1. Which of the following elements ensures a policy is enforceable?
   A. Compliance can be measured.
   B. Appropriate sanctions are applied when the policy is violated.
   C. Appropriate administrative, technical, and physical controls are put in place to support the policy.
   D. All the above.

2. Which of the following is an example of an information asset?
   A. Business plans
   B. Employee records
   C. Company reputation
   D. All the above

3. Endorsed is one of the seven policy characteristics. Which of the following statements best describes endorsed?
   A. The policy is supported by management.
   B. The policy is accepted by the organization's employees.
   C. The policy is mandatory; compliance is measured; and appropriate sanctions are applied.
   D. The policy is regulated by the government.

4. Which of the following statements about standards and guidelines is true?
   A. Standards are mandatory, whereas guidelines are not.
   B. Guidelines are mandatory, whereas standards are not.
   C. Both standards and guidelines are mandatory.
   D. Neither standards nor guidelines are mandatory.

5. Which of the following grants users and systems a predetermined level of access?
   A. Accountability
   B. Authentication
   C. Authorization
   D. Assurance

6. What is the purpose of the policy definition section?
   A. To explain terms, abbreviations, and acronyms used in the policy
   B. To refer the reader to additional information
   C. To provide the policy version number
   D. To provide information about policy exceptions

7. Which of the following statements about standards and guidelines is true?
   A. Standards are mandatory, whereas guidelines are not.
   B. Guidelines are mandatory, whereas standards are not.
   C. Both standards and guidelines are mandatory.
   D. Neither standards nor guidelines are mandatory.

8. Which of the following best describes a procedure?
   A. Specifications for implementation of a policy
   B. Instructions on how a policy is carried out
   C. Aggregate of implementation standards and security controls
   D. Teaching tools that help people conform to a policy

9. Which of the following is the topmost object in the policy hierarchy?
   A. Standards
   B. Baselines
   C. Guidelines
   D. Guiding principles

10. Which of the following is a network of the national standards institutes of 146 countries?
   A. ISO
   B. NIST
   C. FIPS
   D. IEC

11. Which of the following is a behavioral control that can be used to safeguard against the loss of integrity?
   A. Rotation of duties
   B. Log analysis
   C. Code testing
   D. Digital signatures

12. Which of the following is a characteristic of the parallel approach to information security?
   A. Compliance is discretionary.
   B. Security is the responsibility of the IT department.
   C. Little or no organizational accountability exists.
   D. All the above.

13. Which of the following is the objective of risk assessment?
   A. Identify the inherent risk.
   B. Determine the impact of a threat.
   C. Calculate the likelihood of a threat occurrence.
   D. All the above.

14. Which of the following statements best describes strategic risk?
   A. Risk that relates to monetary loss
   B. Risk that relates to adverse business decisions
   C. Risk that relates to a loss from failed or inadequate systems and processes
   D. Risk that relates to violation of laws, regulations, or policy

15. Which of the following statements best describes the Biba security model?
   A. No read up and write up
   B. No write up and no write down
   C. No read up and no write down
   D. No read down and no write up

16. Which of the following is the highest classification level under the private sector classification system?
   A. Secret
   B. Protected
   C. Confidential
   D. Top secret

17. Which of the following best describes the purpose of security awareness?
   A. To teach skills that would allow a person to perform a certain function
   B. To focus attention on security
   C. To integrate all the security skills and competencies into a common body of knowledge
   D. To involve management in the process

18. Which of the following regulations explicitly specifies the topics that should be covered in security awareness training?
   A. FACTA
   B. HIPAA
   C. FCRA
   D. DPPA

19. Which of the following is a type of access control that is defined by a policy and cannot be changed by the information owner?
   A. Mandatory access control
   B. Discretionary access control
   C. Role-based access control
   D. Rule-based access control

20. Which of the following is an access control that is based on specific job roles or functions?
   A. Mandatory access control
   B. Discretionary access control
   C. Role-based access control
   D. Rule-based access control

21. Which of the following is used to associate a public key with an identity?
   A. Encryption
   B. Digital hash
   C. Digital certificate
   D. Digital signature

22. Identification of compliance requirements is done during which of the following phases of the SDLC?
   A. Initiation
   B. Development
   C. Implementation
   D. Operational

23. Which of the following is the most common web application vulnerability?
   A. Failure to validate output
   B. Failure to validate input
   C. Dynamic data validation
   D. Static data validation

24. Which of the following are components of PKI?
   A. Certification Authority
   B. Registration Authority
   C. Client nodes
   D. All the above

25. Which of the following best describes the purpose of the detection and investigation portion of the incident response plan?
   A. To describe the steps that need to be taken to prevent the incident from spreading
   B. To establish processes and a knowledge base to accurately detect and assess precursors and indicators
   C. To describe incident declaration and notification
   D. To describe the steps to eliminate the components of the incident

26. Which of the following is the total length of time an essential business function can be unavailable without causing significant harm to the organization?
   A. Maximum tolerable downtime
   B. Maximum tolerable uptime
   C. Recovery time objective
   D. Recovery point objective

27. Which of the following plans focuses on the initial response and includes plan activation, notification, evacuation, and communication?
   A. Response plans
   B. Contingency plans
   C. Recovery plans
   D. Resumption plans

28. Which of the following agencies regulates financial institutions not covered by other agencies?
   A. Federal Trade Commission (FTC)
   B. Commodity Futures Trading Commission (CFTC)
   C. National Credit Union Administration (NCUA)
   D. Federal Deposit Insurance Corporation (FDIC)

29. The Federal Reserve Board is responsible for regulating which of the following?
   A. Bank holding companies and member banks of the Federal Reserve System
   B. National banks, federal savings associations, and federal branches of foreign banks
   C. Federally chartered credit unions
   D. State-chartered banks

30. Which of the following statements best describes a healthcare clearinghouse?
   A. A person or organization that provides patient or medical services
   B. An entity that provides payment for medical services
   C. An entity that processes nonstandard health information it receives from another entity
   D. A person or entity that creates, receives, maintains, transmits, accesses, or has the potential to access ePHI

31. Which of the following best describes HIPAA administrative safeguards?
   A. Retention, availability, and update requirements related to supporting documentation
   B. The use of technical security measures to protect ePHI data
   C. Standards for business associate contracts and other arrangements
   D. Documented policies and procedures for managing day-to-day operations and access to ePHI

32. Which of the following statements best describes the HIPAA breach notification rules?
   A. Covered entities are required to notify individuals of any ePHI breach within 60 days after the discovery of the breach.
   B. Covered entities are required to notify individuals of a breach of unsecured ePHI within 60 days after the discovery of the breach.
   C. Covered entities are required to notify individuals of any ePHI breach within 30 days after the discovery of the breach.
   D. Covered entities are required to notify individuals of a breach of unsecured ePHI within 30 days after the discovery of the breach.

33. Which of the following is the goal of the integrity control standard?
   A. Implementing technical controls that protect ePHI from improper alteration or destruction
   B. Restricting access to ePHI only to users and processes that have been specifically authorized
   C. Implementing hardware, software, and mechanisms that record and examine activity in information systems that contain ePHI
   D. Verification that a person or process seeking to access ePHI is the one claimed

34. Which of the following is not one of the classification levels for national security information?
   A. Secret
   B. Protected
   C. Confidential
   D. Sensitive but Unclassified

35. Which of the following is an evidence-based examination that compares current practices against internal or external criteria?
   A. Testing
   B. Audit
   C. Assurance
   D. Assessment