Question 1

Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?

Accepted Answer

The traditional waterfall model is a linear and sequential approach where the output of one phase becomes the input for the next phase.

Question 2

The impetus to begin an SDLC-based project may be ____________________,that is,a response to some activity in the business community,inside the organization,or within the ranks of employees,customers,or other stakeholders.

Accepted Answer

The answer of The impetus to begin an SDLC-based project...

Question 3

An example of a stakeholder of a company includes all of the followingexcept:​

Accepted Answer

The general public is not a direct stakeholder of a company, as they are not directly impacted by the company's operations or profits. However, they may still be considered an indirect stakeholder if their interests, such as environmental or social concerns, are impacted by the company's actions. Employees, stockholders, and management are all direct stakeholders of a company.

Question 4

A project manager who understands project management,personnel management,and InfoSec technical requirements is needed to fill the role of a(n)____________.

Accepted Answer

A team leader in the context of project management should possess knowledge of project management, personnel management and InfoSec technical requirements to effectively lead the team and ensure project success. A champion is someone who advocates for a particular cause, an end user is someone who uses the product/service, and a policy developer specifically focuses on developing policies. These roles may require some knowledge of project management, but not necessarily the full range of skills listed in the question.

Question 5

The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.

Accepted Answer

Vulnerability assessment is the process of identifying and documenting specific vulnerabilities or weaknesses in an organization's information asset environment. This may involve scanning for known vulnerabilities, reviewing configurations and access controls, and analyzing network traffic to identify potential vulnerabilities. The goal is to identify areas where the organization's assets may be vulnerable to attack, and to develop strategies for mitigating those vulnerabilities. Penetration testing involves attempting to exploit identified vulnerabilities to determine how an attacker could potentially gain access to the organization's systems or data, and is often used in conjunction with vulnerability assessments. Exploit identification involves identifying known or unknown vulnerabilities in software or systems, which can then be used to develop exploits that can be used to attack those systems. Safeguard neutralization is not a recognized term in the field of information security.

Question 6

Which of these is a systems development approach that incorporates teams ofrepresentatives from multiple constituencies,including users,management,and IT,each with avested interest in the project's success?

Accepted Answer

Joint application design (JAD) is a systems development approach that includes representatives from various groups, including users, management, and IT. These representatives work together as a team, and each has an interest in the project's success. The approach is collaborative, and the goal is to achieve consensus on project requirements and design.

Question 7

A senior executive who promotes the project and ensures its support,both financially and administratively,at the highest levels of the organization is needed to fill the role of a(n)____________ on a development team.

Accepted Answer

A champion is a senior executive who promotes and supports the project at the highest levels of the organization both financially and administratively. They act as a bridge between the development team and the rest of the organization, ensuring that the project's goals align with the organization's overall strategy.

Question 8

The individual responsible for the assessment,management,and implementation of information-protection activities in the organization is known as a(n)____________.

Accepted Answer

A chief information security officer (CISO) is the individual responsible for assessing, managing, and implementing information-protection activities in the organization. They are tasked with ensuring that the organization's information is protected from cyber threats and other security risks. A security technician or manager may have responsibilities in this area but would not have the overall responsibility or authority that a CISO possesses. A chief technology officer (CTO) is responsible for the overall technology strategy of the organization but may not necessarily have a specific focus on information security.

Question 9

ISO 27014:2013 is the ISO 27000 series standard for ____________.

Accepted Answer

ISO 27014:2013 specifically focuses on the governance of information security, providing guidelines for senior management to establish and maintain an effective information security governance framework. It complements the ISO 27001 standard, which covers information security management systems.

Question 10

What is the first phase of the SecSDLC?

Accepted Answer

The first phase of the Security Systems Development Life Cycle (SecSDLC) is the investigation phase, where the need for a new or enhanced security system is explored and defined.

Question 11

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n)____________.

Accepted Answer

A penetration tester is an information security professional who is authorized to attempt to gain system access to identify and recommend resolutions for vulnerabilities in those systems. Gray-hat hackers and script kiddies are not authorized and may engage in malicious activities, while a zebra team is not a commonly used term in information security.

Question 12

A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.

Accepted Answer

Penetration testing involves simulating attacks by a malicious external source to identify vulnerabilities in a system's security. Vulnerability assessment is a broader term that includes identifying and assessing potential vulnerabilities in a system, but doesn't necessarily involve actively attempting to exploit them. Exploit identification focuses specifically on identifying and understanding how vulnerabilities could be exploited, but doesn't involve testing a system's defenses against those exploits. Safeguard neutralization is not a commonly used term in the field of security testing and evaluation.

Question 13

The individual accountable for ensuring the day-to-day operation of the InfoSec program,accomplishing the objectives identified by the CISO and resolving issues identified by techniciansare known as a(n)____________.

Accepted Answer

The role described in the question is that of a security manager, who is responsible for overseeing the daily operations of an organization's information security program, implementing the strategy set by the CISO, and addressing technical issues raised by security technicians. The chief information security officer (A) is a higher-level executive who sets the overall information security strategy for an organization, while security technicians (B) are responsible for implementing and maintaining specific security controls. The chief technology officer (D) is responsible for the overall technology strategy and implementation of an organization, but may not have direct responsibility for information security.

Question 14

In which phase of the SecSDLC does the risk management task occur?

Accepted Answer

The risk management task occurs in the analysis phase of the SecSDLC, where threats and vulnerabilities are assessed, and risk mitigation measures are identified and prioritized. The physical design phase involves designing the physical infrastructure, while the implementation phase involves deploying the system. The investigation phase involves examining incidents or breaches, and the analysis phase focuses on identifying and addressing security flaws and risks.

Question 15

When using theGoverningfor Enterprise Security (GES)program,anEnterprise Security Program (ESP)should be structured so that governance activities aredriven by the organization's executive management,select key stakeholders,as well as the ____________.

Accepted Answer

The GES program emphasizes the importance of having a governance structure that includes a Board Risk Committee to oversee enterprise security. Therefore, when structuring an ESP, it is important to ensure that governance activities are driven by the organization's executive management, select key stakeholders, as well as the Board Risk Committee to ensure effective oversight of enterprise security. The other options may also play a role in governance activities, but the Board Risk Committee is specifically highlighted in the GES program.

Question 16

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

Accepted Answer

Managerial controls set the direction and scope of the security process and provide detailed instruction for its conduct. They include policies, procedures, and standards for securing the organization's assets and resources. System controls, technical controls, and operational controls are types of security controls that support the implementation of managerial controls but do not set the direction or scope of the security process.

Question 17

Which of the following is a key advantage of the bottom-up approach to security implementation?

Accepted Answer

The bottom-up approach leverages the technical expertise of individual administrators, allowing for a more detailed and nuanced approach to security implementation. Upper-management support and coordinated planning may still be important, but they are not key advantages of the bottom-up approach.

Question 18

Individuals who control,and are therefore responsible for,the security and use of a particular set of information are known as ____________.

Accepted Answer

Data owners are individuals who control and are responsible for the security and use of a particular set of information. They have the ultimate responsibility for ensuring that the data is used in a manner that complies with applicable laws, regulations, and policies. Data custodians, on the other hand, are responsible for the technical implementation of security controls and maintaining the integrity of the data. Data users are individuals who have some level of access to the data, and data generators are individuals who create the data.

Question 19

Which of the following is an information security governance responsibility of the Chief Security Officer?

Accepted Answer

The Chief Security Officer (CSO) is responsible for setting security policy, procedures, programs and training. Communicating policies and the program, briefing the board, customers, and the public, as well as implementing policy and reporting security vulnerabilities and breaches are other responsibilities that may fall on the CSO but are not exclusive to their role in information security governance.

Question 20

A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.

Accepted Answer

The 2007 Deloitte report suggests that enterprise risk management is a valuable approach that can align security functions with the business mission and lower costs.

Quiz 3: Governance and Strategic Planning for Security

Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?

The impetus to begin an SDLC-based project may be ____________________,that is,a response to some activity in the business community,inside the organization,or within the ranks of employees,customers,or other stakeholders.

An example of a stakeholder of a company includes all of the followingexcept:

A project manager who understands project management,personnel management,and InfoSec technical requirements is needed to fill the role of a(n) ____________.

The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.

Which of these is a systems development approach that incorporates teams ofrepresentatives from multiple constituencies,including users,management,and IT,each with avested interest in the project's success?

A senior executive who promotes the project and ensures its support,both financially and administratively,at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.

The individual responsible for the assessment,management,and implementation of information-protection activities in the organization is known as a(n) ____________.

ISO 27014:2013 is the ISO 27000 series standard for ____________.

What is the first phase of the SecSDLC?

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.

A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.

The individual accountable for ensuring the day-to-day operation of the InfoSec program,accomplishing the objectives identified by the CISO and resolving issues identified by techniciansare known as a(n) ____________.

In which phase of the SecSDLC does the risk management task occur?

When using theGoverningfor Enterprise Security (GES) program,anEnterprise Security Program (ESP) should be structured so that governance activities aredriven by the organization's executive management,select key stakeholders,as well as the ____________.

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

Which of the following is a key advantage of the bottom-up approach to security implementation?

Individuals who control,and are therefore responsible for,the security and use of a particular set of information are known as ____________.

Which of the following is an information security governance responsibility of the Chief Security Officer?

A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.

Quiz 3: Governance and Strategic Planning for Security

Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?

The impetus to begin an SDLC-based project may be ____________________,that is,a response to some activity in the business community,inside the organization,or within the ranks of employees,customers,or other stakeholders.

An example of a stakeholder of a company includes all of the followingexcept:​

A project manager who understands project management,personnel management,and InfoSec technical requirements is needed to fill the role of a(n) ____________.

The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.

Which of these is a systems development approach that incorporates teams ofrepresentatives from multiple constituencies,including users,management,and IT,each with avested interest in the project's success?

A senior executive who promotes the project and ensures its support,both financially and administratively,at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.

The individual responsible for the assessment,management,and implementation of information-protection activities in the organization is known as a(n) ____________.

ISO 27014:2013 is the ISO 27000 series standard for ____________.

What is the first phase of the SecSDLC?

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.

A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.

The individual accountable for ensuring the day-to-day operation of the InfoSec program,accomplishing the objectives identified by the CISO and resolving issues identified by techniciansare known as a(n) ____________.

In which phase of the SecSDLC does the risk management task occur?

When using theGoverningfor Enterprise Security (GES) program,anEnterprise Security Program (ESP) should be structured so that governance activities aredriven by the organization's executive management,select key stakeholders,as well as the ____________.

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

Which of the following is a key advantage of the bottom-up approach to security implementation?

Individuals who control,and are therefore responsible for,the security and use of a particular set of information are known as ____________.

Which of the following is an information security governance responsibility of the Chief Security Officer?

A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.

An example of a stakeholder of a company includes all of the followingexcept: