Corporate Computer Security
Planning and Policy
1) This book focuses on ________.
A) offense
B) defense
C) offense and defense about equally
D) None of the above
Answer: B
Question: 1
2) Closing all routes of attack into an organization's system(s) is called ________.
A) defense in depth
B) comprehensive security
C) total security
D) access control
Answer: B
Question: 2b
3) A ________ occur(s) when a single security element failure defeats the overall security of a system.
A) spot failure
B) weakest link failure
C) defense in depth departure
D) critical failure
Answer: B
Question: 2c
4) Which of the following is a formal process?
A) Annual corporate planning
B) Planning and developing individual countermeasures
C) Both A and B
D) Neither A nor B
Answer: C
Question: 3a
5) A planned series of actions in a corporation is a(n) ________.
A) strategy
B) sequence
C) process
D) anomaly
Answer: C
Question: 3a
6) The growing number of compliance laws and regulations is driving firms to use formal governance frameworks to guide their security processes.
Answer: TRUE
Question: 3b
7) Many compliance regimes require firms to adopt specific formal governance frameworks to drive security planning and operational management.
Answer: TRUE
Question: 3b
8) Planning, protection, and response follow a fairly strict sequence from one stage to another.
Answer: FALSE
Question: 4b
9) The stage of the plan-protect response cycle that consumes the most time is ________.
A) planning
B) protection
C) response
D) each of the above consumes about the same amount of time
Answer: B
Question: 4c
10) ________ is the plan-based creation and operation of countermeasures.
A) Planning
B) Protection
C) Response
D) All of the above
Answer: B
Question: 4d
11) What is missing from the definition of response as "recovery?"
A) The phrase "according to plan" must be added to "recovery."
B) The definition must refer to specific resources.
C) The phrase "Reasonable degree of" must begin the definition.
D) The phrase "and prosecution" must be added after "recovery."
Answer: A
Question: 4e
12) Strong security can be an enabler, allowing a company to do things it could not do otherwise.
Answer: TRUE
Question: 5a
13) The key to security being an enabler is ________.
A) getting it involved early within the project
B) having strong corporate policies
C) extensive training
D) adequate spending on security
Answer: A
Question: 5b
14) IT security people should maintain a negative view of users.
Answer: FALSE
Question: 5c
15) It is a good idea to view the security function as a police force or military organization.
Answer: FALSE
Question: 5d
16) The first step in developing an IT security plan is to ________.
A) determine needs
B) assess the current state of the company's security
C) create comprehensive security
D) prioritize security projects
Answer: B
Question: 6a
17) Once a company's resources are enumerated, the next step is to ________.
A) create a protection plan for each
B) assess the degree to which each is already protected
C) enumerate threats to each
D) classify them according to sensitivity
Answer: D
Question: 6c
18) After performing a preliminary security assessment, a company should develop a remediation plan for EVERY security gap identified.
Answer: TRUE
Question: 6d
19) A company should consider its list of possible remediation plans as an investment portfolio.
Answer: TRUE
Question: 6e
20) The factors that require a firm to change its security planning, protection, and response are called driving forces.
Answer: TRUE
Question: 7a
21) Compliance laws and regulations ________.
A) create requirements to which security must respond
B) can be expensive for IT security
C) Both A and B
D) Neither A nor B
Answer: C
Question: 7b
22) A ________ is a material deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.
A) material control failure
B) material control deficiency
C) critical control deficiency
D) critical control failure
Answer: B
Question: 8a
23) When companies studied where they stored private information, they found that much of this information was stored inside spreadsheets and word processing documents.
Answer: TRUE
Question: 9b
24) ________ specifically addresses data protection requirements at financial institutions.
A) GLBA
B) HIPAA
C) The Revised SEC Act
D) Sarbanes-Oxley
Answer: A
Question: 9c
25) ________ specifically addresses data protection requirements at health care institutions.
A) GLBA
B) HIPAA
C) Sarbanes-Oxley
D) The SEC Act
Answer: B
Question: 9d
26) Data breach notification laws typically ________.
A) require companies to notify affected people if sensitive personally identifiable information is stolen or even lost
B) have caused companies to think more about security
C) Both A and B
D) Neither A nor B
Answer: C
Question: 10a
27) The FTC can act against companies that fail to take reasonable precautions to protect privacy information.
Answer: TRUE
Question: 11a
28) The FTC can ________.
A) impose fines
B) require annual audits by external auditing firms for many years
C) Both A and B
D) Neither A nor B
Answer: C
Question: 11b
29) Which companies do PCI-DSS affect?
A) E-commerce firms
B) Medical firms
C) Government organizations
D) Companies that accept credit card payments
Answer: D
Question: 13
30) What type of organization is subject to FISMA?
A) E-commerce firms
B) Medical firms
C) Government organizations
D) Companies that accept credit card payments
Answer: C
Question: 14a
31) In FISMA, ________ is done internally by the organization.
A) certification
B) accreditation
C) Both A and B
D) Neither A nor B
Answer: C
Question: 14b
32) The manager of the security department often is called ________.
A) the chief security officer (CSO)
B) the chief information security officer (CISO)
C) Either A or B
D) Neither A nor B
Answer: C
Question: 15a
33) Placing security within IT ________.
A) creates independence
B) is likely to give security stronger backing from the IT department
C) Both A and B
D) Neither A nor B
Answer: B
Question: 16a
34) Independence is best provided for IT security by placing it within the IT department.
Answer: FALSE
Question: 16a
35) Most IT security analysts recommend placing IT security functions within the IT department.
Answer: FALSE
Question: 16c
36) In order to demonstrate support for security, top management must ________.
A) ensure that security has an adequate budget
B) support security when there are conflicts between the needs of security and the needs of other business functions
C) follow security procedures themselves
D) All of the above
Answer: D
Question: 17b
37) ________ examines organizational units for efficiency, effectiveness, and adequate controls.
A) Internal auditing
B) Financial auditing
C) IT auditing
D) None of the above
Answer: A
Question: 18b
38) ________ examines financial processes for efficiency, effectiveness, and adequate controls.
A) Internal auditing
B) Financial auditing
C) IT auditing
D) None of the above
Answer: B
Question: 18b
39) ________ examines IT processes for efficiency, effectiveness, and adequate controls.
A) Internal auditing
B) Financial auditing
C) IT auditing
D) None of the above
Answer: C
Question: 18b
40) Placing IT auditing in an existing auditing department would give independence from IT security.
Answer: TRUE
Question: 18c
41) ________ entails investigating the IT security of external companies and the implications of close IT partnerships before implementing interconnectivity.
A) Auditing
B) Due diligence
C) Peer-to-peer security
D) Vulnerability testing
Answer: B
Question: 18h
42) To outsource some security functions, a firm can use an MISP.
Answer: FALSE
Question: 19a
43) A benefit of using MSSPs is that they provide ________.
A) cost savings
B) independence
C) Both A and B
D) Neither A nor B
Answer: C
Question: 19b
44) What security functions typically are outsourced?
A) Intrusion detection
B) Vulnerability testing
C) Both A and B
D) Neither A nor B
Answer: C
Question: 19c
45) What security functions typically are outsourced?
A) Policy
B) Vulnerability testing
C) Both A and B
D) Neither A nor B
Answer: B
Question: 19c
46) What security function(s) usually is(are) not outsourced?
A) Planning
B) Intrusion detection
C) Vulnerability testing
D) All of the above
Answer: A
Question: 19e
47) Vulnerability testing typically is not outsourced.
Answer: FALSE
Question: 19e
48) According to the author, information assurance is a good name for IT security.
Answer: FALSE
Question: 20a
49) The goal of IT security is risk elimination.
Answer: FALSE
Question: 20b
50) The goal of IT security is reasonable risk reduction.
Answer: TRUE
Question: 20b
51) Security tends to impede functionality.
Answer: TRUE
Question: 20c
52) In benefits, costs and benefits are expressed on a per-year basis.
Answer: TRUE
Question: 21a
53) SLE times ARO gives the ________.
A) expected per-event loss
B) expected annual loss
C) expected life cycle loss
D) expected per-event benefit
Answer: B
Question: 21b
54) When risk analysis deals with costs and benefits that vary by year, the computations should use ________.
A) NPV
B) IRR
C) Either A or B
D) Neither A nor B
Answer: C
Question: 23a
55) Which of the following gives the best estimate of the complete cost of a compromise?
A) ALE
B) ARO
C) TCI
D) Life cycle cost
Answer: C
Question: 23b
56) The worst problem with classic risk analysis is that ________.
A) protections often protect multiple resources
B) resources often are protected by multiple resources
C) we cannot estimate the annualized rate of occurrence
D) costs and benefits are not the same each year
Answer: C
Question: 23d
57) The book recommends hard-headed thinking about security ROI analysis.
Answer: FALSE
Question: 23e
58) Which of the following is a way of responding to risk with active countermeasures?
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) All of the above
Answer: A
Question: 24a
59) ________ means implementing no countermeasures and absorbing any damages that occur.
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) None of the above
Answer: B
Question: 24b
60) ________ means responding to risk by taking out insurance.
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) Risk transference
Answer: D
Question: 24c
61) ________ means responding to risk by not taking a risky action.
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) Risk transference
Answer: C
Question: 24e
62) Responding to risk through risk avoidance is likely to be acceptable to other units of the firm.
Answer: FALSE
Question: 24f
63) A technical security architecture includes ________.
A) all of a firm's countermeasures
B) how countermeasures are organized
C) Both A and B
D) Neither A nor B
Answer: C
Question: 25a
64) A technical security architecture should be created ________.
A) annually
B) before a firm creates individual countermeasures
C) before a firm creates a specific countermeasure
D) after each major compromise
Answer: B
Question: 25c
65) Companies should replace their legacy security technologies immediately.
Answer: FALSE
Question: 25d
66) Using both a firewall and host hardening to protect a host is ________.
A) defense in depth
B) risk acceptance
C) an anti-weakest link strategy
D) adding berms
Answer: A
Question: 26a
67) ________ requires multiple countermeasures to be defeated for an attack to succeed.
A) Defense in depth
B) Weakest link analysis
C) Both A and B
D) Neither A nor B
Answer: A
Question: 26b
68) ________ is a single countermeasure composed of multiple interdependent components in series that require all components to succeed if the countermeasure is to succeed.
A) Defense in depth
B) Weakest link
C) Both A and B
D) Neither A nor B
Answer: B
Question: 26b
69) Central security consoles ________.
A) are dangerous
B) allow policies to be applied consistently
C) Both A and B
D) Neither A nor B
Answer: C
Question: 26d
70) Security professionals should minimize burdens on functional departments.
Answer: TRUE
Question: 26e
71) Having realistic goals for reducing vulnerabilities ________.
A) is giving in to the problem
B) helps to focus on the most critical threats
C) is a cost-saving method
D) is risk avoidance
Answer: B
Question: 26f
72) Border management ________.
A) is no longer important because there are so many ways to bypass borders
B) is close to a complete solution to access control
C) Both A and B
D) Neither A nor B
Answer: D
Question: 27b
73) A(n) ________ is a statement of what should be done under specific circumstances.
A) implementation control
B) policy
C) policy guidance document
D) procedure
Answer: B
Question: 28a
74) Policies should specify the details of how protections are to be applied.
Answer: FALSE
Question: 28b
75) Policies should specify implementation in detail.
Answer: FALSE
Question: 28c
76) When you wish to create a specific firewall, you should create a security policy for that firewall specifically.
Answer: TRUE
Question: 29d
77) Policies should be written by ________.
A) IT security
B) corporate teams involving people from multiple departments
C) a senior executive
D) an outside consultant, to maintain independence
Answer: B
Question: 30
78) ________ are mandatory.
A) Standards
B) Guidelines
C) Both A and B
D) Neither A nor B
Answer: A
Question: 31a
79) ________ are discretionary.
A) Standards
B) Guidelines
C) Both A and B
D) Neither A nor B
Answer: B
Question: 31a
80) It is mandatory for decision makers to consider guidelines.
Answer: TRUE
Question: 31b
81) Guidelines are appropriate in simple and highly certain circumstances.
Answer: FALSE
Question: 31c
82) ________ specify the low-level detailed actions that must be taken by specific employees.
A) Procedures
B) Processes
C) Both A and B
D) Neither A nor B
Answer: A
Question: 32a
83) The steps required to issue a new employee a password should be specified in a ________.
A) procedure
B) process
C) Both A and B
D) Neither A nor B
Answer: A
Question: 32b
84) In manual procedures, the segregation of duties ________.
A) reduces risk
B) increases risk by creating blind spots
C) increases risk by reducing accountability
D) can only be done safely through information technology
Answer: A
Question: 32c
85) When someone requests to take an action that is potentially dangerous, what protection should be put into place?
A) Limit the number of people that may request an approval
B) Ensure that the approver is the same as the requestor
C) Both A and B
D) Neither A nor B
Answer: A
Question: 32d
86) Mandatory vacations should be enforced ________.
A) to improve employee diligence to threats
B) to reduce the possibility of collusion between employees
C) to be in compliance with state and federal law
D) for ethical purposes
Answer: B
Question: 32e
87) ________ are check lists of what should be done in a specific procedure.
A) Baselines
B) Guidelines
C) Standards
D) Procedures
Answer: A
Question: 32f
88) ________ are descriptions of what the best firms in the industry are doing about security.
A) Best practices
B) Recommended practices
C) Both A and B
D) Neither A nor B
Answer: A
Question: 32g
89) ________ are prescriptive statements about what companies should do and are put together by trade associations and government agencies.
A) Best practices
B) Recommended practices
C) Both A and B
D) Neither A nor B
Answer: B
Question: 32g
90) The party that is ultimately held accountable for a resource or control is ________.
A) the owner
B) the trustee
C) the accredited security officer
D) the certified security officer
Answer: A
Question: 32h
91) The owner can delegate ________ to the trustee.
A) the work of implementation of a resource or control
B) accountability for a resource or control
C) Both A and B
D) Neither A nor B
Answer: A
Question: 32i
92) Different honest people can make different ethical decisions in a given situation.
Answer: TRUE
Question: 33a
93) Companies create codes of ethics in order to make ethical decision making more predictable.
Answer: TRUE
Question: 33b
94) In a firm, codes of ethics apply to ________.
A) part-time employees
B) senior managers
C) Both A and B
D) Neither A nor B
Answer: C
Question: 33d
95) Senior officers often have an additional code of ethics.
Answer: TRUE
Question: 33e
96) Which of the following is an example of a conflict of interest?
A) Preferential dealings with relatives
B) Investing in competitors
C) Competing with the company while still employed by the company
D) All of the above
Answer: D
Question: 33h
97) ________ are monetary gifts to induce an employee to favor a supplier or other party.
A) Bribes
B) Kickbacks
C) Both A and B
D) Neither A nor B
Answer: A
Question: 33k
98) ________ are payments made by a supplier to a corporate buyer when a purchase is made.
A) Bribes
B) Kickbacks
C) Both A and B
D) Neither A nor B
Answer: B
Question: 33k
99) It is acceptable for an employee to reveal ________.
A) confidential information
B) private information
C) trade secrets
D) None of the above
Answer: D
Question: 33l
100) Exceptions in policies and procedures should be forbidden.
Answer: FALSE
Question: 34a
101) Which of the following is a good rule for handling exceptions?
A) Only some people should be allowed to request exceptions.
B) The requestor and approver should be different people.
C) The exception should be documented.
D) All of the above.
Answer: D
Question: 34c
102) Policies drive ________.
A) implementation
B) oversight
C) Both A and B
D) Neither A nor B
Answer: C
Question: 35b
103) Conducting stings on employees ________.
A) raises awareness
B) raises resentment
C) Both A and B
D) Neither A nor B
Answer: C
Question: 35f
104) Electronic employee monitoring is rare.
Answer: FALSE
Question: 35g
105) Informing employees that monitoring will be done is a bad idea.
Answer: FALSE
Question: 35h
106) Security metrics allow a company to know if it is improving in its implementation of policies.
Answer: TRUE
Question: 35j
107) The purpose(s) of auditing is(are) to ________.
A) develop opinions on the health of controls
B) find punishable instances of noncompliance
C) Both A and B
D) Neither A nor B
Answer: A
Question: 36a
108) Audits place special attention on ________.
A) compliance avoidance
B) noncompliance
C) memo log files
D) absences from duty
Answer: A
Question: 36c
109) ________ audits are done by an organization on itself.
A) Internal
B) External
C) Both A and B
D) Neither A nor B
Answer: A
Question: 36d
110) Hotlines for reporting improper behavior are required by law to be non-anonymous.
Answer: FALSE
Question: 37a
111) Internal corporate attackers often have a history of overt unacceptable behavior.
Answer: TRUE
Question: 37c
112) Which of the following is not one of the three elements in the fraud and abuse triangle?
A) Opportunity
B) Resistance
C) Rationalization
D) Pressure
Answer: B
Question: 37d
113) Employees usually must rationalize bad behavior.
Answer: TRUE
Question: 37f
114) Before doing a vulnerability test, a security employee must ensure that ________.
A) doing a vulnerability test is in his or her job description
B) no damage will be done
C) he or she has a specific contract to do a specific test
D) the test is a surprise to everyone, including the tester's superior, who may be engaged in illicit activities
Answer: C
Question: 38b
115) Which of the following are examples of opportunity?
A) Weak security controls
B) Insufficient oversight from management
C) An unlocked safe
D) All of the above
Answer: D
116) An example of "pressure" from the fraud triangle would include paying back embezzled money.
Answer: FALSE
117) A governance framework specifies how to do ________.
A) planning
B) implementation
C) oversight
D) All of the above
Answer: D
Question: 40a
118) COSO focuses on ________.
A) corporate internal and financial controls
B) IT governance
C) IT security governance
D) All of the above
Answer: A
Question: 40b
119) CobiT focuses on ________.
A) corporate governance
B) controlling the entire IT function
C) IT security governance
D) All of the above about equally
Answer: B
Question: 40b
120) In COSO, a company's overall control culture is called its ________.
A) control culture
B) tone at the top
C) control environment
D) security culture
Answer: C
Question: 41c
121) Which CobiT domain has the most control objectives?
A) Planning & Organization
B) Acquisition & Implementation
C) Delivery & Support
D) Monitoring
Answer: C
Question: 42d
122) ________ is preferred by U.S. auditors.
A) ISO/IEC 27000 family
B) COSO
C) CobiT
D) PCI-DSS
Answer: C
Question: 42e
123) The ISO/IEC 27000 family focuses on ________.
A) corporate governance
B) IT governance
C) IT security governance
D) All of the above about equally
Answer: C
Question: 40c
124) Which of the following specifies how to do certification by external parties?
A) COSO
B) CobiT
C) ISO/IEC 27000
D) All of the above have certification by external parties.
Answer: C
Question: 43d