87 Cards in this Set


Communication security involves the protection of which of the following?

A. media, technology, and content
B. the IT department
C. people, physical assets
D. radio handsets

A. media, technology, and content

The impetus for a project that is the result of a carefully developed planning strategy

  1. strategic planning
  2. operational controls
  3. plan-driven
  4. risk management
  5. attack
  6. threat agent
  7. technical controls
  8. data owner
  9. risk assessment
  10. exploit

3. plan-driven

The process of validating a supplicant's purported identity, thus ensuring that the entity requesting access is the entity it claims to be

  1. identification
  2. project management
  3. integrity
  4. information security
  5. authentication
  6. slack time
  7. operations security
  8. scope creep
  9. authorization
  10. organizing

5. authentication

In the WBS approach, the project plan is first broken down into tasks placed on the WBS task list. The minimum attributes that should be identified for each task include all but which of the following?

  1. Work to be accomplished (activities and deliverables)
  2. The number of people and other resources needed for each task
  3. The common or specialized skills needed to perform the task
  4. Estimated amount of effort required for completion, in hours or workdays

2. The number of people and other resources needed for each task

Which of the following is true about a hot site?

  1. All communications services must be installed after the site is occupied.
  2. It is an empty room with standard heating, air conditioning, and electrical service.
  3. It includes computing equipment and peripherals with servers but no client workstations.
  4. It duplicates computing resources, peripherals, phone systems, applications, and workstations.

4. It duplicates computing resources, peripherals, phone systems, applications, and workstations.

Which policy is the highest level of policy and is usually created first?

  1. USSP
  2. ISSP
  3. EISP
  4. SysSP

3. EISP

A state that occurs when the quantity or quality of project deliverables is expanded from the original project plan

  1. integrity
  2. scope creep
  3. authorization
  4. authentication
  5. identification
  6. project management
  7. slack time
  8. information security
  9. Operations security
  10. organizing

2. scope creep

Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project?

  1. program path
  2. critical path
  3. crucial factor set
  4. critical function

2. critical path

According to the C.I.A. triangle, which of the following is a desirable characteristic for computer security?

  1. authorization
  2. accountability
  3. authentication
  4. availability

4. availability

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

  1. back door
  2. brute force
  3. DoS
  4. hoax

1. back door

Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident?

  1. Incident verification
  2. Incident identification
  3. Incident registration
  4. Incident classification

4. Incident Classification

In which type of site are no computer hardware or peripherals provided?

  1. timeshare
  2. warm site
  3. hot site
  4. cold site

4. cold site

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

  1. investigation
  2. design
  3. implementation
  4. analysis

1. investigation

Individual who determines the level of classification associated with data

  1. risk assessment
  2. attack
  3. operational controls
  4. technical controls
  5. strategic planning
  6. risk management
  7. data owner
  8. threat agent
  9. plan-driven
  10. exploit

7. data owner

It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them?

  1. What other activities require the same resources as this activity?
  2. How long will it take?
  3. What activity occurs immediately after this activity?
  4. What activity occurs immediately before this activity?

1. What other activities require the same resources as this activity?

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

  1. Systems Management
  2. Limitations of Liability
  3. Statement of Purpose
  4. Policy Review and Modification

4. Policy Review and Modification

Which of the following are instructional codes that guide the execution of the system when information is passing through it?

  1. user profile
  2. capability tables
  3. configuration rules
  4. access control lists

3. configuration rules

Which of the following are the two general groups into which SysSPs can be separated?

  1. business guidance and network guidance
  2. technical specifications and managerial guidance
  3. user specifications and managerial guidance
  4. technical specifications and business guidance

2. technical specifications and managerial guidance

Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?

  1. policy
  2. people
  3. protection
  4. projects

2. people

What is the last stage of the business impact analysis?

  1. collect critical information about each business unit
  2. prioritize resources associated with the business processes
  3. analysis and prioritization of business processes
  4. identify resource requirements

2. prioritize resources associated with the business processes

Which of the following is the transfer of live transactions to an off-site facility?

  1. Database shadowing
  2. remote journaling
  3. Electronic vaulting
  4. Timesharing

2. remote journaling

What are the two general methods for implementing technical controls?

  1. firewall rules and access filters
  2. access control lists and configuration rules
  3. user profiles and filters
  4. profile lists and configuration filters

2. access control lists and configuration rules

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

  1. design
  2. implementation
  3. analysis
  4. investigation

1. design

Which is the first step in the contingency planning process?

  1. incident response planning
  2. business impact analysis
  3. disaster recovery planning
  4. business continuity training

2. business impact analysis

Which of the following is NOT a step in the problem-solving process?

  1. build support among management for the candidate solution
  2. Gather facts and make assumptions
  3. Select, implement and evaluate a solution
  4. Analyze and compare possible solutions

1. build support among management for the candidate solution

Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing

  1. certification
  2. gold standard
  3. standard of due care
  4. NIST SP 800-37
  5. accreditation
  6. due diligence
  7. benchmarking
  8. baseline
  9. recommended business practices
  10. best security practices

7. benchmarking

A time-release safe is an example of which type of access control?

  1. content-dependent
  2. temporal isolation
  3. constrained user interface
  4. non-discretionary

1. content-dependent

Security efforts that balance the need for information access with the need for adequate protection

  1. certification
  2. gold standard
  3. standard of due care
  4. NIST SP 800-37
  5. accreditation
  6. due diligence
  7. benchmarking
  8. baseline
  9. recommended business practices
  10. best security practices

10. best security practices

Which of the following is NOT a step in the process of implementing training?

  1. administer the program
  2. identify target audiences
  3. maintain the program
  4. hire expert consultants

4. hire expert consultants

Problems with benchmarking include all but which of the following?

  1. benchmarking doesn't help in determining the desired outcome of the security process
  2. Organizations don't often share information on successful attacks
  3. Organizations being benchmarked are seldom identical
  4. Recommended practices change and evolve, thus past performance is no indicator of future success

1. benchmarking doesn't help in determining the desired outcome of the security process

Which of the following is the primary purpose of ISO/IEC 27001:2005?

  1. Use within an organization to formulate security requirements and objectives
  2. To enable organizations that adopt it to obtain certification
  3. Use within an organization to ensure compliance with laws and regulations
  4. Implementation of business-enabling information security

2. To enable organizations that adopt it to obtain certification

Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

  1. incident response
  2. systems security administration
  3. risk assessment
  4. Systems testing

4. Systems testing

Which control category discourages an incipient incident?

  1. remitting
  2. compensating
  3. preventative
  4. deterrent

4. deterrent

What is the SETA program designed to do?

  1. reduce the occurrence of external attacks
  2. increase the efficiency of InfoSec staff
  3. reduce the incidence of accidental security breaches
  4. improve the operations

3. reduce the incidence of accidental security breaches

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

  1. compensating
  2. deterrent
  3. corrective
  4. preventative

3. corrective

A model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information

  1. certification
  2. gold standard
  3. standard of due care
  4. NIST SP 800-37
  5. accreditation
  6. due diligence
  7. benchmarking
  8. baseline
  9. recommended business practices
  10. best security practices

2. gold standard

Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?

  1. Where will these measurements be collected?
  2. What effect will these measurements have on efficiency?
  3. Why should these measurements be collected?
  4. Who will collect these measurements?

2. What effect will these measurements have on efficiency?

Which of the following is true about a company's InfoSec awareness Web site?

  1. appearance doesn't matter if the information is there
  2. it should contain large images to maintain interest
  3. it should be tested with multiple browsers
  4. it should be placed on the Internet for public consumption

3. it should be tested with multiple browsers

System logs, log review processes, and log consolidation and management

  1. legal
  2. life cycle planning
  3. InfoSec program
  4. risk management
  5. SETA
  6. security technicians
  7. formal class
  8. office politics
  9. audit trails
  10. CISO

9. audit trails

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

  1. capabilities table
  2. access matrix
  3. sensitivity level
  4. access control list

4. access control list

Security plan, initiation phase, development/acquisition phase ...

  1. legal
  2. life cycle planning
  3. InfoSec program
  4. risk management
  5. SETA
  6. security technicians
  7. formal class
  8. office politics
  9. audit trails
  10. CISO

2. life cycle planning

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

  1. framework
  2. organizational model
  3. security model
  4. security outline

3. security model

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

  1. compliance
  2. planning
  3. systems security administration
  4. policy

2. planning

Which of the following is a disadvantage of the one-on-one training method?

  1. Content may not be customized to the needs of the organization
  2. Inflexible
  3. May not be responsive to the needs of all the trainees
  4. Resource intensive, to the point of being inefficient

4. Resource intensive, to the point of being inefficient

A SETA program consists of three elements: security education, security training, and which of the following?

  1. Security accountability
  2. security awareness
  3. security authorization
  4. security authentication

2. security awareness

In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality?

  1. accreditation
  2. testimonial
  3. certification
  4. performance measurements

1. accreditation

One of the factors that cause upper management to juggle with staffing levels

  1. legal
  2. life cycle planning
  3. InfoSec program
  4. risk management
  5. SETA
  6. security technicians
  7. formal class
  8. office politics
  9. audit trails
  10. CISO

8. office politics

One of the TCSEC's covert channels, which transmit information by managing the relative timing of events

  1. rule-based access controls
  2. sensitivity levels
  3. content-dependent access controls
  4. timing channels
  5. separation of duties
  6. DAC
  7. blueprint
  8. TCB
  9. storage channels
  10. task-based controls

4. timing channels

A value or profile of a performance metric against which changes in the performance metric can be usefully compared

  1. certification
  2. gold standard
  3. standard of due care
  4. NIST SP 800-37
  5. accreditation
  6. due diligence
  7. benchmarking
  8. baseline
  9. recommended business practices
  10. best security practices

8. baseline

Which of the following variables is the most influential in determining how to structure an information security program?

  1. Security personnel budget
  2. Security capital budget
  3. Organizational size
  4. Organizational culture

4. Organizational culture

Which of the following affects the cost of a control?

  1. asset resale
  2. CBA report
  3. maintenance
  4. liability insurance

3. maintenance

performed using categories instead of specific values to determine risk

  1. field change order
  2. risk identification
  3. qualitative risk assessment
  4. classification categories
  5. ranked vulnerability risk worksheet
  6. threat identification
  7. risk management
  8. TVA worksheet
  9. residual risk
  10. risk analysis

3. qualitative risk assessment

Which of the following is NOT an alternative to using CBA to justify risk controls?

  1. selective risk avoidance
  2. benchmarking
  3. due care and due diligence
  4. the gold standard

1. selective risk avoidance

By multiplying the asset value by the exposure factor, you can calculate which of the following?

  1. single loss expectancy
  2. annualized loss expectancy
  3. annualized cost of the safeguard
  4. value to adversaries

1. single loss expectancy

must be comprehensive and mutually exclusive

  1. field change order
  2. risk identification
  3. qualitative risk assessment
  4. classification categories
  5. ranked vulnerability risk worksheet
  6. threat identification
  7. risk management
  8. TVA worksheet
  9. residual risk
  10. risk analysis

4. classification categories

The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following?

  1. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
  2. Determined the level of risk posed to the information asset
  3. Performed a thorough cost-benefit analysis
  4. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability

1. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset

A choice not to protect an asset and the removal of it from the environment that represents risk

  1. single loss expectancy
  2. asset valuation
  3. cost-benefit analysis
  4. defense risk control strategy
  5. acceptance risk control strategy
  6. organizational feasibility
  7. cost avoidance
  8. risk appetite
  9. termination risk control strategy
  10. mitigation risk control strategy

9. termination risk control strategy

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

  1. review and reapplication
  2. analysis and adjustment
  3. monitoring and measurement
  4. evaluation and funding

3. monitoring and measurement

process of discovering the risks to an organization's operations

  1. field change order
  2. risk identification
  3. qualitative risk assessment
  4. classification categories
  5. ranked vulnerability risk worksheet
  6. threat identification
  7. risk management
  8. TVA worksheet
  9. residual risk
  10. risk analysis

2. risk identification

Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?

  1. asset impact
  2. uncertainty percentage
  3. risk-rating factor
  4. vulnerability likelihood

2. uncertainty percentage

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

  1. Creating an inventory of information assets
  2. Assigning a value to each information asset
  3. Classifying and organizing information assets into meaningful groups
  4. calculating the risks to which assets are exposed in their current setting

4. calculating the risks to which assets are exposed in their current setting

occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises

  1. field change order
  2. risk identification
  3. qualitative risk assessment
  4. classification categories
  5. ranked vulnerability risk worksheet
  6. threat identification
  7. risk management
  8. TVA worksheet
  9. residual risk
  10. risk analysis

1. field change order

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

  1. risk acceptance plan
  2. documented control strategy
  3. cost-benefit analysis
  4. probability calculation

2. documented control strategy

remains even after the existing control has been applied

  1. field change order
  2. risk identification
  3. qualitative risk assessment
  4. classification categories
  5. ranked vulnerability risk worksheet
  6. threat identification
  7. risk management
  8. TVA worksheet
  9. residual risk
  10. risk analysis

9. residual risk

a mechanism to control risk by the prevention of an exploitation of a vulnerability

  1. single loss expectancy
  2. asset valuation
  3. cost-benefit analysis
  4. defense risk control strategy
  5. acceptance risk control strategy
  6. organizational feasibility
  7. cost avoidance
  8. risk appetite
  9. termination risk control strategy
  10. mitigation risk control strategy

4. defense risk control strategy

In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?

  1. Hybrid Measures
  2. OCTAVE
  3. FAIR
  4. Delphi

4. Delphi

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

  1. avoidance
  2. transference
  3. mitigation
  4. acceptance

3. mitigation

What is the final step in the risk identification process?

  1. identifying and inventorying assets
  2. listing assets in order of importance
  3. classifying and categorizing assets
  4. assessing values for information assets

2. listing assets in order of importance

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

  1. exposure factor
  2. annualized rate of occurrence
  3. single-loss expectancy
  4. cost-benefit analysis

4. cost-benefit analysis

Classification categories must be mutually exclusive and which of the following?

  1. comprehensive
  2. repeatable
  3. unique
  4. selective

1. comprehensive

the prioritized list of threats is placed along the vertical axis

  1. field change order
  2. risk identification
  3. qualitative risk assessment
  4. classification categories
  5. ranked vulnerability risk worksheet
  6. threat identification
  7. risk management
  8. TVA worksheet
  9. residual risk
  10. risk analysis

8. TVA worksheet

Which of the following is a network device attribute that is tied to the network interface?

  1. model number
  2. serial number
  3. IP address
  4. MAC address

4. MAC address

the quantity and nature of risk that organizations are willing to accept

  1. single loss expectancy
  2. asset valuation
  3. cost-benefit analysis
  4. defense risk control strategy
  5. acceptance risk control strategy
  6. organizational feasibility
  7. cost avoidance
  8. risk appetite
  9. termination risk control strategy
  10. mitigation risk control strategy

8. risk appetite

columns include asset impact, vulnerability, and risk-rating factor

  1. qualitative risk assessment
  2. TVA worksheet
  3. risk analysis
  4. threat identification
  5. field change order
  6. classification categories
  7. ranked vulnerability risk worksheet
  8. residual risk
  9. risk identification
  10. risk management

7. ranked vulnerability risk worksheet

an approach to control risk by attempting to reduce the impact of the loss caused by a realized incident

  1. single loss expectancy
  2. asset valuation
  3. cost-benefit analysis
  4. defense risk control strategy
  5. acceptance risk control strategy
  6. organizational feasibility
  7. cost avoidance
  8. risk appetite
  9. termination risk control strategy
  10. mitigation risk control strategy

10. mitigation risk control strategy

What are the 14 "elements" of a security program?

  1. policy
  2. program management
  3. Risk Management
  4. Life Cycle Planning
  5. Personnel/User Issues
  6. Preparing for Contingencies and Disaster
  7. Computer Security Incident Handling
  8. Awareness and Training
  9. Security Considerations in Computer Support and Operation
  10. Physical and Environmental Security
  11. Identification and Authentication
  12. Logical Access Control
  13. Audit Trails
  14. Cryptography

Which of the four processes of a general application of access controls is missing?

  1. _
  2. Authorization
  3. Authentication
  4. Accountability

Identification

Which of the four processes of a general application of access controls is missing?

  1. Identification
  2. _
  3. Authentication
  4. Accountability

Authorization

Which of the four processes of a general application of access controls is missing?

  1. Identification
  2. Authorization
  3. _
  4. Accountability

Authentication

Which of the four processes of a general application of access controls is missing?

  1. Identification
  2. Authorization
  3. Authentication
  4. _

Accountability

What are three key principles access control is built on?

  1. Least Privilege
  2. Need To Know
  3. Separation of Duties

Which of the six categories of Access Control by characteristics is missing?

  1. _
  2. Preventative
  3. Detective
  4. Corrective
  5. Recovery
  6. Compensating

Deterrent

Which of the six categories of Access Control by characteristics is missing?

  1. Deterrent
  2. _
  3. Detective
  4. Corrective
  5. Recovery
  6. Compensating

Preventative

Which of the six categories of Access Control by characteristics is missing?

  1. Deterrent
  2. Preventative
  3. _
  4. Corrective
  5. Recovery
  6. Compensating

Detective

Which of the six categories of Access Control by characteristics is missing?

  1. Deterrent
  2. Preventative
  3. Detective
  4. _
  5. Recovery
  6. Compensating

Corrective

Which of the six categories of Access Control by characteristics is missing?

  1. Deterrent
  2. Preventative
  3. Detective
  4. Corrective
  5. _
  6. Compensating

Recovery

Which of the six categories of Access Control by characteristics is missing?

  1. Deterrent
  2. Preventative
  3. Detective
  4. Corrective
  5. Recovery
  6. _

Compensating