Chapter 03 Quiz (ITN260) - Operational and Organizational Security

Who is responsible for the determination of policies for a given system?

System owner

What five phases should be covered in an incident response policy?

Preparation, detection, containment and eradication, recovery, and follow-up actions

Who is responsible for the determination of policies for a given system?

System owner

What five phases should be covered in an incident response policy?

Preparation, detection, containment and eradication, recovery, and follow-up actions

Generally, policies should be updated more frequently than the procedures that implement them. (T/F)

False

Which term refers to the step between the account having access and the account being removed from the system?

Account disablement

Guidelines are mandatory elements regarding the implementation of a policy. (T/F)

False

Which term describes a method to check the security of a system by simulating an attack by a malicious individual?

Penetration test

Which term generally refers to the standard of care a reasonable person is expected to exercise in all situations?

Due care

Which term generally refers to the standard of care a business is expected to exercise in preparation for a business transaction?

Due diligence

Which user type has virtually unlimited power over the system?

system administrator

Which term describes a legal document used to describe a bilateral agreement between parties regarding a set of intended actions between the parties with respect to some common pursuit or goal?

memorandum of understanding (MOU)

Which type of classification includes categories such as High, Medium, Low, Confidential, Private, and Public?

information classification

Which term describes a legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners?

business partnership agreement (BPA)

Which term refers to ensuring each individual in the organization is supplied with only the absolute minimum amount of information and privileges they need to perform their work tasks?

need to know

Data requires a data owner. (T/F)

True

Which password best meets typical complexity requirements?

p@ssw0rD

Disabling an account is irreversible. (T/F)

False

Which term is used for people who have data responsibilities?

data owners

Which document lays out a uniform set of rules associated with partnerships to resolve any partnership terms?

Uniform Partnership Act (UPA)

What are the four steps that make up the policy lifecycle?

plan, implement, monitor, and evaluate

Which term describes a high-level statement produced by senior management that outlines both what security means to the organization and the organization's goals for security?

security policy

Maintaining proper information in security training records is a requirement of several laws and regulations. (T/F)

True

Which term refers to a contractual agreement detailing the expectations of the customer and the service provider?

service level agreement (SLA)

Which term is concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual's legal rights?

due process

What step can be taken to evaluate the effectiveness of the security measures in place at an organization?

Perform a vulnerability assessment.

Password length is critical to password-based security. (T/F)

True

The purpose of change management is to ensure proper procedures are followed when modifications to the IT infrastructure are made. (T/F)

True

What is one leading cause of account hijacking?

improper use and/or control over passwords

Which term refers to a security principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone?

separation of duties

Before magnetic storage media (such as disks or tapes) is discarded in the trash or sold for salvage, it should have all files deleted and should be overwritten at least times with all 1's, all 0's, and then random characters.

three

Nondisclosure agreements (NDAs) are frequently used to delineate the level and type of company secret information, and with whom it can be shared. (T/F)

True