CIS502 FINAL EXAM
Chapter 1 Security governance through principles and policies
Quiz
What is the primary objective of data classification schemes?
To formalize and stratify the process of securing data based on assigned
labels of importance and sensitivity
STRIDE is often used in relation to assessing threats against applications or
operating systems. Which of the following is not an element of STRIDE?
Disclosure
_______________ refers to keeping information confidential that is personally
identifiable or that might cause harm, embarrassment, or disgrace to someone
if revealed.
Privacy
Which of the following contains the primary goals and objectives of security?
CIA Triad
What is the primary goal of change management?
Preventing Security Compromises
Which of the following is the lowest military data classification for classified
data?
Secret
Which of the following is typically not a characteristic considered when
classifying data?
Size of the object
What element of data categorization management can override all other forms
of access control?
Taking ownership
Which of the following is not considered an example of data hiding?
Preventing an authorized reader of an object from deleting that object
,Data classifications are used to focus security controls over all but which of
the following?
Layering
All but which of the following items requires awareness for all individuals
affected?
Each correct answer represents a complete solution. Choose two.
Recording phone conversations
The backup mechanism used to retain email messages
Which of the following is not considered a violation of confidentiality?
Hardware Deconstruction
Vulnerabilities and risks are evaluated based on their threats against which of
the following?
One or more of the CIA Triad principles
Which of the following is a principle of the CIA Triad that means authorized
subjects are granted timely and uninterrupted access to objects?
Availability
What ensures that the subject of an activity or event cannot deny that the
event occurred?
Nonrepudiation
,Which commercial business/private sector data classification is used to control
information about individuals within an organization?
Private
Which of the following is the most important and distinctive concept in relation
to layered security?
Series
If a security mechanism offers availability, then it offers a high level of
assurance that authorized subjects can _____________________ the data,
objects, and resources.
Access
What are the two common data classification schemes?
Military and private sector
Which of the following is not true?
Violations of confidentiality are limited to direct intentional attacks.
Labs
Here are the steps to implement a classification scheme:
1. Identify the custodian, and define their responsibilities.
2. Specify the evaluation criteria of how the information will be classified and
labeled.
3. Classify and label each resource.
4. Document any exceptions to the classification policy that are discovered,
and integrate them into the evaluation criteria.
, 5. Select the security controls that will be applied to each classification level
to provide the necessary level of protection.
6. Specify the procedures for declassifying resources and the procedures for
transferring custody of a resource to an external entity.
7. Create an enterprise-wide awareness program to instruct all personnel
about the classification system.
Lesson: Security Governance Through Principles and Policies
Objective: Evaluate and Apply Security Governance Principles
Layering: Performs security restrictions in a series
Abstraction: Used for efficiency
Data Hiding: Prevents data from being discovered or accessed
Encryption: Hides the meaning or intent of a communication from unintended
recipients.
Strategic Plan: Defines the organization’s purpose
Tactical plan: Prescribes and schedules the tasks necessary to achieve
organizational goals
Operational Plan: Spells out how to achieve the various goals of the
organization
Risk Avoidance: Involves identifying a risk and deciding to no longer engage in
the action associated with that risk
Risk Transference: Involves sharing some of the risk burden.
Chapter 1 Security governance through principles and policies
Quiz
What is the primary objective of data classification schemes?
To formalize and stratify the process of securing data based on assigned
labels of importance and sensitivity
STRIDE is often used in relation to assessing threats against applications or
operating systems. Which of the following is not an element of STRIDE?
Disclosure
_______________ refers to keeping information confidential that is personally
identifiable or that might cause harm, embarrassment, or disgrace to someone
if revealed.
Privacy
Which of the following contains the primary goals and objectives of security?
CIA Triad
What is the primary goal of change management?
Preventing Security Compromises
Which of the following is the lowest military data classification for classified
data?
Secret
Which of the following is typically not a characteristic considered when
classifying data?
Size of the object
What element of data categorization management can override all other forms
of access control?
Taking ownership
Which of the following is not considered an example of data hiding?
Preventing an authorized reader of an object from deleting that object
,Data classifications are used to focus security controls over all but which of
the following?
Layering
All but which of the following items requires awareness for all individuals
affected?
Each correct answer represents a complete solution. Choose two.
Recording phone conversations
The backup mechanism used to retain email messages
Which of the following is not considered a violation of confidentiality?
Hardware Deconstruction
Vulnerabilities and risks are evaluated based on their threats against which of
the following?
One or more of the CIA Triad principles
Which of the following is a principle of the CIA Triad that means authorized
subjects are granted timely and uninterrupted access to objects?
Availability
What ensures that the subject of an activity or event cannot deny that the
event occurred?
Nonrepudiation
,Which commercial business/private sector data classification is used to control
information about individuals within an organization?
Private
Which of the following is the most important and distinctive concept in relation
to layered security?
Series
If a security mechanism offers availability, then it offers a high level of
assurance that authorized subjects can _____________________ the data,
objects, and resources.
Access
What are the two common data classification schemes?
Military and private sector
Which of the following is not true?
Violations of confidentiality are limited to direct intentional attacks.
Labs
Here are the steps to implement a classification scheme:
1. Identify the custodian, and define their responsibilities.
2. Specify the evaluation criteria of how the information will be classified and
labeled.
3. Classify and label each resource.
4. Document any exceptions to the classification policy that are discovered,
and integrate them into the evaluation criteria.
, 5. Select the security controls that will be applied to each classification level
to provide the necessary level of protection.
6. Specify the procedures for declassifying resources and the procedures for
transferring custody of a resource to an external entity.
7. Create an enterprise-wide awareness program to instruct all personnel
about the classification system.
Lesson: Security Governance Through Principles and Policies
Objective: Evaluate and Apply Security Governance Principles
Layering: Performs security restrictions in a series
Abstraction: Used for efficiency
Data Hiding: Prevents data from being discovered or accessed
Encryption: Hides the meaning or intent of a communication from unintended
recipients.
Strategic Plan: Defines the organization’s purpose
Tactical plan: Prescribes and schedules the tasks necessary to achieve
organizational goals
Operational Plan: Spells out how to achieve the various goals of the
organization
Risk Avoidance: Involves identifying a risk and deciding to no longer engage in
the action associated with that risk
Risk Transference: Involves sharing some of the risk burden.
