CISS 300 Chapter 4 quiz – Flashcards
question
The ____ security policy is a planning document that outlines the process of implementing security in the organization.
answer
a. program
question
Many corporations use a ____ to help secure the confidentiality and integrity of information.
answer
d. data classification scheme
question
The ____ security policy is an executive-level document that outlines the organization's approach and attitude towards information security and relates the strategic value of information security within the organization.
answer
a. general
question
The ____ strategy attempts to shift risk to other assets, other processes, or other organizations.
answer
a. transfer control
question
Management of classified data includes its storage and ____.
answer
d. All of the above (a. distribution; b. portability; c. destruction)
question
____ policies address the particular use of certain systems.
answer
a. Systems-specific
question
The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____.
answer
b. CBA
question
Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
answer
b. appetite
question
____ addresses are sometimes called electronic serial numbers or hardware addresses.
answer
d. MAC
question
The actions an organization can and perhaps should take while an incident is in progress should be specified in a document called the ____ plan.
answer
c. IR
question
Know yourself means identifying, examining, and understanding the threats facing the organization.
answer
False
question
A(n) disaster recovery plan dictates the actions an organization can and perhaps should take while an incident is in progress.
answer
False
question
A best practice proposed for a small home office setting is appropriate to help design control strategies for a multinational company.
answer
False
question
A(n) exposure factor is the expected percentage of loss that would occur from a particular attack.
answer
True
question
____ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
answer
c. Operational
question
The ____ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
answer
d. accept control
question
____ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
answer
b. DR
question
When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a(n) ____.
answer
d. standard of due care
question
Risk ____ is the application of controls to reduce the risks to an organization's data and information systems.
answer
b. control
question
The ____ strategy attempts to prevent the exploitation of the vulnerability.
answer
b. defend control
question
The general management of an organization must structure the IT and information security functions to defend the organization's information assets. (T/F)
answer
True
question
you realize you do not know the enemy, you will gain an advantage in every battle." (Sun Tzu). (T/F)
answer
False - If you know your enemy
question
Risk control is the application of controls to reduce the risks to an organization's data and information systems. (T/F)
answer
True
question
Know yourself means identifying, examining, and understanding the threats facing the organization. (T/F)
answer
False
question
Once the organizational threats have been identified, an assets identification process is undertaken. (T/F)
answer
False - Once the assets have been identified
question
Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets. (T/F)
answer
False - it is more difficult
question
You should adopt naming standards that do not convey information to potential system attackers. (T/F)
answer
True
question
When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts. (T/F)
answer
True
question
The amount of money spent to protect an asset is based in part on the value of the asset. (T/F)
answer
True
question
The value of intellectual property influences asset valuation. (T/F)
answer
True
question
You cannot use qualitative measures to rank values. (T/F)
answer
False
question
Protocols are activities performed within the organization to improve security. (T/F)
answer
False - Programs are activities...
question
Eliminating a threat is an impossible proposition. (T/F)
answer
False - Possible but difficult
question
To determine if the risk is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited. (T/F)
answer
True
question
Leaving unattended computers on is one of the top information security mistakes made by individuals. (T/F)
answer
True
question
Some argue that it is virtually impossible to determine the true value of information and information-bearing assets. (T/F)
answer
True
question
CBAs cannot be calculated after controls have been functioning for a time. (T/F)
answer
False - a CBA can be calculated both before and after
question
Metrics-based measures are generally less focused on numbers and more strategic than process-based measures. (T/F)
answer
False - Metrics-based measures are generally more focused on numbers
question
Best business practices are often called recommended practices. (T/F)
answer
True
question
Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming. (T/F)
answer
True
question
The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment. (T/F)
answer
True
question
Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. (T/F)
answer
True
question
Risk control is the examination and documenting of the security posture of an organization's information technology and the risks it faces. (T/F)
answer
False - Risk identification is
question
Mutually exclusive means that all information assets must fit in the list somewhere. (T/F)
answer
False - Comprehensive means that all information assets must fit in the list somewhere
question
One way to determine which information assets are critical is by evaluating how much of the organization's revenue depends on a particular asset. (T/F)
answer
True
question
Each of the threats faced by an organization must be examined to assess its potential to endanger the organization and this examination is known as a threat profile. (T/F)
answer
False - it is known as a threat assessment
question
Risk evaluation assigns a risk rating or score to each information asset. (T/F)
answer
False - Risk assessment
question
Policies are documents that specify an organization's approach to security. (T/F)
answer
True
question
Program-specific policies address the specific implementations or applications of which users should be aware. (T/F)
answer
False - Issue-specific policies
question
The most common of the mitigation procedures is the disaster recovery plan. (T/F)
answer
True
question
The mitigate control strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. (T/F)
answer
True
question
Likelihood risk is the risk to the information asset that remains even after the application of controls. (T/F)
answer
False - Residual risk is
question
Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability. (T/F)
answer
True
question
ALE determines whether or not a particular control alternative is worth its cost. (T/F)
answer
False - CBA determines.
question
A(n) qualitative assessment is based on characteristics that do not use numerical measures. (T/F)
answer
True
question
Qualitative-based measures are comparisons based on numerical standards, such as numbers of successful attacks. (T/F)
answer
False - Metrics-based measures
question
Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. (T/F)
answer
True
question
In information security, benchmarking is the comparison of security activities and events against the organization's future performance. (T/F)
answer
False - baselining is
question
Within organizations, technical feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest. (T/F)
answer
False - political feasibility
question
Risk measure defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. (T/F)
answer
False - Risk appetite
question
Risk ____ is the application of controls to reduce the risks to an organization's data and information systems.
answer
control
question
The concept of competitive ____ refers to falling behind the competition.
answer
disadvantage
question
The first phase of risk management is ____.
answer
risk identification
question
____ addresses are sometimes called electronic serial numbers or hardware addresses.
answer
MAC
question
Many corporations use a ____ to help secure the confidentiality and integrity of information.
answer
data classification scheme
question
A(n) ____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
answer
FCO
question
The military uses a ____-level classification scheme.
answer
five
question
In the U.S. military classification scheme, ____ data is any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
answer
confidential
question
Management of classified data includes its storage and ____.
answer
All of the above
question
There are individuals who search trash and recycling, a practice known as ____, to retrieve information that could embarrass a company or compromise information security.
answer
dumpster diving
question
In a(n) ____, each information asset is assigned a score for each of a set of assigned critical factors.
answer
weighted factor analysis
question
____ equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty.
answer
Risk
question
The ____ security policy is an executive-level document that outlines the organization's approach and attitude towards information security and relates the strategic value of information security within the organization.
answer
general
question
The ____ security policy is a planning document that outlines the process of implementing security in the organization.
answer
program
question
____ policies address the particular use of certain systems.
answer
Systems-specific
question
The ____ strategy attempts to prevent the exploitation of the vulnerability.
answer
defend control
question
The ____ strategy attempts to shift risk to other assets, other processes, or other organizations.
answer
transfer control
question
The actions an organization can and perhaps should take while an incident is in progress should be specified in a document called the ____ plan.
answer
IR
question
____ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
answer
DR
question
The ____ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
answer
accept control