QUIZ

1. Which of the following is not a responsibility of a database administrator?
   A. Maintaining databases
   B. Implementing access rules to databases
   C. Reorganizing databases
   D. Providing access authorization to databases
   Answer: D

2. According to governmental data classification levels, how would answers to tests and health care information be classified?
   A. Confidential
   B. Sensitive but unclassified
   C. Private
   D. Unclassified
   Answer: B

3. According to private sector data classification levels, how would salary levels and medical information be classified?
   A. Confidential
   B. Public
   C. Private
   D. Sensitive
   Answer: C

4. Which of the following are steps of a common development process for creating a security policy, standards and procedures?
   A. design, development, publication, coding, testing
   B. design, evaluation, approval, publication, implementation
   C. initial and evaluation, development, approval, publication, implementation, maintenance
   D. feasibility, development, approval, implementation, integration
   Answer: C

5. What is the main purpose of a security policy?
   A. to transfer the responsibility for the information security to all users of the organization
   B. to provide detailed steps for performing specific actions
   C. to provide a common framework for all development activities
   D. to provide the management direction and support for information security
   Answer: D

6. Which of the following department managers would be best suited to oversee the development of an information security policy?
   A. Security administration
   B. Human resources
   C. Business operations
   D. Information systems
   Answer: C

7. Which of the following is not a responsibility of an information owner?
   A. Running regular backups and periodically testing the validity of the backup data.
   B. Delegating the responsibility of data protection to data custodians.
   C. Periodically reviewing the classification assignments against business needs.
   D. Determining what level of classification the information requires.
   Answer: A

8. Which of the following is not a goal of integrity?
   A. Prevention of the modification of information by unauthorized users.
   B. Prevention of the unauthorized or unintentional modification of information by authorized users.
   C. Prevention of the modification of information by authorized users.
   D. Preservation of the internal and external consistency.
   Answer: C

9. Why do many organizations require every employee to take a mandatory vacation of a week or more?
   A. To lead to greater productivity through a better quality of life for the employee.
   B. To reduce the opportunity for an employee to commit an improper or illegal act.
   C. To provide proper cross training for another employee.
   D. To allow more employees to have a better understanding of the overall system.
   Answer: B

10. Which of the following would best relate to resources being used only for intended purposes?
   A. Availability
   B. Integrity
   C. Reliability
   D. Confidentiality
   Answer: A

11. Security of computer-based information systems is which of the following?
   A. technical issue
   B. management issue
   C. training issue
   D. operational issue
   Answer: B

12. Which of the following would be the first step in establishing an information security program?
   A. Development and implementation of an information security standards manual.
   B. Development of a security awareness-training program for employees.
   C. Purchase of security access control software.
   D. Adoption of a corporate information security policy statement.
   Answer: D

13. Which of the following tasks may be performed by the same person in a well-controlled information processing facility/computer center?
   A. Computer operations and system development
   B. System development and change management
   C. System development and systems maintenance
   D. Security administration and change management
   Answer: C

14. Computer security should not:
   A. Cover all identified risks.
   B. Be cost-effective.
   C. Be examined in both monetary and non-monetary terms.
   D. Be proportionate to the value of IT systems.
   Answer: A

15. Which of the following is most concerned with personnel security?
   A. Management controls
   B. Human resources controls
   C. Technical controls
   D. Operational controls
   Answer: D

16. Which of the following is most likely given the responsibility of the maintenance and protection of the data?
   A. Security administrator
   B. User
   C. Data custodian
   D. Data owner
   Answer: C

17. Who is responsible for providing reports to the senior management on the effectiveness of the security controls?
   A. Information systems security professionals
   B. Data owners
   C. Data custodians
   D. Information systems auditors
   Answer: D

18. Risk mitigation and risk reduction controls can be of which of the following types?
   A. preventive, detective, or corrective
   B. administrative, operational or logical
   C. detective, corrective
   D. preventive, corrective and administrative
   Answer: A

19. Which of the following would best classify as a management control?
   A. Review of security controls
   B. Documentation
   C. Personnel security
   D. Physical and environmental protection
   Answer: A

20. What is the goal of the Maintenance phase in a common development process of a security policy?
   A. to present the document to the approving body
   B. to write a proposal to management that states the objectives of the policy
   C. publication within the organization
   D. to review the document on the specified review date
   Answer: D

21. Which approach to a security program makes sure that the people actually responsible for protecting the company's assets are driving the program?
   A. The top-down approach
   B. The bottom-up approach
   C. The technology approach
   D. The Delphi approach
   Answer: A

22. The preliminary steps to security planning include all of the following EXCEPT which of the following?
   A. Determine alternate courses of action.
   B. Establish a security audit function.
   C. Establish objectives.
   D. List planning assumptions.
   Answer: B

23. IT security measures should:
   A. Be tailored to meet organizational security goals.
   B. Make sure that every asset of the organization is well protected.
   C. Not be developed in a layered fashion.
   D. Be complex.
   Answer: A

24. Which of the following embodies all the detailed actions that personnel are required to follow?
   A. Baselines
   B. Procedures
   C. Guidelines
   D. Standards
   Answer: B

25. Which of the following should NOT be addressed by employee termination practices?
   A. Deletion of assigned logon-ID and passwords to prohibit system access.
   B. Return of access badges.
   C. Employee bonding to protect against losses due to theft.
   D. Removal of the employee from active payroll files.
   Answer: C

26. Preservation of confidentiality in information systems requires that the information is not disclosed to:
   A. Authorized persons and processes
   B. Unauthorized persons.
   C. Unauthorized persons or processes.
   D. Authorized persons
   Answer: C

27. Which of the following statements pertaining to quantitative risk analysis is false?
   A. It requires a high volume of information
   B. It involves complex calculations
   C. It can be automated
   D. It involves a lot of guesswork
   Answer: D

28. All except which of the following are not used to ensure integrity?
   A. compliance monitoring services
   B. intrusion detection services
   C. communications security management
   D. firewall services
   Answer: A

29. Which of the following would violate the Due Care concept?
   A. Latest security patches for servers only being installed once a week
   B. Network administrator not taking mandatory two-week vacation as planned
   C. Security policy being outdated
   D. Data owners not laying out the foundation of data protection
   Answer: D

30. What does residual risk mean?
   A. Weakness of an asset which can be exploited by a threat
   B. Risk that remains after risk analysis has been performed
   C. The result of an unwanted incident
   D. The security risk that remains after controls have been implemented
   Answer: D

31. Which of the following questions should any user not be able to answer regarding their organization's information security policy?
   A. Where is the organization's security policy defined?
   B. Who is involved in establishing the security policy?
   C. What are the actions that need to be performed in case of a disaster?
   D. Who is responsible for monitoring compliance to the organization's security policy?
   Answer: C

32. In a properly segregated environment, which of the following tasks is compatible with the task of security administrator?
   A. Data entry
   B. Systems programming
   C. Quality assurance
   D. Applications programming
   Answer: C

33. The major objective of system configuration management is which of the following?
   A. system maintenance
   B. system tracking
   C. system stability
   D. system operations
   Answer: C

34. In an organization, an Information Technology security function should:
   A. Be independent but report to the Information Systems function.
   B. Be led by a Chief Security Officer and report directly to the CEO.
   C. Report directly to a specialized business unit such as legal, corporate security or insurance.
   D. Be a function within the information systems function of an organization.
   Answer: B

35. Who should measure the effectiveness of security related controls in an organization?
   A. the central security manager
   B. the local security specialist
   C. the systems auditor
   D. the business manager
   Answer: C

36. What is a difference between Quantitative and Qualitative Risk Analysis?
   A. fully qualitative analysis is not possible, while quantitative is
   B. quantitative provides formal cost/benefit analysis and qualitative does not
   C. there is no difference between qualitative and quantitative analysis
   D. qualitative uses strong mathematical formulas and quantitative does not
   Answer: B

37. How is Annualized Loss Expectancy (ALE) derived from a threat?
   A. ARO x (SLE - EF)
   B. SLE x ARO
   C. SLE/EF
   D. AV x EF
   Answer: B

38. One purpose of a security awareness program is to modify:
   A. attitudes of employees with sensitive data.
   B. corporate attitudes about safeguarding data.
   C. employees' attitudes and behaviors.
   D. management's approach.
   Answer: C

39. Controls are implemented to:
   A. eliminate risk and reduce the potential for loss
   B. mitigate risk and eliminate the potential for loss
   C. eliminate risk and eliminate the potential for loss
   D. mitigate risk and reduce the potential for loss
   Answer: D

40. Who should decide how a company should approach security and what security measures should be implemented?
   A. The information security specialist
   B. Auditor
   C. Senior management
   D. Data owner
   Answer: C

41. Which of the following is the weakest link in a security system?
   A. People
   B. Communications
   C. Hardware
   D. Software
   Answer: A

42. ISO 17799 is a standard for:
   A. Information Security Management
   B. Implementation and certification of basic security measures
   C. Certification of public key infrastructures
   D. Evaluation criteria for the validation of cryptographic algorithms
   Answer: A

43. Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
   A. Business and functional managers
   B. Chief information officer
   C. IT Security practitioners
   D. System and information owners
   Answer: D

44. Related to information security, the guarantee that the message sent is the message received is an example of which of the following?
   A. integrity
   B. identity
   C. availability
   D. confidentiality
   Answer: A

45. Which one of the following represents an ALE calculation?
   A. asset value x loss expectancy
   B. actual replacement cost - proceeds of salvage
   C. gross loss expectancy x loss frequency
   D. single loss expectancy x annualized rate of occurrence
   Answer: D

46. Which of the following choices is NOT part of a security policy?
   A. description of specific technologies used in the field of information security
   B. definition of overall steps of information security and the importance of security
   C. statement of management intent, supporting the goals and principles of information security
   D. definition of general and specific responsibilities for information security management
   Answer: A

47. Which of the following statements pertaining to a security policy is incorrect?
   A. It must be flexible to the changing environment.
   B. Its main purpose is to inform the users, administrators and managers of their obligatory requirements