Chapter 5 - ITSY 1300

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on it.
Select one:
True
False

FALSE

Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. _________________________
Select one:
True
False

TRUE

Management of classified data includes its storage and _________.
Select one:
a.
portability
b.
All of the above
c.
distribution
d.
destruction

b.
All of the above

Benchmarking is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate._________________________
Select one:
True
False

TRUE

In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack, with the SLE being the product of the asset's value and the annualized loss expectancy.
Select one:
True
False

FALSE

_________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
Select one:
a.
Political
b.
Organizational
c.
Operational
d.
Technical

c.
Operational

Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets.
Select one:
True
False

FALSE

Cost Benefit Analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended.
Select one:
True
False

FALSE

Exposure factor is the expected percentage of loss that would occur from a particular attack. _________________________
Select one:
True
False

TRUE

________ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty.
Select one:
a.
Loss Frequency
b.
Loss
c.
Loss Magnitude
d.
Risk

d.
Risk

Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.
Select one:
a.
identification
b.
management
c.
control
d.
security

c.
control

A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
Select one:
a.
security clearance scheme
b.
risk management scheme
c.
data classification scheme

c.
data classification scheme

Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
Select one:
a.
acceptance
b.
appetite
c.
avoidance
d.
benefit

a.
acceptance

The __________ plan specifies the actions an organization can and should take while an adverse event (that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization) is in progress.
Select one:

c.
IR

Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered 'National Security Information', __________ data is the lowest level classification.
Select one:
a.
Confidential
b.
Unclassified
c.

b.
Unclassified

The first phase of risk management is _________.
Select one:
a.
risk evaluation
b.
risk control
c.
design
d.
risk identification

d.
risk identification

The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________.
Select one:
a.
loss frequency
b.
benefit of loss
c.
likelihood
d.
annualize

a.
loss frequency

In information security, benchmarking is the comparison of past security activities and events against the organization's current performance. _________________________
Select one:
True
False

FALSE

Know yourself means identifying, examining, and understanding the threats facing the organization.
Select one:
True
False

FALSE

When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________.
Select one:
a.
best practices
b.
benchmarking
c.
standards of due care
c.
standards of due care

If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and portray an apathetic approach to security in general.
Select one:
True
False

TRUE

Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. _________________________
Select one:
True
False

FALSE

The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
Select one:
a.
transfer
b.
acceptance
c.
mitigation
d.
defense

b.
acceptance

Best business practices are often called recommended practices.
Select one:
True
False

TRUE

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _________________________
Select one:
True
False

TRUE

The __________ is the difference between an organization's observed and desired performance.
Select one:
a.
issue delta
b.
objective
c.
performance gap
d.
risk assessment

c.
performance gap

In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization.
Select one:
True
False

TRUE

Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, known as a threat prioritization. _________________________
Select one:
True
False

FALSE

________ addresses are sometimes called electronic serial numbers or hardware addresses.
Select one:
a.
IP
b.
DHCP
c.
HTTP
d.
MAC

d.
MAC

_______ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede.
Select one:
a.
BR

b.
DR

________ assigns a status level to employees to designate the maximum level of classified data they may access.
Select one:
a.
security clearance scheme
b.
risk management scheme
c.
data recovery scheme
d.
data classification scheme

a.
security clearance scheme

A best practice proposed for a small to medium business will be similar to one used to help design control strategies for a large multinational company.
Select one:
True
False

FALSE

The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
Select one:
a.
defense
b.
transfer
c.
mitigate
d.
termination

a.
defense

Operational feasibility is also known as behavioral feasibility. _________________________
Select one:
True
False

TRUE

There are individuals who search trash and recycling - a practice known as _________ - to retrieve information that could embarrass a company or compromise information security.
Select one:
a.
dumpster diving
b.
shoulder surfing
c.
corporate espionage
d.

a.
dumpster diving

A(n) qualitative assessment is based on characteristics that do not use numerical measures. _________________________
Select one:
True
False

TRUE

According to Sun Tzu, if you know yourself and know your enemy you have an average chance to be successful in an engagement.
Select one:
True
False

FALSE

In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria and then summing and ranking those scores.
Select one:
a.
data classification scheme
b.
weighted factor analysis

b.
weighted factor analysis

Baselining is the comparison of past security activities and events against the organization's current performance.
Select one:
True
False

TRUE

A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functio

FALSE

One advantage to benchmarking is that best practices change very little over time.
Select one:
True
False

FALSE

The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________.
Select one:
a.
ARO
b.
SLE
c.
ALE
d.
CBA

d.
CBA

_________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.
Select one:
a.
Qualitative assessment
b.
Metric-centric model
c.
Quantitative assessment
d.
Value-specific constant

a.
Qualitative assessment

The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations.
Select one:
a.
defend
b.
accept
c.
transfer
d.
mitigate

c.
transfer

The concept of competitive _________ refers to falling behind the competition.
Select one:
a.
shortcoming
b.
drawback
c.
failure
d.
disadvantage

d.
disadvantage

A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
Select one:
a.
IP
b.
CTO
c.
HTTP
d.
FCO

d.
FCO

_________ is simply how often you expect a specific type of attack to occur.
Select one:
a.
ARO
b.
CBA
c.
ALE
d.
SLE

a.
ARO

One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _________________________
Select one:
True
False

TRUE

A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it.
Select one:
True
False

FALSE

Loss event frequency is the combination of an asset's value and the percentage of it that might be lost in an attack. _________________________
Select one:
True
False

FALSE