Test 2 Chapters 3 - 4

True/False
Indicate whether the statement is true or false.
 

1. The Computer Security Act of 1987 is the cornerstone of many computer-related federal laws and enforcement efforts; it was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984.

2. Cultural differences can make it difficult to determine what is ethical and what is not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal.

3. The Council of Europe Convention on Cyber-Crime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement, but has been well received by supporters of individual rights in the U.S.

4. The Department of Homeland Security (DHS) works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity and academic research.

5. Laws, policies and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught.

6. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.

7. Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective.

8. Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms.

9. The United States has implemented a version of the DMCA law called the Database Right, in order to comply with Directive 95/46/EC.

10. The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not.

11. The NSA is responsible for signal intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the US and its allies under all circumstances.

12. For policy to become enforceable it only needs to be distributed, read, understood, and agreed to.

13. Key studies reveal that legal penalties are the overriding factor in leveling ethical perceptions within a small population.

14. Since it was established in January 2001, every FBI field office has established an InfraGard program to collaborate with public and private organizations and the academic community.

15. The difference between a policy and a law is that ignorance of a law is an acceptable defense.

16. Criminal law addresses activities and conduct harmful to society and is categorized as private or public.

17. The Secret Service is charged with safeguarding the nation’s financial infrastructure and payments systems to preserve the integrity of the economy.

18. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of another national group.

19. In the context of information security, confidentiality is the right of the individual or group to protect themselves and their information from unauthorized access.

20. Employees are not deterred by the potential loss of certification or professional accreditation resulting from a breach of a code of conduct, as this loss has no effect on employees' marketability and earning power.

21. The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, the resources.

22. Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site.

23. A disaster recovery plan is a plan that shows the organization’s intended efforts to restore operations at the original site in the aftermath of a disaster.

24. An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement.

25. A standard is a plan or course of action that conveys instructions from an organization’s senior management to those who make decisions, take actions, and perform other duties.

26. Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program.

27. The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.

28. ISO/IEC 17799 is widely considered more useful than any other information security management approach.

29. Good security programs begin and end with policy.

30. You can create a single comprehensive ISSP document covering all information security issues.

31. To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date.

32. Administrative controls guide the development of education, training, and awareness programs for users, administrators, and management.

33. NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.

34. To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards.

35. The global information security community has universally agreed with the justification for the code of practices as identified in ISO/IEC 17799.

36. The security framework is a more detailed version of the security blueprint.

37. Management controls address the design and implementation of the security planning process and security program management.

38. A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.

39. The ISSP sets out the requirements that must be met by the information security blueprint or framework.

40. A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee’s actions.

41. In 2014, NIST published a new Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services, based on vendor-specific technologies.

42. Information security safeguards provide two levels of control: preventative and remedial.

43. Every member of the organization's InfoSec department must have a formal degree or certification in information security.

44. A cold site provides many of the same services and options of a hot site, but at a lower cost.

45. Each policy should contain procedures and a timetable for periodic review.

46. ACLs are more specific to the operation of a system than rule-based policies, and they may or may not deal with users directly.

47. Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training and rehearsal.

48. Hot swapping is a RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails.

49. Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.

50. NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture.

51. Many industry observers claim that ISO/IEC 17799, the precursor to ISO/IEC 27001, is not as complete as other frameworks.

Multiple Choice
Identify the choice that best completes the statement or answers the question.
 

52. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
a. Financial Services Modernization Act
b. Communications Act
c. Computer Security Act
d. Health Insurance Portability and Accountability Act

53. The Council of Europe adopted the Convention on Cybercrime in 2001 to oversee a range of security functions associated with __________ activities.
a. online terrorist
b. electronic commerce
c. cyberactivist
d. Internet

54. What is the subject of the Computer Security Act?
a. Federal Agency Information Security
b. Telecommunications Common Carriers
c. Cryptography Software Vendors
d. Banking Industry

55. What is the subject of the Sarbanes-Oxley Act?
a. Banking
b. Financial Reporting
c. Privacy
d. Trade secrets

56. According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except __________.
a. for purposes of commercial advantage
b. for private financial gain
c. to harass
d. in furtherance of a criminal act

57. __________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
a. Public
b. Private
c. Civil
d. Criminal

58. Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?
a. Electronic Communications Privacy Act
b. Financial Services Modernization Act
c. Sarbanes-Oxley Act
d. Economic Espionage Act

59. Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses?
a. Electronic Communications Privacy Act of 1986
b. Freedom of Information Act (FOIA) of 1966
c. Computer Fraud and Abuse Act of 1986
d. Federal Privacy Act of 1974

60. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________.
a. with intent
b. by accident
c. with malice
d. with negligence

61. Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources?
a. Australia
b. United States
c. Singapore
d. Sweden

62. Laws and policies and their associated penalties only deter if which of the following conditions is present?
a. Fear of penalty
b. Probability of being caught
c. Probability of penalty being administered
d. All of the above

63. The __________ attempts to prevent trade secrets from being illegally shared.
a. Electronic Communications Privacy Act
b. Sarbanes-Oxley Act
c. Financial Services Modernization Act
d. Economic Espionage Act

64. The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any __________ purposes.
a. troubleshooting
b. billing
c. customer service
d. marketing

65. The __________ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
a. Prepper Act
b. Economic Espionage Act
c. USA PATRIOT Act
d. Security and Freedom through Encryption Act

66. The Health Insurance Portability and Accountability Act of 1996, also known as the __________ Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
a. Gramm-Leach-Bliley
b. Kennedy-Kassebaum
c. Privacy
d. HITECH

67. Criminal or unethical __________ goes to the state of mind of the individual performing the act.
a. attitude
b. intent
c. accident
d. ignorance

68. The National Information Infrastructure Protection Act of 1996 modified which Act?
a. USA PATRIOT Act
b. USA PATRIOT Improvement and Reauthorization Act
c. Computer Security Act
d. Computer Fraud and Abuse Act

69. The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
a. Violence
b. Fraud
c. Theft
d. Usage

70. __________ law comprises a wide variety of laws that govern a nation or state.
a. Criminal
b. Civil
c. Public
d. Private

71. The __________ defines stiffer penalties for prosecution of terrorist crimes.
a. USA PATRIOT Act
b. Sarbanes-Oxley Act
c. Gramm-Leach-Bliley Act
d. Economic Espionage Act

72. According to NIST SP 800-14's security principles, security should __________.
a. support the mission of the organization
b. require a comprehensive and integrated approach
c. be cost-effective
d. All of the above

73. __________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
a. Networking
b. Proxy
c. Defense in depth
d. Best-effort

74. __________ controls address personnel security, physical security, and the protection of production inputs and outputs.
a. Informational
b. Technical
c. Operational
d. Managerial

75. RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.
a. replicated
b. resistant
c. random
d. redundant

76. The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?
a. Determine mission/business processes and recovery criticality
b. Identify recovery priorities for system resources
c. Identify resource requirements
d. All of these are BIA stages

77. Standards may be published, scrutinized, and ratified by a group, as in formal or __________ standards.
a. de formale
b. de public
c. de jure
d. de facto

78. The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.
a. technology
b. Internet
c. people
d. operational

79. The stated purpose of ISO/IEC 27002 is to “offer guidelines and voluntary directions for information security __________.”
a. implementation
b. certification
c. management
d. accreditation

80. A(n) __________ is a document containing contact information for the people to be notified in the event of an incident.
a. emergency notification system
b. alert roster
c. phone list
d. call register

81. The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called __________.
a. off-site storage
b. remote journaling
c. electronic vaulting
d. database shadowing

82. Security __________ are the areas of trust within which users can freely communicate.
a. perimeters
b. domains
c. rectangles
d. layers

83. When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
a. The standard lacked the measurement precision associated with a technical standard.
b. It was not as complete as other frameworks.
c. The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls.
d. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

84. The goals of information security governance include all but which of the following?
a. Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
b. Strategic alignment of information security with business strategy to support organizational objectives
c. Risk management by executing appropriate measures to manage and mitigate threats to information resources
d. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved

85. __________ often function as standards or procedures to be used when configuring or maintaining systems.
a. ESSPs
b. EISPs
c. ISSPs
d. SysSPs

86. __________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
a. Managerial
b. Technical
c. Operational
d. Informational

87. A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes __________.
a. controls have been bypassed
b. controls have proven ineffective
c. controls have failed
d. All of the above

88. A security __________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
a. plan
b. framework
c. model
d. policy

89. Redundancy can be implemented at a number of points throughout the security architecture, such as in __________.
a. firewalls
b. proxy servers
c. access controls
d. All of the above

90. SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security __________.
a. plan
b. standard
c. policy
d. blueprint

91. The __________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
a. SysSP
b. EISP
c. GSP
d. ISSP

92. The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.
a. intentional
b. external
c. accidental
d. physical

93. Incident __________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.
a. damage assessment
b. containment strategy
c. incident response
d. disaster assessment

94. A __________ site provides only rudimentary services and facilities.
a. commercial
b. warm
c. hot
d. cold

95. A(n) __________ plan is a plan for the organization’s intended strategic efforts over the next several years.
a. standard
b. operational
c. tactical
d. strategic

96. __________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.
a. Firewalling
b. Hosting
c. Redundancy
d. Domaining

97. In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework that intends to allow organizations to __________.
a. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
b. assess progress toward a recommended target state
c. communicate among local, state and national agencies about cybersecurity risk
d. None of these



 