Chapter 12
Information Security Management
True/False Questions
1) As problems caused by human errors are accidental and not malicious, they are not
considered security threats to the information system.
Answer: False
Rationale:
Human errors, although unintentional, can still pose significant security threats to an
information system. These errors might include accidentally deleting critical data,
misconfiguring security settings, or falling victim to social engineering attacks, all of which
can compromise system integrity, confidentiality, and availability.
2) A computer crime is committed if an employee inadvertently installs an old database on
top of the current one.
Answer: False
Rationale:
Inadvertently installing an old database on top of the current one may not constitute a
computer crime if it was done unintentionally and without malicious intent. Computer crimes
typically involve deliberate actions aimed at unauthorized access, modification, or destruction
of data or systems.
3) Unauthorized data disclosures are possible due to human error.
Answer: True
Rationale:
Human error can lead to unauthorized data disclosures, such as accidentally sending sensitive
information to the wrong recipient, failing to properly secure data, or inadvertently sharing
confidential information through misconfigured settings or improper handling of data.
4) Pretexting occurs when a person receives a confidential text message by mistake and
pretends to be the intended recipient.
Answer: False
Rationale:
Pretexting is a form of social engineering where an attacker fabricates a scenario or pretext to
manipulate individuals into divulging confidential information or performing actions they
wouldn't otherwise do. It typically involves creating a false identity or story to deceive the
victim, rather than merely receiving a message intended for someone else.
5) Phishing is a technique for intercepting computer communications.
Answer: False
Rationale:
Phishing is a form of cyber attack where attackers impersonate legitimate entities to deceive
individuals into providing sensitive information, such as usernames, passwords, or financial
details, usually via email, text messages, or fake websites. It aims to trick users into
disclosing information rather than intercepting computer communications.
6) Email spoofing is a synonym for phishing.
Answer: True
Rationale:
Email spoofing is a technique used in phishing attacks where attackers forge the sender's
email address to make it appear as if the email originated from a trusted source. This
deceptive tactic is commonly employed to trick recipients into believing the email is
legitimate, thus increasing the likelihood of them falling for the phishing attempt.
7) Sniffing occurs when an intruder uses another site's IP address to masquerade as that other
site.
Answer: False
Rationale:
Sniffing refers to the unauthorized interception and monitoring of network traffic to capture
sensitive information, such as usernames, passwords, or financial data, as it traverses a
network. It does not involve masquerading as another site using its IP address.
8) Drive-by sniffers monitor and intercept wireless traffic at will.
Answer: True
Rationale:
Drive-by sniffers are attackers who use portable devices to capture and analyze wireless
network traffic, such as Wi-Fi signals, without authorization. They can intercept data packets
transmitted over the airwaves, potentially capturing sensitive information transmitted by
users connected to the network.
9) Faulty service includes incorrectly billing customers or sending the wrong information to
employees, but not incorrect data modification.
Answer: False
Rationale:
Faulty service encompasses a range of errors or malfunctions in providing services, including
incorrectly billing customers, sending wrong information to employees, and incorrect data
modification. Any unauthorized or incorrect modification of data can be considered a form of
faulty service, as it compromises the accuracy and integrity of the information.
10) Usurpation occurs when computer criminals invade a computer system and replace
legitimate programs with their own unauthorized ones.
Answer: True
Rationale:
Usurpation, also known as program alteration, occurs when attackers gain unauthorized
access to a computer system and replace legitimate programs or system files with their own
malicious versions. This can allow them to gain control over the system, steal data, or carry
out further attacks without the user's knowledge.
11) When a hacker floods a Web server with millions of bogus service requests so that it
cannot service legitimate requests, it is called a denial-of-service attack.
Answer: True
Rationale:
A denial-of-service (DoS) attack overwhelms a target system, such as a web server, with a
flood of illegitimate requests, rendering it unable to fulfill legitimate requests from users.
This disrupts the availability of the service, causing inconvenience or harm to users.
12) Natural disasters present the largest risk for infrastructure loss.
Answer: True
Rationale:
Natural disasters, such as earthquakes, hurricanes, floods, or wildfires, can cause widespread
infrastructure damage, leading to disruptions in services, data loss, and downtime for
organizations. They represent significant risks for both physical and digital infrastructure.
13) In the context of information security, safeguards increase work efficiency by making
common tasks easier.
Answer: False
Rationale:
Information security safeguards are implemented to protect systems, data, and users from
threats and vulnerabilities. While they enhance security, they may introduce additional steps
or controls that can sometimes impede work efficiency by adding complexity or requiring
extra authentication steps.
14) In a study conducted by Verizon, data theft has been most successful at large scale
enterprises.
Answer: False
Rationale:
According to the Verizon Data Breach Investigations Report (DBIR), data theft has been
successful across organizations of various sizes, including small, medium, and large
enterprises. Attackers target vulnerabilities regardless of the organization's scale.
15) In a study conducted by Verizon, in 2011, the four most frequent computer crimes
involved criminal activity against servers.
Answer: True
Rationale:
According to the Verizon DBIR, in 2011, the four most frequent computer crimes involved
criminal activity against servers, including hacking, malware infections, privilege misuse, and
physical theft.
16) In a study conducted by Verizon, in a year only about a hundred thousand people become
victims of computer crimes.
Answer: False
Rationale:
The actual number of individuals affected by computer crimes is significantly higher than just
a hundred thousand, as cybercrime incidents can impact millions of individuals worldwide.
The Verizon DBIR often reports on cybercrime incidents affecting organizations and
individuals on a much larger scale.
17) As per the study conducted by Verizon, organizations that have been phished have
increased to 40 percent since 2007.
Answer: True
Rationale:
According to the Verizon DBIR, the prevalence of phishing attacks targeting organizations
has increased over the years, with a significant rise observed since 2007. Phishing remains a
common and effective tactic used by attackers to compromise organizational networks and
steal sensitive information.
18) An intrusion detection system (IDS) is a computer program that senses when another
computer is attempting to scan the disk or otherwise access a computer.
Answer: True
Rationale:
An intrusion detection system (IDS) is a security tool designed to monitor network or system
activities for malicious behavior or policy violations. It detects and alerts administrators to
potential security threats, including unauthorized access attempts, network scans, or abnormal
activities.
19) Most emails and IMs are protected by encryption.
Answer: False
Rationale:
While encryption is available for email and instant messaging (IM), it is not universally
applied. Many emails and IMs are transmitted in plain text, making them susceptible to
interception and eavesdropping by unauthorized parties unless additional encryption
measures are implemented.
20) Cookies enable an individual to access Web sites without having to sign in every time.
Answer: True
Rationale:
Cookies are small pieces of data stored on a user's device by websites they visit. They can
store login credentials and preferences, allowing users to access websites without having to
sign in every time, as the website recognizes the user's device through the stored cookie.
21) Brute force requires only 2 days to crack a password having a mixture of upper and
lowercase letters, numbers, and special characters.
Answer: False
Rationale:
Brute force attacks involve trying all possible combinations of characters until the correct
password is found. Passwords with a mixture of upper and lowercase letters, numbers, and
special characters are typically more complex and time-consuming to crack, often requiring
significantly longer than just two days to brute force.
22) Even short passwords with no special characters can make strong passwords.
Answer: False
Rationale:
Short passwords with no special characters are generally weak and easily guessable or
susceptible to brute force attacks. Strong passwords typically include a combination of
uppercase and lowercase letters, numbers, and special characters, and are of sufficient length
to resist cracking attempts.
23) It is safer to use the same password for all the Web sites.
Answer: False
Rationale:
Using the same password for multiple websites increases the risk of security breaches. If one
website's password is compromised, all other accounts with the same password become
vulnerable. It's recommended to use unique, strong passwords for each website or service to
enhance security.
24) The senior management must establish a company-wide security policy that states the
organization's posture regarding the data that it gathers.
Answer: True
Rationale:
Senior management is responsible for establishing a comprehensive security policy that
outlines the organization's approach to managing and protecting its data assets. This policy
should define security objectives, procedures, roles, responsibilities, and guidelines for
safeguarding sensitive information.
25) Security policies must not depend on whether the organization is governmental or
nongovernmental, or whether it is publicly held or private.
Answer: False
Rationale:
Security policies may vary based on the nature of the organization, its industry, regulatory
requirements, and risk factors. Governmental and public organizations, as well as those in
highly regulated industries, may have specific security standards and compliance obligations
that differ from those of private or non-governmental organizations.
26) A new hire must seek out the employer's security policy if it is not discussed in new
employee training.
Answer: True
Rationale:
New employees should familiarize themselves with their employer's security policies and
procedures to understand their roles and responsibilities in maintaining information security.
If security policies are not covered in new employee training, it is advisable for new hires to
proactively seek out this information.
27) Technical safeguards involve the hardware and software components of an information
system.
Answer: True
Rationale:
Technical safeguards encompass the hardware and software mechanisms implemented within
an information system to protect against security threats. Examples include firewalls,
encryption, access controls, antivirus software, intrusion detection systems, and biometric
authentication.
28) Unlike credit, debit, and ATM cards, which have a magnetic strip, smart cards have a
microchip.
Answer: True
Rationale:
Smart cards, also known as chip cards, contain an embedded microchip that stores and
processes data securely. Unlike traditional credit, debit, and ATM cards, which rely on
magnetic stripes for data storage, smart cards offer enhanced security and functionality
through their microchip technology.
29) A magnetic strip holds far more data than a microchip.
Answer: False
Rationale:
Microchips used in smart cards have the capability to store significantly more data than
magnetic strips. Microchips can store various types of information securely, including
encrypted authentication credentials, account details, biometric data, and transaction records,
making them more versatile and secure than magnetic strips.
30) Biometric authentication uses characteristics such as retinal scans.
Answer: True
Rationale:
Biometric authentication verifies an individual's identity based on unique biological traits or
characteristics, such as fingerprints, iris patterns, facial features, or retinal scans. These
physiological or behavioral characteristics are difficult to forge or replicate, enhancing
security compared to traditional authentication methods like passwords or PINs.
31) Encryption is an example of a technical safeguard.
Answer: True
Rationale:
Encryption is a fundamental technical safeguard used to protect data by encoding it into an
unreadable format, which can only be decrypted with the appropriate decryption key. It helps
to ensure confidentiality and integrity of sensitive information, both at rest and in transit.
32) In symmetric encryption, two different keys are used to encode and decode a message.
Answer: False
Rationale:
In symmetric encryption, the same key is used for both encryption and decryption of a
message. This key is shared between the sender and the recipient, requiring a secure method
of key exchange. Asymmetric encryption, on the other hand, uses a pair of keys (public and
private) for encryption and decryption.
33) Symmetric encryption is simpler and much faster than asymmetric encryption.
Answer: True
Rationale:
Symmetric encryption is generally faster and less computationally intensive than asymmetric
encryption because it uses a single shared key for both encryption and decryption operations.
Asymmetric encryption involves more complex mathematical operations and typically
requires more computational resources, making it slower.
34) Secure Sockets Layer (SSL) is a protocol that is restricted to asymmetric encryption.
Answer: False
Rationale:
Secure Sockets Layer (SSL) is a protocol used to establish secure communication channels
over the internet. While SSL/TLS protocols support asymmetric encryption for key exchange
during the initial handshake, they often employ symmetric encryption for the bulk of data
transmission due to its efficiency.
35) Viruses and worms are examples of malware.
Answer: True
Rationale:
Viruses and worms are both types of malicious software, or malware, designed to infect and
compromise computer systems. Viruses attach themselves to legitimate programs or files and
replicate when executed, while worms are standalone programs that self-replicate and spread
across networks to infect other systems.
36) A Trojan horse is a virus that masquerades as a useful program or file.
Answer: True
Rationale:
A Trojan horse is a type of malware that appears to be a legitimate and harmless program or
file to trick users into downloading and executing it. Once activated, it can perform malicious
actions, such as stealing data, spying on users, or damaging the system.
37) Most spyware programs are benign in that they do not perform malicious acts or steal
data.
Answer: False
Rationale:
Spyware is a type of malware designed to gather sensitive information from a user's computer
without their knowledge or consent. While some spyware may not perform overtly malicious
acts, such as damaging files, its primary purpose is to collect data, such as browsing habits,
login credentials, or personal information, for nefarious purposes.
38) An SQL injection attack occurs when users enter an SQL statement into a form in which
they are supposed to enter a name or other data.
Answer: True
Rationale:
SQL injection is a common technique used by attackers to exploit vulnerabilities in web
applications that use SQL databases. By injecting malicious SQL commands into input fields,
attackers can manipulate database queries and gain unauthorized access to sensitive data or
execute malicious actions.
39) Improper data disclosure and data damage and loss are possible consequences of an SQL
injection attack.
Answer: True
Rationale:
SQL injection attacks can lead to various consequences, including improper data disclosure,
where attackers gain access to sensitive information stored in databases, and data damage or
loss, where attackers modify or delete database records, causing data corruption or
destruction.
40) Data safeguards are measures used to protect computer hardware from external threats.
Answer: False
Rationale:
Data safeguards are security measures designed to protect data assets from unauthorized
access, disclosure, alteration, or destruction. They include techniques such as encryption,
access controls, data backups, and data masking, aimed at safeguarding the confidentiality,
integrity, and availability of data, rather than protecting hardware.
41) If a backup of the database contents is made, the database is protected.
Answer: False
Rationale:
While backups are an essential component of data protection and disaster recovery strategies,
they do not inherently protect a database from security threats. Backups are copies of data
that can be used to restore information in case of data loss or corruption, but they do not
prevent unauthorized access, modification, or deletion of data in the live database.
42) Documenting position sensitivity enables security personnel to prioritize their activities in
accordance with the possible risk and loss.
Answer: True
Rationale:
Documenting position sensitivity involves categorizing roles within an organization based on
the level of access to sensitive information or critical systems. By understanding the
sensitivity of each position, security personnel can prioritize their efforts to focus on
protecting the most critical assets and mitigating the highest risks.
43) Employee termination is a potential security threat for an organization.
Answer: True
Rationale:
Employee termination poses a security risk if appropriate measures are not taken to revoke
the departing employee's access to sensitive systems and data. Without proper offboarding
procedures, terminated employees may retain access to company resources, potentially
leading to data breaches, sabotage, or unauthorized activities.
44) The existence of accounts that are no longer in use is not a security threat to an
organization.
Answer: False
Rationale:
Unused or dormant accounts pose a security risk to an organization because they represent
potential entry points for unauthorized access. Attackers may exploit inactive accounts that
still have active credentials or weak passwords to gain unauthorized entry into systems and
networks, leading to security breaches.
45) Business requirements do not necessitate opening information systems to nonemployee
personnel—temporary personnel, vendors or partner personnel.
Answer: False
Rationale:
Business requirements, such as collaboration with external partners, vendors, or temporary
personnel, may necessitate granting access to information systems for nonemployee
personnel. However, it's essential to implement proper security measures, such as access
controls, authentication, and monitoring, to mitigate the associated risks.
46) Companies should require vendors and partners to perform appropriate screening and
security training.
Answer: True
Rationale:
To mitigate security risks associated with external vendors and partners, companies should
establish security requirements and protocols, including screening processes to vet vendors'
security practices and ensure compliance with organizational standards. Additionally,
providing security training to vendors and partners can help raise awareness and minimize
security vulnerabilities.
47) It is easy and economical to hold public users of Web sites accountable for security
violations.
Answer: False
Rationale:
Holding public users of websites accountable for security violations can be challenging and
costly due to factors such as anonymity, jurisdictional issues, and the difficulty of identifying
individual users. It often requires significant resources, including legal proceedings, forensic
investigations, and cooperation from internet service providers.
48) Hardening a site means to take extraordinary measures to reduce a system's vulnerability.
Answer: True
Rationale:
Hardening a system or site involves implementing security measures to reduce its
vulnerability to potential attacks and breaches. This may include configuring systems
according to security best practices, applying patches and updates regularly, disabling
unnecessary services, and implementing access controls and firewalls to protect against
unauthorized access.
49) Hardening is actually a human safeguard.
Answer: False
Rationale:
Hardening refers to strengthening the security of computer systems or networks through
technical measures, such as configuring software settings, implementing encryption, or
deploying intrusion detection systems. While human factors, such as user awareness training,
are essential for overall security, hardening primarily involves technical safeguards.
50) If the incident-response plan is not well prepared, there is substantial risk that the actions
of well-meaning people will make the problem worse.
Answer: True
Rationale:
An inadequately prepared incident response plan can lead to ineffective or misguided
responses to security incidents, potentially exacerbating the problem or causing further
damage. Well-meaning individuals may inadvertently take actions that worsen the situation if
there are no clear procedures or guidelines outlined in the incident response plan.
Multiple Choice Questions
1) A ________ is a person or organization that seeks to obtain data or other assets illegally,
without the owner's permission and often without the owner's knowledge.
A) target
B) vulnerability
C) threat
D) warning
Answer: C
Rationale:
In the context of cybersecurity, a threat refers to any person, group, or entity that intends to or
has the capability to exploit vulnerabilities and compromise the security of data or assets.
Threats can include hackers, malware authors, insider threats, or any other malicious actors
seeking unauthorized access to information.
2) Which of the following is considered a threat caused by human error?
A) An employee inadvertently installs an old database on top of the current one.
B) An employee intentionally destroys data and system components.
C) A virus and worm writer infects computer systems.
D) A hacker breaks into a system to steal for financial gain.
Answer: A
Rationale:
Human error can introduce vulnerabilities and security threats to an organization's
information systems. In this scenario, an employee's inadvertent action of installing an old
database over the current one can lead to data loss, system downtime, and potential security
breaches.
3) Which of the following is considered a computer crime?
A) internal software bug deleting customer records
B) poorly written programs resulting in data losses
C) loss of data as a result of flooding
D) hacking of information systems
Answer: D
Rationale:
Computer crimes involve illegal activities perpetrated using computers or computer
networks. Hacking of information systems, where unauthorized individuals gain access to
computer systems or networks for malicious purposes, constitutes a computer crime.
4) ________ occurs when someone deceives by pretending to be someone else.
A) Hacking
B) Baiting
C) Sniffing
D) Pretexting
Answer: D
Rationale:
Pretexting is a social engineering technique in which an attacker fabricates a scenario or
pretext to deceive individuals into divulging sensitive information or performing certain
actions. The attacker pretends to be someone else, such as a trusted authority figure or a
legitimate employee, to gain the victim's trust and extract information.
5) When referring to security threats, pretexting, sniffing, spoofing, and phishing are all
examples of ________.
A) unauthorized data disclosure
B) incorrect data modification
C) faulty services
D) loss of infrastructure
Answer: A
Rationale:
Pretexting, sniffing, spoofing, and phishing are all techniques used to obtain unauthorized
access to sensitive information by deceiving individuals or exploiting vulnerabilities in
systems. These actions result in the unauthorized disclosure of data, which compromises the
confidentiality and privacy of information.
6) A ________ pretends to be a legitimate company and sends an email requesting
confidential data, such as account numbers, Social Security numbers, account passwords, and
so forth.
A) hacker
B) phisher
C) safeguard
D) sniffer
Answer: B
Rationale:
A phisher is an individual or entity that impersonates a legitimate organization or entity to
deceive recipients into divulging sensitive information, such as login credentials, financial
data, or personal information. Phishing attacks often involve sending fraudulent emails or
messages requesting confidential data under false pretenses.
7) Email spoofing is a synonym for ________.
A) hacking
B) phishing
C) usurping
D) sniffing
Answer: B
Rationale:
Email spoofing is a technique used in phishing attacks where attackers forge the sender's
email address to make it appear as if the message originated from a legitimate source. This
deceptive tactic is commonly employed to trick recipients into believing that the email is
from a trusted sender and to increase the likelihood of successful phishing.
8) ________ is a technique for intercepting computer communications, either through a
physical connection to a network or without physical connection in the case of wireless
networks.
A) Spoofing
B) Phishing
C) Sniffing
D) Pretexting
Answer: C
Rationale:
Sniffing is a cybersecurity attack method that involves intercepting and monitoring network
traffic to capture sensitive information, such as usernames, passwords, or other confidential
data. Attackers use specialized tools or software to eavesdrop on network communications,
either by connecting to a physical network or by intercepting wireless transmissions.
9) ________ take computers with wireless connections through an area and search for
unprotected wireless networks and then monitor and intercept wireless traffic at will.
A) Drive-by spoofers
B) Pretexters
C) Drive-by sniffers
D) Phishers
Answer: C
Rationale:
Drive-by sniffers are individuals or entities that drive or move through an area with wireless
connectivity, scanning for vulnerable or unprotected wireless networks. Once identified, they
can intercept and monitor wireless traffic passing through these networks, potentially
capturing sensitive information transmitted over the air.
10) Which of the following is an example of a sniffing technique?
A) IP spoofing
B) caches
C) ad blockers
D) adware
Answer: D
Rationale:
Adware is a type of software that automatically displays or downloads advertisements on a
user's device. While adware itself may not involve sniffing techniques, some malicious
adware programs may employ sniffing capabilities to monitor user activities, track browsing
habits, or capture sensitive information for targeted advertising purposes.
11) ________ occurs when a person breaks into a network to steal data such as customer lists,
product inventory data, employee data, and other proprietary and confidential data.
A) Pretexting
B) Phishing
C) Hacking
D) Spoofing
Answer: C
Rationale:
Hacking involves unauthorized access to computer systems or networks with the intent to
steal, manipulate, or compromise data. Hackers exploit vulnerabilities in network security to
gain entry into systems, where they may steal sensitive information, disrupt operations, or
cause damage to the targeted organization.
12) Which of the following is most likely to be the result of hacking?
A) certain Web sites being blocked from viewing for security reasons
B) small amounts of spam in your inbox
C) an unexplained reduction in your account balance
D) pop-up ads appearing frequently
Answer: C
Rationale:
An unexplained reduction in your account balance is most likely the result of hacking.
Hackers may gain unauthorized access to financial accounts or payment systems, allowing
them to transfer funds, make unauthorized purchases, or engage in fraudulent activities
without the account owner's consent.
13) ________ occurs through human error when employees do not follow proper procedures
or when procedures have not been well designed.
A) Unauthorized data disclosure
B) Incorrect data modification
C) Denial of service
D) Loss of infrastructure
Answer: B
Rationale:
Incorrect data modification refers to unauthorized or accidental changes made to data within
an information system. This can occur due to human error, such as data entry mistakes or
improper data handling procedures, leading to inaccuracies, inconsistencies, or corruption of
data.
14) ________ occurs when computer criminals invade a computer system and replace
legitimate programs with their own unauthorized ones that shut down legitimate applications
and substitute their own processing to spy, steal and manipulate data, or other purposes.
A) Hacking
B) Spoofing
C) Phishing
D) Usurpation
Answer: D
Rationale:
Usurpation is a form of cyber attack where malicious actors infiltrate a computer system and
replace legitimate programs or processes with unauthorized ones. This allows the attackers to
gain control over the system, spy on users, steal sensitive data, or manipulate system
operations for malicious purposes.
15) Which of the following usually happens in a malicious denial-of-service attack?
A) A hacker monitors and intercepts wireless traffic at will.
B) A hacker floods a Web server with millions of bogus service requests.
C) A hacker uses another site's IP address to masquerade as that other site.
D) A phisher pretends to be a legitimate company and requests confidential data.
Answer: B
Rationale:
In a malicious denial-of-service (DoS) attack, the attacker overwhelms a target server or
network with a flood of bogus service requests, rendering it unable to respond to legitimate
user requests. This disrupts the availability of the targeted service or website to legitimate
users.
16) ________ present the largest risk for an organization's infrastructure loss.
A) Employees
B) Natural disasters
C) Hackers
D) Competitors
Answer: B
Rationale:
Natural disasters, such as earthquakes, floods, fires, or severe weather events, pose significant
risks to an organization's infrastructure. These events can cause physical damage to data
centers, servers, networking equipment, and facilities, leading to service interruptions, data
loss, and costly downtime.
17) A(n) ________ is a computer program that senses when another computer is attempting
to scan the disk or otherwise access a computer.
A) IDS
B) botnet
C) antivirus
D) firewall
Answer: A
Rationale:
An Intrusion Detection System (IDS) is a security tool or program designed to monitor
network or system activities for suspicious behavior or patterns that may indicate a potential
security threat or intrusion. IDSs can detect and alert administrators to unauthorized access
attempts, malware activity, or other malicious behavior.
18) Nonword passwords are vulnerable to a(n) ________ attack, in which the password
cracker tries every possible combination of characters.
A) denial-of-service
B) side channel
C) brute force
D) obfuscation
Answer: C
Rationale:
Nonword passwords, which do not contain recognizable words or phrases, are vulnerable to
brute force attacks. In a brute force attack, the attacker systematically tries every possible
combination of characters, including letters, numbers, and symbols, until the correct
password is discovered through trial and error.
19) ________ are small files that your browser stores on your computer when you visit Web
sites and enable you to access Web sites without having to sign in every time.
A) Cookies
B) Registers
C) Pop-ups
D) Public keys
Answer: A
Rationale:
Cookies are small pieces of data stored by web browsers on a user's computer to record
information about their browsing activities on websites. Cookies allow websites to remember
user preferences, login credentials, and other settings, enabling users to access websites
without having to sign in each time they visit.
20) ________ enable you to access Web sites without having to sign in every time.
A) Bookmarks
B) Pop-ups
C) Cookies
D) Public keys
Answer: C
Rationale:
Cookies are used by web browsers to store information about a user's session on a website,
including login credentials and user preferences. By storing this information locally, cookies
enable users to access websites without having to sign in every time they visit, improving
convenience and user experience.
21) Which of the following is a critical security function of senior management in an
organization?
A) safeguarding computer hardware and software
B) developing IS security software
C) establishing the security policy and managing risk
D) managing security programs on a real-time basis
Answer: C
Rationale:
Senior management plays a crucial role in establishing the organization's security policy and
managing risk. This involves defining security objectives, implementing controls and
procedures to mitigate risks, allocating resources for security initiatives, and ensuring
compliance with legal and regulatory requirements. Senior management's leadership and
commitment to security are essential for creating a culture of security awareness and
accountability throughout the organization.
22) The Privacy Act of 1974 provides protection to individuals regarding ________.
A) records held by private companies
B) records held by the U.S. government
C) records held by banks and other financial institutions
D) records held by non-government agencies
Answer: B
Rationale:
The Privacy Act of 1974 regulates the collection, use, and dissemination of personal
information by federal agencies. It provides individuals with certain rights regarding their
own records held by the U.S. government, including the right to access, amend, and control
the use of their personal information.
23) Which of the following was passed to give individuals the right to access their own health
data created by doctors and other healthcare providers?
A) Privacy Act of 1974
B) Sarbanes-Oxley Act
C) HIPAA of 1996
D) Gramm-Leach-Bliley Act
Answer: C
Rationale:
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes
provisions known as the Privacy Rule, which grants individuals the right to access their own
health information held by covered entities, such as healthcare providers and health plans.
HIPAA aims to protect the privacy and security of individuals' health information while
ensuring the portability of health insurance coverage.
24) Which of the following is an example of a technical safeguard?
A) position definitions
B) firewalls
C) key escrow
D) locked down servers
Answer: B
Rationale:
Firewalls are an example of a technical safeguard used to protect computer systems and
networks from unauthorized access and malicious threats. Firewalls monitor and control
incoming and outgoing network traffic based on predetermined security rules, helping to
prevent unauthorized access, data breaches, and cyber attacks.
25) A(n) ________ has a microchip in it to hold data.
A) ATM card
B) smart card
C) cookie
D) escrow
Answer: B
Rationale:
A smart card is a portable device that contains an embedded microchip capable of storing and
processing data. Smart cards are used for various applications, including authentication,
identification, payment processing, and secure access control. The microchip technology
enhances security by securely storing sensitive information and performing cryptographic
functions.
26) Users of smart cards are required to enter a ________ to be authenticated.
A) Social Security number
B) public key
C) personal identification number
D) private key
Answer: C
Rationale:
Users of smart cards are typically required to enter a Personal Identification Number (PIN) to
authenticate themselves and access the data or services stored on the smart card. The PIN
serves as a form of authentication to verify the user's identity before granting access to the
smart card's resources.
27) Which of the following is used for biometric authentication?
A) smart cards
B) facial features
C) passwords
D) personal identification numbers
Answer: B
Rationale:
Biometric authentication uses unique biological characteristics, such as facial features,
fingerprints, iris patterns, or voiceprints, to verify an individual's identity. Facial recognition
technology analyzes facial features to authenticate users, providing a secure and convenient
method of identity verification.
28) Which of the following statements is true of biometric identification?
A) It involves the use of a PIN for authentication.
B) It provides weak authentication.
C) It is a relatively inexpensive mode of authentication.
D) It often faces resistance from users for its invasive nature.
Answer: D
Rationale:
Biometric identification, while offering strong authentication based on unique biological
traits, can face resistance from users due to concerns about privacy, security, and the invasive
nature of biometric data collection. Users may be reluctant to adopt biometric authentication
methods that require the capture and storage of sensitive biometric information.
29) A ________ is a number used to encrypt the data.
A) key
B) WPA
C) pretext
D) WEP
Answer: A
Rationale:
A key is a cryptographic code or sequence of characters used to encrypt and decrypt data in
encryption algorithms. Keys are used to secure sensitive information during transmission or
storage by scrambling the data into an unreadable format that can only be deciphered using
the corresponding decryption key.
30) In asymmetric encryption, each site has a ________ for encoding messages.
A) wireless fidelity
B) private key
C) public key
D) pretext
Answer: C
Rationale:
In asymmetric encryption, also known as public-key cryptography, each site generates a pair
of cryptographic keys: a public key and a private key. The public key is used for encryption,
while the private key is kept secret and used for decryption. Messages
31) ________ is the process of transforming clear text into coded, unintelligible text for
secure storage or communication.
A) Inscription
B) Etching
C) Encryption
D) Decryption
Answer: C
Rationale:
Encryption is the process of converting plaintext (clear text) into ciphertext (coded,
unintelligible text) using cryptographic algorithms and keys. This transformation ensures that
the information remains confidential and secure during storage or transmission, as only
authorized parties with the decryption key can decipher the encrypted data.
32) With ________ encryption, the sender and receiver transmit a message using the same
key.
A) asymmetric
B) coaxial
C) symmetric
D) collinear
Answer: C
Rationale:
Symmetric encryption, also known as secret-key encryption or single-key encryption, uses
the same key for both encryption and decryption processes. This key is shared between the
sender and the receiver, allowing them to encrypt and decrypt messages securely. Symmetric
encryption algorithms are faster and more efficient for bulk data encryption compared to
asymmetric encryption.
33) Secure Socket Layer is also known as ________.
A) application security layer
B) transport layer security
C) presentation layer security
D) network security layer
Answer: B
Rationale:
Secure Socket Layer (SSL) is also referred to as Transport Layer Security (TLS). It operates
at the transport layer (Layer 4) of the TCP/IP protocol suite and provides secure
communication over a network by encrypting data transmitted between a client and a server.
SSL/TLS ensures data confidentiality, integrity, and authenticity during transmission.
34) Which of the following is true of the Secure Socket Layer (SSL)?
A) It uses only asymmetric encryption.
B) It is a useful hybrid of symmetric and asymmetric encryption techniques.
C) It works between Levels 2 and 3 of the TCP-OSI architecture.
D) It is a stronger version of HTTPS.
Answer: B
Rationale:
SSL is a hybrid encryption protocol that combines both symmetric and asymmetric
encryption techniques to establish a secure connection between a client and a server. It
negotiates a symmetric session key using asymmetric encryption for data encryption and
decryption during the session. SSL/TLS is commonly used for securing web transactions,
email communication, and other network protocols.
35) You are transferring funds online through the Web site of a reputed bank. Which of the
following displayed in your browser's address bar will let you know that the bank is using the
SSL protocol?
A) http
B) www
C) https
D) .com
Answer: C
Rationale:
The presence of "https" in the browser's address bar indicates that the website is using the
Secure Hypertext Transfer Protocol (HTTPS), which employs the SSL/TLS protocol to
secure data transmission over the internet. The "https" prefix signifies that the communication
between the web browser and the web server is encrypted, providing a secure environment
for sensitive transactions, such as online banking.
36) A ________ examines each part of a message and determines whether to let that part
pass.
A) packet-filtering firewall
B) private key
C) mail server
D) Web server
Answer: A
Rationale:
A packet-filtering firewall is a network security device or software that inspects incoming and
outgoing network packets (data units) based on predetermined rules or criteria. It examines
each part of a message, including source and destination IP addresses, port numbers, and
packet content, to determine whether to allow or block the transmission of data packets
according to the configured security policies.
37) ________ is the term used to denote viruses, worms, and Trojan horses.
A) Malware
B) Kerberos
C) Usurpation
D) Spam
Answer: A
Rationale:
Malware is a broad category of malicious software programs designed to disrupt, damage, or
gain unauthorized access to computer systems and networks. It includes various types of
harmful software such as viruses, worms, Trojan horses, ransomware, spyware, adware, and
rootkits.
38) A virus is a computer program that replicates itself. The program code that causes
unwanted activity is called the ________.
A) payload
B) Trojan
C) bot herder
D) key escrow
Answer: A
Rationale:
The payload of a virus refers to the malicious portion of its program code that executes the
intended harmful actions on an infected computer system. It may include instructions to
overwrite files, steal data, display messages, or perform other undesirable activities. The
payload is distinct from the virus's propagation mechanism, which enables it to spread to
other systems.
39) ________ are viruses that masquerade as useful programs or files.
A) Adware
B) Firmware
C) Trojan horses
D) Payloads
Answer: C
Rationale:
Trojan horses are a type of malware that disguises itself as legitimate or benign software to
deceive users into executing or installing them on their systems. Once activated, Trojan
horses perform malicious actions, such as stealing sensitive information, disrupting system
operations, or providing unauthorized access to attackers. Unlike viruses, Trojan horses do
not self-replicate.
40) A ________ is a type of virus that propagates using the Internet or other computer
networks.
A) worm
B) sniffer
C) Trojan horse
D) phisher
Answer: A
Rationale:
A worm is a self-replicating type of malware that spreads across computer networks by
exploiting vulnerabilities in network protocols or software applications. Unlike viruses,
worms do not require a host program to attach to and can independently replicate and spread
to other systems over a network. Worms can cause widespread damage by consuming
network bandwidth, degrading system performance, and carrying out malicious activities.
41) What is a major difference between spyware and adware?
A) Unlike spyware, adware does not perform malicious acts.
B) Unlike spyware, adware steals data from users.
C) Unlike spyware, adware is installed with the user's permission.
D) Unlike spyware, adware does not observe user behavior.
Answer: A
Rationale:
The major difference between spyware and adware is that spyware typically performs
malicious acts such as monitoring user activities, collecting sensitive information, and
transmitting data to remote servers without the user's consent or knowledge. In contrast,
adware primarily displays unwanted advertisements, pop-ups, or promotional content to users
but does not engage in malicious behavior or data theft.
42) ________ is similar to spyware but it watches user activity and produces pop-ups.
A) Cookies
B) Adware
C) Payloads
D) Beacon
Answer: B
Rationale:
Adware is a type of potentially unwanted application (PUA) that displays unwanted
advertisements, pop-ups, banners, or sponsored content to users while they browse the
internet or use software applications. Although adware may not be inherently malicious, it
can be intrusive and disruptive to the user experience by generating excessive advertising or
redirecting web traffic to sponsored sites.
43) An SQL ________ occurs when users enter an SQL statement into a form in which they
are supposed to enter a name or other data.
A) password attack
B) data attack
C) brute attack
D) injection attack
Answer: D
Rationale:
An SQL injection attack is a type of cyber attack where malicious SQL code is inserted into
input fields of a web application's form, exploiting vulnerabilities in the application's
database layer. This allows attackers to execute unauthorized SQL commands, potentially
gaining access to sensitive data, modifying or deleting database records, or executing
administrative functions.
44) ________ refers to an organization-wide function that is in charge of developing data
policies and enforcing data standards.
A) Data administration
B) Database administration
C) Database management
D) Data safeguard
Answer: A
Rationale:
Data administration is responsible for managing an organization's data resources, including
developing data policies, defining data standards, ensuring data quality and integrity, and
overseeing data management practices across the organization. It involves activities such as
data modeling, data governance, data security, and data lifecycle management.
45) ERP, CRM, and MRP are examples of ________.
A) data policies
B) databases
C) data safeguards
D) network security policies
Answer: B
Rationale:
ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), and MRP
(Material Requirements Planning) are examples of database systems or applications used to
manage various aspects of business operations. They utilize databases to store and process
data related to enterprise resources, customer interactions, and material requirements,
respectively.
46) ________ is a staff function to the chief information officer.
A) Data administration
B) Technical safeguard
C) Network security
D) Human safeguard
Answer: A
Rationale:
Data administration is typically a staff function that reports to the chief information officer
(CIO) or another high-level executive responsible for information technology management. It
involves strategic planning, policy development, and oversight of data-related activities to
ensure effective and secure management of organizational data assets.
47) A safety procedure that allows a trusted party to have a copy of the encryption key is
called key ________.
A) CRM
B) escrow
C) ERP
D) SQL injection
Answer: B
Rationale:
Key escrow is a safety procedure used in encryption systems where a trusted third party,
known as an escrow agent, holds a copy of encryption keys used to secure sensitive data. In
case of emergencies or legal requirements, the escrow agent can release the keys to
authorized parties, enabling decryption of the data.
48) ________ protect databases and other organizational data.
A) Databots
B) Payloads
C) Data safeguards
D) Data strings
Answer: C
Rationale:
Data safeguards are security measures implemented to protect databases and other
organizational data from unauthorized access, disclosure, alteration, or destruction. These
safeguards include encryption, access controls, authentication mechanisms, data backup and
recovery procedures, and security policies and procedures.
49) The computers that run the DBMS and all devices that store database data should reside
in locked, controlled-access facilities. This is done to achieve ________.
A) network security
B) spoofing
C) brute force
D) physical security
Answer: D
Rationale:
Storing computers running the Database Management System (DBMS) and database storage
devices in locked, controlled-access facilities helps achieve physical security. Physical
security measures protect hardware and data assets from theft, vandalism, unauthorized
access, and environmental hazards, ensuring the confidentiality, integrity, and availability of
organizational data.
50) In a locked room, maintaining the computers of an organization that run the DBMS is a
part of ________.
A) malware safeguards
B) recovery procedures
C) physical security procedures
D) data rights and responsibilities
Answer: C
Rationale:
Maintaining computers running the Database Management System (DBMS) in a locked room
is part of physical security procedures. Physical security measures aim to safeguard physical
assets, such as hardware and infrastructure, from unauthorized access or damage. This
includes controlling access to facilities, securing equipment, monitoring environmental
conditions, and implementing disaster recovery plans.
51) ________ involve the people and procedure components of information systems.
A) Firewalls
B) Technical safeguards
C) Human safeguards
D) Payloads
Answer: C
Rationale:
Human safeguards pertain to the policies, procedures, and education implemented to promote
secure behavior among employees and users of information systems. They include activities
such as security training, access control policies, security awareness programs, and
termination procedures to mitigate risks associated with human factors.
52) Which of the following statements about human safeguards for employees is true?
A) Security screening in an organization is a one-time process and applies only to new
employees.
B) Users' computer accounts should give users the least possible privilege necessary to
perform their jobs.
C) Companies can provide user accounts and passwords to employees prior to their security
training.
D) There are only two main aspects to security enforcement: responsibility and
accountability.
Answer: B
Rationale:
Users' computer accounts should be configured to provide the least privilege necessary for
users to perform their job responsibilities effectively. This principle, known as the principle
of least privilege, reduces the risk of unauthorized access or misuse of system resources by
limiting users' permissions to only what is required for their specific roles.
53) When an employee is terminated, IS administrators should receive advance notice so they
can ________.
A) destroy the employee's records
B) plan for new recruitment
C) disseminate information
D) remove the user account and password
Answer: D
Rationale:
When an employee is terminated, IS administrators should receive advance notice so they can
promptly remove the employee's user account and password from the organization's systems.
This helps prevent unauthorized access to sensitive information or systems after the
employee's departure and maintains the security of the organization's resources.
54) ________ a site means to take extraordinary measures to reduce a system's vulnerability,
using special versions of the operating system.
A) Leveling
B) Hardening
C) Authenticating
D) Certifying
Answer: B
Rationale:
Hardening a site involves taking special measures to reduce the vulnerability of a system to
security threats. This often includes configuring the operating system and software
applications to remove unnecessary features, disable unnecessary services, apply security
patches, and enforce strict access controls to enhance the system's security posture.
55) The process of hardening is actually a ________ safeguard.
A) multiple
B) financial
C) technical
D) physical
Answer: C
Rationale:
The process of hardening, which involves strengthening the security of systems and networks
against potential threats, is considered a technical safeguard. Technical safeguards encompass
security measures implemented through technology, such as encryption, access controls,
intrusion detection systems, and firewalls, to protect information systems and data from
unauthorized access, disclosure, or modification.
56) ________ are the primary means of authentication and are important not just for access to
a user's computer, but also for authentication to other networks and servers to which the user
may have access.
A) Private keys
B) User names
C) Passwords
D) Personal identification numbers
Answer: C
Rationale:
Passwords are the primary means of authentication used to verify the identity of users
accessing computer systems, networks, and online services. They are essential for controlling
access to user accounts and protecting sensitive information from unauthorized access.
Passwords are used not only for local computer access but also for authentication to other
networks and servers to which the user may have access.
57) Which of the following systems procedures is specifically the responsibility of operations
personnel?
A) creating backup data on one's personal computer
B) using systems to perform job tasks
C) creating backup system databases
D) knowing whom to contact when a security breach occurs
Answer: C
Rationale:
Creating backup system databases is specifically the responsibility of operations personnel.
Operations personnel are responsible for managing and maintaining the operational aspects of
information systems, including performing routine backups of system databases to ensure
data integrity and availability in case of system failures, disasters, or data loss incidents.
58) ________ helps in accomplishing job tasks during failure.
A) Backup site
B) Operations
C) Development
D) Recovery
Answer: D
Rationale:
Recovery procedures help in accomplishing job tasks during failure by facilitating the
restoration of systems, data, and operations to a functional state following an adverse event or
disruption. Recovery procedures typically involve backup and restoration processes, disaster
recovery plans, and continuity of operations measures to minimize downtime and restore
normal business operations as quickly as possible.
59) Firewalls produce ________ which include lists of all dropped packets, infiltration
attempts, and unauthorized access attempts from within the firewall.
A) hot sites
B) blogs
C) activity logs
D) monitor sheets
Answer: C
Rationale:
Firewalls produce activity logs, which include detailed records of network traffic, such as
lists of dropped packets, infiltration attempts, and unauthorized access attempts from both
external and internal sources. These logs are essential for monitoring and analyzing network
activity, identifying security incidents, and maintaining the security of the network
infrastructure.
60) ________ are false targets for computer criminals to attack.
A) Bot herders
B) Hot sites
C) Honeypots
D) Beacons
Answer: C
Rationale:
Honeypots are false targets or decoy systems set up by organizations to divert and deceive
computer criminals, malware, and attackers. Honeypots simulate vulnerable systems or
networks and are designed to attract and capture malicious activity, allowing organizations to
study attacker tactics, gather threat intelligence, and enhance their security posture.
Essay Questions
1) Define threat, vulnerability, safeguard, and target.
Answer: A threat is a person or organization that seeks to obtain data or other assets illegally,
without the owner's permission and often without the owner's knowledge. A vulnerability is
an opportunity for threats to gain access to individual or organizational assets. For example,
when you buy something online, you provide your credit card data; when that data is
transmitted over the Internet, it is vulnerable to threats. A safeguard is some measure that
individuals or organizations take to block the threat from obtaining the asset. Finally, the
target is the asset that is desired by the threat.
2) What are the three general sources of security threats?
Answer: A security threat is a challenge to the integrity of information systems that arises
from one of three sources: human error and mistakes, computer crime, and natural events and
disasters. Human errors and mistakes include accidental problems caused by both employees
and nonemployees. Computer crime includes employees and former employees who
intentionally destroy data or other system components. It also includes hackers who break
into a system and virus and worm writers who infect computer systems. Natural events and
disasters include fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts
of nature. Problems in this category include not only the initial loss of capability and service,
but also losses stemming from actions to recover from the initial problem.
3) What is meant by denial of service?
Answer: Human error in following procedures, or a lack of procedures, can result in denial of
service. For example, humans can inadvertently shut down a Web server or corporate
gateway router by starting a computationally intensive application. Denial-of-service attacks
can be launched maliciously. A malicious hacker can flood a Web server, for example, with
millions of bogus service requests that so occupy the server that it cannot service legitimate
requests. Finally, natural disasters may cause systems to fail, resulting in denial of service.
4) Describe the magnitude of security problems in the present day.
Answer: The full extent of the financial and data losses due to computer security threats is
unknown. Certainly, the losses due to human error are enormous, but few organizations
compute those losses and even fewer publish them. Losses due to natural disasters are also
enormous and impossible to compute. The earthquake in Japan, for example, shut down
Japanese manufacturing, and losses rippled through the supply chain from the Far East to
Europe and the United States. One can only imagine the enormous expense for Japanese
companies as they restored their information systems.
5) List various personal security safeguards.
Answer: Personal security safeguards include the following:
• Take security seriously.
• Create strong passwords.
• Use multiple passwords.
• Send no valuable data via email or IM.
• Use HTTPS at trusted, reputable vendors.
• Remove high-value assets from computers.
• Clear browsing history, temporary files, and cookies.
• Update antivirus software.
• Demonstrate security concern to your fellow workers.
• Follow organizational security directives and guidelines.
• Consider security for all business initiatives.
6) What is the basic information that a security policy must stipulate?
Answer: At a minimum, a security policy should stipulate:
• What sensitive data the organization will store.
• How it will process that data.
• Whether data will be shared with other organizations.
• How employees and others can obtain copies of data stored about them.
• How employees and others can request changes to inaccurate data.
• What employees can do with their own mobile devices at work.
• What nonorganizational activities employees can take with employee-owned equipment.
7) Define encryption and explain symmetric and asymmetric encryption for computer
systems.
Answer: Encryption is the process of transforming clear text into coded, unintelligible text for
secure storage or communication. To encode a message, a computer program uses the
encryption method with a key to convert a noncoded message into a coded one. The resulting
coded message looks like gibberish. Decoding (decrypting) a message is similar; a key is
applied to the coded message to recover the original text.
In symmetric encryption, the same key is used to encode and to decode the message. With
asymmetric encryption, two keys are used; one key encodes the message, and the other key
decodes the message.
8) What is a virus? Differentiate between Trojan horses and worms.
Answer:
• A virus is a computer program that replicates itself.
• Trojan horses are viruses that masquerade as useful programs or files.
• A worm is a virus that propagates using the Internet or other computer network.
9) What are spyware and adware programs?
Answer:
• Spyware programs are installed on the user's computer without the user's knowledge or
permission.
• Adware is similar to spyware but it watches user activity and produces pop-up ads.
10) Describe six antimalware safeguards.
Answer: It is possible to avoid most malware using the following malware safeguards:
1. Install antivirus and antispyware programs on your computer. Your IS department will have
a list of recommended programs for this purpose. If you choose a program for yourself,
choose one from a reputable vendor. Check reviews of antimalware software on the Web
before purchasing.
2. Set up your antimalware programs to scan your computer frequently. You should scan your
computer at least once a week and possibly more. When you detect malware code, use the
antimalware software to remove it. If the code cannot be removed, contact your IS
department or antimalware vendor.
3. Update malware definitions. Malware definitions—patterns that exist in malware code—
should be downloaded frequently. Antimalware vendors update these definitions
continuously, and you should install these updates as they become available.
4. Open email attachments only from known sources. Also, even when opening attachments
from known sources, do so with great care. Most antimalware programs check email
attachments for malware code. However, all users should form the habit of never opening an
email attachment from an unknown source. Also, if you receive an unexpected email from a
known source or an email from a known source that has a suspicious subject, odd spelling, or
poor grammar, do not open the attachment without first verifying with the known source that
the attachment is legitimate.
5. Promptly install software updates from legitimate sources. Unfortunately, all programs are
chock full of security holes; vendors are fixing them as rapidly as they are discovered, but the
practice is inexact. Install patches to the operating system and application programs promptly.
6. Browse only in reputable Internet neighborhoods. It is possible for some malware to install
itself when you do nothing more than open a Web page.
11) What is key escrow?
Answer: Key escrow is a safety procedure. Organizations should protect sensitive data by
storing it in encrypted form. Such encryption uses one or more keys in ways similar to that
described for data communication encryption. One potential problem with stored data,
however, is that the key might be lost or that disgruntled or terminated employees might
destroy it. Because of this possibility, when data are encrypted, a trusted party should have a
copy of the encryption key. This safety procedure is sometimes called key escrow.
12) Discuss some human safeguards for employees that can ensure the security of
information systems.
Answer: Human safeguards involve the people and procedure components of information
systems. In general, human safeguards result when authorized users follow appropriate
procedures for system use and recovery. Restricting access to authorized users requires
effective authentication methods and careful user account management. In addition,
appropriate security procedures must be designed as part of every information system, and
users should be trained on the importance and use of those procedures.
Position Definitions—It is impossible to have effective human safeguards unless job tasks
and responsibilities are clearly defined for each employee position. In general, job
descriptions should provide a separation of duties and authorities. Given appropriate job
descriptions, users' computer accounts should give users the least possible privilege necessary
to perform their jobs. Documenting position sensitivity enables security personnel to
prioritize their activities in accordance with the possible risk and loss.
Hiring and Screening—Security considerations should be part of the hiring process. When
hiring for high-sensitivity positions, extensive interviews, references, and background
investigations are appropriate. Security screening applies not only to new employees, but also
to employees who are promoted into sensitive positions.
Dissemination and Enforcement—Employees need to be trained on security policies,
procedures, and the responsibilities they will have. Employee security training begins during
new-employee training, with the explanation of general security policies and procedures. That
general training must be amplified in accordance with the position's sensitivity and
responsibilities. Promoted employees should receive security training that is appropriate to
their new positions. The company should not provide user accounts and passwords until
employees have completed required security training. Enforcement consists of three
interdependent factors: responsibility, accountability, and compliance.
Termination—Companies also must establish security policies and procedures for the
termination of employees. Standard human resources policies should ensure that system
administrators receive notification in advance of the employee's last day, so that they can
remove accounts and passwords. Procedures for recovering keys for encrypted data and any
other security assets must be part of the employee's out-processing. Unfriendly termination is
more difficult because employees may be tempted to take malicious or harmful actions. In
such a case, system administrators might need to remove user accounts and passwords prior
to notifying the employee of the termination.
13) How should organizations respond to security incidents?
Answer: First, every organization should have an incident-response plan as part of the
security program. No organization should wait until some asset has been lost or compromised
before deciding what to do. The plan should include how employees are to respond to
security problems, whom they should contact, the reports they should make, and steps they
can take to reduce further loss. For example, an incident-response plan will stipulate what an
employee should do when he notices a virus. It should specify whom to contact and what to do. It
may stipulate that the employee should turn off his computer and physically disconnect from
the network. The plan should also indicate what users with wireless computers should do.
When an incident does occur, speed is of the essence. Viruses and worms can spread very
quickly across an organization's networks, and a fast response will help to mitigate the
consequences. Because of the need for speed, preparation pays. The incident-response plan
should identify critical personnel and their off-hours contact information. These personnel
should be trained on where to go and what to do when they get there. Finally, organizations
should periodically practice incident response. Without such practice, personnel will be
poorly informed on the response plan, and the plan itself may have flaws that only become
apparent during a drill.

Test Bank for Using MIS
David M. Kroenke
9780133029673, 9780135191767, 9780134106786, 9780138132484, 9780136100751, 9780134606996