Quiz 6

Question 1

Janet is identifying the set of privileges that should be assigned to a new employee in her organization.
Which phase of the access control process is she performing?

Identification

Authentication

Accountability

Authorization

0.5 points

QUESTION 2

1. Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws

Company policy

Internal audit

Corporate culture

0.5 points

QUESTION 3

1. Mark is considering outsourcing security functions to a third-party service provider. What benefit is
he most likely to achieve?

Reduced operating costs

Access to a high level of expertise

Developing in-house talent

Building internal knowledge

0.5 points
QUESTION 4

1. Biyu is making arrangements to use a third-party service provider for security services. She wants to
document a requirement for timely notification of security breaches. What type of agreement is most
likely to contain formal requirements of this type?

Service level agreement (SLA)

Blanket purchase agreement (BPA)

Memorandum of understanding (MOU)

Interconnection security agreement (ISA)

0.5 points

QUESTION 5

1. Which agreement type is typically less formal than other agreements and expresses areas of
common interest?

Service level agreement (SLA)

Blanket purchase agreement (BPA)

Memorandum of understanding (MOU)

Interconnection security agreement (ISA)

0.5 points

QUESTION 6

1. What is NOT a good practice for developing strong professional ethics?

Set the example by demonstrating ethics in daily activities

Encourage adopting ethical guidelines and standards

Assume that information should be free

Inform users through security awareness training

0.5 points
QUESTION 7

1. Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture
Board (IAB)?

Seeking to gain unauthorized access to resources

Disrupting intended use of the Internet

Enforcing the integrity of computer-based information

Compromising the privacy of users

0.5 points

QUESTION 8

1. What is NOT a principle for privacy created by the Organization for Economic Cooperation and
Development (OECD)?

An organization should collect only what it needs.

An organization should share its information.

An organization should keep its information up to date.

An organization should properly destroy its information when it is no longer needed.

0.5 points

QUESTION 9

1. Karen is designing a process for issuing checks and decides that one group of users will have the
authority to create new payees in the system while a separate group of users will have the authority to
issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen
enforcing?

Job rotation

Least privilege

Need-to-know

Separation of duties

0.5 points
QUESTION 10

1. What is NOT a goal of information security awareness programs?

Teach users about security objectives

Inform users about trends and threats in security

Motivate users to comply with security policy

Punish users who violate policy

0.5 points

QUESTION 11

1. Ann is creating a template for the configuration of Windows servers in her organization. It includes
the basic security settings that should apply to all systems. What type of document should she create?

Baseline

Policy

Guideline

Procedure

0.5 points

QUESTION 12

1. Roger's organization received a mass email message that attempted to trick users into revealing
their passwords by pretending to be a help desk representative. What category of social engineering is
this an example of?

Intimidation

Name dropping

Appeal for help

Phishing

0.5 points
QUESTION 13

1. Aditya is attempting to classify information regarding a new project that his organization will
undertake in secret. Which characteristic is NOT normally used to make these type of classification
decisions?

Value

Sensitivity

Criticality

Threat

0.5 points

QUESTION 14

1. Which activity manages the baseline settings for a system or device?

Configuration control

Reactive change management

Proactive change management

Change control

0.5 points

QUESTION 15

1. What is the correct order of steps in the change control process?

Request, approval, impact assessment, build/test, monitor, implement

Request, impact assessment, approval, build/test, implement, monitor

Request, approval, impact assessment, build/test, implement, monitor

Request, impact assessment, approval, build/test, monitor, implement

0.5 points
QUESTION 16

1. Marguerite is creating a budget for a software development project. What phase of the system
lifecycle is she undertaking?

Project initiation and planning

Functional requirements and definition

System design specification

Operations and maintenance

0.5 points

QUESTION 17

1. Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which
method is NOT a good approach for destroying data?

Formatting

Degaussing

Physical destruction

Overwriting

0.5 points

QUESTION 18

1. In an accreditation process, who has the authority to approve a system for implementation?

Certifier

Authorizing official (AO)

System owner

System administrator

0.5 points
QUESTION 19

1. In what type of attack does the attacker send unauthorized commands directly to a database?

Cross-site scripting

SQL injection

Cross-site request forgery

Database dumping

0.5 points

QUESTION 20

1. In what software development model does activity progress in a lock-step sequential process where
no phase begins until the previous phase is complete?

Spiral

Agile

Lean

Waterfall