September 16, 2021

TECH HYME

A Blog For Tech Enthusiasts

Information Security and Risk Assessment MCQ With Answers – Part 1

7 min read
Risk Assessment Information Security MCQ Tech Hyme

Many computer users believe that because they are skilled at generating documents and presentations, they know everything about computers. These power users have moved beyond application basics, but many still do not understand even basic security concepts.

You may also read:

1. The primary responsibility of the information security steering committee is:

  1. Direction setting and performance monitoring
  2. Information security policy development
  3. Information security control implementation
  4. Provision of information security training for employees

2. Which of the following would be included in an information security strategic plan?

  1. Specifications for planned hardware purchases
  2. Analysis of future business objectives
  3. Target dates for information security projects
  4. Annual budgetary targets for the security department

3. The most important responsibility of an information security manager in an organization is:

  1. Recommending and monitoring security policies
  2. Promoting security awareness within the organization
  3. Establishing procedures for security policies
  4. Administering physical and logical access controls

4. On which of the following would an information security strategy place the most emphasis?

  1. Business goals and objectives
  2. Technology plans and deliverables
  3. Industry best practices
  4. Security metrics

5. Which of the following best describes an information security department’s strategic planning process?

  1. The department will have either short-range or long-range plans depending on the organization’s broader plans and objectives.
  2. The department’s strategic plan must be time and project oriented, but not so detailed as to address and help determine priorities to meet business needs.
  3. Long-range planning for the department should recognize organizational goals, technological advances, and regulatory requirements.
  4. Short-range planning for the department does not need to be integrated into the long-range plans of the organization because technological advances will drive the department plans much quicker than organizational plans.

6. To ensure that an organization’s password policy is effective, it must provide two key elements: difficult to guess; and

  1. Be encrypted at all times
  2. Contain a number of characters
  3. Must be changed periodically
  4. Controlled by security administration

7. “Least privilege” is defined as:

  1. The level of authorization granted to a user that is under investigation
  2. Access to, knowledge of, or possession of information based on need to perform assigned job duties
  3. Only most restrictive privileges granted based on need for job performance
  4. Level of trust that is granted to system users

8. An organization’s log-on screen must contain three statements: the system is for authorized users, activities will be monitored, and

  1. Wrongful activities will be turned over to HR.
  2. By completing the log-on process you agree to the monitoring.
  3. Password must not be shared.
  4. Violators will be prosecuted.

9. Authentication is the process to verify the identity of a user, device, or other entity. The most common forms of authentication used today are passwords. Three types of authentication are: something you know, something you have, and

  1. A combination of any of these two items
  2. Something that you are
  3. A magnetic stripe card
  4. A pass phrase

10. The purpose of change control is to:

  1. Track changes to system hardware, software, firmware, and documentation.
  2. Maintain visibility of changes to the system.
  3. Ensure that changes to the system are approved.
  4. To track and approve changes to system hardware, software, firmware, and documentation.

11. What data should be subject to a data classification scheme?

  1. Sensitive data
  2. Critical data
  3. Classified data
  4. All data

12. The principle of separation of duties is useful in:

  1. Reducing the opportunity for fraud
  2. Identifying critical positions
  3. Developing job descriptions
  4. Conducting background investigations

13. What are the three objectives of information security?

  1. Prevent, detect, respond
  2. Integrity, authenticity, and completeness
  3. Confidentiality, integrity, and availability
  4. Identification, authentication, non-repudiation

14. Four deliverables from a risk assessment process are threats identified, controls selected, action plan complete, and

  1. Risk level established
  2. Technical issues quantified
  3. Vulnerability assessment completed
  4. Risk mitigation established

15. Need-to-know is defined as

  1. Access to, knowledge of, or possession of information based on need to perform security duties
  2. Possession of information based on need to perform assigned duties
  3. Access to, knowledge of, or possession of information based on need to perform assigned job duties
  4. Knowledge of information or activities based on need to perform job functions

16. A financial estimate designed to help consumers and enterprise managers assess direct and indirect costs related to the purchase of any capital investment, such as (but not limited to) computer software or hardware is termed:

  1. Return on investment
  2. Return on security investment
  3. Total value of asset compensation
  4. Total cost of ownership

17. The process where senior management commits allegiance to the enterprise and acknowledges that the interest of the enterprise must prevail over any personal or individual interest is termed:

  1. Duty of fairness
  2. Conflict of interest
  3. Duty of loyalty
  4. Duty of care

18. This recent piece of legislation requires annual affirmation of management’s responsibility for internal controls over financial reporting. Management must attest to effectiveness based on an evaluation and the auditor must attest and report on management’s evaluation.

  1. Foreign Corrupt Practices Act
  2. Sarbanes–Oxley
  3. Model Business Corporation Act
  4. Gramm–Leach–Bliley Act

19. An annual report of the state of information security should be presented to the information security steering committee. This reporting requirement has been established in the current legislation and information security international standards. This report should not be confused with a standard feature audit performed by the audit staff nor is it part of some third-party certification process. Who is responsible for presenting this annual report?

  1. CISO
  2. CTO
  3. CEO
  4. CFO

20. This individual is responsible for the organization’s planning, budgeting, and performance, including its information security components. Decisions made in this area should be based on an effective risk management program.

  1. Information owner
  2. Information security administrator
  3. General auditor
  4. Chief information security officer

21. This form of emergency plan provides procedures for disseminating status reports to personnel and the public. It addresses communications with personnel and the public and is not IT focused. This plan is called:

  1. Emergency response plan
  2. Crisis communication plan
  3. Continuity of operation plan
  4. Cyber incident response plan

22. Any information security program must get its direction from executive management. The requirements of today’s laws and regulations have identified either the organization’s board of directors or what other body as responsible for instituting an effective program?

  1. Information security steering committee
  2. Business operations approval team
  3. Crisis management team
  4. Cyber incident response board

23. Developing business case and enterprise value analysis that supports information security program investments is a vital task for the information security manager. Organizations often justify spending based on a project’s value. Two common methods used are Total Cost of Operations (TCO) and what other widely accepted method?

  1. Cost-benefit analysis
  2. Risk-based assessment
  3. Network vulnerability investment
  4. Return on investment

24. Unlike the policy development process, the use of a team to develop procedures will actually slow the process down. Many security professionals reach this stage of the information security program and believe that the bulk of their work is complete and now it will be up to whom to write the procedures?

  1. Technical writer
  2. Help desk administrator
  3. Subject matter expert
  4. Socially awkward male

25. There are three types of policies and you will use each type at different times in your information security program and throughout the organization to support the business process or mission. The policy that is used to establish the organization’s overall vision and direction is termed:

  1. Global (Tier 1)
  2. Topic-specific (Tier 2)
  3. Application-specific (Tier 3)
  4. System-specific (Tier 4)

26. A director shall discharge his or her duties: in good faith; with the care an ordinarily prudent person in a like position would exercise under similar circumstances; and in a manner he or she reasonably believes is in the best interest of the enterprise. This responsibility is termed:

  1. Duty of loyalty
  2. Duty of fairness
  3. Fiduciary duty
  4. Duty of care

27. The group who is charged with the responsibility to “assess the adequacy of and compliance with management, operating, and financial controls, as well as the administrative and operational effectiveness of organizational units” is who?

  1. Information security
  2. Auditing staff
  3. Corporate council
  4. Government and regulatory affairs

28. This organization got its start in 1967, when a small group of individuals with similar jobs—auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations—sat down to discuss the need for a centralized source of information and guidance in the field. This organization is called:

  1. Data Processing Management Association (DPMA)
  2. Information Systems Security Association (ISSA)
  3. Information Systems Audit and Control Association (ISACA)
  4. American Society for Industrial Security (ASIS)

29. An annual report of the state of information security should be presented to the information security steering committee. This reporting requirement has been established in the current legislation and information security international standards. This report should not be confused with a standard feature audit performed by the audit staff nor is it part of some third-party certification process. Typically the CISO would prepare a report on the levels of compliance currently seen throughout the business units. The report development process normally has two key components: compliance with core information security requirements; and what?

  1. The level of implementation for the current information security initiative
  2. The percentage of overall compliance to agency regulations
  3. Number of liability cases pending
  4. What departments are least compliant with the program

30. The Cyber Security Industrial Alliance published their National Agenda for Information Security in 2006 in December, 2005. In this document the Alliance noted that “Information assurance in the private sector is critical to creating a more secure infrastructure.” The report recommended that the federal government “encourage” CEOs to review cyber security measures at board meetings. This effort will help senior executives understand what?

  1. Their personal liability for noncompliance
  2. Their responsibilities when accessing material inside information
  3. The security-related implications of Sarbanes–Oxley, GLBA, and HIPAA
  4. The impact of ROSI on profit margins

31. Which of the following is a key drawback in the use of quantitative risk analysis? It:

  1. Applies numeric measurements to qualitative elements
  2. Attempts to assign numeric values to exposures of assets
  3. Is based on a criticality analysis of information assets
  4. Produces the results in numeric (percentage, probability) form

32. Acceptable risk is usually:

  1. Subjectively determined
  2. Objectively determined
  3. Less than residual risk
  4. Based on loss expectancy

33. The cost of mitigating a risk should not exceed the:

  1. Annual loss expectancy
  2. Value of the physical asset
  3. Expected benefit to be derived
  4. Cost to the perpetrator to exploit the weakness

 

Leave a Reply