1-Mark
1. Information systems need to be resume if they are to be
a. Unreliable
b. Reliable
c. Accessible
d. All of above
Ans. B

2. Data and information in any information system are at risk from
a. Human error
b. Technical errors
c. Fraud
d. Accidents and disasters
e. All of above
Ans. E

3. Data and information come from many sources.
a. External
b. Internal
c. Both a & b
d. None of the above
Ans. C

4. When designing security controls, a business needs to address the factors
a. Prevention
b. Data recovery
c. Detection
d. All of the above
Ans. D

5. Business benefits from getting information system security right
a. Increase the capacity of a business
b. Security cannot be used to differentiate a business
c. By managing risk more effectively, a business cannot cut down on losses and potential legal liabilities
d. None of the above
Ans. A

6. Information that is obtained from ________ the business.
a. External
b. Internal
c. Technical
d. None of the above
Ans. A

7. _______ is the type of magnetic disk memory which consists of a flexible disk with a magnetic coating.
a. Tape storage
b. Floppy
c. Optical disk
d. CD-R
Ans. B

8. DVD stands for
a. Disk video digital
b. Digital versatile disk
c. Digital video disk
d. Both b & c
Ans. D

9. CD-RW disks are writable and cannot be erased and re-recorded upon over and over again.
a. True
b. False
Ans. F

10. Data storage includes
a. Permanent storage
b. Transient storage
c. Archival storage
d. All of above
Ans. D

11. UPS stands for
a. Unified power system
b. Uninterrupted power support
c. Uninterruptible power supply
d. None of the above
Ans. C

12. The process of implementing the security plan must be subjected to strong ________.
a. Business management
b. Project management
c. Security management
d. None of the above
Ans. B

13. SDLC stands for
a. Security development life cycle
b. System development life cycle
c. Software deployment life cycle
d. None of the above
Ans. B

14. The organization defines ________ information security policy requirements.
a. Low level
b. Middle level
c. High level
d. None of the above
Ans. C

15. In the _________ phase, the system is designed, purchased, programmed, developed.
a. Development phase
b. Both a & b
c. Acquisition phase
d. None of the above
Ans. C

16. In the implementation phase, the organization __________ system security features and tests the functionalities of these features.
a. Reconfigures and enables
b. Configures and enables
c. Ensures and enables
d. Supports and enables
Ans. B

17. CM stands for
a. Control management
b. Cyclic management
c. Configuration management
d. None of the above
Ans. C

18. ______ security controls level to identify potential & security related problems in the information system
a. System
b. Monitoring
c. Configuration
d. None of the above
Ans. B

19. The removal of information from a storage medium, such as hard disk or tape, is called
a.
b.
c.
d.
Ans. D

21. FISMA stands for
a. Federal initial security management association
b. Federal implementation system management agency
c. Federal information security management Act
d. None of the above
Ans. C

22. GPRA stands for
a. Govt. paperwork resource analyze
b. Government performance and result act
c. Govt. practice and result association
d. None of the above
Ans. B

23. GPEA stands for
a. Govt paperwork elimination act
b. Govt practice effectively approach
c. Govt performance efficient approach
d. None of the above

a.
b.
c.
d.
Ans. B

25. _______ process establishes an initial set of metrics.
a. Making implementation
b. Process implementation
c. Making development
d. None of the above
Ans. B

26. The process steps do not need to be
a. Random
b. Sequential
c. a & b
d. None of the above
Ans. B

27. _______ is a useful tool that facilitates integration of information security into the departmental capital planning process.
a. Metrics development
b. Metrics implementation
c. Metrics weightily
d. All of the above
Ans. C

28. Information security metrics should be used for
a. Monitoring information security control performance
b. Initiating performance improvement actions
c. Both a & b
d. None of the above
Ans. C

Ans. C

30. Collect data and analyze results includes the activities:
a. Identify areas requiring improvement
b. Identify causes of poor performance
c. a & b
d. None of the above
Ans. C

31. The ___________ phase identifies corrective actions and involves developing a plan that will provide the road map of how to close the implementation gap.
a. Collect data and analyze results
b. Prepare for data collection
c. Identify corrective actions
d. All of the above
Ans. C

32. The apply corrective actions phase involves
a. Implementing corrective actions
b. Addressing the budget cycle
c. Establishing a comprehensive information security
d. Identify corrective cycle
Ans. A

33. SAISO stands for
a. System analysis information security officer
b. Senior agency information security officer
c. Secure analysis implementation system output
d. None of the above
Ans. B

34. GSS means
a. General support system
b. General secure system
c. Good system support
d. Good software system
Ans. A

35. ______ is responsible for developing and monitoring an agency-wide information security.
a. SAISO
b. CIO
c. GSS
d. MA
Ans. B

36. The information system owner is the agency official responsible for the overall procurement, development.
a. True
b. False
Ans. A

37. _______ is responsible for establishing the controls for information generation, collection, processing and disposal.
a. Chief information officer
b. Information owner
c. Both a & b
d. None of the above
Ans. B

38. COOP stands for
a. Common object oriented process
b. Contingency of operation process
c. Continuity of operation planning
d. None of the above
Ans. C

39. _____ means dealing with a concern before it becomes a crisis.
a. Support system
b. Risk management
c. Software management
d. Process management
Ans. B

40. _______ is defined as "the possibility of suffering harm or loss; danger."
a. Process
b. Risk
c. Security
d. All of the above
Ans. B
2-Marks
41. Risk management gives us a _________ to provide visibility into threats to project success.
a. Structured mechanism
b. Risk mechanism
c. Project mechanism
d. None of the above
Ans. A

42. Controlling risk means ________.
a. Increasing uncertainty
b. Reducing uncertainty
c. Risk analysis
d. None of the above
Ans. B

43. Proactive risk management doesn't necessarily mean avoiding projects that
a. Could not incur a high level of risk
b. Could incur a low level of risk
c. Could incur a high level of risk
d. Could not incur a low level of risk
Ans. C

45. ______ is the application of appropriate tools and procedures to contain risk within acceptable limits.
a. Risk assessment
b. Risk management
c. Risk control
d. All of the above
Ans. B

46. Risk analysis involves examining
a. How project outcomes might change with modification of risk input variables
b. How project inputs might change without modification of risk variables
c. Both a & b
d. None of the above
Ans. A

47. Vulnerabilities can be identified
a. Using a combination of a number of techniques and sources
b. Using a combination of a number of procedures & rules
c. Using a combination of a number of threats
d. All of the above
Ans. A

48. The analysis of controls in place to protect the system can be
a. Accomplished using a checklist or questionnaires
b. Determining the level of risk to a system is impact
c. Both a & b
d. None of the above
Ans. A

49. The goal of the control recommendation is to
a. Increase the level of risk to the information system
b. Reduce the level of risk to the information system
c. Analyze the level of risk to the information system
d. All of the above
Ans. B

50. The risk assessment report is the mechanism used to formally
a. Provide a mechanism to solve errors
b. Help agencies identify & select controls for the organization
c. Report the results of all risk assessment activities
d. None of the above
Ans. C

51. The risk assessment report should describe
a. The scope of the assessment based on the system characterization
b. Methodology used to conduct the risk assessment
c. Estimation of the overall posture of the system
d. All of the above
Ans. D

52. The second phase of the risk management process is ________.
a. Risk analysis
b. Risk mitigation
c. Risk determination
d. Risk assessment
Ans. B

53. The incident response team's expertise should be used to establish recommended security systems.
a. True
b. False
Ans. A

54. Organizations should not be prepared to collect a set of objective and subjective data for each incident.
a. True
b. False
Ans. B

55. Preventing problems is less costly and more effective than reacting to them after they occur.
a. True
b. False
Ans. A

56. Risk management planning produces a plan for dealing with each significant risk.
a. True
b. False
Ans. A

57. The responsibilities / duties of the chief information owner are
a. Establishing the rules for the appropriate use and protection of the subject data / information
b. Deciding who has access to the information system and determining what types of privileges or access rights
c. Assisting in identifying and assessing the common security controls where the information resides
d. All of above
Ans. D

58. The responsibilities / duties of the chief information officer are
a. Managing the identification, implementation and assessment of common security controls
b. Identifying and developing common security controls for the agency
c. Ensuring that personnel with significant responsibilities for system security plans are trained
d. All of the above
Ans. D

59. Matching
1. CD-R                  i. Rewritable
2. Mitigation approach   ii. SDLC
3. CD-RW                 iii. Risk must planning
4. Disposal phase        iv. Write-once media
a. 1-iv, 2-iii, 3-i, 4-ii
b. 1-iii, 2-ii, 3-iv, 4-i
c. 1-i, 2-iv, 3-iii, 4-ii
d. 1-i, 2-ii, 3-iii, 4-iv
Ans. A

60. The system owner must understand who is responsible for
a. Implementing controls
b. Identifying the risk that this extension of trust will generate
c. a & b
d. None of the above
Ans. C

61. The information security metrics program implementation process has six phases. Arrange these phases in order.
a. Collect data & analysis, obtain resources, develop business case, identify corrective action, apply corrective action, prepare & data collection
b. Prepare for data collection, collect data and analysis result, identify corrective actions, develop business case, obtain resource, apply corrective action
c. Develop business cases, identify corrective actions, apply corrective actions, correct data and analyze result, prepare & data collection, obtain resources
d. Apply corrective action, obtain resources, develop business case, identify corrective actions, collect data & analyze result, prepare data collection
Ans.

62. Risk management planning produces a plan for dealing with each significant risk, including mitigation approach, owners and timelines.
a. True
b. False
Ans. A

63. How to find the risk exposure
a. Total risk exposure = product of (probability + impact)
b. Total risk exposure = sum of (probability + impact)
c. Total risk exposure = sum of (probability + impact)
d. Total risk exposure = sum of (probability impact)
Ans. C

65. If an observation is rated as moderate risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
a. True
b. False
Ans. A

66. The information security metrics development process has 7 phases. Arrange all these phases in proper sequence.
a. Goals and objectives, stakeholders and interests, policies guidance and procedures, level of implementation, program results, program implementation, business mission impact
b. Stakeholders & interests, goals and objectives, policies, program implementation, level of implementation, program results, business mission
c. Both a & b
d. None of the above
Ans. B

67. System security plans are not living documents that require periodic review, modification and plans of action and milestones (POA&M) for implementing security controls.
a. True
b. False
Ans. B

68. The ISSO has the following responsibilities related to system security plans:
a. Assisting the SAISO in identifying and implementing the common security controls
b. Actively supporting the development and maintenance of the system security plan
c. Both a & b
d. None of the above
Ans. C

69. If a set of information resources is identified as an information system, the resources should not be under the same direct management control.
a. True
b. False
Ans. B

70. A risk management process provides
a. A number of benefit process
b. A number of benefits to the project team
c. A number of losses to process
d. All of above
Ans. B

71. Risk prioritization helps the project focus on its most severe risks by assessing the risk exposure.
a. True
b. False
Ans. A

72. Match the following
1. Earthquakes                    i. Human threats
2. Intentional or unintentional   ii. Environment threats
3. Power failure                  iii. Natural threats
a. 1-i, 2-ii, 3-iii
b. 1-iii, 2-i, 3-ii
c. 1-iii, 2-ii, 3-i
d. None of the above
Ans. A

74. Recovery may involve actions such as:
a. Restoring systems from clean backups
b. Installing patches
c. Replacing compromised files with clean versions
d. All of the above
Ans. D

75. In the process of preparing to collect incident data, organizations should focus on collecting data that is actionable rather than collecting data simply because it is available.
a. True
b. False
Ans. A