Q:
Which CobiT domain has the most control objectives?
A) Planning & Organization
B) Acquisition & Implementation
C) Delivery & Support
D) Monitoring
Q:
In COSO, a company's overall control culture is called its ________.
A) control culture
B) tone at the top
C) control environment
D) security culture
Q:
CobiT focuses on ________.
A) corporate governance
B) controlling entire IT function
C) IT security governance
D) All of the above about equally
Q:
COSO focuses on ________.
A) corporate internal and financial controls
B) IT governance
C) IT security governance
D) All of the above
Q:
A governance framework specifies how to do ________.
A) planning
B) implementation
C) oversight
D) All of the above.
Q:
An example of "pressure" from the fraud triangle would include paying back embezzled money.
Q:
Which of the following are examples of opportunity?
A) Weak security controls
B) Insufficient oversight from management
C) An unlocked safe
D) All of the above
Q:
Before doing a vulnerability test, a security employee must ensure that ________.
A) doing a vulnerability test is in his or her job description
B) no damage will be done
C) he or she has a specific contract to do a specific test
D) the test is a surprise to everyone, including the tester's superior, who may be engaged in illicit activities
Q:
Employees usually must rationalize bad behavior.
Q:
Which of the following is not one of the three elements in the fraud and abuse triangle?
A) Opportunity
B) Resistance
C) Rationalization
D) Pressure
Q:
Internal corporate attackers often have a history of overt unacceptable behavior.
Q:
Hotlines for reporting improper behavior are required by law to be non-anonymous.
Q:
________ audits are done by an organization on itself.
A) Internal
B) External
C) Both A and B
D) Neither A nor B
Q:
Audits place special attention on ________.
A) compliance avoidance
B) noncompliance
C) memo log files
D) absences from duty
Q:
The purpose(s) of auditing is(are) to ________.
A) develop opinions on the health of controls
B) find punishable instances of noncompliance
C) Both A and B
D) Neither A nor B
Q:
Security metrics allow a company to know if it is improving in its implementation of policies.
Q:
Informing employees that monitoring will be done is a bad idea.
Q:
Electronic employee monitoring is rare.
Q:
Conducting stings on employees ________.
A) raises awareness
B) raises resentment
C) Both A and B
D) Neither A nor B
Q:
Policies drive ________.
A) implementation
B) oversight
C) Both A and B
D) Neither A nor B
Q:
Which of the following is a good rule for handling exceptions?
A) Only some people should be allowed to request exceptions.
B) The requestor and approver should be different people.
C) The exception should be documented.
D) All of the above.
Q:
Exceptions in policies and procedures should be forbidden.
Q:
It is acceptable for an employee to reveal ________.
A) confidential information
B) private information
C) trade secrets
D) None of the above
Q:
________ are payments made by a supplier to a corporate buyer when a purchase is made.
A) Bribes
B) Kickbacks
C) Both A and B
D) Neither A nor B
Q:
________ are monetary gifts to induce an employee to favor a supplier or other party.
A) Bribes
B) Kickbacks
C) Both A and B
D) Neither A nor B
Q:
Which of the following is an example of a conflict of interest?
A) Preferential dealings with relatives
B) Investing in competitors
C) Competing with the company while still employed by the company
D) All of the above
Q:
Senior officers often have an additional code of ethics.
Q:
In a firm, codes of ethics apply to ________.
A) part-time employees
B) senior managers
C) Both A and B
D) Neither A nor B
Q:
Companies create codes of ethics in order to make ethical decision making more predictable.
Q:
Different honest people can make different ethical decisions in a given situation.
Q:
The owner can delegate ________ to the trustee.
A) the work of implementation of a resource or control
B) accountability for a resource or control
C) Both A and B
D) Neither A nor B
Q:
The party that is ultimately held accountable for a resource or control is ________.
A) the owner
B) the trustee
C) the accredited security officer
D) the certified security officer
Q:
________ are prescriptive statements about what companies should do and are put together by trade associations and government agencies.
A) Best practices
B) Recommended practices
C) Both A and B
D) Neither A nor B
Q:
________ are descriptions of what the best firms in the industry are doing about security.
A) Best practices
B) Recommended practices
C) Both A and B
D) Neither A nor B
Q:
________ are check lists of what should be done in a specific procedure.
A) Baselines
B) Guidelines
C) Standards
D) Procedures
Q:
Mandatory vacations should be enforced ________.
A) to improve employee diligence to threats
B) to reduce the possibility of collusion between employees
C) to be in compliance with state and federal law
D) for ethical purposes
Q:
When someone requests to take an action that is potentially dangerous, what protection should be put into place?
A) Limit the number of people that may request an approval
B) Ensure that the approver is the same as the requestor
C) Both A and B
D) Neither A nor B
Q:
In manual procedures, the segregation of duties ________.
A) reduces risk
B) increases risk by creating blind spots
C) increases risk by reducing accountability
D) can only be done safely through information technology
Q:
The steps required to issue a new employee a password should be specified in a ________.
A) procedure
B) process
C) Both A and B
D) Neither A nor B
Q:
________ specify the low-level detailed actions that must be taken by specific employees.
A) Procedures
B) Processes
C) Both A and B
D) Neither A nor B
Q:
Guidelines are appropriate in simple and highly certain circumstances.
Q:
It is mandatory for decision makers to consider guidelines.
Q:
________ are discretionary.
A) Standards
B) Guidelines
C) Both A and B
D) Neither A nor B
Q:
________ are mandatory.
A) Standards
B) Guidelines
C) Both A and B
D) Neither A nor B
Q:
Policies should be written by ________.
A) IT security
B) corporate teams involving people from multiple departments
C) a senior executive
D) an outside consultant, to maintain independence
Q:
When you wish to create a specific firewall, you should create a security policy for that firewall specifically.
Q:
Policies should specify implementation in detail.
Q:
Policies should specify the details of how protections are to be applied.
Q:
A(n) ________ is a statement of what should be done under specific circumstances.
A) implementation control
B) policy
C) policy guidance document
D) procedure
Q:
Border management ________.
A) is no longer important because there are so many ways to bypass borders
B) is close to a complete solution to access control
C) Both A and B
D) Neither A nor B
Q:
Having realistic goals for reducing vulnerabilities ________.
A) is giving in to the problem
B) helps to focus on the most critical threats
C) is a cost-saving method
D) is risk avoidance
Q:
Security professionals should minimize burdens on functional departments.
Q:
Central security consoles ________.
A) are dangerous
B) allow policies to be applied consistently
C) Both A and B
D) Neither A nor B
Q:
________ is a single countermeasure composed of multiple interdependent components in series that require all components to succeed if the countermeasure is to succeed.
A) Defense in depth
B) Weakest link
C) Both A and B
D) Neither A nor B
Q:
________ requires multiple countermeasures to be defeated for an attack to succeed.
A) Defense in depth
B) Weakest link analysis
C) Both A and B
D) Neither A nor B
Q:
Using both a firewall and host hardening to protect a host is ________.
A) defense in depth
B) risk acceptance
C) an anti-weakest link strategy
D) adding berms
Q:
Companies should replace their legacy security technologies immediately.
Q:
A technical security architecture should be created ________.
A) annually
B) before a firm creates individual countermeasures
C) before a firm creates a specific countermeasure
D) after each major compromise
Q:
A technical security architecture includes ________.
A) all of a firm's countermeasures
B) how countermeasures are organized
C) Both A and B
D) Neither A nor B
Q:
Responding to risk through risk avoidance is likely to be acceptable to other units of the firm.
Q:
________ means responding to risk by not taking a risky action.
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) Risk transference
Q:
________ means responding to risk by taking out insurance.
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) Risk transference
Q:
________ means implementing no countermeasures and absorbing any damages that occur.
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) None of the above
Q:
Which of the following is a way of responding to risk with active countermeasures?
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) All of the above
Q:
The book recommends hard-headed thinking about security ROI analysis.
Q:
The worst problem with classic risk analysis is that ________.
A) protections often protect multiple resources
B) resources often are protected by multiple resources
C) we cannot estimate the annualized rate of occurrence
D) costs and benefits are not the same each year
Q:
Which of the following gives the best estimate of the complete cost of a compromise?
A) ALE
B) ARO
C) TCI
D) Life cycle cost
Q:
When risk analysis deals with costs and benefits that vary by year, the computations should use ________.
A) NPV
B) IRR
C) Either A or B
D) Neither A nor B
Q:
SLE times ARO gives the ________.
A) expected per-event loss
B) expected annual loss
C) expected life cycle loss
D) expected per-event benefit
Q:
In benefits, costs and benefits are expressed on a per-year basis.
Q:
Security tends to impede functionality.
Q:
The goal of IT security is reasonable risk reduction.
Q:
The goal of IT security is risk elimination.
Q:
According to the author, information assurance is a good name for IT security.
Q:
Vulnerability testing typically is not outsourced.
Q:
What security function(s) usually is(are) not outsourced?
A) Planning
B) Intrusion detection
C) Vulnerability testing
D) All of the above
Q:
What security functions typically are outsourced?
A) Policy
B) Vulnerability testing
C) Both A and B
D) Neither A nor B
Q:
What security functions typically are outsourced?
A) Intrusion detection
B) Vulnerability testing
C) Both A and B
D) Neither A nor B
Q:
A benefit of using MSSPs is that they provide ________.
A) cost savings
B) independence
C) Both A and B
D) Neither A nor B
Q:
To outsource some security functions, a firm can use an MISP.