03(full).pdf
1. Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment?
   Answer: A baseline

2. In a properly segregated environment, which of the following tasks is compatible with the task of security administrator?
   Answer: Quality assurance

3. Within the realm of IT security, which of the following combinations best defines risk?
   Answer: Threat coupled with a vulnerability

4. Step-by-step instructions used to satisfy control requirements are called a:
   Answer: procedure

5. Who should provide access authorization to computerized information?
   Answer: Data owner

6. IT security measures should:
   Answer: Be tailored to meet organizational security goals.

7. What is the goal of the Maintenance phase in a common development process of a security policy?
   Answer: to review the document on the specified review date

8. Three key things that must be considered for the planning and implementation of access control mechanisms do NOT include:
   Answer: the system's vulnerability to viruses

9. Which of the following best defines add-on security?
   Answer: Protection mechanisms implemented after an information system has become operational.

10. Which of the following should NOT be addressed by employee termination practices?
    Answer: Employee bonding to protect against losses due to theft.

11. Which of the following best allows risk management results to be used knowledgeably?
    Answer: An uncertainty analysis

12. Why do many organizations require every employee to take a mandatory vacation of a week or more?
    Answer: To reduce the opportunity for an employee to commit an improper or illegal act.

13. Related to information security, the guarantee that the message sent is the message received is an example of which of the following?
    Answer: integrity

14. What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month?
    Answer: 1,200

15. What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?
    Answer: Threat analysis

16. Which of the following is not a responsibility of a database administrator?
    Answer: Providing access authorization to databases

17. Which of the following would BEST be defined as an absence or weakness of a safeguard that could be exploited?
    Answer: A vulnerability

18. One of these statements about the key elements of a good configuration process is NOT true:
    Answer: Controlling modifications to system hardware in order to protect resources from changes

19. A deviation from an organization-wide security policy requires which of the following?
    Answer: risk acceptance.

20. What are the three FUNDAMENTAL principles of security?
    Answer: Confidentiality, integrity and availability

21. Which of the following is most concerned with personnel security?
    Answer: Operational controls

22. Preservation of confidentiality in information systems requires that the information is not disclosed to:
    Answer: Unauthorized persons or processes.

23. Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
    Answer: System and information owners

24. Which of the following should NOT be a role of the Security Administrator?
    Answer: Authorizing access rights

25. Which of the following is not a component of an Operations Security triple?
    Answer: Risk

26. Related to information security, integrity is the opposite of which of the following?
    Answer: alteration

27. What can be described as a measure of the magnitude of loss or impact on the value of an asset?
    Answer: Exposure factor

28. Ultimately, the security of computer-based information systems is which of the following?
    Answer: a management issue.

29. Which of the following would best relate to resources being used only for intended purposes?
    Answer: Availability

30. An effective information security policy should not have which of the following characteristics?
    Answer: Be designed with a short- to mid-term focus

31. Which of the following would VIOLATE the Due Care concept?
    Answer: Data owners not laying out the foundation of data protection

32. Which of the following is NOT a part of a risk analysis?
    Answer: Choose the best countermeasure

33. Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following?
    Answer: Confidentiality

34. Which of the following is not a goal of integrity?
    Answer: Prevention of the modification of information by authorized users.

35. What is the main responsibility of the information (data) owner?
    Answer: determining the data sensitivity or classification level

36. What is the opposite of the C.I.A. in risk management?
    Answer: disclosure, alteration, destruction

37. Who is responsible for initiating corrective actions when there are security violations?
    Answer: Management

38. Which of the following is NOT a common integrity goal?
    Answer: Prevent paths that could lead to inappropriate disclosure.

39. Which approach to a security program makes sure that the people actually responsible for protecting the company's assets are DRIVING the program?
    Answer: The top-down approach

40. Who should DECIDE how a company should approach security and what security measures should be implemented?
    Answer: Senior management

41. What can best be defined as high-level statements, beliefs, goals and objectives?
    Answer: Policies

42. How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?
    Answer: Accept the risk

43. What is called a weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks?
    Answer: Vulnerability

44. Which of the following should be given technical security training?
    Answer: IT support personnel and system administrators

45. How is Annualized Loss Expectancy (ALE) derived from a threat?
    Answer: SLE x ARO

46. Which of the following is an advantage of a qualitative over a quantitative risk analysis?
    Answer: It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

47. Which of the following statements pertaining to a security policy is incorrect?
    Answer: It specifies how hardware and software should be used throughout the organization.

48. What is the main purpose of a Corporate Security Policy?
    Answer: to communicate management's intentions in regards to information security

49. Which of the following is the weakest link in a security system?
    Answer: People

50. Which of the following is not a responsibility of an information owner?
    Answer: Running regular backups and periodically testing the validity of the backup data.

51. Computer security should be first and foremost which of the following:
    Answer: Be cost-effective.

52. Which one of the following individuals has PRIMARY responsibility for determining the classification level of information?
    Answer: Owner

53. The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?
    Answer: Test equipment can be used