Quiz 4

Purpose
This assignment will assess your ability to:
· Compare and contrast different types of standards including: laws, regulations, policies, voluntary, and framework-based standards. [IAS 1]
· Recommend managerial, technical, and operational controls within governance channels.
· Promote continuous learning from security incidents.

Overview
This quiz covers Module 4 concepts. It will take about 60 minutes. This is an individual assignment. Make sure to complete all of the module’s reading and preparation before taking the quiz.

Question 1 (2 points)
The ____________ may be performed on an annual basis; however, the _________ should be done more frequently.
vulnerability scanning, policy development
vulnerability scanning, risk assessment
risk assessment, vulnerability scanning
risk assessment, policy development
Question 2 (2 points)
Which one of the statements is NOT true?
Larger companies are expected to devote more resources to security controls and implement more automated solutions to address the issues.
Government entities will have a formalized assessment and authorization process.
Smaller organizations need to decide what is feasible to protect the resources adequately and may need to engage external resources to provide adequate protection.
Each organization should develop a process whereby the security controls and the residual risk are approved and accepted by security analysts.

Question 3 (2 points)
Which one of the statements is NOT true?
The NIST uses terminology in the 800-53 standard (Recommended Security Controls for Federal Information Systems) with roots in the insurance sector.
Understanding the intent of the control also assists in interpreting the terminology used within the control.
Many different organizations, committees, and geographic representations promulgate the standards.
Compliance is not security, but it is a good start.
Question 4 (2 points)
Which one of the statements is NOT true?
Vulnerability assessments, penetration testing, and internal audit reviews of the security controls ensure that the policies and procedures that were created are being followed.
To achieve support for the implementation of security policies throughout the organization and to ensure that the security policies do not disrupt the business, it is NOT advisable to establish an information security council.
The documented security policies and procedures are necessary; however, if individuals do not truly understand their responsibilities to comply with the security controls, the likelihood that the appropriate processes will be followed is greatly diminished.
Multiple control frameworks can be selected for different levels of detail.

Question 5 (2 points)
The risk assessment should represent a documented meeting of the minds between information security and __________.
senior management
risk analyst
services acquisition
regulations

Question 6 (2 points)
Which one of the following is NOT a Security Control Framework and Standard Example?
ISO 27004
HIPAA
FISMA
NIST 800-53
Question 7 (2 points)
According to the Verizon annual report on data breaches, what is the fastest and most cost-effective way for a company not to be a victim of cyber-attackers?
Review what incidents are occurring and implement and monitor appropriate controls.
Focus on internal threats.
Invest in encryption solutions.
Invest in state-of-the-art security software and hardware.

Question 8 (2 points)
Vulnerability scanning is performed as part of the ________ to provide the status of the technical controls and where improvements need to be made.
penetration testing
control frameworks
risk assessment
security tests

Question 9 (2 points)
COBIT stands for:
Command Objectives for Information and related Technology framework
Control Objectives for Information and related Technology framework
Computer Objectives for Information and related Technology framework
Computer Objectives for Information and related Testing framework
Question 10 (2 points)
____________ is a set of comprehensive requirements for enhancing payment account security, formed by several major credit card issuers, to facilitate the broad adoption of a comprehensive security standard designed to protect cardholder data.
GLBA
HIPAA
FISMA
PCI-DSS

Question 11 (1 point)
Which one of the following control families includes the employment of vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process?
Risk assessment
Services acquisition
Program management
Risk mitigation

Question 12 (2 points)
Which is NOT an advantage of reviewing the incidents of other companies from published press releases and news reports?
Helps to learn what caused the security breach
Helps to learn what actions the company is planning for free
Helps to enhance security governance in a cost-effective way
Helps fulfill security certification requirements
Question 13 (2 points)
Which one of the following control families includes developmental and evaluation-related assurance requirements?
Risk Assessment
System and Services acquisition
Program management
System Maintenance

Question 14 (2 points)
Once a control framework or set of standards has been chosen and implemented, the framework must be internally and externally ___________ regularly.
discussed
standardized
reviewed
audited

Question 15 (2 points)
What does the CMMI stand for?
Capability Maturity Model Institute
Capability Managed Model Integration
Capability Maturity Model Integration
Capability Measurement Model Integration
Question 16 (2 points)
Which one of the statements is NOT true?
The world operates on standards.
A practice that works for one organization should be used as a best practice for another.
Most control frameworks are written at a higher, broader level, which provides flexibility to implement controls to satisfy the specific technological request.
Over time, the standards evolve, and they change to meet societal and technological needs.

Question 17 (2 points)
Which of the control families is NOT classified as operational?
System and information integrity
Configuration management
Awareness and training
Access control

Question 18 (2 points)
The _________ control family was added in NIST 800-53 Rev3 to provide the controls in support of managing an information security program.
Program management
Services acquisition
Risk management
Risk Assessment
Question 19 (2 points)
Which kind of cyber threats should a company fear the most?
A hacker targeting C-suite executives
Hackers motivated by financial gains
Script Kiddies
Advanced Persistent Threats

Question 20 (2 points)
_____________ is a set of books published by the British government’s Stationery Office between 1989 and 1992 to improve IT service management.
ITIL
HISMA
ISO 20000
IT-DSS