Mid-Term

Question 1

“4-1-9” fraud is an example of a __________ attack

Answer 1

social engineering

Question 2

“4-1-9” is one form of a(n) __________ fraud.

Answer 2

advance-fee

Question 3

A __________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

Answer 3

Distributed Denial of service

Question 4

A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a(n) __________.

Answer 4

Cracker

Question 5

A model of InfoSec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model

Answer 5

CNSS

Question 6

A potential weakness in an asset or its defensive control system(s) is known as a(n) __________.

Answer 6

vulnerability.

Question 7

process that defines what the user is permitted to do is known as __________.

Answer 7

Authorization.

Question 8

A short-term interruption in electrical power availability is known as a __________.

Answer 8

Fault

Question 9

A technique used to compromise a system is known as a(n) __________

Answer 9

exploit

Question 10

Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access.

Answer 10

Trepass

Question 11

An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim’s data files is known as__________.

Answer 11

ransomware

Question 12

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________.

Answer 12

penetration tester.

Question 13

An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________.

Answer 13

Attack

Question 14

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________

Answer 14

Threat

Question 15

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus __________.

Answer 15

hoaxes

Question 16

Human error or failure often can be prevented with training and awareness programs, policy, and __________ .

Answer 16

controls

Question 17

In the __________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

Answer 17

man-in-the-middle

Question 18

One form of online vandalism is __________, in which individuals interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

Answer 18

hacktivist

Question 19

Technology services are usually arranged with an agreement defining minimum service levels known as a(n) __________.

Answer 19

SLA

Question 20

The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.

Answer 20

rainbow table

Question 21

The protection of confidentiality, integrity, and availability of data regardless of its location is known as _______ security.

Answer 21

Information

Question 22

The protection of voice and data components, connections, and content is known as _______ security.

Answer 22

network

Question 23

The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called _______

Answer 23

software piracy.

Question 24

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

Answer 24

authentication.

Question 25

What do audit logs that track user activity on an information system provide?

Answer 25

accountability

Question 26

___________is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.

Answer 26

Governance

Question 27

__________ are malware programs that hide their true nature and reveal their designed behavior only when activated.

Answer 27

Trojan horses

Question 28

__________ is the collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair edge over them.

Answer 28

Industrial espionage

Question 29

Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________

Answer 29

Data Owners.

Question 30

The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.

Answer 30

Chief of Information Security.

Question 31

A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the __________ while offering opportunities to lower costs.

Answer 31

enterprise risk management

Question 32

A clearly directed __________ flows from top to bottom, and a systematic approach is required to translate it into a program that can inform and lead all members of the organization.

Answer 32

strategy

Question 33

A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________.

Answer 33

Methodology

Question 34

A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________.

Answer 34

champion

Question 35

A person or organization that has a vested interest in a particular aspect of the planning or operation of an organization—for example, the information assets used in a particular organization—is known as a(n) _________.

Answer 35

stakeholder

Question 36

A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.

Answer 36

Team Leader.

Question 37

A qualified individual who is tasked with configuring security technologies and operating other technical control systems is known as a(n) ____________

Answer 37

Security Technician

Question 38

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team

Answer 38

champion

Question 39

According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?

Answer 39

establishing

Question 40

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?

Answer 40

Initiating

Question 41

ISO 27014:2013 is the ISO 27000 series standard for ____________.

Answer 41

Governance of Information Security

Question 42

IT’s focus is the efficient and effective delivery of information and administration of information resources, while InfoSec’s primary focus is the __________ of all information assets.

Answer 42

protection

Question 43

In the __________ phase of the SecSDLC, the team studies documents and looks at relevant legal issues that could affect the design of the security solution.

Answer 43

Analysis

Question 44

In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?

Answer 44

waterfall

Question 45

In which phase of the SecSDLC does the risk management task occur?

Answer 45

analysis

Question 46

Internal and external stakeholders, such as customers, suppliers, or employees who interact withinformation in support of their organization’s planning and operations, are known as ____________.

Answer 46

data users.

Question 47

The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as itsbudget and other constraints.

Answer 47

Investigation

Question 48

The __________ phase of the SecSDLChas team members create and develop the blueprint for security and develop critical contingency plans for incident response.

Answer 48

Justification

Question 49

The first priority of the CISO and the InfoSec management team should be the __________.

Answer 49

structure of a strategic plan

Question 50

The individual accountable for ensuringthe day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________.

Answer 50

security manager.

Question 51

The letters GRC represent an approach to information security strategic guidance from a board of directors or senior management perspective. The letters stand for __________, __________, and __________.

Answer 51

Governance, risk management, and compliance.

Question 52

The process of integrating the governance of the physical security and information security efforts is known in the industryas __________.

Answer 52

convergence

Question 53

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly is known as __________.

Answer 53

Governance

Question 54

What is the first phase of the SecSDLC?

Answer 54

investigation

Question 55

When creating a __________, each level of each division translates its goals into more specific goals for the level below it.

Answer 55

strategic plan

Question 56

Whenusing the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization’s executive management, and so that it selects key stakeholders as well as the ____________.

Answer 56

Board Risk Committee.

Question 57

“GGG security” is a term commonly used to describe which aspect of security?

Answer 57

Physical.

Question 58

A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as __________.

Answer 58

security analyst.

Question 59

An (ISC) 2 program geared toward individuals who want to take any of its certification exams before obtaining the requisite experience for certification is the __________.

Answer 59

Associate of (ISC)2.

Question 60

An ISACA certification targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance, is known as the __________.

Answer 60

CGEIT

Question 61

An ISACA certification targeted at IT professionals who are in careers that link IT risk management with enterprise risk management is known as the __________.

Answer 61

CRISC

Question 62

In large organizations, the InfoSec department is often located within a(n) _________ division headed by the _________, who reports directly to the _________

Answer 62

IT, CISO, CIO

Question 63

Larger organizations tend to spend approximately __________ percent of the total IT budget on security.

Answer 63

5

Question 64

Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security.

Answer 64

11

Question 65

Smaller organizations tend to spend approximately __________ percent of the total IT budget on security.

Answer 65

20

Question 66

Organizations classified as __________ may still be large enough to implement the multitier approach to security, though perhaps with fewer dedicated groups and more functions assigned to each group.

Answer 66

Medium-sized

Question 67

The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral .

Answer 67

CISSP

Question 68

There are anumber of methods for customizing training for users; two of the most common involve customizing by __________ and by __________.

Answer 68

functional background, skill level.

Question 69

This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.

Answer 69

security manager

Question 70

What is the SETA program designed to do?

Answer 70

reduce the occurrence of accidental security breaches

Question 71

Deterrence is the best method for preventing an illegal or unethical activity. TRUE

Answer 71

TRUE

Question 72

Due diligence requires that an organization make a valid and ongoing effort to protect others.

Answer 72

TRUE

Question 73

A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information.

Answer 73

FALSE

Question 74

Ethics carry the sanction of a governing authority.

Answer 74

FALSE

Question 75

ISACA is a professional association with a focus on authorization, control, and security.

Answer 75

FALSE

Question 76

6.Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy.

Answer 76

FALSE

Question 77

InfraGard began as a cooperative effort between the FBI’s Cleveland field office and local intelligence professionals.

Answer 77

FALSE

Question 78

It is the responsibility of InfoSec professionals to understand state laws and bills.

Answer 78

FALSE

Question 79

The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies

Answer 79

TRUE

Question 80

The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.

Answer 80

TRUE

Question 81

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.

Answer 81

FALSE

Question 82

Information security policies are designed to provide structure in the workplace and explain the will of the organization’s management.

Answer 82

TRUE

Question 83

Access control lists regulate who, what, when, where, and why authorized users can access a system.

Answer 83

TRUE

Question 84

Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex.

Answer 84

FALSE

Question 85

Examples of actions that illustrate compliance with policies are known as laws.

Answer 85

FALSE

Question 86

Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations.

Answer 86

FALSE

Question 87

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee’s inappropriate or illegal use of the system.

Answer 87

TRUE

Question 88

18.Policies must specify penalties for unacceptable behavior and define an appeals process.

Answer 88

TRUE

Question 89

Technology is the essential foundation of an effective information security program.

Answer 89

FALSE

Question 90

The “Authorized Uses” section of an ISSP specifies what the identified technology cannot be used for.

Answer 90

FALSE

Question 91

The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization.

Answer 91

FALSE