Chapter 2 Assessment Questions

Chapter 2 focuses on various aspects of security policies and principles, including definitions and applications of concepts like least privilege, separation of duties, and risk management. It also discusses technical controls, intrusion detection systems, server hardening, and relevant government agencies involved in security standards and alerts. The chapter concludes with questions related to the CVE list and information security vulnerability naming standards.

CHAPTER 2 ASSESSMENT

1. What is a security policy?
A. A document with a rigid set of rules created so that people follow it explicitly to be effective and avoid technical problems
B. A technical control used to enforce security
C. A physical control used to enforce security
D. A document created by senior managers that identifies the role of security in the organization and is used as a defense mechanism to protect the assets of the organization

2. What should be used to ensure that users are granted only the rights to perform actions required for their jobs?
A. Principle of least privilege
B. Principle of need to know
C. Principle of limited rights
D. Separation of duties

3. What should be used to ensure that the amount spent on mitigating a risk (such as buying insurance) is proportional to the risk?
A. Principle of least privilege
B. Principle of proportionality
C. Principle of limited rights
D. Principle of limited permissions

4. Which of the following security principles divides job responsibilities to reduce fraud?
A. Need to know
B. Least privilege
C. Separation of duties
D. Mandatory vacations

5. What can be used to ensure that unauthorized changes are not made to systems?
A. Input validation
B. Patch management
C. Version control
D. Configuration management

6. What are two types of intrusion detection systems?
A. Intentional and unintentional
B. Natural and man-made
C. Host based and network based
D. Technical and physical

7. A technical control prevents unauthorized personnel from having physical access to a secure area or secure system.
A. True
B. False

8. What allows an attacker to gain additional privileges on a system by sending unexpected code to the system?
A. Buffer overflow
B. MAC flood
C. Input validation
D. Spiders

9. What is hardening a server?
A. Securing it from the default configuration
B. Ensuring it cannot be powered down
C. Locking it in a room that is hard to access
D. Enabling necessary protocols and services

10. Which of the following steps could be taken to harden a server?
A. Removing unnecessary services and protocols
B. Keeping the server up to date
C. Changing defaults
D. Enabling local firewalls
E. All of the above

11. Which government agency includes the Information Technology Laboratory and publishes SP 800-30?
A. NIST
B. DHS
C. NCCIC
D. US-CERT

12. Which of the following is a Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach?
A. SP 800-34
B. SP 800-35
C. SP 800-37
D. SP 800-84

13. Which U.S. government agency regularly publishes alerts and bulletins related to security threats?
A. NIST
B. FBI
C. US-CERT
D. MITRE Corporation

14. The CVE list is maintained by _______.

15. What is the standard used to create information security vulnerability names?
A. CVE
B. MITRE
C. DISA
D. CSI
