The use of encryption and digital signatures helps ensure that what was transmitted is the same as what was received. Which of the following is assured?
The concept of “need to know” is most closely associated with which of the following?
What is the primary goal of business process reengineering?
To develop new security policies
To improve business processes
To implement an enterprise resource system
To determine management bonuses
An unauthorized user accessed protected network storage and viewed personnel records. What has been lost?
What does COBIT stand for?
Control Objectives for Information and Related Technology
Common Objects for Information and Technology
Common Objectives for Information and Technology
Control Objects for Information Technology
What does “tone at the top” refer to?
Policies, in relation to standards, procedures, and guidelines
Confidentiality in the C-I-A triad
Regulatory bodies, in relation to security policies and controls
Which of the following types of security controls stops incidents or breaches immediately?
None of the above
An encryption system is an example of which type of security control?
Security controls fall into three design types: preventive, detective, and:
Which of the following is not a generally accepted principle for implementing a security awareness program?
Competency should be measured.
Remind employees of risks.
Leaders should provide visible support.
None of the above.
Of the following compliance laws, which focuses most heavily on personal privacy?
To which sector does HIPAA apply primarily?
None of the above
Which law was challenged by the American Library Association and the American Civil Liberties Union claiming it violated free speech rights of adults?
To which sector does the Sarbanes-Oxley Act apply primarily?
Publicly traded companies
Which compliance law concept states that only the data needed for a transaction should be collected?
Limited use of personal data
Role-based access control
Virtual private networking
Software as a Service
Which of the following is not true of segmented networks?
By limiting certain types of traffic to a group of computers, you are eliminating a number of threats.
Switches, routers, internal firewalls, and other devices restrict segmented network traffic.
A flat network has more controls than a segmented network for limiting traffic.
Network segmentation limits what and how computers are able to talk to each other.
In which domain is virtual private networking a security control?
Remote Access Domain
Both A and B
Neither A nor B
Question 19
A security policy that addresses data loss protection, or data leakage protection, is an issue primarily in which IT domain?
Question 20
A nurse uses a wireless computer from a patient’s room to access real-time patient information from the hospital server. Which domain does this wireless connection fall under?
Regarding security policies, what is a stakeholder?
An individual who has an interest in the success of the security policies
A framework in which security policies are formed
A placeholder in the framework where new policies can be added
Another name for a change request
Question 22
Which personality type tends to be best suited for delivering security awareness training?
Which of the following is typically defined as the end user of an application?
Question 24
Which of the following is not true of auditors?
Report to the leaders they are auditing
Are accountable for assessing the design and effectiveness of security policies
Can be internal or external
Offer opinions on how well the policies are being followed and how effective they are
Question 25
In an organization, which of the following roles is responsible for the day-to-day maintenance of data?
Information security office (ISO)
Which of the following include details of how an IT security program runs, who is responsible for day-to-day work, how training and awareness are conducted, and how compliance is handled?
Question 27
Which of the following are used as benchmarks for audit purposes?
What does an IT security policy framework resemble?
Hierarchy or tree
Question 29
Which of the following is not a control area of ISO/IEC 27002, “Information Technology–Security Techniques–Code of Practice for Information Security Management”?
Risk assessment and treatment
Audit and accountability
What is included in an IT policy framework?
All of the above
Question 31
Which of the following is generally not an objective of a security policy change board?
Review requested changes to the policy framework
Coordinate requests for changes
Make and publish approved changes to policies
Assess policies and recommend changes
When publishing an internal security policy or standard, which role or department usually gives final approval?
Audit and Compliance Manager
Question 33
Virus removal and closing a firewall port are examples of which type of security control?
Detective or response
Question 34
Fences, security guards, and locked doors are examples of which type of security control?
None of the above
Question 35
Which principle for developing policies, standards, baselines, procedures, and guidelines discusses a series of overlapping layers of controls and countermeasures?
Question 36
Who is responsible for data quality within an enterprise?
Question 37
The core requirement of an automated IT security control library is that the information is:
in a numerical sequence.
in PDF format.
Which security policy framework focuses on concepts, practices, and processes for managing and delivering IT services?
__________ refers to the degree of risk an organization is willing to accept.
Question 40
A fundamental component of internal control for high-risk transactions is:
a defense in depth.
a separation of duties.
following best practices.