

Information Security Management Practice Exam
Course Introduction
Information Security Management explores the principles, policies, and practices necessary to protect information assets in modern organizations. The course examines key concepts such as risk assessment, security frameworks, governance models, and compliance requirements. Students will learn about the development and implementation of security policies, incident response planning, and strategies for managing cybersecurity threats. Emphasis is placed on balancing organizational goals with legal, ethical, and technical considerations to establish a robust security posture. Through case studies and practical applications, students gain the skills needed to design, evaluate, and manage effective information security programs.
Recommended Textbook: Management of Information Security, 5th Edition, by Michael E. Whitman
Available Study Resources on Quizplus
12 Chapters
706 Verified Questions
706 Flashcards
Source URL: https://quizplus.com/study-set/2555

Chapter 1: Introduction to the Management of Information Security
Available Study Resources on Quizplus for this Chapter
63 Verified Questions
63 Flashcards
Source URL: https://quizplus.com/quiz/50835
Sample Questions
Q1) Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
A) threats
B) education
C) hugs
D) paperwork
Answer: B
Q2) A(n) ____________________ is a potential weakness in an asset or its defensive control(s).
Answer: vulnerability
Q3) Explain the differences between a leader and a manager.
Answer: The distinctions between a leader and a manager arise in the execution of organizational tasks. A leader provides purpose, direction, and motivation to those who follow. By comparison, a manager administers the resources of the organization: he or she creates budgets, authorizes expenditures, and hires employees.
Q4) A(n) ____________________ hacks the public telephone network to make free calls or disrupt services.
Answer: phreaker
To view all questions and flashcards with answers, click on the resource link above.
Chapter 2: Compliance: Law and Ethics
Available Study Resources on Quizplus for this Chapter
50 Verified Questions
50 Flashcards
Source URL: https://quizplus.com/quiz/50836
Sample Questions
Q1) An approach that applies moral codes to actions drawn from realistic situations
A) criminal law
B) public law
C) ethics
D) Computer Security Act (CSA)
E) Electronic Communications Privacy Act
F) Cybersecurity Act
G) normative ethics
H) applied ethics

Answer: H
Q2) Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
A) ECPA
B) Sarbanes-Oxley
C) HIPAA
D) Gramm-Leach-Bliley
Answer: C
To view all questions and flashcards with answers, click on the resource link above.

Chapter 3: Governance and Strategic Planning for Security
Available Study Resources on Quizplus for this Chapter
52 Verified Questions
52 Flashcards
Source URL: https://quizplus.com/quiz/50837
Sample Questions
Q1) The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
A) Hold regular meetings with the CIO to discuss tactical InfoSec planning
B) Assign InfoSec to a key committee and ensure adequate support for that committee
C) Ensure the effectiveness of the corporation's InfoSec policy through review and approval
D) Identify InfoSec leaders, hold them accountable, and ensure support for them
Answer: A
Q2) Which type of planning is used to organize the ongoing,day-to-day performance of tasks?
A) Strategic
B) Tactical
C) Organizational
D) Operational
Answer: D
Q3) The ______________________ phase is the last phase of the SecSDLC, but perhaps the most important.
Answer: maintenance and change
To view all questions and flashcards with answers, click on the resource link above.

Chapter 4: Information Security Policy
Available Study Resources on Quizplus for this Chapter
56 Verified Questions
56 Flashcards
Source URL: https://quizplus.com/quiz/50838
Sample Questions
Q1) Information security policies are designed to provide structure in the workplace and explain the will of the organization's management.
A)True
B)False
Q2) In the bull's-eye model, the ____________________ layer is the place where threats from public networks meet the organization's networking infrastructure.
Q3) The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
A)True
B)False
Q4) In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
A) design
B) implementation
C) investigation
D) analysis
Q5) List the major components of the ISSP.
Q6) How should a policy administrator facilitate policy reviews?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 5: Developing the Security Program
Available Study Resources on Quizplus for this Chapter
65 Verified Questions
65 Flashcards
Source URL: https://quizplus.com/quiz/50839
Sample Questions
Q1) A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable.
A)True
B)False
Q2) What is the security education, training, and awareness program? Describe how the program aims to enhance security.
Q3) An organization's information security program refers to the entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to the information _______ of the organization.
Q4) What is the Chief Information Security Officer primarily responsible for?
Q5) Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
A) they have a larger security staff than a small organization
B) they have a larger security budget (as percent of IT budget) than a small organization
C) they have a smaller security budget (as percent of IT budget) than a large organization
D) they have larger information security needs than a small organization
To view all questions and flashcards with answers, click on the resource link above.

Chapter 6: Risk Management: Identifying and Assessing Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50840
Sample Questions
Q1) List the stages in the risk identification process in order of occurrence.
Q2) What are the included tasks in the identification of risks?
Q3) What should you be armed with to adequately assess potential weaknesses in each information asset?
A) Properly classified inventory
B) Audited accounting spreadsheet
C) Intellectual property assessment
D) List of known threats
Q4) An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
A) Risk determination
B) Assessing potential loss
C) Likelihood and consequences
D) Uncertainty
Q5) MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
A)True
B)False
Q6) For the purposes of relative risk assessment how is risk calculated?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 7: Risk Management: Controlling Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50841
Sample Questions
Q1) Which of the following is NOT an alternative to using CBA to justify risk controls?
A) benchmarking
B) due care and due diligence
C) selective risk avoidance
D) the gold standard
Q2) What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
A) cost-benefit analysis
B) exposure factor
C) single loss expectancy
D) annualized rate of occurrence
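The quantity asked about in Q2 is the cost-benefit analysis (CBA) of a safeguard, and the distractors are the building blocks that feed into it. The following is an added worked example, not code from the Quizplus study set or the Whitman textbook; the asset value, exposure factors, occurrence rates and control costs are constructed for illustration. It uses the standard quantitative relationships SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence, and CBA = ALE(prior) - ALE(post) - ACS, and goes one step beyond the question by ranking several candidate controls so that only those with a positive CBA are recommended.

```python
"""Cost-benefit analysis of candidate InfoSec controls (added example).

Formulas (standard quantitative risk assessment):
    SLE = AV x EF            single loss expectancy
    ALE = SLE x ARO          annualized loss expectancy
    CBA = ALE_prior - ALE_post - ACS
where ACS is the annualized cost of the safeguard (purchase, training,
maintenance, etc.).  All figures below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 .. 1.0)
    aro: float              # annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # ACS
    post: Scenario      # the residual risk once the control is in place


def cba(prior: Scenario, control: Control) -> float:
    """Net annual benefit of the control; positive means it pays for itself."""
    return prior.ale() - control.post.ale() - control.annual_cost


def is_justified(prior: Scenario, control: Control) -> bool:
    return cba(prior, control) > 0


def rank_controls(prior: Scenario, controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls ordered from highest to lowest CBA."""
    scored = [(c.name, cba(prior, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a public web server worth 250,000; a successful
# attack costs 40% of its value and is expected twice every four years.
PRIOR = Scenario(asset_value=250_000, exposure_factor=0.4, aro=0.5)

CANDIDATES = [
    # Reduces how often the attack succeeds, not how bad each one is.
    Control("web application firewall", 15_000, Scenario(250_000, 0.4, 0.1)),
    # Reduces the damage per incident, not its frequency.
    Control("warm-site failover", 30_000, Scenario(250_000, 0.1, 0.5)),
    # Very effective, but more expensive than the risk it removes.
    Control("managed intrusion prevention", 60_000, Scenario(250_000, 0.4, 0.05)),
]


def recommended(prior: Scenario = PRIOR, controls: List[Control] = CANDIDATES) -> List[str]:
    """Names of controls whose CBA is positive, best first."""
    return [name for name, value in rank_controls(prior, controls) if value > 0]


if __name__ == "__main__":
    print(f"ALE before controls: {PRIOR.ale():,.0f}")
    for name, value in rank_controls(PRIOR, CANDIDATES):
        print(f"{name:32s} CBA = {value:>10,.0f}")
    print("recommended:", recommended())
```

A negative CBA (the third control above) is the textbook signal that the safeguard is not economically feasible for this asset, which is the point of Q5 below; the alternatives to CBA listed in Q1 (benchmarking, due care and due diligence, the gold standard) are used when reliable AV, EF or ARO figures cannot be obtained.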
Q3) What are the four phases of the Microsoft risk management strategy?
Q4) The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
Q5) The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
A)True
B)False
To view all questions and flashcards with answers, click on the resource link above.

Chapter 8: Security Management Models
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50842
Sample Questions
Q1) Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
A)True
B)False
Q2) The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know.
A)True
B)False
Q3) The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege.
A)True
B)False
Q4) According to COSO,internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in what three categories?
Q5) Access controls are built on three key principles. List and briefly define them.
Q6) Under what circumstances should access controls be centralized vs.decentralized?
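Q1 through Q3 and Q5 hinge on keeping three principles apart that are easy to conflate: need-to-know (which records a user may see at all), least privilege (which operations a role may perform), and separation of duties (no single person completes a sensitive transaction end to end). The block below is an added example, not code from the study set or the textbook; the roles, users, project names and the "transfer" workflow are constructed for illustration. It enforces each principle as a distinct check so that a denial names which principle was violated.

```python
"""Toy authorization policy that enforces three access-control principles
as separate checks (added example; roles, users and workflow are constructed).

  need-to-know         a user may only touch records for projects they are cleared for
  least privilege      a role grants only the operations its duties require
  separation of duties the person who initiates a sensitive action cannot approve it
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


class AccessDenied(Exception):
    pass


# Least privilege: each role lists only what its duties require.  The
# "manager" role deliberately holds both transfer permissions so that the
# separation-of-duties check, not least privilege, is what stops a manager
# from approving their own transfer.
ROLE_PERMS = {
    "clerk": frozenset({"read", "initiate_transfer"}),
    "supervisor": frozenset({"read", "approve_transfer"}),
    "manager": frozenset({"read", "initiate_transfer", "approve_transfer"}),
    "auditor": frozenset({"read"}),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    projects: FrozenSet[str]  # need-to-know scope


@dataclass
class Transfer:
    id: int
    project: str
    initiated_by: Optional[str] = None
    approved_by: Optional[str] = None


def check(user: User, op: str, tx: Transfer) -> None:
    """Raise AccessDenied naming the first principle the request violates."""
    if tx.project not in user.projects:
        raise AccessDenied(f"{user.name} has no need-to-know for project {tx.project}")
    if op not in ROLE_PERMS.get(user.role, frozenset()):
        raise AccessDenied(f"role {user.role} is not permitted to {op}")
    if op == "approve_transfer" and tx.initiated_by == user.name:
        raise AccessDenied("separation of duties: initiator cannot approve own transfer")


def initiate(user: User, tx: Transfer) -> Transfer:
    check(user, "initiate_transfer", tx)
    tx.initiated_by = user.name
    return tx


def approve(user: User, tx: Transfer) -> Transfer:
    check(user, "approve_transfer", tx)
    if tx.initiated_by is None:
        raise AccessDenied("nothing to approve")
    tx.approved_by = user.name
    return tx


def try_op(fn: Callable[[User, Transfer], Transfer], user: User, tx: Transfer) -> str:
    """Run an operation and return 'ok' or the denial reason (for demonstration)."""
    try:
        fn(user, tx)
        return "ok"
    except AccessDenied as exc:
        return f"denied: {exc}"


# Constructed users: all project names and clearances are illustrative.
ALICE = User("alice", "clerk", frozenset({"proj-a"}))
BOB = User("bob", "supervisor", frozenset({"proj-a"}))
CAROL = User("carol", "manager", frozenset({"proj-a", "proj-b"}))
DAVE = User("dave", "auditor", frozenset({"proj-b"}))


if __name__ == "__main__":
    tx = Transfer(1, "proj-a")
    for label, fn, user in [
        ("clerk initiates", initiate, ALICE),
        ("clerk approves (least privilege)", approve, ALICE),
        ("auditor on other project (need-to-know)", approve, DAVE),
        ("supervisor approves", approve, BOB),
    ]:
        print(f"{label:45s} -> {try_op(fn, user, tx)}")
    tx2 = Transfer(2, "proj-b")
    print(f"{'manager initiates':45s} -> {try_op(initiate, CAROL, tx2)}")
    print(f"{'manager approves own (separation of duties)':45s} -> {try_op(approve, CAROL, tx2)}")
```

Ordering the checks as need-to-know, then least privilege, then separation of duties means a user outside the project scope learns nothing about whether the operation or the transaction exists, which is the least-disclosing failure mode.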
To view all questions and flashcards with answers, click on the resource link above.

Chapter 9: Security Management Practices
Available Study Resources on Quizplus for this Chapter
59 Verified Questions
59 Flashcards
Source URL: https://quizplus.com/quiz/50843
Sample Questions
Q1) Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?
A) Measurements must yield quantifiable information
B) Data that supports the measures needs to be readily obtainable
C) Only repeatable InfoSec processes should be considered for measurement
D) Measurements must be useful for tracking non-compliance by internal personnel
Q2) Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?
A) Why should these measurements be collected?
B) Where will these measurements be collected?
C) What effect will measurement collection have on efficiency?
D) Who will collect these measurements?
Q3) The last phase in the NIST performance measures implementation process is to apply ______________ actions that close the gap found in Phase 2.
Q4) Performance measurements are seldom required in today's regulated InfoSec environment.
A)True
B)False
To view all questions and flashcards with answers, click on the resource link above.

Chapter 10: Planning for Contingencies
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50844
Sample Questions
Q1) ____________________ planning ensures that critical business functions can continue if a disaster occurs.
Q2) In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred?
A) Desk check
B) Simulation
C) Structured walk-through
D) Parallel testing
Q3) In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation?
A) Report the findings to the proper authority
B) Acquire (seize) the evidence without alteration or damage
C) Identify relevant items of evidentiary value (EM)
D) Analyze the data without risking modification or unauthorized access
Q4) Discuss three of the five strategies that can be used to test contingency strategies.
Q5) When undertaking the BIA, what should the organization consider?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 11: Personnel and Security
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50845
Sample Questions
Q1) Provide the policies, guidelines, and standards; perform consulting and risk assessment; and develop technical architectures
A) Definers
B) Builders
C) security manager
D) security technician
E) systems programmer
F) ethics officer
G) CISSP
H) SSCP
I) SANS
J) CCE
Q2) List the six key principles that should shape the career of a CISO.
Q3) Ultimately, the _______________________ is the spokesperson for the security team and is responsible for the overall InfoSec program.
Q4) What are the qualifications and position requirements of a typical security technician?
Q5) What is the Security+ certification and who is a typical candidate for this certification?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 12: Protection Mechanisms
Available Study Resources on Quizplus for this Chapter
61 Verified Questions
61 Flashcards
Source URL: https://quizplus.com/quiz/50846
Sample Questions
Q1) Which of the following is true about firewalls and their ability to adapt in a network?
A) Firewalls can interpret human actions and make decisions outside their programming
B) Because firewalls are not programmed like a computer, they are less error prone
C) Firewalls are flexible and can adapt to new threats
D) Firewalls deal strictly with defined patterns of measured observation
Q2) A(n) ____________________ is a secret word or combination of characters known only by the user.
Q3) The "something a person has" authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics.
A)True
B)False
Q4) What is the range of the well-known ports used by TCP and UDP?
A) 1024-65,536
B) 0-1023
C) 0-65,536
D) 20, 21, 25, 53, 80
To view all questions and flashcards with answers, click on the resource link above.