TRUE/FALSE
1. It is important that every company protect not only its data, but the people, infrastructure, and
systems that support this data.
ANS: T PTS: 1 REF: 7
2. In the context of creating a security policy, for the areas in which it is determined that the
business is willing to accept the risk, the risk must be approved by management, but once it has
been approved, in order to wisely use company resources, no reassessment is necessary in the
future.
ANS: F PTS: 1 REF: 8
3. To effectively build a new security policy, a company or organization should dump its existing
written policies and procedures and start planning from scratch.
ANS: F PTS: 1 REF: 9
4. It is not possible for you to calculate the internal value of systems that serve a dual-purpose.
ANS: F PTS: 1 REF: 10
5. In many companies, the responsibility for physical security does not lie with the IT or
Information Security departments.
ANS: T PTS: 1 REF: 14
6. In general, a security policy should include measures for preventing malicious activity that
attempts to access systems via their physical interface.
ANS: T PTS: 1 REF: 15
7. Many pertinent questions surround the use of passwords. Whatever the answers to these questions
are, security professionals should allow differences to exist across applications and platforms.
ANS: F PTS: 1 REF: 16
8. The security of an environment is only as strong as the weakest link.
ANS: T PTS: 1 REF: 16
9. One important aspect of an effective security policy is requiring specific security settings on the
systems within an environment.
ANS: T PTS: 1 REF: 18
10. A security policy should never specify requirements for vulnerability scanners, compliance
checking tools, or other security tools that run within the environment.
ANS: F PTS: 1 REF: 18
11. The CISSP is designed for corporate security officers, security advisors, and other individuals
who set security architecture, policies, and processes.
ANS: T PTS: 1 REF: 19
12. Currently, the CISSP, SSCP, and GIAC certifications are the only security-related certifications
from venerable certification organizations available.
ANS: F PTS: 1 REF: 21
13. All security professionals should have a good list of Web sites and subscribe to a variety of
mailing lists.
ANS: T PTS: 1 REF: 22
14. The figure above shows the PPP triad.
ANS: F PTS: 1 REF: 5
MODIFIED TRUE/FALSE
1. Enforcing data availability involves the processes or technical mechanisms that ensure the data is
transferred without necessary modifications. _________________________
ANS: F, integrity
PTS: 1 REF: 5
2. The now infamous distributed denial-of-service attacks of 1999 involved dozens of separate
systems focused on making the target Web sites unavailable to legitimate users by flooding the
target with useless traffic. _________________________
ANS: T PTS: 1 REF: 6
3. A Web site that sells products brings in a quantifiable amount of money to the company. This
monetary amount determines the profitable value for the company Web site.
_________________________
ANS: F, external
PTS: 1 REF: 10
4. Because the external value is often part of the business case that was built to justify the existence
of an asset, the external value may be hard to retrieve. _________________________
ANS: F
easy
simple
PTS: 1 REF: 10
5. In most cases, information represents an asset more valuable than a company’s products and
services. _________________________