Exam 9: Information Security


Which type of control is recognized as being the best bet for security?

(Multiple Choice)
Correct Answer:

B

Which type of control establishes codes of conduct, documentation of expected procedures and practices, and monitoring and preventing behavior that varies from the established guidelines?

(Multiple Choice)
Correct Answer:

A

The term ___________ is used to describe the protection of both computer and non-computer equipment, facilities, data, and information from misuse by unauthorized parties.

(Essay)
Correct Answer:

information security

Internal threats are considered to present potentially more serious damage than do external threats due to the more intimate knowledge of the system by the internal threats.

(True/False)

A formal written document that spells out in detail the actions to be taken in the event that there is a disruption, or threat of disruption, in any part of the firm's computing operation is referred to as a(n):

(Multiple Choice)

Impact severity can be classified as having a major impact when breakdowns that are typical of day-to-day operations occur.

(True/False)

An information security risk is a person, organization, mechanism, or event that has potential to inflict harm on the firm's information resources.

(True/False)

Unauthorized use occurs when persons who are not ordinarily entitled to use the firm's resources are able to do so.

(True/False)

The basis for security against threats by unauthorized persons is physical control.

(True/False)

The term systems security is used to describe the protection of both computer and noncomputer equipment, facilities, data, and information from misuse by unauthorized parties.

(True/False)

Formal controls include education and training programs and management development programs in the firm.

(True/False)

Which of the following sets of guidelines places emphasis on the rationale for establishing a security policy and is a product of the U.S. National Research Council?

(Multiple Choice)

What are the three main objectives that information security is intended to achieve?

(Essay)

The type of control that includes such activities as instilling the firm's ethical beliefs in its employees, ensuring an understanding of the firm's mission and objectives, education and training programs, and management development programs is referred to as:

(Multiple Choice)

The SANS Institute offers certifications aimed at such specialties within information security as intrusion detection, firewalls and perimeter protection, and operating system security.

(True/False)

A ____________ is a computer program that can replicate itself without being observable to the user and embed copies of itself in other programs and boot sectors.

(Essay)

What acts as a filter and barrier that restricts the flow of data to and from the firm and the Internet?

(Multiple Choice)

When the level of impact is determined to be minor and the vulnerability is determined to be low, then vulnerability analysis is unnecessary.

(True/False)

The type of threat whereby the user distributes it as a utility and, when used, produces unwanted changes in the system's functionality is called:

(Multiple Choice)

When a firm follows benchmark compliance, it is assumed that the government and industry authorities have done a good job of considering the threats and risks and that the benchmarks offer good protection.

(True/False)