Midterm Exams Attempt Review

The document is a review of a midterm exam taken on March 19, 2022. It shows that the exam was started at 6:53 PM and finished at 7:51 PM, and the exam consisted of 12 multiple choice questions. The review lists each question, the answer chosen, and whether it was correct or not. It received a perfect score of 60 out of 60 (100%).

Uploaded by

Princess Alea

3/22/22, 1:42 PM Midterm Exams: Attempt review


Started on Saturday, 19 March 2022, 6:53 PM
State Finished
Completed on Saturday, 19 March 2022, 7:51 PM
Time taken 57 mins 23 secs
Grade 60.00 out of 60.00 (100%)

Question 1
Correct

Mark 1.00 out of 1.00

Of what value is a business impact analysis (BIA) for a security leader in an organization?

a. It provides a view of the criticality of business processes in an organization.
b. It provides a view of the criticality of software applications in an organization.
c. It provides no value to a security leader.
d. It provides a view of the criticality of IT systems in an organization.

The correct answer is: It provides a view of the criticality of business processes in an organization.

Question 2
Correct

Mark 1.00 out of 1.00

What is the main advantage of a security architecture function in a larger, distributed organization?

a. Better results in vulnerability assessments
b. Lower cost of operations
c. Greater employee satisfaction
d. Greater consistency in the use of tools and configurations

The correct answer is: Greater consistency in the use of tools and configurations

https://collvle.neu.edu.ph/mod/quiz/review.php?attempt=587037&cmid=186002 1/20

Question 3

Correct

Mark 1.00 out of 1.00

Which of the following is the most effective means for making information security policies, standards, and guidelines available to an organization’s workforce?

a. Publish policies, standards, and guidelines on an intranet site where they can be easily found.
b. Publish policies, standards, and guidelines in hard copy and have copies available at the security office.
c. Policies, standards, and guidelines should be on a “need to know” basis and not published or sent to personnel.
d. E-mail policies, standards, and guidelines to the workforce once per year.

The correct answer is: Publish policies, standards, and guidelines on an intranet site where they can be easily found.

Question 4
Correct

Mark 6.00 out of 6.00

Categories of access control based on inherent characteristics

Remedies a circumstance or mitigates damage done during an incident → Corrective
Resolves shortcomings → Compensating
Restores operating conditions back to normal → Recovery
Helps an organization avoid an incident → Preventative
Identifies an incident or threat when it occurs → Detective
Discourages an incipient incident → Deterrent

The correct answer is:

Remedies a circumstance or mitigates damage done during an incident → Corrective,
Resolves shortcomings → Compensating,
Restores operating conditions back to normal → Recovery,
Helps an organization avoid an incident → Preventative,
Identifies an incident or threat when it occurs → Detective,
Discourages an incipient incident → Deterrent


Question 5

Correct

Mark 1.00 out of 1.00

The ultimate responsibility for an organization’s information security program lies with whom?

a. The chief information officer (CIO)
b. The chief executive officer (CEO)
c. The board of directors
d. The chief information security officer (CISO)

The correct answer is: The board of directors

Question 6
Correct

Mark 1.00 out of 1.00

What is the purpose of metrics in an information security program?

a. To predict the method of an attack on an organization
b. To predict the likelihood of an attack on an organization
c. To measure the performance and effectiveness of security controls
d. To measure the likelihood of an attack on the organization

The correct answer is: To measure the performance and effectiveness of security controls

Question 7
Correct

Mark 1.00 out of 1.00

What kind of statement is the following: “Passwords are to consist of upper- and lowercase letters, numbers, and symbols, and are to be at least 12 characters in length.”

a. Guideline
b. Standard 
c. Procedure
d. Policy

The correct answer is: Standard


Question 8

Correct

Mark 1.00 out of 1.00

Jerome is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?

a. ITIL
b. CMM
c. PMBOK Guide
d. ISO 27002 

The correct answer is: ISO 27002

Question 9
Correct

Mark 3.00 out of 3.00

InfoSec general policy categories

Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across the organization. → Enterprise information security policy (EISP)
Technical and/or managerial in nature, these control the configuration and/or use of a piece of equipment or technology. → System-specific policies (SysSPs)
These are sets of rules that define acceptable behavior within a specific technology, such as e-mail or Internet usage. → Issue-specific security policies (ISSPs)

The correct answer is:

Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across the organization. → Enterprise information security policy (EISP),
Technical and/or managerial in nature, these control the configuration and/or use of a piece of equipment or technology. → System-specific policies (SysSPs),
These are sets of rules that define acceptable behavior within a specific technology, such as e-mail or Internet usage. → Issue-specific security policies (ISSPs)


Question 10

Correct

Mark 1.00 out of 1.00

Ryan is designing the long-term security plan for his organization and has a three- to five-year planning horizon. What type of plan is he developing?

a. Summary
b. Operational
c. Strategic 
d. Tactical

The correct answer is: Strategic

Question 11
Correct

Mark 1.00 out of 1.00

What is the best approach to the development of an organization’s security incident response plan?

a. Developing separate security incident recordkeeping
b. Leveraging the organization’s crisis management plan
c. Developing detailed playbooks and relying on the organization’s crisis management plan
d. Developing a general IR plan and leaving the details to subject matter experts

The correct answer is: Leveraging the organization’s crisis management plan

Question 12
Correct

Mark 1.00 out of 1.00

Which of the following is the best description of the COBIT framework?

a. A security process and controls framework that can be integrated with ITIL or ISO 20000
b. An IT controls and process framework on which IT controls and processes can be added at an organization’s discretion
c. An IT process framework with optional security processes when Extended COBIT is implemented
d. An IT process framework that includes security processes that are interspersed throughout the framework

The correct answer is: An IT process framework that includes security processes that are interspersed throughout the framework


Question 13

Correct

Mark 1.00 out of 1.00

Danmar discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?

a. Confidentiality 
b. Integrity
c. Availability
d. Denial

The correct answer is: Confidentiality

Question 14
Correct

Mark 1.00 out of 1.00

Which of the following is most important for a successful information security program?

a. Open communication with key process owners
b. Adequate policies, standards and procedures
c. Adequate training on emerging security technologies
d. Executive management commitment

The correct answer is: Executive management commitment

Question 15
Correct

Mark 1.00 out of 1.00

Which security metric is best considered a leading indicator of an attack?

a. Number of security awareness training sessions completed
b. Mean time to apply security patches
c. Number of firewall rules triggered
d. Percentage of systems scanned

The correct answer is: Mean time to apply security patches


Question 16

Correct

Mark 1.00 out of 1.00

Which is the best party to make decisions about the purpose and function of business applications?

a. Business department head
b. End user
c. Application developer
d. IT business analyst

The correct answer is: Business department head

Question 17
Correct

Mark 1.00 out of 1.00

You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next?

a. Repeat the business impact assessment.
b. Implement new security controls to reduce the risk level.
c. Design a disaster recovery plan.
d. Document your decision-making process.

The correct answer is: Document your decision-making process.

Question 18
Correct

Mark 1.00 out of 1.00

Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?

a. Password
b. Token
c. Username 
d. Retinal scan

The correct answer is: Username


Question 19

Correct

Mark 1.00 out of 1.00

Security efforts that seek to provide a superior level of performance in the protection of information are a demonstration of due diligence.

Select one:
True
False

The correct answer is 'False'.

Question 20
Correct

Mark 1.00 out of 1.00

The most important consideration in developing security policies is that:

a. They are based on a threat profile
b. Management signs off on them
c. They are complete and no detail is left out
d. All employees read and understand them

The correct answer is: They are based on a threat profile

Question 21
Correct

Mark 1.00 out of 1.00

Timothy has located his organization’s mission statement and a list of strategic objectives. What steps should Timothy take to ensure that the information security program aligns with the business?

a. Develop a list of activities that will support the organization’s strategic objectives, and determine the cost of each
b. Select those controls from the organization’s control framework that align to each objective, and then ensure that those controls are effective
c. Discuss strategic objectives with business leaders to understand better what they want to accomplish and what steps are being taken to achieve them
d. Select the policies from the organization’s information security policy that are relevant to each objective, and ensure that those policies are current.

The correct answer is: Discuss strategic objectives with business leaders to understand better what they want to accomplish and what steps are being taken to achieve them


Question 22

Correct

Mark 1.00 out of 1.00

A security leader has been asked to justify the need to implement a new strategy for information security. How should the security leader respond?

a. Develop a project plan showing the personnel, tasks, timelines, and dependencies.
b. Develop a business case that includes success criteria, requirements, costs, and action plan.
c. Develop a SWOT diagram showing strengths, weaknesses, opportunities, and threats.
d. Develop a risk matrix that includes the potential consequences if the strategy is not implemented.

The correct answer is: Develop a business case that includes success criteria, requirements, costs, and action plan.

Question 23
Correct

Mark 1.00 out of 1.00

An organization has decided to improve its information security program by developing a full suite of policies,
procedures, standards, and processes. Which of these must be developed first?

a. Standards
b. Processes
c. Procedures
d. Policies 

The correct answer is: Policies

Question 24
Correct

Mark 1.00 out of 1.00

What is the purpose of obtaining management commitment in support of a strategy?

a. Approval of spending
b. Approval for new hires
c. Visible support to reinforce the importance of the strategy 
d. Improved enforcement of policy

The correct answer is: Visible support to reinforce the importance of the strategy


Question 25

Correct

Mark 1.00 out of 1.00

Which of the following best describes information security governance?

a. Information security policies
b. Information security policies along with audits of those policies
c. Management’s control of information security processes
d. Benchmarks of metrics as compared to similar organizations

The correct answer is: Management’s control of information security processes

Question 26
Correct

Mark 3.00 out of 3.00

Categories of access control based on operational impact.

Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization. → Operational
Controls that cover security processes that are designed by strategic planners, integrated into the organization’s management practices, and routinely used by security administrators to design, implement, and monitor other control systems. → Management
Controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment. → Technical

The correct answer is:

Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization. → Operational,
Controls that cover security processes that are designed by strategic planners, integrated into the organization’s management practices, and routinely used by security administrators to design, implement, and monitor other control systems. → Management,
Controls that support the tactical portion of a security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment. → Technical


Question 27

Correct

Mark 1.00 out of 1.00

Which of the following statements about guidelines is correct?

a. Guidelines are optional and not required.
b. Guidelines are mandatory.
c. Security controls are derived from guidelines.
d. Security policies are derived from guidelines.

The correct answer is: Guidelines are optional and not required.

Question 28
Correct

Mark 1.00 out of 1.00

Which of the following statements about ISO 27001 is correct?

a. ISO 27001 consists primarily of a framework of security controls, followed by an appendix of security requirements for running a security management program.
b. ISO 27001 consists primarily of a body of requirements for running a security management program, along with an appendix of security controls.
c. ISO 27001 consists of a framework of information security controls.
d. ISO 27001 consists of a framework of requirements for running a security management program.

The correct answer is: ISO 27001 consists primarily of a body of requirements for running a security management program, along with an appendix of security controls.

Question 29
Correct

Mark 1.00 out of 1.00

Which of the following is the most likely result of an organization that lacks a security architecture function?

a. Inconsistent application of standards
b. Added complication in vulnerability management tools
c. Lower process maturity
d. Inconsistent security-related procedures

The correct answer is: Inconsistent application of standards


Question 30

Correct

Mark 1.00 out of 1.00

Bernadette is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Bernadette trying to enforce?

a. Availability
b. Confidentiality 
c. Denial
d. Integrity

The correct answer is: Confidentiality

Question 31
Correct

Mark 1.00 out of 1.00

A security strategy is important for an organization primarily because it provides:

a. Provide users with guidance on how to operate securely in everyday tasks
b. A basis for determining the best logical security architecture of the organization
c. Helps IT auditors ensure compliance
d. Management intent and direction for security activities

The correct answer is: Management intent and direction for security activities

Question 32
Correct

Mark 1.00 out of 1.00

The biggest barrier to benchmarking in InfoSec is the fact that many organizations do not share results with other organizations.

Select one:
True
False

The correct answer is 'True'.


Question 33

Correct

Mark 1.00 out of 1.00

Hani, a CISO, has vulnerability management metrics and needs to build business-level metrics. Which of the following is the best leading indicator metric suitable for his organization’s board of directors?

a. Number of vulnerabilities remediated on servers supporting manufacturing processes
b. Average time to patch servers supporting manufacturing processes
c. Percentage of servers supporting manufacturing processes that are scanned by vulnerability scanning tools
d. Frequency of security scans of servers supporting manufacturing processes

The correct answer is: Average time to patch servers supporting manufacturing processes

Question 34
Correct

Mark 1.00 out of 1.00

What is the purpose of a security awareness program?

a. Helps personnel develop better judgment when handling company information
b. Helps personnel understand proper computer usage
c. Meets compliance requirements for PCI-DSS and SOX
d. Informs personnel about security policy

The correct answer is: Helps personnel develop better judgment when handling company information

Question 35
Correct

Mark 1.00 out of 1.00

Which one of the following control categories does not accurately describe a fence around a facility?

a. Preventive
b. Deterrent
c. Detective 
d. Physical

The correct answer is: Detective


Question 36

Correct

Mark 1.00 out of 1.00

What is the best method for determining whether employees understand an organization’s information security policy?

a. Distribute copies of the information security policy to employees.
b. Require employees to acknowledge information security policy in writing.
c. Incorporate quizzes into security awareness training.
d. Require employees to read the information security policy.

The correct answer is: Incorporate quizzes into security awareness training.

Question 37
Correct

Mark 1.00 out of 1.00

The primary security objective in creating good procedures is:

a. That they are unambiguous and meet the standards
b. That compliance can be monitored
c. To make sure they work as intended
d. That they be written in plain language and widely distributed

The correct answer is: That they are unambiguous and meet the standards

Question 38
Correct

Mark 1.00 out of 1.00

Victor, a CISO who manages a large security group, wants to create a mission statement for the CISO group. What is the best approach for creating this mission statement?

a. Start with Victor’s most recent performance review
b. Start with the body of open items in the risk register
c. Start with the organization’s mission statement
d. Start with the results of the most recent risk assessment

The correct answer is: Start with the organization’s mission statement


Question 39

Correct

Mark 3.00 out of 3.00

Key Concepts of Information Security

The characteristic of information whereby only those with sufficient privileges and a demonstrated need may access it. → Confidentiality
Occurs when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. → Accountability
The quality or state of being whole, complete, and uncorrupted. → Integrity

The correct answer is:

The characteristic of information whereby only those with sufficient privileges and a demonstrated need may access it. → Confidentiality,
Occurs when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. → Accountability,
The quality or state of being whole, complete, and uncorrupted. → Integrity

Question 40
Correct

Mark 1.00 out of 1.00

What is the most effective way of ensuring that personnel are aware of an organization’s security policies?

a. Require personnel to acknowledge compliance to security policies in writing annually.
b. Require personnel to acknowledge compliance to security policies at the time of hire.
c. Distribute hard copies of information security policies to all personnel.
d. Post information security policies on the organization’s intranet.

The correct answer is: Require personnel to acknowledge compliance to security policies in writing annually.


Question 41

Correct

Mark 3.00 out of 3.00

Access control is built on several key principles:

Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function. → Need-to-know
Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion. → Separation of duties
Members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. → Least privilege

The correct answer is:

Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function. → Need-to-know,
Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion. → Separation of duties,
Members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. → Least privilege

Question 42

Correct

Mark 1.00 out of 1.00

Lilly is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Lilly enforcing?

a. Confidentiality
b. Availability
c. Integrity 
d. Denial

The correct answer is: Integrity


Question 43

Correct

Mark 1.00 out of 1.00

What is the best method for ensuring that an organization’s security program achieves adequate business alignment?

a. Study the organization’s chart of management reporting (the “org chart”)
b. Study the organization’s financial chart of accounts
c. Understand the organization’s vision, mission statement, and objectives
d. Find and read the organization’s articles of incorporation

The correct answer is: Understand the organization’s vision, mission statement, and objectives

Question 44
Correct

Mark 1.00 out of 1.00

The statement, “Passwords can be constructed from words, phrases, numbers, and special characters in a variety of ways that are easily remembered but not easily guessed,” is an example of what?

a. A procedure
b. A guideline 
c. A policy
d. A standard

The correct answer is: A guideline

Question 45
Correct

Mark 1.00 out of 1.00

Iris is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?

a. Guideline
b. Baseline 
c. Procedure
d. Policy

The correct answer is: Baseline


Question 46

Correct

Mark 1.00 out of 1.00

Examples of security program performance include all of the following except:

a. Time to remediate security incidents
b. Time to discover vulnerabilities
c. Time to perform security scans
d. Time to detect security incidents

The correct answer is: Time to perform security scans

Question 47
Correct

Mark 1.00 out of 1.00

A new CISO in an organization is building its information security program from the ground up. To ensure collaboration among business leaders and department heads in the organization, the CISO should form and manage which of the following?

a. Business-aligned security policy
b. An information security steering committee
c. An audit committee of the board of directors
d. A risk committee of the board of directors

The correct answer is: An information security steering committee


New Era University

https://neu.edu.ph