Questions and Answers of
Principles Of Information Security
Recognize that the cornerstone of many computer-related federal laws as mentioned in the text is the Computer Fraud and Abuse Act of 1986 (CFA Act or CFAA). Recall that the CFAA was amended in 1996
True or False: Regardless of what information a company manages, it is shielded from local and state laws and regulations because the federal laws supersede them.
Which of the following is an American contribution to an effort to improve copyright protection internationally? a. Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) b. Digital
Which of the following respected professional societies was founded in 1947 as "the world’s first educational and scientific computing society"? a. Council of Europe Convention on Cybercrime b. SANS c.
Illustrate to students that intellectual property is recognized as a protected asset in the United States. U.S. copyright laws extend this privilege to the published word, which includes electronic
What is the name of a nonprofit organization that focuses on the development and implementation of information security certifications? a. International Information Systems Security Certification
Recall that the Sarbanes–Oxley Act of 2002, which is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms, seeks to
True or False: The Federal Bureau of Investigation (FBI) is the federal agency responsible for signal intelligence and information system security of classified systems.
Justify that this law provides the right of any person to request access to federal agency records or information not determined to be a matter of national security. These requests must be provided
True or False: The National Security Agency (NSA) is responsible for the security of all national critical infrastructure.
Explain that the Payment Card Industry (PCI) Security Standards Council offers a standard of performance to which participating organizations must comply. Point out that it is not a law, but is a
Remind students that in addition to the national and international restrictions placed on organizational use of computer technology, each state or locality may have a number of its own applicable
Determine that it is important for IT professionals and information security practitioners to realize that when their organizations do business on the Internet, they do business globally. This is
Compare and contrast laws that are enforceable in the United Kingdom (U.K.) with the ones that have been described in the United States. Those of importance described in the text are the
Review laws that are currently enforceable in Australia and determine how they are similar to, yet different from, the ones in place here in the United States. Discuss with students the following laws
Explain how the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO), introduced intellectual property rules into the multilateral
Explain how the Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially
Justify that many professional groups have explicit rules governing ethical behavior in the workplace. Note that the information technology and security fields do not have a binding code of
Review the findings from the study and draw conclusions from the following observations from the study results: Overall, most of the nations studied had similar attitudes toward software
Demonstrate that there was a common theme between countries where participants condemned viruses, hacking, and other forms of system abuse. Establish the fact, though, that there were different
Emphasize that employees must be trained and kept aware of many topics related to information security, not the least of which are the expected behaviors of an ethical employee and cultural
Explain that most IT and information security organizations have their own codes of ethics, and what is contained in them may vary from one another.
Distinguish to students that (ISC)² is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials. Its code of ethics is
Describe the System Administration, Networking, and Security Institute (SANS), a professional organization with a large membership group, with over 153,000 members since its inception in 1989, that is
Relate that this organization was originally known as the Information Systems Audit and Control Association. ISACA is a professional association that focuses on auditing, control, and security. The
Comment that this organization is a nonprofit society of information security professionals. As a professional association, its primary mission is to bring together qualified practitioners of
Explain that this is a security organization founded by Jay Bavisi that offers a variety of security, technical, and managerial certifications. This includes its renowned Certified Ethical Hacker
Discuss the key U.S. federal agencies charged with the protection of American information resources and the investigation of threats to, or attacks on, these resources.
Describe the Department of Homeland Security (DHS), created in 2003 through the Homeland Security Act of 2002, which was passed in response to the events of September 11, 2001. Outline the structure
Explain that the U.S. Computer Emergency Readiness Team (US-CERT) is a division of DHS’s National Cybersecurity and Communications Integration Center (NCCIC).
Describe the U.S. Secret Service, which was relocated from the Department of the Treasury to the DHS in 2002. It has been charged with the responsibility of safeguarding the nation’s financial
Recognize that this group is the primary U.S. law enforcement agency, and it investigates both traditional crimes and cybercrimes, as well as works with the U.S. Attorney’s Office to prosecute
Explain that the national InfraGard program began as a cooperative effort between the FBI’s Cleveland field office and local technology professionals, and it was established in January
Identify the purpose of the NSA and what it is responsible for within the federal government. Discuss the following with students with respect to this agency: The NSA is responsible for signals
Define what an incident response is and how it is similar to or different from an adverse event. Express concern that incident responses depend on the quick, efficient, and timely containment of an issue
True or False: The three communities of interest are general management, operations management, and information security management.
Discuss the view that information security is unlike any other aspect of information technology. The primary mission is to ensure things stay the way they are. Point out that if there were no threats
Hackers of limited skill who use expertly written software to attack a system are known as which of the following? a. Cyber terrorists b. Script kiddies c. Jail breakers d. Social engineers
Explain that without the underlying business to generate revenue and use information, the information is likely to lose value and the need for it would go to zero. Stress that the decisions that need to be
Which of the following occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it? a.
Discuss the fact that general management, IT management, and information security management are responsible for implementing information security to protect the ability of the organization to
Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways? a. Cyber attackers b. Electronic terrorists c. Cyberterrorists d. Electronic hackers
Stress to students that they should understand that many organizations realize that one of their most valuable assets is their data. Without data, an organization loses its record of transactions
True or False: Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during the war in Kosovo.
Distinguish an understanding that a modern organization needs to create an environment that protects and safeguards applications, specifically ones that are important elements to the infrastructure
True or False: When looking at forces of nature that could cause destruction or damage to information systems, electrostatic discharge (ESD) is not considered to be one of them.
Relate to students that as an organization grows, so does its need for more robust technologies and commercial-grade solutions. Explain the example that is provided in the textbook that lists core
Using a known or previously installed access mechanism is known as which of the following? a. Hidden bomb b. Vector c. Spoof d. Back door
Remind students that to make sound decisions about information security as well as to create and enforce policies, management must be informed of the various kinds of threats facing the organization
True or False: When a program tries to reverse-calculate passwords, this is known as a brute force spoof.
True or False: Warnings of attacks that are not valid are usually called hoaxes.
What is another name for a man-in-the-middle attack? a. TCP hijacking b. Mail bombing c. Spoofing d. Denial of service
Introduce students to the CAPEC Web site, which can be used by security professionals to understand attacks. Explain that this resource is a good tool for information security professionals to use to
Which of the following is an application error that occurs when more data is sent to a program buffer than it is designed to handle? a. Buffer underrun b. Buffer overrun c. Heap overflow d. Heap attack
True or False: A SQL injection occurs when developers fail to properly validate user input before using it to query a relational database.
Explain that many organizations create or support the development of intellectual property (IP) as part of their business operations. Intellectual property is defined as “the ownership of ideas and
True or False: The Domain Name System (DNS) is a function of the World Wide Web that converts a URL (Uniform Resource Locator) such as www.course.com into the IP address of the Web server host.
Emphasize to students that the most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy. Outline that in addition to the laws
Discuss that enforcement of copyright laws has been attempted through several technical security mechanisms, such as digital watermarks, embedded code, and copyright codes. Identify that online
Summarize that concerns in this category represent situations in which a product or service is not delivered to the organization as expected. Explain that the organization’s information system
Describe communications and other service provider issues: other utility services can impact organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television,
Describe power irregularities: irregularities from power utilities are common and can lead to fluctuations, such as power excesses, power shortages, and power losses. In the United States, we are
Emphasize that an attack is a deliberate act that exploits a vulnerability to compromise a controlled system. This attack can consist of specially crafted software that attackers trick users into
Explain that the Council of Europe adopted the Convention on Cybercrime in 2001. It provides for the creation of an international task force to oversee a range of security functions associated with
What is the term for the actions taken by management that specify the organization's efforts and actions if an adverse event becomes an incident or disaster? a. CSIRT plan b. Contingency planning c.
Emphasize that the purpose of this module focuses on plans that are made for adverse events and for when the technologies an organization uses are disrupted and business comes to a halt. Stress that
Which of the following is NOT a stage as described in NIST’s SP 800-34, Rev. 1? a. Determine mission/business process and recovery criticality. b. Identify resource requirements. c. Identify recovery
Providing customer billing as mentioned in the text is an example of what? a. Potential incident that can occur in an organization b. Additional resource detail c. Mission/business process d. Description
Define the purpose of the business impact analysis (BIA). Stress that this document is the first major component of the CP process and what it is intended for. As mentioned in the text, it serves as
True or False: The NIST Cybersecurity Framework has a total of four processes that are cyclical in nature.
True or False: Remote journaling is the process in which an organization can transfer live transactions to an off-site facility.
True or False: An alert roster is often done in one of two ways: sequentially or hierarchically.
Recall that the final step of the BIA is to prioritize the resources associated with the mission/business processes. This is best done to determine what needs to be recovered first, even with the
Which of the following is NOT part of the disaster recovery policy? a. Financing b. Purpose c. Exercise and testing schedules d. Scope
Identify that the CP team should work to develop the policy environment that will enable the BIA process and should provide specific policy guidance toward authoring the creation of each of the
What type of data acquisition is performed when information is taken off as a protected copy while a system is live, for the purpose of business continuity? a. Offline b. Online c. Transitory d.
A ________ is sworn testimony that certain facts are in the possession of an investigating officer, and they warrant the examination of specific items located in a location. a. Memorandum b. Piece of
In a ________, the organization creates a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and is expected to react as if it had occurred. a.
Which of the following is a primary responsibility of the CPMT? a. Conducting a building walk-through during an emergency b. Securing financing so that physical infrastructure can be immediately
True or False: The term chain of evidence is also known as a chain of custody.
Stress that hackers posing as friendly help-desk associates or repair techs have an easy inroad into servers and systems even if they resolve a user’s issue. Critique the scenario where
Detail the net effects a flood can have on a facility and computing equipment. On top of damaging the systems, building access may also be compromised. Explain that this specific threat often may be
Present that an earthquake can cause direct damage to information system equipment and/or the facilities that house the equipment. Stress that not only physical structures are at risk. Give the
Illustrate what a lightning strike is. It is an abrupt, discontinuous natural electric discharge in the atmosphere. Recognize that lightning strikes not only can damage all or part of an information
Relate that these are downward slides of masses of earth, rock, or snow and are sometimes sudden or come with minimal notice for evacuations to take place. Direct students to understand the impacts here to
Contrast the differences between a tornado and wind shear events. Denote that a tornado striking a facility housing the information systems can directly damage all or part of the structure, depending on the
Compare the difference between a typhoon and a hurricane. Stress that excessive rainfall and high winds from these storms can directly damage all or part of the information system or, more likely, the
Describe the impact of a tsunami and the severity of impact that just one event may cause. Apply the tsunami that occurred in 2011 as a threat that affected the world directly and indirectly. Explain
Relate that dust particle buildups and debris inside systems can dramatically reduce the effectiveness and efficiency of the equipment. This often leads to unexpected shutdowns and overheating. Stress
Detail the purpose of cyberterrorism and what the United States and other government bodies are doing to combat this. Differentiate between the three examples provided in the text with respect to
Illustrate that one of the best-known hardware failures was the Intel Pentium II chip. Since a simple quotient problem caused systems to crash, the Pentium floating-point division bug (FDIV) led to a
Summarize that the protection function is done through a set of risk management activities in addition to protection mechanisms, technologies, and tools. Note that these are critical pieces of an
Stress that this section of the policy provides strict guidance with respect to where technology is prohibited to be used. Predict the fact that an organization and its employees cannot be penalized
Explain that this section provides focus on the users’ relations to systems management. Emphasize that it is important to identify all responsibilities delegated to both users and systems
Explain that this is a new practice in the workplace, which can assist with some of the busywork policy managers have to deal with. Outline that automation streamlines the repetitive steps of writing
Emphasize that everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information
Relate how security training involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely. Present how
Stress that a security awareness program is one of the least frequently implemented but most beneficial programs in an organization. Explain that a security awareness program is designed to keep
Recognize that this is an excellent reference and guide for a security manager or administrator in the routine management of information security. Stress that it, however, provides little guidance for