《安全管理习题讲解.ppt》由会员分享,可在线阅读,更多相关《安全管理习题讲解.ppt(53页珍藏版)》请在三一办公上搜索。
1、QUIZ,1 Which of the following is not a responsibility of a database administrator?A Maintaining databasesB Implementing access rules to databasesC Reorganizing databasesD Providing access authorization to databases,D,QUIZ,2 According to governmental data classification levels,how would answers to te
2、sts and health care information be classified?A ConfidentialB Sensitive but unclassifiedC Private D Unclassified,B,QUIZ,3.According to private sector data classification levels,how would salary levels and medical information be classified?A Confidential B Public C Private D Sensitive,C,QUIZ,4 Which
3、of the next are steps of a common development process of creating a security policy,standards and procedures?A design,development,publication,coding,testing B design,evaluation,approval,publication,implementation C initial and evaluation,development,approval,publication,implementation,maintenance D
4、feasibility,development,approval,implementation,integration,C,5 What is the main purpose of a security policy?A to transfer the responsibility for the information security to all users of the organizationB to provide detailed steps for performing specific actionsC to provide a common framework for a
5、ll development activitiesD to provide the management direction and support for information security,D,6 Which of the following department managers would be best suited to oversee the development of an information security policy?A Security administrationB Human resourcesC Business operationsD Inform
6、ation systems,C,7 Which of the following is not a responsibility of an information owner?A Running regular backups and periodically testing the validity of the backup data.B Delegate the responsibility of data protection to data custodians.C Periodically review the classification assignments against
7、 business needs.D Determine what level of classification the information requires.,A,8 Which of the following is not a goal of integrity?A Prevention of the modification of information by unauthorized users.B Prevention of the unauthorized or unintentional modification of information by authorized u
8、sers.C Prevention of the modification of information by authorized users.D Preservation of the internal and external consistency.,C,9 Why do many organizations require every employee to take a mandatory vacation of a week or more?A To lead to greater productivity through a better quality of life for
9、 the employee.B To reduce the opportunity for an employee to commit an improper or illegal act.C To provide proper cross training for another employee.D To allow more employees to have a better understanding of the overall system.,B,10 Which of the following would best relate to resources being used
10、 only for intended purposes?A AvailabilityB IntegrityC ReliabilityD Confidentiality,A,11 Security of computer-based information systems is which of the following?A technical issue B management issue C training issue D operational issue,B,12 Which of the following would be the first step in establish
11、ing an information security program?A Development and implementation of an information security standards manual.B Development of a security awareness-training program for employees.C Purchase of security access control software.D Adoption of a corporate information security policy statement.,D,13 W
12、hich of the following tasks may be performed by the same person in a well-controlled information processing facility/computer center?A Computer operations and system development B System development and change management C System development and systems maintenance D Security administration and chan
13、ge management,C,14 Computer security should not:A Cover all identified risks.B Be cost-effective.C Be examined in both monetary and non-monetary terms.D Be proportionate to the value of IT systems.,A,15 Which of the following is most concerned with personnel security?A Management controls B Human re
14、sources controls C Technical controls D Operational controls,D,16 Which of the following is most likely given the responsibility of the maintenance and protection of the data?A Security administrator B User C Data custodian D Data owner,C,17 Who is responsible for providing reports to the senior man
15、agement on the effectiveness of the security controls?A Information systems security professionals B Data owners C Data custodians D Information systems auditors,D,18 Risk mitigation and risk reduction controls can be of which of the following types?A preventive,detective,or correctiveB Administrati
16、ve,operational or logicalC detective,correctiveD preventive,corrective and administrative,A,19 Which of the following would best classify as a management control?A Review of security controls B Documentation C Personnel security D Physical and environmental protection,A,20 What is the goal of the Ma
17、intenance phase in a common development process of a security policy?A to present document to approving body B to write proposal to management that states the objectives of the policy C publication within the organization D to review of the document on the specified review date,D,21 Which approach t
18、o a security program makes sure that the people actually responsible for protecting the companys assets are driving the program?A The top-down approach B The bottom-up approach C The technology approach D The Delphi approach,A,22 The preliminary steps to security planning include all of the followin
19、g EXCEPT which of the following?A Determine alternate courses of action B Establish a security audit function.C Establish objectives.D List planning assumptions.,B,23IT security measures should:A Be tailored to meet organizational security goals.B Make sure that every asset of the organization is we
20、ll protected.C Not be developed in a layered fashion.D Be complex,A,24 Which of the following embodies all the detailed actions that personnel are required to follow?A Baselines B Procedures C Guidelines D Standards,B,25 Which of the following should NOT be addressed by employee termination practice
21、s?A Deletion of assigned logon-ID and passwords to prohibit system access.B Return of access badges.C Employee bonding to protect against losses due to theft.D Removal of the employee from active payroll files.,C,26 Preservation of confidentiality information systems requires that the information is
22、 not disclosed to:A Authorized persons and processes B Unauthorized persons.C Unauthorized persons or processes.D Authorized person,C,27 Which of the following statements pertaining to quantitative risk analysis is false?A It requires a high volume of informationB It involves complex calculationsC I
23、t can be automatedD It involves a lot of guesswork,D,28 All except which of the follow are not used to ensure integrity?A compliance monitoring services B intrusion detection services C communications security management D firewall services,A,29 Which of the following would violate the Due Care conc
24、ept?A Latest security patches for servers only being installed once a week B Network administrator not taking mandatory two-week vacation as planned C Security policy being outdated D Data owners not laying out the foundation of data protection,D,30 What does residual risk mean?A Weakness of an asse
25、ts which can be exploited by a threat B Risk that remains after risk analysis has has been performed C The result of unwanted incident D The security risk that remains after controls have been implemented,D,31 Which of the following questions should any user not be able to answer regarding their org
26、anizations information security policy?A Where is the organizations security policy defined?B Who is involved in establishing the security policy?C What are the actions that need to be performed in case of a disaster?D Who is responsible for monitoring compliance to the organizations security policy
27、?,C,32 In a properly segregated environment,which of the following tasks is compatible with the task of security administrator?A Data entry B Systems programming C Quality assurance D Applications programming,C,33 The major objective of system configuration management is which of the following?A sys
28、tem maintenanceB system trackingC system stabilityD system operations,C,34 In an organization,an Information Technology security function should:A Be independent but report to the Information Systems function.B Be lead by a Chief Security Officer and report directly to the CEO.C Report directly to a
29、 specialized business unit such as legal,corporate security or insurance.D Be a function within the information systems function of an organization.,B,35 Who should measure the effectiveness of security related controls in an organization?A the central security manager B the local security specialis
30、t C the systems auditor D the business manager,C,36 What is a difference between Quantitative and Qualitative Risk Analysis?A fully qualitative analysis is not possible,while quantitative is B quantitative provides formal cost/benefit analysis and qualitative not C there is no difference between qua
31、litative and quantitative analysis D qualitative uses strong mathematical formulas and quantitative not,B,37 How is Annualized Loss Expectancy(ALE)derived from a treat?A ARO x(SLE-EF)B SLE x ARO C SLE/EF D AV x EF,B,38 One purpose of a security awareness program is to modify:A attitudes of employees
32、 with sensitive data.B corporate attitudes about safeguarding data.C employees attitudes and behaviors.D managements approach.,C,39 Controls are implemented to:A eliminate risk and reduce the potential for loss B mitigate risk and eliminate the potential for loss C eliminate risk and eliminate the p
33、otential for loss D mitigate risk and reduce the potential for loss,D,40 Who should decide how a company should approach security and what security measures should be implemented?A The information security specialistB AuditorC Senior managementD Data owner,C,41 Which of the following is the weakest
34、link in a security system?A People B Communications C Hardware D Software,A,42 ISO 17799 is a standard for:A Information Security ManagementB Implementation and certification of basic security measuresC Certification of public key infrastructuresD Evaluation criteria for the validation of cryptograp
35、hic algorithms,A,43Who of the following is responsible for ensuring that proper controls are in place to address integrity,confidentiality,and availability of IT systems and data?A Business and functional managersB Chief information officerC IT Security practitionersD System and information owners,D
36、,44 Related to information security,the guarantee that the message sent is the message received is an example of which of the following?A integrityB identityC availabilityD confidentiality,A,45 Which one of the following represents an ALE calculation?A asset value x loss expectancy B actual replacem
37、ent cost-proceeds of salvage C gross loss expectancy x loss frequency D single loss expectancy x annualized rate of occurrence,D,46 Which of the following choices is NOT part of a security policy?A description of specific technologies used in the field of information securityB definition of overall
38、steps of information security and the importance of securityC statement of management intend,supporting the goals and principles of information securityD definition of general and specific responsibilities for information security management,A,47 Which of the following statements pertaining to a sec
39、urity policy is incorrect?A It must be flexible to the changing environment.B Its main purpose is to inform the users,administrators and managers of their obligatory requirements for protecting technology and information assets.C It needs to have the acceptance and support of all levels of employees
40、 within the organization in order for it to be appropriate and effective.D It specifies how hardware and software should be used throughout the organization.,D,48 Which of the following could be defined as the likelihood of a threat agent taking advantage of a vulnerability?A A risk B A countermeasu
41、re C An exposure D A residual risk,A,49 Which of the following should be given technical security training?A Senior managers,functional managers and business unit managersB Security practitioners and information systems auditorsC IT support personnel and system administratorsD Operators,C,50 Related
42、 to information security,availability is the opposite of which of the following?A distribution B destruction C documentation D delegation,B,51 Which must bear the primary responsibility for determining the level of protection needed for information systems resources?A Seniors security analystsB systems auditorsC Senior ManagementD IS security specialists,C,52 What would best define risk management?A The process of eliminating the riskB The process of reducing risk to an acceptable levelC The process of assessing the risksD The process of transferring risk,B,
