Saint COm590 midterm exam
Question Type     # Of Questions    # Correct
Multiple Choice   40                16
Grade Details - All Questions
Question 1. Question : Why are information security policies important to an organization?
Student Answer: They add complexity to employee functions, so it’s hard for employees to change anything.
They make it hard to attack the organization with viruses.
They strengthen the company’s ability to protect its information resources.
They allow controls to be relaxed or reduced.
Points Received: 2.5 of 2.5
Comments:
Question 2. Question : Which of the following is considered a how-to document?
Student Answer: Policy
Standard
Guideline
Procedure
Points Received: 0 of 2.5
Comments:
Question 3. Question : The concept of “need to know” is most closely associated with which of the following?
Student Answer: Confidentiality
Integrity
Availability
Authentication
Points Received: 0 of 2.5
Comments:
Question 4. Question : What does COBIT stand for?
Student Answer: Common Objectives for Information and Technology
Common Objects for Information and Technology
Control Objects for Information Technology
Control Objectives for Information and Related Technology
Points Received: 2.5 of 2.5
Comments:
Question 5. Question : Which of the following is not one of the four domains of the COBIT framework for ISS management?
Student Answer: Plan and Organize
Support and Monitor
Acquire and Implement
Deliver and Support
Points Received: 2.5 of 2.5
Comments:
Question 6. Question : Which of the following types of security controls stops incidents or breaches immediately?
Student Answer: Preventive
Detective
Corrective
None of the above
Points Received: 0 of 2.5
Comments:
Question 7. Question : A(n) __________ is a confirmed event that compromises the confidentiality, integrity, or availability of information.
Student Answer: risk
threat
breach
impact
Points Received: 2.5 of 2.5
Comments:
Question 8. Question : Security controls fall into three design types: preventive, detective, and:
Student Answer: corrective.
quantitative.
qualitative.
effective.
Points Received: 2.5 of 2.5
Comments:
Question 9. Question : A business __________ emerges when an organization cannot meet its obligation or duty.
Student Answer: liability
driver
culture
None of the above
Points Received: 2.5 of 2.5
Comments:
Question 10. Question : A backup generator is an example of which type of security control?
Student Answer: Physical
Administrative
Technical
Detective
Points Received: 2.5 of 2.5
Comments:
Question 11. Question : Which compliance law concept states that individuals should know what information about them is being collected and should be told how that information is being used?
Student Answer: Full disclosure
Limited use of personal data
Informed consent
Public interest
Points Received: 0 of 2.5
Comments:
Question 12. Question : A popular social networking site recently changed its privacy policy regarding personal profiles. To prevent your profile information from being shared with anyone on the Internet, you must check a box requesting privacy. What is this an example of?
Student Answer: Opt in
Opt out
Least privilege
Defense in depth
Points Received: 0 of 2.5
Comments:
Question 13. Question : Which law applies to educational institutions and protects students’ records?
Student Answer: CIPA
FERPA
GLBA
HIPAA
Points Received: 2.5 of 2.5
Comments:
Question 14. Question : To which sector does HIPAA apply primarily?
Student Answer: Communications
Financial
Medical
None of the above
Points Received: 2.5 of 2.5
Comments:
Question 15. Question : To which sector does the Gramm-Leach-Bliley Act apply primarily?
Student Answer: Communications
Financial
Medical
None of the above
Points Received: 2.5 of 2.5
Comments:
Question 16. Question : A policy that addresses the use of personal mobile devices, such as a smartphone, to access an internal business network is an issue of which IT domain?
Student Answer: User
Workstation
Remote Access
WAN
Points Received: 2.5 of 2.5
Comments:
Question 17. Question : A nurse uses a wireless computer from a patient’s room to access real-time patient information from the hospital server. Which domain does this wireless connection fall under?
Student Answer: User
LAN
WAN
System/Application
Points Received: 0 of 2.5
Comments:
Question 18. Question : Authentication and encryption of intranet traffic is a __________ Domain issue.
Student Answer: System/Application
User
Workstation
LAN
Points Received: 0 of 2.5
Comments:
Question 19. Question : You swipe your finger over your laptop’s fingerprint reader to unlock the computer. Which type of authentication method are you using?
Student Answer: Something you know
Something you are
Something you have
None of the above
Points Received: 2.5 of 2.5
Comments:
Question 20. Question : Within the User Domain, some of the ways in which risk can be mitigated include awareness, enforcement, and:
Student Answer: people.
reward.
process.
user access.
Points Received: 0 of 2.5
Comments:
Question 21. Question : Which personality type tends to be associated with good leaders?
Student Answer: Achiever
Pleaser
Attacker
Analytical
Points Received: 0 of 2.5
Comments:
Question 22. Question : Which of the following is not true of auditors?
Student Answer: Are accountable for assessing the design and effectiveness of security policies
Can be internal or external
Report to the leaders they are auditing
Offer opinions on how well the policies are being followed and how effective they are
Points Received: 0 of 2.5
Comments:
Question 23. Question : A primary reason why security policies often fail is __________.
Student Answer: lack of complexity
insufficient leadership support
not enough money
poor planning
Points Received: 0 of 2.5
Comments:
Question 24. Question : In an organization, which of the following roles is responsible for the day-to-day maintenance of data?
Student Answer: Information security office (ISO)
Compliance officer
Data owner
Data custodian
Points Received: 0 of 2.5
Comments:
Question 25. Question : Which of the following is not true of a hierarchical organization?
Student Answer: More layers than a flat organization
Centralized authorities
A necessity in many large organizations
Wide span of control
Points Received: 0 of 2.5
Comments:
Question 26. Question : Which part of an IT policy framework includes the program’s purpose and mission, and the program’s scope within the organization?
Student Answer: Charter
Standards
Guidelines
Procedures
Points Received: 2.5 of 2.5
Comments:
Question 27. Question : The program framework policy or information security program charter is the __________ document.
Student Answer: policy
capstone
project
compliance
Points Received: 0 of 2.5
Comments:
Question 28. Question : __________ is the ability to reasonably ensure conformity and adherence to both internal and external policies, standards, procedures, laws, and regulations.
Student Answer: Availability
Nonrepudiation
Awareness
Compliance
Points Received: 2.5 of 2.5
Comments:
Question 29. Question : Which act was passed in the wake of the collapse of Enron, Arthur Andersen, WorldCom, and several other large firms?
Student Answer: SOX
FERPA
CIPA
FISMA
Points Received: 0 of 2.5
Comments:
Question 30. Question : Your organization was awarded a U.S. government contract. You need to ensure your organization adheres to an acceptable IT security framework. Which of the following is the best choice?
Student Answer: COBIT
COSO
NIST SP 800-53
None of the above
Points Received: 0 of 2.5
Comments:
Question 31. Question : Which of the following is generally not an objective of a security policy change board?
Student Answer: Assess policies and recommend changes
Make and publish approved changes to policies
Coordinate requests for changes
Review requested changes to the policy framework
Points Received: 0 of 2.5
Comments:
Question 32. Question : Antivirus systems, cryptographic systems, and firewalls are examples of which type of security control?
Student Answer: Administrative
Technical security
Physical security
None of the above
Points Received: 0 of 2.5
Comments:
Question 33. Question : Before you begin security policy awareness training, what is the first step you should take to help ensure success?
Student Answer: Purchase a Governance, Risk, and Compliance tool
Publish the security policy documents to a wiki
Seek management buy-in
Write an article about the training in the company newsletter
Points Received: 0 of 2.5
Comments:
Question 34. Question : What is the primary role of a security policy evangelist?
Student Answer: Promote security policy awareness and address user questions
Monitor user adherence to security policies
Conduct security policy awareness training
Review student participation in security policy awareness training
Points Received: 0 of 2.5
Comments:
Question 35. Question : Which of the following is not a valid reason for using a taxonomy to organize an IT policy library?
Student Answer: Organizes policy library
Makes it easy to see how standards, procedures, and guidelines are related
Is required by all compliance laws
The name of a document indicates where it’s located in the library
Points Received: 2.5 of 2.5
Comments:
Question 36. Question : Which IT framework extends the COBIT framework and is a comprehensive risk management approach?
Student Answer: ISACA Risk IT framework
COSO
ITIL
ISO 27002
Points Received: 2.5 of 2.5
Comments:
Question 37. Question : Which security policy framework, developed by CERT, focuses on information security assessment and planning?
Student Answer: COSO
COBIT
ITIL
OCTAVE
Points Received: 0 of 2.5
Comments:
Question 38. Question : The core requirement of an automated IT security control library is that the information is:
Student Answer: alphabetized.
searchable.
in a numerical sequence.
in PDF format.
Points Received: 0 of 2.5
Comments:
Question 39. Question : In the financial services sector, the use of the “three lines of defense” includes the business unit (BU), a risk management program, and:
Student Answer: separation of duties.
an AUP.
an independent auditor.
Both B and C.
Points Received: 0 of 2.5
Comments:
Question 40. Question : Your organization is adopting several security policy frameworks. Which of the following is best suited for processing credit cards?
Student Answer: COSO
PCI DSS
COBIT
ITIL
Points Received: 0 of 2.5
Comments: