Chapter 15 Flashcards

1
Q

Select the option that best describes an asset:

a) any item that is owned by an enterprise
b) any item that is used by management
c) any item that is used by all employees
d) any item that has a positive economic value

A

d) any item that has a positive economic value

2
Q

Risk avoidance involves identifying the risk and making the decision to engage in the activity.

(T/F)

A

False

3
Q

Websites that group individuals and organizations into clusters or groups based on some sort are considered to be what type of networks?

a) social media network
b) social engineering network
c) social management network
d) social control network

A

a) social media network

4
Q

What describes an agreement between two or more parties and demonstrates a “convergence of will” between the parties so that they can work together?

a) BPA
b) ISA
c) NDA
d) MOU

A

d) MOU

5
Q

List and describe three of the six risk categories.

A

Three categories:

1) strategic
2) compliance
3) financial

6
Q

What type of learner learns best through hands-on approaches?

a) kinesthetic
b) auditory
c) spatial
d) visual

A

a) kinesthetic

7
Q

What is a service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service?

a) SLA
b) ISA
c) MOU
d) BPA

A

a) SLA

8
Q

Due to the potential impact of changes that can affect all users in an organization, and considering that security vulnerabilities can arise from uncoordinated changes, what should an organization create to oversee changes?

a) security control team
b) incident response team
c) change management team
d) compliance team

A

c) change management team

9
Q

Which term below describes the art of helping an adult learn?

a) deontological
b) pedagogical
c) metagogical
d) andragogical

A

d) andragogical

10
Q

A written document that states how an organization plans to protect the company’s information technology assets is a:

a) security procedure
b) standard
c) security policy
d) guideline

A

c) security policy

11
Q

Which of the following threats would be classified as the actions of a hacktivist?

a. External threat
b. Internal threat
c. Environmental threat
d. Compliance threat

A

a. External threat

12
Q

Which of these is NOT a response to risk?

a. Mitigation
b. Transference
c. Resistance
d. Avoidance

A

c. Resistance

13
Q

Agnella was asked to create a report that listed the reasons why a contractor should be provided penetration testing authorization. Which of the following would she NOT list in her report?

a. Legal authorization
b. Indemnification
c. Limit retaliation
d. Access to resources

A

d. Access to resources

14
Q

Which of the following risk control types would use video surveillance systems and barricades to limit access to secure sites?

a. Operational
b. Managerial
c. Technical
d. Strategic

A

c. Technical

15
Q

Which of the following approaches to risk calculation typically assigns a numeric value (1‒10) or label (High, Medium, or Low) that represents a risk?

a. Quantitative risk calculation
b. Qualitative risk calculation
c. Rule-based risk calculation
d. Policy-based risk calculation

A

a. Quantitative risk calculation

16
Q

Which of the following is the average amount of time that it will take a device to recover from a failure that is not a terminal failure?

a. MTTF
b. MTTR
c. FIT
d. MTBF

A

b. MTTR

17
Q

Which of the following covers the procedures of managing object authorizations?

a. Asset management
b. Task management
c. Privilege management
d. Threat management

A

c. Privilege management

18
Q

Which statement does NOT describe a characteristic of a policy?

a. Policies define appropriate user behavior.
b. Policies identify what tools and procedures are needed.
c. Policies communicate a unanimous agreement of judgment.
d. Policies may be helpful if it is necessary to prosecute violators.

A

b. Policies identify what tools and procedures are needed.

19
Q

Tomassa is asked to determine the expected monetary loss every time a risk occurs. Which formula will she use?

a. AV
b. ARO
c. ALE
d. SLE

A

d. SLE

20
Q

What is a collection of suggestions that should be implemented?

a. Policy
b. Guideline
c. Standard
d. Code

A

b. Guideline

21
Q

Simona needs to research a control that attempts to discourage security violations before they occur. Which control will she research?

a. Deterrent control
b. Preventive control
c. Detective control
d. Corrective control

A

a. Deterrent control

22
Q

Which statement is NOT something that a security policy must do?

a. State reasons why the policy is necessary.
b. Balance protection with productivity.
c. Be capable of being implemented and enforced.
d. Be concise and easy to understand.

A

b. Balance protection with productivity.

23
Q

What describes the ability of an enterprise data center to revert to its former size after expanding?

a. Scalability
b. Elasticity
c. Contraction
d. Reduction

A

b. Elasticity

24
Q

Which policy defines the actions users may perform while accessing systems and networking equipment?

a. End-user policy
b. Acceptable use policy
c. Internet use policy
d. User permission policy

A

b. Acceptable use policy

25
Q

While traveling abroad, Giuseppe needs to use public Internet café computers to access the secure network. Which of the following non-persistence tools should he use?

a. Snapshot
b. Live boot media
c. Revert to known state
d. Secure Configuration

A

b. Live boot media

26
Q

Bria is reviewing the company’s updated personal email policy. Which of the following will she NOT find in it?

a. Employees should not use company email to send personal email messages.
b. Employees should not access personal email at work.
c. Employees should not forward company emails to a personal email account.
d. Employees should not give out their company email address unless requested.

A

d. Employees should not give out their company email address unless requested.

27
Q

For adult learners, which approach is often preferred?

a. Pedagogical
b. Andragogical
c. Institutional
d. Proactive

A

b. Andragogical

28
Q

Which of the following is NOT a security risk of social media sites for users?

a. Personal data can be used maliciously.
b. Users may be too trusting.
c. Social media security is lax or confusing.
d. Social media sites use popup ads.

A

d. Social media sites use popup ads.

29
Q

Which of the following is NOT a time employee training should be conducted?

a. After monthly patch updates.
b. When a new computer is installed.
c. During an annual department retreat.
d. When an employee is promoted.

A

a. After monthly patch updates.

30
Q

Bob needs to create an agreement between his company and a third-party organization that demonstrates a “convergence of will” between the parties so that they can work together. Which type of agreement will Bob use?

a. SLA
b. BPA
c. ISA
d. MOU

A

d. MOU

31
Q

The security administrator for Corp.com wants to provide wireless access for employees as well as guests. Multiple wireless access points and separate networks for internal users and guests are required. Which of the following should separate each network? (Choose all that apply.)

a) Channels
b) SSIDs
c) Physical security
d) Security protocols

A

a) Channels
b) SSIDs
d) Security protocols

32
Q

Which of the following is true concerning vulnerability scanning? (Choose all that apply.)

a) Some scanning attempts are intrusive while some are non-intrusive.
b) False positive is possible!
c) All scanning attempts must be credentialed.
d) False negative is not possible!
e) Some scanning attempts may be credentialed while some may be non-credentialed.

A

a) Some scanning attempts are intrusive while some are non-intrusive.
b) False positive is possible!
e) Some scanning attempts may be credentialed while some may be non-credentialed.

33
Q

How is credentialed scanning better than non-credentialed scanning? (Choose all that apply.)

a) Customized auditing
b) Safer scanning
c) More accurate results
d) Active vs. passive scanning

A

a) Customized auditing
b) Safer scanning
c) More accurate results

34
Q

Help from a Recovery Agent is necessary when:

a) One needs to set up a registration authority.
b) One needs to service a CSR.
c) One needs to remove a CRL.
d) The private key is lost by a user.
e) One wants to implement OCSP.
f) The public key is lost.

A

d) The private key is lost by a user.

35
Q

What is the difference between a key escrow and a recovery agent? (Choose all that apply.)

a) The former is primarily for helping internal users
b) The former has replaced the latter in many occasions
c) The former is primarily for third party access to data
d) The latter is primarily for third party access to data
e) The latter is primarily for helping internal users

A

c) The former is primarily for third party access to data
e) The latter is primarily for helping internal users