CIS 462 security and strategy

CIS 462 SECURITY AND STRATEGY FINAL EXAM

  • Question 1

2 out of 2 points

When constructing policies regarding data _______________, it is important that these policies offer particular guidance on separation of duties (SOD), and that there are procedures that verify SOD requirements.

Correct Answer:

access

  • Question 2

2 out of 2 points

At Stanford University, data is labeled according to a classification scheme that identifies information in the following way: prohibited, restricted, confidential, and unrestricted. Which of the following schemes has Stanford adopted?

Correct Answer:

legal classification

  • Question 3

2 out of 2 points

A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows:

Risk exposure = ________________ the event will occur + ____________ if the event occurs

Correct Answer:

likelihood, impact

  • Question 4

2 out of 2 points

One of the most important approaches used to secure personal data is ________________, which is the process used to prove the identity of an individual. ______________, however, is the process used to enable a person’s access privileges.

Correct Answer:

authentication, authorization

  • Question 5

2 out of 2 points

The term ________________ denotes data that is being stored on devices like a universal serial bus (USB) thumb drive, laptop, server, DVD, or CD. The term ______________ denotes data that exists in a mobile state on the network, such as data on the Internet, wireless networks, or a private network.

Correct Answer:

data at rest, data in transit

  • Question 6

2 out of 2 points

Despite the fact that there exists no mandatory scheme of data classification for private industry, there are four classifications used most frequently. Which of the following is not one of the four?

Correct Answer:

moderately sensitive

  • Question 7

2 out of 2 points

Consider this scenario: A major software company finds that code has been executed on an infected machine in its operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12 days later. Which of the following statements best describes the company’s approach?

Correct Answer:

The company effectively implemented patch management.

  • Question 8

2 out of 2 points

Which of the following statements does not offer an explanation of what motivates an insider to pose a security risk?

Correct Answer:

An individual might think that threatening to disclose security information will earn the attention and recognition from the organization and thus result in promotion.

  • Question 9

2 out of 2 points

Consider this scenario: After many years, an employee is promoted to a position that has an elevated level of trust with his management. He started with the company in an entry-level position, and then moved from a supervisory to a managerial role. This role entails that the employee trains other employees and has a deep understanding of how the department functions. Which of the following actions should be taken in regard to this employee’s levels of access during the span of time he has worked for the company?

Correct Answer:

This employee should have prior access removed to ensure separation of duties and avoid future instances of security risk.

  • Question 10

2 out of 2 points

Which of the following user types is responsible for audit coordination and response, physical security and building operations, and disaster recovery and contingency planning?

Correct Answer:

security personnel

  • Question 11

2 out of 2 points

When is the best time to implement security policies to help developers diminish the number of vulnerabilities during application development?

Correct Answer:

while the application is being written

  • Question 12

2 out of 2 points

Aside from human user types, there are two other non-human user groups. Known as account types, ________________ are accounts implemented by the system for the purpose of supporting automated service, and ___________________ are accounts that remain non-human until individuals are assigned access and can use them to recover a system following a major outage.

Correct Answer:

system accounts, contingent IDs

  • Question 13

2 out of 2 points

Which of the following is not one of the types of control partners?

Correct Answer:

software engineers

  • Question 14

2 out of 2 points

One of seven domains of a typical IT infrastructure is the user domain. Within that domain is a range of user types, and each type has specific and distinct access needs. Which of the following types of users has the responsibility of creating and putting into place a security program within an organization?

Correct Answer:

security personnel

  • Question 15

0 out of 2 points

Which of the following statements illustrates the importance of the LAN-to-WAN domain to an organization’s security?

Correct Answer:

The WAN should never have a direct connection to the organization's private network without the traffic being heavily filtered and inspected.

  • Question 16

2 out of 2 points

The ______________________ denotes the application software and technology that concerns a wide range of topics, from data management to the systems that process information.

Correct Answer:

system/application domain

  • Question 17

0 out of 2 points

Depending on the organization, the control procedure of the Domain Name System (DNS) might be built into the WAN standard. This standard identifies the criteria securing a domain name. Which of the following is not one of the types of approvals that can be used to track domains?

Correct Answer:

an explanation of the desired market or audience for which the Web site is intended

  • Question 18

0 out of 2 points

Which of the following types of baseline documents is often created to serve the demands of the workstation domain?

Correct Answer:

virus scanner configuration standards

  • Question 19

0 out of 2 points

Which of the following is not one of the policies concerned with LAN-to-WAN filtering and connectivity?

Correct Answer:

content-blocking tools configuration standard

  • Question 20

2 out of 2 points

An important principle in information security is the concept of layers of security, which is often referred to as layered security, or defense in depth. Which of the following is not an example of a layer of security?

Correct Answer:

a control standard

  • Question 21

2 out of 2 points

A procedure document should accompany every baseline document. Which of the following is a true statement about the circumstances for when a procedure document needs to be created to support the baseline document?

Correct Answer:

Because many configuration processes reuse the same procedure, there does not need to be a new procedure document for every configuration.

  • Question 22

2 out of 2 points

LAN security policies center on issues concerning connectivity; this includes determining how devices adhere to the network. Among the types of LAN control standards are _______________, which creates the schedules on LAN-attached devices for scheduled preventative and consistent maintenance, and ________________, which explains the change control management process for soliciting changes, granting changes, and implementing changes on the network.

Correct Answer:

controlled maintenance, configuration change control

  • Question 23

2 out of 2 points

In order to assess policy compliance, many organizations will use a report card. The evaluation tools are comprised of criteria based on an organization’s requirements. Which of the following is not one of the elements that would be included on a report card?

Correct Answer:

number of random audits performed

  • Question 24

0 out of 2 points

One of the six specifications for entities that implement SCAP is to provide particular names for operating systems, applications, and hardware. This specification articulates a standard naming convention for systems to promote consistency across varied products. Which of the following specifications fits this description?

Correct Answer:

Common Platform Enumeration (CPE)

  • Question 25

2 out of 2 points

A baseline is a point of departure that guarantees that systems comply with security requirements when they are enacted. However, it is not an uncommon occurrence that systems are changed in a way that means they are no longer in compliance. Thus, it is necessary to use an accepted method to ensure that settings have not been changed. Which of the following is not one of these methods?

Correct Answer:

patch management

  • Question 26

2 out of 2 points

In order to ensure compliance, organizations deploy both new and current technologies. Which of the following is not one of these new technologies?

Correct Answer:

Common Platform Enumeration (CPE)

  • Question 27

2 out of 2 points

One of the methods that an organization can use to determine compliance is to perform _______________.

Correct Answer:

random audits

  • Question 28

2 out of 2 points

Consider this scenario: A sales organization with an onsite IT staff experiences a major outage due to a minor change to a printer. Though systems were working successfully, the printer stopped working when a new server was added to the network. The new server that was added to the network shared the same IP address as the printer. Which of the following statements captures a contributing cause of the problem with the IP compatibility?

Correct Answer:

The IP address conflict demonstrates that the organization failed to comply with change management policies.

  • Question 29

2 out of 2 points

A security _____________ identifies a group of fundamental configurations designed to accomplish particular security objectives.

Correct Answer:

baseline

  • Question 30

2 out of 2 points

Many organizations have a(n) ________________________, which is comprised of end user devices (including tablets, laptops, and smartphones) on a shared network and that use distributed system software; this enables these devices to function simultaneously, regardless of location.

Correct Answer:

distributed infrastructure

  • Question 31

0 out of 2 points

The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that ________________ receives training in security basic requirements, regulatory and legal requirements, detailed policy review, and reporting suspicious activity.

Correct Answer:

middle management

  • Question 32

0 out of 2 points

Training that happens in a classroom has many benefits, but which of the following is one of the most significant drawbacks concerning the instructors’ abilities?

Correct Answer:

Instructors with sufficient expertise are difficult to find.

  • Question 33

2 out of 2 points

__________________ is a term that denotes the way that a policy either diminishes business disruptions or facilitates the business’s success.

Correct Answer:

Business risk

  • Question 34

0 out of 2 points

Which of the following is not one of the consequences of having an unmotivated employee?

Correct Answer:

employees lacking in self-interest

  • Question 35

2 out of 2 points

The goal of employee awareness and training is to ensure that individuals are equipped with the tools necessary for the implementation of security policies. Which of the following is one of the other benefits of a successfully enacted training and awareness program?

Selected Answer:

instituting chances for employees to gather new skills, which can foster enhanced job satisfaction

Correct Answer:

instituting chances for employees to gather new skills, which can foster enhanced job satisfaction

  • Question 36

2 out of 2 points

In order to enhance the training experience and emphasize the core security goals and mission, it is recommended that the executives _______________________.

Correct Answer:

video record a message from one of the leaders in a senior role to share with new employees

  • Question 37

0 out of 2 points

In information security, the individual responsible for setting goals for implementing security policies is the _________________.

Correct Answer:

chief information security officer

  • Question 38

2 out of 2 points

There are many different types of automated controls that are configured into devices for the purpose of enforcing a security policy. Which of the following is not an automated control?

Correct Answer:

log reviews

  • Question 39

2 out of 2 points

One of the many roles of the security compliance committee is to focus on controls that are widely used across a large population of applications, systems, and operations. These types of controls are known as ___________________.

Correct Answer:

pervasive controls

  • Question 40

2 out of 2 points

___________________ are responsible for the monitoring of activities in the pre, middle, and post stages of goal implementation, whereas __________________ are responsible for the monitoring of activities following the implementation and are called upon to evaluate whether or not the goals have been achieved.

Correct Answer:

Management committees, government committees

  • Question 41

2 out of 2 points

It is important that security policies establish a concrete distinction between work life and home life. Such a distinction requires that employees understand that they have no expectation of _______________.

Correct Answer:

privacy with respect to personal devices connected to the network

  • Question 42

2 out of 2 points

The Gramm-Leach-Bliley Act (GLBA) was created to protect the confidentiality and security of customer information. Thus, under GLBA, organizations are required to inform regulators quickly if any unauthorized access or breach has occurred. Consider this scenario: A bank teller accesses a customer account out of curiosity. What is the best course of action following this event?

Correct Answer:

The bank should notify the regulator based on the threshold set for how many records can be subject to unauthorized access.

  • Question 43

2 out of 2 points

____________________ are instituted by the executive management and are responsible for enforcing policies by reviewing technology activity and greenlighting new projects and activities.

Correct Answer:

Gateway committees

  • Question 44

0 out of 2 points

Of the different IRT roles, the _______________ is head of the team and issues the ultimate call regarding how to respond to an incident, whereas the __________________ role is to monitor and document all the activity that unfolds during an incident.

Correct Answer:

IRT manager, IRT coordinator

  • Question 45

2 out of 2 points

___________________ are attacks that obtain access by means of remote services, such as vendor networks, employee remote access tools, and point-of-sale (POS) devices.

Correct Answer:

Insecure remote access

  • Question 46

2 out of 2 points

The IRT report that is ultimately generated for executive management must be certain to educate all stakeholders regarding exploited risks. Which of the following items is not required to be addressed in the report?

Correct Answer:

who detected the incident

  • Question 47

0 out of 2 points

In general, the IRT is comprised of a team with individuals that have different specialties; one such individual is the ___________________, who offers analytical skills and risk management. This specialist has focused forensic skills necessary for the collection and analysis of evidence.

Correct Answer:

information security representative

  • Question 48

2 out of 2 points

Which of the following departments has a significant role to play concerning the act of creating the messaging around an incident to the media and the parties impacted?

Correct Answer:

PR

  • Question 49

2 out of 2 points

In order to form an IRT, an organization is required to create a charter; this document identifies the authority, mission, and goals of a committee or team, and there are a number of different types of IRT models for doing this. Which of the following models permits an IRT to have the complete authority to ensure a breach is contained?

Correct Answer:

IRT that provides on-site response

  • Question 50

2 out of 2 points

An organization’s _______________________ is a particular group of differently skilled individuals who are responsible for attending to serious security situations.

Correct Answer:

incident response team (IRT)