1. Organization mission statements
   a. Are nontechnical in nature, so ISSMPs do not have to understand them
   b. Are quickly put together by senior management
   c. Provide everyone in the organization overall direction and focus for their activities
   d. Are very specific and provide specific goals and objectives

2. Which types of organizations need to have a formally documented mission statement?
   a. Commercial enterprises
   b. Nonprofit organizations
   c. Government agencies
   d. All the above

3. Deploying Internet security solutions that are acceptable to clients requires knowing the client's
   a. Expectations and location
   b. Location and technical knowledge
   c. System capabilities and expectations
   d. Expectations and technical knowledge

4. All organizations' security solutions are influenced by the following:
   a. Laws, employee culture, profit, and competition
   b. Goals, client expectations, regulations, and profit
   c. Group and client expectations and competition capabilities
   d. Profit, organization objectives, client capabilities, and senior management

5. A system's security solutions must be
   a. Cost effective, risk based, and acceptable
   b. Risk based and within division budget restraints
   c. Practical and 95% effective
   d. Acceptable by senior management and provide an ROI

6. A specific piece of information's level of classification is dependent on
   a. Need to know
   b. Cost of producing the information
   c. Impact if compromised
   d. Affordability of required security

7. The system security boundary must be determined early based on all but the following:
   a. Understanding the mission, goals, and objectives
   b. Coordinating the review with the end users
   c. Identifying the system components that support each of the business functions
   d. Determining who is operationally and fiscally responsible for the system

8. The security boundary is important to establishing
   a. Who will be doing the certification effort
   b. Scoping the security effort
   c. Determining which regulations and laws apply
   d. Whether the system will need an Internet connection or not

9. The implementation phase of the System Development Life Cycle includes
   a. Conducting an initial security test
   b. Identifying security solutions
   c. Determining if the security is acceptable to operate
   d. Defining the system security requirements

10. The ISSMP's job is to provide security support until the end of which phase in the System Development Life Cycle?
   a. Disposition and Disposal
   b. Operation and Maintenance
   c. Implementation
   d. Initiation

11. Risk assessments are done in which phases of the System Development Life Cycle?
   a. Initiation
   b. Initiation and Implementation
   c. Implementation and Disposition and Disposal
   d. Initiation, Implementation, and Operations and Maintenance

12. Who sets the information security standards for the public sector?
   a. National Security Agency (NSA)
   b. International Organization for Standardization (ISO)
   c. National Institute of Standards and Technology (NIST)
   d. International Electrotechnical Commission (IEC)

13. Families of controls are identified in which of the following documents?
   a. NIST Special Publication 800-53
   b. ISO 27002
   c. DoDI 8500.2
   d. All the above

14. The ISSMP decides between using quantitative and qualitative risk assessment based on
   a. The budget process
   b. Threats
   c. Vulnerabilities
   d. Management decision processes

15. Assurances are those activities that provide management with what about security solutions?
   a. Due diligence
   b. Protection
   c. Cost effectiveness
   d. ROI

16. Which of the following provides a measurement of how well an organization's process includes the capability of continuously improving its processes?
   a. Common Criteria Evaluation and Validation Scheme
   b. OCTAVE
   c. Software Engineering Institute's Capability Maturity Model
   d. Commonly Accepted Security Practices and Regulations

17. Interconnections with other systems outside the system security boundary can have the following effects on a system:
   a. Increased dependencies to support the other system's security requirements
   b. Requirement to notify when a security event occurs on your system
   c. Obligation to inform the other system when outages are going to occur
   d. All the above

18. Annual Loss Expectancy and ROI are expressed in the following units:
   a. Currency and percentage
   b. Percentage and level of risk
   c. Cost of security and percentage
   d. Percentage and cost savings

19. A Plan of Actions and Milestones (POA&M) is
   a. A security plan
   b. A management tool
   c. A list of all the system's security solutions
   d. A checklist of actions for monitoring security during the Implementation Phase

20. The ideal presentation to senior managers should follow which of the following rules?
   a. 20-page justification
   b. Five slides
   c. Answer all the questions that the audience could ask
   d. Be presented in 5 minutes

21. How does the need for security compare between systems developed for sale or external use and systems developed for in-house use?
   a. Systems for sale or external use always have more security concerns.
   b. Systems developed for in-house use always have more security concerns.
   c. Systems developed in house require security efforts on the part of the internal security team, while those developed for external use can have security outsourced.
   d. Both systems have security concerns that must be carefully addressed.

22. When should a project's security measures be addressed?
   a. As close to the start of the project as possible
   b. Only after security issues are exploited
   c. After the initial project design is done
   d. When the functional specifications are being written

23. Which of the following poses the greatest risk of perpetrating a catastrophic theft of an organization's valuable data without expending great resources to do so?
   a. Foreign governments and their sponsored hackers
   b. Employees
   c. Activists from hacktivist groups such as Anonymous
   d. Customers

24. How does the use of Rapid Application Development (RAD) affect security planning?
   a. The compressed time between releases means security planning and concerns must be brought up early and stressed often.
   b. The process of iterative development means security is built in automatically.
   c. Security issues are more common in RAD projects.
   d. Security issues are less common in RAD projects.

25. What security risks are associated with the use of prototyping and prototyping tools?
   a. Prototypes always allow hackers to understand what a business plans to do for security in its finished products.
   b. Prototyping helps ensure secure code.
   c. Prototyping tools write code with an eye toward that code's security.
   d. Prototypes and prototyping tools tend to generate basic and insecure code that must be carefully reviewed before use in the finished product.

26. Risk analysis is a method to do what?
   a. Find all possible security issues and how to exploit them.
   b. Gather data on the cost to mitigate security threats and the possibility of the threat being exploited.
   c. Decide how much money to spend on security.
   d. Compare risks and rewards of having a security program.

27. What mitigations should be listed in a risk analysis?
   a. Only those of the project itself
   b. Only mitigations that are software or network related
   c. Only those that can be mitigated with security technology
   d. All mitigations that apply to a risk the project has or inherits

28. How many levels of risk and mitigation must be taken into account during a risk analysis?
   a. Only the first level of identifying the risk and its immediate mitigation
   b. As many levels as needed to reach a level of mitigation that is no longer feasible
   c. Two levels: the risk and its mitigation, and then the mitigation if that first mitigation fails
   d. The same number of levels as listed for maximum response times in the security plan

29. Security cost is defined as what when writing a risk analysis?
   a. The monetary costs of developing and implementing security measures, including consulting, hardware, additional software, and development process costs
   b. The productivity losses associated with time lost to implement and abide by security measures
   c. Both of the above
   d. None of the above

30. Who should review and sign off on security plans?
   a. Key players as well as anyone mandated by the enterprise itself
   b. Only those people required by the enterprise's policies
   c. Outside consultants only
   d. A third-party auditor

31. When are security reviews necessary?
   a. When legally mandated or required by company policy
   b. It depends on the project
   c. When any changes are made
   d. When a breach occurs

32. What impact can access to a project's source code have on security?
   a. It improves security because more people can look for issues.
   b. It has no real effect. There isn't much interest in enterprise in-house projects.
   c. It can compromise security, and access should be limited.
   d. The source code cannot impact security. Only executable code that actually runs can impact security.

33. Who should have access to a project's bug or defect database?
   a. Everyone at the company.
   b. Only those who require access to do their jobs.
   c. It should be public.
   d. The IT support team.

34. Web 2.0 projects often have more security needs in what area?
   a. Data encryption, transmission, and storage
   b. Server hardening and updating
   c. Both of the above
   d. None of the above

35. What impact does virtualization have on security?
   a. Unique risks must be taken into account.
   b. No impact. Security is treated exactly as if virtualization is not in use.
   c. Virtualization reduces security risks.
   d. The same issues as those relevant to all of the systems being run on the virtual machines combined.

36. What is the role of security in the maintenance phase of a project?
   a. Security must be maintained by regular code and security reviews and by patching and updating software and hardware.
   b. Security must be maintained by patching and updating software and hardware, and by security reviews, but code reviews are no longer necessary.
   c. Security must be maintained by regular code and security reviews, but patching is irrelevant to this issue.
   d. Security is no longer needed during the maintenance phase.

37. What is the difference between a public cloud system and a community cloud system?
   a. A public cloud involves a third party providing services to an organization via the Internet; a community cloud is a private cloud that is shared between several parties.
   b. A public cloud involves a third party providing services to an organization via the Internet; a community cloud infrastructure means the organization manages some resources available in house and has other resources provided to it by an external third party.
   c. A public cloud involves a third party providing services to an organization via the Internet; a community cloud is another word for a private cloud.
   d. They are the same.

38. What types of security testing should be done on the system to ensure that it meets its security bar?
   a. Component-level security testing is more than able to validate the system's security.
   b. Component-level, end-to-end, and penetration testing should all be used to validate the system's security.
   c. End-to-end security testing is the best way to validate that the system meets its security bar.
   d. Penetration testing is the best way to validate that the system meets its security bar.

39. What kind of data should be used in security testing?
   a. Mock data that follows real patterns
   b. Live data with sensitive information stripped out
   c. Live data in its entirety
   d. Live data with sensitive information stripped out

40. What benefit does using components or software that is certified or accredited bring to a system's security?
   a. Neither certification nor accreditation ever has an effect on the system's security.
   b. In some cases, it can help increase the system's security level.
   c. It negatively affects the system's security.
   d. Certification can help improve security, but accreditation has no impact on security.

41. Cyber vulnerability testing consists of which of the following activities?
   a. War driving and war dialing
   b. Network probing and network scanning
   c. Penetration testing
   d. All of the above

42. Which of the following statements is true?
   a. The main benefit of using an MSSP is to turn over all responsibilities and wash your hands of the entire enterprise security burden.
   b. MSSP relationships can be more casual because most MSSPs are willing and able to take on the enterprise security responsibilities.
   c. Operations, monitoring, detection, notification, and resolution may be outsourced, but the security responsibility is only shared, not abdicated.
   d. When using an MSSP, in-house security efforts are no longer necessary.

43. What is the intent of metrics?
   a. Objective measurement of the enterprise risk posture
   b. Objective evaluation of value to the organization in terms of business need
   c. Determine if operations are performing within SLAs
   d. Objective measurement of the enterprise security posture

44. An emerging formal practice to identify key people, process, technology, and environment that fulfill the mission and then to align security operations with these key resources is known as what?
   a. Enterprise risk management
   b. Enterprise security management
   c. Risk management
   d. Mission assurance

45. Given the existence of enterprise security guidance, and that enterprise employees, business partners, vendors, and other covered entities are aware of and understand the policies, standards, procedures, and guidelines, there is a need to enforce compliance in daily operations. Enforcement requires which of the following?
   a. Monitoring for noncompliance
   b. Detecting and responding to noncompliance
   c. Both of the above
   d. Neither of the above

46. Which of the following statements is false about the Enterprise Security Standard (ESS)?
   a. You can develop an ESS from an industry security standard or from security legislation or both.
   b. The structure of the ESS becomes the foundation for the enterprise security framework (ESF).
   c. To save money, and since the ESS is unique to each organization anyway, developing the ESS from staff experience, though somewhat arbitrary, is an acceptable practice.
   d. The enterprise security standard (ESS) is a list of all applicable security controls grouped by families.

47. Which of the following statements is true about incident response?
   a. Some potential members of an incident response team are senior management, legal, corporate communications, and operations.
   b. Incident response team (IRT) and cyber incident response team (CIRT) are similar phrases for the same organizational function.
   c. The news media will print what they want anyway, so it is okay for anyone on the security team to speak to them about security incident details.
   d. All cyber incidents are unique and upon detection are immediately escalated to subject matter experts (SMEs).

48. Which of the following statements is false?
   a. In a given environment, people perform processes using technology to produce results.
   b. Security is a support structure of safeguards for cost management and never contributes to revenue generation.
   c. A key differentiating characteristic of the cyber domain from the other domains is physical proximity.
   d. The complement to legislative compliance is good business practice.

49. What is the purpose of a service level agreement (SLA)?
   a. The SLA is only used as a formal agreement between the enterprise and external service providers to establish services, performance parameters, and financial penalties for performance outside of specified parameters.
   b. The SLA records common understanding about the services provided and the performance parameters within which to provide the services.
   c. The SLA specifies performance measurements in terms of thresholds, e.g., number of transactions per hour, available bandwidth, and downtime tolerances.
   d. The SLA is a formal agreement that specifies pay for performance within operations departments.

50. What is the enterprise risk posture?
   a. Intentionally assumed position of safeguards throughout the entire organization
   b. The probability of specific eventualities throughout the entire organization
   c. The aggregation of all the safeguards and precautions that mitigate risk
   d. The formal articulation of an intentionally assumed position on dealing with potential negative impact

51. What is data exfiltration?
   a. The unauthorized use of USB devices
   b. The unauthorized transmission of data between departments
   c. The unauthorized transmission of data into the organization from a service provider
   d. The unauthorized transmission of data out of the organization

52. Which of the following groups is not representative of the nine core security principles?
   a. Nonrepudiation, possession, utility
   b. Authorized use, privacy, authorized access
   c. Confidentiality, integrity, authenticity
   d. Availability, privacy, utility

53. Which of the following is true about a Security Compliance Management Program (SCMP)?
   a. Governance identifies and enumerates all relevant security compliance requirements. These may include legislation, regulation, directives, instructions, contractual obligations, and good business practice.
   b. The planning function determines the appropriate steps to take to establish and maintain compliance. The results of planning will include a list of necessary security technologies to insert in IT operations.
   c. Implementation takes the policies, standards, procedures, and guidelines and inserts them into information technology systems.
   d. Deployment makes compliance part of daily operations throughout the enterprise.
   e. The role of adjudication is to resolve conflicts in the best interest of enterprise senior management and executives.

54. Which of the following is false about system hardening?
   a. System hardening is the elimination of known vulnerabilities, exploits, and generally turning off or uninstalling unnecessary functions.
   b. Each operating system, each version of the same operating system, and each patch release of the same operating system may have a different procedure for hardening the system.
   c. Disabling unused services will require OS parameter changes at the kernel or registry level, or modifications to services that initiate or run at startup.
   d. None of the above.

55. What is the difference between legislative management and litigation management?
   a. Litigation management is the use of lobby groups by senior management to establish working relationships with the local judiciary, and legislative management is the use of lobby groups with Congress to influence the content of security laws.
   b. Legislative management attempts to avoid litigation, and litigation management intends to minimize the negative effects on an organization in the event of an incident.
   c. Litigation management involves establishing working relationships between senior management, security personnel, and the enterprise legal department, and legislative management is the result of this working relationship.
   d. Litigation management comes before legislative management.

56. Which of the following is a true statement about digital policy management (DPM)?
   a. A digital policy infrastructure is the collection of policy managers, policy clients, PDPs, and PEPs.
   b. DPM is the process of creating and disseminating information technology (IT) policies.
   c. DPM is the automated enforcement of policy on the network.
   d. None of the above.

57. The most dangerous type of malware is
   a. A spear phishing attack because it targets a specific weakness in people.
   b. A zero-day exploit because it tries to exploit unknown or undisclosed vulnerabilities.
   c. A physical breach because it is the hardest to see coming.
   d. An insider threat using a USB thumb sucker attack because of unique knowledge of the enterprise.

58. Which of the following statements about bots is false?
   a. A bot is a type of malware that performs a specific function as directed by the bot herder.
   b. A bot is a term for software robot.
   c. Successful penetration of a PC by a bot makes that PC part of a botnet.
   d. A bot has a limited lifetime, typically less than 60 days, and must perform its nefarious activities before it removes itself from the infected system.

59. What is the purpose of security policies?
   a. To provide a description of acceptable behavior within the enterprise
   b. To clearly convey the uses for security services and mechanisms within the enterprise
   c. To exert control over the organization by the security department
   d. To provide a description of acceptable behavior with the intent of minimizing risk to the organization

60. A privately held restaurant chain in New Jersey, USA, is likely thinking about its compliance needs. Which is likely to apply?
   a. HIPAA
   b. GLB
   c. PCI-DSS
   d. SEC rules

61. Which one of the following is not a benefit of developing a disaster recovery plan?
   a. Reducing disruptions to operations
   b. Training personnel to perform alternate roles
   c. Minimizing decision making during a disastrous event
   d. Minimizing legal liability and insurance premiums

62. A business continuity policy should be reviewed and re-evaluated
   a. Annually in light of management's strategic vision
   b. Biannually in preparation for an audit review
   c. Whenever critical systems are outsourced
   d. During implementation of system upgrades

63. Which of the following is a key phase of BC and DR plans?
   a. Damage assessment
   b. Personnel evacuation
   c. Emergency transportation
   d. Emergency response

64. The vitally important issue for emergency response is
   a. Calling emergency services
   b. Protecting the corporate image
   c. Accounting for employees
   d. Employee evacuation

65. The third stage in the development of business continuity plans is
   a. Define Business Continuity Management strategy.
   b. Exercise, review, and maintain the policy.
   c. Understand the organization.
   d. Develop and implement the BCM policy.

66. Which one of the following is not required for understanding the organization? Understanding the organization's
   a. Organization chart
   b. Risk appetite
   c. Information technology infrastructure
   d. Core business functions

67. Key milestones in developing the project plan and governance include all of the below except
   a. Risk analysis
   b. Data gathering
   c. Audit approval
   d. Training, education, and awareness

68. The output of a business impact analysis is
   a. A prioritized list of critical data
   b. A prioritized list of sensitive systems
   c. The recommendation for alternate processing
   d. The scope of the business continuity plan

69. When a critical system cannot function at an acceptable level without input from a system on which it is dependent, which of the following statements is incorrect?
   a. The system on which it is dependent is at a higher priority.
   b. The system on which it is dependent is at a lower priority.
   c. The system on which it is dependent is at the same priority.
   d. The critical system feeds a lower priority system.

70. People-based threats include
   a. Theft, whitelisting, industrial action
   b. Industrial action, blacklisting, pandemics
   c. Pandemics, theft, industrial action
   d. Pandemics, call forwarding, theft

71. Risk acceptance is usually most appropriate when
   a. Impact is high and probability is low.
   b. Probability is high and impact is low.
   c. Impact is high and probability is high.
   d. Impact is low and probability is low.

72. Heat maps reflect the level of risk an activity poses and include all of the below except
   a. A suggested risk appetite boundary
   b. Proposed risk countermeasures
   c. Risk zones
   d. Color coding

73. A System Information Form contains all of the following information except
   a. Recovery priority
   b. Maximum outage time
   c. Dependencies on other systems
   d. Recovery point objective

74. The Notification/Activation Phase of the BCP/DRP includes
   a. A sequence of recovery goals
   b. Activities to notify recovery personnel
   c. The basis for declaring an emergency
   d. The assessment of system damage

75. Documenting recovery procedures is for
   a. Implementing recovery strategy
   b. Highlighting points requiring coordination between teams
   c. Outsourcing disaster recovery system development
   d. Providing instructions for the least knowledgeable recovery personnel

76. The primary purpose of testing is not to
   a. Satisfy audit requirements.
   b. Check that sources of data are adequate.
   c. Raise staff awareness of recovery plans.
   d. Prove the ability to recover from disruption.

77. Plan maintenance should be scheduled
   a. After testing to account for hardware or personnel changes
   b. In anticipation of audit activity
   c. When changes are made to protected systems
   d. When changes are made to supported business processes

78. Communication is a critical activity during the response and recovery phases of an incident. The communications plan must provide all of the following except
   a. Alternative types of communications media
   b. A list of contacts reachable through a communications tree
   c. Alternative communications service providers
   d. Immediate access to mobile devices for key communicators

79. An Emergency Operations Center must be provided to centrally manage the incident. It should include all of the following except
   a. A provision for secure and confidential discussions
   b. Office space for recovery team leaders
   c. Access to all BC and DR plans
   d. Forms of refreshment for EOC personnel

80. Thorough training in plan activities helps ensure all of the following except
   a. All team members understand their responsibilities.
   b. All team members understand the roles of others.
   c. Team cooperation.
   d. Plans are current.

81. Under the Electronic Communications Privacy Act, the expression "electronic communications" does NOT incorporate which of the following?
   I. Tone-only paging devices
   II. Electronic funds transfer information
   III. Tracking devices
   IV. Wire or oral communications
   a. I, II, III, and IV
   b. I
   c. I and II
   d. I and III

82. The Digital Millennium Copyright Act (DMCA) has specific provisions designed to legislate against and thus aid in preventing what type of action?
   a. Circumvention of technologies used to protect copyrighted work
   b. Creation of malicious code
   c. Digital manipulation or alteration of copyrighted computer code
   d. Digital reproduction of copyrighted documents and artwork

83. What questions are asked when deciding the outcome of a U.S. federal trademark dilution case? (Choose all that are correct)
   a. When was the mark created?
   b. How distinctive is the mark?
   c. Who owns the mark?
   d. How unique and recognized is the mark?

84. To sue for copyright infringement in the United States, what is the first step that a copyright holder must take?
   a. No action is necessary, as copyright attaches as a right of the author as soon as the work is created.
   b. Register a copyright application with the Copyright Office of the Library of Congress.
   c. Formally publish the work.
   d. Put the alleged infringer on notice that you intend to bring an action.

85. The judge in a civil court case can issue an order allowing for a civil search of another party's goods and to seize specific evidence. This order is known as a(n)
   a. Subpoena
   b. Doctrine of Exigent Circumstances
   c. Anton Piller Order
   d. Search warrant

86. Your company has a policy prohibiting pornography on company equipment, and an employee has become aware of a network user who has an image of a nude child on his computer. When you investigate the matter, you find that the person has several photos of children on a nude beach, but none of them involves sex or focuses on the child's genitalia. Which of the following is true?
   a. It is child pornography, and the computer user can be charged with possession of child pornography.
   b. It is child pornography, and the computer user can be charged or disciplined.
   c. It is not child pornography, and the computer user can be disciplined.
   d. It is not child pornography, and the computer user cannot be charged or disciplined.

87. Your team has detected that an outside party attempted to do a port scan on a highly sensitive system. According to the U.S. government model, what is the maximum amount of time that should elapse before the relevant information is reported?
   a. One hour
   b. One day
   c. One week
   d. One month

88. Tracing violations or attempted violations of system security to the user responsible is a function of what?
   a. Authentication
   b. Access management
   c. Integrity checking
   d. Accountability

89. Why is a conflict of interest considered troubling from the standpoint of fraud prevention?
   a. A conflict of interest violates canons of professional responsibility.
   b. A conflict of interest is obviously unethical and causes waste.
   c. A conflict of interest can be a sign of fraud, if not a source of it.
   d. A conflict of interest violates federal law and is therefore illegal.

90. The penalties that can be sanctioned to the losing party in a civil case can include
   a. Probation
   b. Community service
   c. Fines
   d. Imprisonment

91. Evidence needs to be one of the following in order to be deemed admissible in a court of law:
   a. Conclusive
   b. Incontrovertible
   c. Irrefutable
   d. Relevant

92. RFC 1087 sets the IAB "Ethics and the Internet" categorization of unethical actions. Which of the following is NOT considered unethical under the IAB?
   a. Downloading pornography
   b. Compromising user privacy without authorization
   c. Taking resources such as stationery and using equipment for personal uses
   d. Seeking to gain unauthorized access to resources

93. What is an evidence-gathering technique that occurs when a law enforcement officer entices a party into enacting a criminal offense they may not have otherwise committed with the aim of capturing the person in a "sting" operation, and is this considered legal or illegal?
   a. Enticement/legal
   b. Coercion/legal
   c. Entrapment/illegal
   d. Enticement/illegal

94. Which expression is used to describe the process where a party is provided with sufficient temptation such that they may hand over evidence of a crime that the individual has committed?
   a. Enticement
   b. Coercion
   c. Entrapment
   d. Encouragement

95. Which of the following is not considered to be intellectual property?
   a. Patents, service marks, and trademarks
   b. Plant grower's rights
   c. Computer hardware
   d. Trade secrets

96. Which term best describes the situation where an individual attacks (hacks) a computer system with the motive of curiosity or the thrill of seeing what is there?
   a. Scoping attack
   b. Digital thrill seeking
   c. Recon attacks
   d. Phishing

97. The Fourth Amendment to the U.S. Constitution sets the standard for what action?
   a. Free speech
   b. Commercial transactions and interstate commerce
   c. Individual privacy
   d. Government searches or seizure

98. A set of principles that is derived from a cultural or religious authority and standards is known as
   a. Policy
   b. Law
   c. Guidelines
   d. A moral code

99. Why is prevention alone NOT sufficient to protect a system from attackers?
   a. Even the finest preventive measures experience failures.
   b. The maintenance of preventive measures is labor intensive.
   c. It is hard to put preventive measures into operation.
   d. Prevention by itself is an expensive alternative.

100. What penalties does the CFAA hold for people who create and release malware?
   a. The CFAA has both civil and criminal sanctions.
   b. The CFAA has criminal sanctions.
   c. The CFAA has civil sanctions.
   d. The CFAA does not incorporate malware and is targeted at fraud such as phishing and financial fraud.