Ch.14 Flashcards

1
Q

a policy that defines the actions users may perform while accessing systems and networking equipment

A

acceptable use policy (AUP)

2
Q

the expected monetary loss that can be anticipated for an asset due to a risk over a one-year period

A

annualized loss expectancy (ALE)

3
Q

the likelihood of a risk occurring within a year

A

annualized rate of occurrence (ARO)

4
Q

a methodology for making modifications to a system and keeping track of those changes

A

change management

5
Q

a security policy that addresses the different aspects of how data should be handled within an organization

A

data policy

6
Q

a security policy that outlines how long to maintain information in the user’s possession

A

data retention policy

7
Q

a security policy that addresses how and when data will ultimately be erased

A

data wiping and disposing policy

8
Q

an event that does not appear to be a risk but actually turns out to be one

A

false negative

9
Q

an event that in the beginning is considered to be a risk yet turns out to not be one

A

false positive

10
Q

the “framework” and functions required to enable incident response and incident handling within an organization

A

incident management

11
Q

a type of risk control that is administrative and covers the laws, regulations, policies, practices, and guidelines that govern the overall requirements and controls

A

management risk control type

12
Q

the average amount of time expected until the first failure of a piece of equipment

A

mean time to failure (MTTF)

13
Q

risk control type that covers the operational procedures to limit risk

A

operational risk control type

14
Q

a network that does not have dedicated servers, so each device simultaneously functions as both a client and a server to all other devices connected to the network

A

peer-to-peer (P2P) network

15
Q

a security policy that outlines how the organization uses personal information it collects

A

privacy policy

16
Q

an approach to risk calculation that uses an “educated guess” based on observation

A

qualitative risk calculation

17
Q

an approach to risk calculation that attempts to create actual numbers of the risk by using historical data

A

quantitative risk calculation

18
Q

specialized training that is customized to the specific role that an employee holds in the organization

A

role-based training

19
Q

a written document that states how an organization plans to protect the company’s information technology assets

A

security policy

20
Q

the expected monetary loss every time a risk occurs

A

single loss expectancy (SLE)

21
Q

grouping individuals and organizations into clusters or groups based on a like affiliation

A

social networking

22
Q

a risk control type that involves using technology to control risk

A

technical risk control type

23
Q

An event that appears to be a risk but turns out not to be one is called a _____.

a. false negative
b. false positive
c. negative-positive
d. risk negative event (RNE)

A

b

24
Q

Which of these is NOT a response to risk?

a. transference
b. resistance
c. mitigation
d. avoidance

A

b

25
Q

All of these approaches are part of the Simple Risk Model EXCEPT _____.

a. regulatory
b. preventive
c. detective
d. corrective

A

a

26
Q

A(n) _____ risk control type would use video surveillance systems and barricades to limit access to secure sites.

a. operational
b. managerial
c. technical
d. strategic

A

a

27
Q

A statement regarding due diligence would be found in which security policy?

a. disposal and destruction policy
b. security-related human resource policy
c. acceptable use policy
d. privacy policy

A

b

28
Q

Which risk category addresses events that impact the daily business of the organization?

a. tactical
b. strategic
c. operational
d. daily

A

c

29
Q

_____ management covers the procedures of managing object authorizations.

a. Asset
b. Task
c. Privilege
d. Threat

A

c

30
Q

Which statement does NOT describe a characteristic of a policy?

a. Policies define appropriate user behavior
b. Policies communicate a unanimous agreement of judgment
c. Policies may be helpful if it is necessary to prosecute violators
d. Policies identify what tools and procedures are needed

A

a

31
Q

_____ is defined as the obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them.

a. Due process
b. Due care
c. Due obligations
d. Due diligence

A

b

32
Q

What is a collection of suggestions that should be implemented?

a. policy
b. guideline
c. standard
d. code

A

b

33
Q

Which statement is NOT a guideline for developing a security policy?

a. Notify users in advance that a new security policy is being developed and explain why the policy is needed
b. Require all users to approve the policy before it is implemented
c. Provide a sample of people affected by the policy with an opportunity to review the policy and comment on it
d. Prior to deployment, give all users at least two weeks to review the policy and comment on it

A

a

34
Q

Which statement is NOT something that a security policy must do?

a. State reasons why the policy is necessary
b. Balance protection with productivity
c. Be capable of being implemented and enforced
d. Be concise and easy to understand

A

b

35
Q

Which person should NOT serve on a security policy development team?

a. senior-level administrator
b. representative from a hardware vendor
c. member of the legal staff
d. member of management who can enforce the policy

A

b

36
Q

Which policy defines the actions users may perform while accessing systems and networking equipment?

a. end-user policy
b. acceptable use policy
c. Internet use policy
d. user permission policy

A

b

37
Q

______ may be defined as the study of what people understand to be good and right behavior and how people make those judgments.

a. Ethics
b. Morals
c. Values
d. Principles

A

a

38
Q

Which recommendation would NOT be found in a password management and complexity policy?

a. Do not use the name of a pet
b. Do not use alphabetic characters
c. Do not use a password that is a word found in a dictionary
d. Do not use personally identifiable information

A

b

39
Q

For adult learners, a(n) _____ approach (the art of helping an adult learn) is often preferred.

a. pedagogical
b. andragogical
c. institutional
d. proactive

A

b

40
Q

Requiring employees to clear their workspace of all papers at the end of each business day is called _____.

a. empty workspace policy
b. clean desk policy
c. disposal and removal policy
d. sunshine policy

A

b

41
Q

What is the security risk of a P2P network?

a. A virus can be transmitted
b. It is used to spread spam
c. It consumes bandwidth
d. It allows law enforcement agencies to monitor the user’s actions

A

a

42
Q

Which statement is NOT a general security recommendation when using social networking sites?

a. Consider carefully who is accepted as a friend
b. Show “limited friends” a reduced version of your profile
c. Only access a social networking site on personal time
d. Disable options and then reopen them only as necessary

A

b