Explore all topics
Start Free Trial
Need Help? Contact us
back arrowfull exam logo
search
ai logoChat with AI
Servicesarrow
Discoverarrow

Topics

Explore all topics
Discover more topics

Deck 4: Planning for Security

Full screen (f)
exit full mode
Question
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
Use Space or
up arrow
down arrow
to flip the card.
Question
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.
Question
The complete details of ISO/IEC 27002 are widely available to everyone.
Question
Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program.
Question
The ISSP is a plan which sets out the requirements that must be met by the information security blueprint or framework.
Question
A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.
Question
Good security programs begin and end with policy.
Question
NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.
Question
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions.
Question
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.
Question
NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture.
Question
You can create a single, comprehensive ISSP document covering all information security issues.
Question
The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.
Question
In 2016, NIST published a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States, based on vendor-specific technologies.
Question
To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards.
Question
Each policy should contain procedures and a timetable for periodic review.
Question
The ISO/IEC 27000 series is derived from an earlier standard, BS7799.
Question
The security framework is a more detailed version of the security blueprint.
Question
ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.
Question
Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct.
Question
Every member of the organization's InfoSec department must have a formal degree or certification in information security.
Question
The operational plan documents the organization's intended long-term direction and efforts for the next several years. _________________________
Question
A disaster recovery plan shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster.
Question
Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training, and rehearsal.
Question
NIST responded to a mandate and created a voluntary Risk Management Framework that provides an effective approach
to manage cybersecurity risks. _________________________
Question
Systems-specific security policies are organizational policies that provide detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. _________________________
Question
The stated purpose of ISO/IEC 27002 is to offer guidelines and voluntary directions for information security management. _________________________
Question
A security policy should begin with a clear statement of purpose. _________________________
Question
A(n) capability table specifies which subjects and objects users or groups can access. _________________________
Question
Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _________________________
Question
Some policies may also need a(n) sunset clause indicating their expiration date. _________________________
Question
Guidelines are detailed statements of what must be done to comply with policy. _________________________
Question
To remain viable, security policies must have a responsible manager, a schedule of reviews, a
method for making recommendations for reviews, and a policy issuance and revision date. _________________________
Question
​An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement.
Question
A cold site provides many of the same services and options of a hot site, but at a lower cost.
Question
Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site.
Question
The security model is the basis for the design, selection, and implementation of all security program elements, including policy implementation and ongoing policy and program management. _________________________
Question
Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
Question
A hard drive feature known as "hot swap" is a RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails.
Question
A(n) strategic ​information security policy is also known as a general security policy, and sets the strategic
direction, scope, and tone for all security efforts. _________________________
Question
A(n) differential backup only archives the files that have been modified that day, and thus requires less space and time than a full backup. _________________________
Question
A(n) DR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs. _________________________
Question
The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. _________________________
Question
Evidence is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator. _________________________
Question
The key components of the security perimeter include firewalls, DMZs (demilitarized zones), Web servers, and IDPSs. _________________________
Question
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."

A)implementation
B)certification
C)management
D)accreditation
Question
A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _________________________
Question
One of the basic tenets of security architectures is the layered implementation of security, which is called defense in redundancy. _________________________
Question
A(n) alarming event is an event with negative consequences that could threaten the organization's information assets or operations.__________________
Question
________often function as standards or procedures to be used when configuring or maintaining systems.

A)ESSPs
B)EISPs
C)ISSPs
D)SysSPs
Question
A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. _________________________
Question
The ________is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.

A)SysSP
B)EISP
C)GSP
D)ISSP
Question
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.

A)de formale
B)de public
C)de jure
D)de facto
Question
A service bureau is an agency that provides a service for a fee. _________________________
Question
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years.

A)standard
B)operational
C)tactical
D)strategic
Question
The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _________________________
Question
The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area. _________________________
Question
​The goals of information security governance include all but which of the following?

A)Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
B)​Strategic alignment of information security with business strategy to support organizational objectives
C)​Risk management by executing appropriate measures to manage and mitigate threats to information resources
D)​Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
Question
Technical controls are the tactical and technical implementations of security in the organization. _________________________
Question
An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.

A)plan
B)framework
C)model
D)policy
Question
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.

A)off-site storage
B)remote journaling
C)electronic vaulting
D)database shadowing
Question
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

A)Networking
B)Proxy
C)Defense in depth
D)Best-effort
Question
​Security __________ are the areas of trust within which users can freely communicate.

A)​perimeters
B)​domains
C)​rectangles
D)​layers
Question
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________.

A)controls have been bypassed
B)controls have proven ineffective
C)controls have failed
D)All of the above
Question
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________.

A)firewalls
B)proxy servers
C)access controls
D)All of the above
Question
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.

A)Firewalling
B)Hosting
C)Redundancy
D)Domaining
Question
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?

A)The standard lacked the measurement precision associated with a technical standard.
B)It was not as complete as other frameworks.
C)The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls.
D)The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
Question
The transfer of transaction data in real time to an off-site facility is called ____.

A)off-site storage
B)remote journaling
C)electronic vaulting
D)database shadowing
Question
According to NIST SP 800-14's security principles, security should ________.

A)support the mission of the organization
B)require a comprehensive and integrated approach
C)be cost-effective
D)All of the above
Question
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.

A)technology
B)Internet
C)people
D)operational
Question
________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

A)Managerial
B)Technical
C)Operational
D)Informational
Question
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident.

A)emergency notification system
B)alert roster
C)phone list
D)call register
Question
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?

A)Determine mission/business processes and recovery criticality
B)Identify recovery priorities for system resources
C)Identify resource requirements
D)All of these are BIA stages
Question
_________ controls address personnel security, physical security, and the protection of production inputs and outputs.

A)​Informational
B)Operational
C)​Technical
D)​Managerial
Question
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.

A)intentional
B)external
C)accidental
D)physical
Question
A ____ site provides only rudimentary services and facilities.

A)commercial
B)warm
C)hot
D)cold
Question
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.

A)identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
B)assess progress toward a recommended target state
C)communicate among local, state, and national agencies about cybersecurity risk
D)None of these
Question
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.

A)plan
B)standard
C)policy
D)blueprint
Question
_________ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident.

A)Damage assessment
B)Containment development
C)Incident response
D)Disaster assessment
Question
RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.

A)replicated
B)resistant
C)random
D)redundant
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/110
auto play flashcards
Play
simple tutorial
Full screen (f)
exit full mode
Deck 4: Planning for Security
1
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
True
2
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.
True
3
The complete details of ISO/IEC 27002 are widely available to everyone.
False
4
Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
5
The ISSP is a plan which sets out the requirements that must be met by the information security blueprint or framework.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
6
A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
7
Good security programs begin and end with policy.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
8
NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
9
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
10
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
11
NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
12
You can create a single, comprehensive ISSP document covering all information security issues.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
13
The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
14
In 2016, NIST published a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States, based on vendor-specific technologies.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
15
To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
16
Each policy should contain procedures and a timetable for periodic review.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
17
The ISO/IEC 27000 series is derived from an earlier standard, BS7799.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
18
The security framework is a more detailed version of the security blueprint.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
19
ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
20
Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
21
Every member of the organization's InfoSec department must have a formal degree or certification in information security.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
22
The operational plan documents the organization's intended long-term direction and efforts for the next several years. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
23
A disaster recovery plan shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
24
Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training, and rehearsal.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
25
NIST responded to a mandate and created a voluntary Risk Management Framework that provides an effective approach
to manage cybersecurity risks. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
26
Systems-specific security policies are organizational policies that provide detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
27
The stated purpose of ISO/IEC 27002 is to offer guidelines and voluntary directions for information security management. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
28
A security policy should begin with a clear statement of purpose. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
29
A(n) capability table specifies which subjects and objects users or groups can access. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
30
Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
31
Some policies may also need a(n) sunset clause indicating their expiration date. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
32
Guidelines are detailed statements of what must be done to comply with policy. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
33
To remain viable, security policies must have a responsible manager, a schedule of reviews, a
method for making recommendations for reviews, and a policy issuance and revision date. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
34
​An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
35
A cold site provides many of the same services and options of a hot site, but at a lower cost.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
36
Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
37
The security model is the basis for the design, selection, and implementation of all security program elements, including policy implementation and ongoing policy and program management. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
38
Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
39
A hard drive feature known as "hot swap" is a RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
40
A(n) strategic ​information security policy is also known as a general security policy, and sets the strategic
direction, scope, and tone for all security efforts. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
41
A(n) differential backup only archives the files that have been modified that day, and thus requires less space and time than a full backup. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
42
A(n) DR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
43
The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
44
Evidence is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
45
The key components of the security perimeter include firewalls, DMZs (demilitarized zones), Web servers, and IDPSs. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
46
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."

A)implementation
B)certification
C)management
D)accreditation
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
47
A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
48
One of the basic tenets of security architectures is the layered implementation of security, which is called defense in redundancy. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
49
A(n) alarming event is an event with negative consequences that could threaten the organization's information assets or operations.__________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
50
________often function as standards or procedures to be used when configuring or maintaining systems.

A)ESSPs
B)EISPs
C)ISSPs
D)SysSPs
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
51
A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
52
The ________is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.

A)SysSP
B)EISP
C)GSP
D)ISSP
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
53
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.

A)de formale
B)de public
C)de jure
D)de facto
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
54
A service bureau is an agency that provides a service for a fee. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
55
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years.

A)standard
B)operational
C)tactical
D)strategic
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
56
The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
57
The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
58
​The goals of information security governance include all but which of the following?

A)Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
B)​Strategic alignment of information security with business strategy to support organizational objectives
C)​Risk management by executing appropriate measures to manage and mitigate threats to information resources
D)​Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
59
Technical controls are the tactical and technical implementations of security in the organization. _________________________
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
60
An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.

A)plan
B)framework
C)model
D)policy
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
61
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.

A)off-site storage
B)remote journaling
C)electronic vaulting
D)database shadowing
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
62
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

A)Networking
B)Proxy
C)Defense in depth
D)Best-effort
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
63
​Security __________ are the areas of trust within which users can freely communicate.

A)​perimeters
B)​domains
C)​rectangles
D)​layers
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
64
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________.

A)controls have been bypassed
B)controls have proven ineffective
C)controls have failed
D)All of the above
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
65
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________.

A)firewalls
B)proxy servers
C)access controls
D)All of the above
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
66
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.

A)Firewalling
B)Hosting
C)Redundancy
D)Domaining
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
67
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?

A)The standard lacked the measurement precision associated with a technical standard.
B)It was not as complete as other frameworks.
C)The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls.
D)The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
68
The transfer of transaction data in real time to an off-site facility is called ____.

A)off-site storage
B)remote journaling
C)electronic vaulting
D)database shadowing
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
69
According to NIST SP 800-14's security principles, security should ________.

A)support the mission of the organization
B)require a comprehensive and integrated approach
C)be cost-effective
D)All of the above
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
70
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.

A)technology
B)Internet
C)people
D)operational
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
71
________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

A)Managerial
B)Technical
C)Operational
D)Informational
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
72
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident.

A)emergency notification system
B)alert roster
C)phone list
D)call register
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
73
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?

A)Determine mission/business processes and recovery criticality
B)Identify recovery priorities for system resources
C)Identify resource requirements
D)All of these are BIA stages
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
74
_________ controls address personnel security, physical security, and the protection of production inputs and outputs.

A)​Informational
B)Operational
C)​Technical
D)​Managerial
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
75
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.

A)intentional
B)external
C)accidental
D)physical
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
76
A ____ site provides only rudimentary services and facilities.

A)commercial
B)warm
C)hot
D)cold
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
77
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.

A)identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
B)assess progress toward a recommended target state
C)communicate among local, state, and national agencies about cybersecurity risk
D)None of these
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
78
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.

A)plan
B)standard
C)policy
D)blueprint
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
79
_________ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident.

A)Damage assessment
B)Containment development
C)Incident response
D)Disaster assessment
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
80
RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.

A)replicated
B)resistant
C)random
D)redundant
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Unlock Deck
k this deck
locked card icon
Unlock Deck
Unlock for access to all 110 flashcards in this deck.
Examlex
Examlex
Work With Us
Policies
Download the App
Scan to downloadDownload the App
qr-code
Links
Links
Work With Us
Download the App

Scan to downloadDownload the App
qr-code

Copyright © 2025 Examlex LLC.
  • facebook-footer
  • instagram-footer
  • x-footer
  • tiktok
  • Linktree