Questions to Module 1 Review with Correct Answers

Chapter 1

1. An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data; or is sometimes physical, such as a person, computer system, hardware, or other tangible object. Collectively all of these things are known as a(n) ___________. ASSET
2. When dealing with computerized information, a breach of possession will result in a breach of confidentiality. FALSE
3. __________ of information is the quality or state of being genuine or original. AUTHENTICITY
4. Which of the following phases of the SDLC is often considered the longest and most expensive phase of the systems development life cycle? MAINTENANCE AND CHANGE
5. __________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse. PHYSICAL
6. The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization. CISO
7. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. TRUE
8. The value of information comes from the characteristics it possesses. TRUE
9. Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects. FALSE
10. Computer hardware is seldom the most valuable asset possessed by an organization. TRUE

Chapter 2

1. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. TRUE
2. ____ is any technology that aids in gathering information about a person or organization without their knowledge. SPYWARE
3. A worm requires that another program is running before it can begin functioning. FALSE
4. ____________________ is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by subnational groups or clandestine agents. CYBERTERRORISM
5. In a ____________________ attack, the attacker sends a large number of connection or information requests to disrupt a target from many locations at the same time. DISTRIBUTED DENIAL OF SERVICE (DDoS)
6. The ____________________ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network. TCP
7. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. FALSE
8. A short-term interruption in electrical power availability is known as a ____. FAULT
9. "4-1-9" fraud is an example of a ____________________ attack. SOCIAL ENGINEERING
10. A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) __________. RAINBOW TABLE

Chapter 3

1. Individuals with authorization and privileges to manage information within the organization are often those who are most likely to cause harm or damage by accident. TRUE
2. Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources? SINGAPORE
3. The Secret Service is charged with safeguarding the nation's financial infrastructure and payments systems to preserve the integrity of the economy. TRUE
4. Ethics are the moral attitudes or customs of a particular group. FALSE
5. Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? ELECTRONIC COMMUNICATIONS PRIVACY ACT
6. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act? FINANCIAL SERVICES MODERNIZATION ACT
7. Criminal or unethical __________ goes to the state of mind of the individual performing the act. INTENT
8. What is the subject of the Sarbanes-Oxley Act? FINANCIAL REPORTING
9. The __________ defines stiffer penalties for prosecution of terrorist crimes. USA PATRIOT ACT
10. In the context of information security, confidentiality is the right of the individual or group to protect themselves and their information from unauthorized access. FALSE

Chapter 4

1. Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site. FALSE
2. The Security Education, Training and Awareness (SETA) program is a control measure designed to reduce the instances of __________ security breaches by employees. ACCIDENTAL
3. __________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. DEFENSE IN DEPTH
4. The ________ is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. EISP (ENTERPRISE INFORMATION SECURITY POLICY)
5. To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date. TRUE
6. Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards. DE JURE
7. _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident. DAMAGE ASSESSMENT
8. A disaster recovery plan is a plan that shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster. TRUE
9. A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions. FALSE
10. A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. ALERT ROSTER

Chapter 5

1. The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. ACCEPTANCE
2. When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________. STANDARD OF DUE CARE
3. Risk control is the application of controls that reduce the risks to an organization's information assets to an acceptable level. TRUE
4. The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________. LOSS FREQUENCY
5. The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. DEFENSE
6. The __________ plan specifies the actions an organization can and should take while an adverse event (one that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization) is in progress. INCIDENT RESPONSE
7. Management of classified data includes its storage and _________. ALL OF THE ABOVE
8. Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. APPETITE
9. A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on it. FALSE
10. The concept of competitive _________ refers to falling behind the competition. DISADVANTAGE
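The following is an added example, not part of the original review sheet, illustrating the Chapter 2 item on rainbow tables (question 10): the attacker precomputes hash-to-plaintext pairs once, then recovers passwords from a stolen unsalted hash file by pure lookup, while per-user salts force the whole dictionary to be re-hashed for every account. A real rainbow table compresses the precomputed table into hash chains with a reduction function; this block keeps the plain lookup-table form so the mechanics stay visible. The wordlist, salts and credentials are constructed for the example, and the hash algorithms (MD5 for the legacy unsalted file, SHA-256 for the salted one) are assumptions.

```python
"""Precomputed hash lookup (the quiz's 'rainbow table') versus salted hashes.
Added example; all data below is constructed, not from any real breach."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed attacker dictionary (a real one holds millions of entries).
WORDLIST: List[str] = ["password", "letmein", "qwerty", "welcome1", "dragon", "summer2019"]

# Constructed per-user salts, fixed here so the run is reproducible;
# a real system draws each one from os.urandom() at password-set time.
SALTS: Dict[str, bytes] = {
    "alice": bytes.fromhex("a1b2c3d4e5f60718"),
    "bob": bytes.fromhex("0f1e2d3c4b5a6978"),
    "carol": bytes.fromhex("deadbeefcafef00d"),
}

# Constructed credentials: two dictionary passwords and one that is not in the list.
CREDS: Dict[str, str] = {"alice": "letmein", "bob": "dragon", "carol": "Tr0ub4dor&3"}


def build_lookup_table(words: List[str], algo: str = "md5") -> Dict[str, str]:
    """Precompute hash -> plaintext once, offline, before any password file is stolen."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def unsalted_password_file(creds: Dict[str, str], algo: str = "md5") -> Dict[str, str]:
    """Simulate a legacy system that stores bare hashes (this is what gets stolen)."""
    return {u: hashlib.new(algo, p.encode()).hexdigest() for u, p in creds.items()}


def crack_unsalted(stolen: Dict[str, str],
                   table: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Pure lookup: one dict probe per account and zero hash computations at attack time."""
    return {u: table.get(h) for u, h in stolen.items()}, 0


def salted_hash(password: str, salt: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def salted_password_file(creds: Dict[str, str],
                         salts: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Simulate a system that stores (salt, salted hash) per user."""
    return {u: (salts[u].hex(), salted_hash(p, salts[u])) for u, p in creds.items()}


def crack_salted(stolen: Dict[str, Tuple[str, str]],
                 words: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """The precomputed table is useless against salts: the attacker must re-hash the
    dictionary for every distinct salt. Returns the results and the number of hash
    computations spent (users * words in the worst case)."""
    results: Dict[str, Optional[str]] = {}
    work = 0
    for user, (salt_hex, target) in stolen.items():
        salt = bytes.fromhex(salt_hex)
        results[user] = None
        for w in words:
            work += 1
            if salted_hash(w, salt) == target:
                results[user] = w
                break
    return results, work


def demo() -> Tuple[Dict[str, Optional[str]], int, Dict[str, Optional[str]], int]:
    table = build_lookup_table(WORDLIST)
    unsalted_hits, unsalted_work = crack_unsalted(unsalted_password_file(CREDS), table)
    salted_hits, salted_work = crack_salted(salted_password_file(CREDS, SALTS), WORDLIST)
    return unsalted_hits, unsalted_work, salted_hits, salted_work


if __name__ == "__main__":
    u_hits, u_work, s_hits, s_work = demo()
    print("unsalted file:", u_hits, "| hashes computed at attack time:", u_work)
    print("salted file:  ", s_hits, "| hashes computed at attack time:", s_work)
```

Both runs recover the two dictionary passwords and miss the one that is not in the wordlist; the difference is cost. Against the unsalted file the attacker spends nothing at attack time because every hash was computed before the theft, whereas against the salted file the work grows with the number of accounts, and a slow password hash (bcrypt, scrypt, Argon2) multiplies that per-guess cost further.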