

Information Assurance Test Preparation
Course Introduction
Information Assurance focuses on the strategies, processes, and tools necessary to protect and manage information and information systems. This course covers the principles of ensuring the confidentiality, integrity, availability, authenticity, and non-repudiation of data. Students will explore risk management, security policies, legal and ethical considerations, threat analysis, vulnerability assessment, and incident response. Through real-world case studies and practical exercises, learners will gain a comprehensive understanding of how to safeguard information assets against various security threats in organizational and networked environments.
Recommended Textbook: Management of Information Security, 5th Edition, by Michael E. Whitman
Available Study Resources on Quizplus
12 Chapters
706 Verified Questions
706 Flashcards
Source URL: https://quizplus.com/study-set/2555

Chapter 1: Introduction to the Management of Information Security
Available Study Resources on Quizplus for this Chapter
63 Verified Questions
63 Flashcards
Source URL: https://quizplus.com/quiz/50835
Sample Questions
Q1) List the specialized areas of security.
Answer: Physical security, operations security, communications security, network security
Q2) Which of the following is not among the 'deadly sins of software security'?
A) Extortion sins
B) Implementation sins
C) Web application sins
D) Networking sins
Answer: A
Q3) Discuss the planning element of information security.
Answer: Planning in InfoSec management is an extension of the basic planning model. Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of InfoSec strategies within the IT planning environment. The business strategy is translated into the IT strategy. Both the business strategy and the IT strategy are then used to develop the InfoSec strategy. For example, the CIO uses the IT objectives gleaned from the business unit plans to create the organization's IT strategy.
Q4) A(n)____________________ hacks the public telephone network to make free calls or disrupt services.
Answer: phreaker

To view all questions and flashcards with answers, click on the resource link above.

Chapter 2: Compliance: Law and Ethics
Available Study Resources on Quizplus for this Chapter
50 Verified Questions
50 Flashcards
Source URL: https://quizplus.com/quiz/50836
Sample Questions
Q1) Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
A) ECPA
B) Sarbanes-Oxley
C) HIPAA
D) Gramm-Leach-Bliley
Answer: C
Q2) ___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.
Answer: tort law
Q3) Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
A) (ISC)²
B) ACM
C) SANS
D) ISACA
Answer: A
To view all questions and flashcards with answers, click on the resource link above.

Chapter 3: Governance and Strategic Planning for Security
Available Study Resources on Quizplus for this Chapter
52 Verified Questions
52 Flashcards
Source URL: https://quizplus.com/quiz/50837
Sample Questions
Q1) A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
A) vulnerability assessment
B) penetration testing
C) exploit identification
D) safeguard neutralization
Answer: B
Q2) When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the
A) Board Risk Committee
B) Board Finance Committee
C) Board Audit Committee
D) Chairman of the Board
Answer: A
Q3) The ______________________ phase is the last phase of SecSDLC,but perhaps the most important.
Answer: maintenance and change
To view all questions and flashcards with answers, click on the resource link above.

Chapter 4: Information Security Policy
Available Study Resources on Quizplus for this Chapter
56 Verified Questions
56 Flashcards
Source URL: https://quizplus.com/quiz/50838
Sample Questions
Q1) Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
A) can suffer from poor policy dissemination, enforcement, and review
B) may skip vulnerabilities otherwise reported
C) may be more expensive than necessary
D) implementation can be less difficult to manage
Q2) When issues are addressed by moving from the general to the specific, always starting with policy.
A) capability table
B) statement of purpose
C) Bull's eye model
D) SysSP
E) Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP
Q3) List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 5: Developing the Security Program
Available Study Resources on Quizplus for this Chapter
65 Verified Questions
65 Flashcards
Source URL: https://quizplus.com/quiz/50839
Sample Questions
Q1) Which of the following is a disadvantage of the one-on-one training method?
A) Inflexible
B) May not be responsive to the needs of all the trainees
C) Content may not be customized to the needs of the organization
D) Resource intensive, to the point of being inefficient
Q2) Explain the conflict between the goals and objectives of the CIO and the CISO.
Q3) The goal of a security ____________________ program is to keep information security at the forefront of users' minds on a daily basis.
Q4) Which of the following is an advantage of the one-on-one method of training?
A) Trainees can learn from each other
B) Very cost-effective
C) Customized
D) Maximizes use of company resources
Q5) Which of the following is true about a company's InfoSec awareness Web site?
A) it should contain large images to maintain interest
B) appearance doesn't matter if the information is there
C) it should be placed on the Internet for public use
D) it should be tested with multiple browsers
Q6) What minimum attributes for project tasks does the WBS document?
Q7) What is the role of help desk personnel in the InfoSec team?
To view all questions and flashcards with answers, click on the resource link above.
Chapter 6: Risk Management: Identifying and Assessing Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50840
Sample Questions
Q1) A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet.
A) True
B) False
Q2) Why is threat identification so important in the process of risk management?
Q3) List the stages in the risk identification process in order of occurrence.
Q4) Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
A) risk management
B) risk analysis
C) classification categories
D) risk identification
E) field change order
F) threat assessment
G) risk appetite
H) qualitative assessment
I) residual risk
J) ranked vulnerability risk worksheet
Q5) For the purposes of relative risk assessment how is risk calculated?
Q6) What are the included tasks in the identification of risks?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 7: Risk Management: Controlling Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50841
Sample Questions
Q1) Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?
A) analysis and adjustment
B) review and reapplication
C) monitoring and measurement
D) evaluation and funding
Q2) The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
Q3) Briefly describe the five basic strategies to control risk that result from vulnerabilities.
Q4) Application of training and education is a common method of which risk control strategy?
A) mitigation
B) defense
C) acceptance
D) transferal
Q5) The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 8: Security Management Models
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50842
Sample Questions
Q1) Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?
A) COBIT
B) COSO
C) NIST
D) ISO
Q2) Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information.
A) True
B) False
Q3) There are seven access controls methodologies categorized by their inherent characteristics. List and briefly define them.
Q4) Lattice-based access control specifies the level of access each subject has to each object, if any.
A) True
B) False
Q5) Under what circumstances should access controls be centralized vs. decentralized?
Q6) Access controls are built on three key principles. List and briefly define them.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 9: Security Management Practices
Available Study Resources on Quizplus for this Chapter
59 Verified Questions
59 Flashcards
Source URL: https://quizplus.com/quiz/50843
Sample Questions
Q1) Data or the trends in data that may indicate the effectiveness of security countermeasures or controls (technical and managerial) implemented in the organization are known as program measurements.
A) True
B) False
Q2) Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.
A) True
B) False
Q3) Which of the following is the first phase in the NIST process for performance measurement implementation?
A) Develop the business case
B) Obtain resources
C) Prepare for data collection
D) Identify corrective actions
Q4) A practice related to benchmarking is ____________, which is a measurement against a prior assessment or an internal goal.
Q5) Compare and contrast accreditation and certification.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 10: Planning for Contingencies
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50844
Sample Questions
Q1) Which of the following is a responsibility of the crisis management team?
A) Restoring the data from backups
B) Evaluating monitoring capabilities
C) Keeping the public informed about the event and the actions being taken
D) Restoring the services and processes in use
Q2) Which of the following allows investigators to determine what happened by examining the results of an event (criminal, natural, intentional, or accidental)?
A) Digital malfeasance
B) E-discovery
C) Forensics
D) Evidentiary procedures
Q3) A(n) ____________________ is a document containing contact information of the individuals to notify in the event of an actual incident.
Q4) A(n) ____________________ is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.
Q5) When undertaking the BIA,what should the organization consider?
Q6) What teams are involved in contingency planning and contingency operations?
Q7) Compare and contrast a hot site, a warm site, and a cold site.
Q8) Describe the methodology an organization should follow in an investigation.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 11: Personnel and Security
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50845
Sample Questions
Q1) According to Schwartz et al., employees who create and install security solutions fall under which classification of InfoSec positions?
A) Definers
B) Administers
C) Builders
D) Architects
Q2) The most common qualifications for a CISO include the CISSP and CISM certifications.
A) True
B) False
Q3) Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs?
A) Task rotation
B) Mandatory vacations
C) Separation of duties
D) Job rotation
Q4) Describe the certifications developed by SANS. How are they different from InfoSec certifications like CISSP and SSCP?
Q5) Briefly describe at least five types of background checks.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 12: Protection Mechanisms
Available Study Resources on Quizplus for this Chapter
61 Verified Questions
61 Flashcards
Source URL: https://quizplus.com/quiz/50846
Sample Questions
Q1) What is asymmetric encryption?
Q2) Was developed by Netscape in 1994 to provide security for online e-commerce transactions.
A) VPN
B) transport mode
C) SSL
D) PKI
E) digital certificate
F) asymmetric encryption
G) Vernam cipher
H) transposition cipher
I) content filter
J) footprinting
Q3) Describe in basic terms what an IDPS is.
Q4) What is the range of the well-known ports used by TCP and UDP?
A) 1024-65,536
B) 0-1023
C) 0-65,536
D) 20, 21, 25, 53, 80
Q5) What should you look for when selecting a firewall for your network?
To view all questions and flashcards with answers, click on the resource link above.