Name: Class: Date:
Chapter 11: Personnel and Security
Copyright Cengage Learning. Powered by Cognero. Page 1
1. The most common qualification for a CISO includes the CISSP and CISM certifications.
a. True
b. False
ANSWER: True
2. InfoSec is a profession with little personnel turnover - most InfoSec professionals stay in their positions for a very long
time.
a. True
b. False
ANSWER: False
3. Temporary workers—often called temps—may not be subject to the contractual obligations or general policies that
govern other employees.
a. True
b. False
ANSWER: True
4. Most hiring organizations are aware of the precise value of information security certifications because these programs
have been in existence for a long time.
a. True
b. False
ANSWER: False
5. The SSCP certification is more applicable to the security manager than the security technician.
a. True
b. False
ANSWER: True
6. A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known
as racketeering. ____________
ANSWER: False - collusion
7. Maintaining a secure environment requires that the information security (InfoSec) department be carefully structured
and staffed with appropriately skilled and screened personnel. ____________
ANSWER: True
8. A(n) credit check can uncover past criminal behavior or other information that suggests a potential for future
misconduct or a vulnerability that might render a candidate susceptible to coercion or blackmail. ____________
ANSWER: False - background
9. Integrating InfoSec into the hiring process begins with reviewing and updating job descriptions to include InfoSec
responsibilities. ____________
ANSWER: True
10. A technically qualified individual who may configure firewalls and IDPSs, implement security software, diagnose and
troubleshoot problems, and coordinate with systems and network administrators to ensure that security technical controls
are properly implemented is known as a security architect. ____________
ANSWER: False - technician
11. A requirement that all employees take time off from work, which allows the organization to audit the individual’s
areas of responsibility is known as a mandatory vacation policy. ____________
ANSWER: True
12. ISACA offers the CGEIT certification that is targeted at upper-level executives such as CISOs and CIOs, directors,
and consultants with knowledge and experience in IT operations. ____________
ANSWER: False - governance
13. A security manager is accountable for the day-to-day operation of all or part of the InfoSec program. ____________
ANSWER: True
14. To move the InfoSec discipline forward, organizations should take all but which of the following steps?
a. Learn more about the requirements and qualifications for InfoSec and IT positions
b. Learn more about InfoSec budgetary and personnel needs
c. Insist all mid-level and upper-level management take introductory InfoSec courses
d. Grant the InfoSec function an appropriate level of influence and prestige
ANSWER: c
15. According to Schwartz et al., employees who create and install security solutions fall under which classification of
InfoSec positions?
a. Definers b. Administers
c. Builders d. Architects
ANSWER: c
16. Which of the following is typically true about the CISO position?
a. Business managers first and technologists second
b. Accountable for the day-to-day operation of all or part of the InfoSec program
c. Frequently reports directly to the Chief Executive Officer
d. Technically qualified individual who may configure firewalls and IDPSs
ANSWER: a
17. Ideally, a candidate for the CISO position should have experience in what other InfoSec position?
a. Security officer b. Security consultant
c. Security technician d. Security manager
ANSWER: d
18. Which of the following InfoSec positions is responsible for the day-to-day operation of the InfoSec program?
a. CISO b. Security manager
c. Security officer d. Security technician
ANSWER: b
19. CISOs should follow six key principles to shape their careers. Which of the following is NOT among those six
principles?
a. Practice business engagement b. Deliver services
c. Manage relationships d. Demonstrate technical competence
ANSWER: d
20. Which of the following is NOT a typical task performed by the security technician?
a. Configure firewalls and IDPSs b. Develop security policy
c. Coordinate with systems and network administrators d. Implement advanced security appliances
ANSWER: b
21. Which of the following is a responsibility of an information security department manager?
a. Offering technical information security consulting services to network administrators
b. Running vulnerability identification software packages
c. Preparing postmortem analyses of information security breaches
d. Training Access Control System administrators to set up firewalls
ANSWER: c
22. Which of the following is a responsibility of an InfoSec technician?
a. Developing InfoSec requirements for the organization
b. Providing hands-on technical consulting services to teams of technical specialists
c. Establishing procedures for the identification of information assets
d. Managing the development of InfoSec policies
ANSWER: b
23. Which of the following is expected of the security technician?
a. To be expert, certified and proficient
b. To possess technical qualifications which may vary by position
c. To possess experience with a particular hardware and/or software package
d. All of these
ANSWER: d
24. Which of the following security certifications is considered the most prestigious for security managers and CISOs?
a. CISSP b. GIAC
c. SSCP d. SCP
ANSWER: a
25. Which of the following is a domain of the CISSP examination?
a. Cryptography b. Risk, response, and recovery
c. Monitoring and analysis d. Malicious code and activity
ANSWER: a
26. Which of the following is NOT a CISSP concentration?
a. ISSAP b. ISSTP
c. ISSMP d. ISSEP
ANSWER: b
27. Which certification program has certifications that require the applicant to complete a written practical assignment that
tests the applicant’s ability to apply skills and knowledge.
a. GIAC b. CGEIT
c. CRISC d. CISA
ANSWER: a
28. Which of the following is NOT among the areas covered as part of the Certified Computer Examiner (CCE)
certification process?
a. Server hardware construction and theory
b. General computer hardware used in data collection
c. Ethics in practice
d. Forensics data seizure procedures
ANSWER: a
29. When hiring security personnel, which of the following should be conducted before the organization extends an offer
to any candidate, regardless of job level?
a. New hire orientation b. Covert surveillance
c. Organizational tour d. Background check
ANSWER: d
30. Which of the following is NOT a task that must be performed if an employee is terminated?
a. Former employee must return all media
b. Former employee’s home computer must be audited
c. Former employee’s office computer must be secured
d. Former employee should be escorted from the premises
ANSWER: b
31. Which of the following is NOT a common type of background check that may be performed on a potential employee?
a. Identity check b. Political activism
c. Motor vehicle records d. Drug history
ANSWER: b
32. Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring
financial affairs?
a. Task rotation b. Mandatory vacations
c. Separation of duties d. Job rotation
ANSWER: c
33. Which of the following policies requires that two individuals review and approve each other’s work before the task is
considered complete?
a. Task rotation b. Two-person control
c. Separation of duties d. Job rotation
ANSWER: b
34. Which of the following policies requires that every employee be able to perform the work of at least one other staff
member?
a. Collusion b. Job rotation
c. Two-person control d. Separation of duties
ANSWER: b
35. Temporary hires called contract employees - or simply contractors - should not be allowed to do what?
a. Work on the premises
b. Wander freely in and out of buildings
c. Visit the facility without specific, prior coordination
d. Compensated by the organization based on hourly rates
ANSWER: b
36. In the classification of information security positions, senior people with a lot of broad knowledge, but often not a lot
of depth, fall under the category of those that ____________________.
ANSWER: define
37. Ultimately, the _______________________ is the spokesperson for the security team and is responsible for the
overall InfoSec program.
ANSWER: CISO
Chief Information Security Officer
38. It is the responsibility of a _______________________ to develop appropriate InfoSec policies, standards, guidelines,
and procedures.
ANSWER: security manager
39. A security ____________________ is the typical information security entry-level position.
ANSWER: technician
40. The CompTIA ____________________ certification tests an individual’s security knowledge mastery and requires
two years on-the-job networking experience, with emphasis on security.
ANSWER: Security+
Security +
41. Briefly describe at least five types of background checks.
ANSWER: - Identity checks: personal identity validation
- Education and credential checks: institutions attended, degrees and certifications earned, and certification
status
- Previous employment verification: where candidates worked, why they left, what they did, and for how long
- Reference checks: validity of references and integrity of reference sources
- Worker’s compensation history: claims from worker’s compensation
- Motor vehicle records: driving records, suspensions, and other items noted in the applicant’s public record
- Drug history: drug screening and drug usage, past and present
- Medical history: current and previous medical conditions, usually associated with physical capability to
perform the work in the specified position
- Credit history: credit problems, financial problems, and bankruptcy
- Civil court history: involvement as the plaintiff or defendant in civil suits
- Criminal court history: criminal background, arrests, convictions, and time served
42. Briefly describe the two outprocessing methods of handling employees who leave their positions at a company.
ANSWER: Hostile departure (usually involuntary), including termination, downsizing, lay-off, or quitting: Security cuts
off all logical and keycard access, before the employee is terminated. As soon as the employee reports for
work, he or she is escorted into the supervisor’s office to receive the bad news. The individual is then escorted
from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or
her office, cubicle, or personal area to collect personal effects under supervision. No organizational property is
allowed to leave the premises, including diskettes, pens, papers, or books. Terminated employees can submit,
in writing, a list of the property they wish to retain, stating their reasons for doing so. Once personal property
has been gathered, the employee is asked to surrender all keys, keycards, and other organizational
identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then
escorted from the building.
Friendly departure (voluntary) for retirement, promotion, or relocation: The employee may have tendered
notice well in advance of the actual departure date, which can make it much more difficult for security to
maintain positive control over the employee’s access and information usage. Employee accounts are usually
allowed to continue, with a new expiration date. The employee can come and go at will and usually collects
any belongings and leaves without escort. The employee is asked to drop off all organizational property before
departing.
43. Briefly describe the classifications of InfoSec positions as defined by Schwartz et al.
ANSWER: Definers provide the policies, guidelines, and standards. They’re the people who do the consulting and the risk
assessment, who develop the product and technical architectures.
Builders are the real techies who create and install security solutions.
Those that administer are the people who operate and [administer] the security tools, the security monitoring
function, and the people who continuously improve the processes.
44. What are some of the common qualifications for a CISO?
ANSWER: The most common qualifications for the CISO include the Certified Information Systems Security
Professional (CISSP) and the Certified Information Security Manager (CISM). A graduate degree in business,
technology, criminal justice, or another related field is usually required as well.
45. List the six key principles that should shape the career of a CISO.
ANSWER: Business engagement
Focus initiatives on what is learned
Align, target, and time initiatives
Service delivery
Credibility
Relationship management
46. Describe the position of security manager.
ANSWER: A security manager is accountable for the day-to-day operation of all or part of the InfoSec program. They
accomplish objectives identified by the CISO and resolve issues identified by the technicians. Security
managers are often assigned specific managerial duties by the CISO, including policy development, risk
assessment, contingency planning, and operational and tactical planning for the security function. They often
liaise with managers from other departments and divisions in joint planning and development sections, such as
security functions in human resources hiring and termination procedures, plant operations in environmental
controls, and physical security design.
47. What are the qualifications and position requirements of a typical security technician?
ANSWER: The technical qualifications and position requirements for a security technician vary. Organizations typically
prefer expert, certified, proficient technicians. Job requirements usually include some level of experience with
a particular hardware and software package. Sometimes, familiarity with a particular technology is enough to
secure an applicant an interview; however, experience using the technology is usually required.
48. Describe the SSCP certification. How does it compare to the CISSP?
ANSWER: Because it is difficult to master all 10 domains covered on the CISSP exam, many security professionals seek
other less rigorous certifications, such as (ISC)2’s SSCP certification. Like the CISSP, the SSCP certification
is more applicable to the security manager than to the technician, as the bulk of its questions focus on the
operational nature of InfoSec. The SSCP focuses on practices, roles, and responsibilities as defined by experts
from major InfoSec industries. Nevertheless, the InfoSec technician seeking advancement can benefit from
this certification.
49. Describe the certifications developed by SANS. How are they different from InfoSec certifications like CISSP and
SSCP?
ANSWER: The SANS Institute developed a series of technical security certifications known as the Global Information
Assurance Certification (GIAC). GIAC certifications are different from certifications like CISSP because they
not only test for knowledge, they require candidates to demonstrate application of that knowledge. With the
introduction of the GIAC Information Security Professional (GISP) and the GIAC Security Leadership
Certification (GSLC), SANS now offers more than just technical certifications.
50. What is the Security+ certification and who is a typical candidate for this certification?
ANSWER: The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years of
on-the-job networking experience, with an emphasis on security. The exam covers industry-wide topics,
including communication security, infrastructure security, cryptography, access control, authentication,
external attack, and operational and organization security.
a. definers
b. builders
c. security manager
d. security technician
e. systems programmer
f. ethics officer
g. CISSP
h. SSCP
i. SANS
j. CCE
51. a technically qualified individual who may configure firewalls and IDPSs,
implement security software, diagnose and troubleshoot problems, and coordinate with systems
and network administrators to ensure that security technical controls are properly implemented
ANSWER: d
52. an ISC2 certification that focuses on practices, roles, and responsibilities as defined by experts
ANSWER: h
53. accountable for the day-to-day operation of all or part of the InfoSec program and assigned objectives identified by the
CISO
ANSWER: c
54. computer forensics certification from ISFCE
ANSWER: j
55. a member of the general business community having an information security related role
ANSWER: f
56. provide the policies, guidelines, and standards, performing consulting and risk assessment and developing technical
architectures
ANSWER: a
57. an ISC2 certificate that is often considered to be the most prestigious certification for security managers
ANSWER: g
58. an organization that developed a series of technical security certifications such as the GIAC
ANSWER: i
59. create and install security solutions
ANSWER: b
60. a member of the IT community often responsible for complex operating system programs
ANSWER: e