Explain key security program area.
The key security program area involves multiple areas of management, led by the Chief
Information Security Officer (CISO) and the Information Security Manager (ISM). Areas
include security planning, capital planning, awareness and training, information security
governance, the system development life cycle, security product and service acquisitions,
risk management, configuration management, incident response, contingency planning, and
performance measures.
Describe the "select-control-evaluate" framework for capital planning.
It defines a process for deciding which projects are worth pursuing and allocating firm
capital toward. Select: choose the project that best meets the firm's needs after a thorough
analysis of the risk and return of each option. Control: continually evaluate the selected
project to ensure it is meeting the expected levels of cost and risk. Evaluate: compare the
final result with the expected result.
Briefly explain the need of an effective information security policy.
An effective information security policy is necessary to establish the laws, rules, and
practices for how the organization manages, distributes, and protects its assets, and how
each individual's role and responsibility fit within that policy.
Describe some common security policies of an organization.
- Access control policy: how information is accessed.
- Incident response policy: How incidents are reported and responded to.
- Retention policy: how data can be stored and for how long.
Explain the functions that information security management performs.
Responsible for establishing and implementing effective security controls and
monitoring all information security programs for the organization to ensure proper
adherence.
How can a company ensure personnel security? Please describe these principles.
Least privilege — Give each person the minimum access necessary to do his or her job.
Separation of duties — Carefully separate duties so that people involved in checking for
inappropriate use are not also capable of perpetrating such inappropriate use.
Limited reliance on key employees — No one in an organization is irreplaceable.
What are the four phases of the cybersecurity learning continuum? Please describe
each level.
· Awareness — A set of activities that explains and promotes security, establishes
accountability, and informs the workforce of security news.
· Cybersecurity essentials — Intended to develop secure practices in the use of IT
resources.
· Role-based training — Intended to provide knowledge and skills specific to an
individual's roles and responsibilities relative to information systems.
· Education/certification — Integrates all of the security skills and competencies of the
various functional specialties into a common body of knowledge and adds a
multidisciplinary study of concepts, issues, and principles (technological and social).
What should be the goals for a security awareness program?
· Provide a focused approach for all awareness, training, and educational activities
related to information security, with better coordination to make it more effective.
· Communicate key recommended guidelines or practices required to secure
information resources.
· Provide general and specific information about information security risks and controls
to people on a need basis.
· Make individuals aware of their responsibilities in terms of information security.
· Motivate individuals to adopt recommended guidelines or practices by giving
incentives (corporate goodies).
· Create a stronger culture of security with individual commitment to information
security.
What does the term BYOD stand for, and what does it mean? Also, please describe at
least five challenges it imposes on an organization's security.
Bring your own device (BYOD) is a strategy adopted by an organization that allows
employees, business partners, and other users to utilize a personally selected and
purchased client device to execute enterprise applications and access company data.
Challenges: data management issues, data compliance issues, malicious applications,
lost or stolen devices.
Describe at least six topics that an ideal cybersecurity program should include.
1. Technical points about cybersecurity.
2. Common information and computer system security vulnerabilities
3. Common cyber attack mechanisms.
4. Different types of cryptographic algorithms
5. Intrusion, types of intruders, techniques, and motivation
6. Firewalls and other means of intrusion prevention
Describe the two possible types of threats in the information collection process in today's
information scenario.
· Surveillance is the watching, listening to, and/or recording of an individual's activities
without their knowledge or consent. This could be seen as problematic and a violation of
their right to privacy.
· Interrogation is the pressuring of an individual to disclose information they otherwise
would not want to. This is done by force or through other measures that create
uncomfortable pressure to divulge sensitive information.
Describe at least five potential privacy threats that may occur as information is being
disseminated.
1. Disclosure - The release of factual information about a person. Unfavorable news can
create reputational damage.
2. Breach of confidentiality - A release of private information that comes from a violation
of trust. This could be from a professional relationship, such as an accountant that releases
your tax returns or an attorney that discloses private conversations or documents.
3. Exposure - The release of personal content about one's personality or physical
appearance meant to embarrass and damage a person's reputation.
4. Blackmail - The threat of exposure or disclosure to obtain something of value.
5. Distortion - The manipulation of a person's public image through modifying
records associated with the individual.