Saint COM510 Midterm Exam (latest, November 2017)
1. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) __________.
MIN
MSL
SLA
SSL
Answer: SLA
2. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
People
Policy
Projects
Protection
Answer: People
3. Corruption of information can occur only while information is being stored.
True
False
Answer: False
4. “Shoulder spying” is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance.
True
False
Answer: False
5. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
Policy
Programs
People
Planning
Answer: Policy
6. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
Brute force
Back door
DoS
Hoax
Answer: Back door
7. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus __________.
false alarms
polymorphisms
hoaxes
urban legends
Answer: hoaxes
8. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
Availability
Accountability
Authentication
Authorization
Answer: Availability
9. Blackmail threat of informational disclosure is an example of which threat category?
Information extortion
Sabotage or vandalism
Espionage or trespass
Compromises of intellectual property
Answer: Information extortion
10. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack.
True
False
Answer: False
11. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as __________.
data generators
data owners
data users
data custodians
Answer: data owners
12. Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event?
Business response
Risk management
Disaster readiness
Contingency planning
Answer: Contingency planning
13. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) __________.
chief information security officer
security manager
chief technology officer
security technician
Answer: security manager
14. Which type of document grants formal permission for an investigation to occur?
Evidentiary report
Affidavit
Search warrant
Forensic concurrence
Answer: Search warrant
15. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as __________.
data generators
data custodians
data owners
data users
Answer: data users
16. Which of the following is a responsibility of the crisis management team?
Evaluating monitoring capabilities
Keeping the public informed about the event and the actions being taken
Restoring the services and processes in use
Restoring the data from backups
Answer: Keeping the public informed about the event and the actions being taken
17. In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation?
Acquire (seize) the evidence without alteration or damage
Identify relevant items of evidentiary value (EM)
Analyze the data without risking modification or unauthorized access
Report the findings to the proper authority
Answer: Identify relevant items of evidentiary value (EM)
18. ISO 27014:2013 is the ISO 27000 series standard for __________.
governance of information security
risk management
information security management
policy management
Answer: information security management
19. Which of the following is an approach available to an organization as an overall philosophy for contingency planning reactions?
Track, hack and prosecute
Transfer to local/state/federal law enforcement
Protect and forget
After-action review
Answer: Protect and forget
20. After an incident, but before returning to its normal duties, the CSIRT must do which of the following?
Create the incident damage assessment
Conduct an after-action review
Restore services and processes in use
Restore data from backups
Answer: Conduct an after-action review
21. Which of the following is an advantage of the one-on-one method of training?
Customized
Personal
Very cost-effective
Trainees can learn from each other
Maximizes use of company resources
Answer: Personal
22. What is the SETA program designed to do?
Reduce the occurrence of external attacks
Increase the efficiency of InfoSec staff
Reduce the occurrence of accidental security breaches
Improve operations
Answer: Reduce the occurrence of accidental security breaches
23. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
They have a larger security staff than a small organization
They have a smaller security budget (as percent of IT budget) than a large organization
They have a larger security budget (as percent of IT budget) than a small organization
They have larger information security needs than a small organization
Answer: They have larger information security needs than a small organization
24. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
Statement of Purpose
Limitations of Liability
Policy Review and Modification
Systems Management
Answer: Policy Review and Modification
25. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
Prohibited Usage of Equipment
Authorized Access and Usage of Equipment
Violations of Policy
Systems Management
Answer: Violations of Policy
26. Which of the following is true about a company’s InfoSec awareness Web site?
It should contain large images to maintain interest
It should be tested with multiple browsers
Appearance doesn’t matter if the information is there
It should be placed on the Internet for public use
Answer: It should be tested with multiple browsers
27. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Risk assessment
Systems testing
Risk management
Vulnerability assessment
Answer: Risk assessment
28. Which of the following are instructional codes that guide the execution of the system when information
access control lists
capability tables
configuration rules
user profiles
Answer: configuration rules
29. Which of the following variables is the most influential in determining how to structure an information security program?
Security capital budget
Organizational size
Organizational culture
Security personnel budget
Answer: Organizational culture
30. Which of the following are the two general groups into which SysSPs can be separated?
User specifications and managerial guidance
Business guidance and network guidance
Technical specifications and business guidance
Technical specifications and managerial guidance
Answer: Technical specifications and managerial guidance