Professional Documents
Culture Documents
Principles of Information Security 6Th Edition Whitman Test Bank Full Chapter PDF
Principles of Information Security 6Th Edition Whitman Test Bank Full Chapter PDF
TRUEFALSE
1. The upper management of an organization must structure the IT and information security
functions to defend the organization's information assets.
False
Answer : (A)
2. Risk control is the application of controls that reduce the risks to an organization's
information assets to an acceptable level.
False
Answer : (A)
3. According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to
be successful in an engagement.
False
Answer : (B)
4. Knowing yourself means identifying, examining, and understanding the threats facing the
organization.
(A) True (B)
False
Answer : (B)
5. In addition to their other responsibilities, the three communities of interest are responsible for
determining which control options are cost effective for the organization.
False
Answer : (A)
6. Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities
have been completely resolved.
False
Answer : (B)
False
Answer : (B)
8. You should adopt naming standards that do not convey information to potential system attackers.
(A) True
(B) False
Answer : (A)
9. Within a data classification scheme, "comprehensive" means that an information asset should fit
in only one category.
False
Answer : (B)
10. A data classification scheme is a formal access control methodology used to assign a level of
availability to an information asset and thus restrict the number of people who can access it.
False
Answer : (B)
11. A security clearance is a component of a data classification scheme that assigns a status level
to systems to designate the maximum level of classified data that may be stored on them.
(A) True
(B) False
Answer : (B)
12. When determining the relative importance of each asset, refer to the organization's mission
statement or statement of objectives to determine which elements are essential, which are
supportive, and which are merely adjuncts.
False
Answer : (A)
13. When it is necessary to calculate, estimate, or derive values for information assets, you might
give consideration to the value incurred from the cost of protecting the information.
False
Answer : (A)
14. The value of information to the organization's competition should influence the asset's valuation.
(A) True
(B) False
Answer : (A)
15. You cannot use qualitative measures to rank information asset values.
(A) True
(B) False
Answer : (B)
False
Answer : (A)
17. The defense control strategy is the risk control strategy that attempts to eliminate or reduce
any remaining uncontrolled risk through the application of additional controls and safeguards, but it
is not the preferred approach to controlling risk.
False
Answer : (B)
18. If the acceptance strategy is used to handle every vulnerability in the organization, its
managers may be unable to conduct proactive security activities and may portray an
apathetic approach to security in general.
False
Answer : (A)
19. To determine if the risk to an information asset is acceptable or not, you estimate the expected
loss the organization will incur if the risk is exploited.
False
Answer : (A)
20. In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with
the most likely loss from an attack; the SLE is the product of the asset's value and the annualized
loss expectancy.
False
Answer : (B)
21. Some information security experts argue that it is virtually impossible to determine the true
value of information and information-bearing assets.
False
Answer : (A)
22. Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a
time, as observation over time prevents precision in evaluating the benefits of the safeguard and
determining whether it is functioning as intended.
False
Answer : (B)
23. Process-based measures are performance measures that are focused on numbers and are less
strategic than metric-based measures.
False
Answer : (B)
(A) True
(B) False
Answer : (A)
25. A best practice proposed for a small to medium-sized business will be similar to one used to help
design control strategies for a large multinational company.
False
Answer : (B)
26. One advantage to benchmarking is that best practices change very little over time.
(A) True
(B) False
Answer : (B)
27. Baselining is the comparison of past security activities and events against the
organization's current performance.
(A) True
(B) False
Answer : (B)
28. Operational feasibility is an assessment of whether the organization can acquire the technology
necessary to implement and support the proposed control.
False
Answer : (B)
29. Organizations should communicate with system users throughout the development of the
security program, letting them know that changes are coming, and reduce resistance to these
expected changes through communication, education, and involvement.
False
Answer : (A)
30. The results from risk assessment activities can be delivered in a number of ways: a report on a
systematic approach to risk control, a project-based risk assessment, or a topic-specific risk
assessment.
False
Answer : (A)
False
Answer : (A)
32. Risk control is the enumeration and documentation of risks to an organization's information
assets.
False
Answer : (B)
33. Risk acceptance defines the quantity and nature of risk that organizations are willing to accept
as they evaluate the trade-offs between perfect security and unlimited accessibility.
False
Answer : (B)
34. Pervasive risk is the amount of risk that remains to an information asset even after
the organization has applied its desired level of controls.
False
Answer : (B)
35. TVA safeguard risk is a combined function of (1) a threat less the effect of threat-reducing
safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset
less the effect of asset value-reducing safeguards.
False
Answer : (B)
36. Within data classification schemes, it is important that all categories used be classified and
mutually exclusive.
False
Answer : (B)
37. One way to determine which information assets are valuable is by evaluating which information
asset(s) would expose the company to liability or embarrassment if revealed.
False
Answer : (A)
38. Each of the threats faced by an organization must be evaluated, including determining the
threat's potential to endanger the organization, which is known as a threat prioritization.
False
Answer : (B)
39. Risk mitigation is the process of assigning a risk rating or score to each information asset.
False
Answer : (B)
40. Likelihood is the probability that a specific vulnerability within an organization will be the
target of an attack.
False
Answer : (A)
41. Loss event frequency is the combination of an asset's value and the percentage of it that might
be lost in an attack.
False
Answer : (B)
42. The mitigation control strategy attempts to reduce the impact of a successful attack through
planning and preparation.
False
Answer : (A)
(A) True
(B) False
Answer : (A)
44. A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the
organization when a disaster's scope or scale exceeds the ability of the organization to restore
operations, usually through relocation of critical business functions to an alternate location.
False
Answer : (B)
45. Cost mitigation is the process of preventing the financial impact of an incident by implementing
a control.
False
Answer : (B)
46. Exposure factor is the expected percentage of loss that would occur from a particular attack.
False
Answer : (A)
47. The computed value of the ALE compares the costs and benefits of a particular control
alternative to determine whether the control is worth its cost.
False
Answer : (B)
48. A(n) qualitative assessment is based on characteristics that do not use numerical measures.
(A) True
(B) False
Answer : (A)
49. Process-based measures are comparisons based on observed numerical data, such as numbers of
successful attacks.
False
Answer : (B)
50. Benchmarking is the process of comparing other organizations' activities against the
practices used in one's own organization to produce results it would like to duplicate.
False
Answer : (A)
51. Security efforts that seek to provide a superior level of performance in the protection of
information are referred to as best business practices.
False
Answer : (A)
52. In information security, benchmarking is the comparison of past security activities and events
against the organization's current performance.
False
Answer : (B)
53. Within organizations, the most important feasibility is technical feasibility, which defines what
can and cannot occur based on the consensus and relationships between the communities of
interest.
False
Answer : (B)
54. Operational feasibility is also known as behavioral feasibility.
False
Answer : (A)
55. Sometimes a risk assessment report is prepared for a specific IT project at the request of the
project manager, either because it is required by organizational policy or because it is good project
management practice.
False
Answer : (A)
MULTICHOICE
(A) disadvantage
(B) drawback
(C) failure
(D) shortcoming
Answer : (A)
57. Risk is the application of security mechanisms to reduce the risks to an organization's
data and information systems.
(A) management
(B) control
(C) identification
(D) security
Answer : (B)
Answer : (A)
59. Risk defines the quantity and nature of risk that organizations are willing to accept as
they evaluate the trade-offs between perfect security and unlimited accessibility.
(A) benefit
(B) appetite
(C) acceptance
(D) avoidance
Answer : (B)
60. addresses are sometimes called electronic serial numbers or hardware addresses.
(A) HTTP
(B) IP
MAC Answer
: (D)
(A) IP (B)
FCO (C)
CTO (D)
HTTP
Answer : (B)
62. A(n) is a formal access control methodology used to assign a level ofconfidentiality to
an information asset and thus restrict the number of people who can access it.
Answer : (D)
63. Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For
materials that are not considered "National Security Information," data is the lowest-level
classification.
(A) sensitive
(B) confidential
(C) unclassified
(D) public
Answer : (C)
64. A assigns a status level to employees to designate the maximum level of classified data
Answer : (A)
(A) distribution
(B) portability
(C) destruction
Answer : (D)
66. Some people search trash and recycling bins-a practice known as -to retrieve
information that could embarrass a company or compromise information security.
(A) shoulder surfing
(C) pretexting
Answer : (B)
67. In a(n) , assets or threats can be prioritized by identifying criteria with differing levels
of importance, assigning a score for each of the criteria, and then summing and ranking those
scores.
Answer : (C)
68. The calculation of the likelihood of an attack coupled with the attack frequency to determine the
expected number of losses within a specified time range is called the .
(C) likelihood
Answer : (A)
69. equals the probability of a successful attack multiplied by the expected loss from a
successful attack plus an element of uncertainty.
(B) Risk
(D) Loss
Answer : (B)
Another random document with
no related content on Scribd:
1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.
1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must, at
no additional cost, fee or expense to the user, provide a copy, a
means of exporting a copy, or a means of obtaining a copy upon
request, of the work in its original “Plain Vanilla ASCII” or other
form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.
• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”
• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.
1.F.
Most people start at our website which has the main PG search
facility: www.gutenberg.org.