Management of Information Security 4th Edition – Test Bank
Instant Download With Answers
Chapter 02 – Planning for Security
- Because it sets out general business intentions, a mission statement does not need to be concise.
ANS: F PTS: 1 REF: 40
- A clearly directed strategy flows from top to bottom rather than from bottom to top.
ANS: T PTS: 1 REF: 41
- A top-down approach to information security usually begins with a systems administrator’s attempt to improve the security of their systems.
ANS: F PTS: 1 REF: 53
- The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization’s networks, information systems, and information security defenses.
ANS: F PTS: 1 REF: 66
- Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.
ANS: F PTS: 1 REF: 67
- Which of the following explicitly declares the business of the organization and its intended areas of operations?
|a.||vision statement||c.||mission statement|
|b.||values statement||d.||business statement|
ANS: C PTS: 1 REF: 40
- Which type of planning is the primary tool in determining the long-term direction taken by an organization?
ANS: A PTS: 1 REF: 41
- Which of the following is true about planning?
|a.||Strategic plans are used to create tactical plans|
|b.||Tactical plans are used to create strategic plans|
|c.||Operational plans are used to create tactical plans|
|d.||Operational plans are used to create strategic plans|
ANS: A PTS: 1 REF: 42
- In which level of planning are budgeting, resource allocation, and manpower critical components?
ANS: D PTS: 1 REF: 43
- Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
ANS: D PTS: 1 REF: 43
- The basic outcomes of InfoSec governance should include all but which of the following?
|a.||Value delivery by optimizing InfoSec investments in support of organizational objectives|
|b.||Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved|
|c.||Time management by aligning resources with personnel schedules and organizational objectives|
|d.||Resource management by utilizing information security knowledge and infrastructure efficiently and effectively|
ANS: C PTS: 1 REF: 46
- The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
|a.||Hold regular meetings with the CIO to discuss tactical InfoSect planning|
|b.||Assign InfoSec to a key committee and ensure adequate support for that committee|
|c.||Ensure the effectiveness of the corporation’s InfoSec policy through review and approval|
|d.||Identify InfoSec leaders, hold them accountable, and ensure support for them|
ANS: A PTS: 1 REF: 46
- Which of the following should be included in an InfoSec governance program?
|a.||An InfoSec time management policy|
|b.||An InfoSec risk management methodology|
|c.||An InfoSec project management assessment from an outside consultant|
|d.||All of these are components of the InfoSec governance program|
ANS: B PTS: 1 REF: 46-47
- According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
ANS: A PTS: 1 REF: 48
- According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
ANS: B PTS: 1 REF: 48
- Which of the following is an information security governance responsibility of the Chief Security Officer?
|a.||Communicate policies and the program|
|b.||Set security policy, procedures, programs and training|
|c.||Brief the board, customers and the public|
|d.||Implement policy, report security vulnerabilities and breaches|
ANS: B PTS: 1 REF: 49
- Which of the following is a key advantage of the bottom-up approach to security implementation?
|a.||strong upper-management support|
|b.||a clear planning and implementation process|
|c.||utilizes the technical expertise of the individual administrators|
|d.||coordinated planning from upper management|
ANS: C PTS: 1 REF: 53
- Which of the following is a key step needed in order for a JAD approach to be successful?
|a.||prepare software demonstrations||c.||provide sequence-driven policies|
|b.||organize workshop activities||d.||use event-driven procedures|
ANS: B PTS: 1 REF: 54
- In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?
ANS: D PTS: 1 REF: 55
- What is the first phase of the SecSDLC?
ANS: B PTS: 1 REF: 55
- In which phase of the SecSDLC does the risk management task occur?
ANS: D PTS: 1 REF: 56
- Blackmail threat of informational disclosure is an example of which threat category?
|a.||Espionage or trespass||c.||Sabotage or vandalism|
|b.||Information extortion||d.||Compromises of intellectual property|
ANS: B PTS: 1 REF: 57
- Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
|a.||brute force||c.||back door|
ANS: C PTS: 1 REF: 59
- Which type of attack involves sending a large number of connection or information requests to a target?
|a.||malicious code||c.||brute force|
|b.||denial-of-service (DoS)||d.||spear fishing|
ANS: B PTS: 1 REF: 59
- Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
|a.||system controls||c.||operational controls|
|b.||technical controls||d.||managerial controls|
ANS: D PTS: 1 REF: 61
- The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
PTS: 1 REF: 55
- A ____________ overflow is an application error that occurs when the system can’t handle the amount of data that is sent.
PTS: 1 REF: 59
- A(n) ___________ attack enables an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries.
PTS: 1 REF: 60
- _________resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
PTS: 1 REF: 62
- The ______________________ phase is the last phase of SecSDLC, but perhaps the most important.
ANS: maintenance and change
PTS: 1 REF: 65
- In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
PTS: 1 REF: 66-67
|b.||data owner||g.||strategic planning|
|e.||risk assessment||j.||threat agent|
- usually a documented way to circumvent controls or take advantage of weaknesses in control systems
- the process of moving an organization towards its vision by accomplishing its mission
- an act that is an intentional or unintentional attempt to compromise the information and/or the systems that support it
- assigns a comparative risk rating or score to each specific information asset
- measures that use or implement a technical solution to reduce risk of loss in an organization
- individual who determines the level of classification associated with data
- measures that deal with the functionality of security in an organization
- associated with assessing risks and then implementing or repairing controls to assure the confidentiality, integrity, and availability of information
- a specific instance or component that represents a danger to an organization’s assets
- the impetus for a project that is the result of a carefully developed planning strategy
- ANS: C PTS: 1 REF: 59
- ANS: G PTS: 1 REF: 41
- ANS: A PTS: 1 REF: 59
- ANS: E PTS: 1 REF: 60
- ANS: I PTS: 1 REF: 62
- ANS: B PTS: 1 REF: 64
- ANS: H PTS: 1 REF: 61
- ANS: F PTS: 1 REF: 60
- ANS: J PTS: 1 REF: 59
- ANS: D PTS: 1 REF: 55
- Information security governance yields significant benefits. List five.
- An increase in share value for organizations
- Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels
- Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
- Optimization of the allocation of limited security resources
- Assurance of effective information security policy and policy compliance
- A firm foundation for efficient and effective risk management, process improvement, and rapid incident response
- A level of assurance that critical decisions are not based on faulty information
- Accountability for safeguarding information during critical business activities, such as
mergers and acquisitions, business process recovery, and regulatory response.
PTS: 1 REF: 46
- Describe what happens during each phase of the IDEAL General governance framework.
Initiating – Lay the groundwork for a successful improvement effort.
Diagnosing – Determine where you are relative to where you want to be.
Establishing – Plan the specifics of how you will reach your destination.
Acting – Do the work according to the plan.
Learning – Learn from the experience and improve your ability to adopt new improvements in the future.
PTS: 1 REF: 48
- There are twelve categories of threats to information security. List five of them and provide an example of each.
Threat category Example
Compromises to intellectual property Software piracy or other copyright infringement
Deviations in quality of service Fluctuations in power, data, and other services
Espionage or trespass Unauthorized access and/or data collection
Forces of nature Fire, flood, earthquake, lightning, etc.
Human error or failure Accidents, employee mistakes,
Information extortion Blackmail threat of information disclosure
Sabotage or vandalism Damage to or destruction of systems or information
Software attacks Malware: viruses, worms, macros, etc.
Technical hardware failures or errors Hardware equipment failure
Technical software failures or errors Bugs, code problems, loopholes, back doors
Technological obsolescence Antiquated or outdated technologies
Theft Illegal confiscation of equipment or information
PTS: 1 REF: 57
- What is the role of planning in InfoSec management? What are the factors that affect planning?
Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholder. Among the factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment.
PTS: 1 REF: 37-38
- What is the values statement and what is its importance to an organization?
One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.
PTS: 1 REF: 39
- Contrast the vision statement with the mission statement.
If the vision statement states where the organization wants to go, the mission statement describes how it wants to get there.
PTS: 1 REF: 41
- How does tactical planning differ from strategic planning?
Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year.
PTS: 1 REF: 43
- According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?
Inculcate a culture that recognizes the criticality of information and InfoSec to the organization
Verify that management’s investment in InfoSec is properly aligned with organizational strategies and the organization’s risk environment
Assure that a comprehensive InfoSec program is developed and implemented
Demand reports from the various layers of management on the InfoSec program’s effectiveness and adequacy
PTS: 1 REF: 45
- Describe the key approaches organizations are using to achieve unified ERM.
Combining physical security and InfoSec under one leader as one business function
Using separate business functions that report to a common senior executive
Using a risk council approach to provide a collaborative approach to risk management
PTS: 1 REF: 49-50
- What is necessary for a top-down approach to the implementation of InfoSec to succeed?
For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally,
an executive with sufficient influence to move the project forward, ensure that it is properly
managed, and push for its acceptance throughout the organization.
PTS: 1 REF: 54
There are no reviews yet.