199. Which of the following proactive technical methods is used to complement the security controls review?
a. Information scanning tool
b. Vulnerability scanning tool
c. Network scanning tool
d. Penetration testing tool
199. d. Penetration testing tool can be used to complement the security controls review and to ensure that different facets of the IT system are secured. The penetration testing occurs after the review of security controls, which includes the use of the automated information scanning tool, automated vulnerability scanning tool, and automated network scanning tool, and security test and evaluation. The penetration testing uses the results obtained from the security controls review.
200. When an employee of an organization uses an internal system to connect with an external organization’s system for data exchange, the employee should comply with which of the following agreed upon trust relationships?
1. Conflict of interest statements
2. Rules of behavior
3. Remote session rules
4. Rules of operation
a. 1 and 2
b. 2 and 3
c. 1, 3, and 4
d. 1, 2, 3, and 4
200. d. Employees of an organization should be bound by the terms and conditions consistent with any agreed upon trust relationships between internal system owner and external system owner. These conditions include rules of behavior, remote session rules, rules of operation, and signed conflict of interest statements.
201. The security objective or principle of confidentiality does not deal with which of the following?
a. Authenticity
b. Sensitivity
c. Secrecy
d. Criticality
201. a. Authentication is a part of the integrity security objective or principle, whereas the other three choices are part of a confidentiality objective or principle.
202. Which of the following is not a goal of IT security?
a. Confidentiality
b. Integrity
c. Aggregation
d. Availability
202. c. Aggregation is an element of sensitivity where data is summarized to mask the details of a subject matter. The other three choices are the goals of IT security.
203. Which of the following is not an outcome of information security governance?
a. Strategic alignment
b. Information asset
c. Risk management
d. Resource management
203. b. Information asset is a business-critical asset, without which most organizations would not function properly. It is a business enabler, not an outcome. The other three choices are examples of outcome of information security governance.
204. Which of the following is not an input to the risk management and information security strategy?
a. Business strategy
b. Security requirements
c. Business processes
d. Risk assessments
204. b. Security requirements are the outputs of the risk management activity. Inputs to the risk management and information security strategy include business strategy, business processes, risk assessments, business input analysis, information resources, and regulatory requirements.
205. Which of the following is not a correct method of expressing information security baselines?
a. Technical standards
b. Procedural standards
c. Vendor standards
d. Personnel standards
205. c. Information security baselines can be expressed as technical, procedural, and personnel standards because they are internal to an organization. In addition to the above standards, the baseline should consider laws, regulations, policies, directives, and organizational mission/business/operational requirements, which could identify security requirements.
Vendors are external to an organization and it would be difficult to accommodate their standards into the baseline due to many vendors. In addition, vendor standards could be unpredictable and unstable.
206. Regarding information security governance, which of the following does not change, unlike others?
a. Programs
b. Assets
c. Mission
d. Practices
206. c. An organization’s basic mission does not change because it is the guiding principle to follow at all times. However, the organization may change its security practices and protection mechanisms over IT assets and computer programs. Yet, these changes must be made within the boundaries of the mission requirements and guidelines. Note that the information security governance must follow the IT governance and the corporate governance principles.
207. What is the most important objective of system security planning?
a. To improve the protection of information system resources
b. To protect highly sensitive systems
c. To protect highly critical systems
d. To focus on accredited systems
207. a. The most important objective of system security planning is to improve the protection of information system resources (e.g., systems, programs, people, data, and equipment). All information systems have some level of sensitivity and criticality and some systems may be accredited. The sensitive, critical, and accredited systems are part of the information system resources and they need protection as part of good management practices.
208. Which of the following policy types is usually broad in scope and function?
a. Program policies
b. Issue-specific policies
c. System-specific policies
d. Network policies
208. a. Program policy is usually broad in scope in that it does not require much modification over time, whereas other types of policies are likely to require more frequent revisions as changes in technology take place.
209. Which of the following is not a part of access agreements?
a. Nondisclosure agreements
b. Rules-of-behavior agreements
c. Employment agreements
d. Conflict-of-interest agreements
209. c. Employment agreements come before the access agreements. Access agreements include nondisclosure, acceptable use, rules-of-behavior, and conflict-of-interest for individuals requiring access to information and information system resources before authorizing access to such resources.