Chapter 5 – ITSY 1300 – Flashcards
question
A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on it. Select one: True False
answer
False
question
Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. _________________________ Select one: True False
answer
True
question
Management of classified data includes its storage and _________. Select one: a. portability b. All of the above c. distribution d. destruction
answer
b. All of the above
question
Benchmarking is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate._________________________ Select one: True False
answer
True
question
In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack, with the SLE being the product of the asset's value and the annualized loss expectancy. Select one: True False
answer
False
question
_________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders. Select one: a. Political b. Organizational c. Operational d. Technical
answer
c. Operational
question
Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets. Select one: True False
answer
False
question
Cost Benefit Analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended. Select one: True False
answer
False
question
Exposure factor is the expected percentage of loss that would occur from a particular attack. _________________________ Select one: True False
answer
True
question
________ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty. Select one: a. Loss Frequency b. Loss c. Loss Magnitude d. Risk
answer
d. Risk
question
Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems. Select one: a. identification b. management c. control d. security
answer
c. control
question
A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it. Select one: a. security clearance scheme b. risk management scheme c. data classification scheme d. data recovery scheme
answer
c. data classification scheme
question
Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. Select one: a. acceptance b. appetite c. avoidance d. benefit
answer
a. acceptance
question
The __________ plan specifies the actions an organization can and should take while an adverse event (that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization) is in progress. Select one: a. BC b. DR c. IR d. BR
answer
c. IR
question
Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered 'National Security Information', __________ data is the lowest level classification. Select one: a. Confidential b. Unclassified c. Sensitive d. Public
answer
b. Unclassified
question
The first phase of risk management is _________. Select one: a. risk evaluation b. risk control c. design d. risk identification
answer
d. risk identification
question
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________. Select one: a. loss frequency b. benefit of loss c. likelihood d. annualized loss expectancy
answer
a. loss frequency
question
In information security, benchmarking is the comparison of past security activities and events against the organization's current performance. _________________________ Select one: True False
answer
False
question
Know yourself means identifying, examining, and understanding the threats facing the organization. Select one: True False
answer
False
question
When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________. Select one: a. best practices b. benchmarking c. standards of due care d. baselining
answer
c. standards of due care
question
If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and portray an apathetic approach to security in general. Select one: True False
answer
True
question
Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. _________________________ Select one: True False
answer
False
question
The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. Select one: a. transfer b. acceptance c. mitigation d. defense
answer
b. acceptance
question
Best business practices are often called recommended practices. Select one: True False
answer
True
question
Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _________________________ Select one: True False
answer
True
question
The __________ is the difference between an organization's observed and desired performance. Select one: a. issue delta b. objective c. performance gap d. risk assessment
answer
c. performance gap
question
In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization. Select one: True False
answer
True
question
Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, known as a threat prioritization. _________________________ Select one: True False
answer
False
question
________ addresses are sometimes called electronic serial numbers or hardware addresses. Select one: a. IP b. DHCP c. HTTP d. MAC
answer
d. MAC
question
_______ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede. Select one: a. BR b. DR c. BC d. IR
answer
b. DR
question
________ assigns a status level to employees to designate the maximum level of classified data they may access. Select one: a. security clearance scheme b. risk management scheme c. data recovery scheme d. data classification scheme
answer
a. security clearance scheme
question
A best practice proposed for a small to medium business will be similar to one used to help design control strategies for a large multinational company. Select one: True False
answer
False
question
The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Select one: a. defense b. transfer c. mitigate d. termination
answer
a. defense
question
Operational feasibility is also known as behavioral feasibility. _________________________ Select one: True False
answer
True
question
There are individuals who search trash and recycling - a practice known as _________ - to retrieve information that could embarrass a company or compromise information security. Select one: a. dumpster diving b. shoulder surfing c. corporate espionage d. pretexting
answer
a. dumpster diving
question
A(n) qualitative assessment is based on characteristics that do not use numerical measures. _________________________ Select one: True False
answer
True
question
According to Sun Tzu, if you know yourself and know your enemy you have an average chance to be successful in an engagement. Select one: True False
answer
False
question
In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria and then summing and ranking those scores. Select one: a. data classification scheme b. weighted factor analysis c. risk management program d. threat assessment
answer
b. weighted factor analysis
question
Baselining is the comparison of past security activities and events against the organization's current performance. Select one: True False
answer
True
question
A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. _________________________ Select one: True False
answer
False
question
One advantage to benchmarking is that best practices change very little over time. Select one: True False
answer
False
question
The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________. Select one: a. ARO b. SLE c. ALE d. CBA
answer
d. CBA
question
_________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures. Select one: a. Qualitative assessment b. Metric-centric model c. Quantitative assessment d. Value-specific constant
answer
a. Qualitative assessment
question
The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations. Select one: a. defend b. accept c. transfer d. mitigate
answer
c. transfer
question
The concept of competitive _________ refers to falling behind the competition. Select one: a. shortcoming b. drawback c. failure d. disadvantage
answer
d. disadvantage
question
A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment. Select one: a. IP b. CTO c. HTTP d. FCO
answer
d. FCO
question
_________ is simply how often you expect a specific type of attack to occur. Select one: a. ARO b. CBA c. ALE d. SLE
answer
a. ARO
question
One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _________________________ Select one: True False
answer
True
question
A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it. Select one: True False
answer
False
question
Loss event frequency is the combination of an asset's value and the percentage of it that might be lost in an attack. _________________________ Select one: True False
answer
False