Question 6. Defining the scope of an ISMS is part of which phase of the BS7799 Part 2 Plan-Do-Check-Act cycle?
Plan
Do
Check
Act
Question 7. A ____ is a more detailed statement of what must be done to comply with a policy.
procedure
standard
guideline
practice
Question 8. ____ leaders are also known as "laid-back" leaders.
Autocratic
Laissez-faire
Democratic
Aristocratic
Question 9. The information security policy is written during the ____ phase of the SecSDLC.
investigation
maintenance
implementation
design
Question 10. Vulnerability Identification is a part of the ____ chapter of NIST SP 800-30.
Risk Assessment
Risk Mitigation
Evaluation and Assessment
Risk Management Overview
Question 11. At the end of each phase of the security systems development life cycle (SecSDLC), a ____ takes place.
brainstorming session
structured discussion
structured review
planning session
Question 12. The ____ section of ISO/IEC 17799:2005 addresses legal requirements, security policies and standards, and technical and information systems audit considerations.
human resources security
business continuity management
compliance
information security incident management
Question 13. ____ controls deal with managerial functions and lower-level planning such as disaster recovery and incident response planning.
Managerial
Operational
Technical
Tactical
Question 14. According to the C.I.A. triangle, the three desirable characteristics of information are confidentiality, integrity, and ____.
accountability
availability
authorization
authentication
Question 15. ____ is an international standard framework that is based on the security model Information Technology-Code of Practice for Information Security Management.
ISO/IEC 17799
NIST SP 800-12
RFC 2196
NIST SP 800-26
Question 16. Which of the following is a characteristic of the bottom-up approach to security implementation?
strong upper-management support
a clear planning and implementation process
systems administrators attempting to improve the security of their systems
ability to influence organizational culture
Question 17. The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
Control environment
Risk assessment
Control activities
Information management
Question 18. Which of the following is an advantage of the user support group form of training?
usually conducted in an informal social setting
formal training plan
can be live, or can be archived and viewed at the trainee's convenience
can be customized to the needs of the trainee
Question 19. The ____ model describes the layers at which security controls can be applied.
NSTISSC
EISP
bull's-eye
policy
Question 20. A policy acknowledgment screen that does not require any unusual action on the part of the user to move past it is a ____.
blow-by screen
first-parameter screen
light screen
peripheral screen
Question 21. ____ evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness.
Systems testing
Risk assessment
Incident response
Planning
Question 22. Very large organizations have ____ computers.
100 to 1,000
1,000 to 5,000
10,000 to 50,000
more than 10,000
Question 23. During the ____ phase of the SecSDLC, the information security policy is monitored, maintained, and modified as needed.
implementation
maintenance
analysis
investigation
Question 24. The logical design of a system is said to be ____ independent.
design
hardware
implementation
product
Question 25. Which of the following is not a best practice recommendation from Microsoft for PC protection?
Use antivirus software
Avoid open source software
Build personal firewalls
Update product security
Question 26. Which of the following is the first step in the process of implementing training?
identify training staff
identify target audiences
identify program scope, goals, and objectives
motivate management and employees
Question 27. In NIST SP 800-26, the area of Physical Security comes under ____.
Management Controls
Operational Controls
Technical Controls
Personnel Controls
Question 28. The protection of information and the systems and hardware that use, store, and transmit that information is known as ____.
security
information security
authentication
identification
Question 29. Physical security is concerned with the protection of the ____.
people within the organization
physical assets of the organization
network devices of the organization
data of the organization
Question 30. The ____ layer of the bull's-eye model consists of computers used as servers, desktop computers, and systems used for process control and manufacturing systems.
Policies
Networks
Applications
Systems
Question 31. Security efforts that are among the best in the industry are referred to as ____.
best industry practices
best security models
best business models
best security practices
Question 32. As part of DRP readiness, each employee should have two types of ____ information cards in his or her possession at all times.
emergency
medical
insurance
lottery
Question 33. In the bull's-eye model, the ____ layer is the place where threats from public networks meet the organization's networking infrastructure.
Applications
Networks
Systems
Policies
Question 34. ____ involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.
Security awareness
Security education
Security accountability
Security training
Question 35. A ____ is a value or profile of a performance metric against which changes in the performance metric can be usefully compared.
target
framework
benchmark
baseline
Question 36. ____ management is the administration of various components involved in the security program.
Configuration
Accounting
Fault
Performance
Question 37. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of the ____ process.
accountability
authorization
identification
authentication
Question 38. ____ is the transfer of live transactions to an off-site facility.
Remote journaling
Electronic vaulting
Database shadowing
Timesharing
Question 39. A manager has informational, interpersonal, and ____ roles within the organization.
decisional
creative
security related
leadership
Question 40. The COSO framework component ____ includes the policies and procedures to support management directives.
Control environment
Risk assessment
Control activities
Information management