QUESTIONS WITH CORRECT APPROVED ANSWERS.
____________ is a widely accepted international best practices framework for implementing
information systems security. - CORRECT ANSWER✅✅✅Control Objectives for Information and
related Technology (COBIT)
_____________ risk is the possible outcome that can occur when an organization or business
unsuccessfully addresses its fiscal obligations. - CORRECT ANSWER✅✅✅Financial
_______________ are owned by an organization if they are created on the computer by company
employees or if the assets were custom developed for and purchased by the organization. - CORRECT
ANSWER✅✅✅Digital Assets
_______________ is a measurement that quantifies how much information can be transmitted over the
network. - CORRECT ANSWER✅✅✅Bandwidth
_______________ is an international governance and controls framework and a widely accepted
standard for governing, assessing, and managing IT security and risks. - CORRECT
ANSWER✅✅✅COBIT
_______________ refers to an attempt to cause fear or major disruptions in a society through hacking
computers. Such attacks target government computers, major companies, or key areas of the economy.
- CORRECT ANSWER✅✅✅Cyberterrorism
________________ controls the processes associated with monitoring and changing configuration
throughout the life of a system. This includes the original baseline configuration. - CORRECT
ANSWER✅✅✅Configuration management
________________ functions as a preventive control designed to prevent mistakes from happening. ________________ functions as a detective control intended to improve the quality over time by affording opportunities to learn from past mistakes. - CORRECT ANSWER✅✅✅Quality assurance; Quality control
___________________ addresses how specific a policy is with respect to resources. - CORRECT
ANSWER✅✅✅Granularity
___________________ are attacks that obtain access by means of remote services, such as vendor networks, employee remote access tools, and point-of-sale (POS) devices. - CORRECT ANSWER✅✅✅Insecure remote access
___________________ is the act of protecting information and the systems that store and process it. -
CORRECT ANSWER✅✅✅Information systems security
___________________ make use of baselines to identify changes in the behavior of the network. -
CORRECT ANSWER✅✅✅Anomaly-based intrusion detection systems
_____________________ denotes the use of human interactions to gain any kind of desired access.
Most often, this term involves exploiting personal relationships by manipulating an individual into
granting access to something a person should not have access to. - CORRECT ANSWER✅✅✅social
engineering
_____________________ in e-commerce broadly deals with creating rules on how to handle a
consumer's transaction and other information. - CORRECT ANSWER✅✅✅Consumer rights
______________________ can run on a workstation or server and is at the heart of all business
applications. - CORRECT ANSWER✅✅✅Application software
___________________________ are formal written policies describing employee behavior when using
company computer and network systems. - CORRECT ANSWER✅✅✅Acceptable use policies
_________________ describes how to design and implement an information security governance structure, whereas __________________ describes security aspects for employees joining, moving within, or leaving an organization. - CORRECT ANSWER✅✅✅Organization of information security, human resources security
A ____________ would be a misconfiguration of a system that allows the hacker to gain unauthorized access, whereas a ______________ is a combination of the likelihood that such a misconfiguration could happen, a hacker's exploitation of it, and the impact if the event occurred. - CORRECT ANSWER✅✅✅vulnerability, risk
A ____________________ can be used to hierarchically represent a classification for a given set of
objects or documents. - CORRECT ANSWER✅✅✅taxonomy
A ______________________ is an apparatus for risk management that enables the organization to
comprehend its risks and how those risks might impact the business. - CORRECT ANSWER✅✅✅risk
and control self-assessment (RCSA)
A ________________________ is a string of data associated with a file that provides added security,
authentication, and nonrepudiation. - CORRECT ANSWER✅✅✅digital signature
A __________________________ is a term that refers to the original image that is duplicated for deployment. Using this image saves time by eliminating the need for repeated configuration changes and performance tweaks. - CORRECT ANSWER✅✅✅gold master
A baseline is a point of departure that guarantees that systems comply with security requirements when they are enacted. However, it is not uncommon for systems to be changed in a way that leaves them out of compliance. Thus, it is necessary to use an accepted method to ensure that settings have not been changed. Which of the following is not one of these methods? - CORRECT ANSWER✅✅✅patch management
A good example of ___________________ is a real estate business that shares data on new home
purchases between the unit that sells insurance for the home and the business unit that sold the home.
- CORRECT ANSWER✅✅✅service integration
A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components: the carrot and the stick. Which of the following best captures the relationship of the two components? - CORRECT ANSWER✅✅✅The carrot aims to educate the employee about the importance of security policies, and the stick reminds the employees of the consequences of not following policy.
A key component of IT security is authorization, which is especially important in large, complex organizations with thousands of employees and hundreds of systems. Two methods of authorization are role-based access control (RBAC) and attribute-based access control (ABAC). Although RBAC and ABAC can provide the same access, which of the following is an advantage of ABAC? - CORRECT ANSWER✅✅✅In ABAC, roles are expressed more in business terms and thus may be more understandable.
A manager creates a policy document that lists the policy name, identifying information, and the operational policy. When she gets to the section marked "roles and responsibilities," she is uncertain whether she should include the names of the individuals assigned to the roles and responsibilities, but ultimately decides that she will because these individuals were newly appointed and have played an active role in reviewing and providing feedback on the policy. Which of the following statements is an accurate assessment of this manager's choice to include the names of the individuals? - CORRECT ANSWER✅✅✅The manager should not have included the names because even though they were newly appointed, individuals join and leave the company.
A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows:
Risk exposure = ________________ the event will occur + ____________ if the event occurs - CORRECT ANSWER✅✅✅likelihood, impact
A security _____________ identifies a group of fundamental configurations designed to accomplish particular security objectives. - CORRECT ANSWER✅✅✅baseline
A security awareness program can be implemented in many ways. Which of the following is the list of
generally accepted principles for implementing a program? - CORRECT ANSWER✅✅✅repetition,
onboarding, support, relevance, metrics