Chapter 2: The Need for Security

Study online at https://quizlet.com/_4vxiou

1. Data Security commonly used as a surrogate for information security,
data security is the focus of protecting data or information
in its various states: at rest (in storage), in processing, and
in transmission (over networks).

2. Data items of fact collected by an organization: raw numbers,
facts, and words (for example, quiz scores).

3. information data that has been organized, structured, and presented
to provide additional insight into its context, worth, or
usefulness (for example, 90% = A).

4. information asset the focus of information security; information that has
value to the organization, and the systems that store, process,
and transmit the information.

5. media a subset of information assets: the systems and networks
that store, process, and transmit the information.

6. database a collection of related data that is stored in a structured
form and usually managed by a database management
system.

7. database security a subset of information security that focuses on the
assessment and protection of the information stored in data
repositories like database management systems and storage
media.

8. attack an intentional or unintentional act that can damage or
otherwise compromise information and the systems that
support it. Attacks can be active or passive, direct or
indirect.

9. exploit a technique used to compromise a system.

10. vulnerability a potential weakness in an asset or its defensive control
system(s).

11. intellectual property (IP) the creation, ownership, and control of original
ideas as well as the representation of those ideas.

12. software piracy the unauthorized duplication, installation, or distribution
of copyrighted computer software, which is a violation of
intellectual property.

13. availability disruption an interruption in service, usually from a service
provider, which causes an adverse event within an organization.

14. downtime the percentage of time a particular service is not available;
the opposite of uptime.

15. service level agreement (SLA) a document or part of a document that
specifies the expected level of service from a service provider.
An SLA usually contains provisions for the minimum acceptable
availability and penalties or remediation procedures for
downtime.

16. uptime the percentage of time a particular service is available; the
opposite of downtime.

17. blackout a long-term interruption (outage) in electrical power
availability.

18. brownout a long-term decrease in electrical power availability.

19. fault a short-term interruption in electrical power availability.

20. sag a short-term decrease in electrical power availability.

21. noise the presence of additional and disruptive signals in network
communications or electrical power delivery.

22. spike a short-term increase in electrical power availability; also
known as a swell.

23. surge a long-term increase in electrical power availability.

24. competitive intelligence the collection and analysis of information about
an organization's business competitors through legal and
ethical means to gain business intelligence and competitive
advantage.

25. industrial espionage the collection and analysis of information about an
organization's business competitors, often through illegal or
unethical means, to gain an unfair competitive advantage.
Also known as corporate spying, which is distinguished from
espionage conducted for national security reasons.

26. shoulder surfing the direct, covert observation of individual information
or system use.

27. expert hacker ("elite hacker") a hacker who uses extensive knowledge of the
inner workings of computer hardware and software to gain
unauthorized access to systems and information. Expert
hackers often create the automated exploits, scripts, and
tools used by other hackers.

28. hacker a person who accesses systems and information without
authorization and often illegally.

29. jailbreaking escalating privileges to gain administrator-level (root)
control over a smartphone operating system; the term is
usually applied to Apple iOS devices.

30. novice hacker a relatively unskilled hacker who uses the work of expert
hackers to perform attacks. Also called newbies, n00bs,
script kiddies, and packet monkeys.

31. packet monkey a script kiddie who uses automated exploits to engage in
denial-of-service attacks.

32. penetration tester an information security professional with authorization
to attempt to gain system access in an effort to identify and
recommend resolutions for vulnerabilities in those systems.

33. privilege escalation the unauthorized modification of an authorized or
unauthorized system user account to gain access and control
over system resources.

34. professional hacker a hacker who conducts attacks for personal financial
benefit or for a criminal organization or foreign government.
Not to be confused with a penetration tester.

35. rooting escalating privileges to gain administrator-level control over
a computer system; the term is usually applied to Android
devices.

36. script kiddie a hacker of limited skills who uses expertly written
software to attack a system.

37. trespass unauthorized entry into the real or virtual property of
another party.

38. cracker a hacker who intentionally removes or bypasses software
copyright protection designed to prevent unauthorized
duplication or use.

39. phreaker a hacker who manipulates the public telephone system to
make free calls or disrupt services.

40. 10.4 Password Rule an industry recommendation for password structure and
strength that specifies passwords should be at least 10
characters long and contain at least one uppercase letter,
one lowercase letter, one number, and one special character.
Note that current guidance such as NIST SP 800-63B favors
length and screening against lists of breached passwords over
composition rules like this one.

41. brute force password attack an attempt to guess a password by attempting
every possible combination of characters and numbers in it.

42. cracking attempting to reverse-engineer, remove, or bypass a
password or other access control protection, such as the
copyright protection on software.

43. dictionary password attack a variation of the brute force password attack
that attempts to narrow the range of possible passwords guessed
by using a list of common passwords and possibly including
attempts based on the target's personal information.

44. rainbow table a table of hash values and their corresponding plaintext
values that can be used to look up password values if an
attacker is able to steal a system's password hash file (often
called the encrypted password file). Hashing each password
with a unique random salt defeats a precomputed table, because
the table would have to be rebuilt for every salt.

45. Electrostatic Discharge (ESD) static electricity. A discharge can destroy
sensitive electronic components, and static charge attracts
dust that sticks to products, causing millions of dollars of
damage.

46. advance-fee fraud (AFF) a form of social engineering, typically conducted
via email, in which an organization or some third party
indicates that the recipient is due an exorbitant amount of
money and needs only a small advance fee or personal banking
information to facilitate the transfer.

47. phishing a form of social engineering in which the attacker provides
what appears to be a legitimate communication (usually
email), but it contains hidden or embedded code that
redirects the reply to a third-party site in an effort to extract
personal or confidential information.

48. pretexting a form of social engineering in which the attacker pretends
to be an authority figure who needs information to confirm
the target's identity, but the real object is to trick the
target into revealing confidential information. Usually
performed by telephone.

49. social engineering the process of using social skills to convince people
to reveal access credentials or other valuable information to
an attacker.

50. spear phishing any highly targeted phishing attack.

51. information extortion the act of an attacker or trusted insider who steals
or interrupts access to information from a computer system and
demands compensation for its return or for an agreement not to
disclose the information. Also known as cyberextortion.

52. ransomware computer software specifically designed to identify and
encrypt valuable information in a victim's system in order to
extort payment for the key needed to unlock the encryption.

53. vandalism on a website damage can range from lost consumer confidence to
diminished sales, net worth, and reputation for the
organization.

54. cyberactivist/hacktivist a hacker who seeks to interfere with or disrupt
systems to protest the operations, policies, or actions of an
organization or government agency.

55. cyberterrorist a hacker who attacks systems to conduct terrorist
activities via networks or Internet pathways.

56. cyberwarfare ("information warfare") formally sanctioned offensive
operations conducted by a government or state against the
information or systems of another government or state.

57. adware malware intended to provide undesired marketing and
advertising, including popups and banners on a user's
screens.

58. boot virus ("boot sector virus") a virus that targets the boot sector or
Master Boot Record (MBR) of a computer system's hard drive or
removable storage media.

59. macro virus a virus written in a specific macro language to target
applications that use the language. It is activated when the
application's product (the document) is opened, and typically
affects documents, slideshows, e-mails, or spreadsheets
created by office suites.

60. malicious code/malicious software/malware computer software specifically
designed to perform malicious or unwanted actions.

61. memory-resident virus ("resident virus") a virus that is capable of
installing itself in a computer's operating system, starting
when the computer is activated, and residing in the system's
memory even after the host application is terminated.

62. non-memory-resident virus ("non-resident virus") a virus that terminates
after it has been activated, infected its host system, and
replicated itself. Non-memory-resident viruses do not reside in
the host's operating system or memory after execution.

63. polymorphic threat malware (a virus or worm) that over time changes the
way it appears to antivirus software programs, making it
undetectable by techniques that look for preconfigured
signatures.

64. spyware any technology that aids in gathering information about
people or organizations without their knowledge.

65. Trojan horse a malware program that hides its true nature and reveals
its designed behavior only when activated.

66. virus a type of malware that is attached to other executable
programs. When activated, it replicates and propagates itself
to multiple systems, spreading by multiple communications
vectors.

67. virus hoax a message that reports the presence of a nonexistent
virus or worm and wastes valuable time as employees share
the message.

68. worm a type of malware that is capable of activation and
replication without being attached to an existing program.

69. zero-day attack an attack that makes use of malware that is not yet
known to the anti-malware software companies; more generally,
an attack that exploits a vulnerability for which no patch or
signature yet exists, so defenders have had "zero days" to
prepare.

70. vector: IP scan and attack the infected system scans a range of IP
addresses and service ports and targets several vulnerabilities
known to hackers or left over from other exploits.

71. vector: web browsing if the infected system has write access to any web
pages, it makes all web content files infectious. Users who
browse to those pages infect their computers.

72. vector: virus each affected machine infects common executable or script
files on all computers to which it can write, which spreads
the virus code to cause further infection.

73. vector: unprotected shares using vulnerabilities in file systems and in
the way many organizations configure them, the infected machine
copies the viral component to all locations it can reach.

74. vector: mass mail by sending email infections to addresses found in the
address book, the affected machine infects many other users,
whose mail-reading programs automatically run the virus
program and infect more systems.

75. vector: Simple Network Management Protocol (SNMP) SNMP is used for remote
management of network and computer devices. By using the widely
known default community strings (passwords, such as "public" and
"private") that were employed in early versions of the protocol,
the attacking program can gain control of the device.
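The "IP scan and attack" vector above is what a scanning detector looks for on the network: one source touching many distinct host/port pairs in a short window. The following is an added example, not part of the original flashcard sets; the firewall-style log format and the log lines are constructed for the example and do not come from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any vendor's real format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed sample: 10.0.0.5 sweeps ten host/port pairs in five seconds,
# 10.0.0.9 is ordinary HTTPS traffic, and 10.0.0.5 later makes one benign hit.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=10.0.0.5 dst=10.0.1.20 dport=21 action=deny
2024-03-01T10:00:01 src=10.0.0.5 dst=10.0.1.20 dport=22 action=deny
2024-03-01T10:00:02 src=10.0.0.5 dst=10.0.1.20 dport=23 action=deny
2024-03-01T10:00:02 src=10.0.0.5 dst=10.0.1.20 dport=25 action=deny
2024-03-01T10:00:03 src=10.0.0.5 dst=10.0.1.20 dport=80 action=allow
2024-03-01T10:00:03 src=10.0.0.5 dst=10.0.1.20 dport=135 action=deny
2024-03-01T10:00:04 src=10.0.0.5 dst=10.0.1.21 dport=139 action=deny
2024-03-01T10:00:04 src=10.0.0.5 dst=10.0.1.21 dport=445 action=allow
2024-03-01T10:00:05 src=10.0.0.5 dst=10.0.1.21 dport=3389 action=deny
2024-03-01T10:00:05 src=10.0.0.5 dst=10.0.1.21 dport=8080 action=deny
2024-03-01T10:00:06 src=10.0.0.9 dst=10.0.1.30 dport=443 action=allow
2024-03-01T10:00:40 src=10.0.0.9 dst=10.0.1.30 dport=443 action=allow
2024-03-01T10:30:00 src=10.0.0.5 dst=10.0.1.30 dport=443 action=allow
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport, action); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["dport"]), m["action"])


def detect_scans(text, threshold=8, window=timedelta(seconds=60)):
    """Flag every source that touches at least `threshold` distinct (host, port)
    pairs inside some sliding time window. Distinct targets are counted rather
    than packets, so a busy but legitimate client hitting one service is not
    flagged. Returns one alert per source describing its densest window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, action in sorted(parse_log(text)):
        by_src[src].append((ts, dst, dport, action))

    alerts = []
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            targets = {(dst, port) for _, dst, port, _ in span}
            if len(targets) >= threshold and (best is None or len(targets) > best["targets"]):
                best = {
                    "src": src,
                    "targets": len(targets),
                    "denied": sum(1 for e in span if e[3] == "deny"),
                    "first": span[0][0],
                    "last": span[-1][0],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the tuning knobs: a low threshold catches slow scans but raises false positives from monitoring hosts and vulnerability scanners, which you would allow-list by source rather than by loosening the rule.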

76. back door/maintenance hook/trap door a malware payload that provides
access to a system by bypassing normal access controls. A back
door may also be an intentional access control bypass left by a
system designer to facilitate development.

77. bot/zombie an automated software program that executes certain
commands when it receives a specific input.

78. denial-of-service (DoS) attack an attack that attempts to overwhelm a
computer target's ability to handle incoming communications,
prohibiting legitimate users from accessing those systems.

79. distributed denial-of-service (DDoS) attack a DoS attack in which a
coordinated stream of requests is launched against a target
from many locations at the same time using bots or zombies.

80. mail bomb an attack designed to overwhelm the receiver with
excessive quantities of e-mail.

81. spam undesired e-mail, typically commercial advertising
transmitted in bulk.
82. Domain Name System (DNS) cache poisoning ("DNS spoofing") the intentional
corruption of a DNS server's records or cache, for example by
injecting forged responses, to redirect legitimate traffic to
illegitimate Internet locations.

83. man-in-the-middle a group of attacks whereby a person intercepts a
communication stream and inserts himself in the conversation
to convince each of the legitimate parties that he is the other
communications partner. Some man-in-the-middle attacks involve
encryption functions.

84. packet sniffer/sniffer a software program or hardware appliance that can
intercept, copy, and interpret network traffic.

85. pharming the redirection of legitimate user Web traffic to illegitimate
Web sites with the intent to collect personal information.

86. spoofing a technique used for gaining unauthorized access to
computers using a forged or modified source IP address to give
the perception that messages are coming from a trusted host.

87. TCP hijacking/session hijacking a form of man-in-the-middle attack whereby
the attacker inserts himself into TCP/IP-based communications.

88. TCP/IP Transmission Control Protocol/Internet Protocol.

89. mean time between failures (MTBF) average amount of time between hardware
failures, calculated as the total amount of operation time for
a specified number of units divided by the number of failures.

90. mean time to diagnose (MTTD) average amount of time a computer repair
technician needs to determine the cause of a failure.

91. mean time to failure (MTTF) average amount of time until the next
hardware failure.

92. mean time to repair (MTTR) average amount of time a computer repair
technician needs to resolve the cause of a failure through
replacement or repair of the faulty unit.
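The MTBF/MTTR entries above, together with the uptime, downtime and SLA entries earlier in this set, are the inputs to availability arithmetic. The following is an added example, not part of the original flashcard sets, showing how the definitions combine: steady-state availability from MTBF and MTTR, the downtime budget an SLA percentage implies, and a check of a constructed outage log against that budget. The outage records are constructed for the example.

```python
from datetime import datetime, timedelta


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: the fraction of time a unit is up when, on
    average, each MTBF hours of operation is followed by MTTR hours of repair."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def mtbf_from_history(total_operating_hours: float, failures: int) -> float:
    """MTBF as the glossary defines it: total operating time for the units
    observed, divided by the number of failures seen."""
    if failures < 1:
        raise ValueError("MTBF is undefined with no observed failures")
    return total_operating_hours / failures


def downtime_budget(sla_pct: float, period: timedelta) -> timedelta:
    """Downtime that an SLA promising `sla_pct` availability permits per period."""
    return period * ((100.0 - sla_pct) / 100.0)


# Constructed outage records for one 30-day period: (start, end).
OUTAGES = [
    (datetime(2024, 3, 3, 2, 10), datetime(2024, 3, 3, 2, 25)),    # 15 minutes
    (datetime(2024, 3, 14, 9, 0), datetime(2024, 3, 14, 9, 40)),   # 40 minutes
]


def sla_report(outages, sla_pct: float, period: timedelta = timedelta(days=30)) -> dict:
    """Sum the outage durations, express them as uptime/downtime percentages,
    and compare against the SLA's downtime budget for the period."""
    downtime = sum((end - start for start, end in outages), timedelta())
    downtime_pct = 100.0 * (downtime / period)
    budget = downtime_budget(sla_pct, period)
    return {
        "downtime": downtime,
        "downtime_pct": round(downtime_pct, 4),
        "uptime_pct": round(100.0 - downtime_pct, 4),
        "budget": budget,
        "breached": downtime > budget,
    }


if __name__ == "__main__":
    print("availability at MTBF=1000h, MTTR=2h:", round(availability(1000, 2), 6))
    print("99.9% SLA allows per 30 days:", downtime_budget(99.9, timedelta(days=30)))
    print(sla_report(OUTAGES, 99.9))
```

Note that the same 55 minutes of outage breaches a 99.9% SLA (about 43 minutes of budget per 30 days) but not a 99% SLA (about 7.2 hours), which is why the availability figure in an SLA matters more than the remediation clause.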

93. buffer overrun ("buffer overflow") an application error that occurs when
more data is sent to a program buffer than it is designed to
handle.

94. command injection an application error that occurs when user input is
passed directly to a compiler or interpreter (such as a command
shell) without screening for content that may disrupt or
compromise the intended function.

95. cross-site scripting (XSS) a web application fault that occurs when an
application running on a web server inserts attacker-supplied
commands (script) into a user's browser session and causes
information to be sent to a hostile server.

96. integer bug a class of computational error caused by the methods that
computers use to store and manipulate integer numbers
(fixed-width storage that wraps around on overflow); the bug can
be exploited by hackers.
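Three of the four application errors above can be shown in a memory-safe language; the buffer overrun cannot, since Python bounds-checks its containers, so it is left out here. The following is an added example, not part of the original flashcard sets: the integer bug is emulated by masking arithmetic to 32 bits the way C's uint32_t behaves, the command injection example only builds the command (it never runs a shell), and the XSS example renders HTML with and without escaping. Function names, sizes and the sample inputs are constructed for the example.

```python
import html
import re

# ---- integer bug: fixed-width arithmetic wraps around ----------------------
MASK32 = 0xFFFFFFFF  # Python ints never overflow, so emulate C's uint32_t


def u32(n: int) -> int:
    """Reduce n to an unsigned 32-bit value (what C silently does)."""
    return n & MASK32


BUF_SIZE = 4096    # constructed buffer size for the example
HEADER_LEN = 16    # constructed fixed header length


def length_check_buggy(payload_len: int) -> bool:
    """Mirrors the C pattern `if (payload_len + HEADER_LEN <= BUF_SIZE) copy(...)`.
    A payload_len close to 2**32 makes the sum wrap to a small number, the
    check passes, and the copy that follows would overrun the buffer."""
    return u32(payload_len + HEADER_LEN) <= BUF_SIZE


def length_check_fixed(payload_len: int) -> bool:
    """Rearranged so nothing is added: compare against the room that is left."""
    return u32(payload_len) <= BUF_SIZE - HEADER_LEN


# ---- command injection: shell string versus argv list ----------------------
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: letters, digits, dots and hyphens only."""
    return HOSTNAME_RE.match(host) is not None


def ping_command_vulnerable(host: str) -> str:
    """Builds one string for a shell (e.g. subprocess.run(cmd, shell=True)).
    Shell metacharacters in `host` become additional commands."""
    return f"ping -c 1 {host}"


def ping_command_safe(host: str) -> list:
    """Validate first, then return an argv list for subprocess.run(argv):
    with no shell in the path, `;` or `|` inside `host` is just a byte in
    one argument, not a command separator."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


# ---- cross-site scripting: untrusted text placed into HTML -----------------
def greeting_vulnerable(name: str) -> str:
    """Interpolates user input straight into markup; a <script> tag in `name`
    runs in every visitor's browser."""
    return f"<p>Hello, {name}</p>"


def greeting_safe(name: str) -> str:
    """Escape &, <, >, and quotes so the browser renders the input as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    print("buggy check passes 0xFFFFFFF0:", length_check_buggy(0xFFFFFFF0))
    print("fixed check passes 0xFFFFFFF0:", length_check_fixed(0xFFFFFFF0))
    print(ping_command_vulnerable("8.8.8.8; id"))
    print(greeting_safe("<script>alert(1)</script>"))
```

The common thread is the glossary's own definition of command injection: input that reaches an interpreter (a shell, an HTML parser, or the arithmetic that sizes a copy) without being constrained to the shape the program expects.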

97. Secure Sockets Layer (SSL) a protocol used to encrypt sensitive data in
transit, such as credit card numbers. SSL itself is obsolete;
its successor, Transport Layer Security (TLS), is what current
systems use.

98. theft the illegal taking of another's property, which can be
physical, electronic, or intellectual.

Information Security - Chapter 2
Study online at https://quizlet.com/_2fuek2

1. information asset the focus of information security; information that has
value to an organization, and the systems that store,
process, and transmit the information

2. four important functions of information security
1. protecting the organization's ability to function
2. protecting the data and information the organization collects and uses
3. enabling the safe operation of applications running on the organization's IT systems
4. safeguarding the organization's technology assets

3. attack an ongoing act against an asset that could result in a
loss of its value

4. exploit a technique or piece of code that takes advantage of a
vulnerability to cause a loss to an asset

5. threat a potential risk of an asset's loss of value

6. threat agent a person or other entity that may cause a loss in an
asset's value

7. vulnerability a potential weakness in an asset or its defensive control
systems

8. intellectual property (IP) the creation, ownership, and control of original
ideas as well as the representation of those ideas

9. service level agreement (SLA) a document or part of a document that
specifies the expected level of service from a service provider;
usually contains provisions for minimum acceptable availability
and penalties or remediation procedures for downtime

10. brownout a long-term decrease in electrical power availability

11. fault a short-term interruption in electrical availability (a short
blackout)

12. competitive intelligence the collection and analysis of information about
an organization's business competitors through legal and
ethical means to gain business intelligence and competitive
advantage

13. industrial espionage the collection and analysis of information about an
organization's business competitors, often through illegal or
unethical means, to gain an unfair competitive advantage;
also known as corporate spying, which is distinguished from
espionage for national security reasons

14. jailbreaking escalating privileges to gain administrator-level control
over a smartphone operating system; also "rooting"

15. cracker a hacker who intentionally removes or bypasses software
copyright protection designed to prevent unauthorized
duplication or use

16. phreaker a hacker who manipulates the public telephone system
to make free calls or disrupt services

17. 10.4 password rule industry recommendation that a password be at least 10
characters long and contain at least one uppercase letter, one
lowercase letter, one number, and one special character

18. advance-fee fraud a form of social engineering (typically done through
e-mail) in which someone indicates that the recipient is due
an exorbitant amount of money and needs only a small advance
fee or personal banking information to facilitate the transfer

19. phishing a form of social engineering in which the attacker provides
what appears to be a legitimate communication (usually
e-mail), but it contains hidden or embedded code that
redirects the reply to a third-party site in an effort to
extract personal or confidential information

20. pretexting a form of social engineering in which the attacker pretends
to be an authority figure who needs information to confirm
the target's identity; commonly performed by telephone
21. information extortion the act of an attacker or trusted insider who steals
information from a computer system and demands compensation
for its return or for an agreement not to disclose the
information; aka cyberextortion

22. denial-of-service (DoS) attack an attack that attempts to overwhelm a
computer target's ability to handle incoming communications,
prohibiting legitimate users from accessing those systems

23. distributed denial-of-service (DDoS) attack a DoS attack in which a
coordinated stream of requests is launched against a target
from many locations at the same time using bots or zombies

24. pharming the redirection of legitimate user Web traffic to illegitimate
Web sites with the intent to collect personal information

Chapter 2 Review
Study online at https://quizlet.com/_2gzujy

1. Data Items of fact collected by an organization. Data includes
raw numbers, facts, and words. Student quiz scores are a
simple example of data.

2. Information Data that has been organized, structured, and presented
to provide additional insight into its context, worth, and
usefulness.

3. Information Asset The focus of information security; information that has
value to the organization, and the systems that store,
process, and transmit the information.

4. Data Security Commonly used as a surrogate for information security,
data security is the focus of protecting data or information
in its various states: at rest (in storage), in processing, and
in transmission (over networks).

5. Database Security A subset of information security that focuses on the
assessment and protection of information stored in data
repositories like database management systems and storage
media.

6. Attack An ongoing act against an asset that could result in a loss
of its value.

7. Exploit A technique or piece of code that takes advantage of a
vulnerability to cause a loss to an asset.

8. Threat A potential risk of an asset's loss of value.

9. Threat Agent A person or other entity that may cause a loss in an asset's
value.

10. Vulnerability A potential weakness in an asset or its defensive control
system(s).

11. Intellectual Property (IP) The creation, ownership, and control of original
ideas as well as the representation of those ideas.

12. Software Piracy The unauthorized duplication, installation, or distribution
of copyrighted computer software, which is a violation of
intellectual property.

13. Availability Disruption An interruption in service, usually from a service
provider, which causes an adverse event within an organization.

14. Downtime The percentage of time a particular service is not
available; the opposite of uptime.

15. Service Level Agreement (SLA) A document or part of a document that
specifies the expected level of service from a service provider.
An SLA usually contains provisions for minimum acceptable
availability and penalties or remediation procedures for
downtime.

16. Uptime The percentage of time a particular service is available;
the opposite of downtime.

17. Blackout A long-term interruption (outage) in electrical power
availability.

18. Brownout A long-term decrease in electrical power availability.

19. Fault A short-term interruption in electrical power availability.

20. Noise The presence of additional and disruptive signals in
network communications or electrical power delivery.

21. Sag A short-term decrease in electrical power availability.

22. Spike A short-term increase in electrical power availability, also
known as a swell.

23. Surge A long-term increase in electrical power availability.

24. Competitive Intelligence The collection and analysis of information about
an organization's business competitors through legal and
ethical means to gain business intelligence and competitive
advantage.
25. Industrial Espionage The collection and analysis of information about an
organization's business competitors, often through illegal or
unethical means, to gain an unfair competitive advantage.
Also known as corporate spying, which is distinguished
from espionage for national security reasons.

26. Shoulder Surfing The direct, covert observation of individual information
or system use.

27. Expert Hacker A hacker who uses extensive knowledge of the inner
workings of computer hardware and software to gain
unauthorized access to systems and information. Also known
as elite hackers, expert hackers often create automated
exploits, scripts, and tools used by other hackers.

28. Hacker A person who accesses systems and information without
authorization and often illegally.

29. Jailbreaking Escalating privileges to gain administrator-level control
over a smartphone operating system (typically associated
with Apple iOS smartphones).

30. Novice Hacker A relatively unskilled hacker who uses the work of expert
hackers to perform attacks. Also known as a neophyte,
n00b, or newbie. This category of hackers includes script
kiddies and packet monkeys.

31. Packet Monkey A script kiddie who uses automated exploits to engage in
denial-of-service attacks.

32. Penetration Tester An information security professional with authorization
to attempt to gain system access in an effort to identify and
recommend resolutions for vulnerabilities in those systems.

33. Privilege Escalation The unauthorized modification of an authorized or
unauthorized system user account to gain advanced access
and control over system resources.

34. Professional Hacker A hacker who conducts attacks for personal financial
benefit or for a criminal organization or foreign government.
Not to be confused with a penetration tester.

35. Rooting Escalating privileges to gain administrator-level control
over a computer system (including smartphones). Typically
associated with Android OS smartphones.

36. Script Kiddie A hacker of limited skill who uses expertly written
software to attack a system. Also known as skids, skiddies, or
script bunnies.

37. Trespass Unauthorized entry into the real or virtual property of
another party.

38. Cracker A hacker who intentionally removes or bypasses software
copyright protection designed to prevent unauthorized
duplication or use.

39. Phreaker A hacker who manipulates the public telephone system to
make free calls or disrupt services.

40. 10.4 Password Rule An industry recommendation for password structure and
strength that specifies passwords should be at least 10
characters long and contain at least one uppercase letter,
one lowercase letter, one number, and one special character.

41. Brute Force Password Attack An attempt to guess a password by attempting
every possible combination of characters and numbers in it.

42. Cracking Attempting to reverse-engineer, remove, or bypass a
password or other access control protection, such as the
copyright protection on software.

43. Dictionary Password Attack A variation of the brute force password attack
that attempts to narrow the range of possible passwords
guessed by using a list of common passwords and possibly
including attempts based on the target's personal
information.

44. Rainbow Table A table of hash values and their corresponding plaintext
values that can be used to look up password values if an
attacker is able to steal a system's password hash file (often
called the encrypted password file). Per-user salts defeat
precomputed tables, because a table built for one salt is
useless against any other.
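The password entries (10.4 password rule, brute force, dictionary attack, rainbow table) in this set and the matching entries 40 through 44 in the first set describe one chain of reasoning: a composition rule bounds the brute-force keyspace, a wordlist shortcuts it, an unsalted hash file lets one precomputed table serve every account, and a per-user salt with a slow hash breaks that sharing. The following is an added example, not part of the original flashcard sets, that carries that chain through in code. The wordlist, the "stolen" hash files and the user passwords are constructed for the example; PBKDF2 stands in here for whatever slow password hash a real system uses.

```python
import hashlib
import os
import string

SPECIALS = set(string.punctuation)


def meets_10_4_rule(pw: str) -> bool:
    """The glossary's 10.4 rule: at least 10 characters with at least one
    uppercase letter, one lowercase letter, one digit and one special."""
    return (len(pw) >= 10
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def brute_force_guesses(length: int, alphabet_size: int = 94) -> int:
    """Worst-case guesses for an exhaustive search over printable ASCII."""
    return alphabet_size ** length


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed wordlist and constructed "stolen" hash file. The file stores
# unsalted SHA-256, the situation a rainbow table or lookup table is built for.
WORDLIST = ["password", "letmein", "Welcome1!", "Password1!", "Summer2024!"]
UNSALTED_FILE = {
    "alice": sha256_hex("Password1!"),                 # passes 10.4, in every wordlist
    "bob":   sha256_hex("pelican-quartz-34-Lantern"),  # not in the wordlist
}


def dictionary_attack_unsalted(hash_file: dict, wordlist: list) -> tuple:
    """Hash each candidate once into a hash -> word table (a tiny lookup table),
    then every stolen hash costs one dictionary probe. Returns
    (cracked accounts, number of hash computations)."""
    table = {sha256_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in hash_file.items() if h in table}
    return cracked, len(wordlist)


def hash_salted(pw: str, salt: bytes, iterations: int = 50_000) -> str:
    """PBKDF2-HMAC-SHA256: a per-user salt plus a deliberately slow hash."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def make_salted_file(creds: dict) -> dict:
    """Store (salt, hash) per user; salts are random and need not be secret."""
    out = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        out[user] = (salt.hex(), hash_salted(pw, salt))
    return out


def dictionary_attack_salted(hash_file: dict, wordlist: list) -> tuple:
    """No table can be shared between users: each salt forces the attacker to
    rehash the whole wordlist per account, and each hash is slow. Returns
    (cracked accounts, number of hash computations)."""
    cracked, work = {}, 0
    for user, (salt_hex, h) in hash_file.items():
        for word in wordlist:
            work += 1
            if hash_salted(word, bytes.fromhex(salt_hex)) == h:
                cracked[user] = word
                break
    return cracked, work


SALTED_FILE = make_salted_file({"alice": "Password1!",
                                "bob": "pelican-quartz-34-Lantern"})

if __name__ == "__main__":
    print("10-char brute force keyspace:", brute_force_guesses(10))
    print("unsalted:", dictionary_attack_unsalted(UNSALTED_FILE, WORDLIST))
    print("salted:  ", dictionary_attack_salted(SALTED_FILE, WORDLIST))
```

Two things to take from running it: "Password1!" satisfies the 10.4 rule and still falls to a five-word list, which is why composition rules have given way to breached-password screening; and salting does not save a weak password, it only removes the shared precomputed table and multiplies the attacker's work by the number of accounts and by the cost of each slow hash.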

45. Advance-fee Fraud (AFF) A form of social engineering, typically conducted
via e-mail, in which an organization or some third party
indicates that the recipient is due an exorbitant amount of
money and needs only a small advance fee or personal
banking information to facilitate the transfer.

46. Phishing A form of social engineering in which the attacker provides
what appears to be a legitimate communication (usually
e-mail), but it contains hidden or embedded code that
redirects the reply to a third-party site in an effort to extract
personal or confidential information.

47. Pretexting A form of social engineering in which the attacker pretends
to be an authority figure who needs information to confirm
the target's identity, but the real object is to trick the target
into revealing confidential information. Pretexting is
commonly performed by telephone.

48. Social Engineering The process of using social skills to convince people to
reveal access credentials or other valuable information to
an attacker.

49. Spear Phishing Any highly targeted phishing attack.

50. Information Extortion The act of an attacker or trusted insider who steals
information from a computer system and demands compensation
for its return or for an agreement not to disclose the
information. Also known as cyberextortion.

51. Cyberactivist/Hacktivist A hacker who seeks to interfere with or disrupt
systems to protest the operations, policies, or actions of an
organization or government agency.

52. Cyberterrorist A hacker who attacks systems to conduct terrorist activities
via networks or Internet pathways.

53. Cyberwarfare Formally sanctioned offensive operations conducted by
a government or state against information or systems of
another government or state.

54. Adware Malware intended to provide undesired marketing and
advertising, including popups and banners on a user's
screens.

55. Boot Virus Also known as a boot sector virus, a type of virus that
targets the boot sector or Master Boot Record (MBR)
of a computer system's hard drive or removable storage
media.

56. Macro Virus A type of virus written in a specific macro language to
target applications that use the language. The virus is
activated when the application's product is opened. A macro
virus typically affects documents, slideshows, e-mails, or
spreadsheets created by office suite applications.

57. Malware Computer software specifically designed to perform malicious
or unwanted actions.

58. Memory-resident Virus A virus that is capable of installing itself in a
computer's operating system, starting when the computer is
activated, and residing in the system's memory even after the
host application is terminated. Also known as a resident virus.

59. Non-memory-resident Virus A virus that terminates after it has been
activated, infected its host system, and replicated itself. NMR
viruses do not reside in an operating system or memory after
executing. Also known as a non-resident virus.

60. Polymorphic Threat Malware (a virus or worm) that over time changes the
way it appears to antivirus software programs, making
it undetectable by techniques that look for preconfigured
signatures.
61. Spyware Any technology that aids in gathering information about
people or organizations without their knowledge.

62. Trojan Horse A malware program that hides its true nature and reveals
its designed behavior only when activated.

63. Virus A type of malware that is attached to other executable


programs. When activated, it replicates and propagates
itself to multiple systems, spreading by multiple communi-
cations vectors. For example, a virus might send copies of
itself to all users in the infected system's e-mail program.

64. Virus Hoax A message that reports the presence of a nonexistent


virus or worm and wastes valuable time as employees
share the message.

65. Worm A type of malware that is capable of activation and repli-


cation without being attached to an existing program.

66. Back Door: A malware payload that provides access to a system by bypassing normal access controls. A back door is also an intentional access control bypass left by a system designer to facilitate development. Also known as a maintenance hook or trap door.

67. Bot: An abbreviation of robot; an automated software program that executes certain commands when it receives a specific input. See also Zombie.

68. Denial-of-Service (DoS) Attack: An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.

69. Distributed Denial-of-Service (DDoS) Attack: A DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.

70. Mail Bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.

71. Spam: Undesired e-mail, typically commercial advertising transmitted in bulk.

72. Domain Name System (DNS) Cache Poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations. Also known as DNS spoofing.

73. Man-in-the-Middle: A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner. Some man-in-the-middle attacks involve encryption functions.

74. Packet Sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.

75. Pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.

76. Spoofing: A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.

77. TCP Hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications. TCP/IP is short for Transmission Control Protocol/Internet Protocol. Also known as session hijacking.

78. Mean Time Between Failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.

79. Mean Time to Diagnose (MTTD): The average amount of time a computer repair technician needs to determine the cause of a failure.

80. Mean Time to Failure (MTTF): The average amount of time until the next hardware failure.

81. Mean Time to Repair (MTTR): The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.

82. Buffer Overrun/Buffer Overflow: An application error that occurs when more data is sent to a program buffer than it is designed to handle.

83. Command Injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.

84. Cross-site Scripting (XSS): A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.

85. Integer Bug: A class of computational error caused by the methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.

86. Theft: The illegal taking of another's property, which can be physical, electronic, or intellectual.

Chapter 3 - Legal Ethical and Professional Issues in Information Security
Study online at https://quizlet.com/_a8omp5

1. For policy to become enforceable, it only needs to be distributed, read, understood, and agreed to. T/F Answer: False (it must also be uniformly enforced).

2. In a study of software license infringement, those from the United States were significantly more permissive than those from the Netherlands and other countries. T/F Answer: False.

3. In the context of information security, confidentiality is the right of the individual or group to protect themselves and their information from unauthorized access. T/F Answer: False (this describes privacy).

4. The Computer Security Act of 1987 is the cornerstone of many computer-related federal laws and enforcement efforts; it was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1987. T/F Answer: False (the cornerstone is the Computer Fraud and Abuse Act of 1986).

5. The Department of Homeland Security (DHS) works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research. T/F Answer: True.

6. The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage. T/F Answer: True.

7. Criminal law addresses activities and conduct harmful to society and is categorized as private or public. T/F Answer: True.

8. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group. T/F Answer: True.

9. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. T/F Answer: True.

10. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act? Answer: Financial Services Modernization Act.

11. Civil law addresses activities and conduct harmful to society and is actively enforced by the state. T/F Answer: False.

12. The Health Insurance Portability and Accountability Act of 1996, also known as the ___________ Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange. Answer: Kennedy-Kassebaum.

13. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage ___________. Answer: by accident.

14. Employees are not deterred by the potential loss of certification or professional accreditation resulting from a breach of a code of conduct, as this loss has no effect on an employee's marketability and earning power. T/F Answer: False.

15. The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. T/F Answer: False.

16. What is the subject of the Computer Security Act? Answer: Federal agency information security.

17. Cultural differences can make it difficult to determine what is and is not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal. T/F Answer: False.

18. The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, those resources. T/F Answer: False.

19. Since it was established in January 2001, every FBI field office has established an InfraGard program to collaborate with public and private organizations and the academic community. T/F Answer: True.

20. Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? Answer: Electronic Communications Privacy Act.

21. ___________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Answer: Public.

22. Laws and policies and their associated penalties only deter if which of the following conditions is present? Answer: All of the above: the probability of the penalty being administered, the probability of being caught, and fear of the penalty.

23. Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms. T/F Answer: False (the three general causes are ignorance, accident, and intent).

24. Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses? Answer: Computer Fraud and Abuse Act of 1986.

25. The ______________ defines stiffer penalties for prosecution of terrorist crimes. Answer: USA PATRIOT Act.

26. The Council of Europe Convention on Cyber-Crime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement, but has been well received by supporters of individual rights in the U.S. T/F Answer: False.

27. Key studies reveal that legal penalties are the overriding factor in leveling ethical perceptions within a small population. T/F Answer: False.

28. The difference between a policy and a law is that ignorance of a law is an acceptable defense. T/F Answer: False.

29. The ____________ attempts to prevent trade secrets from being illegally shared. Answer: Economic Espionage Act.

30. The U.S. Secret Service is currently a department within the Department of the Treasury. T/F Answer: False.

31. Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective. T/F Answer: True.

32. The NSA is responsible for signals intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the US and its allies under all circumstances. T/F Answer: True.

33. The Computer _____________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts. Answer: Fraud.

34. The Digital Millennium Copyright Act is the American law created in response to Directive 95/46/EC, adopted in 1995 by the European Union. T/F Answer: False (the DMCA is the U.S. contribution to the WIPO copyright effort; Directive 95/46/EC is the EU directive on the processing of personal data).

35. According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except _________________. Answer: to harass.

36. The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any ________ purposes. Answer: marketing.

37. The communications networks of the United States carry more funds than all of the armored cars in the world combined. T/F Answer: True.

38. The Gramm-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. T/F Answer: False.

39. Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources? Answer: Singapore.

40. The code of ethics put forth by (ISC)2 focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." T/F Answer: True.

41. Criminal or unethical ___________ goes to the state of mind of the individual performing the act. Answer: intent.

42. The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. T/F Answer: False.

43. __________ law comprises a wide variety of laws that govern a nation or state. Answer: Civil.

44. The United States has implemented a version of the DMCA law called the Database Right, in order to comply with Directive 95/46/EC. T/F Answer: False.

45. Ethics are the moral attitudes or customs of a particular group. T/F Answer: False.

46. Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught. T/F Answer: True.

47. The ____________ of 1999 provides guidance on the use of encryption and provides protection from government intervention. Answer: Security and Freedom through Encryption Act.

48. Privacy is the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality. T/F Answer: True.

49. The National Information Infrastructure Protection Act of 1996 modified which Act? Answer: Computer Fraud and Abuse Act.

50. Intellectual privacy is recognized as a protected asset in the United States. T/F Answer: False.

Chapter 3 - Legal, Ethical, and Professional Issues in Information Security
Study online at https://quizlet.com/_fzjyz

1. Laws: rules that mandate or prohibit certain societal behavior.

2. Ethics: a set of moral principles that may be held by a society, a group, or an individual.

3. Cultural Mores: fixed moral attitudes or customs of a particular group; ethics are based on these.

4. Laws carry the sanctions of a governing authority; ________ do not. Answer: ethics.

5. Civil Law: represents a wide variety of laws that are recorded in volumes of legal "code" available for review by the average citizen.

6. Criminal Law: addresses violations harmful to society; actively enforced by the state.

7. Tort Law: allows individuals to seek recourse against others in the event of personal, physical, or financial injury.

8. Does tort law fall under civil or criminal law? Answer: civil.

9. Liability: the legal obligation of an entity that extends beyond criminal or contract law; it includes the obligation to make restitution for wrongs committed.

10. Restitution: compensation for wrongs committed by an organization or its employees.

11. Due care: ensuring that employees know what constitutes acceptable behavior and know the consequences.

12. Due diligence: making a valid effort to protect others and continually maintaining that level of effort.

13. Jurisdiction: a court's right to hear a case if the wrong was committed in its territory or involved its citizenry (territorial jurisdiction).

14. Long-arm jurisdiction: the right of any court to impose its authority over an individual or organization if it can establish jurisdiction (by minimum contacts).

15. Policies: a body of expectations that describe acceptable and unacceptable employee behaviors in the workplace.

16. Policies function as ______ within an organization. Answer: laws.

17. Difference between policy and law: ignorance of a policy may be an acceptable defense.

18. Name the five criteria for policy enforcement:
1. Dissemination (distribution)
2. Review (reading)
3. Comprehension (understanding)
4. Compliance (agreement)
5. Uniform enforcement

19. Computer Security Act of 1987: one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

20. Computer Fraud and Abuse Act of 1986: the cornerstone of many computer-related federal laws and enforcement efforts.

21. USA PATRIOT Act of 2001: a U.S. federal law designed to strengthen the federal government's ability to investigate, prosecute, and seize the assets of terrorists.

22. USA PATRIOT Improvement and Reauthorization Act: made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity.

23. One of the hottest topics in information security: Privacy.

24. Privacy: a state of being free from unsanctioned intrusion.

25. Federal Privacy Act of 1974: regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission.

26. Role of HIPAA: protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.

27. What does HIPAA stand for? Health Insurance Portability and Accountability Act of 1996.

28. FOIA: the Freedom of Information Act allows any person to request access to federal agency records or information not determined to be a matter of national security.

29. Identity Theft: occurs when someone uses your personally identifying information (PII), such as your name, Social Security number, or credit card number, without your permission to commit fraud or other crimes.

30. U.S. Copyright Law: intellectual property is a protected asset in the U.S.; the U.S. copyright laws extend this privilege to the published word, including electronic formats.

31. Patent: an official document that gives a person or company the right to be the only one that makes or sells a product for a certain period of time.

32. Trademark: a brand that has exclusive legal protection for both its brand name and its design.

33. Fixed-medium copyright: copyright is a form of protection grounded in the U.S. Constitution and granted by law for original works of authorship fixed in a tangible medium of expression.

34. Intellectual Property: recognized as a protected asset in the U.S.

35. Fair use: allows copyrighted materials to be used to support news reporting, teaching, scholarship, and a number of similar activities.

36. World Trade Organization: administers the rules governing trade between its 144 members; helps producers, importers, and exporters conduct their business and ensures that trade flows smoothly.

37. What is the WTO's mechanism? It outlines requirements for governmental oversight and legislation of WTO member countries to provide minimum levels of protection for intellectual property.

38. DMCA: the Digital Millennium Copyright Act is the American contribution to an international effort by the WIPO to reduce the impact of copyright, trademark, and privacy infringement.

39. Ethics and Info Security: IT and IT security do not have binding codes of ethics; professional associations and certification agencies work to establish the profession's ethical codes of conduct.

40. Things important to educate employees on: policy and ethics.

41. Deterrence, the best method of preventing illegal or unethical activity: there are three general causes of unethical and illegal behavior: ignorance, accident, and intent.


42. What kind of differences can make it difficult to determine what is and is not ethical? Cultural differences.

43. CCI: Critical Characteristics of Information.

44. Homeland Security: created in 2003 by the Homeland Security Act of 2002, which was passed in response to the events of 9/11. The DHS is made up of 5 directorates.

45. FBI National InfraGard Program: began as a cooperative effort between the FBI's Cleveland Field Office and local technology professionals; the FBI sought assistance in determining a more effective method of protecting critical national information resources.

46. How does the National InfraGard serve its members?
1. Maintains an intrusion alert network using encrypted e-mail
2. Maintains a secure Web site for communication about suspicious activity or intrusions
3. Sponsors local chapter activities
4. Operates a help desk for questions

47. ARPANET: a computer network developed by the Advanced Research Projects Agency (now the Defense Advanced Research Projects Agency) in the 1960s and 1970s as a means of communication between research laboratories and universities. ARPANET was the predecessor to the Internet.

48. RAND Report R-609: a single paper sponsored by the DoD, which attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system.

Information Security and Risk Management
Study online at https://quizlet.com/_861xaz

1. Three major security goals promoted by ISC2 include which of the following?
a. Usability, integrity, and availability
b. Integrity, confidentiality, and authenticity
c. Accuracy, assurance, and accountability
d. Confidentiality, integrity, and availability
Answer: Confidentiality, integrity, and availability. Choice (d) is the correct answer.

2. Residual risk is calculated as which of the following?
a. Known risks minus unknown risks
b. Actual risks minus probable risks
c. Probable risks minus possible risks
d. Potential risks minus covered risks
Answer: Potential risks minus covered risks. Choice (d) is the correct answer. Potential risks include all possible and probable risks. Countermeasures cover some but not all potential risks.

3. Which of the following is the correct equation in risk management?
a. Risk management = Risk research + Risk analysis
b. Risk management = Risk analysis + Risk avoidance
c. Risk management = Risk assessment + Risk mitigation
d. Risk management = Risk transfer + Risk acceptance
Answer: Risk management = Risk assessment + Risk mitigation. Choice (c) is the correct answer. Risk management includes risk assessment and risk mitigation. Risk assessment is also called risk analysis. Risk mitigation includes risk transfer, risk reduction, risk avoidance, and risk acceptance. Risk research is a part of risk analysis.

4. What can be done with the residual risk?
a. It can be either assigned or accepted
b. It can be either identified or evaluated
c. It can be either reduced or calculated
d. It can be either exposed or assessed
Answer: It can be either assigned or accepted. Choice (a) is the correct answer. Residual risk is the remaining risk after countermeasures (controls) cover the risk population. The residual risk is either assigned to a third party (e.g., an insurance company) or accepted by management as part of doing business. It may not be cost effective to further reduce residual risk.

5. Which of the following is not part of risk analysis?
a. Assets
b. Threats
c. Vulnerabilities
d. Countermeasures
Answer: Countermeasures. Choice (d) is the correct answer. Countermeasures and safeguards come after performing risk analysis. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Assets, threats, and vulnerabilities are part of the risk analysis exercise.

6. Unacceptable risk is which of the following?
1. Attacker's cost < gain
2. Loss anticipated > threshold
3. Attacker's cost > gain
4. Loss anticipated < threshold
a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 3 and 4
Answer: 1 and 2. Choice (a) is the correct answer. Unacceptable risk is a situation where an attacker's cost is less than the gain and where the loss anticipated by an organization is greater than its threshold level. Choice (d) results in accepting the risk. The organization's goals should be to increase the attacker's cost and to reduce the organization's loss.

7. Security safeguards and controls cannot do which of the following?
a. Risk reduction
b. Risk avoidance
c. Risk elimination
d. Risk analysis
Answer: Risk analysis. Choice (d) is the correct answer. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is a management exercise performed before deciding on specific safeguards and controls. Choices (a), (b), and (c) are part of risk mitigation, which results from applying the selected safeguards and controls.

8. Selection and implementation of security controls refer to which of the following?
a. Risk analysis
b. Risk mitigation
c. Risk assessment
d. Risk management
Answer: Risk mitigation. Choice (b) is the correct answer. Risk mitigation involves the selection and implementation of security controls to reduce risks to an acceptable level. Risk analysis is the same as risk assessment. Risk management includes both risk analysis and risk mitigation.

9. Which of the following is closely linked to risk acceptance?
a. Risk detection
b. Risk prevention
c. Risk tolerance
d. Risk correction
Answer: Risk tolerance. Choice (c) is the correct answer. Risk tolerance is the level of risk an entity or a manager is willing to assume or accept in order to achieve a potential desired result. Some managers accept more risk than others due to their personal affinity toward risk.

10. The amount of risk an organization can handle should be based on which of the following?
a. Technological level
b. Acceptable level
c. Affordable level
d. Measurable level
Answer: Acceptable level. Choice (b) is the correct answer. Often, losses cannot be measured in monetary terms alone. Risk should be handled at an acceptable level for an organization. Both affordable and technological levels vary with the type of organization (e.g., small, medium, or large size; technology dependent or not).

11. In terms of information systems security, a risk is defined as which of the following combinations?
a. Attack plus vulnerability
b. Threat plus attack
c. Threat plus vulnerability
d. Threat plus breach
Answer: Threat plus vulnerability. Choice (c) is the correct answer. A vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system. The presence of a vulnerability does not in itself cause harm. It is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial of service. An attack is an attempt to violate data security. A risk is the probability that a particular threat will exploit a particular vulnerability of a system. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces the vulnerability of a system to a threat. A breach is the successful circumvention or disablement of a security control, with or without detection, which, if carried to completion, could result in a penetration of the system.

12. Risk management is made up of primary and secondary activities. Which of the following is an example of a secondary activity?
a. Risk data sources
b. Risk assessment
c. Risk mitigation
d. Risk methodology
Answer: Risk data sources. Choice (a) is the correct answer. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. The data are another source of uncertainty and are an example of a secondary activity. Data for risk analysis normally come from two sources: statistical data and expert analysis. Both have shortcomings. For example, the sample may be too small, or expert analysis may be subjective based on the assumptions made. Risk assessment (choice b), the process of analyzing and interpreting risk, comprises three basic activities: (1) determining the assessment's scope and methodology, (2) collecting and synthesizing data, and (3) interpreting the risk. Risk mitigation (choice c) involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Risk methodology (choice d) is a part of risk assessment. It can be formal or informal, detailed or simplified, high or low level, quantitative (computationally based) or qualitative (based on descriptions or rankings), or a combination of these. No single method is best for all users and all environments. Choices (b), (c), and (d) are examples of primary activities.

13. From a risk management viewpoint, which of the following options is not acceptable?
a. Accept the risk
b. Assign the risk
c. Avoid the risk
d. Defer the risk
Answer: Defer the risk. Choice (d) is the correct answer. Deferring risk means either ignoring the risk at hand or postponing the issue from further consideration. If the decision to defer the risk is a calculated one, it is hoped that management had the necessary data. "Accept the risk" is satisfactory when the exposure is small and the protection cost is high. "Assign the risk" is used when it costs less to assign the risk to someone else than to directly protect against it. "Avoid the risk" means placing the necessary measures so that a security incident will not occur at all, or so that a security event becomes less likely or less costly.

14. To be useful, a risk assessment methodology should use:
a. Complex methods
b. Specialized software tools
c. A simple process
d. Technical experts
Answer: A simple process. Choice (c) is the correct answer. A risk assessment methodology should be a relatively simple process that can be adapted to various organizational units and involves a mix of individuals with knowledge of the business operations and technical aspects of the organization's systems and security controls.

15. A deviation from an organization-wide security policy means:
a. Risk acceptance
b. Risk assignment
c. Risk reduction
d. Risk containment
Answer: Risk acceptance. Choice (a) is the correct answer. In order to deviate from an organization-wide security policy, the business unit management needs to prepare a letter explaining the reason for the deviation and recognizing and accepting the related risk.

16. An effective mechanism for documenting and reporting business managers' risk determination is to require a:
a. List of sign-off letters
b. List of system vulnerabilities
c. List of annual loss estimates
d. List of system threats
Answer: List of sign-off letters. Choice (a) is the correct answer. A sign-off letter requirement would help ensure that business managers carefully considered their decisions before finalizing them.

17. The time allowed to accomplish the risk analysis should be compatible with its:
a. Facilities
b. Equipment
c. Software
d. Objectives
Answer: Objectives. Choice (d) is the correct answer. The time allowed to accomplish the risk analysis should be compatible with its objectives. Large facilities with complex, multi-shift operations and many files will require more time to complete than single-shift, limited production facilities.

18. When performing risk analysis, annual loss exposure is calculated as:
a. Impact multiplied by frequency of occurrence
b. Impact minus frequency of occurrence
c. Impact plus frequency of occurrence
d. Impact divided by frequency of occurrence
Answer: Impact multiplied by frequency of occurrence. Choice (a) is the correct answer. Quantitative means of expressing both potential impact and estimated frequency of occurrence are necessary to perform a risk analysis. The essential elements of a risk analysis are an assessment of the damage that can be caused by an unfavorable event and an estimate of how often such an event may happen in a period of time. Because the exact impact and frequency cannot be specified accurately, it is only possible to approximate the loss with an annual loss exposure, which is the product of the estimated impact in dollars and the estimated frequency of occurrence per year. The product of the impact and the frequency of occurrence would be the statement of loss.

19. A risk analysis provides management all of the following except:
a. Preventing the occurrence of a harmful event
b. Reducing the impact of occurrence of a harmful event
c. Ranking critical applications
d. Recognizing that a potential for loss exists
Answer: Ranking critical applications
Choice (c) is the correct answer. A risk analysis provides senior management with information to base decisions on whether it is best to prevent the occurrence of a harmful event, to reduce the impact of such occurrences, or to simply recognize that a potential for loss exists. The risk analysis should help managers compare the cost of the probable consequences to the cost of effective safeguards. Ranking critical applications comes after the risk analysis is completed. Critical applications are those without which the organization could not function. Proper attention should be given to ensuring that critical applications and software are sufficiently protected against loss.

20. Which of the following methods for handling a risk involves a third party?
a. Accept risk
b. Eliminate risk
c. Reduce risk
d. Transfer risk
Answer: Transfer risk
Choice (d) is the correct answer. An insurance company or a third party is involved in transferring risk. The other three choices do not involve a third party since they are handled within an organization.

21. Which of the following security risk assessment techniques uses a group of experts as the basis for making decisions or judgments?
a. Risk assessment audits
b. The Delphi method
c. Expert systems
d. Scenario-based threats
Answer: The Delphi method
Choice (b) is the correct answer. The Delphi method is a group decision-making technique. The rationale for using this technique is that it is sometimes difficult to get a consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained. Risk assessment audits (choice a) are incorrect because these audits do not provide the same consensus as reached by a group of experts available in the Delphi method. Usually, audits are performed by one or two individuals, not by groups. Expert systems (choice c) are incorrect because an expert system is a computer-based system developed with the knowledge of human experts. It does not reach a consensus as a group of people does. Scenario-based threats (choice d) are incorrect because possible threats are identified based on scenarios by a group of people. However, this does not have the same consensus reached as in the Delphi method. The process of submitting results and comments makes the Delphi method more useful than the other methods.

22. The costs and benefits of security techniques should be measured in monetary terms where possible. Which of the following is the most effective means to measure the cost of addressing relatively frequent threats?
a. Single-occurrence losses
b. Annual loss expectancy
c. Fatal losses
d. Catastrophic losses
Answer: Annual loss expectancy
Choice (b) is the correct answer. Annualized loss expectancy (ALE) is the estimated loss expressed in monetary terms at an annual rate, for example, dollars per year. The ALE for a given threat with respect to a given function or asset is equal to the product of the estimates of occurrence rate, loss potential, and vulnerability factor. Choice (a) is incorrect because a single-occurrence loss (SOL) is the loss expected to result from a single occurrence of a threat. It is determined for a given threat by first calculating the product of the loss potential and vulnerability factor for each function and asset with respect to the threat being analyzed. Then the products are summed to generate the SOL for the threat. Since the SOL does not depend on an estimate of the threat's occurrence rate, it is particularly useful for evaluating rare but damaging threats. If a threat's SOL estimate is unacceptably high, it is prudent risk management to take security actions to reduce the SOL to an acceptable level. Both fatal losses (choice c) and catastrophic losses (choice d) are big and rare. Fatal losses involve loss of human life and catastrophic loss incurs great financial loss. In short, ALE is useful for addressing relatively frequent threats while SOL and fatal or catastrophic losses address rare threats.

23. Surveys and statistics indicate that the greatest threat to any computer system is:
a. Untrained or negligent users
b. Vendors and contractors
c. Hackers and crackers
d. Employees
Answer: Employees
Choice (d) is the correct answer. Employees of all categories are the greatest threat to any computer system because they are trusted the most. They have access to the computer system, they know the physical layout of the area, and they could misuse the power and authority. Most trusted employees have an opportunity to perpetrate fraud if the controls in the system are weak. The consequence of untrained or negligent users (choice a) is the creation of errors and other minor inconveniences. Although vendors and contractors (choice b) are a threat, they are not as great as employees. With proper security controls, threats arising from hackers and crackers (choice c) can be minimized, if not completely eliminated. Hackers access computer systems for fun, while crackers cause major damage to computer systems.

24. Risk management consists of risk assessment and risk mitigation. Which of the following is not an element of risk mitigation?
a. Measuring risk
b. Selecting appropriate safeguards
c. Implementing and testing safeguards
d. Accepting residual risk
Answer: Measuring risk
Choice (a) is the correct answer. The term risk management is commonly used to define the process of determining risk, applying controls to reduce the risk, and then determining if the residual risk is acceptable. Risk management supports two goals: measuring risk (risk assessment) and selecting appropriate controls that will reduce risk to an acceptable level (risk mitigation). Therefore, measuring risk is part of risk assessment. Choices (b) through (d) are incorrect because they are elements of risk mitigation. Risk mitigation involves three steps: determining those areas where risk is unacceptable; selecting effective safeguards, and evaluating the controls; and determining if the residual risk is acceptable.

25. What should be the last step in a risk assessment process performed as a part of a business continuity plan?
a. Consider possible threats
b. Establish recovery priorities
c. Assess potential impacts
d. Evaluate critical needs
Answer: Establish recovery priorities
Choice (b) is the correct answer. The correct sequence is a-c-d-b.
First step: Possible threats include natural (e.g., fires, floods, earthquakes), technical (e.g., hardware/software failure, power disruption, communications interference), and human (e.g., riots, strikes, disgruntled employees, sabotage).
Second step: Assess impacts from loss of information and services from both internal and external sources. This includes financial condition, competitive position, customer confidence, legal/regulatory requirements, and cost analysis to minimize exposure.
Third step: Evaluate critical needs. This evaluation also should consider timeframes in which a specific function becomes critical. This includes functional operations, key personnel, information, processing systems, documentation, vital records, and policies and procedures.
Final step: Establish priorities for recovery based on critical needs.

26. Risk is the possibility of something adverse happening to an organization. Which of the following steps is the most difficult one to accomplish in a risk management process?
a. Risk identification
b. Risk assessment
c. Risk mitigation
d. Risk maintenance
Answer: Risk assessment
Choice (b) is the correct answer. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Risk management includes two primary activities and one underlying activity. Risk assessment and risk mitigation are the primary activities, and uncertainty analysis is the underlying one.
Risk assessment, the process of analyzing and interpreting risk, is comprised of three basic activities: (1) determining the assessment's scope and methodology, (2) collecting and synthesizing data, and (3) interpreting the risk. A risk assessment can focus on many different areas such as: technical and operational controls to be designed into a new application and the use of telecommunications, a data center, or an entire organization.
Because of the nature of the scope and the extent of risk assessment, it is the most difficult one to accomplish. Risk identification and maintenance (choices a and d) are not the most difficult to accomplish since they are the by-products of the risk assessment process. Risk mitigation (choice c) involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Again, risk mitigation comes after the completion of the risk assessment process.

27. The focus of risk management is that risk must be:
a. Eliminated
b. Prevented
c. Avoided
d. Managed
Answer: Managed
Choice (d) is the correct answer. Risk must be managed since it cannot be completely eliminated or avoided. Some risks cannot be prevented in a cost-effective manner.

28. A risk event that is an identifiable uncertainty is termed:
a. Known unknown
b. Unknown unknown
c. Known known
d. Unknown known
Answer: Known unknown
Choice (a) is the correct answer. Known unknown fits the description. Choice (b) is incorrect because an unknown unknown is a risk event whose existence cannot be imagined. There is no risk in choice (c) because everything is known. Choice (d) is a distracter as it is a meaningless phrase.

29. Which of the following is an optional requirement for organizations?
a. Policies
b. Procedures
c. Standards
d. Guidelines
Answer: Guidelines
Choice (d) is the correct answer. Guidelines assist users, systems personnel, and others in effectively securing their systems. Guidelines are suggestive and are not compulsory within an organization.

30. Which of the following is the least sensitive data classification scheme?
a. Unclassified
b. Unclassified but sensitive
c. Secret
d. Confidential
Answer: Unclassified
Choice (a) is the correct answer. Data that is not sensitive or classified is unclassified. This is the least sensitive category, while secret is the most sensitive category.

31. Which of the following deals with detailed steps to accomplish a particular task?
a. Policies
b. Procedures
c. Standards
d. Guidelines
Answer: Procedures
Choice (b) is the correct answer. Procedures are detailed steps to be followed by users and systems personnel to accomplish a particular task.

32. Which of the following is not an example of a trade secret?
a. Customer lists
b. Supplier names
c. Technical specifications
d. Employee names
Answer: Employee names
Choice (d) is the correct answer. In order to qualify as a trade secret, information must be of competitive value or advantage to the owner or his business. Trade secrets can include technical information and customer and supplier lists. Employee names do not come under the trade secret category since they are somewhat public information, requiring protection from recruiters.

33. Which of the following is the correct sequence of steps to be followed in the application software change control process?
1. Test the changes
2. Plan for changes
3. Initiate change request
4. Release software changes
a. 1, 2, 3, and 4
b. 2, 1, 3, and 4
c. 3, 2, 1, and 4
d. 4, 3, 1, and 2
Answer: 3, 2, 1, 4
Choice (c) is the correct answer. Any application software change must start with a change request from a functional user. An IT person will plan, test, and release the change after it is approved by the functional user.

34. Electronic-mail policy is an example of which of the following?
a. Advisory policy
b. Regulatory policy
c. Specific policy
d. Informative policy
Answer: Specific policy
Choice (c) is the correct answer. Advisory, regulatory, and informative policies are broad in nature and cover many topics and areas of interest. E-mail policy is an example of a specific policy dealing with communication between and among individuals.

35. What should be done when an employee leaves an organization?
a. Review of recent performance evaluation
b. Review of human resource policies
c. Review of non-disclosure agreements
d. Review of organizational policies
Answer: Review of non-disclosure agreements
Choice (c) is the correct answer. When an employee leaves an organization, he should be reminded of nondisclosure agreements that he signed upon his hiring. This agreement includes measures to protect confidential and proprietary information such as trade secrets and inventions.

36. With respect to computer security, integrity does not mean which of the following?
a. Accuracy
b. Authenticity
c. Completeness
d. Timeliness
Answer: Timeliness
Choice (d) is the correct answer. Timeliness is a part of the availability goal, while accuracy, authenticity, and completeness are part of the integrity goal.

37. With respect to computer security, confidentiality does not mean which of the following?
a. Non-repudiation
b. Secrecy
c. Privacy
d. Sensitivity
Answer: Non-repudiation
Choice (a) is the correct answer. Non-repudiation is a part of the integrity goal, while secrecy, privacy, sensitivity, and criticality are part of the confidentiality goal.

38. Which of the following security goals is meant for "intended uses only"?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
Answer: Availability
Choice (c) is the correct answer. Availability is for intended uses only and not for any other uses.

39. Protection mechanisms defined in security design architecture include which of the following?
a. Layering, abstraction, and data hiding
b. Isolation, segmentation, and separation
c. Security kernel, reference monitor, and system high
d. Accountability, integrity, and confidentiality
Answer: Layering, abstraction, and data hiding
Choice (a) is the correct answer. Layering, abstraction, and data hiding are part of security design architecture. All the other choices deal with security control architecture.

40. Business data classification schemes usually do not include which of the following?
a. Private
b. Public
c. For internal use only
d. Secret
Answer: Secret
Choice (d) is the correct answer. Data classification terms such as secret and top secret are used by government. The terms used in the other choices belong to the business data classification scheme.

41. Data containing trade secrets is an example of which of the following data classification schemes?
a. Classified
b. Unclassified
c. Unclassified but sensitive
d. Confidential
Answer: Unclassified but sensitive
Choice (c) is the correct answer. The classified category includes sensitive, confidential, secret, and top secret. The unclassified category is public information, while the unclassified but sensitive category requires some protection, as in the case of trade secrets.

42. Which of the following assists in complying with others?
a. A policy
b. A procedure
c. A standard
d. A guideline
Answer: A procedure
Choice (b) is the correct answer. Procedures normally assist in complying with applicable policies, standards, and guidelines since they deal with specific steps to carry out a specific task.

43. The amount of security does not depend on which of the following?
a. Business sense
b. Good management practices
c. Due diligence reviews
d. Countermeasure costs
Answer: Countermeasure costs
Choice (d) is the correct answer. Since there is no uniform standard or assessment method available currently, cost is only one factor of consideration. A due diligence review is an evaluation of an organization's internal control systems and operations prompted by a major acquisition or disposition or changes in management and operations.

44. Effective information security starts at which level?
a. Auditor level
b. Functional user level
c. IT security analyst level
d. CEO level
Answer: CEO level
Choice (d) is the correct answer. Effective information security, for that matter any security, starts at the CEO level. This means having a policy on managing threats, responsibilities, and obligations, which will be reflected in employee conduct, ethics, and procurement policies and practices. Information security must be fully integrated into all relevant organizational policies, which can occur only when security consciousness exists at all levels.

45. Which of the following is a prerequisite to IT security training?
a. Certification
b. Education
c. Awareness
d. Training
Answer: Awareness
Choice (c) is the correct answer. Awareness, training, and education are all important processes for helping staff members carry out their roles and responsibilities for information technology security, but they are not the same. Awareness programs are a prerequisite to IT security training. Training is more formal and more active than awareness activities and is directed toward building knowledge and skills to facilitate job performance. Education integrates all of the security skills and competencies of the various functional specialists and adds a multi-disciplinary study of concepts, issues, and principles. Normally, organizations seldom require evidence of qualification or certification as a condition of appointment.

46. When developing IS security policies, organizations should pay particular attention to which of the following?
a. User education
b. User awareness
c. User behavior
d. User training
Answer: User behavior
Choice (c) is the correct answer. A relatively new risk receiving particular attention in organizational policies is user behavior. Some users may feel no compunction against browsing sensitive organizational computer files or inappropriate Internet sites if there is no clear guidance on what types of user behaviors are acceptable. These risks did not exist before the extensive use of networks, electronic mail, and the Internet.

47. A common technique for making an organization's IS systems security policies more useful is to distinguish between:
a. Policies and procedures
b. Policies and guidelines
c. Principles and practices
d. Policies and standards
Answer: Policies and guidelines
Choice (b) is the correct answer. Policies generally outline fundamental requirements that top management considers to be imperative, while guidelines provide more detailed rules for implementing the broader policies. Guidelines, while encouraged, are not considered to be mandatory.

48. Who must bear the primary responsibility for determining the level of protection needed for IS resources?
a. Information systems security specialists
b. Business managers
c. Security managers
d. Systems auditors
Answer: Business managers
Choice (b) is the correct answer. Business managers should bear the primary responsibility for determining the level of protection needed for information systems resources that support business operations. In this regard, business managers should be held accountable for managing the information security risks associated with their operations, much as they would for any other type of business risk.

49. Which of the following is a better method to ensure that IS security issues have received appropriate attention by senior management of an organization?
a. Establish a technical-level committee
b. Establish a policy-level committee
c. Establish a control-level committee
d. Establish a senior-level committee
Answer: Establish a senior-level committee
Choice (d) is the correct answer. Some organizations have established senior-level committees to ensure that information technology issues, including information security, receive appropriate attention.

50. A key characteristic that should be common to all information systems security central groups is:
a. Organizational reporting relationships
b. Information systems security responsibilities
c. Information systems security technical assistance
d. Support received from other organizational units
Answer: Information systems security responsibilities
Choice (b) is the correct answer. The two key characteristics that a security central group should have include (1) clearly defined information security responsibilities and (2) dedicated staff resources to carry out these responsibilities.

51. To ensure that IS security policies serve as the foundation of information systems security programs, organizations should link:
a. policies to standards
b. policies to business risks
c. policies to procedures
d. policies to controls
Answer: Policies to business risks
Choice (b) is the correct answer. Developing a comprehensive set of policies is the first step in establishing an organization-wide security program. The policy should be linked to business risks and adjusted on a continuing basis to respond to newly identified risks or areas of misunderstanding.

52. A useful technique for impressing the users about the importance of organization-wide IS security policies is:
a. Making policies available through the Internet
b. Ensuring policies are available through physical bulletin boards
c. Requiring a signed statement from all users that they have read the policies
d. Ensuring policies are available through electronic bulletin boards
Answer: Requiring a signed statement from all users that they have read the policies
Choice (c) is the correct answer. A statement is required from new users at the time access to information system resources is first provided and from all users periodically, usually once a year. Requiring a signed statement can serve as a useful technique for impressing on the users the importance of understanding organizational policies. In addition, if the user is later involved in a security violation, the statement can serve as evidence that he had been informed of organizational policies.

53. The least effective technique in ensuring that new risks and policies are communicated is:
a. Once-a-year memorandums
b. Monthly bulletins
c. Intranet websites
d. New employee training sessions
Answer: Once-a-year memorandums
Choice (a) is the correct answer. The security awareness manager will ensure that new risks and policies are communicated promptly and that employees are periodically reminded of existing policies through means such as monthly bulletins, an intranet web site, and presentations to new employees. Once-a-year memorandums are too infrequent, too formal, and ineffective.

54. Effective security measures cannot be maintained due to which of the following reasons?
a. Lack of awareness
b. Lack of a policy
c. Lack of a procedure
d. Lack of enforcement
Answer: Lack of enforcement
Choice (d) is the correct answer. If employees see that management is not serious about security policy enforcement, they will not pay attention to security, thus minimizing its effectiveness.

55. Sensitivity criteria for a computer-based information system are not defined in terms of which of the following?
a. The value of having an application system
b. The cost of developing and maintaining an application system
c. The value of having the needed information
d. The cost of not having an application system
Answer: The cost of developing and maintaining an application system
Choice (b) is the correct answer. Sensitivity criteria are largely defined in terms of the value of having, or the cost of not having, an application system or needed information.

56. What is the first thing to do upon unfriendly termination of an employee?
a. Complete a sign-out form immediately
b. Send employee to the accounting department for the last paycheck
c. Remove the system access quickly
d. Send employee to the human resource department for benefits status
Answer: Remove the system access quickly
Choice (c) is the correct answer. Whether the termination is friendly or unfriendly, the best security practice is to disable the system access quickly. Out-processing often involves a sign-out form initialed by each functional manager with an interest in the separation of the employee. The sign-out form is a type of checklist. Sending the employee to the accounting and human resource departments may be done later.

57. Security training is usually not given to which of the following parties?
a. Information systems security staff
b. Functional users
c. Computer operations staff
d. Corporate security staff
Answer: Computer operations staff
Choice (c) is the correct answer. The security training program should be specifically tailored to meet the needs of computer operations staff so that they can handle problems that have security implications.

58. Which of the following have similar structures and complementary objectives?
a. Training and awareness
b. Hackers and users
c. Compliance and common sense
d. Need-to-know and threats
Answer: Training and awareness
Choice (a) is the correct answer. Training makes people learn new things and be aware of new issues and procedures. They have similar objectives, that is, to learn a new skill or knowledge. Hence, they complement each other.
Choice (b) is incorrect. A hacker is a person who attempts to compromise the security of an IT system, especially one whose intention is to cause disruption or obtain unauthorized access to data. On the other hand, a user has the opposite objective, to use the system to fulfill his job duties. Hence, they conflict with each other. Choice (c) is incorrect. Compliance means following the standards, rules, or regulations with no deviations allowed. On the other hand, common sense tells people to deviate when conditions are not practical. Hence, they conflict with each other. Choice (d) is incorrect. Need-to-know means a need for access to information to do a job. Threats are actions or events that, if realized, will result in waste, fraud, abuse, or disruption of operations. Hence, they conflict with each other.

59. Establishing a data ownership program should be the responsibility of:
a. Functional users
b. Internal auditors
c. Data processors
d. External auditors
Answer: Functional users
Choice (a) is the correct answer. Functional users own the data in computer systems. Therefore, they have an undivided interest and responsibility in establishing a data ownership program. Choices (b) and (d) are incorrect because internal/external auditors have no responsibility in establishing a data ownership program even though they recommend one. Choice (c) is incorrect because data processors are custodians of the users' data.

60. The effectiveness of a computer security policy can be compromised:
a. When a policy is published
b. When a policy is reexamined
c. When a policy is tested
d. When a policy enforcement is predictable
Answer: When a policy enforcement is predictable
Choice (d) is the correct answer. Computer security policies should be made public but the actual enforcement procedures should be kept private. This is to prevent policy from being compromised when enforcement is predictable. The surprise element makes unpredictable enforcements more effective than predictable ones. Choice (a) is incorrect because policies should be published so that all affected parties are informed. Choice (b) is incorrect because policies should be routinely reexamined for workability. Choice (c) is incorrect because policies should be tested to ensure the accuracy of assumptions.

61. There are many different ways to identify individuals or groups who need specialized or advanced training. Which of the following methods is least important to consider when planning for such training?
a. Job categories
b. Job functions
c. Specific systems
d. Specific vendors
Answer: Specific vendors
Choice (d) is the correct answer. One method is to look at job categories (choice a), such as executives, functional managers, or technology providers. Another method is to look at job functions (choice b), such as system design, system operation, or system user. A third method is to look at the specific technology and products used, especially for advanced training for user groups and training for a new system (choice c). Specific vendors are least important during planning but important in implementation.

62. Which of the following security objectives is most important in a computer security program?
a. The objective must be specific
b. The objective must be clear
c. The objective must be achievable
d. The objective must be well defined
Answer: The objective must be achievable
Choice (c) is the correct answer. The first step in the management process is to define security objectives for the specific system. A security objective needs to be more specific (choice a); it should be concrete and well defined (choice d). It also should be stated so that it is clear (choice b) and, most importantly, so that the objective is achievable (choice c). An example of a security objective is that only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing.

63. In which of the following planning techniques are the information needs of the organization defined?
a. Strategic planning
b. Tactical planning
c. Operational planning
d. Information systems planning
Answer: Information systems planning
Choice (d) is the correct answer. Four types of planning help organizations identify and manage IS resources: strategic, tactical, operational, and information systems planning. IS planning is a special planning structure designed to focus organizational computing resource plans on its business needs. IS planning provides a three-phased structured approach for an organization to systematically define, develop, and implement all aspects of its near- and long-term information needs. Strategic planning (choice a) defines the organization's mission, goal, and objectives. It also identifies the major computing resource activities the organization will undertake to accomplish these plans. Tactical planning (choice b) identifies, schedules, manages, and controls the tasks necessary to accomplish individual computing resource activities, using a shorter planning horizon than strategic planning. It involves planning projects, acquisitions, and staffing. Operational planning (choice c) integrates tactical plans and support activities and defines the short-term tasks that must be accomplished to achieve the desired results.

64. Which of the following is a somewhat stable document?
a. Information technology strategic plan
b. Information technology operational plan
c. Information technology security plan
d. Information technology training plan

Information technology strategic plan

Choice (a) is the correct answer. The IT strategic plan sets the broad direction and goals for managing information within the organization and supporting the delivery of services to customers. It should be derived from and relate to the organization's strategic plan. The plan typically contains an IT mission statement, a vision describing the target IT environment of the future, an assessment of the current environment, and broad strategies for moving into the future. An IT strategic plan is a somewhat stable document. It does not require annual updates. An organization should periodically review and update this plan as necessary to reflect significant changes in the IT mission or direction. The strategies presented in the IT strategic plan provide the basis for the IT operational plan.
Choice (b) is incorrect. An IT operational plan describes how the organization will implement the strategic plan. The operational plan identifies logical steps for achieving the IT strategic vision. It may present an implementation schedule, identify key milestones, define project initiatives, and include resource estimates (e.g., funding and personnel). The operational plan should identify dependencies among the IT strategies and present a logical sequence of project initiatives to assure smooth implementation. Choices (c) and (d) are incorrect because they are components of the IT operational plan. Security plans (choice c) should be developed for an organization or an individual system. These plans document the controls and safeguards for maintaining information integrity and preventing malicious/accidental use, destruction, or modification of information resources within the organization. Training plans (choice d) document the types of training the IT staff will require to effectively perform their duties. The plans in choices (b), (c), and (d) are in a constant state of flux.

65. An information technology operational plan answers all of the following questions except:
a. How do we get there?
b. When will it be done?
c. What is our goal?
d. Who will do it?

What is our goal?

Choice (c) is the correct answer. An IT operational plan describes how the organization will implement the strategic plan. Usually, this plan answers the following questions: How do we get there? (choice a), When will it be done? (choice b), Who will do it? (choice d). What is our goal? (choice c) is answered by the strategic plan.

66. Which of the following meets the criteria for an IT strategic plan?
a. Developing enterprise information technology models
b. Initiating work process redesign
c. Conducting business systems planning
d. Assessing internal and external environment

Assessing internal and external environment

Choice (d) is the correct answer. Strategic planning is long-range thinking. Planners apply analytic techniques, which provide a framework for bounding the scope and presenting the results of long-range thinking. A strategic planning approach should foster strategic thinking and innovation, assess the organization's mission, vision, and strategies, define the IT mission, vision, and goals, and assess the internal and external environment. Internal influences are those that have implications for managing the organization, such as customers, competitors, contractors, vendors, and user organizations (i.e., internal environment). External influences are broad in scope, imposed from the outside, and uncontrollable by the organization. An organization derives its challenges and opportunities from external influences such as the financial community, governments, and industry (i.e., external environment).
Choices (a), (b), and (c) are examples of IT approaches to augment the development of strategic plans and include enterprise IT models, work process redesign, and business systems planning. Enterprise models (choice a) provide a means for examining the current environment. They do not foster the development of an organizational direction (i.e., mission, vision). Hence, they do not meet the criteria for strategic planning. Choice (b) is incorrect. Work process redesign is synonymous with the following concepts: business reengineering, business process improvement, and business process design. This approach helps managers to define relationships and activities within the organization. Choice (c) is incorrect. Business systems planning is used to identify information requirements, but does not consider strategic methodologies. Information planning approaches do not study organizational cultural issues or provide a strategic work focus.

67. Which of the following is not an example of IT mission statements?
a. Streamlining work processes through automation
b. Maintaining reliability and timeliness of information
c. Anticipating technological advances and problems
d. Minimizing the cost to the organization by using information technology efficiently

Maintaining reliability and timeliness of information

Choice (b) is the correct answer. The IT mission supports the organization's mission provided in its strategic plan. The IT mission statement identifies the basic concept of IT, the reason IT exists, and how IT supports the organization's mission. The IT mission statement may be examined three times during the planning process: at the beginning, after analyzing the current environment, and at the end. The IT organization collects, manages, controls, disseminates, and protects the information used by the organization. IT supports the organization's mission by streamlining work processes through automation (choice a), anticipating technological advances and problems (choice c), and minimizing the cost to the organization by using IT efficiently (choice d). Maintaining reliability and timeliness of information (choice b) is a goal statement. Goals specify the objectives that support the organization's mission.

68. An information technology operational plan does not include:
a. Risk assessment
b. Project descriptions
c. Project resource estimates
d. Project implementation schedules

Risk assessment

Choice (a) is the correct answer. Risk assessment is part of the IT strategic plan along with mission, vision, goals, environmental analysis, strategies, and critical success factors. Typically a strategic plan covers a five-year time span and is updated annually. IT operational planning begins when strategic planning ends. During operational planning, an organization develops a realistic implementation approach for achieving its vision based on its available resources.
An IT operational plan consists of three main parts: project descriptions (choice b), resource estimates (choice c), and implementation schedules (choice d). Depending upon its size and the complexity of its projects, an organization may also include the following types of documents as part of its operational plan: security plan summary, information plans, and information technology plans.

69. The scope of the information technology tactical plan does not include:
a. Budget plans
b. Application system development and maintenance plans
c. Technical support plans
d. Service objectives

Service objectives

Choice (d) is the correct answer. Effective plans focus attention on objectives, help anticipate change and potential problems, serve as the basis for decision making, and facilitate control. IT plans are based on the overall organization's plans. The IT strategic, tactical, and operational plans provide direction and coordination of activities necessary to support mission objectives, ensure that IT meets user requirements, and enable IT management to cope effectively with current and future changing requirements. Detailed plans move from abstract terms to closely controlled implementation schedules. Service objectives (choice d) are part of the IT operational plan along with performance objectives. Operational plans are based on the tactical plan but are more specific, providing a framework for daily activity. The focus of operational plans is on achieving service objectives. Tactical plans span approximately one year's time. Tactical plans address a detailed view of IT activities and focus on how to achieve IT objectives. Tactical plans include budgetary information detailing the allocation of resources or funds assigned to IT components. Often, the budget is the basis for developing tactical plans. The scope of an IT tactical plan includes budget plans (choice a), application system development and maintenance plans (choice b), and technical support plans (choice c).

70. An important measure of success for any IT project is whether the:
a. Project was completed on time
b. Project was completed within budget
c. Project manager has conserved organizational resources
d. Project has achieved its projected benefits

Project has achieved its projected benefits

Choice (d) is the correct answer. One of the critical attributes for successful IT investments requires that organizations use projected benefits, not project completion on time and within budget, as the important measures of success for any IT project (choices a and b). Business goals should be translated into objectives, results-oriented measures of performance, both quantitative and qualitative, which can form the basis for measuring the impact of IT investments. Management regularly monitors the progress of ongoing IT projects against projected cost, schedule, performance, and delivered benefits. It does not matter whether the project manager has conserved organizational resources as long as the project has achieved its projected benefits (choice c). Achievement of choices (a), (b), and (c) does not automatically achieve choice (d).

71. Staffing decisions and hiring procedures are critical in solving computer-related security issues and problems. Which of the following is the correct sequence of steps involved in the staffing process?
1. Determining the sensitivity of the position
2. Defining the job duties
3. Filling the position
4. Determining the access levels
a. 1, 2, 3, 4
b. 2, 4, 3, 1
c. 2, 4, 1, 3
d. 1, 4, 2, 3

2, 4, 1, 3

Choice (c) is the correct answer. Personnel issues are closely linked to logical access controls. Early in the process of defining a position, security issues should be identified and dealt with. Once a position has been broadly defined (Step 2), the responsible supervisor should determine the type of computer access level needed for the position (Step 4). Knowledge of the job duties and access levels that a particular position will require is necessary for determining the sensitivity of the position. The responsible supervisor should correctly identify position sensitivity levels so that appropriate, cost-effective screening can be completed (Step 1). Once a position's sensitivity has been determined, the position is ready to be staffed. Background screening helps determine whether a particular individual is suitable for a given position (Step 3).

72. To overcome resistance to a change, which of the following approaches provides the best solution?
a. The change is well planned
b. The change is fully communicated
c. The change is implemented in a timely way
d. The change is fully institutionalized

The change is fully institutionalized

Choice (d) is the correct answer. Managing change is a difficult process. People resist change due to a certain amount of discomfort that a change may bring. It does not matter how well the change is planned, communicated, or implemented if it is not spread throughout the organization evenly. Institutionalizing the change means changing the climate of the company. This needs to be done in a consistent and orderly manner. Any major change should be done using a pilot approach. After a number of pilots have been successfully completed, it is time to use these success stories as levers to change the entire company.

73. If manual controls over program changes were weak, which of the following controls would be effective?
a. Automated software management
b. Written policies
c. Written procedures
d. Written standards

Automated software management

Choice (a) is the correct answer. In general, automated controls compensate for the weaknesses in or lack of manual controls. An automated software management system helps in strengthening controls by moving programs from production to test libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and automated environments.

74. During the system design of data input control procedures, consideration should be least given to which of the following items?
a. Authorization
b. Validation
c. Configuration
d. Error notification

Configuration

Choice (c) is the correct answer. Configuration management is a procedure for applying technical and administrative direction and monitoring to (1) identify and document the functional and physical characteristics of an item or system, (2) control any changes to such characteristics, and (3) record and report the change, process, and implementation status. Choices (a), (b), and (d) are incorrect. The authorization process may be manual or automated. All authorized transactions should be recorded and entered into the system for processing. Validation is ensuring that the entered data meets predefined criteria in terms of its attributes. Error notification is as important as error correction.

75. Software configuration management should primarily address which of the following questions?
a. How software evolves during system development?
b. How software evolves during system maintenance?
c. What constitutes a software product at any point in time?
d. How a software product is planned?

What constitutes a software product at any point in time?

Choice (c) is the correct answer. Software configuration management (SCM) is a discipline for managing the evolution of computer products, both during the initial stages of development and through to maintenance and final product termination. Visibility into the status of the evolving software product is provided through the adoption of SCM on a software project. Software developers, testers, project managers, quality assurance staff, and the customer benefit from SCM information. SCM answers the following questions: (1) What constitutes the software product at any point in time? (2) What changes have been made to the software product? How a software product is planned, developed, or maintained does not matter because it describes the history of a software product's evolution (choices a, b, and d).

76. The main feature of software configuration management is:
a. Tracing of all software changes
b. Identifying individual components
c. Using computer-assisted software engineering (CASE) tools
d. Using compilers and assemblers

Tracing of all software changes

Choice (a) is the correct answer. It is important to remember that software configuration management (SCM) is practiced and integrated into the software development process throughout the entire life cycle of the product. One of the main features of SCM is the tracing of all software changes. Choice (b) is incorrect because identifying individual components is a part of the configuration identification function. The goals of configuration identification are (1) to create the ability to identify the components of the system throughout its life cycle and (2) to provide traceability between the software and related configuration identification items. Choices (c) and (d) are examples of technical factors. SCM is essentially a discipline applying technical and administrative direction and surveillance for managing the evolution of computer program products during all stages of development and maintenance. Some examples of technical factors include use of CASE tools, compilers, and assemblers.

77. Which of the following areas of software configuration management is executed last?
a. Identification
b. Change control
c. Status accounting
d. Audit

Audit

Choice (d) is the correct answer. There are four elements of configuration management. The first element is configuration identification (choice a), consisting of selecting the configuration items for a system and recording their functional and physical characteristics in technical documentation. The second element is configuration change control (choice b), consisting of evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. The third element is configuration status accounting (choice c), consisting of recording and reporting of information that is needed to manage a configuration effectively. The fourth element is software configuration audit (choice d), consisting of periodically performing a review to ensure that the SCM practices and procedures are rigorously followed. Auditing is performed last, after all the other elements are in place, to determine whether they are working properly.

78. Establishing an IS security function program within an organization should be the responsibility of:
a. Information systems management
b. Internal auditors
c. Compliance officers
d. External auditors

Information systems management

Choice (a) is the correct answer. Both IS management and functional user management have a joint and shared responsibility in establishing an information systems security function within an organization. This is because the functional user is the data owner and IS management is the data custodian. Internal/external auditors and compliance officers have no responsibility in actually establishing such a function, although they make recommendations to management to establish such a function.

Information Security - Chapter 3
Study online at https://quizlet.com/_c49m1d

1. Event: A measurable occurrence that has an impact on the business
2. Risk: The level of exposure to some event that has an effect on an asset (good or bad)
3. Likelihood: Chance of an event occurring
4. Impact: The damage that the event caused to the asset and/or organization
5. Threat: Any action, either natural (flood) or human (threat actor) induced, that could damage an asset
6. Vulnerability: A weakness that allows a threat to be realized or to have an effect on an asset
7. Enumeration: The process of discovering information about systems to help identify vulnerabilities
8. Incident: Any event that violates or threatens to violate your security policy
9. Control: Includes both safeguards and countermeasures
10. Safeguard: Addresses gaps or weaknesses in controls that could lead to a realized threat
11. Countermeasure: Counters or addresses a specific threat
12. Mitigation: Implementation of a control, safeguard, or countermeasure that reduces the impact and/or likelihood of a risk
13. Quantitative Risk Assessment: A risk assessment that uses specific monetary amounts to identify cost and asset value. It then uses the SLE and ARO to calculate the ALE.
14. Qualitative Risk Assessment: A risk assessment that uses judgment to categorize risks. It is based on impact and likelihood of occurrence.
15. AV: Asset Value
16. EF: Exposure Factor - AV x % of AV Damaged = EF
17. SLE: Single Loss Expectancy - AV x EF = SLE
18. ARO: Annualized Rate of Occurrence - Number of incidents per year
19. ALE: Annualized Loss Expectancy - SLE x ARO = ALE
20. Detective Controls: Controls used to identify when a threat compromises a system or has a successful attack
21. Preventive Controls: Controls that stop threats from compromising systems and from succeeding in attacks
22. Corrective Controls: Controls that reduce/remove a threat from a system. Think incident response and forensics
23. Deterrent Controls: Controls that warn about risky behaviors, but still allow the behavior to occur
24. Compensating Controls: Controls to address a compromise or attack until Corrective Controls can be applied
25. Vulnerability Window: The time between a software vendor's release of a security patch and your implementation of it.
26. Zero-Day Vulnerability: Software vulnerability that has been previously unreported and for which no patch yet exists
27. Disclosure Threats: Unauthorized users accessing and/or stealing private or confidential information
28. Sabotage: Destruction of property or data
29. Espionage: Spying to obtain secret information
30. Alteration Threats: Making unauthorized changes, either intentionally or unintentionally, to data, systems, and configurations
31. Denial or Destruction Threats: Makes assets or resources unavailable to users
32. Attack Vector: The path or means by which an attacker gains access to a computer.

Chapter 4 Information security
Study online at https://quizlet.com/_c02zz0

1. What are the 5 Levels of Information Security?
vulnerability
exposure
threat
security
information security

2. What is the definition for each level of Info security?
security - protection against threats
information security - protection for information systems
threat - anything that poses harm towards your system
exposure - a threat that compromises the system
vulnerability - the possibility that your system will be harmed

3. Name 5 factors that lead to vulnerability.
1. Today's network environment
2. Cheap computers
3. Decreasing hacking skills
4. International organized crime
5. Lack of management support

4. What are the 2 unintentional threats to IS?
1. Human Error
2. Social Engineering

5. What is an unintentional threat?
An act performed without malicious intent

Information Security - Chapter 4
Study online at https://quizlet.com/_c4a4kt

1. Authority: Using a position of authority to coerce an individual to divulge information
2. Consensus/Social Proof: Using the position that "everyone else has been doing it"
3. Dumpster Diving: Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away
4. Familiarity/Liking: Building a rapport with the victim first
5. Hoaxes: Creating a false perception to get an individual to do something
6. Impersonation: An act of pretending to be another person for the purpose of entertainment or fraud
7. Intimidation: Using force to extort information
8. Scarcity: Leveraging fear of not having something or losing access
9. Shoulder Surfing: Gaining compromising information through observation (as in looking over someone's shoulder).
10. Smishing: Phishing attacks committed using text messages (SMS).
11. Tailgating: Following an individual closely enough that the follower doesn't need a badge to access a building
12. Trusted Users: Insider threat; can be malicious or due to ignorance
13. Urgency: Creating a sense of urgency so that you don't have time to think
14. Vishing: Phishing attacks committed using telephone calls or VoIP systems.
15. Whaling: A phishing attack that targets only wealthy individuals.
16. Arbitrary/remote code execution: An attack that allows an attacker to run programs and execute commands on a different computer.
17. Buffer Overflow: A technique for crashing a system by sending too much data to a buffer in the computer's memory
18. Client-side Attack: An attack that targets vulnerabilities in client applications that interact with a compromised server or process malicious data.
19. Cookies and Attachments: Using cookies or other attachments (or the information they contain) to compromise security.
20. Cross-Site Scripting (XSS): An attack that injects scripts into a Web application server to direct attacks at clients.
21. Cross-Site Request Forgery (XSRF): An attack that uses the user's Web browser settings to impersonate the user.
22. Directory Traversal: An attack that takes advantage of a vulnerability so that a user can move from the root directory to restricted directories.
23. Header Manipulation: Uses other methods (hijacking, cross-site forgery, and so forth) to change values in HTTP headers and falsify access.
24. Integer Overflow: An application attack that attempts to use or create a numeric value that is too big for an application to handle. Input handling and error handling thwart the attack.
25. Lightweight Directory Access Protocol (LDAP): Creating fake user IDs and passwords to authenticate to websites
26. Malicious Add-On: A browser add-on that contains some type of malware
27. SQL Injection: An attack that targets SQL servers by injecting commands to be manipulated by the database.
28. Business Impact Analysis (BIA): A process that helps an organization identify critical systems and components that are essential to the organization's success.
29. Recovery Point Objective (RPO): The amount of data the organization is willing to reenter or potentially lose
30. Recovery Time Objective (RTO): The length of time it will take to recover the data that has been backed up.

Chapter 5: Planning for Security
Study online at https://quizlet.com/_a4imsw

1. IDPS: Intrusion Detection and Prevention System
2. Host-based IDPS: Installed on the local computer
3. Network-based IDPS: Looks at patterns of network traffic
4. IP Spoofing: Packets falsified to appear to come from the network
5. SETA: Security Education, Training, and Awareness
-Reduce accidental breaches
6. BIA: Business Impact Analysis
-Identify/prioritize threats and attacks
-Identify/prioritize business functions
7. Attack Profile: Detailed description of the activities that occur during an attack
8. BIA Stages:
1) Threat attack identification and prioritization
2) Business unit analysis
3) Attack success scenario development
4) Potential damage assessment
5) Subordinate plan classification
9. Incidents:
-Directed against information assets
-Realistic chance of success
-Threaten confidentiality, integrity, availability of information
10. Incident Response:
1) Plan
2) Detect
3) Reaction
4) Recovery
11. Incident Actions:
-Before
-During
-After
...THE INCIDENT
12. Testing Strategies:
-Checklist
-Structured walkthrough
-Simulation
-Parallel
-Full interruption
13. Possible Incident Indicators:
-Presence of unfamiliar files
-Presence/execution of unknown programs or processes
-Unusual consumption of computing resources
-Unusual system crashes
14. Probable Incident Indicators:
-Activities at unexpected times
-Presence of new accounts
-Reported attacks
-Notification from IDPS
15. Definite Incident Indicators:
-Use of dormant accounts
-Changes to logs
-Presence of hacker tools
-Notifications that a partner or peer was attacked
-Notification by hacker
16. Other Definite Incident Indicators:
-Loss of availability
-Loss of integrity
-Loss of confidentiality
-Violation of policy
-Violation of law
17. Alert Roster: Those to be notified upon incident
Sequential or hierarchical
18. SNMP: Simple Network Management Protocol
19. Recovery:
-Identify and resolve vulnerabilities
-Address safeguards: install, replace, upgrade
-Evaluate monitoring capabilities
-Restore data from backup
-Restore services and processes
-Continuously monitor system
-Restore confidence to communities of interest
20. A-AR: The noise a pirate makes!
After-Action Review
21. Disaster:
-Organization unable to mitigate the impact of the incident during the incident
-Level of damage and destruction so severe that the organization is unable to recover quickly
22. Disaster Recovery:
-Establish priorities
-Delineate roles and responsibilities
-Initiate alert roster and key personnel
-Document the disaster
-Mitigate impacts if possible
23. Business Continuity Planning: Prepares an organization to reestablish critical operations if the primary site is down
24. Backups:
Full (everything)
Differential (changes)
Incremental (modifications that day)
25. RAID: Redundant Array of Independent Drives
26. Continuity Strategies:
-Sites: hot, warm, cold
-Timeshare sites with sister organization
-Service bureaus
-Mutual agreements
-Offsite storage
27. Offsite Data Storage:
-Electronic vaulting
-Remote journaling
-Database shadowing
28. Contingency Planning Process:
-Identify mission or business critical functions
-Identify resources to support critical functions
-Anticipate potential contingencies or disasters
-Select contingency planning strategies
-Implement contingency strategies
-Test and revise the strategy
29. EISP: Enterprise Information Security Policy
30. Goals of Information Security Governance:
1) Alignment of security and business strategy
2) Risk management
3) Resource management
4) Performance measurement
5) Value delivery
31. Security Policy Types:
1) Enterprise information security policy
2) Issue-specific security policy
3) System-specific security policy
32. Effective Policy:
-Disseminated
-Review
-Comprehension
-Compliance
-Uniform enforcement
33. ACL: Access Control List
34. Configuration Rule Policies: How a security system reacts to information received
35. ISO 27000:
-International Organization for Standardization
-Recommendations for information security management for use by responsible parties
-Plan > Do > Check > Act
36. NIST Special Publications:
-Security supports the mission of the organization
-Security is an integral element of sound management
-Security should be cost effective
-Systems owners have security responsibilities outside their own organizations
-Security responsibilities and accountability should be made explicit
-Security requires a comprehensive and integrated approach
-Security should be periodically reassessed
-Security is constrained by social factors
37. Control Levels:
-Managerial
-Operational
-Technical
38. Security Perimeter Components:
-Firewalls
-DMZs
-Proxy Servers
-IDPSs

Principles of Information Security - Chapter 9 Physical Security
Study online at https://quizlet.com/_7f12d4

1. SOPs (standard operating procedures): Most guards have clear ____ that help them to act decisively in unfamiliar situations.

2. Tailgating: ____ occurs when an authorized person presents a key to open a door, and other people, who may or may not be authorized, also enter.

3. PROGRAMMABLE: ____ locks can be changed after they are put in service, allowing for combination or key changes without a locksmith and even allowing the owner to change to another access method (key or combination) to upgrade security.

4. BIOMETRIC: The most sophisticated locks are ____ locks.

5. CLOSED-CIRCUIT TELEVISION: Electronic monitoring includes ____ systems.

6. CONTACT AND WEIGHT: ____ sensors work when two contacts are connected as, for example, when a foot steps on a pressure-sensitive pad under a rug, or a window being opened triggers a pin-and-spring sensor.

7. PLENUM: Interior walls reach only part way to the next floor, which leaves a space above the ceiling of the offices but below the top of the storey. This space is called a(n) ____.

8. SUPPRESSION: Fire ____ systems are devices installed and maintained to detect and respond to a fire, potential fire, or combustion danger situation.

9. RATE-OF-RISE: In the ____ approach, the sensor detects an unusually rapid increase in the area temperature within a relatively short period of time.

10. PHOTOELECTRIC: ____ sensors project and detect an infrared beam across an area.

11. B: Class ____ fires are extinguished by agents that remove oxygen from the fire.

12. C: Class ____ fires are extinguished with non-conducting agents only.

13. DRY-PIPE: A ____ system is designed to work in areas where electrical equipment is used. Instead of containing water, the system contains pressurized air.

14. WATER MIST: ____ sprinklers are the newest form of sprinkler systems and rely on ultra-fine mists instead of traditional shower-type systems.

15. ESD: One of the leading causes of damage to sensitive circuitry is ____.

16. GFCI: Computing and other electrical equipment in areas where water can accumulate must be uniquely grounded, using ____ equipment.

17. UPS: A device that assures the delivery of electric power without interruption is a(n) ____.

18. 1,000: UPS devices typically run up to ____ VA.

19. LINE-INTERACTIVE: In the ____ UPS, the internal components of the standby models are replaced with a pair of inverters and converters.

20. REMOTE SITE COMPUTING: ____ involves a wide variety of computing sites that are distant from the base organizational facility and includes all forms of telecommuting.

21. PHYSICAL: ____________________ security encompasses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.

22. FACILITY: A secure ____________________ is a physical location that has in place controls to minimize the risk of attacks from physical threats.

23. IDENTIFICATION CARD: A(n) _________________________ is typically worn concealed.

24. MECHANICAL: The ____________________ lock may rely on a key that is a carefully shaped piece of metal, which is rotated to turn tumblers that release secured loops of steel, aluminum, or brass.

25. ELECTRONIC: __________________ locks can be integrated into alarm systems and combined with other building management systems.

26. PROXIMITY: A specialized type of keycard reader is the ____________________ reader, which allows individuals simply to place their cards within the reader's range.

27. MANTRAP: A(n) ____________________ is a small enclosure that has separate entry and exit points.

28. MOTION DETECTORS: __________________ detect movement within a confined space and are either active or passive.

29. FIREWALLS: Building codes require that each floor have a number of ____________________, or walls that limit the spread of damage should a fire break out in an office.

30. FLAMEPOINT: The temperature of ignition is called the ____________________ of a material.

31. SENSOR: The thermal detection systems contain a sophisticated heat ___

32. FLAME: The ____________________ detector is a sensor that detects the infrared or ultraviolet light produced by an open flame.

33. A: Class ___________________ fires are extinguished by agents that interrupt the ability of the fuel to be ignited.

34. WET-PIPE: A(n) ____________________ system has pressurized water in all pipes and has some form of valve in each protected area.

35. DELUGE: Some sprinkler systems, called ____________________ systems, keep open all of the individual sprinkler heads, and as soon as the system is activated, water is immediately applied to all areas.

36. CLEAN: Halon is one of a few chemicals designated as a(n) ___________________ agent, which means that it does not leave any residue after use, nor does it interfere with the operation of electrical or electronic equipment.

37. HUMIDITY: _________________ is the amount of moisture in the air.

38. NOISE: Interference with the normal pattern of the electrical current is also referred to as ___

39. STAND BY: A(n) ____________________ or offline UPS is an offline battery backup that detects the interruption of power to the power equipment.

40. TEMPEST: The U.S. government has developed a program, named ____________________ to reduce the risk of EMR monitoring.

Information Security chapter 9
Study online at https://quizlet.com/_7h2285

1. physical security: the protection of physical items, objects, or areas from unauthorized access

2. facilities management: the aspect of organizational management focused on the development and maintenance of its buildings and physical infrastructure

3. secure facility: a physical location that has controls in place to minimize the risk of attacks from physical threats

4. badge: an identification card typically worn in a visible location to quickly verify an authorized member. The badge may or may not show the wearer's name.

5. biometric lock: a lock that needs a unique biological attribute such as a fingerprint, iris, retina, or palm and then uses that input as a key

6. closed-circuit television (CCTV): a video capture and recording system used to monitor a facility

7. contact and weight sensor: an alarm sensor designed to detect increased pressure or contact at a specific location, such as a floor pad or window

8. electromechanical lock: a lock that can accept a variety of inputs as keys, including magnetic strips on ID cards, radio signals from badges, personal identification numbers (PINs) typed into a keypad, or some combination of these to activate an electronically powered locking mechanism

9. fail-safe lock: an electromechanical device that automatically releases the lock protecting a control point if a power outage occurs. This type of lock is used for fire safety locations.

10. fail-secure lock: an electromechanical device that stays locked and maintains the security of the control point if a power outage occurs

11. identification (ID) card: a document used to verify the identity of a member of an organization, group, or domain

12. mantrap: a small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt

13. mechanical lock: a physical lock that may rely on either a key or numerical combination to rotate tumblers and release the hasp. Also known as a manual lock

14. motion detector: an alarm sensor designed to detect movement within a defined space

15. plenum: a space between the ceiling in one level of a commercial building and the floor of the level above. The plenum is used for air return.

16. proximity reader: an electronic signal receiver used with an electromechanical lock that allows users to place their cards within the reader's range and release the locking mechanism

17. tailgating: the process of gaining unauthorized entry into a facility by closely following another person through an entrance and using the credentials of the authorized person to bypass a control point

18. thermal detector: an alarm sensor designed to detect a defined rate of change in the ambient temperature within a defined space

19. vibration sensor: an alarm sensor designed to detect movement of the sensor rather than movement in the environment

20. air-aspirating detector: a fire detection sensor used in high-sensitivity areas that works by taking in air, filtering it, and passing it through a chamber that contains a laser beam. The alarm triggers if the beam is broken.

21. clean agent: a fire suppression agent that does not leave any residue after use or interfere with the operation of electrical or electronic equipment

22. deluge system: a fire suppression sprinkler system that keeps all individual sprinkler heads open and applies water to all areas when activated.

23. dry-pipe system: a fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area

24. fire suppression system: devices that are installed and maintained to detect and respond to a fire, potential fire, or combustion danger

25. fixed-temperature sensor: a fire detection sensor that works by detecting the point at which the ambient temperature in an area reaches a predetermined level

26. flame detector: a fire detection system that works by detecting the infrared or ultraviolet light produced by an open flame

27. gaseous (or chemical gas) emission systems: fire suppression systems that operate through the delivery of gases rather than water

28. ionization sensor: a fire detection sensor that works by exposing the ambient air to a small amount of a harmless radioactive material within a detection chamber; an alarm is triggered when the level of electrical conductivity changes within the chamber

29. photoelectric sensor: a fire detection sensor that works by projecting an infrared beam across an area. If the beam is interrupted, presumably by smoke, the alarm or suppression system is activated

30. pre-action system: a fire suppression sprinkler system that employs a two-phase response to a fire. When a fire is detected anywhere in the facility, the system will first flood all pipes, then activate only the sprinkler heads in the area of the fire

31. rate-of-rise sensor: a fire detection sensor that works by detecting an unusually rapid increase in the area temperature within a relatively short period of time

32. smoke detection system: a category of fire detection system that focuses on detecting the smoke from a fire

33. sprinkler system: a fire suppression system designed to apply a liquid, usually water, to all areas in which a fire has been detected

34. thermal detection system: a category of fire detection systems that focuses on detecting the heat from a fire

35. water mist sprinkler: a fire suppression sprinkler system that relies on ultra-fine mists to reduce the ambient temperature below that needed to sustain a flame

36. wet-pipe system: a fire suppression sprinkler system that contains pressurized water in all pipes and has some form of valve in each protected area

37. electrostatic discharge (ESD): The release of ambient static electricity into a ground

38. humidity: the amount of moisture in the air

39. static electricity: an imbalance of electrical charges in the atmosphere or on the surface of a material, caused by triboelectrification

40. triboelectrification: the exchange of electrons between two materials when they make contact, resulting in one object becoming more positively charged and the other more negatively charged

41. delta conversion online UPS: an uninterruptible power supply (UPS) that is similar to a double conversion online UPS except that it incorporates a delta transformer, which assists in powering the inverter while outside power is available

42. double conversion online UPS: a UPS in which the protected device draws power from an output inverter. The inverter is powered by the UPS battery, which is constantly recharged from the outside power.

43. ground fault circuit interruption: a special circuit device designed to immediately disconnect a power supply when a sudden discharge (ground fault) is detected

44. line-interactive UPS: a UPS in which a pair of inverters and converters draw power from the outside source both to charge the battery and provide power to the internal protected device

45. noise: the presence of additional and disruptive signals in network communications or electrical power delivery

46. Standby ferroresonant UPS: a UPS in which the outside power source directly feeds the internal protected device. The UPS serves as a battery backup, incorporating a ferroresonant transformer instead of a converter switch, providing line filtering and reducing the effect of some power problems, and reducing noise that may be present in the power as it is delivered

47. standby (or offline) UPS: an offline battery backup that detects the interruption of power to equipment and activates a transfer switch that provides power from batteries through a DC to AC converter until normal power is restored or the computer is shut down

48. electromagnetic radiation (EMR): the transmission of radiant energy through space, commonly referred to as radio waves

49. TEMPEST: a US government program designed to protect computers from electronic remote eavesdropping by reducing EMR emissions

50. telecommuting: a work arrangement in which employees work from an off-site location and connect to an organization's equipment electronically. Also known as telework.

51. virtual organization: a group of people brought together for a specific task, usually from different organizations, divisions, or departments

Information security chapter 9
Study online at https://quizlet.com/_6f1zvi

1. Facilities Management: The aspect of organizational management focused on the development and maintenance of its buildings and physical infrastructure

2. secure facility: A physical location that has controls in place to minimize the risk of attacks from physical threats.

3. Identification (ID) cards: A document used to verify the identity of a member of an organization, group, or domain.

4. Tailgating: The process of gaining unauthorized entry into a facility by closely following another person through an entrance and using the credentials of the authorized person to bypass a control point.

5. badge: An identification card typically worn in a visible location to quickly verify an authorized member. The badge may or may not show the wearer's name.

6. mechanical lock: A physical lock that may rely on either a key or numerical combination to rotate tumblers and release the hasp. Also known as a manual lock.

7. proximity reader: An electronic signal receiver used with an electromechanical lock that allows users to place their cards within the reader's range and release the locking mechanism.

8. Electromechanical locks: A lock that can accept a variety of inputs as keys, including magnetic strips on ID cards, radio signals from name badges, personal identification numbers (PINs) typed into a keypad, or some combination of these to activate an electrically powered locking mechanism.

9. fail-safe lock: An electromechanical device that automatically releases the lock protecting a control point if a power outage occurs. This type of lock is used for fire safety locations.

10. biometric lock: A lock that reads a unique biological attribute such as a fingerprint, iris, retina, or palm and then uses that input as a key.

11. closed circuit television (CCTV): A video capture and recording system used to monitor a facility.

12. mantrap: A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt.

13. Fail-secure lock: An electromechanical device that stays locked and maintains the security of the control point if a power outage occurs.

14. Motion detectors: An alarm sensor designed to detect movement within a defined space.

15. contact and weight sensor: An alarm sensor designed to detect increased pressure or contact at a specific location, such as a floor pad or a window.

16. Thermal Detector: An alarm sensor designed to detect a defined rate of change in the ambient temperature within a defined space.

17. vibration sensors: An alarm sensor designed to detect movement of the sensor rather than movement in the environment.

18. plenum: The space between a suspended ceiling in one level of a commercial building and the floor of the above level. The plenum is used for air return.

19. thermal detection system: a category of fire detection systems that focuses on detecting the heat from a fire

20. Fire suppression system: Devices that are installed and maintained to detect and respond to a fire, potential fire, or combustion danger.

21. Fixed-temperature sensors: A fire detection sensor that works by detecting the point at which the ambient temperature in an area reaches a predetermined level.

22. Photoelectric sensors: A fire detection sensor that works by projecting an infrared beam across an area. If the beam is interrupted, presumably by smoke, the alarm or suppression system is activated.

23. rate-of-rise sensor: A fire detection sensor that works by detecting an unusually rapid increase in the area temperature within a relatively short period of time.

24. Smoke detection systems: a category of fire detection systems that focuses on detecting the smoke from a fire

25. Ionization sensors: A fire detection sensor that works by exposing the ambient air to a small amount of harmless radioactive material within a detection chamber; an alarm is triggered when the level of electrical conductivity changes within the chamber.

26. Air-aspirating detectors: A fire detection sensor used in high-sensitivity areas that works by taking in air, filtering it, and passing it through a chamber that contains a laser beam. The alarm triggers if the beam is broken.

27. flame detector: a fire detection system that works by detecting the infrared or ultraviolet light produced by an open flame

28. Deluge systems: a fire suppression sprinkler system that keeps all individual sprinkler heads open and applies water to all areas when activated.

29. Wet Pipe System: a fire suppression sprinkler system that contains pressurized water in all pipes and has some form of valve in each protected area.

30. dry-pipe system: A fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area.

31. sprinkler systems: A fire suppression system designed to apply a liquid, usually water, to all areas in which a fire has been detected.

32. pre-action system: A fire suppression sprinkler system that employs a two-phase response to a fire. When a fire is detected anywhere in the facility, the system will first flood all pipes, then activate only the sprinkler heads in the area of the fire.

33. Water mist sprinklers: A fire suppression water sprinkler system that relies on ultra-fine mists to reduce the ambient temperature below that needed to sustain a fire.

34. clean agent: A fire suppression agent that does not leave any residue after use or interfere with the operation of electrical or electronic equipment.

35. gaseous (or chemical gas) emission systems: Fire suppression systems that operate through the delivery of gases rather than water

36. triboelectrification: The exchange of electrons between two materials when they make contact, resulting in one object becoming more positively charged and the other more negatively charged.

37. static electricity: an imbalance of electric charges in the atmosphere or on the surface of a material, caused by triboelectrification.

38. humidity: the amount of moisture in the air

39. standby or offline UPS: An offline battery backup that detects the interruption of power to equipment and activates a transfer switch that provides power from batteries through a DC to AC converter until normal power is restored or the computer is shut down.

40. Ground Fault Circuit Interruption: a special circuit device designed to immediately disconnect a power supply when a sudden discharge (ground fault) is detected

41. electrostatic discharge (ESD): The release of ambient static electricity into a ground.

42. Standby ferroresonant UPS: A UPS in which the outside power source directly feeds the internal protected device. The UPS serves as a battery backup, incorporating a ferroresonant transformer instead of a converter switch, providing line filtering and reducing the effect of some power problems, and reducing noise that may be present in the power as it is delivered.

43. line-interactive UPS: A UPS in which a pair of inverters and converters draw power from the outside source both to charge the battery and provide power to the internal protected device.

44. delta conversion online UPS: An uninterruptible power supply (UPS) that is similar to a double conversion online UPS except that it incorporates a delta transformer, which assists in powering the inverter while outside power is available.

45. Double conversion online UPS: A UPS in which the protected device draws power from an output inverter. The inverter is powered by the UPS battery, which is constantly recharged from the outside power.

46. electromagnetic radiation (EMR): the transmission of radiant energy through space, commonly referred to as radio waves

47. TEMPEST: A US government program designed to protect computers from electronic remote eavesdropping by reducing EMR emissions.

48. Telecommuting: a work arrangement in which employees work from an off-site location (home) and connect to an organization's equipment electronically. Also known as telework.

49. telework: see telecommuting

50. virtual organization: A group of people brought together for a specific task, usually from different organizations, divisions, or departments

Cyber Security Essentials Module 1
Study online at https://quizlet.com/_9t8tcj

1. security: A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.

2. Information Security: Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

3. Network Security: A subset of communications security; the protection of voice and data networking components, connections, and content.

4. Communications Security: The protection of all communications media, technology, and content

5. data security: The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction

6. information security management: an integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats

7. CIA triad (Confidentiality, Integrity, Availability): The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

8. CNSS model of information security

9. Access: A subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.

10. Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.

11. Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect

12. Passive Attack: Attack where the attacker does not interact with processing or communication activities, but only carries out observation and data collection, as in network sniffing.

13. Intentional Attack: A hacker attempting to break into an IS system

14. Unintentional attack: A lightning strike that causes a building fire

15. Direct Attack: a hacker using a PC to break into a system. Direct attacks originate from the threat itself.

16. Indirect attack: a hacker compromising a system and using it to attack other systems—for example, as part of a botnet. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

17. Control, safeguard, or countermeasure: security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization

18. Exploit: technique used to compromise a system. A documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.

19. Exposure: A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.

20. Loss: A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.

21. Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.

22. security program: those procedures and activities designed to protect the property or assets of guests, employees, and the business

23. Risk: The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.

24. Subjects and objects of attack: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).

25. Threat: Any event or circumstance that has the potential to adversely affect operations and assets

26. Threat Source: The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Agent.

27. Threat agent: the specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.

28. Threat event: An occurrence of an event caused by a threat agent

29. Vulnerability: A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.

30. Critical Characteristics of Information:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession

31. Availability of information: An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.

32. Accuracy of information: An attribute of information that describes how data is free of errors and has the value that the user expects.

33. Authenticity of information: quality or state of being genuine or original, rather than a reproduction or fabrication

34. Confidentiality of Information: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.

35. Personally Identifiable Information (PII): Information about a person's history, background, and attributes that can be used to commit identity theft. This information typically includes a person's name, address, Social Security number, family information, employment history, and financial information.

36. Integrity of information: An attribute of information that describes how data is whole, complete, and uncorrupted.

37. Utility of information: An attribute of information that describes how data has value or usefulness for an end purpose.

38. Possession of information: An attribute of information that describes how the data's ownership or control is legitimate or authorized.

39. McCumber Cube: A graphical representation of the architectural approach widely used in computer and information security.

40. Components of an Information System: hardware, software, networks, data, procedures, people

41. Information System: The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.

42. Physical Security: The protection of physical items, objects, or areas from unauthorized access and misuse.

43. bottom-up approach: A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.

44. top-down approach: A methodology of establishing security policies and/or practices that is initiated by upper management.

45. Systems Development Life Cycle (SDLC): The traditional methodology used to develop, maintain, and replace information systems.

46. SecOps: A process of using the DevOps methodologies of an integrated development and operations approach that is applied to the specification, creation, and implementation of security control systems.

47. methodology: A formal approach to solving a problem based on a structured sequence of procedures.

48. Waterfall Model: An SDLC approach that assumes the phases can be completed sequentially with no overlap.

49. Software Assurance (SwA): A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. SA attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence.

50. Economy of mechanism: The design of security measures embodied in both hardware and software should be as simple and small as possible.

51. Fail-safe defaults: Base access decisions on permission rather than exclusion.

52. Complete mediation: Every access must be checked against the access control mechanism.

53. Open design: The design should not be secret, but rather depend on the possession of keys or passwords.

54. Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock, rather than one.

55. Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.

56. Least common mechanism: Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.

57. Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.

58. NIST Approach to Securing the SDLC: Each phase of the SDLC should include consideration for the security of the system being assembled as well as the information it uses.

59. Initiation Phase of NIST: Security considerations are key to diligent and early integration, thereby ensuring that threats, requirements, and potential constraints in functionality and integration are considered.

60. Key security activities for Initiation Phase of NIST:
*Initial delineation of business requirements in terms of confidentiality, integrity, and availability;
*Determination of information categorization and identification of known special handling requirements to transmit, store, or create information such as personally identifiable information; and
*Determination of any privacy requirements.

61. Chief Information Officer (CIO): An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.

62. Chief Information Security Officer (CISO): Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.

63. information security project team: Should consist of a number of individuals who are experienced in one or multiple facets of the required technical and nontechnical areas.

64. three types of data ownership:
Data owners
Data custodians
Data users

65. Data owners: Members of senior management who are responsible for the security and use of a particular set of information. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

66. Data custodians: Working directly with data owners, data custodians are responsible for the information and the systems that process, transmit, and store it. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

67. Data users: Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

68. communities of interest: A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.

69. Information assets: The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.

70. primary mission of an information security program: Ensure that information assets (information and the systems that house them) remain safe and useful.

71. media: As a subset of information assets, the systems and networks that store, process, and transmit information.

72. Information security performs four important functions for an organization:
- Protecting the organization's ability to function
- Protecting the data and information the organization collects and uses, whether physical or electronic
- Enabling the safe operation of applications running on the organization's IT systems
- Safeguarding the organization's technology assets

73. three communities of interest:
general management
IT management
information security management

74. Databases: A collection of related data stored in a structured form and usually managed by a database management system.

75. Database Security: A subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.

76. exploits: A technique used to compromise a system.

77. Vulnerabilities: A potential weakness in an asset or its defensive control system(s).

78. Common Attack Pattern Enumeration and Classification (CAPEC): A nonprofit research and development organization sponsored by the U.S. government. This online repository can be searched for characteristics of a particular attack or simply browsed by professionals who want additional knowledge of how attacks occur procedurally.

79. Compromises to Intellectual Property: Preventing compromises to intellectual property is a vital issue for people who make their livelihood in knowledge fields. Protecting intellectual property is particularly difficult when that property is in digital form.

80. Software Piracy: The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.

81. Deviations in quality of service: Support systems being interrupted by unforeseen events.

82. availability disruption: An interruption in service, usually from a service provider, which causes an adverse event within an organization.

83. industrial espionage: The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.

84. competitive intelligence: Gaining information about one's competitors' activities so that you can anticipate their moves and react appropriately.

85. trespass: Unauthorized entry into the real or virtual property of another party.

86. hacker: A person who accesses systems and information without authorization and often illegally.

87. cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.

88. brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.

89. 10.4 password rule: An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.

90. Dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.

91. Rainbow Tables: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.

92. force majeure: A catastrophic occurrence beyond human control.

93. Social Engineering: The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.

94. advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.

95. Phishing: A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.

96. Pretexting: A form of social engineering in which one individual lies to obtain confidential data about another individual.

97. Information extortion: The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement not to disclose the information.

98. Ransomware: Computer software specifically designed to identify and encrypt valuable information in a victim's system in order to extort payment for the key needed to unlock the encryption.

99. hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

100. cyberterrorism: A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.

101. Malware: Software designed to infiltrate or damage a computer system without the user's informed consent.

102. zero-day attack: Malware intended to provide undesired marketing and advertising, including pop-ups and banners on a user's screens.

103. macro virus: A type of virus written in a specific macro language to target applications that use the language. The virus is activated when the application's product is opened. A macro virus typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.

104. boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.

105. memory-resident viruses: A virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.

106. non-memory-resident viruses: A virus that terminates after it has been activated, infected its host system, and replicated itself. NMR viruses do not reside in an operating system or memory after executing.

107. binary executables: These are programs that were originally created as a text file using a programming language.

108. interpretable data files: Command scripts or a specific application's document files; or both.

109. IP Scan and Attack: The infected system scans a range of IP addresses and service ports and targets several vulnerabilities known to hackers or left over from previous exploits, such as Code Red, Back Orifice, or PoizonBox.

110. web browsing: If the infected system has write access to any Web pages, it makes all Web content files infectious, so that users who browse to those pages become infected.

111. Virus: Each affected machine infects common executable or script files on all computers to which it can write, which spreads the virus code to cause further infection.

112. Unprotected Shares: Using vulnerabilities in file systems and in the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.

113. Mass mail: By sending e-mail infections to addresses found in the address book, the affected machine infects many other users, whose mail-reading programs automatically run the virus program and infect even more systems.

114. Simple Network Management Protocol (SNMP) Attack: SNMP is used for remote management of network and computer devices. By using the widely known and common passwords that were employed in early versions of this protocol, the attacking program can gain control of the device. Most vendors have closed these vulnerabilities with software upgrades.

115. Attack replication vectors:
- IP Scan and Attack
- Web browsing
- Virus
- Unprotected Shares
- Mass mail
- Simple Network Management Protocol (SNMP) Attack

116. Worms: A type of malware that is capable of activation and replication without being attached to an existing program.

117. Trojan horses: A malware program that hides its true nature and reveals its designed behavior only when activated.

118. polymorphic threat: Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.

119. virus hoaxes: A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.

120. back door: A malware payload that provides access to a system by bypassing normal access controls. A back door may also be an intentional access control bypass left by a system designer to facilitate development.

121. maintenance hook: A back door used by programmers to debug and test programs.

122. denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.

123. distributed denial-of-service (DDoS) attack: A form of DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.

124. mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.

125. packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.

126. spoofing: A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.

127. Pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.

128. Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations. Also known as DNS spoofing.

129. man-in-the-middle: A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.

130. TCP hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.

131. mean time between failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.

132. mean time to failure (MTTF): The average amount of time expected until the first failure of a piece of equipment.

133. Buffer Overruns: An application error that occurs when more data is sent to a program buffer than it is designed to handle.

134. Catching Exceptions: A program throws an exception; when code deals with an exception, it is said to catch or handle it.

135. Command Injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.

136. Cross-Site Scripting (XSS): A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.

Planning for Security
Study online at https://quizlet.com/_6q8b65

1. What is security Architecture? Creation and review of an organization's info security policies, standards, and practices help develop a security Architecture.

2. What is reasonable security? Policies plus standards plus practices = Reasonable security

3. What is a policy? Policy: course of action used by an organization to convey instructions (organizational laws)

4. What are standards? Standards: what must be done to comply with policy

5. What are practices? Practices, procedures, guidelines: effectively explain how to comply with policy

6. What is the flow of Reasonable security? Policies --> Standards --> Practices, Procedures, Guidelines (PPG)

7. To remain viable security must have what? To remain viable, security policies must have:
-Individual responsible for the policy (policy Admin)
-A schedule of reviews & revisions
-Method for making recommendations for revisions

8. What is Defense in depth?
-Implementing security in layers
-Requires an intruder to face multiple layers of controls

9. What is a security perimeter?
-Point at which an organization's security protection ends and the outside world begins
-Does not apply to internal attacks from employee threats or on-site physical threats

10. What is SETA? *Security Education Training and Awareness program (SETA)*
-To reduce instances of accidental security breach by employees
-SETA:
-Security Education
-Security Training
-Security Awareness (regular reminders & information)

11. What is required of employees in terms of awareness?
-Everyone in an organization needs to be aware of information security, though not everyone needs to be an expert
-Formal security education can offer more in-depth understanding than a DIY or learn-it-yourself approach
-Knowledge of experts!
-Security awareness need not be complicated or expensive

12. How do we plan for failures? (3 types) *Planning for Failures*
-Incident response plans (IRP)
-Disaster recovery plans (DRP)
-Business continuity plan (BCP)

13. What is IRP? IRP focuses on immediate response; if the attack escalates or is disastrous, the process changes to disaster recovery and BCP

14. What is DRP? DRP focuses on restoring systems after disaster strikes and is closely associated with BCP

15. What is BCP? BCP occurs concurrently with DRP when damage is major or long term, requiring more than simple restoration of information and information resources

16. What's the flow of IRP/DRP/BCP?
IRP: Incident detection -> Incident reaction -> Incident recovery
DRP: Disaster reaction -> Disaster recovery (restore operations at primary site)
BCP: Continuity reaction -> Alternate site operations

17. How are attacks classified as incidents? Attacks are classified as incidents if they:
-Could threaten Confidentiality, Integrity, or Availability (CIA) of information resources

18. How is damage assessed? Several sources of information on damage, including system logs, intrusion detection logs, configuration logs, and documents

19. What is DRP? Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster
-A DRP strives to reestablish operations at the primary site

20. How does BCP function? Business continuity planning
-Consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions

21. What are common RAID configs? Common RAID configs
-*RAID 1*
-*MIRROR*
-*Duplexing*

22. What to backup?
-Operating system files: infrequently
  -When new programs are installed
  -When major configuration changes occur
-Data files: frequently
  -Daily for most businesses
  -Varies for less critical data

23. What's typical backup media? Typical backup media
-Off-site backup
-Thumb drives
-USB hard drives
-NAS
-SAN

24. Typical backup types? Backup types:
-Normal
  -Clears 'A' attribute
-Incremental (all files since last incremental)
  -Clears 'A' attribute
-Differential (all files since last normal)
-Daily
-Copy

25. Backup times from slowest to quickest? Relative backup times
-Normal
  -Takes the longest time each day
  -Easiest and quickest to restore; only one tape needed
-Differential
  -Each day the backup takes longer
  -Two tapes needed
-Incremental
  -Quickest daily backups
  -Longest to restore; multiple tapes

26. What's GFS tape rotation? G-F-S tape rotation
-Normal backup once per week (Parent)
-Daily incremental backups (Child)
-Save last monthly Normal (Grandparent)
-Take tapes off site frequently

27. What are some tips for restoring data? Restoring data
-Check backup archives occasionally to ensure that restore will work
-You can't restore what you haven't backed up
-When the incident at hand constitutes a violation of law, the organization may determine that involving law enforcement is necessary

28. What's the benefit of involving law enforcement?
-Agencies may be better equipped at processing evidence
-Companies and organizations may be less effective in convicting suspects
-Law enforcement agencies are prepared to handle any necessary warrants and subpoenas
-Law enforcement is skilled at obtaining witness statements and other information collection

29. Drawbacks of involving law enforcement?
-Once a law enforcement agency takes over the case, the organization loses complete control over the chain of events
-Organization may not hear about the case for weeks or months
-Equipment vital to the organization's business may be tagged and removed as evidence
-If the organization detects a criminal act, it is legally obligated to involve appropriate law enforcement officials

30. Can you summarize SETA and Contingency planning? Information security education, training, and awareness (SETA) is a control measure that reduces accidental security breaches and increases organizational resistance to many other forms of attack
-Contingency planning (CP) is made up of three components: incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning (BCP)

Legal, Ethical, and Professional Issues in Information Security
Study online at https://quizlet.com/_2oevjh

1. Laws: Rules that mandate or prohibit certain behavior

2. Ethics: Socially acceptable behaviors

3. Key difference between laws and ethics: Laws carry the authority of a governing body and ethics do not

4. Cultural Mores: Fixed moral attitudes or customs of a particular group

5. Liability: The legal obligation of an entity that extends beyond criminal or contract law

6. Due Care: Standards met when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions

7. Due Diligence: Requires that an organization make a valid effort to protect others and continually maintain this level of effort

8. Jurisdiction: The court's right to hear a case if a wrong is committed in its territory or involves its citizenry

9. Long arm Jurisdiction: The long arm of the law extending across the country or around the world to draw an accused individual into its court system

10. Policies: Guidelines that describe acceptable and unacceptable employee behaviors in the workplace

11. The five criteria for a policy to become enforceable:
Dissemination (distribution)
Review (reading)
Comprehension (understanding)
Compliance (agreement)
Uniform Enforcement

12. Criminal Law: Addresses activities and conduct harmful to society; enforced by the state

13. Private Law: Encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations

14. Public Law: Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments; includes criminal, administrative, and constitutional law

15. The Computer Fraud and Abuse Act of 1986 (CFA Act): The cornerstone of many computer-related federal laws and enforcement efforts

16. National Information Infrastructure Protection Act of 1996: Modified several sections of the previous act and increased the penalties for selected crimes

17. Computer Security Act of 1987: One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

18. Privacy of Customer Information Section: The common carrier regulation states that any proprietary information shall be used explicitly for providing services

19. Aggregate Information: Created by combining pieces of non-private data; often collected during software updates via cookies; when combined, may violate privacy

20. Federal Privacy Act of 1974: Regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission

21. Electronic Communications Privacy Act of 1986: Collection of statutes that regulates the interception of wire, electronic, and oral communications

22. Fourth Amendment of the U.S. Constitution: Protects individuals from unlawful search and seizure

23. Health Insurance Portability and Accountability Act of 1996 (HIPAA): Protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange

24. Economic Espionage Act: Attempts to prevent trade secrets from being illegally shared

25. Freedom of Information Act: Allows any person to request access to federal agency records or information not determined to be a matter of national security

26. Sarbanes-Oxley Act of 2002: Critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms

27. Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS): Created by the World Trade Organization (WTO); introduced intellectual property rules into the multilateral trade system

28. Ethical differences across cultures: Can make it difficult to determine what is and is not ethical, especially when it comes to the use of computers

29. Three general causes of unethical and illegal behavior:
Ignorance
Accident
Intent

30. Laws and policies and their associated penalties:
Fear of penalty
Probability of being caught
Probability of penalty being administered

31. Department of Homeland Security (DHS): Was created after the Homeland Security Act of 2002, which was passed after the September 11 attack

32. National InfraGard Program: FBI sought assistance in developing a more effective method of protecting critical national information

33. National Security Agency (NSA): Is responsible for signals intelligence and information system security

34. U.S. Secret Service: An agency within the Department of the Treasury; provides services to members of the U.S. government, helping with any related computer fraud and false identification crimes.

principles of information security final
Study online at https://quizlet.com/_7j2wsf

1. Risk management: Process of identifying and controlling risks facing an organization

2. Risk identification: Process of examining an organization's current information technology security situation

3. Risk control: Applying controls to reduce risks to an organization's data and information systems

4. Know yourself: Identify, examine, and understand the information and systems currently in place

5. Know the enemy: Identify, examine, and understand threats facing the organization

6. risk management: risk identification, risk assessment, risk control

7. Communities of interest are responsible for:
-Evaluating the risk controls
-Determining which control options are cost effective for the organization
-Acquiring or installing the needed controls
-Ensuring that the controls remain effective

8. Components of risk identification:
-People
-Procedures
-Data
-Software
-Hardware

9. A threat assessment process: Identifies and quantifies the risks facing each asset

10. Iterative process: Begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking)

11. Important asset attributes:
-People: position name/number/ID; supervisor; security clearance level; special skills
-Procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update
-Data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

12. Hardware, software, and network asset attributes to be considered: name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity

13. Which information attributes to track depends on:
-The needs of the organization and its risk management efforts
-The preferences and needs of the security and information technology communities

14. Questions that help develop criteria for asset valuation. Which information asset:
-Is most critical to the organization's success?
-Generates the most revenue/profitability?
-Would be most expensive to replace or protect?
-Would be the most embarrassing or cause the greatest liability if revealed?

15. Threat assessment: realistic threats need investigation; unimportant threats are set aside. Questions to ask:
-Which threats present a danger to the organization's assets?
-Which threats represent the most danger to the organization's information?
-How much would it cost to recover from an attack?
-Which threat requires the greatest expenditure to prevent?

16. For the purpose of relative risk assessment:
Risk = (likelihood of vulnerability occurrence × value or impact of the asset) − percentage of risk already controlled + an element of uncertainty
The "percentage already controlled" and "uncertainty" terms are applied as percentages of the likelihood × value product, so a fully uncontrolled vulnerability with a 10% uncertainty adds 10% of that product to the rating.

17. Three general categories of controls:
-Policies
-Programs
-Technologies

18. Residual risk: the risk that remains to the information asset even after the existing controls have been applied

19. Information asset classification worksheet: assembles information about information assets and their impact

20. Weighted criteria analysis worksheet: assigns a ranked value or impact weight to each information asset

21. Ranked vulnerability risk worksheet: assigns a ranked risk rating to each uncontrolled asset-vulnerability pair

22. Once the ranked vulnerability risk worksheet is complete, one of five strategies must be chosen to control each risk:
-Defend
-Transfer
-Mitigate
-Accept
-Terminate

23. The four risk strategies (the older naming, in which "avoidance" is what card 22 calls "defend") guide an organization to:
1. Apply safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability (avoidance)
2. Transfer the risk to other areas or to outside entities (transference)
3. Reduce the impact should the vulnerability be exploited (mitigation)
4. Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)

24. Three common methods of risk avoidance (defense):
-Application of policy
-Training and education
-Applying technology

25. Transfer: the control approach that attempts to shift the risk to other assets, other processes, or other organizations

26. Mitigation: the approach includes three types of plans
-Incident response plan (IRP): defines the actions to take while an incident is in progress
-Disaster recovery plan (DRP): the most common mitigation procedure
-Business continuity plan (BCP): encompasses the continuation of business activities if a catastrophic event occurs

27. The only acceptance strategy that is recognized as valid occurs when the organization has:
-Determined the level of risk
-Assessed the probability of attack
-Estimated the potential damage that could occur from these attacks
-Performed a thorough cost benefit analysis
-Evaluated controls using each appropriate type of feasibility
-Decided that the particular function, service, information, or asset did not justify the cost of protection

28. The terminate control strategy: directs the organization to avoid those business activities that introduce uncontrollable risks

29. Rules of thumb on strategy selection can be applied:
-When a vulnerability exists: implement security controls to reduce the likelihood of the vulnerability being exercised
-When a vulnerability can be exploited: apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent occurrence
-When the attacker's cost is less than the potential gain: apply protections that increase the attacker's cost (for example, limit what a user can access and do)
-When the potential loss is substantial: apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack

30. Items that affect the cost of a control or safeguard include: cost of development or acquisition; training fees; implementation cost; service costs; cost of maintenance

31. Benefit: the value an organization realizes by using controls to prevent losses from a vulnerability

32. Asset valuation: the process of assigning financial value or worth to each information asset

33. Expected loss per risk is stated in the following equation: annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)

34. SLE = asset value × exposure factor (EF), where EF is the percentage of the asset's value lost in a single occurrence of the attack

35. ALE(prior): the annualized loss expectancy of the risk before implementation of the control

36. ALE(post): the estimated ALE based on the control being in place for a period of time

37. ACS: the annualized cost of the safeguard. Cost-benefit analysis (CBA) = ALE(prior) − ALE(post) − ACS; a safeguard is cost-justified only when the CBA is positive
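The relative-risk formula in card 16, the ranked vulnerability risk worksheet in card 21, and the SLE/ALE/CBA equations in cards 33-37 carried through in code. This is an added example, not part of the flashcard deck or the textbook it summarises; the asset names, values, probabilities and safeguard costs are constructed sample data, and every function and class name is this example's own.

```python
"""Risk-rating and cost-benefit calculations from the cards above.

Added worked example; not from the flashcard deck or its textbook. All
asset names, values, probabilities and safeguard costs are constructed
sample data, and the function and class names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AssetVulnerability:
    """One row of a ranked vulnerability risk worksheet (card 21)."""
    asset: str
    vulnerability: str
    value: float            # weighted impact of the asset (card 20), e.g. 0-100
    likelihood: float       # probability the vulnerability is exercised, 0.0-1.0
    pct_controlled: float   # share of the risk current controls already remove, 0.0-1.0
    uncertainty: float      # share of the estimate that is guesswork, 0.0-1.0


def relative_risk(row: AssetVulnerability) -> float:
    """Risk = likelihood x value - % already controlled + uncertainty (card 16).

    The two percentage terms are taken as fractions of the likelihood x value
    product, which is how the formula is applied in the worksheet.
    """
    raw = row.likelihood * row.value
    return raw - raw * row.pct_controlled + raw * row.uncertainty


def ranked_worksheet(rows: list[AssetVulnerability]) -> list[tuple[str, str, float]]:
    """Return (asset, vulnerability, risk rating) ordered from highest risk down."""
    rated = [(r.asset, r.vulnerability, relative_risk(r)) for r in rows]
    return sorted(rated, key=lambda t: t[2], reverse=True)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (card 34)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (card 33)."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS (cards 35-37)."""
    return ale_prior - ale_post - acs


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # ACS
    exposure_factor: float   # EF expected with the safeguard in place
    aro: float               # ARO expected with the safeguard in place


def evaluate_safeguards(asset_value: float, exposure_factor: float, aro: float,
                        candidates: list[Safeguard]) -> list[tuple[str, float, bool]]:
    """Rank candidate safeguards for one asset by CBA.

    Each tuple is (name, CBA, justified). A safeguard is justified only when
    its CBA is positive; otherwise documented acceptance (card 27) is the
    alternative for the remaining risk.
    """
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    results = []
    for sg in candidates:
        ale_post = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, sg.exposure_factor), sg.aro)
        cba = cost_benefit(ale_prior, ale_post, sg.annual_cost)
        results.append((sg.name, cba, cba > 0))
    return sorted(results, key=lambda t: t[1], reverse=True)


# Constructed sample worksheet: two assets, three asset-vulnerability pairs.
SAMPLE_ROWS = [
    AssetVulnerability("customer DB", "unpatched DBMS", 50, 1.0, 0.0, 0.10),
    AssetVulnerability("web server", "weak admin password", 100, 0.5, 0.5, 0.20),
    AssetVulnerability("web server", "verbose error pages", 100, 0.1, 0.0, 0.20),
]

# Constructed sample CBA: a $200,000 web server losing half its value per
# incident, expected once every four years (ARO 0.25), with three candidates.
SAMPLE_SAFEGUARDS = [
    Safeguard("web application firewall", 8_000, 0.5, 0.05),
    Safeguard("full application rewrite", 30_000, 0.5, 0.02),
    Safeguard("tested nightly backups", 2_000, 0.2, 0.25),
]

if __name__ == "__main__":
    for asset, vuln, rating in ranked_worksheet(SAMPLE_ROWS):
        print(f"{rating:6.1f}  {asset}: {vuln}")
    for name, cba, ok in evaluate_safeguards(200_000, 0.5, 0.25, SAMPLE_SAFEGUARDS):
        print(f"{cba:>10,.0f}  {'justified' if ok else 'not justified'}  {name}")
```

Running the module prints the worksheet rows from highest to lowest rating (55, 35 and 12 for the sample rows), then the safeguards ranked by CBA. The backups and the firewall both come out positive; the rewrite costs more per year than the loss it prevents, so under card 27 the organization would document acceptance of that remaining risk rather than fund it.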

38. Two measures typically used to compare practices:
-Metrics-based measures
-Process-based measures

39. Benchmarking: the process of seeking out and studying practices in other organizations that one's own organization desires to duplicate

40. Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances

41. Due diligence: demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection

42. When considering best practices for adoption in an organization, consider:
-Does the organization resemble the identified target with the best practice?
-Are the resources at hand similar?
-Is the organization in a similar threat environment?

43. Best business practices: security efforts that provide a superior level of information protection

44. Problems with the application of benchmarking and best practices:
-Organizations don't talk to each other (the biggest problem)
-No two organizations are identical
-Best practices are a moving target
-Knowing what was going on in the information security industry in recent years through benchmarking doesn't necessarily prepare for what's next

45. Baselining:
-Analysis of measures against established standards
-In information security, baselining records the organization's current security activities and events as the reference point against which its future performance is compared
-It is useful during baselining to have a guide to the overall process

46. Organizational feasibility: examines how well the proposed IS alternatives will contribute to the organization's efficiency, effectiveness, and overall operation

47. Operational feasibility: examines user and management acceptance and support, and the overall requirements of the organization's stakeholders

48. Technical feasibility: examines whether the organization has or can acquire the technology necessary to implement and support the control alternatives

49. Political feasibility: defines what can and cannot occur based on consensus and relationships
