
03 (full)


Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment ?
A baseline

In a properly segregated environment, which of the following tasks is compatible with the task of security administrator?
Quality assurance

Within the realm of IT security, which of the following combinations best defines risk?
Threat coupled with a vulnerability

Step-by-step instructions used to satisfy control requirements are called a:
procedure

Who should provide access authorization to computerized information?
Data owner

IT security measures should:
Be tailored to meet organizational security goals.

What is the goal of the Maintenance phase in a common development process of a security policy?
to review the document on the specified review date

Three key things that must be considered for the planning and implementation of access control mechanisms do NOT include:
the system's vulnerability to viruses

Which of the following best defines add-on security?
Protection mechanisms implemented after an information system has become operational.

Which of the following should NOT be addressed by employee termination practices?
Employee bonding to protect against losses due to theft.

Which of the following best allows risk management results to be used knowledgeably?
An uncertainty analysis

Why do many organizations require every employee to take a mandatory vacation of a week or more?
To reduce the opportunity for an employee to commit an improper or illegal act.

Related to information security, the guarantee that the message sent is the message received is an example of which of the following?
integrity

What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month?
1,200

What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?
Threat analysis

Which of the following is not a responsibility of a database administrator?
Providing access authorization to databases

Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?
A vulnerability

One of these statements about the key elements of a good configuration process is NOT true:
Controlling modifications to system hardware in order to protect resources from changes

A deviation from an organization-wide security policy requires which of the following?
risk acceptance.

What are the three FUNDAMENTAL principles of security?
Confidentiality, integrity and availability

Which of the following is most concerned with personnel security?
Operational controls

Preservation of confidentiality in information systems requires that the information is not disclosed to:
Unauthorized persons or processes.

Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
System and information owners

Which of the following should NOT be a role of the Security Administrator?
Authorizing access rights

Which of the following is not a component of an Operations Security "triple"?
Risk

Related to information security, integrity is the opposite of which of the following?
alteration

What can be described as a measure of the magnitude of loss or impact on the value of an asset?
Exposure factor

Ultimately, the security of computer-based information systems is which of the following?
a management issue.

Which of the following would best relate to resources being used only for intended purposes?
Availability

An effective information security policy should not have which of the following characteristics?
Be designed with a short- to mid-term focus

Which of the following would VIOLATE the Due Care concept?
Data owners not laying out the foundation of data protection

Which of the following is NOT a part of a risk analysis?
Choose the best countermeasure

Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following?
Confidentiality

Which of the following is not a goal of integrity?
Prevention of the modification of information by authorized users.

What is the main responsibility of the information (data) owner?
determining the data sensitivity or classification level

What is the opposite of C.I.A. in risk management?
disclosure, alteration, destruction

Who is responsible for initiating corrective actions when there are security violations?
Management

Which of the following is NOT a common integrity goal?
Prevent paths that could lead to inappropriate disclosure.

Which approach to a security program makes sure that the people actually responsible for protecting the company's assets are DRIVING the program?
The top-down approach

Who should DECIDE how a company should approach security and what security measures should be implemented?
Senior management

What can best be defined as high-level statements, beliefs, goals and objectives?
Policies

How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?
Accept the risk

What is called a weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks?
Vulnerability

Which of the following should be given technical security training?
IT support personnel and system administrators

How is Annualized Loss Expectancy (ALE) derived from a threat?
SLE x ARO

Which of the following is an advantage of a qualitative over a quantitative risk analysis?
It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

Which of the following statements pertaining to a security policy is incorrect?
It specifies how hardware and software should be used throughout the organization.

What is the main purpose of Corporate Security Policy?
to communicate management's intentions in regards to information security

Which of the following is the weakest link in a security system?
People

Which of the following is not a responsibility of an information owner?
Running regular backups and periodically testing the validity of the backup data.

Computer security should be first and foremost which of the following:
Be cost-effective.

Which one of the following individuals has PRIMARY responsibility for determining the classification level of information?
Owner

The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?
Test equipment can be used to browse information passing on a network.

What is called an event or activity that has the potential to cause harm to the information systems or networks?
Threat

The major objective of system configuration management is which of the following?
system stability.

Which of the following is BEST defined as a physical control?
Environmental controls

Which data classification SHOULD APPLY to commercial trade secrets?
Confidential

What is the difference between Advisory and Regulatory security policies?
Advisory policies are not mandated. Regulatory policies must be implemented.

Which of the following is the best reason for the use of an automated risk analysis tool?
Minimal information gathering is required due to the amount of information built into the tool.

Which of the following questions should a user be unable to answer regarding their organization's information security policy?
What are the actions that need to be performed in case of a disaster?

Which of the following would be the first step in establishing an information security program?
Adoption of a corporate information security policy statement.

Which of the following would best classify as a management control?
Review of security controls

Making sure that the data is accessible when and where it is needed is which of the following?
availability

In a discretionary access environment, which of the following entities is authorized to grant information access to other people?
Owner.

What would BEST define risk management?
The process of reducing risk to an acceptable level

According to private sector data classification levels, how would salary levels and medical information be classified?
Private.

Which of the following is given the responsibility of the maintenance and protection of the data?
Data custodian

Which of the following tasks may be performed by the same person in a well-controlled information processing facility/computer center?
System development and systems maintenance

Which of the following statements pertaining to quantitative risk analysis is false?
It requires little experience to apply

What can be defined as an event that could cause harm to the information systems?
A threat

Which of the following department managers would be best suited to oversee the development of an information security policy?
Business operations

All risks must be:
Identified

Which must bear the primary responsibility for determining the level of protection needed for information systems resources?
Senior Management.

What is a difference between a Quantitative Risk Analysis and a Qualitative Risk Analysis?
quantitative analysis provides formal cost/benefit analysis and qualitative does not

The preliminary steps to security planning include all of the following EXCEPT which of the following?
Establish a security audit function.

Which of the following questions would not help in assessing personnel security controls?
Is access to facilities by personnel controlled through the use of guards, identification badges, or entry devices such as key cards or biometrics?

Which one of the following represents an ALE calculation?
single loss expectancy x annualized rate of occurrence.

Related to information security, availability is the opposite of which of the following?
destruction

Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a vulnerability?
A risk

Why would an information security policy require that communications test equipment be controlled?
The equipment can be used to browse information passing on a network

The absence of a safeguard or weakness in a system that may possibly be exploited is called a(n)?
Vulnerability

Which of the following represents an ALE calculation?
Single loss expectancy X annualized rate of occurrence

Which of the following is the MOST important aspect relating to employee termination?
The appropriate company staff are notified about the termination.

Making sure that only those who are supposed to access the data can access it is which of the following?
confidentiality.

In the CIA triad, what does the letter A stand for?
Availability

In an organization, an Information Technology security function should:
Be led by a Chief Security Officer and report directly to the CEO.

Who should measure the effectiveness of security related controls in an organization?
the systems auditor.

One purpose of a security awareness program is to modify:
employees' attitudes and behaviors.

Risk mitigation and risk reduction controls can be of which of the following types?
preventive, detective, or corrective

ISO 17799 is a standard for:
Information Security Management

Which of the following groups represents the leading source of computer crime losses?
employees.

One of the following assertions is not a characteristic of Internet Protocol Security (IPsec):
Data is delivered in the exact order in which it is sent

The property that ensures that only those who are supposed to access the data can access it is:
Confidentiality.

What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?
$60,000

Which of the following choices is NOT part of a security policy?
description of specific technologies used in the field of information security

If risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets" then risk has all of the following elements EXCEPT?
Controls addressing the threats

Which of the following is NOT an administrative control?
Logical access control mechanisms

Related to information security, confidentiality is the opposite of which of the following?
disclosure

What is called the probability that a threat to an information system will materialize?
Risk

Which of the following is NOT a technical control?
Monitoring for physical intrusion

Which of the following is not a way for programmers to bypass normal security controls while developing their software?
A Trojan horse

What does "residual risk" mean?
The security risk that remains after controls have been implemented

Controls are implemented to:
mitigate risk and reduce the potential for loss

Making sure that the data has not been changed unintentionally, due to an accident, or through malice is:
Integrity.

Which of the following would be the best criterion to consider in determining the classification of an information asset?
Value

Which of the following are steps of a common development process of creating a security policy, standards and procedures?
initiation and evaluation, development, approval, publication, implementation, maintenance

Who is responsible for providing reports to the senior management on the effectiveness of the security controls?
Information systems auditors

Which of the following embodies all the detailed actions that personnel are required to follow?
Procedures

Which of the following is responsible for MOST of the security issues?
Personnel
