Inf Sec Flashcards

1
Q

A property right granted to an inventor to exclude others from making, using, offering for sale, or selling the invention for a limited time is called a

A

Patent

2
Q

What factors should be considered when using the internet to link organization offices?

A

Confidentiality, Integrity, and Availability

3
Q

Which of the following fields involves defences against the interception of data communications from microphones, transmitters, or wiretaps?

A

Transmission security

4
Q

In protecting information assets, an effective protection strategy begins with:

A

A clear, practical policy that is shared with all relevant parties and enforced with fairness.

5
Q

What is the key organizational asset?

A

Information

6
Q

What are the key steps that can be taken after an information loss?

A

1 - Investigation
2 - Damage assessment
3 - Recovery and follow-up

7
Q

What is application security?

A

Application security is the protection of business applications, which typically consist of custom code, third-party software, and one or more servers. Improper integration of these components can result in a vulnerability that is later exploited to gain unauthorized access to data.

8
Q

What can an intrusion detection system monitor?

A

1 - Malicious programs
2 - Unauthorized changes to files and settings

9
Q

What is the most effective IT protection?

A

The most effective IT protection is a layered approach that integrates
1 - Physical measures
2 - Procedural measures
3 - Logical protection measures

10
Q

What are the elements of technical surveillance countermeasures?

A

Services
Equipment and
Techniques.

11
Q

Who should execute an NDA as a condition of employment in the organization?

A

All employees should execute an NDA as a condition of employment

12
Q

When can information be said to be a trade secret?

A

For information to be a trade secret, the owner must be able to prove that:
1 - The information adds value or benefit to the owner
2 - The trade secret was specifically identified
3 - The owner provided a reasonable level of protection for the trade secret

13
Q

What is the fundamental difference between a patent and a trade secret?

A

A patent requires that the inventor publicly disclose the invention's elements, and a patent lasts only 20 years.
Conversely, a trade secret is not disclosed and may last indefinitely.

14
Q

Why is it essential to register a trademark before the product enters the stream of commerce in any country?

A

Because registration is the primary means of ensuring that the mark is eligible for protection under that country's law before the product enters the stream of commerce, and of ensuring that trademark infringement can be remedied through administrative or judicial proceedings.

15
Q

What is the best way to start addressing infringement of patents, copyrights and trademarks?

A

The best way to start addressing infringement of patents, copyrights and trademarks is to register those rights

16
Q

What fact does operations security respond to?

A

Operations security responds to the fact that small bits of information taken from several different sources can be combined to reveal sensitive information.

17
Q

Operations security is used to protect which type of information?

A

To protect unclassified information.

18
Q

How can an organization ensure that critical information retains its availability, confidentiality, and integrity during all phases of a crisis, including response and recovery?

A

By incorporating the information asset protection program into the organization's business continuity plan.

19
Q

Personnel security plays a key role in an information asset protection program. What matters does personnel security include to protect information assets?

A

Due diligence investigations of potential partners, standard pre-employment screening, and vetting of subcontractors, vendors, and consultants.

20
Q

On what basis should an employee's access to information assets be determined?

A

An employee's access should be based on his or her current job function and need to know, not solely on position or management level.

21
Q

Who typically determines the classification level of an information asset?

A

The originator of the information.

22
Q

What must the protection measures ensure?

A

The protection measures must be sufficient to ensure the confidentiality, integrity, availability, accountability, recoverability, auditability, and non-repudiation of information in both the physical and cyber environments.

23
Q

How does all the information in the organization need to be evaluated?

A

All information needs to be appropriately evaluated for sensitivity.

24
Q

What should clarify that information is one of the organization’s most important resources?

A

The policy of the organization

25
Q

While developing information asset protection policies and awareness, what is important?

A

It is important to identify what information should be protected and when, and then to identify the many forms this information may take over its life cycle.

26
Q

In the organization, who can influence security most, and why?

A

First- and second-tier management, because the managers who see employees every day are the ones who will actually be there to notice when people are following security practices and when they are not.

27
Q

Who is ultimately responsible for protecting information assets in the organization?

A

Ultimately the responsibility for protecting information assets rests with the leadership of an organization.

28
Q

What are the purposes of an information risk assessment?

A

A risk assessment should identify risks, quantify them, and prioritize them according to the organization's criteria for risk acceptance.

29
Q

In 80 percent of cases, how does the perpetrator of an information-asset loss come to the attention of management?

A

Through inappropriate behaviors before the incident (e.g., tardiness, truancy, arguments with coworkers, or poor job performance).

30
Q

What elements have converged to create unusually fertile ground for insider espionage?

A

The information revolution, global economic competition, the involvement of new and non-traditional intelligence adversaries, and other changes in the domestic and international environment.

31
Q

What are the causes of inadvertent threats?

A

Inadvertent threats can be attributed to inadequate employee training, misunderstandings, lack of attention to detail, lax security enforcement, pressure to produce a deliverable, insufficient staffing, etc.

32
Q

From whom do the largest losses of information basically come?

A

The largest losses basically come from "the people in the mirror": people make mistakes, and those mistakes are the most likely thing to hurt the organization.

33
Q

What are the most frequently overlooked threats?

A

The most frequently overlooked threats are inadvertent threats.

34
Q

What needs to be done to assess intentional threats?

A

To assess intentional threats, one needs to:
1 - Identify potential adversaries
2 - Evaluate their capability
3 - Evaluate their intention to target key information assets

35
Q

What are the types of threats for information assets?

A

Types of threats for information assets may include:
1 - Intentional threats
2 - Natural threats
3 - Inadvertent threats

36
Q

What is the goal of an information security program?

A

The goal of an information security program is to optimize risk (reduce it to a level the organization accepts, at a cost it can justify), never merely to minimize it.

37
Q

Which of the following is one step in the risk assessment process for use in protecting information?

A

Identifying information assets

38
Q

According to current trends in security problems, what is one of the most serious economic and national security challenges for the US?

A

The cyber threat is one of the most serious economic and national security challenges.

39
Q

What changes can a person who controls the computer linked to an access control system make?

A

A person who can control that computer creates two dangers:
1 - A valid administrator could add a backdoor or an additional card
2 - The system may be accessible from the internet

40
Q

What is the weakness of HID cards?

A

When the card reader requests an identification number, the card simply supplies it without any verification of authenticity, so the number can be read once and replayed from a cloned card.

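As an added example (not part of the original flashcard set), the Python simulation below plays out the exchange on this card: a "static" card answers a reader's request with its fixed identifier, so anyone who has captured that one answer can replay it from a duplicate. For contrast it also models a challenge-response card, an assumed design that the flashcard does not describe, in which the card proves possession of a secret key with an HMAC over a fresh reader nonce; a clone that only recorded earlier traffic cannot answer. Card identifiers and keys are invented.

```python
# Added example: static-ID card (replayable) versus challenge-response card.
# Both readers and both cards are simulated in-process; no real hardware.
import hashlib
import hmac
import secrets


class StaticCard:
    """Proximity-style card: emits its identifier on request, no authentication."""
    def __init__(self, card_id):
        self.card_id = card_id

    def respond(self, _challenge=None):
        return self.card_id  # same answer every time, regardless of the reader


class StaticReader:
    def __init__(self, enrolled_ids):
        self.enrolled_ids = set(enrolled_ids)

    def admit(self, card):
        return card.respond() in self.enrolled_ids


def clone_static(card):
    """An attacker who sniffs one exchange can build a working duplicate."""
    return StaticCard(card.respond())


class ChallengeCard:
    """Card holding a per-card secret; answers HMAC-SHA256(key, nonce)."""
    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge):
        return self.card_id, hmac.new(self._key, challenge, hashlib.sha256).digest()


class ChallengeReader:
    def __init__(self, keys_by_id):
        self.keys_by_id = dict(keys_by_id)

    def admit(self, card):
        nonce = secrets.token_bytes(16)  # fresh per transaction
        card_id, answer = card.respond(nonce)
        key = self.keys_by_id.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(answer, expected)


class ReplayCard:
    """Clone that recorded one genuine (nonce, response) pair and replays it."""
    def __init__(self, card_id, recorded_answer):
        self.card_id = card_id
        self.recorded_answer = recorded_answer

    def respond(self, _challenge):
        return self.card_id, self.recorded_answer


def run_static_scenario():
    """Returns (genuine admitted, clone admitted) for the static-ID design."""
    genuine = StaticCard("0007 12345")
    reader = StaticReader(["0007 12345"])
    return reader.admit(genuine), reader.admit(clone_static(genuine))


def run_challenge_scenario():
    """Returns (genuine admitted, replaying clone admitted) for challenge-response."""
    key = secrets.token_bytes(32)
    genuine = ChallengeCard("0007 12345", key)
    reader = ChallengeReader({"0007 12345": key})
    # Attacker eavesdrops on one legitimate transaction and replays its answer.
    _cid, captured = genuine.respond(secrets.token_bytes(16))
    clone = ReplayCard("0007 12345", captured)
    return reader.admit(genuine), reader.admit(clone)


if __name__ == "__main__":
    print("static card: genuine admitted %s, clone admitted %s" % run_static_scenario())
    print("challenge card: genuine admitted %s, clone admitted %s" % run_challenge_scenario())
```

The point the static scenario makes is that nothing the card says depends on the reader, so one captured answer is all a cloner needs; the reader has no way to tell the original from the copy.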
41
Q

What is phishing?

A

Phishing is a social-engineering attack, typically using fraudulent e-mail or web pages, by which outsiders trick users into giving up credentials and so gain insider privileges that let them extract information.

42
Q

To combat cyber-attacks, what is required?

A

Effectively combating cyber-attacks requires:
1 - Increased awareness
2 - New technology
3 - Improved response and recovery capabilities

43
Q

When an information security system depends on the internet, hackers can exploit the system using different forms of attack. What are those forms of attack?

A

Hackers attack using worms, viruses, network flooding, no-notice attacks through compromised routers, spyware, insider attacks, data exfiltration by outsiders who gain insider privileges (phishing), and distributed denial-of-service attacks; all are commonplace.

44
Q

What additional risks are created by convergence?

A

Convergence creates significant additional risk to the organization because the physical security devices are now accessible from anywhere on the network.

45
Q

What is security convergence?

A

Security convergence is the integration, in a formal, collaborative, and strategic manner, of the cumulative security resources of the organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.

46
Q

What are the seven critical success factors that an information security standard of care must meet?

A

1- Executive management responsibility
2- Information security policy
3- User awareness training and education
4- Computer and network security
5- Third- party information security assurance
6- Physical and personnel security
7- Periodic risk assessment.

47
Q

The objective of an ISS program is to prudently and cost-effectively manage the risk to critical information in three respects. What are they?

A

That it is not compromised (confidentiality); that it remains unchanged without authorization (integrity); that it remains available (availability).

48
Q

What is "rogueware"?

A

Rogueware is software that pretends to be security software but actually compromises a computer; it is on the rise. Cybercriminals spread it by getting users to download the malicious software themselves.

49
Q

What kind of attack can circumvent signature-based controls?

A

A malware attack, specifically one using new or modified malicious code for which no signature yet exists.

50
Q

How do successful breaches of information occur in the organization?

A

When someone is able to take advantage of an error committed by the victim and installs malware to exploit it.

51
Q

Which kind of criminal group poses the greatest threat to corporate information systems?

A

Organized criminal groups pose the greatest threat to corporate information systems because they can organize the funds to conduct their attacks.

52
Q

What factors are promoting cyber-attacks?

A

The factors promoting cyber-attacks are: cybercriminals do not need to change their malware as quickly but can deploy it on more sites; they can use automated techniques that continually compromise legitimate websites; and they can change malware code so that it is not detected by traditional antivirus systems.

53
Q

What is the purpose of bots?

A

Bots (software applications that run automated tasks) are placed under the control of hackers, for example to bring a site down.

54
Q

Why is sanitized code used?

A

Sanitized code was used in a penetration test to obtain Social Security numbers and other sensitive information from a supposedly secure database.

55
Q

How should security professionals augment their physical security paradigm to address the challenges of information systems security?

A

To address the challenges of ISS, security professionals must augment their physical security paradigm with a new logical security paradigm.

56
Q

In relation to information systems security (ISS), what does the security professional strive to protect?

A

The security professional strives to protect the CIA triad:
1 - Confidentiality
2 - Integrity
3 - Availability

57
Q

What is the difference between residual threat risk and residual risk?

A

Residual threat risk is, for each threat, the remaining potential risk after all ISS countermeasures are applied. Residual risk is the total remaining potential risk after all ISS countermeasures are applied, across all threats.

58
Q

What types of threat agents exist in information systems security?

A

Information system threat agents are:
1- Natural
2- People
3- Virtual

59
Q

In relation to virtual threats, a computer program or script illegitimately installed on a workstation, server, router, or other information systems device is capable of what types of activities?

A

Any or all of the following:
1 - Sending information from the device on which it is installed to the owner of the program (its controller),
2 - Receiving command-and-control instructions from its controller and adjusting its behavior accordingly,
3 - Executing commands on the device on which it is installed

60
Q

Before using a virtual threat agent, a cybercriminal or other perpetrator must get it onto a target computer. What methods may they use?

A

Methods include
1- Direct physical access to the computer (via a USB drive or other peripheral)
2- Hacking into the computer remotely
3- Placing malware on the computer
4- Phishing
5- Social engineering

61
Q

Into what broad categories can information systems security vulnerabilities be broken?

A

1- Vulnerabilities in the information systems infrastructure
2- Vulnerabilities in the people using the information systems infrastructure (users)
3- Vulnerabilities in the people maintaining the information systems infrastructure (custodians)
4- Executive and senior management vulnerabilities
5- Vulnerabilities in information systems management processes

62
Q

Before outlining the range of countermeasures available for managing residual information system risk, what is it important to specify?

A

It is important to specify the ISS control objectives that those countermeasures must meet.

63
Q

What are the broad categories into which information systems countermeasures are divided?

A

Information system countermeasures are divided into three broad classifications:
1- Administrative controls
2- Technical controls
3- Physical controls

64
Q

What is perhaps most important in information security?

A

Perhaps most important in information security, as in physical security, is to have the buy-in of executive management in supporting security initiatives.

65
Q

What layers does the OSI model consist of?

A

The seven layers of the OSI model are:
1- Physical (layer 1)
2- Data link (layer 2)
3- Network (layer 3)
4- Transport (layer 4)
5- Session (layer 5)
6- Presentation (layer 6)
7- Application (layer 7)

66
Q

Which of the OSI layers was developed so that computers that could not immediately see each other could nevertheless still communicate?

A

Layer 3 (the network layer) of the OSI (Open Systems Interconnection) model, which lets computers that cannot immediately see each other still communicate.

67
Q

At OSI layer 3, with the help of which equipment can computers communicate with each other even though they cannot see each other?

A

The network device called a router allows this communication to happen.

68
Q

What do you understand by buffer overflow?

A

It is a form of attack in which a malicious user or program gives a computer program more input than it expects. The extra bytes overflow the buffer into adjacent memory and can give the computer instructions to do something unintended.

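As an added example (not part of the original flashcard set), the Python script below reproduces the mechanism on this card with real memory, using ctypes. A C-style record holds an 8-byte name field followed by an integer flag. The vulnerable copy writes however many bytes it is given, so input longer than 8 bytes spills into the flag; the bounded copy checks the length first and refuses. The record layout, the "admin" flag and the attacker input are constructed for the demonstration.

```python
# Added example: an overflow of a fixed-size buffer into the field that
# follows it, and the bounded copy that prevents it. Uses ctypes so that the
# overwrite is real memory corruption inside the structure, not a simulation.
import ctypes

NAME_SIZE = 8  # bytes reserved for the name field, like char name[8] in C


class Record(ctypes.Structure):
    _fields_ = [
        ("name", ctypes.c_char * NAME_SIZE),  # fixed-size buffer
        ("is_admin", ctypes.c_int),           # sits immediately after the buffer
    ]


def vulnerable_copy(record, data):
    """Unbounded copy: behaves like strcpy/memcpy with the attacker's length."""
    ctypes.memmove(ctypes.addressof(record), data, len(data))
    return record


def bounded_copy(record, data):
    """Checks the input length against the buffer size before copying."""
    limit = NAME_SIZE - 1  # leave room for a terminating NUL
    if len(data) > limit:
        raise ValueError("input of %d bytes exceeds %d-byte buffer" % (len(data), limit))
    ctypes.memmove(ctypes.addressof(record), data, len(data))
    return record


# Constructed attacker input: fills the 8-byte buffer, then four non-zero
# bytes that land on is_admin. 0x01010101 is non-zero on any byte order.
OVERFLOW_INPUT = b"A" * NAME_SIZE + b"\x01\x01\x01\x01"


def run_vulnerable():
    """True if the overflow flipped the flag the attacker never had rights to set."""
    rec = Record()
    vulnerable_copy(rec, OVERFLOW_INPUT)
    return rec.is_admin != 0


def run_bounded():
    """Same input through the bounded copy: the flag must stay untouched."""
    rec = Record()
    try:
        bounded_copy(rec, OVERFLOW_INPUT)
    except ValueError:
        pass
    return rec.is_admin != 0


if __name__ == "__main__":
    print("vulnerable copy flipped is_admin:", run_vulnerable())
    print("bounded copy flipped is_admin:", run_bounded())
```

Here the overwritten neighbour is a flag, which makes the effect easy to see; in native code the neighbour is often a saved return address, which is how "instructions to do something unintended" become code execution.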
69
Q

What is the third element of the AAA triad?

A

Authentication and authorization are two parts of what is called the AAA triad. The third part is auditing/accountability (also called accounting).

70
Q

Apart from AAA, how else can data confidentiality be maintained?

A

Apart from AAA, data confidentiality can be maintained through encryption and system protection.

71
Q

Explain the difference between authentication and authorization.

A

Authentication means examining the identity of a user who seeks to gain access to a computer, for example by asking for a user name and password. Authorization means that, after identifying the user, the computer checks a database to see what type of access that particular user has. This process allows the user to exercise his or her rights according to the level of access to information predetermined by the organization's policy.

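As an added example (not part of the original flashcard set), the Python code below puts the three AAA steps from this card and the previous ones into one small server: authentication against a table of salted password hashes, authorization from a role table keyed by job function (the need-to-know idea elsewhere in this deck), and an audit log that records every decision. The user names, passwords, roles and permissions are invented.

```python
# Added example: authentication, authorization and accounting in one place.
# Users, roles and permissions below are constructed for the demonstration.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class AAAServer:
    def __init__(self):
        self.users = {}        # username -> (salt, digest, role)
        self.roles = {         # role -> permitted actions (constructed policy)
            "clerk": {"read:payroll"},
            "payroll_admin": {"read:payroll", "write:payroll"},
        }
        self.audit_log = []    # accounting/auditing record

    def add_user(self, username, password, role):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, role)

    def authenticate(self, username, password):
        """Who are you? Verify the credential in constant time."""
        entry = self.users.get(username)
        if entry is None:
            # Do the same work for unknown users so they are not faster to probe.
            hash_password(password, b"\x00" * 16)
            self._log(username, "authenticate", "fail: unknown user")
            return False
        salt, digest, _role = entry
        ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        self._log(username, "authenticate", "ok" if ok else "fail: bad password")
        return ok

    def authorize(self, username, action):
        """What may you do? Decided by the role's permissions, not by rank."""
        entry = self.users.get(username)
        allowed = entry is not None and action in self.roles.get(entry[2], set())
        self._log(username, action, "allow" if allowed else "deny")
        return allowed

    def _log(self, username, action, outcome):
        """Accounting: every decision is recorded for later audit."""
        self.audit_log.append((username, action, outcome))


def demo():
    """Constructed scenario exercising all three A's; returns the outcomes."""
    srv = AAAServer()
    srv.add_user("alice", "correct horse battery staple", "clerk")
    srv.add_user("bob", "Tr0ub4dor&3", "payroll_admin")
    return {
        "alice_login": srv.authenticate("alice", "correct horse battery staple"),
        "alice_wrong_pw": srv.authenticate("alice", "wrong"),
        "mallory_login": srv.authenticate("mallory", "anything"),
        "alice_read": srv.authorize("alice", "read:payroll"),
        "alice_write": srv.authorize("alice", "write:payroll"),
        "bob_write": srv.authorize("bob", "write:payroll"),
        "audit_entries": len(srv.audit_log),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Note that authorization never looks at the password and authentication never looks at the role: the two questions are answered by different data, which is the distinction the card draws.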
72
Q

What approaches can be applied beyond the user name and password to make the authentication process harder to defeat and increase the security of data?

A

Biometric authentication; second-factor authentication (e.g. a one-time password); encryption

73
Q

While designing an information system, why is it important to include redundancy?

A

Because redundancy aids efforts to ensure data availability and also ensures continuity.

74
Q

If a company is truly concerned about the security of its data, whether over the open internet or within a more private network, what technology can be used?

A

A virtual private network (VPN), which encrypts data from one point to another.

75
Q

What do you understand by an "escalation of privileges" attack?

A

"Escalation of privilege" is an attack in which an attacker obtains rights beyond those legitimately granted. The example given here is a specially crafted e-mail that causes the mail system to do something undesirable to the recipient; the attack succeeds because the e-mail program is tricked into executing the e-mail as if it were a program rather than simply processing it as text.

76
Q

Despite the many advantages of VoIP systems, what is the security downside?

A

In a VoIP system, every phone and every server hosting phone-related information, including voicemail and the actual phone calls in progress, has the potential to be compromised, because these systems are fully accessible on the network.

77
Q

What is a critical aspect of any information security program?

A

Third-party review is a critical aspect of any information security program. Each organization is responsible for managing its vendors and ensuring that they come up to a specified level of security.

78
Q

What is the fundamental difference between IDS and IPS?

A

An intrusion detection system (IDS) is designed to monitor one's network and to interpret, either via behavior or via patterns/signatures, whether someone is trying to attack the system; it detects and alerts. An intrusion prevention system (IPS) is designed to automatically stop an attack in progress.

79
Q

What is ISO 27001, and into what 11 domains is it broken down?

A

ISO 27001 is an international standard for managing information security.
In its 2005 edition the standard's control set is broken down into 11 domains:
1- Security policy
2- Organization of information security
3- Asset management
4- Human resources security
5- Physical and environmental security
6- Communications and operations management
7- Access control
8- Information systems acquisition, development and maintenance
9- Information security incident management
10- Business continuity management
11- Compliance

80
Q

What is the centerpiece of ISO 27001?

A

The centerpiece of ISO 27001 is its concept of the information security management system (ISMS).

81
Q

What are the three basic pillars of information security?

A

Confidentiality, integrity, and availability (the CIA triad).

82
Q

What is the purpose of a program developed under the "Red Flags Rule"?

A

Early detection and prevention of identity theft.

83
Q

What is the biggest challenge for management in relation to ISS policy implementation?

A

Management's biggest challenge lies not in the writing of specific ISS policies but in the orderly development and implementation of those policies.

84
Q

The effectiveness of an information security program ultimately depends on what?

A

On people's behavior.

85
Q

An employee's access to information should be based on what criteria?

A

Their current job function and "need-to-know."

86
Q

In the context of information asset protection, “sanitizing” is the process of:

A

Removing data on the media before the media is reused

87
Q

Which of the following can be used to authenticate and authorize computer access?

A

What a person has, what a person knows, and who a person is.

88
Q

Original works in the form of books, magazines, musical scores, movies, and computer software programs are protected by a:

A

Copyright

89
Q

How does a host intrusion prevention system (HIPS) differ from an intrusion detection system (IDS)?

A

A HIPS operates on an individual host system, such as a computer or server, and can block activity on that host; an IDS monitors, typically at the network level, and alerts.

90
Q

A password-cracking attempt that systematically tries every possible combination of letters and numbers is referred to as a:

A

Brute force attack

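As an added example (not part of the original flashcard set), the Python script below performs the search this card names, against a constructed SHA-256 hash of a short password. Candidates are enumerated shortest-first over a lowercase-plus-digit alphabet, and the function reports the recovered password together with the number of guesses it took, which makes the cost of each extra character visible. The target password is invented.

```python
# Added example: exhaustive (brute-force) search for a password given only its
# hash. The target hash is constructed here from a made-up 3-character password.
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def brute_force(target_hex, alphabet=ALPHABET, max_len=4):
    """Return (password, attempts), or (None, attempts) if max_len is exhausted."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def keyspace(alphabet_size, max_len):
    """Total number of candidates of 1..max_len characters."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    pw, tries = brute_force(sha256_hex("s3c"), max_len=3)
    print("recovered %r after %d guesses (keyspace %d)" % (pw, tries, keyspace(36, 3)))
    # Each extra character multiplies the worst case by the alphabet size.
    for n in range(1, 9):
        print("%d chars: %d candidates" % (n, keyspace(36, n)))
```

Two things follow from the numbers it prints: length and alphabet size are what make the search infeasible, and the defender's lever is the cost of each guess, which is why password stores use a deliberately slow hash (PBKDF2, bcrypt, scrypt, Argon2) rather than a single SHA-256 as in this illustration, and why login endpoints rate-limit attempts.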
91
Q

A software program that performs a useful purpose but also has a hidden destructive purpose is known as a:

A

Trojan horse

93
Q

When preparing for a technical surveillance countermeasures (TSCM) inspection, it is not necessary to determine the:

A

Height of the building

94
Q

The first step in keeping sensitive information secure is to:

A

Classify it according to its value.

95
Q

In a theft of proprietary information case, which of the following steps is most important to the security manager?

A

Establishing that the information was patented, trademarked, or copyrighted.

97
Q

The first step in securing sensitive information is to

A

Identify it and classify it by value.

98
Q

One step for harmonizing information asset protection (IAP) and general business practices is to:

A

Communicate IAP issues to all elements of management

99
Q

Why are the ISO 27001 and ISO 27002 standards important for the information systems security (ISS) practitioner?

A

They represent the first acknowledged worldwide standards to identify a code of practice for the management of information security.

100
Q

Why is it important to encrypt the video stream from video cameras on the network?

A

To ensure that whatever credentials are passed between a workstation and the device cannot be easily stolen off the network. Otherwise the organization may face one of these familiar issues: denial of service, insertion of inaccurate data, data theft, data modification, and data destruction.

101
Q

In the present cyber security context, it is not recommended to allow even a legitimate user to access video or access control data remotely with only a user name and password. To ensure greater protection of data, what should corporate ISS policies prohibit?

A

Corporate ISS policies should prohibit remote access to the network without second-factor authentication.

102
Q

When is a converged IP-based access control system vulnerable to viruses and Trojans?

A

A converged IP-based access control system is vulnerable to viruses and Trojans when no antivirus or other host protection software is placed on the machine that runs the system, which could leave it susceptible to compromise or failure.

103
Q

What kind of problems could arise while upgrading a video camera on the network?

A

Upgrading a video camera could cause a broadcast storm on the network due to a bug in the camera, causing not only that video camera but also other systems to stop working.

104
Q

What inconvenience might we face with IP-CCTV systems in locations where the power supply is not consistently reliable or fluctuates?

A

If the power supply is not consistent, the organization's video system may be left down during restarts, because computer-based systems may take unexpectedly long to start up and shut down.

105
Q

As part of the ISS organization, before providing a third party with access to the organization's data, what process must be completed to protect the organization's own security?

A

When using third-party service providers, ISS professionals need to ensure that the organization is protected by making sure that the provider adheres to the organization's policies. In addition, a vetting process can be carried out before allowing access to the organization's data.

106
Q

Why should the physical security professional collaborate with the ISS department?

A

It is critical for the physical security professional to collaborate with the ISS department to ensure that physical security is a good ISS partner and complies with policies and procedures.

107
Q

What is the first job of the individual charged with an organization's ISS?

A

The first job of the individual charged with an organization's ISS is to create an ISMS appropriate for the size of the organization.

108
Q

What is the difference between how physical security managers and ISS professionals mitigate risk?

A

Physical security professionals mitigate risk via policies, references, and frameworks. ISS professionals, on the other hand, mitigate risk through an information security management system (ISMS).

109
Q

How a malware attack takes place while simply visiting a website?

A

In the case of a web attack, when users are accessing the web they can pick up malware simply by visiting a compromised website, and the introduction of malware onto the network cannot be blocked by a VPN, because a web attack can defeat every control.

110
Q

Why is a web attack particularly dangerous?

A

Because it can defeat almost every control

111
Q

Why is a malware attack particularly insidious?

A

This is because malware has been designed to be primarily silent. The longer the hackers can stay in stealth mode, owning an organization's system and stealing its information, the more time they have to gain from it.

112
Q

How can even a completely "patched" and up-to-date system still be compromised?

A

An engineer could configure the system incorrectly or make an architectural mistake, such as plugging an internal server into a switch that is accessible via the internet.

113
Q

How can a hacker launch an attack against a converged IP-based video protection system?

A

Hackers may start by checking a readily accessible website. If, via social engineering, they can steal a username and password to gain access, they will. If this is not possible, they might use a brute-force password cracker that enables them to try many passwords very quickly.

114
Q

How can a malware attack be launched on the network?

A

Someone attacks a system by installing software on it, either with the user's knowledge (usually hidden in other software or e-mail) or automatically, without the user's knowledge.

115
Q

What is social engineering?

A

Social engineering is the manipulation of people to get them to do something that weakens the security of the network.

116
Q

Why does communication at the layer 3 level increase risk in a converged access control system?

A

Layer 3, or indirect, communication is the mechanism that allows computers to interact across the internet globally. In a converged paradigm, an organization's computers and physical security assets are potentially accessible from across the world, and therefore vulnerable to attacks.

117
Q

How should physical security practitioners categorize ISS risk to address the security risks brought on by convergence?

A

According to the CIA triad

118
Q

Security convergence can indeed enhance risk mitigation, but it can also increase total organizational risk. If so, give examples of such risks.

A

When physical security practitioners put physical security technology onto the network, they open the door to significant network-based security risk. Some information systems security (ISS) risks can weaken physical security. These are:
1 - Denial of service (DoS)
2 - Insertion of inaccurate data
3 - Data theft
4 - Data modification
5 - Data destruction

119
Q

How is convergence defined?

A

Convergence is the integration, in a formal, collaborative, and strategic manner of the cumulative security resources of the organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.

120
Q

Asset

A

Anything that has tangible or intangible value to an enterprise.

121
Q

Intangible Asset

A

Assets that do not have a physical presence (information, intellectual property, reputation, etc.).

122
Q

Tangible Asset

A

Assets that have a physical presence (human and environmental assets).

123
Q

Copyrights

A

A property right in an original work of authorship fixed in any tangible medium of expression, giving the holder the exclusive right to reproduce, adapt, distribute, perform, and display the work.

124
Q

Examples of copyrights

A

Original works may include literary, musical, dramatic, choreographic, pictorial, graphic, sculptural, and architectural works; motion pictures and other audio-visual works; and sound recordings.

125
Q

Intellectual property rights (IPR)

A

Intangible rights protecting the realization of ideas and concepts resulting in commercially valuable products. NOTE: Examples include but are not limited to trademark, copyright, and patent rights, as well as trade secret rights, publicity rights, moral rights, and rights against unfair competition

126
Q

Internet of things (IoT)

A

A system of interrelated computing devices, mechanical and digital machines, provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

127
Q

Non-disclosure agreement (NDA)

A

A legal contract that establishes a relationship between two or more parties, outlining confidentiality and the responsibility for protecting information.

128
Q

Patent

A

The right granted to the inventor, if the device or process is novel, useful, and non-obvious, to exclude others from making, using, marketing, selling, offering for sale, or importing the invention for a specified period.

129
Q

Proprietary information

A

Information of value, owned by an entity or entrusted to it, which has not been disclosed publicly.

130
Q

Risk

A

Effect of uncertainty on the achievement of strategic, tactical, and operational objectives.

131
Q

Risk assessment

A

Overall and systematic process for evaluating the effects of uncertainty on achieving an enterprise's objectives. Risk assessment includes risk identification, risk analysis, and risk evaluation.

132
Q

RCA - Root cause analysis

A

A technique used to identify the conditions that initiate the occurrence of an undesired activity or state.

133
Q

Technical surveillance countermeasures (TSCM)

A

Employment of services, equipment, and techniques designed to locate, identify, and neutralize the effectiveness of technical surveillance activities.

134
Q

Threat

A

Potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community.

135
Q

Trade secret

A

All forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing, if (a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.

136
Q

Information assets are necessary in achieving an organization's strategic ____________ and ____________.

A

Goals & Objectives

137
Q

In order to safeguard its information assets, what should be established by an organization?

A

IAP - Information Asset Protection program appropriate to its size and type

138
Q

Mixed assets

A

Some assets have both tangible and intangible characteristics and may be referred to as "mixed assets".

139
Q

As per ESRM, who shares the security responsibility?

A

Security Professionals & Asset Owners.

140
Q

As per ESRM, whose responsibility are all final security decisions?

A

Asset Owners

141
Q

Who is responsible for protecting the information assets in an organization?

A

Top management and other asset owners

142
Q

Who is responsible for overseeing the implementation, maintenance, and evaluation of the IAP program?

A

The IAP lead nominated/assigned by top management

143
Q

What should be established by an organization to measure the IAP program?

A

Metrics and key performance indicators

144
Q

___________ and ___________ establish the standards that govern how an organization expects its employees to behave in protecting and safeguarding information from misuse, loss, theft, and misappropriation

A

Policies & Procedures

145
Q

The IAP policies and procedures should be communicated to whom?

A

All individuals working for or on behalf of the organization

146
Q

What is the initial stage of protecting the information asset?

A

Asset identification, followed by asset valuation and prioritization

147
Q

What are the bases of asset valuation?

A

Importance-criticality-sensitivity

148
Q

What is the key element of information risk assessment?

A

Valuing assets / Assigning Value to assets

149
Q

Highly restricted information

A

Highly restricted is used for information that could allow a competitor to take action that could seriously damage an organization’s competitive position in the marketplace, or the disclosure of which could cause significant damage to the organization’s financial or competitive position, brand, or reputation.

150
Q

Restricted information

A

Restricted is used for information that is organizationally or competitively sensitive or could introduce legal or employee privacy risks.

151
Q

Information is a critical asset for an organization. An employee's access to it is based on what?

A

His or her current role in the organization

152
Q

Information protection triad

A

Security measures - Legal protection - Management practices

153
Q

They do not have to be "registered" to be protected.

A

Trade secret

154
Q

To be able to prove a trade secret case in court, the information asset must be:

A

Clearly identified and valuated

155
Q

This form of legal protection provides the owner with the legal right to exclude anyone else from manufacturing or marketing an invention or process.

A

Patent

156
Q

Trademark

A

A trademark is a name, phrase, sound, or symbol used in association with a product.

157
Q

Service mark

A

A service mark is a brand name or logo that identifies the provider of a service. A service mark may consist of a word, phrase, symbol, design, or a combination of these elements.

158
Q

Trademark protection typically lasts for how long?

A

10 years after registration and can be renewed

159
Q

Through a ____________ agreement, the individual acknowledges that all information assets are considered confidential, will be properly protected, and are the property of the employer.

A

NDA - Non-disclosure agreement

160
Q

What is a critical component of any IAP program?

A

People

161
Q

Protecting information assets begins with:

A

An individual's recruitment

162
Q

When is the first opportunity to inform individuals about IAP policies and procedures through awareness and training?

A

During onboarding

163
Q

What are the most effective measures that support the IAP program objectives?

A

Security awareness and training

164
Q

Who are the eyes and ears of the organization in the IAP program?

A

Employees are the eyes and ears of the organization; they spot physical and electronic security risks that need to be reported.

165
Q

ISO 27001 and 27002 discuss the concept of?

A

Information security management system (ISMS)

166
Q

To address the electronic/digital environment risk, organizations should implement cyber security measures based on a:

A

Risk management approach that is consistent with the IAP strategy

167
Q

The selection of cyber security controls will vary depending on the organization's:

A

Business needs, regulatory/contractual compliance requirements, risk profile, and internal and external audit findings.

168
Q

The organization should conduct _____________ as part of its investigative support role to determine the causes that led or contributed to the information asset loss incident.

A

RCA - Root Cause Analysis

169
Q

Competitive intelligence involves the _________ and _________ collection of valuable information on a competitor or related entity, covering marketing plans, technologies, product developments, and other strategic information.

A

Legal and ethical

170
Q

OSINT

A

Open source intelligence

171
Q

In a commercial setting (the private sector), OSINT is defined as the process of:

A

Collecting publicly available information and using it for a business purpose

172
Q

What pushed organizations to rely on Web-based systems?

A

The emergence of remote work models

173
Q

Information/organizational assets at both onsite and virtual trade shows and similar events can be protected by:

A

Proper training

174
Q

Sharing of information should be based on:

A

Roles and a need-to-know basis

175
Q

Risks of remote/telework environments can be effectively managed by:

A

Implementing and testing crisis management and business continuity plans

176
Q

Who is responsible to protect information assets?

A

All employees, suppliers, contractors, and agents are responsible for protecting the company's/organization's information assets to assure their confidentiality, integrity, and availability.

177
Q

Trusted parties

A

Trusted parties include vendors, suppliers, contractors, consultants, interns, and others who are granted access to information assets or facilities.

178
Q

In order to safeguard its information assets, an organization should establish a policy that requires specific measures to be taken to protect information assets. What elements should this policy outline?

A

Organizational roles, responsibilities, and accountabilities

179
Q

What basic principles does effective protection of information assets, whether in electronic, verbal, written, or any other form, involve?

A

Classification and labelling of information; handling protocols that specify use, distribution, storage, security expectations, declassification, return, and destruction/disposal methodology; training; incident reporting and investigation; audit compliance processes; and special needs (disaster recovery).

180
Q

What is important to understand in relation to intellectual property rights?

A

It is important to understand the IPR climate and the ability of the legal safeguards applicable in each jurisdiction where it is necessary to support your business requirements.

181
Q

When can an information asset be said to be a trade secret?

A

When (a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.

182
Q

At the beginning of developing an information asset program, what is it important to identify?

A

It is important to identify what information should be protected and then identify the many forms this information may take over its lifecycle. It is also important to recognize that only a certain segment of the organization's information may warrant protection. Once such information is identified, it should be classified such that the most significant information assets receive the greatest degree of protection. However, some suggested controls might not be applicable, or practical, in every part of every organization.

183
Q

What are the basic criteria to determine the levels of information?

A

Sensitivity and criticality

184
Q

What is the difference between sensitivity and criticality?

A

Sensitivity: This information includes that which if disclosed outside of trusted people and processes would likely have a significant impact on the organization’s operations and business strategy. Criticality: Critical information is that upon which an organization relies to accomplish its mission and support business decisions.

185
Q

In order to be most effective at identifying and addressing risk, risk assessment should be considered at which levels?

A

At the product, technology and transaction specific level.

186
Q

While developing an information asset program, which step helps narrow the scope of the information that requires protection and focuses limited security resources where they are most needed?

A

This step is to identify the information that may need to be labelled and protected.

187
Q

Why should distinct controls on privacy information be implemented?

A

In order to maintain the necessary level of trust and to meet legal and regulatory requirements.

188
Q

Almost invariably, what are the most cost-effective measures that can be employed to protect corporate and organizational information assets?

A

Security awareness and training.

189
Q

What best helps achieve information asset protection in the organization?

A

Through routine business practices that permeate every element of an organization.

190
Q

What is the key element of threat to sensitive information?

A

Technical means of collecting information by adversaries

191
Q

It is recommended that the physical security professional work with IT professionals to determine what kind of protective measures need to be implemented for information security. In the course of this process, what are the key factors to consider?

A

Key factors to consider are the amount of information within your company that is considered information and the level of protection that this information should receive.

192
Q

If an organization faces a significant internal threat, what kind of protection measures need to be implemented?

A

Compartmentalization is an important measure to counter the internal threat.

193
Q

What is the primary objective of logical network access control?

A

The primary objective is to preserve and protect the confidentiality, integrity, and availability of information, systems, and resources

194
Q

In relation to application security, how can vulnerabilities be exploited?

A

By using a point of entry legitimately open for business needs

195
Q

What should encryption support?

A

Encryption should support an information identification, classification, and protection structure.

196
Q

In order to be able to prove a trade secret case in court, what preconditions must be fulfilled?

A

Document your identification and valuation of the asset, its role in establishing competitive advantage in your industry, and the full scope of protection measures you have instituted to protect it.

197
Q

What can be ensured by a written non‐disclosure agreement?

A

It makes it possible to ensure a common understanding as well as a legal obligation with respect to protecting information assets.

198
Q

What are the key elements of an assets protection strategy for trade show participation?

A

Training, awareness, and preparation

199
Q

On what basis is it possible to identify "high risk" travellers?

A

Identify "high risk" travellers based on their position, project, access, or clearance within the company.

200
Q

"A property right or other valid economic interest in data resulting from private investment. Protection of such data from unauthorized use or disclosure is necessary to prevent the compromise of such property right or economic interest." This is the definition for:

A

Proprietary information

201
Q

"Employment of services, equipment and techniques designed to locate, identify and neutralize the effectiveness of covert technical surveillance devices." This is the definition for which of the following?

A

Technical surveillance countermeasures

202
Q

Which of the following BEST describes who has the ultimate responsibility for protecting the organization's information assets?

A

The organization’s leadership

203
Q

A key element in the IAP risk assessment process is a thorough study of existing and projected threats. What are the categories?

A

Intentional, natural, and inadvertent threats

204
Q

Which of the following statements is correct?

A

Risk assessments should identify risks, quantify them, and prioritize them according to the organization’s criteria for risk acceptance.

205
Q

Information warranting protection must be appropriately identified and marked. Various levels are used to distinguish the degree of sensitivity or the degree of protection warranted: confidential, restricted, limited, non-public, etc. Who is BEST suited to define the security level?

A

The originator of the information

206
Q

Access to internal company information should be restricted. Which of the following BEST describes who can access sensitive information?

A

Company personnel or others who have signed a nondisclosure agreement

207
Q

When defining protection for information systems, persons are assigned increased levels of trust for access to the levels of sensitive information they are entitled to. This is called:

A

Defense in Depth

208
Q

A janitor has limited access to information on the organization’s information systems restricting access to only his/her payroll information and personal timesheets. HR and payroll personnel have access to higher levels of the same timesheet information. This is an example of:

A

Defense in Depth

209
Q

Private and personal information pertaining to an organization's employees, management, relationships, customers, or others is also often referred to as:

A

Personally Identifiable Information

210
Q

According to most international legal requirements, these do not have to be registered to be protected. Nevertheless, a person can formalize ownership through government registration, which may help in any later enforcement actions. This applies to which of the following?

A

Copyrights

211
Q

These need not be registered with any outside agency, so the owner can maintain a greater degree of control over the asset. The owner must be able to prove that the information added value or benefit to the owner, was specifically identified, and the owner provided a reasonable level of protection. This is called which of the following:

A

Trade Secret

212
Q

A process by which users are identified and granted privileges to information, systems, or resources is called which of the following?

A

Logical network access control

213
Q

Network devices typically communicate using a worldwide internet standard for communication, also called:

A

TCP/IP

214
Q

These special systems are typically programmed at the manufacturer and run proprietary or nonstandard operating systems. These may include video cameras, card readers, access controllers, intrusion detection (alarm) control panels and video converters. Another term for these systems is:

A

Embedded systems

215
Q

Any circumstance, capability, action, or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service is also referred to as:

A

Information systems threat

216
Q

(Threats × Vulnerabilities) / Countermeasures = x

What is "x"?

A

Residual risk

217
Q

Inappropriate links to unprotected networks, improper system configuration, or unpatched workstations are examples of:

A

Vulnerability in the information systems infrastructure

218
Q

There are three information security system control objectives. Which of the following are the objectives?

A

Detection; recovery; and compliance

219
Q

Information systems countermeasures are divided into three broad classifications. "Management policies, standards, procedures, guidelines, personnel screening, and awareness training" are called which of the following?

A

Administrative controls

220
Q

What is the best way to protect a document?

A

Mark and classify it

221
Q

The effectiveness of an information security program ultimately depends upon:

A

People’s behavior

222
Q

What is the culture of an organization?

A

A pattern of shared basic assumptions that the group learned in solving its problems

223
Q

The possibility that a particular threat will adversely impact an ISS by exploiting a particular vulnerability is called:

A

Risk

224
Q

Which threat is classified as a logical threat?

A

Virtual threat

225
Q

Amongst the key steps taken after an information loss, which is the most time-critical?

A

Damage assessment

226
Q

A technique that reduces a threat vulnerability by eliminating the harm it can cause and reporting it so that corrective action can be taken is:

A

ISS countermeasure

227
Q

An information communication attacking agent is:

A

Trojan Horse

228
Q

The most important thing in information security is:

A

Management buy-in

229
Q

Who causes most losses in the information assets of an organization?

A

Outsiders’ threats

230
Q

Amongst the steps to take after an information loss, one primary element of recovery is to return to normal business as soon as possible. What is the other?

A

Implement measures to prevent a recurrence of the problem

231
Q

The total remaining potential risk after all ISS countermeasures are applied across all threats is called:

A

Residual risk

232
Q

A device placed between the internet and the system one needs to protect is a:

A

Firewall

233
Q

Accessing a computer remotely by placing malware on the computer, perhaps while the user is visiting a website, is:

A

Hacking

234
Q

Controls placed on the information system infrastructure to prevent the exploitation of threats are called:

A

Infrastructure countermeasures

235
Q

What are the broad classifications of information system countermeasures?

A

Administrative
Technical
Physical

236
Q

What are the organization's ISS overall objectives?

A

Maintain confidentiality
Maintain integrity
Maintain availability

237
Q

To fraudulently convince a user to deliberately give up the user's ID/password to get into the network is referred to as:

A

Social engineering

238
Q

An attack in which a hacker goes after a system by accessing it via normal channels, exploiting existing vulnerabilities, is called a:

A

Direct attack

239
Q

Perhaps the most frequently overlooked threats, which are also the most difficult to identify and evaluate, are:

A

Inadvertent threats

240
Q

For each threat, the remaining potential risk after all ISS countermeasures are applied is referred to as:

A

Residual threat risk

241
Q

What category of information system threats requires a logical paradigm?

A

Virtual threats

242
Q

An important aspect of information security, used to prevent individuals from gaining access to the actual data of an organization, is:

A

Cryptography

243
Q

What standards provide definitive certification guidance for an organization's information assets?

A

ISO 27001 and ISO 27002

244
Q

The unauthorized acquisition and/or dissemination by an employee of confidential data critical to the employer's business is:

A

Industrial espionage

245
Q

What is the major difference between HIPS and IDS?

A

HIPS is like IDS, except that it operates on a host system.

246
Q

A system used to dial into a company's telecommunication system and make configuration changes to it is:

A

RMAT

247
Q

What is perhaps the oldest form of communication device that connects to a computer network?

A

Printers

248
Q

What will trigger the destruction of information but will not multiply itself?

A

Trojan Horse

249
Q

What is one of the key objectives of an organization's ISS (information system security)?

A

Using corporate resources effectively to protect sensitive information and systems

250
Q

What is perhaps the most important thing in information security, as in physical security?

A

Having the buy-in of executive management in supporting the security initiatives

251
Q

What has become the de facto standard communication mechanism in the corporate arena?

A

E-mails

252
Q

What is the centerpiece of ISO 27001?

A

ISMS

253
Q

A mechanism by which individuals who do not know each other can ensure a secure transaction is a:

A

Certificate

254
Q

List what are considered information system security control objectives.

A

Protect
Compliance
Recovery
Detection

255
Q

A written agreement that forbids an employee from taking up employment in a competitor's organization for a specific period of time is referred to as a:

A

Non-competitive covenant

256
Q

Logos, marks, and signs of an organization are protected by what?

A

Trademarks

257
Q

What is referred to as a clear and practical written document that is shared with all relevant units and is fairly enforced?

A

The policy document for protecting an organization's information assets

258
Q

A property right granted to an inventor to exclude others from making, or offering for sale, the invention for a limited time is referred to as a:

A

Patent

259
Q

What defines access control to an organization's information assets?

A

AAA triad:
Authentication
Authorization
Accountability/Auditing

260
Q

What are considered second-factor authentication?

A

Biometrics
OTP
Encryption

261
Q

When personnel, equipment, and awareness training are employed by an organization as protection measures for its information assets, this is referred to as:

A

Security measures

262
Q

Which standard provides definitive certification guidance for an organization's information security?

A

ISO 27001/2

263
Q

What is an emerging international standard for managing an organization's information security?

A

ISO 27001/2

264
Q

What are the pillars of information security?

A

Integrity
Non-repudiation
Confidentiality

265
Q

One of the most important elements when developing an information security incident response plan is:

A

The policy document

266
Q

What is the fundamental idea behind an information security management system?

A

Continual improvement

267
Q

Upon what does the effectiveness of an information security program ultimately depend?

A

People’s behavior

268
Q

When implementing an organization's information security improvement program, one key factor to consider is:

A

People’s behavior

269
Q

When implementing an organization's information security improvement program, one key factor to consider is:

A

Organizational culture

270
Q

What will fuel commercial technology theft in an organization?

A

Continued fierce global economic competition

271
Q

The manipulation of people to get them to do something that weakens their security on the network is:

A

Social engineering

272
Q

Logos, trademarks, patents, and trade secrets all come under what?

A

Proprietary information

273
Q

Who is responsible for trade secret custody?

A

The owner

274
Q

What is done to an information asset for it to be protected?

A

Identification
Classification
Marking

275
Q

What is an organization's culture?

A

A pattern of shared basic assumptions that the group learned

276
Q

Obscuring the meaning of information by altering or encoding it in such a way that it can only be decoded by the people it is meant for is known as what?

A

Encryption

277
Q

For a newly discovered process or product, the protection guidelines to be followed until it enters the market are

A

Trade secret guidelines
Acquisition of patent protection
Consider using trade commissions as venues for resolving patent disputes

278
Q

Which standards are considered to form the emerging international standard for managing the information security of an organization

A

ISO/IEC 27001/ISO IEC 27002

279
Q

What is presently considered a de facto standard for ISS certification

A

CISSP

280
Q

In information system risk assessment, what should the IT department do to stop virtual fraudsters

A

Encryption

281
Q

The illegal form of corporate information theft from a competitor is referred to as

A

Industrial espionage

282
Q

What are the classifications of information security countermeasures

A

Administrative controls
Technical controls
Physical controls

283
Q

What is the life span of a patent from first filing

A

20 years

284
Q

An organization's information protection strategy should be designed to support which aspects of the organization

A

Goals
Strategy
Timeliness

285
Q

Who constitutes a significant area of vulnerability for U.S. national security

A

Insiders

286
Q

Ultimately the responsibility for protecting information assets rests with whom

A

Leadership of an organization

287
Q

Who typically determines the classification level of information

A

Originator

288
Q

Access to internal information should be restricted to company personnel who have

A

Signed a non-disclosure agreement

289
Q

Who is responsible for sharing information assets and protecting them from inappropriate disclosure, modification, misuse or loss

A

All employees/ members of the extended enterprise

290
Q

What is the recommended mailing procedure for a highly restricted document within the company

A

Double-seal envelopes; mark the inner envelope ‘‘Highly restricted’’, to be opened by addressee only; no security mark on the outer envelope

291
Q

What is one of the key objectives of an organization’s ISS program

A

Using corporate resources effectively to protect sensitive information and systems

292
Q

The cost of a theft of a trade secret by a cyber thief is what

A

The value of the trade secret to the company

293
Q

In basic risk management, how much one should spend to prevent an ISS incident equals what

A

The probability of the incident times its cost

294
Q

Typically part of an information security policy framework recommendation, as in ISO 27001/2, is

A

Classifying and controlling sensitive information

295
Q

The objective of an organization’s information system security (ISS) program is

A

Prudently and cost-effectively managing the risk that critical organizational information is exposed to compromise, alteration or unavailability

296
Q

A repository of data that also acts as a mechanism of access to data is called

A

Servers

297
Q

In the ‘AAA’ triad, the third ‘‘A’’ stands for

A

Auditing

298
Q

Perhaps the most important files whose integrity must be preserved are files containing what information

A

User IDs/passwords
Allowed roles (rights)
Permissions/privileges

299
Q

What is considered a critical aspect of any information program

A

Third party review

300
Q

Which standard is designed to provide a uniform set of ISS standards for protecting credit card information

A

PCI DSS

301
Q

How do you protect the most valuable information assets

A

Encryption

302
Q

Words, names and symbols used in connection with goods and services to identify their source are

A

Trademarks

303
Q

In the corporate arena, what ensures a common understanding and a legal obligation regarding the protection of the organization's information assets in relation to employees

A

Non-disclosure agreements

304
Q

The use of information systems to commit crime is referred to as

A

Cyber crime

305
Q

Perhaps the most frequently overlooked threats to the security of information are

A

Inadvertent threats.

306
Q

What are the findings of research commissioned by the U.S. Defense Personnel Security Research Center

A

The internet allows sellers and seekers of information to remain anonymous.
Americans are more vulnerable to experiencing severe financial crises due to aggressive spending habits.
Organizational loyalty and obligation is diminishing and employees may be less deterred from theft of information.

307
Q

List the findings of a study of insider incidents by the U.S. Secret Service

A

Negative work events are a frequent trigger factor for insider information theft.
Insider information thieves often present performance issues.
Three out of ten perpetrators had previous arrest records.

308
Q

In relation to information, who or what is a fiduciary

A

A person to whom sensitive company information is entrusted and who should be bound by the terms of an NDA

309
Q

What are appropriate ways to protect electronic files containing trade secrets against theft? (Source: various/inferred)

A

Access control to IT systems on which trade secrets are stored should be protected according to the AAA triad.
The fundamentals of the CIA triad apply to both secrets and other sensitive information.
Encryption of trade secrets should be a standard countermeasure…

310
Q

With regard to information security, the application of layered protection (defense-in-depth) implies what

A

The levels of trust should increase for those who are given access to successive layers (working from the outside of the layer inwards).
Each layer should seek to employ delays, detection and deterrence.
A range of complementary security technologies should be employed.

311
Q

A specific risk to sensitive obsolete prototypes is that they

A

Can be reverse engineered if not destroyed properly.

312
Q

Within the context of information protection, personnel security should include what

A

Due diligence of potential partners;
Standard pre-employment screening;
Vetting of subcontractors, vendors and consultants

313
Q

Clearly marking information to state how the information will be used and made available to others, what notifications and actions will be taken in the event of compromise, and instructions for destruction of the information are safeguards that are specifically applied to:

A

Personally identifiable information

314
Q

A business activity that poses special risks to a company's sensitive information is

A

The establishment of partnerships or outsourcing agreements

315
Q

How long is the life of a patent from first filing?

A

20 years

316
Q

For information to be considered a trade secret, the owner must be able to prove that the information added benefit to the owner, the owner provided a reasonable level of protection and what else?

A

The trade secret was specifically identified.

317
Q

What are vital steps in the creation of information asset protection (IAP) programs

A

The organization's leadership should show its commitment to IAP by providing appropriate resources and requiring all business units to develop strategies to align business and protection goals.
A dedicated department, group, or individuals should be tasked with policy management and auditing.
All business units, personnel, temporary employees, vendors, consultants, contractors, and business partners should be required to adhere to the policy

318
Q

Who should sign a non-disclosure agreement as a condition of employment

A

All employees.

319
Q

Protection of information, especially in digital data form, should be subject to the ‘‘CIA triad’’: confidentiality, integrity and?

A

Availability

320
Q

Information warranting protection must be?

A

Appropriately identified and marked.

321
Q

What is the method for identifying information security protection gaps in current security measures, which responds to the fact that small bits of information from different sources can be compiled to create sensitive information?

A

OPSEC

322
Q

A system to authenticate the identity of a sender of an email is called:

A

Digital signature.

323
Q

What is the best way to address infringements of patents, copyrights and trademarks

A

Register those rights.

324
Q

What should be registered in order for legal protection to exist?

A

Trademarks.

325
Q

What best describes the professional development needs of the traditional security professional in regard to the growing threat of cybercrime?

A

The security professional needs a practical understanding of the new logical security paradigm.

326
Q

In regard to cybercrime, what are the major challenges

A

There is a worldwide federation between various classes of cybercriminals and malware developers.
Nation states are involved in cybercrime.
Cyber extortion is an example of a significant threat facing some businesses.
There is no cohesive global law enforcement effort to eliminate cybercrime.

327
Q

Why are firewalls and anti-virus fundamentally imperfect

A

Because they can circumvent signature-based controls.

328
Q

How do cybercriminals use rogueware to target computers

A

Rogueware, masquerading as security software, is frequently downloaded by non-savvy IT users and used by cybercriminals to compromise information on a target computer or to enroll it into a botnet.

329
Q

What represents whether a company's ISS programme meets an information security standard of due care?

A

Legislation and regulation of information holders to protect all; contract and tort law on securing information and information assets; recommended security practices of the professional ISS community.

330
Q

Access control to information systems encompasses which processes?

A

Identification,
Authentication,
Authorization and
Accountability

331
Q

What is defined as integration in a formal, collaborative, and strategic manner, of the cumulative security resources of the organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency and cost savings?

A

Convergence.

332
Q

What is a major challenge with regard to SCADA

A

The use of the internet exposes SCADA system response and recovery capabilities

333
Q

What is the worldwide internet standard for communication over which network PPS communicate

A

TCP/IP.

334
Q

Specifically in relation to access control systems that are TCP/IP based, we find two dangers; what are these?

A

The creation of a back door or additional cards by administrators; a PC to which the access control server is connected may have been taken over by an adversary.

335
Q

What is the most correct statement with regard to IP video surveillance

A

IP video surveillance is vulnerable to internet-based threats such as unauthorized access, tampering and destruction of recordings.

336
Q

The key objectives of an organization’s ISS program can be summarized as

A

Protecting against the insider threat,
Protecting against unauthorized change,
Protecting against unavailability

337
Q

Any flaw or weakness in an information system's design, implementation, or operation and management is the definition of an:

A

Information systems vulnerability

338
Q

What represents the fundamental equation of ISS?

A

Residual risk = (Threats × Vulnerabilities) ÷ Countermeasures

339
Q

As a precursor to initiating a malicious act, virtual threats typically enter computer networks by:

A

USB peripheral device attachment; hacking; malware, sometimes as a result of visiting a website; phishing; social engineering.

340
Q

An example of an ISS vulnerability typically created by users is

A

Social engineering.

341
Q

Using a computer to trim off small amounts of money from sources and diverting those slices into one’s own or an accomplice’s account is known as the ‘‘salami’’. In which sector is this crime most common

A

Banking

342
Q

There have been numerous cases in which sensitive data stored on notebook computers was compromised. The only reliable protection is to require notebook users to

A

Encrypt sensitive files.

343
Q

As in other security, information systems countermeasures can be divided into three broad classifications. Which answer best encapsulates these?

A

Administrative controls,
Technical controls,
Physical controls.

344
Q

From a security point of view, which of the following is the most dangerous logical entry point in a computer

A

Communication stack

345
Q

If authentication and authorization are the first two elements of the AAA triad, what is the third

A

Auditing/accountability.

346
Q

Which kind of attack, prevalent in web applications, tricks email programs into executing the e-mail as if it were a program rather than simply processing it as text

A

Escalation of privilege attack.

347
Q

What forms an emerging international standard for IT security

A

ISO 27001/2.

348
Q

List the major challenges of security convergence

A

When physical security practitioners put physical security technology into the network, they open the door to significant network-based security task.
When physical security practitioners put physical security technology into the network, cost-effectiveness can be increased.
When physical security practitioners put physical security technology into the network, greater operational effectiveness and efficiency can be achieved than in stand-alone systems.
When physical security practitioners put physical security technology into the network, they increase network-based security risk

349
Q

In an IT context, what is meant by the term social engineering

A

Someone convinces a user to share his credentials to get on the network.

350
Q

A fully configured exclusive computer facility, with all IS services and communications links is known as a?

A

Hot site.

351
Q

A property right or other valid economic interest in data resulting from private investment; protection of such data from unauthorized use and disclosure is necessary in order to prevent the compromise of such property right or economic interest. This is the definition of:

A

Proprietary information.

352
Q

The following definition relates to which one of the answers below: ‘‘initially appear to be legitimate and will behave as though they were doing what the operator expects. But they contain a block of undesirable computer code or another computer program that allows them to do detrimental things to the system, such as infecting a machine with virus, worm, bomb, or trapdoor’’.

A

Trojan horse.

353
Q

In computer attacks, there are two types of bombs, as follows

A

Time bombs and logic bombs.

354
Q

When an organization sends e-mails to an outside organization, what would it use to protect the mail

A

Virtual private network (VPN)

355
Q

A device that records the calls/callers on a telephone is

A

Pen register

356
Q

Who uses PCI-DSS

A

All companies involved in credit card issuance