INFORMATION SYSTEM SECURITY BT0059

1-Mark

1. Information system needs to be resume if they are to be a. b. c. d. Unreliable Reliable Accessible All of above

Ans. B 2. Data and information in any information system is at risk from. a. b. c. d. e. Human error Technical errors Fraud Accidents and disasters All of above

Ans. E 3. Data and information come from many sources. a. b. c. d. External Internal Both a & b None of the above

Ans. C 4. When design security controls, a business needs to address the factors. a. b. c. d. Prevention Data recovery Detection All of the above

Ans. D 5. Business benefits from getting information system security right a. Increase the capacity of a business b. Security cannot be used to differentiate a business c. By managing risk more effectively, a business cannot down on losses and potential legal liabilities d. None of the above Ans. A 6. Information that obtained from ________ the business. a. b. c. d. External Internal Technical None of the above

Ans. A 7. _______ is the type of magnetic disk memory which consists of a flexible disk with a magnetic coating. a. b. c. d. Tape storage Floppy Optical disk CD-R

Ans. B 8. A DVD stands for a. b. c. d. Disk video digital Digital versatile disk Digital video disk Both b & c

Ans. D 9. CD-RW disks are writable and can not be erased and re-recorded upon over and over again. a. True

b. False Ans. F 10. Data storage including a. b. c. d. Permanent storage Transient storage Archival storage All of above

Ans. D 11. UPS stands for a. b. c. d. Unified power system Uninterrupted power support Uninterruptible power supply None of the above

Ans. C 12. The process implementing the security plan must be subjected to strong. a. b. c. d. Business management Project management Security management None of the above

Ans. B 13. SDLC stands for a. b. c. d. Security development life cycle System development life cycle Software deployment life cycle None of the above

Ans. B 14. The organization defines ________ information security policy requirement. a. Low level b. Middle level c. High level

d. None of the above Ans. C 15. In _________ phase, the systems is designed, purchased, programmed, developed. a. b. c. d. Development phase Both a & b Acquisition phase None of the above

Ans. C 16. In the implementation phase, the organization __________ system security features and test the functionalities of these features. a. b. c. d. Reconfigure and enable Configures and enable Ensure and enable Support and enable

Ans. B 17. CM stands for a. b. c. d. Control management Cyclic management Configuration management None of the above

Ans. C 18. ______ security controls level to identify potential & security related problem in the information system a. b. c. d. System Monitoring Configuration None of the above

Ans. B 19. The removal of information from a storage medium, such as hard disk or tape, is called

a. b. c. d.

Sanitization Destroying Disposal None of the above

Ans. A 20. How categories of media sanitization : a. b. c. d. 6 2 4 5

Ans. D 21. FISMA stands for a. b. c. d. Federal initial security management association Federal implementation system management agency Federal information security management Act None of the above

Ans. C 22. GPRA stands for a. b. c. d. Govt. paperwork resource analyze Government performance and result act Govt. practice and result association None of the above

Ans. B 23. GPEA stands for a. b. c. d. Govt paperwork elimination act Govt practice effectively approach Govt performance efficient approach None of the above

Ans. A 24. Matics are tools that support

a. b. c. d.

MIS Decision making Management Task

Ans. B 25. _______ process establishes are initial set of metrics. a. b. c. d. Making implementation Process implementation Making development None of the above

Ans. B 26. The process step do not need to be a. b. c. d. Random Sequential a&b none of the above

Ans. B 27. _______ is a useful tool that facilitates integration of information security into the departmental capital planning process. a. b. c. d. Metrics development Metrices implementation Metrices weightily All of the above

Ans. C 28. Information security metrices should be used for a. b. c. d. Monitoring information security control performance Initiating performance improvement actions Both a & b None of the above

Ans. C

29. The iterative process consists of a. b. c. d. 7 phases 5 phases 6 phases 4 phases

Ans. C 30. Collect data and analyze results include the activities : a. b. c. d. Identify area requiring improvement Identify causes of poor performance a&b None of the above

Ans. C 31. ___________ phase identify corrective actions, involves developing a plan that will provide the road map of how to close the implementation gap. a. b. c. d. Collective data and analyze result Prepare for data collection Identify corrective action All of the above

Ans. C 32. Apply corrective action phase, involves a. b. c. d. Implementing corrective action Address the budget cycle Establishing a comprehensive information security Identify corrective cycle

Ans. A 33. SAISD stands for a. b. c. d. System analysis information security officer Senior agency information security officer Secure analysis implementation system output None of the above

Ans. B

34. GSS means a. b. c. d. General support system General secure system Good system support Good software system

Ans. A 35. ______ is responsible for developing and monitoring an agency-wide information security. a. b. c. d. SAISO CIO GSS MA

Ans. B 36. The information system owner is the agency official responsible for the overall procurement, development. a. True b. False Ans. A 37. _______ is responsible for establishing the control for information generation, collection, processing and disposal. a. b. c. d. Chief information officer Information owner Both a & b None of the above

Ans. B 38. COOP stands for a. b. c. d. Common object oriented process Contingency of operation process Continuity of operation planning None of the above

Ans. C 39. _____ means dealing with a concern before it becomes a crisis. a. b. c. d. Support system Risk management Software management Process management

Ans. B 40. _______ is defined as The possibility of suffering harm or loss; danger. a. b. c. d. Process Risk Security All of the above

Ans. B

2-Marks

41. Risk management gives us a _________ to provide visibility into threats to project success. a. b. c. d. Structured mechanism Risk mechanism Project mechanism None of the above

Ans. A 42. Controlling risk means ________. a. b. c. d. Increasing uncertainty Reducing uncertainty Risk analysis None of the above

Ans. B 43. Proactive risk management doesnt necessarily means avoiding projects that a. b. c. d. Could not incur a high level of risk Could incur a low level of risk Could incur a high level of risk Could not incur a low level of risk

Ans. C 45. ______ is the application of appropriate tools and procedures to contains risk within acceptable limits. a. b. c. d. Risk assessment Risk management Risk control All of the above

Ans. B 46. Risk analysis involves examining. a. b. c. d. How project outcomes might change with modification or risk input variables How project inputs might change without modifications of risk variables Both a & b None of the above

Ans. A 47. Vulnerabilities can be identified a. b. c. d. Using a combination of a number of techniques and sources Using a combination of a number of procedures & rules Using a combination of a number of threats All of the above

Ans. A 48. The analysis of controls in place to protect the system can be a. Accomplished using a check list or questionnaires b. Determining the level of risk to a system is impact c. Both a & b

d. None of the above Ans. A 49. The goal of the control recommendation is to a. b. c. d. Increase the level of risk to the information system Reduce the level of risk to the information system Analyze the level of risk to the information system All of the above

Ans. B 50. The risk assessment report I the mechanism used to formally a. b. c. d. Provide mechanism to solve errors Help agencies identify & select controls to the organizations Report the result of all risk assessment activities None of the above

Ans. C 51. The risk assessment report should describe a. b. c. d. The scope of the assessment based on the system characterization Methodology used to conduct the risk assessment Estimation of the overall posture of the system All of the above

Ans. D 52. The second phase of the risk management process is ________. a. b. c. d. Risk analysis Risk mitigation Risk determination Risk assessment

Ans. B 53. The incident response teams expertise should be used to establish recommendation security system. a. True b. False

Ans. A 54. Organizations should not be prepared to collect a set of objective and subjective data for each incident. a. True b. False Ans. B 55. Preventing problems is less costly and more effective than reacting to them after they occur. a. True b. False Ans. A 56. Risk management planning produces a plan for dealing with each significant risk. a. True b. False Ans. A 57. The responsibilities / duties of chief information owner are a. Establishing the rules for the appropriate use and protection of the subject data / information b. Deciding who has access to the information system and determining what types of privileges or access rights c. Assisting in identifying and assessing the common security controls where the information resides d. All of above Ans. D 58. The responsibilities duties of chief informal officer a. Managing the identification, implementation and assessment of common security controls b. Identifying and developing common security controls for the agency

c. Ensuring that personnel with significant responsibilities for system security plans are trained d. All of the above Ans. D 59. Matching 1. CDR 2. Mitigation approach 3. CD-RW 4. Disposal phase a. b. c. d. 1-iv, 2-iii, 3-i, 4-ii 1-iii, 2-ii, 3-iv, 4-i 1-i, 2-iv, 3-iii, 4-ii 1-i, 2-ii, 3-iii, 4-iv i. Rewritable ii. SDLC iii. Risk must planning iv. Write-once media

Ans. A 60. The system owner must understand who is responsible for a. b. c. d. Implementing controls Identify the risk that this extension of trust will generate a&b None of the above

Ans. C 61. Information security metrics program implementation process has six phases. Arrange these phase in an order a. Collect data & analysis, obtain resources, develop business case, identify corrective action, apply corrective action, prepare & data collection b. Prepare for data collection, collect data and analysis result, identify corrective actions, develop business case, obtain resource, apply corrective action c. Develop business cases, identify corrective actions, apply corrective actions, correct data and analyze result, prepare & data collection, obtain resources d. Apply corrective action, obtain resources, develop business case, identify corrective actions, collect data & analyze result, prepare data collection Ans. 62. Risk management planning produces a plan for dealing with each significant risk, including mitigation approach, owners and timeliness.

a. True b. False Ans. A 63. How to find the risk exposure a. b. c. d. Total risk exposure = product of (probability + impact) Total risk exposure = sum of (probability + impact) Total risk exposure = sum of (probability + impact) Total risk exposure = sum of (probability impact)

Ans. B 64. How many types of threats. a. b. c. d. 4 6 3 5

Ans. C 65. IF an observation is rated as moderate risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time. a. True b. False Ans. A 66. Information security metrics development process has 7 phases. Arrange all these phase in proper sequence a. Goals and objective, shareholders and interests, policies guidance and procedures, level implementation, program result, program implementation, business mission impact b. Shakeholders & interest, goals and objective, policies, program implementation, level of implementation, program result, buisiness mission c. Both a & b d. None of the above Ans. B

67. System security plans are not living documents that require periodic review, modification and plans of action and milestones (POA & M) for implementing security controls. a. True b. False Ans. B 68. The ISSO has the responsibilities related to system security plans : a. Assisting the SAISO in identifying implementing the common security controls b. Actively supporting the development and maintenance of the system security plan c. Both a & b d. None o the above Ans. C 69. If a set of information resources is identifies as an information system, the resources should not be under the same direct management control. a. True b. False Ans. B 70. A risk management process provides a. b. c. d. A number of benefit process A number of benefits to the project team A number of losses to process All of above

Ans. B 71. Risk prioritization helps the project focus out its most severe risks by assessing the risk exposure. a. True b. False Ans. A

72. Match the following a. Earthquakes b. Intentional or unintentional c. Power failure a. b. c. d. 1-i, 2-ii, 3-iii 1-iii, 2-i, 3-ii 1-iii, 2-ii, 3-i None of the above i. Human threats ii. Environment threats iii. Natural threats

Ans. B 73. Incident response life cycle has ________ phases. a. b. c. d. 4 6 3 5

Ans. A 74. Recovery may involve actions as: a. b. c. d. Restoring system from clean backup Installing patches Replacing compromised files with clean versions All of the above

Ans. D 75. In the process of preparing to collect incident date, organizations should focus on collecting data that is actionable rather than collecting data simply because it is available. a. True b. False Ans. A