Deck 8: Controls for Information Security

A)is available for operation and use at times set forth by agreement.
B)is protected against unauthorized physical and logical access.
C)can be maintained as required without affecting system availability, security, and integrity.
D)is complete, accurate, and valid.

A)availability.
B)security.
C)privacy.
D)integrity.

A)P < 6
B)D = 6
C)P = 6
D)P > 6

A)FASB
B)COSO
C)AICPA
D)PCAOB

A)the time it takes to respond to and stop the attack.
B)the time it takes for the organization to detect that an attack is in progress.
C)the time it takes an attacker to break through the various controls that protect the organization's information assets.
D)the time it takes to assess threats and select risk response.

A)availability.
B)security.
C)privacy.
D)integrity.

A)D > P
B)P > D
C)P > C
D)C > P

A)Developing and documenting policies.
B)Effectively communicating policies to all outsiders.
C)Designing and employing appropriate control procedures to implement policies.
D)Monitoring the system and taking corrective action to maintain compliance with policies.

A)preventing fictitious transactions.
B)reducing the system cost.
C)making the system more efficient.
D)making it impossible for unauthorized users to access the system.

A)is available for operation and use at times set forth by agreement.
B)is protected against unauthorized physical and logical access.
C)can be maintained as required without affecting system availability, security, and integrity.
D)is complete, accurate, and valid.

A)availability.
B)security.
C)maintainability.
D)integrity.

A)availability.
B)security.
C)confidentiality.
D)integrity.

A)Information security is a technology issue based on prevention.
B)Security is a management issue, not a technology issue.
C)The idea of defense-in-depth employs multiple layers of controls.
D)The time-based model of security focuses on the relationship between preventive, detective and corrective controls.

A)effective.
B)ineffective.
C)overdone.
D)undermanaged.

A)is available for operation and use at times set forth by agreement.
B)is protected against unauthorized physical and logical access.
C)can be maintained as required without affecting system availability, security, and integrity.
D)is complete, accurate, and valid.

A)availability.
B)security.
C)privacy.
D)integrity.

A)the time it takes to respond to and stop the attack.
B)the time it takes for the organization to detect that an attack is in progress.
C)the time it takes an attacker to break through the various controls that protect the organization's information assets.
D)the time it takes to assess threats and select risk response.

A)scanning and mapping the target.
B)social engineering.
C)research.
D)reconnaissance.

A)scanning and mapping the target.
B)social engineering.
C)research.
D)reconnaissance.

A)Emergency response teams
B)Encryption
C)Log analysis
D)Intrusion detection

A)Physical access controls
B)Encryption
C)Emergency response teams
D)Log analysis

A)Continuous monitoring
B)Encryption
C)Emergency response teams
D)Log analysis

A)authentication.
B)authorization.
C)identification.
D)threat monitoring.

A)Physical access controls.
B)Encryption.
C)Intrusion detection.
D)Incident response teams.

A)Physical access controls.
B)Encryption.
C)Continuous monitoring.
D)Incident response teams.

A)the time it takes to respond to and stop the attack.
B)the time it takes for the organization to detect that an attack is in progress.
C)the time it takes an attacker to break through the various controls that protect the organization's information assets.
D)the time it takes to assess threats and select risk response.

A)Passwords should be changed at regular intervals.
B)Passwords should be no more than 8 characters in length.
C)Passwords should contain a mixture of upper and lowercase letters, numbers and characters.
D)Passwords should not be words found in dictionaries.

A)scanning and mapping the target.
B)social engineering.
C)research.
D)reconnaissance.

A)scanning and mapping the target.
B)social engineering.
C)research.
D)reconnaissance.

A)involves the use of two or more basic authentication methods.
B)is a table specifying which portions of the systems users are permitted to access.
C)provides weaker authentication than the use of effective passwords.
D)requires the use of more than one effective password.

A)authentication.
B)authorization.
C)identification.
D)threat monitoring.

A)Restricting access to rooms with printers.
B)Coding reports to reflect their importance.
C)Allowing visitors to move through the building without supervision.
D)Requiring employees to log out of applications when leaving their desk.

A)The creation of a "security-aware" culture.
B)The creation of a "Log user friendly" culture.
C)The creation of a "continuous monitoring" culture.
D)The creation of a chief information security officer position.

A)access control list
B)Internet protocol
C)packet switching protocol
D)transmission control protocol

A)Penetration test.
B)Vulnerability scan.
C)Deep packet inspection
D)Buffer overflow test.

A)demilitarized zone.
B)intrusion detection system.
C)intrusion prevention system.
D)firewall.

A)access control list
B)deep packet inspection
C)stateful packet filtering
D)static packet filtering

A)packet filtering.
B)deep packet inspection.
C)access control list.
D)access control matrix

A)Log analysis test
B)Intrusion test
C)Penetration test
D)Vulnerability test

A)Training.
B)Controlling physical access.
C)Controlling remote access.
D)Host and application hardening.

A)Controlling physical access.
B)Encryption.
C)Profiling.
D)Awareness training.

A)an intrusion prevention system.
B)stateful packet filtering.
C)static packet filtering.
D)deep packet inspection.

A)softening attack.
B)hardening attack.
C)cross-site scripting attack.
D)buffering attack.

A)deep packet inspection.
B)stateful packet filtering.
C)static packet filtering.
D)an intrusion prevention system.

A)access control list.
B)deep packet inspection.
C)intrusion filtering.
D)packet filtering.

A)intrusion detection system.
B)log analysis.
C)penetration test.
D)vulnerability scan.

A)is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
B)is used to implement authentication controls.
C)matches the user's authentication credentials to his authorization.
D)is a table specifying which portions of the system users are permitted to access.

A)demilitarized zone.
B)intrusion detection system.
C)intrusion prevention system.
D)firewall.

A)access control list
B)Internet protocol
C)packet switching protocol
D)transmission control protocol

A)Intrusion detection system.
B)Vulnerability scan.
C)Log analysis.
D)Penetration test.

A)router scanners
B)vulnerabilities scanners
C)deep inspection scanners
D)TCP scanners

A)deep packet inspection.
B)hardening.
C)intrusion detection.
D)modaling.

A)validity test
B)biometric matrix
C)logical control matrix
D)access control matrix

A)authentication control.
B)biometric device.
C)remote access control.
D)authorization control.

A)preventive control.
B)detective control.
C)corrective control.
D)security control.

A)routes electronic communications within an organization.
B)connects an organization's information system to the Internet.
C)permits controlled access from the Internet to selected resources.
D)serves as the main firewall.

A)change management.
B)cloud computing.
C)patch management.
D)user account management.

A)a firewall.
B)stateful packet filtering.
C)a demilitarized zone.
D)employee awareness training.

A)authentication control.
B)biometric device.
C)remote access control.
D)authorization control.

A)routes electronic communications within an organization.
B)connects an organization's information system to the Internet.
C)permits controlled access from the Internet to selected resources.
D)serves as the main firewall.

A)The security level is set at the factory and cannot be changed.
B)Security is set to an adjustable level that changes depending on the wireless network the device is connected.
C)Security is set to the lowest level that the device is capable of handling.
D)Security is set to the highest level that the device is capable of handling.

A)IDS
B)TCP/IP
C)MAC
D)DMZ

A)authentication control.
B)authorization control.
C)physical access control.
D)hardening procedure.

A)a firewall.
B)employee training.
C)a demilitarized zone.
D)stateful packet filtering.

A)authorization control.
B)biometric device.
C)remote access control.
D)defense in depth.

A)Code mastication.
B)Boot sector corruption.
C)URL injection.
D)Buffer overflow.

A)chief information officer
B)chief operations officer
C)chief security officer
D)computer emergency response team