Management of Information Security Notes Chapter 2 — Planning for Security

question

attack
answer

An act or event that exploits a vulnerability is known as a(n) ____________________.
question

owners
answer

Data ____________________ are responsible for the security and use of a particular set of information.
question

safeguards
answer

Controls or ____________________ are used to protect information from attacks by threats; the terms are also often used interchangeably.
question

Resource management by executing appropriate measures to manage and mitigate risks to information technologies
answer

The basic outcomes of information security governance should include all but which of the following?
question

Acting
answer

According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization do the work according to the plan?
question

phishing
answer

In a(n) ____________________ attack, the attacker uses an e-mail or forged Web site to attempt to extract personal information from a user.
question

threat agent
answer

A(n) ____ damages or steals an organization’s information or physical asset.
question

True
answer

Information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, verification that risk management practices are appropriate, and validation that the organization’s assets are used properly.
question

Managerial
answer

____ controls set the direction and scope of the security process and provide detailed instructions for its conduct.
question

plan-driven
answer

A SDLC-based project that is the result of a carefully developed strategy is said to be ____.
question

managers
answer

Operational plans are used by ____.
question

tactical
answer

Budgeting, resource allocation, and manpower are critical components of the ____ plan.
question

vulnerability
answer

An identified weakness of a controlled system is known as a ____.
question

exploit
answer

A technique or mechanism that is used to compromise a system is called a(n) ____________________.
question

False
answer

Penetration testing is often conducted by consultants or outsourced contractors, who are commonly referred to as hackers, ninja teams or black teams.
question

brute force
answer

The application of computing and network resources to try every possible combination of characters to crack a password is known as a ____ attack.
question

False
answer

Strategic planning has a more short-term focus than tactical planning.
question

False
answer

Benefits of Information Security Governance include optimization of the allocation of limited security safeguards.
question

False
answer

Tactical planning is the basis for the long-term direction taken by the organization.
question

True
answer

Strategic plans are used to create tactical plans.
question

structured review
answer

At the end of each phase of the security systems development life cycle (SecSDLC), a ____ takes place.
question

values
answer

The ____________________ statement contains a formal set of organizational principles, standards, and qualities.
question

strategic
answer

The long-term direction taken by the organization is based on ____ planning.
question

project planning
answer

Tactical planning is also referred to as ____.
question

back door
answer

A ____ is a feature left behind by system designers or maintenance staff.
question

attack
answer

A(n) ____ is an act or event that exploits a vulnerability.
question

False
answer

Some companies refer to operational planning as intermediate planning.
question

objectives
answer

Information security ____ must be addressed at the highest levels of an organization’s management team in order to be effective and offer a sustainable approach.
question

True
answer

CISOs use the operational plan to organize, prioritize, and acquire resources for major projects.
question

Operational
answer

____ controls deal with managerial functions and lower-level planning such as disaster recovery and incident response planning.
question

analysis
answer

The ____ phase of the security systems development life cycle (SecSDLC) assesses the organization’s readiness, its current systems status, and its capability to implement and then support the proposed systems.
question

True
answer

A(n) vulnerability is an identified weakness of a controlled information asset and is the result of absent or inadequate controls.
question

logical design
answer

In the ____ phase of the security systems development life cycle (SecSDLC), the information obtained during the analysis phase is used to develop a proposed system-based solution for the business problem.
question

threat
answer

A(n) ____________________ is an object, person, or other entity that represents a constant danger to an asset of an organization.
question

operational
answer

Tactical plans are used to develop ____________________ plans.
question

exploit
answer

A(n) ____ is a technique or mechanism used to compromise a system.
question

compromises to intellectual property
answer

Copyright infringement is an example of the ____ category of threat.
question

IDEAL
answer

The Carnegie Mellon University ____________________ information security governance model begins with a stimulus for change and loops through proposals for future actions.
question

values
answer

The ____ statement contains a formal set of organizational principles, standards, and qualities.
question

Chief Risk Officer
answer

The ____________________ has the primary responsibility for independent annual audit coordination.
question

maintenance
answer

The ____ phase is typically the most important phase of the security systems development life cycle (SecSDLC).
question

Place information security at the top of the board’s agenda
answer

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
question

denial-of-service (DoS)
answer

A ____ attack involves sending a large number of connection or information requests to a target.
question

waterfall
answer

In the security systems development life cycle (SecSDLC), the work products of each phase fall into the next phase to serve as its starting point, which is known as the ____ model.
question

ambitious
answer

Vision statements are meant to be ____.
question

True
answer

The basic outcomes of information security governance should include risk management by executing appropriate measures to manage and mitigate threats to information resources.
question

Operational
answer

____ plans are used to organize the ongoing, day-to-day performance of tasks.
question

champion
answer

For any top-down approach to security implementation to succeed, the initiative must have a(n) ____ with influence to move the project forward.
question

True
answer

In a(n) methodology, a problem is solved based on a structured sequence of procedures.
question

False
answer

Organizations following the IDEAL Governance framework would determine where you are relative to where you want to be in the evaluation phase.