Question 1

Which of the following is an information security deliverable?&#10;A) Information-security-related processes.&#10;B) Software and hardware products.&#10;C) Security-related personnel.&#10;D) All of the above.

Accepted Answer

Information security deliverables encompass a wide range of elements including processes related to information security, software and hardware products designed for security purposes, and personnel who are specialized in security matters.

Question 2

How many increasing levels of Evaluation Assurance Levels (EALs) are there?&#10;A) 1.&#10;B) 3.&#10;C) 5.&#10;D) 7.

Accepted Answer

There are 7 increasing levels of Evaluation Assurance Levels (EALs), ranging from EAL1 to EAL7, each providing a higher level of assurance than the previous.

Question 3

Which of the following best describes a Passive Threat?&#10;A) A hacker destroying the Accounts Payable files.&#10;B) A disgruntled employee destroying the Accounts Payable files.&#10;C) A Vendor destroying the Accounts Payables files.&#10;D) A flood destroying the Accounts Payable files.

Accepted Answer

A passive threat is a threat that does not require a deliberate action by a human attacker. In this scenario, the flood is a passive threat as it is a natural disaster that can destroy the Accounts Payable files without any malicious intent from anyone. Options A, B, and C involve deliberate actions by a hacker, disgruntled employee, and vendor respectively, making them active threats.

Question 4

Which of the following types of assets require protection according to the ISO standards?&#10;A) Human Resource.&#10;B) Information Assets.&#10;C) Software Assets.&#10;D) All of the above.

Accepted Answer

ISO standards emphasize the protection of all types of assets, including human resources, information, and software, as part of comprehensive information security management.

Question 5

What are forms of assurance come for information security?&#10;A) Informal or Semi-formal.&#10;B) Formal Certification by an Accredited Certification Body.&#10;C) Self Certification.&#10;D) All of the above.

Accepted Answer

All of the above options are forms of assurance for information security. Informal or semi-formal methods might include internal reviews or audits, formal certification involves an accredited body certifying that an organization meets certain standards, and self-certification is where an organization assesses itself against a set of criteria or standards.

Question 6

How can an organization have some type evidence-based assertion that increases one's certainty that a security-related deliverable can withstand specified security threats?&#10;A) Through Risk Analysis Matrix.&#10;B) Through Information security assurance (ISA).&#10;C) Through Internal Controls.&#10;D) Through hiring hackers to test the system.

Accepted Answer

Information security assurance (ISA) refers to the process of providing evidence-based assurance that a security-related deliverable can withstand specified security threats. This is achieved through the use of various techniques such as testing, verification, and validation. ISA helps organizations to increase their certainty that their security-related deliverables are effective in mitigating security risks.

Options A, C, and D are not the best choices for providing evidence-based assurance because:
A) Risk Analysis Matrix only helps to identify risks but does not provide evidence that security-related deliverables can withstand the identified risks.
C) Internal Controls refer to the policies and procedures in place to ensure compliance, but do not provide evidence that security-related deliverables can withstand specified security threats.
D) Hiring hackers to test the system can help identify vulnerabilities, but it does not provide evidence that the system can withstand specified security threats.

Question 7

What does the standard ISO 27002 highlight?&#10;A) Controls that are essential to essential due to legislation.&#10;B) Controls That Exist in Common Practice for Accounting Standards.&#10;C) Controls that exist to conform to GAAP.&#10;D) All of the above.

Accepted Answer

The standard ISO 27002 highlights controls that are essential due to legislation related to information security, such as data protection laws and regulations. The other options are not relevant to the scope of ISO 27002.

Question 8

What does a Gap Analysis focus on?&#10;A) The uncovered security area between a companies firewall and their internet service providers security programs.&#10;B) Identifying needed controls that are not already in place.&#10;C) The background investigations of employees.&#10;D) All of the above.

Accepted Answer

A gap analysis typically focuses on identifying needed controls that are not already in place, rather than specific security issues such as the uncovered area between a company's firewall and their ISP's security programs or background investigations of employees.

Question 9

The levels of Evaluation Assurance Levels do what for each other?&#10;A) Contradict.&#10;B) Compliment.&#10;C) Provide increasing levels of assurance.&#10;D) Negate.

Accepted Answer

Evaluation Assurance Levels provide increasing levels of assurance, meaning as the level goes up, the amount of confidence in the security and reliability of the system or product increases.

Question 10

The ISO &#34;Family&#34; that promulgates information security standards are:&#10;A) 9000.&#10;B) 15000.&#10;C) 17000.&#10;D) 27000.

Accepted Answer

The ISO "Family" that promulgates information security standards is ISO/IEC 27000 series. This series includes a number of standards related to information security management systems (ISMS), such as ISO/IEC 27001 (ISMS requirements) and ISO/IEC 27002 (code of practice for information security controls).

Question 11

____________ are systems-related individuals or events that can result in losses to the organization.&#10;A) Threats.&#10;B) Vulnerabilities.&#10;C) Risks.&#10;D) Any of the above.

Accepted Answer

The answer of ____________ are systems-related individuals or events that...

Question 12

What are the three options when dealing with Risk Management?&#10;A) Accept the risk, Resolve the risk, Counteract the risk.&#10;B) Ignore the risk, Insure the risk, Write policies against the risk.&#10;C) Accept the risk, Insure the risk, Implement controls against the risk.&#10;D) Accept the risk, Insure the risk, Admonish employees who cause the risk.

Accepted Answer

The answer of What are the three options when dealing...

Question 13

What is the Statement of Applicability (SOA) and what should it be consistent with?&#10;A) The SOA is the end-product of the risk-assessment process and should be consistent with the ISMS policy developed in the early stages of the PDAC process.&#10;B) The SOA is the first draft of the risk-assessment process should be consistent with the ISMS policy developed in the early stages of the PDAC process.&#10;C) The SOA is the end-product of the risk-assessment process and should be contradictive to the ISMS policy developed in the later stages of the PDAC process.&#10;D) The SOA should be consistent with the risk assessment standards found in ISO 9002.

Accepted Answer

The answer of What is the Statement of Applicability (SOA)...

Question 14

Which of the following best describes and Active Threat?&#10;A) A flood destroying the Accounts Payable files.&#10;B) A hacker destroying the Accounts Payable files.&#10;C) A fire destroys the Accounts Payable files.&#10;D) A computer malfunction destroying the Accounts Payable files.

Accepted Answer

The answer of Which of the following best describes and...

Question 15

An organizational internal control process that ensures confidentiality, integrity, and availability within the company is called:&#10;A) An information security deliverable.&#10;B) An information security management system.&#10;C) Enterprise risk management.&#10;D) Planning-Doing-Checking-Acting.

Accepted Answer

The answer of An organizational internal control process that ensures...

Question 16

When developing an ISMS, how many phases are there?&#10;A) 3.&#10;B) 4.&#10;C) 5.&#10;D) 6.

Accepted Answer

The answer of When developing an ISMS, how many phases...

Question 17

Which of the following are levels of access security level within a corporation?&#10;A) Unclassified, Shared, Company Only, Confidential.&#10;B) Unclassified and classified.&#10;C) Unclassified, Secret, Top Secret and Eyes Only.&#10;D) Public, private and executive.

Accepted Answer

The answer of Which of the following are levels of...

Question 18

What are the 3 ISMS security objectives?&#10;A) Assess, modify, implement.&#10;B) Integrate, evaluate, modify.&#10;C) Confidentiality, integrity, availability.&#10;D) Integrity, evaluation, implementation.

Accepted Answer

The answer of What are the 3 ISMS security objectives?&#10;A)...

Question 19

An information security deliverable, information security management system and enterprise risk management are generally a part of a companies:&#10;A) Internal Controls.&#10;B) External Controls.&#10;C) Detective Controls.&#10;D) Preventative Controls.

Accepted Answer

The answer of An information security deliverable, information security management...

Question 20

Who is/are the International Standard Organization (ISO)?&#10;A) A group of Forensic Accountants who develop internal control standards.&#10;B) A membership organization for Information Security Managers.&#10;C) An international group that promulgates standards relating to business processes.&#10;D) A U.S. Governmental organization similar to the SEC that regulates computer fraud and information security.

Accepted Answer

The answer of Who is/are the International Standard Organization (ISO)?&#10;A)...

Question 21

Compare and contrast Trusted Product Evaluation Program (TPEP) and the Trust Technology Assessment Program (TTAP).

Accepted Answer

The answer of Compare and contrast Trusted Product Evaluation Program...

Question 22

What is the best approach to data protection?&#10;A) Firewalls.&#10;B) Intrusion detection controls.&#10;C) Risk Management Policies.&#10;D) Layered Approach.

Accepted Answer

The answer of What is the best approach to data...

Question 23

How could Information security assurance (ISA) be implemented at your businesses or college?

Accepted Answer

The answer of How could Information security assurance (ISA) be...

Question 24

The formal written disaster management and recovery plan should name one person within the organization as what?&#10;A) Emergency response director.&#10;B) Data recovery officer.&#10;C) Chief information officer.&#10;D) Emergency recovery specialist.

Accepted Answer

The answer of The formal written disaster management and recovery...

Question 25

Describe the risk assessment three-step process.

Accepted Answer

The answer of Describe the risk assessment three-step process....

Question 26

Incident handling applies primarily to the check (continuous evaluation) phase in the _______ methodology.&#10;A) ISO.&#10;B) SOA.&#10;C) ISMS.&#10;D) PDAC.

Accepted Answer

The answer of Incident handling applies primarily to the check...

Question 27

Which of the following is not a layer of data protection?&#10;A) Network layer.&#10;B) Internal control layer.&#10;C) Application layer.&#10;D) Database layer.

Accepted Answer

The answer of Which of the following is not a...

Question 28

What are some possible strategies for Risk Management/Treatment?

Accepted Answer

The answer of What are some possible strategies for Risk...

Question 29

Security engineering refers to what?&#10;A) The physical design of a security system.&#10;B) The application of engineering concepts to the development of security processes.&#10;C) The GAAP standards that apply to protecting accounting records.&#10;D) All of the above.

Accepted Answer

The answer of Security engineering refers to what?&#10;A) The physical...

Question 30

What is supposed to happen under information security incident management?

Accepted Answer

The answer of What is supposed to happen under information...

Question 31

Describe the ISMS Life Cycle and PDCA.

Accepted Answer

The answer of Describe the ISMS Life Cycle and PDCA....

Question 32

If your process has reached maturity, and has achieved lower costs, shorter development times, higher quality, and higher productivity, then it must have:&#10;A) Process predictability.&#10;B) Process control.&#10;C) Process compliance.&#10;D) Process effectiveness.

Accepted Answer

The answer of If your process has reached maturity, and...

Question 33

The Certified Information Systems Security Professionals (CISSP) tests what?&#10;A) Individuals.&#10;B) Organizations.&#10;C) Processes.&#10;D) Systems.

Accepted Answer

The answer of The Certified Information Systems Security Professionals (CISSP)...

Question 34

How is Information Security Assurance achieved?

Accepted Answer

The answer of How is Information Security Assurance achieved?...

Question 35

What is Federal Information Processing Standard 140 (FIPS 140) and what does it define?

Accepted Answer

The answer of What is Federal Information Processing Standard 140...

Question 36

Assessing risks involves:&#10;A) Threat analysis.&#10;B) Vulnerability analysis.&#10;C) Risk analysis.&#10;D) Both a and

Accepted Answer

The answer of Assessing risks involves:&#10;A) Threat analysis.&#10;B) Vulnerability analysis.&#10;C)...

Question 37

Who developed Trusted Product Evaluation Program (TPEP)?&#10;A) NASa.&#10;B) NSA.&#10;C) CIA.&#10;D) FBI.

Accepted Answer

The answer of Who developed Trusted Product Evaluation Program (TPEP)?&#10;A)...

Question 38

Explain how the ISO promulgates standards in &#34;families&#34; and what that means.

Accepted Answer

The answer of Explain how the ISO promulgates standards in...

Question 39

In regards to total destruction that occurs during a disaster, when does most of the damage occur?&#10;A) During the disaster.&#10;B) After the disaster, but before the recovery.&#10;C) During the recovery.&#10;D) When employees overreact.

Accepted Answer

The answer of In regards to total destruction that occurs...

Question 40

Who are some types of individuals posing active and passive threats?

Accepted Answer

The answer of Who are some types of individuals posing...

Question 41

Threats are systems-related individuals or events that can result in losses to the organization.

Accepted Answer

The answer of Threats are systems-related individuals or events that...

Question 42

Gap analysis focuses on identifying needed governmental controls that are not already in place.

Accepted Answer

The answer of Gap analysis focuses on identifying needed governmental...

Question 43

The assurance authority in a business would decide who to consult for assurances on deliverables.

Accepted Answer

The answer of The assurance authority in a business would...

Question 44

Single security standards, even when properly implemented, generally do not lead to complete security assurances in terms of all assessment approaches and life-cycle phases.

Accepted Answer

The answer of Single security standards, even when properly implemented,...

Question 45

The ISMS is a stand-alone process.

Accepted Answer

The answer of The ISMS is a stand-alone process....

Question 46

Process control means that the process produces results that are consistent and according to plans.

Accepted Answer

The answer of Process control means that the process produces...

Question 47

Some of the Certified Information Systems Security Professionals criteria are; Access Control Systems & Methodology, Applications & Systems Development, Business Continuity Planning, Cryptography, Law, Investigation & Ethics, Operations Security.

Accepted Answer

The answer of Some of the Certified Information Systems Security...

Question 48

Some Information security assurances involve organizations such as Local, state, national and international governments and organizations, Organizational policy makers (e.g., for policies relating to security, personnel, procurement, and marketing) and End users (including consumer and business users).

Accepted Answer

The answer of Some Information security assurances involve organizations such...

Question 49

Software assets include data and information of all types, including for example, data files, accounting information, plans and strategies, policies, intellectual property, documentation, user manuals, training manuals, policies and procedures.

Accepted Answer

The answer of Software assets include data and information of...

Question 50

The normal approach to penetration testing is to attempt to exploit all possible vulnerabilities.

Accepted Answer

The answer of The normal approach to penetration testing is...

Deck 5: Fraud Prevention and Risk Management