Information Security Governance and Risk Management, Exams of Nursing

A comprehensive overview of information security governance and risk management principles. It covers topics such as defense in depth, security architecture, security policies and procedures, auditing and compliance, and fraud prevention. The document delves into the importance of formal security processes, the role of security within the organization, and the need for a balanced approach that enables business functionality while mitigating risks. It also discusses specific security frameworks and standards like cobit, coso, and iso/iec 27000. Overall, this document serves as a valuable resource for understanding the strategic and operational aspects of information security management within an organization.

Typology: Exams

2024/2025

Available from 10/09/2024

BEST-TUTOR.

NETSEC 2 Exam Questions and Answers 2025.

1) This book focuses on ____.
A) offense
B) defense
C) offense and defense about equally
D) None of the above - ANSWER B

2) Closing all routes of attack into an organization's system(s) is called ____.
A) defense in depth
B) comprehensive security
C) total security
D) access control - ANSWER B

3) A ____ occur(s) when a single security element failure defeats the overall security of a system.
A) spot failure
B) weakest link failure
C) defense in depth departure
D) critical failure - ANSWER B

4) Which of the following is a formal process?
A) Annual corporate planning
B) Planning and developing individual countermeasures
C) Both A and B
D) Neither A nor B - ANSWER C

5) A planned series of actions in a corporation is a(n) ____.
A) strategy
B) sequence
C) process
D) anomaly - ANSWER C

6) The growing number of compliance laws and regulations is driving firms to use formal governance frameworks to guide their security processes. - ANSWER TRUE

7) Many compliance regimes require firms to adopt specific formal governance frameworks to drive security planning and operational management. - ANSWER TRUE

8) Planning, protection, and response follow a fairly strict sequence from one stage to another. - ANSWER FALSE

9) The stage of the plan-protect-respond cycle that consumes the most time is ____.
A) planning
B) protection
C) response
D) each of the above consumes about the same amount of time - ANSWER B

10) ____ is the plan-based creation and operation of countermeasures.
A) Planning
B) Protection

[...]
17) Once a company's resources are enumerated, the next step is to ____.
A) create a protection plan for each
B) assess the degree to which each is already protected
C) enumerate threats to each
D) classify them according to sensitivity - ANSWER D

18) After performing a preliminary security assessment, a company should develop a remediation plan for EVERY security gap identified. - ANSWER TRUE

19) A company should consider its list of possible remediation plans as an investment portfolio. - ANSWER TRUE

20) The factors that require a firm to change its security planning, protection, and response are called driving forces. - ANSWER TRUE

21) Compliance laws and regulations ____.
A) create requirements to which security must respond
B) can be expensive for IT security
C) Both A and B
D) Neither A nor B - ANSWER C

22) A ____ is a material deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.
A) material control failure
B) material control deficiency
C) critical control deficiency

[...]
D) Neither A nor B - ANSWER C

27) The FTC can act against companies that fail to take reasonable precautions to protect privacy information. - ANSWER TRUE

28) The FTC can ____.
A) impose fines
B) require annual audits by external auditing firms for many years
C) Both A and B
D) Neither A nor B - ANSWER C

29) Which companies does PCI-DSS affect?
A) E-commerce firms
B) Medical firms
C) Government organizations
D) Companies that accept credit card payments - ANSWER D

30) What type of organization is subject to FISMA?
A) E-commerce firms
B) Medical firms
C) Government organizations
D) Companies that accept credit card payments - ANSWER C

31) In FISMA, ____ is done internally by the organization.
A) certification
B) accreditation
C) Both A and B
D) Neither A nor B - ANSWER C

32) The manager of the security department often is called ____.
A) the chief security officer (CSO)
B) the chief information security officer (CISO)
C) Either A or B
D) Neither A nor B - ANSWER C

33) Placing security within IT ____.
A) creates independence
B) is likely to give security stronger backing from the IT department
C) Both A and B
D) Neither A nor B - ANSWER B

34) Independence is best provided for IT security by placing it within the IT department. - ANSWER FALSE

35) Most IT security analysts recommend placing IT security functions within the IT department. - ANSWER FALSE

[...]
B) Financial auditing
C) IT auditing
D) None of the above - ANSWER C

40) Placing IT auditing in an existing auditing department would give independence from IT security. - ANSWER TRUE

41) ____ entails investigating the IT security of external companies and the implications of close IT partnerships before implementing interconnectivity.
A) Auditing
B) Due diligence
C) Peer-to-peer security
D) Vulnerability testing - ANSWER B

42) To outsource some security functions, a firm can use an MISP. - ANSWER FALSE

43) A benefit of using MSSPs is that they provide ____.
A) cost savings
B) independence
C) Both A and B
D) Neither A nor B - ANSWER C

?) What security functions typically are outsourced?

[...]
?) The goal of IT security is reasonable risk reduction. - ANSWER TRUE

?) Security tends to impede functionality. - ANSWER TRUE

?) In benefits, costs and benefits are expressed on a per-year basis. - ANSWER TRUE

?) SLE times ARO gives the ____.
A) expected per-event loss
B) expected annual loss
C) expected life cycle loss
D) expected per-event benefit - ANSWER B

?) When risk analysis deals with costs and benefits that vary by year, the computations should use ____.
A) NPV
B) IRR
C) Either A or B
D) Neither A nor B - ANSWER C

?) Which of the following gives the best estimate of the complete cost of a compromise?
A) ALE

[...]
C) Risk avoidance
D) None of the above - ANSWER B

60) ____ means responding to risk by taking out insurance.
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) Risk transference - ANSWER D

61) ____ means responding to risk by not taking a risky action.
A) Risk reduction
B) Risk acceptance
C) Risk avoidance
D) Risk transference - ANSWER C

62) Responding to risk through risk avoidance is likely to be acceptable to other units of the firm. - ANSWER FALSE

63) A technical security architecture includes ____.
A) all of a firm's countermeasures
B) how countermeasures are organized
C) Both A and B
D) Neither A nor B - ANSWER C

64) A technical security architecture should be created ____.
A) annually
B) before a firm creates individual countermeasures
C) before a firm creates a specific countermeasure
D) after each major compromise - ANSWER B

65) Companies should replace their legacy security technologies immediately. - ANSWER FALSE

66) Using both a firewall and host hardening to protect a host is ____.
A) defense in depth
B) risk acceptance
C) an anti-weakest link strategy
D) adding berms - ANSWER A

67) ____ requires multiple countermeasures to be defeated for an attack to succeed.
A) Defense in depth
B) Weakest link analysis
C) Both A and B
D) Neither A nor B - ANSWER A

[...]
A) is no longer important because there are so many ways to bypass borders
B) is close to a complete solution to access control
C) Both A and B
D) Neither A nor B - ANSWER D

73) A(n) ____ is a statement of what should be done under specific circumstances.
A) implementation control
B) policy
C) policy guidance document
D) procedure - ANSWER B

74) Policies should specify the details of how protections are to be applied. - ANSWER FALSE

75) Policies should specify implementation in detail. - ANSWER FALSE

76) When you wish to create a specific firewall, you should create a security policy for that firewall specifically. - ANSWER TRUE

77) Policies should be written by ____.
A) IT security
B) corporate teams involving people from multiple departments
C) a senior executive
D) an outside consultant, to maintain independence - ANSWER B

78) ____ are mandatory.
A) Standards
B) Guidelines
C) Both A and B
D) Neither A nor B - ANSWER A

79) ____ are discretionary.
A) Standards
B) Guidelines
C) Both A and B
D) Neither A nor B - ANSWER B

80) It is mandatory for decision makers to consider guidelines. - ANSWER TRUE

81) Guidelines are appropriate in simple and highly certain circumstances. - ANSWER FALSE

82) ____ specify the low-level detailed actions that must be taken by specific employees.
A) Procedures