Information Security And Assurance – WGU C725 -
Practice Tests: Questions And Answers
What should be the role of the management in developing an information
security program?
A
It is mandatory.
B
It is limited to the sanctioning of funds.
C
It is not required at all.
D
It should be minimal. Right Ans - The role of the management in developing
an information security program is mandatory. The primary purpose of
security management is to protect the information assets of the organization.
Which type of security plan is designed to be a forwarding looking document
pointing out goals to achieve in a five-year time frame?
A
Operational
B
Tactical
C
Strategic Right Ans - A strategic plan focuses on five-year goals, missions,
and objectives. It is a fairly stable, long-term plan that defines an
organization's security purpose.
Answer A is incorrect. An operational plan is a highly-detailed, short-term
plan based on the strategic and tactical plans. It is updated monthly or
quarterly to retain compliance with tactical plans.
Answer B is incorrect. The tactical plan is a midterm plan that provides details
on accomplishing the goals defined in the strategic plan. It is useful for about a
year.
What is the primary objective of data classification schemes?
,A
To formalize and stratify the process of securing data based on assigned labels
of importance and sensitivity
B
To establish a transaction trail for auditing accountability
C
To manipulate access controls to provide for the most efficient means to grant
or restrict functionality
D
To control access to objects for authorized subjects Right Ans - The
primary objective of data classification schemes is to formalize and stratify the
process of securing data based on assigned labels of importance and
sensitivity.
Mark reads the following lines in the document from his workstation:
Access the Aspen Bridge by telnet.
Enter into privileged mode.
Execute command 6 and press Enter.
Load the config file.
Hit Run.
What type of document is Mark reading?
A
Security policy
B
Regulatory policy
C
Guideline
D
Procedure Right Ans - A procedure is a detailed, step-by-step how-to
document that specifies the exact actions required to implement a specific
security mechanism, control, or solution. A procedure can discuss the
complete system deployment operation or focus on a single product or aspect,
such as deploying a firewall or updating virus definitions. Procedures are
system and software specific in most cases.
,Answer A is incorrect. A security policy is a document that defines the scope of
security required by an organization.
Answer B is incorrect. A regulatory policy is used when industry or legal
standards are applied to the organization. It contains the regulations that the
organization must follow and defines the procedures that support compliance
of the same.
Answer C is incorrect. A guideline points to a statement in a policy or
procedure that helps determine a course of action.
What is defined in an acceptable use policy?
A
how users are allowed to employ company hardware
B
the method administrators should use to back up network data
C
the sensitivity of company data
D
which users require access to certain company data Right Ans - Answer A
is correct.
An acceptable use policy defines how users are allowed to employ company
hardware. For example, an acceptable use policy, which is sometimes referred
to as a use policy, might answer the following questions: Are employees
allowed to store personal files on company computers? Are employees
allowed to play network games on breaks? Are employees allowed to "surf the
Web" after hours?
An information policy defines the sensitivity of a company's data. In part, a
security policy defines separation of duties, which determines who needs
access to certain company information. A backup policy defines the procedure
that administrators should use to back up company information.
Which business role must ensure that all operations fit within the business
goals?
A
, data owner
B
business/mission owner
C
system owner
D
data custodian Right Ans - Answer B is correct.
The person in the business/mission owner role must ensure that all
operations fit within the business or mission goals.System and data owners
are responsible for ensuring that proper controls are in place to maintain the
integrity, confidentiality, and availability of the information.
The system owner is responsible for maintaining and protecting one or more
data processing systems. The role of a system owner includes the integration
of required security features into the applications and the purchase decision
of the applications. The system owner also ensures that the remote access
control, password management, and operating system configuration provide
the necessary security.
The data owner is typically part of management. The data owner controls the
process of defining IT service levels, provides information during the review
of controls, and is responsible for authorizing the enforcement of security
controls to protect the information assets of the organization. For example, a
business unit manager has the primary responsibility of protecting the
information assets by exercising due diligence and due care practices.
The data custodian is directly responsible for maintaining and protecting the
data. This role is typically delegated to the IT department staff and includes
implementing the organization security through the implementation and
maintenance of security controls. The data custodian role also includes the
following tasks:
Maintaining records of activity
Verifying the accuracy and reliability of the data
Backing up and restoring data on a regular basis
What process does a system use to officially permit access to a file or a
program?
Practice Tests: Questions And Answers
What should be the role of the management in developing an information
security program?
A
It is mandatory.
B
It is limited to the sanctioning of funds.
C
It is not required at all.
D
It should be minimal. Right Ans - The role of the management in developing
an information security program is mandatory. The primary purpose of
security management is to protect the information assets of the organization.
Which type of security plan is designed to be a forwarding looking document
pointing out goals to achieve in a five-year time frame?
A
Operational
B
Tactical
C
Strategic Right Ans - A strategic plan focuses on five-year goals, missions,
and objectives. It is a fairly stable, long-term plan that defines an
organization's security purpose.
Answer A is incorrect. An operational plan is a highly-detailed, short-term
plan based on the strategic and tactical plans. It is updated monthly or
quarterly to retain compliance with tactical plans.
Answer B is incorrect. The tactical plan is a midterm plan that provides details
on accomplishing the goals defined in the strategic plan. It is useful for about a
year.
What is the primary objective of data classification schemes?
,A
To formalize and stratify the process of securing data based on assigned labels
of importance and sensitivity
B
To establish a transaction trail for auditing accountability
C
To manipulate access controls to provide for the most efficient means to grant
or restrict functionality
D
To control access to objects for authorized subjects Right Ans - The
primary objective of data classification schemes is to formalize and stratify the
process of securing data based on assigned labels of importance and
sensitivity.
Mark reads the following lines in the document from his workstation:
Access the Aspen Bridge by telnet.
Enter into privileged mode.
Execute command 6 and press Enter.
Load the config file.
Hit Run.
What type of document is Mark reading?
A
Security policy
B
Regulatory policy
C
Guideline
D
Procedure Right Ans - A procedure is a detailed, step-by-step how-to
document that specifies the exact actions required to implement a specific
security mechanism, control, or solution. A procedure can discuss the
complete system deployment operation or focus on a single product or aspect,
such as deploying a firewall or updating virus definitions. Procedures are
system and software specific in most cases.
,Answer A is incorrect. A security policy is a document that defines the scope of
security required by an organization.
Answer B is incorrect. A regulatory policy is used when industry or legal
standards are applied to the organization. It contains the regulations that the
organization must follow and defines the procedures that support compliance
of the same.
Answer C is incorrect. A guideline points to a statement in a policy or
procedure that helps determine a course of action.
What is defined in an acceptable use policy?
A
how users are allowed to employ company hardware
B
the method administrators should use to back up network data
C
the sensitivity of company data
D
which users require access to certain company data Right Ans - Answer A
is correct.
An acceptable use policy defines how users are allowed to employ company
hardware. For example, an acceptable use policy, which is sometimes referred
to as a use policy, might answer the following questions: Are employees
allowed to store personal files on company computers? Are employees
allowed to play network games on breaks? Are employees allowed to "surf the
Web" after hours?
An information policy defines the sensitivity of a company's data. In part, a
security policy defines separation of duties, which determines who needs
access to certain company information. A backup policy defines the procedure
that administrators should use to back up company information.
Which business role must ensure that all operations fit within the business
goals?
A
, data owner
B
business/mission owner
C
system owner
D
data custodian Right Ans - Answer B is correct.
The person in the business/mission owner role must ensure that all
operations fit within the business or mission goals.System and data owners
are responsible for ensuring that proper controls are in place to maintain the
integrity, confidentiality, and availability of the information.
The system owner is responsible for maintaining and protecting one or more
data processing systems. The role of a system owner includes the integration
of required security features into the applications and the purchase decision
of the applications. The system owner also ensures that the remote access
control, password management, and operating system configuration provide
the necessary security.
The data owner is typically part of management. The data owner controls the
process of defining IT service levels, provides information during the review
of controls, and is responsible for authorizing the enforcement of security
controls to protect the information assets of the organization. For example, a
business unit manager has the primary responsibility of protecting the
information assets by exercising due diligence and due care practices.
The data custodian is directly responsible for maintaining and protecting the
data. This role is typically delegated to the IT department staff and includes
implementing the organization security through the implementation and
maintenance of security controls. The data custodian role also includes the
following tasks:
Maintaining records of activity
Verifying the accuracy and reliability of the data
Backing up and restoring data on a regular basis
What process does a system use to officially permit access to a file or a
program?
