
QUESTION 1 Janet is identifying the set of privileges that should be assigned to


Question

QUESTION 1

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Identification

Authentication

Accountability

Authorization

0.5 points   

QUESTION 2

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws

Company policy

Internal audit

Corporate culture

0.5 points   

QUESTION 3

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Reduced operating costs

Access to a high level of expertise

Developing in-house talent

Building internal knowledge

0.5 points   

QUESTION 4

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

Service level agreement (SLA)

Blanket purchase agreement (BPA)

Memorandum of understanding (MOU)

Interconnection security agreement (ISA)

0.5 points   

QUESTION 5

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Service level agreement (SLA)

Blanket purchase agreement (BPA)

Memorandum of understanding (MOU)

Interconnection security agreement (ISA)

0.5 points   

QUESTION 6

What is NOT a good practice for developing strong professional ethics?

Set the example by demonstrating ethics in daily activities

Encourage adopting ethical guidelines and standards

Assume that information should be free

Inform users through security awareness training

0.5 points   

QUESTION 7

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?

Seeking to gain unauthorized access to resources

Disrupting intended use of the Internet

Enforcing the integrity of computer-based information

Compromising the privacy of users

0.5 points   

QUESTION 8

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?

An organization should collect only what it needs.

An organization should share its information.

An organization should keep its information up to date.

An organization should properly destroy its information when it is no longer needed.

0.5 points   

QUESTION 9

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Job rotation

Least privilege

Need-to-know

Separation of duties

0.5 points   

QUESTION 10

What is NOT a goal of information security awareness programs?

Teach users about security objectives

Inform users about trends and threats in security

Motivate users to comply with security policy

Punish users who violate policy

0.5 points   

QUESTION 11

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?

Baseline

Policy

Guideline

Procedure

0.5 points   

QUESTION 12

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Intimidation

Name dropping

Appeal for help

Phishing

0.5 points   

QUESTION 13

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?

Value

Sensitivity

Criticality

Threat

0.5 points   

QUESTION 14

Which activity manages the baseline settings for a system or device?

Configuration control

Reactive change management

Proactive change management

Change control

0.5 points   

QUESTION 15

What is the correct order of steps in the change control process?

Request, approval, impact assessment, build/test, monitor, implement

Request, impact assessment, approval, build/test, implement, monitor

Request, approval, impact assessment, build/test, implement, monitor

Request, impact assessment, approval, build/test, monitor, implement

0.5 points   

QUESTION 16

Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?

Project initiation and planning

Functional requirements and definition

System design specification

Operations and maintenance

0.5 points   

QUESTION 17

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?

Formatting

Degaussing

Physical destruction

Overwriting

0.5 points   

QUESTION 18

In an accreditation process, who has the authority to approve a system for implementation?

Certifier

Authorizing official (AO)

System owner

System administrator

0.5 points   

QUESTION 19

In what type of attack does the attacker send unauthorized commands directly to a database?

Cross-site scripting

SQL injection

Cross-site request forgery

Database dumping

0.5 points   

QUESTION 20

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

Spiral

Agile

Lean

Waterfall

Explanation / Answer

Question 1:

The process of providing access privileges to each employee of an organization is called authorization. An employee who has these privileges will authenticate himself or herself, and after that he/she can use these privileges.

Hence, the correct choice is authorization.

Question 2:

The laws are not governed by the organizational compliance programme. The compliance programme may require legal actions to identify the risks and frauds. The laws are not in the scope of this programme.

Hence, the correct choice is laws.

Question 3:

The third-party service provider can handle security functions more effectively, and the cost of operating these functions will be borne by the third-party service provider. The service providers have expertise in their work.

Hence, the correct choice is access to a high level of expertise.

Question 4:

There should be an interconnection between the network and the telecom service providers for the purpose of the requirement given in the problem. A requirement for this type of interconnection can be documented in the interconnection security agreement (ISA).

Hence, the correct choice is Interconnection security agreement (ISA).

Question 5:

The areas of common interest are expressed in the memorandum of understanding (MOU), in which the common interests of the two parties are discussed in the agreement. This type of agreement is similar to the service level agreement (SLA), but it is less formal than an SLA.

Hence, the correct choice is Memorandum of understanding (MOU).

Question 6:

The practices of good professional ethics are as follows:

The users should not assume anything themselves. It could lead to unethical behavior. The third point is an assumption which leads the users to unethical behavior.

Hence, the correct choice is assume that information should be free.

Question 7:

The Internet Architecture Board (IAB) declares some practices unethical, which are as follows:

Hence, the correct choice is enforcing the integrity of computer-based information.

Question 8:

The information of a company should be highly confidential and should be kept private within the company. The sharing of any information related to the organization will breach the privacy principles defined by the OECD.

Hence, the correct choice is an organization should share its information.

Question 9:

This type of control is used to prevent fraud. If a main activity is performed by all the users, then there will be a great chance of leaking some confidential information, which could lead to a loss for the organization.

If an activity is separated into multiple tasks which are performed by different groups of users, then the work will be performed more efficiently. This process is called separation of duties.

Hence, the correct choice is separation of duties.

Question 10:

The security awareness programs can provide information about the importance of the security standards and the breach of these security standards.

The punishment of users who violate the security policies is not included in the security awareness programs. It is the step after the violation of the policy.

Hence, the correct choice is punish users who violate policy.

Question 11:

A template containing the information about configuration will be created using a baseline model, in which the starting information will be provided.

Hence, the correct choice is baseline.

Question 12:

This type of cyber attack is called phishing. The process of sending emails to an individual, pretending that the emails are from a reputable organization, to trick the users into giving their personal information is called phishing.

Hence, the correct choice is phishing.

Question 13:

The threat is not the ethical way of doing things in an organization. The classification of information can be based on the value, sensitivity, and criticality of the information, but not on the threat to anyone.

Hence, the correct choice is threat.

Question 14:

The baseline settings for a system or device can be managed by a process called configuration control. Configuration control is used to make a system in which any changes to the system are performed with the knowledge of the management of the organization.

Hence, the correct choice is configuration control.

Question 15:

The correct order of the change control process is given as follows:

Hence, the correct choice is request, impact assessment, approval, build/test, implement, and monitor.

Question 16:

The budget analysis of a project is a part of the planning phase. The project will not be successful without analyzing the budget requirement of the project accurately. The budget analysis, objectives, etc. of a project need to be done in the project initiation and planning phase.

Hence, the correct choice is project initiation and planning.

Question 17:

If anyone wants to destroy the data stored on magnetic media, then the data should be destroyed in a way such that it cannot be accessed again. Formatted data can be restored from hard disks, etc.

Hence, the correct choice is formatting.

Question 18:

The authorizing officials have the right to approve the system for implementation, because it is important to obtain approval before implementing a system.

Hence, the correct choice is authorizing official (AO).

Question 19:

The process of sending unauthorized commands directly to the database is called SQL injection.

Hence, the correct choice is SQL injection.

Question 20:

The waterfall model is based on the linear sequential life cycle. The processes inside the waterfall model are executed in a sequential manner. A process cannot be executed before the preceding process in the sequence is complete.

Hence, the correct choice is waterfall.
