Of all the reasons that people commit errors when it comes to IT security, which of the following is the main reason people make mistakes?
Which of the following statements does notoffer an explanation of what motivates an insider to pose a security risk?
Which of the following user types is responsible for audit coordination and response, physical security and building operations, and disaster recovery and contingency planning?
There are many ways that people can be manipulated to disclose knowledge that can be used to jeopardize security. One of these ways is to call someone under the false pretense of being from the IT department. This is known as _________________________.
One of seven domains of a typical IT infrastructure is the user domain. Within that domain is a range of user types, and each type has specific and distinct access needs. Which of the following types of users has the responsibility of creating and putting into place a security program within an organization?
It is recommended that systems administrators analyze logs in order to determine if they have been altered because monitoring can deter risk. To serve this goal, a ________________ can be used to assemble logs from platforms throughout the network.
Consider this scenario: A company that buys a sizeable amount of equipment for its manufacturing process needs to accurately report such expenditures, so it calls upon the services of financial auditors. While financial auditors might consider how robust the data might be, the company might also involve IT auditors to examine the technology in place to gather the data itself. What process is this company using to address its concerns?
It is necessary to retain information for two significant reasons: legal obligation and business needs. Data that occupies the class of ________________ is comprised of records that are required to support operations; the data included might be customer and vendor records.
Despite the fact that there exists no mandatory scheme of data classification for private industry, there are four classifications used most frequently. Which of the following is not one of the four?
Of all the needs that an organization might have to classify data, there are three that are most prevalent. Which of the following is notone of the reasons?
If an organization is creating a customized data classification scheme, it is important to keep in mind the accepted guidelines. Which of the following is notone these guidelines?
A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows:Risk exposure =________________ the event will occur + ____________ if the event occurs
Of the risk management strategies, _________________ refers to the act of not engaging in actions that lead to risk, whereas ____________________refers to acquiescence in regard to the risks of particular actions as well as their potential results .
Because risk management is a both a governance process and a model that seeks consistent improvement, there is a series of steps to be followed every time a new risk emerges. Which of the following is notone of these steps?
The IRT report that is ultimately generated for executive management must be certain to educate all stakeholders regarding exploited risks. Which of the following items is not required to be addressed in the report?
Which of the following departments has a significant role to play concerning the act of creating the messaging around an incident to the media and the parties impacted?
In general, the IRT is comprised of a team with individuals that have different specialties; one such individual is the ___________________, who offers analytical skills and risk management. This specialist has focused forensic skills necessary for the collection and analysis of evidence.
In addition to compiling the list of user access requirements, applications, and systems, the BIA also includes processes that are ____________. These processes safeguard against any risks that might occur due to key staff being unavailable or distracted.
When an incident occurs, there are a number of options that can be pursued. Which of the following actions is recommended when assets of a low value are being attacked?
While the amount of data known as mission-criticaldepends on the organization and industry, such data should only represent less than ____________ percent of the data population.
It is important to conduct a nearly continuous evaluation of possible ______________ to guarantee that recovery estimates provided to customers are accurate and maintain credibility with customers.
Which of the following statements is most accurate with respect to infrastructure security, as demonstrated by the private sector?
Which of the following statements illustrates the importance of the LAN-to-WAN domain to an organization’s security?
It is important that LAN guidelines transfer technical knowledge and experience by guiding an individual through core principles and varied ways of considering risks. Which of the following guidelines documents instructions on the intricacies and uses of wireless structures and types?
In general, WAN-specific standards identify specific security requirements for WAN devices. For example, the ____________________ explains the family of controls needed to secure the connection from the internal network to the WAN router, whereas the ______________________ identifies which controls are vital for use of Web services provided by suppliers and external partnerships.
A procure document should accompany every baseline document. Which of the following is a true statement about the circumstances for when a procedure document needs to be created to support the baseline document?
Domain security control requirements are embodied in several different types of documents. One such document is known as _______________________, which uses a hierarchical organizing structure to identify the key terms and their explanations.
An important principle in information security is the concept of layers of security, which is often referred to as layered security, or defense indepth. Which of the following is not an example of a layer of security?
Which of the following has the responsibility of offering instruction on intrusion detection systems and intrusion prevention system standards as well as their accompanying uses for diminishing false alerts?
Consider this scenario: A sales organization with an onsite IT staff experiences a major outage due to a minor change to a printer. Though systems were working successfully, the printer stopped working when a new server was added to the network. The new server that was added to the network shared the same IP address as the printer. Which of the following statements captures a contributing cause of the problem with the IP compatibility?
Even though SNMP is a part of the TCP/IP suite of protocols, it has undergone a series of improvements since its first version. Which of the following is not one of the improvements offered in version 3?
One of the six specifications for entities that implement SCAP is to provide particular names for operation systems, applications, and hardware. This specification articulates a standard naming convention for systems to promote consistency across varied products. Which of the following specifications fits this description?
Because not all automated tools have the same functions, it is important to run tests on their effectiveness before making a financial or resource allocation investment. For example, if an organization is interested in discovery, which of the follow questions is important to ask?
There are several different best practices available for implementation when creating a plan for IT security policy compliance monitoring. One such practice is to design a baseline derived from the security policy, which entails _________________.
There are a number of automated tools created by Microsoft that can be used to verify compliance. Once such tool is the ____________________, which is a free download that locates system vulnerabilities by sending queries. This tool can scan multiple systems in a network and maintain a history of reports for all prior scans.
________________ controls the processes associated with monitoring and changing configuration throughout the life of a system. This includes the original baseline configuration.
There are number of issues to consider when composing security policies. One such issue concerns the use of security devices. One such device is a ____________, which is a network security device with characteristics of a decoy that serves as a target that might tempt a hacker.
One of the different manual controls necessary for managing risk is ________________, which is a type of formal management verification. In the process, management confirms that a condition is present and that security controls and policies are in place.
The Gramm-Leach-Bliley Act (GLBA) was created to protect confidentiality and security of customer information. Thus, under GLBA, organizations are required to inform regulators quickly if any unauthorized access or breach has occurred. Consider this scenario: A bank teller accesses a customer account out of curiosity. What is best course of action following this event?
Which of the following committees is responsible for the review of concepts, testing phases, and designs of new initiatives as well as determining when a project can enter the production phase?
While there are many valid reasons to monitor users’ computer activities, which of the following is an invalid reason?
The information security organization performs a significant role in the implementation of solutions that mitigate risk and control solutions. Because the security organization institutes the procedures and policies to be executed, they occupy role of ____________________.
There are many roles and responsibilities entailed in the management and identification of risks and the enforcement of policies related to information security. One such role is ________________, which has the responsibility of enforcing policies at the employee level.
A(n) ______________________ is a centrally located device that is capable and permitted to extend and connect to distributed services.
Many organizations have a(n) ________________________, which is comprised of end user devices (including tablets, laptops, and smartphones) on a shared network and that use distributed system software; this enables these devices to function simultaneously, regardless of location.
The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that ________________ receives training in security basic requirement, regulatory and legal requirement, detail policy review, and reporting suspicious activity.
Which of the following scenarios illustrates an ideal time to implement security policies in order to gain the maximum level of organizational commitment?
Which of the following is the most important reason to solicit feedback from people who have completed security awareness training?
A major defense corporation rolls out a campaign to manage persistent threats to its infrastructure. The corporation decides to institute a ___________________ to identify and evaluate the knowledge gaps that can be addressed through additional training for all employees, even administrators and management.
Which of the following is one of the downsides of a computer-based training (CBT) approach?