PLANNING FOR SECURITY

Question 1

1. A standard is a plan or course of action that conveys instructions from an organization’s senior management to those who make decisions, take actions, and perform other duties.

Answer 1

F

Question 2

2. Quality security programs begin and end with policy.

Answer 2

T

Question 3

3. The ISSP sets out the requirements that must be met by the information security blueprint or framework.

Answer 3

F

Question 4

4. You can create a single comprehensive ISSP document covering all information security issues.

Answer 4

T

Question 5

5. Each policy should contain procedures and a timetable for periodic review.

Answer 5

T

Question 6

6. A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee’s actions.

Answer 6

F

Question 7

7. A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.

Answer 7

F

Question 8

8. ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.

Answer 8

F

Question 9

9. To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date.

Answer 9

T

Question 10

10. The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.

Answer 10

T

Question 11

11. The security framework is a more detailed version of the security blueprint.

Answer 11

F

Question 12

12. The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.

Answer 12

F

Question 13

13. Many industry observers claim that ISO/IEC 17799 is not as complete as other frameworks.

Answer 13

T

Question 14

14. ISO/IEC 17799 is more useful than any other information security management approach.

Answer 14

F

Question 15

15. Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program.

Answer 15

T

Question 16

16. NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans.

Answer 16

T

Question 17

17. NIST 800-14, The Principles for Securing Information Technology Systems, provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.

Answer 17

F

Question 18

18. The Security Area Working Group endorses ISO/IEC 17799.

Answer 18

F

Question 19

19. Information security safeguards provide two levels of control: managerial and remedial.

Answer 19

F

Question 20

20. Management controls address the design and implementation of the security planning process and security program management.

Answer 20

T

Question 21

21. Informational controls guide the development of education, training, and awareness programs for users, administrators, and management.

Answer 21

F

Question 22

22. The gateway router can be used as the front-line defense against attacks, as it can be configured to allow only set types of protocols to enter.

Answer 22

T

Question 23

23. Every member of the organization needs a formal degree or

Answer 23

F

Question 24

24. Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.

Answer 24

T

Question 25

25. A disaster recovery plan addresses the preparation for and recovery from a disaster, whether natural or man-made.

Answer 25

T

Question 26

26. Additional redundancy to RAID can be provided by mirroring entire servers called redundant servers or server fault tolerance.

Answer 26

T

Question 27

27. A cold site provides many of the same services and options of a hot site.

Answer 27

F

Question 28

28. Disaster recovery personnel must know their roles without supporting documentation.

Answer 28

T

Question 29

29. Database shadowing only processes a duplicate in real-time data storage but does not duplicate the databases at the remote site.

Answer 29

F

Question 30

30. The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies.

Answer 30

T

Question 31

1. Strategic planning is the process of moving the organization towards its ____.
   a. standard c. mission
   b. policy d. vision

Answer 31

d. vision

Question 32

2. Standards may be published, scrutinized, and ratified by a group, as in formal or ____ standards.
   a. de formale c. de jure
   b. de public d. de facto

Answer 32

c. de jure

Question 33

3. The ____ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
   a. ISP c. GSP
   b. EISP d. ISSP

Answer 33

b. EISP

Question 34

4. ____ often function as standards or procedures to be used when configuring or maintaining systems.
   a. ESSPs c. ISSPs
   b. EISPs d. SysSPs

Answer 34

d. SysSPs

Question 35

5. A security ____ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
   a. plan c. mission
   b. framework d. blanket

Answer 35

b. framework

Question 36

6. The stated purpose of ____ is to “give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization.”
   a. NIST SP800-18 c. ISO/IEC 27002
   b. RFC 2196 d. BS7799 (Part 2)

Answer 36

c. ISO/IEC 27002

Question 37

7. What country adopted ISO/IEC 17799?
   a. United States c. Japan
   b. Germany d. None of the above

Answer 37

d. None of the above

Question 38

8. SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ____.
   a. plan c. policy
   b. standard d. blueprint

Answer 38

d. blueprint

Question 39

9. Effective management includes planning and ____.
   a. organizing c. controlling
   b. leading d. All of the above

Answer 39

d. All of the above

Question 40

10. The Security Area Working Group acts as an advisory board for the protocols and areas developed and promoted by the Internet Society and the ____.
    a. IETF c. ISOC
    b. ISO/IEC d. IRTF

Answer 40

a. IETF

Question 41

11. The spheres of ____ are the foundation of the security framework and illustrate how information is under attack from a variety of sources.
    a. defense c. security
    b. assessment d. information

Answer 41

c. security

Question 42

12. ____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
    a. Managerial c. Operational
    b. Technical d. Informational

Answer 42

a. Managerial

Question 43

13. Redundancy can be implemented at a number of points throughout the security architecture, such as in ____.
    a. firewalls c. access controls
    b. proxy servers d. All of the above

Answer 43

d. All of the above

Question 44

14. ____ controls address personnel security, physical security, and the protection of production inputs and outputs.
    a. Informational c. Technical
    b. Operational d. Managerial

Answer 44

b. Operational

Question 45

15. Security ____ are the areas of trust within which users can freely communicate.
    a. perimeters c. rectangles
    b. domains d. layers

Answer 45

b. domains

Question 46

16. A buffer against outside attacks is frequently referred to as a(n) ____.
    a. proxy server c. DMZ
    b. no-man’s land d. firewall

Answer 46

c. DMZ

Question 47

17. ____-based IDPSs look at patterns of network traffic and attempt to detect unusual activity based on previous baselines.
    a. Firewall c. Network
    b. Host d. Domain

Answer 47

c. Network

Question 48

18. The SETA program is the responsibility of the ____ and is a control measure designed to reduce the incidences of accidental security breaches by employees.
    a. CIO c. CISO
    b. CISCO d. end users

Answer 48

c. CISO

Question 49

19. A(n) ____ plan deals with the identification, classification, response, and recovery from an incident.
    a. CM c. DR
    b. BC d. IR

Answer 49

d. IR

Question 50

20. The first phase in the development of the contingency planning process is the ____.
    a. BIA c. DP9
    b. BRP d. IRP

Answer 50

a. BIA

Question 51

21. An alert ____ is a document containing contact information for the people to be notified in the event of an incident.
    a. message c. plan
    b. roster d. list

Answer 51

b. roster

Question 52

22. Incident damage ____ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.
    a. assessment c. recovery
    b. evaluation d. plan

Answer 52

a. assessment

Question 53

23. RAID ____ drives can be hot swapped.
    a. 2 c. 4
    b. 3 d. 5

Answer 53

d. 5

Question 54

24. A ____ site provides only rudimentary services and facilities.
    a. cool c. hot
    b. warm d. cold

Answer 54

d. cold

Question 55

25. The transfer of large batches of data to an off-site facility is called ____.
    a. security perimeter c. electronic vaulting
    b. remote journaling d. database shadowing

Answer 55

c. electronic vaulting