PLANNING FOR SECURITY Flashcards

1
Q
  A standard is a plan or course of action that conveys instructions from an organization’s senior management to those who make decisions, take actions, and perform other duties.
A

F

2
Q
  Quality security programs begin and end with policy.
A

T

3
Q
  The ISSP sets out the requirements that must be met by the information security blueprint or framework.
A

F

4
Q
  You can create a single comprehensive ISSP document covering all information security issues.
A

T

5
Q
  Each policy should contain procedures and a timetable for periodic review.
A

T

6
Q
  A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee’s actions.
A

F

7
Q
  A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.
A

F

8
Q
  ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.
A

F

9
Q
  To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date.
A

T

10
Q
  The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
A

T

11
Q
  The security framework is a more detailed version of the security blueprint.
A

F

12
Q
  The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.
A

F

13
Q
  Many industry observers claim that ISO/IEC 17799 is not as complete as other frameworks.
A

T

14
Q
  ISO/IEC 17799 is more useful than any other information security management approach.
A

F

15
Q
  Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program.
A

T

16
Q
  NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans.
A

T

17
Q
  NIST 800-14, The Principles for Securing Information Technology Systems, provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.
A

F

18
Q
  The Security Area Working Group endorses ISO/IEC 17799.
A

F

19
Q
  Information security safeguards provide two levels of control: managerial and remedial.
A

F

20
Q
  Management controls address the design and implementation of the security planning process and security program management.
A

T

21
Q
  Informational controls guide the development of education, training, and awareness programs for users, administrators, and management.
A

F

22
Q
  The gateway router can be used as the front-line defense against attacks, as it can be configured to allow only set types of protocols to enter.
A

T

23
Q
  Every member of the organization needs a formal degree or
A

F

24
Q
  Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
A

T

25
Q
  A disaster recovery plan addresses the preparation for and recovery from a disaster, whether natural or man-made.
A

T

26
Q
  Additional redundancy to RAID can be provided by mirroring entire servers, called redundant servers or server fault tolerance.
A

T

27
Q
  A cold site provides many of the same services and options of a hot site.
A

F

28
Q
  Disaster recovery personnel must know their roles without supporting documentation.
A

T

29
Q
  Database shadowing only processes a duplicate in real-time data storage but does not duplicate the databases at the remote site.
A

F

30
Q
  The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies.
A

T

31
Q
  Strategic planning is the process of moving the organization towards its ____.
    a. standard
    b. policy
    c. mission
    d. vision
A

d. vision

32
Q
  Standards may be published, scrutinized, and ratified by a group, as in formal or ____ standards.
    a. de formale
    b. de public
    c. de jure
    d. de facto
A

c. de jure

33
Q
  The ____ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
    a. ISP
    b. EISP
    c. GSP
    d. ISSP
A

b. EISP

34
Q
  ____ often function as standards or procedures to be used when configuring or maintaining systems.
    a. ESSPs
    b. EISPs
    c. ISSPs
    d. SysSPs
A

d. SysSPs

35
Q
  A security ____ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
    a. plan
    b. framework
    c. mission
    d. blanket
A

b. framework

36
Q
  The stated purpose of ____ is to “give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization.”
    a. NIST SP800-18
    b. RFC 2196
    c. ISO/IEC 27002
    d. BS7799 (Part 2)
A

c. ISO/IEC 27002

37
Q
  What country adopted ISO/IEC 17799?
    a. United States
    b. Germany
    c. Japan
    d. None of the above
A

d. None of the above

38
Q
  SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ____.
    a. plan
    b. standard
    c. policy
    d. blueprint
A

d. blueprint

39
Q
  Effective management includes planning and ____.
    a. organizing
    b. leading
    c. controlling
    d. All of the above
A

d. All of the above

40
Q
  The Security Area Working Group acts as an advisory board for the protocols and areas developed and promoted by the Internet Society and the ____.
    a. IETF
    b. ISO/IEC
    c. ISOC
    d. IRTF
A

a. IETF

41
Q
  The spheres of ____ are the foundation of the security framework and illustrate how information is under attack from a variety of sources.
    a. defense
    b. assessment
    c. security
    d. information
A

c. security

42
Q
  ____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
    a. Managerial
    b. Technical
    c. Operational
    d. Informational
A

a. Managerial

43
Q
  Redundancy can be implemented at a number of points throughout the security architecture, such as in ____.
    a. firewalls
    b. proxy servers
    c. access controls
    d. All of the above
A

d. All of the above

44
Q
  ____ controls address personnel security, physical security, and the protection of production inputs and outputs.
    a. Informational
    b. Operational
    c. Technical
    d. Managerial
A

b. Operational

45
Q
  Security ____ are the areas of trust within which users can freely communicate.
    a. perimeters
    b. domains
    c. rectangles
    d. layers
A

b. domains

46
Q
  A buffer against outside attacks is frequently referred to as a(n) ____.
    a. proxy server
    b. no-man’s land
    c. DMZ
    d. firewall
A

c. DMZ

47
Q
  ____-based IDPSs look at patterns of network traffic and attempt to detect unusual activity based on previous baselines.
    a. Firewall
    b. Host
    c. Network
    d. Domain
A

c. Network

48
Q
  The SETA program is the responsibility of the ____ and is a control measure designed to reduce the incidences of accidental security breaches by employees.
    a. CIO
    b. CISCO
    c. CISO
    d. end users
A

c. CISO

49
Q
  A(n) ____ plan deals with the identification, classification, response, and recovery from an incident.
    a. CM
    b. BC
    c. DR
    d. IR
A

d. IR

50
Q
  The first phase in the development of the contingency planning process is the ____.
    a. BIA
    b. BRP
    c. DP9
    d. IRP
A

a. BIA

51
Q
  An alert ____ is a document containing contact information for the people to be notified in the event of an incident.
    a. message
    b. roster
    c. plan
    d. list
A

b. roster

52
Q
  Incident damage ____ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.
    a. assessment
    b. evaluation
    c. recovery
    d. plan
A

a. assessment

53
Q
  RAID ____ drives can be hot swapped.
    a. 2
    b. 3
    c. 4
    d. 5
A

d. 5

54
Q
  A ____ site provides only rudimentary services and facilities.
    a. cool
    b. warm
    c. hot
    d. cold
A

d. cold

55
Q
  The transfer of large batches of data to an off-site facility is called ____.
    a. security perimeter
    b. remote journaling
    c. electronic vaulting
    d. database shadowing
A

c. electronic vaulting