28 Cards in this Set
1. What was ISO 17799 renamed as?
a. BS 7799-1
b. ISO 27000
c. ISO 27001
d. ISO 27002
d. ISO 27002
2. Which choice below is an incorrect description of a control?
a. Detective controls discover attacks and trigger preventative or corrective controls.
b. Corrective controls reduce the likelihood of a deliberate attack.
c. Corrective controls reduce the effect of an attack.
d. Controls are the countermeasures for vulnerabilities.
b. Corrective controls reduce the likelihood of a deliberate attack.
3. Which statement below is accurate about the reasons to implement layered security architecture?
a. A layered security approach is not necessary when using COTS products.
b. A good packet-filtering router will eliminate the need to implement layered security architecture.
c. A layered security approach is intended to increase the work-factor for an attacker.
d. A layered approach doesn’t really improve the security posture of the organization.
c. A layered security approach is intended to increase the work-factor for an attacker.
4. Which choice below represents an application or system demonstrating a need for a high level of confidentiality protection and controls?
a. Unavailability of the system could result in inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.
b. The application contains proprietary business information and other financial information, which if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.
c. Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is backed up by either paper documentation or on disk.
d. The mission of this system is to produce local weather forecast information t
b. The application contains proprietary business information and other financial information, which if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.
5. Which choice below is NOT a concern of policy development at the high level?
a. Identifying the key business resources
b. Identifying the type of firewalls to be used for perimeter security
c. Defining roles in the organization
d. Determining the capability and functionality of each role
b. Identifying the type of firewalls to be used for perimeter security
6. Which choice below is NOT an accurate statement about the visibility of IT security policy?
a. The IT security policy should not be afforded high visibility.
b. The IT security policy could be visible through panel discussions with guest speakers.
c. The IT security policy should be afforded high visibility.
d. The IT security policy should be included as a regular topic at staff meetings at all levels of the organization.
a. The IT security policy should not be afforded high visibility.
7. Which statement below is NOT accurate regarding the process of risk assessment?
a. The likelihood of a threat must be determined as an element of the risk assessment.
b. The level of impact of a threat must be determined as an element of the risk assessment.
c. Risk assessment is the first process in the risk management methodology.
d. Risk assessment is the final result of the risk management methodology.
d. Risk assessment is the final result of the risk management methodology.
8. Which choice below would NOT be considered an element of proper user account management?
a. Users should never be rotated out of their current duties.
b. The users’ accounts should be reviewed periodically.
c. A process for tracking access authorizations should be implemented.
d. Periodically re-screen personnel in sensitive positions.
a. Users should never be rotated out of their current duties.
9. Which choice below is NOT one of NIST’s 33 IT security principles?
a. Implement least privilege.
b. Assume that external systems are insecure.
c. Totally eliminate any level of risk.
d. Minimize the system elements to be trusted.
c. Totally eliminate any level of risk.
10. How often should an independent review of the security controls be performed, according to OMB Circular A-130?
a. Every year
b. Every 3 years
c. Every 5 years
d. Never
b. Every 3 years
11. Which choice below BEST describes the difference between the System Owner and the Information Owner?
a. There is a one-to-one relationship between system owners and information owners.
b. One system could have multiple information owners.
c. The Information Owner is responsible for defining the system’s operating parameters.
d. The System Owner is responsible for establishing the rules for appropriate use of the information.
b. One system could have multiple information owners.
12. Which choice below is NOT a generally accepted benefit of security awareness, training, and education?
a. A security awareness program can help operators understand the value of the information.
b. A security education program can help system administrators recognize unauthorized intrusion attempts.
c. A security awareness and training program will help prevent natural disasters from occurring.
d. A security awareness and training program can help an organization reduce the number and severity of errors and omissions.
c. A security awareness and training program will help prevent natural disasters from occurring.
13. Which choice below is NOT an example of an issue-specific policy?
a. Email privacy policy
b. Virus-checking disk policy
c. Defined router ACLs
d. Unfriendly employee termination policy
c. Defined router ACLs
14. Which choice below is an accurate statement about standards?
a. Standards are the high-level statements made by senior management in support of information systems security.
b. Standards are the first element created in an effective security policy program.
c. Standards are used to describe how policies will be implemented within an organization.
d. Standards are senior management’s directives to create a computer security program.
c. Standards are used to describe how policies will be implemented within an organization.
15. Which choice below is a role of the Information Systems Security Officer (ISSO)?
a. The ISSO establishes the overall goals of the organization’s computer security program.
b. The ISSO is responsible for day-to-day security administration.
c. The ISSO is responsible for examining systems to see whether they are meeting stated security requirements.
d. The ISSO is responsible for following security procedures and reporting security problems.
b. The ISSO is responsible for day-to-day security administration.
16. Which of the following assessment methodologies was developed by the National Security Agency to assist both assessment suppliers and consumers?
a. Federal Information Technology Security Assessment Framework (FITSAF)
b. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
c. Federal Information Processing Standard (FIPS) 102
d. INFOSEC Assessment Methodology (IAM)
d. INFOSEC Assessment Methodology (IAM)
17. Which statement below is NOT correct about safeguard selection in the risk analysis process?
a. Maintenance costs need to be included in determining the total cost of the safeguard.
b. The best possible safeguard should always be implemented, regardless of cost.
c. The most commonly considered criteria is the cost effectiveness of the safeguard.
d. Many elements need to be considered in determining the total cost of the safeguard.
b. The best possible safeguard should always be implemented, regardless of cost.
18. What are high-level policies?
a. They are recommendations for procedural controls.
b. They are the instructions on how to perform a Quantitative Risk Analysis.
c. They are statements that indicate a senior management’s intention to support InfoSec.
d. They are step-by-step procedures to implement a safeguard.
c. They are statements that indicate a senior management’s intention to support InfoSec.
19. Which of the following assessment methodologies below is a self-guided assessment implemented in a series of short workshops focusing on key organizational areas and conducted in three phases?
a. Federal Information Technology Security Assessment Framework (FITSAF)
b. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
c. Office of Management and Budget (OMB) Circular A-130
d. INFOSEC Assessment Methodology (IAM)
b. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
20. Which policy type is MOST likely to contain mandatory or compulsory standards?
a. Guidelines
b. Advisory
c. Regulatory
d. Informative
c. Regulatory
21. What does an Exposure Factor (EF) describe?
a. A dollar figure that is assigned to a single event
b. A number that represents the estimated frequency of the occurrence of an expected threat
c. The percentage of loss that a realized threat event would have on a specific asset
d. The annual expected financial loss to an organization from a threat
c. The percentage of loss that a realized threat event would have on a specific asset
22. What is the MOST accurate definition of a safeguard?
a. A guideline for policy recommendations
b. A step-by-step instructional procedure
c. A control designed to counteract a threat
d. A control designed to counteract an asset
c. A control designed to counteract a threat
23. Which choice MOST accurately describes the differences between standards, guidelines, and procedures?
a. Standards are recommended policies, whereas guidelines are mandatory policies.
b. Procedures are step-by-step recommendations for complying with mandatory guidelines.
c. Procedures are the general recommendations for compliance with mandatory guidelines.
d. Procedures are step-by-step instructions for compliance with mandatory standards.
d. Procedures are step-by-step instructions for compliance with mandatory standards.
24. What are the detailed instructions on how to perform or implement a control called?
a. Procedures
b. Policies
c. Guidelines
d. Standards
a. Procedures
25. How is an SLE derived?
a. (Cost – benefit) × (% of Asset Value)
b. AV × EF
c. ARO × EF
d. % of AV – implementation cost
b. AV × EF
26. What is a noncompulsory recommendation on how to achieve compliance with published standards called?
a. Procedures
b. Policies
c. Guidelines
d. Standards
c. Guidelines
27. Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?
a. The custodian implements the information classification scheme after the initial assignment by the owner.
b. The data owner implements the information classification scheme after the initial assignment by the custodian.
c. The custodian makes the initial information classification assignments, whereas the operations manager implements the scheme.
d. The custodian implements the information classification scheme after the initial assignment by the operations manager.
a. The custodian implements the information classification scheme after the initial assignment by the owner.
28. What is an ARO?
a. A dollar figure assigned to a single event
b. The annual expected financial loss to an organization from a threat
c. A number that represents the estimated frequency of an occurrence of an expected threat
d. The percentage of loss that a realized threat event would have on a specific asset
c. A number that represents the estimated frequency of an occurrence of an expected threat
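The quantitative risk formulas behind cards 21, 25 and 28 (EF, SLE = AV × EF, ARO, and ALE = SLE × ARO) and the safeguard cost-effectiveness point of card 17, carried through end to end. This is an added Python example, not part of the original flashcard set; the asset value, exposure factors, rates and safeguard costs are constructed for illustration, and the `Threat`/`Safeguard` names are this example's own.

```python
"""Quantitative risk analysis worked through: SLE, ALE and safeguard value.

Added example, not part of the original flashcard set. All dollar figures,
exposure factors, rates and safeguard costs are constructed illustrations.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, with the three inputs of the formulas."""
    name: str
    asset_value: float       # AV: value of the asset, in dollars
    exposure_factor: float   # EF: fraction of AV lost per realized event, 0..1
    aro: float               # ARO: estimated occurrences per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and what it changes. None means 'no change'."""
    name: str
    annual_cost: float               # amortized purchase + maintenance + operation
    new_ef: Optional[float] = None   # corrective controls lower the EF
    new_aro: Optional[float] = None  # preventive controls lower the ARO


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = AV x EF (a product, not AV - EF)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a percentage of loss, given as 0..1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def threat_ale(t: Threat) -> float:
    return ale(sle(t.asset_value, t.exposure_factor), t.aro)


def apply_safeguard(t: Threat, s: Safeguard) -> Threat:
    """The same threat after the safeguard is in place."""
    return replace(
        t,
        exposure_factor=t.exposure_factor if s.new_ef is None else s.new_ef,
        aro=t.aro if s.new_aro is None else s.new_aro,
    )


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """Net annual value of a safeguard:
    ALE(before) - ALE(after) - total annual cost of the safeguard.
    Positive means cost-effective; negative means it costs more than it saves."""
    return threat_ale(t) - threat_ale(apply_safeguard(t, s)) - s.annual_cost


def choose_safeguard(t: Threat, candidates: list) -> Optional[Safeguard]:
    """Pick the candidate with the highest net value, or None if none pays off
    (accept the risk). This is why 'the best safeguard regardless of cost' is wrong."""
    best = max(candidates, key=lambda s: safeguard_value(t, s), default=None)
    if best is None or safeguard_value(t, best) <= 0:
        return None
    return best


# Constructed scenario: a file server valued at $250,000; a ransomware incident
# is judged to destroy 40% of that value and to be expected once per ten years.
FILE_SERVER = Threat("ransomware on file server", asset_value=250_000,
                     exposure_factor=0.40, aro=0.10)

CANDIDATES = [
    # Offline backups: loss per event shrinks to 10% of AV, $3,000/year all-in.
    Safeguard("offline backups", annual_cost=3_000, new_ef=0.10),
    # Hot site with continuous replication: loss shrinks to 2% of AV, but it
    # costs $12,000/year. Technically the strongest control, yet it does not pay.
    Safeguard("hot site", annual_cost=12_000, new_ef=0.02),
    # Application allow-listing: same loss when it happens, but half as often.
    Safeguard("application allow-listing", annual_cost=4_000, new_aro=0.05),
]


if __name__ == "__main__":
    print(f"SLE = ${sle(FILE_SERVER.asset_value, FILE_SERVER.exposure_factor):,.0f}")
    print(f"ALE = ${threat_ale(FILE_SERVER):,.0f} per year")
    for s in CANDIDATES:
        print(f"{s.name:26s} net value ${safeguard_value(FILE_SERVER, s):>9,.0f}/yr")
    pick = choose_safeguard(FILE_SERVER, CANDIDATES)
    print("choose:", pick.name if pick else "accept the risk")
```

With these constructed figures the SLE is $100,000 and the ALE $10,000 per year; offline backups net $4,500 per year, allow-listing $1,000, and the hot site loses $2,500 per year despite cutting the loss the most, so the cheaper control is selected. Note that `annual_cost` must carry maintenance and operating cost, not just the purchase price, or the comparison is skewed toward controls that are cheap to buy and expensive to run.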