Management Chapter 9 The term that refers to a formal written document that spells

Exam

Name___________________________________

MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.

1)

The newer title for the information security officer that reports to the CEO and manages an

information assurance unit is:

1)

A)

corporate information systems security officer.

B)

information security management officer.

C)

chief information officer.

D)

corporate information assurance officer.

2)

Which one of the following is not a general practice that retailers should follow as identified by

Visa?

2)

A)

Do not leave data or computers unsecured.

B)

Destroy data when it is no longer needed.

C)

Screen employees who have access to data.

D)

Regularly test the security system.

D

3)

The access control whereby users verify their right to access by providing something they have or

something they are is referred to as:

3)

A)

user authorization.

B)

user identification.

C)

user profiles.

D)

user authentication.

D

4)

When the impact severity can cause significant damage and cost but the firm will survive, it is

classified as:

4)

A)

severe impact.

B)

minor impact.

C)

major impact.

D)

significant impact.

D

5)

Which statement based on a survey by the Computer Security Institute is false?

5)

A)

Employees commit 81% of computer crimes.

B)

Controls that are put in place to address external threats typically go into action when an

effort to breach security is detected.

C)

Forty–nine percent of the respondents faced security incidents brought on by actions of

legitimate users.

D)

External threats are considered to present potentially more serious damage than do internal

threats.

6)

When all of the information systems should provide an accurate representation of the physical

systems that they represent, the information security objective is:

6)

A)

integrity.

B)

accuracy.

C)

availability.

D)

confidentiality.

7)

Which of the following is not part of the U.S. Government Internet Crime Legislation?

7)

A)

A penalty of 10 to 20 years imprisonment for attempting to cause injury by means of the

Internet, and a penalty of life imprisonment if death occurs.

B)

ISPs are exempt from liability if they report suspicions to the government that an Internet

crime might be committed.

C)

ISPs are required to maintain data about all communications events for one year.

D)

The use of electronic surveillance tools for 48 hours pending authorization by courts to use

such tools is permitted.

8)

Which type of control is built into systems by the system developers during the system

development life cycle?

8)

A)

formal control

B)

informal control

C)

technical control

D)

access control

9)

The type of firewall that allows a higher amount of authentication and filtering than does a router

is referred to as a(n):

9)

A)

IP spoofing firewall.

B)

application–level firewall.

C)

circuit–level firewall.

D)

packet–filtering firewall.

10)

The term that refers to a formal written document that spells out in detail the actions to be taken in

the event that there is a disruption, or threat of disruption, in any part of the firm’s computing

operation is referred to as a(n):

10)

A)

contingency plan.

B)

emergency plan.

C)

vital records plan.

D)

backup plan.

A

Explanation:

11)

Which of the following is the final section of the risk analysis report?

11)

A)

recommended action to address the risk

B)

the owner(s) of the risk

C)

what was done to mitigate the risk

D)

recommended time frame for addressing the risk

C

Explanation:

12)

The type of threat whereby the user distributes it as a utility and when used, produces unwanted

changes in the system’s functionality is called:

12)

A)

malicious software.

B)

a Trojan horse.

C)

a virus.

D)

a worm.

B

Explanation:

C

Explanation:

13)

When the database and software library are made available to persons not entitled to have access,

the type of information security risk is:

13)

A)

unauthorized destruction and denial of service.

B)

unauthorized use.

C)

unauthorized disclosure and theft.

D)

unauthorized modification.

14)

Which of the following set of guidelines places emphasis on the rationale for establishing a security

policy and is a product of the U.S. National Research Council?

14)

A)

COBIT

B)

GMITS

C)

GASSP

D)

ISF Standard of Good Practice

15)

The organization that aims its certification at intrusion detection, firewall and perimeter protection,

and operating system security is the:

15)

A)

SANS Institute.

B)

Information Systems Audit and Control Association.

C)

International Standards Organization.

D)

International Information System Security Certification Consortium.

16)

What acts as a filter and barrier that restricts the flow of data to and from the firm and the Internet?

16)

A)

spyware

B)

firewall

C)

virus protection software

D)

access control file

17)

When the impact severity is classified as significant and the vulnerability is judged to be medium,

what should happen to controls?

17)

A)

Controls should be improved.

B)

Controls should be kept intact.

C)

Controls must be improved.

D)

Nothing should happen.

18)

The certification that requires a completed exam, adherence to a code of ethics, and work

experience in information security is the:

18)

A)

SysAdmin, Audit, Network, Security Certification.

B)

Certification Information System Security Professional.

C)

Certified Information Security Manager.

D)

Global Information Assurance Certification.

C

19)

The set of guidelines that devotes considerable attention to the user behavior that is expected if the

program is to be successful is named:

19)

A)

COBIT.

B)

BSI IT Baseline Protection Manual.

C)

ISF Standard of Good Practice.

D)

United Kingdom’s BS7799.

C

20)

Which type of information security risk can be caused by a hacker?

20)

A)

unauthorized modification

B)

unauthorized disclosure and theft

C)

unauthorized use

D)

unauthorized destruction and denial of service

C

21)

Which type of threat is a computer program that can replicate itself without being observable to the

user, and embed copies of itself in other programs and boot sectors?

21)

A)

Trojan horse

B)

virus

C)

malware

D)

worm

B

A

22)

The title of the person who has typically been responsible for the firm’s information systems

security is the:

22)

A)

information security management officer.

B)

corporate information assurance officer.

C)

chief information officer.

D)

corporate information systems security officer.

23)

Which type of control is recognized as being the best bet for security?

23)

A)

cryptographic control

B)

technical control

C)

physical control

D)

access control

24)

Which of the following is not a step in information security management?

24)

A)

Define the controls that the threats can impose.

B)

Establish an information security policy.

C)

Implement controls that address the risks.

D)

Identify the threats that can attack the firm’s information resources.

25)

In which phase of an information security policy would the project team consult with all interested

and affected parties to determine the requirements of the new policy?

25)

A)

project initiation

B)

policy development

C)

policy dissemination

D)

consultation and approval

26)

Which type of control establishes codes of conduct, documentation of expected procedures and

practices, and monitoring and preventing behavior that varies from the established guidelines?

26)

A)

formal control

B)

informal control

C)

access control

D)

technical control

27)

The term that refers to a plan that specifies those measures that ensure the safety of employees

when disaster strikes is referred to as a(n):

27)

A)

backup plan.

B)

vital records plan.

C)

contingency plan.

D)

emergency plan.

28)

Which one of the following is not an expected security–related practice for retailers that Visa has

established?

28)

A)

Install and maintain a firewall.

B)

Screen employees who have access to data.

C)

Use and update antivirus software.

D)

Encrypt stored data.

B

Explanation:

29)

The type of control that includes such activities as instilling the firm’s ethical beliefs in its

employees, ensuring an understanding of the firm’s mission and objectives, education and training

programs, and management development programs is referred to as:

29)

A)

informal control.

B)

access control.

C)

formal control.

D)

technical control.

A

Explanation:

30)

When the firm seeks to protect its data and information from disclosure to unauthorized persons,

the information security objective is:

30)

A)

availability.

B)

accuracy.

C)

integrity.

D)

confidentiality.

D

Explanation:

SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.

31)

An ________ is a set of four numbers that uniquely identify each computer connected to

the Internet.

31)

Explanation:

D

Explanation:

32)

A ________ is a computer program that can replicate itself without being observable to the

user and embed copies of itself in other programs and boot sectors.

32)

33)

Identification and authentication make use of ________, or descriptions of authorized

users.

33)

34)

The ________ is a recommended level of security that in normal circumstances should offer

reasonable protection against unauthorized intrusion.

34)

35)

Identification and authentication make use of ________.

35)

36)

________ gathers data from the user’s machine.

36)

37)

The ________ specifies those measures that ensure the safety of employees when disaster

strikes.

37)

38)

A ________ is a complete computing facility that is made available by a supplier to its

customers for use in the event of emergencies.

38)

39)

________ have been developed that consider such characteristics as the person’s position in

the firm, access to sensitive data, ability to alter hardware components, the types of

applications used, the files owned, and the usage of certain network protocols.

39)

40)

The term ________ is used to describe the protection of both computer and non–computer

equipment, facilities, data, and information from misuse by unauthorized parties.

40)

41)

________ generates intrusive advertising messages.

41)

42)

Authorization makes use of ________ that specify the levels of access available to each

user.

42)

43)

________ are those that are built into systems by the system developers during the systems

development life cycle.

43)

44)

An ________ is a potential undesirable outcome of a breach of information security by an

information security threat.

44)

45)

The activities aimed at continuing operations after an information system disruption are

called ________.

45)

TRUE/FALSE. Write ‘T’ if the statement is true and ‘F’ if the statement is false.

46)

A packet–filtering firewall is the most effective type of firewall.

46)

47)

Cryptography is the use of coding by means of mathematical processes.

47)

48)

Internal threats are considered to present potentially more serious damage than do external threats

due to the more intimate knowledge of the system by the internal threats.

48)

49)

Firms can enter into a reciprocal agreement with other users of the same type of equipment so that

each firm can provide backup to the other in the event of a catastrophe.

49)

50)

When backup service includes a hot site, only the building facilities but not the computing

resources are provided.

50)

51)

Impact severity can be classified as having a major impact when breakdowns that are typical of

day–to–day operations occur.

51)

52)

With a Trojan horse, the distribution is accomplished by users who distribute it as a utility.

52)

53)

User authorization makes use of access control files that specify the levels of access available to

each user.

53)

54)

The International Standard Organization is a nonprofit organization dedicated to assist computer

users with making their systems more secure.

54)

55)

The information security objective of confidentiality means that the firm seeks to protect its data

and information from disclosure to unauthorized persons.

55)

56)

GASSP is a product of the International Standards Organization and it provides a list of the

information security policy topics that should be included in an organization’s standards.

56)

57)

Formal controls include education and training programs and management development programs

in the firm.

57)

58)

A control is a mechanism that is implemented to either protect the firm from risks or to minimize

the impact of the risks on the firm should they occur.

58)

59)

The contingency plan specifies those measures that ensure the safety of employees when disaster

strikes.

59)

60)

An information security risk is a person, organization, mechanism, or event that has potential to

inflict harm on the firm’s information resources.

60)

61)

The term systems security is used to describe the protection of both computer and noncomputer

equipment, facilities, data, and information from misuse by unauthorized parties.

61)

62)

The backup plan where hardware, software, and data are duplicated so that when one set is

inoperable, the backup set can continue the processing is called redundancy.

62)

63)

A virus is a complete program or segment of code that can invade a system and perform functions

not intended by the system owners.

63)

64)

The Certified Information Security Manager designation is the newest professional certification for

security.

64)

65)

The final step in writing a risk analysis report should be to document what has been done to

mitigate the risk.

65)

66)

Unauthorized use occurs when persons who are not ordinarily entitled to use the firm’s resources

are able to do so.

66)

67)

Information security management is the activity of keeping the firm and its information resources

functional after a catastrophe.

67)

68)

Insider threat prediction tools have been developed that consider such characteristics as the person

’s position in the firm, access to sensitive data, ability to alter hardware components, the types of

applications used, the files owned, and the usage of certain network protocols.

68)

69)

The basis for security against threats by unauthorized persons is physical control.

69)

70)

When the level of impact is determined to be minor and the vulnerability is determined to be low,

then vulnerability analysis is unnecessary.

70)

71)

The Computer Security Institute found that 49% of computer crimes are committed by employees.

71)

72)

When a firm follows benchmark compliance, it is assumed that the government and industry

authorities have done a good job of considering the threats and risks and that the benchmarks offer

good protection.

72)

73)

COBIT focuses on the process that a firm can follow in developing standards, paying special

attention to the writing and maintaining of the documentation.

73)

74)

Access controls are those built into systems by the system developers during the system

development life cycle.

74)

75)

The SANS Institute offers certifications aimed at such specialties within information security as

intrusion detection, firewalls and perimeter protection, and operating system security.

75)

ESSAY. Write your answer in the space provided or on a separate sheet of paper.

76)

What are the three main objectives that information security is intended to achieve?

77)

Who is the CIAO and to whom does he or she report?

78)

Identify the four steps of information security management.

79)

What are the 10 security–related practices that Visa expects its retailers to follow?

80)

List the five phases to developing a security policy.