Information Security Management 1
01: According to your textbook which of the following is NOT part of risk analysis:
___ Determine how likely each risk is to occur
___ Identify any risks to assets
___ Implement an acceptable use policy
___ Determine the value of assets
02: A risk is defined as:
___ A weakness in a system
___ A potential for exploit of a weakness in a system
___ The existence of a weakness in a system and the potential for an exploit
___ An attempted security attack
03: If a manager obtains insurance for damage to an asset, this is called risk transference:
___ True
___ False
04: Managers should declare financial statements about asset values:
___ True
___ False
05: A principle that a single person should not have authority to execute a critical task is called:
___ Access control
___ Separation of duties (or privileges)
___ Discretionary control
___ Confidentiality
06: Unauthorized alteration of information is a breach of:
___ Confidentiality
___ Integrity
___ Availability
___ Protocol
07: Of the two types of attackers, which has the potential to do the most damage?
___ Malicious Outsiders
___ Non-Malicious Insiders
___ Non-Malicious Outsiders
___ Malicious Insiders
08: Controlling information such that only those who require it to do their job receive it is called operating on a “need to know” basis:
___ True
___ False
09: Planning to have a “hot site” to restart operations in the case of a fatal incident is part of having a:
___ Risk Assessment Plan
___ Disaster Recovery Plan
___ Vulnerability Assessment Plan
___ Business Continuity Plan
10: Planning for a “co-location” to continue business as usual in the case of an incident that disrupts operations at one site is part of having a:
___ Risk Assessment Plan
___ Disaster Recovery Plan
___ Vulnerability Assessment Plan
___ Business Continuity Plan
11: SLE represents:
___ The proportion of assets that would be destroyed by a risk
___ Damage to an asset each time a risk would incur in a year
___ Number of times a risk may occur in a year
___ Damage to an asset incurred cumulatively for each year of the asset’s lifetime
12: Privilege creep means:
___ An administrator gives him or herself the ability to examine private accounts
___ An attacker uses a rootkit to escalate privileges to execute system functions
___ When someone changes roles, they accrue both old and new privileges even if they are not needed
___ When a user logs in as a normal user, then executes an “su” to become a superuser
13: The four choices that managers have when managing risks are: (1) risk avoidance, (2) risk prosecution, (3) risk acceptance, (4) risk transference.
___ True
___ False
14: The encryption algorithm AES avoids security through obscurity:
___ True
___ False
15: A security policy is a written document only:
___ True
___ False
16: Even though very simplistic, security “checklists” such as ISO 27001/27002 (formerly 17799), also known as the ISO 27000 (or ISO27K) family of standards, are useful for security auditing in preparation for, or as part of, a security certification:
___ True
___ False
17: Conducting background checks on employees is illegal in the United States:
___ True
___ False
18: Least privilege means allocating only the minimum set of privileges required to perform a job function:
___ True
___ False
Short Essay:
19: Give a brief explanation of the differences between risk assessment and risk management. Give as an example the name of at least one standard or framework that is used for each one:
20: Briefly describe what responsibilities managers have in terms of security. In this description, note that managers in this context are not security officers or officers of a company and do NOT have fiduciary responsibilities. In other words, what are minimum security standards managers must adhere to regardless of their position?