CMGT 430 provides study materials for information security management including quizzes on access controls, risk management, security standards, and a post-course assessment. The document lists chapter quizzes and learning resources to complete the course on topics like separation of duties, risk treatment strategies, ISO standards, and performance measurement.

1. CMGT/430
ENTERPRISE SECURITY
The Latest Version A+ Study Guide
**********************************************
CMGT 430 Entire Course Link
http://www.uopstudy.com/CMGT-430
**********************************************
CMGT 430 Wk 1 - Managementof Information Security, Ch. 8 Quiz
Complete the Ch. 8 Quiz using the MindTap Access link.
Which access control principle limits a user's access to the specific information required to
perform the currently assigned task?
• Separation of duties
• Eyes only
• Least privilege
• Need-to-know
A time-release safe is an example of which type of access control?
• Nondiscretionary
• Temporal isolation
• Content-dependent
• Constrained user interface
In which form of access control is access to a specific set of information contingent on its subject
matter?
• Temporal isolation
• Content-dependent access controls
• None of these
• Constrained user interfaces

2. Which type of access controls can be role-based or task-based?
• Nondiscretionary
• Constrained
• Content-dependent
• Discretionary
Which of the following specifies the authorization classification of information asset an individual
user is permitted to access, subject to the need-to-know principle?
• Task-based access controls
• Security clearances
• Discretionary access controls
• Sensitivity levels
Under lattice-based access controls, the column of attributes associated with a particular object
(such as a printer) is referred to as which of the following?
• Access control list
• Capabilities table
• Access matrix
• Sensitivity level
Controls that remedy a circumstance or mitigate damage done during an incident are categorized
as which of the following?
• Deterrent
• Preventative
• Corrective
• Compensating
Which security architecture model is based on the premise that higher levels of integrity are more
worthy of trust than lower ones?
• Bell-LaPadula
• Clark-Wilson
• Common Criteria
• Biba
Which control category discourages an incipient incident?
• Compensating
• Preventative
• Remitting
• Deterrent
Which access control principle specifies that no unnecessary access to data exists by regulating
members so they can perform only the minimum data manipulation necessary?
• Need-to-know

3. • Separation of duties
• Least privilege
• Eyes only
For More Classes Please Visit
http://www.uopstudy.com/
CMGT 430 Wk 2 - Managementof Information Security, Ch. 7 Quiz
Complete the Ch. 7 Quiz using the MindTap Access link.
Which of the following describes an organization's efforts to reduce damage caused by a realized
incident or disaster?
• Transference
• Mitigation
• Acceptance
• Avoidance
The financial savings from using the defense risk treatment strategy to implement a control and
eliminate the financial ramifications of an incident is known as __________.
• probability estimate
• asset valuation
• cost avoidance
• risk acceptance premium
Once a control strategy has been selected and implemented, what should be done on an ongoing
basis to determine their effectiveness and to estimate the remaining risk?
• Evaluation and funding
• Monitoring and measurement
• Analysis and adjustment
• Review and reapplication
Strategies to reestablish operations at the primary site after an adverse event threatens continuity
of business operations are covered by which of the following plans in the mitigation control
approach?
• Damage control plan
• Business continuity plan
• Incident response plan
• Disaster recovery plan
Which of the following can be described as the quantity and nature of risk that organizations are
willing to accept as they evaluate the trade-offs between perfect security and unlimited
accessibility?
• Risk appetite

4. • Risk assurance
• Residual risk
• Risk termination
By multiplying the asset value by the exposure factor, you can calculate which of the following?
• Value to adversaries
• Annualized cost of the safeguard
• Single loss expectancy
• Annualized loss expectancy
When vulnerabilities have been controlled to the degree possible, there is often remaining risk that
has not been completely removed, shifted, or planned for and is called __________.
• residual risk
• risk assurance
• risk appetite
• risk tolerance
What is the result of subtracting the postcontrol annualized loss expectancy and the ACS from the
precontrol annualized loss expectancy?
• Annualized rate of occurrence
• Single loss expectancy
• Cost–benefit analysis
• Exposure factor
Which of the following determines acceptable practices based on consensus and relationships
among the communities of interest?
• Operational feasibility
• Technical feasibility
• Political feasibility
• Organizational feasibility
What does FAIR rely on to build the risk management framework that is unlike many other risk
management frameworks?
• Quantitative valuation of safeguards
• Subjective prioritization of controls
• Risk analysis estimates
• Qualitative assessment of many risk components
For More Classes Please Visit
http://www.uopstudy.com/
CMGT 430 Wk 3 - Managementof Information Security, Ch. 9 Quiz

5. Complete the Ch. 9 quiz using the MindTap Access link.
The benefits of ISO certification to organizations achieving it include all of the following
EXCEPT:
• Smoother operations
• Reduced costs
• Lower taxes from governments
• Improved public image
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan
you are developing is known as which of the following?
• Baselining
• Benchmarking
• Best practices
• Due diligence
Which of the following is not a consideration when selecting recommended best practices?
• Organization structure is similar
• Same networking architecture
• Resource expenditures are practical
• Threat environment is similar
Which of the following InfoSec measurement specifications makes it possible to define success in
the security program?
• Prioritization and selection
• Development approach
• Establishing targets
• Measurements templates
Problems with benchmarking include all but which of the following?
• Recommended practices change and evolve, thus past performance is no indicator of future
success.
• Organizations being benchmarked are seldom identical.
• Organizations don't often share information on successfulattacks.
• Benchmarking doesn't help in determining the desired outcome of the security process.
What are the legal requirements that an organization adopts a standard based on what a prudent
organization should do, and then maintain that standard?
• Due care and due diligence
• Baselining and benchmarking
• Best practices
• Certification and accreditation
Which of the following is not a factor critical to the success of an information security
performance measurement program?

6. • Strong upper level management support
• Results oriented measurement analysis
• High level of employee buy-in
• Quantifiable performance measurements
Which of the following is a possible result of failure to establish and maintain standards of due
care and due diligence?
• Information system faults
• Baselining
• Benchmarking
• Legal liability
Which of the following is not a question a CISO should be prepared to answer, about a
performance measures program, according to Kovacich?
• What affect will measurement collection have on efficiency?
• Who will collect these measurements?
• Why should these measurements be collected?
• Where will these measurements be collected?
Which of the following terms is described as the process of designing, implementing, and
managing the use of the collected data elements to determine the effectiveness of the overall
security program?
• Standards of due care/diligence
• Baselining
• Performance management
• Best practices
For More Classes Please Visit
http://www.uopstudy.com/
CMGT 430 Wk 5 - Post-Course AssessmentQuiz
Complete the Post-Course Assessment quiz using the MindTap Access link.
What tool would you use if you want to collect information as it is being transmitted on the
network and analyze the contents for the purpose of solving network problems?
• Port scanner
• Content filter
• Packet sniffer
• Vulnerability scanner
Which of the following InfoSec positions is responsible for the day-to-day operation of the
InfoSec program?
• CISO

7. • Security officer
• Security manager
• Security technician
Which of the following can be described as the quantity and nature of risk that
organizations are willing to accept as they evaluate the trade-offs between perfect security
and unlimited accessibility?
• Risk termination
• Risk appetite
• Residual risk
• Risk assurance
Which document must be changed when evidence changes hands or is stored?
• Affidavit
• Evidentiary material
• Search warrant
• Chain of custody
The C.I.A. triad for computer security includes which of these characteristics?
• Availability
• Authentication
• Authorization
• Accountability
There are three general categories of unethical behavior that organizations and society
should seek to eliminate. Which of the following is not one of them?
• Malice
• Ignorance
• Intent
• Accident
The type of planning that is used to organize the ongoing, day-to-day performance of
tasks is ____________.
• organizational
• tactical
• operational
• strategic
Which is the first step in the contingency planning process among the options listed here?
• Disaster recovery planning
• Business impact analysis
• Business continuity training
• Incident response planning

8. What is the SETA program designed to do?
• Reduce the occurrence of accidental security breaches.
• Improve operations.
• Increase the efficiency of InfoSec staff.
• Reduce the occurrence of external attacks.
Which type of document is a more detailed statement of what must be done to comply with
a policy?
• Procedure
• Standard
• Guideline
• Practice