Midterm Questions and Answers, 100% correct, 2025/2026
A statement explicitly declaring the business of the organization and its intended areas of operations is a ____________. - correct answer ✔Mission statement
Data Security - correct answer ✔Commonly used as a surrogate for information security; the focus of protecting information in its various states: at rest, in processing, and in transmission
Which of the following is NOT a unique function of Information Security Management? - correct answer ✔principles
Information security is the protection of the confidentiality, integrity, and availability of information assets, in storage, processing, and transmission, via the application of policy, education, training, awareness, and technology. - correct answer ✔True
The protection of voice and data components, connections, and content is known as _________ security. - correct answer ✔network
In the __________ phase of the SecSDLC, the team studies the documents from earlier phases and looks at relevant legal issues that could affect the design of the security solution. - correct answer ✔Analysis
A potential weakness in an asset or its defensive control system(s) is known as a(n) __________. - correct answer ✔vulnerability
Rule-based policies are less specific to the operation of a system than access control lists. - correct answer ✔false
Policies must specify penalties for unacceptable behavior and define an appeals process. - correct answer ✔True
Having an established risk management program means that an organization's assets are completely protected. - correct answer ✔False
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? - correct answer ✔investigation
Which type of device exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server? - correct answer ✔proxy server
Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area? - correct answer ✔authentication
The IT community often takes on the leadership role in addressing risk. - correct answer ✔False
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system. - correct answer ✔True
In the bull's-eye model, the ____________________ layer is the place where threats from public networks meet the organization's networking infrastructure. - correct answer ✔networks
According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy? - correct answer ✔confidentiality
The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response. - correct answer ✔Justification
Which type of attack involves sending a large number of connection or information requests to a target? - correct answer ✔denial of service (DoS)
A methodology for the design and implementation of an information system that is a formal development strategy is referred to as a __________. - correct answer ✔Systems Development Life Cycle (SDLC)
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process? - correct answer ✔authentication
IT - correct answer ✔Supports the business objectives of the organization by supplying and supporting IT appropriate to the business's needs
Database security - correct answer ✔A subset of information security that focuses on the assessment and protection of information stored in repositories
MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof. - correct answer ✔False
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? - correct answer ✔user-specific security policy
The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for. - correct answer ✔False
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. - correct answer ✔trespass
General business - correct answer ✔Articulates and communicates organizational policy and objectives and allocates resources to the other groups
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a __________. - correct answer ✔cracker
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization. - correct answer ✔Chief Information Security Officer (CISO)
It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them? - correct answer ✔What other activities require the same resources as this activity?
Attack - correct answer ✔An ongoing act against an asset that could result in a loss of its value
Which of the following is NOT one of the administrative challenges to the operation of firewalls? - correct answer ✔replacement
Rule-based policies are less specific to the operation of a system than access control lists. (T/F) - correct answer ✔false
Access control lists regulate who, what, when, where, and why authorized users can access a system. - correct answer ✔False
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________. - correct answer ✔attack