Information Security Quiz 4 – Flashcards

question
PCI DSS
answer
The purpose is to enhance the security of credit card data. Key pieces: name, credit card number, expiration date, security code.
question
PCI DSS 6 Principles
answer
1) Build and Maintain a Secure Network 2) Protect Cardholder 3) Maintain a Vulnerability Management Program 4) Implement Strong Access Control Measures 5) Regularly Monitor and Test Networks 6) Maintain an Information Security Policy
question
3 step continuous process PCI DSS
answer
Assess, Remediate, Report
question
NIST
answer
The mission is to promote U.S. innovation and competitiveness.
question
SP 800-30 includes 5 chapters
answer
1) Introduction 2) Risk Management Overview 3) Risk Assessment 4) Risk Mitigation 5) Evaluation and Assessment
question
GAISP 2 major sections
answer
Pervasive principles; broad functional principles
question
COBIT
answer
A set of good practices for IT management, designed to provide a framework for control of IT functions. Written by ITGI.
question
basic COBIT principle
answer
Business Requirements -drive investments in IT Resources - That are used by IT Processes - To deliver Enterprise Information - Which responds to...
question
4 COBIT domains
answer
Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate
question
ISO
answer
develops and publishes standards
question
Three important ISO standards
answer
Security Techniques; Principles and Guidelines on Implementation; Risk Management - vocabulary
question
IEC
answer
prepares and publishes standards for electrical, electronic, and related technologies
question
ITIL
answer
group of books developed by the UK OGC
question
ITIL 5 books
answer
Service Strategy; Service Design; Service Transition; Service Operation; Continual Service Improvement
question
CMMI
answer
process improvement approach to management.
question
CMMI 3 primary areas of interest
answer
Product and service development; service establishment, management, and delivery; product and service acquisition
question
levels
answer
0: nonexistent 1: initial 2: managed 3: defined 4: quantitatively managed 5: optimized
question
DoD DIACAP
answer
risk management process
question
DIACAP phases
answer
Initiate and plan; implement and validate; make certification and accreditation decisions; maintain ATO/review; decommission
question
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
answer
annually
question
What law applies to organizations handling health care information?
answer
HIPAA
question
CEOs and CFOs can go to jail if financial statements are inaccurate. What law is this from?
answer
SOX
question
What law requires schools and libraries to limit offensive content on their computers?
answer
CIPA
question
Employees in some companies are often required to take an annual vacation of at least 5 days. The purpose is to reduce fraud and embezzlement. What is this called?
answer
Mandatory vacation
question
Fiduciary refers to relationship of trust.
answer
True
question
Merchants that handle credit cards are expected to implement data security. What standard should they follow?
answer
PCI DSS
question
The NIST published Special Publication 800-30. What does this cover?
answer
Risk management
question
The COBIT framework is organized into four IT domains and 34 IT processes. Which one covers strategy and tactics?
answer
Plan and organize
question
A basic principle of this standard is summarized with four sentences... What is this standard?
answer
COBIT
question
Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifies objectives and controls. Part II is used for certification.
answer
ISO 27002 Information Tech Sec Techniques
question
Which of the following ISO docs provides generic guidance on risk management?
answer
ISO 31000 Risk Management Principles and Guidelines
question
ITIL is a group of five books developed by the UK OGC.
answer
True
question
In the CMMI, level ___ indicates the highest level of maturity.
answer
5
question
The DIACAP is a risk management process applied to IT systems. What happens after a system is accredited?
answer
It receives authority to operate
question
What is a BIA?
answer
A business impact analysis is a study used to identify the impact that can result from disruptions in the business. It focuses on the failure of one or more critical IT functions.
question
MAO
answer
max acceptable outage
question
CBFs
answer
critical business functions
question
CSFs
answer
critical success factors
question
Seven steps of contingency planning
answer
1) develop the contingency planning policy statement 2) conduct the business impact analysis 3) identify preventive controls 4) develop recovery strategies 5) develop an IT contingency plan 6) plan testing, training, and exercises 7) plan maintenance
question
BIA process
answer
1) identify environment 2) identify stakeholders 3) identify critical business functions 4) identify max downtime 5) identify critical resources 6) identify recovery priorities 7) develop BIA report
question
BIA best practices
answer
Start with clear objectives; don't lose sight of objectives; use a top-down approach; vary data collection methods; plan interviews and meetings in advance; don't look for the quick solution; consider the BIA as a project; consider the use of tools
question
The _______ identifies the maximum acceptable downtime for a system.
answer
maximum acceptable outage (MAO)
question
Stakeholders can determine what functions are considered critical business functions.
answer
true
question
The BIA is part of the _____
answer
Business continuity plan (BCP)
question
What defines the boundaries of a business impact analysis?
answer
Scope
question
What are two objectives of a BIA?
answer
Identify critical resources, identify critical business functions
question
You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. When calculating the costs, you should calculate the direct and ______ costs.
answer
Indirect
question
You are working on a BIA. You want to identify the max amount of data loss an org can accept. What is this called?
answer
recovery point objectives
question
You have identified the MAO for a system. You now want to specify the time required for a system to be recovered. What is this?
answer
recovery time objectives
question
Which of the following statements is true?
answer
The RTO applies to any systems or functions. However, the RPO only refers to data housed in databases.
question
You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. Which one of the following is a direct cost?
answer
loss of sales
question
What type of approach does a BIA use?
answer
Top-down approach where CBFs are examined first.
question
Mission-critical business functions are considered vital to an org. What are they derived from?
answer
Critical success factors
question
You are performing a BIA for an org. What should you map the critical business functions to?
answer
IT systems
question
Of the following choices, what are considered best practices related to a BIA?
answer
start with clear objectives, use different data collection methods
question
A cost-benefit analysis is an important part of a BIA.
answer
false
question
A(n) ________ is a plan that helps an org continue to operate during and after a disruption or disaster.
answer
BCP or business continuity plan
question
Business continuity and disaster recovery are the same thing.
answer
false
question
You want to ensure that a BCP includes specific locations, systems, employees, and vendors. You should identify these requirements in the _____ statement.
answer
scope
question
What is the purpose of a BCP?
answer
to ensure mission-critical elements of an org continue to operate after disruption
question
What does a BCP help to protect during and after a disruption or disaster?
answer
confidentiality, integrity, and availability
question
The ______ is responsible for declaring an emergency and activating the BCP.
answer
BCP coordinator
question
After a BCP has been activated, who has overall authority for the recovery of the systems?
answer
EMT
question
After a BCP has been activated, who will assess the damages?
answer
DAT
question
After a BCP has been activated, who will recover and restore critical IT services?
answer
TRT
question
What are the three phases of BCP?
answer
activation/notification, recovery, reconstitution
question
A major dis
answer
least critical business functions
question
A major dis
answer
Run the servers concurrently with the alternate location for three to five days
question
What can you do to show that the BCP will work as planned?
answer
BCP testing
question
What types of exercises can demonstrate a BCP in action?
answer
tabletop exercises, functional exercises, full-scale exercises
question
Once a BCP has been developed, it should be reviewed and updated on a regular basis.
answer
true
question
A(n) ______ is a plan used to restore critical business functions to operation after a disruption or disaster.
answer
Disaster Recovery Plan (DRP)
question
A DRP has multiple purposes. This includes saving lives, ensuring business continuity, and recovering after a disaster.
answer
true
question
Disaster recovery and fault tolerance are the same thing.
answer
false
question
A ______ is an element necessary for success......
answer
Critical success factor (CSF)
question
A business impact analysis includes a max allowable outage...
answer
recovery time objective (RTO)
question
A certain DRP covers a system that hosts a large database. You want to ensure that the data is copied to an off-site location. What could you use?
answer
data replication, electronic vaulting, remote journaling
question
A copy of backups should be stored ________ to ensure the org can survive a catastrophic disaster at the primary location.
answer
Off-site
question
You are considering an alternate location for a DRP. You want to ensure the alternate location can be brought online as quickly as possible. What type of site would you choose?
answer
cold site
question
You are considering an alternate location for a DRP. You want to ensure the alternate location can be brought online as quickly as possible. What type of site would you choose?
answer
hot site
question
You are considering an alternate location for a DRP. You want to use a business location that is already running non-critical business functions as the alternate location. This location has most of the equipment needed. What type of site is this?
answer
warm site
question
Which of the following elements are commonly included in a DRP?
answer
purpose, scope, communications, recovery steps and procedures
question
Of the following, what is critical for any DRP?
answer
data replication, cloud computing, virtualization
question
Your org has created a DRP but it hasn't been tested. Which of the following methods can you use to test it?
answer
fuel for generators
question
Once a DRP has been created, it's not necessary to update it.
answer
false