Ch.14 Flashcards
a policy that defines the actions users may perform while accessing systems and networking equipment
acceptable use policy (AUP)
the expected monetary loss that can be anticipated for an asset due to a risk over a one-year period
annualized loss expectancy (ALE)
the likelihood of a risk occurring within a year
annualized rate of occurrence (ARO)
a methodology for making modifications to a system and keeping track of those changes
change management
a security policy that addresses the different aspects of how data should be handled within an organization
data policy
a security policy that outlines how long to maintain information in the user’s possession
data retention policy
a security policy that addresses how and when data will ultimately be erased
data wiping and disposing policy
an event that does not appear to be a risk but actually turns out to be one
false negative
an event that in the beginning is considered to be a risk yet turns out to not be one
false positive
the “framework” and functions required to enable incident response and incident handling within an organization
incident management
a type of risk control that is administrative and covers the laws, regulations, policies, practices, and guidelines that govern the overall requirements and controls
management risk control type
the average amount of time expected until the first failure of a piece of equipment
mean time to failure (MTTF)
risk control type that covers the operational procedures to limit risk
operational risk control type
a network that does not have dedicated servers, so each device simultaneously functions as both a client and a server to all other devices connected to the network
peer-to-peer (P2P) network
a security policy that outlines how the organization uses personal information it collects
privacy policy
an approach to risk calculation that uses an “educated guess” based on observation
qualitative risk calculation
an approach to risk calculation that attempts to create actual numbers of the risk by using historical data
quantitative risk calculation
specialized training that is customized to the specific role that an employee holds in the organization
role-based training
a written document that states how an organization plans to protect the company’s information technology assets
security policy
the expected monetary loss every time a risk occurs
single loss expectancy (SLE)
grouping individuals and organizations into clusters or groups based on a like affiliation
social networking
a risk control type that involves using technology to control risk
technical risk control type
An event that appears to be a risk but turns out not to be one is called a _____.
a. false negative
b. false positive
c. negative-positive
d. risk negative event (RNE)
b
Which of these is NOT a response to risk?
a. transference
b. resistance
c. mitigation
d. avoidance
b
All of these approaches are part of the Simple Risk Model EXCEPT _____.
a. regulatory
b. preventive
c. detective
d. corrective
a
A(n) _____ risk control type would use video surveillance systems and barricades to limit access to secure sites.
a. operational
b. managerial
c. technical
d. strategic
a
A statement regarding due diligence would be found in which security policy?
a. disposal and destruction policy
b. security-related human resource policy
c. acceptable use policy
d. privacy policy
b
Which risk category addresses events that impact the daily business of the organization?
a. tactical
b. strategic
c. operational
d. daily
c
_____ management covers the procedures of managing object authorizations.
a. Asset
b. Task
c. Privilege
d. Threat
c
Which statement does NOT describe a characteristic of a policy?
a. Policies define appropriate user behavior
b. Policies communicate a unanimous agreement of judgment
c. Policies may be helpful if it is necessary to prosecute violators
d. Policies identify what tools and procedures are needed
a
_____ is defined as the obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them.
a. Due process
b. Due care
c. Due obligations
d. Due diligence
b
What is a collection of suggestions that should be implemented?
a. policy
b. guideline
c. standard
d. code
b
Which statement is NOT a guideline for developing a security policy?
a. Notify users in advance that a new security policy is being developed and explain why the policy is needed
b. Require all users to approve the policy before it is implemented
c. Provide a sample of people affected by the policy with an opportunity to review the policy and comment on it
d. Prior to deployment, give all users at least two weeks to review the policy and comment on it
a
Which statement is NOT something that a security policy must do?
a. State reasons why the policy is necessary
b. Balance protection with productivity
c. Be capable of being implemented and enforced
d. Be concise and easy to understand
b
Which person should NOT serve on a security policy development team?
a. senior-level administrator
b. representative from a hardware vendor
c. member of the legal staff
d. member of management who can enforce the policy
b
Which policy defines the actions users may perform while accessing systems and networking equipment?
a. end-user policy
b. acceptable use policy
c. Internet use policy
d. user permission policy
b
______ may be defined as the study of what people understand to be good and right behavior and how people make those judgments.
a. Ethics
b. Morals
c. Values
d. Principles
a
Which recommendation would NOT be found in a password management and complexity policy?
a. Do not use the name of a pet
b. Do not use alphabetic characters
c. Do not use a password that is a word found in a dictionary
d. Do not use personally identifiable information
b
For adult learners, a(n) _____ approach (the art of helping an adult learn) is often preferred.
a. pedagogical
b. andragogical
c. institutional
d. proactive
b
Requiring employees to clear their workspace of all papers at the end of each business day is called _____.
a. empty workspace policy
b. clean desk policy
c. disposal and removal policy
d. sunshine policy
b
What is the security risk of a P2P network?
a. A virus can be transmitted
b. It is used to spread spam
c. It consumes bandwidth
d. It allows law enforcement agencies to monitor the user’s actions
a
Which statement is NOT a general security recommendation when using social networking sites?
a. Consider carefully who is accepted as a friend
b. Show “limited friends” a reduced version of your profile
c. Only access a social networking site on personal time
d. Disable options and then reopen them only as necessary
b