Ch.14

Question 1

a policy that defines the actions users may perform while accessing systems and networking equipment

Answer 1

acceptable use policy (AUP)

Question 2

the expected monetary loss that can be anticipated for an asset due to a risk over a one-year period

Answer 2

annualized loss expectancy (ALE)

Question 3

the likelihood of a risk occurring within a year

Answer 3

annualized rate of occurrence (ARO)

Question 4

a methodology for making modifications to a system and keeping track of those changes

Answer 4

change management

Question 5

a security policy that addresses the different aspects of how data should be handled within an organization

Answer 5

data policy

Question 6

a security policy that outlines how long to maintain information in the user’s possession

Answer 6

data retention policy

Question 7

a security policy that addresses how and when data will ultimately be erased

Answer 7

data wiping and disposing policy

Question 8

an event that does not appear to be a risk but actually turns out to be one

Answer 8

false negative

Question 9

an event that in the beginning is considered to be a risk yet turns out to not be one

Answer 9

false positive

Question 10

the “framework” and functions required to enable incident response and incident handling within an organization

Answer 10

incident management

Question 11

a type of risk control that is administrative and covers the laws, regulations, policies, practices, and guidelines that govern the overall requirements and controls

Answer 11

management risk control type

Question 12

the average amount of time expected until the first failure of a piece of equipment

Answer 12

mean time to failure (MTTF)

Question 13

risk control type that covers the operational procedures to limit risk

Answer 13

operational risk control type

Question 14

a network that does not have servers, so each device simultaneously functions as both client and a server to all other devices connected to the network

Answer 14

peer-to-peer (P2P) network

Question 15

a security policy that outlines how the organization uses personal information it collects

Answer 15

privacy policy

Question 16

an approach to risk calculation that uses an “educated guess” based on observation

Answer 16

qualitative risk calculation

Question 17

an approach to risk calculation that attempts to create actual numbers of the risk by using historical data

Answer 17

quantitative risk calculation

Question 18

specialized training that is customized to the specific role that an employee holds in the organization

Answer 18

role-based training

Question 19

a written document that states how an organization plans to protect the company’s information technology assets

Answer 19

security policy

Question 20

the expected monetary loss every time a risk occurs

Answer 20

single loss expectancy (SLE)

Question 21

grouping individuals and organizations into clusters or groups based on a like affiliation

Answer 21

social networking

Question 22

a risk control type that involves using technology to control risk

Answer 22

technical risk control type

Question 23

An event that appears to be a risk but turns out not to be one is called a _____.

a. false negative
b. false positive
c. negative-positive
d. risk negative event (RNE)

Answer 23

b

Question 24

Which of these is NOT a response to risk?

a. transference
b. resistance
c. mitigation
d. avoidance

Answer 24

b

Question 25

All of these approaches are part of the Simple Risk Model EXCEPT _____. a. regulatory b. preventive c. detective d. corrective

Answer 25

a

Question 26

A(n) _____ risk control type would use video surveillance systems and barricades to limit access to secure sites. a. operational b. managerial c. technical d. strategic

Answer 26

a

Question 27

A statement regarding due diligence would be found in which security policy? a. disposal and destruction policy b. security-related human resource policy c. acceptable use policy d. privacy policy

Answer 27

b

Question 28

Which risk category addresses events that impact the daily business of the organization? a. tactical b. strategic c. operational d. daily

Answer 28

c

Question 29

_____ management covers the procedures of managing object authorizations. a. Asset b. Task c. Privilege d. Threat

Answer 29

c

Question 30

Which statement does NOT describe a characteristic of a policy? a. Policies define appropriate user behavior b. Policies communicate a unanimous agreement of judgment. c. Policies may be helpful if it is necessary to prosecute violators d. Policies identify what tools and procedures are needed

Answer 30

a

Question 31

_____ is defined as the obligations that are imposed on owners an operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them. a. Due process b. Due care c. Due obligaitons d. Due diligence

Answer 31

b

Question 32

What is a collection of suggestions that should be implemented? a. policy b. guideline c. standard d. code

Answer 32

b

Question 33

Which statement is NOT a guideline for developing a security policy? a. Notify users in advance that a new security policy is being developed and explain why the policy is needed b. Require all users o approve the policy before it is implemented c. Provide a sample of people affected by the policy with an opportunity to review the policy and comment on it. d. Prior to deployment, give all users at least two weeks to review the policy and comment on it

Answer 33

a

Question 34

Which statement is NOT something that a security policy must do? a. State reasons why the policy is necessary b. Balance protection with productivity c. Be capable of being implemented and enforced d. Be concise and easy to understand.

Answer 34

b

Question 35

Which person should NOT serve on a security policy development team? a. senior-level administrator b. representative from a hardware vendor c. member of the legal staff d. member of management who can enforce the policy

Answer 35

b

Question 36

Which policy defines the actions users may perform while accessing systems and networking equipment? a. end-user policy b. acceptable use policy c. Internet use policy d. user permission policy

Answer 36

b

Question 37

______ may be defined as the study of what people understand to be good and right behavior and how people make those judgments. a. Ethics b. Morals c. Values d. Principles

Answer 37

a

Question 38

Which recommendation would NOT be found in a password management and complexity policy? a. Do not use the name of a pet b. do not use alphabetic characters c. Do not use a password that is a word found in a dictionary d. Do not use personally identifiable information

Answer 38

b

Question 39

For adult learners, a(n) _____ approach (the art of helping an adult learn) is often preferred. a. pedagogical b. andragogical c. institutional d. proactive

Answer 39

b

Question 40

Requiring employees to clear heir workspace of all papers at the end of each business day is called _____. a. empty workspace policy b. clean desk policy c. disposal and removal policy d. sunshine policy

Answer 40

b

Question 41

What is the security risk of a P2P network? a. A virus can be transmitted b. It is issued to spread spam c. It consumes bandwidth d. It allows law enforcement agencies to monitor the user's actions

Answer 41

a

Question 42

Which statement is NOT a general security recommendation when using social networking sites? a. Consider carefully who is accepted as a friend b. Show "limited friends" a reduced version of your profile. c. Only access a social networking site on personal time. d. Disable options and then reopen them only as necessary

Answer 42

b