The Most Advanced Business Management MCQ Test

Guidelines for how to implement policy

Authority for information security department

Basis for data classification

Recognition of information as an asset of the organization

Permit losses that aren't very important.

Be 100% effective in preventing loss.

Reduce losses to a pre-defined level that management can tolerate.

Reduce losses to within 10% of a pre-defined level

When responsibility for the conditions that cause the risk to arise is outside their department

When the cost of taking action outweighs the potential cost of the risk being realized.

When risk reduction measures may affect the productivity of the business.

Never - action should always be taken to reduce or eliminate an identified risk.

Threat and vulnerability analysis

Risk evaluation

ALE calculation

Countermeasure cost/benefit analysis

Job rotation

Least privilege

Special privilege

Separation of duties

Employee's attitude and behaviors

Management's approach

Attitudes of employees with sensitive data

Corporate attitudes about safeguarding data

Governance oversight

System security oversight

Human resource oversight

Business service oversight

Individual accountability

Access authentication

Authorization levels

Identification of users

The approval of the change management control team

The development of a detailed test plan

The formulation of specific management objectives

The communication process among team members

The company is a multi-national company

They have not exercised due care protecting computing resources

They have failed to properly insure computer resources against loss

The company does not prosecute the hacker that caused the breach

Monitor only during off hours

Obtain a search warrant prior to any monitoring

Not capture any network traffic related to monitoring employee's activity

Apply for a waiver from Interpol before monitoring

Privacy

Secrecy

Availability

Reliability

The fire caused critical business systems to be disabled for longer than the Recovery Time Objective

The fire alarms went off and the building had to be evacuated.

The trash can contained company sensitive documents.

The fire spread beyond the trash can and the fire department had to be called.

Identify the organization's key business functions

Identify the computer systems critical to the survival of the organization.

Estimate the financial impact a loss would have on the business based on how long an outage would last.

Acquire information from government agencies about the likelihood of a natural disaster occurring.

Risk assessment

Emergency response plan

Disaster recovery plan

Business impact analysis

It is the process of analyzing all business functions to determine the impact of an outage.

It is the process of analyzing corporate functions, such as accounting, personnel, and legal to determine which functions must operate immediately following an outage.

It is the process of documenting procedures and capabilities to sustain organizational essential functions at an alternate site.

It is the process of documenting viable recovery options for each business unit in the event of an outage.

Customer interruption impacts

Embarassment of loss of confidence impacts

Executive management disruption impacts

Revenue loss potential impact

A description of the settings that will provide the highest level of security

A brief high-level statement defining what is and is not permitted in the operation of a system

A definition of those items that must be denied on the system

A listing of tools and applications that will be used to protect the system

Recommendations for salary improvement of security professionals

Addressing privacy and health care requirements of employees

Alignment with organizational audit and marketing plans

Incorporating input from organizational privacy and safety professionals

Assure protection of organizational data and information

Select the technology solutions to enhance organizational security effectiveness

Identify potential risks to organizational employee behavior

Align organizational data protection schemes to business goals

Reliability

Need-to-know

Auditability

Trustworthiness

Service level agreements

Customer satisfaction

Policy

Profit

The Security Officer is responsible for ensuring that recommendations to executive management are full, accurate, and complete.

The Security Officer accepts the risk of system failures

The Security Officer reports to the Privacy Officer.

The Security Officer is responsible for protection of business information assets.

The regulations that affect a company within a state or country

The risk management processes and procedures within a company

The organizational structure that includes standards, procedures and policies

The organizational chart that describes who reports to whom as defined for a company

Commercial software

Shareware

Public domain

Freeware

World Intellectual Property Office (WIPO)

International Traffic in Arms Reductions (ITAR) Agreements

Organization for Economic Cooperation and Development (OECD)

Wassenaar Arrangement

Personal data should be relevant to the purpose for which they are to be used

Personal data might need to be protected by reasonable security safeguards as necessary

The use of personal data does not need to be disclosed at any time

There are no limits on the amount of personal data or the type of personal data that is collected.

RTO (Recovery Time Objective) is the amount of time it will take to recover all critical systems at an alternate site

RPO (Recovery Point Objective) is a measure of tolerable data loss

End of disaster is when all systems are recovered at the alternate site

End of disaster declaration occurs when the Security Manager determines that the activation was false alarm

A non-disclosure agreement

Their passwords

His or her badge

Any clothing items with the company logo

When exposure factor (EF) is unknown it should be assumed to be zero

Annual Rate of Occurrence (ARO) increases whenever Single Loss Expectancy (SLE) is greater than zero

ALE (Annual Loss Expectancy) equals Asset Value (AV) times EF times ARO

ALE equals AV times EF times SLE

Session hijacking

Shoulder surfing

Baiting

Tailgating

Option 5

Lack of compliance by staff

Large number of approved exceptions

Policy is short

Policy contains metrics

All data must be encrypted

Encryption is not required and due to the overhead of key management, is not warranted

Encryption of Patient Identification Information (PII) alone is required, and each sales person must have a unique key

Whole disk encryption is not required, but it is the easiest and safest solution

ISO 27000

The Wassenaar Arrangement

The Montreal Protocol

WIPO

A deterrent control

A detective control

A corrective control

A preventive control

A control put in place when another control is suspended or disabled

A control put in place to overcome the shortcomings of another control

A control put in place that automatically continues to protect the system when the primary control fails

A control that compensates for law enforcement or management's lack of technical skills

A symbol that represents an idea

A proprietary process or procedure

The expression of an idea

The idea itself

The employer owns the copyright since it is work for hire, but you may use it if you don't charge anyone for it, under fair use principles

The employer owns the copyright since it is work for hire so you many not use it under any circumstances without permission

As author you own the copyright and may use it any way you wish

You and the employer share the copyright and you may use it if you don't charge anyone for it

Determine asset value.

Assess the annualized rate of occurrence.

Derive the annualized loss expectancy.

Conduct a cost/benefit analysis.

Storage of information by a customer on a provider’s server

Caching of information by the provider

Transmission of information over the provider’s network by a customer

Caching of information in a provider search engine

The right to access

Privacy by design

The right to be forgotten

The right of data portability

Focused on assets

Focused on attackers

Focused on software

Focused on social engineering

Student identification number

Social Security number

Driver’s license number

Credit card number

Due diligence rule

Personal liability rule

Prudent man rule

Due process rule

Username

Personal identification number (PIN)

Security question

Fingerprint scan

Department of Defense

Department of the Treasury

State Department

Department of Commerce

GLBA

SOX

HIPAA

FERPA

FISMA

PCI DSS

HIPAA

GISRA

Memory chips

Office productivity applications

Hard drives

Encryption software

Spoofing

Repudiation

Tampering

Elevation of privilege