Question 1

The key to security being an enabler is ________.&#10;A) getting it involved early within the project&#10;B) having strong corporate policies&#10;C) extensive training&#10;D) adequate spending on security

Accepted Answer

Getting security involved early within the project ensures that potential security risks are identified and addressed before they become more difficult and expensive to fix later on. This proactive approach makes security an enabler rather than a hindrance to the project's success. While having strong policies, extensive training, and adequate spending on security are also important, involving security early on has the biggest impact on its ability to enable the project.

Question 2

The stage of the plan-protect response cycle that consumes the most time is ________.&#10;A) planning&#10;B) protection&#10;C) response&#10;D) each of the above consumes about the same amount of time

Accepted Answer

B

Question 3

Many compliance regimes require firms to adopt specific formal governance framework to drive security planning and operational management.

Accepted Answer

Many compliance regimes, such as PCI DSS and HIPAA, require firms to adopt specific formal governance frameworks like COBIT or ITIL to drive security planning and operational management. These frameworks help organizations define their security strategy, establish policies and procedures, and ensure compliance with regulations.

Question 4

Strong security can be an enabler, allowing a company to do things it could not do otherwise.

Accepted Answer

Strong security measures can help build trust with customers and partners, protect against cyber threats and data breaches, and comply with regulations. This can give a company the confidence to pursue new business opportunities and expand its operations while maintaining the safety and privacy of sensitive information. Therefore, strong security can be an enabler for a company.

Question 5

What is missing from the definition of response as &#34;recovery?&#34;&#10;A) The phrase &#34;according to plan&#34; must be added to &#34;recovery.&#34;&#10;B) The definition must refer to specific resources.&#10;C) The phrase &#34;Reasonable degree of&#34; must begin the definition.&#10;D) The phrase &#34;and prosecution&#34; must be added after &#34;recovery.&#34;

Accepted Answer

The definition of response as "recovery" should include the phrase "according to plan" to indicate that the recovery should follow a predetermined plan.

Question 6

Which of the following is a formal process?&#10;A) Annual corporate planning&#10;B) Planning and developing individual countermeasures&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

Both annual corporate planning and planning and developing individual countermeasures are considered formal processes as they involve structured, predefined procedures aimed at achieving specific objectives within organizations.

Question 7

A ________ occur(s) when a single security element failure defeats the overall security of a system.&#10;A) spot failure&#10;B) weakest link failure&#10;C) defense in depth departure&#10;D) critical failure

Accepted Answer

A weakest link failure means that the security of a system can be compromised by the failure of a single element. This is often the result of inadequate or insufficient security measures, and highlights the importance of having a comprehensive and layered approach to security, rather than relying on a single point of protection. Spot failure, defense in depth departure, and critical failure are not specific terms related to this scenario.

Question 8

After performing a preliminary security assessment, a company should develop a remediation plan for EVERY security gap identified.

Accepted Answer

Developing a remediation plan for every security gap identified is an essential step in addressing potential security threats and strengthening a company's security posture. It helps to minimize the risk of a security breach and its potential impact on the organization. Therefore, it is important for a company to develop a remediation plan for every security gap identified in the preliminary security assessment.

Question 9

This book focuses on ________.&#10;A) offense&#10;B) defense&#10;C) offense and defense about equally&#10;D) None of the above

Accepted Answer

The answer of This book focuses on ________.&#10;A) offense&#10;B) defense&#10;C)...

Question 10

Once a company's resources are enumerated, the next step is to ________.&#10;A) create a protection plan for each&#10;B) assess the degree to which each is already protected&#10;C) enumerate threats to each&#10;D) classify them according to sensitivity

Accepted Answer

After enumerating a company's resources, the next step is to classify them according to sensitivity. This will help the company prioritize the protection of its most essential resources. While it is important to assess the degree to which resources are protected and identify threats, these steps come after classification. Creating a protection plan for each resource may also come after identifying threats and assessing their level of risk.

Question 11

A planned series of actions in a corporation is a(n) ________.&#10;A) strategy&#10;B) sequence&#10;C) process&#10;D) anomaly

Accepted Answer

The answer of A planned series of actions in a...

Question 12

It is a good idea to view the security function as a police force or military organization.

Accepted Answer

The answer of It is a good idea to view...

Question 13

The growing number of compliance laws and regulations is driving firms to use formal governance frameworks to guide their security processes.

Accepted Answer

The answer of The growing number of compliance laws and...

Question 14

A company should consider list of possible remediation plans as an investment portfolio.

Accepted Answer

The answer of A company should consider list of possible...

Question 15

The factors that require a firm to change its security planning, protection, and response are called driving forces.

Accepted Answer

The answer of The factors that require a firm to...

Question 16

Closing all routes of attack into an organization's system(s) is called ________.&#10;A) defense in depth&#10;B) comprehensive security&#10;C) total security&#10;D) access control

Accepted Answer

The answer of Closing all routes of attack into an...

Question 17

Planning, protection, and response follow a fairly strict sequence from one stage to another.

Accepted Answer

The answer of Planning, protection, and response follow a fairly...

Question 18

The first step in developing an IT security plan is to ________.&#10;A) determine needs&#10;B) assess the current state of the company's security&#10;C) create comprehensive security&#10;D) prioritize security projects

Accepted Answer

The answer of The first step in developing an IT...

Question 19

IT security people should maintain a negative view of users.

Accepted Answer

The answer of IT security people should maintain a negative...

Question 20

________ is the plan-based creation and operation of countermeasures.&#10;A) Planning&#10;B) Protection&#10;C) Response&#10;D) All of the above

Accepted Answer

The answer of ________ is the plan-based creation and operation...

Question 21

The manager of the security department often is called ________.&#10;A) the chief security officer (CSO)&#10;B) the chief information security officer (CISO)&#10;C) Either A and B&#10;D) Neither A nor B

Accepted Answer

The answer of The manager of the security department often...

Question 22

Compliance laws and regulations ________.&#10;A) create requirements to which security must respond&#10;B) can be expensive for IT security&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Compliance laws and regulations ________.&#10;A) create requirements...

Question 23

________ examines organizational units for efficiency, effectiveness, and adequate controls.&#10;A) Internal auditing&#10;B) Financial auditing&#10;C) IT auditing&#10;D) None of the above

Accepted Answer

The answer of ________ examines organizational units for efficiency, effectiveness,...

Question 24

Independence is best provided for IT security by placing it within the IT department.

Accepted Answer

The answer of Independence is best provided for IT security...

Question 25

When companies studied where they stored private information, they found that much of this information was stored inside spreadsheets and word processing documents.

Accepted Answer

The answer of When companies studied where they stored private...

Question 26

The FTC can act against companies that fail to take reasonable precautions to protect privacy information.

Accepted Answer

The answer of The FTC can act against companies that...

Question 27

________ examines financial processes for efficiency, effectiveness, and adequate controls.&#10;A) Internal auditing&#10;B) Financial auditing&#10;C) IT auditing&#10;D) None of the above

Accepted Answer

The answer of ________ examines financial processes for efficiency, effectiveness,...

Question 28

Placing security within IT ________.&#10;A) creates independence&#10;B) is likely to give security stronger backing from the IT department&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Placing security within IT ________.&#10;A) creates independence&#10;B)...

Question 29

________ specifically addresses data protection requirements at financial institutions.&#10;A) GLBA&#10;B) HIPAA&#10;C) The Revised SEC Act&#10;D) Sarbanes-Oxley

Accepted Answer

The answer of ________ specifically addresses data protection requirements at...

Question 30

The FTC can ________.&#10;A) impose fines&#10;B) require annual audits by external auditing firms for many years&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of The FTC can ________.&#10;A) impose fines&#10;B) require...

Question 31

Which companies do PCI-DSS affect?&#10;A) E-commerce firms&#10;B) Medical firms&#10;C) Government organizations&#10;D) Companies that accept credit card payments

Accepted Answer

The answer of Which companies do PCI-DSS affect?&#10;A) E-commerce firms&#10;B)...

Question 32

In order to demonstrate support for security, top management must ________.&#10;A) ensure that security has an adequate budget&#10;B) support security when there are conflicts between the needs of security and the needs of other business functions&#10;C) follow security procedures themselves&#10;D) All of the above

Accepted Answer

The answer of In order to demonstrate support for security,...

Question 33

________ examines IT processes for efficiency, effectiveness, and adequate controls.&#10;A) Internal auditing&#10;B) Financial auditing&#10;C) IT auditing&#10;D) None of the above

Accepted Answer

The answer of ________ examines IT processes for efficiency, effectiveness,...

Question 34

A ________ is a material deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.

A) material control failure
B) material control deficiency
C) critical control deficiency
D) critical control failure

Accepted Answer

The answer of A ________ is a material deficiency, or...

Question 35

Most IT security analysts recommend placing IT security functions within the IT department.

Accepted Answer

The answer of Most IT security analysts recommend placing IT...

Question 36

Data breach notification laws typically ________.&#10;A) require companies to notify affected people if sensitive personally identifiable information is stolen or even lost&#10;B) have caused companies to think more about security&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Data breach notification laws typically ________.&#10;A) require...

Question 37

What type of organization is subject to FISMA?&#10;A) E-commerce firms&#10;B) Medical firms&#10;C) Government organizations&#10;D) Companies that accept credit card payments

Accepted Answer

The answer of What type of organization is subject to...

Question 38

In FISMA, ________ is done internally by the organization.&#10;A) certification&#10;B) accreditation&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of In FISMA, ________ is done internally by...

Question 39

________ specifically addresses data protection requirements at health care institutions.&#10;A) GLBA&#10;B) HIPAA&#10;C) Sarbanes-Oxley&#10;D) The SEC Act

Accepted Answer

The answer of ________ specifically addresses data protection requirements at...

Question 40

Placing IT auditing in an existing auditing department would give independence from IT security.

Accepted Answer

The answer of Placing IT auditing in an existing auditing...

Question 41

In benefits, costs and benefits are expressed on a per-year basis.

Accepted Answer

The answer of In benefits, costs and benefits are expressed...

Question 42

Which of the following is a way of responding to risk with active countermeasures?&#10;A) Risk reduction&#10;B) Risk acceptance&#10;C) Risk avoidance&#10;D) All of the above

Accepted Answer

The answer of Which of the following is a way...

Question 43

To outsource some security functions, a firm can use an MISP.

Accepted Answer

The answer of To outsource some security functions, a firm...

Question 44

What security functions typically are outsourced?&#10;A) Policy&#10;B) Vulnerability testing&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of What security functions typically are outsourced?&#10;A) Policy&#10;B)...

Question 45

SLE times APO gives the ________.&#10;A) expected per-event loss&#10;B) expected annual loss&#10;C) expected life cycle loss&#10;D) expected per-event benefit

Accepted Answer

The answer of SLE times APO gives the ________.&#10;A) expected...

Question 46

The goal of IT security is risk elimination.

Accepted Answer

The answer of The goal of IT security is risk...

Question 47

________ means responding to risk by taking out insurance.&#10;A) Risk reduction&#10;B) Risk acceptance&#10;C) Risk avoidance&#10;D) Risk transference

Accepted Answer

The answer of ________ means responding to risk by taking...

Question 48

Which of the following gives the best estimate of the complete cost of a compromise?&#10;A) ALE&#10;B) ARO&#10;C) TCI&#10;D) Life cycle cost

Accepted Answer

The answer of Which of the following gives the best...

Question 49

The book recommends hard-headed thinking about security ROI analysis.

Accepted Answer

The answer of The book recommends hard-headed thinking about security...

Question 50

What security function(s) usually is(are) not outsourced?&#10;A) Planning&#10;B) Intrusion detection&#10;C) Vulnerability testing&#10;D) All of the above

Accepted Answer

The answer of What security function(s) usually is(are) not outsourced?&#10;A)...

Question 51

________ entails investigating the IT security of external companies and the implications of close IT partnerships before implementing interconnectivity.&#10;A) Auditing&#10;B) Due diligence&#10;C) Peer-to-peer security&#10;D) Vulnerability testing

Accepted Answer

The answer of ________ entails investigating the IT security of...

Question 52

________ means implementing no countermeasures and absorbing any damages that occur.&#10;A) Risk reduction&#10;B) Risk acceptance&#10;C) Risk avoidance&#10;D) None of the above

Accepted Answer

The answer of ________ means implementing no countermeasures and absorbing...

Question 53

What security functions typically are outsourced?&#10;A) Intrusion detection&#10;B) Vulnerability testing&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of What security functions typically are outsourced?&#10;A) Intrusion...

Question 54

The goal of IT security is reasonable risk reduction.

Accepted Answer

The answer of The goal of IT security is reasonable...

Question 55

Vulnerability testing typically is not outsourced.

Accepted Answer

The answer of Vulnerability testing typically is not outsourced....

Question 56

The worst problem with classic risk analysis is that ________.&#10;A) protections often protect multiple resources&#10;B) resources often are protected by multiple resources&#10;C) we cannot estimate the annualized rate of occurrence&#10;D) costs and benefits are not the same each year

Accepted Answer

The answer of The worst problem with classic risk analysis...

Question 57

When risk analysis deals with costs and benefits that vary by year, the computations should use ________.&#10;A) NPV&#10;B) IRR&#10;C) Either A or B&#10;D) Neither A nor B

Accepted Answer

The answer of When risk analysis deals with costs and...

Question 58

According to the author, information assurance is a good name for IT security.

Accepted Answer

The answer of According to the author, information assurance is...

Question 59

Security tends to impede functionality.

Accepted Answer

The answer of Security tends to impede functionality....

Question 60

A benefit of using MSSPs is that they provide ________.&#10;A) cost savings&#10;B) independence&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of A benefit of using MSSPs is that...

Question 61

Security professionals should minimize burdens on functional departments.

Accepted Answer

The answer of Security professionals should minimize burdens on functional...

Question 62

Policies should specify implementation in detail.

Accepted Answer

The answer of Policies should specify implementation in detail....

Question 63

Using both a firewall and host hardening to protect a host is ________.&#10;A) defense in depth&#10;B) risk acceptance&#10;C) an anti-weakest link strategy&#10;D) adding berms

Accepted Answer

The answer of Using both a firewall and host hardening...

Question 64

Companies should replace their legacy security technologies immediately.

Accepted Answer

The answer of Companies should replace their legacy security technologies...

Deck 2: Planning and Policy