Exam (worked answers)

WGU C725 INFORMATION SECURITY & ASSURANCE

Pages: 80
Grade: A+
Uploaded on: 24-08-2024
Written in: 2024/2025

Institution: WGU C725
Course: WGU C725
Contains: Questions and answers

WGU C725 INFORMATION SECURITY & ASSURANCE
People - Answers -Information security is primarily a discipline to manage the behavior
of _____.

A. Technology
B. People
C. Processes
D. Organizations

All of these - Answers -Careers in information security are booming because of which of
the following factors?

A. Threats of cyberterrorism
B. Government regulations
C. Growth of the Internet
D. All of these

Security policies and procedures

Explanation: Answer A is correct.

The Carnegie Mellon Information Network Institute (INI) designed programs to carry out
multiple tasks including Information Security Policies. - Answers -A program for
information security should include which of the following elements?

A. Security policies and procedures
B. Intentional attacks only
C. Unintentional attacks only
D. None of these

D. All of these - Answers -The growing demand for InfoSec specialists is occurring
predominantly in which of the following types of organizations?

A. Government
B. Corporations
C. Not-for-profit foundations
D. All of these

Confidentiality - Answers -The concept of the measures used to ensure the protection of
the secrecy of data, objects, or resources.

B-Rate Safe Rating - Answers -A catchall safe rating for any box with a lock on it. This
rating describes the thickness of the steel used to make the lockbox. No actual testing is
performed to gain this rating.

C-Rate Safe Rating - Answers -This safe rating is defined as a variably thick steel box
with a 1-inch-thick door and a lock. No tests are conducted to provide this rating, either.

UL TL-15 Safe Rating - Answers -Safes with an Underwriters Laboratory rating that
have passed standardized tests as defined in Underwriters Laboratory Standard 687
using tools and an expert group of safe-testing engineers. The safe rating label requires
that the safe be constructed of 1-inch solid steel or equivalent. The label means that the
safe has been tested for a net working time of 15 minutes using "common hand tools,
drills, punches, hammers, and pressure applying devices." Net working time means that
when the tool comes off the safe, the clock stops. Engineers exercise more than 50
different types of attacks that have proven effective for safecracking.

UL TL-30 Safe Rating - Answers -This Underwriters Laboratory rating testing is
essentially the same as the TL-15 testing, except for the net working time. Testers get
30 minutes and a few more tools to help them gain access. Testing engineers usually
have a safe's manufacturing blueprints and can disassemble the safe before the test
begins to see how it works.

B. Disclosure

Explanation:

Private - Answers -This common business/private sector data classification level is used
for data that is of a private or personal nature and intended for internal use only. A
significant negative impact could occur for the company or individuals if private data is
disclosed.

Sensitive - Answers -This common business/private sector data classification level is
used for data that is more classified than public data. A negative impact could occur for
the company if sensitive data is disclosed.

Public - Answers -This common business/private sector data classification level is the
lowest level of classification. This is used for all data that does not fit in one of the
higher classifications. Its disclosure does not have a serious negative impact on the
organization.

Ownership - Answers -Relating to data classification or categorization, this is the formal
assignment of responsibility to an individual or group.

Senior Manager - Answers -This role is assigned to the person who is ultimately
responsible for the security maintained by an organization and who should be most
concerned about the protection of its assets. They sign off on all policy issues.

Security Professional - Answers -This role is assigned to a trained and experienced
network, systems, and security engineer who is responsible for following the directives
mandated by senior management.

Data Owner - Answers -This role is assigned to the person who is responsible for
classifying information for placement and protection within the security solution. They
are typically a high-level manager who is ultimately responsible for data protection.

Data Custodian - Answers -This role is assigned to the user who is responsible for the
tasks of implementing the prescribed protection defined by the security policy and
senior management. They perform all activities necessary to provide adequate
protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill
the requirements and responsibilities delegated from upper management. These
activities can include performing and testing backups, validating data integrity,
deploying security solutions, and managing data storage based on classification.

User - Answers -This role is assigned to any person who has access to the secured
system. Their access is tied to their work tasks and is limited so they have only enough
access to perform the tasks necessary for their job position (the principle of least
privilege). They are responsible for understanding and upholding the security policy of
an organization by following prescribed operational procedures and operating within
defined security parameters.

Auditor - Answers -This role is responsible for reviewing and verifying that the security
policy is properly implemented and the derived security solutions are adequate. They
may be assigned to a security professional or a trained user. The auditor produces
compliance and effectiveness reports that are reviewed by the senior manager.

Control Objectives for Information and Related Technology (COBIT) - Answers -One of
the more widely used security control frameworks. It is a documented set of best IT
security practices crafted by the Information Systems Audit and Control Association
(ISACA).

COBIT 5 (Five Key principles for governance and management of enterprise IT) -
Answers -Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

C. Prevention, detection, and response

Explanation:

Defense in depth is implemented in overlapping layers that provide the three elements
needed to secure assets: prevention, detection, and response. - Answers -Defense in
depth is needed to ensure that which three mandatory activities are present in a security
system?

A. Prevention, response, and prosecution
B. Response, collection of evidence, and prosecution
C. Prevention, detection, and response
D. Prevention, response, and management

True - Answers -T or F

Functional requirements describe what a system should do.

True - Answers -T or F

Assurance requirements describe how functional requirements should be implemented
and tested.

Functional and assurance

Explanation:

Functional requirements describe what a system should do. Assurance requirements
describe how functional requirements should be implemented and tested. - Answers -
Which of the following best represents the two types of IT security requirements?

A. Functional and logical
B. Logical and physical
C. Functional and assurance
D. Functional and physical

D) Risk

Explanation:

Risk involves looking at what is the consequence of a loss and the likelihood that this
loss will occur. - Answers -Which of the following terms best describes the probability
that a threat to an information system will materialize?

A. Threat
B. Vulnerability
C. Hole
D. Risk

B. Controls are implemented to mitigate risk and reduce the potential for loss.

Explanation:

Controls mitigate a wide variety of information security risks and reduce loss. - Answers
-Which of the following statements is true?
