The gramm-leach-bliley act (glba) addresses information security concerns in the financial industry.

Upgrade to remove ads

Only ₩37,125/year

• Flashcards

• Learn

• Test

• Match

• Flashcards

• Learn

• Test

• Match

Terms in this set (40)

Which formula is typically used to describe the components of information security risks?

A. Risk = Likelihood X Vulnerability
B. Risk = Threat X Vulnerability
C. Risk = Threat X Likelihood
D. Risk = Vulnerability X Cost

B. Risk = Threat X Vulnerability
The risk equation is Risk = Threat X Vulnerability. A threat is the frequency of any event. In most cases, the events in the threat equation are negative or adverse events. Vulnerability is the likelihood that a specific threat will successfully be carried out. Multiplying the probability of a threat and the likelihood of a vulnerability yields the risk of that particular event

Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?

A. Description of the risk
B. Expected impact
C. Risk survey results
D. Mitigation steps

C. Risk survey results
The risk register can contain many different types of information but should contain at a minimum: a description of the risk, the expected impact if the associated event occurs, the probability of the event occurring, steps to mitigate the risk, steps to take should the event occur, and the rank of the risk. Risk survey results are not typically included in a risk register.

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?

A. Recovery time objective (RTO)
B. Recovery point objective (RPO)
C. Business recovery requirements
D. Technical recovery requirements

A. Recovery time objective (RTO)
The RTO expresses the maximum allowable time to recover a function. Time may be a critical factor and specifying the requirements for recovery time helps determine the best recovery options.

Which one of the following is an example of a direct cost that might result from a business disruption?

A. Damaged reputation
B. Lost market share
C. Lost customers
D. Facility repair

D. Facility repair
Direct costs are immediate expenditures that reduce profit, such as the cost to repair a facility. Indirect costs, such as damaged reputation, lost market share, and lost customers, affect revenue but are harder to calculate because there is no record of an expenditure.

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?

A. Disaster recovery plan (DRP)
B. Business impact analysis (BIA)
C. Business continuity plan (BCP)
D. Service level agreement (SLA)

C. Business continuity plan (BCP)
BCPs specify how an organization can recover from an interruption, as opposed to a disaster that would be covered by the DRP. In general, an interruption is a minor event that may disrupt one or more business processes for a short period. In contrast, a disaster is an event that affects multiple business processes for an extended period. Disasters often also cause substantial resource damage that you must address before you can resolve the business process interruption.

What is the first step in a disaster recovery effort?

A. Respond to the disaster.
B. Follow the disaster recovery plan (DRP).
C. Communicate with all affected parties.
D. Ensure that everyone is safe.

D. Ensure that everyone is safe.
The first critical step in a disaster recovery plan is to ensure that everyone is safe. The second step is responding to the disaster before pursuing recovery, and the final step is following the DRP, which includes communicating with all affected parties.

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?

A. Hot site
B. Warm site
C. Cold site
D. Primary site

B. Warm site A warm site balances cost and switchover time. It is less expensive than a hot site but can activate more quickly than a cold site.

Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?

A. Checklist test
B. Full interruption test
C. Parallel test
D. Simulation test

C. Parallel test
The parallel test evaluates the effectiveness of the disaster recovery plan (DRP) by enabling full processing capability at an alternate data center without interrupting activity at the primary data center.

As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?

A. Checklist test
B. Parallel test
C. Simulation test
D. Structured walk-through

C. Simulation test
A simulation test is more realistic than a structured walk-through. In a simulation test, the DRP team uses role playing and follows through with as many of the effects of a simulated disaster as possible without affecting live operations.

Which one of the following is an example of a reactive disaster recovery control?

A. Moving to a warm site
B. Disk mirroring
C. Surge suppression
D. Antivirus software

A. Moving to a warm site
The use of alternate processing facilities, such as warm sites, is a reactive control. Some parts of a disaster recovery plan (DRP) are preventive and intended to avoid the negative effects of a disaster in the first place. Preventive components of a DRP may include disk mirroring, surge suppression, and antivirus software.

George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?

A. Risk Management Guide for Information Technology Systems (NIST SP800-30)
B. CCTA Risk Analysis and Management Method (CRAMM)
C. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
D. ISO/IEC 27005, "Information Security Risk Management"

A. Risk Management Guide for Information Technology Systems (NIST SP800-30) NIST SP800-30, "Risk Management Guide for Information Technology Systems," is a widely used guide for IT security assessments. It contains specific guidance for U.S. government agencies and would be the most appropriate methodology for use in a federal government setting

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to health care providers?

A. FFIEC
B. FISMA
C. HIPAA
D. PCI DSS

C. HIPAA

Health Insurance Portability and Accountability Act (HIPAA) governs the way doctors, hospitals, and other health care providers handle personal medical information. HIPAA requires that all medical records, billing, and patient information be handled in ways that maintain the patient's privacy.

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?

A. Health Insurance Portability and Accountability Act (HIPAA)
B. Payment Card Industry Data Security Standard (PCI DSS)
C. Federal Information Security Management Act (FISMA)
D. Federal Financial Institutions Examination Council (FFIEC)

B. Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS applies to all merchants and service providers who handle credit card information.

The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?

A. 11
B. 13
C. 15
D. 18

B. 13

Which one of the following is the best example of an authorization control?

A. Biometric device
B. Digital certificate
C. Access control lists
D. One-time password

C. Access control lists

Once you have authenticated a user, access controls help ensure that only authorized users can access the protected resources. Authorization controls include access control lists, intrusion prevention systems, and network traffic filters.

Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?

A. Support ownership
B. Onboarding/offboarding
C. Forensics
D. Data ownership

D. Data ownership

What is NOT a commonly used endpoint security technique?

A. Full device encryption
B. Network firewall
C. Remote wiping
D. Application control

B. Network firewall
A network firewall is not an endpoint control because it is deployed on a network connection. Full device encryption, remote wiping, and application control are all examples of endpoint device security controls.

What is NOT one of the three tenets of information security?

A. Confidentiality
B. Integrity
C. Safety
D. Availability

C. Safety

What compliance regulation applies specifically to the educational records maintained by schools about students?

A. Family Education Rights and Privacy Act (FERPA)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. Federal Information Security Management Act (FISMA)
D. Gramm-Leach-Bliley Act (GLBA)

A. Family Education Rights and Privacy Act (FERPA)

What level of technology infrastructure should you expect to find in a cold site alternative data center facility?

A. Hardware and data that mirror the primary site
B. Hardware that mirrors the primary site, but no data
C. Basic computer hardware
D. No technology infrastructure

D. No technology infrastructure

The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.

A. True
B. False

A. True

The term risk methodology refers to a list of identified risks that results from the risk-identification process.

A. True
B. False

B. False
Risk methodology is a description of how you will manage risk. The risk register is a list of identified risks that results from the risk-identification process.

The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.

A. True
B. False

A. True

The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.

A. True
B. False

A. True

The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.

A. True
B. False

A. True

Continuity of critical business functions and operations is the first priority in a well-balanced business continuity plan (BCP).

A. True
B. False

B. False
Safety and well-being of people is the first priority in a well-balanced BCP.

A disaster recovery plan (DRP) directs the actions necessary to recover resources after a disaster.

A. True
B. False

A. True

The first step in creating a comprehensive disaster recovery plan (DRP) is to document likely impact scenarios.

A. True
B. False

B. False
The steps involved in creating a comprehensive DRP should be completed in this order: define potential threats, document likely impact scenarios, and document the business and technical requirements to initiate the implementation phase.

Regarding data center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time.

A. True
B. False

B. False
A mobile site is very flexible, has a fairly short switchover time, and has widely varying costs based on size and capacity. A cold site is the least expensive option but at the cost of the longest switchover time, since all hardware, software, and data must be loaded at the new site.

Most enterprises are well prepared for a disaster should one occur.

A. True
B. False

B. False
: Most enterprises remain unprepared or underprepared for disaster. Despite recurrent reminders, many companies do not have a disaster recovery plan (DRP) at all.

A surge protector is an example of a preventative component of a disaster recovery plan (DRP).

A. True
B. False

A. True

A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats.

A. True
B. False

B. False
A gap analysis is a comparison of the security controls you have in place and the controls you need in order to address all identified threats. A security policy defines a risk-mitigating definition or solution for your organization

The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.

A. True
B. False

A. True

The Government Information Security Reform Act (Security Reform Act) of 2000 focuses on management and evaluation of the security of unclassified and national security systems.

A. True
B. False

A. True

Authentication controls include passwords and personal identification numbers (PINs).

A. True
B. False

A. True

Authorization controls include biometric devices.

A. True
B. False

B. False
Authorization controls include access control lists, physical access control, and network traffic filters. A biometric device is an authentication control.

In a Bring Your Own Device (BYOD) policy, the user acceptance component may include separation of private data from business data.

A. True
B. False

A. True

Remote wiping is a device security control that allows an organization to remotely erase data or email in the event of loss or theft of the device.

A. True
B. False

A. True

Screen locks are a form of endpoint device security control.

A. True
B. False

A. True

Removable storage is a software application that allows an organization to monitor and control business data on a personally owned device.

A. True
B. False

B. False
Mobile device management (MDM) includes a software application that allows organizations to monitor, control, data wipe, or data delete business data from a personally owned device.

Sets with similar terms

Chapter 8: Risk, Response, and Recovery

73 terms

natalie_aguirre2

5- Information Security

61 terms

Primaltech

CyberOps SecFund: Section 5 Information Security

68 terms

sakis_panou

CIS4361 - Information Assurance and Security - Cha…

102 terms

Yakkuza

Sets found in the same folder

Chapter 5

40 terms

reverish004

Chapter 6

40 terms

reverish004

Network Quiz 03

40 terms

PhilColodetti

Chapter 7

20 terms

reverish004

Other sets by this creator

Services Lines

14 terms

reverish004

WNRS - Race & Privilege Edition

24 terms

reverish004

Chapter 15

20 terms

reverish004

Chapter 12

20 terms

reverish004

Other Quizlet sets

spanish sem two vocab

20 terms

Mia_Lickfelt

exam 2 prep

74 terms

ZachhTheDestroyer

CH.1

116 terms

Matthew_Lyman2

Related questions

QUESTION

DMC do not have to be legally insured for business liability because they will be covered under the clients policy? (T/F)

3 answers

QUESTION

The Windows operating system is used in 90% of the world's PCs. Microsoft has an international ...

4 answers

QUESTION

An advantage of hiring from within is that it improves employee morale.

15 answers

QUESTION

An organization in which managers do all that they can to maximize the ability of subordinates to think creatively so as to maximize the potential for organizational learning is called:

15 answers

What is the main purpose of the Gramm

What is the main purpose of the Gramm

How does GLBA impact information systems security?

What are the main security requirements of the GLBA law?