
03 (full)


Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment?
A baseline

In a properly segregated environment, which of the following tasks is compatible with the task of security administrator?
Quality assurance

Within the realm of IT security, which of the following combinations best defines risk?
Threat coupled with a vulnerability

Step-by-step instructions used to satisfy control requirements is called a:
procedure

Who should provide access authorization to computerized information?
Data owner

IT security measures should:
Be tailored to meet organizational security goals.

What is the goal of the Maintenance phase in a common development process of a security policy?
to review the document on the specified review date

Three key things that must be considered for the planning and implementation of access control mechanisms do NOT include:
the system's vulnerability to viruses

Which of the following best defines add-on security?
Protection mechanisms implemented after an information system has become operational.

Which of the following should NOT be addressed by employee termination practices?
Employee bonding to protect against losses due to theft.

Which of the following best allows risk management results to be used knowledgeably?
An uncertainty analysis

Why do many organizations require every employee to take a mandatory vacation of a week or more?
To reduce the opportunity for an employee to commit an improper or illegal act.

Related to information security, the guarantee that the message sent is the message received is an example of which of the following?
integrity

What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month?
1,200

What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?
Threat analysis

Which of the following is not a responsibility of a database administrator?
Providing access authorization to databases

Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?
A vulnerability

One of these statements about the key elements of a good configuration process is NOT true:
Controlling modifications to system hardware in order to protect resource from changes

A deviation from an organization-wide security policy requires which of the following?
risk acceptance.

What are the three FUNDAMENTAL principles of security?
Confidentiality, integrity and availability

Which of the following is most concerned with personnel security?
Operational controls

Preservation of confidentiality in information systems requires that the information is not disclosed to:
Unauthorized persons or processes.

Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
System and information owners

Which of the following should NOT be a role of the Security Administrator?
Authorizing access rights

Which of the following is not a component of an Operations Security "triple"?
Risk

Related to information security, integrity is the opposite of which of the following?
alteration

What can be described as a measure of the magnitude of loss or impact on the value of an asset?
Exposure factor

Ultimately, the security of computer-based information systems is which of the following?
a management issue.

Which of the following would best relate to resources being used only for intended purposes?
Availability

An effective information security policy should not have which of the following characteristics?
Be designed with a short- to mid-term focus

Which of the following would VIOLATE the Due Care concept?
Data owners not laying out the foundation of data protection

Which of the following is NOT a part of a risk analysis?
Choose the best countermeasure

Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following?
Confidentiality

Which of the following is not a goal of integrity?
Prevention of the modification of information by authorized users.

What is the main responsibility of information (data) owner?
determining the data sensitivity or classification level

What is the opposite of C.I.A. in risk management?
disclosure, alteration, destruction

Who is responsible for initiating corrective actions when there are security violations?
Management

Which of the following is NOT a common integrity goal?
Prevent paths that could lead to inappropriate disclosure.

Which approach to a security program makes sure that the people actually responsible for protecting the company's assets are DRIVING the program?
The top-down approach

Who should DECIDE how a company should approach security and what security measures should be implemented?
Senior management

What can best be defined as high-level statements, beliefs, goals and objectives?
Policies

How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?
Accept the risk

What is called a weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks?
Vulnerability

Which of the following should be given technical security training?
IT support personnel and system administrators

How is Annualized Loss Expectancy (ALE) derived from a threat?
SLE x ARO

Which of the following is an advantage of a qualitative over a quantitative risk analysis?
It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

Which of the following statements pertaining to a security policy is incorrect?
It specifies how hardware and software should be used throughout the organization.

What is the main purpose of Corporate Security Policy?
to communicate management's intentions in regards to information security

Which of the following is the weakest link in a security system?
People

Which of the following is not a responsibility of an information owner?
Running regular backups and periodically testing the validity of the backup data.

Computer security should be first and foremost which of the following:
Be cost-effective.

Which one of the following individuals has PRIMARY responsibility for determining the classification level of information?
Owner

The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?
Test equipment can be used to browse information passing on a network.

What is called an event or activity that has the potential to cause harm to the information systems or networks?
Threat

The major objective of system configuration management is which of the following?
system stability.

Which of the following is BEST defined as a physical control?
Environmental controls

Which data classification SHOULD APPLY to commercial trade secrets?
Confidential

What is the difference between Advisory and Regulatory security policies?
Advisory policies are not mandated. Regulatory policies must be implemented.

Which of the following is the best reason for the use of an automated risk analysis tool?
Minimal information gathering is required due to the amount of information built into the tool.

Which of the following questions should a user be unable to answer regarding their organization's information security policy?
What are the actions that need to be performed in case of a disaster?

Which of the following would be the first step in establishing an information security program?
Adoption of a corporate information security policy statement.

Which of the following would best classify as a management control?
Review of security controls

Making sure that the data is accessible when and where it is needed is which of the following?
availability

In a discretionary access environment, which of the following entities is authorized to grant information access to other people?
Owner.

What would BEST define risk management?
The process of reducing risk to an acceptable level

According to private sector data classification levels, how would salary levels and medical information be classified?
Private.

Which of the following is given the responsibility of the maintenance and protection of the data?
Data custodian

Which of the following tasks may be performed by the same person in a well-controlled information processing facility/computer center?
System development and systems maintenance

Which of the following statements pertaining to quantitative risk analysis is false?
It requires little experience to apply

What can be defined as an event that could cause harm to the information systems?
A threat

Which of the following department managers would be best suited to oversee the development of an information security policy?
Business operations

All risks must be:
Identified

Which must bear the primary responsibility for determining the level of protection needed for information systems resources?
Senior Management.

What is a difference between a Quantitative Risk Analysis and a Qualitative Risk Analysis?
quantitative analysis provides formal cost/benefit analysis and qualitative does not

The preliminary steps to security planning include all of the following EXCEPT which of the following?
Establish a security audit function.

Which of the following questions would not help in assessing personnel security controls?
Is access to facilities by personnel controlled through the use of guards, identification badges, or entry devices such as key cards or biometrics?

Which one of the following represents an ALE calculation?
single loss expectancy x annualized rate of occurrence.

Related to information security, availability is the opposite of which of the following?
destruction

Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a vulnerability?
A risk

Why would an information security policy require that communications test equipment be controlled?
The equipment can be used to browse information passing on a network

The absence of a safeguard or weakness in a system that may possibly be exploited is called a(n)?
Vulnerability

Which of the following represents an ALE calculation?
Single loss expectancy X annualized rate of occurrence

Which of the following is the MOST important aspect relating to employee termination?
The appropriate company staff are notified about the termination.

Making sure that only those who are supposed to access the data can access it is which of the following?
confidentiality.

In the CIA triad, what does the letter A stand for?
Availability

In an organization, an Information Technology security function should:
Be led by a Chief Security Officer and report directly to the CEO.

Who should measure the effectiveness of security related controls in an organization?
the systems auditor.

One purpose of a security awareness program is to modify:
employees' attitudes and behaviors.

Risk mitigation and risk reduction controls can be of which of the following types?
preventive, detective, or corrective

ISO 17799 is a standard for:
Information Security Management

Which of the following groups represents the leading source of computer crime losses?
employees.

One of the following assertions is not a characteristic of Internet Protocol Security (IPsec):
Data is delivered in the exact order in which it is sent

What is the property that ensures that only those who are supposed to access the data can access it?
Confidentiality.

What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?
$60,000

Which of the following choices is NOT part of a security policy?
description of specific technologies used in the field of information security

If risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets" then risk has all of the following elements EXCEPT?
Controls addressing the threats

Which of the following is NOT an administrative control?
Logical access control mechanisms

Related to information security, confidentiality is the opposite of which of the following?
disclosure

What is called the probability that a threat to an information system will materialize?
Risk

Which of the following is NOT a technical control?
Monitoring for physical intrusion

Which of the following is not a way for programmers to bypass normal security controls while developing their software?
A Trojan horse

What does "residual risk" mean?
The security risk that remains after controls have been implemented

Controls are implemented to:
mitigate risk and reduce the potential for loss

Making sure that the data has not been changed unintentionally, due to an accident or malice is:
Integrity.

Which of the following would be the best criterion to consider in determining the classification of an information asset?
Value

Which of the following are steps of a common development process of creating a security policy, standards and procedures?
initial and evaluation, development, approval, publication, implementation, maintenance

Who is responsible for providing reports to the senior management on the effectiveness of the security controls?
Information systems auditors

Which of the following embodies all the detailed actions that personnel are required to follow?
Procedures

Which of the following is responsible for MOST of the security issues?
Personnel
