Upgrade to remove ads
Terms in this set (93)
The foundation of an information security program is:
Alignment with the goals and objectives of the organization
The core principles of an information security program are:
Confidentiality, Integrity and Availability
The key factor in a successful information security program is:
Senior Management support
A threat can be described as:
Any event or action that could cause harm to the organization
True/False: Threats can be either intentional or accidental
Personnel Security requires trained personnel to manage systems and networks. When does personnel security begin?
Through pre-employment checks
Who plays the most important role in information security?
The advantage of an IPS (intrusion prevention system) over an IDS (intrusion detection system) is that:
The IPS can block suspicious activity in real time
True/False: Physical security is an important part of an Information Security program
The Sherwood Applied Business Security Architecture (SABSA) is primarily concerned with:
An enterprise=wide approach to security architecture
A centralized approach to security has the primary advantage of:
Uniform enforcement of security policies
The greatest advantage to a decentralized approach to security is:
More adjustable to local laws and requirements
A primary objective of an information security strategy is to:
Identify and protect information assets
The first step in an information security strategy is to:
Determine the desired state of security
Effective information security governance is based on:
implementing security policies and procedures
The use of a standard such as ISO27001 is useful to:
Ensure that all relevant security needs have been addressed
Three main factors in a business case are resource usage, regulatory compliance and:
Return on investment
What is a primary method for justifying investments in information security?
development of a business case
Relationships with third parties may:
Require the organization to comply with the security standards of the third party
True or False? The organization does not have to worry about the impact of third party relationships on the security program
The role of an Information Systems Security Steering Committee is to:
Provide feedback from all areas of the organization
The most effective tool a security department has is:
A security awareness program
The role of Audit in relation to Information Security is:
The validate the effectiveness of the security program against established metrics
Who should be responsible for development of a risk management strategy?
The Security Manager
The security requirements of each member of the organization should be documented in:
Their job descriptions
What could be the greatest challenge to implementing a new security strategy?
Obtaining buy-in from employees
A disgruntled former employee is a:
A bug or software flaw is a:
An audit log is an example of a:
A compensating control is used:
When normal controls are not sufficient to mitigate the trick
Encryption is an example of a:
The examination of risk factors would be an example of:
True/False: The only real risk mitigation technique is based on effective implementation of technical controls.
Should a risk assessment consider controls that are planned but not yet implemented?
Yes, because it would not be appropriate to recommend implementing controls that are already planned
The main purpose of information classification is to:
Ensure the effective, appropriate protection of information
The value of information is based in part on:
The fines imposed by regulators in the event of a breach
The definition of an information security baseline is:
The minimum level of security mandated in the organization
The use of a baseline can help the organization to:
Compare the current state of security with the desired state
The purpose of a Business Impact Analysis (BIA) is to:
Estimate the potential impact on the business in case of a system failure
The ultimate goal of BIA is to:
determine the priorities for recovery of business processes and systems
New controls should be implemented as a part of the risk mitigation strategy:
In areas where the cost of the control is justified by the benefit obtained
An example of risk transference as a risk mitigation option is:
The purchase of insurance to cover some of the losses associated with an incident.
The purpose of a life cycle (as used in the Systems Development Life Cycle (SDLC)) is to:
Assist in the management of a complex project by breaking it into individual steps
At which stage of a project should risk management be performed?
At each stage starting at project initiation
When working with an outside party that may include access to sensitive information, each party should require a:
Non-disclosure agreement (NDA)
Symmetric key algorithms are best used for:
Encryption of large amounts of data
An benefit provided by a symmetric algorithm is:
Asymmetric algorithms are often used in:
The primary benefit of a hash function is:
Proving integrity of a message
Which key would open a message encrypted with John's public key?
John corresponding private key
Symmetric encryption is a:
two-way encryption process
A primary reason for the development of public key cryptography was to:
Address the ley distribution problems of asymmetric encryption
What is the length of a digest created by a hash function?
A hash function creates a fixed length hash regardless of input message length
A hash is often used for:
Password based authentication
The entity requesting access in an access control system is often known as:
Access control is a means to:
Permit authorized persons appropriate levels of access
A surveillance camera is an access control based on:
Anti-virus systems should be deployed on:
Gateways and individual desktops
The use of a policy compliant system may enable an organization to:
Enforce policies at a desktop level
An information classification policy is what form of control?
Which of the following is a one-way function?
True/False: A Disaster Recovery Plan is a part of an Information Security Framework
An important element of an information security program is:
The development of metrics to measure program performance
Identity management applies to:
Giving both internal and external users unique identification
The practice of only granting a user the lowest level required is:
A deterrent control can be used to:
Discourage inappropriate behavior
An example of a preventative control is:
A disadvantage of an automated control may be:
That it may implement a configuration change automatically without review
The implementation of a security program requires:
a person that takes ownership of each activity
The manipulation of staff to perform unauthorized actions is known as:
Audit is a form of:
When an organization undertakes a program to outsource the IT function what must it do as part of the outsourcing program?
Ensure that security requirements are addressed in any contracts
What is the best way to understand business priorities?
Interviews with senior management
In case the implementation of an IT project fails, what is the next step?
Rollback the implementation if possible
A gap analysis can be used to:
Determine the disparity between current and desired state
Every policy should be backed up through the use of:
Procedures, standards and baselines
The testing and evaluation of the security of a system made in support of the decision to implement the system is known as
Ensuring that a system is not implemented until it has been formally approved by a senior manager is part of:
Teaching staff how to use a new security tool is known as:
To ensure the quality and adherence to standards for a modification to a system the organization enforces:
One of the most important considerations when two organizations are considering a merger is?
What document is used to set out the expectations for vendors or suppliers?
Service level agreements
Good information security metrics are clear, timely and?
A vulnerability test is intended to:
Find weaknesses in the system
True/False: Penetration testing and vulnerability assessments can be either internal or external.
True/False: Gathering data to evaluate the security program cannot be done through interviews since the answers are too subjective.
Metrics to evaluate the effectiveness of system controls may be based on:
Key performance indicators (KPIs)
The three authentication factors are:
knowledge, ownership, biometric
Sensitive information about a person is called:
Remote access poses the risk that
Unauthorized users may use remote access systems to gain access
A Virtual Private Network (VPN) is used to:
Create a secure tunnel to allow transmission of sensitive data over an insecure network
A security risk associated with disposal of any storage device is:
The removal of sensitive information
When an outsourcing contract expires the organization must:
Ensure all data is removed or destroyed by the outsource service provider
THIS SET IS OFTEN IN FOLDERS WITH...
CISM Practice Question Database 2014
CISM (Certified Information Security manager) - Qu…
YOU MIGHT ALSO LIKE...
INFO Ch 4
Chapter 3, 4 & 5
Chapter 5 Cyber security, Principles of Informatio…
Principles of Information Security Chapter 4
OTHER SETS BY THIS CREATOR
70-764 Microsoft SQL 2016 - Administering a SQL Da…
70-765 - Provisioning SQL Databases Flashcards
CompTIA Cybersecurity Analyst (CSA+) Flashcards
MCSA 70-741 Networking with Windows Server 2016
OTHER QUIZLET SETS
Unit 3 Age of Revolutions
IW Test Flashcards
Assemblies of God Fundamental Truths (Condensed)
accounting final exam