Chapter 6: Engineering - Computer Security

25 July 2022
40 test answers

question
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? A. Identification B. Authentication C. Accountability D. Authorization
answer
D. Authorization Authorization determines the permissions that a user or process has in an access control scheme. In this case, Janet is determining those permissions, so she is performing an authorization function.
question
Which of the following would NOT be considered in the scope of organizational compliance efforts? A. Laws B. Company policy C. Internal audit D. Corporate culture
answer
A. Laws Organizational compliance efforts include compliance with an organization's own policies, audits, culture, and standards. Legal compliance falls under the realm of regulatory compliance, not organizational compliance.
question
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? A. Reduced operating costs B. Access to a high level of expertise C. Developing in-house talent D. Building internal knowledge
answer
B. Access to a high level of expertise In this scenario, Mark is most likely to achieve access to a high level of expertise because security vendors focus exclusively on providing advanced security services. Mark's costs are likely to increase rather than decrease with outsourcing, and this decision will inhibit developing internal knowledge and talent.
question
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
answer
A. Service level agreement (SLA) SLAs are formal contracts that detail the specific services a vendor will provide. Notification of security breaches is a common requirement found in SLAs.
question
Which agreement type is typically less formal than other agreements and expresses areas of common interest? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
answer
C. Memorandum of understanding (MOU) An MOU, also called a letter of intent, is an agreement between two or more parties that expresses areas of common interest that result in shared actions. MOUs are generally less enforceable than a formal agreement.
question
What is NOT a good practice for developing strong professional ethics? A. Set the example by demonstrating ethics in daily activities B. Encourage adopting ethical guidelines and standards C. Assume that information should be free D. Inform users through security awareness training
answer
C. Assume that information should be free Users should not assume that information is free and respect intellectual property rights. Assuming that information should be free is one of the common fallacies about ethics.
question
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? A. Seeking to gain unauthorized access to resources B. Disrupting intended use of the Internet C. Enforcing the integrity of computer-based information D. Compromising the privacy of users
answer
C. Enforcing the integrity of computer-based information RFC 1087 outlines six categories of unethical activity. IAB considers unethical and unacceptable any activity that purposely (1) seeks to gain unauthorized access to the resources of the Internet, (2) disrupts the intended use of the Internet, (3) wastes resources (people, capacity, computer) through such actions, (4) destroys the integrity of computer-based information, (5) compromises the privacy of users, or (6) involves negligence in the conduct of Internet-wide experiments.
question
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? A. An organization should collect only what it needs. B. An organization should share its information. C. An organization should keep its information up to date. D. An organization should properly destroy its information when it is no longer needed.
answer
B. An organization should share its information. The OECD guidelines state that an organization should NOT share its information. Other principles in those guidelines state that organizations should collect only what they need, keep information up to date, properly destroy information, and use information only for the purpose for which it was collected.
question
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? A. Job rotation B. Least privilege C. Need-to-know D. Separation of duties
answer
D. Separation of duties The principle of separation of duties breaks a task into subtasks that different users must carry out. This means that a single user cannot carry out a critical task without the help or approval of another user.
question
What is NOT a goal of information security awareness programs? A. Teach users about security objectives B. Inform users about trends and threats in security C. Motivate users to comply with security policy D. Punish users who violate policy
answer
D. Punish users who violate policy Security awareness programs should teach, inform, and motivate users. Although users who intentionally violate policies may be punished for their actions, this is a disciplinary issue that should be handled outside of the awareness program.
question
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? A. Baseline B. Policy C. Guideline D. Procedure
answer
A. Baseline Baselines provide basic configurations for specific types of computers or devices. Baselines are the benchmarks that help make sure a minimum level of security exists across multiple systems and across different products.
question
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of? A. Intimidation B. Name dropping C. Appeal for help D. Phishing
answer
D. Phishing Phishing attacks use email messages and/or webpages that resemble the work of a reputable organization. They attempt to deceive users into revealing sensitive information, such as passwords.
question
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision? A. Value B. Sensitivity C. Criticality D. Threat
answer
D. Threat The three characteristics normally used to make classification decisions are value, sensitivity, and criticality.
question
Which activity manages the baseline settings for a system or device? A. Configuration control B. Reactive change management C. Proactive change management D. Change control
answer
A. Configuration control Configuration control is the management of the baseline settings for a system or device. The baseline settings are designed to meet security requirements.
question
What is the correct order of steps in the change control process? A. Request, approval, impact assessment, build/test, monitor, implement B. Request, impact assessment, approval, build/test, implement, monitor C. Request, approval, impact assessment, build/test, implement, monitor D. Request, impact assessment, approval, build/test, monitor, implement
answer
B. Request, impact assessment, approval, build/test, implement, monitor The sequence of events during the change control process is request, impact assessment, approval, build/test, implement, and monitor.
question
Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking? A. Project initiation and planning B. Functional requirements and definition C. System design specification D. Operations and maintenance
answer
A. Project initiation and planning The project initiation and planning phase includes developing project budgets, system design, maintenance, and the project timeline.
question
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data? A. Formatting B. Degaussing C. Physical destruction D. Overwriting
answer
A. Formatting Formatting a disk does not remove the data stored on it and is not a reliable data destruction technique. Physically destroying the media, overwriting the data multiple times, and degaussing with a magnetic field are all acceptable means for data destruction.
question
In an accreditation process, who has the authority to approve a system for implementation? A. Certifier B. Authorizing official (AO) C. System owner D. System administrator
answer
B. Authorizing official (AO) The authorizing official (AO) is a senior manager who reviews the certification report and makes the decision to approve a system for implementation. The AO officially acknowledges and accepts the risk that the system may pose to agency mission, assets, or individuals.
question
In what type of attack does the attacker send unauthorized commands directly to a database? A. Cross-site scripting B. SQL injection C. Cross-site request forgery D. Database dumping
answer
B. SQL injection In an SQL injection attack, the attacker executes malicious SQL statements against a database that provide unauthorized access to data or allow other unauthorized database activities.
question
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? A. Spiral B. Agile C. Lean D. Waterfall
answer
D. Waterfall The waterfall model is a sequential process for developing software. The essence of the waterfall model is that no phase begins until the previous phase is complete.
question
One advantage of using a security management firm for security monitoring is that it has a high level of expertise. A. True B. False
answer
A. True
question
Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets. A. True B. False
answer
B. False The interconnection service agreement (ISA) serves as an agreement that documents the technical requirements of interconnected assets, and is often an extension of an MOU. A BPA creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services.
question
A remediation liaison makes sure all personnel are aware of and comply with an organization's policies. A. True B. False
answer
B. False A compliance liaison makes sure all personnel are aware of and comply with an organization's policies. Remediation involves fixing something that is broken or defective.
question
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege. A. True B. False
answer
A. True
question
Mandatory vacations minimize risk by rotating employees among various systems or duties. A. True B. False
answer
B. False Job rotation minimizes risk by rotating employees among various systems or duties. Mandatory vacations give you the opportunity to detect fraud. When users are on vacation, you should suspend their access to your environment.
question
Social engineering is deceiving or using people to get around security controls. A. True B. False
answer
A. True
question
Written security policies document management's goals and objectives. A. True B. False
answer
A. True
question
A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing. A. True B. False
answer
A. True
question
Standards are used when an organization has selected a solution to fulfill a policy goal. A. True B. False
answer
A. True
question
Procedures do NOT reduce mistakes in a crisis. A. True B. False
answer
B. False Procedures reduce mistakes in a crisis, ensure you don't miss important steps, provide for places within the process to conduct assurance checks, and are mandatory requirements.
question
The term "data owner" refers to the person or group that manages an IT infrastructure. A. True B. False
answer
B. False The term "system owner" refers to the person or group that manages the infrastructure. The data owner is the person who owns the data or someone the owner assigns.
question
Company-related classifications are not standard; therefore, there may be some differences between the terms "private" and "confidential" in different companies. A. True B. False
answer
A. True
question
Classification scope determines what data you should classify; classification process determines how you handle classified data. A. True B. False
answer
A. True
question
Configuration changes can be made at any time during a system life cycle and no process is required. A. True B. False
answer
B. False It's important that all configuration changes occur only within a controlled process. Uncontrolled configuration changes often result in conflicts and even new security vulnerabilities.
question
A hardware configuration chart should NOT include copies of software configurations. A. True B. False
answer
B. False A hardware configuration chart should include copies of all software configurations so that you can examine changes and updates planned for one device in terms of their impact on other devices.
question
With proactive change management, management initiates the change to achieve a desired goal. A. True B. False
answer
A. True
question
Change doesn't create risk for a business. A. True B. False
answer
B. False Change creates risk for a business. It might circumvent established security features and it could result in outage or system failure. It might require extensive retraining for employees to learn how to use the new systems.
question
A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans. A. True B. False
answer
A. True
question
Policies that cover data management should cover transitions throughout the data life cycle. A. True B. False
answer
A. True
question
Certification is the formal agreement by an authorizing official to accept the risk of implementing a system. A. True B. False
answer
B. False Accreditation is the formal agreement by an authorizing official to accept the risk of implementing a system. Certification is the process of reviewing a system throughout its life cycle to ensure that it meets its specified security requirements.