996 d. Federal Privacy Act of 1974


25. Which act requires organizations that retain health care information to use InfoSec

mechanisms to protect this information, as well as policies and procedures to maintain them? a. ECPA b. Sarbanes-Oxley *c. HIPAA d. Gramm-Leach-Bliley

26. Which law extends protection to intellectual property, which includes words published in

electronic formats? a. Freedom of Information Act *b. U.S. Copyright Law c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act

27. A more recently created area of law related to information security specifies a requirement

for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law. a. notification *b. breach c. spill d. compromise

28. Which of the following is the result of a U.S. led international effort to reduce the impact of

copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? a. U.S. Copyright Law b. PCI DSS c. European Council Cybercrime Convention *d. DMCA

29. This collaborative support group began as a cooperative effort between the FBI’s Cleveland

field office and local technology professionals with a focus of protecting critical national infrastructure. *a. InfraGard b. Homeland Security c. CyberWatch d. CyberGard


30. Another key U.S. federal agency is _________, which is responsible for coordinating,

directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information. a. InfraGard b. Homeland Security *c. the National Security Agency d. the Federal Bureau of Investigation

31. Which of the following is compensation for a wrong committed by an individual or

organization? a. liability *b. restitution c. due diligence d. jurisdiction

32. Any court can impose its authority over an individual or organization if it can establish

which of the following? a. jurisprudence *b. jurisdiction c. liability d. sovereignty

33. Investigations involving the preservation, identification, extraction, documentation, and

interpretation of computer media for evidentiary and root cause analysis are known as _________. *a. digital forensics b. criminal investigation c. crime scene investigation d. e-discovery

34. Also known as “items of potential evidentiary value,” any information that could potentially

support the organization’s legal or policy-based case against a suspect is known as _________. *a. evidentiary material b. digital forensics c. evidence d. e-discovery


35. The coherent application of methodical investigatory techniques to collect, preserve, and

present evidence of crimes in a court or court-like setting is known as _________. a. evidentiary material *b. forensics c. crime scene investigation d. data imaging

36. Permission to search for evidentiary material at a specified location and/or to seize items to

return to the investigator’s lab for examination is known as a(n) _________. a. subpoena b. forensic clue *c. search warrant d. affidavit

37. Sworn testimony that certain facts are in the possession of the investigating officer and that

they warrant the examination of specific items located at a specific place is known as a(n) _________. a. subpoena b. forensic finding c. search warrant *d. affidavit

38. A process focused on the identification and location of potential evidence related to a

specific legal action after it was collected through digital forensics is known as _________. *a. e-discovery b. forensics c. indexing d. root cause analysis

39. Digital forensics can be used for two key purposes: ________ or _________. a. e-discovery; to perform root cause analysis *b. to investigate allegations of digital malfeasance; to perform root cause analysis c. to solicit testimony; to perform root cause analysis d. to investigate allegations of digital malfeasance; to solicit testimony

40. In digital forensics, all investigations follow the same basic methodology once permission to

search and seize is received, beginning with _________. *a. identifying relevant items of evidentiary value


b. acquiring (seizing) the evidence without alteration or damage c. analyzing the data without risking modification or unauthorized access d. investigating allegations of digital malfeasance

41. _________ devices often pose special challenges to investigators because they can be

configured to use advanced encryption and they can be wiped by the user even when the user is not present. *a. Portable b. Desktop computer c. Expansion d. Satellite transceiver

42. The most complex part of an investigation is usually __________. *a. analysis for potential EM b. protecting potential EM c. requesting potential EM d. preventing the destruction of potential EM

43. When an incident violates civil or criminal law, it is the organization’s responsibility to

notify the proper authorities; selecting the appropriate law enforcement agency depends on __________. *a. the type of crime committed b. how many perpetrators were involved c. the network provider the hacker used d. what kind of computer the hacker used

44. Ethics are based on ___________________, which are the relatively fixed moral attitudes or

customs of a societal group. Correct Answer(s): a. cultural mores

45. The branch of philosophy that considers nature, criteria, sources, logic, and the validity

of moral judgment is known as ___________. Correct Answer(s): a. ethics

46. The act of attempting to prevent an unwanted action by threatening punishment

or retaliation on the instigator if the act takes place is known as ___________.


Correct Answer(s): a. deterrence

47. ___________________ is a subset of civil law that allows individuals to seek redress in the

event of personal, physical, or financial injury. Correct Answer(s): a. Tort law

48. Information ____________ occurs when pieces of nonprivate data are combined to

create information that violates privacy. Correct Answer(s): a. aggregation

49. An organization increases its liability if it refuses to take the measures a prudent

organization should; this is known as the standard of _____________. Correct Answer(s): a. due care

50. Investigations involving the preservation, identification, extraction, documentation, and

interpretation of computer media for evidentiary and root cause analysis are known as _________. Correct Answer(s): a. digital forensics

51. _________ devices often pose special challenges to investigators because they can be

configured to use advanced encryption and they can be wiped by the user even when the user is not present. Correct Answer(s): a. Portable

52. A process focused on the identification and location of potential evidence related to a

specific legal action after it was collected through digital forensics is known as _________. Correct Answer(s): a. e-discovery b. ediscovery


53. Sworn testimony that certain facts are in the possession of the investigating officer and that

they warrant the examination of specific items located at a specific place is known as a(n) _________. Correct Answer(s): a. affidavit

54. [f] 1. One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. [d] 2. Focuses on enhancing the security of the critical infrastructure in the United States. [c] 3. An approach that applies moral codes to actions drawn from realistic situations. [g] 4. A collection of statutes that regulates the interception of wire, electronic, and oral communications. [h] 5. Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. [b] 6. The study of what makes actions right or wrong, also known as moral theory. [a] 7. Addresses violations harmful to society and is actively enforced and prosecuted by the state. [e] 8. Defines socially acceptable behaviors. a. criminal law b. normative ethics c. applied ethics d. Cybersecurity Act e. ethics f. Computer Security Act (CSA) g. Electronic Communications Privacy Act (ECPA) h. public law 55. Describe the foundations and frameworks of ethics. Correct Answer:

Normative ethics—The study of what makes actions right or wrong, also known as moral theory—that is, how should people act?Meta-ethics—The study of the meaning of ethical judgments and properties—that is, what is right? Descriptive ethics—The study of the choices that have been made by individuals in the past—that is, what do others think is right? Applied ethics—An approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice. Deontological ethics—The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person’s ethical duty.


56. Discuss the three general categories of unethical behavior that organizations should try to control. Correct Answer:

Ignorance:Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention, and one hopes, compliance.

Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data.

Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.

57. Laws and policies and their associated penalties only deter if three conditions are present. What are these conditions? Correct Answer:

Fear of penalty—Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.Probability of being caught—There must be a strong possibility that perpetrators of illegal or unethical acts will be caught. Probability of penalty being administered—The organization must be willing and able to impose the penalty.

58. Briefly describe five different types of laws. Correct Answer:

1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations.2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. 3. Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury. 4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law.


5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

59. The penalty for violating the National Information Infrastructure Protection Act of 1996 depends on the value of the information obtained and whether the offense is judged to have been committed for one of three reasons. What are those reasons? Correct Answer:

For purposes of commercial advantageFor private financial gain In furtherance of a criminal act

60. The Computer Security Act charges the National Bureau of Standards, in cooperation with the National Security Agency (NSA), with the development of five standards and guidelines establishing minimum acceptable security practices. What are three of these principles? Correct Answer:

Standards, guidelines, and associated methods and techniques for computer systems Uniform standards and guidelines for most federal computer systems Technical, management, physical, and administrative standards and guidelines for the costeffective security and privacy of sensitive information in federal computer systems Guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice Validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies

61. Describe the Freedom of Information Act. apply to federal vs. state agencies?

How does its application

Correct Answer:

All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person. However, agencies may withhold information pursuant to nine exemptions and three exclusions contained in the statute. FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each state has its own public access laws that should be consulted for access to state and local records. 62. What is a key difference between law and ethics? Correct Answer:


The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not. 63. A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution? Correct Answer:

Policies must be: o Effectively written o Distributed to all individuals who are expected to comply with them o Read by all employees o Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees o Acknowledged by the employee, usually by means of a signed consent form o Uniformly enforced, with no special treatment for any group (e.g., executives)


CHAPTER 3 1. Because it sets out general business intentions, a mission statement does not need to be concise. a. True *b. False

2. A clearly directed strategy flows from top to bottom rather than from bottom to top. *a. True b. False

3. A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure. *a. True b. False

4. A top-down approach to information security usually begins with a systems administrator’s attempt to improve the security of systems. a. True *b. False

5. Today’s InfoSec systems need constant monitoring, testing, modifying, updating, and repairing. *a. True b. False

6. Values statements should be ambitious; after all, they are meant to express the aspirations of an organization. ____________ a. True *b. False

7. A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization is a(n) investiture. ____________ a. True *b. False


8. The ISO 27014:2013 standard promotes five governance processes, which should be adopted by the organization’s executive management and its consultant. ____________ a. True *b. False

9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs. ____________ *a. True b. False

10. According to the CGTF, the organization should treat InfoSec as an integral part of the system life cycle. ____________ *a. True b. False

11. Which of the following explicitly declares the business of the organization and its intended

areas of operations? a. vision statement b. values statement *c. mission statement d. business statement

12. Which type of planning is the primary tool in determining the long-term direction taken by

an organization? *a. strategic b. tactical c. operational d. managerial

13. Which of the following is true about planning? *a. Strategic plans are used to create tactical plans. b. Tactical plans are used to create strategic plans. c. Operational plans are used to create tactical plans. d. Operational plans are used to create strategic plans.

14. Which level of planning breaks down each applicable strategic goal into a series of

incremental objectives?


a. strategic b. operational c. organizational *d. tactical

15. Which type of planning is used to organize the ongoing, day-to-day performance of tasks? a. strategic b. tactical c. organizational *d. operational

16. The basic outcomes of InfoSec governance should include all but which of the following? a. Value delivery by optimizing InfoSec investments in support of organizational

objectives b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved *c. Time management by aligning resources with personnel schedules and organizational objectives d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively 17. Internal and external stakeholders, such as customers, suppliers, or employees who interact

with information in support of their organization’s planning and operations, are known as ____________. a. data owners b. data custodians *c. data users d. data generators

18. The National Association of Corporate Directors (NACD) recommends four essential

practices for boards of directors. Which of the following is NOT one of these recommended practices? *a. Hold regular meetings with the CIO to discuss tactical InfoSec planning. b. Assign InfoSec to a key committee and ensure adequate support for that committee. c. Ensure the effectiveness of the corporation’s InfoSec policy through review and

approval. d. Identify InfoSec leaders, hold them accountable, and ensure support for them. 19. Which of the following should be included in an InfoSec governance program?


a. An InfoSec maintenance methodology *b. An InfoSec risk management methodology c. An InfoSec project management assessment d. All of these are components of the InfoSec governance program.

20. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL

model and framework lays the groundwork for a successful improvement effort? *a. initiating b. establishing c. acting d. learning

21. According to the Corporate Governance Task Force (CGTF), during which phase of the

IDEAL model and framework does the organization plan the specifics of how it will reach its destination? a. initiating *b. establishing c. acting d. learning

22. Which of the following is an information security governance responsibility of the chief

information security officer? a. Develop policies and the program. *b. Set security policy, procedures, programs, and training. c. Brief the board, customers, and the public. d. Implement incident response programs to detect security vulnerabilities and breaches.

23. ISO 27014:2013 is the ISO 27000 series standard for ____________. *a. governance of information security b. information security management c. risk management d. policy management

24. Which of the following is a key advantage of the bottom-up approach to security

implementation? a. strong upper-management support b. a clear planning and implementation process *c. utilizing the technical expertise of the individual administrators


d. coordinated planning from upper management

25. A high-level executive such as a CIO or VP-IT, who will provide political support and

influence for a specific project, is known as a(n) _________. a. sponsor *b. champion c. overseer d. auditor

26. In which SDLC model does the work product from each phase transition into the next phase

to serve as its starting point while allowing movement back to a previous phase should the project require it? a. spiral b. evolutionary prototyping c. agile *d. waterfall

27. Individuals who control, and are therefore responsible for, the security and use of a

particular set of information are known as ____________. *a. data owners b. data custodians c. data users d. data generators

28. What is the first phase of the SecSDLC? a. analysis *b. investigation c. logical design d. physical design

29. The individual responsible for the assessment, management, and implementation of

information-protection activities in the organization is known as a(n) ____________. *a. chief information security officer b. security technician c. security manager d. chief technology officer

30. In which phase of the SecSDLC does the risk management task occur?


a. physical design b. implementation c. investigation *d. analysis

31. An example of a company stakeholder includes all of the following EXCEPT: a. employees *b. the general public c. stockholders d. management

32. A project manager who understands project management, personnel management, and

InfoSec technical requirements is needed to fill the role of a(n) ____________. a. champion b. auditor *c. team leader d. policy developer

33. The individual accountable for ensuring the day-to-day operation of the InfoSec program,

accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________. a. chief information security officer b. security technician *c. security manager d. chief technology officer

34. A senior executive who promotes the project and ensures its support, both financially and

administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team. *a. champion b. project manager c. team leader d. auditor

35. When using the Governing for Enterprise Security (GES) program, an Enterprise Security

Program (ESP) should be structured so that governance activities are driven by the organization’s executive management, and so that it selects key stakeholders as well as the ____________. *a. Board Risk Committee


b. Board Finance Committee c. Board Ethics Committee d. Chairman of the Board

36. A formal approach to solving a problem based on a structured sequence of procedures, the

use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________. *a. methodology b. formula c. approach d. model

37. A 2007 Deloitte report found that enterprise risk management is a valuable approach that

can better align security functions with the __________ while offering opportunities to lower costs. *a. business mission b. joint application design c. security policy review d. disaster recovery planning

38. Which of the following set the direction and scope of the security process and provide

detailed instruction for its conduct? a. system controls b. technical controls c. operational controls *d. managerial controls

39. A person or organization that has a vested interest in a particular aspect of the planning or

operation of an organization—for example, the information assets used in a particular organization—is known as a(n) _________. *a. stakeholder b. investiture c. venture capitalist d. unicorn

40. A clearly directed __________ flows from top to bottom, and a systematic approach is

required to translate it into a program that can inform and lead all members of the organization. *a. strategy b. security program


c. security policy d. maintenance program

41. IT’s focus is the efficient and effective delivery of information and administration of

information resources, while InfoSec’s primary focus is the __________ of all information assets. *a. protection b. valuation c. operation d. availability

42. When creating a __________, each level of each division translates its goals into more

specific goals for the level below it. *a. strategic plan b. security program c. security policy d. maintenance program

43. The first priority of the CISO and the InfoSec management team should be the __________. *a. structure of a strategic plan b. implementation of a risk management program c. development of a security policy d. adoption of an incident response plan

44. The set of responsibilities and practices exercised by the board and executive management

with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly is known as __________. a. leadership b. relevance *c. governance d. management

45. The letters GRC represent an approach to information security strategic guidance from a

board of directors or senior management perspective. The letters stand for __________, __________, and __________. a. government, regulation, classification b. generalization, risk assessment, cryptography *c. governance, risk management, compliance d. governance, risk control, confidentiality


46. The process of integrating the governance of the physical security and information security

efforts is known in the industry as __________. *a. convergence b. combination c. intimation d. optimization

47. The __________ phase of the SecSDLC begins with a directive from upper management

specifying the process, outcomes, and goals of the project as well as its budget and other constraints. *a. investigation b. analysis c. implementation d. justification

48. In the __________ phase of the SecSDLC, the team studies documents and looks at

relevant legal issues that could affect the design of the security solution. a. investigation *b. analysis c. implementation d. justification

49. The __________ phase of the SecSDLC has team members create and develop the blueprint

for security and develop critical contingency plans for incident response. a. investigation b. analysis c. implementation *d. design

50. A qualified individual who is tasked with configuring security technologies and operating

other technical control systems is known as a(n) ____________. a. chief information security officer *b. security technician c. security manager d. chief technology officer


51. The impetus to begin an SDLC-based project may be ____________________—that is, a

response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders. Correct Answer(s): a. event-driven b. event driven

52. _________ resources include people, hardware, and the supporting system elements and

resources associated with the management of information in all its states. Correct Answer(s): a. Physical

53. The __________ phase is the last phase of the SecSDLC, but is also perhaps the most

important. Correct Answer(s): a. maintenance and change

54. A person or organization that has a vested interest in a particular aspect of the planning or

operation of an organization—for example, the information assets used in a particular organization—is known as a(n) _________. Correct Answer(s): a. stakeholder

55. IT’s role is the efficient and effective delivery of information and administration of

information resources, while InfoSec’s primary role is the __________ of all information assets. Correct Answer(s): a. protection

56. Many technology-based controls can be circumvented if an attacker gains __________

access to the devicesbeing controlled. Correct Answer(s): a. physical

57. The __________ phase is the first phase of the SecSDLC and frequently includes the

creation of policy. Correct Answer(s): a. investigation


58. The process of integrating the governance of physical security and information security

efforts is known in the industry as __________. Correct Answer(s): a. convergence

59. The process of defining and specifying the long-term direction (strategy) to be taken by an

organization is known as __________ planning. Correct Answer(s): a. strategic

60. The __________ of InfoSec is a strategic planning responsibility whose importance has

grown rapidly over the past several years. Correct Answer(s): a. governance

61. The __________ approach to security implementation features strong upper-management

support, a dedicated champion, dedicated funding, a clear planning and implementation process, and the ability to influence organizational culture. Correct Answer(s): a. top-down b. top down

62. Information security governance yields significant benefits. List five. Correct Answer:

1. An increase in share value for organizations2. Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels 3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care 4. Optimization of the allocation of limited security resources 5. Assurance of effective information security policy and policy compliance 6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response 7. A level of assurance that critical decisions are not based on faulty information 8. Accountability for safeguarding information during critical business activities, such as


mergers and acquisitions, business process recovery, and regulatory response

63. Describe what happens during each phase of the IDEAL general governance framework. Correct Answer:

Initiating - Lay the groundwork for a successful improvement effort.Diagnosing - Determine where you are relative to where you want to be. Establishing - Plan the specifics of how you will reach your destination. Acting - Do the work according to the plan. Learning - Learn from the experience and improve your ability to adopt new improvements in the future.

64. What is the role of planning in InfoSec management? factors that affect planning?

What are the

Correct Answer:

Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholders. Among the factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment. 65. What is the values statement and what is its importance to an organization? Correct Answer:

One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public. 66. Contrast the vision statement with the mission statement. Correct Answer:

If the vision statement declares where the organization wants to go, the mission statement describes how it wants to get there. 67. How does tactical planning differ from strategic planning? Correct Answer:


Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year. 68. According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met? Correct Answer:

Create a culture that recognizes the criticality of information and InfoSec to the organization.Verify that management’s investment in InfoSec is properly aligned with organizational strategies and the organization’s risk environment. Assure that a comprehensive InfoSec program is developed and implemented. Demand reports from the various layers of management on the InfoSec program’s effectiveness and adequacy.

69. Describe the key approaches organizations are using to achieve unified enterprise risk management. Correct Answer:

Combining physical security and InfoSec under one leader as one business functionUsing separate business functions that report to a common senior executive Using a risk council approach to provide a collaborative approach to risk management

70. What is necessary for a top-down approach to the implementation of InfoSec to succeed? Correct Answer:

For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally,an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization.


CHAPTER 4 1. Policies must specify penalties for unacceptable behavior and define an appeals process. *a. True b. False

2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee’s inappropriate or illegal use of the system. *a. True b. False

3. The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for. a. True *b. False

4. Access control lists regulate who, what, when, where, and why authorized users can access a system. a. True *b. False

5. Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex. a. True *b. False

6. Technology is the essential foundation of an effective information security program. _____________ a. True *b. False

7. Information security policies are designed to provide structure in the workplace and explain the will of the organization’s management. ____________ *a. True b. False


8. Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________ a. True *b. False

9. Examples of actions that illustrate compliance with policies are known as laws. __________ a. True *b. False

10. The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. ____________ a. True *b. False

11. Which of the following is NOT one of the basic rules that must be followed when

developing a policy? a. policy should never conflict with law b. policy must be able to stand up in court if challenged *c. policy should be focused on protecting the organization from public embarrassment d. policy must be properly supported and administered

12. Which of the following is a policy implementation model that addresses issues by moving

from the general to the specific and is a proven mechanism for prioritizing complex changes? a. on-target model b. Wood’s model *c. bull’s-eye model d. Bergeron and Berube model

13. Which of the following is NOT among the three types of InfoSec policies based on NIST’s

Special Publication 800-14? a. enterprise information security policy *b. user-specific security policies c. issue-specific security policies d. system-specific security policies


14. Which type of document is a more detailed statement of what must be done to comply with

a policy? a. procedure *b. standard c. guideline d. practice

15. In addition to specifying acceptable and unacceptable behavior, what else must a policy

specify? a. appeals process b. legal recourse c. individual responsible for approval *d. the penalties for violation of the policy

16. Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP *d. EISP

17. The EISP must directly support the organization’s __________. *a. mission statement b. values statement c. financial statement d. public announcements

18. Which of the following is a common element of the enterprise information security policy? a. access control lists *b. information on the structure of the InfoSec organization c. articulation of the organization’s SDLC methodology d. indemnification of the organization against liability

19. Which type of security policy is intended to provide a common understanding of the

purposes for which an employee can and cannot use a resource? *a. issue-specific b. enterprise information c. system-specific


d. user-specific

20. Which of the following sections of the ISSP provides instructions on how to report observed

or suspected policy infractions? *a. Violations of Policy b. Systems Management c. Prohibited Usage of Equipment d. Authorized Access and Usage of Equipment

21. Which section of an ISSP should outline a specific methodology for the review and

modification of the ISSP? *a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose

22. Which of the following is a disadvantage of the individual policy approach to creating and

managing ISSPs? *a. can suffer from poor policy dissemination, enforcement, and review b. may skip vulnerabilities otherwise reported c. may be more expensive than necessary d. implementation can be less difficult to manage

23. Which of the following are the two general groups into which SysSPs can be separated? *a. technical specifications and managerial guidance b. business guidance and network guidance c. user specifications and managerial guidance d. technical specifications and business guidance

24. What are the two general approaches for controlling user authorization for the use of a

technology? a. profile lists and configuration tables b. firewall rules and access filters c. user profiles and filters *d. access control lists and capability tables

25. Which of the following is NOT an aspect of access regulated by ACLs?


a. what authorized users can access *b. where the system is located c. how authorized users can access the system d. when authorized users can access the system

26. Which of the following are instructional codes that guide the execution of the system when

information is passing through it? a. access control lists b. user profiles *c. configuration rules d. capability tables

27. Access control list user privileges include all but which of these? a. read b. write *c. operate d. execute

28. Many organizations create a single document that combines elements of the

__________ SysSP and the ___________ SysSP. a. management directive, technical specifications b. management guidance, technical directive *c. management guidance, technical specifications d. management specification, technical directive

29. Policy is only enforceable and legally defensible if it uses a process that assures

repeatable results and conforms to each of the following EXCEPT __________. *a. proper conception b. proper design c. proper development d. proper implementation

30. Writing a policy is not always as easy as it seems. However, the prudent security manager

always scours available resources for __________ that may be adapted to the organization. *a. examples b. legal opinions c. strategic plans d. purchasable policies


31. With policy, the most common distribution methods are hard copy and __________. *a. electronic b. published c. draft d. final

32. To be certain that employees understand the policy, the document must be written at a

reasonable __________, with minimal technical jargon and management terminology. *a. reading level b. level of formatting c. cost d. size

33. Policy __________ means the employee must agree to the policy. *a. compliance b. conformance c. complacency d. consequence

34. The final component of the design and implementation of effective policies is __________. *a. uniform and impartial enforcement b. full comprehension c. complete distribution d. universal distribution

35. A detailed outline of the scope of the policy development project is created during which

phase of the SDLC? a. design b. analysis c. implementation *d. investigation

36. Which phase of the SDLC should see clear articulation of goals? a. design b. analysis c. implementation *d. investigation


37. Which phase of the SDLC should get support from senior management? a. design b. analysis c. implementation *d. investigation

38. A risk assessment is performed during which phase of the SDLC? a. implementation *b. analysis c. design d. investigation

39. A gathering of key reference materials is performed during which phase of the SDLC? a. implementation *b. analysis c. design d. investigation

40. In which phase of the SDLC must the team create a plan to distribute and verify the

distribution of the policies? a. design *b. implementation c. investigation d. analysis

41. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation,

revision, distribution, and storage of the policy? a. policy developer b. policy reviewer c. policy enforcer *d. policy administrator

42. When an organization demonstrates that it is continuously attempting to meet the

requirements of the market in which it operates, what is it ensuring? a. policy administration *b. due diligence


c. adequate security measures d. certification and accreditation

43. Which of the following is NOT one of the three general causes of unethical and illegal

behavior? *a. carelessness b. ignorance c. accident d. intent

44. Laws, policies, and their associated penalties only provide deterrence if three conditions are

present. Which of these is NOT one of them? *a. frequency of review b. probability of being apprehended c. fear of the penalty d. probability of penalty being applied

45. In the bull’s-eye model, the ____________________ layer is the place where threats from

public networks meet the organization’s networking infrastructure. Correct Answer(s): a. Networks

46. The three types of information security policies include the enterprise information security

policy, the issue-specific security policy, and the ____________________ security policy. Correct Answer(s): a. system-specific b. system specific

47. The responsibilities of users and systems administrators with regard to systems

administration duties should be specified in the ____________________ section of the ISSP. Correct Answer(s): a. Systems Management

48. ____________________ include the user access lists, matrices, and capability tables that

govern the rights and privileges of users. Correct Answer(s): a. Access control lists b. ACLs


49. A(n) ____________________, which is usually presented on a screen to the user during

software installation, spells out fair and responsible use of the software being installed. Correct Answer(s): a. end-user license agreement b. end user license agreement c. EULA

50. The champion and manager of the information security policy is called the

____________________. Correct Answer(s): a. policy administrator

51. A __________ is simply a manager’s or other governing body’s statement of intent

regarding employee behavior with respect to the workplace. Correct Answer(s): a. policy

52. A good information security program begins and ends with __________. Correct Answer(s): a. policy

53. __________ are examples of actions that illustrate compliance with policies. Correct Answer(s): a. practices

54. Non-mandatory recommendations the employee may use as a reference in complying with

a policy are known as __________. Correct Answer(s): a. guidelines

55. [g] 1. Step-by-step instructions designed to assist employees in following policies, standards, and guidelines. [b] 2. A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. [i] 3. When issues are addressed by moving from the general to the specific, always starting with policy.


[c] 4. An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. [f] 5. The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts. [j] 6. Specifications of authorization that govern the rights and privileges of users to a particular information asset. [a] 7. A clear declaration that outlines the scope and applicability of a policy. [e] 8. A section of policy that should specify users’ and systems administrators’ responsibilities. [d] 9. Specifies the subjects and objects that users or groups can access. [h] 10. Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. a. statement of purpose b. standard c. ISSP d. capability table e. systems management f. InfoSec policy g. procedures h. SysSP i. bull’s eye model j. access control lists

56. What are the four elements that an EISP document should include? Correct Answer:

An overview of the corporate philosophy on securityInformation on the structure of the InfoSec organization and individuals who fulfill the InfoSec role Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors) Fully articulated responsibilities for security that are unique to each role within the organization

57. What should an effective ISSP accomplish? Correct Answer:

It articulates the organization’s expectations about how its technology-based system should be used.It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control. It indemnifies the organization against liability for an employee’s inappropriate or illegal use of the system.

58. List the major components of the ISSP.


Correct Answer:

Statement of PurposeAuthorized Uses Prohibited Uses Systems Management Violations of Policy Policy Review and Modification Limitations of Liability

59. How should a policy administrator facilitate policy reviews? Correct Answer:

To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation. Recommendation methods could include e-mail, office mail, or an anonymous drop box. 60. List the advantages and disadvantages of using a modular approach for creating and managing the ISSP. Correct Answer:

The advantages of the modular ISSP policy are:Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches Well controlled by centrally managed procedures, assuring complete topic coverage Clear assignment to a responsible department Written by those with superior subject matter expertise for technology-specific systems

The disadvantages of the modular ISSP policy are: May be more expensive than other alternatives Implementation can be difficult to manage

61. List the significant guidelines used in the formulation of effective information security policy. Correct Answer:

For policies to be effective, they must be properly:1. Developed using industry-accepted practices 2. Distributed or disseminated using all appropriate methods 3. Reviewed or read by all employees


4. Understood by all employees 5. Formally agreed to by act or assertion 6. Uniformly applied and enforced

62. What is a SysSP and what is one likely to include? Correct Answer:

SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for example, to configure and operate a network firewall. Such a document could include: a statement of managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an access control list that defines levels of access for each authorized user. 63. What is the final component of the design and implementation of effective policies? Describe this component. Correct Answer:

The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management. 64. In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important? Correct Answer:

During the implementation phase, the team must create a plan to distribute and verify the distribution of the policies. Members of the organization must explicitly acknowledge that they have received and read the policy. Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be overturned and punitive damages might be awarded to the former employee. 65. What are configuration rules?

Provide examples.

Correct Answer:

Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly. Many security systems require specific configuration scripts that dictate which actions to perform on each set of information they process. Examples include firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers. 66. Why is policy so important?


Correct Answer:

Among other reasons, policy may be one of the very few controls or safeguards protecting certain information. Also, properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Policy also serves to protect both the employee and the organization from inefficiency and ambiguity.


CHAPTER 5

1. Small organizations spend more per user on security than medium- and large-sized organizations. *a. True b. False

2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT department. a. True *b. False

3. Threats from insiders are more likely in a small organization than in a large one. a. True *b. False

4. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks. a. True *b. False

5. On-the-job training can result in substandard work performance while the trainee gets up to speed. *a. True b. False

6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables. a. True *b. False

7. When creating a WBS, planners need to estimate the effort required to complete each task, subtask, or action step. *a. True b. False


8. Using complex project management tools may result in a complication where the project manager creates project diagrams with insufficient detail for the implementation of the project. a. True *b. False

9. Each professional project manager will strive to find the proper balance between the planning and the actual work of the project. *a. True b. False

10. Project management is focused on achieving the objectives of the project. __________ *a. True b. False

11. Establishing performance measures and creating project milestones simplifies project planning. __________ a. True *b. False

12. InfoSec is a continuous series of policies that comprise a process. __________ a. True *b. False

13. Project scope management ensures that the project plan includes only those activities that are necessary to complete it. __________ *a. True b. False

14. Establishing performance measures and creating project way points simplifies project monitoring. __________ a. True *b. False

15. The goal of a security alertness program is to keep information security at the forefront of users’ minds on a daily basis. __________


a. True *b. False

16. Projectitis is a phenomenon in which the project manager spends more time documenting project tasks than in accomplishing meaningful project work. __________ *a. True b. False

17. Which of the following is NOT a part of an information security program? a. technologies used by an organization to manage the risks to its information assets b. activities used by an organization to manage the risks to its information assets c. personnel used by an organization to manage the risks to its information assets *d. All of these are part of an information security program.

18. Which of the following variables is the most influential in determining how to structure an

information security program? a. security capital budget b. competitive environment c. online exposure of organization *d. organizational culture

19. Which of the following functions includes identifying the sources of risk and may include

offering advice on controls that can reduce risk? a. risk treatment *b. risk assessment c. systems testing d. vulnerability assessment

20. Which of the following is true about the security staffing, budget, and needs of a medium-

sized organization? a. It has a larger dedicated (full-time) security staff than a small organization. b. It has a larger security budget (as percent of IT budget) than a small organization. c. It has a smaller security budget (as percent of IT budget) than a large organization. *d. It has larger information security needs than a small organization.

21. Which of the following functions needed to implement the information security program

evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?


*a. systems testing b. risk assessment c. incident response d. risk treatment

22. Which function needed to implement the information security program includes researching,

creating, maintaining, and promoting information security plans? a. compliance b. policy *c. planning d. SETA programs

23. Which of the following is NOT among the functions typically performed within the InfoSec

department as a compliance enforcement obligation? a. policy *b. centralized authentication c. compliance/audit d. risk management

24. Larger organizations tend to spend approximately __________ percent of the total IT

budget on security. a. 2 *b. 5 c. 11 d. 20

25. Medium-sized organizations tend to spend approximately __________ percent of the total

IT budget on security. a. 2 b. 5 *c. 11 d. 20

26. Organizations classified as __________ may still be large enough to implement the multitier

approach to security, though perhaps with fewer dedicated groups and more functions assigned to each group. *a. medium-sized b. small-sized


c. large-sized d. super-sized

27. Smaller organizations tend to spend approximately __________ percent of the total IT

budget on security. a. 2 b. 5 c. 11 *d. 20

28. Which of the following describes the primary reason the InfoSec department should NOT

fall under the IT function? a. The average salary of the top security executive typically exceeds that of the typical

IT executive, creating professional rivalries between the two. *b. There is a misalignment between the goals of the InfoSec department, which focuses on protecting information, and the IT function, which focuses on efficiency in processing and accessing information. c. There is a fundamental difference in the mission of the InfoSec department, which seeks to minimize access to information, and the IT function, which seeks to increase accessibility of information. d. None of the above are reasons the InfoSec department should NOT fall under the IT function.

29. In large organizations, the InfoSec department is often located within a(n) _________

division headed by the _________, who reports directly to the _________. *a. IT, CISO, CIO b. Finance, Comptroller, CFO c. Security, CSO, CIO d. Legal, Corporate Counsel, CEO

30. According to Wood, which of the following is a reason the InfoSec department should

report directly to top management? *a. It fosters objectivity and the ability to perceive what’s truly in the best interest of

the organization as a whole. b. It allows independence in the InfoSec department, especially if it is needed to audit the IT division. c. It prevents InfoSec from becoming a drain on the IT budget. d. It allows the InfoSec executive to dictate security requirements with greater authority to the other business divisions.


31. As noted by Kosutic, options for placing the CISO (and his or her security group) in the

organization are generally driven by organizational size and include all of the following EXCEPT: *a. within a division/department with a conflict of interest b. in a separate group reporting directly to the CEO/president c. under a division/department with no conflict of interest d. as an additional duty for an existing manager/executive

32. The InfoSec needs of an organization are unique to all but which one of the following

organizational characteristics? *a. market b. budget c. size d. culture

33. A specialized security administrator responsible for performing systems development life

cycle (SDLC) activities in the development of a security system is known as __________. a. a security technician *b. a security analyst c. a security consultant d. a security manager

34. Which of the following would most likely be responsible for configuring firewalls and

IDPSs, implementing security software, and diagnosing and troubleshooting problems? *a. security technician b. security analyst c. security consultant d. security manager

35. "GGG security" is a term commonly used to describe which aspect of security? a. technical b. software *c. physical d. policy

36. This person would be responsible for some aspect of information security and report to the

CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.


a. security technician b. security analyst c. security consultant *d. security manager

37. To move the InfoSec discipline forward, organizations should take all of the following steps

EXCEPT: *a. form a committee and approve suggestions from the CISO b. learn more about the requirements and qualifications needed c. learn more about budgetary and personnel needs d. grant the InfoSec function needed influence and prestige

38. Which of the following organizations offers the Certified CISO (C|CISO) certification? a. SANS Institute b. (ISC)2 c. ISACA *d. EC-Council

39. Which of the following organizations is best known for its series of certifications targeted to

information systems audit, information security, risk control, and IT governance? a. SANS Institute b. (ISC)2 *c. ISACA d. EC-Council

40. Which of the following organizations is best known for its series of technical InfoSec

certifications through Global Information Assurance Certification (GIAC)? *a. SANS Institute b. (ISC)2 c. ISACA d. EC-Council

41. The __________ certification, considered to be one of the most prestigious certifications for

security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral. *a. CISSP b. GIAC Security Leadership Certification c. Security +


d. Associate of (ISC)2

42. An (ISC)2 program geared toward individuals who want to take any of its certification

exams before obtaining the requisite experience for certification is the __________. *a. Associate of (ISC)2 b. SSCP c. ISSAP d. ISSMP

43. An ISACA certification targeted at IT professionals who are in careers that link IT

risk management with enterprise risk management is known as the __________. a. CGEIT b. CISM c. CISSP *d. CRISC

44. An ISACA certification targeted at upper-level executives, including CISOs and

CIOs, directors, and consultants with knowledge and experience in IT governance, is known as the __________. *a. CGEIT b. CISM c. CISSP d. CRISC

45. What is the SETA program designed to do? a. reduce the occurrence of external attacks b. improve operations *c. reduce the occurrence of accidental security breaches d. increase the efficiency of InfoSec staff

46. A SETA program consists of three elements: security education, security training, and

which of the following? a. security accountability b. security authentication *c. security awareness d. security authorization


47. The purpose of SETA is to enhance security in all but which of the following ways? a. by building in-depth knowledge *b. by adding barriers c. by developing skills d. by improving awareness

48. There are a number of methods for customizing training for users; two of the most common

involve customizing by __________ and by __________. a. skill level; employee rank b. department; seniority *c. functional background; skill level d. educational level; organizational need

49. Which of the following is the first step in the process of implementing training? a. identify training staff b. identify target audiences *c. identify program scope, goals, and objectives d. motivate management and employees

50. Which of the following is an advantage of the one-on-one method of training? a. trainees can learn from each other b. very cost-effective *c. customized to the needs of the trainee d. maximizes use of company resources

51. Which of the following is a disadvantage of the one-on-one training method? a. inflexible scheduling b. may not be responsive to the needs of all the trainees c. content may not be customized to the needs of the organization *d. resource intensive, to the point of being inefficient

52. Which of the following is an advantage of the formal class method of training? a. increased personal interaction between trainer and trainee b. self-paced; can go as fast or as slow as the trainee needs c. can be scheduled to fit the needs of the trainee *d. interaction with trainer is possible


53. Which of the following is an advantage of the user support group form of training? *a. usually conducted in an informal social setting b. formal training plan c. can be live, or can be archived and viewed at the trainee’s convenience d. can be customized to the needs of the trainee

54. Which of the following is NOT a step in the process of implementing training? a. administer the program *b. hire expert consultants c. motivate management and employees d. identify target audiences

55. __________ is a simple project management planning tool. a. RFP *b. WBS c. ISO 17799 d. SDLC

56. Which of the following is the most cost-effective method for disseminating security

information and news to employees? a. employee seminars b. security-themed Web site c. conference calls *d. e-mailed security newsletter

57. Which of the following is true about a company’s InfoSec awareness Web site? a. It should contain few images to avoid distracting readers. b. Appearance doesn’t matter if the information is there. c. It should be placed on the Internet for public use. *d. It should be tested with multiple browsers.

58. An organization’s information security __________ refers to the entire set of activities,

resources, personnel, and technologies used to manage risks to the organization's information assets. Correct Answer(s): a. program


59. An organization carries out a risk __________ function to evaluate risks present in IT

initiatives and/or systems. Correct Answer(s): a. assessment

60. A study of information security positions found that they can be classified into one of three

types: __________ are the real technical types, who create and install security solutions. Correct Answer(s): a. builders

61. The information security __________ is usually brought in when the organization makes the

decision to outsource one or more aspects of its security program. Correct Answer(s): a. consultant

62. The __________ program is designed to reduce the occurrence of accidental security

breaches by members of the organization. Correct Answer(s): a. security education, training, and awareness b. SETA

63. Project __________ management ensures that the project plan includes only those

activities that are necessary to complete it. Correct Answer(s): a. scope

64. Establishing performance measures and creating project __________ simplifies project

monitoring. Correct Answer(s): a. milestones

65. The __________ is considered the industry best practice as a project management approach. Correct Answer(s): a. PMBOK b. Project Management Body of Knowledge


66. The three methods for selecting or developing advanced technical training are by job

category, by job function, and by __________. Correct Answer(s): a. technology product

67. The goal of a security __________ program is to keep information security at the forefront

of users’ minds on a daily basis. Correct Answer(s): a. awareness

68. __________ is a phenomenon in which the project manager spends more time documenting

project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work. Correct Answer(s): a. Projectitis

69. [i] 1. In larger organizations, the person responsible for some aspect of information security; in smaller organizations, this title may be assigned to the only or senior security administrator. [g] 2. The structure and organization of the effort to manage risks to an organization’s information assets. [c] 3. Occurs when a project manager spends more time working in the project management software than accomplishing meaningful project work. [e] 4. An entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology. [h] 5. The technical specialists responsible for the implementation and administration of some security-related technology. [a] 6. A program designed to improve the security of information assets by providing targeted information, skills, and guidance for organizational employees. [f] 7. A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project. [d] 8. Typically considered the top information security officer in an organization. [j] 9. A way to keep InfoSec at the forefront of users’ minds on a daily basis. [b] 10. The expansion of the quantity or quality of project deliverables from the original project plan. a. SETA b. scope creep c. projectitis d. CISO e. security watchstander


f. critical path method g. InfoSec program h. security technicians i. security manager j. security awareness program

70. Explain the conflict between the goals and objectives of the CIO and the CISO. Correct Answer:

The CIO, as the executive in charge of the organization’s technology, manages the efficiency in the processing and accessing of the organization’s information. Anything that limits access or slows information processing directly contradicts the CIO’s mission. On the other hand, the CISO functions more like an internal auditor, with the information security department examining existing systems to discover information security faults and flaws in technology, software, and employees’ activities and processes. At times, these activities may disrupt the processing and accessing of the organization’s information. 71. What is the security education, training, and awareness program? Describe how the program aims to enhance security. Correct Answer:

The security education, training, and awareness (SETA) program is designed to reduce the occurrence of accidental security breaches by members of the organization. The program aims to enhance security in three ways:- By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems - By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely - By improving awareness of the need to protect system resources

72. List the steps of the seven-step methodology for implementing training. Correct Answer:

The seven-step methodology for implementing training is as follows:Step 1: Identify program scope, goals, and objectives. Step 2: Identify training staff. Step 3: Identify target audiences. Step 4: Motivate management and employees. Step 5: Administer the program. Step 6: Maintain the program. Step 7: Evaluate the program.


73. What are some of the variables that determine how a given organization chooses to construct its InfoSec program? Correct Answer:

Among the variables that determine how a given organization chooses to structure its information security (InfoSec) program are organizational culture, size, security personnel budget, and security capital budget. 74. What are the four areas into which it is recommended to separate the functions of security? Correct Answer:

Functions performed by nontechnology business units outside the IT area of managementcontrol Functions performed by IT groups outside the InfoSec area of management control Functions performed within the InfoSec department as a customer service to the organization and its external partners Functions performed within the InfoSec department as a compliance enforcement obligation

75. Which security functions are normally performed by IT groups outside the InfoSec area of management control? Correct Answer:

Systems security administrationNetwork security administration Centralized authentication

76. What components of the security program are described as preparing for contingencies and disasters? Correct Answer:

Business plan, identify resources, develop scenarios, develop strategies, test and revise plan 77. What is the chief information security officer primarily responsible for? Correct Answer:

The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization’s information. 78. What is the role of help desk personnel in the InfoSec team? Correct Answer:


An important part of the InfoSec team is the help desk, which enhances the security team’s ability to identify potential problems. When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user’s problem may turn out to be related to a bigger problem, such as a hacker, a DoS attack, or a virus.Because help desk technicians perform a specialized role in InfoSec, they need specialized training. These staff members must be prepared to identify and diagnose both traditional technical problems and threats to InfoSec. Their ability to do so may cut precious hours off of an incident response.

79. What is the purpose of a security awareness program? What advantage does an awareness program have for the InfoSec program? Correct Answer:

A security awareness program keeps InfoSec at the forefront of users’ minds on a daily basis. Awareness serves to instill a sense of responsibility and purpose in employees who handle and manage information, and it leads employees to care more about their work environment. 80. What minimum attributes for project tasks does the WBS document? Correct Answer:

Work to be accomplished (activities and deliverables)Individuals (or skill set) assigned to perform the task Start and end dates for the task (when known) Amount of effort required for completion in hours or work days Estimated capital expenses for the task Estimated noncapital expenses for the task Identification of dependencies between and among tasks


CHAPTER 6 1. Having an established risk management program means that an organization's assets are completely protected. a. True *b. False

2. The IT community often takes on the leadership role in addressing risk. a. True *b. False

3. MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof. a. True *b. False

4. Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked. *a. True b. False

5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. *a. True b. False

6. When operating any kind of organization, a certain amount of debt is always involved. __________ a. True *b. False

7. Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. __________ a. True *b. False


8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. __________

a. True *b. False

9. The recognition, enumeration, and documentation of risks to an organization’s information assets is known as risk control. __________

a. True *b. False

10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. __________ a. True *b. False

11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. __________ a. True *b. False

12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ___________ a. True *b. False

13. The information technology management community of interest often takes on the leadership role in addressing risk. __________ a. True *b. False

14. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. __________


a. True *b. False

15. The degree to which a current control can reduce risk is also subject to calculation error. __________ a. True *b. False

16. For an organization to manage its InfoSec risk properly, managers should understand how

information is __________. a. collected b. processed c. transmitted *d. all of these are needed

17. The Risk Management Framework includes all of the following EXCEPT: a. executive governance and support b. framework design *c. process contingency planning d. continuous improvement

18. Which of these denotes the overall structure of the strategic planning and design for the

entirety of the organization’s RM efforts? *a. RM framework b. RM process c. RM initiative d. RM leadership

19. Which of these denotes the identification, analysis, evaluation, and treatment of risk to

information assets? a. RM framework *b. RM process c. RM initiative d. RM leadership

20. Factors that affect the external context and impact the RM process, its goals, and its

objectives include the following EXCEPT: *a. the organization's governance structure


b. the legal/regulatory/compliance environment—laws, regulations, industrystandards c. the business environment—customers, suppliers, competitors d. the threat environment—threats, known vulnerabilities, attack vectors

21. Which of the following is not a role of managers within the communities of interest in

controlling risk? a. general management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization *c. legal management must develop corporate-wide standards d. InfoSec management must lead the way with skill, professionalism, and flexibility

22. Which of the following is NOT a task performed by the governance group during the

framework design phase, in cooperation with the framework team? a. ensuring compliance with all legal and regulatory statutes and mandates b. guiding the development of, and formally approving, the RM policy c. recommending performance measures for the RM effort and ensuring that theyare

compatible with other performance measures in the organization *d. specifying who will supervise and perform the RM process

23. The __________ converts the instructions and perspectives provided to the RM framework

team into cohesive guidance that structures and directs all subsequent risk management efforts. *a. risk management policy b. enterprise information security policy c. risk control implementation policy d. risk management board directive

24. Once the members of the RM framework team have been identified, the governance group

should communicate all of the following for the overall RM program EXCEPT: *a. its personnel structure b. its desired outcomes c. its priorities d. its intent

25. A well-defined risk appetite should have the following characteristics EXCEPT: *a. It is not limited by stakeholder expectations. b. It acknowledges a willingness and capacity to take on risk. c. It is documented as a formal risk appetite statement. d. It is reflective of all key aspects of the business.


26. The quantity and nature of risk that organizations are willing to accept as they evaluate the

trade-offs between perfect security and unlimited accessibility is known as __________. a. residual risk *b. risk appetite c. risk acceptance d. risk avoidance

27. What is the risk to information assets that remains even after current controls have been

applied? *a. residual risk b. risk appetite c. risk tolerance d. risk avoidance

28. What is the assessment of the amount of risk an organization is willing to accept for a

particular information asset? a. residual risk b. risk appetite *c. risk tolerance d. risk avoidance

29. Which of the following activities is part of the risk identification process? a. determining the likelihood that vulnerable systems will be attacked by specific threats b. calculating the severity of risks to which assets are exposed in their current setting *c. assigning a value to each information asset d. documenting and reporting the findings of risk analysis

30. Which of the following is a network device attribute that may be used in conjunction with

DHCP, making asset identification using this attribute difficult? a. part number b. serial number c. MAC address *d. IP address

31. Factors that affect the internal context and impact the RM process, its goals, and its

objectives include the following EXCEPT:


a. The organization’s governance structure b. The organization’s culture c. The maturity of the organization’s information security program *d. The threat environment—threats, known vulnerabilities, attack vectors

32. Which of the following attributes does NOT apply to software information assets? a. serial number b. controlling entity c. manufacturer name *d. product dimensions

33. Which of the following is an attribute of a network device built into the network interface? a. serial number *b. MAC address c. IP address d. model number

34. Which of the following distinctly identifies an asset and can be vital in later analysis of

threats directed to specific models of certain devices or software components? a. name b. MAC address c. serial number *d. manufacturer’s model or part number

35. Data classification schemes should categorize information assets based on which of the

following? a. value and uniqueness *b. sensitivity and security needs c. cost and replacement value d. ease of reproduction and fragility

36. Classification categories must be mutually exclusive and which of the following? a. repeatable b. documentable *c. comprehensive d. selective

37. What is the final step in the risk identification process?


a. assessing values for information assets b. classifying and categorizing assets c. identifying and inventorying assets *d. ranking assets in order of importance

38. Once an information asset is identified, categorized, and classified, what must also be

assigned to it? a. asset tag *b. relative value c. location ID d. threat risk

39. What should you be armed with to adequately assess potential weaknesses in each

information asset? *a. properly classified inventory b. audited accounting spreadsheet c. intellectual property assessment d. list of known threats

40. Which of the following is an example of a technological obsolescence threat? a. hardware equipment failure b. unauthorized access *c. outdated servers d. malware

41. Rather than making the effort to conduct a detailed assessment of the cost of recovery from

an attack when estimating the danger from possible threats, organizations often __________. *a. create a subjective ranking based on anticipated recovery costs b. estimate cost from past experience c. leave the value empty until later in the process d. use a consultant to calculate an exact value

42. What is defined as specific avenues that threat agents can exploit to attack an information

asset? a. liabilities b. defenses *c. vulnerabilities d. obsolescence


43. Which of the following activities is part of the risk evaluation process? a. creating an inventory of information assets b. classifying and organizing information assets into meaningful groups c. assigning a value to each information asset *d. calculating the severity of risks to which assets are exposed in their current setting

44. What should the prioritized list of assets and their vulnerabilities and the prioritized list of

threats facing the organization be combined to create? a. risk exposure report *b. threats-vulnerabilities-assets worksheet c. costs-risks-prevention database d. threat assessment catalog

45. The organization can perform risk determination using certain risk elements, including all

but which of the following? *a. legacy cost of recovery b. impact (consequence) c. likelihood of threat event (attack) d. element of uncertainty

46. An estimate made by the manager using good judgment and experience can account for

which factor of risk assessment? a. risk determination b. assessing potential loss c. likelihood and consequences *d. uncertainty

47. Which of the following is NOT among the typical columns in the risk rating worksheet? *a. uncertainty percentage b. impact c. risk-rating factor d. likelihood

48. The identification, analysis, and evaluation of risk in an organization describes which of the

following? *a. risk assessment


b. risk determination c. risk management d. risk reduction

49. An understanding of the potential consequences of a successful attack on an

information asset by a threat is known as __________. *a. impact b. likelihood c. uncertainty d. tolerance

50. The state of having limited or imperfect knowledge of a situation, making it less likely that

organizations can successfully anticipate future events or outcomes, is known as __________. a. impact b. likelihood *c. uncertainty d. tolerance

51. The probability that a specific vulnerability within an organization will be attacked by a

threat is known as __________. a. impact *b. likelihood c. uncertainty d. tolerance

52. The risk assessment deliverable titled __________ serves to rank-order each threat to the

organization’s information assets according to criteria developed by the organization. a. information asset value weighted table analysis b. risk ranking worksheet *c. threat severity weighted table analysis d. TVA controls worksheet

53. __________ is the risk assessment deliverable that assigns a value to each TVA

triple, incorporating likelihood, impact, and possibly a measure of uncertainty. a. information asset value weighted table analysis *b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet


54. __________ is the risk assessment deliverable that places each information asset into a

ranked list according to its value based on criteria developed by the organization. *a. information asset value weighted table analysis b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet

55. In the area of risk management, process communications is the necessary information flow

within and between all of the following EXCEPT: *a. the corporate change control officer b. the governance group c. the RM framework team d. the RM process team during implementation

56. Risk __________ is the process of discovering and assessing the risks to an organization’s

operations and determining how those risks can be mitigated. Correct Answer(s): a. management

57. Assessing risks includes determining the __________ that vulnerable systems will be

attacked by specific threats. Correct Answer(s): a. likelihood b. probability

58. Classification categories must be __________ and mutually exclusive. Correct Answer(s): a. comprehensive

59. As each information asset is identified, categorized, and classified, a __________ value

must also be assigned to it. Correct Answer(s): a. relative

60. As part of the risk identification process, listing the assets in order of importance can be

achieved by using a weighted __________ worksheet.


Correct Answer(s): a. factor analysis b. factor c. table analysis d. table

61. The evaluation and reaction to risk to the entire organization is known as __________. Correct Answer(s): a. enterprise risk management (ERM) b. enterprise risk management c. ERM

62. Risk __________ is an approach to combining risk identification, risk analysis, and

risk evaluation into a single strategy. Correct Answer(s): a. assessment

63. The document designed to regulate organizational efforts related to the identification,

assessment, and treatment of risk to information assets is known as the RM __________. Correct Answer(s): a. policy

64. The quantity and nature of risk that organizations are willing to accept as they evaluate the

trade-offs between perfect security and unlimited availability is known as risk __________. Correct Answer(s): a. appetite

65. The assessment of the amount of risk an organization is willing to accept for a particular

information asset is known as risk __________. Correct Answer(s): a. tolerance

66. The recognition, enumeration, and documentation of risks to an organization’s information

assets is known as risk __________. Correct Answer(s): a. identification

67. An evaluation of the threats to information assets, including a determination of their

likelihood of occurrence and potential impact of an attack, is known as threat __________.


Correct Answer(s): a. assessment

68. [d] 1. Occurs when a manufacturer performs an upgrade to a hardware component at the customer’s premises. [j] 2. The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level. [h] 3. The quantity and nature of risk that organizations are willing to accept. [f] 4. Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair. [i] 5. An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy. [a] 6. Remains even after the current control has been applied. [b] 7. The recognition, enumeration, and documentation of risks to an organization’s information assets. [g] 8. An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization. [c] 9. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures. [e] 10. Labels that must be comprehensive and mutually exclusive. a. residual risk b. risk identification c. qualitative assessment d. field change order e. classification categories f. risk rating worksheet g. threat assessment h. risk appetite i. risk assessment j. risk management

69. Briefly describe any three standard categories of information assets and their respective risk management components. Correct Answer:

- The people asset is divided into internal personnel (employees) and external personnel(nonemployees). Insiders are further divided into those employees who hold trusted roles and therefore have correspondingly greater authority and accountability and those regular staff members who do not have any special privileges. Outsiders consist of other users who have access to the organization’s information assets, some trusted and some untrusted. - Procedures are assets because they are used to create value for the organization. They


are divided into (1) IT and business standard procedures and (2) IT and business-sensitive procedures. - The data asset includes information in all states: transmission, processing, and storage. This is an expanded use of the term “data,” which is usually associated with databases, not the full range of information used by modern organizations. - Software is divided into applications, operating systems, and security components. Software that provides security controls may fall into the operating systems or applications category, but is differentiated by the fact that it is part of the InfoSec control environment and must therefore be protected more thoroughly than other systems components. - Hardware is divided into (1) the usual systems devices and their peripherals and (2) the devices that are part of InfoSec control systems. The latter must be protected more thoroughly than the former. - Networking components include networking devices (such as firewalls, routers, and switches) and the systems software within them, which is often the focal point of attacks. Successful attacks can continue against systems connected to the networks.

70. For the purposes of relative risk assessment, how is risk calculated? Correct Answer:

Risk equals likelihood of vulnerability occurrence multiplied by value (or impact), minus percentage risk already controlled, plus an element of uncertainty. 71. What does it mean to "know the enemy" with respect to risk management? Correct Answer:

Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu’s second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization’s information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets. 72. What strategic role do the InfoSec and IT communities play in risk management? Explain. Correct Answer:

InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk.


IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.

73. What are the included tasks in the identification of risks? Correct Answer:

Creating an inventory of information assetsClassifying and organizing those assets meaningfully Assigning a value to each information asset Identifying threats to the cataloged assets Pinpointing vulnerable assets by tying specific threats to specific assets

74. Describe the use of an IP address when deciding which attributes to track for each information asset. Correct Answer:

This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult. 75. How should the initial inventory be used when classifying and categorizing assets? Correct Answer:

The inventory should reflect the sensitivity and security priority assigned to each informationasset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs.

76. Why is threat identification so important in the process of risk management? Correct Answer:

Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.


CHAPTER 7 1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. *a. True b. False

2. The defense risk treatment strategy may be accomplished by outsourcing to other organizations. a. True *b. False

3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. *a. True b. False

4. Unlike many other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. *a. True b. False

5. The ISO 27005 Standard for InfoSec Risk Management has a five-stage management methodology that includes risk treatment and risk communication. *a. True b. False

6. The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk treatment strategy, also known as the avoidance strategy. __________ a. True *b. False

7. The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk treatment strategy. __________


a. True *b. False

8. The risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk treatment strategy. __________ *a. True b. False

9. The risk treatment strategy that indicates the organization is willing to accept the current level of risk and do nothing further to protect an information asset is known as the termination risk treatment strategy. ____________ a. True *b. False

10. The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk treatment strategy. ____________ *a. True b. False

11. In a cost-benefit analysis, the expected frequency of an attack expressed on a per-year basis is known as the annualized risk of likelihood. __________ a. True *b. False

12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). __________ *a. True b. False

13. An examination of how well a particular solution is supportable given the organization’s current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility. __________ a. True *b. False


14. A progression is a measurement of current performance against which future performance will be compared. __________

a. True *b. False

15. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. __________ *a. True b. False

16. Because even the implementation of new technologies does not necessarily guarantee an

organization can gain or maintain a competitive lead, the concept of __________ has emerged as organizations strive not to fall behind technologically. *a. competitive disadvantage b. future shock c. competitive advantage d. innovation hedge

17. Treating risk begins with which of the following? *a. an understanding of risk treatment strategies b. applying controls and safeguards that eliminate risk c. understanding the consequences of choosing to ignore certain risks d. rethinking how services are offered

18. Application of training and education among other approach elements is a common method

of which risk treatment strategy? a. mitigation *b. defense c. acceptance d. transferal

19. Each of the following is a recommendation from the FDIC when creating a successful SLA

EXCEPT: a. determining objectives *b. forecasting costs c. defining requirements


d. setting measurements

20. Which of the following risk treatment strategies describes an organization’s attempt to shift

risk to other assets, other processes, or other organizations? a. acceptance b. avoidance *c. transference d. mitigation

21. Which of the following risk treatment strategies describes an organization’s efforts to

reduce damage caused by a realized incident or disaster? a. acceptance b. avoidance c. transference *d. mitigation

22. Strategies to reestablish operations at the primary site after an adverse event threatens

continuity of business operations are covered by which of the following plans in the mitigation control approach? a. incident response plan b. business continuity plan *c. disaster recovery plan d. damage control plan

23. The only use of the acceptance strategy that is recognized as valid by industry

practices occurs when the organization has done all but which of the following? a. determined the level of risk posed to the information asset b. performed a thorough cost-benefit analysis *c. determined that the costs to control the risk to an information asset are much lower

than the benefit gained from the information asset d. assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability 24. Which of the following can be described as the quantity and nature of risk that organizations

are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. residual risk *b. risk appetite c. risk assurance


d. risk termination

25. The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual

risk in line with an organization’s risk appetite. a. de minimus *b. zero c. its theoretical minimum d. below the cost-benefit break-even point

26. All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT:

a. When a vulnerability exists in an important asset, implement security controls to

reduce the likelihood of a vulnerability being exploited. *b. When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else’s responsibility. c. When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. d. When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss. 27. Which of the following is NOT a valid rule of thumb on risk treatment strategy selection? a. When a vulnerability exists: Implement security controls to reduce the likelihood of a

vulnerability being exploited. b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. *c. When the attacker’s potential gain is less than the costs of attack: Apply protections to decrease the attacker’s cost or reduce the attacker’s gain by using technical or operational controls. d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss. 28. Once a control strategy has been selected and implemented, what should be done on an

ongoing basis to determine its effectiveness and to estimate the remaining risk? a. analysis and adjustment b. review and reapplication *c. monitoring and measurement d. evaluation and funding


29. When vulnerabilities have been controlled to the degree possible, what is the remaining risk

that has not been completely removed, shifted, or planned for? *a. residual risk b. risk appetite c. risk assurance d. risk tolerance

30. The financial savings from using the defense risk treatment strategy to implement a control

and eliminate the financial ramifications of an incident is known as __________. a. probability estimate *b. cost avoidance c. risk acceptance premium d. asset valuation

31. Also known as an economic feasibility study, the formal assessment and presentation of the

economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as __________. a. annualized loss expectancy (ALE) *b. cost-benefit analysis (CBA) c. single loss expectancy (SLE) d. annualized rate of occurrence (ARO)

32. The process of assigning financial value or worth to each information asset is known as

__________. a. probability estimate b. cost estimation c. risk acceptance premium *d. asset valuation

33. Which of the following affects the cost of a control? a. liability insurance b. CBA report c. asset resale *d. maintenance

34. Each of the following is an item that affects the cost of a particular risk treatment strategy

EXCEPT:


a. cost of maintenance (labor expense to verify and continually test, maintain, train, and

update) b. cost of development or acquisition (hardware, software, and services) c. cost of implementation (installing, configuring, and testing hardware, software, and services) *d. cost of IT operations (keeping systems operational during the period of treatment strategy development) 35. By multiplying the asset value by the exposure factor, you can calculate which of the

following? a. annualized cost of the safeguard *b. single loss expectancy c. value to adversaries d. annualized loss expectancy

36. Each of the following is a commonly used quantitative approach for asset valuation

EXCEPT: a. value to owners *b. value to competitors c. value retained from past maintenance d. value to adversaries

37. What is the result of subtracting the postcontrol annualized loss expectancy and the

annualized cost of the safeguard from the precontrol annualized loss expectancy? *a. cost-benefit analysis b. exposure factor c. single loss expectancy d. annualized rate of occurrence

38. Which of the following determines how well a proposed treatment will address user

acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders? a. behavioral feasibility b. political feasibility c. technical feasibility *d. operational feasibility

39. Which of the following determines acceptable practices based on consensus and

relationships among the communities of interest?


a. organizational feasibility *b. political feasibility c. technical feasibility d. operational feasibility

40. Which of the following determines whether the organization already has or can acquire the

technology necessary to implement and support the proposed treatment? a. organizational feasibility b. political feasibility *c. technical feasibility d. operational feasibility

41. Which of the following determines how well the proposed InfoSec treatment alternatives

will contribute to the efficiency, effectiveness, and overall operation of an organization? *a. organizational feasibility b. political feasibility c. technical feasibility d. behavioral feasibility

42. Which of the following is NOT an alternative to using CBA to justify risk controls? a. benchmarking b. due care and due diligence *c. selective risk avoidance d. the gold standard

43. In which technique does a group rate or rank a set of information, compile the results, and

repeat until everyone is satisfied with the result? a. OCTAVE b. FAIR c. hybrid measures *d. Delphi

44. Which alternative risk management methodology is a process promoted by the Computer

Emergency Response Team (CERT) Coordination Center (www.cert.org) that has three variations for different organizational needs, including one known as ALLEGRO? *a. OCTAVE b. FAIR c. ANDANTE


d. DOLCE

45. The Microsoft Risk Management Approach includes four phases; which of the following is

NOT one of them? a. conducting decision support b. implementing controls *c. evaluating alternative strategies d. measuring program effectiveness

46. Which of the following is not a step in the FAIR risk management framework? a. identify scenario components b. evaluate loss event frequency *c. assess control impact d. derive and articulate risk

47. What does FAIR rely on to build the risk management framework that is unlike many other

risk management frameworks? *a. qualitative assessment of many risk components b. quantitative valuation of safeguards c. subjective prioritization of controls d. risk analysis estimates

48. The ISO 27005 Standard for Information Security Risk Management includes all but which

of the following stages? a. risk assessment b. risk treatment c. risk communication *d. risk determination

49. Which international standard provides a structured methodology for evaluating threats to

economic performance in an organization and was developed using the Australian/New Zealand standard AS/NZS 4360:2004 as a foundation? a. ISO 27001 b. ISO 27005 c. NIST SP 800-39 *d. ISO 31000

50. The NIST risk management approach includes all but which of the following elements?


*a. inform b. assess c. frame d. respond

51. NIST’s Risk Management Framework follows a three-tiered approach, with most

organizations working from the top down, focusing first on aspects that affect the entire organization, such as __________. *a. governance b. information and information flows c. policy d. environment of operation

52. Which of the following is NOT one of the methods noted for selecting the best risk

management model? *a. Use the methodology most similar to what is currently in use. b. Study known approaches and adapt one to the specifics of the organization. c. Hire a consulting firm to provide a proprietary model. d. Hire a consulting firm to develop a proprietary model.

53. To keep up with the competition, organizations must design and create a __________

environment in which business processes and procedures can function and evolve effectively. Correct Answer(s): a. secure

54. The __________ risk treatment strategy attempts to shift the risk to other assets, processes,

or organizations. Correct Answer(s): a. transference b. transfer

55. The risk treatment strategy that seeks to reduce the impact of a successful attack through the

use of IR, DR, and BC plans is __________. Correct Answer(s): a. mitigation b. mitigate


56. The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in

line with an organization’s risk __________. Correct Answer(s): a. appetite

57. When a vulnerability (flaw or weakness) exists in an important asset, implement security

controls to reduce the likelihood of a vulnerability being __________. Correct Answer(s): a. exploited

58. __________ is the financial savings from using the defense risk treatment strategy

to implement a control and eliminate the financial ramifications of an incident. Correct Answer(s): a. Cost avoidance

59. The approach known as the avoidance strategy is more properly known as the __________

risk treatment strategy. Correct Answer(s): a. defense

60. The __________ risk treatment strategy attempts to eliminate or reduce any remaining

uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of a successful attack on an information asset. Correct Answer(s): a. defense

61. The __________ risk treatment strategy indicates the organization is willing to accept the

current level of residual risk. Correct Answer(s): a. acceptance

62. The __________ risk treatment strategy eliminates all risk associated with an information

asset by removing it from service. Correct Answer(s): a. termination


63. In a cost-benefit analysis, the calculated value associated with the most likely loss from an

attack (impact) is known as __________. It is the product of the asset’s value and the exposure factor. Correct Answer(s): a. single loss expectancy (SLE) b. single loss expectancy c. SLE

64. As part of the CBA, __________ is the value to the organization of using controls to

prevent losses associated with a specific vulnerability. Correct Answer(s): a. benefit

65. An examination of how well a particular solution is supportable given the organization’s

current technological infrastructure and resources is known as __________. Correct Answer(s): a. technical feasibility

66. [h] 1. The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization. [a] 2. A risk treatment strategy that indicates the organization is willing to accept the current level of risk, is making a conscious decision to do nothing to protect an information asset from risk, and accepts the outcome from any resulting exploitation. [i] 3. A risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. [f] 4. A process of assigning financial value or worth to each information asset. [d] 5. The quantity and nature of risk that organizations are willing to accept. [g] 6. An examination of how well a particular solution fits within the organization’s strategic planning objectives and goals. [b] 7. A risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation. [e] 8. The calculated value associated with the most likely loss from a single attack. [j] 9. The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident. [c] 10. A risk treatment strategy that eliminates all risk associated with an information asset by removing it from service. a. acceptance risk treatment strategy


b. mitigation risk treatment strategy c. termination risk treatment strategy d. risk appetite e. single loss expectancy f. asset valuation g. organizational feasibility h. cost-benefit analysis i. defense risk treatment strategy j. cost avoidance 67. Briefly describe the five basic strategies to control risk that result from vulnerabilities. Correct Answer:

Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk Transference—Shifting risks to other areas or to outside entities Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control Termination—Removing or discontinuing the information asset from the organization’s operating environment

68. Explain two practical guidelines to follow in risk treatment strategy selection. Correct Answer:

- When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.- When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. - When the attacker’s potential gain is greater than the costs of attack: Apply protections to increase the attacker’s cost or reduce the attacker’s gain by using technical or managerial controls. - When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

69. Once an organization has estimated the worth of various assets, what three questions must be asked to calculate the potential loss from the successful exploitation of a vulnerability?


Correct Answer:

What damage could occur, and what financial impact would it have?What would it cost to recover from the attack, in addition to the financial impact of damage? What is the single loss expectancy for each risk?

70. What does the result of a CBA determine? the CBA?

What is the formula for

Correct Answer:

The CBA determines whether the benefit from a control alternative is worth the associated cost of implementing and maintaining the control. The formula for calculating the CBA is:

CBA = ALE (precontrol) - ALE (postcontrol) - ACS where ALE (precontrol) = ALE of the risk before the implementation of the control ALE (postcontrol) = ALE examined after the control has been in place for a period of time ACS = annual cost of the safeguard

71. Describe operational feasibility. Correct Answer:

Operational feasibility refers to user acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders. Operational feasibility is also known as behavioral feasibility. An important aspect of systems development is obtaining user buy-in on projects. If the users do not accept a new technology, policy, or program, it will inevitably fail. 72. Discuss three alternatives to feasibility analysis. Correct Answer:

- Benchmarking is the process of seeking out and studying the practices used in other organizations that produce the results you desire in your organization. When benchmarking, an organization typically uses either metrics-based or process-based measures.- Due care and due diligence occur when an organization adopts a certain minimum level of security equal to what any prudent organization would do in similar circumstances. - Best business practices are those thought to be among the best in the industry, balancing the need to access information with adequate protection.


- The gold standard is for ambitious organizations in which the best business practices are not sufficient. These organizations aspire to set the standard for their industry, and are thus said to be in pursuit of the gold standard. - Government recommendations and best practices are useful for organizations that operate in industries regulated by governmental agencies. Government recommendations, which are, in effect, requirements, can also serve as excellent sources for information about what some organizations may be doing or are required to do to control information security risks. - A baseline is derived by comparing measured actual performance against established standards for the measured category.

73. Describe the use of hybrid assessment to create a quantitative assessment of asset value. Correct Answer:

The hybrid assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures. Hybrid assessment uses scales rather than specific estimates. For example, a scale might range from 0, representing no chance of occurrence, to 10, representing almost certain occurrence. 74. What is the OCTAVE Method approach to risk management? Correct Answer:

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls. This process can enable an organization to measure itself against known or accepted good security practices and then establish an organization-wide protection strategy and InfoSec risk mitigation plan. 75. What are the four phases of the Microsoft risk management strategy? Correct Answer:

1. Assessing risk2. Conducting decision support 3. Implementing controls 4. Measuring program effectiveness

76. What are the four stages of a basic FAIR analysis? Correct Answer:

Stage 1—Identify Scenario ComponentsStage 2—Evaluate Loss Event Frequency (LEF) Stage 3—Evaluate Probable Loss Magnitude (PLM) Stage 4—Derive and Articulate Risk


CHAPTER 8 1. In information security, a security blueprint is a framework or security model customized to an organization, including implementation details. *a. True b. False

2. The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. a. True *b. False

3. Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. a. True *b. False

4. Lattice-based access control specifies the level of access each subject has to each object, if any. *a. True b. False

5. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors. a. True *b. False

6. The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks is known as minimal access. a. True *b. False

7. In information security, a framework or security model customized to an organization, including implementation details, is known as a template. __________


a. True *b. False

8. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. __________ a. True *b. False

9. The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. __________ a. True *b. False

10. The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. __________ a. True *b. False

11. A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. __________ a. True *b. False

12. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as required privilege. __________ a. True *b. False

13. The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks is known as needto-know. __________ *a. True b. False


14. In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). __________ a. True *b. False

15. A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. __________ *a. True b. False

16. Dumpster exploitation is an information attack that involves searching through a target organization’s trash and recycling bins for sensitive information. __________ a. True *b. False

17. In information security, a framework or security model customized to an organization,

including implementation details, is a _________. a. security standard b. methodology c. security policy *d. blueprint

18. Which of the following is a generic model for a security program? *a. framework b. methodology c. security standard d. blueprint

19. In information security, a specification of a model to be followed during the design,

selection, and initial and ongoing implementation of all subsequent security controls is known as a __________. *a. framework b. security plan c. security standard d. blueprint


20. Which of the following is the original purpose of ISO/IEC 17799? a. Use within an organization to obtain a competitive advantage b. Implementation of business-enabling information security c. Use within an organization to ensure compliance with laws and regulations *d. To offer guidance for the management of InfoSec to individuals responsible for

their organization’s security programs 21. When the ISO 27002 standard was first proposed, several countries, including the United

States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them? a. It was not as complete as other frameworks. b. The standard lacked the measurement precision associated with a technical standard. c. The standard was hurriedly prepared. *d. It was feared it would lead to government intrusion into business matters.

22. One of the most widely referenced InfoSec management models, known as

Information Technology—Code of Practice for Information Security Management, is also known as __________. *a. ISO 27002 b. IEC 27100 c. NIST SP 800-12 d. IEEE 801

23. The managerial tutorial equivalent of NIST SP 800-12, providing overviews of the roles and

responsibilities of a security manager in the development, administration, and improvement of a security program, is NIST __________. *a. SP 800-100: Information Security Handbook: A Guide for Managers (2007) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal

Information Systems (2006) c. SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) d. SP 800-110, Rev. 1: Manager's Introduction to Information Security (2016) 24. Which NIST publication describes the philosophical guidelines that the security team should

integrate into the entire InfoSec process, beginning with “Security supports the mission of the organization”? a. SP 800-12, Rev. 1: An Introduction to Information Security (2017) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal

Information Systems (2006)


*c. SP 800-14: Generally Accepted Principles and Practices for Securing Information

Technology Systems (1996) d. SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008) 25. This NIST publication provides information on the elements of InfoSec, key roles and

responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its use, among other topics needed for a foundation in InfoSec. *a. SP 800-12, Rev. 1: An Introduction to Information Security (2017) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal

Information Systems (2006) c. SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems (2010) d. SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008) e.

26. Which of the following provides advice about the implementation of sound controls and

control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? *a. COBIT b. COSO c. NIST d. ISO

27. Although COBIT was designed to be an IT __________ and management structure, it

includes a framework to support InfoSec requirements and assessment needs. *a. governance b. policy c. auditing d. awareness

28. The COSO framework is built on five interrelated components. Which of the following is

NOT one of them? a. control environment b. risk assessment c. control activities *d. InfoSec governance

29. The Information Technology Infrastructure Library (ITIL) is a collection of methods and

practices primarily for __________.


*a. managing the development and operation of IT infrastructures b. operation of IT control systems to improve security c. managing the security infrastructure d. developing secure Web applications

30. The Information Security __________ is a managerial model provided by an industry

working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization. *a. Governance Framework b. Security Blueprint c. Risk Model d. Compliance Architecture

31. Which piece of the Trusted Computing Base's security system manages access controls? a. trusted computing base *b. reference monitor c. covert channel d. verification module

32. Which security architecture model is part of a larger series of standards collectively referred

to as the “Rainbow Series”? a. Bell-LaPadula *b. TCSEC c. ITSEC d. Common Criteria

33. Under the Common Criteria, which term describes the user-generated specifications for

security requirements? a. Target of Evaluation (ToE) *b. Protection Profile (PP) c. Security Target (ST) d. Security Functional Requirements (SFRs)

34. Which access control principle specifies that no unnecessary access to data exists by

regulating members so they can perform only the minimum data manipulation necessary? a. need-to-know b. eyes only *c. least privilege


d. separation of duties

35. What is the information security principle that requires significant tasks to be split up so that

more than one individual is required to complete them? a. need-to-know b. eyes only c. least privilege *d. separation of duties

36. Which access control principle limits a user’s access to the specific information required to

perform the currently assigned task? *a. need-to-know b. eyes only c. least privilege d. separation of duties

37. Controls that remedy a circumstance or mitigate damage done during an incident are

categorized as which of the following? a. preventative b. deterrent *c. corrective d. compensating

38. Which of the following is NOT a category of access control? a. preventative *b. mitigating c. deterrent d. compensating

39. Which control category discourages an incipient incident—e.g., video monitoring? a. preventative *b. deterrent c. remitting d. compensating

40. An information attack that involves searching through a target organization’s trash and

recycling bins for sensitive information is known as __________.


a. rubbish surfing b. social engineering *c. dumpster diving d. trash trolling

41. Which of the following is NOT one of the three levels in the U.S. military data classification

scheme for National Security Information? a. confidential b. secret c. top secret *d. for official use only

42. Which of the following specifies the authorization level that each user of an information

asset is permitted to access, subject to the need-to-know principle? a. discretionary access controls b. task-based access controls *c. security clearances d. sensitivity levels

43. Under lattice-based access controls, the column of attributes associated with a particular

object (such as a printer) is referred to as which of the following? *a. access control list b. capabilities table c. access matrix d. sensitivity level

44. Which type of access controls can be role-based or task-based? a. constrained b. content-dependent *c. nondiscretionary d. discretionary

45. In which form of access control is access to a specific set of information contingent on its

subject matter? *a. content-dependent access controls b. constrained user interfaces c. temporal isolation d. none of these


46. An ATM that limits what kinds of transactions a user can perform is an example of which

type of access control? a. content-dependent *b. constrained user interface c. temporal isolation d. nondiscretionary

47. A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface *c. temporal isolation d. nondiscretionary

48. Which security architecture model is based on the premise that higher levels of integrity are

more worthy of trust than lower ones? a. Clark-Wilson b. Bell-LaPadula c. Common Criteria *d. Biba

49. Which of the following is NOT a change control principle of the Clark-Wilson model? a. no changes by unauthorized subjects b. no unauthorized changes by authorized subjects *c. no changes by authorized subjects without external validation d. the maintenance of internal and external consistency

50. In information security, a framework or security model customized to an organization,

including implementation details, is known as a(n) __________. Correct Answer(s): a. blueprint

51. In information security, a specification of a model to be followed during the design,

selection, and initial and ongoing implementation of all subsequent security controls is known as a(n) __________. Correct Answer(s): a. framework


52. To design a security program, an organization can use a(n) __________, which is a generic

outline of the more thorough and organization-specific blueprint. Correct Answer(s): a. security model b. framework

53. In the COSO framework, __________ activities include those policies and procedures that

support management directives. Correct Answer(s): a. control

54. ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and

how to set up a(n) __________. Correct Answer(s): a. information security management system b. ISMS

55. __________ channels are unauthorized or unintended methods of communications hidden

inside a computer system, including storage and timing channels. Correct Answer(s): a. Covert

56. __________ channels are TCSEC-defined covert channels that communicate by

modifying a stored object, such as in steganography. Correct Answer(s): a. Storage

57. Within TCB, a conceptual piece of the system that manages access controls—in other

words, it mediates all access to objects by subjects—is known as a __________. Correct Answer(s): a. reference monitor

58. Under TCSEC, the combination of all hardware, firmware, and software responsible for

enforcing the security policy is known as the __________. Correct Answer(s): a. trusted computing base (TCB)


b. TCB c. trusted computing base

59. The __________ principle is based on the requirement that people are not allowed to view

data simply because it falls within their level of clearance. Correct Answer(s): a. need to know b. need-to-know

60. The selective method by which systems specify who may use a particular resource and how

they may use it is called __________. Correct Answer(s): a. access control

61. The data access principle that ensures no unnecessary access to data exists by regulating

members so they can perform only the minimum data manipulation necessary is called __________. Correct Answer(s): a. least privilege

62. [e] 1. Controls access to a specific set of information based on its content. [a] 2. A TCSEC-defined covert channel, which transmits information by managing the relative timing of events. [j] 3. Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme. [g] 4. A framework or security model customized to an organization, including implementation details. [h] 5. A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user. [f] 6. Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy. [c] 7. Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion. [b] 8. Controls implemented at the discretion or option of the data user. [d] 9. One of the TCSEC’s covert channels, which communicate by modifying a stored object. [i] 10. Access is granted based on a set of rules specified by the central authority. a. timing channel b. DAC c. separation of duties


d. storage channel e. content-dependent access controls f. TCB g. blueprint h. task-based controls i. rule-based access controls j. sensitivity levels

63. What are the five principles that are focused on the governance and management of IT, as specified by COBIT 5? Correct Answer:

Principle 1: Meeting Stakeholder NeedsPrinciple 2: Covering the Enterprise End-to-End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management

64. Access controls are built on three key principles. briefly define them.

List and

Correct Answer:

Least privilege: The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. Need-to-know: Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function.

Separation of duties: A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion.

65. According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in what three categories? Correct Answer:

Effectiveness and efficiency of operationsReliability of financial reporting Compliance with applicable laws and regulations

66. There are seven access control methodologies categorized by their inherent characteristics. List and briefly define them.


Correct Answer:

• Directive—Employs administrative controls, such as policy and training, designed to proscribe certain user behavior in the organization • Deterrent—Discourages or deters an incipient incident; an example would be signs that indicate video monitoring • Preventative—Helps an organization avoid an incident; an example would be the requirement for strong authentication in access controls • Detective—Detects or identifies an incident or threat when it occurs; for example, anti-malware software • Corrective—Remedies a circumstance or mitigates damage done during an incident; for example, changes to a firewall to block the recurrence of a diagnosed attack • Recovery—Restores operating conditions back to normal; for example, data backup and recovery software • Compensating—Resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks

67. One approach used to categorize access control methodologies is based on the controls' operational impact on the organization. What are these categories, as described by NIST? Correct Answer:

ManagementOperational (or administrative) Technical

68. What is the data classification for information deemed to be National Security Information for the U.S. military, as specified in 2009 by Executive Order 13526? Correct Answer:

The U.S. military uses a three-level classification scheme for information deemed to be National Security Information (NSI), as defined in Executive Order 13526 in 2009. Here are the classifications along with descriptions from the document: 1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe. 2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe. 3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.


69. When copies of classified information are no longer valuable or too many copies exist, what steps should be taken to destroy them properly? Why? Correct Answer:

When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly, usually after double signature verification. Documents should be destroyed by means of shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure that no classified information is inappropriately disposed of in trash or recycling areas. Otherwise, people who engage in dumpster diving, the retrieval of information from refuse or recycling bins, may compromise the security of the organization’s information assets. 70. Lattice-based access controls use a two-dimensional matrix to assign authorizations. What are the two dimensions and what are they called? Correct Answer:

Lattice-based access control specifies the level of access each subject has to each object, if any. With this type of control, the column of attributes associated with a particular object (such as a printer) is referred to as an access control list (ACL). The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table. 71. Under what circumstances should access controls be centralized as opposed to decentralized? Correct Answer:

One area of discussion among practitioners is whether access controls should be centralized or decentralized. A collection of users with access to the same data typically has a centralized access control authority, even under a DAC model. The level of centralization appropriate to a given situation varies by organization and the type of information protected. The less critical the protected information, the more controls tend to be decentralized. When critical information assets are being protected, the use of a highly centralized access control toolset is indicated. 72. What are the two primary access modes of the Bell-LaPadula model and what do they restrict? Correct Answer:

BLP access modes can be one of two types: simple security and the * (star) property. Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (no read up).

The * property (the write property), on the other hand, prohibits a high-level subject from sending messages to a lower-level object. In short, subjects can read down and objects can write or append up (no write down).


CHAPTER 9

1. Temporary workers—often called temps—may not be subject to the contractual obligations or general policies that govern other employees. *a. True b. False

2. Using a practice called baselining, you are able to compare your organization’s efforts to those of other organizations you feel are similar in size, structure, or industry. a. True *b. False

3. A company striving for “best security practices” makes every effort to establish security program elements that meet every minimum standard in their industry. a. True *b. False

4. One question you should ask when choosing among recommended practices is “Can your organization afford to implement the recommended practice?” *a. True b. False

5. Performance measurements are seldom required in today’s regulated InfoSec environment. a. True *b. False

6. ISO 27001 certification is only available to companies that do business internationally. a. True *b. False

7. One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. __________


*a. True b. False

8. The biggest barrier to baselining in InfoSec is the fact that many organizations do not share information about their attacks with other organizations. __________ a. True *b. False

9. Collusion is the requirement that every employee be able to perform the work of at least one other employee. __________ a. True *b. False

10. Standardization is an attempt to improve information security practices by comparing an organization’s efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. __________ a. True *b. False

11. Two-person control is the requirement that all critical tasks can be performed by multiple individuals. _________ a. True *b. False

12. Recommended or best practices are those security efforts that seek to provide a superior level of performance in the protection of information. __________ *a. True b. False

13. A security metric is an assessment of the performance of some action or process against which future performance is assessed. __________ a. True *b. False

14. A standard of due process is a legal standard that requires an organization and its employees to act as a “reasonable and prudent”


individual or organization would under similar circumstances. __________ a. True *b. False

15. Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial— implemented in the organization are known as progress measurements. __________ a. True *b. False

16. A requirement that all employees take time off from work, which allows the organization to audit the individual’s areas of responsibility, is known as a mandatory vacation policy. __________ *a. True b. False

17. A(n) credit check can uncover past criminal behavior or other information that suggests a potential for future misconduct or a vulnerability that might render a job candidate susceptible to coercion or blackmail. __________ a. True *b. False

18. A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known as racketeering. __________ a. True *b. False

19. When hiring security personnel, which of the following should be conducted before the

organization extends an offer to any candidate, regardless of job level? a. new hire orientation b. covert surveillance c. organizational tour *d. background check

20. Which of the following is NOT a common type of background check that may be performed

on a potential employee?


a. identity *b. political activism c. motor vehicle records d. drug history

21. Employees pay close attention to job __________, and including InfoSec tasks in them will

motivate employees to take more care when performing these tasks. *a. performance evaluations b. descriptions c. quarterly reports d. vacation requests

22. Employees new to an organization should receive an extensive InfoSec briefing that

includes all of the following EXCEPT: *a. signing the employment contract b. security policies c. security procedures d. access levels

23. Incorporating InfoSec components into periodic employee performance evaluations can

__________. *a. heighten InfoSec awareness b. frighten employees c. demotivate workers d. reduce compliance to policy

24. Which of the following is NOT a task that must be performed if an employee is terminated? a. former employee must return all media *b. former employee’s home computer must be audited c. former employee’s office computer must be secured d. former employee should be escorted from the premises

25. Which of the following policies requires that every employee be able to perform the work of

at least one other staff member? a. collusion *b. job rotation c. two-person control d. separation of duties


26. Which of the following policies requires that two individuals review and approve each

other’s work before the task is considered complete? a. task rotation *b. two-person control c. separation of duties d. job rotation

27. Which of the following policies makes it difficult for an individual to violate InfoSec and is

quite useful in monitoring financial affairs? a. task rotation b. mandatory vacations *c. separation of duties d. job rotation

28. Organizations are required by privacy laws to protect sensitive or personal

employee information, including __________. *a. personally identifiable information (PII) b. corporate financial information c. internal business contact information d. employee salaries

29. Contract employees—or simply contractors—should not be allowed to do what? a. Work on the premises. *b. Wander freely in and out of facilities. c. Visit the facility without an escort. d. Be compensated based on hourly rates.

30. Workers typically hired to perform specific services for the organization and hired via a

third-party organization are known as __________. a. temporary workers b. consultants *c. contract employees d. business partners

31. If a temporary worker (temp) violates a policy or causes a problem, what is the strongest

action that the host organization can usually take, depending on the SLA? a. Nothing, the organization has no control over temps.


*b. Terminate the relationship with the individual and request that he or she be

censured. c. Fine the temp or force the temp to take unpaid leave, like permanent employees. d. Sue the temp agency for cause, demanding reparations for the actions of the temp. 32. Which of the following terms is described as the process of designing, implementing, and

managing the use of the collected data elements to determine the effectiveness of the overall security program? *a. performance management b. baselining c. best practices d. standards of due care/diligence

33. Organizations must consider all but which of the following during development and

implementation of an InfoSec measurement program? a. Measurements must yield quantifiable information. b. Data that supports the measures needs to be readily obtainable. c. Only repeatable InfoSec processes should be considered for measurement. *d. Measurements must be useful for tracking non-compliance by internal personnel.

34. Which of the following is NOT a factor critical to the success of an information security

performance program? a. strong upper-level management support *b. high level of employee buy-in c. quantifiable performance measurements d. results-oriented measurement analysis

35. Which of the following is NOT one of the types of InfoSec performance measures used by

organizations? a. those that determine the effectiveness of the execution of InfoSec policy b. those that determine the effectiveness and/or efficiency of the delivery of InfoSec

services *c. those that evaluate the frequency with which employees access internal security documents d. those that assess the impact of an incident or other security event on the organizationor its mission


36. Which of the following is NOT a question a CISO should be prepared to answer before

beginning the process of designing, collecting, and using performance measurements, according to Kovacich? a. Why should these measurements be collected? b. Where will these measurements be collected? *c. What affect will measurement collection have on efficiency? d. Who will collect these measurements?

37. The InfoSec measurement development process recommended by NIST is divided into two

major activities. Which of the following is one of them? a. development and selection of qualified personnel to gauge the implementation,

effectiveness, efficiency, and impact of the security controls *b. identification and definition of the current InfoSec program c. maintenance of the vulnerability management program d. comparison of organizational practices against similar organizations 38. InfoSec measurements collected from production statistics depend greatly on which of the

following factors? a. types of performance measures developed *b. number of systems and users of those systems c. number of monitored threats and attacks d. activities and goals implemented by the business unit

39. Which of the following is NOT a phase in the NIST InfoSec performance measures

development process? *a. Identify relevant stakeholders and their interests in InfoSec measurement. b. Integrate the organization’s process improvement activities across all business areas. c. Identify and document the InfoSec performance goals and objectives that

would guide security control implementation for the InfoSec program. d. Review any existing measurements and data repositories that can be used toderive measurement data.

40. One of the fundamental challenges in InfoSec performance measurement is defining what? a. interested stakeholders *b. effective security c. appropriate performance measures d. the proper assessment schedule


41. NIST recommends the documentation of performance measurements in a standardized

format to ensure ____________. a. the suitability of performance measure selection b. the effectiveness of performance measure corporate reporting *c. the repeatability of measurement development, customization, collection, and

reporting activities d. the acceptability of the performance measurement program by upper management 42. Which of the following is a possible result of failure to establish and maintain standards of

due care and due diligence? a. baselining *b. legal liability c. competitive disadvantage d. certification revocation

43. Which of the following is NOT a consideration when selecting recommended best

practices? a. threat environment is similar b. resource expenditures are practical c. organization structure is similar *d. same certification and accreditation agency or standard

44. Creating a blueprint by looking at the paths taken by organizations similar to the one whose

plan you are developing is known as which of the following? *a. benchmarking b. corporate espionage c. baselining d. due diligence

45. What do you call the legal requirements that an organization must adopt a standard based on

what a prudent organization should do, and then maintain that standard? a. certification and accreditation b. best practices *c. due care and due diligence d. baselining and benchmarking

46. Problems with benchmarking include all but which of the following? a. Organizations don’t often share information on successful attacks.


b. Organizations being benchmarked are seldom identical. c. Recommended practices change and evolve, so past performance is no indicator of

future success. *d. Benchmarking doesn’t help in determining the desired outcome of the security process. 47. Which of the following is NOT a question to be used as a self-assessment for recommended

security practices in the category of people? a. Do you perform background checks on all employees with access to sensitive

data,areas, or access points? *b. Are the user accounts of former employees immediately removed on termination? c. Would the typical employee recognize a security issue? d. Would the typical employee know how to report a security issue to the right people?

48. The ISO certification process takes approximately six to eight weeks and involves all of the

following steps EXCEPT: *a. rejection of the certification application based on lack of compliance or failure to

remediate shortfalls b. initial assessment of the candidate organization’s InfoSec management systems, procedures, policies, and plans c. writing of a manual documenting all procedural compliance d. presentation of certification by the certification organization

49. The benefits of ISO certification to organizations include all of the following EXCEPT: *a. increased opportunities for government contracts b. reduced costs associated with incidents c. smoother operations resulting from more clearly defined processes and

responsibilities d. improved public image of the organization, as certification implies increased trustworthiness

50. The benefits of ISO certification to an organization's employees include all of the following

EXCEPT: *a. reduced employee turnover due to misinterpreted security policies and practices b. lower risk of accidents and incidents associated with critical or sensitive information c. employee confidence in organizational security practices d. improved productivity and job satisfaction from more clearly defined InfoSec roles

and responsibilities


51. The organization of a task or process so it requires at least two individuals to work together

to complete is known as __________ control. Correct Answer(s): a. two-person b. two person c. two man d. two-man

52. A conspiracy or cooperation between two or more individuals or groups to commit illegal or

unethical actions is known as __________. Correct Answer(s): a. collusion

53. The requirement that all critical tasks can be performed by multiple individuals is known as

__________. Correct Answer(s): a. task rotation

54. The requirement that every employee be able to perform the work of at least one other

employee is known as __________. Correct Answer(s): a. job rotation

55. A requirement that all employees take time off from work, which allows the organization to

audit the individual’s areas of responsibility, is known as __________ vacation policy. Correct Answer(s): a. mandatory

56. Best security practices balance the need for user __________ to information with the need

for adequate protection while simultaneously demonstrating fiscal responsibility. Correct Answer(s): a. access

57. A practice related to benchmarking is __________, which is a measurement against a prior

assessment or an internal goal. Correct Answer(s): a. baselining


58. __________ encompasses a requirement that the implemented standards continue to provide

the required level of protection. Correct Answer(s): a. Due diligence

59. A goal of 100 percent employee InfoSec training as an objective for the training program is

an example of a performance __________. Correct Answer(s): a. target b. measure c. metric

60. The last phase in NIST performance measures implementation is to apply __________

actions, which closes the gap found in Phase 2. Correct Answer(s): a. corrective

61. [g] 1. The actions that demonstrate that an organization has made a valid effort to protect others and that the implemented standards continue to provide the required level of protection. [i] 2. A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions. [a] 3. A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances. [j] 4. The requirement that every employee be able to perform the work of at least one other employee. [h] 5. The requirement that all critical tasks can be performed by multiple individuals. [d] 6. The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization. [f] 7. An attempt to improve information security practices by comparing an organization’s efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate. [b] 8. Workers brought in by organizations to fill positions for a short time or to supplement the existing workforce. [e] 9. Workers hired to perform specific services for the organization. [c] 10. An assessment of the performance of some action or process against which future performance is assessed. a. standard of due care


b. temporary workers c. baseline d. performance measurements e. contract employees f. benchmarking g. due diligence h. task rotation i. collusion j. job rotation

62. When choosing from recommended practices, an organization should consider a number of questions. List four. Correct Answer:

Does your organization resemble the target organization of the recommended practice?Are you in a similar industry as the target of the recommended practice? Do you face similar challenges as the target of the recommended practice? Is your organizational structure similar to the target of the recommended practice? Can your organization expend resources at the level required by the recommended practice? Is your threat environment similar to the one assumed by the recommended practice?

63. List the four factors critical to the success of an InfoSec performance program, according to NIST SP 800-55, Rev. 1. Correct Answer:

Strong upper-level management supportPractical InfoSec policies and procedures Quantifiable performance measurements Results-oriented measurement analysis

64. Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer several questions posed by Kovacich. List four of these questions. Correct Answer:

Why should these statistics be collected?What specific statistics will be collected? How will these statistics be collected? When will these statistics be collected? Who will collect these statistics? At what point in the function’s process will these statistics be collected?


65. The process of implementing a performance measures program recommended by NIST involves six phases. List and describe them. Correct Answer:

Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets (gap analysis). Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on overall risk mitigation goals, and selecting the most appropriate corrective actions. Phase 4: Develop the business case. Phase 5: Obtain resources; address the budgeting cycle for acquiring resources needed to implement remediation actions identified in Phase 3. Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.

66. What are the two major activities into which the InfoSec measurement development process recommended by NIST is divided? Correct Answer:

1. Identification and definition of the current InfoSec program2. Development and selection of specific measurements to gauge the implementation, effectiveness, efficiency, and impact of the security controls

67. On what elements do measurements collected from production statistics greatly depend? Explain your answer. Correct Answer:

Measurements collected from production statistics depend greatly on the number of systemsand the number of users of those systems. As the number of systems changes and/or the number of system users changes, the effort to maintain the same level of service will vary.

68. Why is measurement prioritization and selection important? it be achieved?

How can

Correct Answer:

Because organizations seem to better manage what they measure, it is important to ensure that individual metrics are prioritized in the same manner as the processes that they measure. This can be achieved with a simple low-, medium-, or high-priority ranking system or a weighted scale approach, which would involve assigning values to each measurement based on its importance in the context of the overall InfoSec program and in the overall risk-mitigation goals and criticality of the systems.


69. Why must you do more than simply list the InfoSec measurements collected when reporting them? Explain. Correct Answer:

In most cases, simply listing the measurements collected does not adequately convey their meaning. For example, a line chart showing the number of malicious code attacks occurring per day may communicate a basic fact, but unless the reporting mechanism can provide the context— for example, the number of new malicious code variants on the Internet in that time period—the measurement will not serve its intended purpose. In addition, you must make decisions about how to present correlated metrics—whether to use pie, line, bar, or scatter charts, and which colors denote which kinds of results. 70. Briefly describe at least five types of background checks. Correct Answer:

- Identity checks: personal identity validation- Education and credential checks: institutions attended, degrees and certifications earned, and certification status - Previous employment verification: where candidates worked, why they left, what they did, and for how long - Reference checks: validity of references and integrity of reference sources - Worker’s compensation history: claims from worker’s compensation - Motor vehicle records: driving records, suspensions, and other items noted in the applicant’s public record - Drug history: drug screening and drug usage, past and present - Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position - Credit history: credit problems, financial problems, and bankruptcy - Civil court history: involvement as the plaintiff or defendant in civil suits - Criminal court history: criminal background, arrests, convictions, and time served

71. Briefly describe the two outprocessing methods of handling employees who leave their positions at a company. Correct Answer:

Hostile departure (usually involuntary), including termination, downsizing, lay-off, or quitting: Security cuts off all logical and keycard access before the employee is terminated. As soon as the employee reports for work, he or she is escorted into the supervisor’s office to receive the bad news. The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects under supervision. No organizational property is allowed to leave the premises, including diskettes, pens, papers, or books. Terminated employees can submit, in writing, a list of the property they wish to retain, stating their reasons for doing so. Once personal


property has been gathered, the employee is asked to surrender all keys, keycards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building. Friendly departure (voluntary) for retirement, promotion, or relocation: The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee’s access and information usage. Employee accounts are usually allowed to continue, with a new expiration date. The employee can come and go at will and usually collects any belongings and leaves without escort. The employee is asked to drop off all organizational property before departing.


CHAPTER 10

1. In most organizations, the COO is responsible for creating the IR plan. a. True *b. False

2. When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan. a. True *b. False

3. A hot site is a fully configured computing facility that includes all services, communications links, and physical plant operations. *a. True b. False

4. In a cold site there are only rudimentary services, with no computer hardware or peripherals. *a. True b. False

5. Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster. a. True *b. False

6. When performing full-interruption testing, normal operations of the business are not impacted. a. True *b. False

7. The simplest kind of validation, the desk check, involves distributing copies of the appropriate plans to all individuals who will be assigned roles during an actual incident or disaster. *a. True b. False


8. An alert digest is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. __________ a. True *b. False

9. A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery. __________ a. True *b. False

10. Patch and proceed is an organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker’s identification and prosecution. __________ *a. True b. False

11. A slow-onset disaster occurs over time and gradually degrades the capacity of an organization to withstand its effects. __________ *a. True b. False

12. Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster. __________ *a. True b. False

13. The Hartford insurance company estimates that, on average, __________ businesses that

don’t have a disaster plan go out of business after a major loss like a fire, a break-in, or a storm. *a. over 40 percent of b. at least 60 percent of c. about 20 percent of d. two percent of

14. Contingency planning is primarily focused on developing __________.


*a. plans for unexpected adverse events b. policies for breach notifications c. plans for normal operations d. policies for normal operation

15. The actions taken by senior management to specify the organization’s efforts and actions if

an adverse event becomes an incident or disaster are known as __________. a. risk management *b. contingency planning c. business impact d. disaster readiness

16. Which of the following is the first component in the contingency planning process? a. business continuity training b. disaster recovery planning *c. business impact analysis d. incident response planning

17. The team responsible for designing and managing the IR plan by specifying the

organization’s preparation, reaction, and recovery from incidents is known as the __________. a. contingency planning management team (CPMT) b. disaster recovery planning team (DRPT) *c. computer security incident response team (CSIRT) d. incident response planning team (IRPT)

18. The group of senior managers and project members organized to conduct and lead all CP

efforts is known as the __________. a. contingency planning management team (CPMT) b. disaster recovery planning team (DRPT) *c. crisis management planning team (CMPT) d. incident response planning team (IRPT)

19. What is the final stage of the business impact analysis when using the NIST SP 800-34

approach? a. Identify resource requirements. b. Identify business processes. c. Determine mission/business processes and recovery criticality. *d. Identify recovery priorities for system resources.


20. Which of the following is a mathematical tool that is useful in assessing the relative

importance of business functions based on criteria selected by the organization? *a. weighted table analysis b. BIA questionnaire c. recovery time organizer d. MTD comparison

21. At what point in the incident life cycle is the IR plan initiated? a. before an incident takes place b. after the DRP is activated *c. when an incident is detected that affects the organization d. after the BCP is activated

22. Which of the following is NOT a major component of contingency planning? a. incident response b. disaster recovery c. business continuity *d. threat assessment

23. According to NIST’s SP 800-34, Rev. 1, which of the following is NOT one of the stages of

the business impact assessment? *a. Calculate asset valuation and combine with the likelihood and impact of potential

attacks in a TVA worksheet. b. Determine mission/business processes and recovery criticality. c. Identify resource requirements. d. Identify recovery priorities for system resources.

24. The total amount of time the system owner or authorizing official is willing to accept for a

business process outage or disruption, including all impact considerations, is known as __________. *a. maximum tolerable downtime (MTD) b. recovery point objective (RPO) c. work recovery time (WRT) d. recovery time objective (RTO)

25. The maximum amount of time that a system resource can remain unavailable before there is

an unacceptable impact on other system resources and supported business processes is known as __________.


a. maximum tolerable downtime (MTD) b. recovery point objective (RPO) c. work recovery time (WRT) *d. recovery time objective (RTO)

26. A useful tool for resolving the issue of what business function is the most critical, based on

criteria selected by the organization, is the __________. *a. weighted table analysis or weighted factor analysis b. threats-vulnerability-assets worksheet or TVA c. business impact assessment or BIA d. critical patch method assessment or CPMA

27. Which of the following is the first major task in the BIA, according to NIST SP 800-34,

Rev. 1? a. Calculate asset valuation and combine with the likelihood and impact of potential

attacks in a TVA worksheet. *b. Determine mission/business processes and recovery criticality. c. Identify resource requirements. d. Identify recovery priorities for system resources.

28. The amount of effort (expressed as elapsed time) needed to make business functions work

again after the technology element is recovered is known as __________. a. minimum tolerable downtime (MTD) b. recovery point objective (RPO) *c. work recovery time (WRT) d. recovery time objective (RTO)

29. Which of the following NIST Cybersecurity Framework (CSF) stages relates to reacting to

an incident? a. Identify b. Detect *c. Respond d. Protect

30. Which of the following NIST Cybersecurity Framework (CSF) stages relates to

implementation of effective security controls (policy, education, training and awareness, and technology)? a. Identify


b. Detect c. Respond *d. Protect

31. Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)? a. Identify b. Detect c. Recover *d. React

32. Which of the following is a backup method that uses bulk batch transfer of data to an off-

site facility and is usually conducted via leased lines or secure Internet connections? a. database shadowing b. timesharing c. traditional backups *d. electronic vaulting

33. Which of the following refers to the backup of data to an off-site facility in close to real

time based on transactions as they occur? *a. remote journaling b. electronic vaulting c. database shadowing d. timesharing

34. Which of the following is the process of examining a possible incident and determining

whether it constitutes an actual incident? *a. incident classification b. incident identification c. incident registration d. incident verification

35. Which of the following is a "possible" indicator of an actual incident, according to Donald

Pipkin? *a. unusual consumption of computing resources b. activities at unexpected times c. presence of hacker tools d. reported attacks


36. Which of the following is a definite indicator of an actual incident, according to Donald

Pipkin? a. unusual system crashes b. reported attack c. presence of new accounts *d. use of dormant accounts

37. The steps in IR are designed to: *a. stop the incident, mitigate incident effects, provide information for recovery from

the incident b. control legal exposure, avoid unfavorable media attention, and minimize impact on stock prices c. delay the incident progress, backtrack the attack to its source IP, and apprehend the intruder d. stop the incident, inventory affected systems, and determine appropriate losses for insurance settlement 38. Which of the following determines the scope of the breach of confidentiality, integrity, and

availability of information and information assets? a. incident report *b. incident damage assessment c. information loss assessment d. damage report

39. Which of the following is an organizational CP philosophy for overall approach to

contingency planning reactions? *a. protect and forget b. pre-action review c. transfer to local/state/federal law enforcement d. track, hack, and prosecute

40. Which of the following is a part of the incident recovery process? *a. identifying the vulnerabilities that allowed the incident to occur and spread b. determining the event’s impact on normal business operations and, if necessary,

making a disaster declaration c. supporting personnel and their loved ones during the crisis d. keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise


41. After an incident, but before returning to its normal duties, the CSIRT must do which of the

following? a. Create the incident damage assessment. *b. Conduct an after-action review. c. Restore data from backups. d. Restore services and processes in use.

42. Which of the following is the best example of a rapid-onset disaster? *a. flood b. hurricane c. famine d. environmental degradation

43. When a disaster renders the current business location unusable, which plan is put into

action? *a. business continuity b. crisis management c. incident response d. business impact analysis

44. In the event of an incident or disaster, which planning element is used to guide off-site

operations? a. project management *b. business continuity c. disaster recovery d. incident response

45. Which of the following is true about a hot site? a. It is an empty room with standard heating, air conditioning, and electrical service. b. It includes computing equipment and peripherals with servers but not client

workstations. *c. It duplicates computing resources, peripherals, phone systems, applications, and workstations. d. All communications services must be installed after the site is occupied. 46. In which type of site are no computer hardware or peripherals provided? *a. cold site b. warm site


c. timeshare d. hot site

47. Which of the following is a responsibility of the crisis management team? a. restoring the data from backups b. evaluating monitoring capabilities *c. keeping the public informed about the event and the actions being taken d. restoring the services and processes in use

48. In which contingency plan testing strategy do individuals follow each and every IR/DR/BC

procedure, including the disruption of service, restoration of data from backups, and notification of appropriate individuals? a. desk check b. simulation c. structured walk-through *d. full-interruption

49. In which contingency plan testing strategy do individuals participate in a role-playing

exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred? a. desk check *b. simulation c. structured walk-through d. parallel testing

50. A(n) __________ is an event with negative consequences that could threaten the

organization’s information assets or operations. Correct Answer(s): a. adverse event b. incident candidate

51. Effective contingency planning begins with effective __________. Correct Answer(s): a. policy

52. The four components of contingency planning are the __________, the incident response

plan, the disaster recovery plan, and the business continuity plan.


Correct Answer(s): a. BIA b. business impact analysis

53. A(n) __________ process is a task performed by an organization or one of its units in

support of the organization’s overall mission. Correct Answer(s): a. business

54. The __________ is the point in time before a disruption or system outage to which business

process data can be recovered after the outage, given the most recent backup copy of the data. Correct Answer(s): a. recovery point objective (RPO) b. recovery point objective c. RPO

55. If operations at the primary site cannot be quickly restored, the __________ occurs

concurrently with the DR plan, enabling the business to continue at an alternate site. Correct Answer(s): a. BCP b. business continuity plan c. BC plan

56. The __________ plan is a detailed set of processes and procedures that anticipate, detect,

and mitigate the effects of an unexpected event that might compromise information resources and assets. Correct Answer(s): a. incident response b. IR

57. A(n) __________ occurs when an attack affects information resources and/or assets,

causing actual damage or other disruptions. Correct Answer(s): a. incident

58. __________ is a backup technique that stores duplicate online transaction data along with

duplicate databases at the remote site on a redundant server. Correct Answer(s): a. Database shadowing


59. The bulk batch transfer of data to an off-site facility is known as __________. Correct Answer(s): a. electronic vaulting

60. The process of examining an adverse event or incident candidate and determining whether it

constitutes an actual incident is known as incident __________. Correct Answer(s): a. classification

61. A(n) __________ is a document containing contact information of the individuals to notify

in the event of an actual incident. Correct Answer(s): a. alert roster

62. A(n) _________ is a description of the incident or disaster that usually contains just

enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. Correct Answer(s): a. alert message

63. When dealing with an incident, the incident response team must conduct a(n) __________,

which entails a detailed examination of the events that occurred from first detection to final recovery. Correct Answer(s): a. after action review b. after-action review c. AAR

64. __________ planning ensures that critical business functions can continue if a disaster

occurs. Correct Answer(s): a. Business continuity b. BC

65. A(n) __________ is an agency that provides physical facilities for a fee, in the case of

DR/BC planning.


Correct Answer(s): a. service bureau

66. In __________ testing of contingency plans, the individuals follow each and every

procedure, including interruption of service, restoration of data from backups, and notification of appropriate individuals. Correct Answer(s): a. full-interruption b. full interruption

67. What are the major components of contingency planning? Correct Answer:

Business impact analysis (BIA)Incident response plan (IR plan) Disaster recovery plan (DR plan) Business continuity plan (BC plan)

68. What teams are involved in contingency planning and contingency operations? Correct Answer:

Contingency planning management teamIncident response team Disaster recovery team Business continuity team

69. Explain the difference between a business impact analysis and the risk management process. Correct Answer:

One of the fundamental differences between a BIA and the risk management process is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect the information. The BIA assumes that these controls have been bypassed, have failed, or have otherwise proved ineffective, that the attack succeeded, and that the adversity being defended against has come to fruition. 70. When undertaking the BIA, what should the organization consider? Correct Answer:

ScopePlan Balance Objective


Follow-up

71. List four of the eight key components of a typical IR policy. Correct Answer:

The key components of a typical IR policy are: - Statement of management commitment - Purpose and objectives of the policy - Scope of the policy - Definition of InfoSec incidents and related items - Organizational structure and delineation of roles, responsibilities, and levels of authorities - Prioritization of severity ratings of incidents - Performance measures - Reporting and contact forms

72. List the seven steps of the incident recovery process, according to Donald Pipkin. Correct Answer:

The incident recovery process involves the following steps:- Identify the vulnerabilities that allowed the incident to occur and spread. Resolve them. - Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace, or upgrade them. - Evaluate monitoring capabilities (if present). Improve detection and reporting methods, or install new monitoring capabilities. - Restore the data from backups. - Restore the services and processes in use. - Continuously monitor the system. - Restore the confidence of the organization’s communities of interest.

73. There are six key elements that the CP team must build into the DR plan. What are three of them? Correct Answer:

The key elements that the CP team must build in the DRP are:- Clear delegation of roles and responsibilities - Execution of the alert roster and notification of key personnel - Clear establishment of priorities - Procedures for documentation of the disaster - Action steps to mitigate the impact of the disaster on the operations of the organization


- Alternative implementations for the various systems components, should primary versions be unavailable

74. Compare and contrast a hot site, a warm site, and a cold site. Correct Answer:

Hot site—A hot site is a fully configured computer facility, with all services, communicationslinks, and physical plant operations. It duplicates computing resources, peripherals, phone systems, applications, and workstations. Essentially, this duplicate facility needs only the latest data backups and the personnel to function. If the organization uses an effective data service, a hot site can be fully functional within minutes.

Warm site—A warm site provides many of the same services and options as the hot site, but typically software applications are not included or are not installed and configured. A warm site frequently includes computing equipment and peripherals with servers but not client workstations. Overall, it offers many of the advantages of a hot site at a lower cost. The disadvantage is that several hours or days are required to make a warm site fully functional.

Cold site—A cold site provides only rudimentary services and facilities. No computer hardware or peripherals are provided. All communications services must be installed after the site is occupied. A cold site is an empty room with standard heating, air conditioning, and electrical service. Everything else is an added-cost option. Despite these disadvantages, a cold site may be better than nothing. Its primary advantage is its low cost.

75. What are the three roles performed by the crisis management team? Correct Answer:

Supporting personnel and their loved ones during the crisisKeeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

76. Discuss three of the five strategies that can be used to test contingency strategies. Correct Answer:

Desk check: The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components.

Full-interruption testing: The CP testing strategy in which all team members follow each IR/DR/


BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals.

Simulation: The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts.

Structured walk-through: The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event. A walk-through can also be conducted as a conference room talk-through.

Talk-through: A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.


CHAPTER 11

1. If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program will probably continue to work well. *a. True b. False

2. Over time, policies and procedures may become inadequate due to changes in the organization's mission and operational requirements, threats, or the environment. *a. True b. False

3. An effective information security governance program requires no ongoing review once it is well established. a. True *b. False

4. A general guideline for performance of hard drives suggests that when the amount of data stored on a particular hard drive averages 95% of available capacity for a prolonged period, you should consider an upgrade for the drive. a. True *b. False

5. Documentation procedures are not required for configuration and change management processes. a. True *b. False

6. A management model such as the ISO 27000 series deals with methods to maintain systems. a. True *b. False


7. External monitoring entails forming intelligence from various data sources and then giving that intelligence context and meaning for use by decision makers within the organization. *a. True b. False

8. US-CERT is generally viewed as the definitive authority for computer emergency response teams. *a. True b. False

9. Intelligence for external monitoring can come from a number of sources: vendors, CERT organizations, public network sources, and membership sites. *a. True b. False

10. Over time, external monitoring processes should capture information about the external environment in a format that can be referenced across the organization as threats emerge and for historical use. *a. True b. False

11. The internal monitoring domain is the component of the maintenance model that focuses on identifying, assessing, and managing the physical security of assets in an organization. a. True *b. False

12. Inventory characteristics for hardware and software assets that record the manufacturer and versions are related to technical functionality, and should be highly accurate and updated each time there is a change. *a. True b. False

13. The target selection step of Internet vulnerability assessment involves using the external monitoring intelligence to configure a test engine (such as Nessus) for the tests to be performed. a. True *b. False


14. An intranet vulnerability scan starts with the scan of the organization's default Internet search engine. a. True *b. False

15. All systems that are mission critical should be enrolled in platform security validation (PSV) measurement. *a. True b. False

16. Wireless vulnerability assessment begins with the planning, scheduling, and notification of all Internet connections, using software such as Wireshark. a. True *b. False

17. Remediation of vulnerabilities can be accomplished by accepting or transferring the risk, removing the threat, or repairing the vulnerability. *a. True b. False

18. The vulnerability database, like the risk, threat, and attack database, both stores and tracks information. *a. True b. False

19. In some instances, risk is acknowledged as being part of an organization’s business process. *a. True b. False

20. Threats cannot be removed without requiring a repair of the vulnerability. a. True *b. False


21. Policy needs to be reviewed and refreshed from time to time to ensure that it’s providing a current foundation for the information security program. *a. True b. False

22. Major planning components should be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate. *a. True b. False

23. Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing security personnel the opportunity to improve the security plan before it is needed. *a. True b. False

24. An effective information security governance program requires constant change. __________ a. True *b. False

25. The NIST SP 800-100 Information Security Handbook provides technical guidance for the establishment and implementation of an information security program. __________ a. True *b. False

26. The systems development life cycle (SDLC) is the overall process of developing, implementing, and retiring information systems through a multistep approach—from initiation to use. __________ a. True *b. False

27. For configuration management and control, it is important to document the proposed or actual changes in the system security plan. __________ *a. True b. False


28. Tracking monitoring involves assessing the status of the program as indicated by the database information and mapping it to standards established by the agency. __________ a. True *b. False

29. A user ticket is opened when a user calls about an issue. __________ a. True *b. False

30. In some organizations, asset management is the identification, inventory, and documentation of the current information system's status—hardware, software, and networking configurations. __________ a. True *b. False

31. CM assists in streamlining change management processes and prevents changes that could detrimentally affect the security posture of a system before they happen. __________ *a. True b. False

32. CERT stands for "computer emergency recovery team." __________ a. True *b. False

33. US-CERT is a set of moderated mailing lists full of detailed, fulldisclosure discussions and announcements about computer security vulnerabilities. It is sponsored in part by SecurityFocus. __________ a. True *b. False

34. Specific warning bulletins are issued when developing threats and specific assets pose a measurable risk to the organization. __________ a. True *b. False

35. The basic function of the external monitoring process is to monitor activity, report results, and escalate warnings. __________


*a. True b. False

36. The primary goal of the external monitoring domain is to maintain an informed awareness of the state of all the organization’s networks, information systems, and information security defenses. __________ a. True *b. False

37. Organizations should have a carefully planned and fully populated inventory of all their network devices, communication channels, and computing devices. __________ *a. True b. False

38. To be put to the most effective use, the information that comes from the IDPS must be integrated into the inventory process. __________ a. True *b. False

39. An example of the type of vulnerability exposed via traffic analysis occurs when an organization is trying to determine if all its device signatures have been adequately masked. __________ *a. True b. False

40. The process of identifying and documenting specific and provable flaws in the organization’s information asset environment is called vulnerability assessment (VA). __________ *a. True b. False

41. The internal vulnerability assessment is usually performed against every device that is exposed to the Internet, using every possible penetration testing approach. __________ a. True *b. False

42. You can document the results of the verification of a vulnerability by saving the results in what is called a(n) profile. __________


a. True *b. False

43. WLAN stands for "wide local area network." __________ a. True *b. False

44. The final process in the vulnerability assessment and remediation domain is the maintenance phase. __________ a. True *b. False

45. The best method of remediation in most cases is to repair a vulnerability. __________ *a. True b. False

46. The CISO uses the results of maintenance activities and the review of the information security program to determine if the status quo can adequately meet the threats at hand. __________ *a. True b. False

47. When possible, major incident response plan elements should be rehearsed. __________ *a. True b. False

48. A(n) war game puts a subset of plans in place to create a realistic test environment. __________ *a. True b. False

49. An affidavit is used as permission to search for evidentiary material at a specified location and/or to seize items to return to an investigator’s lab for examination after being signed by an approving authority. __________ a. True *b. False


50. __________ are a component of the "security triple." a. Threats b. Assets c. Vulnerabilities *d. All of the above

51. A(n) __________ item is a hardware or software item that is to be modified and revised

throughout its life cycle. a. revision b. update c. change *d. configuration

52. A __________ is the recorded condition of a particular revision of a software or hardware

configuration item. a. state *b. version c. configuration d. baseline

53. To maintain optimal performance, one typical recommendation suggests that when the

memory usage associated with a particular CPU-based system averages __________% or more over prolonged periods, you should consider adding more memory. a. 40 *b. 60 c. 10 d. 100

54. To evaluate the performance of a security system, administrators must establish system

performance __________. *a. baselines b. profiles c. maxima d. means

55. Control __________ baselines are established for network traffic and for firewall

performance and IDPS performance.


a. system b. application *c. performance d. environment

56. A primary mailing list for new vulnerabilities, called simply __________, provides time-

sensitive coverage of emerging vulnerabilities, documenting how they are exploited and reporting on how to remediate them. Individuals can register for the flagship mailing list or any one of the entire family of its mailing lists. a. Bugs b. Bugfix c. Buglist *d. Bugtraq

57. The __________ is a center of Internet security expertise and is located at the Software

Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. a. US-CERT b. Bugtraq c. CM-CERT *d. CERT/CC

58. The __________ Web site is home to the leading free network exploration tool, Nmap. *a. insecure.org b. Packet Storm c. Security Focus d. Snort-sigs

59. The __________ commercial site focuses on current security tool resources. a. Nmap-hackerz *b. Packet Storm c. Security Laser d. Snort-SIGs

60. The __________ mailing list includes announcements and discussion of a leading open-

source IDPS. a. Nmap-hackers b. Packet Storm


c. Security Focus *d. Snort

61. The optimum approach for escalation is based on a thorough integration of the monitoring

process into the __________. a. IDE b. CERT c. ERP *d. IRP

62. Detailed __________ on the highest risk warnings can include identifying which vendor

updates apply to which vulnerabilities as well as which types of defenses have been found to work against the specific vulnerabilities reported. a. escalation *b. intelligence c. monitoring d. elimination

63. A process called __________ examines the traffic that flows through a system and its

associated devices to identify the most frequently used devices. a. difference analysis *b. traffic analysis c. schema analysis d. data flow assessment

64. One approach that can improve the situational awareness of the information security

function is to use a process known as __________ to quickly identify changes to the internal environment. a. baselining *b. difference analysis c. differentials d. revision

65. __________ is used to respond to network change requests and network architectural design

proposals. *a. Network connectivity RA b. Dialed modem RA c. Application RA d. Vulnerability RA


66. The __________ is a statement of the boundaries of the RA. *a. scope b. disclaimer c. footer d. head

67. The __________ process is designed to find and document vulnerabilities that may be

present because there are misconfigured systems in use within the organization. a. ASP b. ISP c. SVP *d. PSV

68. __________, a level beyond vulnerability testing, is a set of security tests and evaluations

that simulate attacks by a malicious external source (hacker). *a. Penetration testing b. Penetration simulation c. Attack simulation d. Attack testing

69. Common vulnerability assessment processes include: a. Internet VA b. wireless VA c. intranet VA *d. all of these

70. __________ penetration testing is usually used when a specific system or network segment

is suspect and the organization wants the pen tester to focus on a particular aspect of the target. *a. White box b. Black box c. Gray box d. Green box

71. A step commonly used for Internet vulnerability assessment includes __________, which

occurs when the penetration test engine is unleashed at the scheduled time using the planned target list and test selection.


*a. scanning b. subrogation c. delegation d. targeting

72. The __________ vulnerability assessment is a process designed to find and document

selected vulnerabilities that are likely to be present on the organization's internal network. *a. intranet b. Internet c. LAN d. WAN

73. The __________ vulnerability assessment is designed to find and document vulnerabilities

that may be present in the organization’s wireless local area networks. *a. wireless b. phone-in c. battle-dialing d. network

74. __________ allows for major security control components to be reviewed on a periodic

basis to ensure that they are current, accurate, and appropriate. a. System review b. Project review *c. Program review d. Application review

75. Almost all aspects of a company’s environment are __________, meaning threats that were

originally assessed in the early stages of the project’s systems development life cycle have probably changed and new priorities have emerged. Correct Answer(s): a. dynamic

76. __________ is the process of reviewing the use of a system, not to check performance but to

determine if misuse or malfeasance has occurred. Correct Answer(s): a. Auditing

77. Organizations should perform a(n) __________ assessment of their information security

programs.


Correct Answer(s): a. periodic

78. A __________ configuration is a current record of the configuration of the information

system for use in comparisons to future states. Correct Answer(s): a. baseline

79. As the help desk personnel screen problems, they must also track the activities involved in

resolving each complaint in a help desk __________ system. Correct Answer(s): a. information

80. The objective of the external __________ domain within the maintenance model is to

provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs in order to mount an effective and timely defense. Correct Answer(s): a. monitoring

81. When an organization uses specific hardware and software products as part of its

information security program, the __________ external intelligence source often provides either direct support or indirect tools that allow user communities to support each other. Correct Answer(s): a. vendors b. vendor

82. The primary goal of the __________ monitoring domain is an informed awareness of the

state of all the organization’s networks, information systems, and information security defenses. Correct Answer(s): a. internal

83. The process of collecting detailed information about devices in a network is often referred

to as __________. Correct Answer(s): a. characterization


84. __________ interconnections are the network devices, communications channels, and

applications that may not be owned by the organization but are essential to the organization’s cooperation with another company. Correct Answer(s): a. Partner

85. A(n) __________ analysis is a procedure that compares the current state of a network

segment (the systems and services it offers) against a known previous state of that same network segment (the baseline of systems and services). Correct Answer(s): a. difference

86. The primary objective of the planning and __________ domain is to keep a lookout over the

entire information security program. Correct Answer(s): a. risk assessment

87. As each project nears completion, a(n) __________ risk assessment group reviews the

impact of the project on the organization’s risk profile. Correct Answer(s): a. operational

88. The primary goal of the vulnerability assessment and __________ domain is to identify

specific, documented vulnerabilities and remediate them in a timely fashion. Correct Answer(s): a. remediation

89. The __________ tester’s ultimate responsibility is to identify weaknesses in the security of

the organization’s systems and networks and then present findings to the system owners in a detailed report. Correct Answer(s): a. pen b. penetration

90. The __________ vulnerability assessment is designed to find and document vulnerabilities

that may be present in the organization's public network. Correct Answer(s): a. Internet


91. The analysis step of an Internet vulnerability assessment occurs when a knowledgeable and

experienced vulnerability analyst screens test results for __________ vulnerabilities logged during scanning. Correct Answer(s): a. candidate

92. A(n) __________ risk is one that is higher than the risk appetite of the organization. Correct Answer(s): a. significant

93. Proven cases of real vulnerabilities can be considered vulnerability __________. Correct Answer(s): a. instances

94. The __________ step in the intranet vulnerability assessment is identical to the one

followed in Internet vulnerability analysis. Correct Answer(s): a. record-keeping

95. The __________ vulnerability assessment is designed to find and document vulnerabilities

that may be present in the organization's wireless local area networks. Correct Answer(s): a. wireless

96. In __________ selection, all areas of the organization’s premises should be scanned with a

portable wireless network scanner. Correct Answer(s): a. target

97. An attacker's use of a laptop while driving around looking for open wireless connections is

often called war __________. Correct Answer(s): a. driving


98. The primary goal of the readiness and __________ domain is to keep the information

security program functioning as designed and improve it continuously over time. Correct Answer(s): a. review

99. Rehearsals that use plans as realistically as possible are called __________ games. Correct Answer(s): a. war

100. Why should agencies monitor the status of their programs? Correct Answer:

Agencies should monitor the status of their programs to ensure that:- Ongoing information security activities are providing appropriate support to the agency mission - Policies and procedures are current and aligned with evolving technologies, if appropriate - Controls are accomplishing their intended purpose

101. List the four steps to developing a CM plan. Correct Answer:

The four steps in developing the CM plan are:- Establish baselines - Identify configuration - Describe the configuration control process - Identify a schedule for configuration audits

102. List the five domains of the security maintenance model. Correct Answer:

The security maintenance model is based on five subject areas or domains:- External monitoring - Internal monitoring - Planning and risk assessment - Vulnerability assessment and remediation - Readiness and review


CHAPTER 12

1. Technical controls alone, when properly configured, can secure an IT environment. a. True *b. False

2. The “something a person has” authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics. a. True *b. False

3. A firewall is any device that prevents a specific type of information from moving between the untrusted network and the trusted network. *a. True b. False

4. Secure Shell (SSH) provides security for remote access connections over public networks by creating a secure and persistent connection. *a. True b. False

5. The KDC component of Kerberos knows the secret keys of all clients and servers on the network. *a. True b. False

6. Biometrics are the use of physiological characteristics to provide authentication of an identification. __________ *a. True b. False

7. A smart chip is an authentication component, similar to a dumb card, that contains a computer chip to verify and validate several pieces of information instead of just a PIN. __________ a. True


*b. False

8. The false accept rate is the rate at which fraudulent users or nonusers are allowed access to systems or areas as a result of a failure in the biometric device. __________ *a. True b. False

9. Boundary controls regulate the admission of users into trusted areas of the organization. __________ a. True *b. False

10. A password should be difficult to guess.

__________

*a. True b. False

11. A bollard host is a device placed between an external, untrusted network and an internal, trusted network. __________ a. True *b. False

12. Intense packet inspection is a firewall function that involves examining multiple protocol headers and even content of network traffic, all the way through the TCP/IP layers and including encrypted, compressed, or encoded data. __________ a. True *b. False

13. A packet filtering firewall is a networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules. __________ *a. True b. False

14. A validity table is a tabular record of the state and context of each packet in a conversation between an internal and external user or system. __________


a. True *b. False

15. The action level is a predefined assessment level of an IDPS that triggers a predetermined response when surpassed. __________ a. True *b. False

16. In an IDPS, a sensor is a piece of software that resides on a system and reports back to a management server. __________ *a. True b. False

17. In wireless networking, the waveprint is the geographic area in which there is sufficient signal strength to make a network connection. __________ a. True *b. False

18. A wireless access point is a device used to connect wireless networking users and their devices to the rest of the organization’s network(s). __________ *a. True b. False

19. In e-commerce situations, some cryptographic tools can be used for misrepresentation in order to assure that parties to the transaction are authentic, and that they cannot later deny having participated in a transaction. __________ a. True *b. False

20. A semialphabetic substitution cipher is one that incorporates two or more alphabets in the encryption process. __________ a. True *b. False

21. Which of the following access control processes confirms the identity of the entity seeking

access to a logical or physical area? a. identification


*b. authentication c. authorization d. accountability

22. Which of the following is NOT among the three types of authentication mechanisms? a. something a person knows b. something a person has *c. something a person says d. something a person can produce

23. Which of the following characteristics currently used for authentication purposes is the

LEAST unique? a. fingerprints b. iris c. retina *d. face geometry

24. The rate at which authentic users are denied or prevented access to authorized areas as a

result of a failure in the biometric device is known as the __________. a. reset error ratio *b. false reject rate c. crossover error rate d. false accept rate

25. Which of the following is a commonly used criterion for comparing and evaluating

biometric technologies? a. false accept rate *b. crossover error rate c. false reject rate d. valid accept rate

26. Which of the following biometric authentication systems is considered to be truly unique,

suitable for use, and currently cost-effective? a. gait recognition b. signature recognition c. voice pattern recognition *d. fingerprint recognition


27. Which of the following biometric authentication systems is the most accepted by users? a. keystroke pattern recognition b. fingerprint recognition *c. signature recognition d. retina pattern recognition

28. Which type of firewall keeps track of each network connection established between internal

and external systems? a. packet filtering *b. stateful packet inspection c. application layer d. cache server

29. The combination of a system's TCP/IP address and a service port is known as a

__________. a. portlet b. NAT c. packet *d. socket

30. Which type of device exists to intercept requests for information from external users and

provide the requested information by retrieving it from an internal server? a. dynamic packet filtering firewall *b. proxy server c. intrusion detection system d. application layer firewall

31. The intermediate area between trusted and untrusted networks is referred to as which of the

following? a. unfiltered area b. semi-trusted area *c. demilitarized zone d. proxy zone

32. Which type of device can react to network traffic and create or modify configuration rules to

adapt? *a. dynamic packet filtering firewall b. proxy server


c. intrusion detection system d. application layer firewall

33. Which technology employs sockets to map internal private network addresses to a public

address using one-to-many mapping? a. network-address translation b. screened-subnet firewall *c. port-address translation d. private address mapping

34. The bastion host is usually implemented as a __________, as it contains two network

interfaces: one that is connected to the external network and one that is connected to the internal network, such that all traffic must go through the device to move between the internal and external networks. a. state-linked firewall b. screened-subnet firewall *c. dual-homed host d. double bastion host

35. In the _________ firewall architecture, a single device configured to filter packets serves as

the sole security point between the two networks. a. state-managed firewall b. screened-subnet firewall c. single-homed firewall *d. single bastion host

36. Which of the following is true about firewalls and their ability to adapt in a network? a. Firewalls can interpret human actions and make decisions outside their programming. b. Because firewalls are not programmed like a computer, they are less error prone. c. Firewalls are flexible and can adapt to new threats. *d. Firewalls deal strictly with defined patterns of measured observation.

37. Which of the following is NOT one of the administrative challenges to the operation of

firewalls? a. training b. uniqueness *c. replacement d. responsibility


38. Which of the following is NOT a method employed by IDPSs to prevent an attack from

succeeding? *a. sending DoS packets to the source b. terminating the network connection c. reconfiguring network devices d. changing the attack’s content

39. Which type of IDPS is also known as a behavior-based intrusion detection system? a. network-based *b. anomaly-based c. host-based d. signature-based

40. In an IDPS, a piece of software that resides on a system and reports back to a management

server is known as a(n) __________. a. agent b. sensor *c. Both of these are correct. d. Neither of these is correct.

41. Which type of IDPS works like antivirus software? a. network-based b. anomaly-based c. host-based *d. signature-based

42. Which tool can best identify active computers on a network? a. packet sniffer *b. port scanner c. trap and trace d. honey pot

43. What is the next phase of the pre-attack data gathering process after an attacker has

collected all of an organization’s Internet addresses? a. footprinting b. content filtering c. deciphering


*d. fingerprinting

44. What tool would you use if you want to collect information as it is being transmitted on the

network and analyze the contents for the purpose of solving network problems? a. port scanner *b. packet sniffer c. vulnerability scanner d. content filter

45. What is an application that entices individuals who are illegally perusing the internal areas

of a network by providing simulated rich content areas while the software notifies the administrator of the intrusion? a. port scanner b. sacrificial host *c. honey pot d. content filter

46. What is the organized research and investigation of Internet addresses owned or controlled

by a target organization? *a. footprinting b. content filtering c. deciphering d. fingerprinting

47. When an information security team is faced with a new technology, which of the following

is NOT a recommended approach? a. Determine if the benefits of the proposed technology justify the expected costs. b. Include costs for any additional risk control requirements that are mandated by the

new technology. c. Consider how the proposed solution will affect the organization’s risk exposure. *d. Evaluate how the new technology will enhance employee skills. 48. Which of the following is used in conjunction with an algorithm to make computer data

secure from anybody except the intended recipient of the data? *a. key b. plaintext c. cipher d. cryptosystem


49. In which cipher method are values rearranged within a block to create the ciphertext? *a. permutation b. Vernam c. substitution d. monoalphabetic

50. Which of the following is true about symmetric encryption? *a. It uses a secret key to encrypt and decrypt. b. It uses a private and public key. c. It is also known as public key encryption. d. It requires four keys to hold a conversation.

51. Which technology has two modes of operation: transport and tunnel? a. Secure Hypertext Transfer Protocol b. Secure Shell *c. IP Security Protocol d. Secure Sockets Layer

52. Which of the following provides an identification card of sorts to clients who request

services in a Kerberos system? *a. ticket granting service b. authentication server c. authentication client d. key distribution center

53. Which of the following is a Kerberos service that initially exchanges information with the

client and server by using secret keys? a. authentication server b. authentication client *c. key distribution center d. ticket granting service

54. What is most commonly used for the goal of nonrepudiation in cryptography? a. block cipher b. digital certificate c. PKI


*d. digital signature

55. The process of obtaining the plaintext message from a ciphertext message without knowing

the keys used to perform the encryption is known as __________. *a. cryptanalysis b. cryptology c. cryptography d. nonrepudiation

56. __________ is the determination of actions that an entity can perform in a physical or

logical area. Correct Answer(s): a. Authorization

57. A(n) __________ is a secret word or combination of characters known only by the user. Correct Answer(s): a. password

58. ________ recognition authentication captures the analog waveforms of human speech. Correct Answer(s): a. Voice

59. A(n) __________ token uses a challenge-response system in which the server challenges the

user with a number, which when entered into the token provides a response that allows access. Correct Answer(s): a. asynchronous

60. A(n) __________ is any device that prevents a specific type of information from moving

between an untrusted network and a trusted network. Correct Answer(s): a. firewall

61. You might put a proxy server in the __________, which is exposed to the outside world,

between the trusted network and the untrusted network. Correct Answer(s): a. demilitarized zone b. DMZ


62. __________ is a technology in which multiple real, routable external IP addresses are

converted to special ranges of internal IP addresses, usually on a one-to-one basis. Correct Answer(s): a. Network-address translation b. Network address translation c. NAT

63. The process of reversing public key encryption to verify that a message was sent by a

specific sender and thus cannot be refuted is known as __________. Correct Answer(s): a. digital signatures b. digital signature

64. The process of making and using codes to secure information is known as __________. Correct Answer(s): a. cryptography

65. The process of hiding messages, usually within image files, is known as __________. Correct Answer(s): a. steganography

66. The information used in conjunction with the encryption process to create the

ciphertext from the plaintext is known as a(n) __________. Correct Answer(s): a. key b. cryptovariable

67. The process of converting an original message (plaintext) into a form that cannot be used by

unauthorized individuals (ciphertext) is known as __________. Correct Answer(s): a. encryption

68. __________ presents a threat to wireless communications, and is therefore a practice that

makes it prudent to use a wireless encryption protocol to prevent unauthorized use of your Wi-Fi network. Correct Answer(s): a. War driving


69. The __________ wireless security protocol was replaced by stronger protocols due to

several vulnerabilities found in the early 2000s. Correct Answer(s): a. WEP b. wired equivalent privacy

70. The Ticket Granting Service (TGS) is one of three services in the __________ system,

and provides tickets to clients who request services. Correct Answer(s): a. Kerberos

71. [e] 1. An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates. [g] 2. A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. [a] 3. The organized research and investigation of Internet addresses owned or controlled by a target organization. [i] 4. In IPSec, an encryption method in which only a packet’s IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses. [f] 5. A cryptographic technique developed at AT&T and known as the “one-time pad,” this cipher uses a set of characters for encryption operations only one time and then discards it. [d] 6. Was developed by Netscape in 1994 to provide security for online e-commerce transactions. [b] 7. A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network—for example, restricting user access to Web sites with material that is not related to business, such as pornography or entertainment. [c] 8. A private, secure network operated over a public and insecure network. [h] 9. A cryptographic operation that involves simply rearranging the values within a block based on an established pattern. [j] 10. Public key container files that allow PKI system components and end users to validate a public key and identify its owner. a. footprinting b. content filter c. VPN d. SSL e. PKI f. Vernam cipher g. asymmetric encryption


h. transposition cipher i. transport mode j. digital certificate

72. Describe and provide an example for each of the three types of authentication mechanisms. Correct Answer:

There are three types of authentication mechanisms:- Something a person knows (for example, passwords and passphrases) - Something a person has (such as cryptographic tokens and smart cards) - Something a person produces (such as voice and signature pattern recognition, fingerprints, palm prints, hand topography, hand geometry, and retina and iris scans)

73. Briefly describe how biometric technologies are generally evaluated. Correct Answer:

Biometric technologies are generally evaluated according to three basic criteria:- False reject rate: the percentage of authorized users who are denied access - False accept rate: the percentage of unauthorized users who are allowed access - Crossover error rate: the point at which the number of false rejections equals the number of false acceptances

74. What should you look for when selecting a firewall for your network? Correct Answer:

1. What type of firewall technology offers the right balance between protection and cost for the needs of the organization?2. What features are included in the base price? What features are available at extra cost? Are all cost factors known? 3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall? 4. Can the candidate firewall adapt to the growing network in the target organization?

75. List the most common firewall implementation architectures. Correct Answer:

Three architectural implementations of firewalls are especially common: single bastion hosts, screened-host firewalls, and screened-subnet firewalls.


76. What are NAT and PAT?

Describe these technologies.

Correct Answer:

NAT is a method of converting multiple real, routable external IP addresses to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address. A related approach, called port-address translation (PAT), converts a single real, valid, external IP address to special ranges of internal IP addresses—that is, a one-to-many approach in which one address is mapped dynamically to a range of internal addresses by adding a unique port number when traffic leaves the private network and is placed on the public network. 77. There are six recommended best practices for firewall use according to Laura Taylor. List three of them. Correct Answer:

All traffic from the trusted network is allowed out. The firewall device is never accessible directly from the public network. Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but all of it is routed to a well-configured SMTP gateway to filter and route messaging traffic securely. All Internet Control Message Protocol (ICMP) data is denied. Telnet/terminal emulation access to all internal servers from the public networks is blocked. When Web services are offered outside the firewall, HTTP traffic is prevented from reaching your internal networks via the implementation of some form of proxy access or DMZ architecture.

78. Describe in basic terms what an IDPS is. Correct Answer:

Intrusion detection and prevention systems (IDPSs) work like burglar alarms. When the system detects a violation—the IT equivalent of an opened or broken window—it activates the alarm. This alarm can be audible and visible (noise and lights), or it can be a silent alarm that sends a message to a monitoring company. 79. What is WEP and why is it no longer in favor? Correct Answer:

WEP is designed to provide a basic level of security protection to Wi-Fi networks, to prevent unauthorized access or eavesdropping. However, WEP, like a traditional wired network, does not protect users from each other; it only protects the network from unauthorized users. In the early


2000s, cryptologists found several fundamental flaws in WEP, resulting in vulnerabilities that can be exploited to gain access. These vulnerabilities ultimately led to the replacement of WEP as the industry standard with WPA. 80. What is a packet sniffer and how can it be used for good or nefarious purposes? Correct Answer:

A packet sniffer is a network tool that collects and analyzes copies of packets from the network. It can provide a network administrator with valuable information to help diagnose and resolve networking issues. In the wrong hands, it can be used to eavesdrop on network traffic. 81. What is asymmetric encryption? Correct Answer:

Asymmetric encryption is also known as public key encryption. Whereas symmetric encryption systems use a single key both to encrypt and decrypt a message, asymmetric encryption uses two different keys. Either key can be used to encrypt or decrypt the message, but not both for the same message.


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.