Management Chapter 9 exam: information security
Authors: George Schell, Raymond McLeod

Exam
Name___________________________________
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
1) The newer title for the information security officer that reports to the CEO and manages an information assurance unit is:
   A) corporate information systems security officer.
   B) information security management officer.
   C) chief information officer.
   D) corporate information assurance officer.
2) Which one of the following is not a general practice that retailers should follow as identified by Visa?
   A) Do not leave data or computers unsecured.
   B) Destroy data when it is no longer needed.
   C) Screen employees who have access to data.
   D) Regularly test the security system.
3) The access control whereby users verify their right to access by providing something they have or something they are is referred to as:
   A) user authorization.
   B) user identification.
   C) user profiles.
   D) user authentication.
4) When the impact severity can cause significant damage and cost but the firm will survive, it is classified as:
   A) severe impact.
   B) minor impact.
   C) major impact.
   D) significant impact.
5) Which statement based on a survey by the Computer Security Institute is false?
   A) Employees commit 81% of computer crimes.
   B) Controls that are put in place to address external threats typically go into action when an effort to breach security is detected.
   C) Forty-nine percent of the respondents faced security incidents brought on by actions of legitimate users.
   D) External threats are considered to present potentially more serious damage than do internal threats.
6) When the goal is that all of the firm's information systems provide an accurate representation of the physical systems they represent, the information security objective is:
   A) integrity.
   B) accuracy.
   C) availability.
   D) confidentiality.
7) Which of the following is not part of the U.S. Government Internet Crime Legislation?
   A) A penalty of 10 to 20 years imprisonment for attempting to cause injury by means of the Internet, and a penalty of life imprisonment if death occurs.
   B) ISPs are exempt from liability if they report suspicions to the government that an Internet crime might be committed.
   C) ISPs are required to maintain data about all communications events for one year.
   D) The use of electronic surveillance tools for 48 hours pending authorization by courts to use such tools is permitted.
8) Which type of control is built into systems by the system developers during the system development life cycle?
   A) formal control
   B) informal control
   C) technical control
   D) access control
9) The type of firewall that allows a higher amount of authentication and filtering than a router does is referred to as a(n):
   A) IP spoofing firewall.
   B) application-level firewall.
   C) circuit-level firewall.
   D) packet-filtering firewall.
10) The term that refers to a formal written document that spells out in detail the actions to be taken in the event that there is a disruption, or threat of disruption, in any part of the firm’s computing operation is a(n):
   A) contingency plan.
   B) emergency plan.
   C) vital records plan.
   D) backup plan.
11) Which of the following is the final section of the risk analysis report?
   A) recommended action to address the risk
   B) the owner(s) of the risk
   C) what was done to mitigate the risk
   D) recommended time frame for addressing the risk
12) The type of threat that users distribute as a utility and that, when used, produces unwanted changes in the system’s functionality is called:
   A) malicious software.
   B) a Trojan horse.
   C) a virus.
   D) a worm.
13) When the database and software library are made available to persons not entitled to have access, the type of information security risk is:
   A) unauthorized destruction and denial of service.
   B) unauthorized use.
   C) unauthorized disclosure and theft.
   D) unauthorized modification.
14) Which of the following sets of guidelines places emphasis on the rationale for establishing a security policy and is a product of the U.S. National Research Council?
   A) COBIT
   B) GMITS
   C) GASSP
   D) ISF Standard of Good Practice
15) The organization that aims its certification at intrusion detection, firewall and perimeter protection, and operating system security is the:
   A) SANS Institute.
   B) Information Systems Audit and Control Association.
   C) International Standards Organization.
   D) International Information System Security Certification Consortium.
16) What acts as a filter and barrier that restricts the flow of data to and from the firm and the Internet?
   A) spyware
   B) firewall
   C) virus protection software
   D) access control file
17) When the impact severity is classified as significant and the vulnerability is judged to be medium, what should happen to controls?
   A) Controls should be improved.
   B) Controls should be kept intact.
   C) Controls must be improved.
   D) Nothing should happen.
18) The certification that requires a completed exam, adherence to a code of ethics, and work experience in information security is the:
   A) SysAdmin, Audit, Network, Security Certification.
   B) Certified Information Systems Security Professional.
   C) Certified Information Security Manager.
   D) Global Information Assurance Certification.
19) The set of guidelines that devotes considerable attention to the user behavior that is expected if the program is to be successful is named:
   A) COBIT.
   B) BSI IT Baseline Protection Manual.
   C) ISF Standard of Good Practice.
   D) United Kingdom’s BS7799.
20) Which type of information security risk can be caused by a hacker?
   A) unauthorized modification
   B) unauthorized disclosure and theft
   C) unauthorized use
   D) unauthorized destruction and denial of service
21) Which type of threat is a computer program that can replicate itself without being observable to the user, and embed copies of itself in other programs and boot sectors?
   A) Trojan horse
   B) virus
   C) malware
   D) worm
22) The title of the person who has typically been responsible for the firm’s information systems security is the:
   A) information security management officer.
   B) corporate information assurance officer.
   C) chief information officer.
   D) corporate information systems security officer.
23) Which type of control is recognized as being the best bet for security?
   A) cryptographic control
   B) technical control
   C) physical control
   D) access control
24) Which of the following is not a step in information security management?
   A) Define the controls that the threats can impose.
   B) Establish an information security policy.
   C) Implement controls that address the risks.
   D) Identify the threats that can attack the firm’s information resources.
25) In which phase of developing an information security policy would the project team consult with all interested and affected parties to determine the requirements of the new policy?
   A) project initiation
   B) policy development
   C) policy dissemination
   D) consultation and approval
26) Which type of control establishes codes of conduct, documents expected procedures and practices, and monitors and prevents behavior that varies from the established guidelines?
   A) formal control
   B) informal control
   C) access control
   D) technical control
27) The term that refers to a plan that specifies those measures that ensure the safety of employees when disaster strikes is a(n):
   A) backup plan.
   B) vital records plan.
   C) contingency plan.
   D) emergency plan.
28) Which one of the following is not an expected security-related practice for retailers that Visa has established?
   A) Install and maintain a firewall.
   B) Screen employees who have access to data.
   C) Use and update antivirus software.
   D) Encrypt stored data.
29) The type of control that includes such activities as instilling the firm’s ethical beliefs in its employees, ensuring an understanding of the firm’s mission and objectives, education and training programs, and management development programs is referred to as:
   A) informal control.
   B) access control.
   C) formal control.
   D) technical control.
30) When the firm seeks to protect its data and information from disclosure to unauthorized persons, the information security objective is:
   A) availability.
   B) accuracy.
   C) integrity.
   D) confidentiality.
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.
31) An ________ is a set of four numbers that uniquely identify each computer connected to the Internet.
32) A ________ is a computer program that can replicate itself without being observable to the user and embed copies of itself in other programs and boot sectors.
33) Identification and authentication make use of ________, or descriptions of authorized users.
34) The ________ is a recommended level of security that in normal circumstances should offer reasonable protection against unauthorized intrusion.
35) Identification and authentication make use of ________.
36) ________ gathers data from the user’s machine.
37) The ________ specifies those measures that ensure the safety of employees when disaster strikes.
38) A ________ is a complete computing facility that is made available by a supplier to its customers for use in the event of emergencies.
39) ________ have been developed that consider such characteristics as the person’s position in the firm, access to sensitive data, ability to alter hardware components, the types of applications used, the files owned, and the usage of certain network protocols.
40) The term ________ is used to describe the protection of both computer and non-computer equipment, facilities, data, and information from misuse by unauthorized parties.
41) ________ generates intrusive advertising messages.
42) Authorization makes use of ________ that specify the levels of access available to each user.
43) ________ are those that are built into systems by the system developers during the systems development life cycle.
44) An ________ is a potential undesirable outcome of a breach of information security by an information security threat.
45) The activities aimed at continuing operations after an information system disruption are called ________.
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
46) A packet-filtering firewall is the most effective type of firewall.
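The firewall items (questions 9, 16 and 46) and the IP address item (question 31) turn on what a packet filter can and cannot see. What follows is an added worked example, not from the textbook or the test bank: a router-style packet filter that matches only on header fields (dotted-quad IPv4 addresses, protocol, destination port), beside an application-level gateway that additionally parses the HTTP payload and requires the client to authenticate to the gateway. The 192.0.2.0/24 server network, the rule set, the proxy user and the sample requests are all constructed for illustration.

```python
"""Packet-filtering versus application-level firewall checks.

Added example for this exam page, not from the textbook or the test bank.
The 192.0.2.0/24 network, the rule set, the proxy users and the sample
packets are constructed for illustration.
"""
import base64
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str            # dotted-quad IPv4 address: four numbers, each 0-255
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    payload: bytes = b""


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port


def packet_filter(rules, pkt):
    """Router-style packet filter: first matching rule wins, default deny.
    It sees only header fields and never looks at the payload."""
    src = ipaddress.IPv4Address(pkt.src)   # raises ValueError on a malformed address
    dst = ipaddress.IPv4Address(pkt.dst)
    for rule in rules:
        if (src in rule.src and dst in rule.dst
                and rule.proto in (None, pkt.proto)
                and rule.dport in (None, pkt.dport)):
            return rule.action
    return "deny"


def application_gateway(rules, pkt, proxy_users):
    """Application-level firewall for HTTP: runs the packet filter first, then
    parses the request, rejects unsafe requests, and requires the client to
    authenticate to the gateway with HTTP Basic credentials."""
    if packet_filter(rules, pkt) != "allow":
        return "deny"
    if pkt.proto != "tcp" or pkt.dport != 80:
        return "allow"                       # not HTTP: nothing more to inspect here
    try:
        text = pkt.payload.decode("ascii")
    except UnicodeDecodeError:
        return "deny"
    lines = text.split("\r\n")
    request = lines[0].split(" ")
    if len(request) != 3 or request[0] not in {"GET", "HEAD", "POST"}:
        return "deny"
    path = request[1]
    if not path.startswith("/") or ".." in path.split("/"):
        return "deny"                        # path traversal attempt
    headers = {}
    for line in lines[1:]:
        if ": " in line:
            name, value = line.split(": ", 1)
            headers[name.lower()] = value
    auth = headers.get("proxy-authorization", "")
    if not auth.startswith("Basic "):
        return "deny"
    try:
        user, _, password = base64.b64decode(auth[6:]).decode("ascii").partition(":")
    except ValueError:                       # bad base64 or non-ASCII credentials
        return "deny"
    if proxy_users.get(user) != password:
        return "deny"
    return "allow"


def http_request(method, path, user=None, password=None):
    """Build a constructed HTTP/1.1 request payload, optionally with proxy credentials."""
    lines = [f"{method} {path} HTTP/1.1", "Host: www.example.com"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed rule set: web traffic to the server subnet is allowed, all else denied.
RULES = [
    Rule("allow", ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Network("192.0.2.0/24"), "tcp", 80),
    Rule("deny", ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Network("0.0.0.0/0")),
]
PROXY_USERS = {"alice": "s3cret"}            # constructed credential store


def compare(pkt):
    """Return (packet filter verdict, application gateway verdict) for one packet."""
    return packet_filter(RULES, pkt), application_gateway(RULES, pkt, PROXY_USERS)


if __name__ == "__main__":
    benign = Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                    http_request("GET", "/index.html", "alice", "s3cret"))
    traversal = Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                       http_request("GET", "/../../etc/passwd", "alice", "s3cret"))
    telnet = Packet("198.51.100.7", "192.0.2.10", "tcp", 23)
    for name, pkt in [("benign", benign), ("traversal", traversal), ("telnet", telnet)]:
        print(name, compare(pkt))
```

The traversal request has exactly the same headers as the benign one, so the packet filter allows both; only the gateway, which reads the request line and the credentials, tells them apart. That is the difference between header-level and application-level filtering that questions 9 and 46 are testing.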
47) Cryptography is the use of coding by means of mathematical processes.
48) Internal threats are considered to present potentially more serious damage than do external threats due to the more intimate knowledge of the system by the internal threats.
49) Firms can enter into a reciprocal agreement with other users of the same type of equipment so that each firm can provide backup to the other in the event of a catastrophe.
50) When backup service includes a hot site, only the building facilities but not the computing resources are provided.
51) Impact severity can be classified as having a major impact when breakdowns that are typical of day-to-day operations occur.
52) With a Trojan horse, the distribution is accomplished by users who distribute it as a utility.
53) User authorization makes use of access control files that specify the levels of access available to each user.
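Questions 3, 33, 42 and 53 separate identification, authentication and authorization. What follows is an added worked example, not from the textbook or the test bank: user profiles that hold a salted password hash and a token secret, authentication that requires both something the user knows (the password) and something the user has (a token producing an RFC 4226/6238 one-time code), and an access control file that fixes each user's level of access to each resource. The users, passwords, token secrets and resource names are constructed; bob's token secret is the RFC 4226 test-vector secret.

```python
"""Identification, authentication and authorization as three separate gates.

Added example for this exam page, not from the textbook or the test bank.
The user profiles, the access control file and the token secrets are
constructed; the one-time code is a real RFC 4226/6238 HOTP/TOTP so the
'something you have' factor is not a placeholder.
"""
import hashlib
import hmac
import os
import struct
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a profile never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: the 6-digit code a hardware or software token computes."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def totp(secret: bytes, at=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step)


# User profiles: descriptions of authorized users (identification and authentication data).
USER_PROFILES = {}


def add_user(user_id: str, password: str, token_secret: bytes) -> None:
    salt = os.urandom(16)
    USER_PROFILES[user_id] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "token_secret": token_secret,
    }


# Access control file: the level of access each user has to each resource (constructed).
ACCESS_CONTROL_FILE = {
    "alice": {"payroll.db": {"read", "write"}, "software_lib": {"read", "write"}},
    "bob": {"payroll.db": {"read"}},
}


def identify(user_id: str) -> bool:
    """Identification: does the claimed identity exist in the user profiles?"""
    return user_id in USER_PROFILES


def authenticate(user_id: str, password: str, token_code: str, at=None) -> bool:
    """Authentication: prove the claim with something you know (password)
    and something you have (the token that produced token_code)."""
    if not identify(user_id):
        return False
    profile = USER_PROFILES[user_id]
    password_ok = hmac.compare_digest(_hash_password(password, profile["salt"]), profile["pw_hash"])
    expected = totp(profile["token_secret"], at)
    token_ok = hmac.compare_digest(expected.encode(), token_code.encode())
    return password_ok and token_ok   # both factors are always computed before deciding


def authorize(user_id: str, resource: str, action: str) -> bool:
    """Authorization: does the access control file grant this level of access?"""
    return action in ACCESS_CONTROL_FILE.get(user_id, {}).get(resource, set())


def request_access(user_id, password, token_code, resource, action, at=None) -> str:
    if not authenticate(user_id, password, token_code, at):
        return "denied: authentication failed"
    if not authorize(user_id, resource, action):
        return "denied: not authorized"
    return "granted"


# Constructed accounts; bob's token secret is the RFC 4226 test-vector secret.
add_user("alice", "correct horse battery staple", b"alice-token-secret-0001")
add_user("bob", "hunter2", b"12345678901234567890")


if __name__ == "__main__":
    code = totp(USER_PROFILES["bob"]["token_secret"])
    print(request_access("bob", "hunter2", code, "payroll.db", "read"))
    print(request_access("bob", "hunter2", code, "payroll.db", "write"))
    print(request_access("bob", "hunter2", "000000", "payroll.db", "read"))
```

A wrong password with a correct code, or a correct password with a wrong code, fails the same way, and a user who authenticates successfully can still be refused because the access control file grants no such level of access; that is the distinction between questions 3 and 53.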
54) The International Standards Organization is a nonprofit organization dedicated to assisting computer users with making their systems more secure.
55) The information security objective of confidentiality means that the firm seeks to protect its data and information from disclosure to unauthorized persons.
56) GASSP is a product of the International Standards Organization and it provides a list of the information security policy topics that should be included in an organization’s standards.
57) Formal controls include education and training programs and management development programs in the firm.
58) A control is a mechanism that is implemented to either protect the firm from risks or to minimize the impact of the risks on the firm should they occur.
59) The contingency plan specifies those measures that ensure the safety of employees when disaster strikes.
60) An information security risk is a person, organization, mechanism, or event that has potential to inflict harm on the firm’s information resources.
61) The term systems security is used to describe the protection of both computer and noncomputer equipment, facilities, data, and information from misuse by unauthorized parties.
62) The backup plan where hardware, software, and data are duplicated so that when one set is inoperable, the backup set can continue the processing is called redundancy.
63) A virus is a complete program or segment of code that can invade a system and perform functions not intended by the system owners.
64) The Certified Information Security Manager designation is the newest professional certification for security.
65) The final step in writing a risk analysis report should be to document what has been done to mitigate the risk.
66) Unauthorized use occurs when persons who are not ordinarily entitled to use the firm’s resources are able to do so.
67) Information security management is the activity of keeping the firm and its information resources functional after a catastrophe.
68) Insider threat prediction tools have been developed that consider such characteristics as the person’s position in the firm, access to sensitive data, ability to alter hardware components, the types of applications used, the files owned, and the usage of certain network protocols.
69) The basis for security against threats by unauthorized persons is physical control.
70) When the level of impact is determined to be minor and the vulnerability is determined to be low, then vulnerability analysis is unnecessary.
71) The Computer Security Institute found that 49% of computer crimes are committed by employees.
72) When a firm follows benchmark compliance, it is assumed that the government and industry authorities have done a good job of considering the threats and risks and that the benchmarks offer good protection.
73) COBIT focuses on the process that a firm can follow in developing standards, paying special attention to the writing and maintaining of the documentation.
74) Access controls are those built into systems by the system developers during the system development life cycle.
75) The SANS Institute offers certifications aimed at such specialties within information security as intrusion detection, firewalls and perimeter protection, and operating system security.
ESSAY. Write your answer in the space provided or on a separate sheet of paper.
76) What are the three main objectives that information security is intended to achieve?
77) Who is the CIAO and to whom does he or she report?
78) Identify the four steps of information security management.
79) What are the 10 security-related practices that Visa expects its retailers to follow?
80) List the five phases to developing a security policy.
