Management of Information Security Notes Chapter 2 — Planning for Security

Flashcard maker: Lily Taylor
attack
An act or event that exploits a vulnerability is known as a(n) ____________________.
owners
Data ____________________ are responsible for the security and use of a particular set of information.
safeguards
Controls or ____________________ are used to protect information from attacks by threats; the terms are also often used interchangeably.
Resource management by executing appropriate measures to manage and mitigate risks to information technologies
The basic outcomes of information security governance should include all but which of the following?
Acting
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization do the work according to the plan?
phishing
In a(n) ____________________ attack, the attacker uses an e-mail or forged Web site to attempt to extract personal information from a user.
threat agent
A(n) ____ damages or steals an organization’s information or physical asset.
True
Information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, verification that risk management practices are appropriate, and validation that the organization’s assets are used properly.
Managerial
____ controls set the direction and scope of the security process and provide detailed instructions for its conduct.
plan-driven
An SDLC-based project that is the result of a carefully developed strategy is said to be ____.
managers
Operational plans are used by ____.
tactical
Budgeting, resource allocation, and manpower are critical components of the ____ plan.
vulnerability
An identified weakness of a controlled system is known as a ____.
exploit
A technique or mechanism that is used to compromise a system is called a(n) ____________________.
False
Penetration testing is often conducted by consultants or outsourced contractors, who are commonly referred to as hackers, ninja teams or black teams.
brute force
The application of computing and network resources to try every possible combination of characters to crack a password is known as a ____ attack.
False
Strategic planning has a more short-term focus than tactical planning.
False
Benefits of Information Security Governance include optimization of the allocation of limited security safeguards.
False
Tactical planning is the basis for the long-term direction taken by the organization.
True
Strategic plans are used to create tactical plans.
structured review
At the end of each phase of the security systems development life cycle (SecSDLC), a ____ takes place.
values
The ____________________ statement contains a formal set of organizational principles, standards, and qualities.
strategic
The long-term direction taken by the organization is based on ____ planning.
project planning
Tactical planning is also referred to as ____.
back door
A ____ is a feature left behind by system designers or maintenance staff.
attack
A(n) ____ is an act or event that exploits a vulnerability.
False
Some companies refer to operational planning as intermediate planning.
objectives
Information security ____ must be addressed at the highest levels of an organization’s management team in order to be effective and offer a sustainable approach.
True
CISOs use the operational plan to organize, prioritize, and acquire resources for major projects.
Operational
____ controls deal with managerial functions and lower-level planning such as disaster recovery and incident response planning.
analysis
The ____ phase of the security systems development life cycle (SecSDLC) assesses the organization’s readiness, its current systems status, and its capability to implement and then support the proposed systems.
True
A vulnerability is an identified weakness of a controlled information asset and is the result of absent or inadequate controls.
logical design
In the ____ phase of the security systems development life cycle (SecSDLC), the information obtained during the analysis phase is used to develop a proposed system-based solution for the business problem.
threat
A(n) ____________________ is an object, person, or other entity that represents a constant danger to an asset of an organization.
operational
Tactical plans are used to develop ____________________ plans.
exploit
A(n) ____ is a technique or mechanism used to compromise a system.
compromises to intellectual property
Copyright infringement is an example of the ____ category of threat.
IDEAL
The Carnegie Mellon University ____________________ information security governance model begins with a stimulus for change and loops through proposals for future actions.
values
The ____ statement contains a formal set of organizational principles, standards, and qualities.
Chief Risk Officer
The ____________________ has the primary responsibility for independent annual audit coordination.
maintenance
The ____ phase is typically the most important phase of the security systems development life cycle (SecSDLC).
Place information security at the top of the board’s agenda
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
denial-of-service (DoS)
A ____ attack involves sending a large number of connection or information requests to a target.
waterfall
In the security systems development life cycle (SecSDLC), the work products of each phase fall into the next phase to serve as its starting point, which is known as the ____ model.
ambitious
Vision statements are meant to be ____.
True
The basic outcomes of information security governance should include risk management by executing appropriate measures to manage and mitigate threats to information resources.
Operational
____ plans are used to organize the ongoing, day-to-day performance of tasks.
champion
For any top-down approach to security implementation to succeed, the initiative must have a(n) ____ with influence to move the project forward.
True
In a methodology, a problem is solved based on a structured sequence of procedures.
False
Organizations following the IDEAL Governance framework would determine where you are relative to where you want to be in the evaluation phase.