ET 115 ch1-ch6 Quiz

Chapter 1
1. Which of the following college curriculum is more appropiated for a career in

network/info security?
A) business administration
B) computer information systems
Feedback: Page 1
C) both of the above
D) none of the above
Feedback: Page 1Points Earned: 0.0/7.0
Correct Answer(s): C
2. Which group is responsible for ensuring that systems are auditable and pro
tected from excessive privileges?
A) compliance officers
B) access coordinators
Feedback: Pages 9 and 10
C) security administrators
D) policy makers
Feedback: Pages 9 and 10Points Earned: 0.0/7.0
3. Sound network/Info Security policy:

A) is a balance between the cost of protecting information and resourses and the
value of those items being protected.
B) is worth any price.
C) belongs exclusively to the IT department.
D) results in unique practices and polices specific to the owning IT department.
Feedback: Page 8
Correct Answer(s): A
4. Careers in Information and Network Security are booming because of which f

actors
A) threats of cyber terrorism
B) government regulations
C) growth of the Internet
D) All of the above
Correct Answer(s): D
5. A career in network/info security:

A) has better job growth outlook than other areas of IT.
Feedback: Page 4
B) is limited by programing languages the candidate knows.
C) will eventually disappear with improvements in network/info security tools.
D) is a highly complex but narrow disapline.
6. A good definition of network/info security should include:

A) security policies and procedures.
Feedback: Page 9
B) intentional attacks only.
C) unintentional attacks only.
D) none of the other listed answers.
7. Which of the following would be part of a program in network/info security

? Select all correct answers.
A) laws and ethical practices.
Feedback: Page 8
B) file and access controls
Feedback: Page 8
C) probability and statistics.
Feedback: Page 8
D) None of the other answers are fit topics for such a program.
Correct Answer(s): A , B , C
8. The growing demand for network/information security specialists is occurri

ng predominately in what types of organizations?
A) government
B) corporations
C) not-for-profit organizations
D) all of the above answers
Feedback: Page 3
E) none of the above answers
9. Which of the following groups help security development teams with risk an
alysis?
A) security testers
B) compliance officers
C) security consultants
D) security architects
10. Information security is discipline that manages which of the following? (
Select all correct answers.
A) technology
Feedback: All of Chapter 1
B) people
C) processes
D) oraganizations
Points Earned: 6.0/8.0
Correct Answer(s): A , B , C , D
11. Which of the following would make an individual seeking a career in netwo
rk/info security more marketable?
A) CISSP certification
Feedback: Pages 5 & 6
B) GIAC certification
C) evaluating virus and network protection products in a home lab
D) all of the above answers
Feedback: Pages 5 & 6Points Earned: 0.0/7.0
12. The three objectives of network/information security are:

A) confidentiality, integrity, and availability
Feedback: Page 2
B) confidentiality, secrecy, and privacy
C) resilience, privacy, and safety
D) safety, access control, and secrecy
13. What is meant by the umbrella of InfoSec?

A) When it rains it pours.
B) Network/Info Security incorporates many different pursuits and disciplines.
Feedback: Page 9
C) Just as it is bad luck to open an umbrella indoors, it's equally bad luck to
not have a Network/Info Security policy.
D) Network/Info Security policies, like umbrellas, should never be loaned to oth
ers as they are easily lost or misused.
Correct Answer(s): B
Chapter 2
1. A weakness in a system that may possibly be exploited is called a(n):
A) risk.
B) exposure.
Feedback: Page 28
C) vulnerability.
D) threat.
2. The two types of security requirements are:

A) logical and physical.
B) logical and assurance.
C) functional and logical.
D) functional and physical.
E) functional and assurance.
Feedback: Page 26
Correct Answer(s): E
3. The CIA triad is usually represented as a:

A) ellipse
B) circle
C) diagonal
D) triangle.
Feedback: Page 22
4. The three goals of network/information security are:

A) safety, access control, and secrecy
B) confidentiality, integrity, and availability
Feedback: Page 21
C) resilience, privacy, and safety
D) confidentiality, secrecy, and privacy
5. The three types of security controls that are necessary to secure a networ
k or system are:
A) people, functions, and technology.
Feedback: Page 29
B) people, process, and technology.
C) technology,roles, and separation of duties.
D) separation of duties, processes, and people.
6. A cookbook on how to take advantage of a vulnerability is called a(n):

A) risk.
B) program.
C) exploit.
Feedback: Page 29
D) threat.
7. Related to network/info security, confidentiality is the opposite of which

of the following?
A) disclosure
Feedback: Page 21
B) disposal
C) closure
D) diaster
8. Making sure that data hasn't been changed unintentionally due to accident
or malice is:
A) availability
B) auditability
Feedback: Page 22
C) integrity
D) confidentially
9. The probability that a threat to a information system/network will materia

lize is called:
A) hole
B) vulnerability
C) threat
D) risk
10. Defense in Depth is needed to assure that which three mandatory activitie
s are present in a security system?
A) prevention, response, and management
B) prevention, detection, and response
Feedback: Page 23
C) response, collection of evidence, and prosecution
D) prevention, response, and prosecution
11. Functional requirements describe:
A) quality assurance description and testing approach.
B) what a security system should do by design
Feedback: Page 26
C) how to implement the system.
D) what controls a security system must implement.
12. The weakest link in any security system is the:

A) process element.
B) technology element.
C) Answers B and C
Feedback: Page 23
D) human element.
Chapter 3
1. ISC2 was formed for which of the following purposes
A) certifying industry professionals and practitioners in an international IS st
andard
B) all of the above
C) ensuring credentials are maintained, primarily through continuing education
D) maintaining a Common Body of Knowledge for network and information security
Feedback: See page 41.
Feedback: See page 41.Points Earned: 0.0/1.0
2. The Business Continuity domain includes:

A) plans for recovering business operations in the event of loss of access by pe
rsonnel
B) documented plans for interacting with law enforcement
C) maintenance of current versions of all software in use by the organization
D) management practices to determine business risks
3. The Physical Security domain includes:

A) a code of conduct for employees
B) perimeter security controls and protection mechanisms
C) data center controls and specifications for physically secure operations
D) Both answers "B" and "C"
Feedback: See pages 44 and 45.Points Earned: 0.0/1.0
4. The Network Security Architecture and Models domain includes:
A) concepts and principles for secure designs of computing
B) concepts and principles for secure application development
C) concepts and principles for secure programs
D) concepts and principles for secure operations
5. People more interested in certifying themselves as security technical prac

titioners should consider preparing for which of the following?
A) CISA
B) CISSP
C) CISM
D) GAIC
6. The CBK contains:

A) 9 domains
B) 7 domains
C) 5 domains
D) 3 domains
E) 10 domains
F) 11 domains
G) 6 domains
Correct Answer(s): E
7. The Application Development Security domain includes:

A) a quality assurance testing of custom-developed software
B) a recipe book for developers to follow in building secure applications
C) a language guide on programming security functions
D) an outline for the software development environment to address security conce
rns
8. The Access Control Systems and Methodology domain includes:

A) a methodology for applications development
B) instructions on how to install perimeter door security
C) a methodology for secure network/data center operations
D) a collection of mechanisms to create secure architectures for asset protectio
n
9. Security Management Practices domain includes:

A) identification of security products
B) documented policies, standards, procedures, and guidelines
C) management of risks to corporate assests
D) answers B and C only
10. The Operation Security domain includes:

A) a mechanism to detect a physical intrusion into a data center
B) identification of procedural controls over hardware, media, and personnel
C) evidence collection and preservation for computer crimes
D) password management
11. The Telecommunications, Network, and Internet Security domain includes:

A) technology, principles, and best practices to secure telephone networks
B) technology, principles, and best practices to secure corporate data networks
C) technology, principles, and best practices to secure Internet attached networ
ks
D) All of the above
12. The Law, Investigation, and Ethics domain includes:

A) a council to determine the ethical behavior of security personnel
B) methods to investigate computer crime incidents
C) teams of lawyers to determine the legality of security decisions
D) private law enforcement personnel
13. People more interested in certifying themselves as security experts in a

business context should consider preparing for which certification?
A) CompTIA's Security + and GIAC
B) Symantec Technology Architect and CompTIA's Security +
C) CISA and CISM
D) GAIC and Cisco Firewall Specialist
14. The network/information security Common Body of Knowledge is

ISC2
A) a compilation and distillation of all security information collected internat
ionally of relevance to network/information security professionals
B) a volume of books published by ISC2
C) an encyclopedia of information security principles, best practices, and regul
ations
D) a reference list of books and other publications put together by practitioner
s in network/information security
Feedback: See Page 42.Points Earned: 0.0/1.0
15. The Cryptological domain includes:

A) tools and techniques to intercept competitor's secrets
B) principles, means, and methods to disguise information to assure confidential
ity, integrity, and authenticity
C) procedures on how to protect Internet communications
D) procedures on how to discover cryptographic keys
Feedback: See page 46
Feedback: See page 46Points Earned: 0.0/1.0
Chapter 4
1. 24. Step-by-step directions to execute a specific security activity is referr
ed to as a:
A) Standard
B) Guideline
C) Regulation
D) Procedure
2. Which of the following would be the first step in establishing a network/i

nformation security program?
A) purchase of security access control software
B) development and implementation of a network/information security standards ma
nual
C) adoption of a corporate network/information security policy statement
D) development of a security awareness-training program for employees
3. What can be best defined as high-level statements, beliefs, goals, and obj
ectives?
A) standards
B) guidelines
C) policies
D) procedures
4. Within Network and IT security, which of the following combinations best d

escribe risk
A) threat coupled with a breach of security
B) threat coupled with an attack
C) threat coupled with a vulnerability
Feedback: See pages 78 - 79.
D) vulnerability coupled with a breach
Feedback: See pages 78 - 79.Points Earned: 1.0/1.0
5. Which of the following is not part of a security policy?

A) statement of management intent, supporting the goals and principles of inform
ation security
B) definition of the overall steps of information security and the importance of
security
C) description of specific technologies used in the field of information securit
y regulations
D) definition of general and specific responsibilities for information security
management
Feedback: See pages 60 and 63
Feedback: See pages 60 and 63Points Earned: 0.0/1.0
6. Which of the following is an advantage of qualitative over quantitative ri

sk analysis?
A) It prioritizes the risks and identifies areas for imediate improvement in add
ressing the vulnerabilities.
B) It makes a cost-benefit analysis of recommended controls easier.
C) It can be easily automated.
D) It provides specific quantifiable measurements of th magnitude of the impacts
.
7. An effective security policy would not have which of the following charact
eristics?
A) specify areas of responsibility and authority
Feedback: See pages 59-70.
B) be understandable and supported by all stakeholders
C) include seperations of duty
D) be designed for short to mid-term focus
Feedback: See pages 59-70.Points Earned: 0.0/1.0
8. Step by step instructions used to satisfy control requirements are called

a
A) guideline.
B) procedure.
Feedback: See pages 71 and 74.
C) standard.
D) policy.
9. Controls are implemented to

A) eliminate risk and eliminate potential for loss
B) mitigate risk and reduce the potential for loss
C) eliminate risk and reduce potential for loss
D) mitigate risk and eliminate the potential for loss
10. Which of the following shouldn't be addressed by employee termination pra

ctices?
A) removal of the employee from active payroll files
B) employee bonding to protect against losses due to theft
C) return of access badges
D) deletion of assigned logon ID and passwords to prohibit system access
11. Which of the following would be defined as an absence or weakness of a sa

feguard that could be exploited?
A) an exposure
B) a threat
C) a risk
D) a vulnerability
12. What can be defined as an event that could cause harm to network/informat
ion system?
A) a weakness
B) a threat
C) a vulnerability
D) a risk
13. A(n) ____________ policy might prescribe the need for information securit
y and may delegate the creation and management of the program.
A) System-specific
B) Programme-level
C) Programme-framework
D) Issue-specific
14. What is the difference between advisory and regulatory security policies?
A) Regulatory policies are high-level policies, whereas advisory policies are ve
ry detailed
B) Advisory polices are mandated and regulatory polies are not.
C) There are no differences between them
D) Advisory polices provide recommendations
Feedback: See pages 70 and 71.
15. 23. The supporting documents derived from policy statements include which
of the following? Select all correct answers.
A) Regulations
B) Procedural maps
C) Standards and baselines
D) Guidelines
Correct Answer(s): A , C , D
Chapter 5
1. Which Orange Book security rating introduces security labels?
A) B1
B) C2
C) B2
D) B3
2. Which of the listed Orange Book ratings represent the highest security lev
el?
A) F6
B) B1
C) C2
D) B2
3. Which of the following uses a specific OS and lacks a standard interface t

o connect to other systems?
A) Finite-state machine
B) None of the above
C) Open system
D) Closed system
4. What can best be defined as the sum of protection mechanisms inside a comp
uter, including hardware, firmware, and software?
A) security kernel
B) security perimeter
C) trusted system
D) trusted computing base
5. Functional requirements and assurance requirements answer which of the fol

lowing questions?
A) Both of the above
B) Does the system do the right things?
C) None of the above
D) Does the system do the right things in the right way?
6. Which Orange Book hierarchical levels requires mandatory protections

A) Divisions B and C
B) Divisions A and B
Feedback: See pages 99-101
C) Divisions A, B, and C
D) Divisions D and B
Feedback: See pages 99-101Points Earned: 1.0/1.0
7. What is the Biba security model concerned with?
A) availability
B) integrity
C) confidentiality
D) reliability
8. Which of the following statements about the CC is NOT true?

A) Users and developers defining security requirements ignore environmental thre
ats
B) CC breaks functional and assurance requirements into distinct elements
C) CC provides a common language for security requirements
D) Users and developers of IT security products create protection profiles
9. Which of the following isn't a method to protect subjects, objects, and da

ta within the objects?
A) layering
B) abstraction
C) data hiding
D) data mining
10. Which of the following places the Orange Book classifications in order fr
om most secure to least secure?
A) Division D, Division B, Division A, Division C
B) Division A, Division B, Division C, Division D
C) Division D, Division C, Division B, Division A
D) Division C, Division D, Division B, Division A
11. What is the main concern of the Bell-LaPadula security model?

A) availability
B) confidentiality
C) integrity
D) accountability
12. The ITSEC was written to address which of the following that the Orange B
ook did not address?
A) integrity and confidentiality
B) confidentiality and availability
C) none of the above
D) integrity and availability
13. The Orange Book is founded upon which security model?

A) the Biba model
B) TEMPEST
C) the Bell-LaPadula model
D) the Clark-Wilson model
14. What does CC stand for?

A) enCrypted Communications
B) Common Criteria for Information Security Evaluation
C) Circular Certificate rollover
D) Certificate Creation
15. Which of the following choices describes a condition when RAM and seconda
ry storage are used together?
A) real storage
B) primary storage
C) virtual storage
D) secondary storage
Chapter 6
1. Which of the following would be considered a man-made disaster?
A) earthquake
B) wildcat strike
C) tornado
D) flooding caused by a hurricane
2. The primary goal of a DRP is to:

A) reassure employees that the organization puts their safety above all else.
B) protect the image of the organization above all.
C) educate employees about emergency evacuation procedures
D) alarm employees as a call to arms.
3. The scope definition of the BCP should include all of the following EXCEPT
:
A) prioritizing critical business processes.
Feedback: See page bottom of page 127 and the top of page 128.
B) calculating the value and cost of continuing important business processes.
C) assessing the cost to the business if critical services are disrupted.
D) performing a dry run of emergency fire and medical evacuation procedures.
Feedback: See page bottom of page 127 and the top of page 128.Points Earned: 0.
0/1.0
4. What is a mobile unit site?

A) a SWAT team that provides first-response service.
B) a backup power supply, typically a diesel or gasoline generator.
C) fully equipped recovery site on wheels.
D) a convenient means for employees to give blood.
5. What is the purpose of a BIA?

A) To define a strategy that minimizes the effect of disturbances and allow for
the resumption of business processes.
B) To emphasize the organization's commitment to employees and vendors.
C) To create a document that's used to help management understand what impact a
disruptive event would have on the business.
D) To work with executive management to develop a DRP.
6. According to the Gartner Group:

A) Organizations with fewer than 100 employees generally do not need a DRP.
B) Organizations with sound business continuity plans never experience an interr
uption of business.
C) The BCP and DRP are interchangeable most organizations.
D) Approximately 40% of business that experience a disaster of some sort go out
of business.
7. Which of the following options would not be considered in a disaster recov

ery plan or business continuity plan?
A) Multiple centers to spread processing across sites
B) New business
C) Service bureaus for fast response
D) Mobile units provided by a third party
8. The BIA prioritizes systems for recovery and ____________ are at the top o
f the list.
A) Less critical systems
B) Mission-required systems
C) Mission-critical systems
D) Nice to have systems
9. What is a benefit of cold sites?

A) high cost
B) hardware and communication links
C) quick recovery
D) low cost
10. Using multiple centers as a recovery site has what main disadvantage?
A) Services may be shared between in-house and out-side services.
B) Processing is shared by multiple sites.
C) Multiple center offer redundant processing.
D) Multiple centers are more difficult to administer than other types.
11. What is the prime priority of disaster recovery?

A) protecting hardware
Feedback: See page 124 (Mid-page).
B) personnel safety
C) transaction processing
D) protecting software
Feedback: See page 124 (Mid-page).Points Earned: 0.0/1.0
12. Why is a BCP important?

A) It has spawned a new cottage industry for business planning experts.
B) It minimizes disruption in business continuity.
C) It eliminates risk in an organization.
D) The public is unaware of problems within the organization.

ET 115 ch1-ch6 Quiz

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ET 115 ch1-ch6 Quiz

Uploaded by

Copyright:

Available Formats

Chapter 1

1. Which of the following college curriculum is more appropiated for a career in

3. Sound network/Info Security policy:

4. Careers in Information and Network Security are booming because of which f

5. A career in network/info security:

6. A good definition of network/info security should include:

7. Which of the following would be part of a program in network/info security

8. The growing demand for network/information security specialists is occurri

12. The three objectives of network/information security are:

13. What is meant by the umbrella of InfoSec?

2. The two types of security requirements are:

3. The CIA triad is usually represented as a:

4. The three goals of network/information security are:

6. A cookbook on how to take advantage of a vulnerability is called a(n):

7. Related to network/info security, confidentiality is the opposite of which

9. The probability that a threat to a information system/network will materia

12. The weakest link in any security system is the:

2. The Business Continuity domain includes:

3. The Physical Security domain includes:

5. People more interested in certifying themselves as security technical prac

6. The CBK contains:

7. The Application Development Security domain includes:

8. The Access Control Systems and Methodology domain includes:

9. Security Management Practices domain includes:

10. The Operation Security domain includes:

11. The Telecommunications, Network, and Internet Security domain includes:

12. The Law, Investigation, and Ethics domain includes:

13. People more interested in certifying themselves as security experts in a

14. The network/information security Common Body of Knowledge is

15. The Cryptological domain includes:

2. Which of the following would be the first step in establishing a network/i

4. Within Network and IT security, which of the following combinations best d

5. Which of the following is not part of a security policy?

6. Which of the following is an advantage of qualitative over quantitative ri

8. Step by step instructions used to satisfy control requirements are called

9. Controls are implemented to

10. Which of the following shouldn't be addressed by employee termination pra

11. Which of the following would be defined as an absence or weakness of a sa

3. Which of the following uses a specific OS and lacks a standard interface t

5. Functional requirements and assurance requirements answer which of the fol

6. Which Orange Book hierarchical levels requires mandatory protections

8. Which of the following statements about the CC is NOT true?

9. Which of the following isn't a method to protect subjects, objects, and da

11. What is the main concern of the Bell-LaPadula security model?

13. The Orange Book is founded upon which security model?

14. What does CC stand for?

2. The primary goal of a DRP is to:

4. What is a mobile unit site?

5. What is the purpose of a BIA?

6. According to the Gartner Group:

7. Which of the following options would not be considered in a disaster recov

9. What is a benefit of cold sites?

11. What is the prime priority of disaster recovery?

12. Why is a BCP important?

You might also like