Problem 6. Defining the scope of an ISMS is part of which phase of the BS7799 Part 2 Plan-Do-Check-Act cycle?
Plan
Do
Check
Act


Problem 7. A ____ is a more detailed statement of what must be done to comply with a policy.
procedure
standard
Guideline
Practice


Problem 8. ____ leaders are also known as "laid-back" leaders.
Autocratic
Laissez-faire
Democratic
Aristocratic


Problem 9. The information security policy is written during the ____ phase of the SecSDLC.
investigation
maintenance
implementation
design


Problem 10. Vulnerability Identification is a part of the ____ chapter of NIST SP 800-30.
Risk Assessment
Risk Mitigation
Evaluation and Assessment
Risk Management Overview


Problem 11. At the end of each phase of the security systems development life cycle (SecSDLC), a ____ takes place.
brainstorming session
structured discussion
structured review
planning session


Problem 12. The ____ section of ISO/IEC 17799:2005 addresses legal requirements, security policies and standards, and technical and information systems audit considerations.
human resources security
business continuity management
compliance
information security incident management


Problem 13. ____ controls deal with managerial functions and lower-level planning such as disaster recovery and incident response planning.
Managerial
Operational
Technical
Tactical


Problem 14. According to the C.I.A. triangle, the three desirable characteristics of information are confidentiality, integrity, and ____.
accountability
availability
authorization
authentication


Problem 15. ____ is an international standard framework that is based on the security model Information Technology-Code of Practice for Information Security Management.
ISO/IEC 17799
NIST SP 800-12
RFC 2196
NIST SP 800-26


Problem 16. Which of the following is a characteristic of the bottom-up approach to security implementation?
strong upper-management support
a clear planning and implementation process
systems administrators attempting to improve the security of their systems
ability to influence organizational culture


Problem 17. The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
Control environment
Risk assessment
Control activities
Information management


Problem 18. Which of the following is an advantage of the user support group form of training?
usually conducted in an informal social setting
formal training plan
can be live, or can be archived and viewed at the trainee's convenience
can be customized to the needs of the trainee


Problem 19. The ____ model describes the layers at which security controls can be applied.
NSTISSC
EISP
bull's-eye
policy


Problem 20. A policy acknowledgment screen that does not require any unusual action on the part of the user to move past it is a ____.
blow-by screen
first-parameter screen
light screen
peripheral screen


Problem 21. ____ evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness.
Systems testing
Risk assessment
Incident response
Planning


Problem 22. Very large organizations have ____ computers.
100 to 1,000
1,000 to 5,000
10,000 to 50,000
more than 10,000


Problem 23. During the ____ phase of the SecSDLC, the information security policy is monitored, maintained, and modified as needed.
implementation
maintenance
analysis
investigation


Problem 24. The logical design of a system is said to be ____ independent.
design
hardware
implementation
product


Problem 25. Which of the following is not a best practice recommendation from Microsoft for PC protection?
Use antivirus software
Avoid open source software
Build personal firewalls
Update product security


Problem 26. Which of the following is the first step in the process of implementing training?
identify training staff
identify target audiences
identify program scope, goals, and objectives
motivate management and employees


Problem 27. In NIST SP 800-26, the area of Physical Security comes under ____.
Management Controls
Operational Controls
Technical Controls
Personnel Controls


Problem 28. The protection of information and the systems and hardware that use, store, and transmit that information is known as ____.
security
information security
authentication
identification


Problem 29. Physical security is concerned with the protection of the ____.
people within the organization
physical assets of the organization
network devices of the organization
data of the organization


Problem 30. The ____ layer of the bull's-eye model consists of computers used as servers, desktop computers, and systems used for process control and manufacturing systems.
Policies
Networks
Applications
Systems


Problem 31. Security efforts that are among the best in the industry are referred to as ____.
best industry practices
best security models
best business models
best security practices


Problem 32. As part of DRP readiness, each employee should have two types of ____ information cards in his or her possession at all times.
emergency
medical
insurance
lottery


Problem 33. In the bull's-eye model, the ____ layer is the place where threats from public networks meet the organization's networking infrastructure.
Applications
Networks
Systems
Policies


Problem 34. ____ involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.
Security awareness
Security education
Security accountability
Security training


Problem 35. A ____ is a value or profile of a performance metric against which changes in the performance metric can be usefully compared.
target
framework
benchmark
baseline


Problem 36. ____ management is the administration of various components involved in the security program.
Configuration
Accounting
Fault
Performance


Problem 37. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of the ____ process.
accountability
authorization
identification
authentication


Problem 38. ____ is the transfer of live transactions to an off-site facility.
Remote journaling
Electronic vaulting
Database shadowing
Timesharing


Problem 39. A manager has informational, interpersonal, and ____ roles within the organization.
decisional
creative
security related
leadership


Problem 40. The COSO framework component ____ includes the policies and procedures to support management directives.
Control environment
Risk assessment
Control activities
Information management 

  • Category:- Computer Engineering
  • Reference No.:- M987631
