1. Best security practices (BSPs) balance the need for information access with the need for
adequate protection while simultaneously demonstrating social responsibility.
A) True
B) False
2. When an organization applies statistical and quantitative forms of mathematical analysis to the
data points collected to measure the activities and outcomes of the InfoSec program, it is using
InfoSec best practices.
A) True
B) False
3. Accreditation is the authorization of an IT system to process, store, or transmit information.
A) True
B) False
4. A community of management and users that is well trained and informed about threats facing
the organization can be crucial in the early detection and response process.
A) True
B) False
5. The information technology community often takes on the leadership role in addressing risk.
A) True
B) False
6. At a minimum, organizations should have a simple data classification scheme categorizing
information assets based on their sensitivity and security needs; for example: confidential,
internal, and public.
A) True
B) False
7. Economic and non-economic effects of a weakness must be evaluated after a strategy for
dealing with a particular vulnerability has been selected.
A) True
B) False
8. Residual risk is also known as risk tolerance and is the amount of risk organizations are
willing to accept after all reasonable controls have been implemented.
A) True
B) False
9. Asset valuation does NOT have to consider the value of information to adversaries or loss of
revenue while information assets are unavailable.
A) True
B) False
10. Network-address translation (NAT) is often implemented with the screened-host firewalls
architecture.
A) True
B) False
11. Kerberos uses asymmetric key encryption to validate an individual user’s access to certain
network resources.
A) True
B) False
12. A system that is secret is safe.
A) True
B) False
13. Creating a blueprint by looking at the paths taken by organizations similar to the one whose
plan you are developing is known as ____.
A) benchmarking
B) best practices
C) baselining
14. In information security, two categories of benchmarks are used: standards of due care and
due diligence and ____ practices.
A) security
B) recommended
C) measures
15. Which of the following is the last phase in the NIST process for performance measures
implementation?
A) Obtain management support
B) Repeat the process
C) Apply corrective actions
16. Which of the following activities is part of the risk identification process?
A) Determining the likelihood that vulnerable systems will be attacked by specific threats
B) Calculating the risks to which assets are exposed in their current setting
C) Assigning a value to each information asset
17. ____ elements are divided into three categories: applications, operating systems, or security
components.
A) Networking
B) Hardware
C) Software
18. Classification categories must be ____ (all inventoried assets fit into a category) and ____
(each asset is found in only one category).
A) mutually inclusive, mutually exclusive
B) comprehensive, mutually exclusive
C) mutually exclusive, classification
19. Which of the following is not an example of a disaster recovery plan?
A) Data recovery procedures
B) Information gathering procedures
C) Shut down procedures
20. ____ feasibility determines acceptable practices based on consensus and
relationships among the communities of interest.
A) Political
B) Organizational
C) Technical
21. ____ is the choice to do nothing to protect an information asset from risk and to accept the
outcome from any resulting exploitation.
A) Acceptance
B) Avoidance
C) Risk tolerance
22. ____ controls defend against threats from outside of the organization.
A) Firewall
B) network-based
C) signature-based
23. A ____ intrusion detection and prevention system can monitor multiple computers
simultaneously.
A) signature-based
B) host-based
C) statistical anomaly-based
24. Kerberos’ ____ is an interacting application that validates clients and servers.
A) Ticket Granting Service
B) Authentication Client
C) Authentication Server
25. The ____ Computer Security Act charges the National Bureau of Standards (now NIST) with
the development of all but which of the following?
A) Standards, guidelines, and associated methods and techniques for computer systems
B) Uniform standards and guidelines for most federal computer systems
C) Mandatory periodic training in computer security awareness and accepted computer
security practice for all employees involved with federal computer systems