COM590 Midterm Exam Latest 2017 (A++++++ Answer)

Question 1 2.5 / 2.5 points

The use of encryption and digital signatures helps ensure that what was transmitted is the same as what was received. Which of the following is assured?

Question options:

Confidentiality

Availability

Integrity

Nonrepudiation

Question 2 2.5 / 2.5 points

The concept of “need to know” is most closely associated with which of the following?

Question options:

Authentication

Availability

Confidentiality

Integrity

Question 3 2.5 / 2.5 points

What is the primary goal of business process reengineering?

Question options:

To develop new security policies

To improve business processes

To implement an enterprise resource system

To determine management bonuses

Question 4 2.5 / 2.5 points

An unauthorized user accessed protected network storage and viewed personnel records. What has been lost?

Question options:

Confidentiality

Nonrepudiation

Integrity

Availability

Question 5 2.5 / 2.5 points

What does COBIT stand for?

Question options:

Control Objectives for Information and Related Technology

Common Objects for Information and Technology

Common Objectives for Information and Technology

Control Objects for Information Technology

Question 6 2.5 / 2.5 points

What does “tone at the top” refer to?

Question options:

Policies, in relation to standards, procedures, and guidelines

Confidentiality in the C-I-A triad

Regulatory bodies, in relation to security policies and controls

Company leaders

Question 7 2.5 / 2.5 points

Which of the following types of security controls stops incidents or breaches immediately?

Question options:

Preventive

Corrective

Detective

None of the above

Question 8 2.5 / 2.5 points

An encryption system is an example of which type of security control?

Question options:

Technical

Corrective

Physical

Administrative

Question 9 2.5 / 2.5 points

Security controls fall into three design types: preventive, detective, and:

Question options:

effective.

corrective.

quantitative.

qualitative.

Question 10 2.5 / 2.5 points

Which of the following is not a generally accepted principle for implementing a security awareness program?

Question options:

Competency should be measured.

Remind employees of risks.

Leaders should provide visible support.

None of the above.

Question 11 2.5 / 2.5 points

Of the following compliance laws, which focuses most heavily on personal privacy?

Question options:

FISMA

GLBA

HIPAA

SOX

Question 12 2.5 / 2.5 points

To which sector does HIPAA apply primarily?

Question options:

Financial

None of the above

Communications

Medical

Question 13 2.5 / 2.5 points

Which law was challenged by the American Library Association and the American Civil Liberties Union claiming it violated free speech rights of adults?

Question options:

CIPA

FERPA

HIPAA

GLBA

Question 14 2.5 / 2.5 points

To which sector does the Sarbanes-Oxley Act apply primarily?

Question options:

Medical

Publically traded companies

Financial

Communications

Question 15 2.5 / 2.5 points

Which compliance law concept states that only the data needed for a transaction should be collected?

Question options:

Public interest

Limited use of personal data

Full disclosure

Opt-in/opt-out

Question 16 2.5 / 2.5 points

You are on the West Coast but want to connect to your company’s intranet on the East Coast. You use a program to “tunnel” through the Internet to reach the intranet. Which technology are you using?

Question options:

Role-based access control

Elevated privileges

Virtual private networking

Software as a Service

Question 17 2.5 / 2.5 points

Which of the following is not true of segmented networks?

Question options:

By limiting certain types of traffic to a group of computers, you are eliminating a number of threats.

Switches, routers, internal firewalls, and other devices restrict segmented network traffic.

A flat network has more controls than a segmented network for limiting traffic.

Network segmentation limits what and how computers are able to talk to each other.

Question 18 2.5 / 2.5 points

In which domain is virtual private networking a security control?

Question options:

WAN Domain

Remote Access Domain

Both A and B

Neither A nor B

Question 19 0 / 2.5 points

A security policy that addresses data loss protection, or data leakage protection, is an issue primarily in which IT domain?

Question options:

User

Workstation

WAN

System/Application

Question 20 0 / 2.5 points

A nurse uses a wireless computer from a patient’s room to access real-time patient information from the hospital server. Which domain does this wireless connection fall under?

Question options:

System/Application

User

WAN

LAN

Question 21 2.5 / 2.5 points

Regarding security policies, what is a stakeholder?

Question options:

An individual who has an interest in the success of the security policies

A framework in which security policies are formed

A placeholder in the framework where new policies can be added

Another name for a change request

Question 22 0 / 2.5 points

Which personality type tends to be best suited for delivering security awareness training?

Question options:

Pleaser

Performer

Analytical

Commander

Question 23 2.5 / 2.5 points

Which of the following is typically defined as the end user of an application?

Question options:

Data owner

Data manager

Data custodian

Data user

Question 24 0 / 2.5 points

Which of the following is not true of auditors?

Question options:

Report to the leaders they are auditing

Are accountable for assessing the design and effectiveness of security policies

Can be internal or external

Offer opinions on how well the policies are being followed and how effective they are

Question 25 0 / 2.5 points

In an organization, which of the following roles is responsible for the day-to-day maintenance of data?

Question options:

Data owner

Information security office (ISO)

Compliance officer

Data custodian

Question 26 2.5 / 2.5 points

Which of the following include details of how an IT security program runs, who is responsible for day-to-day work, how training and awareness are conducted, and how compliance is handled?

Question options:

Procedures

Guidelines

Standards

Policies

Question 27 0 / 2.5 points

Which of the following are used as benchmarks for audit purposes?

Question options:

Policies

Guidelines

Standards

Procedures

Question 28 2.5 / 2.5 points

What does an IT security policy framework resemble?

Question options:

Narrative document

Cycle diagram

List

Hierarchy or tree

Question 29 0 / 2.5 points

Which of the following is not a control area of ISO/IEC 27002, “Information Technology–Security Techniques–Code of Practice for Information Security Management”?

Question options:

Security policy

Risk assessment and treatment

Asset management

Audit and accountability

Question 30 2.5 / 2.5 points

What is included in an IT policy framework?

Question options:

Procedures

Guidelines

Standards

All of the above

Question 31 0 / 2.5 points

Which of the following is generally not an objective of a security policy change board?

Question options:

Review requested changes to the policy framework

Coordinate requests for changes

Make and publish approved changes to policies

Assess policies and recommend changes

Question 32 2.5 / 2.5 points

When publishing an internal security policy or standard, which role or department usually gives final approval?

Question options:

Audit and Compliance Manager

Senior Executive

Legal

Human Resources

Question 33 0 / 2.5 points

Virus removal and closing a firewall port are examples of which type of security control?

Question options:

Corrective

Recovery

Detective or response

Preventive

Question 34 0 / 2.5 points

Fences, security guards, and locked doors are examples of which type of security control?

Question options:

Technical security

None of the above

Administrative

Physical security

Question 35 0 / 2.5 points

Which principle for developing policies, standards, baselines, procedures, and guidelines discusses a series of overlapping layers of controls and countermeasures?

Question options:

Multidisciplinary principle

Accountability principle

Proportionality principle

Defense-in-depth principle

Question 36 0 / 2.5 points

Who is responsible for data quality within an enterprise?

Question options:

Data steward

Data custodian

CISA

CISO

Question 37 0 / 2.5 points

The core requirement of an automated IT security control library is that the information is:

Question options:

alphabetized.

in a numerical sequence.

in PDF format

searchable.

Question 38 2.5 / 2.5 points

Which security policy framework focuses on concepts, practices, and processes for managing and delivering IT services?

Question options:

ITIL

COBIT

COSO

OCTAVE

Question 39 2.5 / 2.5 points

__________ refers to the degree of risk an organization is willing to accept.

Question options:

Probability

Risk aversion

Risk tolerance

Risk appetite

Question 40 0 / 2.5 points

A fundamental component of internal control for high-risk transactions is:

Question options:

a defense in depth.

a separation of duties.

data duplication.

following best practices.