87 Cards in this Set
| Front | Back |
|---|---|
| Communication security involves the protection of which of the following? A. media, technology, and content B. the IT department C. people, physical assets D. radio handsets | A. media, technology, and content |
| The impetus for a project that is the result of a carefully developed planning strategy | 3. plan-driven |
| The process of validating a supplicant's purported identity, thus ensuring that the entity requesting access is the entity it claims to be | 5. authentication |
| In the WBS approach, the project plan is first broken down into tasks placed on the WBS task list. The minimum attributes that should be identified for each task include all but which of the following? | 2. The number of people and other resources needed for each task |
| Which of the following is true about a hot site? | 4. It duplicates computing resources, peripherals, phone systems, applications, and workstations. |
| Which policy is the highest level of policy and is usually created first? | 3. EISP |
| A state that occurs when the quantity or quality of project deliverables is expanded from the original project plan | 2. scope creep |
| Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project? | 2. critical path |
| According to the C.I.A. triangle, which of the following is a desirable characteristic for computer security? | 4. availability |
| Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls? | 1. back door |
| Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident? | 4. Incident Classification |
| In which type of site are no computer hardware or peripherals provided? | 4. cold site |
| A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? | 1. investigation |
| Individual who determines the level of classification associated with data | 7. data owner |
| It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them? | 1. What other activities require the same resources as this activity? |
| Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? | 4. Policy Review and Modification |
| Which of the following are instructional codes that guide the execution of the system when information is passing through it? | 3. configuration rules |
| Which of the following are the two general groups into which SysSPs can be separated? | 2. technical specifications and managerial guidance |
| Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program? | 2. people |
| What is the last stage of the business impact analysis? | 2. prioritize resources associated with the business processes |
| Which of the following is the transfer of live transactions to an off-site facility? | 2. remote journaling |
| What are the two general methods for implementing technical controls? | 2. access control lists and configuration rules |
| In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies? | 1. design |
| Which is the first step in the contingency planning process? | 2. business impact analysis |
| Which of the following is NOT a step in the problem-solving process? | 1. build support among management for the candidate solution |
| Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing | 7. benchmarking |
| A time-release safe is an example of which type of access control? | 1. content-dependent |
| Security efforts that balance the need for information access with the need for adequate protection | 10. best security practices |
| Which of the following is NOT a step in the process of implementing training? | 4. hire expert consultants |
| Problems with benchmarking include all but which of the following? | 1. benchmarking doesn't help in determining the desired outcome of the security process |
| Which of the following is the primary purpose of ISO/IEC 27001:2005? | 2. To enable organizations that adopt it to obtain certification |
| Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness? | 4. Systems testing |
| Which control category discourages an incipient incident? | 4. deterrent |
| What is the SETA program designed to do? | 3. reduce the incidence of accidental security breaches |
| Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? | 3. corrective |
| A model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information | 2. gold standard |
| Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich? | 2. What effect will these measurements have on efficiency? |
| Which of the following is true about a company's InfoSec awareness Web site? | 3. it should be tested with multiple browsers |
| System logs, log review processes, and log consolidation and management | 9. audit trails |
| Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? | 4. access control list |
| Security plan, initiation phase, development/acquisition phase ... | 2. life cycle planning |
| Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? | 3. security model |
| Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans? | 2. planning |
| Which of the following is a disadvantage of the one-on-one training method? | 4. Resource intensive, to the point of being inefficient |
| A SETA program consists of three elements: security education, security training, and which of the following? | 2. security awareness |
| In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality? | 1. accreditation |
| One of the factors that cause upper management to juggle with staffing levels | 8. office politics |
| One of the TCSEC's covert channels, which transmit information by managing the relative timing of events | 4. timing channels |
| A value or profile of a performance metric against which changes in the performance metric can be usefully compared | 8. baseline |
| Which of the following variables is the most influential in determining how to structure an information security program? | 4. Organizational culture |
| Which of the following affects the cost of a control? | 3. maintenance |
| Performed using categories instead of specific values to determine risk | 3. qualitative risk assessment |
| Which of the following is NOT an alternative to using CBA to justify risk controls? | 1. selective risk avoidance |
| By multiplying the asset value by the exposure factor, you can calculate which of the following? | 1. single loss expectancy |
| Must be comprehensive and mutually exclusive | 4. classification categories |
| The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following? | 1. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset |
| A choice not to protect an asset and the removal of it from the environment that represents risk | 9. termination risk control strategy |
| Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk? | 3. monitoring and measurement |
| Process of discovering the risks to an organization's operations | 2. risk identification |
| Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet? | 2. uncertainty percentage |
| Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? | 4. calculating the risks to which assets are exposed in their current setting |
| Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises | 1. field change order |
| What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed? | 2. documented control strategy |
| Remains even after the existing control has been applied | 9. residual risk |
| A mechanism to control risk by the prevention of an exploitation of a vulnerability | 4. defense risk control strategy |
| In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result? | 4. Delphi |
| Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? | 3. mitigation |
| What is the final step in the risk identification process? | 2. listing assets in order of importance |
| What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? | 4. cost-benefit analysis |
| Classification categories must be mutually exclusive and which of the following? | 1. comprehensive |
| The prioritized list of threats is placed along the vertical axis | 8. TVA worksheet |
| Which of the following is a network device attribute that is tied to the network interface? | 4. MAC address |
| The quantity and nature of risk that organizations are willing to accept | 8. risk appetite |
| Columns include asset impact, vulnerability, and risk-rating factor | 7. ranked vulnerability risk worksheet |
| An approach to control risk by attempting to reduce the impact of the loss caused by a realized incident | 10. mitigation risk control strategy |
| What are the 14 "elements" of a security program? | |
| Which of the four processes of a general application of access controls is missing? | Identification |
| Which of the four processes of a general application of access controls is missing? | Authorization |
| Which of the four processes of a general application of access controls is missing? | Authentication |
| Which of the four processes of a general application of access controls is missing? | Accountability |
| What are three key principles access control is built on? | |
| Which of the six categories of Access Control by characteristics is missing? | Deterrent |
| Which of the six categories of Access Control by characteristics is missing? | Preventative |
| Which of the six categories of Access Control by characteristics is missing? | Detective |
| Which of the six categories of Access Control by characteristics is missing? | Corrective |
| Which of the six categories of Access Control by characteristics is missing? | Recovery |
| Which of the six categories of Access Control by characteristics is missing? | Compensating |