Mid-Term Exam (CH:1-6)

Q: The authorization process takes place before the authentication process.

Q: ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
A: Trojan Horses

Q: A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
A: True

Q: Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
A: Organization

Q: According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
A: Availability

Q: The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
A: True

Q: Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
A: Policy

Q: Which type of attack involves sending a large number of connection or information requests to a target?
A: Denial-of-Service (DoS)

Q: Corruption of information can occur only while information is being stored.
A: False

Q: There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
A: Malice

Q: The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
A: For Political Advantage

Q: Deterrence is the best method for preventing an illegal or unethical activity. ____________
A: True

Q: It is the responsibility of InfoSec professionals to understand state laws and standards. ____________
A: False

Q: InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
A: False

Q: Any court can impose its authority over an individual or organization if it can establish which of the following?
A: Jurisdiction

Q: Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls.
A: Deterrence

Q: Which law extends protection to intellectual property, which includes words published in electronic formats?
A: U.S. Copyright Law

Q: Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
A: HIPAA

Q: To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
A: False

Q: ISACA is a professional association with a focus on authorization, control, and security. ___________
A: False

Q: A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
A: False

Q: An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
A: Penetration Tester

Q: Which of the following explicitly declares the business of the organization and its intended areas of operations?
A: Mission Statement

Q: The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
A: Chief Information Security Officer (CISO)

Q: Which of the following is a key advantage of the bottom-up approach to security implementation?
A: Utilizes the technical expertise of the individual administrators

Q: Which type of planning is the primary tool in determining the long-term direction taken by an organization?
A: Strategic

Q: Values statements should therefore be ambitious; after all, they are meant to express the aspirations of the organization.
A: False

Q: Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
A: Operational

Q: Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
A: Joint Application Design

Q: Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
A: Tactical

Q: Which of the following should be included in an InfoSec governance program?
A: An InfoSec risk management methodology

Q: In which phase of the SecSDLC does the risk management task occur?
A: Analysis

Q: Which of the following is an information security governance responsibility of the Chief Security Officer?
A: Set security policy, procedures, programs, and training

Q: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
A: Champion

Q: Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
A: Managerial Controls

Q: A clearly directed strategy flows from top to bottom rather than from bottom to top.
A: True

Q: What is the first phase of the SecSDLC?
A: Investigation

Q: Which of the following are the two general groups into which SysSPs can be separated?
A: Technical specifications and managerial guidance

Q: Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
A: Bull's-Eye Model

Q: Which policy is the highest level of policy and is usually created first?
A: EISP

Q: Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
A: Policy Review and Modification

Q: What are the two general methods for implementing technical controls?
A: Access control lists and configuration rules

Q: Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
A: User-Specific Security Policies

Q: Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
A: Issue-Specific

Q: Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.
A: False

Q: One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
A: True

Q: Which type of document is a more detailed statement of what must be done to comply with a policy?
A: Standard

Q: Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
A: Violations of Policy

Q: The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
A: False

Q: Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
A: Risk Management

Q: Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
A: False

Q: Small organizations spend more per user on security than medium- and large-sized organizations.
A: True

Q: Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
A: They have larger information security needs than a small organization

Q: Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
A: Centralized Authentication

Q: Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
A: System Testing

Q: The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
A: False

Q: Which of the following variables is the most influential in determining how to structure an information security program?
A: Organizational Culture

Q: What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
A: Threats-Vulnerabilities-Assets Worksheet

Q: What is the final step in the risk identification process?
A: Listing assets in order of importance

Q: Having an established risk management program means that an organization's assets are completely protected.
A: False

Q: MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
A: False

Q: Which of the following is an attribute of a network device that is physically tied to the network interface?
A: MAC Address

Q: A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
A: False

Q: Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?
A: IP Address