An overview of the core principles and key elements of an effective information security program. It covers topics such as the alignment of security goals with organizational objectives, the fundamental security triad (confidentiality, integrity, and availability), the importance of senior management support, the role of threat and vulnerability assessments, personnel security practices, security architecture and governance, risk management strategies, security controls and countermeasures, cryptography concepts, access control mechanisms, and security program implementation and measurement. The document aims to equip readers with a comprehensive understanding of the foundational aspects of information security management, which is crucial for organizations to protect their critical information assets and maintain business continuity in the face of evolving cyber threats.
Typology: Exams
The foundation of an information security program is: - Correct Answer: Alignment with the goals and objectives of the organization
The core principles of an information security program are: - Correct Answer: Confidentiality, Integrity and Availability
The key factor in a successful information security program is: - Correct Answer: Senior Management support
A threat can be described as: - Correct Answer: Any event or action that could cause harm to the organization
True/False: Threats can be either intentional or accidental - Correct Answer: True
Personnel Security requires trained personnel to manage systems and networks. When does personnel security begin?
Who plays the most important role in information security? - Correct Answer: Upper management
The advantage of an IPS (intrusion prevention system) over an IDS (intrusion detection system) is that: - Correct Answer: The IPS can block suspicious activity in real time
True/False: Physical security is an important part of an Information Security program - Correct Answer: True
The Sherwood Applied Business Security Architecture (SABSA) is primarily concerned with: - Correct Answer: An enterprise-wide approach to security architecture
A centralized approach to security has the primary advantage of: - Correct Answer: Uniform enforcement of security policies
The greatest advantage to a decentralized approach to security is: - Correct Answer: More adjustable to local laws and requirements
What is a primary method for justifying investments in information security? - Correct Answer: Development of a business case
Relationships with third parties may: - Correct Answer: Require the organization to comply with the security standards of the third party
True or False? The organization does not have to worry about the impact of third party relationships on the security program - Correct Answer: False
The role of an Information Systems Security Steering Committee is to: - Correct Answer: Provide feedback from all areas of the organization
The most effective tool a security department has is: - Correct Answer: A security awareness program
The role of Audit in relation to Information Security is: - Correct Answer: To validate the effectiveness of the security program against established metrics
Who should be responsible for development of a risk management strategy? - Correct Answer: The Security Manager
The security requirements of each member of the organization should be documented in: - Correct Answer: Their job descriptions
What could be the greatest challenge to implementing a new security strategy? - Correct Answer: Obtaining buy-in from employees
A disgruntled former employee is a: - Correct Answer: Threat
A bug or software flaw is a: - Correct Answer: Vulnerability
The main purpose of information classification is to: - Correct Answer: Ensure the effective, appropriate protection of information
The value of information is based in part on: - Correct Answer: The fines imposed by regulators in the event of a breach
The definition of an information security baseline is: - Correct Answer: The minimum level of security mandated in the organization
The use of a baseline can help the organization to: - Correct Answer: Compare the current state of security with the desired state
The purpose of a Business Impact Analysis (BIA) is to: - Correct Answer: Estimate the potential impact on the business in case of a system failure
The ultimate goal of BIA is to: - Correct Answer: Determine the priorities for recovery of business processes and systems
New controls should be implemented as a part of the risk mitigation strategy: - Correct Answer: In areas where the cost of the control is justified by the benefit obtained
An example of risk transference as a risk mitigation option is:
Symmetric encryption is a: - Correct Answer: Two-way encryption process
A primary reason for the development of public key cryptography was to: - Correct Answer: Address the key distribution problems of asymmetric encryption
What is the length of a digest created by a hash function? - Correct Answer: A hash function creates a fixed length hash regardless of input message length
A hash is often used for: - Correct Answer: Password based authentication
The entity requesting access in an access control system is often known as: - Correct Answer: The subject
Access control is a means to: - Correct Answer: Permit authorized persons appropriate levels of access
A surveillance camera is an access control based on: - Correct Answer: Physical controls
Anti-virus systems should be deployed on: - Correct Answer: Gateways and individual desktops
The use of a policy compliant system may enable an organization to: - Correct Answer: Enforce policies at a desktop level
An information classification policy is what form of control? - Correct Answer: Administrative controls
Which of the following is a one-way function? - Correct Answer: Hashing
True/False: A Disaster Recovery Plan is a part of an Information Security Framework - Correct Answer: True
The implementation of a security program requires: - Correct Answer: A person that takes ownership of each activity
The manipulation of staff to perform unauthorized actions is known as: - Correct Answer: Social engineering
Audit is a form of: - Correct Answer: Business assurance
When an organization undertakes a program to outsource the IT function, what must it do as part of the outsourcing program? - Correct Answer: Ensure that security requirements are addressed in any contracts
What is the best way to understand business priorities? - Correct Answer: Interviews with senior management
In case the implementation of an IT project fails, what is the next step? - Correct Answer: Roll back the implementation if possible
A gap analysis can be used to: - Correct Answer: Determine the disparity between current and desired state
Every policy should be backed up through the use of: - Correct Answer: Procedures, standards and baselines
The testing and evaluation of the security of a system made in support of the decision to implement the system is known as: - Correct Answer: Certification
Ensuring that a system is not implemented until it has been formally approved by a senior manager is part of: - Correct Answer: Accreditation
Teaching staff how to use a new security tool is known as: - Correct Answer: Training
To ensure the quality and adherence to standards for a modification to a system, the organization enforces: - Correct Answer: Change control
Metrics to evaluate the effectiveness of system controls may be based on: - Correct Answer: Key performance indicators (KPIs)
The three authentication factors are: - Correct Answer: Knowledge, ownership, biometric
Sensitive information about a person is called: - Correct Answer: PII
Remote access poses the risk that: - Correct Answer: Unauthorized users may use remote access systems to gain access
A Virtual Private Network (VPN) is used to: - Correct Answer: Create a secure tunnel to allow transmission of sensitive data over an insecure network
A security risk associated with disposal of any storage device is: - Correct Answer: The removal of sensitive information
When an outsourcing contract expires the organization must: