1 - Security Influences and Risk

Question 1

Advisory Security Policy

Answer 1

Provides instruction on acceptable and unacceptable activities

Question 2

Informative Security Policy

Answer 2

Provides information from an education standpoint

Question 3

Risk management involves:

Answer 3

identification, assessment, analyzation, and mitigation of risks

Question 4

Measurement of information security issues at management levels is accomplished by what?

Answer 4

The risk management framework

Question 5

What do risk profiles represent?

Answer 5

a cross-section of an organization’s comfort level of which risks it will and will not tolerate

Question 6

Risk management measure the effect of security on what?

Answer 6

business objectives

Question 7

Security practitioner must consider what objectives?

Answer 7

business and security

Question 8

What is NIST?

Answer 8

a U.S. government agency that develops a formal series of special publications that detail policies, procedures, and guidelines for the security of federal computer devices.

Question 9

The NIST Risk Management Framework (RMF) is detailed in what publication?

Answer 9

NISP SP 800-39: Managing Information Security Risk

Question 10

The NIST Risk Management Framework (RMF) includes what stages related to security controls?

Answer 10

• Categorize
• Select
• Implement
• Assess
• Authorize
• Monitor

Question 11

What is ISO?

Answer 11

ISO is the world’s largest standards organization; it creates standard for many industries, including security and technology

Question 12

What organizations are able to provide official accreditation to organization for demonstrating compliance with particular standard and guidelines?

Answer 12

NIST and ISO

Question 13

Many partnership business models involve the exchange of information, making information security requirements what?

Answer 13

a cross-business issue

Question 14

With regard to personnel, business models influence what?

Answer 14

how personnel are employed and whether to rely on in-house expertise or offshore talent

Question 15

What are the two high-level types of partnerships?

Answer 15

formal and informal

Question 16

Partners share in what?

Answer 16

operational responsibility, profits, and liabilities associate with a business

Question 17

Policies associate with the user of information by a partner should be?

Answer 17

determined in advance and provided to customer(s) for approval

Question 18

Customer data cannot be shared with other parties without:

Answer 18

notification of business purpose and (in the EU) customer consent, aka opt-in

Question 19

Cloud computing helps organizations in what ways?

Answer 19

Reducing costs and improving productivity by utilizing applications, accessibility, storage, availability, and scalability

Question 20

Prior to signing an agreement with a cloud provider, organizations must do what?

Answer 20

Determine the risk management and assessment processes the cloud provider implements

Question 21

Reviewing service level agreements allows you to learn what?

Answer 21

the service offerings and promises of a cloud, outsourcing, or other provider

Question 22

As businesses become global what practice with regard to personnel is becoming more common?

Answer 22

outsourcing of business functions, including information security activities

Question 23

Merger and acquisitions can result in changes to many business processes, which requires what before completion?

Answer 23

Careful attention during due diligence periods, including attention to information security processes

Question 24

What are managed security services?

Answer 24

Outsourced security and network services

Question 25

Managed security services can include what?

Answer 25

• physical security
• vulnerability assessments
• penetration testing
• operation security monitoring
• compliance monitoring/auditing
• digital forensics
• other consulting efforts

Question 26

What is the HIPAA Security Rule?

Answer 26

It standardizes the protection of PHI and requires administrative, physical, and technical safeguards

Question 27

What is PHI

Answer 27

private health information

Question 28

The GLBA’s provisions for financial organizations to protect the privacy of customer data is carried out by what?

Answer 28

the Safeguards Rule and the Privacy Rule

Question 29

SOX is an abbreviation for what?

Answer 29

the Sarbanes-Oxley Act

Question 30

SOX was created to do what?

Answer 30

Mandate publicly trade corporations to implement internal controls, auditing, and disclosure practices to protect businesses, investors, and customers from corporate scandals.

Question 31

FISMA stands for what?

Answer 31

Federal Information Security Modernization Act

Question 32

What is the purpose of FISMA?

Answer 32

To direct government agencies to enforce various security requirements on government networks and devices

Question 33

PCI DSS stands for what?

Answer 33

Payment Card Industry Data Security Standard

Question 34

What does PCI DSS require?

Answer 34

All organizations that process payment cards to protect both the transactions and the card holder data

Question 35

EU directives 2002/58/EC & 2009/136/EC both require what?

Answer 35

telecoms and ISPs to offer security for their services and to notify customers of security threats

Question 36

GDPR stands for what?

Answer 36

General Data Protection Regulation

Question 37

In general, what does GDPR do?

Answer 37

Improves the security and privacy practices required when dealing with EU customer data

Question 38

Organizations with international partnerships and locations with need to consider what with regard to export requirements?

Answer 38

Both local and foreign export requirements

Question 39

Analysis of competitors will improve organization awareness of what with regard to security?

Answer 39

security standards, procedures, guidelines, and best practices

Question 40

An internal audit can be used to do what?

Answer 40

Verify compliance with internal and external security requirements, as well as provide management with feedback on risk management efforts

Question 41

The COBIT framework provides what?

Answer 41

a set of generally accepted measures, indicators, processes, and best practices to assist in maximizing the benefits of IT

Question 42

COBIT stands for what?

Answer 42

Control Objectives for Information Technology

Question 43

HITECH stands for what?

Answer 43

Health Information Technology for Economic and Clinical Health

Question 44

The HITECH Act generally does what?

Answer 44

widens the scope of privacy and security protections available under HIPAA

Question 45

Client and customer data requirements result in what?

Answer 45

Organizational security requirements

Question 46

Top-level management evaluates security using what mindset?

Answer 46

a risk management mindset

Question 47

Deperimeterization describes what?

Answer 47

The moving of organization boundaries from the edge of the network to wherever the user’s device is.

(This includes the edge network, cloud environment, Wi-Fi network, the user’s home network, or networks accessed while traveling)

Question 48

How are teleworkers distinguished from telecommuters?

Answer 48

telecommuters work from home, whereas teleworkers travel to non-main office locations like branches or customer sites

Question 49

What does COPE stand for with regard to mobile devices?

Answer 49

Corporate Owned/Personally Enabled

Question 50

COPE describes what situation?

Answer 50

corporations buy devices but employees use them for personal and business needs

Question 51

CYOD stands for what?

Answer 51

Choose your own device

Question 52

A CYOD policy allows a business to do what?

Answer 52

Publish a limited list of devices that employees can buy, allowing the business to limit the disparity of devices to support while giving employees some level of choice

Question 53

Enterprise standard operating environments provide what benefits to the organization?

Answer 53

reduce complexity, improve security, and reduce resource requirements for operations

Question 54

What are the risk management steps, in order?

Answer 54

• Identification
• Assessment
• Analyzation
• Mitigation

Question 55

Security audit findings can be used for what?

Answer 55

to facilitate improvements in the security system

Question 56

What is divestiture?

Answer 56

When an organization sells off one of its business units