Chapter 14 Study Guide

____ 1. Audits serve to verify that the security protections enacted by an organization are being followed and that corrective actions can be swiftly implemented before an attacker exploits a vulnerability.

____ 2. The objective of incident response is to restore normal operations as quickly as possible with the least possible impact on either the business or the users.

____ 3. Most organizations follow a three-phase cycle in the development and maintenance of a security policy.

____ 4. A due process policy is a policy that defines the actions users may perform while accessing systems and networking equipment.

____ 5. Education in an enterprise is limited to the average employee.

____ 6. At the heart of information security is the concept of ____.
    a. threat
    b. mitigation
    c. risk
    d. management

____ 7. Because the impact of changes can potentially affect all users, and uncoordinated changes can result in security vulnerabilities, many organizations create a(n) ____ to oversee the changes.
    a. change management team
    b. incident response team
    c. security control team
    d. compliance team

____ 8. ____ may be defined as the components required to identify, analyze, and contain that incident.
    a. Vulnerability response
    b. Incident response
    c. Risk response
    d. Threat response

____ 9. ____ is the planning, coordination, communications, and planning functions that are needed in order to resolve an incident in an efficient manner.
    a. Incident reporting
    b. Incident management
    c. Incident planning
    d. Incident handling

____ 10. ____ can be defined as the “framework” and functions required to enable incident response and incident handling within an organization.
    a. Incident reporting
    b. Incident management
    c. Incident handling
    d. Incident planning

____ 11. A ____ is a written document that states how an organization plans to protect the company’s information technology assets.
    a. security policy
    b. guideline
    c. security procedure
    d. standard

____ 12. A ____ is a collection of suggestions that should be implemented.
    a. security policy
    b. baseline
    c. guideline
    d. security procedure

____ 13. A ____ is a document that outlines specific requirements or rules that must be met.
    a. procedure
    b. standard
    c. guideline
    d. policy

____ 14. ____ are generally considered to be the most important information security policies.
    a. Acceptable use policies
    b. Encryption policies
    c. Data loss policies
    d. VPN policies

____ 15. A(n) ____ policy outlines how the organization uses personal information it collects.
    a. VPN
    b. network
    c. encryption
    d. privacy

____ 16. A policy that addresses security as it relates to human resources is known as a(n) ____ policy.
    a. VPN
    b. acceptable use
    c. security-related human resource
    d. technical

____ 17. ____ are a person’s fundamental beliefs and principles used to define what is good, right, and just.
    a. Morals
    b. Values
    c. Ethics
    d. Standards

____ 18. ____ are values that are attributed to a system of beliefs that help the individual distinguish right from wrong.
    a. Morals
    b. Ethics
    c. Standards
    d. Morays

____ 19. ____ can be defined as the study of what a group of people understand to be good and right behavior and how people make those judgments.
    a. Values
    b. Morals
    c. Ethics
    d. Standards

____ 20. A(n) ____ policy is designed to produce a standardized framework for classifying information assets.
    a. VPN
    b. acceptable use
    c. privacy
    d. classification of information

____ 21. ____ networks are typically used for connecting devices on an ad hoc basis for file sharing of audio, video, and data, or real-time data transmission such as telephony traffic.
    a. Peer
    b. Client-server
    c. P2P
    d. Share

____ 22. The Web sites that facilitate linking individuals with common interests like hobbies, religion, politics, or school contacts are called ____ sites.
    a. social networking
    b. social engineering
    c. social management
    d. social control

____ 23. A(n) ____ approach is the art of helping an adult learn.
    a. andragogical
    b. pedagogical
    c. deontological
    d. metagogical

____ 24. ____ learners learn through taking notes, being at the front of the class, and watching presentations.
    a. Kinesthetic
    b. Auditory
    c. Spatial
    d. Visual

____ 25. ____ learners tend to sit in the middle of the class and learn best through lectures and discussions.
    a. Visual
    b. Auditory
    c. Kinesthetic
    d. Spatial

____ 26. ____ learners learn through a lab environment or other hands-on approaches.
    a. Visual
    b. Auditory
    c. Kinesthetic
    d. Spatial

27. A(n) ____________________ is a methodical examination and review that produces a detailed report of its findings.

28. ____________________ seeks to approach changes systematically and provide the necessary documentation of the changes.

29. A(n) ____________________ is a collection of requirements specific to the system or procedure that must be met by everyone.

30. When designing a security policy, many organizations follow a standard set of ____________________.

31. Most people are taught using a(n) ____________________ approach.

Match each term with the correct statement below.
    a. Privilege
    b. Threat agent
    c. Change management
    d. Privilege management
    e. Vulnerability
    f. Privilege auditing
    g. Threat
    h. Social networking
    i. Risk

____ 32. A type of action that has the potential to cause harm

____ 33. A person or element that has the power to carry out a threat

____ 34. A flaw or weakness that allows a threat agent to bypass security

____ 35. The likelihood that the threat agent will exploit the vulnerability

____ 36. A subject’s access level over an object, such as a user’s ability to open a payroll file

____ 37. The process of assigning and revoking privileges to objects; that is, it covers the procedures of managing object authorizations

____ 38. Periodic reviewing of a subject’s privileges over an object

____ 39. Refers to a methodology for making modifications and keeping track of those changes

____ 40. Grouping individuals and organizations into clusters or groups based on some sort of affiliation

41. List and describe two risk categories.

42. List four attributes that should be compiled for new equipment in the change management documentation.

43. What are the typical classification designations of government documents?

44. What are the duties of the CMT?

45. List two characteristics of a policy.

46. Which roles should be represented on the security policy development team?

47. List one reason why social networking sites are popular with attackers.

48. What is a general security tip for using a social networking site?

49. Identify two opportunities for security education and training.

50. Contrast the difference between a pedagogical approach versus an andragogical approach to subject matter.

Chapter 14 Study Guide Answer Section

1. ANS: T    PTS: 1    REF: 536
2. ANS: T    PTS: 1    REF: 538-539
3. ANS: T    PTS: 1    REF: 541
4. ANS: F    PTS: 1    REF: 544
5. ANS: F    PTS: 1    REF: 555
6. ANS: C    PTS: 1    REF: 535
7. ANS: A    PTS: 1    REF: 538
8. ANS: B    PTS: 1    REF: 538
9. ANS: D    PTS: 1    REF: 538
10. ANS: B    PTS: 1    REF: 538
11. ANS: A    PTS: 1    REF: 539
12. ANS: C    PTS: 1    REF: 540
13. ANS: D    PTS: 1    REF: 540
14. ANS: A    PTS: 1    REF: 546
15. ANS: D    PTS: 1    REF: 546
16. ANS: C    PTS: 1    REF: 547
17. ANS: B    PTS: 1    REF: 549
18. ANS: A    PTS: 1    REF: 549
19. ANS: C    PTS: 1    REF: 549
20. ANS: D    PTS: 1    REF: 549
21. ANS: C    PTS: 1    REF: 552
22. ANS: A    PTS: 1    REF: 552
23. ANS: A    PTS: 1    REF: 555
24. ANS: D    PTS: 1    REF: 556
25. ANS: B    PTS: 1    REF: 556
26. ANS: C    PTS: 1    REF: 556
27. ANS: audit    PTS: 1    REF: 536
28. ANS: Change management    PTS: 1    REF: 537
29. ANS: standard    PTS: 1    REF: 540
30. ANS: principles    PTS: 1
31. ANS: pedagogical    PTS: 1    REF: 555
32. ANS: G    PTS: 1    REF: 535
33. ANS: B    PTS: 1    REF: 535
34. ANS: E    PTS: 1    REF: 535
35. ANS: I    PTS: 1    REF: 535
36. ANS: A    PTS: 1    REF: 536
37. ANS: D    PTS: 1    REF: 536
38. ANS: F    PTS: 1    REF: 536
39. ANS: C    PTS: 1    REF: 537
40. ANS: H    PTS: 1    REF: 552

41. ANS:
    Strategic - Action that affects the long-term goals of the organization
    Compliance - Following a regulation or standard
    Financial - Impact of financial decisions or market factors
    Operational - Events that impact the daily business of the organization
    Environmental - Actions related to the surroundings
    Technical - Events that affect information technology systems
    Managerial - Actions that are related to the management of the organization
    PTS: 1    REF: 536

42. ANS:
    IP and MAC addresses
    Equipment name
    Equipment type
    Function
    Inventory tag number
    Location
    Manufacturer
    Manufacturer serial number
    Model and part number
    Software or firmware version
    PTS: 1    REF: 538

43. ANS: The classification designations of government documents are typically Top Secret, Secret, Confidential, and Unclassified.
    PTS: 1    REF: 538

44. ANS:
    Review proposed changes.
    Ensure that the risk and impact of the planned change are clearly understood.
    Recommend approval, disapproval, deferral, or withdrawal of a requested change.
    Communicate proposed and approved changes to coworkers.
    PTS: 1    REF: 538

45. ANS:
    Policies communicate a consensus of judgment.
    Policies define appropriate behavior for users.
    Policies identify what tools and procedures are needed.
    Policies provide directives for Human Resource action in response to inappropriate behavior.
    Policies may be helpful in the event that it is necessary to prosecute violators.
    PTS: 1    REF: 541

46. ANS:
    Senior level administrator
    Member of management who can enforce the policy
    Member of the legal staff
    Representative from the user community
    PTS: 1    REF: 543

47. ANS:
    They provide a treasure trove of personal data. Users often include personal information in their profiles for others to read, such as birthdays, where they live, and their employment history. Attackers may steal this data and use it for malicious purposes.
    Users are generally trusting. Attackers often join a social networking site and pretend to be part of the network of users. After several days or weeks, users begin to feel they know the attackers and may start to provide personal information or click embedded links provided by the attacker that load malware onto the user’s computer.
    Social networking Web sites are vulnerable. Because social networking sites have only recently become the target of attackers, many of these sites have lax security measures and it is easy for attackers to break into the sites to steal user information.
    PTS: 1    REF: 553

48. ANS:
    Consider carefully who is accepted as a friend. Once a person has been accepted as a friend, that person will be able to access any personal information or photographs.
    Show “limited friends” a reduced version of your profile. Individuals can be designated “limited friends” who only have access to a smaller version of the user’s profile. This can be useful for casual acquaintances or business associates.
    Disable options and then reopen them only as necessary. Users should disable options until it becomes apparent that option is needed, instead of making everything accessible and restricting access after it is too late.
    PTS: 1    REF: 553

49. ANS:
    When a new employee is hired
    After a computer attack has occurred
    When an employee is promoted or given new responsibilities
    During an annual departmental retreat
    When new user software is installed
    When user hardware is upgraded
    PTS: 1    REF: 554-555

50. ANS: In a pedagogical approach, the subject matter is defined by what the teacher wants to give. In an andragogical approach, learning is organized around situations in life or at work.
    PTS: 1    REF: 555