Review Questions
1. Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. A stand-alone system
D. The Internet
2. Vulnerabilities and risks are evaluated based on their threats against which of the following?
A. One or more of the CIA Triad principles
B. Data usefulness
C. Due care
D. Extent of liability
3. Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?
A. Identification
B. Availability
C. Encryption
D. Layering
4. Which of the following is not considered a violation of confidentiality?
A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering
5. Which of the following is not true?
A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.
7. If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _________________________ the data, objects, and resources.
A. Control
B. Audit
C. Access
D. Repudiate
8. ____________ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed.
A. Seclusion
B. Concealment
C. Privacy
D. Criticality
9. All but which of the following items requires awareness for all individuals affected?
A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages
12. Which of the following is the most important and distinctive concept in relation to layered security?
A. Multiple
B. Series
C. Parallel
D. Filter
Chapter Two
7. Which of the following statements is not true?
A. IT security can provide protection only against logical or technical attacks.
B. The process by which the goals of risk management are achieved is known as risk analysis.
C. Risks to an IT infrastructure are all computer based.
D. An asset is anything used in a business process or task.
8. Which of the following is not an element of the risk analysis process?
A. Analyzing an environment for risks
B. Creating a cost/benefit report for safeguards to present to upper management
C. Selecting appropriate safeguards and implementing them
D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
9. Which of the following would generally not be considered an asset in a risk analysis?
A. A development process
B. An IT infrastructure
C. A proprietary system resource
D. Users’ personal files
10. Which of the following represents accidental or intentional exploitations of vulnerabilities?
A. Threat events
B. Risks
C. Threat agents
D. Breaches
11. When a safeguard or a countermeasure is not present or is not sufficient, what remains?
A. Vulnerability
B. Exposure
C. Risk
D. Penetration
12. Which of the following is not a valid definition for risk?
A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure
16. What security control is directly focused on preventing collusion?
A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis
17. What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?
A. Education
B. Awareness
C. Training
D. Termination
18. Which of the following is not specifically or directly related to managing the security function of an organization?
A. Worker job satisfaction
B. Metrics
C. Information security strategies
D. Budget
Chapter Three
1. What is the first step that individuals responsible for the development of a business continuity plan should perform?
A. BCP team selection
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment
2. Once the BCP team is selected, what should be the first item placed on the team’s agenda?
A. Business impact assessment
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment
3. What is the term used to describe the responsibility of a firm’s officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization’s continued viability?
A. Corporate responsibility
B. Disaster requirement
C. Due diligence
D. Going concern responsibility
4. What will be the major resource consumed by the BCP process during the BCP phase?
A. Hardware
B. Software
C. Processing time
D. Personnel
16. In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?
A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization
18. What type of plan outlines the procedures to follow when a disaster interrupts the normal operations of a business?
A. Business continuity plan
B. Business impact assessment
C. Disaster recovery plan
D. Vulnerability assessment
Chapter Four
1. Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer system(s)?
A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act
2. Which law first required operators of federal interest computer systems to undergo periodic training in computer security issues?
A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act
3. What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures?
A. Criminal law
B. Common law
C. Civil law
D. Administrative law
4. Which federal government agency has responsibility for ensuring the security of government computer systems that are not used to process sensitive and/or classified information?
A. National Security Agency
B. Federal Bureau of Investigation
C. National Institute of Standards and Technology
D. Secret Service