Information Security and Risk Assessment MCQ With Answers – Part 5


For most businesses, the threat to their intellectual assets and technical infrastructure comes from the bad guys sitting outside their organizations, trying to break in. These organizations establish strong perimeter defenses, essentially boxing in their assets. However, internal employees have access to proprietary information to do their jobs, and they often disseminate this information to areas where it is no longer under the control of the employer.


133. Which of the following technologies would utilize a Public Key Infrastructure (PKI)?

  1. Secure HyperText Transfer Protocol (SHTTP)
  2. Secure Shell (SSH)
  3. Message Authentication Codes (MAC)
  4. Digital signatures
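The distinction behind question 133 (a Message Authentication Code is checked with the same shared secret that produced it, whereas a digital signature is checked with a public key that a PKI binds to an identity) is easiest to see in code. The Go program below is an added example written for this page, not code from the original page or from any product it names; the message, the shared secret and the key pairs are all constructed here, and the certificate step of a PKI (binding the public key to its owner) is deliberately not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed message for the demonstration; not taken from any real system.
const message = "transfer 100 units to account 42"

// MACTag computes HMAC-SHA256 over msg under a key both parties share.
func MACTag(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// MACVerify checks a tag. It needs the same shared secret the sender used,
// so whoever can verify a MAC can also produce one.
func MACVerify(key []byte, msg string, tag []byte) bool {
	return hmac.Equal(MACTag(key, msg), tag)
}

// VerifierCanForgeMAC shows the consequence: the receiver mints a tag on a
// message the sender never sent, and it verifies exactly like a genuine one.
// A MAC therefore cannot prove authorship to a third party.
func VerifierCanForgeMAC(key []byte, forgedMsg string) bool {
	tag := MACTag(key, forgedMsg)
	return MACVerify(key, forgedMsg, tag)
}

// GenerateKeyPair creates an Ed25519 key pair. In a PKI the public half would
// be bound to the owner's identity by a certificate; that step is not modelled.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces a signature with the signer's private key only.
func Sign(priv ed25519.PrivateKey, msg string) []byte {
	return ed25519.Sign(priv, []byte(msg))
}

// VerifySignature checks a signature using only the public key, so anyone can
// verify without being able to sign: the property a MAC lacks.
func VerifySignature(pub ed25519.PublicKey, msg string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(msg), sig)
}

func main() {
	shared := []byte("constructed-shared-secret")
	tag := MACTag(shared, message)
	fmt.Println("MAC verifies:", MACVerify(shared, message, tag))
	fmt.Println("receiver can forge a valid MAC:",
		VerifierCanForgeMAC(shared, "transfer 100 units to account 999"))

	alicePub, alicePriv := GenerateKeyPair()
	_, bobPriv := GenerateKeyPair()
	sig := Sign(alicePriv, message)
	fmt.Println("signature verifies under Alice's public key:", VerifySignature(alicePub, message, sig))
	fmt.Println("tampered message verifies:", VerifySignature(alicePub, message+"0", sig))
	fmt.Println("Bob's signature passes as Alice's:", VerifySignature(alicePub, message, Sign(bobPriv, message)))
}
```

Run it with `go run` and the two halves print the contrast: the MAC holder can forge a tag that verifies, while a signature made under Bob's private key never verifies under Alice's public key. That asymmetry is what makes digital signatures depend on a PKI: the verifier must be able to trust that the public key really belongs to Alice.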

134. Smart card technology is often used for what information security purpose?

  1. Message Integrity
  2. Authentication
  3. Confidentiality
  4. Availability

135. Extensible Markup Language (XML) is a language often used with Web application development. XML provides which of the following?

  1. Dynamic content delivery
  2. Dynamic message integrity
  3. Dynamic user authentication
  4. Dynamic client configuration

136. An acceptable use policy would be an example of which type of control?

  1. Process
  2. Platform
  3. Physical
  4. Network

137. Which type of attack against access control systems uses a list of common words?

  1. A brute force attack
  2. A denial-of-service attack
  3. A dictionary attack
  4. A network spoofing attack
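To make question 137 concrete, the following Go program contrasts a dictionary attack (a short list of common words, expanded with a few mangling rules) with exhaustive brute force. It is an added example written for this page, not code from the original page; the wordlist, salt and stored passwords are constructed here, and SHA-256 is used only so the example runs without third-party modules (a real system should use a slow password hash such as bcrypt, scrypt or Argon2 so that every guess costs the attacker more).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed wordlist standing in for a real file such as a leaked-password list.
var wordlist = []string{"password", "letmein", "qwerty", "summer2023", "welcome1", "dragon"}

// hashPassword stores SHA-256(salt || password) as hex. Fast hashes like this are
// exactly what makes dictionary attacks cheap; shown here only for clarity.
func hashPassword(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	return hex.EncodeToString(sum[:])
}

// mangle expands one dictionary word with common user habits: capitalising
// the first letter and appending a short suffix. Order matters for the
// attempt count reported by DictionaryAttack.
func mangle(w string) []string {
	if w == "" {
		return nil
	}
	bases := []string{w, strings.ToUpper(w[:1]) + w[1:]}
	suffixes := []string{"", "1", "!", "123"}
	var out []string
	for _, b := range bases {
		for _, s := range suffixes {
			out = append(out, b+s)
		}
	}
	return out
}

// DictionaryAttack hashes each candidate under the victim's salt and compares
// it to the stored hash. It returns the recovered password ("" if none) and
// how many hashes it had to compute.
func DictionaryAttack(salt, storedHash string, words []string) (string, int) {
	tries := 0
	for _, w := range words {
		for _, candidate := range mangle(w) {
			tries++
			if hashPassword(salt, candidate) == storedHash {
				return candidate, tries
			}
		}
	}
	return "", tries
}

// BruteForceKeyspace counts every string of length 1..maxLen over an alphabet
// of the given size: the number of guesses a pure brute-force attack faces.
func BruteForceKeyspace(alphabetSize, maxLen int) uint64 {
	var total, pow uint64 = 0, 1
	for i := 1; i <= maxLen; i++ {
		pow *= uint64(alphabetSize)
		total += pow
	}
	return total
}

func main() {
	salt := "constructed-salt"

	// A weak password derived from a dictionary word falls in a few dozen tries.
	got, tries := DictionaryAttack(salt, hashPassword(salt, "Letmein!"), wordlist)
	fmt.Printf("recovered %q after %d hashes\n", got, tries)

	// A random 8-character password survives the whole list.
	got, tries = DictionaryAttack(salt, hashPassword(salt, "xK9#vQ2m"), wordlist)
	fmt.Printf("recovered %q after %d hashes\n", got, tries)

	// Brute force over printable ASCII up to 8 characters is a different scale.
	fmt.Printf("brute-force keyspace, 95 symbols, length <= 8: %d guesses\n", BruteForceKeyspace(95, 8))
}
```

The attempt counts are the point: the dictionary attack spends tens of hashes where brute force over the same length would spend quadrillions, which is why attackers try the wordlist first and why defenders slow down each guess with a proper password-hashing function.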

138. Which type of information security process assigns a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted?

  1. Risk analysis
  2. Risk assessment
  3. Network vulnerability assessment
  4. Information classification

139. Which type of device creates a variable, alternating current (AC) field for the purpose of demagnetizing magnetic recording media?

  1. A degausser
  2. A demagnetizer
  3. A deionizer
  4. A deflator

140. Which of the following terms frequently refers to a network segment between the Internet and a private network?

  1. A security domain
  2. A zone of control
  3. A DeMilitarized Zone (DMZ)
  4. A security kernel

141. Which type of network attack captures sensitive pieces of information, such as passwords, passing through the network?

  1. Spoofing
  2. SYN flood
  3. Sniffing
  4. Steganography

142. Which of the following technologies would best secure the data on a laptop or other device that could be stolen?

  1. Data encryption
  2. File deletion
  3. No access to the floppy drive
  4. Steganography

143. Which of the following attacks is an example of a passive attack?

  1. Spoofing
  2. SYN flood
  3. Information gathering
  4. Port scanning

144. Which of the following common network attacks is an example of a denial-of-service attack?

  1. Spoofing
  2. SYN flood
  3. Sniffing
  4. Port scanning

145. Which of the following common network attacks is an example of an active attack?

  1. Information gathering
  2. Traffic analysis
  3. Sniffing
  4. Port scanning

146. Which type of network attack is most likely to present the ability to execute commands on the compromised machine?

  1. Spoofing
  2. SYN flood
  3. Sniffing
  4. Buffer overflow

147. Which attack is due to poor programming practices?

  1. Spoofing
  2. SYN flood
  3. Sniffing
  4. Buffer overflow

148. The change management procedure most likely to cause concern to the information security manager is when:

  1. Fallback processes are tested the weekend immediately prior to when the changes are made.
  2. Users are notified via electronic mail of major scheduled system changes.
  3. Manual process is used by operations for comparing program versions.
  4. Development managers have final authority for releasing new programs into production.

149. Which of the following would indicate that an automated production scheduling system has inadequate security controls?

  1. Control statements are frequently changed to point to test libraries.
  2. Failure of a process will automatically initiate the resetting of parameters.
  3. Developers have read access to both production and test schedules.
  4. Scheduling personnel have the ability to initiate an emergency override.

150. When a trading partner who has access to the corporate internal network refuses to follow corporate security policies, the information security manager should initiate which of the following?

  1. Revoke their access.
  2. Provide minimal access.
  3. Send a breach of contract letter.
  4. Contact the partner’s external auditors.

151. Which of the following is most important in writing good information security policies?

  1. Easy to read and understand
  2. Allows for flexible interpretation
  3. Describes technical vulnerability issues
  4. Changes whenever operating systems are upgraded

152. Which of the following would be the best approach when conducting a security awareness campaign?

  1. Provide technical details on exploits.
  2. Target system administrators and the help desk.
  3. Provide customized messages for different groups.
  4. Target senior managers and business process owners.

153. Performance objectives reached by consensus between the user and the provider of a service, or between an outsourcer and an organization, are documented in a(n):

  1. Outsource
  2. Contract
  3. Service level agreement
  4. Controlled by security administration

154. The act of overseeing the progress of a process to ensure that the rights and well-being of an enterprise are protected; that the data is accurate, complete, and verifiable; and that the conduct of the staff is in compliance with the policies, with applicable regulatory requirements, and with standards of the field is termed:

  1. Surveillance
  2. Monitoring
  3. Service level agreement
  4. Level of trust that is granted to system users

155. Cleanup or other methods used to remove or contain vulnerabilities:

  1. Remediation
  2. Penetration testing
  3. Vulnerability assessment
  4. Hard to do

156. An individual who attempts to access computer systems without authorization. These people are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system:

  1. Phreaker
  2. Placker
  3. Employee
  4. Cracker

157. An obligation to act in the best interest of another party. For instance, a corporation’s board member has a _________ to the shareholders, a trustee has a _______ to the trust’s beneficiaries, and an attorney has a _________ to a client:

  1. Due diligence
  2. Required by law
  3. Prudent person concept
  4. Fiduciary duty

158. Access to, knowledge of, or possession of information based on need to perform assigned job duties:

  1. Need to know
  2. Least privilege
  3. Classified
  4. Job rotation

159. The process of identifying and defining all items in a system, recording and reporting the status of these items and requests for change, and verifying the completeness and correctness of these items:

  1. Configuration management
  2. Change management
  3. Service level agreement
  4. Business impact analysis

160. Comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made in support of the approval/accreditation process, to establish the extent to which a particular design and implementation meet a set of specified security requirements:

  1. Certification
  2. Compliance audit
  3. Accreditation
  4. Nonrepudiation

161. A binding agreement between two or more persons that is enforceable by law:

  1. Contract
  2. Service level agreement
  3. Outsource
  4. Proposal

162. Process of controlling modifications to the infrastructure or any aspect of services, in a controlled manner, enabling approved changes with minimum disruption:

  1. Rotation of assignments
  2. Separation of duties
  3. Change management
  4. Service level agreements

163. File sharing is the practice of making files available for other users to download over the Internet and smaller networks. The file sharing model in which the files are stored on, and served by, the personal computers of the users is called:

  1. Kazaa
  2. Morpheus
  3. Peer-to-peer
  4. Hybrid

164. Every department has its own language; therefore the procedures must be developed using the terms that its members are used to. If you write procedures using the wrong “language,” the procedure may as well be written in Sanskrit: the intended audience will not be able to understand it, or they will find it difficult to follow. The individual(s) who will provide the information for the procedure body are typically:

  1. Socially Awkward Males (SAM)
  2. Subject Matter Experts (SME)
  3. Business Approval Team (BAT)
  4. Technical Writing Expert (TWP)

165. A key component in the administrative procedures process is to implement a process that will help ensure that modifications to the information technology infrastructure are controlled and approved. The ability to track and approve changes to the production environment will go a long way in establishing an effective internal control structure. This process is called:

  1. Service level agreement
  2. Due diligence
  3. Copyright compliance
  4. Change management
