WGU C725 Final Exam Practice Questions and Answers Latest Update 2023/2024 | Graded 100%

WGU C725 Final Exam Practice Questions and Answers Latest Update 2023/2024 | Graded 100%. Careers in information security are booming because of which of the following factors? A. Threats of cyberterrorism B. Government regulations C. Growth of the Internet D. All of these Correct ans - All of these A program for information security should include which of the following elements? A. Security policies and procedures B. Intentional attacks only C. Unintentional attacks only D. None of these Correct ans - Security policies and proceduresExplanation: Answer A is correct. The Carnegie Melon Information Network Institute (INI) designed programs to carry out multiple tasks including Information Security Policies. The growing demand for InfoSec specialists is occurring predominantly in which of the following types of organizations? A. Government B. Corporations C. Not-for-profit foundations D. All of these Correct ans - D. All of these The concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. Correct ans - Confidentiality A catchall safe rating for any box with a lock on it. This rating describes the thickness of the steel used to make the lockbox. No actual testing is performed to gain this rating. Correct ans - B-Rate Safe Rating This safe rating is defined as a variably thick steel box with a 1-inch-thick door and a lock. No tests are conducted to provide this rating, either. Correct ans - C-Rate Safe Rating Safes with an Underwriters Laboratory rating that have passed standardized tests as defined in Underwriters Laboratory Standard 687 using tools and an expert group of safe-testing engineers. The safe rating label requires that the safe be constructed of 1- inch solid steel or equivalent. The label means that the safe has been tested for a net working time of 15 minutes using "common hand tools, drills, punches hammers, and pressure applying devices." Net working time means that when the tool comes off the safe, the clock stops. Engineers exercise more than 50 different types of attacks that have proven effective for safecracking. Correct ans - UL TL-15 Safe Rating This Underwriters Laboratory rating testing is essentially the same as the TL-15 testing, except for the net working time. Testers get 30 minutes and a few more tools to help them gain access. Testing engineers usually have a safe's manufacturing blueprints and can disassemble the safe before the test begins to see how it works. Correct ans - UL TL-30 Safe Rating Related to information security, confidentiality is the opposite of which of the following? A. Closure B. Disclosure C. Disaster D. Disposal Correct ans - B. Disclosure Explanation: Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible. Integrity models have which of the three goals: A. Prevent unauthorized users from making modifications to data or programs B. Prevent authorized users from making improper or unauthorized modifications C. Maintain internal and external consistency of data and programs D. All of these Correct ans - D. All of these Explanation: Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes. Information security professionals usually address which of these three common challenges to availability: A. Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered) B. Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes) C. Equipment failures during normal use. D. All of these Correct ans - D. All of theseExplanation:Availability models keep data and resources available for authorized use, especially during emergencies or disasters. Which of the following represents the three goals of information security? A. Confidentiality, integrity, and availability B. Prevention, detection, and response C. People controls, process controls, and technology controls D. Network security, PC security, and mainframe security Correct ans - A. Confidentiality, integrity, and availabilityExplanation:These goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security programs. Usually a documented argument or stated position in order to define a need to make a decision or take some form of action. Correct ans - Business Case A type of security management planning where upper, or senior, management is responsible for initiating and defining policies for the organization. Correct ans - Top-down approach A type of security management planning where IT staff makes security decisions directly without input from senior management. This approach is rarely used in organizations and is considered problematic in the IT industry. Correct ans - Bottom-up approach This security plan is a long-term plan that is fairly stable. It defines the organization's security purpose. It also helps to understand security function and align it to the goals, mission, and objectives of the organization. It's useful for about five years if it is maintained and updated annually. This plan also serves as the planning horizon. Longterm goals and visions for the future are discussed this plan. Thisplan should include a risk assessment. Correct ans - Strategic Plan This security plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events. This plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals. Some examples of these plans are project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans. Correct ans - Tactical Plan This security plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. These plans must be updated often (such as monthly or quarterly) to retain compliance with tactical plans. These plans spell out how to accomplish the various goals of the organization. They include resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures. These plans include details on how the implementation processes are in compliance with the organization's security policy. Examples of these plans are training plans, system deployment plans, and product design plans. Correct ans - Operational Plan Also called classification, the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. It is the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities. Correct ans - Data classification Top secret, Secret, Confidential, Sensitive but unclassified, Unclassified. Correct ans - Five levels of government/military classification The highest level of government/military data classification. The unauthorized disclosure of top-secret data will have drastic effects and cause grave damage to national security. This data is compartmentalized on a need-to-know basis such that a user could have this clearance and have access to no data until the user has a need to know. Correct ans - Top Secret This level of government/military data classification is used for data of a restricted nature. The unauthorized disclosure of data classified as secret will have significant effects and cause critical damage to national security. Correct ans - Secret This level of government/military data classification is used for data of a sensitive, proprietary, or highly valuable nature. The unauthorized disclosure of data with this classification level will have noticeable effects and cause serious damage to national security. This classification is used for all data between secret and sensitive but unclassified classifications. Correct ans - Confidential This level of government/military data classification is used for data that is for internal use or for office use only (FOUO). Often this data classification is used to protect information that could violate the privacy rights of individuals. This is not technically a classification label; instead, it is a marking or label used to indicate use or management. Correct ans - Sensitive But Unclassified (SBU) This level of government/military data classification is used for data that is neither sensitive nor classified. The disclosure of this type of data does not compromise confidentiality or cause any noticeable damage. This is not technically a classification label; instead, it is a marking or label used to indicate use or management. Correct ans - Unclassified The easy way to remember the names of the five levels of the government or military data classification scheme, Correct ans - U.S. Can Stop Terrorism. Top Secret Secret Confidential Sensitive But unclassified Unclassified Four common or possible business classification levels Correct ans - Confidential Private Sensitive Public This common business/private sector data classification level is the highest level of classification. This is used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for a company if this type of data is disclosed. Sometimes the label proprietary is substituted. Sometimes proprietary data is considered a specific form of this type of information. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization. Correct ans - Confidential This common business/private sector data classification level is used for data that is of a private or personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if private data is disclosed. Correct ans - Private This common business/private sector data classification level is used for data that is more classified than public data. A negative impact could occur for the company if sensitive data is disclosed. Correct ans - Sensitive This common business/private sector data classification level is the lowest level of classification. This is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization. Correct ans - Public Relating to data classification or categorization, this is the formal assignment of responsibility to an individual or group. Correct ans - Ownership This role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. They sign off on all policy issues. Correct ans - Senior Manager This Role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. Correct ans - Security Professional This role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. They are typically a high-level manager who is ultimately responsible for data protection. Correct ans - Data Owner This role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. They perform all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification. Correct ans - Data Custodian This role is assigned to any person who has access to the secured system. Their access is tied to their work tasks and is limited so they have only enough access to perform the tasks necessary for their job position (the principle of least privilege). They are responsible for understanding and upholding the security policy of an organization by following prescribed operational procedures and operating within defined security parameters. Correct ans - User This role is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. They may be assigned to a security professional or a trained user. The auditor produces compliance and effectiveness reports that are reviewed by the senior manager. Correct ans - Auditor One of the more widely used security control frameworks. It is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). Correct ans - Control Objectives for Information and Related Technology (COBIT ) Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End-to-End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management Correct ans - COBIT 5 (Five Key principles for governance and management of enterprise IT) Defense in depth is needed to ensure that which three mandatory activities are present in a security system? A. Prevention, response, and prosecution B. Response, collection of evidence, and prosecution C. Prevention, detection, and response D. Prevention, response, and management Correct ans - C. Prevention, detection, and response Explanation: Defense in depth is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response. T or F Functional requirements describe what a system should do. Correct ans - True T or F Assurance requirements describe how functional requirements should be implemented and tested. Correct ans - True Which of the following best represents the two types of IT security requirements? A. Functional and logical B. Logical and physical C. Functional and assurance D. Functional and physical Correct ans - Functional and assurance Explanation: Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested. Which of the following terms best describes the probability that a threat to an information system will materialize? A. Threat B. Vulnerability C. Hole D. Risk Correct ans - D) Risk Explanation: Risk involves looking at what is the consequence of a loss and the likelihood that this loss will occur. Which of the following statements is true? A. Controls are implemented to eliminate risk and eliminate the potential for loss. B. Controls are implemented to mitigate risk and reduce the potential for loss. C. Controls are implemented to eliminate risk and reduce the potential for loss. D. Controls are implemented to mitigate risk and eliminate the potential for loss. Correct ans - B. Controls are implemented to mitigate risk and reduce the potential for loss. Explanation: Controls mitigate a wide variety of information security risks and reduce loss. Security functional requirements describe which of the following?