Chapter 3 Operational/Organizational Security
1. What are the four steps that make up the policy life cycle?
• A. policies
• B. procedures
• C. standards
• D. guidelines
2. Which term describes a method to check the security of a system by simulating an attack by a malicious individual?
• A. Vulnerability assessment
• B. Penetration test
• C. Due diligence
• D. Due care
3. Which type of classification includes categories such as High, Medium, Low, Confidential, Private, and Public?
• A. Human resources classification
• B. Acceptable use classification
• C. Change management classification
• D. Information classification
4. Which term refers to ensuring each individual in the organization is supplied with only the absolute minimum amount of information and privileges they need to perform their work tasks?
• A. Need to know
• B. Defense in depth
• C. Exception handling
• D. Economy of mechanism
5. What is a leading cause of account hijacking?
• A. Improper use and/or control over passwords
• B. Ineffective data classification programs
• C. Ineffective service level agreements
• D. A business partnership agreement (BPA)
6. Which term refers to a security principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone?
• A. Due diligence
• B. Separation of duties
• C. Defense in depth
• D. Least privilege
7. Which term is concerned with guaranteeing fundamental fairness, justice and liberty in relation to an individual’s legal rights
• A. Due diligence
• B. Due care
• C. Due process
• D. Acceptable use
8. Who is responsible for defining data handling characteristics?
• A. The system owner
• B. The data owner
• C. Executive users
• D. Privileged users
9. Which term refers to contractual agreements between entities that describe specified levels of service that the servicing entity agrees to guarantee for the customer?
• A. Business partnership agreement (BPA)
• B. Interconnection security agreement (ISA)
• C. Service level agreement (SLA)
• D. Memorandum of understanding (MOU)
10. Which document lays out a uniform set of rules associated with partnerships to resolve any partnership terms?
• A. Memorandum of understanding (MOU)
• B. Uniform Partnership Act (UPA)
• C. Interconnection security agreement (ISA)
• D. Service level agreement (SLA)
11. Which term refers to the security perimeter, with its several layers of security, along with additional security mechanisms that may be implemented on a system (such as user IDs/passwords)?
• A. Defense-in-depth
• B. Peer-to-peer communication
• C. Public switched telephone network (PSTN)
• D. Client-server communication
12. Which term eliminates the traditional land lines in an organization and replaces them with special telephones that connect to the IP data network?
• A. Voice over IP (VoIP)
• B. Peer-to-peer communication
• C. Client-server communication
• D. Public switched telephone network (PSTN)
TRUE / FALSE
13. (p. 48) Generally, policies should be updated more frequently than the procedures that implement them.
14. (p. 49) Data requires a data owner.
15. (p. 53) Password length is critical to password-based security
16. (p. 67) Nondisclosure agreements (NDAs) are frequently used to delineate the level and type of information, and with whom it can be shared.
17. (p. 68) An intrusion detection system (IDS) is often part of the security perimeter for an organization.
1. What are the four steps that make up the policy life
cycle?
Ans: B. procedures
Policy life cycle involves five stages: (1) discussion and debate,
(2) political action, (3) legislative proposal, (4) law and
regulation,(5) compliance.
2. Which term describes a method to check the security of a system
by simulating an attack by a malicious individual?
Ans: B. Penetration test
A penetration test, also known as a pen test, is a simulated cyber
attack against your computer system to check for exploitable
vulnerabilities. In the context of web application security,
penetration testing is commonly used to augment a web application
firewall.
3. Which type of classification includes categories such as
High, Medium, Low, Confidential, Private, and Public?
Ans: D. Information classification
Information Classification includes restricted data, for that
information will categories into High, Medium, Low, Confidential,
Private, and Public
4. Which term refers to ensuring each individual in the
organization is supplied with only the absolute minimum amount of
information and privileges they need to perform their work
tasks?
Ans : A. Need to know
For any organization needs to know all the operations and thier
functionality to perform well and manage the things easily.
5. What is a leading cause of
account hijacking?
A. Improper use and/or control over passwords.
Most of the hacker gains access to these accounts via phishing,
though it can also be done with a password cracking tool. A
phishing email for example may warn the recipient that their
Outlook needs to be updated and that they must click on the link
provided, and enter their login. But instead of being a helpful
update, it’s really a scam designed to capture your username and
password.
6. Which term refers to a security principle employed in many
organizations to ensure that no single individual has the ability
to conduct transactions alone?
Ans: D. Least privilege.
The principle of least privilege (POLP), an important concept in
computer security, is the practice of limiting access rights for
users to the bare minimum permissions they need to perform their
work.
7. Which term is concerned with guaranteeing fundamental fairness,
justice and liberty in relation to an individual’s legal
rights?
Ans: C. Due process.
Due process is the legal requirement that the state must respect
all legal rights that are owed to a person. Due process balances
the power of law of the land and protects the individual person
from it.
8. Who is responsible for defining data handling
characteristics?
Ans: D. Privileged users
In any company, the privileged user is an employee with authority
to access more than usual company data or make changes to the
company network. Companies need privileged users because they have
access to source code, file systems and other assets that allow
them to upgrade the systems or make other technical changes.
9. Which term refers to contractual agreements between entities
that describe specified levels of service that the servicing entity
agrees to guarantee for the customer?
Ans: C. Service level agreement (SLA).
A service level agreement (SLA) is a contract between a service
provider (either internal or external) and the end user that
defines the level of service expected from the service provider.
SLAs are output-based in that their purpose is specifically to
define what the customer will receive.
10. Which document lays out a uniform set of rules associated
with partnerships to resolve any partnership terms?
Ans: A. Memorandum of understanding (MOU).
A memorandum of understanding (MOU or MoU) is a formal agreement
between two or more parties. Companies and organizations can use
MOUs to establish official partnerships.
11. Which term refers to the security perimeter, with its
several layers of security, along with additional security
mechanisms that may be implemented on a system (such as user
IDs/passwords)?
Ans: A. Defense-in-depth.
Defense in Depth (DiD) is an approach to cyber security in which a
series of defensive mechanisms are layered in order to protect
valuable data and information. If one mechanism fails, another
steps up immediately to thwart an attack.
12. Which term eliminates the traditional land lines in an
organization and replaces them with special telephones that connect
to the IP data network?
Ans: A. Voice over IP (VoIP).
VoIP (voice over IP) is the transmission of voice and multimedia
content over Internet Protocol(IP) networks. VoIP historically
referred to using IP to connect private branch exchanges, but the
term is now used interchangeably with IP telephony.
13. Generally, policies should be updated more frequently than the
procedures that implement them.
Ans: FALSE
Generally, policies should be updated more frequently than the
procedures that implement them statement is FALSE because both are
updated frequently then only the organization perform efficient
manner. Policies and procedures in the organization may be so that
maintaining a manual becomes a challenge. And by the time the ink
dries on the newest edition of the document, a new law or
regulation may be enacted that requires changing the manual again.
The result is that many organizations have manuals that are
incomplete, out of date, badly written, poorly understood, and
inadequately enforced. Yet there’s no question that a high-quality
policies and procedures manual can provide underlying documentation
that helps an organization run effectively and efficiently.
14. Data requires a data owner?
Ans: FALSE.
In most cases, the Data Custodian is not the Data Owner. A system
administrator or Data Custodian is a person who has technical
control over an information asset dataset.
15. Password length is critical to password-based
security?
Ans: TRUE
Many policies require a minimum password length. Eight characters is typical but may not be appropriate. Longer passwords are generally more secure, but some systems impose a maximum length for compatibility with legacy systems.
16. Nondisclosure agreements (NDA) are frequently used to
delineate the level and type of information, and with whom it can
be shared.
Ans : TRUE
A non-disclosure agreement also known as a confidentiality agreement (CA), confidential disclosure agreement, proprietary information agreement or secrecy agreement (SA), is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties.
17. An intrusion detection system (IDS) is often part of the
security perimeter for an organization.
Ans: TRUE
Intrusion detection systems are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.
Chapter 3 Operational/Organizational Security 1. What are the four steps that make up the policy life...