IT Security and Risk Management
Final Exam Questions
Course Introduction
IT Security and Risk Management explores the principles, practices, and technologies used to protect information assets within organizations. The course examines risk assessment methodologies, threat analysis, and strategies for mitigating security risks. Topics include security policies and frameworks, legal and ethical considerations, incident response, vulnerability management, and business continuity planning. Students will gain practical knowledge on identifying security threats, managing vulnerabilities, and implementing controls that support organizational objectives, while aligning with industry standards and regulatory requirements.
Recommended Textbook Management of Information Security 5th Edition by Michael E. Whitman
Available Study Resources on Quizplus
12 Chapters
706 Verified Questions
706 Flashcards
Source URL: https://quizplus.com/study-set/2555


Chapter 1: Introduction to the Management of Information Security
Available Study Resources on Quizplus for this Chapter
63 Verified Questions
63 Flashcards
Source URL: https://quizplus.com/quiz/50835
Sample Questions
Q1) One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail.
A) True
B) False
Answer: False
Q2) What do audit logs that track user activity on an information system provide?
A) identification
B) authorization
C) accountability
D) authentication
Answer: C
Q3) ____________________ is unsolicited commercial e-mail.
Answer: Spam
Q4) Which of the following is not among the 'deadly sins of software security'?
A) Extortion sins
B) Implementation sins
C) Web application sins
D) Networking sins
Answer: A
To view all questions and flashcards with answers, click on the resource link above.
Chapter 2: Compliance: Law and Ethics
Available Study Resources on Quizplus for this Chapter
50 Verified Questions
50 Flashcards
Source URL: https://quizplus.com/quiz/50836
Sample Questions
Q1) Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.
Answer: cultural mores
Q2) Information ____________ occurs when pieces of non-private data are combined to create information that violates privacy.
Answer: aggregation
Q3) Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
A) criminal law
B) public law
C) ethics
D) Computer Security Act (CSA)
E) Electronic Communications Privacy Act
F) Cybersecurity Act
G) normative ethics
H) applied ethics
Answer: B
To view all questions and flashcards with answers, click on the resource link above.

Chapter 3: Governance and Strategic Planning for Security
Available Study Resources on Quizplus for this Chapter
52 Verified Questions
52 Flashcards
Source URL: https://quizplus.com/quiz/50837
Sample Questions
Q1) The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________.
A) chief information security officer
B) security technician
C) security manager
D) chief technology officer
Answer: C
Q2) Contrast the vision statement with the mission statement.
Answer: If the vision statement states where the organization wants to go, the mission statement describes how it wants to get there.
Q3) In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
Answer: penetration
Q4) _________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
Answer: Physical
To view all questions and flashcards with answers, click on the resource link above.

Chapter 4: Information Security Policy
Available Study Resources on Quizplus for this Chapter
56 Verified Questions
56 Flashcards
Source URL: https://quizplus.com/quiz/50838
Sample Questions
Q1) An organizational policy that provides detailed,targeted guidance to instruct all members of the organization in the use of a resource,such as one of its processes or technologies.
A) capability table
B) statement of purpose
C) Bull's eye model
D) SysSP
E) Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP
Q2) What are configuration rules? Provide examples.
Q3) Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
A) can suffer from poor policy dissemination, enforcement, and review
B) may skip vulnerabilities otherwise reported
C) may be more expensive than necessary
D) implementation can be less difficult to manage
To view all questions and flashcards with answers, click on the resource link above.

Chapter 5: Developing the Security Program
Available Study Resources on Quizplus for this Chapter
65 Verified Questions
65 Flashcards
Source URL: https://quizplus.com/quiz/50839
Sample Questions
Q1) ____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.
Q2) An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems.
Q3) The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
A) True
B) False
Q4) What is the Chief Information Security Officer primarily responsible for?
Q5) In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project.
A) True
B) False
Q6) An organization's information security program refers to the entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to the information _______ of the organization.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 6: Risk Management: Identifying and Assessing Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50840
Sample Questions
Q1) As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
Q2) MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
A) True
B) False
Q3) Describe the use of an IP address when deciding which attributes to track for each information asset.
Q4) The information technology management community of interest often takes on the leadership role in addressing risk.
A) True
B) False
Q5) List the stages in the risk identification process in order of occurrence.
Q6) An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection.
A) True
B) False
Q7) What are the included tasks in the identification of risks?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 7: Risk Management: Controlling Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50841
Sample Questions
Q1) What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
A) probability calculation
B) documented control strategy
C) risk acceptance plan
D) mitigation plan
Q2) Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?
A) organizational feasibility
B) political feasibility
C) technical feasibility
D) operational feasibility
Q3) Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach?
A) incident response plan
B) business continuity plan
C) disaster recovery plan
D) damage control plan
To view all questions and flashcards with answers, click on the resource link above.

Chapter 8: Security Management Models
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50842
Sample Questions
Q1) Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.
A) True
B) False
Q2) According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in what three categories?
Q3) Access controls are built on three key principles. List and briefly define them.
Q4) Lattice-based access controls use a two-dimensional matrix to assign authorizations; what are the two dimensions and what are they called?
Q5) Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec,and was created by ISACA and the IT Governance Institute?
A) COBIT
B) COSO
C) NIST
D) ISO
Q6) Under what circumstances should access controls be centralized vs. decentralized?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 9: Security Management Practices
Available Study Resources on Quizplus for this Chapter
59 Verified Questions
59 Flashcards
Source URL: https://quizplus.com/quiz/50843
Sample Questions
Q1) A company striving for 'best security practices' makes every effort to establish security program elements that meet every minimum standard in their industry.
A)True
B)False
Q2) Compare and contrast accreditation and certification.
Q3) The data or the trends in data that may indicate the effectiveness of security countermeasures or controls (technical and managerial) implemented in the organization.
A) Accreditation
B) Baseline
C) Benchmarking
D) Certification
E) due diligence
F) best security practices
G) recommended business practices
H) standard of due care
I) performance measurements
J) NIST SP 800-37
Q4) Describe the three-tier approach of the RMF as defined by NIST SP 800-37.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 10: Planning for Contingencies
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50844
Sample Questions
Q1) A(n) ____________________ occurs when an attack affects information resources and/or assets, causing actual damage or other disruptions.
Q2) In the event of an incident or disaster,which planning element is used to guide off-site operations?
A) Project management
B) Business continuity
C) Disaster recovery
D) Incident response
Q3) A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery.
A) True
B) False
Q4) List the seven steps of the incident recovery process according to Donald Pipkin.
Q5) Which document must be changed when evidence changes hands or is stored?
A) Chain of custody
B) Search warrant
C) Affidavit
D) Evidentiary material
To view all questions and flashcards with answers, click on the resource link above.

Chapter 11: Personnel and Security
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/50845
Sample Questions
Q1) Temporary workers, often called temps, may not be subject to the contractual obligations or general policies that govern other employees.
A) True
B) False
Q2) Provide the policies, guidelines, and standards; perform consulting and risk assessment; and develop technical architectures.
A) Definers
B) Builders
C) security manager
D) security technician
E) systems programmer
F) ethics officer
G) CISSP
H) SSCP
I) SANS
J) CCE
Q3) Describe the certifications developed by SANS. How are they different from InfoSec certifications like CISSP and SSCP?
Q4) What are some of the common qualifications for a CISO?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 12: Protection Mechanisms
Available Study Resources on Quizplus for this Chapter
61 Verified Questions
61 Flashcards
Source URL: https://quizplus.com/quiz/50846
Sample Questions
Q1) A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network, for example, restricting user access to Web sites with material that is not related to business, such as pornography or entertainment.
A) VPN
B) transport mode
C) SSL
D) PKI
E) digital certificate
F) asymmetric encryption
G) Vernam cipher
H) transposition cipher
I) content filter
J) footprinting
Q2) Describe in basic terms what an IDPS is.
Q3) ____________________ presents a threat to wireless communications, a practice that makes it prudent to use a wireless encryption protocol to prevent unauthorized use of your Wi-Fi network.
Q4) A(n) ____________________ is a secret word or combination of characters known only by the user.
To view all questions and flashcards with answers, click on the resource link above.