COMPREHENSUVE EXAM UPDATED QUESTIONS
AND ANSWERS SURE A+
✔✔The target selection step of Internet vulnerability assessment involves using the
external monitoring intelligence to configure a test engine (such as Nessus) for the tests
to be performed.
a. True
b. False - ✔✔False
✔✔An intranet vulnerability scan starts with the scan of the organization's default
Internet search engine.
a. True
b. False - ✔✔False
✔✔All systems that are mission critical should be enrolled in platform security validation
(PSV) measurement.
a. True
b. False - ✔✔True
✔✔Wireless vulnerability assessment begins with the planning, scheduling, and
notification of all Internet connections, using software such as Wireshark.
,a. True
b. False - ✔✔False
✔✔Remediation of vulnerabilities can be accomplished by accepting or transferring the
risk, removing the threat, or repairing the vulnerability.
a. True
b. False - ✔✔True
✔✔The vulnerability database, like the risk, threat, and attack database, both stores and
tracks information.
a. True
b. False - ✔✔True
✔✔In some instances, risk is acknowledged as being part of an organization's business
process.
a. True
b. False - ✔✔True
✔✔Threats cannot be removed without requiring a repair of the vulnerability.
a. True
b. False - ✔✔False
✔✔Policy needs to be reviewed and refreshed from time to time to ensure that it's
providing a current foundation for the information security program.
a. True
b. False - ✔✔True
✔✔Major planning components should be reviewed on a periodic basis to ensure that
they are current, accurate, and appropriate.
a. True
b. False - ✔✔True
✔✔Rehearsal adds value by exercising the procedures, identifying shortcomings, and
providing security personnel the opportunity to improve the security plan before it is
needed.
a. True
b. False - ✔✔True
✔✔An effective information security governance program requires constant change.
__________ - ✔✔False - review
, ✔✔The NIST SP 800-100 Information Security Handbook provides technical guidance
for the establishment and implementation of an information security program.
__________ - ✔✔False - managerial
✔✔The systems development life cycle (SDLC) is the overall process of developing,
implementing, and retiring information systems through a multistep approach—from
initiation to use. __________ - ✔✔False - maintenance to disposal
✔✔For configuration management and control, it is important to document the proposed
or actual changes in the system security plan. __________ - ✔✔True
✔✔Tracking monitoring involves assessing the status of the program as indicated by
the database information and mapping it to standards established by the agency.
__________ - ✔✔False - compliance
✔✔A user ticket is opened when a user calls about an issue. __________ - ✔✔False -
trouble
False - help desk
False - support
✔✔In some organizations, asset management is the identification, inventory, and
documentation of the current information system's status—hardware, software, and
networking configurations. __________ - ✔✔False - configuration
✔✔CM assists in streamlining change management processes and prevents changes
that could detrimentally affect the security posture of a system before they happen.
__________ - ✔✔True
✔✔. CERT stands for "computer emergency recovery team." __________ - ✔✔False -
response
✔✔US-CERT is a set of moderated mailing lists full of detailed, full-disclosure
discussions and announcements about computer security vulnerabilities. It is sponsored
in part by SecurityFocus. __________ - ✔✔False - Bugtraq
✔✔Specific warning bulletins are issued when developing threats and specific assets
pose a measurable risk to the organization. __________ - ✔✔False - attacks
✔✔The basic function of the external monitoring process is to monitor activity, report
results, and escalate warnings. __________ - ✔✔True