Name: Class: Date:
Chapter 11: Personnel and Security
Copyright Cengage Learning. Powered by Cognero. Page 1
1. The most common qualifications for a CISO include the CISSP and CISM certifications.
a. True
b. False
ANSWER: True
2. InfoSec is a profession with little personnel turnover - most InfoSec professionals stay in their positions for a very long time.
a. True
b. False
ANSWER: False
3. Temporary workers—often called temps—may not be subject to the contractual obligations or general policies that govern other employees.
a. True
b. False
ANSWER: True
4. Most hiring organizations are aware of the precise value of information security certifications because these programs have been in existence for a long time.
a. True
b. False
ANSWER: False
5. The SSCP certification is more applicable to the security manager than the security technician.
a. True
b. False
ANSWER: True
6. A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known as racketeering. ____________
ANSWER: False - collusion
7. Maintaining a secure environment requires that the information security (InfoSec) department be carefully structured and staffed with appropriately skilled and screened personnel. ____________
ANSWER: True
8. A(n) credit check can uncover past criminal behavior or other information that suggests a potential for future misconduct or a vulnerability that might render a candidate susceptible to coercion or blackmail. ____________
ANSWER: False - background
9. Integrating InfoSec into the hiring process begins with reviewing and updating job descriptions to include InfoSec responsibilities. ____________
ANSWER: True
10. A technically qualified individual who may configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technical controls are properly implemented is known as a security architect. ____________
ANSWER: False - technician
11. A requirement that all employees take time off from work, which allows the organization to audit the individual’s areas of responsibility, is known as a mandatory vacation policy. ____________
ANSWER: True
12. ISACA offers the CGEIT certification that is targeted at upper-level executives such as CISOs and CIOs, directors, and consultants with knowledge and experience in IT operations. ____________
ANSWER: False - governance
13. A security manager is accountable for the day-to-day operation of all or part of the InfoSec program. ____________
ANSWER: True
14. To move the InfoSec discipline forward, organizations should take all but which of the following steps?
a. Learn more about the requirements and qualifications for InfoSec and IT positions
b. Learn more about InfoSec budgetary and personnel needs
c. Insist all mid-level and upper-level management take introductory InfoSec courses
d. Grant the InfoSec function an appropriate level of influence and prestige
ANSWER: c
15. According to Schwartz et al., employees who create and install security solutions fall under which classification of InfoSec positions?
a. Definers
b. Administers
c. Builders
d. Architects
ANSWER: c
16. Which of the following is typically true about the CISO position?
a. Business managers first and technologists second
b. Accountable for the day-to-day operation of all or part of the InfoSec program
c. Frequently reports directly to the Chief Executive Officer
d. Technically qualified individual who may configure firewalls and IDPSs
ANSWER: a
17. Ideally, a candidate for the CISO position should have experience in what other InfoSec position?
a. Security officer
b. Security consultant
c. Security technician
d. Security manager
ANSWER: d
18. Which of the following InfoSec positions is responsible for the day-to-day operation of the InfoSec program?
a. CISO
b. Security manager
c. Security officer
d. Security technician
ANSWER: b
19. CISOs should follow six key principles to shape their careers. Which of the following is NOT among those six principles?
a. Practice business engagement
b. Deliver services
c. Manage relationships
d. Demonstrate technical competence
ANSWER: d
20. Which of the following is NOT a typical task performed by the security technician?
a. Configure firewalls and IDPSs
b. Develop security policy
c. Coordinate with systems and network administrators
d. Implement advanced security appliances
ANSWER: b
21. Which of the following is a responsibility of an information security department manager?
a. Offering technical information security consulting services to network administrators
b. Running vulnerability identification software packages
c. Preparing postmortem analyses of information security breaches
d. Training Access Control System administrators to set up firewalls
ANSWER: c
22. Which of the following is a responsibility of an InfoSec technician?
a. Developing InfoSec requirements for the organization
b. Providing hands-on technical consulting services to teams of technical specialists
c. Establishing procedures for the identification of information assets
d. Managing the development of InfoSec policies
ANSWER: b
23. Which of the following is expected of the security technician?
a. To be expert, certified and proficient
b. To possess technical qualifications which may vary by position
c. To possess experience with a particular hardware and/or software package
d. All of these
ANSWER: d
24. Which of the following security certifications is considered the most prestigious for security managers and CISOs?
a. CISSP
b. GIAC
c. SSCP
d. SCP
ANSWER: a
25. Which of the following is a domain of the CISSP examination?
a. Cryptography
b. Risk, response, and recovery
c. Monitoring and analysis
d. Malicious code and activity
ANSWER: a
26. Which of the following is NOT a CISSP concentration?
a. ISSAP
b. ISSTP
c. ISSMP
d. ISSEP
ANSWER: b
27. Which certification program has certifications that require the applicant to complete a written practical assignment that tests the applicant’s ability to apply skills and knowledge?
a. GIAC
b. CGEIT
c. CRISC
d. CISA
ANSWER: a
28. Which of the following is NOT among the areas covered as part of the Certified Computer Examiner (CCE) certification process?
a. Server hardware construction and theory
b. General computer hardware used in data collection
c. Ethics in practice
d. Forensics data seizure procedures
ANSWER: a
29. Before hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level?
a. New hire orientation
b. Covert surveillance
c. Organizational tour
d. Background check
ANSWER: d
30. Which of the following is NOT a task that must be performed if an employee is terminated?
a. Former employee must return all media
b. Former employee’s home computer must be audited
c. Former employee’s office computer must be secured
d. Former employee should be escorted from the premises
ANSWER: b
31. Which of the following is NOT a common type of background check that may be performed on a potential employee?
a. Identity check
b. Political activism
c. Motor vehicle records
d. Drug history
ANSWER: b
32. Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs?
a. Task rotation
b. Mandatory vacations
c. Separation of duties
d. Job rotation
ANSWER: c
33. Which of the following policies requires that two individuals review and approve each other’s work before the task is considered complete?
a. Task rotation
b. Two-person control
c. Separation of duties
d. Job rotation
ANSWER: b
34. Which of the following policies requires that every employee be able to perform the work of at least one other staff member?
a. Collusion
b. Job rotation
c. Two-person control
d. Separation of duties
ANSWER: b
35. Temporary hires called contract employees - or simply contractors - should not be allowed to do what?
a. Work on the premises
b. Wander freely in and out of buildings
c. Visit the facility without specific, prior coordination
d. Compensated by the organization based on hourly rates
ANSWER: b
36. In the classification of information security positions, senior people with a lot of broad knowledge, but often not a lot of depth, fall under the category of those that ____________________.
ANSWER: define
37. Ultimately, the _______________________ is the spokesperson for the security team and is responsible for the overall InfoSec program.
ANSWER: CISO
Chief Information Security Officer
38. It is the responsibility of a _______________________ to develop appropriate InfoSec policies, standards, guidelines, and procedures.
ANSWER: security manager
39. A security ____________________ is the typical information security entry-level position.
ANSWER: technician
40. The CompTIA ____________________ certification tests an individual’s security knowledge mastery and requires two years on-the-job networking experience, with emphasis on security.
ANSWER: Security+
Security +
41. Briefly describe at least five types of background checks.
ANSWER:
- Identity checks: personal identity validation
- Education and credential checks: institutions attended, degrees and certifications earned, and certification status
- Previous employment verification: where candidates worked, why they left, what they did, and for how long
- Reference checks: validity of references and integrity of reference sources
- Worker’s compensation history: claims from worker’s compensation
- Motor vehicle records: driving records, suspensions, and other items noted in the applicant’s public record
- Drug history: drug screening and drug usage, past and present
- Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position
- Credit history: credit problems, financial problems, and bankruptcy
- Civil court history: involvement as the plaintiff or defendant in civil suits
- Criminal court history: criminal background, arrests, convictions, and time served
42. Briefly describe the two outprocessing methods of handling employees who leave their positions at a company.
ANSWER: Hostile departure (usually involuntary), including termination, downsizing, lay-off, or quitting: Security cuts off all logical and keycard access before the employee is terminated. As soon as the employee reports for work, he or she is escorted into the supervisor’s office to receive the bad news. The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects under supervision. No organizational property is allowed to leave the premises, including diskettes, pens, papers, or books. Terminated employees can submit, in writing, a list of the property they wish to retain, stating their reasons for doing so. Once personal property has been gathered, the employee is asked to surrender all keys, keycards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building.
Friendly departure (voluntary) for retirement, promotion, or relocation: The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee’s access and information usage. Employee accounts are usually allowed to continue, with a new expiration date. The employee can come and go at will and usually collects any belongings and leaves without escort. The employee is asked to drop off all organizational property before departing.
43. Briefly describe the classifications of InfoSec positions as defined by Schwartz et al.
ANSWER: Definers provide the policies, guidelines, and standards. They’re the people who do the consulting and the risk assessment, who develop the product and technical architectures.
Builders are the real techies who create and install security solutions.
Those that administer are the people who operate and [administer] the security tools, the security monitoring function, and the people who continuously improve the processes.
44. What are some of the common qualifications for a CISO?
ANSWER: The most common qualifications for the CISO include the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM). A graduate degree in business, technology, criminal justice, or another related field is usually required as well.
45. List the six key principles that should shape the career of a CISO.
ANSWER: Business engagement
Focus initiatives on what is learned
Align, target, and time initiatives
Service delivery
Credibility
Relationship management
46. Describe the position of security manager.
ANSWER: A security manager is accountable for the day-to-day operation of all or part of the InfoSec program. They accomplish objectives identified by the CISO and resolve issues identified by the technicians. Security managers are often assigned specific managerial duties by the CISO, including policy development, risk assessment, contingency planning, and operational and tactical planning for the security function. They often liaise with managers from other departments and divisions in joint planning and development sections, such as security functions in human resources hiring and termination procedures, plant operations in environmental controls, and physical security design.
47. What are the qualifications and position requirements of a typical security technician?
ANSWER: The technical qualifications and position requirements for a security technician vary. Organizations typically prefer expert, certified, proficient technicians. Job requirements usually include some level of experience with a particular hardware and software package. Sometimes, familiarity with a particular technology is enough to secure an applicant an interview; however, experience using the technology is usually required.
48. Describe the SSCP certification. How does it compare to the CISSP?
ANSWER: Because it is difficult to master all 10 domains covered on the CISSP exam, many security professionals seek other less rigorous certifications, such as (ISC)2’s SSCP certification. Like the CISSP, the SSCP certification is more applicable to the security manager than to the technician, as the bulk of its questions focus on the operational nature of InfoSec. The SSCP focuses on practices, roles, and responsibilities as defined by experts from major InfoSec industries. Nevertheless, the InfoSec technician seeking advancement can benefit from this certification.
49. Describe the certifications developed by SANS. How are they different from InfoSec certifications like CISSP and SSCP?
ANSWER: The SANS Institute developed a series of technical security certifications known as the Global Information Assurance Certification (GIAC). GIAC certifications are different from certifications like CISSP because they not only test for knowledge, they require candidates to demonstrate application of that knowledge. With the introduction of the GIAC Information Security Professional (GISP) and the GIAC Security Leadership Certification (GSLC), SANS now offers more than just technical certifications.
50. What is the Security+ certification and who is a typical candidate for this certification?
ANSWER: The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years of on-the-job networking experience, with an emphasis on security. The exam covers industry-wide topics, including communication security, infrastructure security, cryptography, access control, authentication, external attack, and operational and organization security.
a. definers
b. builders
c. security manager
d. security technician
e. systems programmer
f. ethics officer
g. CISSP
h. SSCP
i. SANS
j. CCE
51. a technically qualified individual who may configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technical controls are properly implemented
ANSWER: d
52. an ISC2 certification that focuses on practices, roles, and responsibilities as defined by experts
ANSWER: h
53. accountable for the day-to-day operation of all or part of the InfoSec program and assigned objectives identified by the CISO
ANSWER: c
54. computer forensics certification from ISFCE
ANSWER: j
55. a member of the general business community having an information security related role
ANSWER: f
56. provide the policies, guidelines, and standards, performing consulting and risk assessment and developing technical architectures
ANSWER: a
57. an ISC2 certificate that is often considered to be the most prestigious certification for security managers
ANSWER: g
58. an organization that developed a series of technical security certifications such as the GIAC
ANSWER: i
59. create and install security solutions
ANSWER: b
60. a member of the IT community often responsible for complex operating system programs
ANSWER: e

More Related Content

What's hot

Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 

What's hot (20)

Chapter 09 security_management_practices
Chapter 09 security_management_practicesChapter 09 security_management_practices
Chapter 09 security_management_practices
 
Chapter 03 governance_and_strategic_planning_for_security
Chapter 03 governance_and_strategic_planning_for_securityChapter 03 governance_and_strategic_planning_for_security
Chapter 03 governance_and_strategic_planning_for_security
 
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Editiontest bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Security operation center
Security operation centerSecurity operation center
Security operation center
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Ssdf nist
Ssdf nistSsdf nist
Ssdf nist
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert Hurlbut
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organization
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Cyber Kill Chain.pptx
Cyber Kill Chain.pptxCyber Kill Chain.pptx
Cyber Kill Chain.pptx
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 

Similar to Chapter 11 personnel_and_security

SECO 406100422-ISF-Sample-Exam-en-v1-0.pdf
SECO 406100422-ISF-Sample-Exam-en-v1-0.pdfSECO 406100422-ISF-Sample-Exam-en-v1-0.pdf
SECO 406100422-ISF-Sample-Exam-en-v1-0.pdf
JohnRicos
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5
madunix
 
1. Which of the following elements ensures a policy is enforceab
1. Which of the following elements ensures a policy is enforceab1. Which of the following elements ensures a policy is enforceab
1. Which of the following elements ensures a policy is enforceab
careyshaunda
 
Econ 421Subsidies Problem SetSpring 20151. Suppose low-in.docx
Econ 421Subsidies Problem SetSpring 20151. Suppose low-in.docxEcon 421Subsidies Problem SetSpring 20151. Suppose low-in.docx
Econ 421Subsidies Problem SetSpring 20151. Suppose low-in.docx
jack60216
 

Similar to Chapter 11 personnel_and_security (20)

SECO 406100422-ISF-Sample-Exam-en-v1-0.pdf
SECO 406100422-ISF-Sample-Exam-en-v1-0.pdfSECO 406100422-ISF-Sample-Exam-en-v1-0.pdf
SECO 406100422-ISF-Sample-Exam-en-v1-0.pdf
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5
 
000 013
000 013000 013
000 013
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
 
ISA.pdf
ISA.pdfISA.pdf
ISA.pdf
 
ISACA_CISM_April_2023-v1.3.pdf
ISACA_CISM_April_2023-v1.3.pdfISACA_CISM_April_2023-v1.3.pdf
ISACA_CISM_April_2023-v1.3.pdf
 
1. Which of the following elements ensures a policy is enforceab
1. Which of the following elements ensures a policy is enforceab1. Which of the following elements ensures a policy is enforceab
1. Which of the following elements ensures a policy is enforceab
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
 
Certified Data Privacy Solutions Engineer CDPSE Exam Questions
Certified Data Privacy Solutions Engineer CDPSE Exam QuestionsCertified Data Privacy Solutions Engineer CDPSE Exam Questions
Certified Data Privacy Solutions Engineer CDPSE Exam Questions
 
Econ 421Subsidies Problem SetSpring 20151. Suppose low-in.docx
Econ 421Subsidies Problem SetSpring 20151. Suppose low-in.docxEcon 421Subsidies Problem SetSpring 20151. Suppose low-in.docx
Econ 421Subsidies Problem SetSpring 20151. Suppose low-in.docx
 
Csslp
CsslpCsslp
Csslp
 
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
Strategic Management of Information Systems international student version 5th...
Strategic Management of Information Systems international student version 5th...Strategic Management of Information Systems international student version 5th...
Strategic Management of Information Systems international student version 5th...
 
Cybersecurity Incident Response Planning.pdf
Cybersecurity Incident Response Planning.pdfCybersecurity Incident Response Planning.pdf
Cybersecurity Incident Response Planning.pdf
 
CS0-002 Exam Questinos | CS0002 Guidebook
CS0-002 Exam Questinos | CS0002 GuidebookCS0-002 Exam Questinos | CS0002 Guidebook
CS0-002 Exam Questinos | CS0002 Guidebook
 
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...
 
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
 
SOC Analyst Training In Hyderabad | Best
SOC Analyst Training In Hyderabad | BestSOC Analyst Training In Hyderabad | Best
SOC Analyst Training In Hyderabad | Best
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Chapter 11 personnel_and_security

ANSWER: False - technician

11. A requirement that all employees take time off from work, which allows the organization to audit the individual's areas of responsibility, is known as a mandatory vacation policy. ____________
ANSWER: True

12. ISACA offers the CGEIT certification that is targeted at upper-level executives such as CISOs and CIOs, directors, and consultants with knowledge and experience in IT operations. ____________
ANSWER: False - governance

13. A security manager is accountable for the day-to-day operation of all or part of the InfoSec program. ____________
ANSWER: True

14. To move the InfoSec discipline forward, organizations should take all but which of the following steps?
a. Learn more about the requirements and qualifications for InfoSec and IT positions
b. Learn more about InfoSec budgetary and personnel needs
c. Insist all mid-level and upper-level management take introductory InfoSec courses
d. Grant the InfoSec function an appropriate level of influence and prestige
ANSWER: c

15. According to Schwartz et al., employees who create and install security solutions fall under which classification of InfoSec positions?
a. Definers
b. Administers
c. Builders
d. Architects
ANSWER: c

16. Which of the following is typically true about the CISO position?
a. Business managers first and technologists second
b. Accountable for the day-to-day operation of all or part of the InfoSec program
c. Frequently reports directly to the Chief Executive Officer
d. Technically qualified individual who may configure firewalls and IDPSs
ANSWER: a

17. Ideally, a candidate for the CISO position should have experience in what other InfoSec position?
a. Security officer
b. Security consultant
c. Security technician
d. Security manager
ANSWER: d

18. Which of the following InfoSec positions is responsible for the day-to-day operation of the InfoSec program?
a. CISO
b. Security manager
c. Security officer
d. Security technician
ANSWER: b

19. CISOs should follow six key principles to shape their careers. Which of the following is NOT among those six principles?
a. Practice business engagement
b. Deliver services
c. Manage relationships
d. Demonstrate technical competence
ANSWER: d

20. Which of the following is NOT a typical task performed by the security technician?
a. Configure firewalls and IDPSs
b. Develop security policy
c. Coordinate with systems and network administrators
d. Implement advanced security appliances
ANSWER: b

21. Which of the following is a responsibility of an information security department manager?
a. Offering technical information security consulting services to network administrators
b. Running vulnerability identification software packages
c. Preparing postmortem analyses of information security breaches
d. Training Access Control System administrators to set up firewalls
ANSWER: c

22. Which of the following is a responsibility of an InfoSec technician?
a. Developing InfoSec requirements for the organization
b. Providing hands-on technical consulting services to teams of technical specialists
c. Establishing procedures for the identification of information assets
d. Managing the development of InfoSec policies
ANSWER: b

23. Which of the following is expected of the security technician?
a. To be expert, certified and proficient
b. To possess technical qualifications which may vary by position
c. To possess experience with a particular hardware and/or software package
d. All of these
ANSWER: d

24. Which of the following security certifications is considered the most prestigious for security managers and CISOs?
a. CISSP
b. GIAC
c. SSCP
d. SCP
ANSWER: a

25. Which of the following is a domain of the CISSP examination?
a. Cryptography
b. Risk, response, and recovery
c. Monitoring and analysis
d. Malicious code and activity
ANSWER: a

26. Which of the following is NOT a CISSP concentration?
a. ISSAP
b. ISSTP
c. ISSMP
d. ISSEP
ANSWER: b

27. Which certification program has certifications that require the applicant to complete a written practical assignment that tests the applicant's ability to apply skills and knowledge?
a. GIAC
b. CGEIT
c. CRISC
d. CISA
ANSWER: a

28. Which of the following is NOT among the areas covered as part of the Certified Computer Examiner (CCE) certification process?
a. Server hardware construction and theory
b. General computer hardware used in data collection
c. Ethics in practice
d. Forensics data seizure procedures
ANSWER: a

29. Before hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level?
a. New hire orientation
b. Covert surveillance
c. Organizational tour
d. Background check
ANSWER: d

30. Which of the following is NOT a task that must be performed if an employee is terminated?
a. Former employee must return all media
b. Former employee's home computer must be audited
c. Former employee's office computer must be secured
d. Former employee should be escorted from the premises
ANSWER: b

31. Which of the following is NOT a common type of background check that may be performed on a potential employee?
a. Identity check
b. Political activism
c. Motor vehicle records
d. Drug history
ANSWER: b

32. Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs?
a. Task rotation
b. Mandatory vacations
c. Separation of duties
d. Job rotation
ANSWER: c

33. Which of the following policies requires that two individuals review and approve each other's work before the task is considered complete?
a. Task rotation
b. Two-person control
c. Separation of duties
d. Job rotation
ANSWER: b

34. Which of the following policies requires that every employee be able to perform the work of at least one other staff member?
a. Collusion
b. Job rotation
c. Two-person control
d. Separation of duties
ANSWER: b

35. Temporary hires called contract employees - or simply contractors - should not be allowed to do what?
a. Work on the premises
b. Wander freely in and out of buildings
c. Visit the facility without specific, prior coordination
d. Compensated by the organization based on hourly rates
ANSWER: b

36. In the classification of information security positions, senior people with a lot of broad knowledge, but often not a lot of depth, fall under the category of those that ____________________.
ANSWER: define

37. Ultimately, the _______________________ is the spokesperson for the security team and is responsible for the overall InfoSec program.
ANSWER: CISO (Chief Information Security Officer)

38. It is the responsibility of a _______________________ to develop appropriate InfoSec policies, standards, guidelines, and procedures.
ANSWER: security manager

39. A security ____________________ is the typical information security entry-level position.
ANSWER: technician

40. The CompTIA ____________________ certification tests an individual's security knowledge mastery and requires two years on-the-job networking experience, with emphasis on security.
ANSWER: Security+ (Security +)

41. Briefly describe at least five types of background checks.
ANSWER:
- Identity checks: personal identity validation
- Education and credential checks: institutions attended, degrees and certifications earned, and certification status
- Previous employment verification: where candidates worked, why they left, what they did, and for how long
- Reference checks: validity of references and integrity of reference sources
- Worker's compensation history: claims from worker's compensation
- Motor vehicle records: driving records, suspensions, and other items noted in the applicant's public record
- Drug history: drug screening and drug usage, past and present
- Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position
- Credit history: credit problems, financial problems, and bankruptcy
- Civil court history: involvement as the plaintiff or defendant in civil suits
- Criminal court history: criminal background, arrests, convictions, and time served

42. Briefly describe the two outprocessing methods of handling employees who leave their positions at a company.
ANSWER:
Hostile departure (usually involuntary), including termination, downsizing, lay-off, or quitting: Security cuts off all logical and keycard access before the employee is terminated. As soon as the employee reports for work, he or she is escorted into the supervisor's office to receive the bad news. The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects under supervision. No organizational property is allowed to leave the premises, including diskettes, pens, papers, or books. Terminated employees can submit, in writing, a list of the property they wish to retain, stating their reasons for doing so. Once personal property has been gathered, the employee is asked to surrender all keys, keycards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building.
Friendly departure (voluntary) for retirement, promotion, or relocation: The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee's access and information usage. Employee accounts are usually allowed to continue, with a new expiration date. The employee can come and go at will and usually collects any belongings and leaves without escort. The employee is asked to drop off all organizational property before departing.

43. Briefly describe the classifications of InfoSec positions as defined by Schwartz et al.
ANSWER: Definers provide the policies, guidelines, and standards. They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. Builders are the real techies who create and install security solutions. Those that administer are the people who operate and [administer] the security tools, the security monitoring function, and the people who continuously improve the processes.

44. What are some of the common qualifications for a CISO?
ANSWER: The most common qualifications for the CISO include the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM). A graduate degree in business, technology, criminal justice, or another related field is usually required as well.

45. List the six key principles that should shape the career of a CISO.
ANSWER:
- Business engagement
- Focus initiatives on what is learned
- Align, target, and time initiatives
- Service delivery
- Credibility
- Relationship management

46. Describe the position of security manager.
ANSWER: A security manager is accountable for the day-to-day operation of all or part of the InfoSec program. They accomplish objectives identified by the CISO and resolve issues identified by the technicians. Security managers are often assigned specific managerial duties by the CISO, including policy development, risk assessment, contingency planning, and operational and tactical planning for the security function. They often liaise with managers from other departments and divisions in joint planning and development sections, such as security functions in human resources hiring and termination procedures, plant operations in environmental controls, and physical security design.

47. What are the qualifications and position requirements of a typical security technician?
ANSWER: The technical qualifications and position requirements for a security technician vary. Organizations typically prefer expert, certified, proficient technicians. Job requirements usually include some level of experience with a particular hardware and software package. Sometimes, familiarity with a particular technology is enough to secure an applicant an interview; however, experience using the technology is usually required.

48. Describe the SSCP certification. How does it compare to the CISSP?
ANSWER: Because it is difficult to master all 10 domains covered on the CISSP exam, many security professionals seek other less rigorous certifications, such as (ISC)2's SSCP certification. Like the CISSP, the SSCP certification is more applicable to the security manager than to the technician, as the bulk of its questions focus on the operational nature of InfoSec. The SSCP focuses on practices, roles, and responsibilities as defined by experts from major InfoSec industries. Nevertheless, the InfoSec technician seeking advancement can benefit from this certification.

49. Describe the certifications developed by SANS. How are they different from InfoSec certifications like CISSP and SSCP?
ANSWER: The SANS Institute developed a series of technical security certifications known as the Global Information Assurance Certification (GIAC). GIAC certifications are different from certifications like CISSP because they not only test for knowledge, they require candidates to demonstrate application of that knowledge. With the introduction of the GIAC Information Security Professional (GISP) and the GIAC Security Leadership Certification (GSLC), SANS now offers more than just technical certifications.

50. What is the Security+ certification and who is a typical candidate for this certification?
ANSWER: The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years of on-the-job networking experience, with an emphasis on security. The exam covers industry-wide topics, including communication security, infrastructure security, cryptography, access control, authentication, external attack, and operational and organization security.

Matching terms for questions 51-60:
a. definers
b. builders
c. security manager
d. security technician
e. systems programmer
f. ethics officer
g. CISSP
h. SSCP
i. SANS
j. CCE

51. a technically qualified individual who may configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technical controls are properly implemented
ANSWER: d

52. an ISC2 certification that focuses on practices, roles, and responsibilities as defined by experts
ANSWER: h

53. accountable for the day-to-day operation of all or part of the InfoSec program and assigned objectives identified by the CISO
ANSWER: c

54. computer forensics certification from ISFCE
ANSWER: j

55. a member of the general business community having an information security related role
ANSWER: f

56. provide the policies, guidelines, and standards, performing consulting and risk assessment and developing technical architectures
ANSWER: a

57. an ISC2 certificate that is often considered to be the most prestigious certification for security managers
ANSWER: g

58. an organization that developed a series of technical security certifications such as the GIAC
ANSWER: i

59. create and install security solutions
ANSWER: b

60. a member of the IT community often responsible for complex operating system programs
ANSWER: e