2/24/2019 Take Test: Final Exam – 2019_SPR_IG_Operations Security_25
https://ucumberlands.blackboard.com/webapps/assessment/take/launch.jsp?course_assessment_id=_97140_1&course_id=_107985_1&content_id=… 1/11
Take Test: Final Exam
Test Information
Instructions: Multiple Attempts: Not allowed. This test can only be taken once. Force Completion: This test can be saved and resumed later.
The final exam is comprehensive, covering chapters 1 - 15. There are 100 multiple choice questions.
QUESTION 1
Privacy regulations involve two important principles. _____________________ gives the consumer an understanding of what and how data is collected and used. ________________________ provides a standard for handling consumer information.
Business liability, Legal obligation Acceptable use policies, Data encryption Full disclosure, Legal obligation Full disclosure, Data encryption
QUESTION 2
The ___________________ is a 1999 law that came into being to repeal existing laws so that banks, investment companies, and other financial services companies could merge.
The Health Insurance Portability and Accountability Act (HIPAA) The Federal Information Security Management Act (FISMA) The Gramm-Leach-Bliley Act (GLBA) The Sarbanes-Oxley (SOX) Act
QUESTION 3
During the process of developing a communications plan, it is necessary to ask the question, __________________.
“Who is communicating?” “What is the intended message?” “What is the target audience?” “How is it communicated?”
QUESTION 4
Which of the following is the most important reason why data needs to be both retrievable and properly stored?
Companies are required by law to retain all data on record. Companies need to have a record of customer and vendor contact information. Companies cannot ensure that the destruction of data will be successful. Companies need to maintain data for the purpose of keeping an audit trail.
QUESTION 5
A major defense corporation rolls out a campaign to manage persistent threats to its infrastructure. The corporation decides to institute a ___________________ to identify and evaluate the knowledge gaps that can be addressed through additional training for all employees, even administrators and management.
needs assessment new policy communications plan branding campaign
QUESTION 6
Consider this scenario: A health insurer in Oklahoma settled a class-action lawsuit after having reported that one laptop was stolen in 2008; this laptop contained personal data of more than 1.6 million customers. Based on the fact that the laptop was not encrypted, and that employees were lacking in security awareness training, which of the following statements captures the root cause of this breach?
The security measures required by HIPAA were not sufficiently observed. The thorough implementation of security policies was not something that the executive management prioritized. The security policies were routinely ignored by company employees. The HIPAA regulations were unclear and difficult to implement.
QUESTION 7
A ________________ is a technological term used in security policy to describe a future state in which specific goals and objectives have been achieved and which processes, resources, and tools are needed to achieve those goals and objectives.
threat vector target state agent communications plan
QUESTION 8
________________ functions as a preventive control designed to prevent mistakes from happening. ________________functions as a detective control intended to improve the quality over time by affording opportunities to learn from past mistakes.
Quality control; Quality assurance Governance; Nonrepudiation Quality assurance; Quality control Quality control; Business as usual
QUESTION 9
Which of the following domains addresses schedules and deliverables? Plan, Organize, and Perform Build, Acquire, and Implement Deliver, Service, and Support Evaluate, Assess, and Review
QUESTION 10
Which of the following statements illustrates the importance of the LAN-to-WAN domain to an organization’s security?
The significance of the LAN is that it controls network traffic to the private network, which is the WAN. The LAN-to-WAN Domain is many organizations’ connection to the Internet. Many organizations have an internet presence so they can deliver content to their clients. The LAN needs to establish a secure connection to the WAN to ensure that traffic is thoroughly inspected and carefully filtered.
QUESTION 11
When implementing a framework, the two main considerations for implementation are _____________ and _____________.
platform, infrastructure cost, impact cost, infrastructure impact, granularity
QUESTION 12
The security posture of an organization is usually expressed in terms of ___________________, which generally refers to how much risk an organization is willing to accept to achieve its goal, and ____________________, which relates how much variance in the process an organization will accept.
risk assessment, risk manageability risk tolerance, risk appetite risk awareness, risk reduction risk appetite, risk tolerance
QUESTION 13
A(n)______________________ aligns strategic goals, operations effectiveness, reporting, and compliance objectives.
operational risk committee layered security approach enterprise risk management framework governance, risk management, and compliance framework
QUESTION 14
_____________________ denotes the use of human interactions to gain any kind of desired access. Most often, this term involves exploiting personal relationships by manipulating an individual into granting access to something a person should not have access to.
value delivery tone at the top social engineering strategic risk
QUESTION 15
Which of the following statements captures the function of guidelines presented in guidance documents for IT security?
Guidelines may present conventional thinking on a specific topic and seldom require revision. Guidelines are generally mandatory, and failing to follow them explicitly can lead to compliance issues. Guidelines assist people in creating unique and distinct procedures or processes that are specific to the needs of a particular company’s IT security needs. Guidelines provide those who implement standards/baselines more detailed information such as hints, tips, and processes to ensure compliance.
QUESTION 16
___________________________ are formal written policies describing employee behavior when using company computer and network systems.
Mitigating controls Nondisclosure agreements Confidentiality agreements Acceptable use policies
QUESTION 17
In general, it’s not a good idea to implement significant policy changes during a _______________. change in leadership reduction in force new quarter separation of duties
QUESTION 18
If a security policy clearly distinguishes the responsibilities of computer services providers from those of the managers of applications who use the computer services, which of the following goals is served?
accountability confidentiality scope compliance
QUESTION 19
When a CISO is seeking executive buy-in for implementing security policies with respect to a target state, the dialogue should make certain to address each of the following except:
the degree of commitment being solicited of the executive and his or her team how the policies will impact the present environment what risks are specifically addressed by the policy the names of the team members who were consulted to create the policy
QUESTION 20
In an issue-specific standard, the ___________________________section defines a security issue and any relevant terms, distinctions, and conditions.
definition of roles and responsibilities statement of applicability statement of the organization’s position statement of an issue
QUESTION 21
Generally, regardless of threat or vulnerability, there will ____________ be a chance a threat can exploit a vulnerability.
never occasionally always seldom
QUESTION 22
_______________ is a measurement that quantifies how much information can be transmitted over the network.
Memory DMZ Cloud storage Bandwidth
QUESTION 23
Consider this scenario: A major software company finds that code has been executed on an infected machine in its operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12 days later. Which of the following statements best describes the company’s approach?
The company effectively implemented data classification. The company effectively implemented quality control. The company effectively implemented patch management. The company effectively implemented quality assurance.
QUESTION 24
The term ________________ denotes data that is being stored on devices like a universal serial bus (USB) thumb drive, laptop, DVD, CD, or server. The term ______________ denotes data that exists in a mobile state on the network, such as data on the Internet, wireless networks, or a private network.
data at rest, data in transit data in transit, data at rest data on record, data in motion data in transit, data on record
QUESTION 25
There are many distinct benefits to control measurement. Which of the following benefits is the result of determining which security controls to measure?
defines the effectiveness of the controls being measured defines the scope of the compliance being measured defines the impact to the business if the goals are not achieved defines how the policy will be enforced
QUESTION 26
In the Build, Acquire, and Implement domain, the ability to manage change is very important. Thus, there are often ___________________ set to avoid disrupting current services while new services are added.
authentications entitlements upgrades guidelines
QUESTION 27
The National Security Information document EO 12356 explains the U.S. military classification scheme of top secret, secret, confidential, sensitive but unclassified, and unclassified. Which of the following data can be reasonably expected to create serious damage to national security in the event that it was subject to unauthorized disclosure?
top secret secret confidential sensitive but unclassified
QUESTION 28
At Stanford University, data is labeled according to a classification scheme that identifies information in the following way: prohibited, restricted, confidential, and unrestricted. Which of the following schemes has Stanford adopted?
customized classification business classification legal classification military classification
QUESTION 29
Which of the following scenarios demonstrates consideration of building consensus on intent? A manager calls a meeting with employees to announce when new security policies will be implemented in the organization. A manager calls a meeting with employees to discuss the drivers for the change in terms of the architecture operating model and principles. A manager shares policy documents with employees to gain feedback for revision before implementation. A manager seeks the expertise of technical staff with specific technical knowledge in the area about a particular policy area.
QUESTION 30
In order to be compliant with Payment Card Industry Data Security Standard (PCI DSS), one of the control objectives that should be included in one’s security policies and controls is building and maintaining a secure network. The reason for this is as follows:
to require monitoring access to cardholder and periodic penetration testing of the network to specify how to maintain secure systems and applications, including the required use of antivirus software to require that security policies reflect the PCI DSS requirements, and that these policies are kept current and an awareness program is implemented to have a specific firewall, system password, and other security network layer controls
QUESTION 31
_____________ risk is the possible outcome that can occur when an organization or business unsuccessfully addresses its fiscal obligations.
Monetary Financial Strategic Compliance
QUESTION 32
A procedure document should accompany every baseline document. Which of the following is a true statement about the circumstances for when a procedure document needs to be created to support the baseline document?
The most important part about a procedure document is that it guarantees that administrators know how to access and implement the baseline configuration. The tools and methods for all configurations are unique, so a new procedure document always needs to be generated. Every device configuration requires a specific procedure, so there needs to be a related procedure document. Because many configuration processes reuse the same procedure, there does not need to be a new procedure document for every configuration.
QUESTION 33
An occurrence that transgresses an organization’s security policies is known as an incident. Which of the following is not an example of a security incident?
non-permitted access to any computer system a server crash that was accidentally caused duplicating customer information derived from a database non-permitted use of computer systems for purpose of gaming
QUESTION 34
When reporting incidents, it is necessary to institute transparent procedures for filing incident reports. The process of incident classification is known as triage. When triage is set in motion, the severity of the threat is assessed. For example, ___________________ occurs when there are a number of unauthorized scans, system probes, or widespread viruses detected; the event also necessitates manual intervention.
severity 1 severity 2 severity 3 severity 4
QUESTION 35
The department responsible for providing security training to new employees is the _______________. IT PR CISO HR
QUESTION 36
After management has created and agreed upon its policies, it must then determine how these policies will be implemented. Which of the following is not one of the processes that line management will follow in order to make the new policies operational?
It will ensure that all members on the front-line team have received training. It will take on the responsibility of being the point person for contact. It will ensure that users with the most sensitive security access especially adhere to the policies. It will apply the policies in an even and consistent manner.
QUESTION 37
Which of the following types of baseline documents is often created to serve the demands of the workstation domain?
content-blocking tools configuration standard virus scanner configuration standards intrusion detection and prevention tools configuration standard proxy server configuration standard
QUESTION 38
Which of the following control standards in the system/application domain maintains control of both managing errors and ensuring against potentially damaging code?
developer-related standards authentication separation of environments physical security control standards
QUESTION 39
When a CISO is seeking executive buy-in for implementing security policies with respect to a target state, the dialogue should make certain to address each of the following except:
the degree of commitment being solicited of the executive and his or her team how the policies will impact the present environment what risks are specifically addressed by the policy the names of the team members who were consulted to create the policy
QUESTION 40
The COBIT Monitor, Evaluate, and Assess domain looks at specific business requirements and strategic direction, and determines if the system still meets these objectives. To ensure requirements are being met, independent assessments known as________________ take place.
audits quality controls quality assurance information assurances
QUESTION 41
Federal and state governments in the United States establish laws that define how to control, handle, share, and process the sensitive information that the new economy relies on. ___________________ are then added to these laws, which are typically written by civil servants to implement the authority of the law.
Risk assessments Stakeholder reports Regulations Data privacy reports
QUESTION 42
When an organization lacks policies, its operations become less predictable. Which of the following is a challenge you can expect without policies?
lower costs increased regulatory compliance customer dissatisfaction low retention rates for employees
QUESTION 43
There are no universal prescriptions for building an IT security program. Instead, principles can be used to help make decisions in new situations using industry best practices and proven experience. Which of the following is not created with the use of principles?
policies baselines business plan guidelines
QUESTION 44
A ____________ would be a misconfiguration of a system that allows the hacker to gain unauthorized access, whereas a ______________ is a combination of the likelihood that such a misconfiguration could happen, a hacker’s exploitation of it, and the impact if the event occurred.
vulnerability, risk risk, vulnerability threat, risk risk, threat
QUESTION 45
If human action is required, the control is considered _______________. corrective automated manual preventative
QUESTION 46
Once an organization clearly defines its IP, the security policies should specify how to ___________ documents with marks or comments, and ____________ the data, which determines in what location the sensitive file should be placed.
label, classify restrict, filter label, filter classify, restrict.
QUESTION 47
It is important that partnership exists between the ___________________, which needs to review the standing legislation that governs their business, and the ____________________, which needs to review all recent or significant policy changes.
information security team, legal department CISO, legal department legal department, CISO information security team, executive committee
QUESTION 48
A __________________ communicates general rules that cut across the entire organization. procedure policy principles document guideline policy definitions document
QUESTION 49
In general, WAN-specific standards identify specific security requirements for WAN devices. For example, the ____________________ explains the family of controls needed to secure the connection from the internal network to the WAN router, whereas the ______________________ identifies which controls are vital for use of Web services provided by suppliers and external partnerships.
Web services standard, WAN router security standard WAN router security standard, Web services standard Web services standard, Domain Name System WAN router security standard, Domain Name System
QUESTION 50
A(n) ___________________ sets expectations on the use and security of mobile devices, whereas a(n) _________________ establishes a broad set of rules for approved conduct when a user accesses information on company-owned devices.
acceptable use policy, system access policy corporate mobility policy, acceptable use policy system access policy, social networking policy social networking policy, acceptable use policy
QUESTION 51
The COBIT Align, Plan, and Organize domain includes basic details of an organization’s requirements and goals; this domain answers which of the following questions?
What are the areas of vulnerability? Where is there room to build? What are the processes for quality assurance? What do you want to do?
QUESTION 52
During the process of developing a communications plan, it is necessary to ask the question, __________________.
“Who is communicating?” “What is the intended message?” “What is the target audience?” “How is it communicated?”
QUESTION 53
In policies regarding the ___________ of data, it must be guaranteed that the data that exits the private network is secured and monitored; the data should also be encrypted while in transit.
creation storage use physical transport
QUESTION 54
The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that ________________ receives training in basic security requirements, regulatory and legal requirements, detailed policy review, and reporting suspicious activity.
middle management senior management the end users the IT custodians
QUESTION 55
It is necessary to retain information for two significant reasons: legal obligation and business needs. Data that occupies the class of ________________ is comprised of records that are required to support operations; the data included might be customer and vendor records.
regulated business temporary permanent
QUESTION 56
Of the roles commonly found in the development, maintenance, and compliance efforts related to a policy and standards library, which of the following has the responsibilities of directing policies and procedures designed to protect information resources, identifying vulnerabilities, and developing a security awareness program?
information resources manager information resources security officer control partners CISO
QUESTION 57
In order to build security policy implementation awareness across the organization, there should be ____________________ who partner with other teams and departments to promote IT security through different communication channels.
many HR department personnel numerous marketing department professionals multiple executive supporters several IT department specialists
QUESTION 58
When an incident occurs, there are a number of options that can be pursued. Which of the following actions is recommended when assets of a low value are being attacked?
The breach must be stopped as soon as possible because it is in the best interest of the business. The breach should always be permitted to proceed so that information on the attacker can be determined; doing so always serves the goals of the business. The breach should be permitted to proceed until the senior leader in the information security team can be notified to make the final decision. The breach may be permitted to proceed so that information on the attacker can be determined, but doing so depends on the goals of the business.
QUESTION 59
In order to move data from an unsecure WAN to a secure LAN, you typically begin by segmenting a piece of your LAN into a _________________________, which sits on the outside of your private network facing the public Internet. Servers in this area provide public-facing access to the organization, such as public Web sites.
demilitarized zone (DMZ) virtual private network (VPN) remote access domain botnet
QUESTION 60
In the ______________ principle adopted by many organizations, you gain access only to the systems and data you need to perform your job.
confidentiality integrity don’t ask, don’t tell need to know
QUESTION 61
In order to be thoughtful about the implementation of security policies and controls, leaders must balance the need to reduce______________ with the impact to the business operations. Doing so could mean phasing security controls in over time or be as simple as aligning security implementation with the business’s training events.
costs productivity risk data storage
QUESTION 62
There are particular tools and techniques that the IRT utilizes to gather forensic evidence, including ____________________, which articulates the manner used to document and protect evidence.
classification log chain of custody digital data files data log report
QUESTION 63
Implementing security policy means continuous communication with ___________________ and ensuring transparency about what’s working and what’s not working.
control partners stakeholders executives data custodians
QUESTION 64
The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that ________________ receives training in basic security requirements, regulatory and legal requirements, detailed policy review, and reporting suspicious activity.
middle management senior management the end users the IT custodians
QUESTION 65
Which of the following departments has a significant role to play concerning the act of creating the messaging around an incident to the media and the parties impacted?
senior management PR legal HR
QUESTION 66
Hierarchical models have many advantages to organizations, but there are also a number of disadvantages. Which of the following is one of the disadvantages?
Accountability can be a problem because when many component teams are involved, it can be difficult to determine whose fault it is if something doesn’t work. Communication lines are not clearly defined, so it is difficult to find the group that specializes in the area that can help solve it. Unlike in flat organizations, hierarchical organizations do not have teams dedicated to identifying the next big threat. There is often a decentralized authority, which can quickly become a negative when the span of control becomes too wide.
QUESTION 67
The _______________________domain establishes the context and business view for a risk evaluation and guarantees that risk activity aligns with the business goals, objectives, and tolerances. The ________________ domain establishes that technology risks are identified and delivered to leadership in business terms.
risk governance, risk response risk response, risk evaluation risk evaluation, risk governance risk governance, risk evaluation
QUESTION 68
The _______________ domain refers to any endpoint device used by end users, which includes but is not limited to any smart device in the end user’s physical possession and any device accessed by the end user, such as a smartphone, laptop, workstation, or mobile device.
workstation user remote access system/application
QUESTION 69
The concept of _________________ comes from the acknowledgment that data changes form and often gets copied, moved, and stored in many places. Sensitive data often leaves the protection of application databases and ends up in e-mails, spreadsheets, and personal workstation files.
- file transfer protocol
- patch management
- data loss protection
- security management
1 points
QUESTION 70
In order to enhance the training experience and emphasize the core security goals and mission, it is recommended that the executives _______________________.
- issue a written welcome letter to new employees
- remove themselves from the process because it doesn’t concern them
- schedule multiple training sessions with new employees for face-to-face interaction
- video record a message from one of the leaders in a senior role to share with new employees
1 points
QUESTION 71
A(n) ______________________ is a centrally located device that is capable and permitted to extend and connect to distributed services.
- malware tool
- inventory assessment
- agentless central management tool
- distributed infrastructure
1 points
QUESTION 72
__________________ is a term that denotes the way that a policy either diminishes business disruptions or facilitates the business’s success.
- Risk and control self-assessment
- Business risk
- Bolt-on
- Compliance
1 points
QUESTION 73
Of the six specific business risks, the ___________________ risk results from negative publicity regarding an organization’s practices. Litigation and a decline in revenue are possible outcomes of this type of risk.
- compliance
- financial
- operational
- reputational
1 points
QUESTION 74
The goal of employee awareness and training is to ensure that individuals are equipped with the tools necessary for the implementation of security policies. Which of the following is one of the other benefits of a successfully enacted training and awareness program?
- employees will have improved job security
- instituting chances for employees to gather new skills, which can foster enhanced job satisfaction
- employees will be easier to discipline
- management will have more control over employees
1 points
QUESTION 75
While there are many ways that policy objectives and goals can be described, some techniques are more effective than others for persuading an organization to implement them. Which of the following is not one of the effective techniques for persuading people to follow policy objectives and goals?
- giving an explanation of how the policy will minimize business risk
- explaining how the policy will guarantee that the business complies with laws and regulations
- explaining how the policy will safeguard against or locate IT security threats
- explaining the careful process of design and approval that went into creating the policies
1 points
QUESTION 76
It is important to create an IT security program structure that aligns with program and organizational goals and describes the operating and risk environment. Which of the following is one of the important issues for the structure of the information security program?
- Human resources security
- Management and coordination of security-related resources
- Access control
- Asset management
1 points
QUESTION 77
A(n) ___________________ is a confirmed event that compromises the confidentiality, integrity, or availability of information.
- breach
- residual risk
- operational deviation
- threat
1 points
QUESTION 78
One of the different manual controls necessary for managing risk is ________________, which is a type of formal management verification. In the process, management confirms that a condition is present and that security controls and policies are in place.
- attestation
- background checks
- log reviews
- access rights reviews
1 points
QUESTION 79
In the financial services sector, some organizations have implemented a three-lines-of-defense model. What does the use of this model suggest about an organization’s structure?
- The management has a good understanding of organizational culture.
- The organization has an effective training model in place.
- This organization uses a layered approach that creates a separation of duties.
- The management is out of step with the organizational culture.
1 points
QUESTION 80
When trying to achieve operational consistency, which of the following oversight phases performs the function of periodically assessing to ensure desired results are achieved?
- improve
- measure
- review
- manage
1 points