Management of Information Security Notes Chapter 2 — Planning for Security – Flashcards

question
attack
answer
An act or event that exploits a vulnerability is known as a(n) ____________________.
question
owners
answer
Data ____________________ are responsible for the security and use of a particular set of information.
question
safeguards
answer
Controls or ____________________ are used to protect information from attacks by threats; the terms are also often used interchangeably.
question
Resource management by executing appropriate measures to manage and mitigate risks to information technologies
answer
The basic outcomes of information security governance should include all but which of the following?
question
Acting
answer
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization do the work according to the plan?
question
phishing
answer
In a(n) ____________________ attack, the attacker uses an e-mail or forged Web site to attempt to extract personal information from a user.
question
threat agent
answer
A(n) ____ damages or steals an organization's information or physical asset.
question
True
answer
Information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, verification that risk management practices are appropriate, and validation that the organization's assets are used properly.
question
Managerial
answer
____ controls set the direction and scope of the security process and provide detailed instructions for its conduct.
question
plan-driven
answer
A SDLC-based project that is the result of a carefully developed strategy is said to be ____.
question
managers
answer
Operational plans are used by ____.
question
tactical
answer
Budgeting, resource allocation, and manpower are critical components of the ____ plan.
question
vulnerability
answer
An identified weakness of a controlled system is known as a ____.
question
exploit
answer
A technique or mechanism that is used to compromise a system is called a(n) ____________________.
question
False
answer
Penetration testing is often conducted by consultants or outsourced contractors, who are commonly referred to as hackers, ninja teams or black teams.
question
brute force
answer
The application of computing and network resources to try every possible combination of characters to crack a password is known as a ____ attack.
question
False
answer
Strategic planning has a more short-term focus than tactical planning.
question
False
answer
Benefits of Information Security Governance include optimization of the allocation of limited security safeguards.
question
False
answer
Tactical planning is the basis for the long-term direction taken by the organization.
question
True
answer
Strategic plans are used to create tactical plans.
question
structured review
answer
At the end of each phase of the security systems development life cycle (SecSDLC), a ____ takes place.
question
values
answer
The ____________________ statement contains a formal set of organizational principles, standards, and qualities.
question
strategic
answer
The long-term direction taken by the organization is based on ____ planning.
question
project planning
answer
Tactical planning is also referred to as ____.
question
back door
answer
A ____ is a feature left behind by system designers or maintenance staff.
question
attack
answer
A(n) ____ is an act or event that exploits a vulnerability.
question
False
answer
Some companies refer to operational planning as intermediate planning.
question
objectives
answer
Information security ____ must be addressed at the highest levels of an organization's management team in order to be effective and offer a sustainable approach.
question
True
answer
CISOs use the operational plan to organize, prioritize, and acquire resources for major projects.
question
Operational
answer
____ controls deal with managerial functions and lower-level planning such as disaster recovery and incident response planning.
question
analysis
answer
The ____ phase of the security systems development life cycle (SecSDLC) assesses the organization's readiness, its current systems status, and its capability to implement and then support the proposed systems.
question
True
answer
A(n) vulnerability is an identified weakness of a controlled information asset and is the result of absent or inadequate controls.
question
logical design
answer
In the ____ phase of the security systems development life cycle (SecSDLC), the information obtained during the analysis phase is used to develop a proposed system-based solution for the business problem.
question
threat
answer
A(n) ____________________ is an object, person, or other entity that represents a constant danger to an asset of an organization.
question
operational
answer
Tactical plans are used to develop ____________________ plans.
question
exploit
answer
A(n) ____ is a technique or mechanism used to compromise a system.
question
compromises to intellectual property
answer
Copyright infringement is an example of the ____ category of threat.
question
IDEAL
answer
The Carnegie Mellon University ____________________ information security governance model begins with a stimulus for change and loops through proposals for future actions.
question
values
answer
The ____ statement contains a formal set of organizational principles, standards, and qualities.
question
Chief Risk Officer
answer
The ____________________ has the primary responsibility for independent annual audit coordination.
question
maintenance
answer
The ____ phase is typically the most important phase of the security systems development life cycle (SecSDLC).
question
Place information security at the top of the board's agenda
answer
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
question
denial-of-service (DoS)
answer
A ____ attack involves sending a large number of connection or information requests to a target.
question
waterfall
answer
In the security systems development life cycle (SecSDLC), the work products of each phase fall into the next phase to serve as its starting point, which is known as the ____ model.
question
ambitious
answer
Vision statements are meant to be ____.
question
True
answer
The basic outcomes of information security governance should include risk management by executing appropriate measures to manage and mitigate threats to information resources.
question
Operational
answer
____ plans are used to organize the ongoing, day-to-day performance of tasks.
question
champion
answer
For any top-down approach to security implementation to succeed, the initiative must have a(n) ____ with influence to move the project forward.
question
True
answer
In a(n) methodology, a problem is solved based on a structured sequence of procedures.
question
False
answer
Organizations following the IDEAL Governance framework would determine where you are relative to where you want to be in the evaluation phase.