Security Strategy & Policy Exam
· Question 1
2 out of 2 points
One of the processes designed to eliminate as much security risk as possible is to ________________, which limits access credentials to the minimum required to carry out an activity and ensures that access is authenticated to particular individuals.
· Question 2
0 out of 2 points
One of seven domains of a typical IT infrastructure is the user domain. Within that domain is a range of user types, and each type has specific and distinct access needs. Which of the following types of users has the responsibility of creating and putting into place a security program within an organization?
· Question 3
2 out of 2 points
Which of the following user types is responsible for audit coordination and response, physical security and building operations, and disaster recovery and contingency planning?
· Question 4
0 out of 2 points
Imagine a scenario in which an employee regularly shirks the organization’s established security policies in favor of convenience. What does this employee’s continued violation suggest about the culture of risk management in the organization?
· Question 5
0 out of 2 points
Which of the following user groups has both a business need to access the systems, network, and applications to complete contracted services, and access capability that is limited to particular sections of the systems, network, and applications?
· Question 6
2 out of 2 points
Security policies that clarify and explain how rights are assigned and approved among employees can ensure that people have only the access needed for their jobs. Which of the following is not accomplished when prior access is removed?
· Question 7
0 out of 2 points
Aside from human user types, there are two other non-human user groups. Known as account types, ________________ are accounts implemented by the system for the purpose of supporting automated services, and ___________________ are accounts that remain non-human until individuals are assigned access and can use them to recover a system following a major outage.
· Question 8
2 out of 2 points
Which of the following is the most important reason why data needs to be both retrievable and properly stored?
· Question 9
0 out of 2 points
There are many different types of automated controls that are configured into devices for the purpose of enforcing a security policy. Which of the following is not an automated control?
· Question 10
0 out of 2 points
One of the different manual controls necessary for managing risk is ________________, which is a type of formal management verification. In the process, management confirms that a condition is present and that security controls and policies are in place.
· Question 11
2 out of 2 points
The information security organization performs a significant role in the implementation of solutions that mitigate risk and of control solutions. Because the security organization institutes the procedures and policies to be executed, it occupies the role of ____________________.
· Question 12
0 out of 2 points
___________________ are responsible for the monitoring of activities in the pre, middle, and post stages of goal implementation, whereas __________________ are responsible for the monitoring of activities following the implementation and are called upon to evaluate whether or not the goals have been achieved.
· Question 13
2 out of 2 points
Executive management has the responsibility of connecting many lines of business to bring resolution to strategic business issues. However, their ultimate responsibility is to ___________________________.
· Question 14
0 out of 2 points
There are a number of issues to consider when composing security policies. One such issue concerns the use of security devices. One such device is a ____________, which is a network security device with the characteristics of a decoy: it serves as a target that might tempt a hacker.
· Question 15
0 out of 2 points
A ______________________ is an apparatus for risk management that enables the organization to comprehend its risks and how those risks might impact the business.
· Question 16
0 out of 2 points
If an organization is creating a customized data classification scheme, it is important to keep in mind the accepted guidelines. Which of the following is not one of these guidelines?
· Question 17
2 out of 2 points
Of the risk management strategies, _________________ refers to the act of not engaging in actions that lead to risk, whereas ____________________ refers to acquiescence in regard to the risks of particular actions as well as their potential results.
· Question 18
0 out of 2 points
Despite the fact that there exists no mandatory scheme of data classification for private industry, there are four classifications used most frequently. Which of the following is not one of the four?
· Question 19
2 out of 2 points
When constructing policies regarding data _______________, it is important that these policies offer particular guidance on separation of duties (SOD), and that there are procedures that verify SOD requirements.
· Question 20
0 out of 2 points
The term ________________ denotes data that is being stored on devices like a universal serial bus (USB) thumb drive, laptop, server, DVD, or CD. The term ______________ denotes data that exists in a mobile state on the network, such as data on the Internet, wireless networks, or a private network.
· Question 21
0 out of 2 points
Consider this scenario: A major software company finds that code has been executed on an infected machine in its operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12 days later. Which of the following statements best describes the company’s approach?
· Question 22
0 out of 2 points
___________________ is a term that denotes a user’s capability to authenticate once to access the network and then have automatic authentication on different applications and devices afterward.
· Question 23
2 out of 2 points
The ______________________ denotes the application software and technology that concerns a wide range of topics, from data management to the systems that process information.
· Question 24
0 out of 2 points
Domain security control requirements are embodied in several different types of documents. One such document is known as _______________________, which uses a hierarchical organizing structure to identify the key terms and their explanations.
· Question 25
0 out of 2 points
A procedure document should accompany every baseline document. Which of the following is a true statement about the circumstances under which a procedure document needs to be created to support the baseline document?
· Question 26
2 out of 2 points
An important principle in information security is the concept of layers of security, which is often referred to as layered security, or defense in depth. Which of the following is not an example of a layer of security?
· Question 27
2 out of 2 points
Baseline LAN standards are concerned with network traffic monitoring because no matter how good firewalls and routers are, they are still not 100% effective. Thus, _________________ offer a wide range of protection because they seek out patterns of attack.
· Question 28
0 out of 2 points
In general, WAN-specific standards identify specific security requirements for WAN devices. For example, the ____________________ explains the family of controls needed to secure the connection from the internal network to the WAN router, whereas the ______________________ identifies which controls are vital for use of Web services provided by suppliers and external partnerships.
· Question 29
0 out of 2 points
Which of the following control standards in the system/application domain addresses both the handling of errors and protection against potentially damaging code?
· Question 30
0 out of 2 points
In order to form an IRT, an organization is required to create a charter; this document identifies the authority, mission, and goals of a committee or team, and there are a number of different types of IRT models for doing this. Which of the following models permits an IRT to have the complete authority to ensure a breach is contained?
· Question 31
0 out of 2 points
An organization’s _______________________ is a particular group of differently skilled individuals who are responsible for attending to serious security situations.
· Question 32
2 out of 2 points
There are particular tools and techniques that the IRT utilizes to gather forensic evidence, including ____________________, which articulates the manner used to document and protect evidence.
· Question 33
2 out of 2 points
While the amount of data known as mission-critical depends on the organization and industry, such data should only represent less than ____________ percent of the data population.
· Question 34
0 out of 2 points
In general, the IRT is comprised of a team with individuals that have different specialties; one such individual is the ___________________, who offers analytical skills and risk management. This specialist has focused forensic skills necessary for the collection and analysis of evidence.
· Question 35
2 out of 2 points
To measure the effectiveness of the IRT, which of the following does not need to be evaluated?
· Question 36
2 out of 2 points
___________________ are attacks that obtain access by means of remote services, such as vendor networks, employee remote access tools, and point-of-sale (POS) devices.
· Question 37
0 out of 2 points
In order to build security policy implementation awareness across the organization, there should be ____________________ who partner with other teams and departments to promote IT security through different communication channels.
· Question 38
2 out of 2 points
The department responsible for providing security training to new employees is the _______________.
· Question 39
0 out of 2 points
A major defense corporation rolls out a campaign to manage persistent threats to its infrastructure. The corporation decides to institute a ___________________ to identify and evaluate the knowledge gaps that can be addressed through additional training for all employees, even administrators and management.
· Question 40
2 out of 2 points
Training that happens in a classroom has many benefits, but which of the following is one of the most significant drawbacks concerning the instructors’ abilities?
· Question 41
2 out of 2 points
While there are many ways that policy objectives and goals can be described, some techniques are more effective than others for persuading an organization to implement them. Which of the following is not one of the effective techniques for persuading people to follow policy objectives and goals?
· Question 42
2 out of 2 points
The goal of employee awareness and training is to ensure that individuals are equipped with the tools necessary for the implementation of security policies. Which of the following is one of the other benefits of a successfully enacted training and awareness program?
· Question 43
2 out of 2 points
A ________________ is a technological term used in security policy to describe a future state in which specific goals and objectives have been achieved, along with the processes, resources, and tools needed to achieve those goals and objectives.
· Question 44
0 out of 2 points
Microsoft domains offer _______________ in order to enhance security for certain departments or users in an organization. This method allows security gaps to close and security settings to be increased for some computers or users.
· Question 45
0 out of 2 points
In order to assess policy compliance, many organizations will use a report card. These evaluation tools are comprised of criteria based on an organization’s requirements. Which of the following is not one of the elements that would be included on a report card?
· Question 46
2 out of 2 points
The window of ________________ is the time between when an opportunity for risk is identified and when the risk is ultimately eliminated by a patch.
· Question 47
0 out of 2 points
There are a number of automated tools created by Microsoft that can be used to verify compliance. One such tool is the ____________________, which is a free download that locates system vulnerabilities by sending queries. This tool can scan multiple systems in a network and maintain a history of reports for all prior scans.
· Question 48
0 out of 2 points
There are several different best practices available for implementation when creating a plan for IT security policy compliance monitoring. One such practice is to design a baseline derived from the security policy, which entails _________________.
· Question 49
2 out of 2 points
A __________________________ is a term that refers to the original image that is duplicated for deployment. Using this image saves time by eliminating the need for repeated changes to configuration and tweaks to performance.
· Question 50
0 out of 2 points
In order to ensure compliance, organizations deploy both new and current technologies. Which of the following is not one of these new technologies?