CIS502 Theories of Security Management

School: Strayer University
Course: 502
Subject: Computer Science
Date: Jan 9, 2024
Type: docx
Pages: 106
Uploaded by stephculbreth
CIS502 Theories of Security Management: Week 1-10, Chapter 1-12 Questions Compilation, Practice Test A & B

Week 1

1. Which of the following describes the correct relationship between confidentiality and privacy?
   Answer: Confidentiality is about keeping information secret so that we retain advantage or do not come to harm; privacy is about choosing who can enter into one's life or property.
   Explanation: Confidentiality is about keeping information secret so that we retain advantage or do not come to harm. Keeping information secret means agreeing to limit or control how (or if) that information can be passed on to others. Privacy is the freedom from intrusion into your own affairs, person, property, or ideas. The other options either confuse confidentiality with privacy or do not define or use the concepts correctly.

2. How can you turn data into knowledge?
   Answer: You use lots of data to observe general ideas and then test those ideas with more data you observe until you can finally make broad, general conclusions. These conclusions are what are called knowledge.
   Explanation: You use lots of data to observe general ideas and then test those ideas with more data you observe until you can finally make broad, general conclusions. These conclusions are called knowledge. The hierarchy of data to knowledge represents the results of taking the lower-level input (i.e., data) and processing it with business logic that uses other information you've already learned or processed, so that you now have something more informative, useful, or valuable.

3. Which of the following are the individual facts, observations, or elements of measurement?
   Answer: Data
   Explanation: Data are the individual facts, observations, or elements of measurement, such as a person's name or their residential address. Information results when we process data in various ways; information is data plus conclusions or inferences. Knowledge is a set of broader, more general conclusions or principles that we've derived from lots of information. Wisdom is the insightful application of knowledge.

4. Jayne discovers that someone in the company's HR department has been modifying employee performance appraisals. If done without proper authorization, this would be what kind of violation?
   Answer: Integrity
   Explanation: The correctness or wholeness of the data may have been violated, inflating some employees' ratings while deflating others. This violates the presumed integrity of the appraisal data. Presumably, HR staff have legitimate reasons to access the data, and even to enter or change it, so it is not a confidentiality violation; since the systems are designed to store such data and make it available for authorized use, privacy has not been violated. Appraisals have not been removed, so there are no availability issues.

5. At a job interview, Fred is asked by the interviewer about activities, pictures, and statements he's made by posting things on his Facebook and LinkedIn pages. This question by the interviewer:
   Answer: Is a legitimate one, since these pages are published by Fred, and therefore are speech he has made in public places.
   Explanation: The question by the interviewer is a legitimate one, since these pages are published by Fred, and therefore are speech he has made in public places. What we say and do in public places is by definition visible to anyone who wants to watch or listen. Publishing a letter or a book, or writing on a publicly visible social media page, is also considered public speech. We have no reasonable expectation of privacy on social media - we have no basis on which to assume that by posting something on our private pages, others whom we've invited to those pages will not forward that information on to someone else.

6. A thunderstorm knocks out the commercial electric power to your company's datacenter, shutting down everything. This impacts which aspect of information security?
   Answer: Availability
   Explanation: If the equipment cannot run because there is no power, then no data stored in it can be displayed, printed, or shared with users - the data is not available. The given scenario impacts the availability aspect of information security.

7. What is business logic?
   Answer: The set of rules that dictate or describe the processes that a business uses to perform the tasks that lead to achieving the required results.
   Explanation: Business logic is the set of rules that dictate or describe the processes that a business uses to perform the tasks that lead to achieving the required results, goals, or objectives. The rules and constraints by themselves are not the business logic. Processes (software or people procedures) are not business logic, but they should accurately and effectively implement that logic.

8. How does business logic relate to information security?
   Answer: Business logic represents decisions the company has made and may give it a competitive advantage over others in the marketplace; it needs to be protected from unauthorized change. Processes that implement the business logic need to be available to be run or used when needed. Thus: confidentiality, integrity, and availability.
   Explanation: The sequence of steps in a process (such as a recipe for baking a cake) reflects the logic and knowledge of what needs to be done, in what order, and within what limits, as well as the constraints to achieve the desired conditions or results. That's what business logic is. Most businesses know how to do something that they do better, faster, or cheaper than their competitors, and thus their business logic gives them an advantage in the marketplace.

9. Your company uses computer-controlled machine tools on the factory floor as part of its assembly line. This morning, you've discovered that somebody erased a key set of machine control parameter files, and the backups you have will need to be updated and verified before you can use them. This may take most of the day to accomplish. What information security attribute is involved here?
   Answer: Integrity
   Explanation: Although it is clear that the necessary parameter files are not available, this seems to have been caused because somebody could violate the integrity requirements of those files - deleting them does not seem to have been an authorized change.

10. The protection of intellectual property (IP) is an example of what kind of information security need?
   Answer: Confidentiality
   Explanation: The protection of intellectual property (IP) is an example of confidentiality. Disclosure of intellectual property in unauthorized ways can end up giving away any competitive advantage that IP might have had for the business.

11. When you compare safety to security for information systems, which of the following statements are correct? (Choose all that apply.)
   Answers:
   - When information security measures fail to keep critical data available and correct, the resulting system malfunctions could lead to loss of revenue, property damage, injury, or death.
   - Keeping a system safe also means "safe from harm," and thus means much the same as keeping it secure.
   Explanation: "Safety" for information systems can mean keeping the system from suffering damage, keeping the system from failing in ways that cause damage, or both. Thus, Options A and C are correct, though they are different aspects of safety.

12. John works as the chief information security officer for a medium-sized chemical processing firm. Which of the following groups of people would not be stakeholders in the ongoing operation of this business?
   Answer: State and local tax authorities
   Explanation: All other groups have a valid personal interest in the success and safe operation of the company; a major chemical spill or fire producing toxic smoke, for example, could directly injure them or damage their property. Although state and local tax authorities might also suffer a loss of revenues in such circumstances, they are not involved with the company or its operation in any way.

13. Suppose that you work for a business or have a business as your client. As an SSCP, which of the following groups do you have responsibilities to? (Choose all that apply.)
   Answers:
   - Coworkers, managers, and owners of the business that employs you (or is your client).
   - Competitors of the business that employs you or is your client.
   - Customers, suppliers, or other companies that work with this business.
   - People and groups that have nothing to do with this business.
   Explanation: Options A and C represent direct or indirect stakeholders in the business that employs the SSCP. Options B and D represent other members of society, and you owe them professional service as an SSCP as well. The service you owe others in the marketplace would not include divulging your employer's private data, of course!

14. We often hear people talk about the need for information systems to be safe and reliable. Is this the same as saying that they need to be secure?
   Answer: Yes, because the objective of information security is to increase our confidence that we can make sound and prudent decisions based on what those information systems are telling us, and in doing so cause no harm.

15. As an SSCP, you work at the headquarters of a retail sales company that has many stores around the country. Its training department has prepared different training materials and operations manuals for in-store sales, warehouse staff, and other team members to use in their jobs. Most of these describe procedures that people do as they work with one another or with customers. From an information security standpoint, which of the following statements are correct?
   Answer: If the company has decided that the content of these training materials is proprietary or company confidential, then their confidentiality must be protected. They must also be protected from tampering or unauthorized changes and be available to staff in the stores to use when they need them, if the company is to do business successfully. Therefore, information security applies.

16. Due diligence means which of the following?
   Answer: Monitoring and assessing that the actions you've taken to fulfill your responsibilities are working correctly and completely.
   Explanation: Due diligence is continually monitoring and assessing whether the necessary and prudent steps are achieving the required results and whether they are still necessary, prudent, and sufficient. It is the verification that all is being done well and properly.

17. What do we use protocols for? (Choose all that apply.)
   Answers:
   - To conduct ceremonies, parades, or how we salute superiors, sovereigns, or rulers
   - To have a conversation with someone and keep a disagreement from turning into a hostile, angry argument
   - To connect elements of computer systems together so that they can share tasks and control each other
   Explanation: These options show the human social communications need for signaling one another about the communication we're trying to achieve.

18. As the IT security director, Paul does not have anybody looking at systems monitoring or event logging data. Which set of responsibilities is Paul in violation of?
   Answer: Due diligence
   Explanation: Paul is violating the responsibilities of due diligence. The fact that systems monitoring and event data is collected at all indicates that Paul or his staff determined it was a necessary part of keeping the organization's information systems secure - they took (due) care of those responsibilities. But by not reviewing the data to verify proper systems behavior and use, or to look for potential intrusions or compromises, Paul has not been diligent. Integrity and availability do not relate to the given scenario.

19. Why is the preamble to the (ISC)2 Code of Ethics important to us as SSCPs?
   Answer: It is vital to understand the code because it sets purpose and intention; it's our mission statement as professionals.

20. Do the terms cybersecurity, information assurance, and information security mean the same thing? (Choose all that apply.)
   Answers:
   - Yes, but each finds preference in different markets and communities of practice.
   - No, because different groups of people in the field choose to interpret these terms differently, and there is no single authoritative view.
   Explanation: In many respects, the debate about what to call what we're studying is somewhat meaningless. Option B shows that in different communities the different terms are held in greater or lesser favor. It is how people use terms that establishes their meaning, and not what a "language authority" declares the terms to mean. Option A describes this common use of different terms as if they are different ideas - defense and intelligence communities, for example, prefer "cybersecurity," whereas financial and insurance risk managers prefer "information assurance." And yet defense will use "information assurance" to refer to what senior commanders need when making decisions, and everybody talks about "information security" as if all it involves is the hard, technical stuff - but didn't cybersecurity cover that?

21. An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
   Answer: Mandatory vacation

22. Which of the following is not one of the four canons of the (ISC)2 Code of Ethics?
   Answer: Avoid conflicts of interest that may jeopardize impartiality.

23. Which of the following is not one of the canons of the (ISC)2 Code of Ethics?
   Answer: Maintain competent records of all investigations and assessments.

24. You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?
   Answer: Confidentiality

25. Gina recently took the SSCP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 Code of Ethics is most directly violated in this situation?
   Answer: Advance and protect the profession.

26. Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
   Answer: Integrity

27. Frank discovers a keylogger hidden on the laptop of his company's chief executive officer. What information security principle is the keylogger most likely designed to disrupt?
   Answer: Confidentiality

28. Which of the following security programs is designed to establish a minimum standard common denominator of security understanding?
   Answer: Awareness

29. Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization's security. There are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?
   Answer: Hashing
   Explanation: You can add hashing, which allows you to computationally verify that a file has not been modified between hash evaluations. Hashing the entire contents of a file produces a long-form error detection and correction code; by reapplying the hash function and comparing the resultant hash value to the one stored with the file, a mismatch indicates the file may have been corrupted or changed.

30. The (ISC)2 Code of Ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code?
   Answer: Disclose breaches of privacy, trust, and ethics.
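The periodic hash check described in the answer to question 29, as an added example that is not part of the study guide: a baseline of SHA-256 digests is recorded once, and a later pass re-hashes each file and reports it as unchanged, modified, or missing. File names and contents are constructed in a temporary directory so the script runs offline.

```python
"""Periodic file-integrity check by stored hash (added example)."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the current digest of each file; this is the 'stored' hash."""
    return {path: hash_file(path) for path in paths}


def verify(baseline):
    """Re-hash every baselined file and classify it against the stored digest."""
    report = {"ok": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif hash_file(path) != expected:   # mismatch: corrupted or changed
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo():
    """Constructed scenario: three historical records; one is edited, one deleted."""
    workdir = tempfile.mkdtemp()
    names = ["ledger-2019.txt", "ledger-2020.txt", "ledger-2021.txt"]
    paths = [os.path.join(workdir, n) for n in names]
    for p in paths:
        with open(p, "w") as f:
            f.write("historical record, must never change\n")
    baseline = build_baseline(paths)           # taken while files are known-good
    with open(paths[1], "a") as f:             # simulate an unauthorized edit
        f.write("tampered\n")
    os.remove(paths[2])                        # simulate a deleted record
    report = verify(baseline)
    # Return base names per category so the outcome is easy to inspect.
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}
```

In practice the baseline should be kept apart from the files it protects (read-only or signed), since anyone able to alter a record could otherwise update a hash stored beside it.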