September 16, 2021

TECH HYME

A Blog For Tech Enthusiasts

Information Security Policy Related Questions with Answers

In a perfect world, policies and procedures would always produce the perfect product. This requires employees to follow policies and procedures at all times. However, we do not live in a perfect world. Neither policies nor procedures are always perfect, nor do employees always follow them.

Anyone who has cashed a check at a bank understands what a basic procedure looks like. A check-cashing procedure includes checking the person’s identification and the account balance. The bank’s policy states that when a teller follows the check-cashing procedure, and the account has sufficient funds, the teller may give the cash to the account holder. The teller must follow this procedure to protect the customer and the bank from fraud.

In the creation of information systems security policies, also called security policies, IS policies, or ISMS policies, many factors drive policy requirements. These requirements include organization size, processes, type of information, and laws and regulations. Once an organization creates policies, it will face both technical and human challenges implementing them.

The keys to implementing policies are employee acceptance and management enforcement. A policy is worth little or nothing if no one follows it.

The questions listed below will also help you prepare for the following information security certification exams:

  • CEH – Certified Ethical Hacker
  • CISM – Certified Information Security Manager
  • CompTIA Security+
  • CISSP – Certified Information Systems Security Professional
  • GSEC – GIAC Security Essentials
  • ECSA – EC-Council Certified Security Analyst
  • GPEN – GIAC Penetration Tester
  • SSCP – Systems Security Certified Practitioner
  • CRISC – Certified in Risk and Information System Control
  • CISA – Certified Information Systems Auditor
  • CCNA – Cisco Certified Network Associate
  • CHFI – Computer Hacking Forensic Investigator
  • CCSP – Certified Cloud Security Professional
  • NCSF – NIST Cybersecurity Framework
  • LPT – Licensed Penetration Tester

Below are some widely used multiple-choice questions (with answers) on security policies:

1. John works in the accounting department but travels to other company locations. He must present the past quarter’s figures to the chief executive officer (CEO) in the morning. He forgot to update the PowerPoint presentation on his desktop computer at the main office. What is at issue here?

  1. Unauthorized access to the system
  2. Integrity of the data
  3. Availability of the data
  4. Nonrepudiation of the data
  5. Unauthorized use of the system

2. Which of the following are generally accepted as IA tenets but not ISS tenets? (Select two.)

  1. Confidentiality
  2. Integrity
  3. Availability
  4. Authentication
  5. Nonrepudiation

3. When should a wireless security policy be initially written?

  1. When the industry publishes new wireless standards
  2. When a vendor presents wireless solutions to the business
  3. When the next generation of wireless technology is launched
  4. After a company decides to implement wireless and before it is installed

4. A toy company is giving its Web site a much-needed facelift. The new Web site is ready to be deployed. It’s late October, and the company wants to have the site ready for the holiday rush. The year-end holiday season accounts for 80 percent of its annual revenue. What process would be of particular importance to the toy company at this time?

  1. Continuous improvement
  2. Business process reengineering
  3. Change management
  4. Information security system life cycle

5. Information systems security policies should support business operations. These policies focus on providing consistent protection of information in the system. This happens by controlling multiple aspects of the information system that directly or indirectly affect normal operations at some point. While there are many different benefits to supporting operations, some are more prevalent than others. Which of the following are aspects of ISS policies that extend to support business operations?

  1. Controlling change to the IT infrastructure
  2. Protecting data at rest and in transit
  3. Protecting systems from the insider threat
  4. B and C only
  5. All the above

6. A weakness is found in a system’s configuration which could expose client data to unauthorized users. Which of the following best describes the problem?

  1. A new threat was discovered.
  2. A new vulnerability was discovered.
  3. A new risk was discovered.
  4. A and B
  5. B and C
  6. A, B, and C

7. What is policy compliance?

  1. The effort to follow an organization’s policy
  2. When customers read a Web site policy statement
  3. Adherence to an organization’s policy
  4. Failure to follow an organization’s policy

8. What is an automated control?

  1. A control that stops behavior immediately and does not rely on human decisions
  2. A control that does not stop behavior immediately and relies on human decisions
  3. A control that does not stop behavior immediately but automates notification of incident
  4. A control that stops behavior immediately and relies on human decisions

9. Which of the following is not a business driver?

  1. Ability to acquire the newest technology
  2. Cost of maintaining controls
  3. Ability to legally defend
  4. Customer satisfaction

10. What is an information security policy?

  1. A policy that defines acceptable behavior of a customer
  2. A policy that defines what hardware to purchase
  3. A policy that defines how to protect information in any form
  4. A policy that defines the type of uniforms guards should wear

11. Which of the following is not a type of security control?

  1. Preventative
  2. Correlative
  3. Detective
  4. Corrective

12. Tone at the top refers to:

  1. A company’s leaders making sure every employee knows the priorities
  2. Senior leaders implementing and enforcing policies
  3. Senior managers building trust with the public and with regulators
  4. All of the above

13. What are the benefits to having a security awareness program emphasize the business risk?

  1. Risk becomes more relevant to employees
  2. Security policies are more likely to be followed
  3. Provides employees a foundation to deal with unexpected risk
  4. All of the above

14. Which of the following is not a guideline to be considered when developing policy to secure PII data?

  1. Align—Coordinate privacy policies with data classification policies
  2. Retain—Ensure proper controls around data retention and destruction
  3. Disclose—Fully disclose to the individual what data is being collected and how it will be used
  4. Resiliency—Policies provide guidelines for the unexpected

15. Which of the following is not a benefit of having an acceptable use policy?

  1. Outlines disciplinary action for improper behavior
  2. Prevents employees from misusing the Internet
  3. Reduces business liability
  4. Defines proper behavior while using the Internet

16. Which of the following do you need to measure to achieve operational consistency?

  1. Consistency
  2. Quality
  3. Results
  4. All of the above

17. Well-defined and properly implemented security policies help the business in which of the following ways?

  1. Maximize profit
  2. Reduce risk
  3. Produce consistent and reliable products
  4. All of the above

18. Which of the following are pressures on creating security policies?

  1. Shareholder value
  2. Regulations
  3. Technology vulnerabilities and limitations
  4. B and C only
  5. All of the above

19. Which of the following laws require proper security controls for handling privacy data?

  1. HIPAA
  2. GLBA
  3. FERPA
  4. B and C Only
  5. All of the above

20. Which of the following are control objectives for PCI DSS?

  1. Maintain an information security policy
  2. Protect cardholder data
  3. Alert when credit cards are illegally used
  4. A and B only
  5. None of the above

21. What should you ask for to gain confidence that a vendor’s security controls are adequate?

  1. An SSAE16 Type I audit
  2. An SSAE16 Type II audit
  3. A list of all internal audits
  4. All of the above

22. Why is it important to map regulatory requirements to policies and controls?

  1. To demonstrate compliance to regulators
  2. To ensure regulatory requirements are covered
  3. To demonstrate the importance of a security control
  4. All of the above

23. Who typically writes a report to the board of directors on the current state of information security within a company?

  1. Chief risk officer
  2. Chief information officer
  3. Chief information security officer
  4. A and B
  5. B and C
  6. A, B, and C

24. Which of the following attempts to identify where sensitive data is currently stored?

  1. Data Leakage Protection Inventory
  2. DLP Encryption Key
  3. Data Loss Protection Perimeter
  4. DLP Trojans

25. Voice over Internet Protocol (VoIP) can be used over which of the following?

  1. LAN
  2. WAN
  3. Both
  4. Neither

26. Which of the following is not one of the seven domains of typical IT infrastructure?

  1. Remote Access Domain
  2. LAN Domain
  3. World Area Network Domain
  4. System/Application Domain

27. One key difference between RBAC and ABAC is which of the following?

  1. ABAC is dynamic and RBAC is static.
  2. ABAC is static and RBAC is dynamic.
  3. No difference; these are just different terms to mean the same thing.

28. What policy generally requires that employees lock up all documents and digital media at the end of a workday and when not in use?

  1. Acceptable use policy
  2. Clean desk policy
  3. Privacy policy
  4. Walk out policy

29. What kind of workstation management refers to knowing what software is installed?

  1. Inventory management
  2. Patch management
  3. Security management
  4. Discovery management

30. Generally, remote authentication provides which of the following?

  1. Fewer controls than if you were in the office
  2. The same controls as if you were in the office
  3. More controls than if you were in the office
  4. Less need for controls than in the office

31. Where is a DMZ usually located?

  1. Inside the private LAN
  2. Within the WAN
  3. Between the private LAN and public WAN
  4. Within the mail server

32. What is a botnet?

  1. A piece of software the end user loads onto a device to prevent intrusion
  2. A piece of software a company loads onto a device to monitor its employees
  3. A piece of software a hacker loads onto a device without user knowledge
  4. A piece of software used to communicate between peers

33. Which of the following is a basic element of motivation?

  1. Pride
  2. Self-interest
  3. Success
  4. B and C
  5. All of the above

34. Which personality type often breaks through barriers that previously prevented success?

  1. Attackers
  2. Commanders
  3. Analyticals
  4. Pleasers

35. Which of the following is a method for overcoming apathy?

  1. Avoiding redundancy
  2. Issuing company directives
  3. Engaging in communication
  4. Requiring obedience to policies

36. Why is HR policy language often intentionally vague?

  1. To avoid being interpreted as an unintended promise
  2. To start lawsuits
  3. To avoid being too severe for new hires

37. When a catastrophic security breach occurs, who is ultimately held accountable by regulators and the public?

  1. Company officers
  2. The CIO
  3. The ISO
  4. The data owner

38. Which of the following are attributes of entrepreneurs?

  1. Innovators
  2. Well educated in business management
  3. More likely to take risks
  4. A and C
  5. B and C

39. Which of the following is the best measure of success for a security policy?

  1. Number of security controls developed as a result
  2. The number of people aware of the policy
  3. Reduction in risk
  4. The rank of the highest executive who approved it

40. A change agent typically will

  1. Ensure current processes are working
  2. Ensure application code changes are well understood
  3. Challenge whether a company’s existing processes represent the best approach

41. An IT policy framework charter includes which of the following?

  1. The program’s purpose and mission
  2. The program’s scope within the organization
  3. Assignment of responsibilities for program implementation
  4. Compliance management
  5. A, B, and C only
  6. A, B, C, and D

42. Which of the following is the first step in establishing an information security program?

  1. Adoption of an information security policy framework or charter
  2. Development and implementation of an information security standards manual
  3. Development of a security awareness-training program for employees
  4. Purchase of security access control software

43. Which of the following are generally accepted and widely used policy frameworks? (Select three.)

  1. COBIT
  2. ISO/IEC 27002
  3. NIST SP 800-53
  4. NIPP

44. Which of the following is not mandatory?

  1. Standard
  2. Guideline
  3. Procedure
  4. Baseline

45. Which of the following includes all of the detailed actions and tasks that personnel are required to follow?

  1. Standard
  2. Guideline
  3. Procedure
  4. Baseline

46. When building a policy framework, which of the following information systems factors should be considered?

  1. Unauthorized access to and use of the system
  2. Unauthorized disclosure of information
  3. Disruption of the system
  4. Modification of information
  5. Destruction of information resources
  6. A, B, and E only
  7. A, B, C, D, and E

47. What is the difference between risk appetite and risk tolerance?

  1. Risk tolerance measures impact and likelihood, while risk appetite measures variance from a target goal.
  2. Risk appetite measures impact and likelihood, while risk tolerance measures variance from a target goal.
  3. There is no difference between these two.

48. Which of the following are important to consider before a policy?

  1. Architecture operating model
  2. Intent
  3. Policy change control board
  4. A and B
  5. B and C
  6. A, B, and C

49. Which of the following is not an administrative control?

  1. Development of policies, standards, procedures, and guidelines
  2. Screening of personnel
  3. Change control procedures
  4. Logical access control mechanisms

50. Which of the following are common steps taken in the development of documents such as security policies, standards, and procedures?

  1. Design, development, publication, coding, and testing
  2. Feasibility, development, approval, implementation, and integration
  3. Initiation, evaluation, development, approval, publication, implementation, and maintenance
  4. Design, coding, evaluation, approval, publication, and implementation

51. Which type of control is associated with responding to and fixing a security incident?

  1. Deterrent
  2. Compensating
  3. Corrective
  4. Detective

52. Which of the following does a policy change control board do? (Select two.)

  1. Assesses policies and standards and makes recommendations for change
  2. Determines the policy and standards library numbering scheme
  3. Implements technical controls as business conditions change
  4. Reviews requested changes to the policy framework

53. Which of the following is not an IT security policy framework?

  1. COBIT
  2. ISO
  3. ERM
  4. OCTAVE

54. Which of the following are PCI DSS network requirements?

  1. Network segregation
  2. Penetration testing
  3. Virus scanning
  4. All of the above
  5. A and B only

55. Which of the following are common IT framework characteristics?

  1. Risk-based management
  2. Aligned business risk appetite
  3. Reduced operation disruption and losses
  4. Established path from requirements to control
  5. All of the above
  6. A and C only

56. Which of the following applies to both GRC and ERM?

  1. Defines an approach to reduce risk
  2. Applies rigid framework to eliminate redundant controls, policies, and efforts
  3. Passively enforces security policy
  4. Seeks line of sight into root causes of risks

57. Which of the following is not a key area of improvement noted after COBIT implementation?

  1. Value delivery
  2. Decentralization of the risk function
  3. Better resourcing of IT
  4. Better communication

58. Security awareness is required by which of the following?

  1. Law
  2. Customers
  3. Shareholders
  4. All of the Above

59. Which of the following does an acceptable use policy relate to?

  1. Server-to-server communication
  2. Users accessing the Internet
  3. Encryption when transmitting files
  4. A and B

60. What is the difference between least access privileges and best fit access privileges?

  1. Least access privileges customize access to an individual
  2. Best fit privileges customize access to a group based on risk
  3. No difference
  4. A and B

61. The steps to implement security controls on a firewall would be documented within which of the following?

  1. Policy
  2. Control standard
  3. Baseline standard
  4. Procedure

62. A DMZ separates a LAN from which of the following?

  1. Phone network
  2. Internet
  3. Cellular network
  4. VoIP Network

63. Visitor control is an aspect of which of the following?

  1. Network security
  2. Personnel security
  3. Workstation security
  4. Physical security

64. Which of the following can you use to segment LANs?

  1. Routers and firewalls
  2. Routers and gateways
  3. Gateways and servers
  4. Servers and workstations

65. Without a policy that leads to controls that restrict employees from installing their own software on a company workstation, a company could suffer which of the following consequences?

  1. Malware on the network
  2. Lawsuits from software licensing issues
  3. Loss of productivity
  4. All of the above

66. Good sources for security policies and standards include which of the following?

  1. U.S. Government
  2. Private companies selling standards
  3. Professional organizations
  4. Vendors
  5. All of the above

67. Two-factor authentication is a typical control used by employees to remotely access which of the following?

  1. Workstation
  2. LAN
  3. DMZ Web site
  4. WAN

68. Which document outlines the specific controls that a technology device needs to support?

  1. Control standard
  2. Baseline standard
  3. Procedure
  4. Policy

69. What is the difference between a stateless firewall and a stateful one?

  1. A stateful firewall looks at each packet individually and a stateless firewall examines the packet in the context of the connection and other packets.
  2. A stateless firewall looks at each packet individually and a stateful firewall examines the packet in the context of the connection and other packets.
  3. No difference

70. Which of the following is not a common need for most organizations to classify data?

  1. Protect information
  2. Retain information
  3. Sell information
  4. Recover information

71. You need to retain data for what major reasons?

  1. Legal obligation
  2. Needs of the business
  3. For recovery
  4. A and B
  5. All of the above

72. What qualities should the data owner possess?

  1. Is in a senior position within the business
  2. Understands the data operations of the business
  3. Understands the importance and value of the information to the business
  4. Understands the ramifications of inaccurate data or unauthorized access
  5. All of the above

73. What is a process to understand business leaders’ perspective of risk called?

  1. QA
  2. QC
  3. RCSA

74. Data in transit is what type of data?

  1. Data backup tapes being moved to a recovery facility
  2. Data on your USB drive
  3. Data traversing a network
  4. Data being stored for later transmission

75. Which of the following should not be in an incident response team charter?

  1. Mission
  2. Organizational structure
  3. Detailed line budget
  4. Roles and responsibilities

76. Which of the following IRT members should be consulted before communicating to the public about an incident?

  1. Management
  2. Public relations
  3. IRT manager
  4. All of the above

77. As defined by this chapter, what is not a step in responding to an incident?

  1. Discovering an incident
  2. Reporting an incident
  3. Containing an incident
  4. Creating a budget to compare options
  5. Analyzing an incident response

78. What value does a forensic tool bring?

  1. Gathers evidence
  2. Helps evidence to be accepted by the court
  3. Can take a bit image of a machine
  4. All of the above

79. How important is it to identify the attacker before issuing a final IRT report?

  1. Critically important; do not issue the report without it
  2. Moderately important; nice to have but issue the report if not available
  3. Not important; focus on the incident and do not include identity of attacker even if you have it
  4. Important, but allow law enforcement to brief management about attacker’s identity

80. When analyzing an incident, you must try to determine which of the following?

  1. The tool used to attack
  2. The vulnerability that was exploited
  3. The result of the attack
  4. All of the above

81. What is the difference between a BCP and a DRP?

  1. A BCP focuses on the business recovery and DRP focuses on technology recovery.
  2. A DRP focuses on the business recovery and BCP focuses on technology recovery.
  3. There is no difference. The two terms mean the same thing.

82. Which of the following indicate that the culture of an organization is adopting IT security policies?

  1. Security policies are part of routine daily interaction.
  2. Security policies are supported by organizational committees.
  3. Security policies’ core values are demonstrated in workers’ instinctive reactions to situations.
  4. All of the above

83. A control environment is defined as:

  1. An inventory of the security policy controls
  2. A well-defined framework to track control exceptions
  3. A term describing the overall way in which the organization’s controls are governed and executed
  4. None of the above

84. Which of the following is not an organizational challenge when implementing security policies?

  1. Accountability
  2. Surplus of funding
  3. Lack of priority
  4. Tight schedules

85. Which type of plan is critical to ensuring security awareness reaches specific types of users?

  1. Rollout plan
  2. Media plan
  3. Executive project plan
  4. Communications plan

86. Why should a security policy implementation be flexible to allow for updates?

  1. Unknown threats will be discovered.
  2. New ways of teaching will be introduced.
  3. New technologies will be introduced.
  4. A and C
  5. All of the above

87. Which of the following is the least objectionable when dealing with policies with regard to outdated technology?

  1. Write security policies to best practices and issue a policy waiver for outdated technology that inherently cannot comply.
  2. Write security policies to the lowest, most common security standard the technology can support.
  3. Write different sets of policies for outdated technologies.
  4. All of the above

88. What is a strong indicator that awareness training is not effective?

  1. A firewall breach
  2. Sharing your password with a supervisor
  3. Sharing a laptop with a coworker
  4. A fire in the data center

89. A target state is generally defined as:

  1. A term used in technology to describe a future state
  2. A way to describe specific policy goals and objectives
  3. A way to describe what tools, processes, and resources (including people) are needed to achieve the goals and objectives
  4. All of the above
  5. None of the above

90. What is the best way to disseminate a new policy?

  1. Hardcopy
  2. Intranet
  3. Brown bag session
  4. All of the above

91. A formal communication plan is ________ when implementing major security policies.

  1. Always needed
  2. Optional
  3. Never needed

92. Which of the following is not an organizational gateway committee?

  1. Architecture review committee
  2. Internal connection committee
  3. Vendor governance committee
  4. Security compliance committee

93. Which of the following is not an access control?

  1. Authentication
  2. Authorization
  3. Decryption
  4. Logging

94. In which of the following areas might a company monitor its employees’ actions?

  1. Internet
  2. E-mail
  3. Computers
  4. A and B
  5. All of the above

95. What is not required in modern-day CISO positions?

  1. Must rely on the organization to enforce policy
  2. Needs to have strong law enforcement background
  3. Needs to build relationships and consensus
  4. Must influence behavior and change culture to enforce policy

96. What is an example of a manual control?

  1. Background checks
  2. Authentication
  3. Access rights reviews
  4. A and C
  5. All of the above

97. A breach of a single customer record cannot be considered a pervasive control weakness.

  1. True—you must lose a significant amount of data for it to be considered a pervasive control weakness.
  2. False—any breach can be a pervasive control weakness, depending on the control that failed.

98. Line management does which of the following to make policies operational?

  1. Acts as go-to people for addressing questions
  2. Applies policies consistently
  3. Gathers metrics on the policies’ effectiveness
  4. A and C
  5. All of the above

99. In which process would you place quality assurance controls?

  1. Governance processes
  2. Management processes
  3. A and B
  4. None of the above

100. Which of the following is not reviewed when monitoring a user’s e-mail and Internet activity?

  1. Data leakage
  2. Viruses and malware
  3. Unauthorized access to sites
  4. Network performance

101. An operating system and different applications are installed on a system. The system is then locked down with various settings. You want the same operating system, applications, and settings deployed to 50 other computers. What’s the easiest way?

  1. Scripting
  2. Imaging
  3. Manually
  4. Spread the work among different departments

102. Your organization wants to automate the distribution of security policy settings. What should be considered?

  1. Training of administrators
  2. Organizational acceptance
  3. Testing for effectiveness
  4. All of the above

103. An organization uses a decentralized IT model with a central IT department for core services and security. The organization wants to ensure that each department is complying with primary security requirements. What can be used to verify compliance?

  1. Group Policy
  2. Centralized change management policies
  3. Centralized configuration management policies
  4. Random audits

104. An organization wants to maintain a database of system settings. The database should include the original system settings and any changes. What should be implemented within the organization?

  1. Change management
  2. Configuration management
  3. Full ITIL life cycle support
  4. Security Content Automation Protocol

105. An organization wants to reduce the possibility of outages when changes are implemented on the network. What should the organization use?

  1. Change management
  2. Configuration management
  3. Configuration management database
  4. Simple Network Management Protocol

106. A security baseline image of a secure configuration that is then replicated during the deployment process is sometimes called a ________.

  1. Master copy
  2. Zero-day image
  3. Gold master
  4. Platinum image

107. What is a valid approach for validating compliance with a security baseline?

  1. Vulnerability scanner
  2. Penetration test
  3. A and B

Let’s look at some true/false questions (with answers) to test your knowledge and learn a few interesting things along the way.

1. COBIT is a widely accepted international best practices policy framework.

  1. True
  2. False

2. Ted is an administrator in the server backup area. He is reviewing the contract for the offsite storage facility for validity. This contract includes topics such as the amount of storage space required, the pickup and delivery of media, response times during an outage, and security of media within the facility. This contract is an example of information security.

  1. True
  2. False

3. Privacy regulations involve two important principles: full disclosure and data encryption.

  1. True
  2. False

4. Information used to open or access a bank account is generally considered PII data.

  1. True
  2. False

5. Mitigating controls always meet the full intent of the policy.

  1. True
  2. False

6. When creating laws and regulations, the government’s sole concern is the privacy of the individual.

  1. True
  2. False

7. Health care providers are those that process and facilitate billing.

  1. True
  2. False

8. The only consideration in protecting personal customer information is legal requirements.

  1. True
  2. False

9. You should always write new security policies each time a new regulation is issued.

  1. True
  2. False

10. Private WANs must be encrypted at all times.

  1. True
  2. False

11. A LAN is efficient for connecting computers within an office or groups of buildings.

  1. True
  2. False

12. What employees learn in awareness training influences them more than what they see within their department.

  1. True
  2. False

13. Always applying the most strict authentication method is the best way to protect the business and ensure achievement of goals.

  1. True
  2. False

14. Remote access does not have to be encrypted if strong authentication is used.

  1. True
  2. False

15. In hierarchical organizations, the leaders are close to the workers that deliver products and services.

  1. True
  2. False

16. User apathy often results in an employee just going through the motions.

  1. True
  2. False

17. In the case of policies, it is important to demonstrate to the business how policies will reduce risk and will be derived in a way that keeps costs low.

  1. True
  2. False

18. An ideal time to refresh security policies is during a reduction in force.

  1. True
  2. False

19. A control partner’s role includes analysis of proposed policy changes and providing an opinion on their viability.

  1. True
  2. False

20. Security policies provide the “what” and “why” of security measures.

  1. True
  2. False

21. The purpose of a consequence model is to discipline an employee in order to ensure future compliance with information security policies.

  1. True
  2. False

22. A mitigating control eliminates the risk by achieving the policy goal in a different way.

  1. True
  2. False

23. When writing policies and standards, you should address the six key questions who, what, where, when, why, and how.

  1. True
  2. False

24. Guideline documents are often tied to a specific control standard.

  1. True
  2. False

25. The sole purpose of an architecture operating model is to define how all the business’s technology will be implemented.

  1. True
  2. False

26. Exceptions or waivers to security policies are a bad idea and should never be approved.

  1. True
  2. False

27. Security principles are needed in the absence of complete information to make high-quality security decisions.

  1. True
  2. False

28. “Access to all Organization information resources connected to the <Organization> network must be controlled by using user IDs and appropriate authentication” is a statement you might find in a procedure document.

  1. True
  2. False

29. The security committee is the key committee for the CISO.

  1. True
  2. False

30. The underlying concept of SOD is that individuals execute high-risk transactions as they receive preapproval.

  1. True
  2. False

31. A risk management and metrics team is generally the first team to respond to an incident.

  1. True
  2. False

32. Once you decide not to eliminate a risk but to accept it, you can ignore the risk.

  1. True
  2. False

33. Implementing a governance framework can allow an organization to systemically identify and prioritize risks.

  1. True
  2. False

34. All organizations should have a full-time team dedicated to collecting, reviewing, and reporting to demonstrate adherence to regulations.

  1. True
  2. False

35. Pretexting is what happens when a hacker breaks into a firewall.

  1. True
  2. False

36. A privileged-level access agreement (PAA) prevents an administrator from abusing elevated rights.

  1. True
  2. False

37. Social engineering occurs when a hacker posts her victories on a social Web site.

  1. True
  2. False

38. Typically, in large organizations, all administrators have the same level of authority.

  1. True
  2. False

39. An interactive service account typically does not have a password.

  1. True
  2. False

40. Production data should be sanitized before being used in a test environment.

  1. True
  2. False

41. Organizations should always create new policies tailored to their needs rather than adopt industry norms found on the Internet.

  1. True
  2. False

42. An owner of the data must obtain approval from the custodian of the resource to use the data.

  1. True
  2. False

43. Authorization is the process used to prove the identity of the person accessing systems, applications, and data.

  1. True
  2. False

44. In all businesses you will always have data that needs to be protected.

  1. True
  2. False

45. Risk exposure is best-guess professional judgment using a qualitative technique.

  1. True
  2. False

46. Federal agencies can customize their own data classification scheme.

  1. True
  2. False

47. Quality assurance is typically a detective control.

  1. True
  2. False

48. Generally, having five to 10 data classifications works best to cover all the possible data needs of an organization.

  1. True
  2. False

49. Encryption protects data at rest from all types of breaches.

  1. True
  2. False

50. All incidents, regardless of how small, should be handled by an incident response team.

  1. True
  2. False

51. When containing an incident, you should always apply a long-term preventive solution.

  1. True
  2. False

52. During the containment step, you should also gather as much evidence as reasonably possible about the incident.

  1. True
  2. False

53. To clean up after an incident, you should always wipe the affected machine clean and rebuild it from scratch.

  1. True
  2. False

54. The Business Impact Analysis (BIA) is created after the business has created a Business Continuity Plan (BCP).

  1. True
  2. False

55. The BIA assessment is created by the IRT team primarily for use during a security incident.

  1. True
  2. False

56. Effective security policies require that everyone in the organization be accountable for policy implementation.

  1. True
  2. False

57. Deliberate acts and malicious behavior by employees are easy to control, especially when proper deterrents are installed.

  1. True
  2. False

58. Classroom training for security policy awareness is always the superior option to other alternatives, such as online training.

  1. True
  2. False

59. A brown bag session is a formal training event with a tightly controlled agenda.

  1. True
  2. False

60. The security compliance committee has one role, which is to identify when violations of policies occur.

  1. True
  2. False

61. Laws define the specific internal IT processes needed to be compliant.

  1. True
  2. False

62. Connecting a personal device to the company network can create legal implications.

  1. True
  2. False

63. After a set of security settings has been applied to a system, there is no need to recheck these settings on the system.

  1. True
  2. False

64. Several tools are available to automate the deployment of security policy settings. Some tools can deploy baseline settings. Other tools can deploy changes in security policy settings.

  1. True
  2. False

65. Change requests are tracked in a control work order database. Approved changes are also recorded in a CMDB.

  1. True
  2. False

66. Microsoft created the Web-Based Enterprise Management (WBEM) technologies for Microsoft products.

  1. True
  2. False

67. It is important to protect your gold master because an infected copy could quickly result in widespread infection with malware.

  1. True
  2. False

68. If an organization implements the COSO internal control framework, then it cannot implement another controls framework like COBIT.

  1. True
  2. False
Below is a set of important fill-in-the-blank questions with their answers.

1. Governance is the practice of ensuring an entity is in conformance to policies, regulations, ________, and procedures.

• Answer: Standards

2. Greg has developed a document on how to operate and back up the new financial section's storage area network. In it, he lists the steps required for powering up and down the system as well as configuring the backup tape unit. Greg has written a ________.

• Answer: Procedure

3. Implementation and enforcement of policies is a challenge. The biggest hindrance to implementation of policies is the ________ factor.

• Answer: Human

4. A firewall is generally considered an example of a ________ control.

• Answer: Preventive

5. Nation-state attacks that try to disrupt the country’s critical infrastructure are sometimes referred to as ________.

• Answer: Cyberterrorism or cyberwarfare

6. The law that attempts to limit children’s exposure to sexually explicit material is ________.

• Answer: CIPA

7. Which of the seven domains refers to the technical infrastructure that connects the organization’s LAN to a WAN and allows end users to surf the Internet?

• Answer: LAN-to-WAN Domain

8. A ________ is a term that refers to a network that limits what and how computers are able to talk to each other.

• Answer: Segmented Network

9. Dedicated network devices whose only function is to create and manage VPN traffic are called VPN ________.

• Answer: Concentrators

10. The minimum standard in authentication for businesses is the use of ________.

• Answer: IDs and Passwords

11. Avoiders like to ________ and will do _______ but not much more.

• Answer: Be in the background; precisely what is asked of them

12. As the number of specialties increases, so does ________.

• Answer: The cost of business

13. Kotter’s Eight-Step Change Model can help an organization gain support for _______ changes.

• Answer: Security policy

14. ________ are best defined as high-level statements, beliefs, goals, and objectives.

• Answer: Policies

15. Accounts that have not been accessed for an extended period of time are often referred to as ________.

• Answer: Dormant accounts

16. List the five tenets of information assurance that you should consider when building an IT policy framework. ________

• Answer: Confidentiality, integrity, availability, authorization, and nonrepudiation

17. List examples of physical security control items. ________

• Answer: Answers may include devices and processes used to control physical access; examples include fences, security guards, locked doors, motion detectors, and alarms

18. A process to refresh policies as needed based on a major event uses the principle called ________.

• Answer: Lessons learned

19. A(n) ________ is a plan or course of action used by an organization to convey instructions from its senior-most management to those who make decisions, take actions, and perform other duties on behalf of the organization.

• Answer: Policy

20. The principle that states security is improved when it is implemented as a series of overlapping controls is called ________.

• Answer: Defense in depth

21. A security team’s organizational structure defines the team’s ________.

• Answer: Priorities or specialties

22. The more layers of approval required for SOD, the more ________ it is to implement the process.

• Answer: Expensive or burdensome

23. Asking to borrow someone’s keycard could be an example of ________.

• Answer: Social engineering

24. You can use a _______ process to grant temporary elevated rights.

• Answer: Firecall-ID

25. A(n) _______ looks at risk and issues an independent opinion.

• Answer: Auditor

26. A(n) _______ has inside information on how an organization operates.

• Answer: Insider

27. A CISO must _______ risks if the business unit is not responsive.

• Answer: Escalate

28. System accounts are also referred to as _______ accounts.

• Answer: Service

29. In information security, EDM typically refers to ________.

• Answer: Enterprise data management

30. The content for the documents in the policies and standards library should be written so they are ________ and ________.

• Answer: Cohesive, coherent

31. The lowest federal government data classification rating for classified material is ________.

• Answer: Confidential

32. Risk exposure can be expressed in the following manner: ________ = ________ × ________.

• Answer: Risk exposure = Likelihood the event will occur × Impact if the event occurs

33. A method outlined in this chapter to determine if an incident is major or minor is to classify an incident with a _______ rating.

• Answer: Severity

34. The IRT starts recording events once an __________.

• Answer: Incident is declared

35. Which IRT member is responsible for handling the media?

• Answer: Public relations

36. To get employees to comply with and accept security policies, the organization must understand the employees’ ________.

• Answer: Motivations or needs

37. ________ often focuses on enterprise risk management across multiple lines of business to resolve strategic business issues.

• Answer: Executive management

38. ________ establish how the organization achieves regulatory requirements.

• Answer: Security policies

39. When testing for security in application code, the quality assurance process tests ________ the code is in production and quality control tests ________ the code is in production.

• Answer: Before, after

40. The operational risk function is responsible for ensuring that the business operates within risk ________ and risk ________.

• Answer: Appetite, tolerance

41. A ________ is a starting point or standard. Within IT, it provides a standard focused on a specific technology used within an organization.

• Answer: Baseline

42. The time between when a new vulnerability is discovered and when software developers start writing a patch is known as a ________.

• Answer: Vulnerability window or security gap

43. A common method of scoring risk is reflected in the following formula: Risk = ________ × ________.

• Answer: Likelihood × Impact

44. A ________ can be used with a downloaded file. It offers verification that the file was provided by a specific entity. It also verifies the file has not been modified.

• Answer: Digital signature
